How about doing some testing on it using the slapper exploit (I mean for mirrors that are running Red Hat)?

P.S.: Sorry for my bad idea, and I am also not blaming Red Hat.

 Andrew Kenna <[EMAIL PROTECTED]> wrote:

That's my thoughts too, but obviously people being people all have their different opinions on things.

I'm just concentrating on the content of the mirrors now to make sure they are configured properly, and carry the latest versions. If each admin wants to rely on Red Hat making their RPMs secure, it's their own network that will suffer if all holes aren't patched up.

Regards

Andrew

n.b. These are my personal thoughts and do not reflect the ideas/policies of the Apache Software Foundation in any way shape or form.


-----Original Message-----
From: Haesu [mailto:[EMAIL PROTECTED]
Sent: Friday, 25 October 2002 10:23 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Mirror Update time


Hello,
I personally believe that everyone operating the mirror must run
at least 1.3.26 or above.. I mean it would be better if all the mirrors
are *totally secure* from any possibilities of exploits, rather than just
cutting corners with redhat rpm updates that fix the problem w/o upgrading
completely. Accepted, my opinion may not be 100% correct. But the reason
for anyone to operate an official mirror is to help apache foundation to
begin with, and I believe each mirror should be proactive in its
responsibilities, including security.

--HC


On Thu, 24 Oct 2002, myfriend.is.not.my.enemies.org wrote:

>
> Actually Andrew's concern is about security for all Apache mirrors.
> I think this can be settled if every administrator/maintainer applies patches for their Apache webserver. But how do we know which Apache has been patched or not? I think that's why Andrew wants to do it like that.
>
> Thom May <[EMAIL PROTECTED]> wrote:
> * Andrew Kenna ([EMAIL PROTECTED]) wrote :
> > People, please follow the steps outlined on http://httpd.apache.org/
> > The following are mirrors that are no longer valid, meaning 1 of the following
> >
> > 1) They are un-reachable
> > 2) They do not contain the latest version of apache
> > 3) They are running a version of apache pre-dating 1.3.26
> >
> > Does anyone have any problems with removing mirror sites that are running versions of apache prior to 1.3.26 ?
>
> Yes, this is bogus. Most OS distributions prefer to backport patches rather
> than enforce an upgrade on their users.
> Debian's 2.2 release (the last but one, and still receiving updates) has a
> fully patched 1.3.9 version in, which is as secure as 1.3.26.
> So you're just causing admins extra work for no real reason.
> -Thom
>
