On Mon, Apr 12, 2004 at 03:39:44PM -0400, Chuck Swiger wrote: > Matthew Seaman wrote: > [ ... ] > >Your friend is being unnecessarily alarmist. apache2 is not > >significantly different to apache13 in security terms. > > There have been 16 CVE entries list for Apache 2, and 8 for Apache 1.x: > > http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=apache+2 > http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=apache+1
Errr -- did you look at the lists of entries those searches actually turn up? Quite a few of the entries for the 'apache+2' search are actually apache-1.3.x specific... In fact, by my reckoning most of the CVE entries which are generic apache problems (i.e. they aren't OS or distribution specific, or they don't depend on some 3rd party code, like PHP) -- most of those apply equally to both apache-1.3.x and apache-2.0.x. If you search for the currently released apache versions, there are 2 entries mentioning apache-1.3.29 (one of which is actually for versions *before* 1.3.29), and also 2 mentioning apache-2.0.49 (again one of which only applies to versions *before* 2.0.49) I don't think that simply counting CVE entries is going to tell you very much useful. Cheers, Matthew -- Dr Matthew J Seaman MA, D.Phil. 26 The Paddocks Savill Way PGP: http://www.infracaninophile.co.uk/pgpkey Marlow Tel: +44 1628 476614 Bucks., SL7 1TH UK
pgp00000.pgp
Description: PGP signature