Who do you trust?
OBSD and the maintainer of that package or the 
lighttpd upstream maintainers?
I'm sure it is being looked at.
Please use another OS that is more dedicated to security
if this overly concerns you.

On Sat, Mar 16, 2013, at 04:36 AM, Alexander Nusov wrote:
> Hello,
> I'm trying to get why to use binary packages if they are not updated?
> 
> For example, this package confuses me: lighttpd
> 
> ftp://ftp.openbsd.org/pub/OpenBSD/5.2/packages/amd64/
> lighttpd-1.4.31p0-ldap-mysql.tgz  339 kB  31.07.12 0:00:00
> lighttpd-1.4.31p0-ldap.tgz  335 kB  31.07.12 0:00:00
> lighttpd-1.4.31p0-mysql.tgz  337 kB  31.07.12 0:00:00
> lighttpd-1.4.31p0.tgz
> 
> But now the latest version is 1.4.32 because of a vulnerability fix on
> November 21 (One important denial of service (in 1.4.31) fix:
> CVE-2012-5533.)
