From owner-freebsd-ports-bugs@FreeBSD.ORG Sun Aug 30 11:10:02 2009 Return-Path: Delivered-To: freebsd-ports-bugs@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 96277106566B for ; Sun, 30 Aug 2009 11:10:02 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 72FF98FC1A for ; Sun, 30 Aug 2009 11:10:02 +0000 (UTC) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id n7UBA20l041529 for ; Sun, 30 Aug 2009 11:10:02 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.3/8.14.3/Submit) id n7UBA29t041528; Sun, 30 Aug 2009 11:10:02 GMT (envelope-from gnats) Resent-Date: Sun, 30 Aug 2009 11:10:02 GMT Resent-Message-Id: <200908301110.n7UBA29t041528@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer) Resent-To: freebsd-ports-bugs@FreeBSD.org Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, olli hauer Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 2466B1065687 for ; Sun, 30 Aug 2009 11:00:14 +0000 (UTC) (envelope-from ohauer@gmx.de) Received: from mail.gmx.net (mail.gmx.net [213.165.64.20]) by mx1.freebsd.org (Postfix) with SMTP id 993A38FC08 for ; Sun, 30 Aug 2009 11:00:13 +0000 (UTC) Received: (qmail invoked by alias); 30 Aug 2009 11:00:11 -0000 Received: from u18-124.dsl.vianetworks.de (EHLO u18-124.dsl.vianetworks.de) [194.231.39.124] by mail.gmx.net (mp021) with SMTP; 30 Aug 2009 13:00:11 +0200 Received: by u18-124.dsl.vianetworks.de (Postfix, from userid 1100) id 327D826145; Sun, 30 Aug 2009 13:00:06 +0200 (CEST) Message-Id: <20090830110006.327D826145@u18-124.dsl.vianetworks.de> Date: Sun, 30 Aug 2009 13:00:05 +0200 (CEST) From: olli hauer To: FreeBSD-gnats-submit@FreeBSD.org, lev@FreeBSD.org X-Send-Pr-Version: 3.113 Cc: ohauer@gmx.de Subject: ports/138337: [patch] port neon28 update to 28.6 X-BeenThere: freebsd-ports-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: olli hauer List-Id: Ports bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 30 Aug 2009 11:10:02 -0000 >Number: 138337 >Category: ports >Synopsis: [patch] port neon28 update to 28.6 >Confidential: no >Severity: serious >Priority: high >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: update >Submitter-Id: current-users >Arrival-Date: Sun Aug 30 11:10:01 UTC 2009 >Closed-Date: >Last-Modified: >Originator: olli hauer >Release: FreeBSD 7.2-RELEASE-p3 i386 >Organization: >Environment: >Description: Changes in release neon 0.28.6, 18 August 2009 * SECURITY (CVE-2009-2473): Fix "billion laughs" attack against expat; could allow a Denial of Service attack by a malicious server. * SECURITY (CVE-2009-2474): Fix handling of an embedded NUL byte in a certificate subject name; could allow an undetected MITM attack against an SSL server if a trusted CA issues such a cert. Note: CVE-2009-2474 does affect GnuTLS as well as OpenSSL, contrary to previous announcement. Changes in release neon 0.28.5, 3 July 2009 * Enable support for X.509v1 CA certificates in GnuTLS. * Fix handling of EINTR in connect() calls. * Fix use of builds with SOCK_CLOEXEC support on older Linux kernels. Important message about CVE-2009-2473 from http://lists.manyfish.co.uk/pipermail/neon/2009-August/001045.html neon 0.28.6 has a fix for the "billion laughs" entity expansion attack against expat. If a client application visited a malicious DAV server, or used the XML parsing interfaces (ne_xml*) to parse an XML document from an attacker, a denial of service attack was possible. This issue has been assigned CVE name CVE-2009-2473. All versions of neon older than 0.28.6 are affected, where linked against expat. This issue does not affect versions of neon which are compiled to use libxml2 instead of expat, provided the libxml2 version is 2.6.32 or greater. @lev Is there a reason to keep --enable-xml in the CONFIGURE_ARGS? A search over the port history showed it was introduced in this version http://www.freebsd.org/cgi/cvsweb.cgi/ports/www/neon/Attic/Makefile?annotate=1.5 (Tue Jun 5 20:50:03 2001 UTC (8 years, 2 months ago) by olgeni) However, in the build logs you can find this message. - configure: WARNING: unrecognized options: --enable-xml I guess it is a forgotten parameter from Year 2002 http://www.freebsd.org/cgi/cvsweb.cgi/ports/www/neon/Attic/Makefile.diff?r2=1.13&r1=1.12&f=u //olli >How-To-Repeat: >Fix: --- patch_neon28.6.txt begins here --- --- Makefile +++ Makefile @@ -6,7 +6,7 @@ # PORTNAME= neon28 -PORTVERSION= 0.28.4 +PORTVERSION= 0.28.6 CATEGORIES= www MASTER_SITES= http://www.webdav.org/neon/ \ http://keyserver.kjsl.com/~jharris/distfiles/ @@ -29,7 +29,6 @@ USE_GNOME= gnomehack gnometarget GNU_CONFIGURE= yes CONFIGURE_ARGS= --with-ssl \ - --enable-xml \ --enable-shared \ --with-expat \ --with-libs=${LOCALBASE}:${PREFIX} --- distinfo +++ distinfo @@ -1,3 +1,3 @@ -MD5 (neon-0.28.4.tar.gz) = 6c3b94362af743d046e198e9fcbe4a85 -SHA256 (neon-0.28.4.tar.gz) = be151943df34e5884b2c7f4b5f4ebe83b8e74e665d90474aca06006e3b9530bd -SIZE (neon-0.28.4.tar.gz) = 775886 +MD5 (neon-0.28.6.tar.gz) = 252578ed555552b71d15909641484951 +SHA256 (neon-0.28.6.tar.gz) = 06ee8b1aa37a14a956a1158bf6b5a8c3388976d61c1dc3773a3ffe18ac8ecc0e +SIZE (neon-0.28.6.tar.gz) = 789193 --- patch_neon28.6.txt ends here --- >Release-Note: >Audit-Trail: >Unformatted: