On Fri, 2002-12-13 at 09:40, Matthew Boeckman wrote:
> >
> > Are you sure that they're not addressing the issues? *My* understanding is
> > that, in most cases, the security patches are applied to the version of
> > the app currently being distributed by RH. This was certainly true with
> > regard to the OpenSSH bugs, and I'm fairly sure that philosophy is true
> > with Apache...there were a number of updates released for it, over the
> > last few months.
>
> Are they? I suppose it is possible as I inexplicably find openssh-3.1p1
> RPM's in updates.redhat.com. Not that I doubt you, but I would like to
> see some page somewhere that says so. Likewise I'd like to see the page,
> dated in August that lets us all know that they patched apache1.3.26 to
> fix that vulnerability and it's now available for download.
>
> If they are doing as you say, why the advisory that I posted earlier?
> Reading it it certainly doesn't say anything about "pull down the
> apache-1.3.26-2.rpm", but it does say to apply immediately the updates
> for 1.3.27 (which did not ship with 7.2, or 7.3).
>
Not sure what happened here with apache but redhat is typically VERY quick to produce security updates. Often they will be backported to a version that more closely resembles the version current in the distro. Or sometimes the version of an app as shipped does not have the vulnerability mentioned in the notification. This does not seem to be the case here though.

Bret