From owner-freebsd-apache@FreeBSD.ORG Mon Nov 28 11:06:24 2011
From: FreeBSD bugmaster
To: apache@FreeBSD.org
Date: Mon, 28 Nov 2011 11:06:22 GMT
Message-Id: <201111281106.pASB6MSx040605@freefall.freebsd.org>
Subject: Current problem reports assigned to apache@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
f ports/162814 apache     [patch] www/mod_rivet -- update to 2.0.4
f ports/162080 apache     [PATCH] devel/apr1: Improved decision IPv6
o ports/161758 apache     www/mod_rpaf2: slave seperation and Apache22+ limitati
o ports/160702 apache     devel/apr1: CLANG build produces unusable library for
o ports/159812 apache     [PATCH] www/apache20,www/apache22 Strip Binaries
o ports/159608 apache     www/apache22: apache WITH_BDB_BASE settings described
o ports/158565 apache     www/apache22: Add rlimits based on login class for mpm
o ports/157554 apache     www/apache22: Apache RLimitNPROC does not work as inte
o ports/156987 apache     www/apache22: Harden SSL cipher suites strength and SS
o ports/156787 apache     www/mod_auth_kerb2 fails on undefined symbol with base
f ports/156719 apache     ab: apr_socket_recv: Connection reset by peer (54)
o ports/156251 apache     [PATCH] Enable module by default for www/mod_fastcgi
o ports/153406 apache     www/apache22's SUEXEC_RSRCLIMIT option does not take e
o ports/153264 apache     www/apache22 and apache13-modssl -- rc.d script improv
o ports/147806 apache     [PATCH] www/apache20: httpd doesn't start with WITH_LD
o ports/147282 apache     errors when starting www/apache22 after installation o
o ports/146199 apache     www/apache20: port does not use make config
o ports/144010 apache     devel/apr1 tries to use SYSVIPC even in jails
o ports/137729 apache     www/mod_auth_kerb2 port broken on 8.0-BETA2 due to sec
o ports/130479 apache     www/apache20 and www/apache22 configure_args busted
o ports/125183 apache     www/apache22 wrong SUEXEC_DOCROOT
o ports/124375 apache     security/heimdal: www/mod_auth_kerb doesn't compile ag
s ports/108169 apache     www/apache20 wrong AP_SAFE_PATH for suEXEC

23 problems total.
From owner-freebsd-apache@FreeBSD.ORG Mon Nov 28 14:41:27 2011
From: Martin Wilke
To: apache@FreeBSD.org
Date: Mon, 28 Nov 2011 22:13:17 +0000
Message-ID: <4ED4077D.4080308@gmail.com>
Subject: further proxy/rewrite URL validation security issue

Hoi,

can someone please have a look here,

http://marc.info/?l=apache-httpd-dev&m=132205829523882&w=2

- martin

From owner-freebsd-apache@FreeBSD.ORG Mon Nov 28 16:47:31 2011
From: Jeremy Chadwick
To: Martin Wilke
Cc: freebsd-apache@FreeBSD.org
Date: Mon, 28 Nov 2011 08:47:29 -0800
Message-ID: <20111128164729.GA8555@icarus.home.lan>
In-Reply-To: <4ED4077D.4080308@gmail.com>
Subject: Re: further proxy/rewrite URL validation security issue

On Mon, Nov 28, 2011 at 10:13:17PM +0000, Martin Wilke wrote:
> can someone please have a look here,
>
> http://marc.info/?l=apache-httpd-dev&m=132205829523882&w=2
>
> - martin

As was analysed by many people on Slashdot:

http://apache.slashdot.org/story/11/11/28/0335213/apache-flaw-allows-internal-network-access

1. you have to be using reverse proxy mode
2. you have to have misconfigured rewrite rules
3. you have to actually have some internal resources that are private
4. you have to be attacked by somebody who knows how to access these private resources
5. they have to do something with those resources (perhaps just read)
6. you have to actually care that all of this just happened

Though it's still something that should be fixed, it is not "oh my god
this is huge/major/gigantic". The way it's being handled by news sites
and so on makes it sound drastic.

For the workaround, look very closely at the "proper" ruleset at the
bottom -- note the extra slash:

https://community.qualys.com/blogs/securitylabs/2011/11/23/apache-reverse-proxy-bypass-issue

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                   Mountain View, CA, US |
| Making life hard for others since 1977.              PGP 4BD6C0CB |
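To make the "extra slash" point concrete, here is an added Python illustration (not code from Jeremy's mail, the Qualys post or the Apache project): it models mod_rewrite's $1 substitution for a constructed proxying rule written with and without a slash between the backend host and $1, and lints which form keeps every request pinned to the intended backend host. The backend name, both rule strings and the sample request-URIs are all constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed backend name and two (regex, substitution) rules modelled on the
# proxying pattern the thread refers to; they are examples, not a real config.
BACKEND_HOST = "backend.internal"
WEAK_RULE = (r"^(.*)", "http://backend.internal$1")    # nothing between host and $1
FIXED_RULE = (r"^(.*)", "http://backend.internal/$1")  # the slash terminates the authority part


def expand_rule(rule, request_uri):
    """Model mod_rewrite substitution: match the regex, expand $1 into the target.
    Returns None when the pattern does not match."""
    pattern, target = rule
    m = re.match(pattern, request_uri)
    if m is None:
        return None
    return target.replace("$1", m.group(1))


def proxied_host(rule, request_uri):
    """Host the expanded target URL would actually be proxied to."""
    url = expand_rule(rule, request_uri)
    return urlsplit(url).hostname if url else None


def rule_pins_backend(rule, request_uris):
    """Lint check: True only if every sample request still lands on BACKEND_HOST.
    A rule that fails lets the request-URI alter the authority part of the target."""
    return all(proxied_host(rule, u) == BACKEND_HOST for u in request_uris)


# Constructed sample request-URIs: ordinary origin-form requests plus one that
# lacks the leading '/'. With the weak rule that input is glued straight onto the
# hostname; with the fixed rule it can only ever become part of the path (at the
# cost of a harmless double slash for ordinary requests).
SAMPLE_URIS = ["/", "/index.html", "/app/login?next=%2F", "other.host/"]

if __name__ == "__main__":
    for name, rule in (("weak", WEAK_RULE), ("fixed", FIXED_RULE)):
        for uri in SAMPLE_URIS:
            print(f"{name:5} {uri!r:22} -> {expand_rule(rule, uri)}")
        print(f"{name:5} pins backend: {rule_pins_backend(rule, SAMPLE_URIS)}")
```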
From owner-freebsd-apache@FreeBSD.ORG Mon Nov 28 17:35:55 2011
From: Martin Wilke
Reply-To: miwi@FreeBSD.org
Organization: FreeBSD
To: Jeremy Chadwick
Cc: freebsd-apache@FreeBSD.org
Date: Tue, 29 Nov 2011 01:03:19 +0000
Message-ID: <4ED42F57.9010003@FreeBSD.org>
In-Reply-To: <20111128164729.GA8555@icarus.home.lan>
Subject: Re: further proxy/rewrite URL validation security issue

On 11/28/2011 16:47, Jeremy Chadwick wrote:
> On Mon, Nov 28, 2011 at 10:13:17PM +0000, Martin Wilke wrote:
>> can someone please have a look here,
>>
>> http://marc.info/?l=apache-httpd-dev&m=132205829523882&w=2
>>
>> - martin
> As was analysed by many people on Slashdot:
>
> http://apache.slashdot.org/story/11/11/28/0335213/apache-flaw-allows-internal-network-access
>
> 1. you have to be using reverse proxy mode
> 2. you have to have misconfigured rewrite rules
> 3. you have to actually have some internal resources that are private
> 4. you have to be attacked by somebody who knows how to access these private resources
> 5. they have to do something with those resources (perhaps just read)
> 6. you have to actually care that all of this just happened
>
> Though it's still something that should be fixed, it is not "oh my god
> this is huge/major/gigantic". The way it's being handled by news sites
> and so on makes it sound drastic.
>
> For the workaround, look very closely at the "proper" ruleset at the
> bottom -- note the extra slash:
>
> https://community.qualys.com/blogs/securitylabs/2011/11/23/apache-reverse-proxy-bypass-issue
>

Hi Jeremy,

Thx for the explanation :).
- Martin

-- 
+-----------------oOO--(_)--OOo-------------------------+
With best Regards,
Martin Wilke (miwi_(at)_FreeBSD.org)
Mess with the Best, Die like the Rest

From owner-freebsd-apache@FreeBSD.ORG Fri Dec 2 03:09:35 2011
From: "Recky@pt-STARSAFETY.com"
Reply-To: recky@pt-starsafety.com
To: "apache@freebsd.org"
Date: Fri, 02 Dec 2011 08:55:22 +0800
Subject: Training & Certification

Dear Sir/Madam,

Below is the schedule of Training & Certification to be held by STARSAFETY:

1. Training & Evaluation for Appointment of General Occupational Health & Safety Expert (AK3 Umum)
   Date       : 14 - 24 December 2011
   Time       : 08.30 - 16.00
   Venue      : Hotel Satelit Surabaya - East Java
   Investment : Rp. 8.320.000

1. Training & Evaluation for Appointment of General Occupational Health & Safety Expert (AK3 Umum)
   Date       : 7 - 17 December 2011
   Time       : 08.30 - 16.00
   Venue      : Hotel Herly Balikpapan - East Kalimantan
   Investment : Rp. 7.520.000

   Facilities:
   Certificate, Skep (decree) and ID issued by the Ministry of Manpower and Transmigration of the Republic of Indonesia.
   Training kit, backpack, module
   Lunch & 2 coffee breaks

2. Safety Officer Development Program (SODP)
   Date       : 7 December 2011 - 7 February 2011 (1 month theoretical & 1 month work practice)
   Time       : 08.30 - 16.00
   Venue      : Hotel Herly Balikpapan & STARSAFETY classrooms - East Kalimantan
   Investment : Rp. 25.000.000

   Facilities:
   Certificate, Skep (decree) and ID issued by the Ministry of Manpower and Transmigration of the Republic of Indonesia.
   Includes 15 training certificates (Integrated ISO 9000, 14000 & ISO 18001, First Aid, Basic Fire, Basic Safety, Schematic Cause Analysis Technique, Sea Survival, Safety Behavior, etc.)
   Training kit, backpack, module, safety shoes, safety helmet, goggles, overall, etc.

Note: All training is non-residential.

Regards

Recky HM
Corporate Business Development & Training Manager

Ph. +62 21 70996506
M.  +62 811 596677