macports apache2 CVE-2009-3555?

Todd Fleisher todd at tokoni.com
Tue Nov 17 14:02:42 PST 2009


Ah, appears I was looking under the wrong rock. Thanks!

-T

On Nov 17, 2009, at 12:39 PM, Daniel J. Luke wrote:

> On Nov 17, 2009, at 3:18 PM, Todd Fleisher wrote:
>> Greetings,
>> I'm wondering if the the macports apache2 port has been patched in any way for CVE-2009-3555?
>> 
>>> From the Debian security list:
>> "As a partial mitigation against this attack, this apache2 update
>> disables client-initiated renegotiations. This should fix the
>> vulnerability for the majority of Apache configurations in use."
> 
> It looks like Debian decided to do that instead of shipping a new openssl. See also:
> 
> http://marc.info/?l=apache-httpd-announce&m=125755783724966&w=2
> 
> MacPorts has openssl 0.9.8l
> --
> Daniel J. Luke                                                                   
> +========================================================+                        
> | *---------------- dluke at geeklair.net ----------------* |                          
> | *-------------- http://www.geeklair.net -------------* |                          
> +========================================================+                        
> |   Opinions expressed are mine and do not necessarily   |                          
> |          reflect the opinions of my employer.          |                          
> +========================================================+
> 
> 
> 
> 



More information about the macports-users mailing list