Rob Townley
2009-Mar-22 19:40 UTC
[CentOS] Backporting and Apache 2.0.52 is 4 1/2 years old
http://httpd.apache.org/security/vulnerabilities_20.html states that Apache 2.0.52 is 4 years old and the latest version is 2.0.68. I am no longer a httpd expert, but at least one of the security fixes involves XSS attacks via malformed ftp commands. I also realize that redhat / centos may patch things separately from Apache and that the sysadmin has a great deal to do with how secure things are, but almost 5 years?

Does the sysadmin for www.centos.org get paid?

-------------- next part --------------
HTTP/1.1 200 OK
Date: Sun, 22 Mar 2009 19:37:51 GMT
Server: Apache/2.0.52 (CentOS)
X-Powered-By: PHP/4.3.9
Set-Cookie: PHPSESSID=f12ba53116e0f192b7653131d951a17d; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: private, no-cache
Pragma: no-cache
Content-Type: text/html; charset=ISO-8859-1
Connection: keep-alive
Rainer Duffner
2009-Mar-22 20:13 UTC
[CentOS] Backporting and Apache 2.0.52 is 4 1/2 years old
On 22.03.2009 at 20:40, Rob Townley wrote:

> http://httpd.apache.org/security/vulnerabilities_20.html
>
> states that Apache 2.0.52 is 4 years old and the latest version is
> 2.0.68.
> i am no longer a httpd expert, but at least one of the security fixes
> involves XSS attacks via malformed ftp commands. I also realize that
> redhat / centos may patch things separately from Apache and that the
> sysadmin has a great deal to do with how secure things are, but
> almost 5 years?

Download the src-RPM and make a checklist of which CVEs are fixed and which are not. (It's in a changelog file somewhere; I don't remember the details, it's been a while since I actually looked.)

Then, return here.

Best Regards,
Rainer
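The checklist Rainer describes can be automated: pull the CVE identifiers out of the package changelog and compare them against the list on the upstream advisory page. The script below is an added example, not code from the thread or from the CentOS project. It embeds a constructed changelog snippet in the style of `rpm -q --changelog httpd` output, and the CVE identifiers in it are placeholders (CVE-0000-xxxx), not real advisories; on a live system you would feed it the real command output and the real list from the advisory page.

```python
import re
from typing import Dict, List, Set

# Constructed sample in the style of `rpm -q --changelog httpd` output.
# The CVE identifiers are placeholders, not real advisories.
SAMPLE_CHANGELOG = """\
* Mon Feb 02 2009 Example Packager <packager@example.invalid> - 2.0.52-41
- add security fix for CVE-0000-1111 (mod_proxy_ftp XSS)
- add security fix for CVE-0000-2222

* Wed Jan 07 2009 Example Packager <packager@example.invalid> - 2.0.52-40
- rebuild against updated apr
"""

# Placeholder list standing in for the CVEs that the upstream page
# (http://httpd.apache.org/security/vulnerabilities_20.html) would list
# for releases newer than the packaged 2.0.52.
UPSTREAM_CVES = ["CVE-0000-1111", "CVE-0000-2222", "CVE-0000-3333"]

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


def cves_in_changelog(changelog: str) -> Set[str]:
    """Return every CVE identifier mentioned anywhere in the changelog text."""
    return set(CVE_RE.findall(changelog))


def backport_checklist(changelog: str, upstream: List[str]) -> Dict[str, List[str]]:
    """Split the upstream CVE list into those the changelog claims to fix and
    those it never mentions. A CVE missing from the changelog is reported as
    'unverified' rather than 'unfixed': the packaged version may predate the
    bug entirely, or the maintainer may have folded it into an unnamed patch,
    so each one still needs a manual look at the src-RPM patches."""
    mentioned = cves_in_changelog(changelog)
    fixed = sorted(c for c in upstream if c in mentioned)
    unverified = sorted(c for c in upstream if c not in mentioned)
    return {"fixed": fixed, "unverified": unverified}


def banner_version(server_header: str) -> str:
    """Extract the upstream version from a Server header value such as
    'Apache/2.0.52 (CentOS)'. With backported fixes this number only tells
    you the base release, not which CVEs are patched; the changelog does."""
    m = re.search(r"Apache/(\d+\.\d+\.\d+)", server_header)
    return m.group(1) if m else ""


if __name__ == "__main__":
    # On a real host: changelog = subprocess.check_output(
    #     ["rpm", "-q", "--changelog", "httpd"], text=True)
    report = backport_checklist(SAMPLE_CHANGELOG, UPSTREAM_CVES)
    print("banner reports:", banner_version("Apache/2.0.52 (CentOS)"))
    print("fixed per changelog:", ", ".join(report["fixed"]) or "none")
    print("not mentioned (check src-RPM):", ", ".join(report["unverified"]) or "none")
```

The two halves make the thread's point concrete: the banner parsed from the `Server:` header in Rob's attachment says only "2.0.52", while the changelog is what actually records which advisories the vendor backported.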
Lanny Marcus
2009-Mar-23 01:50 UTC
[CentOS] Backporting and Apache 2.0.52 is 4 1/2 years old
On 3/22/09, Rob Townley <rob.townley at gmail.com> wrote:

> http://httpd.apache.org/security/vulnerabilities_20.html
> states that Apache 2.0.52 is 4 years old and the latest version is 2.0.68.
> i am no longer a httpd expert, but at least one of the security fixes
> involves XSS attacks via malformed ftp commands. I also realize that
> redhat / centos may patch things separately from Apache and that the
> sysadmin has a great deal to do with how secure things are, but
> almost 5 years?

This is an Enterprise Distro and very rarely has the latest and greatest. It is supported for a long time and security updates are backported. The life is 7 years. Much longer than the life of a Distro with the latest and greatest.

> Does the sysadmin for www.centos.org get paid?

The CentOS team works for free on this project and they do an outstanding job. They also have full-time jobs, so they are very busy. If you want the latest and greatest, you can install it yourself, but if it breaks, it's your problem. Decide which you want: (a) long life, stability and security, or (b) the latest and greatest stuff.