Date: Wed, 21 Dec 2016 00:42:42 +0000 From: bugzilla-noreply@freebsd.org To: apache@FreeBSD.org Subject: [Bug 215457] www/apache24 2.4.23 requires security update per listed CVEs Message-ID: <bug-215457-16115@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D215457 Bug ID: 215457 Summary: www/apache24 2.4.23 requires security update per listed CVEs Product: Ports & Packages Version: Latest Hardware: Any OS: Any Status: New Severity: Affects Many People Priority: --- Component: Individual Port(s) Assignee: apache@FreeBSD.org Reporter: dewayne@heuristicsystems.com.au Flags: maintainer-feedback?(apache@FreeBSD.org) Assignee: apache@FreeBSD.org Apache announced the following CVE's that are addressed in apache 2.4.25.=20 Might be time for an update to the port.=20=20 CVE-2016-0736 (cve.mitre.org) mod_session_crypto: Authenticate the session data/cookie with a MAC (SipHash) to prevent deciphering or tampering with a padding oracle attack. CVE-2016-2161 (cve.mitre.org) mod_auth_digest: Prevent segfaults during client entry allocation when the shared memory space is exhausted. CVE-2016-5387 (cve.mitre.org) core: Mitigate [f]cgi "httpoxy" issues. CVE-2016-8740 (cve.mitre.org) mod_http2: Mitigate DoS memory exhaustion via endless CONTINUATION frames. CVE-2016-8743 (cve.mitre.org) Enforce HTTP request grammar corresponding to RFC7230 for request lines and request headers, to prevent response splitting and cache pollution by malicious clients or downstream proxies. After changing the PORTVERSION, makesum and removing the patch "files/patch-CVE-2016-8740" I came across other issues that may pertain to = my env?? This was on 11.0Stable amd64, as a hint that it may not be straight-forward. Thanks to doctor@doctor.nl2k.ab.ca for circulating the announcement. --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-215457-16115>