
Re: [SECURITY] [DSA-594-1] New Apache packages fix arbitrary code execution

This one time, at band camp, Adam Morley said:
> Hi security and Steve,
> I thought so too.  Then I upgraded a box with apache (not apache-ssl)
> and apache got upgraded. . .but I found:
> http://lists.debian.org/debian-security/2004/11/msg00095.html
> So I know the things he lists as vulnerable are indeed in
> apache-common (dpkg -x'd the package), but then I'm left with a
> question, perhaps simply because I don't know much about Debian's
> security release engineering methods:
> Why did apache need to get upgraded too, if the vulnerabilities were
> in apache-common?  If apache is upgraded, then why isn't apache-ssl?
> They can (obviously) be installed independent of each other, so I'm
> just a tad confused.

steve@hadrian:~$ apt-cache showsrc apache
Package: apache
Binary: apache-common, apache-dev, apache-doc, apache

So all the binary packages that are built from the same source get
upgraded.  apache-ssl and apache-perl have different source packages,
and so are unaffected.

|   ,''`.					     Stephen Gran |
|  : :' :					 sgran@debian.org |
|  `. `'			Debian user, admin, and developer |
|    `-					    http://www.debian.org |

Attachment: pgpeMG9LRQhja.pgp
Description: PGP signature
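
The source-to-binary relationship described in the reply above, as an added example that is not part of the original message: it parses `apt-cache showsrc`-style stanzas and lists which installed binary packages a fix to one source package will upgrade. The apache-ssl and apache-perl stanzas, the folded Binary line, the installed set and all function names are assumptions made for illustration.

```python
import re

# Constructed sample in `apt-cache showsrc` stanza form. The apache Binary
# list is from the message (folded here to exercise continuation lines);
# the apache-ssl and apache-perl stanzas are assumed.
SAMPLE_SHOWSRC = """\
Package: apache
Binary: apache-common, apache-dev,
 apache-doc, apache

Package: apache-ssl
Binary: apache-ssl

Package: apache-perl
Binary: apache-perl
"""


def source_to_binaries(text):
    """Map each source package to the binary packages it builds."""
    mapping = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t") and key:      # folded continuation
                fields[key] += " " + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        if "Package" not in fields:
            continue
        built = mapping.setdefault(fields["Package"], [])
        for name in fields.get("Binary", "").split(","):
            name = name.strip()
            if name and name not in built:           # showsrc may repeat a source
                built.append(name)
    return mapping


def installed_binaries_to_upgrade(advisory_source, showsrc_text, installed):
    """Installed packages rebuilt when `advisory_source` gets a fixed upload."""
    built = source_to_binaries(showsrc_text).get(advisory_source, [])
    return sorted(p for p in installed if p in built)


if __name__ == "__main__":
    installed = {"apache", "apache-common", "apache-ssl"}   # constructed host
    print(installed_binaries_to_upgrade("apache", SAMPLE_SHOWSRC, installed))
```
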
