On Mon, 2005-04-11 at 18:11 +0100, Loki Choggio wrote:
> --- Alexander Dalloz <ad+lists@xxxxxxxxx> wrote:
>
> > http://www.gurulabs.com/goodies/guru+guides.php
> I was not looking at how to build an rpm in general
> but the specific Apache 2.0.53, php 4.3.11 and openssl
> 0.9.7f rpms. Having built firefox & ttfonts rpms for
> example I know the process but need the spec files.
>
> > > For example while Apache 2.0.53 was released Fedora
> > > didn't bother updating so the present 2.0.52 is
> > > theoretically exploitable. For example php 4.3.11 came
> > > out on March 31st but no updates are around the corner
> > > Fedorawise. We know what happened with the holes in
> > > php 4.3.9 and the exploits in existence.
> >
> > Security fixes are backported. Maybe you should read
> > the RPMs changelogs.
>
> I have indeed read the changelogs
> (http://www.apache.org/dist/httpd/CHANGES_2.0.53 ) and
> note with concern that Apache 2.0.52 from Fedora does
> not cover those issues.
> httpd-2.0.52-3.1.i386.rpm (latest update) was released
> 12-Nov-2004 at 15:57 and does not include the
> Apache 2.0.53 fixes.
----
Seemed to me that they do - which one specifically (ICANN #) are you concerned with?
----
>
> Neither would php-4.3.10-3.2.i386.rpm released on
> 21-Dec-2004 at 13:54 contain the 31st March 2005
> updates rated as critical.
----
I am looking at...

http://www.php.net/ChangeLog-4.php

Which is the 'critical update' that you feel you are missing?
----
> Perhaps you would like to elaborate further on your
> "backporting claim".
----
There is a Red Hat policy of back porting which I presume Fedora is following but I don't know of the URL of any official policy for Fedora.

Craig