Re: Is apache24-2.4.54 vulnerable ?

Reply: Wall, Stephen: "RE: Is apache24-2.4.54 vulnerable ?"
In reply to: moto kawasaki : "Re: Is apache24-2.4.54 vulnerable ?"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Masachika ISHIZUKA <ish_at_amail.plala.or.jp>
Date: Fri, 10 Jun 2022 00:54:48 UTC

>> % pkg audit -F
>> vulnxml file up-to-date
>> apache24-2.4.54 is vulnerable:
>> Apache httpd -- Multiple vulnerabilities
>>   CVE: CVE-2022-26377
>>   CVE: CVE-2022-28330
>>   CVE: CVE-2022-28614
>>   CVE: CVE-2022-28615
>>   CVE: CVE-2022-29404
>>   CVE: CVE-2022-30522
>>   CVE: CVE-2022-30556
>>   CVE: CVE-2022-31813
>>   WWW: https://vuxml.FreeBSD.org/freebsd/49adfbe5-e7d1-11ec-8fbd-d4c9ef517024.html
>> 1 problem(s) in 1 installed package(s) found.
>
> It seems like true for apache24-2.4.53 and prior, and fixed version is
> ...2.4.54.
> 
> See also Apache httpd's Security Reports page:
> https://httpd.apache.org/security/vulnerabilities_24.html

  My question is that apache24-2.4.54 is shown vulnerable on
security/vuxml 959028638c9e3236ab91a2d8865fb3893775a28a.

vuln-2022.xml:
  <affects>
    <package>
    <name>apache24</name>
    <range><lt>2.5.54</lt></range>   <------- 2.4.54 ???
    </package> ~~~~~~
  </affects>
-- 
Masachika ISHIZUKA