* Ken Smith ([EMAIL PROTECTED]) wrote :
> On Thu, Oct 24, 2002 at 05:00:23PM +0100, Thom May wrote:
> > * myfriend.is.not.my.enemies.org ([EMAIL PROTECTED]) wrote :
> > >
> > > Actually Andrew's concern is about security for all Apache mirrors.
> > > I think this can settle if every administrator/maintainer applies patches
> > > for their Apache webserver. But how do we know which Apache has been
> > > patched or not? I think that's why Andrew wants to do it like that.
> > >
> > Apache may suggest that the best practise would be to run 1.3.26 or better;
> > but it's a decision that is _entirely_ up to the server admins who are
> > _freely_ donating time and resources.
> > -Thom
>
> The counterpoint to that being Apache has the "responsibility" of
> making their distribution channel as free of potential tampering
> as possible. httpd versions older than 1.3.26 have known security
> issues that can allow remote attackers access to the machine and
> the opportunity to tamper with the files being distributed.
>
Unpatched versions, yes. As I said earlier in the thread, most distributions backport patches to older versions rather than introduce new versions in stable distributions. How are you planning to test for this?
> If the mirror admins are interested in helping out Apache by donating
> their time and resources perhaps they can extend that interest enough
> to help make the distribution mechanism as trustworthy (hack-proof)
> as possible. In this day and age of "the bad guys" playing games
> with attacking the root DNS servers and whatnot IMO it isn't out of
> line for Apache to request the *official* mirrors be secure within
> reason.
>
I think running an older version with the correct patchset is totally within reason.
-Thom
