chaos
November 7th, 2002, 13:50
Hi

I have got a question about OpenBSD and Apache regarding security.

OpenBSD ships with Apache (not enabled by default) but I can't remember that I have seen any patches for security issues with Apache. (There have been some security holes.)

My impression is that the OpenBSD team doesn't care about this because the web server isn't enabled by default. So I compile Apache by hand and update it when necessary.

Can any of you enlighten me on this? I would like to be able to use the Apache that ships with OpenBSD - which now is chrooted - but I'm not sure if it is secure since I haven't seen any patches for security issues with Apache.

elmore
November 7th, 2002, 15:44
There was a patch released for 3.1 which fixed a remote hole that allowed root access on OBSD that ran Apache. The exploit was released by Gobbles security. I think it's not really a question regarding OBSD not caring as much as it's just not their product. See patch 005 for 3.1, here's a link:

http://www.openbsd.org/errata31.html

chaos
November 7th, 2002, 16:27
OpenBSD ships with Apache and hence has a responsibility. Otherwise I don't think that they take security seriously, in my opinion.

I think that other users also have problems regarding this. What is recommended:
- use the Apache shipped with OpenBSD
- compile it yourself and keep it up to date

I have problems determining whether using the Apache shipped with OpenBSD and applying patches when made available is safe enough. What is your opinion on this?

bsdjunkie
November 7th, 2002, 17:22
OpenBSD does care about the security of Apache. The 3.2 release has Apache running in a chroot jail by default.

See http://openbsd.org/32.html

dkaplowitz
July 8th, 2004, 14:50
Also worth noting in this thread is the recent discussion on misc@ about the fact that OBSD will no longer update Apache beyond 1.3.29 since the Apache foundation started making changes to the license. In that discussion Theo and Henning mentioned the fact that they actually submitted security fixes to the apache foundation which were ignored by the apache foundation. So, basically, upgrading to >1.3.29 apache on OpenBSD is a security downgrade.