From: "Philip M. Gollucci" <pgollucci@p6m7g8.com>
Date: Thu, 28 Oct 2010 07:56:39 +0000
To: Andrea Venturoli
Cc: pgollucci@freebsd.org, freebsd-ports@freebsd.org
Subject: Re: apr vulnerability
Message-ID: <4CC92CB7.50302@p6m7g8.com>
In-Reply-To: <4CC9266B.7000405@netfence.it>
List-Id: Porting software to FreeBSD

On 10/28/10 07:29, Andrea Venturoli wrote:
> On one of the servers I manage, portaudit claims:
> portaudit
> Affected package: apr-0.9.19.0.9.19
> Type of problem: apr -- multiple vulnerabilities.
> Reference:
>
> Following the above links, I find that apr<1.3.5.1.3.7 is involved.
>
> I see on Freshports that apr was updated on 2010/10/20 to address a
> security risk: the link is:
> http://www.vuxml.org/freebsd/dd943fbb-d0fe-11df-95a8-00219b0fc4d8.html
>
> There, however, it says apr0<0.9.19.0.9.19 is involved.
>
> So, I'm confused: is apr-0.9.19.0.9.19 (which is the one I have)
> vulnerable or not?

apr has 3 tracks:

devel/apr0 - apr0: legacy: apr/0.9.19, apr-util/0.9.19
devel/apr1 - apr1: ga: apr/1.3.5, apr-util/1.3.7
devel/apr2 - apr2: devel, not released yet

Neither devel/apr0 nor devel/apr1 is vulnerable. devel/apr2 needs to be
updated to a newer snapshot.

To fix your error, the PKGNAME for devel/apr0 needs to be updated to match
the security/vuxml entry. I should be able to get to that Friday during
$work time.

-- 
1024D/DB9B8C1C B90B FBC3 A3A1 C71A 8E70 3F8C 75B8 8FFB DB9B 8C1C
Philip M. Gollucci (pgollucci@p6m7g8.com) c: 703.336.9354
VP Apache Infrastructure; Member, Apache Software Foundation
Committer, FreeBSD Foundation
Consultant, P6M7G8 Inc.
Sr. System Admin, Ridecharge Inc.
Work like you don't need the money, love like you'll never get hurt,
and dance like nobody's watching.
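The PKGNAME mismatch described in the reply, modelled as an added example (this is not portaudit's, pkg_version's or vuxml's code): a constructed vuxml-style table holding the two ranges quoted in the thread, a simplified approximation of the ports version ordering (epoch after `,`, dotted components, PORTREVISION after `_`), and a check showing why a package named apr-0.9.19.0.9.19 is flagged by the apr<1.3.5.1.3.7 entry while apr0-0.9.19.0.9.19 is not.

```python
from typing import Dict, List, Optional, Tuple

# Constructed vuxml-style table: affected package name -> exclusive upper
# bound, taken from the two ranges quoted in the thread.
VUXML_ENTRIES: Dict[str, str] = {
    "apr": "1.3.5.1.3.7",     # "apr<1.3.5.1.3.7" (the devel/apr1 track)
    "apr0": "0.9.19.0.9.19",  # "apr0<0.9.19.0.9.19" (the devel/apr0 track)
}

def split_pkgname(pkgname: str) -> Tuple[str, str]:
    """Split a PKGNAME at its last '-': 'apr-0.9.19.0.9.19' -> ('apr', '0.9.19.0.9.19')."""
    name, _, version = pkgname.rpartition("-")
    return name, version

def version_key(version: str) -> Tuple[int, List[Tuple[int, object]], int]:
    """Simplified ports version ordering (an approximation, not pkg_version):
    epoch after ',' wins first, then the dotted components, then the
    PORTREVISION after '_'. Numeric components sort after text ones."""
    base, _, epoch = version.partition(",")
    base, _, revision = base.partition("_")
    parts = [(1, int(p)) if p.isdigit() else (0, p) for p in base.split(".")]
    return (int(epoch or 0), parts, int(revision or 0))

def check(pkgname: str, entries: Dict[str, str] = VUXML_ENTRIES) -> Optional[str]:
    """Return the name of the vuxml entry that flags pkgname, or None."""
    name, version = split_pkgname(pkgname)
    bound = entries.get(name)
    if bound is not None and version_key(version) < version_key(bound):
        return name
    return None

if __name__ == "__main__":
    # The legacy port builds a package called "apr", so it is matched against
    # the apr1 entry and its version sorts below 1.3.5.1.3.7: a false positive.
    print(check("apr-0.9.19.0.9.19"))   # apr
    # With PKGNAME changed to apr0 it hits the apr0 entry, and 0.9.19.0.9.19
    # is not below that bound, so nothing is reported.
    print(check("apr0-0.9.19.0.9.19"))  # None
    # The current apr1 package is likewise clean.
    print(check("apr-1.3.5.1.3.7"))     # None
```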