How to build latest n greatest Apache, PHP, OpenSSL rpms?
Joe Orton
jorton at redhat.com
Tue Apr 12 15:39:41 UTC 2005
On Mon, Apr 11, 2005 at 06:11:29PM +0100, Loki Choggio wrote:
> --- Alexander Dalloz <ad+lists at uni-x.org> wrote:
> > > For example while Apache 2.0.53 was released Fedora
> > > didn't bother updating so the present 2.0.52 is
> > > theoretically exploitable. For example php 4.3.11 came
> > > out on March 31st but no updates are around the corner
> > > Fedorawise. We know what happened with the holes in
> > > php 4.3.9 and the exploits in existence.
> >
> > Security fixes are backported. Maybe you should read
> > the RPMs changelogs.

It's not true that fixes are backported for Fedora as policy; the
general guideline is to ship the latest version as an update.

> I have indeed read the changelogs
> (http://www.apache.org/dist/httpd/CHANGES_2.0.53 ) and
> note with concern that Apache 2.0.52 from fedora does
> not cover those issues.
> httpd-2.0.52-3.1.i386.rpm (latest update) was released
> 12-Nov-2004 at 15:57 and does not include the
> Apache 2.0.53 fixes.

The two security fixes in 2.0.53, for CVE CAN-2004-0942 and
CAN-2004-0885, were included in the FC3 httpd-2.0.52-3.1 package; see
the top two entries in "rpm -q --changelog httpd".

> Neither would php-4.3.10-3.2.i386.rpm released on
> 21-Dec-2004 at 13:54 contain the 31st March 2005
> updates rated as critical.

The PHP 4.3.11 update is still in testing due to the regressions
introduced upstream relative to 4.3.10; any additional testing is very
welcome. It'll be pushed live this week barring discovery of any
further regressions.

http://www.redhat.com/archives/fedora-test-list/2005-April/msg00741.html

Regards,
joe
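
The changelog check mentioned in the message above, as an added example that is not part of the original e-mail: a shell function that reads `rpm -q --changelog` output and reports which changelog entry names each advisory ID, treating the CAN- and CVE- prefixes as the same identifier. The function name, the sample changelog text and the packager are constructed for illustration; only the IDs and the package version come from the message.

```shell
#!/bin/sh
# Map advisory IDs to the changelog entry that mentions them.
# Real use: rpm -q --changelog httpd | find_fix_entries CAN-2004-0942 CAN-2004-0885

find_fix_entries() {
    # stdin: changelog text; arguments: CAN-/CVE- IDs to look for.
    # Prints "ID<TAB>entry header" or "ID<TAB>NOT FOUND"; returns 1 if any is missing.
    awk -v ids="$*" '
        BEGIN {
            n = split(ids, want, " ")
            for (i = 1; i <= n; i++) {
                num = toupper(want[i])
                sub(/^(CAN|CVE)-/, "", num)   # CAN- and CVE- IDs share their numbers
                re[i] = "(CAN|CVE)-" num "[^0-9]"
            }
        }
        /^\* / { header = substr($0, 3); next }   # "* date packager version-release"
        {
            line = toupper($0) " "   # trailing space lets [^0-9] match at end of line
            # Entries are listed newest first, so the last hit kept is the
            # oldest entry naming the ID: the release where the fix first shipped.
            for (i = 1; i <= n; i++)
                if (line ~ re[i]) found[i] = header
        }
        END {
            for (i = 1; i <= n; i++) {
                if (i in found) printf "%s\t%s\n", want[i], found[i]
                else { printf "%s\tNOT FOUND\n", want[i]; missing = 1 }
            }
            exit missing + 0
        }'
}

# Constructed sample in rpm changelog layout (not the real httpd changelog).
sample_changelog() {
    cat <<'EOF'
* Fri Nov 12 2004 Example Packager <pkg@example.com> 2.0.52-3.1
- add security fix for CAN-2004-0942
- add security fix for CVE-2004-0885

* Mon Oct 04 2004 Example Packager <pkg@example.com> 2.0.52-3
- update to 2.0.52
EOF
}

# Demo on the constructed sample; the last ID is a placeholder that is absent.
sample_changelog | find_fix_entries CAN-2004-0942 CAN-2004-0885 CAN-0000-0000 || true
```

A NOT FOUND result only means the changelog text does not name the ID; it does not prove the installed build is unpatched.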