Hi
Subject: Re: [suse-security] apache 1.3.19
You can always download and compile it yourself.
-miah
I can run for president as well, if I have the time and money... but this isn't the point. One of the main reasons I chose SuSE a few years back when entering into the Linux world, was that it gave me the option of not needing to study to be a Linux guru, before running a small production system, but could somewhat lean on my computer experience so far from the DOS and Windows world. The rpm format was perfect for me, as I don't have the time to dig too deep, although I sure have fiddled a lot with it... and learned. I have noticed two things though, the versions or distros replace each other far quicker in Linux than Windows, for good and worse... and the SuSE distros don't like it too much if you opt in a traditional compile and install here and there... if you want your system somewhat clean, and things easily get broken.
I think it's ok with the majority of packages if they are not maintained for features through the distros, but for certain of the more important, and tightly into SuSE integrated packages there ought to be another policy, like with apache. I have updated my distro with new CDs 6 times and most of these times it has been to be up to date with apache or sendmail. I have been ok with that, but now I kinda start to hesitate as I haven't more than almost installed the latest and a new one is out and which I have to get fixing some security in one of the two most important packages. I made a choice some years ago based on my current situation and SuSE fitted me then, although it wasn't a system preferably to run as web- and mail server, but maybe it's time for me to re-evaluate the situation of today and look around... mark, I am not complaining, just releasing my point of view in questioning.
thanks, Joakim
On Thu, Apr 19, 2001 at 06:48:15PM +0200, Hostmaster wrote:
Why isn't there an apache 1.3.19 update for SuSE 7.0? Isn't this "classified" as a security update/fix? At least this is what the apache release note says... as well as the 7.1 update page. I'm aware of the SuSE maintenance policy for older releases, but for God's sake I bought 7.0 just a few months ago! And this was my 6th set of SuSE dist CDs and believe such important and widely used packet of the distribution should have a somewhat longer lifetime than a couple of months...? Thanks, Joakim Schramm
From 1.3.19 release notes:
"Apache 1.3.19 Major changes

The primary security fix is:

- The default installation could lead mod_negotiation and mod_dir or mod_autoindex to display a directory listing instead of the multiview'ed index.html.* files, if a very long path was created artificially by using many slashes. Now 403 FORBIDDEN is returned.

The bug fixes are:

- The ServerRoot directive now removes trailing slashes.
- Restore functionality broken by the mod_rewrite security fix: The mod_rewrite string arithmetic is corrected for rewrite map.
- Some possible segfault conditions have been fixed.
- Under certain circumstances, Apache did not supply the right response headers when requiring authentication."
--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
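Added example, not part of the original messages: a log check for the request pattern the quoted 1.3.19 release notes describe, a path padded with many slashes, which a server with the fix answers with 403. The Common Log Format input, the `MIN_RUN` threshold of 32 and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/bash
# Added example, not from the thread. Flags access-log requests whose path
# holds a long run of consecutive slashes. Assumes Common Log Format.

# Assumed tuning threshold: shortest slash run that is reported.
MIN_RUN="${MIN_RUN:-32}"

# Prints "client status longest_run" per suspicious request.
# Reads the named log files, or stdin when none are given.
find_slash_runs() {
    awk -v min="$MIN_RUN" '
    {
        # Request line is the first double-quoted field: METHOD PATH PROTO
        if (split($0, q, "\"") < 3) next
        if (split(q[2], req, " ") < 2) next
        path = req[2]
        split(q[3], tail, " ")      # tail[1] is the response status
        longest = 0; run = 0
        for (i = 1; i <= length(path); i++) {
            if (substr(path, i, 1) == "/") {
                run++
                if (run > longest) longest = run
            } else {
                run = 0
            }
        }
        if (longest >= min) print $1, tail[1], longest
    }' "$@"
}

# Constructed sample log: one padded request answered 200, one answered 403.
make_sample_log() {
    pad=$(printf '%40s' '' | tr ' ' '/')
    printf '%s\n' \
        '192.0.2.10 - - [19/Apr/2001:18:48:15 +0200] "GET /index.html HTTP/1.0" 200 1043' \
        "198.51.100.7 - - [19/Apr/2001:18:49:02 +0200] \"GET /docs${pad} HTTP/1.0\" 200 5120" \
        "198.51.100.7 - - [19/Apr/2001:18:49:09 +0200] \"GET /docs${pad} HTTP/1.0\" 403 289" \
        '192.0.2.10 - - [19/Apr/2001:18:50:00 +0200] "GET /a//b/ HTTP/1.0" 200 77'
}

make_sample_log | find_slash_runs
```

A reported line with status 200 means the server served the padded request instead of refusing it, which is the case worth checking against the installed Apache version.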
Present evidence to the contrary, running for president and compiling apache are not really equivalent tasks ;-)

There is an awful lot that you can do with minimal effort to be able to compile things on your own without getting 'too deep' and without writing rpm build scripts yourself. I've gotten in the habit of getting the source and testing it out. I use a shell script to remind myself of how I want apache configured and installed. A minimal version of this script is found below. Run this from your unpacked apache directory and the only thing you'll have to worry about is modules that you've added. I also use the same kinds of scripts to build those, just because once I've figured it out, I want to be able to do that for all the machines the same way. RPM is a good way to do that, but that means you either have to wait for RPMs or learn to build them yourself.

#!/bin/bash
# Stop at the first failing step so a broken build is never installed.
set -e

# Configure with the SuSE layout and all modules, built as shared objects.
./configure \
    --verbose \
    --with-layout=SuSE \
    --enable-module=all \
    --enable-shared=max

# Build, then install into the paths defined by the layout.
make
make install

On Thursday, April 19, 2001, at 01:53 , Joakim Schramm wrote:
Hi
Subject: Re: [suse-security] apache 1.3.19
You can always download and compile it yourself.
-miah
I can run for president as well, if I have the time and money... but this isn't the point. One of the main reasons I chose SuSE a few years back when entering into the Linux world, was that it gave me the option of not needing to study to be a Linux guru, before running a small production system, but could somewhat lean on my computer experience so far from the DOS and Windows world. The rpm format was perfect for me, as I don't have the time to dig too deep, although I sure have fiddled a lot with it... and learned. I have noticed two things though, the versions or distros replace each other far quicker in Linux than Windows, for good and worse... and the SuSE distros don't like it too much if you opt in a traditional compile and install here and there... if you want your system somewhat clean, and things easily get broken.
I think it's ok with the majority of packages if they are not maintained for features through the distros, but for certain of the more important, and tightly into SuSE integrated packages there ought to be another policy, like with apache. I have updated my distro with new CDs 6 times and most of these times it has been to be up to date with apache or sendmail. I have been ok with that, but now I kinda start to hesitate as I haven't more than almost installed the latest and a new one is out and which I have to get fixing some security in one of the two most important packages. I made a choice some years ago based on my current situation and SuSE fitted me then, although it wasn't a system preferably to run as web- and mail server, but maybe it's time for me to re-evaluate the situation of today and look around... mark, I am not complaining, just releasing my point of view in questioning.
thanks, Joakim
On Thu, Apr 19, 2001 at 06:48:15PM +0200, Hostmaster wrote:
Why isn't there an apache 1.3.19 update for SuSE 7.0? Isn't this "classified" as a security update/fix? At least this is what the apache release note says... as well as the 7.1 update page. I'm aware of the SuSE maintenance policy for older releases, but for God's sake I bought 7.0 just a few months ago! And this was my 6th set of SuSE dist CDs and believe such important and widely used packet of the distribution should have a somewhat longer lifetime than a couple of months...? Thanks, Joakim Schramm
From 1.3.19 release notes:
"Apache 1.3.19 Major changes

The primary security fix is:

- The default installation could lead mod_negotiation and mod_dir or mod_autoindex to display a directory listing instead of the multiview'ed index.html.* files, if a very long path was created artificially by using many slashes. Now 403 FORBIDDEN is returned.

The bug fixes are:

- The ServerRoot directive now removes trailing slashes.
- Restore functionality broken by the mod_rewrite security fix: The mod_rewrite string arithmetic is corrected for rewrite map.
- Some possible segfault conditions have been fixed.
- Under certain circumstances, Apache did not supply the right response headers when requiring authentication."
participants (2)
- Joakim Schramm
- Larry Mills-Gahl