Date: Fri, 29 Jul 2005 23:46:19 +0700 (NOVST)
From: Dmitry A Grigorovich <odip@bionet.nsc.ru>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: security@FreeBSD.org
Subject: ports/84312: portaudit doesn't report about all security bugs
Message-ID: <20050729164619.AA49A21720@manticore.bionet.nsc.ru>
Resent-Message-ID: <200507291650.j6TGoJRf030131@freefall.freebsd.org>
>Number:         84312
>Category:       ports
>Synopsis:       portaudit doesn't report about all security bugs
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jul 29 16:50:19 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Dmitry A Grigorovich
>Release:        FreeBSD 5.4-RELEASE-p2 i386
>Organization:
ICiG SB RAS, Russia
>Environment:
System: FreeBSD manticore.bionet.nsc.ru 5.4-RELEASE-p2 FreeBSD 5.4-RELEASE-p2 #1: Wed Jul 27 19:15:09 NOVST 2005 root@manticore.bionet.nsc.ru:/usr/obj/usr/src/sys/ODIP i386
>Description:
The page http://www.vuxml.org/freebsd/651996e0-fe07-11d9-8329-000e0c2e438a.html reports that the package apache+mod_ssl < 1.3.33+2.8.22_1 has a security bug.

/var/db/portaudit/ also contains the line:

apache+mod_ssl<1.3.33+2.8.22_1|http://www.FreeBSD.org/ports/portaudit/651996e0-fe07-11d9-8329-000e0c2e438a.html|apache -- http request smuggling

But the port /usr/ports/www/apache13-modssl may install different packages: apache+mod_ssl-1.3.33+2.8.22, apache+mod_ssl+mod_deflate-1.3.33+2.8.22, or some other. When I have the apache+mod_ssl+mod_deflate-1.3.33+2.8.22 package installed, portaudit does not report the security bug!!!

>How-To-Repeat:
Update the ports tree to the current state.

cd /usr/ports/www/apache13-modssl

Edit the Makefile and remove the PORTREVISION line. This turns this port from the current version apache+mod_ssl-1.3.33+2.8.22_1 into the old version apache+mod_ssl-1.3.33+2.8.22.

Try to fetch apache+mod_ssl:

root@manticore# make fetch
===>  apache+mod_ssl-1.3.33+2.8.22 has known vulnerabilities:
=> apache -- http request smuggling.
   Reference: <http://www.FreeBSD.org/ports/portaudit/651996e0-fe07-11d9-8329-000e0c2e438a.html>
=> Please update your ports tree and try again.
*** Error code 1

Stop in /usr/ports/www/apache13-modssl.

portaudit worked for apache+mod_ssl.

But try to fetch apache+mod_ssl+mod_deflate:

root@manticore# make WITH_APACHE_MODDEFLATE=yes fetch
You may use the following build options:
....

Oops - portaudit permits you to install the version with the security bug!!!

>Fix:
I see two ways:

1) Add to portaudit all FLAVOUR ports of the BASE port: e.g. when the bug is in mod_apache+mod_ssl, also add mod_apache+mod_ssl+mod_deflate. This needs some work for dependencies.

2) When checking for security bugs in portaudit, get the name of the BASE port: e.g. if we need to check mod_apache+mod_ssl+mod_deflate, then we get the BASE port as mod_apache+mod_ssl and check this BASE port in portaudit.

>Release-Note:
>Audit-Trail:
>Unformatted:
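The matching behaviour the report describes, reproduced as an added Python example that is not part of the PR, of portaudit or of the ports tree: it parses the one auditfile line quoted above (embedded here as a constructed sample), compares the installed package name and version against the pattern the way portaudit does, and shows that the flavoured package name apache+mod_ssl+mod_deflate-1.3.33+2.8.22 slips past the check. The `flavour_base_names` helper illustrates fix (2) from the report by also trying the base names obtained by dropping trailing `+...` components; the version ordering is a simplified assumption (epoch after `,`, PORTREVISION after `_`, then numeric/alphabetic tokens), not a full reimplementation of FreeBSD's pkg_version rules.

```python
import re

# Constructed copy of the single /var/db/portaudit/auditfile line quoted in
# the report; the real file carries many such entries.
AUDITFILE = (
    "apache+mod_ssl<1.3.33+2.8.22_1"
    "|http://www.FreeBSD.org/ports/portaudit/651996e0-fe07-11d9-8329-000e0c2e438a.html"
    "|apache -- http request smuggling\n"
)

OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b,
}


def version_key(version):
    """Sort key approximating FreeBSD package version ordering.

    Assumption: simplified rules only (epoch after ',', PORTREVISION after
    '_', remaining tokens compared numerically or alphabetically). Enough
    for the versions in the report, not a pkg_version reimplementation.
    """
    epoch = 0
    if "," in version:
        version, e = version.split(",", 1)
        epoch = int(e)
    rev = 0
    if "_" in version:
        version, r = version.split("_", 1)
        rev = int(r)
    parts = [(1, int(t)) if t.isdigit() else (0, t)
             for t in re.findall(r"\d+|[A-Za-z]+", version)]
    return (epoch, parts, rev)


def split_pkgname(pkgname):
    """'apache+mod_ssl+mod_deflate-1.3.33+2.8.22' -> (name, version)."""
    name, sep, version = pkgname.rpartition("-")
    if not sep:
        raise ValueError("no version in " + pkgname)
    return name, version


def parse_auditfile(text):
    """Yield (name, [(op, version), ...], url, summary) for each entry."""
    for line in text.splitlines():
        if not line.strip():
            continue
        pattern, url, summary = line.split("|", 2)
        m = re.match(r"^([^<>=]+)((?:(?:<=|>=|<|>|=)[^<>=]+)+)$", pattern)
        if not m:
            raise ValueError("bad pattern: " + pattern)
        constraints = re.findall(r"(<=|>=|<|>|=)([^<>=]+)", m.group(2))
        yield m.group(1), constraints, url, summary


def flavour_base_names(name):
    """Candidate base names for a flavoured package name (fix (2) in the
    report): drop trailing '+...' components one at a time, so
    'apache+mod_ssl+mod_deflate' yields itself, 'apache+mod_ssl', 'apache'.
    Assumption for illustration only; a real fix would take the base name
    from the port itself rather than guessing it from the string."""
    parts = name.split("+")
    return ["+".join(parts[:i]) for i in range(len(parts), 0, -1)]


def is_vulnerable(pkgname, auditfile=AUDITFILE, use_base_names=False):
    """Return the summaries of auditfile entries matching pkgname.

    With use_base_names=False this is the plain name match the report
    shows failing for the mod_deflate flavour; with True the base-name
    candidates are tried as well.
    """
    name, version = split_pkgname(pkgname)
    names = flavour_base_names(name) if use_base_names else [name]
    key = version_key(version)
    hits = []
    for entry_name, constraints, url, summary in parse_auditfile(auditfile):
        if entry_name not in names:
            continue
        if all(OPS[op](key, version_key(v)) for op, v in constraints):
            hits.append(summary)
    return hits


if __name__ == "__main__":
    for pkg in ("apache+mod_ssl-1.3.33+2.8.22",
                "apache+mod_ssl-1.3.33+2.8.22_1",
                "apache+mod_ssl+mod_deflate-1.3.33+2.8.22"):
        print(pkg, "plain:", is_vulnerable(pkg),
              "with base names:", is_vulnerable(pkg, use_base_names=True))
```

The plain match answers exactly what the two `make fetch` runs show: the unflavoured package at PORTREVISION 0 is flagged, the `_1` package passes, and the mod_deflate flavour passes even though it is the same Apache source. The base-name candidates close that gap, but the last candidate, a bare `apache`, would also match entries written for the separate www/apache13 port, which is why the lead-in treats string stripping as an illustration and the real fix wants the base name recorded by the port.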