[nycbug-talk] Fwd: no more apache updates

G.Rosamond george
Mon Jun 21 21:35:42 EDT 2004

and apache responds to OpenBSD. . .

Begin forwarded message:

> From: Lars Eilebrecht <lars at apache.org>
> Date: June 21, 2004 8:24:58 PM EDT
> To: misc at openbsd.org
> Subject: Re: no more apache updates
> According to Henning Brauer:
>> let me add one more thing.
>> it is of course possible to install an apache 1.3.31 or future ones
>> from source on OpenBSD.
>> however, doing so is one of the dumbest things you can do.
>> there is a number of serious security problems in apache that we have
>> fixed, and that have been offered them back, and they refused.
>> selfmade apache upgrade = security downgrade, ok?
> The Apache HTTP server security team is not aware of any pending
> patches/fixes for a security vulnerability (or other bug) in Apache
> proposed by the OpenBSD team.
> No patch or information about a bug has been submitted to the
> Apache security or development mailing list, thus, we don't know
> of any patch we could have "refused".
> In Apache 1.3.30 we added a fix to mod_access:
>   *) SECURITY: CAN-2003-0993 (cve.mitre.org)
>      Fix parsing of Allow/Deny rules using IP addresses without a
>      netmask; issue is only known to affect big-endian 64-bit
>      platforms; on affected platforms such rules would never produce
>      matches.  PR 23850.  [Henning Brauer <henning openbsd.org>]
> We recently have been informed by an individual Apache developer, that
> he received a patch privately from Henning Brauer that replaces certain
> string functions with functions like strlcpy() and snprintf(). Most of 
> the
> changes are very BSD specific and not portable, which was also pointed
> out by Henning himself. Nothing was pointed out as a bug or security 
> fix
> in Henning's email.
> We really don't have any information about "a number of serious 
> security
> problems in Apache". Please accept our apologies should we have missed 
> a
> particular email or report from someone from the OpenBSD team, but
> the most recent report submitted to our security list dates
> back to Febrary 2003.
> As you may know, information about Apache vulnerabilities, with or
> without patches, should be submitted to security at apache.org. Other 
> fixes
> or improvements to Apache httpd may be submitted to the PR database
> (http://issues.apache.org/bugzilla/) or the developer's mailing list.
> We always appreciate it, if people provide us with patches, but yes,
> sometimes we may be conservative in what we accept ... just like the
> OpenBSD team is conservative in what they accept for OpenBSD. :)
> Regards...
> - --
> Lars Eilebrecht
> lars at apache.org
> Version: GnuPG v1.2.4 (GNU/Linux)
> iQCSAwUBQNd8Wj6Pt/L4g0HZAQGXewPmMdnc35eM2ZuwJI43w3Em0Ea9Xvq3Idrb
> DZnkkE2EGL8wHgy+2j1GwQb8/RPtleA3I9WDNqFgkWrLbj2CxtBnaDgS/MPvpMoh
> 06PTEnDOH7M0UlzROMfDEjOREmx83/8c1RRLJxbPTxCSvjWCVGpMWdsk/8fE1QGo
> kvfVCqA=
> =moLa

More information about the talk mailing list