Hello,

In regards to OPENBSD_4_5 <http://www.openbsd.org/cgi-bin/cvsweb/ports/www/apache-httpd/Makefile?only_with_tag=OPENBSD_4_5>: since the update to 2.2.9, CVSweb reports:

Tue Sep 22 2009: apache-httpd (stable branch) was updated to 2.2.9 due to fixes for CVE-2008-2364 and CVE-2007-6420.
Sun Jun 28 2009: there was a commit for an apache-httpd update to 2.2.11 due to fixes for CVE-2008-2939.

On the other hand, http://httpd.apache.org/security/vulnerabilities_22.html reports many more vulnerabilities for 2.2.9 and 2.2.11 (see below). Does it mean that these vulnerabilities were not patched when 2.2.9 was live, and are not patched with 2.2.11 now either, hence they are not mentioned in the commits?

Thank you
Daniel

______________________________________________________________________________________________________________________

important: mod_proxy reverse proxy DoS CVE-2009-1890
A denial of service flaw was found in the mod_proxy module when it was used as a reverse proxy. A remote attacker could use this flaw to force a proxy process to consume large amounts of CPU time.
Update Released: 27th July 2009
Affects: 2.2.11, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0

______________________________________________________________________________________________________________________

low: mod_deflate DoS CVE-2009-1891
A denial of service flaw was found in the mod_deflate module. This module continued to compress large files until compression was complete, even if the network connection that requested the content was closed before compression completed. This would cause mod_deflate to consume large amounts of CPU if mod_deflate was enabled for a large file.
Update Released: 27th July 2009
Affects: 2.2.11, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0

______________________________________________________________________________________________________________________

low: AllowOverride Options handling bypass CVE-2009-1195
A flaw was found in the handling of the "Options" and "AllowOverride" directives. In configurations using the "AllowOverride" directive with certain "Options=" arguments, local users were not restricted from executing commands from a Server-Side-Include script as intended.
Update Released: 27th July 2009
Affects: 2.2.11, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0

______________________________________________________________________________________________________________________

moderate: APR-util off-by-one overflow CVE-2009-1956
An off-by-one overflow flaw was found in the way the bundled copy of the APR-util library processed a variable list of arguments. An attacker could provide a specially-crafted string as input for the formatted output conversion routine, which could, on big-endian platforms, potentially lead to the disclosure of sensitive information or a denial of service.
Update Released: 72th 2009
Affects: 2.2.11, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0

______________________________________________________________________________________________________________________

moderate: APR-util XML DoS CVE-2009-1955
A denial of service flaw was found in the bundled copy of the APR-util library Extensible Markup Language (XML) parser. A remote attacker could create a specially-crafted XML document that would cause excessive memory consumption when processed by the XML decoding engine.
Update Released: 27th July 2009
Affects: 2.2.11, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0

______________________________________________________________________________________________________________________

moderate: APR-util heap underwrite CVE-2009-0023
A heap-based underwrite flaw was found in the way the bundled copy of the APR-util library created compiled forms of particular search patterns. An attacker could formulate a specially-crafted search keyword that would overwrite arbitrary heap memory locations when processed by the pattern preparation engine.
Update Released: 27th July 2009
Affects: 2.2.11, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0

______________________________________________________________________________________________________________________