On 6/20/07, David Hartburn <David.Hartburn@xxxxxxxxxxxxxxxxxxxx> wrote:
Hi, I've got a couple of questions regarding mod_coldfusion and issues running older versions of Apache.

First of all, does anyone have a copy of the modified source code for combining ColdFusion 5 and Apache 2? The official mod_coldfusion does not interface between the two, however resources on the web suggest some people wrote a modified (unsupported) version back in 2002. Being so long ago, I've been unable to find the code on the web anywhere.

Given that a number of security flaws have arisen since Apache 2.0.52, would anyone advise still using it? I do have a pre-compiled mod_coldfusion module for that version, currently running on our old web servers, which would be a quick fix for the problem. My feeling is that we should completely drop the old version, as it is insecure, and move to the very latest. Does anyone think that running 2.0.52 is still ok on live public facing web servers?

It is always best to keep up with the latest version. You'll need to do it eventually anyway.

But to answer your specific question, read through this page:
http://httpd.apache.org/security/vulnerabilities_20.html

You'll see there that the only "important" security vulnerabilities are a denial-of-service attack, a problem with SSLVerifyClient, and a problem with a specific type of mod_rewrite configuration. You should evaluate how serious those problems are for your setup.

Joshua.