Date:      Fri, 13 May 2011 22:02:53 +0200
From:      olli hauer <ohauer@gmx.de>
To:        Jeremy Chadwick <freebsd@jdc.parodius.com>
Cc:        freebsd-ports-bugs@FreeBSD.org, apache@FreeBSD.org, Olli Hauer <ohauer@FreeBSD.org>
Subject:   Re: ports/156997: www/apache22 is vulnerable
Message-ID:  <4DCD8E6D.4010001@gmx.de>
In-Reply-To: <20110513092251.GA27132@icarus.home.lan>
References:  <201105130910.p4D9ATZd079583@freefall.freebsd.org> <20110513092251.GA27132@icarus.home.lan>

On 2011-05-13 11:22, Jeremy Chadwick wrote:
> On Fri, May 13, 2011 at 09:10:29AM +0000, edwin@FreeBSD.org wrote:
>> Synopsis: www/apache22 is vulnerable
>>
>> Responsible-Changed-From-To: freebsd-ports-bugs->apache
>> Responsible-Changed-By: edwin
>> Responsible-Changed-When: Fri May 13 09:10:28 UTC 2011
>> Responsible-Changed-Why: 
>> Over to maintainer (via the GNATS Auto Assign Tool)
>>
>> http://www.freebsd.org/cgi/query-pr.cgi?pr=156997
> 
> Note: this should probably be modified to refer to devel/apr* (I'm not
> sure which port; apr0, apr1, or apr2 -- or maybe all of them), which is
> what the Apache port relies on.
> 
> The security hole appears to be in apr_fnmatch(), so ultimately what
> needs to be fixed is/are the apr port(s).
> 
> https://lwn.net/Articles/442625/
> 

Hi Jeremy,

Yes, this issue is apr1 related.

I just started working on a patch for the update of apr1 and apache22.

--
Thanks,
olli


