ports/156997: www/apache22 is vulnerable

Jeremy Chadwick freebsd at jdc.parodius.com
Fri May 13 09:22:54 UTC 2011

On Fri, May 13, 2011 at 09:10:29AM +0000, edwin at FreeBSD.org wrote:
> Synopsis: www/apache22 is vulnerable
> Responsible-Changed-From-To: freebsd-ports-bugs->apache
> Responsible-Changed-By: edwin
> Responsible-Changed-When: Fri May 13 09:10:28 UTC 2011
> Responsible-Changed-Why: 
> Over to maintainer (via the GNATS Auto Assign Tool)
> http://www.freebsd.org/cgi/query-pr.cgi?pr=156997

Note: this should probably be modified to refer to devel/apr* (I'm not
sure which port; apr0, apr1, or apr2 -- or maybe all of them), which is
what the Apache port relies on.

The security hole appears to be in apr_fnmatch(), so ultimately what
needs to be fixed is/are the apr port(s).


| Jeremy Chadwick                                   jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.               PGP 4BD6C0CB |

More information about the freebsd-apache mailing list