Security patches for Apache 1.3.x?

[Ira Abramov]

howdie!

I have an embeded system (roughly based on CentOS 3) with a few legacy
components, one of which is Apache 1.3.42, which has served us well this
far, but now we bumped into these:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1928
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0419

Since the Apache 1.x line is EOL and I don't see this package has been
maintained with sec patches by Debian or even RHEL (correct me if I
missed anything)

Before I'm forced to rock the boat with a move to Apache2, lighty or
nginx, is there a source for patches for this that I missed?

Thanks,
Ira.

-- 
Patron of the arts
Ira Abramov
http://ira.abramov.org/email/

___
Linux-il mailing list
Linux-il@cs.huji.ac.il
http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il

Re: Security patches for Apache 1.3.x?

[Yedidyah Bar-David]

On Thu, Jul 14, 2011 at 04:29:00PM +0300, Ira Abramov wrote:
 howdie!
 
 I have an embeded system (roughly based on CentOS 3) with a few legacy
 components, one of which is Apache 1.3.42, which has served us well this
 far, but now we bumped into these:
 
 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1928
 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0419
 
 Since the Apache 1.x line is EOL and I don't see this package has been
 maintained with sec patches by Debian or even RHEL (correct me if I
 missed anything)
 
 Before I'm forced to rock the boat with a move to Apache2, lighty or
 nginx, is there a source for patches for this that I missed?

You might consider RedHat's Extended Lifecycle Support. I do not see
freely distributable SRPMs for it - not sure why, whether that's legal
etc.

I used to compile and use apache 2.x on RHEL/CentOS 3 with no problem.
It will obviously require reviewing your config/modules/etc which might
be a significant task...
-- 
Didi


___
Linux-il mailing list
Linux-il@cs.huji.ac.il
http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il