From owner-freebsd-apache@freebsd.org Wed Dec 21 00:42:43 2016 Return-Path: Delivered-To: freebsd-apache@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 846F8C8807C for ; Wed, 21 Dec 2016 00:42:43 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from mailman.ysv.freebsd.org (mailman.ysv.freebsd.org [IPv6:2001:1900:2254:206a::50:5]) by mx1.freebsd.org (Postfix) with ESMTP id 6E0DE1028 for ; Wed, 21 Dec 2016 00:42:43 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: by mailman.ysv.freebsd.org (Postfix) id 6D7B2C8807A; Wed, 21 Dec 2016 00:42:43 +0000 (UTC) Delivered-To: apache@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 6D2A1C88077 for ; Wed, 21 Dec 2016 00:42:43 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 5D4F91027 for ; Wed, 21 Dec 2016 00:42:43 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from bugs.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id uBL0ghTe098998 for ; Wed, 21 Dec 2016 00:42:43 GMT (envelope-from bugzilla-noreply@freebsd.org) Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="UTF-8" From: bugzilla-noreply@freebsd.org To: apache@FreeBSD.org Subject: maintainer-feedback requested: [Bug 215457] www/apache24 2.4.23 requires security update per listed CVEs Date: Wed, 21 Dec 2016 00:42:42 +0000 X-Bugzilla-Type: request X-Bugzilla-Product: Ports & Packages X-Bugzilla-Component: Individual Port(s) X-Bugzilla-Version: Latest X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Many People X-Bugzilla-Who: X-Bugzilla-Status: New X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: apache@FreeBSD.org X-Bugzilla-Flags: maintainer-feedback? Message-ID: In-Reply-To: References: X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: freebsd-apache@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Support of apache-related ports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 21 Dec 2016 00:42:43 -0000 dewayne@heuristicsystems.com.au has reassigned Bugzilla Automation 's request for maintainer-feedback to apache@FreeBSD.= org: Bug 215457: www/apache24 2.4.23 requires security update per listed CVEs https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D215457 --- Description --- Apache announced the following CVE's that are addressed in apache 2.4.25.=20 Might be time for an update to the port.=20=20 CVE-2016-0736 (cve.mitre.org) mod_session_crypto: Authenticate the session data/cookie with a MAC (SipHash) to prevent deciphering or tampering with a padding oracle attack. CVE-2016-2161 (cve.mitre.org) mod_auth_digest: Prevent segfaults during client entry allocation when the shared memory space is exhausted. CVE-2016-5387 (cve.mitre.org) core: Mitigate [f]cgi "httpoxy" issues. CVE-2016-8740 (cve.mitre.org) mod_http2: Mitigate DoS memory exhaustion via endless CONTINUATION frames. CVE-2016-8743 (cve.mitre.org) Enforce HTTP request grammar corresponding to RFC7230 for request lines and request headers, to prevent response splitting and cache pollution by malicious clients or downstream proxies. After changing the PORTVERSION, makesum and removing the patch "files/patch-CVE-2016-8740" I came across other issues that may pertain to = my env?? This was on 11.0Stable amd64, as a hint that it may not be straight-forward. Thanks to doctor@doctor.nl2k.ab.ca for circulating the announcement.