Hello,

*Sun Aug 16 01:50:40 2009 UTC* (3 weeks, 4 days ago) by *william*
Branches: OPENBSD_4_5 <http://www.openbsd.org/cgi-bin/cvsweb/ports/devel/apr/Makefile?only_with_tag=OPENBSD_4_5>
SECURITY FIX
Resolves CVE-2009-2412

According to that commit, there was a patch applied to apr and apr-utils for that CVE. However, looking at the CVE page, I find that only these versions of apr and apr-util are affected:

"Apache Portable Runtime (APR) library and the Apache Portable Utility library (aka APR-util) 0.9.x and 1.3.x"

The versions I have installed with a stable checkout 2 months ago are:

apr-1.2.11p2 Apache Portable Runtime
apr-util-1.2.10p2 companion library to APR

Versions are different.. so this wouldn't apply.. right?

Also, if it does apply and I missed something obvious.. how critical is it for an apache2 user.... would mod-security mitigate this, or is there any workaround for the -stable user that doesn't want to upgrade to -current?

Thanks