Date: Tue, 9 Apr 2002 10:12:03 -0500
From: "Jacques A. Vidrine"
To: Barney Wolff
Cc: security@FreeBSD.ORG
Subject: Re: FreeBSD Security Notice FreeBSD-SN-02:01

On Sat, Apr 06, 2002 at 02:32:43PM -0500, Barney Wolff wrote:
> I don't understand the status of "Not yet fixed." The advisory says
> mod_ssl versions < 2.8.7 have the bug, while 2.8.8 is the port
> distfile as of 3/28/02. What am I missing?
>
> On Fri, Apr 05, 2002 at 07:12:24AM -0800, FreeBSD Security Advisories wrote:
> > +------------------------------------------------------------------------+
> > Port name:      apache13-ssl, apache13-modssl
> > Affected:       all versions of apache+ssl
> >                 all versions of apache+mod_ssl
> > Status:         Not yet fixed.
> > Buffer overflows in SSL session cache handling.
> >

You aren't missing anything. The port was updated while the notice
was undergoing review, and the new version was missed.
Revisions to the security notice will follow as ports are fixed.

Cheers,
-- 
Jacques A. Vidrine http://www.nectar.cc/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se