Date: Wed, 1 Feb 2012 13:21:05 -0800
From: Jason Helfman
To: Chris Rees
Cc: rene@freebsd.org, apache@freebsd.org, secteam@freebsd.org
Subject: Re: documentation for apache vulnerability, over for approval
Message-ID: <20120201212105.GG46116@dormouse.experts-exchange.com>
References: <20120201175858.GB46116@dormouse.experts-exchange.com> <20120201195637.GD46116@dormouse.experts-exchange.com>
List-Id: Support of apache-related ports (freebsd-apache@freebsd.org)

On Wed, Feb 01, 2012 at 08:14:24PM +0000, Chris Rees thus spake:
>On 1 February 2012 19:56, Jason Helfman wrote:
>> On Wed, Feb 01, 2012 at 07:35:41PM +0000, Chris Rees thus spake:
>>
>>> Hm, did you use make newentry? The vulnerability appears before the
>>> tag ;)
>>>
>>> Chris
>>>
>>> On 1 February 2012 17:58, Jason Helfman wrote:
>>>>
>>>> Over for approval.
>>>>
>>>> -jgh
>>>>
>>>> Thanks,
>>>> Jason
>>>>
>>>> --
>>>> Jason Helfman         | FreeBSD Committer
>>>> jgh@FreeBSD.org       | http://people.freebsd.org/~jgh
>>>
>>>
>> gotcha. here is an updated patch.
>> -jgh
>
>Fine by me, as long as it builds and matches the right ports (and
>-apache@ are OK with it)
>
>http://www.freebsd.org/doc/en/books/porters-handbook/security-notify.html#SECURITY-NOTIFY-VUXML-TESTING
>
>Chris
>

Attached is the updated patch, and I was able to fully verify it per the url above.

Range was off => lt 2.2.22

[jhelfman@dormouse /usr/ports/security/vuxml]$ portaudit apache-2.2.21
Affected package: apache-2.2.21
Type of problem: apache -- multiple vulnerabilities.
Reference: http://www.freebsd.org/ports/portaudit/4b7dbfab-4c6b-11e1-bc16-0023ae8e59f0.html
1 problem(s) found.

[jhelfman@dormouse ~/workspace/ports/security]$ sudo portaudit -f /usr/ports/INDEX-8 -r 4b7dbfab-4c6b-11e1-bc16-0023ae8e59f0
Affected package: apache-2.0.64_2
Type of problem: apache -- multiple vulnerabilities.
Reference: http://www.freebsd.org/ports/portaudit/4b7dbfab-4c6b-11e1-bc16-0023ae8e59f0.html
Affected package: apache-2.2.21
Type of problem: apache -- multiple vulnerabilities.
Reference: http://www.freebsd.org/ports/portaudit/4b7dbfab-4c6b-11e1-bc16-0023ae8e59f0.html

-jgh

--
Jason Helfman | FreeBSD Committer
jgh@FreeBSD.org | http://people.freebsd.org/~jgh

[attachment: patch.txt]

Index: vuln.xml
===================================================================
RCS file: /home/pcvs/ports/security/vuxml/vuln.xml,v
retrieving revision 1.2586
diff -u -r1.2586 vuln.xml
--- vuln.xml 1 Feb 2012 09:46:07 -0000 1.2586
+++ vuln.xml 1 Feb 2012 21:19:16 -0000
@@ -47,6 +47,60 @@
 
 -->
+
+ apache -- multiple vulnerabilities
+
+
+ apache
+ 2.*2.2.22
+
+
+
+

CVE Mitre reports:

+
+

Integer overflow in the ap_pregsub function in server/util.c in the + Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, whe= n the + mod_setenvif module is enabled, allows local users to gain privileges= via a + .htaccess file with a crafted SetEnvIf directive, in conjunction with= a + crafted HTTP request header, leading to a heap-based buffer overflow.=

+

A flaw was found in mod_log_config. If the '%{cookiename}C' log form= at + string is in use, a remote attacker could send a specific cookie caus= ing a + crash. This crash would only be a denial of service if using a thread= ed + MPM.

+

A flaw was found in the handling of the scoreboard. An unprivileged + child process could cause the parent process to crash at shutdown rat= her + than terminate cleanly.

+

An additional exposure was found when using mod_proxy in reverse pro= xy + mode. In certain configurations using RewriteRule with proxy flag or + ProxyPassMatch, a remote attacker could cause the reverse proxy to co= nnect + to an arbitrary server, possibly disclosing sensitive information from + internal web servers not directly accessible to attacker.

+

A flaw was found in the default error response for status code 400. = This + flaw could be used by an attacker to expose "httpOnly" cookies when no + custom ErrorDocument is specified.

+

An exposure was found when using mod_proxy in reverse proxy mode. In + certain configurations using RewriteRule with proxy flag or ProxyPass= Match, + a remote attacker could cause the reverse proxy to connect to an arbi= trary + server, possibly disclosing sensitive information from internal web s= ervers + not directly accessible to attacker.

+
+ +
+ + CVE-2011-3607 + CVE-2012-0021 + CVE-2012-0031 + CVE-2011-4317 + CVE-2012-0053 + CVE-2011-3368 + + + 2011-10-05 + 2012-01-31 + +
+ mozilla -- multiple vulnerabilities
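Review bot: the version range now reads 2.* / 2.2.22 (ge / lt), which matches the description's "2.0.x through 2.0.64 and 2.2.x through 2.2.21" and the portaudit output in the mail that flags both apache-2.0.64_2 and apache-2.2.21; since lt is a strict bound, 2.2.22 rather than 2.2.21 is the correct upper limit, so the range fix looks right. Two smaller points: the fourth and sixth description paragraphs (the mod_proxy reverse-proxy exposure, which by the order of the references correspond to CVE-2011-4317 and CVE-2011-3368) are near-verbatim copies of each other, so either name the CVE each one covers or merge them into one paragraph that lists both; and the inline copy of the hunk carries quoted-printable soft line breaks from the mail transport ("whe= n", "caus= ing", "thread= ed"), so the entry should be committed from the decoded attachment and the file re-validated with make validate before commit.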
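As an added example (not part of the mail or the vuxml port), a small Python check of a VuXML-style ge/lt range against package names, showing why the upper bound had to move to 2.2.22 for apache-2.2.21 to be flagged. The version ordering is a simplified approximation of pkg_version(1) and the function names are my own.

```python
# Added example, not from the mail or the vuxml port: checks a package name against
# a VuXML-style ge/lt range, to show why the upper bound had to be 2.2.22 rather
# than 2.2.21 for apache-2.2.21 to be flagged (lt is a strict bound).
# Version ordering is a simplified approximation of pkg_version(1):
#   "<dotted numbers>[_<portrevision>][,<portepoch>]"; letter suffixes are not handled.

def parse_version(version):
    """Return a comparable key: (portepoch, numeric components, portrevision)."""
    epoch = 0
    if "," in version:
        version, epoch_str = version.rsplit(",", 1)
        epoch = int(epoch_str)
    revision = 0
    if "_" in version:
        version, rev_str = version.rsplit("_", 1)
        revision = int(rev_str)
    components = tuple(int(part) for part in version.split("."))
    return (epoch, components, revision)


def bound_key(bound):
    """Assumption: a glob bound such as '2.*' acts as the prefix '2', so every 2.x >= it."""
    if bound.endswith(".*"):
        bound = bound[:-2]
    return parse_version(bound)


def split_pkgname(pkgname):
    """'apache-2.0.64_2' -> ('apache', '2.0.64_2'); the version follows the last '-'."""
    name, _, version = pkgname.rpartition("-")
    return name, version


def is_affected(pkgname, name, ge=None, lt=None):
    """True when the package name matches and ge <= version < lt (each bound optional)."""
    pkg, version = split_pkgname(pkgname)
    if pkg != name:
        return False
    key = parse_version(version)
    if ge is not None and key < bound_key(ge):
        return False
    if lt is not None and not key < bound_key(lt):
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: the two packages portaudit reported in the mail above.
    for pkg in ("apache-2.0.64_2", "apache-2.2.21"):
        for upper in ("2.2.21", "2.2.22"):
            print(pkg, "lt", upper, "->", is_affected(pkg, "apache", ge="2.*", lt=upper))
```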