Hopefully this is not a redundant question.. Does this patch cover issues in mod_proxy as well, or were the issues introduced in 1.3.23 and later?
-N -----Original Message----- From: Bill Stoddard [mailto:[EMAIL PROTECTED]] Sent: Tuesday, June 25, 2002 9:44 AM To: [EMAIL PROTECTED] Subject: Re: CAN-2002-0392 : what about older versions of Apache? > > Some wrote... > > ... > > I must say I'm mystified by this discussion. It seems to be an > odd argument between this good practice vs that good practice. > > Roy's patch is simple, safe, and reduces the exposure substantially to a > known threat. I can't see any reason to defer letting it out; > particularly now that people have been given a few days to give voice to > any technical concerns about it. The worst outcome is that we are > embaressed - we can handle that. > > Certainly it's a good thing to be careful. Giving the right folks > a chance to look over a patch for stuff like this is a good thing. > Careful is good. It's a lot easier to be careful before the exploit > becomes widely known. > > Leaving the users with no option but to stay exposed, write their own > patch, or upgrade is pretty stern medicine for us to be proscribing. It > is very hard for some sites to upgrade. > > Let's put the patch back. +1 Bill
