Date: Mon, 12 Apr 2004 17:00:51 -0400
From: Chuck Swiger <cswiger@mac.com>
To: Matthew Seaman <m.seaman@infracaninophile.co.uk>, freebsd Questions <freebsd-questions@FreeBSD.ORG>
Subject: Re: apache13-modssl
Message-ID: <407B0383.8080004@mac.com>
In-Reply-To: <20040412203209.GA69747@happy-idiot-talk.infracaninophile.co.uk>
References: <20040412095020.M76613@maa-net.net> <20040412102829.GB7692@happy-idiot-talk.infracaninophile.co.uk> <407AF080.5070109@mac.com> <20040412203209.GA69747@happy-idiot-talk.infracaninophile.co.uk>

Matthew Seaman wrote:
[ ... ]
>>http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=apache+2
>>http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=apache+1
>
> Errr -- did you look at the lists of entries those searches actually turn
> up? [ ...some analysis snipped... ] I don't think that simply counting
> CVE entries is going to tell you very much useful.

No, I didn't look closely at the results. Without a lot more knowledge of the
anonymous friend's security concerns (what their security policy is; whether
local compromise vs remote matters, for instance; exploits related to specific
modules they were running [simply considering the interactions of mod_ssl with
OpenSSL vulnerabilities is a topic of considerable complexity]; etc), the # of
CVE entries is as relevant as any other statistic.

I agree with you, in other words: not very...useful. :-)

However, someone who cared to make a meaningful comparison might start with
the CVEs, plus checking the ChangeLogs, security-focus/bugtrak/etc mailing
lists, and any other convenient data sources besides.

-- 
-Chuck