On Fri, 2002-12-13 at 10:25, Chuck Mead wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On Fri, 13 Dec 2002, Matthew Boeckman enscribed the following:
> 
> MB>> Are you sure that they're not addressing the issues?  *My* understanding is 
> MB>> that, in most cases, the security patches are applied to the version of 
> MB>> the app currently being distributed by RH.  This was certainly true with 
> MB>> regard to the OpenSSH bugs, and I'm fairly sure that philosophy is true 
> MB>> with Apache...there were a number of updates released for it, over the 
> MB>> last few months.
> MB>
> MB>Are they? I suppose it is possible as I inexplicably find openssh-3.1p1 
> MB>RPM's in updates.redhat.com. Not that I doubt you, but I would like to 
> MB>see some page somewhere that says so. Likewise I'd like to see the page, 
> MB>dated in August that lets us all know that they patched apache1.3.26 to 
> MB>fix that vulnerability and it's now available for download.
> MB>
> MB>If they are doing as you say, why the advisory that I posted earlier? 
> MB>Reading it it certainly doesn't say anything about "pull down the 
> MB>apache-1.3.26-2.rpm", but it does say to apply immediately the updates 
> MB>for 1.3.27 (which did not ship with 7.2, or 7.3).
> 
> Psyche: https://rhn.redhat.com/errata/rh8-errata.html
> Valhalla: https://rhn.redhat.com/errata/rh73-errata.html
> Enigma: https://rhn.redhat.com/errata/rh72-errata.html
> Seawolf: https://rhn.redhat.com/errata/rh71-errata.html
> 

Chuck, I think this makes his point although a little research shows it
not to be quite as bad as first thought, at least in my mind.

http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0012.html

reports the time line as :

VII. DISCLOSURE TIMELINE

8/27/2002 Issue disclosed to iDEFENSE
9/18/2002 Vendor notified at [EMAIL PROTECTED]
9/18/2002 iDEFENSE clients notified
9/19/2002 Response received from Mark J Cox ([EMAIL PROTECTED])
10/3/2002 Coordinated public disclosure



A fix for CAN-2002-0839 was first reported by apache week on October 4
when 1.3.27 was released.

http://www.apacheweek.com/issues/02-10-04#security

redhat issued rpms for Apache 1.3.277.3 on Nov 25 according to the
errata pages
https://rhn.redhat.com/errata/RHSA-2002-222.html

the timestamp for the apache rpm on updates.redhat.com:

ncftp /7.3/en/os/i386 > ls -l apache-1.3.27*
-rw-rw-r--    1 2220     235       551561   Nov 20 22:55  apache-1.3.27-2.i386.rpm
ncftp /7.3/en/os/i386 > pwd
ftp://updates.redhat.com/7.3/en/os/i386/

and a bugzilla email sent yesterday?  That does seem a little strange.

Bret



-- 
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list
