apr vulnerability

Philip M. Gollucci pgollucci at p6m7g8.com
Thu Oct 28 07:56:43 UTC 2010

Hash: SHA1

On 10/28/10 07:29, Andrea Venturoli wrote:
> On one of the servers I manage, portaudit claims:
> portaudit
> Affected package: apr-
> Type of problem: apr -- multiple vulnerabilities.
> Reference:
> <http://portaudit.FreeBSD.org/eb9212f7-526b-11de-bbf2-001b77d09812.html>
> Following the above links, I find that apr< is involved.
> I see on Freshports that apr was updated on 2010/10/20 to address a
> security risk: the link is:
> http://www.vuxml.org/freebsd/dd943fbb-d0fe-11df-95a8-00219b0fc4d8.html
> There, however, it says apr0< is involved.
> So, I'm confused: is apr- (which is the one I have)
> vulnerable or not?
apr has 3 tracks:

devel/apr0 - apr0: legacy: apr/0.9.19, apr-util/0.9.19
devel/apr1 - apr1: ga:     apr/1.3.5,  apr-util/1.3.7
devel/apr2 - apr2: devel   not released yet

neither devel/apr0 or devel/apr1 are vunerable.
devel/apr2 needs to be updated to a newer snapshot.

To fix your error, the PKGNAME for devel/apr0 needs to be updated to
match the security/vuxml entry.

I should able to get to that Friday during $work time.

- -- 
- ------------------------------------------------------------------------
1024D/DB9B8C1C B90B FBC3 A3A1 C71A 8E70  3F8C 75B8 8FFB DB9B 8C1C
Philip M. Gollucci (pgollucci at p6m7g8.com) c: 703.336.9354
VP Apache Infrastructure; Member, Apache Software Foundation
Committer,                        FreeBSD Foundation
Consultant,                       P6M7G8 Inc.
Sr. System Admin,                 Ridecharge Inc.

Work like you don't need the money,
love like you'll never get hurt,
and dance like nobody's watching.
Version: GnuPG v2.0.16 (FreeBSD)


More information about the freebsd-ports mailing list