Date: Fri, 14 Jan 2000 15:25:36 -0700
From: "J.C. Frazier" <wolfman@csocs.com>
To: "Scot W. Hetzel" <hetzels@westbend.net>
Cc: Dirk Froemberg <dirk@FreeBSD.ORG>, Vincent Poy <vince@venus.GAIANET.NET>, Patrick Bihan-Faou <patrick@mindstep.com>, freebsd-ports@FreeBSD.ORG, ache@FreeBSD.ORG, rse@engelschall.com, adam@algroup.co.uk
Subject: Re: ports/15873: New Apache_fp+php+mod_ssl-1.3.9+3.0.12+2.4.8 port.
Message-ID: <387FA260.4398E65B@csocs.com>
References: <015d01bf57ef$34afcd00$8dfee0d1@westbend.net> <Pine.BSF.4.21.0001051943250.20208-100000@venus.GAIANET.NET> <20000108150504.B76402@physik.TU-Berlin.DE> <387799F8.3182DD68@csocs.com> <387EA9AD.99BB40E6@csocs.com> <019201bf5e51$1f5fd7c0$8dfee0d1@westbend.net>

Those aren't the only problems I've seen. If apache is compiled prior to the links being made for DES, the frontpage clients themselves will fail to be able to authenticate correctly. fpsrvadm.exe will correctly place DES passwords in the correct files, however it won't function until apache is recompiled and installed.

On another note, another php exploit has been found. (http://daily.daemonnews.org/view_story.php3?story_id=498) No php version under php-3.0.14 should be used because of it. Currently the one in our ports uses a version which is affected by this bug. However, the 3.0.14 version has some serious problems compiling on systems as shown in their BUGTRAQ.

"Scot W. Hetzel" wrote:

> From: "J.C. Frazier" <wolfman@csocs.com>
> > I've been reading through this thread again and think there may be some problems in
> > what we're all proposing. Frontpage in itself relies on DES, which is
> > non-exportable, and that can not be changed. That means that Frontpage itself would
> > not be able to be included in the exportable version. Tell me if I'm wrong, but that
> > just about brings us back to the beginning. Without Frontpage and mod-ssl/ssl...that
> > sounds vaguely like the ports we already have. Just a thought...
> >
>
> No package would be available for the mod_frontpage port due to its
> interactive nature.
>
> The port will also warn that DES libraries need to be installed and the
> Apache Server might need to be recompiled.
>
> Can the Apache server be compiled Dynamically with libcrypt, so that when we
> change the link to the libdescrypt libraries the Apache server would
> understand DES encryption?
>
> If it can then this would solve the problem of having to recompile the
> Apache server, after installing the DES libraries just to include
> mod_frontpage.
>
> The only real requirement for the DES passwords has to do with fpsrvadm.exe,
> as that program initially sets up the FP webs, and creates the DES passwords
> that are placed into ${PREFIX}/www/data/_vti_pvt/service.pwd. Several
> individuals have reported that they changed the DES password to an MD5
> password for the initial FP administrator account and they were able to
> access the FP webs from their FP clients. The FP clients do have the
> ability under an FP administrator account to add new FP users
> (Administrators, Authors, Browse) to FP webs _vti_pvt/service.pwd file. I
> don't know if they will create an MD5 password or a DES password thru a
> non-DES aware Apache Server.
>
> Scot
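The open question in the quoted message, whether entries in `_vti_pvt/service.pwd` end up as DES or MD5 hashes, can be checked by looking at the shape of each stored hash. The following is an added example, not code from this thread or from the port: it assumes an htpasswd-style layout (`user:hash` lines, `#` comment lines), and the sample entries are constructed placeholders. It classifies by format only, so it tells you which crypt(3) scheme an entry looks like, not whether the server can verify it.

```python
import re

# Traditional DES crypt(3): 2 salt chars + 11 hash chars from [./0-9A-Za-z].
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# MD5 crypt: $1$<salt, up to 8 chars>$<22 chars>.
MD5_RE = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")


def classify_hash(field):
    """Return 'des', 'md5' or 'unknown' for one password field."""
    if DES_RE.match(field):
        return "des"
    if MD5_RE.match(field):
        return "md5"
    return "unknown"


def audit_pwd_file(text):
    """Map each user in a user:hash file to the scheme its hash looks like.

    Blank and '#' lines are skipped; a line with no 'user:' part is
    recorded under the key '<line N>' with the value 'malformed'.
    """
    result = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, field = line.partition(":")
        if not sep or not user:
            result["<line %d>" % lineno] = "malformed"
            continue
        # Ignore any further colon-separated fields after the hash.
        result[user] = classify_hash(field.split(":", 1)[0])
    return result


# Constructed sample: made-up strings with the right shape, not real hashes.
SAMPLE = """\
# -FrontPage-
admin:abJnggxhB/yWI
author:$1$saltsalt$AbCdEfGhIjKlMnOpQrStU.
browse:plaintext-or-other
broken line without separator
"""

if __name__ == "__main__":
    for user, scheme in audit_pwd_file(SAMPLE).items():
        print(user, scheme)
```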