Date:      Fri, 2 Sep 2011 02:03:42 -0700
From:      Jeremy Chadwick <freebsd@jdc.parodius.com>
To:        Florian Smeets <flo@freebsd.org>
Cc:        Pavel Timofeev <timp87@gmail.com>, apache@freebsd.org, ade@freebsd.org
Subject:   Re: Install apache-2.2.20
Message-ID:  <20110902090342.GA48221@icarus.home.lan>
In-Reply-To: <4E609855.9070507@freebsd.org>
References:  <CAAoTqfuCAQ2-bUYJD35Xj_kZ_Mc7H-Y3fgPuD-13L8rLm8+bUw@mail.gmail.com> <20110902084108.GA46572@icarus.home.lan> <4E609855.9070507@freebsd.org>

On Fri, Sep 02, 2011 at 10:48:21AM +0200, Florian Smeets wrote:
> On 02.09.2011 10:41, Jeremy Chadwick wrote:
> >On Fri, Sep 02, 2011 at 12:06:26PM +0400, Pavel Timofeev wrote:
> >>Hi, there's a problem
> >>[root@timbsd /usr/ports/www/apache22]# make
> >>
> >>  To enable a module category: WITH_<CATEGORY>_MODULES
> >>  To disable a module category: WITHOUT_<CATEGORY>_MODULES
> >>
> >>  Per default categories are:
> >>   AUTH AUTHN AUTHZ DAV CACHE MISC
> >>  Categories available:
> >>   AUTH AUTHN AUTHZ CACHE DAV EXPERIMENTAL LDAP  MISC PROXY SSL SUEXEC
> >>THREADS
> >>
> >>   To see all available knobs, type make show-options
> >>   To see all modules in different categories, type make show-categories
> >>   You can check your modules configuration by using make show-modules
> >>
> >>===>   apache-2.2.20 has known vulnerabilities:
> >>=>  apache -- Range header DoS vulnerability.
> >>    Reference:
> >>http://portaudit.FreeBSD.org/7f6108d2-cea8-11e0-9d58-0800279895ea.html
> >>=>  Please update your ports tree and try again.
> >>*** Error code 1
> >>
> >>Stop in /usr/ports/www/apache22.
> >>*** Error code 1
> >>
> >>Stop in /usr/ports/www/apache22.
> >
> >Looks like someone may have screwed up the portaudit (security/vuxml)
> >update.
> >
> 
> You just need to download the current database.
> 
> # portaudit -F
> 
> That worked for me.

Look at the message he's receiving.  "apache-2.2.20 has known
vulnerabilities".  This is wrong.  Versions *PRIOR* to 2.2.20 have known
vulnerabilities.

So again: someone messed up the portaudit (security/vuxml) database.  If
it got fixed, I'm not seeing any evidence of that yet either:

icarus# pkg_info | egrep ^apache
apache-itk-2.2.19   Version 2.2.x of Apache web server with itk MPM.

icarus# portaudit -Fda
New database installed.
Database created: Thu Sep  1 12:20:00 PDT 2011
Affected package: php5-5.3.6
Type of problem: php -- multiple vulnerabilities.
Reference: http://portaudit.FreeBSD.org/057bf770-cac4-11e0-aea3-00215c6a37bb.html

1 problem(s) in your installed packages found.

You are advised to update or deinstall the affected package(s)
immediately.

icarus# egrep ^PORTVERSION /usr/ports/www/apache22/Makefile
PORTVERSION=    2.2.20

Let's recap:

1) The message the OP is receiving is that Apache 2.2.20 is insecure,
which is wrong.

2) I'm using apache22 with the ITK MPM and I receive no such security
concern message.

3) portaudit -Fda doesn't indicate anything is insecure besides PHP on
my system, even though it obviously is (using Apache 2.2.19).

4) Here's the relevant contents of the portaudit db:

icarus# bzcat /var/db/portaudit/auditfile.tbz | strings -a | egrep ^apache | grep Range
apache>2.*<2.2.20|http://portaudit.FreeBSD.org/7f6108d2-cea8-11e0-9d58-0800279895ea.html|apache -- Range header DoS vulnerability

In my case (re: not receiving the security warning), it may be that
someone did not add the apache-itk-XXX shims to the portaudit db, which
are the direct result of the "stub" ports for Apache.  I don't know who
maintains this, but it's obviously incomplete.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                   Mountain View, CA, US |
| Making life hard for others since 1977.               PGP 4BD6C0CB |
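To show why the auditfile line quoted above should not match apache-2.2.20 but does match 2.2.19, and why an apache-itk package is missed entirely, here is an added example that parses that line and checks installed package names against it. This is not portaudit's own code: the version ordering and the treatment of the `2.*` wildcard are simplified assumptions, not pkg_version(1) semantics.

```python
import re

# Constructed input: the single auditfile entry quoted in this thread.
AUDITFILE = (
    "apache>2.*<2.2.20|http://portaudit.FreeBSD.org/"
    "7f6108d2-cea8-11e0-9d58-0800279895ea.html|"
    "apache -- Range header DoS vulnerability\n"
)

_COND_RE = re.compile(r"(<=|>=|<|>|=)([^<>=]+)")


def parse_entry(line):
    """Split 'name<op>ver...|url|description' into (name, [(op, ver)...], url, desc)."""
    spec, url, desc = line.rstrip("\n").split("|", 2)
    m = re.match(r"([^<>=]+)(.*)", spec)
    return m.group(1), _COND_RE.findall(m.group(2)), url, desc


def split_pkg(pkgname):
    """'apache-itk-2.2.19' -> ('apache-itk', '2.2.19'); version follows the last '-'."""
    name, _, ver = pkgname.rpartition("-")
    return name, ver


def version_key(ver):
    # Assumption: dotted components, numeric parts ordered numerically, others as text.
    return [(0, int(p)) if p.isdigit() else (1, p) for p in ver.split(".")]


def satisfies(ver, op, bound):
    """Does version `ver` satisfy one bound such as ('<', '2.2.20')?"""
    if bound.endswith(".*"):
        # Assumption: 'X.*' stands for the whole X branch, so only the leading
        # components are compared and strict bounds become inclusive.
        right = version_key(bound[:-2])
        left = version_key(ver)[: len(right)]
        op = {"<": "<=", ">": ">="}.get(op, op)
    else:
        right, left = version_key(bound), version_key(ver)
    return {"<": left < right, "<=": left <= right, ">": left > right,
            ">=": left >= right, "=": left == right}[op]


def vulnerable(pkgname, line):
    """True when the package name matches the entry and every version bound holds."""
    name, conds, _, _ = parse_entry(line)
    pkg, ver = split_pkg(pkgname)
    return pkg == name and all(satisfies(ver, op, b) for op, b in conds)


def audit(installed, auditfile=AUDITFILE):
    """Return (package, description) for each installed package hit by an entry."""
    entries = [ln for ln in auditfile.splitlines() if ln.strip()]
    return [(p, parse_entry(e)[3]) for p in installed for e in entries if vulnerable(p, e)]
```

Run against the thread's packages, the 2.2.20 port is clean, 2.2.19 is flagged, and apache-itk-2.2.19 is never compared because the entry only names `apache`.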