apache2 port

Clement Laforet sheepkiller at cultdeadsheep.org
Fri Oct 1 00:31:32 PDT 2004


On Thu, 30 Sep 2004 17:41:19 -0400
"Peter C. Lai" <sirmoo at cowbert.net> wrote:
[please next time, CC me]

hi,

> On Thu, Sep 30, 2004 at 02:10:00PM -0700, Eli Dart wrote:
> > 
> > In reply to "Peter C. Lai" <sirmoo at cowbert.net> :
> > 
> > > if PORTVERSION isn't 2.0.51 then you shouldn't be getting anything
> > > in 2.0.51(if you say the vulnerability was only introduced with
> > > 2.0.51).
> > 
> > Of course.  However, the main reason for rolling version 2.0.51 was 
> > to fix 3 security problems.  The maintainer chose to keep version 
> > 2.0.50 and apply patches for those vulnerabilities rather than
> > update the port to version 2.0.51.  If those patches were the only
> > changes between 2.0.50 and 2.0.51, then the version in ports (as
> > installed) is vulnerable, whatever PORTVERSION says.

I chose to keep 2.0.50 to avoid, during the ports freeze, possible
regression problems (and they happened).
Apache 2.0.51 wasn't a security-only release; it was just
prematurely released due to potential critical security issues.
CAN-2004-0811 was introduced by changes in the Satisfy directive.
(please refer to the CHANGES file)
I didn't backport it, so apache-2.0.50_3 is NOT vulnerable.
If it were, it would surely be fixed by now.

> It would appear from the description to be linked to changes made to 
> correct CAN-2004-0747: Buffer overflow in Apache 2.0.50 and earlier
> allows local users to gain apache privileges via a .htaccess file that
> causes the overflow during expansion of environment variables.
It is fixed too, http://www.vuxml.org/freebsd/4d49f4ba-071f-11d9-b45d-000c41e2cdad.html

> Then it is vulnerable. Could the port maintainer confirm this and if
> so, file a vuxml document for 2.0.50_3?
AFAIK, the apache2 port is free of known vulnerabilities.

clem
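The thread turns on a point the version string alone cannot settle: a port that stays at 2.0.50 with a PORTREVISION bump (2.0.50_3) can carry the same fixes as 2.0.51, and VuXML expresses that by bounding the affected range at the patched package version, not at the upstream release. The following is an added example, not code from this thread or from the FreeBSD project: it compares a FreeBSD package version string (VERSION[_PORTREVISION][,PORTEPOCH]) against the bounds of a VuXML <range> and reports which entries match. The VuXML document embedded below is constructed for illustration; its vid, package names and bounds are made up and describe no real advisory. The comparison is a simplified form of the pkg_version ordering (epoch first, then dotted components, then revision) and does not reproduce that tool's finer handling of letters, "pl" and "+" suffixes.

```python
"""Match a FreeBSD package version against VuXML <affects> ranges.

Added example (not from the freebsd-ports thread or the FreeBSD project).
The VuXML sample below is constructed: the vid, names and bounds are made up.
"""
import re
import xml.etree.ElementTree as ET

# Namespace used by VuXML documents (assumed from the VuXML schema).
VUXML_NS = "{http://www.vuxml.org/apps/vuxml-1}"

# Constructed sample: one entry whose fix landed in the 2.0.50_3 package,
# so 2.0.50_3 itself is outside the affected range while 2.0.50_2 is inside.
SAMPLE_VUXML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000000">
    <topic>apache -- constructed example entry, not a real advisory</topic>
    <affects>
      <package>
        <name>apache</name>
        <name>apache+mod_ssl</name>
        <range><ge>2.0</ge><lt>2.0.50_3</lt></range>
      </package>
    </affects>
  </vuln>
</vuxml>
"""


def parse_pkg_version(v):
    """Split VERSION[_PORTREVISION][,PORTEPOCH] into (epoch, components, revision).

    Each dotted component becomes (numeric prefix, alphabetic remainder) so that
    tuples compare in the expected order; missing revision/epoch default to 0.
    """
    epoch = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in v:
        v, r = v.rsplit("_", 1)
        revision = int(r)
    comps = []
    for part in v.split("."):
        m = re.match(r"(\d*)(.*)", part)
        comps.append((int(m.group(1)) if m.group(1) else 0, m.group(2)))
    return epoch, comps, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 like pkg_version -t (simplified ordering)."""
    ea, ca, ra = parse_pkg_version(a)
    eb, cb, rb = parse_pkg_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    # A shorter version list compares as if padded with zero components.
    n = max(len(ca), len(cb))
    ca = ca + [(0, "")] * (n - len(ca))
    cb = cb + [(0, "")] * (n - len(cb))
    if ca != cb:
        return -1 if ca < cb else 1
    if ra != rb:
        return -1 if ra < rb else 1
    return 0


# VuXML bound elements and the comparison result each one accepts.
BOUND_OPS = {
    "lt": lambda c: c < 0,
    "le": lambda c: c <= 0,
    "gt": lambda c: c > 0,
    "ge": lambda c: c >= 0,
    "eq": lambda c: c == 0,
}


def range_matches(rng, pkgversion):
    """All bounds inside a single <range> must hold (they are ANDed)."""
    for bound in rng:
        op = BOUND_OPS[bound.tag[len(VUXML_NS):]]
        if not op(compare_versions(pkgversion, bound.text.strip())):
            return False
    return True


def affected_vids(vuxml_text, pkgname, pkgversion):
    """Return the vids of entries whose <affects> cover pkgname-pkgversion."""
    hits = []
    for vuln in ET.fromstring(vuxml_text).iter(VUXML_NS + "vuln"):
        vid = vuln.get("vid")
        for package in vuln.iter(VUXML_NS + "package"):
            names = {n.text.strip() for n in package.findall(VUXML_NS + "name")}
            if pkgname not in names or vid in hits:
                continue
            # Separate <range> elements are alternatives (ORed).
            if any(range_matches(r, pkgversion) for r in package.findall(VUXML_NS + "range")):
                hits.append(vid)
    return hits


if __name__ == "__main__":
    for ver in ("2.0.50_2", "2.0.50_3", "2.0.51"):
        print(ver, affected_vids(SAMPLE_VUXML, "apache", ver))
```

With the constructed entry, apache-2.0.50_2 is reported as affected while apache-2.0.50_3 and apache-2.0.51 are not, which is exactly the situation the maintainer describes: the patched package sits outside the range even though its upstream version number is lower than 2.0.51. Note that the comparison also honours PORTEPOCH, so a version such as 2.0.50_3,1 sorts above any epoch-0 version.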