On Thu, Feb 28, 2002 at 02:56:02PM -0000, Jeff wrote:
>
> Andrew Suffield wrote:
> > Installing unstable packages is in no sense a solution, for
> > people doing serious security setups.
>
> What should be realised, of course, is that Apache recommended
> moving to 1.3.19 and, quite some time ago, 1.3.23 - so while you
> might consider the packaging to be unstable, the product is not.
>
> PHP are supplying patches, but recommend an upgrade to 4.1.2 <...>
>
> I don't really understand why other dists are able to package up
> the upstream recommended versions, but Debian cannot?
It is Debian security policy to backport fixes for `stable' instead of putting a whole new package version there. And I can see several good reasons for doing that (it was also discussed to some extent at LWN some time ago).

I wouldn't rush to upgrade to 1.3.23/4.1.2 before it floats around for some time. First, it may not fix all of the holes; second, a fix made in a hurry could introduce more bugs. And mixing potato with unstable/testing is no better (actually, worse) than switching to woody altogether.

As you could see, Wichert is working on a fix backport, and I would wait until he's done, and grab the security update for potato.

-- 
Dmitry Borodaenko
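As an added illustration (not part of the original message, and not Debian's own code): the backport policy discussed above relies on Debian's version ordering, where a security update keeps the same upstream version and only bumps the Debian revision, so it still sorts above the stable package but below anything in unstable. The following Python reimplements the ordering rules dpkg uses (Debian Policy 5.6.12, including the later `~` rule) and runs a constructed scenario with illustrative version strings (1.3.9-14, 1.3.9-14.1, 1.3.23-1; these are not the actual DSA numbers). The helper names `classify_upgrade` and `apt_candidate` are this example's own; the latter models apt's default behaviour without pinning, where the highest version from any source wins, which is why mixing potato with unstable pulls in the new upstream release instead of the backport.

```python
"""Debian version ordering, reimplemented after dpkg (Debian Policy 5.6.12).

Added example, not Debian's code. Version strings below are constructed for
illustration, not the real DSA numbers.
"""
import re


def _order(c):
    """Ordering weight for one character of a non-digit run (dpkg's rule)."""
    if c == "~":
        return -1          # '~' sorts before everything, even end of string
    if c.isalpha():
        return ord(c)      # letters sort before non-letters
    return ord(c) + 256    # any other character sorts after letters


def _cmp_nondigit(a, b):
    """Compare two non-digit runs; end of string weighs 0."""
    for i in range(max(len(a), len(b))):
        wa = _order(a[i]) if i < len(a) else 0
        wb = _order(b[i]) if i < len(b) else 0
        if wa != wb:
            return -1 if wa < wb else 1
    return 0


def _cmp_fragment(a, b):
    """Compare an upstream_version or debian_revision fragment by
    alternating non-digit runs (lexical, per _order) and digit runs (numeric)."""
    while a or b:
        ma, mb = re.match(r"\D*", a), re.match(r"\D*", b)
        c = _cmp_nondigit(ma.group(), mb.group())
        if c:
            return c
        a, b = a[ma.end():], b[mb.end():]
        ma, mb = re.match(r"\d*", a), re.match(r"\d*", b)
        na, nb = int(ma.group() or "0"), int(mb.group() or "0")
        if na != nb:
            return -1 if na < nb else 1
        a, b = a[ma.end():], b[mb.end():]
    return 0


def parse_version(v):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1, ordering a against b as dpkg --compare-versions does."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def classify_upgrade(installed, candidate):
    """'backport'     : same upstream version, higher Debian revision
       'new-upstream' : the upstream version itself moves forward
       'none'         : candidate is not newer than what is installed"""
    if compare_versions(candidate, installed) <= 0:
        return "none"
    same_upstream = _cmp_fragment(parse_version(installed)[1],
                                  parse_version(candidate)[1]) == 0
    return "backport" if same_upstream else "new-upstream"


def apt_candidate(available):
    """Model of apt without pinning: the highest version from any source wins."""
    best = None
    for version in available:
        if best is None or compare_versions(version, best) > 0:
            best = version
    return best


# Constructed scenario (illustrative version strings, not the actual DSA ones):
INSTALLED = "1.3.9-14"                                 # what potato shipped
POTATO_SECURITY = {"1.3.9-14", "1.3.9-14.1"}           # potato + security.debian.org
MIXED_WITH_UNSTABLE = POTATO_SECURITY | {"1.3.23-1"}   # unstable added to sources.list

if __name__ == "__main__":
    c = apt_candidate(POTATO_SECURITY)
    print(c, classify_upgrade(INSTALLED, c))           # 1.3.9-14.1 backport
    c = apt_candidate(MIXED_WITH_UNSTABLE)
    print(c, classify_upgrade(INSTALLED, c))           # 1.3.23-1 new-upstream
```

With only potato and security.debian.org in sources.list, the candidate is the backport 1.3.9-14.1: same upstream code, fix applied, Debian revision bumped. Add an unstable line and the same ordering makes 1.3.23-1 the candidate, which is the version jump the message advises against on a stable box.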

