Date: Wed, 21 Dec 2016 00:42:42 +0000 From: bugzilla-noreply@freebsd.org To: apache@FreeBSD.org Subject: maintainer-feedback requested: [Bug 215457] www/apache24 2.4.23 requires security update per listed CVEs Message-ID: <bug-215457-16115-0CgLMZ3Krs@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-215457-16115@https.bugs.freebsd.org/bugzilla/> References: <bug-215457-16115@https.bugs.freebsd.org/bugzilla/>
dewayne@heuristicsystems.com.au has reassigned Bugzilla Automation <bugzilla@FreeBSD.org>'s request for maintainer-feedback to apache@FreeBSD.org:

Bug 215457: www/apache24 2.4.23 requires security update per listed CVEs
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=215457

--- Description ---
Apache announced the following CVEs that are addressed in apache 2.4.25. Might be time for an update to the port.

CVE-2016-0736 (cve.mitre.org) mod_session_crypto: Authenticate the session data/cookie with a MAC (SipHash) to prevent deciphering or tampering with a padding oracle attack.
CVE-2016-2161 (cve.mitre.org) mod_auth_digest: Prevent segfaults during client entry allocation when the shared memory space is exhausted.
CVE-2016-5387 (cve.mitre.org) core: Mitigate [f]cgi "httpoxy" issues.
CVE-2016-8740 (cve.mitre.org) mod_http2: Mitigate DoS memory exhaustion via endless CONTINUATION frames.
CVE-2016-8743 (cve.mitre.org) Enforce HTTP request grammar corresponding to RFC7230 for request lines and request headers, to prevent response splitting and cache pollution by malicious clients or downstream proxies.

After changing the PORTVERSION, makesum and removing the patch "files/patch-CVE-2016-8740" I came across other issues that may pertain to my env?? This was on 11.0-STABLE amd64, as a hint that it may not be straight-forward.

Thanks to doctor@doctor.nl2k.ab.ca for circulating the announcement.
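As an added example, not part of the bug report and not httpd's own code, the Python below sketches two of the fixes listed in the report: strict RFC 7230 parsing of the request line and header fields (the class of lenient parsing CVE-2016-8743 tightened, where a client and a downstream proxy can disagree about where a header or request ends), and dropping the client-supplied Proxy header when building the CGI environment (the httpoxy issue, CVE-2016-5387). The parser is a deliberately simplified stand-in for httpd's, the CGI variable mapping follows RFC 3875 conventions, and every request, hostname and address in it is constructed for the example.

```python
"""Strict HTTP/1.1 request-head parsing plus an httpoxy-safe CGI environment.

Added example: a simplified stand-in for the httpd behaviour described in the
bug report, not httpd's own parser or mod_cgi code.
"""
import re

# RFC 7230 tchar: the characters allowed in a token (method, header field name).
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
TOKEN_RE = re.compile(rf"^{TCHAR}+$")
# request-line = method SP request-target SP HTTP-version (single spaces only)
REQUEST_LINE_RE = re.compile(rf"^({TCHAR}+) (\S+) HTTP/(\d)\.(\d)$")
# field-value content: VCHAR / obs-text / SP / HTAB, so no CR, LF or other controls
FIELD_VALUE_RE = re.compile(r"^[\t \x21-\x7e\x80-\xff]*$")


class BadRequest(ValueError):
    """Raised for any request head that violates the RFC 7230 grammar."""


def parse_request_head(raw: bytes) -> dict:
    """Parse the request line and header fields strictly.

    Rejects bare CR or LF inside a line, whitespace before the colon,
    non-token field names, control characters in values and obs-fold
    continuation lines.
    """
    if b"\r\n\r\n" not in raw:
        raise BadRequest("incomplete request head")
    head, _body = raw.split(b"\r\n\r\n", 1)
    lines = [line.decode("latin-1") for line in head.split(b"\r\n")]
    for line in lines:
        if "\r" in line or "\n" in line:
            raise BadRequest("bare CR or LF in request head")

    m = REQUEST_LINE_RE.match(lines[0])
    if not m:
        raise BadRequest(f"malformed request line: {lines[0]!r}")
    method, target = m.group(1), m.group(2)
    version = (int(m.group(3)), int(m.group(4)))

    headers = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t"):
            raise BadRequest("obs-fold line folding is not accepted")
        name, sep, value = line.partition(":")
        # An empty name, whitespace before the colon ("Host : x") or any
        # non-tchar character all fail the token check.
        if not sep or not TOKEN_RE.match(name):
            raise BadRequest(f"invalid header field name: {name!r}")
        value = value.strip(" \t")
        if not FIELD_VALUE_RE.match(value):
            raise BadRequest(f"control character in value of {name}")
        headers.append((name, value))
    return {"method": method, "target": target, "version": version, "headers": headers}


def rejects(raw: bytes) -> bool:
    """True if the strict parser refuses the request head."""
    try:
        parse_request_head(raw)
    except BadRequest:
        return True
    return False


def cgi_environment(request: dict, server_name: str = "www.example") -> dict:
    """Build CGI meta-variables from a parsed request (RFC 3875 style:
    HTTP_<NAME> with '-' mapped to '_'), dropping the one header whose
    variable would be HTTP_PROXY. Many HTTP client libraries used inside
    CGI scripts honour HTTP_PROXY as an outbound proxy, so a client-chosen
    "Proxy:" header would otherwise redirect the script's own requests.
    """
    env = {
        "REQUEST_METHOD": request["method"],
        "SERVER_PROTOCOL": "HTTP/%d.%d" % request["version"],
        "SERVER_NAME": server_name,
    }
    for name, value in request["headers"]:
        var = "HTTP_" + name.upper().replace("-", "_")
        if var == "HTTP_PROXY":
            continue  # httpoxy: never let a request header become HTTP_PROXY
        env[var] = value
    return env


# Constructed sample requests (hostnames and addresses are placeholders).
GOOD = (b"GET /cgi-bin/fetch HTTP/1.1\r\n"
        b"Host: www.example\r\n"
        b"Proxy: http://proxy.example:3128\r\n"
        b"X-Forwarded-For: 203.0.113.5\r\n\r\n")
BAD_SPACE_BEFORE_COLON = b"GET / HTTP/1.1\r\nHost : www.example\r\n\r\n"
BAD_BARE_LF = b"GET / HTTP/1.1\nHost: www.example\r\n\r\n"
BAD_OBS_FOLD = b"GET / HTTP/1.1\r\nHost: www.example\r\n\tcontinued\r\n\r\n"
BAD_REQUEST_LINE = b"GET\t/ HTTP/1.1\r\nHost: www.example\r\n\r\n"

if __name__ == "__main__":
    env = cgi_environment(parse_request_head(GOOD))
    print("HTTP_PROXY" in env, env["HTTP_X_FORWARDED_FOR"])  # False 203.0.113.5
    for sample in (BAD_SPACE_BEFORE_COLON, BAD_BARE_LF, BAD_OBS_FOLD, BAD_REQUEST_LINE):
        print(rejects(sample))  # True
```

The four rejected samples are the shapes a lenient parser tends to accept and a strict one must not: whitespace before the colon, a bare LF as a line terminator, an obs-fold continuation line, and a tab instead of a space in the request line. Each is an opportunity for two hops on the path to parse the same bytes differently, which is what enables the response splitting and cache pollution the CVE-2016-8743 entry refers to.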