From: Jeremy Chadwick <jdc@koitsu.dyndns.org>
To: Florian Smeets
Cc: Pavel Timofeev, apache@freebsd.org, ade@freebsd.org
Date: Fri, 2 Sep 2011 03:34:38 -0700
Subject: Re: Install apache-2.2.20
Message-ID: <20110902103438.GA50999@icarus.home.lan>
In-Reply-To: <4E60A574.5040705@freebsd.org>
References: <20110902084108.GA46572@icarus.home.lan> <4E609855.9070507@freebsd.org> <20110902090342.GA48221@icarus.home.lan> <4E60A574.5040705@freebsd.org>
List-Id: Support of apache-related ports <freebsd-apache@freebsd.org>

On Fri, Sep 02, 2011 at 11:44:20AM +0200, Florian Smeets wrote:
> On 02.09.2011 11:03, Jeremy Chadwick wrote:
> >On Fri, Sep 02, 2011 at 10:48:21AM +0200, Florian Smeets wrote:
> >>On 02.09.2011 10:41, Jeremy Chadwick wrote:
> >>>On Fri, Sep 02, 2011 at 12:06:26PM +0400, Pavel Timofeev wrote:
> >>>>Hi, there's a problem
> >>>>[root@timbsd /usr/ports/www/apache22]# make
> >>>>
> >>>>===> apache-2.2.20 has known vulnerabilities:
> >>>>=> apache -- Range header DoS vulnerability.
> >>>> Reference:
> >>>>http://portaudit.FreeBSD.org/7f6108d2-cea8-11e0-9d58-0800279895ea.html
> >>>>=> Please update your ports tree and try again.
> >>>>*** Error code 1
> >>>>
> >>>>Stop in /usr/ports/www/apache22.
> >>>>*** Error code 1
> >>>>
> >>>>Stop in /usr/ports/www/apache22.
> >>>
> >>>Looks like someone may have screwed up the portaudit (security/vuxml)
> >>>update.
> >>>
> >>
> >>You just need to download the current database.
> >>
> >># portaudit -F
> >>
> >>That worked for me.
> >
> >Look at the message he's receiving. "apache-2.2.20 has known
> >vulnerabilities". This is wrong. Versions *PRIOR* to 2.2.20 have known
> >vulnerabilities.
>
> The first vuxml entry that was added for this vulnerability had
>
> | + 2.*
>
> It was fixed yesterday to match only versions lower than 2.2.20
>
> | - 2.*
> | + 2.*2.2.20

Right, so it was buggered, and someone fixed it. It's fixed *now*, but it
was broken at some point. *sigh*

Well, it's fixed; there's no real point in me going on about it. Thank you
for providing the history though, I appreciate it.

> That's why I suggested downloading the new database.

Understood.

> >2) I'm using apache22 with the ITK MPM and I receive no such security
> >concern message.
> >
> >3) portaudit -Fda doesn't indicate anything is insecure besides PHP on
> >my system, even though it obviously is (using Apache 2.2.19).
> >
>
> Ok, that's a different problem. 2 and 3 are basically the same
> problem, no? I think the slave ports need to be added to the entry,
> too.

Yes, they're related. I guess I should have put them under a single item
instead of separating them.

> >In my case (re: not receiving the security warning), it may be that
> >someone did not add the apache-itk-XXX shims to the portaudit db, which
> >are the direct result of the "stub" ports for Apache. I don't know who
> >maintains this, but it's obviously incomplete.
>
> Yes, they should be added.

Agreed, and someone should take the time to look at all the other Apache
stub ports to make sure they get added as well. An "egrep ^apache" on the
audit db returns quite a lot of entries -- I imagine some are legacy/for
classic purposes that don't apply to the "present-day" ports system, but
going through all the www/apache* ports that rely on www/apache22 would be
best.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                   Mountain View, CA, US |
| Making life hard for others since 1977.              PGP 4BD6C0CB |
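The two defects the thread describes, the vuxml entry that first carried only a lower bound and the entry that lists "apache" but not its slave ports, as an added example that is not part of the original message or of the portaudit/vuxml code: a simplified Python model of how an entry's package names and ge/lt bounds decide whether an installed package gets flagged. The entry dictionaries, the treatment of a "2.*" bound as the prefix "2", and the dotted-integer version comparison are assumptions of this example, not the real portaudit implementation.

```python
import re


def version_key(version):
    """Split a version such as '2.2.20' into a tuple of ints.
    Simplified on purpose: PORTREVISION/PORTEPOCH suffixes are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def compare(a, b):
    """Return -1, 0 or 1 comparing two version strings component-wise,
    padding the shorter tuple with zeros so that '2' == '2.0.0'."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    ka += (0,) * (n - len(ka))
    kb += (0,) * (n - len(kb))
    return (ka > kb) - (ka < kb)


def in_range(version, rng):
    """Evaluate a vuxml-style range dict with optional ge/gt/le/lt bounds.
    Assumption of this example: a bound with a trailing '.*' (e.g. '2.*')
    is treated as its numeric prefix ('2')."""
    checks = {"ge": lambda c: c >= 0, "gt": lambda c: c > 0,
              "le": lambda c: c <= 0, "lt": lambda c: c < 0}
    for op, ok in checks.items():
        if op in rng:
            bound = rng[op].replace(".*", "")
            if not ok(compare(version, bound)):
                return False
    return True


def is_affected(entry, pkgname, version):
    """True if the installed package name is listed in the entry and its
    version falls inside any of the entry's ranges."""
    return pkgname in entry["names"] and any(in_range(version, r) for r in entry["ranges"])


# Constructed entries mirroring the thread: the first commit had only a lower
# bound (so 2.2.20 itself was flagged); the fix added '< 2.2.20'; the third
# also lists the ITK slave port, which the bare 'apache' entry never matched.
ENTRY_BROKEN = {"names": ["apache"], "ranges": [{"ge": "2.*"}]}
ENTRY_FIXED = {"names": ["apache"], "ranges": [{"ge": "2.*", "lt": "2.2.20"}]}
ENTRY_WITH_SLAVES = {"names": ["apache", "apache-itk"],
                     "ranges": [{"ge": "2.*", "lt": "2.2.20"}]}

if __name__ == "__main__":
    for label, entry in [("broken", ENTRY_BROKEN), ("fixed", ENTRY_FIXED),
                         ("with slaves", ENTRY_WITH_SLAVES)]:
        for pkg, ver in [("apache", "2.2.20"), ("apache", "2.2.19"), ("apache-itk", "2.2.19")]:
            print(f"{label:12} {pkg}-{ver}: affected={is_affected(entry, pkg, ver)}")
```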