Christian Hammers wrote: > > I cannot find a reference to CAN-2003-0987 for Debian Woody. > It has been fixed in unstable/sarge in version 1.3.29.0.2-5. While it appears to be true that this hasn't been fixed in Woody, it's also pretty low risk, since mod_digest doesn't even work with modern browsers, and hence is rarely used. (mod_auth_digest, which does work with modern browsers, doesn't have the security hole) ... Adam