From owner-freebsd-bugs@FreeBSD.ORG Sun Jun 24 07:10:10 2012
Delivered-To: freebsd-bugs@hub.freebsd.org
Resent-Date: Sun, 24 Jun 2012 07:10:10 GMT
Resent-Message-Id: <201206240710.q5O7AAsl084814@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Kenji Rikitake
Message-Id: <201206240705.q5O75Vxp066714@red.freebsd.org>
Date: Sun, 24 Jun 2012 07:05:31 GMT
From: Kenji Rikitake
To: freebsd-gnats-submit@FreeBSD.org
Subject: misc/169363: www/yaws needs to be updated to 1.93 for a security fix

>Number:         169363
>Category:       misc
>Synopsis:       www/yaws needs to be updated to 1.93 for a security fix
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jun 24 07:10:10 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     Kenji Rikitake
>Release:        9.0-STABLE
>Organization:
>Environment:
FreeBSD minimax.priv.k2r.org 9.0-STABLE FreeBSD 9.0-STABLE #5: Wed Jun 13 12:46:09 JST 2012 root@minimax.priv.k2r.org:/usr/obj/usr/src/sys/MINIMAX amd64
>Description:
Yaws 1.92 has a critical vulnerability when using cookies which may result in session hijacking. This vulnerability is addressed in 1.93.

Details: http://sourceforge.net/mailarchive/message.php?msg_id=29435297
>How-To-Repeat:
Yaws 1.92 and older versions have the vulnerability.
>Fix:
Updating yaws to 1.93 will fix this issue. The patch included is a diff for a quick fix from the current port (yaws 1.92 based) to 1.93 (use patch -p1 to apply). The details are also on GitHub at: https://github.com/jj1bdx/yaws-freebsd-port

Patch attached with submission follows:

diff --git a/yaws/Makefile b/yaws/Makefile index 363aac2..d1bd67b 100644 --- a/yaws/Makefile +++ b/yaws/Makefile @@ -6,7 +6,7 @@ # PORTNAME= yaws -PORTVERSION= 1.92 +PORTVERSION= 1.93 CATEGORIES= www MASTER_SITES= http://yaws.hyber.org/download/ @@ -32,6 +32,8 @@ APPDIR=${PREFIX}/lib/erlang/lib/yaws-${PORTVERSION} SUB_FILES= pkg-message +CONFIGURE_ARGS+=--prefix=${PREFIX} --localstatedir=/var + .include .if defined(WITH_SENDFILE) 
@@ -55,16 +57,22 @@ do-install: @${MKDIR} ${ETCDIR} @${INSTALL_DATA} ${FILESDIR}/yaws.conf.sample ${ETCDIR} @${MKDIR} ${APPDIR}/ebin + @${MKDIR} ${APPDIR}/examples + @${MKDIR} ${APPDIR}/examples/ebin + @${MKDIR} ${APPDIR}/examples/src @${MKDIR} ${APPDIR}/include @${MKDIR} ${APPDIR}/priv @${MKDIR} ${APPDIR}/priv/lib @${MKDIR} ${APPDIR}/src @${MKDIR} ${PREFIX}/www/yaws @${INSTALL_DATA} ${WRKSRC}/ebin/* ${APPDIR}/ebin -.for FILE in envelope.xsd mime.types soap.xsd wsdl.xsd epam + @${INSTALL_DATA} ${WRKSRC}/examples/ebin/* ${APPDIR}/examples/ebin + @${INSTALL_DATA} ${WRKSRC}/examples/src/* ${APPDIR}/examples/src +.for FILE in envelope.xsd mime.types soap.xsd wsdl.xsd soap-envelope.xsd wsdl11soap12.xsd xml.xsd @${INSTALL_DATA} ${WRKSRC}/priv/${FILE} ${APPDIR}/priv .endfor - @${INSTALL_DATA} ${WRKSRC}/priv/lib/* ${APPDIR}/priv/lib + @${INSTALL_PROGRAM} ${WRKSRC}/priv/epam ${APPDIR}/priv + @${INSTALL_LIB} ${WRKSRC}/priv/lib/* ${APPDIR}/priv/lib @${INSTALL_DATA} ${WRKSRC}/include/* ${APPDIR}/include @${INSTALL_DATA} ${WRKSRC}/src/*.?rl ${APPDIR}/src @cd ${WRKSRC}/www && (${FIND} * | ${CPIO} -pu ${WWWDIR}) diff --git a/yaws/distinfo b/yaws/distinfo index 6e0db3d..276d47f 100644 --- a/yaws/distinfo +++ b/yaws/distinfo @@ -1,2 +1,2 @@ -SHA256 (yaws-1.92.tar.gz) = cde83ca55d8e1b10a89094e1cfdc3e78d91ba9b1036cb5ea4e1994f5922c2357 -SIZE (yaws-1.92.tar.gz) = 894749 +SHA256 (yaws-1.93.tar.gz) = 56e26ebbbb7cac15993dcab431f01a120510603567e696b9e09fa0a9e644a38f +SIZE (yaws-1.93.tar.gz) = 1138147 diff --git a/yaws/files/patch-man_yaws.conf.5 b/yaws/files/patch-man_yaws.conf.5 index 51b9adf..2fce0af 100644 --- a/yaws/files/patch-man_yaws.conf.5 +++ b/yaws/files/patch-man_yaws.conf.5 @@ -1,4 +1,4 @@ - +Modified by Kenji Rikitake $FreeBSD: ports/www/yaws/files/patch-man_yaws.conf.5,v 1.4 2010/03/20 16:30:16 olgeni Exp $ --- man/yaws.conf.5.orig @@ -6,8 +6,8 @@ $FreeBSD: ports/www/yaws/files/patch-man_yaws.conf.5,v 1.4 2010/03/20 16:30:16 o 
@@ -1,6 +1,6 @@ .TH YAWS.CONF "5" "" "" "User Commands" .SH NAME --/etc/yaws/yaws.conf \- Configuration file for the yaws web server -+!!PREFIX!!/etc/yaws/yaws.conf \- Configuration file for the yaws web server +-/etc/yaws/yaws.conf \- Configuration file for the Yaws web server ++!!PREFIX!!/etc/yaws/yaws.conf \- Configuration file for the Yaws web server .SH DESCRIPTION .\" Add any additional description here .PP diff --git a/yaws/files/patch-scripts__gen-yaws b/yaws/files/patch-scripts__gen-yaws new file mode 100644 index 0000000..50a7352 --- /dev/null +++ b/yaws/files/patch-scripts__gen-yaws @@ -0,0 +1,20 @@ +--- scripts/gen-yaws.ORIG 2012-06-24 15:27:11.000000000 +0900 ++++ scripts/gen-yaws 2012-06-24 15:33:26.000000000 +0900 +@@ -1,13 +1,15 @@ + #!/bin/sh + ++# CAUTION: Modified for FreeBSD Port installation ++# referring yawsdir in the installed yaws library ++ + # Used by scripts/Makefile and scripts/rebar-pre-script to generate + # the yaws execution script + + set -e + +-topdir=`cd .. && pwd` + cat yaws.template | \ +- ./Subst %yawsdir% "${topdir}" | \ ++ ./Subst %yawsdir% "/usr/local/lib/erlang/lib/yaws" | \ + ./Subst %vardir% "${VARDIR}" | \ + ./Subst %run_erl% "${ERLBINDIR}/run_erl" | \ + ./Subst %to_erl% "${ERLBINDIR}/to_erl" | \ diff --git a/yaws/pkg-plist b/yaws/pkg-plist index fc34021..3238b3d 100644 --- a/yaws/pkg-plist +++ b/yaws/pkg-plist @@ -1,6 +1,5 @@ bin/yaws %%ETCDIR%%/yaws.conf.sample -%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/authmod_gssapi.beam %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/haxe.beam %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/json.beam %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/json2.beam 
@@ -38,29 +37,42 @@ bin/yaws %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/yaws_server.beam %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/yaws_session_server.beam %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/yaws_shaper.beam +%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/yaws_soap12_lib.beam %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/yaws_soap_lib.beam %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/yaws_soap_srv.beam %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/yaws_stats.beam %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/yaws_sup.beam %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/yaws_sup_restarts.beam %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/yaws_ticker.beam +%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/yaws_trace.beam %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/yaws_vdir.beam %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/yaws_websockets.beam %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/yaws_xmlrpc.beam %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/yaws_zlib.beam +%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/examples/ebin/advanced_echo_callback.beam +%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/examples/ebin/authmod_gssapi.beam +%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/examples/ebin/basic_echo_callback.beam +%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/examples/ebin/myappmod.beam +%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/examples/ebin/shopcart.beam +%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/examples/src/advanced_echo_callback.erl +%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/examples/src/authmod_gssapi.erl +%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/examples/src/basic_echo_callback.erl +%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/include/soap-envelope.hrl %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/include/soap.hrl +%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/include/wsdl11soap12.hrl %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/include/yaws.hrl %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/include/yaws_api.hrl %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/include/yaws_dav.hrl 
+%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/include/yaws_soap.hrl %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/priv/envelope.xsd %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/priv/epam %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/priv/lib/setuid_drv.so %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/priv/mime.types +%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/priv/soap-envelope.xsd %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/priv/soap.xsd %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/priv/wsdl.xsd -%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/advanced_echo_callback.erl -%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/authmod_gssapi.erl -%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/basic_echo_callback.erl +%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/priv/wsdl11soap12.xsd +%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/priv/xml.xsd %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/haxe.erl %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/json.erl %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/json2.erl @@ -99,12 +111,14 @@ bin/yaws %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/yaws_server.erl %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/yaws_session_server.erl %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/yaws_shaper.erl +%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/yaws_soap12_lib.erl %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/yaws_soap_lib.erl %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/yaws_soap_srv.erl %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/yaws_stats.erl %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/yaws_sup.erl %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/yaws_sup_restarts.erl %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/yaws_ticker.erl +%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/yaws_trace.erl %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/yaws_vdir.erl %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/yaws_websockets.erl %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/yaws_xmlrpc.erl 
@@ -269,6 +283,7 @@ bin/yaws %%WWWDIR%%/json_intro.yaws %%WWWDIR%%/json_sample.html %%WWWDIR%%/json_sample.yaws +%%WWWDIR%%/logger_mod.yaws %%WWWDIR%%/man.yaws %%WWWDIR%%/motivation.yaws %%WWWDIR%%/news @@ -328,6 +343,7 @@ bin/yaws %%WWWDIR%%/websockets_example_endpoint.yaws %%WWWDIR%%/yapp_intro.yaws %%WWWDIR%%/yaws-1.55_to_1.56.patch +%%WWWDIR%%/yaws.eps %%WWWDIR%%/ybed.erl %%WWWDIR%%/ybed_sup.erl %%WWWDIR%%/yman.yaws >Release-Note: >Audit-Trail: >Unformatted:
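Review bot: in the Makefile do-install hunk (@@ -55,16 +57,22 @@), the privileges the epam helper needs at runtime are not stated anywhere in the patch, and they should be, because this hunk changes what the port ships: epam moves from the INSTALL_DATA loop (mode 0444, not executable) to `@${INSTALL_PROGRAM} ${WRKSRC}/priv/epam ${APPDIR}/priv` (stripped, mode 0555), and pkg-plist keeps the plain `priv/epam` entry with no @mode line, so the binary is installed non-setuid. If PAM authentication through epam works with that, fine; if it needs more, say so in pkg-message rather than leaving it to be found at runtime. Minor: `@${MKDIR} ${APPDIR}/examples` is redundant, since MKDIR is `mkdir -p` and the next two lines create `${APPDIR}/examples/ebin` and `${APPDIR}/examples/src`.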
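Review bot: for the distinfo hunk, the committer should regenerate the SHA256 and SIZE lines with `make makesum` against a tarball freshly fetched from MASTER_SITES (http://yaws.hyber.org/download/) and compare the digest with whatever upstream publishes, rather than committing the values carried in the PR. distinfo is the only integrity check the ports tree applies to the distfile: a digest copied from the same place the tarball came from proves nothing about the tarball, and a typo in the hex string simply makes `make checksum` fail for every user of the port.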
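Review bot: in the files/patch-man_yaws.conf.5 hunk, the added first line `+Modified by Kenji Rikitake` should be dropped and the `$FreeBSD$` keyword line left as the first line of the file; the convention for files/ patches is the `$FreeBSD$` header on line one, and authorship belongs in the commit log, not in the patch. The only other change in the hunk is the `yaws web server` to `Yaws web server` context (upstream recapitalised the man page), which is just the patch being regenerated against 1.93 and is fine.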
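Review bot: the new files/patch-scripts__gen-yaws hardcodes `./Subst %yawsdir% "/usr/local/lib/erlang/lib/yaws"`, which breaks any build with PREFIX other than /usr/local and, more importantly, does not match where the Makefile installs the application: APPDIR is `${PREFIX}/lib/erlang/lib/yaws-${PORTVERSION}`, and nothing in this patch creates an unversioned `yaws` directory or symlink, so the generated bin/yaws script would reference a path that does not exist unless something not shown here provides it. Substitute the real value instead of hardcoding it, e.g. put a `%%APPDIR%%` placeholder in the patch and replace it in post-patch with `${REINPLACE_CMD} -e 's|%%APPDIR%%|${APPDIR}|' ${WRKSRC}/scripts/gen-yaws`. The CAUTION comment explaining why the script is modified for the port is welcome; keep it.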
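Review bot: the pkg-plist hunks look inconsistent with the Makefile's `@${INSTALL_DATA} ${WRKSRC}/examples/src/* ${APPDIR}/examples/src`: examples/ebin gains five .beam files (advanced_echo_callback, authmod_gssapi, basic_echo_callback, myappmod, shopcart) but examples/src gains only three .erl files, so if myappmod.erl and shopcart.erl exist in the 1.93 examples/src directory they will be installed but unlisted; run `make check-plist` before committing. Two more things the visible hunks do not show: @dirrm entries for the new examples, examples/ebin and examples/src directories (confirm they are in the unchanged tail of the plist), and a pkg-message note that authmod_gssapi.beam has moved from ebin/ to examples/ebin/, since a yaws.conf that names authmod_gssapi as its authmod will no longer find the module on the default code path after this update.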
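To give the distinfo change a concrete check, here is a stand-alone version of what `make checksum` does in the ports tree, written as an added example (it is not code from the PR, from Yaws, or from the FreeBSD ports framework): it reads the `SHA256 (name) = hex` and `SIZE (name) = bytes` lines for one distfile out of a distinfo file and refuses the file on any mismatch. The file names and digests in the demo at the bottom are constructed for illustration; a six-byte stand-in replaces the real tarball.

```shell
#!/bin/sh
# Added example: a stand-alone re-implementation of the distinfo check that
# "make checksum" performs for a FreeBSD port. Not part of the PR or of the
# ports framework. Demo data at the bottom is constructed.

# Print the hex SHA256 digest of the file named in $1, using whichever
# digest tool the host provides (coreutils, FreeBSD, or Perl shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Print the size in bytes of the file named in $1 (tr strips the padding
# some wc implementations emit).
size_of() {
    wc -c < "$1" | tr -d ' '
}

# verify_distinfo DISTINFO DISTDIR NAME
# Returns 0 only when DISTINFO carries both a SHA256 and a SIZE entry for
# NAME and both match DISTDIR/NAME. A missing file, a missing entry, or any
# mismatch returns 1 with a diagnostic on stderr, so the caller can refuse
# to unpack the tarball. Size is checked first because it is cheap.
verify_distinfo() {
    distinfo=$1 distdir=$2 name=$3
    file="$distdir/$name"

    [ -f "$file" ] || { echo "$name: distfile not found in $distdir" >&2; return 1; }

    # distinfo lines look like:  SHA256 (yaws-1.93.tar.gz) = <64 hex chars>
    want_sha=$(sed -n "s/^SHA256 ($name) = //p" "$distinfo")
    want_size=$(sed -n "s/^SIZE ($name) = //p" "$distinfo")
    if [ -z "$want_sha" ] || [ -z "$want_size" ]; then
        echo "$name: no SHA256/SIZE entry in $distinfo" >&2
        return 1
    fi

    have_size=$(size_of "$file")
    if [ "$have_size" != "$want_size" ]; then
        echo "$name: size $have_size, distinfo says $want_size" >&2
        return 1
    fi

    have_sha=$(sha256_of "$file")
    if [ "$have_sha" != "$want_sha" ]; then
        echo "$name: SHA256 mismatch" >&2
        echo "  have $have_sha" >&2
        echo "  want $want_sha" >&2
        return 1
    fi
    return 0
}

# Demo with constructed data: the "tarball" is the six bytes "hello\n", whose
# SHA256 is 5891b5b5...be03; the second distinfo records a wrong digest.
demo_dir=$(mktemp -d)
printf 'hello\n' > "$demo_dir/yaws-1.93.tar.gz"
{
    echo "SHA256 (yaws-1.93.tar.gz) = 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03"
    echo "SIZE (yaws-1.93.tar.gz) = 6"
} > "$demo_dir/distinfo"
{
    echo "SHA256 (yaws-1.93.tar.gz) = 0000000000000000000000000000000000000000000000000000000000000000"
    echo "SIZE (yaws-1.93.tar.gz) = 6"
} > "$demo_dir/distinfo.tampered"

if verify_distinfo "$demo_dir/distinfo" "$demo_dir" yaws-1.93.tar.gz; then
    echo "good distinfo: accepted"
fi
if ! verify_distinfo "$demo_dir/distinfo.tampered" "$demo_dir" yaws-1.93.tar.gz; then
    echo "tampered distinfo: rejected"
fi
rm -rf "$demo_dir"
```

The point of checking SIZE as well as SHA256 is the same as in the ports tree: a truncated download fails fast with a readable message, and the digest comparison is only reached for a file of the expected length. Either way a mismatch must end the build, not just print a warning.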