[nycbug-talk] Fwd: no more apache updates
Mon Jun 21 21:39:38 EDT 2004
On Mon 2004.06.21 at 21:35 -0400, G. Rosamond wrote:
> and apache responds to OpenBSD. . .
well, it's hard to say exactly what was sent to apache, but if you
watch source-changes@, a whole crap load of fixes has gone into the
> Begin forwarded message:
> >From: Lars Eilebrecht <lars at apache.org>
> >Date: June 21, 2004 8:24:58 PM EDT
> >To: misc at openbsd.org
> >Subject: Re: no more apache updates
> >According to Henning Brauer:
> >>let me add one more thing.
> >>it is of course possible to install an apache 1.3.31 or future ones
> >>from source on OpenBSD.
> >>however, doing so is one of the dumbest things you can do.
> >>there is a number of serious security problems in apache that we have
> >>fixed, and that have been offered them back, and they refused.
> >>selfmade apache upgrade = security downgrade, ok?
> >The Apache HTTP server security team is not aware of any pending
> >patches/fixes for a security vulnerability (or other bug) in Apache
> >proposed by the OpenBSD team.
> >No patch or information about a bug has been submitted to the
> >Apache security or development mailing list, thus, we don't know
> >of any patch we could have "refused".
> >In Apache 1.3.30 we added a fix to mod_access:
> > *) SECURITY: CAN-2003-0993 (cve.mitre.org)
> > Fix parsing of Allow/Deny rules using IP addresses without a
> > netmask; issue is only known to affect big-endian 64-bit
> > platforms; on affected platforms such rules would never produce
> > matches. PR 23850. [Henning Brauer <henning openbsd.org>]
> >We recently have been informed by an individual Apache developer that
> >he received a patch privately from Henning Brauer that replaces certain
> >string functions with functions like strlcpy() and snprintf(). Most of
> >the changes are very BSD specific and not portable, which was also pointed
> >out by Henning himself. Nothing was pointed out as a bug or security
> >issue in Henning's email.
> >We really don't have any information about "a number of serious
> >problems in Apache". Please accept our apologies should we have missed a
> >particular email or report from someone from the OpenBSD team, but
> >the most recent report submitted to our security list dates
> >back to February 2003.
> >As you may know, information about Apache vulnerabilities, with or
> >without patches, should be submitted to security at apache.org. Other
> >patches or improvements to Apache httpd may be submitted to the PR database
> >(http://issues.apache.org/bugzilla/) or the developer's mailing list.
> >We always appreciate it, if people provide us with patches, but yes,
> >sometimes we may be conservative in what we accept ... just like the
> >OpenBSD team is conservative in what they accept for OpenBSD. :)
> >--
> >Lars Eilebrecht
> >lars at apache.org
Okan Demirmen <okan at demirmen.com>
PGP-Fingerprint: 226D B4AE 78A9 7F4E CD2B 1B44 C281 AF18 B367 0934