From owner-freebsd-questions@FreeBSD.ORG Mon Apr 12 14:01:29 2004
Message-ID: <407B0383.8080004@mac.com>
Date: Mon, 12 Apr 2004 17:00:51 -0400
From: Chuck Swiger
Organization: The Courts of Chaos
To: Matthew Seaman, freebsd Questions
In-Reply-To: <20040412203209.GA69747@happy-idiot-talk.infracaninophile.co.uk>
Subject: Re: apache13-modssl

Matthew Seaman wrote:
[ ... ]
>>http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=apache+2
>>http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=apache+1
>
>
> Errr -- did you look at the lists of entries those searches actually turn
> up? [ ...some analysis snipped... ] I don't think that simply counting
> CVE entries is going to tell you very much useful.

No, I didn't look closely at the results. Without a lot more knowledge of the anonymous friend's security concerns (what their security policy is; whether local compromise vs remote matters, for instance; exploits related to specific modules they were running [simply considering the interactions of mod_ssl with OpenSSL vulnerabilities is a topic of considerable complexity]; etc), the # of CVE entries is as relevant as any other statistic.

I agree with you, in other words: not very...useful. :-)

However, someone who cared to make a meaningful comparison might start with the CVEs, plus checking the ChangeLogs, security-focus/bugtraq/etc mailing lists, and any other convenient data sources besides.

--
-Chuck