169363 – www/yaws needs to be updated to 1.93 for a security fix

Bug 169363 - www/yaws needs to be updated to 1.93 for a security fix

Summary: www/yaws needs to be updated to 1.93 for a security fix

Status:	Closed FIXED

Alias:	None

Product:	Ports & Packages
Classification:	Unclassified
Component:	Individual Port(s) (show other bugs)
Version:	Latest
Hardware:	Any Any

Importance:	Normal Affects Only Me
Assignee:	Jimmy Olgeni

URL:
Keywords:

Depends on:
Blocks:

Reported:	2012-06-24 08:10 UTC by kenji.rikitake
Modified:	2012-06-25 02:20 UTC (History)
CC List:	0 users

See Also:

Attachments
file.diff (8.28 KB, patch) 2012-06-24 08:10 UTC, kenji.rikitake	no flags	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description kenji.rikitake 2012-06-24 08:10:10 UTC

Yaws 1.92 has a critical vulnerability when using cookies which may result in session hijacking.  This vulnerability is addressesd on 1.93. Details:
http://sourceforge.net/mailarchive/message.php?msg_id=29435297

Fix: Updating yaws to 1.93 will fix this issue.  The patch included is a diff for a quick fix from the current port (yaws 1.92 based) to the 1.93. (use patch -p1 to apply)
The details are also on GitHub at:
https://github.com/jj1bdx/yaws-freebsd-port

Patch attached with submission follows:
How-To-Repeat: Yaws 1.92 or the older version has the vulnerability.

Comment 1 kenji.rikitake 2012-06-24 08:22:39 UTC

This PR should have been categorized as ports. My apologies.

++> FreeBSD-gnats-submit@FreeBSD.org <FreeBSD-gnats-submit@FreeBSD.org> [2012-06-24 07:10:10 +0000]:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=169363
> 
> >Category:       misc
> >Responsible:    freebsd-bugs
> >Synopsis:       www/yaws needs to be updated to 1.93 for a security fix
> >Arrival-Date:   Sun Jun 24 07:10:10 UTC 2012

Comment 2 Po-Chuan Hsieh freebsd_committer

2012-06-24 08:48:13 UTC

Responsible Changed
From-To: freebsd-bugs->olgeni

Over to maintainer.

Comment 3 Jimmy Olgeni freebsd_committer

2012-06-25 02:10:51 UTC

State Changed
From-To: open->closed

Committed. Thanks!

Comment 4 dfilter service freebsd_committer

2012-06-25 02:10:56 UTC

olgeni      2012-06-25 01:10:44 UTC

  FreeBSD ports repository

  Modified files:
    www/yaws             Makefile distinfo pkg-plist 
    www/yaws/files       patch-man_yaws.conf.5 
  Added files:
    www/yaws/files       patch-scripts__gen-yaws 
  Log:
  Upgrade to version 1.93, which contains a security fix among other changes.
  
  From Erlyaws-list:
  
  "Use crypto:rand_bytes() instead of the cryptographically weak random
  module. Swedish security consultant and cryptographer Kalle
  Zetterlund discovered a way to - given a sequence of cookies produced
  by yaws_session_server - predict the next session id. Thus providing
  a gaping security hole into yaws servers that use the yaws_session_server
  to maintain cookie based HTTP sessions (klacke/kallez)"
  
  PR:             ports/169363
  Submitted by:   Kenji Rikitake <kenji.rikitake@acm.org>
  
  Revision  Changes    Path
  1.60      +11 -3     ports/www/yaws/Makefile
  1.40      +2 -2      ports/www/yaws/distinfo
  1.5       +4 -4      ports/www/yaws/files/patch-man_yaws.conf.5
  1.1       +20 -0     ports/www/yaws/files/patch-scripts__gen-yaws (new)
  1.37      +24 -4     ports/www/yaws/pkg-plist
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"