[nycbug-talk] Fwd: no more apache updates

Okan Demirmen okan
Mon Jun 21 21:39:38 EDT 2004


On Mon 2004.06.21 at 21:35 -0400, G. Rosamond wrote:
> and apache responds to OpenBSD. . .

well, it's hard to say exactly what was sent to apache, but if you
watch source-changes@, a whole crap load of fixes has gone into the
openbsd tree.

okan

> Begin forwarded message:
> 
> >From: Lars Eilebrecht <lars at apache.org>
> >Date: June 21, 2004 8:24:58 PM EDT
> >To: misc at openbsd.org
> >Subject: Re: no more apache updates
> >
> >-----BEGIN PGP SIGNED MESSAGE-----
> >
> >According to Henning Brauer:
> >
> >>let me add one more thing.
> >>
> >>it is of course possible to install an apache 1.3.31 or future ones
> >>from source on OpenBSD.
> >>
> >>however, doing so is one of the dumbest things you can do.
> >>
> >>there is a number of serious security problems in apache that we have
> >>fixed, and that have been offered them back, and they refused.
> >>
> >>selfmade apache upgrade = security downgrade, ok?
> >
> >The Apache HTTP server security team is not aware of any pending
> >patches/fixes for a security vulnerability (or other bug) in Apache
> >proposed by the OpenBSD team.
> >
> >No patch or information about a bug has been submitted to the
> >Apache security or development mailing list, thus, we don't know
> >of any patch we could have "refused".
> >
> >In Apache 1.3.30 we added a fix to mod_access:
> >
> >  *) SECURITY: CAN-2003-0993 (cve.mitre.org)
> >     Fix parsing of Allow/Deny rules using IP addresses without a
> >     netmask; issue is only known to affect big-endian 64-bit
> >     platforms; on affected platforms such rules would never produce
> >     matches.  PR 23850.  [Henning Brauer <henning openbsd.org>]
> >
> >
> >We recently have been informed by an individual Apache developer, that
> >he received a patch privately from Henning Brauer that replaces certain
> >string functions with functions like strlcpy() and snprintf(). Most of
> >the changes are very BSD specific and not portable, which was also pointed
> >out by Henning himself. Nothing was pointed out as a bug or security fix
> >in Henning's email.
> >
> >We really don't have any information about "a number of serious security
> >problems in Apache". Please accept our apologies should we have missed a
> >particular email or report from someone from the OpenBSD team, but
> >the most recent report submitted to our security list dates
> >back to February 2003.
> >
> >As you may know, information about Apache vulnerabilities, with or
> >without patches, should be submitted to security at apache.org. Other fixes
> >or improvements to Apache httpd may be submitted to the PR database
> >(http://issues.apache.org/bugzilla/) or the developer's mailing list.
> >
> >We always appreciate it, if people provide us with patches, but yes,
> >sometimes we may be conservative in what we accept ... just like the
> >OpenBSD team is conservative in what they accept for OpenBSD. :)
> >
> >
> >Regards...
> >- --
> >Lars Eilebrecht
> >lars at apache.org
> >
> 

-- 
Okan Demirmen <okan at demirmen.com>
PGP-Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB3670934
PGP-Fingerprint: 226D B4AE 78A9 7F4E CD2B 1B44 C281 AF18 B367 0934