From nobody Fri Jun 10 17:23:20 2022
X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 68A06833BCA
	for <freebsd-security@mlmmj.nyi.freebsd.org>; Fri, 10 Jun 2022 17:23:29 +0000 (UTC)
	(envelope-from joneum@FreeBSD.org)
Received: from toco-domains.de (mail.toco-domains.de [176.9.100.27])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mx1.freebsd.org (Postfix) with ESMTPS id 4LKSV83SRYz4dWq
	for <freebsd-security@freebsd.org>; Fri, 10 Jun 2022 17:23:28 +0000 (UTC)
	(envelope-from joneum@FreeBSD.org)
Received: from [192.168.188.77] (p57993354.dip0.t-ipconnect.de [87.153.51.84])
	(using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by toco-domains.de (Postfix) with ESMTPSA id C1EAF8A0A8;
	Fri, 10 Jun 2022 19:23:20 +0200 (CEST)
Message-ID: <da55675e-a1f3-d4bb-12a9-5d5398a71786@FreeBSD.org>
Date: Fri, 10 Jun 2022 19:23:20 +0200
List-Id: Security issues <freebsd-security.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-security
List-Help: <mailto:freebsd-security+help@freebsd.org>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Subscribe: <mailto:freebsd-security+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-security+unsubscribe@freebsd.org>
Sender: owner-freebsd-security@freebsd.org
X-BeenThere: freebsd-security@freebsd.org
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0)
 Gecko/20100101 Thunderbird/91.10.0
Subject: Re: Is apache24-2.4.54 vulnerable ?
Content-Language: de-DE
To: Peter Blok <pblok@bsd4all.org>, "Wall, Stephen" <stephen.wall@redcom.com>
Cc: Masachika ISHIZUKA <ish@amail.plala.or.jp>,
 "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
References: <20220610.081507.1134393150579572029.ish@amail.plala.or.jp>
 <20220610.085155.1636577084047793852.moto@kawasaki3.org>
 <20220610.095448.1735421952196505841.ish@amail.plala.or.jp>
 <MN2PR09MB46676762E2DC426D7C555690EEA69@MN2PR09MB4667.namprd09.prod.outlook.com>
 <9CA37653-27D5-4A27-A5D2-9E47287B345E@bsd4all.org>
From: Jochen Neumeister <joneum@FreeBSD.org>
In-Reply-To: <9CA37653-27D5-4A27-A5D2-9E47287B345E@bsd4all.org>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Rspamd-Queue-Id: 4LKSV83SRYz4dWq
X-Spamd-Bar: --
Authentication-Results: mx1.freebsd.org;
	dkim=none;
	dmarc=none;
	spf=softfail (mx1.freebsd.org: 176.9.100.27 is neither permitted nor denied by domain of joneum@FreeBSD.org) smtp.mailfrom=joneum@FreeBSD.org
X-Spamd-Result: default: False [-2.10 / 15.00];
	 ARC_NA(0.00)[];
	 TO_DN_EQ_ADDR_SOME(0.00)[];
	 FREEFALL_USER(0.00)[joneum];
	 FROM_HAS_DN(0.00)[];
	 RCPT_COUNT_THREE(0.00)[4];
	 TO_DN_SOME(0.00)[];
	 MID_RHS_MATCH_FROM(0.00)[];
	 MIME_GOOD(-0.10)[text/plain];
	 SUBJECT_ENDS_QUESTION(1.00)[];
	 RCVD_VIA_SMTP_AUTH(0.00)[];
	 R_SPF_SOFTFAIL(0.00)[~all:c];
	 DMARC_NA(0.00)[FreeBSD.org];
	 NEURAL_HAM_LONG(-1.00)[-1.000];
	 TO_MATCH_ENVRCPT_SOME(0.00)[];
	 NEURAL_HAM_SHORT(-1.00)[-0.998];
	 NEURAL_HAM_MEDIUM(-1.00)[-0.999];
	 MLMMJ_DEST(0.00)[freebsd-security];
	 FROM_EQ_ENVFROM(0.00)[];
	 R_DKIM_NA(0.00)[];
	 MIME_TRACE(0.00)[0:+];
	 RCVD_COUNT_TWO(0.00)[2];
	 ASN(0.00)[asn:24940, ipnet:176.9.0.0/16, country:DE];
	 RCVD_TLS_ALL(0.00)[];
	 RECEIVED_SPAMHAUS_PBL(0.00)[87.153.51.84:received]
X-ThisMailContainsUnwantedMimeParts: N


Am 10.06.22 um 16:36 schrieb Peter Blok:
> I think the question is this a typo in the vuln-2022.xml, because the changelog shows the CVE are fixed in 2.4.54


See: 
https://cgit.freebsd.org/ports/commit/?id=0bb1abdb20498df239e15e7f9e9eec33e2eec499


>
>
>
>> On 10 Jun 2022, at 15:20, Wall, Stephen <stephen.wall@redcom.com> wrote:
>>
>>> vuln-2022.xml:
>>>   <affects>
>>>     <package>
>>>     <name>apache24</name>
>>>     <range><lt>2.5.54</lt></range>   <------- 2.4.54 ???
>>>     </package> ~~~~~~
>>>   </affects>
>>> --
>>> Masachika ISHIZUKA
>> `<lt>` indicates it affects versions less than 2.5.54.
>>
>>
>> -spw
>