From nobody Fri Jun 10 14:36:16 2022
X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 9A61083B646
	for <freebsd-security@mlmmj.nyi.freebsd.org>; Fri, 10 Jun 2022 14:36:25 +0000 (UTC)
	(envelope-from pblok@bsd4all.org)
Received: from mail.bsd4all.org (mail.bsd4all.org [88.99.169.216])
	by mx1.freebsd.org (Postfix) with ESMTP id 4LKNnN50K6z3jKc
	for <freebsd-security@freebsd.org>; Fri, 10 Jun 2022 14:36:24 +0000 (UTC)
	(envelope-from pblok@bsd4all.org)
Received: from mail.bsd4all.org (localhost [127.0.0.1])
	by mail.bsd4all.org (Postfix) with ESMTP id F037A581A;
	Fri, 10 Jun 2022 16:36:19 +0200 (CEST)
X-Virus-Scanned: amavisd-new at bsd4all.org
Received: from mail.bsd4all.org ([127.0.0.1])
	by mail.bsd4all.org (mail.bsd4all.org [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id Ab4WQjF_ZUCa; Fri, 10 Jun 2022 16:36:19 +0200 (CEST)
Received: from [192.168.34.65] (pony_ip [136.143.2.230])
	by mail.bsd4all.org (Postfix) with ESMTPSA id 0DA5A5818;
	Fri, 10 Jun 2022 16:36:18 +0200 (CEST)
Content-Type: text/plain;
	charset=us-ascii
List-Id: Security issues <freebsd-security.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-security
List-Help: <mailto:freebsd-security+help@freebsd.org>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Subscribe: <mailto:freebsd-security+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-security+unsubscribe@freebsd.org>
Sender: owner-freebsd-security@freebsd.org
X-BeenThere: freebsd-security@freebsd.org
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.7\))
Subject: Re: Is apache24-2.4.54 vulnerable ?
From: Peter Blok <pblok@bsd4all.org>
In-Reply-To: <MN2PR09MB46676762E2DC426D7C555690EEA69@MN2PR09MB4667.namprd09.prod.outlook.com>
Date: Fri, 10 Jun 2022 16:36:16 +0200
Cc: Masachika ISHIZUKA <ish@amail.plala.or.jp>,
 "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <9CA37653-27D5-4A27-A5D2-9E47287B345E@bsd4all.org>
References: <20220610.081507.1134393150579572029.ish@amail.plala.or.jp>
 <20220610.085155.1636577084047793852.moto@kawasaki3.org>
 <20220610.095448.1735421952196505841.ish@amail.plala.or.jp>
 <MN2PR09MB46676762E2DC426D7C555690EEA69@MN2PR09MB4667.namprd09.prod.outlook.com>
To: "Wall, Stephen" <stephen.wall@redcom.com>
X-Mailer: Apple Mail (2.3608.120.23.2.7)
X-Rspamd-Queue-Id: 4LKNnN50K6z3jKc
X-Spamd-Bar: ++
Authentication-Results: mx1.freebsd.org;
	dkim=none;
	dmarc=none;
	spf=pass (mx1.freebsd.org: domain of pblok@bsd4all.org designates 88.99.169.216 as permitted sender) smtp.mailfrom=pblok@bsd4all.org
X-Spamd-Result: default: False [2.10 / 15.00];
	 TO_DN_EQ_ADDR_SOME(0.00)[];
	 RCVD_VIA_SMTP_AUTH(0.00)[];
	 ARC_NA(0.00)[];
	 FROM_HAS_DN(0.00)[];
	 RCPT_COUNT_THREE(0.00)[3];
	 MV_CASE(0.50)[];
	 R_SPF_ALLOW(-0.20)[+mx];
	 MIME_GOOD(-0.10)[text/plain];
	 DMARC_NA(0.00)[bsd4all.org];
	 NEURAL_HAM_LONG(-1.00)[-1.000];
	 TO_DN_SOME(0.00)[];
	 NEURAL_SPAM_MEDIUM(0.80)[0.797];
	 RCVD_COUNT_THREE(0.00)[4];
	 TO_MATCH_ENVRCPT_SOME(0.00)[];
	 NEURAL_SPAM_SHORT(1.00)[1.000];
	 MLMMJ_DEST(0.00)[freebsd-security];
	 RCVD_NO_TLS_LAST(0.10)[];
	 FROM_EQ_ENVFROM(0.00)[];
	 R_DKIM_NA(0.00)[];
	 MIME_TRACE(0.00)[0:+];
	 ASN(0.00)[asn:24940, ipnet:88.99.0.0/16, country:DE];
	 SUBJECT_ENDS_QUESTION(1.00)[];
	 MID_RHS_MATCH_FROM(0.00)[]
X-ThisMailContainsUnwantedMimeParts: N

I think the question is this a typo in the vuln-2022.xml, because the =
changelog shows the CVE are fixed in 2.4.54



> On 10 Jun 2022, at 15:20, Wall, Stephen <stephen.wall@redcom.com> =
wrote:
>=20
>> vuln-2022.xml:
>>  <affects>
>>    <package>
>>    <name>apache24</name>
>>    <range><lt>2.5.54</lt></range>   <------- 2.4.54 ???
>>    </package> ~~~~~~
>>  </affects>
>> --
>> Masachika ISHIZUKA
>=20
> `<lt>` indicates it affects versions less than 2.5.54.
>=20
>=20
> -spw