I'm using apache-1.3.33-r1 on one of my servers with mod_ssl. A few days ago the GLSA alert about mod_ssl appeared. So I've updated to mod_ssl-2.8.24-r1, but glsa-check -t all always returns this alert (200509-12).

Reproducible: Always

Steps to Reproduce:
1. ... using apache-1.3.33-r1
2. emerge --ask --oneshot --verbose ">=net-www/mod_ssl-2.8.24"
3. glsa-check -t all

Actual Results:
srv31 root # glsa-check -t all
WARNING: This tool is completely new and not very tested, so it should not be
used on production systems. It's mainly a test tool for the new GLSA release
and distribution system, it's functionality will later be merged into emerge
and equery.
Please read http://www.gentoo.org/proj/en/portage/glsa-integration.xml
before using this tool AND before reporting a bug.

This system is affected by the following GLSA:
200509-12
srv31 root #

Expected Results:
srv31 root # glsa-check -t all
WARNING: This tool is completely new and not very tested, so it should not be
used on production systems. It's mainly a test tool for the new GLSA release
and distribution system, it's functionality will later be merged into emerge
and equery.
Please read http://www.gentoo.org/proj/en/portage/glsa-integration.xml
before using this tool AND before reporting a bug.

This system is not affected by any of the listed GLSA
srv31 root #

srv31 root # qpkg -I -v | grep apache
net-www/apache-1.3.33-r1 *
srv31 root # qpkg -I -v | grep mod_ssl
net-www/mod_ssl-2.8.24-r1 *
srv31 root # qpkg -I -v | grep mod_php
dev-php/mod_php-4.4.0 *
Fixed in GLSAmaker with: <package name="net-www/apache" auto="yes" arch="*"> <unaffected range="ge">2.0.54-r15</unaffected> + <unaffected range="lt">2</unaffected> <vulnerable range="lt">2.0.54-r15</vulnerable> </package> Security please review. Perhaps we should make it clear from the text that only Apache 2 is affected?
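Review bot: the added <unaffected range="lt">2</unaffected> overlaps the existing <vulnerable range="lt">2.0.54-r15</vulnerable>, so apache-1.3.33-r1 now matches both an unaffected and a vulnerable range, and the result on the reporter's system depends on the checking tool letting the unaffected entry win. Before committing, confirm with glsa-check -t all on an Apache 1.3 system that 200509-12 is no longer reported, and state in the advisory text that only Apache 2 is affected, as the comment already proposes, so that readers do not have to infer it from the ranges.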
(In reply to comment #1)
> Security please review. Perhaps we should make it clear from the text that
> only Apache 2 is affected?

I'm French and I'm not sure that I understand exactly what you said.
-> Do you ask another person to correct the alert?
-> Do you ask to remove this: "All Apache 2 users should upgrade to the latest version:"
-> I say that, today, I'm always alerted by "glsa-check -t all" to be affected.

Thanks to you.
Hi David, Security refers to the other members of the security team. I asked them to review the changes before I commit them.
jaervosz: it's ok for me
Thx for the report. Fixed in CVS.