Date: Wed, 10 Jul 2013 19:10:01 GMT From: dfilter@FreeBSD.ORG (dfilter service) To: apache@FreeBSD.org Subject: Re: ports/180248: commit references a PR Message-ID: <201307101910.r6AJA1w6092212@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
The following reply was made to PR ports/180248; it has been noted by GNATS. From: dfilter@FreeBSD.ORG (dfilter service) To: bug-followup@FreeBSD.org Cc: Subject: Re: ports/180248: commit references a PR Date: Wed, 10 Jul 2013 19:01:53 +0000 (UTC) Author: ohauer Date: Wed Jul 10 19:01:44 2013 New Revision: 322728 URL: http://svnweb.freebsd.org/changeset/ports/322728 Log: - update to apache-2.2.25 - update vuxml with additional CVE-2013-1896 entry Changes with Apache 2.2.25 http://www.apache.org/dist/httpd/CHANGES_2.2.25 *) SECURITY: CVE-2013-1896 (cve.mitre.org) mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with the source href (sent as part of the request body as XML) pointing to a URI that is not configured for DAV will trigger a segfault. [Ben Reser <ben reser.org>] *) SECURITY: CVE-2013-1862 (cve.mitre.org) mod_rewrite: Ensure that client data written to the RewriteLog is escaped to prevent terminal escape sequences from entering the log file. [Eric Covener, Jeff Trawick, Joe Orton] *) core: Limit ap_pregsub() to 64MB and add ap_pregsub_ex() for longer strings. The default limit for ap_pregsub() can be adjusted at compile time by defining AP_PREGSUB_MAXLEN. [Stefan Fritsch, Jeff Trawick] *) core: Support the SINGLE_LISTEN_UNSERIALIZED_ACCEPT optimization on Linux kernel versions 3.x and above. PR 55121. [Bradley Heilbrun <apache heilbrun.org>] *) mod_setenvif: Log error on substitution overflow. [Stefan Fritsch] *) mod_ssl/proxy: enable the SNI extension for backend TLS connections [Kaspar Brand] *) mod_proxy: Use the the same hostname for SNI as for the HTTP request when forwarding to SSL backends. PR 53134. [Michael Weiser <michael weiser.dinsnail.net>, Ruediger Pluem] *) mod_ssl: Quiet FIPS mode weak keys disabled and FIPS not selected emits in the error log to debug level. [William Rowe] *) mod_ssl: Catch missing, mismatched or encrypted client cert/key pairs with SSLProxyMachineCertificateFile/Path directives. PR 52212, PR 54698. [Keith Burdis <keith burdis.org>, Joe Orton, Kaspar Brand] *) mod_proxy_balancer: Added balancer parameter failontimeout to allow server admin to configure an IO timeout as an error in the balancer. [Daniel Ruggeri] *) mod_authnz_ldap: Allow using exec: calls to obtain LDAP bind password. [Daniel Ruggeri] *) htdigest: Fix buffer overflow when reading digest password file with very long lines. PR 54893. [Rainer Jung] *) mod_dav: Ensure URI is correctly uriencoded on return. PR 54611 [Timothy Wood <tjw omnigroup.com>] *) mod_dav: Make sure that when we prepare an If URL for Etag comparison, we compare unencoded paths. PR 53910 [Timothy Wood <tjw omnigroup.com>] *) mod_dav: Sending an If or If-Match header with an invalid ETag doesn't result in a 412 Precondition Failed for a COPY operation. PR54610 [Timothy Wood <tjw omnigroup.com>] *) mod_dav: When a PROPPATCH attempts to remove a non-existent dead property on a resource for which there is no dead property in the same namespace httpd segfaults. PR 52559 [Diego Santa Cruz <diego.santaCruz spinetix.com>] *) mod_dav: Do not fail PROPPATCH when prop namespace is not known. PR 52559 [Diego Santa Cruz <diego.santaCruz spinetix.com>] *) mod_dav: Do not segfault on PROPFIND with a zero length DBM. PR 52559 [Diego Santa Cruz <diego.santaCruz spinetix.com>] PR: ports/180248 Submitted by: Jason Helfman jgh@ Deleted: head/www/apache22/files/patch-modules__mappers__mod_rewrite.c Modified: head/security/vuxml/vuln.xml head/www/apache22/Makefile head/www/apache22/Makefile.modules head/www/apache22/distinfo Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Wed Jul 10 17:57:38 2013 (r322727) +++ head/security/vuxml/vuln.xml Wed Jul 10 19:01:44 2013 (r322728) @@ -121,27 +121,27 @@ Note: Please add new entries to the beg </vuln> <vuln