Re: patch for SSL renegotiation vulnerability in apache1/2/OpenSSL?

2009-11-26 Thread David Taveras
Hello On Thu, Nov 26, 2009 at 2:58 AM, Landry Breuil wrote: > On Wed, Nov 25, 2009 at 07:01:19PM -0500, Rodolfo Gouveia wrote: >> On Wed, Nov 25, 2009 at 05:53:05PM -0600, David Taveras wrote: >> > Hello, >> > >> > If it has been committed.. to stable I sup

Re: patch for SSL renegotiation vulnerability in apache1/2/OpenSSL?

2009-11-25 Thread David Taveras
5PM -0600, David Taveras wrote: >> Also curious as to why this has been released yet in the errata for >> the apache1 /openssl included in base? > > I'm not sure if you just mean errata.html, but just to be clear > AFAIK the fixed version has been committed to 4.6 as well as 4.5 > > --rodolfo >

patch for SSL renegotiation vulnerability in apache1/2/OpenSSL?

2009-11-25 Thread David Taveras
Hello, We are apache2 users. I'd like clarification from the maintainer, or anybody else informed if a patch could be released for apache2 openssl renegotiation vulnerability? Also curious as to why this has been released yet in the errata for the apache1 /openssl included in base? Thanks Davi

http firewall: modsecurity excessive logging.. how to manage?

2009-11-03 Thread David Taveras
practice is to have secure PHP code.. but in an environment where you cannot trust the code. This is my only path. Thank you. David Taveras

Re: Why was a patch submitted if version is not vulnerable? apr-util and apr (apache2) CVE-2009-2412

2009-09-13 Thread David Taveras
Hello William, On Fri, Sep 11, 2009 at 8:38 PM, William Yodlowsky wrote: > > The same fix applies to 1.2.x. As in, the diff is the same, excepting line > numbers. Other OS's also patched 1.2.x; see redhat, mandriva... > > Hence you are informed about the fix applied for apr-apr-util I'd like t

Why was a patch submitted if version is not vulnerable? apr-util and apr (apache2) CVE-2009-2412

2009-09-10 Thread David Taveras
*Hello, Sun Aug 16 01:50:40 2009 UTC* (3 weeks, 4 days ago) by *william* Branches: OPENBSD_4_5 SECURITY FIX Resolves CVE-2009-2412 According to that commit, there was a patch applied to apr and apr-utils fo

About the Mysql commits

2009-09-03 Thread David Taveras
Hello, I am a user of mysql-client 5.0.77 ... according to the commits for OPENBSD_4.5 there is a security fix and that is why it has been updated to 5.0.83 ... The problem is the maintainer does annotate the CVEs or other sources of information about the security fix. I tried looking at : http://d

Re: Why does OBSD advise to use packages if they are outdated?

2009-09-02 Thread David Taveras
Josh, et al.: So, in other words the rule of thumb I understand from this thread should be to compile a new box as follows: Compile the kernel/userland to -stable Install the necessary software from packages (-release) and ONLY use ports (-stable) if: a.) the -stable branch has released a versi

Re: Why does OBSD advise to use packages if they are outdated?

2009-09-02 Thread David Taveras
Hello, On Tue, Sep 1, 2009 at 10:29 PM, Amarendra Godbole < amarendra.godb...@gmail.com> wrote: > > 15.4.6 also says: > Of course, there are a few good reasons to use ports over packages in > some cases: >* Distribution rules prohibit OpenBSD from distributing a package. >* You wish to mo

Re: Why does OBSD advise to use packages if they are outdated?

2009-09-02 Thread David Taveras
> > > What am I missing? > > Are you building -current ports on -stable? > > -- > Best Regards No, I am not. My question is based on the packages (which are -release) and -stable ports from CVS mirrors.

Why does OBSD advise to use packages if they are outdated?

2009-09-01 Thread David Taveras
Hello community, Thanks for all the hard work for the developers and testers out there, I have a confusion: Why OBSD strongly advises to use packages over building an application from ports (according to FAQ 15.4.6) if : a.) Obsd does not maintain the stable packages since 4.0 (source: http://www.

Best way to compile specific php5-extensions. Flavors or Subpackages?

2009-08-25 Thread David Taveras
Hello, In the past I have compiled the php5-extensions from stable by simply doing: cd /usr/ports/www/php5/extensions; make; make install Then, once the packages were generated using pkg_add to install the package from /usr/ports/packages/i386/all/ However, I noticed that before I actually did

Re: About apache vulnerability updates applied to ports on stable branch

2009-08-25 Thread David Taveras
Hello, On Tue, Aug 25, 2009 at 12:18 PM, Stuart Henderson wrote > > > > It needs to be updated in -current first. People need to test and report > back on http://marc.info/?l=openbsd-ports&m=125120705212520&w=2 before > this can happen. > > I understand that 2.2.13 is already being worked out in

About apache vulnerability updates applied to ports on stable branch

2009-08-25 Thread David Taveras
Hello, In regards to OPENBSD_4_5. Since the update for 2.2.9 CVSweb reports: Tue Sep 22 2009 apache-httpd (stable branch) was updated to 2.2.9 due to fixes on CVE-2008-2364 and CVE-2007-6420 Sun Jun 2

CVS checkout of two past dates will not compile php5-extensions.. why?

2009-08-23 Thread David Taveras
Hello, I am trying to checkout PHP 5.2.8 from stable branch. I picked two dates and downloaded both src, and ports. export cvsroot=anon...@anoncvs3.usa.openbsd.org:/cvs cd /usr; cvs checkout -D "18 Jul 2009" -P -rOPENBSD_4_5 ports; cvs checkout -D "18 Jul 2009" -P -rOPENBSD_4_5 src Second test u

How to downgrade to PHP 5.2.8 from ports stable due to the suhosin/PHP problem?

2009-08-20 Thread David Taveras
Hello, I realised after updating my ports collection that PHP 5.2.10 comes with a suhosin/php issue whereas session encryption needs to remain off. In our case we cannot "live" without session encryption and thus would prefer to go back to the previous version introduced in stable. My question is