Bug 146389

Summary:

[regression] www/apache20: mod_ssl doesn't work with CVE-2009-3555

Product:

Ports & Packages

Reporter:

Kazuo Dohzono <dohzono>

Component:

Individual Port(s)

Assignee:

freebsd-apache (Nobody) <apache>

Status:

Closed FIXED

Severity:

Affects Only Me

Priority:

Normal

Version:

Latest

Hardware:

Any

OS:

Any

Attachments:

Description	Flags
diff.txt	none

Description Kazuo Dohzono 2010-05-08 09:10:03 UTC

# /usr/local/etc/rc.d/apache2 restart
Performing sanity check on apache2 configuration:
Syntax error on line 259 of /usr/local/etc/apache2/httpd.conf:
Cannot load /usr/local/libexec/apache2/mod_ssl.so into server:
/usr/local/libexec/apache2/mod_ssl.so: Undefined symbol "mySrvFromConn"
#

How-To-Repeat: # cd /usr/ports/www/apache20/
# make clean deinstall-all
# rm -rf /usr/local/libexec/apache2/
# make WITH_DBM=bdb WITH_LDAP=yes \
WITH_SSL_MODULES=yes WITH_SUEXEC_MODULES=yes \
WITH_PROXY_MODULES=yes WITH_KQUEUE_MODULES=yes \
WITHOUT_IPV6=yes WITH_ACCESS=yes WITH_ACTIONS=yes \
WITH_ALIAS=yes WITH_ASIS=yes WITH_AUTH=yes \
WITH_AUTH_ANON=yes WITH_AUTH_DBM=yes \
WITH_AUTH_DIGEST=yes WITH_AUTOINDEX=yes \
WITH_CACHE=yes WITH_CERN_META=yes WITH_CGI=yes \
WITH_CHARSET_LITE=yes WITH_DAV=yes WITH_DAV_FS=yes \
WITH_DEFLATE=yes WITH_DIR=yes WITH_DISK_CACHE=yes \
WITH_ENV=yes WITH_EXPIRES=yes WITH_FILE_CACHE=yes \
WITH_HEADERS=yes WITH_IMAP=yes WITH_INCLUDE=yes \
WITH_INFO=yes WITH_LOGIO=yes WITH_LOG_CONFIG=yes \
WITH_MEM_CACHE=yes WITH_MIME=yes \
WITH_MIME_MAGIC=yes WITH_NEGOTIATION=yes \
WITH_PROXY=yes WITH_PROXY_CONNECT=yes \
WITH_PROXY_FTP=yes WITH_PROXY_HTTP=yes \
WITH_REWRITE=yes WITH_SETENVIF=yes \
WITH_SPELING=yes WITH_STATUS=yes WITH_SUEXEC=yes \
WITH_UNIQUE_ID=yes WITH_USERDIR=yes \
WITH_USERTRACK=yes WITH_VHOST_ALIAS=yes \
all install
# /usr/local/etc/rc.d/apache2 restart
Performing sanity check on apache2 configuration:
Syntax error on line 259 of /usr/local/etc/apache2/httpd.conf:
Cannot load /usr/local/libexec/apache2/mod_ssl.so into server:
/usr/local/libexec/apache2/mod_ssl.so: Undefined symbol "mySrvFromConn"
#

Comment 1 Edwin Groothuis freebsd_committer

2010-05-08 09:10:14 UTC

Responsible Changed
From-To: freebsd-ports-bugs->apache

Over to maintainer (via the GNATS Auto Assign Tool)

Comment 2 Kazuo Dohzono 2010-05-08 14:14:47 UTC

Here is a patch.

Comment 3 dfilter service freebsd_committer

2010-05-13 01:30:34 UTC

pgollucci    2010-05-13 00:30:19 UTC

  FreeBSD ports repository

  Modified files:
    www/apache20         Makefile 
    www/apache20/files   patch-CVE-2009-3555 
  Added files:
    www/apache20/files   patch-CVE-2008-2364 patch-CVE-2010-0434 
  Log:
  - Fix openssl rengotiation patch [1]
  - Fix the openssl from ports flag
  - Bump PORTREVISION
  - Also patch 2 more CVEs
  
   *) SECURITY: CVE-2010-0434 (cve.mitre.org)
       Ensure each subrequest has a shallow copy of headers_in so that the
       parent request headers are not corrupted.  Elimiates a problematic
       optimization in the case of no request body.  PR 48359
       [Jake Scott, William Rowe, Ruediger Pluem]
  
    *) SECURITY: CVE-2008-2364 (cve.mitre.org)
       mod_proxy_http: Better handling of excessive interim responses
       from origin server to prevent potential denial of service and high
       memory usage. Reported by Ryujiro Shibuya. [Ruediger Pluem,
       Joe Orton, Jim Jagielski]
  
  PR:             ports/146389 [1]
  Submitted by:   several [1]
  With Hat:       apache@
  
  Revision  Changes    Path
  1.278     +2 -2      ports/www/apache20/Makefile
  1.1       +62 -0     ports/www/apache20/files/patch-CVE-2008-2364 (new)
  1.2       +73 -271   ports/www/apache20/files/patch-CVE-2009-3555
  1.1       +11 -0     ports/www/apache20/files/patch-CVE-2010-0434 (new)
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"

Comment 4 Philip M. Gollucci freebsd_committer

2010-05-13 01:35:53 UTC

State Changed
From-To: open->closed

Committed. Thanks!