Hello,

I see two patches to apr and apr-util, ostensibly fixing these (CVE-2009-2412
and other) security issues, yet I see no patch to the apache-httpd Makefile
tagged with OPENBSD_4_5 (-stable).

http://www.openbsd.org/cgi-bin/cvsweb/ports/devel/apr-util/Makefile?only_with_tag=OPENBSD_4_5
http://www.openbsd.org/cgi-bin/cvsweb/ports/devel/apr/Makefile

After looking things over, it would seem that the -stable apache-httpd Makefile 
would need to have its dependencies changed to force the use of the mt 
(multithread) apr and apr-util library - 

I also observe that the -current fix for CVE-2009-2412 does indeed include a
patch to the apache-httpd Makefile, to do just that -

http://www.openbsd.org/cgi-bin/cvsweb/ports/www/apache-httpd/Makefile


Am I missing something?

Is CVE-2009-2412 fixed in -stable or not?

Do I have to manually set the flavor (mt) and make apr and apr-util before 
making the apache-httpd port?

Is there another workaround or recommendation for this CVE-2009-2412 security 
issue?

Are apr and apr-util absolutely necessary to run Apache2, or can a minimalist
version be run without them? (I would assume not, but I'm listening for ideas).


Thanks,
Joe
