Mike, I read through this errata and the major areas seem to be addressed, but why does RedHat do it this way? To me it would seem far easier to just issue an upgrade to httpd-2.0.43 and openssl 0.97 or 0.96h than to go through all the effort to extract the fixes between 2.0.40 and 2.0.43 and then back apply them to 2.0.40. Sure seems like a lot of monkey business! Also could introduce weird RedHat specific problems to apps. It would seem to be just as much work to do this as it would be to just provide an upgrade to the official Apache version. Additionally, then users would be able to take advantage of some of the newer capabilities in the official upgrade release - specifically referring to mod_jk2 improvements. Lastly, once you have your system apps RedHatized then it's really hard to correlate general public comments about specific app version issues with the versions on your system. I'm really not liking the way RedHat is doing this.

Thanks,
Gerry Reno

--- [EMAIL PROTECTED] wrote:
> Hello Gerry,
>
> Are you sure that the latest release from Red Hat does not secure your system to your satisfaction? Red Hat has their own version definitions which do not translate back to the Apache releases at Apache.org. The "-11" bit in the RH version: httpd-2.0.40-11.i386.rpm (from the latest errata package at:
>
> ( https://rhn.redhat.com/errata/RHSA-2002-222.html )
>
> is a custom RH only mechanism to identify releases. Since there is no way to correlate this back to Apache.org releases that I can see, you should read the errata page carefully to be sure that the issues that you are concerned about have been addressed. I am told that you can also download the .src.rpm and there will be a detailed change log for the package.
>
> On this particular package the date of the errata listed at the page above is a bit of a mystery. It was actually released on Dec 17th. It appears that RH backdates the errata pages for some reason which is unclear to me. There may be a good reason, but I just don't know what it is.
>
> Regards, Mike Klinke
>
> On Tuesday 31 December 2002 16:06, grenoml wrote:
> > There are some security holes with the version of Apache webserver (httpd-2.0.40) that ships with RedHat 8.0. There are also security holes with regard to the RH8 OpenSSL version 0.96b (need 0.96h or later to plug them). There are also issues with Apache mod_jk2 versions that are only compatible with httpd-2.0.42 or .43. I ran up2date but there are only the same versions of these applications available. I would like to upgrade to at least OpenSSL 0.96h and Apache httpd-2.0.43 on my RH8 system to close these security holes and to take advantage of mod_jk2 improvements. How can I do this and still retain the proper package dependencies in the RPM database? When I do a rpm -q --whatrequires on openssl I see a number of packages. If I just download the source for a newer version of openssl and build it how do I install it and not mess things up in the RPM world?
> >
> > Thanks,
> > Gerry Reno

--
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list
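
Added example, not part of the original thread: because the Red Hat release number cannot be mapped to an Apache.org version, the check Mike describes is to compare the issues you care about against the errata text and the package change log. The sketch below does that for a list of advisory identifiers; the function names, the identifiers and the sample changelog are constructed placeholders, and `rpm -q --changelog` is the only real command referenced.

```shell
#!/bin/sh
# Added example. On an RPM-based system the changelog would come from:
#   rpm -q --changelog httpd | missing_fixes <identifiers from the errata page>
# The identifiers and changelog below are constructed placeholders.

# missing_fixes ID...
# Reads changelog text on stdin. Prints every ID that the changelog does not
# mention and returns 1 if any are missing, 0 if all were found.
missing_fixes() {
    mf_log=$(cat)
    mf_status=0
    for mf_id in "$@"; do
        # -F fixed string, -w whole word (ID-0003 must not match ID-00030),
        # -i because changelog authors vary the case of identifiers.
        if ! printf '%s\n' "$mf_log" | grep -qiFw -e "$mf_id"; then
            printf '%s\n' "$mf_id"
            mf_status=1
        fi
    done
    return "$mf_status"
}

# Constructed changelog in the layout "rpm -q --changelog" prints.
sample_changelog() {
    cat <<'EOF'
* Mon Jan 06 2003 Example Packager <packager@example.com> 1.0-3
- backport upstream fix for EXAMPLE-ID-0002

* Mon Dec 02 2002 Example Packager <packager@example.com> 1.0-2
- add security fix for example-id-0001
- unrelated note mentioning EXAMPLE-ID-00030
EOF
}

# Demo: 0001 and 0002 are present, 0003 is not (00030 must not count).
if sample_changelog | missing_fixes EXAMPLE-ID-0001 EXAMPLE-ID-0002 EXAMPLE-ID-0003; then
    echo "all listed fixes are mentioned in the changelog"
else
    echo "^ not mentioned in the changelog; check the errata text or the .src.rpm"
fi
```

An identifier missing from the changelog only means the packager did not name it there, so a miss is a prompt to read the errata page and the .src.rpm patches rather than proof that the fix is absent.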