106907 – using apache-1.3.33-r1 with mod_ssl-2.8.24-r1 return GLSA affected 200509-12

Bug 106907 - using apache-1.3.33-r1 with mod_ssl-2.8.24-r1 return GLSA affected 200509-12

Summary: using apache-1.3.33-r1 with mod_ssl-2.8.24-r1 return GLSA affected 200509-12

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	GLSA Errors (show other bugs)
Hardware:	All Linux

Importance:	High normal (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2005-09-22 11:00 UTC by David CHANIAL
Modified:	2005-09-23 09:06 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description David CHANIAL 2005-09-22 11:00:03 UTC

I'm using apache-1.3.33-r1 on one of my servers with mod_ssl, there is some 
days appear the GLSA alert about mod_ssl. So, i've updated to 
mod_ssl-2.8.24-r1, but glsa-check -t all always return this alert (200509-12) 
 

Reproducible: Always
Steps to Reproduce:
1. ... using apache-1.3.33-r1 
2. emerge --ask --oneshot --verbose ">=net-www/mod_ssl-2.8.24" 
3. glsa-check -t all 
 
Actual Results:  
srv31 root # glsa-check -t all 
WARNING: This tool is completely new and not very tested, so it should not be 
used on production systems. It's mainly a test tool for the new GLSA release 
and distribution system, it's functionality will later be merged into emerge 
and equery. 
Please read http://www.gentoo.org/proj/en/portage/glsa-integration.xml 
before using this tool AND before reporting a bug. 
 
This system is affected by the following GLSA: 
200509-12 
srv31 root #     

Expected Results:  
srv31 root # glsa-check -t all 
WARNING: This tool is completely new and not very tested, so it should not be 
used on production systems. It's mainly a test tool for the new GLSA release 
and distribution system, it's functionality will later be merged into emerge 
and equery. 
Please read http://www.gentoo.org/proj/en/portage/glsa-integration.xml 
before using this tool AND before reporting a bug. 
 
This system is not affected by any of the listed GLSA 
srv31 root #  

srv31 root # qpkg -I -v | grep apache 
net-www/apache-1.3.33-r1 * 
srv31 root # qpkg -I -v | grep mod_ssl 
net-www/mod_ssl-2.8.24-r1 * 
srv31 root # qpkg -I -v | grep mod_php 
dev-php/mod_php-4.4.0 *

Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-09-22 12:07:11 UTC

Fixed in GLSAmaker with: 
 
     <package name="net-www/apache" auto="yes" arch="*"> 
       <unaffected range="ge">2.0.54-r15</unaffected> 
+      <unaffected range="lt">2</unaffected> 
       <vulnerable range="lt">2.0.54-r15</vulnerable> 
     </package> 
 
Security please review. Perhaps we should make it clear from the text that 
only Apache 2 is affected?

Comment 2 David CHANIAL 2005-09-22 22:18:24 UTC

(In reply to comment #1) 
> Security please review. Perhaps we should make it clear from the text that  
> only Apache 2 is affected?  
 
I'm french and i'm not sure that i understand exactly what you said. 
 
-> Do you ask another person to correct the alert ? 
 
-> Do you ask to remove this : 
        "All Apache 2 users should upgrade to the latest version:" 
 
-> I say that, today, i'm always alerted by "glsa-check -t all" to be affected. 
 
Thanks to you.

Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-09-22 23:32:01 UTC

Hi David, 
 
Security refers to the other members of the security team. I asked them to 
review the changes before I commit them.

Comment 4 Thierry Carrez (RETIRED) gentoo-dev

2005-09-23 00:31:11 UTC

jaervosz: it's ok for me

Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-09-23 09:06:48 UTC

Thx for the report. 
 
Fixed in CVS.