On Mon, Apr 11, 2005 at 06:11:29PM +0100, Loki Choggio wrote:
> --- Alexander Dalloz <ad+lists@xxxxxxxxx> wrote:
> > > For example while Apache 2.0.53 was released Fedora
> > > didn't bother updating so the present 2.0.52 is
> > > theoretically exploitable. For example php 4.3.11 came
> > > out on March 31st but no updates are around the corner
> > > Fedorawise. We know what happened with the holes in
> > > php 4.3.9 and the exploits in existence.
> >
> > Security fixes are backported. Maybe you should read
> > the RPMs changelogs.

It's not true that fixes are backported for Fedora as policy; the general
guideline is to ship the latest version as an update.

> I have indeed read the changelogs
> (http://www.apache.org/dist/httpd/CHANGES_2.0.53 ) and
> note with concern that Apache 2.0.52 from fedora does
> not cover those issues.
> httpd-2.0.52-3.1.i386.rpm (latest update) was released
> 12-Nov-2004 at 15:57 and does not include the
> Apache 2.0.53 fixes.

The two security fixes in 2.0.53, for CVE CAN-2004-0942 and CAN-2004-0885,
were included in the FC3 httpd-2.0.52-3.1 package; see the top two entries
in "rpm -q --changelog httpd".

> Neither would php-4.3.10-3.2.i386.rpm released on
> 21-Dec-2004 at 13:54 contain the 31st March 2005
> updates rated as critical.

The PHP 4.3.11 update is still in testing due to the regressions introduced
upstream relative to 4.3.10; any additional testing is very welcome. It'll
be pushed live this week barring discovery of any further regressions.

http://www.redhat.com/archives/fedora-test-list/2005-April/msg00741.html

Regards, joe
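The check joe points to ("rpm -q --changelog httpd", then look for the advisory IDs in the top entries) is the way to tell a backported fix from a stale version number. As an added example that is not part of this thread, the script below parses that changelog format and reports which required advisory IDs are not mentioned, treating the old CAN- prefix and CVE- as the same identifier; the changelog text and maintainer name are constructed, not real Fedora entries.

```python
import re
from collections import OrderedDict

# Constructed sample in the "rpm -q --changelog" format (newest entry first).
# Names and dates are made up; only the two advisory IDs come from the thread.
SAMPLE_CHANGELOG = """\
* Mon Nov 08 2004 Example Maintainer <maint@example.invalid> 2.0.52-3.1
- add security fixes for CAN-2004-0942 and CAN-2004-0885 (constructed entry)
- rebuild

* Tue Sep 28 2004 Example Maintainer <maint@example.invalid> 2.0.52-1
- update to 2.0.52
"""

# Entry header: "* <date> <packager> <version-release>"; last token is version-release.
ENTRY_HEADER = re.compile(r"^\* .*?\s(\S+)\s*$")
# CAN-YYYY-NNNN (pre-2005 candidate prefix) and CVE-YYYY-NNNN name the same entry.
ADVISORY_ID = re.compile(r"\b(?:CVE|CAN)-(\d{4}-\d{4,})\b")

def canonical(ident):
    """Normalise an advisory ID so CAN-2004-0942 and CVE-2004-0942 compare equal."""
    m = ADVISORY_ID.search(ident)
    if not m:
        raise ValueError("not a CVE/CAN identifier: %r" % ident)
    return "CVE-" + m.group(1)

def parse_changelog(text):
    """Return an ordered {version-release: set of canonical advisory IDs}."""
    entries = OrderedDict()
    current = None
    for line in text.splitlines():
        head = ENTRY_HEADER.match(line)
        if head:
            current = head.group(1)
            entries.setdefault(current, set())
        elif current is not None:
            entries[current].update("CVE-" + m.group(1) for m in ADVISORY_ID.finditer(line))
    return entries

def fix_version(text, ident):
    """Version-release of the newest entry mentioning the advisory, or None."""
    for version, ids in parse_changelog(text).items():
        if canonical(ident) in ids:
            return version
    return None

def missing_fixes(text, required):
    """Required advisory IDs that no changelog entry mentions (sorted, canonical)."""
    return sorted({canonical(r) for r in required} - {i for ids in parse_changelog(text).values() for i in ids})

if __name__ == "__main__":
    # CAN-2005-0000 is a placeholder ID, not a real advisory.
    print(missing_fixes(SAMPLE_CHANGELOG, ["CVE-2004-0942", "CAN-2004-0885", "CAN-2005-0000"]))
```

On a real system, feed it `subprocess.check_output(["rpm", "-q", "--changelog", "httpd"], text=True)` instead of the constructed sample.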