From: Masachika ISHIZUKA
Date: Fri, 10 Jun 2022 09:54:48 +0900 (JST)
To: freebsd-security@freebsd.org
Subject: Re: Is apache24-2.4.54 vulnerable ?

>> % pkg audit -F
>> vulnxml file up-to-date
>> apache24-2.4.54 is vulnerable:
>>   Apache httpd -- Multiple vulnerabilities
>>   CVE: CVE-2022-26377
>>   CVE: CVE-2022-28330
>>   CVE: CVE-2022-28614
>>   CVE: CVE-2022-28615
>>   CVE: CVE-2022-29404
>>   CVE: CVE-2022-30522
>>   CVE: CVE-2022-30556
>>   CVE: CVE-2022-31813
>>   WWW: https://vuxml.FreeBSD.org/freebsd/49adfbe5-e7d1-11ec-8fbd-d4c9ef517024.html
>>
>> 1 problem(s) in 1 installed package(s) found.
>
> It seems like true for apache24-2.4.53 and prior, and fixed version is
> ...2.4.54.
>
> See also Apache httpd's Security Reports page:
>   https://httpd.apache.org/security/vulnerabilities_24.html

My question is that apache24-2.4.54 is shown vulnerable on
security/vuxml 959028638c9e3236ab91a2d8865fb3893775a28a.

vuln-2022.xml:
    apache24
    2.5.54    <------- 2.4.54 ???
    ~~~~~~

-- 
Masachika ISHIZUKA