From owner-freebsd-security Sat Apr 6 11:33: 3 2002 Delivered-To: freebsd-security@freebsd.org Received: from tp.databus.com (p72-186.acedsl.com [66.114.72.186]) by hub.freebsd.org (Postfix) with ESMTP id D163F37B41D for ; Sat, 6 Apr 2002 11:32:43 -0800 (PST) Received: (from barney@localhost) by tp.databus.com (8.11.6/8.11.6) id g36JWhv08919 for security@FreeBSD.ORG; Sat, 6 Apr 2002 14:32:43 -0500 (EST) (envelope-from barney) Date: Sat, 6 Apr 2002 14:32:43 -0500 From: Barney Wolff To: security@FreeBSD.ORG Subject: Re: FreeBSD Security Notice FreeBSD-SN-02:01 Message-ID: <20020406143243.A8409@tp.databus.com> References: <200204051512.g35FCOr11637@freefall.freebsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <200204051512.g35FCOr11637@freefall.freebsd.org>; from security-advisories@FreeBSD.ORG on Fri, Apr 05, 2002 at 07:12:24AM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I don't understand the status of "Not yet fixed." The advisory says mod_ssl versions < 2.8.7 have the bug, while 2.8.8 is the port distfile as of 3/28/02. What am I missing? On Fri, Apr 05, 2002 at 07:12:24AM -0800, FreeBSD Security Advisories wrote: > +------------------------------------------------------------------------+ > Port name: apache13-ssl, apache13-modssl > Affected: all versions of apache+ssl > all versions of apache+mod_ssl > Status: Not yet fixed. > Buffer overflows in SSL session cache handling. > > -- Barney Wolff I never met a computer I didn't like. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message