On 2009/08/25 12:05, David Taveras wrote:
> Hello, In regards to
> OPENBSD_4_5<http://www.openbsd.org/cgi-bin/cvsweb/ports/www/apache-httpd/Makefile?only_with_tag=OPENBSD_4_5>.
> Since the update for 2.2.9 CVSweb reports:
>
> Tue Sep 22 2009 apache-httpd (stable branch) was updated to 2.2.9 due to
> fixes on CVE-2008-2364 and CVE-2007-6420
> Sun Jun 28 2009 there was a commit for apache-httpd update to 2.2.11 due to
> fixes on CVE-2008-2939
>
> On the other hand,
> http://httpd.apache.org/security/vulnerabilities_22.html reports many
> more vulnerabilities for 2.2.9, and 2.2.11 (see below).
>
> Does it mean that these vulnerabilities were not patched when 2.2.9 was
> live, and are neither patched with 2.2.11 now hence they are not mentioned
> in the commits?

It needs to be updated in -current first. People need to test and report back on http://marc.info/?l=openbsd-ports&m=125120705212520&w=2 before this can happen.