[nycbug-talk] Fwd: no more apache updates
george at sddi.net
Mon Jun 21 21:35:42 EDT 2004
and apache responds to OpenBSD...
Begin forwarded message:
> From: Lars Eilebrecht <lars at apache.org>
> Date: June 21, 2004 8:24:58 PM EDT
> To: misc at openbsd.org
> Subject: Re: no more apache updates
> -----BEGIN PGP SIGNED MESSAGE-----
> According to Henning Brauer:
>> let me add one more thing.
>> it is of course possible to install an apache 1.3.31 or future ones
>> from source on OpenBSD.
>> however, doing so is one of the dumbest things you can do.
>> there is a number of serious security problems in apache that we have
>> fixed, and that have been offered them back, and they refused.
>> selfmade apache upgrade = security downgrade, ok?
> The Apache HTTP server security team is not aware of any pending
> patches/fixes for a security vulnerability (or other bug) in Apache
> proposed by the OpenBSD team.
> No patch or information about a bug has been submitted to the
> Apache security or development mailing list, thus, we don't know
> of any patch we could have "refused".
> In Apache 1.3.30 we added a fix to mod_access:
> *) SECURITY: CAN-2003-0993 (cve.mitre.org)
> Fix parsing of Allow/Deny rules using IP addresses without a
> netmask; issue is only known to affect big-endian 64-bit
> platforms; on affected platforms such rules would never produce
> matches. PR 23850. [Henning Brauer <henning openbsd.org>]
> We recently have been informed by an individual Apache developer that
> he received a patch privately from Henning Brauer that replaces certain
> string functions with functions like strlcpy() and snprintf(). Most of
> the changes are very BSD specific and not portable, which was also pointed
> out by Henning himself. Nothing was pointed out as a bug or security
> issue in Henning's email.
> We really don't have any information about "a number of serious
> problems in Apache". Please accept our apologies should we have missed
> a particular email or report from someone from the OpenBSD team, but
> the most recent report submitted to our security list dates
> back to February 2003.
> As you may know, information about Apache vulnerabilities, with or
> without patches, should be submitted to security at apache.org. Other
> or improvements to Apache httpd may be submitted to the PR database
> (http://issues.apache.org/bugzilla/) or the developer's mailing list.
> We always appreciate it, if people provide us with patches, but yes,
> sometimes we may be conservative in what we accept ... just like the
> OpenBSD team is conservative in what they accept for OpenBSD. :)
> - --
> Lars Eilebrecht
> lars at apache.org
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (GNU/Linux)
> -----END PGP SIGNATURE-----