
[cobalt-users] Re: Re: is this what we've been discussing - CERT Advisory CA-2002-27 Apache/mod_ssl Worm



Once upon a time, Dave Thurman (Mailing List Email) <listonly@xxxxxxxxxxxxxxxxxxxx> said:
> Problem is Chris, and I see your point on what I was attempting may not be
> the fix, waiting for Sun/Cobalt could take a while, remember the Apache
> issue? Or about 4 others that they said updates out in next week (SHP) and
> we are still waiting. I think we (the community) are going to have to start
> relying on ourselves to fix the exploits starting to appear. Starting to
> sound like open source talk to me:). Many of us are running production boxes
> with no choice but to keep the boxes up and running and cross our fingers.

This would be easy if Sun followed the rules and released the sources
that go with each update.  Then it would be trivial to take their source
RPM, add the necessary patch, and rebuild.  I've complained about this
lots of times, and several times Cobalt/Sun people have responded that
they're working on it and to watch for something "soon", but I haven't
seen anything.  Maybe the Free Software Foundation needs to be contacted
to get on Sun's case about violating the GPL.

Of course, that wouldn't necessarily help with Apache, since it is under
a BSD-style license, not the GPL.  Hopefully, if Sun had a procedure to
handle GPL licensed software, they'd follow it for all Open Source
software.
-- 
Chris Adams <cmadams@xxxxxxxxxx>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.