Date: Thu, 2 Aug 2012 03:17:26 +0000 (UTC)
From: Wesley Shields <wxs@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r301849 - in head: security/vuxml www/apache22 www/apache22/files
Message-ID: <201208020317.q723HQ53031269@svn.freebsd.org>
Author: wxs
Date: Thu Aug 2 03:17:26 2012
New Revision: 301849

URL: http://svn.freebsd.org/changeset/ports/301849

Log:
  Document Apache 2.2.x insecure handling of LD_LIBRARY_PATH.
  Add patch[1] to address problem to apache port.

  [1]: http://svn.apache.org/viewvc/httpd/httpd/trunk/support/envvars-std.in?view=log&pathrev=1296428

  Approved by: apache@ (pgollucci@)
  Obtained from: Apache SVN

Modified:
  head/security/vuxml/vuln.xml
  head/www/apache22/Makefile
  head/www/apache22/files/patch-support__envvars-std.in   (contents, props changed)

Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Thu Aug 2 03:09:40 2012 (r301848) +++ head/security/vuxml/vuln.xml Thu Aug 2 03:17:26 2012 (r301849)
@@ -52,6 +52,52 @@ Note: Please add new entries to the beg --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="de2bc01f-dc44-11e1-9f4d-002354ed89bc"> + <topic>Apache -- Insecure LD_LIBRARY_PATH handling</topic> + <affects> + <package> + <name>apache</name> + <range><le>2.2.22_5</le></range> + </package> + <package> + <name>apache-event</name> + <range><le>2.2.22_5</le></range> + </package> + <package> + <name>apache-itk</name> + <range><le>2.2.22_5</le></range> + </package> + <package> + <name>apache-peruser</name> + <range><le>2.2.22_5</le></range> + </package> + <package> + <name>apache-worker</name> + <range><le>2.2.22_5</le></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Apache reports:</p> + <blockquote cite="http://httpd.apache.org/security/vulnerabilities_24.html"> + <p>Insecure handling of LD_LIBRARY_PATH was found that could lead to + the current working directory to be searched for DSOs. This could + allow a local user to execute code as root if an administrator runs + apachectl from an untrusted directory.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2012-0883</cvename> + <url>http://httpd.apache.org/security/vulnerabilities_24.html</url> + <url>http://www.apache.org/dist/httpd/CHANGES_2.4.2</url> + </references> + <dates> + <discovery>2012-03-02</discovery> + <entry>2012-08-01</entry> + </dates> + </vuln> + <vuln vid="f01292a0-db3c-11e1-a84b-00e0814cab4e"> <topic>django -- multiple vulnerabilities</topic> <affects> Modified: head/www/apache22/Makefile ============================================================================== --- head/www/apache22/Makefile Thu Aug 2 03:09:40 2012 (r301848) +++ head/www/apache22/Makefile Thu Aug 2 03:17:26 2012 (r301849) 
@@ -9,7 +9,7 @@ PORTNAME= apache PORTVERSION= 2.2.22 -PORTREVISION= 5 +PORTREVISION= 6 CATEGORIES= www MASTER_SITES= ${MASTER_SITE_APACHE_HTTPD} DISTNAME= httpd-${PORTVERSION} Modified: head/www/apache22/files/patch-support__envvars-std.in ============================================================================== --- head/www/apache22/files/patch-support__envvars-std.in Thu Aug 2 03:09:40 2012 (r301848) +++ head/www/apache22/files/patch-support__envvars-std.in Thu Aug 2 03:17:26 2012 (r301849) @@ -1,6 +1,15 @@ ---- ./support/envvars-std.in.orig 2006-07-11 23:38:44.000000000 -0400 -+++ ./support/envvars-std.in 2010-05-06 19:37:54.270732510 -0400 -@@ -22,3 +22,10 @@ +--- support/envvars-std.in.orig 2006-07-11 23:38:44.000000000 -0400 ++++ support/envvars-std.in 2012-08-01 23:11:16.000000000 -0400 +@@ -18,7 +18,18 @@ + # + # This file is generated from envvars-std.in + # +-@SHLIBPATH_VAR@="@exp_libdir@:$@SHLIBPATH_VAR@" ++if test "x$@SHLIBPATH_VAR@" != "x" ; then ++ @SHLIBPATH_VAR@="@exp_libdir@:$@SHLIBPATH_VAR@" ++else ++ @SHLIBPATH_VAR@="@exp_libdir@" ++fi export @SHLIBPATH_VAR@ # @OS_SPECIFIC_VARS@
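Review bot: in the vuln.xml hunk, the blockquote cite attribute and both <url> references point at the 2.4 branch (vulnerabilities_24.html and CHANGES_2.4.2) while every <package> under <affects> is a 2.2.22 port, so a reader following the references will not find the 2.2 fix there. Suggest adding the Apache SVN link already given in the commit log (support/envvars-std.in?view=log&pathrev=1296428) as a further <url>, next to the existing <cvename>CVE-2012-0883</cvename>, so the entry points at the change that was actually backported. The <le>2.2.22_5</le> range is consistent with the PORTREVISION bump from 5 to 6 in the Makefile hunk.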
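Review bot: in the patch-support__envvars-std.in hunk, the new guard `if test "x$@SHLIBPATH_VAR@" != "x" ; then` treats an unset and an empty variable alike, so the old unconditional `@SHLIBPATH_VAR@="@exp_libdir@:$@SHLIBPATH_VAR@"` can no longer leave a trailing colon (an empty path element, which the runtime linker treats as the current working directory) when nothing was inherited; that is the right shape for the fix. Two points: an empty element that is already present in an inherited value (leading, trailing or doubled colon) still passes through unchanged, so the patch only removes the element envvars itself introduced, and the generated file carries no comment saying why the branch exists, so a one-line comment above the `if` would keep a later sync against upstream from collapsing it back to the single assignment.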