Bug 215096 - www/apache24: Fix HTTP/2 DoS vulnerability
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: freebsd-apache (Nobody)
URL: http://mail-archives.apache.org/mod_m...
Keywords: patch, security
Depends on:
Blocks:
 
Reported: 2016-12-06 11:23 UTC by Bernard Spil
Modified: 2016-12-06 17:09 UTC

See Also:
bugzilla: maintainer-feedback? (apache)
brnrd: merge-quarterly?


Attachments
svn diff for www/apache24 (4.89 KB, patch)
2016-12-06 11:23 UTC, Bernard Spil
Description Bernard Spil freebsd_committer freebsd_triage 2016-12-06 11:23:54 UTC
Created attachment 177716
svn diff for www/apache24

www/apache24: Fix HTTP/2 DoS vulnerability

  - Add patch from upstream security advisory
  - Bump PORTREVISION

Security: cb0bf1ec-bb92-11e6-a9a5-b499baebfeaf
Security: CVE-2016-8740
MFH: 2016Q4
Comment 1 Olli Hauer freebsd_committer freebsd_triage 2016-12-06 12:04:09 UTC
Hi Bernard,

I read about the CVE note this morning on the train, but have no time to test until the weekend ...
If the build is OK, please go on and commit the patch!

Since http2 is off by default, I'm not sure if we need a PORTREV. bump and MFH, but without them I see no way to handle the vuxml entry ...
Comment 2 Mathieu Arnold freebsd_committer freebsd_triage 2016-12-06 12:21:08 UTC
The vulnerability is there. Whether the thing is enabled or not by default does not enter into account. Bumping PORTREVISION is always necessary. See https://www.freebsd.org/doc/en/books/porters-handbook/makefile-naming.html
Comment 3 commit-hook freebsd_committer freebsd_triage 2016-12-06 12:44:11 UTC
A commit references this bug:

Author: brnrd
Date: Tue Dec  6 12:43:37 UTC 2016
New revision: 427953
URL: https://svnweb.freebsd.org/changeset/ports/427953

Log:
  www/apache24: Fix HTTP/2 DoS vulnerability

    - Add patch from upstream security advisory
    - Bump PORTREVISION

  PR:		215096
  MFH:		2016Q4
  Security:	cb0bf1ec-bb92-11e6-a9a5-b499baebfeaf
  Security:	CVE-2016-8740

Changes:
  head/www/apache24/Makefile
  head/www/apache24/files/patch-CVE-2016-8740
Comment 4 commit-hook freebsd_committer freebsd_triage 2016-12-06 12:53:20 UTC
A commit references this bug:

Author: brnrd
Date: Tue Dec  6 12:52:28 UTC 2016
New revision: 427954
URL: https://svnweb.freebsd.org/changeset/ports/427954

Log:
  MFH: r427953

  www/apache24: Fix HTTP/2 DoS vulnerability

    - Add patch from upstream security advisory
    - Bump PORTREVISION

  PR:		215096
  Security:	cb0bf1ec-bb92-11e6-a9a5-b499baebfeaf
  Security:	CVE-2016-8740

  Approved by:	ports-secteam (implicit, "Backport of security and reliability fixes")

Changes:
_U  branches/2016Q4/
  branches/2016Q4/www/apache24/Makefile
  branches/2016Q4/www/apache24/files/patch-CVE-2016-8740