Hi security and Steve, I thought so too. Then I upgraded a box with apache (not apache-ssl) and apache got ugpraded. . .but I found:
http://lists.debian.org/debian-security/2004/11/msg00095.html So I know the things he lists as vulnerable are indeed in apache-common (dpkg -x'd the package), but then I'm left with a question, perhaps simply because I don't know much about Debian's security release engineering methods: Why did apache need to get upgraded too, if the vulnerabilities were in apache-common? If apache is upgraded, then why isn't apache-ssl? They can (obviously) be installed independant of each other, so I'm just a tad confused. FWIW, I have to say that I would then ask the same question about apache-dev: if there was no vulnerability, then why was it included in the security announcement? (and I'll say again, maybe I'm totally missing something here. . .) Reminder: I'm not on the list, so please CC me if you reply! Thanks! adam On Wed, Nov 17, 2004 at 07:26:28PM -0600, Steve Suehring wrote: > > If I'm not mistaken the vulnerabilities existed in two files found in > apache-common. Since apache-common is a prerequisite for apache-ssl, > updating apache-common should correct the vulnerability. I could be > wrong and I'm sure someone will correct me if I am. :) > > Steve > > On Wed, Nov 17, 2004, Adam Morley wrote: > > Hi, > > > > What about apache-ssl? I see updates for apache, apache-common and > > apache-doc, but not apache-ssl: > > -- adam -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
