> Please keep your replies on the mailing list so that everyone can benefit from the discussion.Oh, sorry, I probably click on Reply and not Reply All! Will keep an eye on that in the future!I'm worried that the version of Apache released by The Apache Software Foundation is less safe because of the warnings on this page of Red Hat:"Note that the versions of Apache HTTP Server included in the above products are in most cases vastly different from the upstream community releases of the same versionThis is explained by Red Hat's Security Backporting Policy and is the most common cause of admins/auditors trying to get a newer version of ApacheFor example: EWS 2.1.0 & EAP 6.4.0 include Apache httpd based on upstream v2.2.26; however, they also include multiple CVE security fixes which are not in the original community release of Apache httpd 2.2.266Community releases of Apache httpd are NOT supported"What do you think of this?- Jeroen--------------------------------------------------------Support the independent web, use Firefox
------- Original Message -------
On Tuesday, March 1st, 2022 at 5:27 PM, Yehuda Katz <yehuda@xxxxxxxxxx> wrote:
Please keep your replies on the mailing list so that everyone can benefit from the discussion.What is your "threat model" in which this way is less safe?For example: Are you worried that the packaged version from someone else has been modified with a backdoor? Are you worried that you would not be able to get RPMs for new versions in a timely fashion when a security issue is announced?There are different ways to address different concerns, but if you are more specific, we can make sure you get the best answer.- YSent from a device with a very small keyboard and hyperactive autocorrect.On Tue, Mar 1, 2022, 11:18 AM Jeroen Verhoeckx <j.verhoeckx@xxxxxxxxxxxxxx> wrote:> Since you don't have paid support from RedHat, there is absolutely no reason to not install your own version of httpd.I don't mind doing that but I'm afraid it's less safe?Thanks for thinking along!Jeroen Verhoeckx------- Original Message -------
On Thursday, February 24th, 2022 at 10:41 PM, Yehuda Katz <yehuda@xxxxxxxxxx> wrote:
In terms of getting a RedHat eningeer, it looks like you have done all you can do. There are RedHat developers on this list and on the RedHat forums and they also look at Bugzilla, so there probably isn't much more you can do.Since you don't have paid support from RedHat, there is absolutely no reason to not install your own version of httpd.- YOn Thu, Feb 24, 2022 at 9:37 AM Jeroen Verhoeckx <j.verhoeckx@xxxxxxxxxxxxxx> wrote:Hello Yehuda,First: sorry for my very late reply!> You mention in the bug report that you are running an old version of HTTPD because you are using the version packaged by RedHat.
> Your bug report asks RedHat to backport the specific fixes for your issue.Yes, that's a really good summary of what I try to achieve!About the two options:
- I have the 'Red Hat Developer Subscription for Individuals' and thus I'm not entitled to get any official support.
- Red Hat strongly discourages the installation of a different version of Apache (https://access.redhat.com/solutions/445713) .
I asked the same question on Red Hat Community portal (https://access.redhat.com/discussions/6756211) but so far I didn't get any reaction.Does someone know where the Apache developers of Red Hat hang out?Jeroen Verhoeckx--------------------------------------------------------Support the independent web, use Firefox------- Original Message -------
On Friday, February 18th, 2022 at 8:38 PM, Yehuda Katz <yehuda@xxxxxxxxxx> wrote:
I see two options for you going forward:1. Contacting RedHat: You need a subscription to do this. Posting to the upstream HTTPD mailing list probably won't help.2. Use a different package: There are newer rpms available if you don't want to build your own. You can look at rpmfind or build the rpm yourself (https://httpd.apache.org/docs/2.4/platform/rpm.html)- YOn Fri, Feb 18, 2022 at 1:02 PM Jeroen Verhoeckx <j.verhoeckx@xxxxxxxxxxxxxx.invalid> wrote:Hello Apache Administrators,On 6 January I reported a possible bug of Apache on Red Hat's Bugzilla, but no one has responded since then.It's about this bug report:Does someone have an idea about what I could do next?Does someone know I place where I can contact RHEL Apache developers/administrators?Or is there another friendly way to get attention for this bug report?Yours sincerely,Jeroen Verhoeckx