Date: Fri, 10 Jun 2022 08:51:55 +0900 (JST)
Message-Id: <20220610.085155.1636577084047793852.moto@kawasaki3.org>
To: ish@amail.plala.or.jp
Cc: freebsd-security@freebsd.org
Subject: Re: Is apache24-2.4.54 vulnerable ?
From: moto kawasaki
In-Reply-To: <20220610.081507.1134393150579572029.ish@amail.plala.or.jp>
List-Archive: https://lists.freebsd.org/archives/freebsd-security

Hi ISHIZUKA san,

It seems to be true for apache24-2.4.53 and prior, and the fixed version is ...2.4.54.

See also Apache httpd's Security Reports page:
https://httpd.apache.org/security/vulnerabilities_24.html

Thanks.

--
moto kawasaki

on Fri, 10 Jun 2022 08:15:07 +0900 (JST), Masachika ISHIZUKA wrote:

> % uname -a
> FreeBSD peach.ish.org 13.1-RELEASE FreeBSD 13.1-RELEASE releng/13.1-n250148-fc952ac2212 GENERIC amd64
> % pkg audit -F
> vulnxml file up-to-date
> apache24-2.4.54 is vulnerable:
> Apache httpd -- Multiple vulnerabilities
> CVE: CVE-2022-26377
> CVE: CVE-2022-28330
> CVE: CVE-2022-28614
> CVE: CVE-2022-28615
> CVE: CVE-2022-29404
> CVE: CVE-2022-30522
> CVE: CVE-2022-30556
> CVE: CVE-2022-31813
> WWW: https://vuxml.FreeBSD.org/freebsd/49adfbe5-e7d1-11ec-8fbd-d4c9ef517024.html
> 1 problem(s) in 1 installed package(s) found.
>
> Is this report true for apache24-2.4.54 ?
> --
> Masachika ISHIZUKA
>