Re: Apache httpd vulnerability - how fix OpenBSD 2.9
On Thu, Jun 20, 2002 at 09:40:00AM +0200, Ingolf Schuchardt wrote:
> Hello!
>
> I know 2.9 is no longer 'supported' ... but, is there anyhow a patch
> for 2.9 ??? :-)
Look at http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/httpd/src/main/http_protocol.c.
The patch for OpenBSD 3.0 is Revision 1.9.4.1:
Revision 1.9.4.1 / (download) - annotate - [select for diffs] ,
Wed Jun 19 07:37:11 2002 UTC (37 hours, 45 minutes ago) by miod
Branch: OPENBSD_3_0
Changes since 1.9: +22 -4 lines
Diff to previous 1.9 (colored) next main 1.10 (colored)
Pull in patch from current:
Fix (henning):
- work around a possible buffer overflow in chunk handling.
ok beck@
- The Real Fix for the buffer overflow; from apache.org
ok beck@
If you look at revision 1.9 it says:
Revision 1.9 / (download) - annotate - [select for diffs] ,
Thu Mar 29 10:21:43 2001 UTC (14 months, 3 weeks ago) by beck
Branch: MAIN
CVS Tags: OPENBSD_3_0_BASE, OPENBSD_2_9_BASE, OPENBSD_2_9
Branch point for: OPENBSD_3_0
Changes since 1.8: +244 -177 lines
Diff to previous 1.8 (colored)
What I am trying to say is that http_protocol.c didn't change between 2.9 and 3.0.
You can use the 3.0-patch for 2.9.
(Actually it seems that also 2.8 can be patched by this patch.)
Best regards
Søren Thing.
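
The tag reasoning in the message above, as an added example that is not part of the original post or of the OpenBSD tree: it resolves CVS release tags from an RCS-style `symbols` header and checks that the unpatched release still sits on the revision the branch patch was cut against. The header is constructed from the revisions quoted above; the branch number given to OPENBSD_2_9 and all function names are assumptions.

```python
import re

# Constructed RCS-style data for http_protocol.c. Revisions 1.8, 1.9, 1.10 and
# 1.9.4.1 (branch OPENBSD_3_0) come from the message above; the magic branch
# number for OPENBSD_2_9 (1.9.0.2) is an assumption made for this example.
SAMPLE_HEADER = """head 1.10;
symbols
    OPENBSD_3_0:1.9.0.4
    OPENBSD_3_0_BASE:1.9
    OPENBSD_2_9:1.9.0.2
    OPENBSD_2_9_BASE:1.9;
"""
SAMPLE_REVISIONS = ["1.10", "1.9.4.1", "1.9", "1.8"]


def parse_symbols(header):
    """Return {tag: number} from the 'symbols' phrase of an RCS header."""
    m = re.search(r"symbols\s+(.*?);", header, re.S)
    if not m:
        raise ValueError("no symbols phrase found")
    return dict(item.split(":", 1) for item in m.group(1).split())


def resolve(tag, symbols, revisions):
    """Resolve a tag to (branch_point, tip) revision numbers."""
    parts = symbols[tag].split(".")
    # CVS stores a branch tag as a "magic" number with a 0 in the
    # second-to-last position: 1.9.0.4 means branch 1.9.4, rooted at 1.9.
    if len(parts) >= 4 and len(parts) % 2 == 0 and parts[-2] == "0":
        base = ".".join(parts[:-2])
        prefix = base + "." + parts[-1] + "."
        on_branch = [r for r in revisions
                     if r.startswith(prefix) and len(r.split(".")) == len(parts)]
        # A branch with no commits still has the content of its branch point.
        tip = max(on_branch, key=lambda r: int(r.rsplit(".", 1)[1]), default=base)
        return base, tip
    return symbols[tag], symbols[tag]  # plain tag: pinned to one revision


def patch_applies(patch_branch, target_tag, symbols, revisions):
    """True when target_tag's file is the revision the branch patch is based on."""
    patch_base, _ = resolve(patch_branch, symbols, revisions)
    _, target_tip = resolve(target_tag, symbols, revisions)
    return patch_base == target_tip


if __name__ == "__main__":
    syms = parse_symbols(SAMPLE_HEADER)
    print(patch_applies("OPENBSD_3_0", "OPENBSD_2_9", syms, SAMPLE_REVISIONS))
```

The check covers this one file only; a patch that touches several files needs the same comparison for each of them.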