[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [SECURITY] [DSA-594-1] New Apache packages fix arbitrary code execution

Hi security and Steve,

I thought so too.  Then I upgraded a box with apache (not apache-ssl) and apache got ugpraded. . .but I found:


So I know the things he lists as vulnerable are indeed in apache-common (dpkg -x'd the package), but then I'm left with a question, perhaps simply because I don't know much about Debian's security release engineering methods:

Why did apache need to get upgraded too, if the vulnerabilities were in apache-common?  If apache is upgraded, then why isn't apache-ssl?  They can (obviously) be installed independant of each other, so I'm just a tad confused.

FWIW, I have to say that I would then ask the same question about apache-dev: if there was no vulnerability, then why was it included in the security announcement?

(and I'll say again, maybe I'm totally missing something here. . .)

Reminder: I'm not on the list, so please CC me if you reply!


On Wed, Nov 17, 2004 at 07:26:28PM -0600, Steve Suehring wrote:
> If I'm not mistaken the vulnerabilities existed in two files found in
> apache-common.  Since apache-common is a prerequisite for apache-ssl,
> updating apache-common should correct the vulnerability.  I could be
> wrong and I'm sure someone will correct me if I am.  :)
> Steve
> On Wed, Nov 17, 2004, Adam Morley wrote:
> > Hi,
> > 
> > What about apache-ssl?  I see updates for apache, apache-common and 
> > apache-doc, but not apache-ssl:
> > 


Reply to: