Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


09-23-2011, 07:21 PM

was, This doesn't make sense, is the apache update

The one thing I don't understand is this: AFAIK, apache release not a
server update, but an update to the certificate chain, yanking Digitar's
CA. This isn't a binary compatibility issue, it's, as we said when I was
programming, just data. Can't that be pushed through, or are there code
updates in addition?

mark

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
09-23-2011, 08:14 PM
Warren Young

On 9/23/2011 1:21 PM, m.roth@5-cent.us wrote:
> The one thing I don't understand is this: AFAIK, apache release not a
> server update, but an update to the certificate chain, yanking Digitar's
> CA.

What, pray tell, are you talking about?

I assume you mean "DigiNotar", the defunct Dutch CA?

What does the complete collapse of a once-trusted CA have to do with
Apache? All this noise about DigiNotar is about bogus server-side
certs, and how they impact browsers and other client-side SSL users. I
have heard nothing about any resulting threat to Apache. The only one I
can conceive is something to do with bogus client-side certs, which
seems pretty unlikely, given how rarely they are used.

Additionally:

- "grep -Ris diginotar /etc/pki" returns nothing. Ditto for "vasco",
DigiNotar's parent organization. This file you are worried about...it
apparently lives somewhere else, or does not contain these words?

- Googling "diginotar site:mail-archives.apache.org" also returns
nothing. So there's a threat to Apache, but no one on any of the Apache
mailing lists is talking about it?

09-23-2011, 08:21 PM

Warren Young wrote:
> On 9/23/2011 1:21 PM, m.roth@5-cent.us wrote:
>> The one thing I don't understand is this: AFAIK, apache release not a
>> server update, but an update to the certificate chain, yanking Digitar's
>> CA.
>
> What, pray tell, are you talking about?
>
> I assume you mean "DigiNotar", the defunct Dutch CA?

Yeah, then. I thought they had several versions of their name, btw.
>
> What does the complete collapse of a once-trusted CA have to do with
> Apache? All this noise about DigiNotar is about bogus server-side
> certs, and how they impact browsers and other client-side SSL users. I
> have heard nothing about any resulting threat to Apache. The only one I
> can conceive is something to do with bogus client-side certs, which
> seems pretty unlikely, given how rarely they are used.

First, I thought that some websites had a CA on the server side, and I
thought I read that apache was pushing out a fix that merely removed the
CA from the chain. That you don't have one doesn't necessarily mean that
some other release might have one, or that some site installed it.

Also, I don't think I've seen the Mozilla update same for browsers, which
I'd *really* like to push to everybody on our subnet.

mark


09-23-2011, 08:24 PM
Craig White

On Sep 23, 2011, at 12:21 PM, m.roth@5-cent.us wrote:

> The one thing I don't understand is this: AFAIK, apache release not a
> server update, but an update to the certificate chain, yanking Digitar's
> CA. This isn't a binary compatibility issue, it's, as we said when I was
> programming, just data. Can't that be pushed through, or are there code
> updates in addition?
----
The Apache update has nothing whatsoever to do with issues presented by the (now defunct) DigiNotar Certificate Authority.

That would be handled by updates to browser applications and/or OS Root Certificate store (ca-certificates), which is significant if you have users on the system, but again, this all has nothing to do with security updates released for apache (httpd).

Craig
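Added example, not part of the thread and not CentOS or Apache code: a name search over a trust store, like the grep over /etc/pki and the ca-certificates store mentioned above, can only match where the bundle carries readable text, because the names inside a PEM block are base64-encoded. The sketch below decodes each block before searching; the function names and the sample bundle are constructed for illustration, and the search term is assumed to be ASCII.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def naive_text_search(bundle_text, needle):
    """What a case-insensitive grep over the bundle file effectively does."""
    return needle.lower() in bundle_text.lower()


def find_in_decoded_bundle(bundle_text, needle):
    """Return 0-based positions of PEM blocks whose decoded DER mentions needle.

    Coarse check: it matches subject, issuer or any other field, so treat a
    hit as "inspect this certificate", not as proof it is a trusted root.
    """
    # Name strings are usually ASCII-compatible (PrintableString/UTF8String);
    # BMPString stores them as UTF-16BE, so look for both encodings.
    wanted = [needle.lower().encode("ascii"), needle.lower().encode("utf-16-be")]
    hits = []
    for position, block in enumerate(PEM_BLOCK.finditer(bundle_text)):
        der = base64.b64decode("".join(block.group(1).split()))
        haystack = der.lower()  # bytes.lower() only folds ASCII letters
        if any(w in haystack for w in wanted):
            hits.append(position)
    return hits


def _pem(body):
    """Wrap raw bytes as a PEM block, 64 base64 characters per line."""
    b64 = base64.b64encode(body).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines,
                      "-----END CERTIFICATE-----"])


# Constructed sample: placeholder bytes that only imitate the name fields of
# a certificate; they are not real or valid certificates.
SAMPLE_BUNDLE = "\n".join([
    _pem(b"\x30\x2a\x0c\x10Example Trust CA\x0c\x16Example Root Authority"),
    _pem(b"\x30\x20\x13\x09DigiNotar\x13\x13Constructed Root CA"),
    _pem(b"\x30\x1e\x1e\x12" + "DigiNotar".encode("utf-16-be") + b"\x0c\x08Sample 3"),
])

if __name__ == "__main__":
    print(naive_text_search(SAMPLE_BUNDLE, "diginotar"))
    print(find_in_decoded_bundle(SAMPLE_BUNDLE, "diginotar"))
```

On a real system the text to pass in is the content of whichever bundle file the ca-certificates package installs; each reported position should then be inspected with a certificate viewer before deciding anything about trust.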
 

All times are GMT.