Is Raw Hide Apache RPM stable with RH 9?

Scott Garman sgarman at einstein.unh.edu
Mon Aug 18 01:07:28 EDT 2003


On Mon, 2003-08-18 at 00:34, Greg Bonnette wrote:
> My Apache 2.0.40 / RH 9 Web server seems to have been getting DoS’d
> more frequently as of late. I thought I had the most recent packages
> installed, but it turns out the latest RPM redhat has released was for
> 2.0.40, and the current release is 2.0.47. I searched rpmfind.net as
> usual and found an apache 2.0.47 rpm for the developmental Raw Hide
> release. Has anyone upgraded their RH 9 apache packages with this
> rawhide rpm? I know my other option is to remove the old package and
> install the latest version the old fashioned way, but I like the
> convenience of the RPM’s. If only up2date was actually up to date.
> Thanks

RedHat generally "backports" security patches to work with their
supported versions of packages if they don't want to offer the latest
version. This is especially true for packages such as apache and the
kernel.

If it's the case that the latest official update RPM for RH 9
(httpd-2.0.40-11.5) is vulnerable to a known DoS exploit, then I believe
RedHat is either working on releasing a new update or the exploit is
brand new and the 2.0.47 release is probably vulnerable to it as well. 

Rawhide RPMs are definitely *not* to be used on production systems, and
I wouldn't recommend it unless you're desperate. 

Scott

-- 
Scott A. Garman                            Unix System Administrator
sgarman at einstein dot unh dot edu        UNH Nuclear Physics Group
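
Added example, not part of the original message or of Red Hat's tooling: because fixes are backported, the upstream version number alone does not say which advisories a package covers, but the RPM changelog does. The sketch below maps each CVE/CAN id in a changelog to the build whose entry mentions it; the function names and the sample changelog (dates, packager, ids, and the 2.0.40-11.3 build) are constructed for illustration.

```shell
#!/bin/sh
# Added example: map each CVE/CAN id in an RPM changelog to the package
# build (version-release) whose changelog entry mentions it.
# Live use on an RPM-based host:  rpm -q --changelog httpd | backported_fixes

backported_fixes() {
    awk '
        # Entry header: "* Wed Jul 09 2003 Name <email> 2.0.40-11.5"
        /^\*/ { build = $NF; next }
        # Body lines: print every CVE-/CAN- id together with that build
        {
            line = $0
            while (match(line, /(CVE|CAN)-[0-9][0-9][0-9][0-9]-[0-9]+/)) {
                print substr(line, RSTART, RLENGTH), build
                line = substr(line, RSTART + RLENGTH)
            }
        }
    '
}

# has_fix ID: succeeds if the changelog on stdin mentions ID
has_fix() {
    backported_fixes | awk -v id="$1" '$1 == id { found = 1 } END { exit !found }'
}

# Constructed changelog: ids are placeholders, not real advisories,
# and the dates, packager and 11.3 build are made up for the example.
sample_changelog() {
cat <<'EOF'
* Wed Jul 09 2003 Example Packager <packager@example.com> 2.0.40-11.5
- add security fix for CAN-0000-0002
- add security fixes for CAN-0000-0003, CAN-0000-0004

* Mon Mar 31 2003 Example Packager <packager@example.com> 2.0.40-11.3
- add security fix for CAN-0000-0001
EOF
}

sample_changelog | backported_fixes
```

An id missing from the changelog means the package maintainer has not recorded a fix for it, which is the case to raise with the vendor rather than a reason to pull a development build.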




More information about the gnhlug-discuss mailing list