[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Apache httpd vulnerability - how fix OpenBSD 2.9
On Thu, Jun 20, 2002 at 09:40:00AM +0200, Ingolf Schuchardt wrote:
> I know 2.9 is not longer 'supported' ... but, is there anyhow a patch
> for 2.9 ??? :-)
Look at http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/httpd/src/main/http_protocol.c.
The patch for OpenBSD 3.0 is Revision 184.108.40.206:
Revision 220.127.116.11 / (download) - annotate - [select for diffs] ,
Wed Jun 19 07:37:11 2002 UTC (37 hours, 45 minutes ago) by miod
Changes since 1.9: +22 -4 lines
Diff to previous 1.9 (colored) next main 1.10 (colored)
Pull in patch from current:
- work around a possible buffer overflow in chunk handling.
- The Real Fix for the buffer overflow; from apache.org
If you look at revision 1.9 is says:
Revision 1.9 / (download) - annotate - [select for diffs] ,
Thu Mar 29 10:21:43 2001 UTC (14 months, 3 weeks ago) by beck
CVS Tags: OPENBSD_3_0_BASE, OPENBSD_2_9_BASE, OPENBSD_2_9
Branch point for: OPENBSD_3_0
Changes since 1.8: +244 -177 lines
Diff to previous 1.8 (colored)
What I try to say is that http_protocol.c didn't change between 2.9 and 3.0.
Yoy can use the 3.0-patch for 2.9.
(Actually it seems that also 2.8 can be patched by this patch.)