Hi all, I run a FrontPage-enabled apache server on Woody. I apply the 1.3.22 FrontPage patch which is claimed by rtr.com to work with versions 1.3.22, 1.3.24, 1.3.26 and 1.3.27 to the Debian Apache sources and then build Debian binary packages. I append the procedure I use to do this below. The server has been running OK so far.
I have two questions: 1. The debs I build from the Debian apache source package come out with version number 1.3.26-0woody1 whereas the debs released to cover this vulnerability have version 1.3.26-0woody3. Why is this? Have the source packages not been updated? 2. (Related) Are the binary debs I build from the current debian 1.3.26 source package safe from this vulnerability? Does anyone have any input? Please copy me directly as I am not subscribed to the list. Debian Apache FrontPage Patch and Compile Procedure --------------------------------------------------- The patch is at ftp://ftp.rtr.com/pub/fp-patch-apache_1.3.22.Z To patch the server I follow the following procedure: Download and gunzip patch file fp-patch-apache_1.3.22.Z apt-get source apache cd apache-1.3.26/upstream/tarballs tar xvzf apache_1.3.26.tar.gz cd apache_1.3.26 patch -p1 <path_to>fp-patch-apache_1.3.22 cd <path-to-toplevel>apache-1.3.26 dpkg-buildpackage -rfakeroot -b cd .. dpkg -i apache-common dpkg -i apache Best regards, George Karaolides
