@Yehuda Katz: what do you think of my e-mail/comment below?

------- Original Message -------
On Tuesday, March 1st, 2022 at 8:11 PM, Jeroen Verhoeckx <j.verhoe...@protonmail.com> wrote:

>> Please keep your replies on the mailing list so that everyone can benefit
>> from the discussion.
>
> Oh, sorry, I probably clicked on Reply and not Reply All! Will keep an eye on
> that in the future!
>
> I'm worried that the version of Apache released by The Apache Software
> Foundation is less safe because of the warnings [on this page of Red
> Hat](https://access.redhat.com/solutions/445713):
> https://access.redhat.com/solutions/445713
>
> "Note that the versions of Apache HTTP Server included in the above products
> are in most cases vastly different from the upstream community releases of
> the same version.
> This is explained by Red Hat's Security Backporting Policy and is the most
> common cause of admins/auditors trying to get a newer version of Apache.
> For example: EWS 2.1.0 & EAP 6.4.0 include Apache httpd based on upstream
> v2.2.26; however, they also include multiple CVE security fixes which are not
> in the original community release of Apache httpd 2.2.26.
> Community releases of Apache httpd are NOT supported."
>
> What do you think of this?
>
> - Jeroen
>
> --------------------------------------------------------
> Support the independent web, use
> [Firefox](https://www.mozilla.org/en-US/firefox/new/)
>
> ------- Original Message -------
> On Tuesday, March 1st, 2022 at 5:27 PM, Yehuda Katz <yeh...@ymkatz.net> wrote:
>
>> Please keep your replies on the mailing list so that everyone can benefit
>> from the discussion.
>>
>> What is your "threat model" in which this way is less safe?
>>
>> For example: Are you worried that the packaged version from someone else has
>> been modified with a backdoor? Are you worried that you would not be able to
>> get RPMs for new versions in a timely fashion when a security issue is
>> announced?
>>
>> There are different ways to address different concerns, but if you are more
>> specific, we can make sure you get the best answer.
>>
>> - Y
>>
>> Sent from a device with a very small keyboard and hyperactive autocorrect.
>>
>> On Tue, Mar 1, 2022, 11:18 AM Jeroen Verhoeckx <j.verhoe...@protonmail.com>
>> wrote:
>>
>>>> Since you don't have paid support from RedHat, there is absolutely no
>>>> reason to not install your own version of httpd.
>>>
>>> I don't mind doing that, but I'm afraid it's less safe?
>>>
>>> Thanks for thinking along!
>>>
>>> Jeroen Verhoeckx
>>>
>>> --------------------------------------------------------
>>> Support the independent web, use
>>> [Firefox](https://www.mozilla.org/en-US/firefox/new/)
>>>
>>> ------- Original Message -------
>>> On Thursday, February 24th, 2022 at 10:41 PM, Yehuda Katz
>>> <yeh...@ymkatz.net> wrote:
>>>
>>>> In terms of getting a RedHat engineer, it looks like you have done all you
>>>> can do. There are RedHat developers on this list and on the RedHat forums,
>>>> and they also look at Bugzilla, so there probably isn't much more you can
>>>> do.
>>>>
>>>> Since you don't have paid support from RedHat, there is absolutely no
>>>> reason to not install your own version of httpd.
>>>>
>>>> - Y
>>>>
>>>> On Thu, Feb 24, 2022 at 9:37 AM Jeroen Verhoeckx
>>>> <j.verhoe...@protonmail.com> wrote:
>>>>
>>>>> Hello Yehuda,
>>>>>
>>>>> First: sorry for my very late reply!
>>>>>
>>>>>> You mention in the bug report that you are running an old version of
>>>>>> HTTPD because you are using the version packaged by RedHat.
>>>>>> Your bug report asks RedHat to backport the specific fixes for your
>>>>>> issue.
>>>>>
>>>>> Yes, that's a really good summary of what I'm trying to achieve!
>>>>>
>>>>> About the two options:
>>>>>
>>>>> - I have the 'Red Hat Developer Subscription for Individuals' and thus
>>>>>   I'm not entitled to get any official support.
>>>>> - Red Hat strongly discourages the installation of a different version of
>>>>>   Apache (https://access.redhat.com/solutions/445713).
>>>>>
>>>>> I asked the same question on the Red Hat Community portal
>>>>> (https://access.redhat.com/discussions/6756211) but so far I didn't get
>>>>> any reaction.
>>>>>
>>>>> Does someone know where the Apache developers of Red Hat hang out?
>>>>>
>>>>> Jeroen Verhoeckx
>>>>>
>>>>> --------------------------------------------------------
>>>>> Support the independent web, use
>>>>> [Firefox](https://www.mozilla.org/en-US/firefox/new/)
>>>>>
>>>>> ------- Original Message -------
>>>>> On Friday, February 18th, 2022 at 8:38 PM, Yehuda Katz
>>>>> <yeh...@ymkatz.net> wrote:
>>>>>
>>>>>> I see two options for you going forward:
>>>>>>
>>>>>> 1. Contacting RedHat: You need a subscription to do this. Posting to the
>>>>>>    upstream HTTPD mailing list probably won't help.
>>>>>>
>>>>>> 2. Use a different package: There are newer rpms available if you don't
>>>>>>    want to build your own. You can look at rpmfind or build the rpm
>>>>>>    yourself (https://httpd.apache.org/docs/2.4/platform/rpm.html).
>>>>>>
>>>>>> - Y
>>>>>>
>>>>>> On Fri, Feb 18, 2022 at 1:02 PM Jeroen Verhoeckx
>>>>>> <j.verhoe...@protonmail.com.invalid> wrote:
>>>>>>
>>>>>>> Hello Apache Administrators,
>>>>>>>
>>>>>>> On 6 January I reported a possible bug of Apache on Red Hat's Bugzilla,
>>>>>>> but no one has responded since then.
>>>>>>>
>>>>>>> It's about this bug report:
>>>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=2037967
>>>>>>>
>>>>>>> Does someone have an idea about what I could do next?
>>>>>>> Does someone know a place where I can contact RHEL Apache
>>>>>>> developers/administrators?
>>>>>>> Or is there another friendly way to get attention for this bug report?
>>>>>>>
>>>>>>> Yours sincerely,
>>>>>>>
>>>>>>> Jeroen Verhoeckx
>>>>>>>
>>>>>>> --------------------------------------------------------
>>>>>>> Support the independent web, use
>>>>>>> [Firefox](https://www.mozilla.org/en-US/firefox/new/)
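The thread's core point, that a Red Hat httpd package keeps an old upstream version string but carries backported CVE fixes, means a version-number comparison against upstream says nothing about whether a given fix is present. The check an administrator actually wants is whether the package's own changelog names the CVE. The shell script below is an added example, not part of the thread or of any Red Hat or Apache tooling: on a real RHEL host the changelog would come from `rpm -q --changelog httpd`, but here a constructed changelog excerpt with obviously placeholder CVE identifiers (CVE-0000-00001 and CVE-0000-00002, not real ids) stands in so the functions run offline.

```shell
#!/bin/sh
# Added example: decide whether a distro-packaged httpd carries a backported
# fix for a given CVE by scanning the package changelog for that CVE id.
# The changelog text below is CONSTRUCTED for this example; the CVE ids in it
# are PLACEHOLDERS, not real advisories. On a RHEL host you would feed in the
# real changelog instead:  rpm -q --changelog httpd

SAMPLE_CHANGELOG='* Mon Jan 03 2022 Placeholder Maintainer <maint@example.invalid> - 2.4.37-43
- Resolves: CVE-0000-00001 (placeholder id) - backported fix
- Resolves: CVE-0000-00002 (placeholder id) - backported fix

* Wed Dec 01 2021 Placeholder Maintainer <maint@example.invalid> - 2.4.37-42
- rebuild with updated build flags'

# cve_fixed CHANGELOG_TEXT CVE_ID
# Exit status 0 if the changelog mentions CVE_ID (case-insensitive), 1 otherwise.
# "--" stops grep from treating the leading "CVE-" of the id as an option.
cve_fixed() {
    printf '%s\n' "$1" | grep -qi -- "$2"
}

# list_cves CHANGELOG_TEXT
# Print every distinct CVE id named in the changelog, one per line, sorted.
list_cves() {
    printf '%s\n' "$1" | grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# count_cves CHANGELOG_TEXT
# Print the number of distinct CVE ids named in the changelog.
count_cves() {
    list_cves "$1" | wc -l | tr -d ' '
}

# package_version CHANGELOG_TEXT
# Print the version-release from the newest changelog entry (first "* " line).
# This is the number that stays at 2.4.37-style values while fixes are
# backported, which is why it must not be compared with upstream releases.
package_version() {
    printf '%s\n' "$1" | grep '^\* ' | head -n 1 | sed 's/.* - //'
}

# Usage on a real host (assumes the rpm tool is present; CVE-YYYY-NNNNN is a
# placeholder for the advisory you are checking):
#   cl="$(rpm -q --changelog httpd)"
#   cve_fixed "$cl" CVE-YYYY-NNNNN && echo "fix listed" || echo "fix not listed"
```

Because this relies on the packager naming the CVE in the changelog, a negative result means "not listed", not necessarily "unfixed"; for a definitive answer the vendor's errata for the package version is the reference, and the changelog check is the quick first pass that avoids being misled by the old upstream version string.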