Sean Conner wrote:
Why would you want to go back in time?Any number of reasons, including size restrictions, custom modules that haven't been ported to 2.x, support issues, etc. etc.A burning desire to expose oneself to security problems? http://httpd.apache.org/security/vulnerabilities_13.htmlMaybe. Maybe not. It depends on which modules are in use, platforms used, etc. etc. (I'm running 1.3.31 on a server---the bugs listed past 1.3.31 don't affect the server at all since I'm not using the modules inquestion, or the conditions don't apply).-spc (Again, if it ain't broke, don't fix it)
Exactly Sean; you answered your own statement. If you read that list of vulnerabilites_13 and compare your two paragraphs above, you will prove yourself the fool, considering that core itself on windows was vulnerable (a 'module' that's impossible to work around) and the inquiry was for Windows version 1.3.12, so they determined the platform in use and the target version they desired to install. You are right in the sense that features-not-in-use aren't a vulnerability. But it overlooks the fact that when you install a version with vulnerabilities, and then you (or another admin) later enable the feature-with-vulnerability, you prove your original 'legacy install' was a poor choice in the first place. Anyways, Shai answered the poster's question, heaven help him :) But hey, what is one more windows zombie box anyways? A raindrop in the hurricane doesn't make all that much difference : Besides vulnerabilities, do be aware that much smaller, but sometimes bugs that affect you, do get stealth fixes without hitting CHANGES. The only way to see all the changes is to review all the commits between versions. The developers try to mention most of the big stuff that folks will frequently notice, but if your server isn't behaving correctly - using the latest version (**especially** for fresh installs!) will get you faster results from a bug report. The devs often ignore bug reports against 2 year old versions of the software. Those are your problem, trunk (or the current releases) is what the devs feel some pride and ownership of. Bill --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx