Hello,
I personally believe that everyone operating a mirror must run
at least 1.3.26 or above. I mean it would be better if all the mirrors
are *totally secure* from any possibilities of exploits, rather than just
cutting corners with Red Hat RPM updates that fix the problem w/o upgrading
completely. Accepted, my opinion may not be 100% correct. But the reason
for anyone to operate an official mirror is to help the Apache foundation to
begin with, and I believe each mirror should be proactive in its
responsibilities, including security.
--HC
On Thu, 24 Oct 2002, myfriend.is.not.my.enemies.org wrote:
>
> Actually Andrew's concern is about security for all Apache mirrors.
> I think this can be settled if every administrator/maintainer applies patches for
> their Apache webserver. But how do we know which Apache has been patched or
> not? I think that's why Andrew wants to do it like that.
>
> Thom May <[EMAIL PROTECTED]> wrote:
> * Andrew Kenna ([EMAIL PROTECTED]) wrote:
> > People, please follow the steps outlined on http://httpd.apache.org/
> > The following are mirrors that are no longer valid, meaning 1 of the
> > following
> >
> > 1) They are un-reachable
> > 2) They do not contain the latest version of apache
> > 3) They are running a version of apache pre-dating 1.3.26
> >
> > Does anyone have any problems with removing mirror sites that are running
> > versions of apache prior to 1.3.26 ?
>
> Yes, this is bogus. Most OS distributions prefer to backport patches rather
> than enforce an upgrade on their users.
> Debian's 2.2 release (the last but one, and still receiving updates) has a
> fully patched 1.3.9 version in, which is as secure as 1.3.26.
> So you're just causing admins extra work for no real reason.
> -Thom