On Mon, Apr 12, 2004 at 03:39:44PM -0400, Chuck Swiger wrote:
> Matthew Seaman wrote:
> [ ... ]
> >Your friend is being unnecessarily alarmist.  apache2 is not
> >significantly different to apache13 in security terms.
> There have been 16 CVE entries list for Apache 2, and 8 for Apache 1.x:
> http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=apache+2
> http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=apache+1

Errr -- did you look at the lists of entries those searches actually
turn up?  Quite a few of the entries for the 'apache+2' search are
actually apache-1.3.x specific...  In fact, by my reckoning most of
the CVE entries which are generic apache problems (i.e. they aren't OS
or distribution specific, or they don't depend on some 3rd party code,
like PHP) -- most of those apply equally to both apache-1.3.x and
apache-2.0.x.  If you search for the currently released apache
versions, there are 2 entries mentioning apache-1.3.29 (one of which
is actually for versions *before* 1.3.29), and also 2 mentioning
apache-2.0.49 (again one of which only applies to versions *before*

I don't think that simply counting CVE entries is going to tell you
very much useful.



Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK

Attachment: pgp00000.pgp
Description: PGP signature

Reply via email to