Date: Fri, 2 Sep 2011 03:34:38 -0700 From: Jeremy Chadwick <freebsd@jdc.parodius.com> To: Florian Smeets <flo@freebsd.org> Cc: Pavel Timofeev <timp87@gmail.com>, apache@freebsd.org, ade@freebsd.org Subject: Re: Install apache-2.2.20 Message-ID: <20110902103438.GA50999@icarus.home.lan> In-Reply-To: <4E60A574.5040705@freebsd.org> References: <CAAoTqfuCAQ2-bUYJD35Xj_kZ_Mc7H-Y3fgPuD-13L8rLm8%2BbUw@mail.gmail.com> <20110902084108.GA46572@icarus.home.lan> <4E609855.9070507@freebsd.org> <20110902090342.GA48221@icarus.home.lan> <4E60A574.5040705@freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, Sep 02, 2011 at 11:44:20AM +0200, Florian Smeets wrote: > On 02.09.2011 11:03, Jeremy Chadwick wrote: > >On Fri, Sep 02, 2011 at 10:48:21AM +0200, Florian Smeets wrote: > >>On 02.09.2011 10:41, Jeremy Chadwick wrote: > >>>On Fri, Sep 02, 2011 at 12:06:26PM +0400, Pavel Timofeev wrote: > >>>>Hi, there's a problem > >>>>[root@timbsd /usr/ports/www/apache22]# make > >>>> > >>>>===> apache-2.2.20 has known vulnerabilities: > >>>>=> apache -- Range header DoS vulnerability. > >>>> Reference: > >>>>http://portaudit.FreeBSD.org/7f6108d2-cea8-11e0-9d58-0800279895ea.html > >>>>=> Please update your ports tree and try again. > >>>>*** Error code 1 > >>>> > >>>>Stop in /usr/ports/www/apache22. > >>>>*** Error code 1 > >>>> > >>>>Stop in /usr/ports/www/apache22. > >>> > >>>Looks like someone may have screwed up the portaudit (security/vuxml) > >>>update. > >>> > >> > >>You just need to download the current database. > >> > >># portaudit -F > >> > >>That worked for me. > > > >Look at the message he's receiving. "apache-2.2.20 has known > >vulnerabilities". This is wrong. Versions *PRIOR* to 2.2.20 have known > >vulnerabilities. > > The first vuxml entry that was added for this vulnerability had > > | + <range><gt>2.*</gt></range> > > It was fixed yesterday to match only versions lower than 2.2.20 > > | - <range><gt>2.*</gt></range> > | + <range><gt>2.*</gt><lt>2.2.20</lt></range> Right, so it was buggered, and someone fixed it. It's fixed *now*, but it was broken at some point. *sigh* Well it's fixed, there's no real point to me going on about it. Thank you for providing the history though, I appreciate it. > That's why i suggested to download the new database. Understood. > >2) I'm using apache22 with the ITK MPM and I receive no such security > >concern message. > > > >3) portaudit -Fda doesn't indicate anything is insecure besides PHP on > >my system, even though it obviously is (using Apache 2.2.19). > > > > Ok, that's a different problem. 2 and 3 are basically the same > problem, no? I think the slave ports need to added to the entry, > too. Yes, they're related. I guess I should have put them under a single item instead of separating them. > >In my case (re: not receiving the security warning), it may be that > >someone did not add the apache-itk-XXX shims to the portaudit db, which > >are the direct result of the "stub" ports for Apache. I don't know who > >maintains this, but it's obviously incomplete. > > Yes, the should be added. Agreed, and someone should take the time to look at all the other Apache stub ports to make sure they get added as well. An "egrep ^apache" on the audit db returns quite a lot of entries -- I imagine some are legacy/for classic purposes that don't apply to the "present-day" ports system, but going through all the www/apache* ports that rely on www/apache22 would be best. -- | Jeremy Chadwick jdc at parodius.com | | Parodius Networking http://www.parodius.com/ | | UNIX Systems Administrator Mountain View, CA, US | | Making life hard for others since 1977. PGP 4BD6C0CB |
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20110902103438.GA50999>