apr vulnerability
Philip M. Gollucci
pgollucci at p6m7g8.com
Thu Oct 28 07:56:43 UTC 2010
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 10/28/10 07:29, Andrea Venturoli wrote:
> On one of the servers I manage, portaudit claims:
> portaudit
> Affected package: apr-0.9.19.0.9.19
> Type of problem: apr -- multiple vulnerabilities.
> Reference:
> <http://portaudit.FreeBSD.org/eb9212f7-526b-11de-bbf2-001b77d09812.html>
>
> Following the above links, I find that apr<1.3.5.1.3.7 is involved.
>
>
>
> I see on Freshports that apr was updated on 2010/10/20 to address a
> security risk: the link is:
> http://www.vuxml.org/freebsd/dd943fbb-d0fe-11df-95a8-00219b0fc4d8.html
>
> There, however, it says apr0<0.9.19.0.9.19 is involved.
>
>
>
> So, I'm confused: is apr-0.9.19.0.9.19 (which is the one I have)
> vulnerable or not?
apr has 3 tracks:
devel/apr0 - apr0: legacy: apr/0.9.19, apr-util/0.9.19
devel/apr1 - apr1: ga: apr/1.3.5, apr-util/1.3.7
devel/apr2 - apr2: devel not released yet
neither devel/apr0 or devel/apr1 are vunerable.
devel/apr2 needs to be updated to a newer snapshot.
To fix your error, the PKGNAME for devel/apr0 needs to be updated to
match the security/vuxml entry.
I should able to get to that Friday during $work time.
- --
- ------------------------------------------------------------------------
1024D/DB9B8C1C B90B FBC3 A3A1 C71A 8E70 3F8C 75B8 8FFB DB9B 8C1C
Philip M. Gollucci (pgollucci at p6m7g8.com) c: 703.336.9354
VP Apache Infrastructure; Member, Apache Software Foundation
Committer, FreeBSD Foundation
Consultant, P6M7G8 Inc.
Sr. System Admin, Ridecharge Inc.
Work like you don't need the money,
love like you'll never get hurt,
and dance like nobody's watching.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (FreeBSD)
iD8DBQFMySy2dbiP+9ubjBwRArPPAJ9qVkmlzYSy0oCetYFao8vfSKHTswCePFiK
jCyftRKJ6ki9NcQbmAohVzs=
=+Eqs
-----END PGP SIGNATURE-----
More information about the freebsd-ports
mailing list