dick hoogendijk wrote:
> Normally I upgrade my ports if I see new versions.
> But now I have a question: I saw a new apache22 version (apache-2.2.2_1)
> but on the apache site I could not find anything related to security bugs
> or whatever. I *did* find a version 2.2.3 though (not yet in ports!)
> 
> So now I wonder, what is the difference of port apache-2.2.2 and the
> latest one "apache-2.2.2_1"
> Imho it should be nice to have some kind of info file in the port telling
> the reasons to upgrade. Does anyone know?
> Or should I just wait for apache-2.2.3 (can't be that long).
> 

You should check out freshports.org

        Fix security issue in mod_rewrite.
        All people using mod_rewrite are strongly encouraged to update.

        An off-by-one flaw exists in the Rewrite module, mod_rewrite.
        Depending on the manner in which Apache httpd was compiled, this
        software defect may result in a vulnerability which, in
        combination with certain types of Rewrite rules in the web
        server configuration files, could be triggered remotely.  For
        vulnerable builds, the nature of the vulnerability can be denial
        of service (crashing of web server processes) or potentially
        allow arbitrary code execution. This issue has been rated as
        having important security impact by the Apache HTTP Server
        Security Team

        Updates to latest versions will follow soon.


In addition to showing changelogs for the ports, freshports also lets you
"watch" one or more ports and be pinged whenever there's a new version.

You should also install portaudit. This will give a list of installed
ports on your system with known security issues. Also, if installed, it
will warn you if you try to install a port with such issues, and
prompt you to update your ports tree.


        Svein Halvor
