From owner-freebsd-apache@FreeBSD.ORG Mon Aug 29 11:06:20 2011
Return-Path: 
Delivered-To: apache@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id AFB2E106564A for ; Mon, 29 Aug 2011 11:06:20 +0000 (UTC) (envelope-from owner-bugmaster@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 9F7298FC1E for ; Mon, 29 Aug 2011 11:06:20 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.4/8.14.4) with ESMTP id p7TB6KRc088598 for ; Mon, 29 Aug 2011 11:06:20 GMT (envelope-from owner-bugmaster@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.14.4/8.14.4/Submit) id p7TB6JOM088596 for apache@FreeBSD.org; Mon, 29 Aug 2011 11:06:19 GMT (envelope-from owner-bugmaster@FreeBSD.org)
Date: Mon, 29 Aug 2011 11:06:19 GMT
Message-Id: <201108291106.p7TB6JOM088596@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: gnats set sender to owner-bugmaster@FreeBSD.org using -f
From: FreeBSD bugmaster
To: apache@FreeBSD.org
Cc: 
Subject: Current problem reports assigned to apache@FreeBSD.org
X-BeenThere: freebsd-apache@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Support of apache-related ports
List-Unsubscribe: ,
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: ,
X-List-Received-Date: Mon, 29 Aug 2011 11:06:20 -0000

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.    Description
--------------------------------------------------------------------------------
o ports/159812 apache    [PATCH] www/apache20,www/apache22 Strip Binaries
o ports/159661 apache    [maintainer] Minor cleanup to www/mod_macro22
o ports/159608 apache    www/apache22: apache WITH_BDB_BASE settings described
o ports/158565 apache    www/apache22: Add rlimits based on login class for mpm
f ports/158544 apache    Port www/mod_perl2 fails to build
o ports/157554 apache    www/apache22: Apache RLimitNPROC does not work as inte
o ports/156987 apache    www/apache22: Harden SSL cipher suites strength and SS
o ports/156787 apache    www/mod_auth_kerb2 fails on undefined symbol with base
f ports/156719 apache    ab: apr_socket_recv: Connection reset by peer (54)
o ports/156251 apache    [PATCH] Enable module by default for www/mod_fastcgi
o ports/153406 apache    www/apache22's SUEXEC_RSRCLIMIT option does not take e
o ports/153264 apache    www/apache22 and apache13-modssl -- rc.d script improv
o ports/147806 apache    [PATCH] www/apache20: httpd doesn't start with WITH_LD
o ports/147282 apache    errors when starting www/apache22 after installation o
o ports/146199 apache    www/apache20: port does not use make config
o ports/144010 apache    devel/apr1 tries to use SYSVIPC even in jails
o ports/130479 apache    www/apache20 and www/apache22 configure_args busted
o ports/125183 apache    www/apache22 wrong SUEXEC_DOCROOT
o ports/124375 apache    security/heimdal: www/mod_auth_kerb doesn't compile ag
s ports/108169 apache    www/apache20 wrong AP_SAFE_PATH for suEXEC

20 problems total.
From owner-freebsd-apache@FreeBSD.ORG Thu Sep 1 07:40:00 2011
Date: Thu, 1 Sep 2011 09:39:57 +0200
From: Oliver Brandmueller
To: apache@FreeBSD.org
Message-ID: <20110901073957.GI96792@e-Gitt.NET>
Subject: apache 2.2.20 ?

Hi,

desperately waiting for apache 2.2.20 security update in the ports, is
there anything at the horizon?

Thank you,

Oliver

-- 
| Oliver Brandmueller            http://sysadm.in/    ob@sysadm.in |
| I am the Internet. As truly as I help God.                       |
From owner-freebsd-apache@FreeBSD.ORG Thu Sep 1 08:33:09 2011
Date: Thu, 1 Sep 2011 01:33:08 -0700
From: Jeremy Chadwick
To: Oliver Brandmueller
Cc: apache@FreeBSD.org
Message-ID: <20110901083308.GA21588@icarus.home.lan>
In-Reply-To: <20110901073957.GI96792@e-Gitt.NET>
Subject: Re: apache 2.2.20 ?

On Thu, Sep 01, 2011 at 09:39:57AM +0200, Oliver Brandmueller wrote:
> desperately waiting for apache 2.2.20 security update in the ports, is
> there anything at the horizon?

Apache 2.2.20 was released in the early evening on 08/30 (mirrors say
around 18:xx, Pacific Time I believe), which means it's only been
available for about ~30 hours.
What bothers me more is:

1) That there's no standalone patch available for CVE-2011-3192 (the
   Range/Request-Range DoS), e.g. a patch someone could drop into
   files/patch-XXX and be done with it,

2) The portaudit database (security/vuxml) has not been updated to
   reflect this situation (I have done "portaudit -Fda" more times than
   I can count), so I believe there are people who have no idea they're
   affected (keep reading),

3) There are *lots* of people who run Apache who have no knowledge of
   this issue.  Fellow senior-level SAs I know out east had never even
   heard of it, so I wouldn't be surprised if subscribers to
   freebsd-apache hadn't either.

I don't understand how/why this issue was disclosed so quietly (in my
opinion).

Be aware the initial CVE announcement was inadequate and lacked
directives that would ignore the old-yet-still-honoured Request-Range
header, so some who think they're immune may not fully be.

Furthermore, some of the Linux-oriented sites provided badly-written
directives that are incorrect/wrong, and those are making their way
into the "blogosphere".  The icing on the cake comes from "security
experts" who posted "vulnerability test" scripts which are completely
and entirely broken -- their perl code fails miserably (awful coding
errors) and can/will report you as vulnerable when in fact you aren't.
These made rounds on security lists all over -- what a nightmare.

If there are people here who do not know how to *properly* make
themselves immune to the DoS mentioned in CVE-2011-3192, please reply
to the list (not me personally) and I will take the time to do a full
write-up, as well as provide a test methodology for you to use
(requires www/p5-libwww).  And I don't bother with Apache 1.3.x, sorry.

And finally, for those wondering what the DoS looks like on a FreeBSD
box, one of our customers was hit with this twice (on the 29th and
30th) before I was able to deploy the workaround, so I can describe the
behaviour of the system and all of the symptoms.
Just let me know on-list and I can provide a write-up (I had to do one
for the customer).  Be aware said box is FreeBSD 7.x, but I'm certain
the behaviour would be the exact same on all FreeBSD versions.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                   Mountain View, CA, US |
| Making life hard for others since 1977.              PGP 4BD6C0CB |

From owner-freebsd-apache@FreeBSD.ORG Fri Sep 2 03:42:52 2011
Message-ID: <4E6050B9.6090907@FreeBSD.org>
Date: Thu, 01 Sep 2011 20:42:49 -0700
From: Doug Barton
Organization: http://SupersetSolutions.com/
To: Chris Rees
Cc: cvs-ports@freebsd.org, apache@FreeBSD.org, cvs-all@freebsd.org, ports-committers@freebsd.org
References: <201109011906.p81J6RVU069402@repoman.freebsd.org> <20110901194253.GA84679@vniz.net>
Subject: Re: cvs commit: ports/security/vuxml vuln.xml

Meanwhile, is there an update on 2.2.20 getting into the tree? A simple
version upgrade has worked for me so far.

Doug

-- 
        Nothin' ever doesn't change, but nothin' changes much.
                        -- OK Go

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price.  :)  http://SupersetSolutions.com/

From owner-freebsd-apache@FreeBSD.ORG Fri Sep 2 04:00:35 2011
Date: Fri, 2 Sep 2011 04:00:34 GMT
Message-Id: <201109020400.p8240YGq035925@freefall.freebsd.org>
To: edwin@FreeBSD.org, freebsd-ports-bugs@FreeBSD.org, apache@FreeBSD.org
From: edwin@FreeBSD.org
Subject: Re: ports/160381: [patch] www/apache22: update to 2.2.20

Synopsis: [patch] www/apache22: update to 2.2.20

Responsible-Changed-From-To: freebsd-ports-bugs->apache
Responsible-Changed-By: edwin
Responsible-Changed-When: Fri Sep 2 04:00:33 UTC 2011
Responsible-Changed-Why: 
Over to maintainer (via the GNATS Auto Assign Tool)

http://www.freebsd.org/cgi/query-pr.cgi?pr=160381

From owner-freebsd-apache@FreeBSD.ORG Fri Sep 2 06:18:33 2011
Date: Fri, 2 Sep 2011 06:18:32 GMT
Message-Id: <201109020618.p826IWUS069045@freefall.freebsd.org>
To: jhelfman@experts-exchange.com, ade@FreeBSD.org, apache@FreeBSD.org
From: ade@FreeBSD.org
Subject: Re: ports/160381: [patch] www/apache22: update to 2.2.20

Synopsis: [patch] www/apache22: update to 2.2.20

State-Changed-From-To: open->closed
State-Changed-By: ade
State-Changed-When: Fri Sep 2 06:18:15 UTC 2011
State-Changed-Why: 
Committed.
http://www.freebsd.org/cgi/query-pr.cgi?pr=160381

From owner-freebsd-apache@FreeBSD.ORG Fri Sep 2 06:20:12 2011
Date: Fri, 2 Sep 2011 06:20:11 GMT
Message-Id: <201109020620.p826KBDX069338@freefall.freebsd.org>
To: apache@FreeBSD.org
From: dfilter@FreeBSD.ORG (dfilter service)
Reply-To: dfilter service
Subject: Re: ports/160381: commit references a PR

The following reply was made to PR ports/160381; it has been noted by GNATS.

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/160381: commit references a PR
Date: Fri, 2 Sep 2011 06:18:16 +0000 (UTC)

 ade         2011-09-02 06:18:02 UTC

   FreeBSD ports repository

   Modified files:
     www/apache22         Makefile distinfo 
   Log:
   Emergency upgrade to 2.2.20 - CVE-2011-3192.  Any complaints, talk to me.
   PR:          160381

   Revision  Changes    Path
   1.291     +1 -2      ports/www/apache22/Makefile
   1.85      +2 -2      ports/www/apache22/distinfo
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"

From owner-freebsd-apache@FreeBSD.ORG Fri Sep 2 07:00:22 2011
Date: Fri, 2 Sep 2011 07:00:22 GMT
Message-Id: <201109020700.p8270M0Z008973@freefall.freebsd.org>
To: apache@FreeBSD.org
From: Jo Rhett
Reply-To: Jo Rhett
Subject: Re: ports/160381: [patch] www/apache22: update to 2.2.20

The following reply was made to PR ports/160381; it has been noted by GNATS.

From: Jo Rhett
To: bug-followup@FreeBSD.org, jhelfman@experts-exchange.com
Cc:  
Subject: Re: ports/160381: [patch] www/apache22: update to 2.2.20
Date: Thu, 1 Sep 2011 23:46:21 -0700

 If we're upgrading the port, can we consider fixing WITH_BDB_BASE ?
 -- 
 Jo Rhett
 Net Consonance : consonant endings by net philanthropy, open source and
 other randomness

From owner-freebsd-apache@FreeBSD.ORG Fri Sep 2 08:32:16 2011
Date: Fri, 2 Sep 2011 12:06:26 +0400
From: Pavel Timofeev
To: apache@FreeBSD.org
Subject: Install apache-2.2.20

Hi, there's a problem

[root@timbsd /usr/ports/www/apache22]# make

 To enable a module category: WITH__MODULES
 To disable a module category: WITHOUT__MODULES

 Per default categories are:
 AUTH AUTHN AUTHZ DAV CACHE MISC
 Categories available:
 AUTH AUTHN AUTHZ CACHE DAV EXPERIMENTAL
 LDAP MISC PROXY SSL SUEXEC THREADS

 To see all available knobs, type make show-options
 To see all modules in different categories, type make show-categories
 You can check your modules configuration by using make show-modules

===>  apache-2.2.20 has known vulnerabilities:
=> apache -- Range header DoS vulnerability.
   Reference: http://portaudit.FreeBSD.org/7f6108d2-cea8-11e0-9d58-0800279895ea.html
=> Please update your ports tree and try again.
*** Error code 1

Stop in /usr/ports/www/apache22.
*** Error code 1

Stop in /usr/ports/www/apache22.

From owner-freebsd-apache@FreeBSD.ORG Fri Sep 2 08:41:10 2011
Date: Fri, 2 Sep 2011 01:41:08 -0700
From: Jeremy Chadwick
To: Pavel Timofeev
Cc: apache@FreeBSD.org
Message-ID: <20110902084108.GA46572@icarus.home.lan>
Subject: Re: Install apache-2.2.20
On Fri, Sep 02, 2011 at 12:06:26PM +0400, Pavel Timofeev wrote:
> Hi, there's a problem
> [root@timbsd /usr/ports/www/apache22]# make
>
>  To enable a module category: WITH__MODULES
>  To disable a module category: WITHOUT__MODULES
>
>  Per default categories are:
>  AUTH AUTHN AUTHZ DAV CACHE MISC
>  Categories available:
>  AUTH AUTHN AUTHZ CACHE DAV EXPERIMENTAL LDAP MISC PROXY SSL SUEXEC
> THREADS
>
>  To see all available knobs, type make show-options
>  To see all modules in different categories, type make show-categories
>  You can check your modules configuration by using make show-modules
>
> ===>  apache-2.2.20 has known vulnerabilities:
> => apache -- Range header DoS vulnerability.
>    Reference:
> http://portaudit.FreeBSD.org/7f6108d2-cea8-11e0-9d58-0800279895ea.html
> => Please update your ports tree and try again.
> *** Error code 1
>
> Stop in /usr/ports/www/apache22.
> *** Error code 1
>
> Stop in /usr/ports/www/apache22.

Looks like someone may have screwed up the portaudit (security/vuxml)
update.  You can override this by doing:

cd /usr/ports/www/apache22
DISABLE_VULNERABILITIES=true make
DISABLE_VULNERABILITIES=true make install

Etc...

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                   Mountain View, CA, US |
| Making life hard for others since 1977.              PGP 4BD6C0CB |
From owner-freebsd-apache@FreeBSD.ORG Fri Sep 2 08:48:23 2011
Message-ID: <4E609855.9070507@freebsd.org>
Date: Fri, 02 Sep 2011 10:48:21 +0200
From: Florian Smeets
To: Jeremy Chadwick
Cc: Pavel Timofeev , apache@freebsd.org
In-Reply-To: <20110902084108.GA46572@icarus.home.lan>
Subject: Re: Install apache-2.2.20

On 02.09.2011 10:41, Jeremy Chadwick wrote:
> On Fri, Sep 02, 2011 at 12:06:26PM +0400, Pavel Timofeev wrote:
>> Hi, there's a problem
>> [root@timbsd /usr/ports/www/apache22]# make
>>
>>  To enable a module category: WITH__MODULES
>>  To disable a module category: WITHOUT__MODULES
>>
>>  Per default categories are:
>>  AUTH AUTHN AUTHZ DAV CACHE MISC
>>  Categories available:
>>  AUTH AUTHN AUTHZ CACHE DAV EXPERIMENTAL LDAP MISC PROXY SSL SUEXEC
>> THREADS
>>
>>  To see all available knobs, type make show-options
>>  To see all modules in different categories, type make show-categories
>>  You can check your modules configuration by using make show-modules
>>
>> ===>  apache-2.2.20 has known vulnerabilities:
>> => apache -- Range header DoS vulnerability.
>>    Reference:
>> http://portaudit.FreeBSD.org/7f6108d2-cea8-11e0-9d58-0800279895ea.html
>> => Please update your ports tree and try again.
>> *** Error code 1
>>
>> Stop in /usr/ports/www/apache22.
>> *** Error code 1
>>
>> Stop in /usr/ports/www/apache22.
>
> Looks like someone may have screwed up the portaudit (security/vuxml)
> update.
>

You just need to download the current database.

# portaudit -F

That worked for me.

HTH,
Florian

From owner-freebsd-apache@FreeBSD.ORG Fri Sep 2 09:17:00 2011
Date: Fri, 2 Sep 2011 02:03:42 -0700
From: Jeremy Chadwick
To: Florian Smeets
Message-ID: <20110902090342.GA48221@icarus.home.lan>
In-Reply-To: <4E609855.9070507@freebsd.org>
Cc: Pavel Timofeev , apache@freebsd.org, ade@freebsd.org
Subject: Re: Install apache-2.2.20

On Fri, Sep 02, 2011 at 10:48:21AM +0200, Florian Smeets wrote:
> On 02.09.2011 10:41, Jeremy Chadwick wrote:
> >On Fri, Sep 02, 2011 at 12:06:26PM +0400, Pavel Timofeev wrote:
> >>Hi, there's a problem
> >>[root@timbsd /usr/ports/www/apache22]# make
> >>
> >> To enable a module category: WITH__MODULES
> >> To disable a module category: WITHOUT__MODULES
> >>
> >> Per default categories are:
> >> AUTH AUTHN AUTHZ DAV CACHE MISC
> >> Categories available:
> >> AUTH AUTHN AUTHZ CACHE DAV EXPERIMENTAL LDAP MISC PROXY SSL SUEXEC
> >>THREADS
> >>
> >> To see all available knobs, type make show-options
> >> To see all modules in different categories, type make show-categories
> >> You can check your modules configuration by using make show-modules
> >>
> >>===>  apache-2.2.20 has known vulnerabilities:
> >>=> apache -- Range header DoS vulnerability.
> >>   Reference:
> >>http://portaudit.FreeBSD.org/7f6108d2-cea8-11e0-9d58-0800279895ea.html
> >>=> Please update your ports tree and try again.
> >>*** Error code 1
> >>
> >>Stop in /usr/ports/www/apache22.
> >>*** Error code 1
> >>
> >>Stop in /usr/ports/www/apache22.
> >
> >Looks like someone may have screwed up the portaudit (security/vuxml)
> >update.
> >
> 
> You just need to download the current database.
> 
> # portaudit -F
> 
> That worked for me.

Look at the message he's receiving.  "apache-2.2.20 has known
vulnerabilities".  This is wrong.  Versions *PRIOR* to 2.2.20 have known
vulnerabilities.  So again: someone messed up the portaudit
(security/vuxml) database.
If it got fixed, I'm not seeing any evidence of that yet either:

icarus# pkg_info | egrep ^apache
apache-itk-2.2.19   Version 2.2.x of Apache web server with itk MPM.

icarus# portaudit -Fda
New database installed.
Database created: Thu Sep  1 12:20:00 PDT 2011
Affected package: php5-5.3.6
Type of problem: php -- multiple vulnerabilities.
Reference: http://portaudit.FreeBSD.org/057bf770-cac4-11e0-aea3-00215c6a37bb.html

1 problem(s) in your installed packages found.

You are advised to update or deinstall the affected package(s) immediately.

icarus# egrep ^PORTVERSION /usr/ports/www/apache22/Makefile
PORTVERSION=    2.2.20

Let's recap:

1) The message the OP is receiving is that Apache 2.2.20 is insecure,
   which is wrong.

2) I'm using apache22 with the ITK MPM and I receive no such security
   concern message.

3) portaudit -Fda doesn't indicate anything is insecure besides PHP on
   my system, even though it obviously is (using Apache 2.2.19).

4) Here's the relevant contents of the portaudit db:

icarus# bzcat /var/db/portaudit/auditfile.tbz | strings -a | egrep ^apache | grep Range
apache>2.*<2.2.20|http://portaudit.FreeBSD.org/7f6108d2-cea8-11e0-9d58-0800279895ea.html|apache -- Range header DoS vulnerability

In my case (re: not receiving the security warning), it may be that
someone did not add the apache-itk-XXX shims to the portaudit db, which
are the direct result of the "stub" ports for Apache.  I don't know who
maintains this, but it's obviously incomplete.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                   Mountain View, CA, US |
| Making life hard for others since 1977.              PGP 4BD6C0CB |
From owner-freebsd-apache@FreeBSD.ORG Fri Sep 2 09:44:22 2011
Message-ID: <4E60A574.5040705@freebsd.org>
Date: Fri, 02 Sep 2011 11:44:20 +0200
From: Florian Smeets
To: Jeremy Chadwick
Cc: Pavel Timofeev , apache@freebsd.org, ade@freebsd.org
In-Reply-To: <20110902090342.GA48221@icarus.home.lan>
Subject: Re: Install apache-2.2.20

On 02.09.2011 11:03, Jeremy Chadwick wrote:
> On Fri, Sep 02, 2011 at 10:48:21AM +0200, Florian Smeets wrote:
>> On 02.09.2011 10:41, Jeremy Chadwick wrote:
>>> On Fri, Sep 02, 2011 at 12:06:26PM +0400, Pavel Timofeev wrote:
>>>> Hi, there's a problem
>>>> [root@timbsd /usr/ports/www/apache22]# make
>>>>
>>>> ===>  apache-2.2.20 has known vulnerabilities:
>>>> => apache -- Range header DoS vulnerability.
>>>>       Reference:
>>>> http://portaudit.FreeBSD.org/7f6108d2-cea8-11e0-9d58-0800279895ea.html
>>>> => Please update your ports tree and try again.
>>>> *** Error code 1
>>>>
>>>> Stop in /usr/ports/www/apache22.
>>>> *** Error code 1
>>>>
>>>> Stop in /usr/ports/www/apache22.
>>>
>>> Looks like someone may have screwed up the portaudit (security/vuxml)
>>> update.
>>>
>>
>> You just need to download the current database.
>>
>> # portaudit -F
>>
>> That worked for me.
>
> Look at the message he's receiving. "apache-2.2.20 has known
> vulnerabilities". This is wrong. Versions *PRIOR* to 2.2.20 have known
> vulnerabilities.

The first vuxml entry that was added for this vulnerability had

| + <gt>2.*</gt>

It was fixed yesterday to match only versions lower than 2.2.20

| - <gt>2.*</gt>
| + <gt>2.*</gt><lt>2.2.20</lt>

That's why I suggested to download the new database.

>
> So again: someone messed up the portaudit (security/vuxml) database. If
> it got fixed, I'm not seeing any evidence of that yet either:
>

If you download the newest db Pavel's problem should be fixed.

> Let's recap:
>
> 1) The message the OP is receiving is that Apache 2.2.20 is insecure,
> which is wrong.

see above.

>
> 2) I'm using apache22 with the ITK MPM and I receive no such security
> concern message.
>
> 3) portaudit -Fda doesn't indicate anything is insecure besides PHP on
> my system, even though it obviously is (using Apache 2.2.19).
>

Ok, that's a different problem. 2 and 3 are basically the same problem, no?
I think the slave ports need to be added to the entry, too.
> 4) Here's the relevant contents of the portaudit db:
>
> icarus# bzcat /var/db/portaudit/auditfile.tbz | strings -a | egrep ^apache | grep Range
> apache>2.*<2.2.20|http://portaudit.FreeBSD.org/7f6108d2-cea8-11e0-9d58-0800279895ea.html|apache -- Range header DoS vulnerability
>

You have the current database :)

> In my case (re: not receiving the security warning), it may be that
> someone did not add the apache-itk-XXX shims to the portaudit db, which
> are the direct result of the "stub" ports for Apache. I don't know who
> maintains this, but it's obviously incomplete.
>

Yes, they should be added.

Cheers,
Florian

From owner-freebsd-apache@FreeBSD.ORG Fri Sep 2 09:47:21 2011
Date: Fri, 2 Sep 2011 13:47:19 +0400
From: Pavel Timofeev
To: Florian Smeets
Cc: ade@freebsd.org, apache@freebsd.org
In-Reply-To: <4E60A574.5040705@freebsd.org>
Subject: Re: Install apache-2.2.20

Yea, portaudit -F worked for me. Thank you!

2011/9/2 Florian Smeets
> On 02.09.2011 11:03, Jeremy Chadwick wrote:
>> On Fri, Sep 02, 2011 at 10:48:21AM +0200, Florian Smeets wrote:
>>> On 02.09.2011 10:41, Jeremy Chadwick wrote:
>>>> On Fri, Sep 02, 2011 at 12:06:26PM +0400, Pavel Timofeev wrote:
>>>>> Hi, there's a problem
>>>>> [root@timbsd /usr/ports/www/apache22]# make
>>>>>
>>>>> ===>  apache-2.2.20 has known vulnerabilities:
>>>>> => apache -- Range header DoS vulnerability.
>>>>>       Reference:
>>>>> http://portaudit.FreeBSD.org/7f6108d2-cea8-11e0-9d58-0800279895ea.html
>>>>> => Please update your ports tree and try again.
>>>>> *** Error code 1
>>>>>
>>>>> Stop in /usr/ports/www/apache22.
>>>>> *** Error code 1
>>>>>
>>>>> Stop in /usr/ports/www/apache22.
>>>>
>>>> Looks like someone may have screwed up the portaudit (security/vuxml)
>>>> update.
>>>
>>> You just need to download the current database.
>>>
>>> # portaudit -F
>>>
>>> That worked for me.
>>
>> Look at the message he's receiving. "apache-2.2.20 has known
>> vulnerabilities". This is wrong. Versions *PRIOR* to 2.2.20 have known
>> vulnerabilities.
>
> The first vuxml entry that was added for this vulnerability had
>
> | + <gt>2.*</gt>
>
> It was fixed yesterday to match only versions lower than 2.2.20
>
> | - <gt>2.*</gt>
> | + <gt>2.*</gt><lt>2.2.20</lt>
>
> That's why I suggested to download the new database.
>
>> So again: someone messed up the portaudit (security/vuxml) database. If
>> it got fixed, I'm not seeing any evidence of that yet either:
>
> If you download the newest db Pavel's problem should be fixed.
>
>> Let's recap:
>>
>> 1) The message the OP is receiving is that Apache 2.2.20 is insecure,
>> which is wrong.
>
> see above.
>
>> 2) I'm using apache22 with the ITK MPM and I receive no such security
>> concern message.
>>
>> 3) portaudit -Fda doesn't indicate anything is insecure besides PHP on
>> my system, even though it obviously is (using Apache 2.2.19).
>
> Ok, that's a different problem. 2 and 3 are basically the same problem, no?
> I think the slave ports need to be added to the entry, too.
>
>> 4) Here's the relevant contents of the portaudit db:
>>
>> icarus# bzcat /var/db/portaudit/auditfile.tbz | strings -a | egrep
>> ^apache | grep Range
>> apache>2.*<2.2.20|http://portaudit.FreeBSD.org/7f6108d2-cea8-11e0-9d58-0800279895ea.html|apache -- Range header DoS vulnerability
>
> You have the current database :)
>
>> In my case (re: not receiving the security warning), it may be that
>> someone did not add the apache-itk-XXX shims to the portaudit db, which
>> are the direct result of the "stub" ports for Apache. I don't know who
>> maintains this, but it's obviously incomplete.
>
> Yes, they should be added.
>
> Cheers,
> Florian
>

From owner-freebsd-apache@FreeBSD.ORG Fri Sep 2 10:34:39 2011
Date: Fri, 2 Sep 2011 03:34:38 -0700
From: Jeremy Chadwick
To: Florian Smeets
Cc: Pavel Timofeev, apache@freebsd.org, ade@freebsd.org
Message-ID: <20110902103438.GA50999@icarus.home.lan>
References: <20110902084108.GA46572@icarus.home.lan> <4E609855.9070507@freebsd.org> <20110902090342.GA48221@icarus.home.lan> <4E60A574.5040705@freebsd.org>
In-Reply-To: <4E60A574.5040705@freebsd.org>
Subject: Re: Install apache-2.2.20

On Fri, Sep 02, 2011 at 11:44:20AM +0200, Florian Smeets wrote:
> On 02.09.2011 11:03, Jeremy Chadwick wrote:
> >On Fri, Sep 02, 2011 at 10:48:21AM +0200, Florian Smeets wrote:
> >>On 02.09.2011 10:41, Jeremy Chadwick wrote:
> >>>On Fri, Sep 02, 2011 at 12:06:26PM +0400, Pavel Timofeev wrote:
> >>>>Hi, there's a problem
> >>>>[root@timbsd /usr/ports/www/apache22]# make
> >>>>
> >>>>===>  apache-2.2.20 has known vulnerabilities:
> >>>>=> apache -- Range header DoS vulnerability.
> >>>>      Reference:
> >>>>http://portaudit.FreeBSD.org/7f6108d2-cea8-11e0-9d58-0800279895ea.html
> >>>>=> Please update your ports tree and try again.
> >>>>*** Error code 1
> >>>>
> >>>>Stop in /usr/ports/www/apache22.
> >>>>*** Error code 1
> >>>>
> >>>>Stop in /usr/ports/www/apache22.
> >>>
> >>>Looks like someone may have screwed up the portaudit (security/vuxml)
> >>>update.
> >>>
> >>
> >>You just need to download the current database.
> >>
> >># portaudit -F
> >>
> >>That worked for me.
> >
> >Look at the message he's receiving. "apache-2.2.20 has known
> >vulnerabilities". This is wrong. Versions *PRIOR* to 2.2.20 have known
> >vulnerabilities.
>
> The first vuxml entry that was added for this vulnerability had
>
> | + <gt>2.*</gt>
>
> It was fixed yesterday to match only versions lower than 2.2.20
>
> | - <gt>2.*</gt>
> | + <gt>2.*</gt><lt>2.2.20</lt>

Right, so it was buggered, and someone fixed it. It's fixed *now*, but
it was broken at some point. *sigh* Well it's fixed, there's no real
point to me going on about it. Thank you for providing the history
though, I appreciate it.

> That's why I suggested to download the new database.

Understood.

> >2) I'm using apache22 with the ITK MPM and I receive no such security
> >concern message.
> >
> >3) portaudit -Fda doesn't indicate anything is insecure besides PHP on
> >my system, even though it obviously is (using Apache 2.2.19).
> >
>
> Ok, that's a different problem. 2 and 3 are basically the same
> problem, no? I think the slave ports need to be added to the entry,
> too.

Yes, they're related. I guess I should have put them under a single
item instead of separating them.

> >In my case (re: not receiving the security warning), it may be that
> >someone did not add the apache-itk-XXX shims to the portaudit db, which
> >are the direct result of the "stub" ports for Apache. I don't know who
> >maintains this, but it's obviously incomplete.
>
> Yes, they should be added.

Agreed, and someone should take the time to look at all the other Apache
stub ports to make sure they get added as well. An "egrep ^apache" on
the audit db returns quite a lot of entries -- I imagine some are
legacy/for classic purposes that don't apply to the "present-day" ports
system, but going through all the www/apache* ports that rely on
www/apache22 would be best.

-- 
| Jeremy Chadwick                                   jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                   Mountain View, CA, US |
| Making life hard for others since 1977.              PGP 4BD6C0CB |

From owner-freebsd-apache@FreeBSD.ORG Fri Sep 2 13:10:10 2011
Date: Fri, 2 Sep 2011 13:10:10 GMT
Message-Id: <201109021310.p82DAAvx080156@freefall.freebsd.org>
From: Chris Rees
To: apache@FreeBSD.org
Reply-To: Chris Rees
Subject: Re: ports/160381: [patch] www/apache22: update to 2.2.20

The following reply was made to PR ports/160381; it has been noted by GNATS.

From: Chris Rees
To: bug-followup@FreeBSD.org, Jo Rhett
Subject: Re: ports/160381: [patch] www/apache22: update to 2.2.20
Date: Fri, 2 Sep 2011 14:02:10 +0100

Hi Jo,

Certainly it could be considered, but please open new PR, email ports@
or apache@.

Thanks!

Chris

From owner-freebsd-apache@FreeBSD.ORG Fri Sep 2 15:33:41 2011
Date: Fri, 2 Sep 2011 08:33:35 -0700
From: Jo Rhett
To: Chris Rees
Cc: freebsd-apache@freebsd.org
Subject: Re: ports/160381: [patch] www/apache22: update to 2.2.20

>> If we're upgrading the port, can we consider fixing WITH_BDB_BASE ?

On Sep 2, 2011, at 6:02 AM, Chris Rees wrote:
> Certainly it could be considered, but please open new PR, email ports@
> or apache@.

I reported this problem on the mailing list months ago, and created a
PR 159608 as well. It's been out there with no activity.

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and
other randomness

From owner-freebsd-apache@FreeBSD.ORG Fri Sep 2 16:33:42 2011
Date: Fri, 2 Sep 2011 09:33:12 -0700
From: Jo Rhett
To: Chris Rees
Cc: freebsd-apache@FreeBSD.org
Message-Id: <26A9C6FF-C298-44C3-929E-D9FED1633970@netconsonance.com>
Subject: Re: ports/160381: [patch] www/apache22: update to 2.2.20

Since the option does not work, shouldn't you at least update
ports/UPDATING and the Makefile?

On Sep 2, 2011, at 9:20 AM, Chris Rees wrote:
> On 2 September 2011 16:33, Jo Rhett wrote:
>>>> If we're upgrading the port, can we consider fixing WITH_BDB_BASE ?
>> On Sep 2, 2011, at 6:02 AM, Chris Rees wrote:
>>> Certainly it could be considered, but please open new PR, email
>>> ports@ or apache@.
>
>> I reported this problem on the mailing list months ago, and created a
>> PR 159608 as well. It's been out there with no activity.
>
> I expect you're referring to:
>
> http://lists.freebsd.org/pipermail/freebsd-apache/2011-July/002397.html
>
> I'm sorry you haven't had a lot of luck with this, hopefully someone
> will be able to help. Unfortunately the apache team is a little
> stretched at the moment-- I'm sure they'll help when they can.
>
> Chris

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and
other randomness

From owner-freebsd-apache@FreeBSD.ORG Fri Sep 2 16:48:50 2011
Date: Fri, 2 Sep 2011 17:20:21 +0100
From: Chris Rees
To: Jo Rhett
Cc: freebsd-apache@freebsd.org
Subject: Re: ports/160381: [patch] www/apache22: update to 2.2.20

On 2 September 2011 16:33, Jo Rhett wrote:
>>> If we're upgrading the port, can we consider fixing WITH_BDB_BASE ?
> On Sep 2, 2011, at 6:02 AM, Chris Rees wrote:
>> Certainly it could be considered, but please open new PR, email ports@ or apache@.
> I reported this problem on the mailing list months ago, and created a PR 159608 as well. It's been out there with no activity.

I expect you're referring to:

http://lists.freebsd.org/pipermail/freebsd-apache/2011-July/002397.html

I'm sorry you haven't had a lot of luck with this, hopefully someone
will be able to help. Unfortunately the apache team is a little
stretched at the moment-- I'm sure they'll help when they can.

Chris

From owner-freebsd-apache@FreeBSD.ORG Fri Sep 2 17:06:32 2011
Date: Fri, 2 Sep 2011 18:06:01 +0100
From: Chris Rees
To: Jo Rhett
Cc: freebsd-apache@freebsd.org
In-Reply-To: <26A9C6FF-C298-44C3-929E-D9FED1633970@netconsonance.com>
Subject: Re: ports/160381: [patch] www/apache22: update to 2.2.20

On 2 September 2011 17:33, Jo Rhett wrote:
> Since the option does not work, shouldn't you at least update ports/UPDATING and the Makefile?
>

I just redirected you to the list because I noticed you'd replied to a
closed PR -- I'm afraid I'm not a member of apache@ and thus don't have
the intimate knowledge of the port needed to mess about with it, and
neither do I have authority to commit to it without authorisation.

Sorry.

Chris

From owner-freebsd-apache@FreeBSD.ORG Sat Sep 3 12:27:26 2011
Message-ID: <4E621D2C.2090204@FreeBSD.org>
Date: Sat, 03 Sep 2011 05:27:24 -0700
From: Doug Barton
Organization: http://SupersetSolutions.com/
To: freebsd-apache@FreeBSD.org
In-Reply-To: <4E621BDD.9000207@FreeBSD.org>
X-Forwarded-Message-Id: <4E621BDD.9000207@FreeBSD.org>
Subject: FreeBSD port(s) you maintain which are currently vulnerable

Howdy,

According to the latest portaudit database the following ports are
currently vulnerable. You maintain one or more of these ports. Please
consider one of the following courses of action:

1. Removing the port
2. Fixing the port
3. Allowing it to be returned to the ports@FreeBSD.org maintainer pool
   so that another interested party can take over maintenance of it.

If I haven't heard back from you in 1 week I plan to mark the port
FORBIDDEN with an expiration date of 2011-09-30.

To see how the port is vulnerable you can install ports-mgmt/portaudit,
run (as root) 'portaudit -Fa', then cd into the directory of the
affected port and run 'portaudit -C'.

Regards,

Doug

/usr/ports/archivers/pecl-phar
/usr/ports/databases/mysql323-server
/usr/ports/databases/mysql40-server
/usr/ports/devel/apr0
/usr/ports/devel/libsoup22
/usr/ports/dns/bind9-sdb-ldap
/usr/ports/dns/bind9-sdb-postgresql
/usr/ports/dns/nsd2
/usr/ports/editors/emacs21
/usr/ports/editors/openoffice.org-2
/usr/ports/ftp/wgetpro
/usr/ports/games/quake2forge
/usr/ports/graphics/linux-tiff
/usr/ports/japanese/mutt
/usr/ports/lang/php52
/usr/ports/lang/tcl82
/usr/ports/lang/tcl83
/usr/ports/mail/horde4-imp
/usr/ports/mail/libspf2-10
/usr/ports/net-mgmt/nagios2
/usr/ports/net/asterisk14
/usr/ports/net/isc-dhcp31-client
/usr/ports/russian/apache13
/usr/ports/russian/apache13-modssl
/usr/ports/security/gnutls-devel
/usr/ports/security/stunnel
/usr/ports/sysutils/dtc
/usr/ports/sysutils/syslog-ng
/usr/ports/textproc/kn-aspell
/usr/ports/textproc/ky-aspell
/usr/ports/www/apache13-ssl
/usr/ports/www/apache20
/usr/ports/www/gforge
/usr/ports/www/linux-flashplugin7
/usr/ports/www/mediawiki115
/usr/ports/www/opera-devel
/usr/ports/www/plone3
/usr/ports/www/pyblosxom
/usr/ports/www/seamonkey2
/usr/ports/www/serendipity-devel
/usr/ports/www/ziproxy
/usr/ports/x11-toolkits/linux-pango
/usr/ports/x11-toolkits/tk82
/usr/ports/x11-toolkits/tk83

-- 
	Nothin' ever doesn't change, but nothin' changes much.
			-- OK Go

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price.  :)  http://SupersetSolutions.com/
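The two portaudit failure modes in the "Install apache-2.2.20" thread above (a vuxml range with no upper bound, which flagged the fixed 2.2.20, and a slave port such as apache-itk that no entry names at all, which is why Jeremy Chadwick's 2.2.19 install stayed silent) both come down to how one auditfile line is matched against an installed package name-version string; that matching is also what the 'portaudit -Fa' step in Doug Barton's message runs over the package list. The Python below is an added illustration written for this page, not portaudit's or vuxml's own code. It parses the auditfile line format shown in the thread (pkgspec|url|description) with a deliberately simplified version comparison and an assumed reading of the "2.*" glob (treated as the floor of the 2.x series in a lower bound). The sample lines are constructed: AUDIT_FIXED is the corrected entry quoted in the thread; AUDIT_BUGGY is what an entry carrying only <gt>2.*</gt> would produce (an assumption about the first revision); AUDIT_SLAVE is a hypothetical entry naming apache-itk that the thread asks for but which did not exist. The function names (split_pkg, compare_versions, matches, audit) and the installed-package list are likewise the example's own.

```python
import fnmatch
import re

# Constructed sample auditfile lines (format: pkgspec|url|description).
# AUDIT_FIXED is the corrected entry quoted in the thread.  AUDIT_BUGGY is what
# an entry with only <gt>2.*</gt> and no <lt> would produce (assumption).
# AUDIT_SLAVE is a hypothetical entry naming the apache-itk slave port; nothing
# like it existed in the database at the time of the thread.
URL = "http://portaudit.FreeBSD.org/7f6108d2-cea8-11e0-9d58-0800279895ea.html"
DESC = "apache -- Range header DoS vulnerability"
AUDIT_FIXED = f"apache>2.*<2.2.20|{URL}|{DESC}"
AUDIT_BUGGY = f"apache>2.*|{URL}|{DESC}"
AUDIT_SLAVE = f"apache-itk>2.*<2.2.20|{URL}|{DESC}"

# A pkgspec is a package name followed by zero or more "<op><version>" terms.
SPEC_RE = re.compile(r"^(.*?)((?:(?:<=|>=|<|>|=)[^<>=]+)*)$")
TERM_RE = re.compile(r"(<=|>=|<|>|=)([^<>=]+)")


def split_pkg(pkg):
    """'apache-itk-2.2.19' -> ('apache-itk', '2.2.19'); the version follows the last '-'."""
    name, _, version = pkg.rpartition("-")
    return name, version


def _components(version):
    """Simplified FreeBSD ordering: epoch after ',', dotted parts, portrevision after '_'.
    Numeric parts compare as integers; anything else compares as a string after all numbers."""
    base, _, epoch = version.partition(",")
    base, _, rev = base.partition("_")
    parts = [(0, int(p)) if p.isdigit() else (1, p) for p in base.split(".")]
    return int(epoch or 0), parts, int(rev or 0)


def compare_versions(a, b):
    """Return -1, 0 or 1 in the same sense as pkg_version -t.  Simplification: no letter
    suffixes, '+' or 'pl' forms; a shorter version sorts before a longer one with the same prefix."""
    ea, pa, ra = _components(a)
    eb, pb, rb = _components(b)
    for x, y in ((ea, eb), *zip(pa, pb), (len(pa), len(pb)), (ra, rb)):
        if x != y:
            return -1 if x < y else 1
    return 0


def _bound(op, pattern):
    """Assumed glob semantics for ordered terms: '2.*' is the floor of the 2.x series in a
    lower bound and its ceiling in an upper bound.  portaudit's real glob handling is not reproduced."""
    if pattern.endswith(".*"):
        return pattern[:-2] + (".0" if op in (">", ">=") else ".99999999")
    return pattern


def matches(pkg, spec):
    """True if the installed package 'name-version' satisfies every term of the pkgspec."""
    name, version = split_pkg(pkg)
    spec_name, terms = SPEC_RE.match(spec).groups()
    if spec_name != name:            # exact name match: 'apache' never covers 'apache-itk'
        return False
    for op, pattern in TERM_RE.findall(terms):
        if op == "=" and "*" in pattern:
            ok = fnmatch.fnmatchcase(version, pattern)
        else:
            c = compare_versions(version, _bound(op, pattern))
            ok = {"<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0, "=": c == 0}[op]
        if not ok:
            return False
    return True


def audit(installed, auditfile_lines):
    """Return [(pkg, description)] for every installed package hit by an auditfile entry,
    in auditfile order: the check 'portaudit -a' performs over the pkg_info package list."""
    hits = []
    for line in auditfile_lines:
        spec, _url, desc = line.split("|", 2)
        hits.extend((pkg, desc) for pkg in installed if matches(pkg, spec))
    return hits


if __name__ == "__main__":
    # Constructed installed-package list modelled on the two hosts in the thread.
    installed = ["apache-2.2.20", "apache-2.2.19", "apache-itk-2.2.19", "php5-5.3.6"]
    for label, db in (("buggy", [AUDIT_BUGGY]), ("fixed", [AUDIT_FIXED]),
                      ("fixed+slave", [AUDIT_FIXED, AUDIT_SLAVE])):
        print(f"{label:12s} flags {[pkg for pkg, _ in audit(installed, db)]}")
```

Run stand-alone it prints three lists: the open-ended range flags both 2.2.19 and the fixed 2.2.20, the corrected range flags only 2.2.19, and apache-itk-2.2.19 is flagged only once an entry carries its own package name. The name comparison is deliberately exact, which is the point of the thread's second problem: a vuxml entry for "apache" says nothing about a slave port whose package name differs, so each stub port needs its own <name> in the entry.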