On 6/20/07, David Hartburn <[EMAIL PROTECTED]> wrote:
Hi,

I've got a couple of questions regarding mod_coldfusion and issues
running older versions of apache.

First of all, does anyone have a copy of the modified source code for
combining ColdFusion 5 and Apache 2? The official mod_coldfusion does
not interface between the two, however resources on the web suggest some
people wrote a modified (unsupported) version back in 2002. Being so
long ago, I've been unable to find the code on the web anywhere.

Given that a number of security flaws have arisen since Apache 2.0.52,
would anyone advise still using it? I do have a pre-compiled
mod_coldfusion module for that version, currently running on our old web
servers, which would be a quick fix for the problem. My feeling is that
we should completely drop the old version, as it is insecure and move to
the very latest. Does anyone think that running 2.0.52 is still ok on
live public facing web servers?

It is always best to keep up with the latest version. You'll need to
do it eventually anyway.

But to answer your specific question, read through this page:
http://httpd.apache.org/security/vulnerabilities_20.html

You'll see there that the only "important" security vulnerabilities
are a denial-of-service attack, a problem with SSLVerifyClient, and a
problem with a specific type of mod_rewrite configuration. You should
evaluate how serious those problems are for your setup.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
  "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to