vid="f3d24aee-e5ad-11e2-b183-20cf30e32f6d"> - <topic>apache22 -- mod_rewrite vulnerability</topic> + <topic>apache22 -- several vulnerabilities</topic> <affects> <package> <name>apache22</name> - <range><gt>2.2.0</gt><lt>2.2.24_1</lt></range> + <range><gt>2.2.0</gt><lt>2.2.25</lt></range> </package> <package> <name>apache22-event-mpm</name> - <range><gt>2.2.0</gt><lt>2.2.24_1</lt></range> + <range><gt>2.2.0</gt><lt>2.2.25</lt></range> </package> <package> <name>apache22-itk-mpm</name> - <range><gt>2.2.0</gt><lt>2.2.24_1</lt></range> + <range><gt>2.2.0</gt><lt>2.2.25</lt></range> </package> <package> <name>apache22-peruser-mpm</name> - <range><gt>2.2.0</gt><lt>2.2.24_1</lt></range> + <range><gt>2.2.0</gt><lt>2.2.25</lt></range> </package> <package> <name>apache22-worker-mpm</name> - <range><gt>2.2.0</gt><lt>2.2.24_1</lt></range> + <range><gt>2.2.0</gt><lt>2.2.25</lt></range> </package> </affects> <description> @@ -153,16 +153,21 @@ Note: Please add new entries to the beg non-printable characters, which might allow remote attackers to execute arbitrary commands via an HTTP request containing an escape sequence for a terminal emulator.</p> + <p>mod_dav: Sending a MERGE request against a URI handled by + mod_dav_svn with the source href (sent as part of the request + body as XML) pointing to a URI that is not configured for DAV + will trigger a segfault.</p> </blockquote> </body> </description> <references> <cvename>CVE-2013-1862</cvename> + <cvename>CVE-2013-1896</cvename> </references> <dates> <discovery>2013-06-21</discovery> <entry>2013-07-05</entry> - <modified>2013-07-06</modified> + <modified>2013-07-10</modified> </dates> </vuln> Modified: head/www/apache22/Makefile ============================================================================== --- head/www/apache22/Makefile Wed Jul 10 17:57:38 2013 (r322727) +++ head/www/apache22/Makefile Wed Jul 10 19:01:44 2013 (r322728) @@ -1,8 +1,8 @@ # $FreeBSD$ PORTNAME= apache22 -PORTVERSION= 2.2.24 -PORTREVISION?= 1 +PORTVERSION= 2.2.25 +#PORTREVISION?= 1 CATEGORIES= www ipv6 MASTER_SITES= ${MASTER_SITE_APACHE_HTTPD} DISTNAME= httpd-${PORTVERSION} @@ -98,7 +98,7 @@ IGNORE= suEXEC resource limit patch req .endif .if ${PORT_OPTIONS:MSUEXEC_USERDIR} -EXTRA_PATCHES+= ${FILESDIR}/extra-patch-suexec_userdir +EXTRA_PATCHES+= ${FILESDIR}/extra-patch-suexec_userdir . if empty(PORT_OPTIONS:MSUEXEC) IGNORE= suEXEC UserDir patch requires mod_suexec.\ Please (re)run 'make config' and choose SUEXEC option also Modified: head/www/apache22/Makefile.modules ============================================================================== --- head/www/apache22/Makefile.modules Wed Jul 10 17:57:38 2013 (r322727) +++ head/www/apache22/Makefile.modules Wed Jul 10 19:01:44 2013 (r322728) @@ -72,7 +72,7 @@ LATEST_LINK= apache22-${WITH_MPM}-mpm .if ${WITH_MPM} == "worker" || ${WITH_MPM} == "event" PORT_OPTIONS+= CGID .if ${PORT_OPTIONS:MCGI} -IGNORE= When using a multi-threaded MPM, the module CGID should be used in place CGI. \ +IGNORE= When using a multi-threaded MPM, the module CGID should be used in place CGI. \ Please de-select CGI and select CGID instead. \ See http://httpd.apache.org/docs/2.2/mod/mod_cgi.html .endif Modified: head/www/apache22/distinfo ============================================================================== --- head/www/apache22/distinfo Wed Jul 10 17:57:38 2013 (r322727) +++ head/www/apache22/distinfo Wed Jul 10 19:01:44 2013 (r322728) @@ -1,2 +1,2 @@ -SHA256 (apache22/httpd-2.2.24.tar.bz2) = 0453f5d2d7e3b1975a1c6a8a22b6d6ff768715a3b0a89b51e5f7b5851628fad7 -SIZE (apache22/httpd-2.2.24.tar.bz2) = 5490439 +SHA256 (apache22/httpd-2.2.25.tar.bz2) = 4bcaf3524796a514b31aa5c64ce80b0cdb484bab5735416de29d00f6d50fa65a +SIZE (apache22/httpd-2.2.25.tar.bz2) = 5524905 _______________________________________________ svn-ports-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-ports-all To unsubscribe, send any mail to "svn-ports-all-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201307101910.r6AJA1w6092212>