Re: [SECURITY] [DSA-594-1] New Apache packages fix arbitrary code execution
Hi security and Steve,
I thought so too. Then I upgraded a box with apache (not apache-ssl) and apache got upgraded. . .but I found:
So I know the things he lists as vulnerable are indeed in apache-common (dpkg -x'd the package), but then I'm left with a question, perhaps simply because I don't know much about Debian's security release engineering methods:
Why did apache need to get upgraded too, if the vulnerabilities were in apache-common? If apache is upgraded, then why isn't apache-ssl? They can (obviously) be installed independent of each other, so I'm just a tad confused.
FWIW, I have to say that I would then ask the same question about apache-dev: if there was no vulnerability, then why was it included in the security announcement?
(and I'll say again, maybe I'm totally missing something here. . .)
Reminder: I'm not on the list, so please CC me if you reply!
On Wed, Nov 17, 2004 at 07:26:28PM -0600, Steve Suehring wrote:
> If I'm not mistaken the vulnerabilities existed in two files found in
> apache-common. Since apache-common is a prerequisite for apache-ssl,
> updating apache-common should correct the vulnerability. I could be
> wrong and I'm sure someone will correct me if I am. :)
> On Wed, Nov 17, 2004, Adam Morley wrote:
> > Hi,
> > What about apache-ssl? I see updates for apache, apache-common and
> > apache-doc, but not apache-ssl: