From owner-svn-ports-all@FreeBSD.ORG Thu Aug 2 03:17:27 2012 Message-Id: <201208020317.q723HQ53031269@svn.freebsd.org>
From: Wesley Shields Date: Thu, 2 Aug 2012 03:17:26 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org X-SVN-Group: ports-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r301849 - in head: security/vuxml www/apache22 www/apache22/files X-BeenThere: svn-ports-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 02 Aug 2012 03:17:27 -0000 Author: wxs Date: Thu Aug 2 03:17:26 2012 New Revision: 301849 URL: http://svn.freebsd.org/changeset/ports/301849 Log: Document Apache 2.2.x insecure handling of LD_LIBRARY_PATH. Add patch[1] to address problem to apache port. [1]: http://svn.apache.org/viewvc/httpd/httpd/trunk/support/envvars-std.in?view=log&pathrev=1296428 Approved by: apache@ (pgollucci@) Obtained from: Apache SVN Modified: head/security/vuxml/vuln.xml head/www/apache22/Makefile head/www/apache22/files/patch-support__envvars-std.in (contents, props changed) Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Thu Aug 2 03:09:40 2012 (r301848) +++ head/security/vuxml/vuln.xml Thu Aug 2 03:17:26 2012 (r301849) @@ -52,6 +52,52 @@ Note: Please add new entries to the beg --> + + Apache -- Insecure LD_LIBRARY_PATH handling + + + apache + 2.2.22_5 + + + apache-event + 2.2.22_5 + + + apache-itk + 2.2.22_5 + + + apache-peruser + 2.2.22_5 + + + apache-worker + 2.2.22_5 + + + + +

Apache reports:

+
+

Insecure handling of LD_LIBRARY_PATH was found that could lead to + the current working directory to be searched for DSOs. This could + allow a local user to execute code as root if an administrator runs + apachectl from an untrusted directory.

+
+ +
+ + CVE-2012-0883 + http://httpd.apache.org/security/vulnerabilities_24.html + http://www.apache.org/dist/httpd/CHANGES_2.4.2 + + + 2012-03-02 + 2012-08-01 + +
+ django -- multiple vulnerabilities Modified: head/www/apache22/Makefile ============================================================================== --- head/www/apache22/Makefile Thu Aug 2 03:09:40 2012 (r301848) +++ head/www/apache22/Makefile Thu Aug 2 03:17:26 2012 (r301849) @@ -9,7 +9,7 @@ PORTNAME= apache PORTVERSION= 2.2.22 -PORTREVISION= 5 +PORTREVISION= 6 CATEGORIES= www MASTER_SITES= ${MASTER_SITE_APACHE_HTTPD} DISTNAME= httpd-${PORTVERSION} Modified: head/www/apache22/files/patch-support__envvars-std.in ============================================================================== --- head/www/apache22/files/patch-support__envvars-std.in Thu Aug 2 03:09:40 2012 (r301848) +++ head/www/apache22/files/patch-support__envvars-std.in Thu Aug 2 03:17:26 2012 (r301849) @@ -1,6 +1,15 @@ ---- ./support/envvars-std.in.orig 2006-07-11 23:38:44.000000000 -0400 -+++ ./support/envvars-std.in 2010-05-06 19:37:54.270732510 -0400 -@@ -22,3 +22,10 @@ +--- support/envvars-std.in.orig 2006-07-11 23:38:44.000000000 -0400 ++++ support/envvars-std.in 2012-08-01 23:11:16.000000000 -0400 +@@ -18,7 +18,18 @@ + # + # This file is generated from envvars-std.in + # +-@SHLIBPATH_VAR@="@exp_libdir@:$@SHLIBPATH_VAR@" ++if test "x$@SHLIBPATH_VAR@" != "x" ; then ++ @SHLIBPATH_VAR@="@exp_libdir@:$@SHLIBPATH_VAR@" ++else ++ @SHLIBPATH_VAR@="@exp_libdir@" ++fi export @SHLIBPATH_VAR@ # @OS_SPECIFIC_VARS@
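Review bot: the affected-version boundary in the new vuln.xml entry has to be checked against the Makefile hunk in the same commit: every package block (apache, apache-event, apache-itk, apache-peruser, apache-worker) lists `2.2.22_5`, but PORTREVISION moves from 5 to 6, so 2.2.22_5 is the last unpatched build and must fall inside the affected range; a `<lt>` comparison should therefore read `2.2.22_6`, or the entry should use `<le>2.2.22_5</le>`. The version-range markup is not visible in this mail, so confirm which operator the entry actually uses before it is merged. Separately, both references given (`http://httpd.apache.org/security/vulnerabilities_24.html` and `http://www.apache.org/dist/httpd/CHANGES_2.4.2`) describe the 2.4 branch, while the entry and the commit log cover 2.2.x; a 2.2-specific reference for CVE-2012-0883, if one exists, would make the entry easier to verify.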
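Review bot: the new `if test "x$@SHLIBPATH_VAR@" != "x"` guard in patch-support__envvars-std.in should carry a one-line comment in the generated envvars file explaining why it exists. The old unconditional assignment `@SHLIBPATH_VAR@="@exp_libdir@:$@SHLIBPATH_VAR@"` produced a trailing empty element (`@exp_libdir@:`) whenever the variable was unset, and an empty element in a library search path is treated by the runtime linker as the current directory, which is exactly the condition the vuln.xml description refers to (the cwd searched for DSOs when apachectl is run as root from an untrusted directory). Something like `# Never leave an empty path element: it would add the cwd to the DSO search path` keeps the next reader from simplifying it back to one line. The hunk header also changes from `@@ -22,3 +22,10 @@` to `@@ -18,7 +18,18 @@`; the counts are consistent (7 lines from the earlier version of the patch plus 4 net new lines here), but make sure the earlier additions are still present below the visible context, since only the top of the file is shown in this diff.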