ports/156997: www/apache22 is vulnerable
olli hauer
ohauer at gmx.de
Fri May 13 20:29:34 UTC 2011
On 2011-05-13 11:22, Jeremy Chadwick wrote:
> On Fri, May 13, 2011 at 09:10:29AM +0000, edwin at FreeBSD.org wrote:
>> Synopsis: www/apache22 is vulnerable
>>
>> Responsible-Changed-From-To: freebsd-ports-bugs->apache
>> Responsible-Changed-By: edwin
>> Responsible-Changed-When: Fri May 13 09:10:28 UTC 2011
>> Responsible-Changed-Why:
>> Over to maintainer (via the GNATS Auto Assign Tool)
>>
>> http://www.freebsd.org/cgi/query-pr.cgi?pr=156997
>
> Note: this should probably be modified to refer to devel/apr* (I'm not
> sure which port; apr0, apr1, or apr2 -- or maybe all of them), which is
> what the Apache port relies on.
>
> The security hole appears to be in apr_fnmatch(), so ultimately what
> needs to be fixed is/are the apr port(s).
>
> https://lwn.net/Articles/442625/
>
Hi Jeremy,
yes, this issue is apr1 related.
I just start working on a patch for the update of apr1 and apache22.
--
Thanks,
olli
More information about the freebsd-apache
mailing list