From owner-freebsd-apache@FreeBSD.ORG Fri Sep 2 09:47:21 2011
From: Pavel Timofeev
To: Florian Smeets
Cc: ade@freebsd.org, apache@freebsd.org
Date: Fri, 2 Sep 2011 13:47:19 +0400
Subject: Re: Install apache-2.2.20
In-Reply-To: <4E60A574.5040705@freebsd.org>
References: <20110902084108.GA46572@icarus.home.lan> <4E609855.9070507@freebsd.org> <20110902090342.GA48221@icarus.home.lan> <4E60A574.5040705@freebsd.org>
List-Id: Support of apache-related ports

Yea, portaudit -F worked for me. Thank you!
2011/9/2 Florian Smeets
> On 02.09.2011 11:03, Jeremy Chadwick wrote:
>> On Fri, Sep 02, 2011 at 10:48:21AM +0200, Florian Smeets wrote:
>>> On 02.09.2011 10:41, Jeremy Chadwick wrote:
>>>> On Fri, Sep 02, 2011 at 12:06:26PM +0400, Pavel Timofeev wrote:
>>>>> Hi, there's a problem
>>>>> [root@timbsd /usr/ports/www/apache22]# make
>>>>>
>>>>> ===>  apache-2.2.20 has known vulnerabilities:
>>>>> => apache -- Range header DoS vulnerability.
>>>>>    Reference: http://portaudit.FreeBSD.org/7f6108d2-cea8-11e0-9d58-0800279895ea.html
>>>>> => Please update your ports tree and try again.
>>>>> *** Error code 1
>>>>>
>>>>> Stop in /usr/ports/www/apache22.
>>>>> *** Error code 1
>>>>>
>>>>> Stop in /usr/ports/www/apache22.
>>>>
>>>> Looks like someone may have screwed up the portaudit (security/vuxml)
>>>> update.
>>>
>>> You just need to download the current database.
>>>
>>> # portaudit -F
>>>
>>> That worked for me.
>>
>> Look at the message he's receiving. "apache-2.2.20 has known
>> vulnerabilities". This is wrong. Versions *PRIOR* to 2.2.20 have known
>> vulnerabilities.
>
> The first vuxml entry that was added for this vulnerability had
>
> | + 2.*
>
> It was fixed yesterday to match only versions lower than 2.2.20
>
> | - 2.*
> | + 2.*2.2.20</lt>
>
> That's why I suggested to download the new database.
>
>> So again: someone messed up the portaudit (security/vuxml) database. If
>> it got fixed, I'm not seeing any evidence of that yet either:
>
> If you download the newest db Pavel's problem should be fixed.
>
>> Let's recap:
>>
>> 1) The message the OP is receiving is that Apache 2.2.20 is insecure,
>> which is wrong.
>
> see above.
>
>> 2) I'm using apache22 with the ITK MPM and I receive no such security
>> concern message.
>>
>> 3) portaudit -Fda doesn't indicate anything is insecure besides PHP on
>> my system, even though it obviously is (using Apache 2.2.19).
>
> Ok, that's a different problem. 2 and 3 are basically the same problem, no?
> I think the slave ports need to be added to the entry, too.
>
>> 4) Here's the relevant contents of the portaudit db:
>>
>> icarus# bzcat /var/db/portaudit/auditfile.tbz | strings -a | egrep ^apache | grep Range
>> apache>2.*<2.2.20|http://portaudit.FreeBSD.org/7f6108d2-cea8-11e0-9d58-0800279895ea.html|apache -- Range header DoS vulnerability
>
> You have the current database :)
>
>> In my case (re: not receiving the security warning), it may be that
>> someone did not add the apache-itk-XXX shims to the portaudit db, which
>> are the direct result of the "stub" ports for Apache. I don't know who
>> maintains this, but it's obviously incomplete.
>
> Yes, they should be added.
>
> Cheers,
> Florian
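Review bot: the corrected range (2.* and lower than 2.2.20) fixes the false positive on 2.2.20, but the entry still only covers the package named `apache`; the MPM slave ports that install under other names (apache-itk is the one named later in this thread) match nothing in it, so `portaudit -a` stays silent for an apache-itk-2.2.19 install, which is exactly points 2 and 3 of the recap. Each such package name needs its own package block with the same version range, and the one-sided `2.*` form from the first commit should not be copied into those blocks, since it flags the fixed 2.2.20 as well.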
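The matching logic the thread is arguing about, as an added example that is not part of this e-mail thread and is not portaudit or pkg_install code: a small Python model that parses auditfile lines in the `pattern|url|description` form shown by the `bzcat ... | strings` output above and evaluates the version pattern against installed package names. The pre-fix pattern `apache>2.*` is reconstructed from Florian's description of the first vuxml entry (only the `2.*` lower bound), the installed-package list is constructed, and the wildcard rule (a bound ending in `.*` is compared on its leading components only, with `>`/`<` read as "that series or later/earlier") is an assumption of this model, stated in the docstring; portaudit itself hands the pattern to pkg_info(1), whose rules are not restated here.

```python
#!/usr/bin/env python3
"""Model of a portaudit-style audit check (added example, not portaudit code).

Auditfile line format, as seen in the thread:
    <pattern>|<reference URL>|<description>
where <pattern> is a package name followed by a chain of <op><version>
conditions, e.g.  apache>2.*<2.2.20

ASSUMPTIONS of this model (not a description of pkg_info(1) behaviour):
  * op is one of  >=  <=  >  <  =
  * a bound ending in ".*" (e.g. "2.*") is compared on its leading
    components only, and > / < against such a bound mean "that series or
    later" / "that series or earlier", which is how the thread reads
    "apache>2.*" (all of 2.x); epoch and port revision are ignored there
  * versions are FreeBSD style  ver[_portrevision][,epoch]: epoch wins,
    then the dotted components, then the port revision
"""
import re
from typing import List, Tuple

OP_RE = re.compile(r"(>=|<=|>|<|=)([^<>=]+)")

Part = Tuple[int, object]  # (1, int) for numeric runs, (0, str) for letters


def split_version(ver: str) -> Tuple[int, List[Part], int]:
    """'2.2.20_1,1' -> (epoch=1, [(1,2),(1,2),(1,20)], revision=1)."""
    epoch = revision = 0
    if "," in ver:                      # epoch is the last, comma-separated field
        ver, e = ver.rsplit(",", 1)
        epoch = int(e)
    if "_" in ver:                      # port revision follows the last underscore
        ver, r = ver.rsplit("_", 1)
        revision = int(r)
    parts: List[Part] = [(1, int(t)) if t.isdigit() else (0, t.lower())
                         for t in re.findall(r"\d+|[A-Za-z]+", ver)]
    return epoch, parts, revision


def cmp_versions(a: str, b: str) -> int:
    """-1, 0 or 1 like strcmp; 2.2.20 > 2.2.19, _1 beats no revision, epoch beats all."""
    ka, kb = split_version(a), split_version(b)
    return (ka > kb) - (ka < kb)


def bound_holds(installed: str, op: str, bound: str) -> bool:
    """Does the installed version satisfy a single <op><bound> condition?"""
    if bound.endswith(".*"):            # wildcard bound: compare leading components only
        _, want, _ = split_version(bound[:-2])
        _, have, _ = split_version(installed)
        have = have[:len(want)]
        c = (have > want) - (have < want)
        return {">": c >= 0, ">=": c >= 0, "<": c <= 0, "<=": c <= 0, "=": c == 0}[op]
    c = cmp_versions(installed, bound)
    return {">": c > 0, ">=": c >= 0, "<": c < 0, "<=": c <= 0, "=": c == 0}[op]


def parse_pattern(pattern: str) -> Tuple[str, List[Tuple[str, str]]]:
    """'apache>2.*<2.2.20' -> ('apache', [('>', '2.*'), ('<', '2.2.20')])."""
    m = re.match(r"([^<>=]+)(.*)", pattern)
    if not m:
        raise ValueError(f"bad pattern: {pattern!r}")
    return m.group(1), OP_RE.findall(m.group(2))


def pkg_split(pkg: str) -> Tuple[str, str]:
    """'apache-itk-2.2.19' -> ('apache-itk', '2.2.19'); version is after the last '-'."""
    name, _, ver = pkg.rpartition("-")
    return name, ver


def entry_matches(pattern: str, pkg: str) -> bool:
    """True when pkg's name equals the pattern's name and every condition holds."""
    name, conds = parse_pattern(pattern)
    pname, pver = pkg_split(pkg)
    if pname != name:                   # exact name match: 'apache-itk' is not 'apache'
        return False
    return all(bound_holds(pver, op, bound) for op, bound in conds)


def audit(auditfile: str, installed: List[str]) -> List[Tuple[str, str]]:
    """Return (package, description) for every installed package hit by an entry."""
    hits = []
    for line in auditfile.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        pattern, _url, desc = line.split("|", 2)
        hits.extend((pkg, desc) for pkg in installed if entry_matches(pattern, pkg))
    return hits


URL = "http://portaudit.FreeBSD.org/7f6108d2-cea8-11e0-9d58-0800279895ea.html"
DESC = "apache -- Range header DoS vulnerability"
# Constructed: the entry as first committed (lower bound only, reconstructed from the thread) ...
AUDITFILE_BEFORE_FIX = f"apache>2.*|{URL}|{DESC}\n"
# ... and as Jeremy's bzcat/egrep output shows it after the vuxml fix.
AUDITFILE_AFTER_FIX = f"apache>2.*<2.2.20|{URL}|{DESC}\n"
# Constructed installed-package list covering the cases discussed in the thread.
INSTALLED = ["apache-2.2.20", "apache-2.2.19", "apache-itk-2.2.19", "php5-5.3.6"]

if __name__ == "__main__":
    for label, db in (("before fix", AUDITFILE_BEFORE_FIX), ("after fix", AUDITFILE_AFTER_FIX)):
        print(label, audit(db, INSTALLED))
```

Run stand-alone, the first database flags both apache-2.2.20 and apache-2.2.19 (Pavel's false positive), the fixed one flags only apache-2.2.19, and apache-itk-2.2.19 is never reported by either, because the name field is matched exactly: that silence is Jeremy's points 2 and 3, and it is why the slave ports need their own entries rather than a wider version range.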