From owner-freebsd-apache@FreeBSD.ORG Wed Jul 10 19:10:01 2013
Return-Path:
Delivered-To: apache@smarthost.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id 922A3591 for ; Wed, 10 Jul 2013 19:10:01 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) by mx1.freebsd.org (Postfix) with ESMTP id 70F57164E for ; Wed, 10 Jul 2013 19:10:01 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.7/8.14.7) with ESMTP id r6AJA1rv092227 for ; Wed, 10 Jul 2013 19:10:01 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.14.7/8.14.7/Submit) id r6AJA1w6092212; Wed, 10 Jul 2013 19:10:01 GMT (envelope-from gnats)
Date: Wed, 10 Jul 2013 19:10:01 GMT
Message-Id: <201307101910.r6AJA1w6092212@freefall.freebsd.org>
To: apache@FreeBSD.org
From: dfilter@FreeBSD.ORG (dfilter service)
Subject: Re: ports/180248: commit references a PR
X-BeenThere: freebsd-apache@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
Reply-To: dfilter service
List-Id: Support of apache-related ports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 10 Jul 2013 19:10:01 -0000

The following reply was made to PR ports/180248; it has been noted by GNATS.
From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:
Subject: Re: ports/180248: commit references a PR
Date: Wed, 10 Jul 2013 19:01:53 +0000 (UTC)

Author: ohauer
Date: Wed Jul 10 19:01:44 2013
New Revision: 322728

URL: http://svnweb.freebsd.org/changeset/ports/322728

Log:
  - update to apache-2.2.25
  - update vuxml with additional CVE-2013-1896 entry

  Changes with Apache 2.2.25
  http://www.apache.org/dist/httpd/CHANGES_2.2.25

  *) SECURITY: CVE-2013-1896 (cve.mitre.org)
     mod_dav: Sending a MERGE request against a URI handled by
     mod_dav_svn with the source href (sent as part of the request
     body as XML) pointing to a URI that is not configured for DAV
     will trigger a segfault. [Ben Reser ]

  *) SECURITY: CVE-2013-1862 (cve.mitre.org)
     mod_rewrite: Ensure that client data written to the RewriteLog is
     escaped to prevent terminal escape sequences from entering the
     log file. [Eric Covener, Jeff Trawick, Joe Orton]

  *) core: Limit ap_pregsub() to 64MB and add ap_pregsub_ex() for longer
     strings. The default limit for ap_pregsub() can be adjusted at compile
     time by defining AP_PREGSUB_MAXLEN. [Stefan Fritsch, Jeff Trawick]

  *) core: Support the SINGLE_LISTEN_UNSERIALIZED_ACCEPT optimization on
     Linux kernel versions 3.x and above. PR 55121. [Bradley Heilbrun ]

  *) mod_setenvif: Log error on substitution overflow. [Stefan Fritsch]

  *) mod_ssl/proxy: enable the SNI extension for backend TLS connections
     [Kaspar Brand]

  *) mod_proxy: Use the same hostname for SNI as for the HTTP request
     when forwarding to SSL backends. PR 53134. [Michael Weiser , Ruediger Pluem]

  *) mod_ssl: Quiet FIPS mode weak keys disabled and FIPS not selected
     emits in the error log to debug level. [William Rowe]

  *) mod_ssl: Catch missing, mismatched or encrypted client cert/key pairs
     with SSLProxyMachineCertificateFile/Path directives. PR 52212, PR 54698.
     [Keith Burdis , Joe Orton, Kaspar Brand]

  *) mod_proxy_balancer: Added balancer parameter failontimeout to allow
     server admin to configure an IO timeout as an error in the balancer.
     [Daniel Ruggeri]

  *) mod_authnz_ldap: Allow using exec: calls to obtain LDAP bind password.
     [Daniel Ruggeri]

  *) htdigest: Fix buffer overflow when reading digest password file
     with very long lines. PR 54893. [Rainer Jung]

  *) mod_dav: Ensure URI is correctly uriencoded on return. PR 54611
     [Timothy Wood ]

  *) mod_dav: Make sure that when we prepare an If URL for Etag comparison,
     we compare unencoded paths. PR 53910 [Timothy Wood ]

  *) mod_dav: Sending an If or If-Match header with an invalid ETag doesn't
     result in a 412 Precondition Failed for a COPY operation. PR 54610
     [Timothy Wood ]

  *) mod_dav: When a PROPPATCH attempts to remove a non-existent dead
     property on a resource for which there is no dead property in the same
     namespace, httpd segfaults. PR 52559 [Diego Santa Cruz ]

  *) mod_dav: Do not fail PROPPATCH when prop namespace is not known.
     PR 52559 [Diego Santa Cruz ]

  *) mod_dav: Do not segfault on PROPFIND with a zero length DBM.
     PR 52559 [Diego Santa Cruz ]

PR:           ports/180248
Submitted by: Jason Helfman jgh@

Deleted:
  head/www/apache22/files/patch-modules__mappers__mod_rewrite.c
Modified:
  head/security/vuxml/vuln.xml
  head/www/apache22/Makefile
  head/www/apache22/Makefile.modules
  head/www/apache22/distinfo

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Wed Jul 10 17:57:38 2013 (r322727)
+++ head/security/vuxml/vuln.xml Wed Jul 10 19:01:44 2013 (r322728)
@@ -121,27 +121,27 @@ Note: Please add new entries to the beg - apache22 -- mod_rewrite vulnerability + apache22 -- several vulnerabilities apache22 - 2.2.02.2.24_1 + 2.2.02.2.25 apache22-event-mpm - 2.2.02.2.24_1 + 2.2.02.2.25 apache22-itk-mpm - 2.2.02.2.24_1 + 2.2.02.2.25 apache22-peruser-mpm - 2.2.02.2.24_1 + 2.2.02.2.25 apache22-worker-mpm - 2.2.02.2.24_1 + 2.2.02.2.25 @@ -153,16 +153,21 @@ Note: Please add new entries to the beg non-printable characters, which might allow remote attackers to execute arbitrary commands via an HTTP request containing an escape sequence for a terminal emulator.

+

mod_dav: Sending a MERGE request against a URI handled by + mod_dav_svn with the source href (sent as part of the request + body as XML) pointing to a URI that is not configured for DAV + will trigger a segfault.

CVE-2013-1862 + CVE-2013-1896 2013-06-21 2013-07-05 - 2013-07-06 + 2013-07-10
Modified: head/www/apache22/Makefile ============================================================================== --- head/www/apache22/Makefile Wed Jul 10 17:57:38 2013 (r322727) +++ head/www/apache22/Makefile Wed Jul 10 19:01:44 2013 (r322728) @@ -1,8 +1,8 @@ # $FreeBSD$ PORTNAME= apache22 -PORTVERSION= 2.2.24 -PORTREVISION?= 1 +PORTVERSION= 2.2.25 +#PORTREVISION?= 1 CATEGORIES= www ipv6 MASTER_SITES= ${MASTER_SITE_APACHE_HTTPD} DISTNAME= httpd-${PORTVERSION} @@ -98,7 +98,7 @@ IGNORE= suEXEC resource limit patch req .endif .if ${PORT_OPTIONS:MSUEXEC_USERDIR} -EXTRA_PATCHES+= ${FILESDIR}/extra-patch-suexec_userdir +EXTRA_PATCHES+= ${FILESDIR}/extra-patch-suexec_userdir . if empty(PORT_OPTIONS:MSUEXEC) IGNORE= suEXEC UserDir patch requires mod_suexec.\ Please (re)run 'make config' and choose SUEXEC option also Modified: head/www/apache22/Makefile.modules ============================================================================== --- head/www/apache22/Makefile.modules Wed Jul 10 17:57:38 2013 (r322727) +++ head/www/apache22/Makefile.modules Wed Jul 10 19:01:44 2013 (r322728) @@ -72,7 +72,7 @@ LATEST_LINK= apache22-${WITH_MPM}-mpm .if ${WITH_MPM} == "worker" || ${WITH_MPM} == "event" PORT_OPTIONS+= CGID .if ${PORT_OPTIONS:MCGI} -IGNORE= When using a multi-threaded MPM, the module CGID should be used in place CGI. \ +IGNORE= When using a multi-threaded MPM, the module CGID should be used in place CGI. \ Please de-select CGI and select CGID instead. \ See http://httpd.apache.org/docs/2.2/mod/mod_cgi.html .endif Modified: head/www/apache22/distinfo ============================================================================== --- head/www/apache22/distinfo Wed Jul 10 17:57:38 2013 (r322727) +++ head/www/apache22/distinfo Wed Jul 10 19:01:44 2013 (r322728) 
@@ -1,2 +1,2 @@ -SHA256 (apache22/httpd-2.2.24.tar.bz2) = 0453f5d2d7e3b1975a1c6a8a22b6d6ff768715a3b0a89b51e5f7b5851628fad7 -SIZE (apache22/httpd-2.2.24.tar.bz2) = 5490439 +SHA256 (apache22/httpd-2.2.25.tar.bz2) = 4bcaf3524796a514b31aa5c64ce80b0cdb484bab5735416de29d00f6d50fa65a +SIZE (apache22/httpd-2.2.25.tar.bz2) = 5524905 _______________________________________________ svn-ports-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-ports-all To unsubscribe, send any mail to "svn-ports-all-unsubscribe@freebsd.org"
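Review bot: in the first vuln.xml hunk (@@ -121,27 +121,27 @@) the upper bound for all five apache22 package variants moves from 2.2.24_1 to 2.2.25 while the entry is retitled "several vulnerabilities", so one entry now merges two CVEs with different fixed versions: the mod_rewrite issue (CVE-2013-1862) was already closed in 2.2.24_1 by the now-deleted patch-modules__mappers__mod_rewrite.c, and only CVE-2013-1896 needs the <2.2.25 bound. Users on 2.2.24_1 would read this as still exposed to the RewriteLog problem. Suggest a separate entry for CVE-2013-1896, or at least a sentence in the description stating that 2.2.24_1 already carried the mod_rewrite fix.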
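Review bot: the description added in the second vuln.xml hunk (@@ -153,16 +153,21 @@) leads with "a URI handled by mod_dav_svn", which suggests only Subversion's module is affected, whereas the CHANGES text files the crash under httpd's mod_dav, the package this entry covers. Suggest wording it so that mod_dav_svn is clearly the trigger path and the segfault is in mod_dav. Also, only the modified date moves (2013-07-06 to 2013-07-10) while the discovery and entry dates are kept from the mod_rewrite entry; check that the 2013-06-21 discovery date still applies now that CVE-2013-1896 shares the entry.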
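Review bot: in the first Makefile hunk (@@ -1,8 +1,8 @@) `#PORTREVISION?= 1` comments the line out instead of removing it; on a PORTVERSION bump the PORTREVISION line should simply be deleted, since a commented assignment is easy to uncomment by accident on the next change and carries no information. Suggest dropping the line. The removal of files/patch-modules__mappers__mod_rewrite.c belongs logically to this hunk too: with the RewriteLog escaping fix in upstream 2.2.25 (per the CHANGES excerpt) the local patch would no longer apply, and a one-line mention in the Log would make that traceable.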
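Review bot: the second Makefile hunk (@@ -98,7 +98,7 @@) changes only whitespace on the `EXTRA_PATCHES+=` line; folding cosmetic cleanups into a security update makes the diff harder to audit when someone later checks what the 2.2.25 bump actually touched. Suggest keeping whitespace-only changes in a separate commit.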
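Review bot: the Makefile.modules hunk (@@ -72,7 +72,7 @@) is likewise whitespace-only, yet the IGNORE message it touches reads "should be used in place CGI", which is missing "of". Since the line is being rewritten anyway, suggest "the module CGID should be used in place of CGI." so the user-facing message is correct.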
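Review bot: the distinfo hunk (@@ -1,2 +1,2 @@) records the new SHA256 and SIZE for httpd-2.2.25.tar.bz2, but neither the hunk nor the Log says how the new checksum was established. distinfo is the only integrity check the port applies to the fetched tarball, so for a security release the Log should state that the distfile was verified against the upstream PGP signature or the hash published on apache.org before the value was regenerated, rather than taken from whatever `make makesum` downloaded.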