From owner-freebsd-isp@FreeBSD.ORG Mon Jun 14 14:02:34 2004
Return-Path:
Delivered-To: freebsd-isp@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 1887716A4CF
	for ; Mon, 14 Jun 2004 14:02:34 +0000 (GMT)
Received: from a2.scoop.co.nz (aurora.scoop.co.nz [203.96.152.68])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 0B7C643D46
	for ; Mon, 14 Jun 2004 14:02:33 +0000 (GMT)
	(envelope-from andrew@scoop.co.nz)
Received: from localhost (localhost [127.0.0.1])
	by a2.scoop.co.nz (8.12.8p2/8.12.8) with ESMTP id i5EE1QUC010256;
	Tue, 15 Jun 2004 02:01:28 +1200 (NZST)
	(envelope-from andrew@scoop.co.nz)
Date: Tue, 15 Jun 2004 02:01:26 +1200 (NZST)
From: Andrew McNaughton
To: Mark Bojara
In-Reply-To: <1087193170.42134.23.camel@mark.aboutit.co.za>
Message-ID: <20040615014403.M26088@a2.scoop.co.nz>
References: <375DD163B075E34EA3C10A6286E34A545489E6@exhsto1.se.dataphone.com>
	<1087193170.42134.23.camel@mark.aboutit.co.za>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Virus-Scanned: clamd / ClamAV version 0.71, clamav-milter version 0.71
X-Virus-Status: Clean
cc: freebsd-isp@freebsd.org
Subject: Re: apache13 security problems
X-BeenThere: freebsd-isp@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Internet Services Providers
X-List-Received-Date: Mon, 14 Jun 2004 14:02:34 -0000

On Mon, 14 Jun 2004, Mark Bojara wrote:

> Since this weekend new security holes in apache1.3.31 have been discovered.
> However I have cvsupped my ports collection from both cvsup2.freebsd.org
> and cvsup.ca.freebsd.org and there aren't any changes in the cvs tree for
> www/apache13
>
> ===> apache-1.3.31_1 has known vulnerabilities:
> >> mod_ssl stack-based buffer overflow.
>    Reference:
> >> Please update your ports tree and try again.
> *** Error code 1
>
> Does anybody have advice on how I could sort this out?

Looking at the CVS repository, the comment on the makefile revision for
Revision 1.151 of the Makefile says that it fixes the problem with
mod_proxy. Looks like files/patch-proxy_util.c got added, and the
PORTREVISION number updated in the Makefile.

apache-1.3.31_1 or apache-1.3.31_2 (the latter is half an hour old) should
be OK.

Andrew McNaughton

--

No added Sugar. Not tested on animals. May contain traces of Nuts. If
irritation occurs, discontinue use.

-------------------------------------------------------------------
Andrew McNaughton           Living in a shack in Tasmania
andrew@scoop.co.nz          Between the bush and the sea
Mobile: +61 422 753 792     http://staff.scoop.co.nz/andrew/cv.doc
http://www.scoop.co.nz/