Date: Thu, 28 Oct 2010 07:56:39 +0000
From: "Philip M. Gollucci" <pgollucci@p6m7g8.com>
To: Andrea Venturoli <ml@netfence.it>
Cc: pgollucci@freebsd.org, freebsd-ports@freebsd.org
Subject: Re: apr vulnerability
Message-ID: <4CC92CB7.50302@p6m7g8.com>
In-Reply-To: <4CC9266B.7000405@netfence.it>
References: <4CC9266B.7000405@netfence.it>

On 10/28/10 07:29, Andrea Venturoli wrote:
> On one of the servers I manage, portaudit claims:
> portaudit
> Affected package: apr-0.9.19.0.9.19
> Type of problem: apr -- multiple vulnerabilities.
> Reference:
> <http://portaudit.FreeBSD.org/eb9212f7-526b-11de-bbf2-001b77d09812.html>
>
> Following the above links, I find that apr<1.3.5.1.3.7 is involved.
>
>
>
> I see on Freshports that apr was updated on 2010/10/20 to address a
> security risk: the link is:
> http://www.vuxml.org/freebsd/dd943fbb-d0fe-11df-95a8-00219b0fc4d8.html
>
> There, however, it says apr0<0.9.19.0.9.19 is involved.
>
>
>
> So, I'm confused: is apr-0.9.19.0.9.19 (which is the one I have)
> vulnerable or not?

apr has 3 tracks:
devel/apr0 - apr0: legacy: apr/0.9.19, apr-util/0.9.19
devel/apr1 - apr1: ga: apr/1.3.5, apr-util/1.3.7
devel/apr2 - apr2: devel not released yet

Neither devel/apr0 nor devel/apr1 is vulnerable.
devel/apr2 needs to be updated to a newer snapshot.

To fix your error, the PKGNAME for devel/apr0 needs to be updated to
match the security/vuxml entry.

I should be able to get to that Friday during $work time.

-- 
------------------------------------------------------------------------
1024D/DB9B8C1C B90B FBC3 A3A1 C71A 8E70 3F8C 75B8 8FFB DB9B 8C1C
Philip M. Gollucci (pgollucci@p6m7g8.com) c: 703.336.9354
VP Apache Infrastructure; Member, Apache Software Foundation
Committer, FreeBSD Foundation
Consultant, P6M7G8 Inc.
Sr. System Admin, Ridecharge Inc.

Work like you don't need the money,
love like you'll never get hurt,
and dance like nobody's watching.
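
The name mismatch described in the message above, as an added example that is not part of the original e-mail and is not portaudit's own code. It assumes a simplified model in which an audit entry matches when the package name is equal and the version falls inside the entry's range; the two entries are the ones quoted in the thread, and the function names are hypothetical.

```python
import re

# The two entries quoted in the thread: (package name, operator, version bound).
VULN_ENTRIES = [
    ("apr", "<", "1.3.5.1.3.7"),     # entry portaudit reported against the host
    ("apr0", "<", "0.9.19.0.9.19"),  # vuxml entry covering the legacy track
]


def split_pkgname(pkgname):
    """Split 'name-version' at the last hyphen."""
    name, _, version = pkgname.rpartition("-")
    if not name or not version:
        raise ValueError(f"not a name-version string: {pkgname!r}")
    return name, version


def version_key(version):
    """Simplified ordering over dotted numeric components only.

    Assumption: real ports versions can also carry _revision and ,epoch
    suffixes; they are rejected here rather than compared incorrectly.
    """
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"unsupported version syntax: {version!r}")
    return tuple(int(part) for part in version.split("."))


def matching_entries(pkgname, entries=VULN_ENTRIES):
    """Return entries whose name equals the package name and whose range covers it."""
    name, version = split_pkgname(pkgname)
    installed = version_key(version)
    hits = []
    for entry_name, op, bound in entries:
        if entry_name != name:
            continue  # a legacy build named 'apr' never reaches the 'apr0' entry
        limit = version_key(bound)
        if (op == "<" and installed < limit) or (op == "<=" and installed <= limit):
            hits.append((entry_name, op, bound))
    return hits


if __name__ == "__main__":
    # Current PKGNAME, PKGNAME after the rename, and the 1.x track at its fixed version.
    for pkg in ("apr-0.9.19.0.9.19", "apr0-0.9.19.0.9.19", "apr-1.3.5.1.3.7"):
        print(pkg, "->", matching_entries(pkg) or "no match")
```

With the legacy port still named apr, its 0.9.x version sorts below the 1.x bound and is flagged; once the name is apr0, only the apr0 entry applies and the fixed version no longer matches.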