[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: How to build latest n greatest Apache,PHP, OpenSSL rpms?

On Mon, Apr 11, 2005 at 06:11:29PM +0100, Loki Choggio wrote:
> --- Alexander Dalloz <ad+lists uni-x org> wrote: 
> > > For example while Apache 2.0.53 was released
> > Fedora
> > > didn't bother updating so the present 2.0.52 is
> > > theoretically exploitable. For example php 4.3.11
> > came
> > > out on March 31st but no updates are around the
> > corner
> > > Fedorawise. We know what happened with the holes
> > in
> > > php 4.3.9 and the exploits in existence.
> > 
> > Security fixes are backported. Maybe you should read
> > the RPMs changelogs.

It's not true that fixes are backported for Fedora as policy; the
general guideline is to ship the latest version as an update.

> I have indeed read the changelogs
> (http://www.apache.org/dist/httpd/CHANGES_2.0.53 ) and
> note with concern that Apache 2.0.52 from fedora does
> not cover those issues.
> httpd-2.0.52-3.1.i386.rpm (latest update) was released
>   12-Nov-2004 at 15:57  and does not include the
> Apache 2.0.53 fixes.

The two security fixes in 2.0.53, for CVE CAN-2004-0942 and
CAN-2004-0885, were included in the FC3 httpd-2.0.52-3.1 package; see
the top two entries in "rpm -q --changelog httpd".

> Neither would php-4.3.10-3.2.i386.rpm released on
> 21-Dec-2004 at 13:54  contain the 31st March 2005
> updates rated as critical. 

The PHP 4.3.11 update is still in testing due to the regressions
introduced upstream relative to 4.3.10; any additional testing is very
welcome.  It'll be pushed live this week barring discovery of any
further regressions.




[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]