Sorry, I misunderstood your answer. I thought you were redirecting me to the other ml. I've also read the answer sent by Matthew Wilcox <[EMAIL PROTECTED]> to this same thread (amongst other related messages and the like).
My opinion is that if a security bug is discovered it should be fixed ASAP. It's really simple. The argument: "We believe that there is no security update required because intentionally exploiting this vulnerability requires access to apache's configuration (either http.conf or .htaccess)." is equivalent to: "yes, we know that our .deb is vulnerable but we are not going to fix it because it is difficult to exploit or the exploitability is limited". Wrong, wrong, wrong. We're talking about a known security issue. Why not fix it? All security issues should be taken into account and should be fixed!!! What would happen if someone discovered a different attack vector for the *same* bug? Should we wait for this event to occur? Not really a good idea...

Regards,

--Roman

--
PGP Fingerprint: 09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]

On Thu, 30 Oct 2003 14:04:35 -0500, you wrote:

>On Thu, Oct 30, 2003 at 07:58:50PM +0100, Roman Medina wrote:
>
>> On Thu, 30 Oct 2003 12:21:09 -0500, you wrote:
>>
>> > Ask [EMAIL PROTECTED]
>> >
>> >See above.
>>
>> I'm not subscribed to debian-apache, nor am I going to subscribe only
>> to ask this. If this is a security issue in Debian, why not discuss it
>> in a Debian security ml? I repeat it: I have segfaults in my apache
>> error-logs and this happened only recently (this week) so I probably have
>> reasons to be scared... or not?
>
>I didn't say that you should subscribe. I told you where the decision came
>from so that you could ask someone who could give you a more specific
>answer, and in exchange for this, you keep complaining to me about your
>server error logs. If you cared enough about this issue, you would make the
>effort to investigate it yourself.
>
>--
> - mdz