From: Jeremy Chadwick
To: Florian Smeets
Cc: Pavel Timofeev, apache@freebsd.org, ade@freebsd.org
Date: Fri, 2 Sep 2011 02:03:42 -0700
Subject: Re: Install apache-2.2.20
Message-ID: <20110902090342.GA48221@icarus.home.lan>
In-Reply-To: <4E609855.9070507@freebsd.org>

On Fri, Sep 02, 2011 at 10:48:21AM +0200, Florian Smeets wrote:
> On 02.09.2011 10:41, Jeremy Chadwick wrote:
> > On Fri, Sep 02, 2011 at 12:06:26PM +0400, Pavel Timofeev wrote:
> > > Hi, there's a problem
> > > [root@timbsd /usr/ports/www/apache22]# make
> > >
> > >  To enable a module category: WITH__MODULES
> > >  To disable a module category: WITHOUT__MODULES
> > >
> > >  Per default categories are:
> > >   AUTH AUTHN AUTHZ DAV CACHE MISC
> > >  Categories available:
> > >   AUTH AUTHN AUTHZ CACHE DAV EXPERIMENTAL LDAP MISC PROXY SSL SUEXEC THREADS
> > >
> > >  To see all available knobs, type make show-options
> > >  To see all modules in different categories, type make show-categories
> > >  You can check your modules configuration by using make show-modules
> > >
> > > ===>  apache-2.2.20 has known vulnerabilities:
> > > => apache -- Range header DoS vulnerability.
> > >    Reference: http://portaudit.FreeBSD.org/7f6108d2-cea8-11e0-9d58-0800279895ea.html
> > > => Please update your ports tree and try again.
> > > *** Error code 1
> > >
> > > Stop in /usr/ports/www/apache22.
> > > *** Error code 1
> > >
> > > Stop in /usr/ports/www/apache22.
> >
> > Looks like someone may have screwed up the portaudit (security/vuxml)
> > update.
>
> You just need to download the current database.
>
> # portaudit -F
>
> That worked for me.

Look at the message he's receiving. "apache-2.2.20 has known
vulnerabilities". This is wrong. Versions *PRIOR* to 2.2.20 have known
vulnerabilities.

So again: someone messed up the portaudit (security/vuxml) database.

If it got fixed, I'm not seeing any evidence of that yet either:

icarus# pkg_info | egrep ^apache
apache-itk-2.2.19   Version 2.2.x of Apache web server with itk MPM.

icarus# portaudit -Fda
New database installed.
Database created: Thu Sep  1 12:20:00 PDT 2011
Affected package: php5-5.3.6
Type of problem: php -- multiple vulnerabilities.
Reference: http://portaudit.FreeBSD.org/057bf770-cac4-11e0-aea3-00215c6a37bb.html
1 problem(s) in your installed packages found.

You are advised to update or deinstall the affected package(s) immediately.

icarus# egrep ^PORTVERSION /usr/ports/www/apache22/Makefile
PORTVERSION=    2.2.20

Let's recap:

1) The message the OP is receiving is that Apache 2.2.20 is insecure,
   which is wrong.

2) I'm using apache22 with the ITK MPM and I receive no such security
   concern message.

3) portaudit -Fda doesn't indicate anything is insecure besides PHP on
   my system, even though it obviously is (using Apache 2.2.19).

4) Here's the relevant contents of the portaudit db:

icarus# bzcat /var/db/portaudit/auditfile.tbz | strings -a | egrep ^apache | grep Range
apache>2.*<2.2.20|http://portaudit.FreeBSD.org/7f6108d2-cea8-11e0-9d58-0800279895ea.html|apache -- Range header DoS vulnerability

In my case (re: not receiving the security warning), it may be that
someone did not add the apache-itk-XXX shims to the portaudit db, which
are the direct result of the "stub" ports for Apache.

I don't know who maintains this, but it's obviously incomplete.

-- 
| Jeremy Chadwick                                   jdc at parodius.com |
| Parodius Networking                          http://www.parodius.com/ |
| UNIX Systems Administrator                      Mountain View, CA, US |
| Making life hard for others since 1977.               PGP 4BD6C0CB |
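The thread turns on two questions about the auditfile entry quoted above: whether the range `apache>2.*<2.2.20` matches the exact version 2.2.20, and whether it matches the stub package name `apache-itk`. The following is an added example, not part of the original message or of the portaudit tool, that parses that one entry and evaluates the installed package names from the thread against it. It uses a simplified version comparison (dotted numeric components compared as integers) rather than the `pkg_version -t` rules the real tool relies on, and it treats a wildcard in an ordered bound (`>2.*`) by comparing against the fixed prefix before the `*`; both are assumptions made for illustration.

```python
import fnmatch
import re

# Constructed sample entry in the auditfile format (pattern|URL|description).
# The pattern and URL are the ones quoted in the thread.
AUDIT_LINE = ("apache>2.*<2.2.20|"
              "http://portaudit.FreeBSD.org/7f6108d2-cea8-11e0-9d58-0800279895ea.html|"
              "apache -- Range header DoS vulnerability")

# One version constraint: an operator followed by a version (or glob).
_CONSTRAINT = re.compile(r"(<=|>=|<|>|=)([^<>=]+)")


def split_pkg(pkgname):
    """'apache-itk-2.2.19' -> ('apache-itk', '2.2.19'); the version follows the last dash."""
    name, _, ver = pkgname.rpartition("-")
    return name, ver


def version_key(ver):
    """Simplified comparison key (assumption): split on '.', '_' and ',',
    numeric parts compared as integers, anything else as a string."""
    parts = []
    for p in re.split(r"[._,]", ver):
        parts.append((0, int(p)) if p.isdigit() else (1, p))
    return parts


def parse_pattern(pattern):
    """'apache>2.*<2.2.20' -> ('apache', [('>', '2.*'), ('<', '2.2.20')])."""
    m = re.match(r"([^<>=]+)", pattern)
    name = m.group(1)
    constraints = _CONSTRAINT.findall(pattern[m.end():])
    return name, constraints


def bound_satisfied(ver, op, bound):
    """Does installed version `ver` satisfy one `op bound` constraint?"""
    if "*" in bound:
        if op == "=":
            return fnmatch.fnmatchcase(ver, bound)
        # Assumption: for ordered operators a wildcard bound is compared
        # using its fixed prefix, so '>2.*' behaves like '>2'.
        bound = bound.split("*", 1)[0].rstrip(".")
    a, b = version_key(ver), version_key(bound)
    return {"<": a < b, "<=": a <= b, ">": a > b, ">=": a >= b, "=": a == b}[op]


def is_affected(pkgname, audit_line):
    """True if every constraint in the entry holds for the installed package."""
    pattern, _url, _desc = audit_line.split("|", 2)
    pat_name, constraints = parse_pattern(pattern)
    name, ver = split_pkg(pkgname)
    if name != pat_name:
        # 'apache-itk' is a different package name, so the 'apache' entry
        # never matches it: this is the missing stub/shim case from the thread.
        return False
    return all(bound_satisfied(ver, op, b) for op, b in constraints)


if __name__ == "__main__":
    for pkg in ("apache-2.2.20", "apache-2.2.19", "apache-itk-2.2.19"):
        print(pkg, "affected" if is_affected(pkg, AUDIT_LINE) else "not affected")
```

With the entry as written, 2.2.20 falls outside the `<2.2.20` bound, so a correct evaluator reports it clean while 2.2.19 is flagged; the `apache-itk` package is never examined at all because its name does not match the entry. Whether the range text or the tool's evaluation is at fault, a quick check like this against the actual auditfile line is the first thing to run before trusting either a warning or its absence.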