From owner-freebsd-apache@FreeBSD.ORG Mon Jan 30 11:06:24 2012
Date: Mon, 30 Jan 2012 11:06:23 GMT
Message-Id: <201201301106.q0UB6Nwr004716@freefall.freebsd.org>
From: FreeBSD bugmaster
To: apache@FreeBSD.org
Subject: Current problem reports assigned to apache@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
f ports/162080 apache     [PATCH] devel/apr1: Improved decision IPv6
o ports/159812 apache     [PATCH] www/apache20,www/apache22 Strip Binaries
o ports/159608 apache     www/apache22: apache WITH_BDB_BASE settings described
o ports/158565 apache     www/apache22: Add rlimits based on login class for mpm
o ports/157554 apache     www/apache22: Apache RLimitNPROC does not work as inte
o ports/156787 apache     www/mod_auth_kerb2 fails on undefined symbol with base
f ports/156719 apache     ab: apr_socket_recv: Connection reset by peer (54)
o ports/153406 apache     www/apache22's SUEXEC_RSRCLIMIT option does not take e
o ports/153264 apache     www/apache22 and apache13-modssl -- rc.d script improv
o ports/147806 apache     [PATCH] www/apache20: httpd doesn't start with WITH_LD
o ports/147282 apache     errors when starting www/apache22 after installation o
o ports/146199 apache     www/apache20: port does not use make config
o ports/144010 apache     devel/apr1 tries to use SYSVIPC even in jails
o ports/137729 apache     www/mod_auth_kerb2 port broken on 8.0-BETA2 due to sec
o ports/130479 apache     www/apache20 and www/apache22 configure_args busted
o ports/125183 apache     www/apache22 wrong SUEXEC_DOCROOT
o ports/124375 apache     security/heimdal: www/mod_auth_kerb doesn't compile ag
s ports/108169 apache     www/apache20 wrong AP_SAFE_PATH for suEXEC

18 problems total.

From owner-freebsd-apache@FreeBSD.ORG Wed Feb 1 00:11:56 2012
Date: Wed, 1 Feb 2012 00:11:55 GMT
Message-Id: <201202010011.q110Btm0002906@freefall.freebsd.org>
To: FreeBSD-gnats-submit@freebsd.org
From: Jason Helfman
X-send-pr-version: 3.113
X-GNATS-Notify: apache@freebsd.org
Cc: apache@freebsd.org
Reply-To: Jason Helfman
Subject: www/apache22: update to 2.2.22 (addresses multiple CVE reports)

>Submitter-Id:	current-users
>Originator:	Jason Helfman
>Organization:
>Confidential:	no
>Synopsis:	www/apache22: update to 2.2.22 (addresses multiple CVE reports)
>Severity:	critical
>Priority:	high
>Category:	ports
>Class:		change-request
>Release:	FreeBSD 8.2-STABLE i386
>Environment:
System: FreeBSD freefall.freebsd.org 8.2-STABLE FreeBSD 8.2-STABLE #5 r227907: Wed Nov 23 21:55:50 UTC 2011 simon@freefall.freebsd.org:/usr/obj/usr/src/sys/FREEFALL i386
>Description:
Update to 2.2.22

Buildlog: http://people.freebsd.org/~jgh/files/apache-2.2.22.log
>How-To-Repeat:
>Fix:
Index: Makefile
===================================================================
RCS file: /home/pcvs/ports/www/apache22/Makefile,v
retrieving revision 1.294
diff -u -r1.294 Makefile
--- Makefile	23 Sep 2011 22:25:53 -0000	1.294
+++ Makefile	1 Feb 2012 00:05:53 -0000
@@ -8,7 +8,7 @@
# PORTNAME= apache -PORTVERSION= 2.2.21 +PORTVERSION= 2.2.22 #PORTREVISION= 1 CATEGORIES= www MASTER_SITES= ${MASTER_SITE_APACHE_HTTPD}
Index: Makefile.doc
===================================================================
RCS file: /home/pcvs/ports/www/apache22/Makefile.doc,v
retrieving revision 1.15
diff -u -r1.15 Makefile.doc
--- Makefile.doc	31 Mar 2011 17:00:36 -0000	1.15
+++ Makefile.doc	1 Feb 2012 00:05:53 -0000
@@ -102,7 +102,7 @@
MAKE_ENV+= NOPORTDOCS=yes .endif -MAN1= dbmmanage.1 htdigest.1 htpasswd.1 htdbm.1 -MAN8= ab.8 apachectl.8 apxs.8 httpd.8 logresolve.8 rotatelogs.8 suexec.8 htcacheclean.8 +MAN1= ab.1 apxs.1 dbmmanage.1 htdbm.1 htdigest.1 htpasswd.1 httxt2dbm.1 logresolve.1 +MAN8= apachectl.8 htcacheclean.8 httpd.8 rotatelogs.8 suexec.8 PORTDOCS= * #don't blame me ;-)
Index: distinfo
===================================================================
RCS file: /home/pcvs/ports/www/apache22/distinfo,v
retrieving revision 1.86
diff -u -r1.86 distinfo
--- distinfo	15 Sep 2011 05:00:28 -0000	1.86
+++ distinfo	1 Feb 2012 00:05:53 -0000
@@ -1,2 +1,2 @@
-SHA256 (apache22/httpd-2.2.21.tar.bz2) = 18d5591fe48cfbac44fc20316036ffe17456df60bc3a2aaad238d56c6445577f -SIZE (apache22/httpd-2.2.21.tar.bz2) = 5324905 +SHA256 (apache22/httpd-2.2.22.tar.bz2) = dcdc9f1dc722f84798caf69d69dca78daa5e09a4269060045aeca7e4f44cb231 +SIZE (apache22/httpd-2.2.22.tar.bz2) = 5378934
Index: files/patch-Makefile.in
===================================================================
RCS file: /home/pcvs/ports/www/apache22/files/patch-Makefile.in,v
retrieving revision 1.25
diff -u -r1.25 patch-Makefile.in
--- files/patch-Makefile.in	7 May 2010 03:15:44 -0000	1.25
+++ files/patch-Makefile.in	1 Feb 2012 00:05:53 -0000
@@ -96,10 +96,10 @@
@test -d $(DESTDIR)$(manualdir) || $(MKINSTALLDIRS) $(DESTDIR)$(manualdir) - @cp -p $(top_srcdir)/docs/man/*.1 $(DESTDIR)$(mandir)/man1 - @cp -p $(top_srcdir)/docs/man/*.8 $(DESTDIR)$(mandir)/man8 -+ for i in dbmmanage htdbm htdigest htpasswd; do \ ++ for i in ab apxs dbmmanage htdbm htdigest htpasswd httxt2dbm logresolve; do \ + ${INSTALL_MAN} $(top_srcdir)/docs/man/$$i.1 $(DESTDIR)$(mandir)/man1; \ + done -+ for i in ab apachectl apxs htcacheclean httpd logresolve rotatelogs suexec; do \ ++ for i in apachectl htcacheclean httpd rotatelogs suexec; do \ + ${INSTALL_MAN} $(top_srcdir)/docs/man/$$i.8 $(DESTDIR)$(mandir)/man8; \ + done +.if !defined(NOPORTDOCS)
Index: files/patch-docs__conf__extra__httpd-ssl.conf.in
===================================================================
RCS file: /home/pcvs/ports/www/apache22/files/patch-docs__conf__extra__httpd-ssl.conf.in,v
retrieving revision 1.3
diff -u -r1.3 patch-docs__conf__extra__httpd-ssl.conf.in
--- files/patch-docs__conf__extra__httpd-ssl.conf.in	23 Jan 2012 23:24:38 -0000	1.3
+++ files/patch-docs__conf__extra__httpd-ssl.conf.in	1 Feb 2012 00:05:53 -0000
@@ -1,58 +1,22 @@
---- ./docs/conf/extra/httpd-ssl.conf.in.orig 2008-02-04 23:00:07.000000000 +0000 -+++ ./docs/conf/extra/httpd-ssl.conf.in 2012-01-23 23:20:06.446390870 +0000 -@@ -77,17 +77,35 @@ +--- ./docs/conf/extra/httpd-ssl.conf.in.orig 2012-01-31 15:16:43.000000000 -0800 ++++ ./docs/conf/extra/httpd-ssl.conf.in 2012-01-31 15:17:47.000000000 -0800 +@@ -77,8 +77,8 @@ DocumentRoot "@exp_htdocsdir@" ServerName www.example.com:@@SSLPort@@ ServerAdmin you@example.com -ErrorLog "@exp_logfiledir@/error_log" -TransferLog "@exp_logfiledir@/access_log" -+ErrorLog "@exp_logfiledir@/httpd-error.log" -+TransferLog "@exp_logfiledir@/httpd-access.log" ++ErrorLog "@exp_logfiledir@/httpd-error_log" ++TransferLog "@exp_logfiledir@/httpd-access_log" # SSL Engine Switch: # Enable/Disable SSL for this virtual host. - SSLEngine on - -+# SSL Protocol support: -+# List the protocol versions which clients are allowed to -+# connect with. Disable SSLv2 by default (cf. RFC 6176). -+SSLProtocol all -SSLv2 -+ - # SSL Cipher Suite: - # List the ciphers that the client is permitted to negotiate. - # See the mod_ssl documentation for a complete list. --SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL -+SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 -+ -+# Speed-optimized SSL Cipher configuration: -+# If speed is your main concern (on busy HTTPS servers e.g.), -+# you might want to force clients to specific, performance -+# optimized ciphers. In this case, prepend those ciphers -+# to the SSLCipherSuite list, and enable SSLHonorCipherOrder. -+# Caveat: by giving precedence to RC4-SHA and AES128-SHA -+# (as in the example below), most connections will no longer -+# have perfect forward secrecy - if the server's key is -+# compromised, captures of past or future traffic must be -+# considered compromised, too.
-+#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5 -+#SSLHonorCipherOrder on - - # Server Certificate: - # Point SSLCertificateFile at a PEM encoded certificate. If -@@ -218,14 +236,14 @@ - # Similarly, one has to force some clients to use HTTP/1.0 to workaround - # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and - # "force-response-1.0" for this. --BrowserMatch ".*MSIE.*" \ -+BrowserMatch "MSIE [2-5]" \ - nokeepalive ssl-unclean-shutdown \ - downgrade-1.0 force-response-1.0 - +@@ -243,7 +243,7 @@ # Per-Server Logging: # The home of a custom SSL log file. Use this when you want a # compact non-error SSL logfile on a virtual host basis. -CustomLog "@exp_logfiledir@/ssl_request_log" \ -+CustomLog "@exp_logfiledir@/httpd-ssl_request.log" \ ++CustomLog "@exp_logfiledir@/httpd-ssl_request_log" \ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
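Review bot: the Subject and >Synopsis: say this update addresses multiple CVE reports, but >Description: above the Makefile hunk says only "Update to 2.2.22" and the PORTVERSION bump itself carries no reference; list the CVE identifiers, or point at the vuxml entry, in the description and in the commit message so that the security content of the bump is traceable from the port history.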
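Review bot: the PR description does not mention that the Makefile.doc hunk changes man sections: ab, apxs and logresolve move from MAN8 to MAN1 and httxt2dbm.1 is new. That agrees with the two for-lists in the files/patch-Makefile.in hunk, but say in the description that the 2.2.22 tarball ships docs/man/ab.1, apxs.1, logresolve.1 and httxt2dbm.1 (the linked build log should show them being installed), because the install loop now fails if any of them is absent and users looking for ab(8) or apxs(8) will find the pages moved.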
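Review bot: the PR does not say how the new SHA256 and SIZE in the distinfo hunk were obtained. A checksum regenerated from a locally fetched httpd-2.2.22.tar.bz2 only pins whatever was downloaded; compare it against the checksum or PGP signature published by the upstream project for the release before committing, otherwise distinfo cannot catch a tampered or mis-mirrored distfile, which matters most on a security update.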
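Review bot: in the files/patch-Makefile.in hunk, unless the recipe runs under a shell with errexit set, an ${INSTALL_MAN} failure on any page but the last in either for-loop is masked, because the loop's exit status is that of its final iteration and that is all make sees. Since both for-lists are being rewritten anyway, append `|| exit 1` to the two `${INSTALL_MAN} ... ; \` lines so a page missing from the tarball aborts the install instead of producing a package with a silently absent man page.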
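Review bot: the files/patch-docs__conf__extra__httpd-ssl.conf.in hunk goes beyond the version bump: it deletes the port's local hardening of the sample SSL config (the added `SSLProtocol all -SSLv2`, the replacement of the stock `SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL` with `HIGH:MEDIUM:!aNULL:!MD5`, and the narrowed `BrowserMatch "MSIE [2-5]"`) and renames the default log files from httpd-error.log, httpd-access.log and httpd-ssl_request.log to the _log forms. Dropping those lines returns the shipped sample to accepting SSLv2 and the LOW, EXP and eNULL suites, which is the change Philip objects to downthread, and the rename breaks any log rotation set up for the current names. Leave this file at revision 1.3; if its context no longer applies to 2.2.22, regenerate it with those lines preserved.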
From owner-freebsd-apache@FreeBSD.ORG Wed Feb 1 00:20:11 2012
Resent-Date: Wed, 1 Feb 2012 00:20:10 GMT
Resent-Message-Id: <201202010020.q110KASM004861@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@freebsd.org (GNATS Filer)
Resent-To: freebsd-ports-bugs@FreeBSD.org
Resent-Cc: apache@freebsd.org
Resent-Reply-To: FreeBSD-gnats-submit@freebsd.org, Jason Helfman
Message-Id: <201202010011.q110Btm0002906@freefall.freebsd.org>
Date: Wed, 1 Feb 2012 00:11:55 GMT
From: Jason Helfman
To: FreeBSD-gnats-submit@freebsd.org
Cc: apache@freebsd.org
Reply-To: Jason Helfman
Subject: ports/164675: www/apache22: update to 2.2.22 (addresses multiple CVE reports)

>Number:         164675
>Category:       ports
>Synopsis:       www/apache22: update to 2.2.22 (addresses multiple CVE reports)
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Feb 01 00:20:10 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     Jason Helfman
>Release:        FreeBSD 8.2-STABLE i386
>Organization:
>Environment:
System: FreeBSD freefall.freebsd.org 8.2-STABLE FreeBSD 8.2-STABLE #5 r227907: Wed Nov 23 21:55:50 UTC 2011 simon@freefall.freebsd.org:/usr/obj/usr/src/sys/FREEFALL i386
>Description:
Update to 2.2.22

Buildlog: http://people.freebsd.org/~jgh/files/apache-2.2.22.log
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:

From owner-freebsd-apache@FreeBSD.ORG Wed Feb 1 00:20:21 2012
Date: Wed, 1 Feb 2012 00:20:21 GMT
Message-Id: <201202010020.q110KLdi005112@freefall.freebsd.org>
To: apache@freebsd.org, edwin@FreeBSD.org, freebsd-ports-bugs@FreeBSD.org, apache@FreeBSD.org
From: edwin@FreeBSD.org
Subject: Re: ports/164675: www/apache22: update to 2.2.22 (addresses multiple CVE reports)

Synopsis: www/apache22: update to 2.2.22 (addresses multiple CVE reports)

Responsible-Changed-From-To: freebsd-ports-bugs->apache
Responsible-Changed-By: edwin
Responsible-Changed-When: Wed Feb 1 00:20:20 UTC 2012
Responsible-Changed-Why:
Over to maintainer (via the GNATS Auto Assign Tool)

http://www.freebsd.org/cgi/query-pr.cgi?pr=164675

From owner-freebsd-apache@FreeBSD.ORG Wed Feb 1 01:00:30 2012
Date: Wed, 1 Feb 2012 01:00:30 GMT
Message-Id: <201202010100.q1110UK4040971@freefall.freebsd.org>
To: apache@FreeBSD.org
From: Jason Helfman
Reply-To: Jason Helfman
Subject: Re: ports/164675: www/apache22: update to 2.2.22 (addresses multiple CVE reports)

The following reply was made to PR ports/164675; it has been noted by GNATS.

From: Jason Helfman
To: bug-followup@freebsd.org
Cc:
Subject: Re: ports/164675: www/apache22: update to 2.2.22 (addresses multiple CVE reports)
Date: Tue, 31 Jan 2012 16:50:51 -0800

 here is the vuxml:
 http://people.freebsd.org/~jgh/files/vuln.xml.patch.txt

 -jgh

 --
 Jason Helfman | FreeBSD Committer
 jgh@FreeBSD.org | http://people.freebsd.org/~jgh

From owner-freebsd-apache@FreeBSD.ORG Wed Feb 1 02:47:01 2012
Message-ID: <4F28A12D.2080504@p6m7g8.com>
Date: Tue, 31 Jan 2012 21:19:25 -0500
From: "Philip M. Gollucci"
Organization: P6M7G8 Inc.
To: Jason Helfman
References: <201202010011.q110Btm0002906@freefall.freebsd.org>
In-Reply-To: <201202010011.q110Btm0002906@freefall.freebsd.org>
Cc: FreeBSD-gnats-submit@freebsd.org, apache@freebsd.org
Subject: Re: www/apache22: update to 2.2.22 (addresses multiple CVE reports)

Do not change this file. You're reverting a local change we've pulled from trunk svn for security.

Please commit the rest of the patch with my review / hat.

> ===================================================================
> RCS file: /home/pcvs/ports/www/apache22/files/patch-docs__conf__extra__httpd-ssl.conf.in,v
> retrieving revision 1.3
> diff -u -r1.3 patch-docs__conf__extra__httpd-ssl.conf.in
> --- files/patch-docs__conf__extra__httpd-ssl.conf.in	23 Jan 2012 23:24:38 -0000	1.3
> +++ files/patch-docs__conf__extra__httpd-ssl.conf.in	1 Feb 2012 00:05:53 -0000
> @@ -1,58 +1,22 @@ > ---- ./docs/conf/extra/httpd-ssl.conf.in.orig 2008-02-04 23:00:07.000000000 +0000 > -+++ ./docs/conf/extra/httpd-ssl.conf.in 2012-01-23 23:20:06.446390870 +0000 > -@@ -77,17 +77,35 @@ > +--- ./docs/conf/extra/httpd-ssl.conf.in.orig 2012-01-31 15:16:43.000000000 -0800 > ++++ ./docs/conf/extra/httpd-ssl.conf.in 2012-01-31 15:17:47.000000000 -0800 > +@@ -77,8 +77,8 @@ > DocumentRoot "@exp_htdocsdir@" > ServerName www.example.com:@@SSLPort@@ > ServerAdmin you@example.com > -ErrorLog "@exp_logfiledir@/error_log" > -TransferLog "@exp_logfiledir@/access_log" > -+ErrorLog "@exp_logfiledir@/httpd-error.log" > -+TransferLog "@exp_logfiledir@/httpd-access.log" > ++ErrorLog "@exp_logfiledir@/httpd-error_log" > ++TransferLog "@exp_logfiledir@/httpd-access_log" > > # SSL Engine Switch: > # Enable/Disable SSL for this virtual host. > - SSLEngine on > - > -+# SSL Protocol support: > -+# List the protocol versions which clients are allowed to > -+# connect with. Disable SSLv2 by default (cf. RFC 6176). > -+SSLProtocol all -SSLv2 > -+ > - # SSL Cipher Suite: > - # List the ciphers that the client is permitted to negotiate. > - # See the mod_ssl documentation for a complete list. > --SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL > -+SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 > -+ > -+# Speed-optimized SSL Cipher configuration: > -+# If speed is your main concern (on busy HTTPS servers e.g.), > -+# you might want to force clients to specific, performance > -+# optimized ciphers. In this case, prepend those ciphers > -+# to the SSLCipherSuite list, and enable SSLHonorCipherOrder. > -+# Caveat: by giving precedence to RC4-SHA and AES128-SHA > -+# (as in the example below), most connections will no longer > -+# have perfect forward secrecy - if the server's key is > -+# compromised, captures of past or future traffic must be > -+# considered compromised, too. 
> -+#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5 > -+#SSLHonorCipherOrder on > - > - # Server Certificate: > - # Point SSLCertificateFile at a PEM encoded certificate. If > -@@ -218,14 +236,14 @@ > - # Similarly, one has to force some clients to use HTTP/1.0 to workaround > - # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and > - # "force-response-1.0" for this. > --BrowserMatch ".*MSIE.*" \ > -+BrowserMatch "MSIE [2-5]" \ > - nokeepalive ssl-unclean-shutdown \ > - downgrade-1.0 force-response-1.0 > - > +@@ -243,7 +243,7 @@ > # Per-Server Logging: > # The home of a custom SSL log file. Use this when you want a > # compact non-error SSL logfile on a virtual host basis. > -CustomLog "@exp_logfiledir@/ssl_request_log" \ > -+CustomLog "@exp_logfiledir@/httpd-ssl_request.log" \ > ++CustomLog "@exp_logfiledir@/httpd-ssl_request_log" \ > "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

--
------------------------------------------------------------------------
1024D/DB9B8C1C B90B FBC3 A3A1 C71A 8E70 3F8C 75B8 8FFB DB9B 8C1C
Philip M. Gollucci (pgollucci@p6m7g8.com) c: 703.336.9354
Member, Apache Software Foundation
Committer, FreeBSD Foundation
Consultant, P6M7G8 Inc.
Director Operations, Ridecharge Inc.

Work like you don't need the money,
love like you'll never get hurt,
and dance like nobody's watching.
From owner-freebsd-apache@FreeBSD.ORG Wed Feb 1 03:17:38 2012
Message-ID: <4F28AECF.4060109@taximagic.com>
Date: Tue, 31 Jan 2012 22:17:35 -0500
From: "Philip M. Gollucci"
Organization: RideCharge Inc.
To: Jason Helfman
References: <201202010011.q110Btm0002906@freefall.freebsd.org> <4F28A12D.2080504@p6m7g8.com>
Cc: FreeBSD-gnats-submit@freebsd.org, apache@freebsd.org
Subject: Re: www/apache22: update to 2.2.22 (addresses multiple CVE reports)

On 1/31/12 10:15 PM, Jason Helfman wrote:
>
> On Tue, Jan 31, 2012 at 6:19 PM, Philip M. Gollucci wrote:
>
> > Do not change this file. You're reverting a local change we've
> > pulled from trunk svn for security.
> >
> > Please commit the rest of the patch with my review / hat.
> >
> -+#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:__MEDIUM:!aNULL:!MD5 > -+#SSLHonorCipherOrder on > - > - # Server Certificate: > - # Point SSLCertificateFile at a PEM encoded certificate. If > -@@ -218,14 +236,14 @@ > - # Similarly, one has to force some clients to use HTTP/1.0 > to workaround > - # their broken HTTP/1.1 implementation. Use variables > "downgrade-1.0" and > - # "force-response-1.0" for this. > --BrowserMatch ".*MSIE.*" \ > -+BrowserMatch "MSIE [2-5]" \ > - nokeepalive ssl-unclean-shutdown \ > - downgrade-1.0 force-response-1.0 > - > +@@ -243,7 +243,7 @@ > # Per-Server Logging: > # The home of a custom SSL log file. Use this when you want a > # compact non-error SSL logfile on a virtual host basis. > -CustomLog "@exp_logfiledir@/ssl_request___log" \ > -+CustomLog "@exp_logfiledir@/httpd-ssl___request.log" \ > ++CustomLog "@exp_logfiledir@/httpd-ssl___request_log" \ > "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" > > > _________________________________________________ > freebsd-apache@freebsd.org > mailing list > http://lists.freebsd.org/__mailman/listinfo/freebsd-__apache > > To unsubscribe, send any mail to > "freebsd-apache-unsubscribe@__freebsd.org > " > > > > -- > ------------------------------__------------------------------__------------ > 1024D/DB9B8C1C B90B FBC3 A3A1 C71A 8E70 3F8C 75B8 8FFB DB9B 8C1C > Philip M. Gollucci (pgollucci@p6m7g8.com > ) c: 703.336.9354 > Member, Apache Software Foundation > Committer, FreeBSD Foundation > Consultant, P6M7G8 Inc. > Director Operations, Ridecharge Inc. > > Work like you don't need the money, > love like you'll never get hurt, > and dance like nobody's watching. > > > I will be glad to do that, however it didn't patch cleanly. The > additions were in the downloaded source, unless I am mistaken. > Can you please verify? I'm wiped tonight. I'll peek Wednesday am. ping me if you don't hear from me tomorrow. 
> -jgh From owner-freebsd-apache@FreeBSD.ORG Wed Feb 1 03:42:05 2012 Return-Path: Delivered-To: apache@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0059D106566C; Wed, 1 Feb 2012 03:42:04 +0000 (UTC) (envelope-from bsd-src@helfman.org) Received: from mail-vw0-f54.google.com (mail-vw0-f54.google.com [209.85.212.54]) by mx1.freebsd.org (Postfix) with ESMTP id 921248FC08; Wed, 1 Feb 2012 03:42:04 +0000 (UTC) Received: by vbbfa15 with SMTP id fa15so915529vbb.13 for ; Tue, 31 Jan 2012 19:42:03 -0800 (PST) MIME-Version: 1.0 Received: by 10.52.29.75 with SMTP id i11mr11913342vdh.23.1328066144033; Tue, 31 Jan 2012 19:15:44 -0800 (PST) Sender: bsd-src@helfman.org Received: by 10.220.231.134 with HTTP; Tue, 31 Jan 2012 19:15:43 -0800 (PST) In-Reply-To: <4F28A12D.2080504@p6m7g8.com> References: <201202010011.q110Btm0002906@freefall.freebsd.org> <4F28A12D.2080504@p6m7g8.com> Date: Tue, 31 Jan 2012 19:15:43 -0800 X-Google-Sender-Auth: 0oULl4MH7m53-j8yZxeHGhzRUtI Message-ID: 
From: Jason Helfman To: "Philip M. Gollucci" Content-Type: text/plain; charset=ISO-8859-1 X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: FreeBSD-gnats-submit@freebsd.org, apache@freebsd.org Subject: Re: www/apache22: update to 2.2.22 (addresses multiple CVE reports) X-BeenThere: freebsd-apache@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Support of apache-related ports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 01 Feb 2012 03:42:05 -0000 On Tue, Jan 31, 2012 at 6:19 PM, Philip M. Gollucci wrote: > Do not change this file. You're reverting a local change we've pulled > from trunk svn for security. > > Please commit the rest of the patch with my review / hat. > > > > ==============================**==============================**======= >> RCS file: /home/pcvs/ports/www/apache22/**files/patch-docs__conf__extra_* >> *_httpd-ssl.conf.in ,v >> retrieving revision 1.3 >> diff -u -r1.3 patch-docs__conf__extra__**httpd-ssl.conf.in >> --- files/patch-docs__conf__extra_**_httpd-ssl.conf.in 23 Jan 2012 23:24:38 -0000 1.3 >> +++ files/patch-docs__conf__extra_**_httpd-ssl.conf.in 1 Feb 2012 00:05:53 -0000 
>> @@ -1,58 +1,22 @@ >> ---- ./docs/conf/extra/httpd-ssl.**conf.in.orig 2008-02-04 >> 23:00:07.000000000 +0000 >> -+++ ./docs/conf/extra/httpd-ssl.**conf.in >> 2012-01-23 23:20:06.446390870 +0000 >> -@@ -77,17 +77,35 @@ >> +--- ./docs/conf/extra/httpd-ssl.**conf.in.orig 2012-01-31 15:16:43.000000000 >> -0800 >> ++++ ./docs/conf/extra/httpd-ssl.**conf.in >> 2012-01-31 15:17:47.000000000 -0800 >> +@@ -77,8 +77,8 @@ >> DocumentRoot "@exp_htdocsdir@" >> ServerName www.example.com:@@SSLPort@@ >> ServerAdmin you@example.com >> -ErrorLog "@exp_logfiledir@/error_log" >> -TransferLog "@exp_logfiledir@/access_log" >> -+ErrorLog "@exp_logfiledir@/httpd-error.**log" >> -+TransferLog "@exp_logfiledir@/httpd-**access.log" >> ++ErrorLog "@exp_logfiledir@/httpd-error_**log" >> ++TransferLog "@exp_logfiledir@/httpd-**access_log" >> >> # SSL Engine Switch: >> # Enable/Disable SSL for this virtual host. >> - SSLEngine on >> - >> -+# SSL Protocol support: >> -+# List the protocol versions which clients are allowed to >> -+# connect with. Disable SSLv2 by default (cf. RFC 6176). >> -+SSLProtocol all -SSLv2 >> -+ >> - # SSL Cipher Suite: >> - # List the ciphers that the client is permitted to negotiate. >> - # See the mod_ssl documentation for a complete list. >> --SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+** >> HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:**+eNULL >> -+SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 >> -+ >> -+# Speed-optimized SSL Cipher configuration: >> -+# If speed is your main concern (on busy HTTPS servers e.g.), >> -+# you might want to force clients to specific, performance >> -+# optimized ciphers. In this case, prepend those ciphers >> -+# to the SSLCipherSuite list, and enable SSLHonorCipherOrder. >> -+# Caveat: by giving precedence to RC4-SHA and AES128-SHA >> -+# (as in the example below), most connections will no longer >> -+# have perfect forward secrecy - if the server's key is >> -+# compromised, captures of past or future traffic must be >> -+# considered compromised, too. 
>> -+#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:**MEDIUM:!aNULL:!MD5 >> -+#SSLHonorCipherOrder on >> - >> - # Server Certificate: >> - # Point SSLCertificateFile at a PEM encoded certificate. If >> -@@ -218,14 +236,14 @@ >> - # Similarly, one has to force some clients to use HTTP/1.0 to >> workaround >> - # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" >> and >> - # "force-response-1.0" for this. >> --BrowserMatch ".*MSIE.*" \ >> -+BrowserMatch "MSIE [2-5]" \ >> - nokeepalive ssl-unclean-shutdown \ >> - downgrade-1.0 force-response-1.0 >> - >> +@@ -243,7 +243,7 @@ >> # Per-Server Logging: >> # The home of a custom SSL log file. Use this when you want a >> # compact non-error SSL logfile on a virtual host basis. >> -CustomLog "@exp_logfiledir@/ssl_request_**log" \ >> -+CustomLog "@exp_logfiledir@/httpd-ssl_**request.log" \ >> ++CustomLog "@exp_logfiledir@/httpd-ssl_**request_log" \ >> "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" >> >> >> ______________________________**_________________ >> freebsd-apache@freebsd.org mailing list >> http://lists.freebsd.org/**mailman/listinfo/freebsd-**apache >> To unsubscribe, send any mail to "freebsd-apache-unsubscribe@** >> freebsd.org " >> >> > > -- > ------------------------------**------------------------------** > ------------ > 1024D/DB9B8C1C B90B FBC3 A3A1 C71A 8E70 3F8C 75B8 8FFB DB9B 8C1C > Philip M. Gollucci (pgollucci@p6m7g8.com) c: 703.336.9354 > Member, Apache Software Foundation > Committer, FreeBSD Foundation > Consultant, P6M7G8 Inc. > Director Operations, Ridecharge Inc. > > Work like you don't need the money, > love like you'll never get hurt, > and dance like nobody's watching. > > I will be glad to do that, however it didn't patch cleanly. The additions were in the downloaded source, unless I am mistaken. Can you please verify? 
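Review bot: the log-file rename carried in this hunk (httpd-error.log to httpd-error_log, httpd-access.log to httpd-access_log, httpd-ssl_request.log to httpd-ssl_request_log, in the ErrorLog/TransferLog lines and the @@ -243,7 +243,7 @@ CustomLog line) is unrelated to the 2.2.22 security update and silently changes where every existing install writes its logs; it should be dropped from this patch. Removing the SSLProtocol all -SSLv2 / SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 block from the ports patch is only correct if the 2.2.22 distfile's httpd-ssl.conf.in already contains those directives itself (which would also explain why the old @@ -77,17 +77,35 @@ hunk no longer applied cleanly); verify that by reading the extracted docs/conf/extra/httpd-ssl.conf.in rather than assuming it, since getting it wrong re-enables SSLv2 and the old ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL cipher list for new installs.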
-jgh From owner-freebsd-apache@FreeBSD.ORG Wed Feb 1 10:00:29 2012 Return-Path: Delivered-To: apache@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 8193B106567A for ; Wed, 1 Feb 2012 10:00:29 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 52B118FC1D for ; Wed, 1 Feb 2012 10:00:29 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.5/8.14.5) with ESMTP id q11A0Rcg068887 for ; Wed, 1 Feb 2012 10:00:27 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.5/8.14.5/Submit) id q11A0RVG068886; Wed, 1 Feb 2012 10:00:27 GMT (envelope-from gnats) Date: Wed, 1 Feb 2012 10:00:27 GMT Message-Id: <201202011000.q11A0RVG068886@freefall.freebsd.org> To: apache@FreeBSD.org From: Miroslav Lachman Cc: Subject: Re: ports/164675: www/apache22: update to 2.2.22 (addresses multiple CVE reports) X-BeenThere: freebsd-apache@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Miroslav Lachman List-Id: Support of apache-related ports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 01 Feb 2012 10:00:29 -0000 The following reply was made to PR ports/164675; it has been noted by GNATS. 
From: Miroslav Lachman To: bug-followup@FreeBSD.org, jgh@freebsd.org Cc: Subject: Re: ports/164675: www/apache22: update to 2.2.22 (addresses multiple CVE reports) Date: Wed, 01 Feb 2012 10:40:00 +0100
Yes, new httpd-ssl.conf.in already has changes in SSLProtocol and SSLCipherSuite, so we no longer need it in local patch.
But please, don't change the log file names
from httpd-error.log to httpd-error_log
from httpd-access.log to httpd-access_log
from httpd-ssl_request.log to httpd-ssl_request_log
-- 
Miroslav Lachman
From owner-freebsd-apache@FreeBSD.ORG Wed Feb 1 16:20:10 2012 Return-Path: Delivered-To: apache@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3E68E1065676 for ; Wed, 1 Feb 2012 16:20:10 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 2D8698FC0A for ; Wed, 1 Feb 2012 16:20:10 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.5/8.14.5) with ESMTP id q11GKAop023031 for ; Wed, 1 Feb 2012 16:20:10 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.5/8.14.5/Submit) id q11GKAb0023030; Wed, 1 Feb 2012 16:20:10 GMT (envelope-from gnats) Date: Wed, 1 Feb 2012 16:20:10 GMT Message-Id: <201202011620.q11GKAb0023030@freefall.freebsd.org> To: apache@FreeBSD.org From: Jason Helfman Cc: Subject: Re: ports/164675: www/apache22: update to 2.2.22 (addresses multiple CVE reports) X-BeenThere: freebsd-apache@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Jason Helfman List-Id: Support of apache-related ports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 01 Feb 2012 16:20:10 -0000 The following reply was made to PR ports/164675; it has been noted by GNATS. 
From: Jason Helfman To: Miroslav Lachman Cc: bug-followup@freebsd.org Subject: Re: ports/164675: www/apache22: update to 2.2.22 (addresses multiple CVE reports) Date: Wed, 1 Feb 2012 08:13:12 -0800 --bcaec531420f3cac4104b7e95b3b Content-Type: text/plain; charset=ISO-8859-1 2012/2/1 Miroslav Lachman > Yes, new httpd-ssl.conf.in already has changes in SSLProtocol and > SSLCipherSuite, so we no longer need it in local patch. > > But please, don't change the log file names > from httpd-error.log to httpd-error_log > from httpd-access.log to httpd-access_log > from httpd-ssl_request.log to httpd-ssl_request_log > > -- > Miroslav Lachman > > Doh! I can see that now. Thanks, I will update patch, confirm with apache@ and get this committed soon. --bcaec531420f3cac4104b7e95b3b Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable
--bcaec531420f3cac4104b7e95b3b-- From owner-freebsd-apache@FreeBSD.ORG Wed Feb 1 17:40:07 2012 Return-Path: Delivered-To: apache@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3DC91106566C for ; Wed, 1 Feb 2012 17:40:07 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 265498FC16 for ; Wed, 1 Feb 2012 17:40:07 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.5/8.14.5) with ESMTP id q11He7qZ097301 for ; Wed, 1 Feb 2012 17:40:07 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.5/8.14.5/Submit) id q11He7IW097300; Wed, 1 Feb 2012 17:40:07 GMT (envelope-from gnats) Date: Wed, 1 Feb 2012 17:40:07 GMT Message-Id: <201202011740.q11He7IW097300@freefall.freebsd.org> To: apache@FreeBSD.org From: Jason Helfman Cc: Subject: Re: ports/164675 X-BeenThere: freebsd-apache@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Jason Helfman List-Id: Support of apache-related ports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 01 Feb 2012 17:40:07 -0000 The following reply was made to PR ports/164675; it has been noted by GNATS. 
From: Jason Helfman To: Miroslav Lachman Cc: bug-followup@FreeBSD.org Subject: Re: ports/164675 Date: Wed, 1 Feb 2012 09:30:57 -0800 --wac7ysb48OaltWcw Content-Type: text/plain; charset=us-ascii; format=flowed Content-Disposition: inline On Wed, Feb 01, 2012 at 10:40:00AM +0100, Miroslav Lachman thus spake: >Yes, new httpd-ssl.conf.in already has changes in SSLProtocol and >SSLCipherSuite, so we no longer need it in local patch. > >But please, don't change the log file names >from httpd-error.log to httpd-error_log >from httpd-access.log to httpd-access_log >from httpd-ssl_request.log to httpd-ssl_request_log > >-- >Miroslav Lachman > Attached is the updated patch. -jgh -- Jason Helfman | FreeBSD Committer jgh@FreeBSD.org | http://people.freebsd.org/~jgh --wac7ysb48OaltWcw Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="patch.txt" Index: Makefile =================================================================== RCS file: /home/pcvs/ports/www/apache22/Makefile,v retrieving revision 1.294 diff -u -r1.294 Makefile --- Makefile 23 Sep 2011 22:25:53 -0000 1.294 +++ Makefile 1 Feb 2012 17:30:19 -0000 @@ -8,7 +8,7 @@ # PORTNAME= apache -PORTVERSION= 2.2.21 +PORTVERSION= 2.2.22 #PORTREVISION= 1 CATEGORIES= www MASTER_SITES= ${MASTER_SITE_APACHE_HTTPD} Index: Makefile.doc =================================================================== RCS file: /home/pcvs/ports/www/apache22/Makefile.doc,v retrieving revision 1.15 diff -u -r1.15 Makefile.doc --- Makefile.doc 31 Mar 2011 17:00:36 -0000 1.15 +++ Makefile.doc 1 Feb 2012 17:30:19 -0000 
@@ -102,7 +102,7 @@ MAKE_ENV+= NOPORTDOCS=yes .endif -MAN1= dbmmanage.1 htdigest.1 htpasswd.1 htdbm.1 -MAN8= ab.8 apachectl.8 apxs.8 httpd.8 logresolve.8 rotatelogs.8 suexec.8 htcacheclean.8 +MAN1= ab.1 apxs.1 dbmmanage.1 htdbm.1 htdigest.1 htpasswd.1 httxt2dbm.1 logresolve.1 +MAN8= apachectl.8 htcacheclean.8 httpd.8 rotatelogs.8 suexec.8 PORTDOCS= * #don't blame me ;-) Index: distinfo =================================================================== RCS file: /home/pcvs/ports/www/apache22/distinfo,v retrieving revision 1.86 diff -u -r1.86 distinfo --- distinfo 15 Sep 2011 05:00:28 -0000 1.86 +++ distinfo 1 Feb 2012 17:30:19 -0000 @@ -1,2 +1,2 @@ -SHA256 (apache22/httpd-2.2.21.tar.bz2) = 18d5591fe48cfbac44fc20316036ffe17456df60bc3a2aaad238d56c6445577f -SIZE (apache22/httpd-2.2.21.tar.bz2) = 5324905 +SHA256 (apache22/httpd-2.2.22.tar.bz2) = dcdc9f1dc722f84798caf69d69dca78daa5e09a4269060045aeca7e4f44cb231 +SIZE (apache22/httpd-2.2.22.tar.bz2) = 5378934 Index: files/patch-Makefile.in =================================================================== RCS file: /home/pcvs/ports/www/apache22/files/patch-Makefile.in,v retrieving revision 1.25 diff -u -r1.25 patch-Makefile.in --- files/patch-Makefile.in 7 May 2010 03:15:44 -0000 1.25 +++ files/patch-Makefile.in 1 Feb 2012 17:30:19 -0000 
@@ -96,10 +96,10 @@ @test -d $(DESTDIR)$(manualdir) || $(MKINSTALLDIRS) $(DESTDIR)$(manualdir) - @cp -p $(top_srcdir)/docs/man/*.1 $(DESTDIR)$(mandir)/man1 - @cp -p $(top_srcdir)/docs/man/*.8 $(DESTDIR)$(mandir)/man8 -+ for i in dbmmanage htdbm htdigest htpasswd; do \ ++ for i in ab apxs dbmmanage htdbm htdigest htpasswd httxt2dbm logresolve; do \ + ${INSTALL_MAN} $(top_srcdir)/docs/man/$$i.1 $(DESTDIR)$(mandir)/man1; \ + done -+ for i in ab apachectl apxs htcacheclean httpd logresolve rotatelogs suexec; do \ ++ for i in apachectl htcacheclean httpd rotatelogs suexec; do \ + ${INSTALL_MAN} $(top_srcdir)/docs/man/$$i.8 $(DESTDIR)$(mandir)/man8; \ + done +.if !defined(NOPORTDOCS) Index: files/patch-docs__conf__extra__httpd-ssl.conf.in =================================================================== RCS file: /home/pcvs/ports/www/apache22/files/patch-docs__conf__extra__httpd-ssl.conf.in,v retrieving revision 1.3 diff -u -r1.3 patch-docs__conf__extra__httpd-ssl.conf.in --- files/patch-docs__conf__extra__httpd-ssl.conf.in 23 Jan 2012 23:24:38 -0000 1.3 +++ files/patch-docs__conf__extra__httpd-ssl.conf.in 1 Feb 2012 17:30:19 -0000 @@ -1,6 +1,6 @@ ---- ./docs/conf/extra/httpd-ssl.conf.in.orig 2008-02-04 23:00:07.000000000 +0000 -+++ ./docs/conf/extra/httpd-ssl.conf.in 2012-01-23 23:20:06.446390870 +0000 -@@ -77,17 +77,35 @@ +--- ./docs/conf/extra/httpd-ssl.conf.in.orig 2012-02-01 08:25:55.000000000 -0800 ++++ ./docs/conf/extra/httpd-ssl.conf.in 2012-02-01 08:27:23.000000000 -0800 +@@ -77,8 +77,8 @@ DocumentRoot "@exp_htdocsdir@" ServerName www.example.com:@@SSLPort@@ ServerAdmin you@example.com 
@@ -11,43 +11,7 @@ # SSL Engine Switch: # Enable/Disable SSL for this virtual host. - SSLEngine on - -+# SSL Protocol support: -+# List the protocol versions which clients are allowed to -+# connect with. Disable SSLv2 by default (cf. RFC 6176). -+SSLProtocol all -SSLv2 -+ - # SSL Cipher Suite: - # List the ciphers that the client is permitted to negotiate. - # See the mod_ssl documentation for a complete list. --SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL -+SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 -+ -+# Speed-optimized SSL Cipher configuration: -+# If speed is your main concern (on busy HTTPS servers e.g.), -+# you might want to force clients to specific, performance -+# optimized ciphers. In this case, prepend those ciphers -+# to the SSLCipherSuite list, and enable SSLHonorCipherOrder. -+# Caveat: by giving precedence to RC4-SHA and AES128-SHA -+# (as in the example below), most connections will no longer -+# have perfect forward secrecy - if the server's key is -+# compromised, captures of past or future traffic must be -+# considered compromised, too. -+#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5 -+#SSLHonorCipherOrder on - - # Server Certificate: - # Point SSLCertificateFile at a PEM encoded certificate. If -@@ -218,14 +236,14 @@ - # Similarly, one has to force some clients to use HTTP/1.0 to workaround - # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and - # "force-response-1.0" for this. --BrowserMatch ".*MSIE.*" \ -+BrowserMatch "MSIE [2-5]" \ - nokeepalive ssl-unclean-shutdown \ - downgrade-1.0 force-response-1.0 - +@@ -243,7 +243,7 @@ # Per-Server Logging: # The home of a custom SSL log file. Use this when you want a # compact non-error SSL logfile on a virtual host basis. 
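Review bot: the distinfo hunk is the port's only supply-chain check on httpd-2.2.22.tar.bz2, so the new SHA256 and SIZE should be generated with make makesum from a tarball whose upstream PGP signature was verified first, not copied from a web page; saying in the commit log that the signature was checked makes that auditable later.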
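Review bot: the two install loops in the patch-Makefile.in hunk and the MAN1/MAN8 lists in the Makefile.doc hunk must stay in step, and they do here (ab, apxs and logresolve move from section 8 to section 1, httxt2dbm.1 is new, and the same eight .1 and five .8 names appear in both files); since the installed manpage set changes, compare the installed files against pkg-plist with and without NOPORTDOCS so stale ab.8, apxs.8 and logresolve.8 entries do not remain.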
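Review bot: dropping the SSLProtocol all -SSLv2 and SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 block in the @@ -11,43 +11,7 @@ hunk of patch-docs__conf__extra__httpd-ssl.conf.in is only safe because the 2.2.22 httpd-ssl.conf.in carries those directives itself, as Miroslav confirmed above; still grep the extracted docs/conf/extra/httpd-ssl.conf.in for SSLProtocol before committing, because a regression here re-enables SSLv2 and the old ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL list for every new install. This revision correctly leaves the httpd-error.log, httpd-access.log and httpd-ssl_request.log names untouched.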
--wac7ysb48OaltWcw-- From owner-freebsd-apache@FreeBSD.ORG Wed Feb 1 17:59:54 2012 Return-Path: Delivered-To: apache@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0CB15106566B; Wed, 1 Feb 2012 17:59:54 +0000 (UTC) (envelope-from bsd-src@helfman.org) Received: from mail-pz0-f44.google.com (mail-pz0-f44.google.com [209.85.210.44]) by mx1.freebsd.org (Postfix) with ESMTP id C7F248FC0C; Wed, 1 Feb 2012 17:59:53 +0000 (UTC) Received: by dakl33 with SMTP id l33so2216437dak.17 for ; Wed, 01 Feb 2012 09:59:53 -0800 (PST) Received: by 10.68.189.65 with SMTP id gg1mr61091198pbc.66.1328119193293; Wed, 01 Feb 2012 09:59:53 -0800 (PST) Received: from dormouse.experts-exchange.com ([72.29.164.238]) by mx.google.com with ESMTPS id c5sm64850255pbq.13.2012.02.01.09.59.52 (version=TLSv1/SSLv3 cipher=OTHER); Wed, 01 Feb 2012 09:59:52 -0800 (PST) Sender: Jason Helfman Date: Wed, 1 Feb 2012 09:58:58 -0800 
From: Jason Helfman To: rene@freebsd.org Message-ID: <20120201175858.GB46116@dormouse.experts-exchange.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="aVD9QWMuhilNxW9f" Content-Disposition: inline X-Operating-System: FreeBSD 8.2-RELEASE amd64 Organization: The FreeBSD Project, http://www.freebsd.org X-Living-The-Dream: I love the SLO Life! X-PGP-FingerPrint: 8E0D C457 9A0F C91C 23F3 0454 2059 9A63 4150 D3DC X-PGP-Key: http://people.freebsd.org/~jgh/jgh.asc User-Agent: Mutt/1.5.21 (2010-09-15) Cc: crees@freebsd.org, apache@freebsd.org Subject: documentation for apache vulnerability, over for approval X-BeenThere: freebsd-apache@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Support of apache-related ports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 01 Feb 2012 17:59:54 -0000 --aVD9QWMuhilNxW9f Content-Type: multipart/mixed; boundary="k1lZvvs/B4yU6o8G" Content-Disposition: inline --k1lZvvs/B4yU6o8G Content-Type: text/plain; charset=us-ascii; format=flowed Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Over for approval. -jgh Thanks, Jason -- Jason Helfman | FreeBSD Committer jgh@FreeBSD.org | http://people.freebsd.org/~jgh --k1lZvvs/B4yU6o8G Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="vuln.xml.patch.txt" Content-Transfer-Encoding: quoted-printable ? vuln.xml.patch.txt ? files/test Index: vuln.xml =================================================================== RCS file: /home/pcvs/ports/security/vuxml/vuln.xml,v retrieving revision 1.2585 diff -u -r1.2585 vuln.xml --- vuln.xml 31 Jan 2012 13:34:00 -0000 1.2585 +++ vuln.xml 1 Feb 2012 00:53:25 -0000 
@@ -46,6 +46,60 @@ Note: Please add new entries to the beginning of this file. =20 --> + + apache -- multiple vulnerabilities + + + apache + 2.*2.2.21 + + + + +

CVE Mitre reports:

+
+

Integer overflow in the ap_pregsub function in server/util.c in the + Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, whe= n the + mod_setenvif module is enabled, allows local users to gain privileges= via a + .htaccess file with a crafted SetEnvIf directive, in conjunction with= a + crafted HTTP request header, leading to a heap-based buffer overflow.=

+

A flaw was found in mod_log_config. If the '%{cookiename}C' log form= at + string is in use, a remote attacker could send a specific cookie caus= ing a + crash. This crash would only be a denial of service if using a thread= ed + MPM.

+

A flaw was found in the handling of the scoreboard. An unprivileged + child process could cause the parent process to crash at shutdown rat= her + than terminate cleanly.

+

An additional exposure was found when using mod_proxy in reverse pro= xy + mode. In certain configurations using RewriteRule with proxy flag or + ProxyPassMatch, a remote attacker could cause the reverse proxy to co= nnect + to an arbitrary server, possibly disclosing sensitive information from + internal web servers not directly accessible to attacker.

+

A flaw was found in the default error response for status code 400. = This + flaw could be used by an attacker to expose "httpOnly" cookies when no + custom ErrorDocument is specified.

+

An exposure was found when using mod_proxy in reverse proxy mode. In + certain configurations using RewriteRule with proxy flag or ProxyPass= Match, + a remote attacker could cause the reverse proxy to connect to an arbi= trary + server, possibly disclosing sensitive information from internal web s= ervers + not directly accessible to attacker.

+
+ +
+ + CVE-2011-3607 + CVE-2012-0021 + CVE-2012-0031 + CVE-2011-4317 + CVE-2012-0053 + CVE-2011-3368 + + + 2011-10-05 + 2012-01-31 + +
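Review bot: the two mod_proxy paragraphs in this entry's body (the one beginning "An additional exposure was found when using mod_proxy in reverse proxy mode" and the one beginning "An exposure was found when using mod_proxy in reverse proxy mode", both about RewriteRule with the proxy flag or ProxyPassMatch) read as duplicates, and the six CVE references that follow are in no particular order, so a reader cannot tell which paragraph documents which CVE; prefix each paragraph with its CVE number (or merge the two proxy paragraphs and list both CVE names with it) and sort the references. Note also that the affected range from 2.* up to 2.2.21 covers the 2.0.x line the ap_pregsub paragraph mentions (2.0.x through 2.0.64), so www/apache20 installs will be flagged as well; if that is intended, a sentence saying no fixed 2.0 release exists would help users of that port.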
+ sudo -- format string vulnerability --k1lZvvs/B4yU6o8G-- --aVD9QWMuhilNxW9f Content-Type: application/pgp-signature --aVD9QWMuhilNxW9f-- From owner-freebsd-apache@FreeBSD.ORG Wed Feb 1 18:57:36 2012 Return-Path: Delivered-To: apache@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id CDC29106564A; Wed, 1 Feb 2012 18:57:36 +0000 (UTC) (envelope-from jgh@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id A40F18FC13; Wed, 1 Feb 2012 18:57:36 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.5/8.14.5) with ESMTP id q11Ivaax068657; Wed, 1 Feb 2012 18:57:36 GMT (envelope-from jgh@freefall.freebsd.org) Received: (from jgh@localhost) by freefall.freebsd.org (8.14.5/8.14.5/Submit) id q11IvaU9068653; Wed, 1 Feb 2012 18:57:36 GMT (envelope-from jgh) Date: Wed, 1 Feb 2012 18:57:36 GMT Message-Id: <201202011857.q11IvaU9068653@freefall.freebsd.org> To: apache@freebsd.org, jgh@freebsd.org, jgh@FreeBSD.org, apache@FreeBSD.org 
From: jgh@FreeBSD.org Cc: Subject: Re: ports/164675: www/apache22: update to 2.2.22 (addresses multiple CVE reports) X-BeenThere: freebsd-apache@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Support of apache-related ports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 01 Feb 2012 18:57:36 -0000 Synopsis: www/apache22: update to 2.2.22 (addresses multiple CVE reports) State-Changed-From-To: open->closed State-Changed-By: jgh State-Changed-When: Wed Feb 1 18:57:36 UTC 2012 State-Changed-Why: Committed. Thanks! http://www.freebsd.org/cgi/query-pr.cgi?pr=164675 From owner-freebsd-apache@FreeBSD.ORG Wed Feb 1 18:57:36 2012 Return-Path: Delivered-To: apache@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id CDC29106564A; Wed, 1 Feb 2012 18:57:36 +0000 (UTC) (envelope-from jgh@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id A40F18FC13; Wed, 1 Feb 2012 18:57:36 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.5/8.14.5) with ESMTP id q11Ivaax068657; Wed, 1 Feb 2012 18:57:36 GMT (envelope-from jgh@freefall.freebsd.org) Received: (from jgh@localhost) by freefall.freebsd.org (8.14.5/8.14.5/Submit) id q11IvaU9068653; Wed, 1 Feb 2012 18:57:36 GMT (envelope-from jgh) Date: Wed, 1 Feb 2012 18:57:36 GMT Message-Id: <201202011857.q11IvaU9068653@freefall.freebsd.org> To: apache@freebsd.org, jgh@freebsd.org, jgh@FreeBSD.org, apache@FreeBSD.org 
From owner-freebsd-apache@FreeBSD.ORG Wed Feb 1 19:00:24 2012
Date: Wed, 1 Feb 2012 19:00:24 GMT
To: apache@FreeBSD.org
From: dfilter@FreeBSD.ORG (dfilter service)
Subject: Re: ports/164675: commit references a PR

The following reply was made to PR ports/164675; it has been noted by GNATS.
From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Subject: Re: ports/164675: commit references a PR
Date: Wed, 1 Feb 2012 18:56:20 +0000 (UTC)

 jgh         2012-02-01 18:56:08 UTC

   FreeBSD ports repository

   Modified files:
     www/apache22         Makefile Makefile.doc distinfo
     www/apache22/files   patch-Makefile.in
                          patch-docs__conf__extra__httpd-ssl.conf.in
   Log:
   - Update to 2.2.22

   Addresses:

   * SECURITY: CVE-2011-3607 (cve.mitre.org)
     Integer overflow in the ap_pregsub function in server/util.c in the
     Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when
     the mod_setenvif module is enabled, allows local users to gain
     privileges via a .htaccess file with a crafted SetEnvIf directive, in
     conjunction with a crafted HTTP request header, leading to a heap-based
     buffer overflow.

   * SECURITY: CVE-2012-0021 (cve.mitre.org)
     The log_cookie function in mod_log_config.c in the mod_log_config module
     in the Apache HTTP Server 2.2.17 through 2.2.21, when a threaded MPM is
     used, does not properly handle a %{}C format string, which allows remote
     attackers to cause a denial of service (daemon crash) via a cookie that
     lacks both a name and a value.

   * SECURITY: CVE-2012-0031 (cve.mitre.org)
     scoreboard.c in the Apache HTTP Server 2.2.21 and earlier might allow
     local users to cause a denial of service (daemon crash during shutdown)
     or possibly have unspecified other impact by modifying a certain type
     field within a scoreboard shared memory segment, leading to an invalid
     call to the free function.

   * SECURITY: CVE-2011-4317 (cve.mitre.org)
     The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42,
     2.0.x through 2.0.64, and 2.2.x through 2.2.21, when the Revision 1179239
     patch is in place, does not properly interact with use of (1) RewriteRule
     and (2) ProxyPassMatch pattern matches for configuration of a reverse
     proxy, which allows remote attackers to send requests to intranet servers
     via a malformed URI containing an @ (at sign) character and a : (colon)
     character in invalid positions. NOTE: this vulnerability exists because
     of an incomplete fix for CVE-2011-3368.

   * SECURITY: CVE-2012-0053 (cve.mitre.org)
     protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not
     properly restrict header information during construction of Bad Request
     (aka 400) error documents, which allows remote attackers to obtain the
     values of HTTPOnly cookies via vectors involving a (1) long or (2)
     malformed header in conjunction with crafted web script.

   * SECURITY: CVE-2011-3368 (cve.mitre.org)
     The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42,
     2.0.x through 2.0.64, and 2.2.x through 2.2.21 does not properly interact
     with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for
     configuration of a reverse proxy, which allows remote attackers to send
     requests to intranet servers via a malformed URI containing an initial @
     (at sign) character.
   PR:             ports/164675
   Reviewed by:    pgollucci
   Approved by:    pgollucci, crees, rene (mentors, implicit)
   With Hat:       apache@

   Revision  Changes    Path
   1.295     +1 -1      ports/www/apache22/Makefile
   1.16      +3 -3      ports/www/apache22/Makefile.doc
   1.87      +2 -2      ports/www/apache22/distinfo
   1.26      +2 -2      ports/www/apache22/files/patch-Makefile.in
   1.4       +4 -40     ports/www/apache22/files/patch-docs__conf__extra__httpd-ssl.conf.in
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"

From owner-freebsd-apache@FreeBSD.ORG Wed Feb 1 20:46:10 2012
From: Chris Rees
Date: Wed, 1 Feb 2012 20:14:24 +0000
To: Jason Helfman, apache@freebsd.org
Cc: rene@freebsd.org
Subject: Re: documentation for apache vulnerability, over for approval

On 1 February 2012 19:56, Jason Helfman wrote:
> On Wed, Feb 01, 2012 at 07:35:41PM +0000, Chris Rees thus spake:
>
>> Hm, did you use make newentry? The vulnerability appears before the
>> tag ;)
>>
>> Chris
>>
>> On 1 February 2012 17:58, Jason Helfman wrote:
>>>
>>> Over for approval.
>>>
>>> -jgh
>>>
>>> Thanks,
>>> Jason
>>>
>>> --
>>> Jason Helfman | FreeBSD Committer
>>> jgh@FreeBSD.org | http://people.freebsd.org/~jgh
>>
>>
> gotcha. here is an updated patch.
> -jgh

Fine by me, as long as it builds and matches the right ports (and
-apache@ are OK with it)

http://www.freebsd.org/doc/en/books/porters-handbook/security-notify.html#SECURITY-NOTIFY-VUXML-TESTING

Chris

From owner-freebsd-apache@FreeBSD.ORG Wed Feb 1 20:55:29 2012
Date: Wed, 01 Feb 2012 20:55:23 +0000
From: "Philip M. Gollucci"
Organization: P6M7G8 Inc.
To: Chris Rees
Cc: rene@freebsd.org, apache@freebsd.org
Subject: Re: documentation for apache vulnerability, over for approval

On 02/01/12 20:14, Chris Rees wrote:
> Fine by me, as long as it builds and matches the right ports (and
> -apache@ are OK with it)

The approval you're looking for is from secteam@.

apache's approval should be implicit by approving the update to the
port itself.

--
------------------------------------------------------------------------
1024D/DB9B8C1C B90B FBC3 A3A1 C71A 8E70 3F8C 75B8 8FFB DB9B 8C1C
Philip M. Gollucci (pgollucci@p6m7g8.com) c: 703.336.9354
Member,                           Apache Software Foundation
Committer,                        FreeBSD Foundation
Consultant,                       P6M7G8 Inc.
Director Operations,              Ridecharge Inc.

Work like you don't need the money,
love like you'll never get hurt,
and dance like nobody's watching.

From owner-freebsd-apache@FreeBSD.ORG Wed Feb 1 21:22:02 2012
Date: Wed, 1 Feb 2012 13:21:05 -0800
From: Jason Helfman
To: Chris Rees
Cc: rene@freebsd.org, apache@freebsd.org, secteam@freebsd.org
Subject: Re: documentation for apache vulnerability, over for approval

On Wed, Feb 01, 2012 at 08:14:24PM +0000, Chris Rees thus spake:
>On 1 February 2012 19:56, Jason Helfman wrote:
>> On Wed, Feb 01, 2012 at 07:35:41PM +0000, Chris Rees thus spake:
>>
>>> Hm, did you use make newentry? The vulnerability appears before the
>>> tag ;)
>>>
>>> Chris
>>>
>>> On 1 February 2012 17:58, Jason Helfman wrote:
>>>>
>>>> Over for approval.
>>>>
>>>> -jgh
>>>>
>>>> Thanks,
>>>> Jason
>>>>
>>>> --
>>>> Jason Helfman | FreeBSD Committer
>>>> jgh@FreeBSD.org | http://people.freebsd.org/~jgh
>>>
>>>
>> gotcha. here is an updated patch.
>> -jgh
>
>Fine by me, as long as it builds and matches the right ports (and
>-apache@ are OK with it)
>
>http://www.freebsd.org/doc/en/books/porters-handbook/security-notify.html#SECURITY-NOTIFY-VUXML-TESTING
>
>Chris
>

Attached is updated patch, and was able to fully verify per the url above.

Range was off => lt 2.2.22

[jhelfman@dormouse /usr/ports/security/vuxml]$ portaudit apache-2.2.21
Affected package: apache-2.2.21
Type of problem: apache -- multiple vulnerabilities.
Reference: http://www.freebsd.org/ports/portaudit/4b7dbfab-4c6b-11e1-bc16-0023ae8e59f0.html

1 problem(s) found.

[jhelfman@dormouse ~/workspace/ports/security]$ sudo portaudit -f /usr/ports/INDEX-8 -r 4b7dbfab-4c6b-11e1-bc16-0023ae8e59f0
Affected package: apache-2.0.64_2
Type of problem: apache -- multiple vulnerabilities.
Reference: http://www.freebsd.org/ports/portaudit/4b7dbfab-4c6b-11e1-bc16-0023ae8e59f0.html

Affected package: apache-2.2.21
Type of problem: apache -- multiple vulnerabilities.
Reference: http://www.freebsd.org/ports/portaudit/4b7dbfab-4c6b-11e1-bc16-0023ae8e59f0.html

-jgh

--
Jason Helfman | FreeBSD Committer
jgh@FreeBSD.org | http://people.freebsd.org/~jgh

[Attachment: patch.txt]

Index: vuln.xml =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/pcvs/ports/security/vuxml/vuln.xml,v retrieving revision 1.2586 diff -u -r1.2586 vuln.xml --- vuln.xml 1 Feb 2012 09:46:07 -0000 1.2586 +++ vuln.xml 1 Feb 2012 21:19:16 -0000 @@ -47,6 +47,60 @@ =20 --> + + apache -- multiple vulnerabilities + + + apache + 2.*2.2.22 + + + + +

CVE Mitre reports:

+
+

Integer overflow in the ap_pregsub function in server/util.c in the + Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, whe= n the + mod_setenvif module is enabled, allows local users to gain privileges= via a + .htaccess file with a crafted SetEnvIf directive, in conjunction with= a + crafted HTTP request header, leading to a heap-based buffer overflow.=

+

A flaw was found in mod_log_config. If the '%{cookiename}C' log form= at + string is in use, a remote attacker could send a specific cookie caus= ing a + crash. This crash would only be a denial of service if using a thread= ed + MPM.

+

A flaw was found in the handling of the scoreboard. An unprivileged + child process could cause the parent process to crash at shutdown rat= her + than terminate cleanly.

+

An additional exposure was found when using mod_proxy in reverse pro= xy + mode. In certain configurations using RewriteRule with proxy flag or + ProxyPassMatch, a remote attacker could cause the reverse proxy to co= nnect + to an arbitrary server, possibly disclosing sensitive information from + internal web servers not directly accessible to attacker.

+

A flaw was found in the default error response for status code 400. = This + flaw could be used by an attacker to expose "httpOnly" cookies when no + custom ErrorDocument is specified.

+

An exposure was found when using mod_proxy in reverse proxy mode. In + certain configurations using RewriteRule with proxy flag or ProxyPass= Match, + a remote attacker could cause the reverse proxy to connect to an arbi= trary + server, possibly disclosing sensitive information from internal web s= ervers + not directly accessible to attacker.

+
+ +
+ + CVE-2011-3607 + CVE-2012-0021 + CVE-2012-0031 + CVE-2011-4317 + CVE-2012-0053 + CVE-2011-3368 + + + 2011-10-05 + 2012-01-31 + +
+ mozilla -- multiple vulnerabilities

From owner-freebsd-apache@FreeBSD.ORG Wed Feb 1 23:50:25 2012
From: edwin@FreeBSD.org
To: edwin@FreeBSD.org, freebsd-ports-bugs@FreeBSD.org, apache@FreeBSD.org
Date: Wed, 1 Feb 2012 23:50:25 GMT
Subject: Re: ports/164698: [patch] www/apache22: remove custom user creation in favor of USERS framework
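Review bot: the cvename references in the new entry are not in ascending year/number order (CVE-2011-3607, CVE-2012-0021, CVE-2012-0031, CVE-2011-4317, CVE-2012-0053, CVE-2011-3368); reorder them as CVE-2011-3368, CVE-2011-3607, CVE-2011-4317, CVE-2012-0021, CVE-2012-0031, CVE-2012-0053 before committing, as the later review comment in this thread also asks. The paragraphs for CVE-2011-4317 and CVE-2011-3368 are near-duplicate text; since the commit log above states that CVE-2011-4317 exists because of an incomplete fix for CVE-2011-3368, saying so in the CVE-2011-4317 paragraph would let readers tell the two apart. The lower bound 2.* also pulls in the 2.0 branch (the portaudit run above lists apache-2.0.64_2), which the CVE texts do cover, but the port update in this PR only touches www/apache22, so www/apache20 will keep being flagged until it gets its own fix.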
Synopsis: [patch] www/apache22: remove custom user creation in favor of USERS framework

Responsible-Changed-From-To: freebsd-ports-bugs->apache
Responsible-Changed-By: edwin
Responsible-Changed-When: Wed Feb 1 23:50:25 UTC 2012
Responsible-Changed-Why:
Over to maintainer (via the GNATS Auto Assign Tool)

http://www.freebsd.org/cgi/query-pr.cgi?pr=164698

From owner-freebsd-apache@FreeBSD.ORG Thu Feb 2 01:40:10 2012
From: dfilter@FreeBSD.ORG (dfilter service)
To: apache@FreeBSD.org
Date: Thu, 2 Feb 2012 01:40:10 GMT
Subject: Re: ports/164675: commit references a PR

The following reply was made to PR ports/164675; it has been noted by GNATS.
From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Subject: Re: ports/164675: commit references a PR
Date: Thu, 2 Feb 2012 01:32:28 +0000 (UTC)

 jgh         2012-02-02 01:32:18 UTC

   FreeBSD ports repository

   Modified files:
     security/vuxml       vuln.xml
   Log:
   document latest Apache vulnerabilities

   PR:             ports/164675
   Reviewed by:    crees, eadler
   Approved by:    crees (mentor)

   Revision  Changes    Path
   1.2587    +55 -1     ports/security/vuxml/vuln.xml

From owner-freebsd-apache@FreeBSD.ORG Thu Feb 2 07:12:13 2012
From: Remko Lodder
Date: Thu, 2 Feb 2012 08:12:12 +0100
To: Jason Helfman
Cc: Chris Rees, rene@freebsd.org, apache@freebsd.org, secteam@freebsd.org
Subject: Re: documentation for apache vulnerability, over for approval

Dear Jason,

The entry looks pretty good. Did you issue the 'make validate' command?

In addition the references are not sorted on year and number, please look into that and don't forget to change the entry date :-)

From my iPad I couldn't see whether or not the indentation was done properly.

Cheers
Remko

Sent from my iPad

On Feb 1, 2012, at 10:21 PM, Jason Helfman wrote:

>

From owner-freebsd-apache@FreeBSD.ORG Thu Feb 2 07:16:35 2012
From: Jason Helfman
Date: Wed, 1 Feb 2012 23:15:38 -0800
To: Remko Lodder
Cc: Chris Rees, rene@freebsd.org, apache@freebsd.org, secteam@freebsd.org
Subject: Re: documentation for apache vulnerability, over for approval

On Thu, Feb 02, 2012 at 08:12:12AM +0100, Remko Lodder thus spake:
>Dear Jason,
>
>The entry looks pretty good. Did you issue the 'make validate' command?
>
>In addition the references are not sorted on year and number, please look into that and don't forget to change the entry date :-)
>
>From my iPad I couldn't see whether or not the indentation was done properly.
>
>Cheers
>Remko
>
>Sent from my iPad
>
>On Feb 1, 2012, at 10:21 PM, Jason Helfman wrote:
>
>>
>

Can't believe I'm actually up looking at my freebsd mail this late ;)

crees looked this over, and said as long as it tested out right, it was
good by him. I tested it and all looked great. make validate, packaudit,
portaudit all tested good. eadler reviewed, as well.

I committed it later this afternoon.
http://www.vuxml.org/freebsd/4b7dbfab-4c6b-11e1-bc16-0023ae8e59f0.html

Let me know if anything needs to be addressed, and I can take care of it.

Thanks!
-jgh

--
Jason Helfman | FreeBSD Committer
jgh@FreeBSD.org | http://people.freebsd.org/~jgh

From owner-freebsd-apache@FreeBSD.ORG Thu Feb 2 16:40:20 2012
From: edwin@FreeBSD.org
To: edwin@FreeBSD.org, freebsd-ports-bugs@FreeBSD.org, apache@FreeBSD.org
Date: Thu, 2 Feb 2012 16:40:20 GMT
Subject: Re: ports/164711: www/apache22 2.2.22 proxy connect patch update

Synopsis: www/apache22 2.2.22 proxy connect patch update

Responsible-Changed-From-To: freebsd-ports-bugs->apache
Responsible-Changed-By: edwin
Responsible-Changed-When: Thu Feb 2 16:40:20 UTC 2012
Responsible-Changed-Why:
Over to maintainer (via the GNATS Auto Assign Tool)

http://www.freebsd.org/cgi/query-pr.cgi?pr=164711
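The two checks the thread above does by hand on the VuXML entry (portaudit against apache-2.2.21 and apache-2.0.64_2 to confirm the range, and Remko's request that the references be sorted by year and number), written out as an added Python script; this is not portaudit or the security/vuxml port's own tooling. It assumes a simplified FreeBSD port version comparison and a prefix reading of the 2.* wildcard, and runs over a sample entry constructed from the one in the patch.

```python
"""Lint a VuXML entry the way the thread above checks it by hand.
Added example, not portaudit or the security/vuxml port's own tooling: the
sample entry is constructed from the apache entry in the patch above, and the
version comparison is a simplified, assumed form of FreeBSD port versioning."""
import re
import xml.etree.ElementTree as ET

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}
VID = "4b7dbfab-4c6b-11e1-bc16-0023ae8e59f0"  # vid from the thread

# Constructed sample modelled on the entry under review in the patch above.
SAMPLE_VULN_XML = f"""<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="{VID}">
    <topic>apache -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>apache</name>
        <range><ge>2.*</ge><lt>2.2.22</lt></range>
      </package>
    </affects>
    <references>
      <cvename>CVE-2011-3607</cvename>
      <cvename>CVE-2012-0021</cvename>
      <cvename>CVE-2012-0031</cvename>
      <cvename>CVE-2011-4317</cvename>
      <cvename>CVE-2012-0053</cvename>
      <cvename>CVE-2011-3368</cvename>
    </references>
    <dates><discovery>2011-10-05</discovery><entry>2012-01-31</entry></dates>
  </vuln>
</vuxml>
"""
CVE_RE = re.compile(r"^CVE-(\d{4})-(\d+)$")


def parse_version(ver):
    """'a.b.c_rev,epoch' -> (epoch, components, revision); numeric
    components sort before non-numeric ones (assumed simplification)."""
    epoch = revision = 0
    if "," in ver:
        ver, e = ver.split(",", 1)
        epoch = int(e)
    if "_" in ver:
        ver, r = ver.split("_", 1)
        revision = int(r)
    comps = [(0, int(p)) if p.isdigit() else (1, p) for p in ver.split(".")]
    return epoch, comps, revision


def satisfies(version, op, bound):
    """Does `version` meet `<op>bound</op>` (op in ge/gt/le/lt/eq)?  A bound
    ending in '.*' (the patch's <ge>2.*</ge>) is compared on its leading
    components only; that reading of the wildcard is an assumption."""
    v = parse_version(version)
    if bound.endswith(".*"):
        prefix = parse_version(bound[:-2])[1]
        left, right = v[1][:len(prefix)], prefix
    else:
        left, right = v, parse_version(bound)
    return {"ge": left >= right, "gt": left > right, "le": left <= right,
            "lt": left < right, "eq": left == right}[op]


def affected_vids(vuln_xml, pkg_name, pkg_version):
    """vids whose <range> covers pkg_name-pkg_version: what `portaudit
    <pkg>` reports for that package."""
    hits = []
    for vuln in ET.fromstring(vuln_xml).findall("v:vuln", NS):
        for package in vuln.findall("v:affects/v:package", NS):
            if pkg_name not in [n.text for n in package.findall("v:name", NS)]:
                continue
            for rng in package.findall("v:range", NS):
                # every bound inside one <range> must hold for it to match
                if all(satisfies(pkg_version, b.tag.split("}")[1], b.text)
                       for b in rng):
                    hits.append(vuln.get("vid"))
                    break
    return hits


def reference_problems(vuln_xml):
    """vid -> problems with its <cvename> list: malformed ids, or ids not
    in ascending (year, number) order, the sort the reviewer asked for."""
    problems = {}
    for vuln in ET.fromstring(vuln_xml).findall("v:vuln", NS):
        vid, keys = vuln.get("vid"), []
        for c in vuln.findall("v:references/v:cvename", NS):
            m = CVE_RE.match(c.text or "")
            if m:
                keys.append((int(m.group(1)), int(m.group(2))))
            else:
                problems.setdefault(vid, []).append(f"malformed {c.text!r}")
        if keys != sorted(keys):
            want = ", ".join("CVE-%d-%04d" % k for k in sorted(keys))
            problems.setdefault(vid, []).append("unsorted; expected " + want)
    return problems


if __name__ == "__main__":
    for pkg in ("2.0.64_2", "2.2.21", "2.2.21_1", "2.2.22", "1.3.42"):
        print(f"apache-{pkg}: {affected_vids(SAMPLE_VULN_XML, 'apache', pkg)}")
    print(reference_problems(SAMPLE_VULN_XML))
```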