From: olli hauer <ohauer@gmx.de>
Date: Fri, 13 May 2011 22:02:53 +0200
To: Jeremy Chadwick
Cc: freebsd-ports-bugs@FreeBSD.org, apache@FreeBSD.org, Olli Hauer
Subject: Re: ports/156997: www/apache22 is vulnerable
Message-ID: <4DCD8E6D.4010001@gmx.de>
In-Reply-To: <20110513092251.GA27132@icarus.home.lan>

On 2011-05-13 11:22, Jeremy Chadwick wrote:
> On Fri, May 13, 2011 at 09:10:29AM +0000, edwin@FreeBSD.org wrote:
>> Synopsis: www/apache22 is vulnerable
>>
>> Responsible-Changed-From-To: freebsd-ports-bugs->apache
>> Responsible-Changed-By: edwin
>> Responsible-Changed-When: Fri May 13 09:10:28 UTC 2011
>> Responsible-Changed-Why:
>> Over to maintainer (via the GNATS Auto Assign Tool)
>>
>> http://www.freebsd.org/cgi/query-pr.cgi?pr=156997
>
> Note: this should probably be modified to refer to devel/apr* (I'm not
> sure which port; apr0, apr1, or apr2 -- or maybe all of them), which is
> what the Apache port relies on.
>
> The security hole appears to be in apr_fnmatch(), so ultimately what
> needs to be fixed is/are the apr port(s).
>
> https://lwn.net/Articles/442625/
>

Hi Jeremy,

yes, this issue is apr1 related.
I just started working on a patch for the update of apr1 and apache22.

--
Thanks,
olli