From owner-freebsd-apache@FreeBSD.ORG Fri Sep 2 09:44:22 2011
Delivered-To: apache@freebsd.org
Message-ID: <4E60A574.5040705@freebsd.org>
Date: Fri, 02 Sep 2011 11:44:20 +0200
From: Florian Smeets
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:6.0.1) Gecko/20110901 Thunderbird/6.0.1
To: Jeremy Chadwick
References: <20110902084108.GA46572@icarus.home.lan> <4E609855.9070507@freebsd.org> <20110902090342.GA48221@icarus.home.lan>
In-Reply-To: <20110902090342.GA48221@icarus.home.lan>
Cc: Pavel Timofeev, apache@freebsd.org, ade@freebsd.org
Subject: Re: Install apache-2.2.20
List-Id: Support of apache-related ports

On 02.09.2011 11:03, Jeremy Chadwick wrote:
> On Fri, Sep 02, 2011 at 10:48:21AM +0200, Florian Smeets wrote:
>> On 02.09.2011 10:41, Jeremy Chadwick wrote:
>>> On Fri, Sep 02, 2011 at 12:06:26PM +0400, Pavel Timofeev wrote:
>>>> Hi, there's a problem
>>>> [root@timbsd /usr/ports/www/apache22]# make
>>>>
>>>> ===> apache-2.2.20 has known vulnerabilities:
>>>> => apache -- Range header DoS vulnerability.
>>>> Reference:
>>>> http://portaudit.FreeBSD.org/7f6108d2-cea8-11e0-9d58-0800279895ea.html
>>>> => Please update your ports tree and try again.
>>>> *** Error code 1
>>>>
>>>> Stop in /usr/ports/www/apache22.
>>>> *** Error code 1
>>>>
>>>> Stop in /usr/ports/www/apache22.
>>>
>>> Looks like someone may have screwed up the portaudit (security/vuxml)
>>> update.
>>>
>>
>> You just need to download the current database.
>>
>> # portaudit -F
>>
>> That worked for me.
>
> Look at the message he's receiving. "apache-2.2.20 has known
> vulnerabilities". This is wrong. Versions *PRIOR* to 2.2.20 have known
> vulnerabilities.

The first vuxml entry that was added for this vulnerability had

| + 2.*

It was fixed yesterday to match only versions lower than 2.2.20

| - 2.*
| + 2.*2.2.20

That's why I suggested downloading the new database.

>
> So again: someone messed up the portaudit (security/vuxml) database. If
> it got fixed, I'm not seeing any evidence of that yet either:
>

If you download the newest db Pavel's problem should be fixed.

> Let's recap:
>
> 1) The message the OP is receiving is that Apache 2.2.20 is insecure,
> which is wrong.

See above.

>
> 2) I'm using apache22 with the ITK MPM and I receive no such security
> concern message.
>
> 3) portaudit -Fda doesn't indicate anything is insecure besides PHP on
> my system, even though it obviously is (using Apache 2.2.19).
>

Ok, that's a different problem. 2 and 3 are basically the same problem, no? I think the slave ports need to be added to the entry, too.

> 4) Here's the relevant contents of the portaudit db:
>
> icarus# bzcat /var/db/portaudit/auditfile.tbz | strings -a | egrep ^apache | grep Range
> apache>2.*<2.2.20|http://portaudit.FreeBSD.org/7f6108d2-cea8-11e0-9d58-0800279895ea.html|apache -- Range header DoS vulnerability
>

You have the current database :)

> In my case (re: not receiving the security warning), it may be that
> someone did not add the apache-itk-XXX shims to the portaudit db, which
> are the direct result of the "stub" ports for Apache. I don't know who
> maintains this, but it's obviously incomplete.
>

Yes, they should be added.

Cheers,
Florian
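As an added example (not from this thread, and not portaudit's own code), the Python below models how an auditfile entry in the layout Jeremy quotes is matched against installed packages, reproducing both problems discussed: the first entry, which had no upper bound, flags apache-2.2.20, and an entry that names only `apache` never matches the apache-itk slave port. The wildcard and version-comparison semantics are a simplified assumption, not portaudit's actual implementation, and the two entry lines are constructed.

```python
import re

# Constructed auditfile lines in the "name>lower<upper|url|description" layout of the line
# quoted in the thread. BROKEN has only the lower bound (the first vuxml entry); FIXED adds
# the "<2.2.20" upper bound that the corrected entry gained.
URL = "http://portaudit.FreeBSD.org/7f6108d2-cea8-11e0-9d58-0800279895ea.html"
DESC = "apache -- Range header DoS vulnerability"
BROKEN_ENTRY = f"apache>2.*|{URL}|{DESC}"
FIXED_ENTRY = f"apache>2.*<2.2.20|{URL}|{DESC}"

_BOUND = re.compile(r"(>=|<=|>|<)([^<>]+)")

def parse_entry(line: str) -> tuple[str, list[tuple[str, str]]]:
    """Split an auditfile line into (package name, [(operator, version), ...])."""
    spec = line.split("|", 1)[0]
    name = re.split(r"[<>]", spec, maxsplit=1)[0]
    return name, _BOUND.findall(spec[len(name):])

def split_pkg(pkg: str) -> tuple[str, str]:
    """'apache-itk-2.2.19' -> ('apache-itk', '2.2.19'): the version follows the last '-'."""
    name, version = pkg.rsplit("-", 1)
    return name, version

def _fields(version: str) -> list[str]:
    # Simplified model: drop any _PORTREVISION / ,PORTEPOCH suffix, keep the dotted fields.
    return re.split(r"[_,]", version, maxsplit=1)[0].split(".")

def satisfies(version: str, op: str, bound: str) -> bool:
    """Assumed semantics (not portaudit's exact code): a bound ending in '*' matches any
    version sharing its literal prefix, so '2.*' covers every 2.x release; other bounds
    compare field by field as integers."""
    v, b = _fields(version), _fields(bound)
    if b[-1] == "*":
        return v[: len(b) - 1] == b[:-1]
    vi, bi = [int(x) for x in v], [int(x) for x in b]
    return {">": vi > bi, ">=": vi >= bi, "<": vi < bi, "<=": vi <= bi}[op]

def audit(entries: list[str], installed: list[str]) -> list[str]:
    """Return the installed packages matched by some entry. The package name must match
    exactly, which is why a slave port such as apache-itk is never flagged by an entry
    that names only 'apache'."""
    flagged = []
    for pkg in installed:
        name, version = split_pkg(pkg)
        for line in entries:
            entry_name, bounds = parse_entry(line)
            if entry_name == name and all(satisfies(version, op, b) for op, b in bounds):
                flagged.append(pkg)
                break
    return flagged
```

With `BROKEN_ENTRY`, `audit` flags `apache-2.2.20` (Pavel's false positive); with `FIXED_ENTRY` it flags `apache-2.2.19` but not `apache-2.2.20`, and `apache-itk-2.2.19` is missed by both because the entry only names `apache`.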