Bug 164675

Summary:

www/apache22: update to 2.2.22 (addresses multiple CVE reports)

Product:

Ports & Packages

Reporter:

Jason Helfman <jgh>

Component:

Individual Port(s)

Assignee:

freebsd-apache (Nobody) <apache>

Status:

Closed FIXED

Severity:

Affects Only Me

CC:

apache

Priority:

Normal

Version:

Latest

Hardware:

Any

OS:

Any

Attachments:

Description	Flags
file.diff	none
patch.txt	none

Description Jason Helfman freebsd_committer

2012-02-01 00:20:10 UTC

Update to 2.2.22

Buildlog: http://people.freebsd.org/~jgh/files/apache-2.2.22.log
and here
https://redports.org/buildarchive/20120201011451-36374/

Comment 1 Edwin Groothuis freebsd_committer

2012-02-01 00:20:20 UTC

Responsible Changed
From-To: freebsd-ports-bugs->apache

Over to maintainer (via the GNATS Auto Assign Tool)

Comment 2 Jason Helfman freebsd_committer

2012-02-01 00:50:51 UTC

here is the vuxml:
http://people.freebsd.org/~jgh/files/vuln.xml.patch.txt

-jgh

-- 
Jason Helfman         | FreeBSD Committer
jgh@FreeBSD.org       | http://people.freebsd.org/~jgh

Comment 3 Philip M. Gollucci 2012-02-01 02:19:25 UTC

Do not change this file.  You're reverting a local change we've pulled 
from trunk svn for security.

Please commit the rest of the patch with my review / hat.

> ===================================================================
> RCS file: /home/pcvs/ports/www/apache22/files/patch-docs__conf__extra__httpd-ssl.conf.in,v
> retrieving revision 1.3
> diff -u -r1.3 patch-docs__conf__extra__httpd-ssl.conf.in
> --- files/patch-docs__conf__extra__httpd-ssl.conf.in	23 Jan 2012 23:24:38 -0000	1.3
> +++ files/patch-docs__conf__extra__httpd-ssl.conf.in	1 Feb 2012 00:05:53 -0000
> @@ -1,58 +1,22 @@
> ---- ./docs/conf/extra/httpd-ssl.conf.in.orig	2008-02-04 23:00:07.000000000 +0000
> -+++ ./docs/conf/extra/httpd-ssl.conf.in	2012-01-23 23:20:06.446390870 +0000
> -@@ -77,17 +77,35 @@
> +--- ./docs/conf/extra/httpd-ssl.conf.in.orig	2012-01-31 15:16:43.000000000 -0800
> ++++ ./docs/conf/extra/httpd-ssl.conf.in	2012-01-31 15:17:47.000000000 -0800
> +@@ -77,8 +77,8 @@
>    DocumentRoot "@exp_htdocsdir@"
>    ServerName www.example.com:@@SSLPort@@
>    ServerAdmin you@example.com
>   -ErrorLog "@exp_logfiledir@/error_log"
>   -TransferLog "@exp_logfiledir@/access_log"
> -+ErrorLog "@exp_logfiledir@/httpd-error.log"
> -+TransferLog "@exp_logfiledir@/httpd-access.log"
> ++ErrorLog "@exp_logfiledir@/httpd-error_log"
> ++TransferLog "@exp_logfiledir@/httpd-access_log"
>
>    #   SSL Engine Switch:
>    #   Enable/Disable SSL for this virtual host.
> - SSLEngine on
> -
> -+#   SSL Protocol support:
> -+#   List the protocol versions which clients are allowed to
> -+#   connect with. Disable SSLv2 by default (cf. RFC 6176).
> -+SSLProtocol all -SSLv2
> -+
> - #   SSL Cipher Suite:
> - #   List the ciphers that the client is permitted to negotiate.
> - #   See the mod_ssl documentation for a complete list.
> --SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> -+SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
> -+
> -+#   Speed-optimized SSL Cipher configuration:
> -+#   If speed is your main concern (on busy HTTPS servers e.g.),
> -+#   you might want to force clients to specific, performance
> -+#   optimized ciphers. In this case, prepend those ciphers
> -+#   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
> -+#   Caveat: by giving precedence to RC4-SHA and AES128-SHA
> -+#   (as in the example below), most connections will no longer
> -+#   have perfect forward secrecy - if the server's key is
> -+#   compromised, captures of past or future traffic must be
> -+#   considered compromised, too.
> -+#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
> -+#SSLHonorCipherOrder on
> -
> - #   Server Certificate:
> - #   Point SSLCertificateFile at a PEM encoded certificate.  If
> -@@ -218,14 +236,14 @@
> - #   Similarly, one has to force some clients to use HTTP/1.0 to workaround
> - #   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
> - #   "force-response-1.0" for this.
> --BrowserMatch ".*MSIE.*" \
> -+BrowserMatch "MSIE [2-5]" \
> -          nokeepalive ssl-unclean-shutdown \
> -          downgrade-1.0 force-response-1.0
> -
> +@@ -243,7 +243,7 @@
>    #   Per-Server Logging:
>    #   The home of a custom SSL log file. Use this when you want a
>    #   compact non-error SSL logfile on a virtual host basis.
>   -CustomLog "@exp_logfiledir@/ssl_request_log" \
> -+CustomLog "@exp_logfiledir@/httpd-ssl_request.log" \
> ++CustomLog "@exp_logfiledir@/httpd-ssl_request_log" \
>              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>
>    </VirtualHost>
> _______________________________________________
> freebsd-apache@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-apache
> To unsubscribe, send any mail to "freebsd-apache-unsubscribe@freebsd.org"
>


-- 
------------------------------------------------------------------------
1024D/DB9B8C1C B90B FBC3 A3A1 C71A 8E70  3F8C 75B8 8FFB DB9B 8C1C
Philip M. Gollucci (pgollucci@p6m7g8.com) c: 703.336.9354
Member,                           Apache Software Foundation
Committer,                        FreeBSD Foundation
Consultant,                       P6M7G8 Inc.
Director Operations,              Ridecharge Inc.

Work like you don't need the money,
love like you'll never get hurt,
and dance like nobody's watching.

Comment 4 Jason Helfman freebsd_committer

2012-02-01 03:15:43 UTC

I will be glad to do that, however it didn't patch cleanly. The additions
were in the downloaded source, unless I am mistaken.
Can you please verify?
-jgh

Comment 5 Philip M. Gollucci 2012-02-01 03:17:35 UTC

On 1/31/12 10:15 PM, Jason Helfman wrote:
> I will be glad to do that, however it didn't patch cleanly. The
> additions were in the downloaded source, unless I am mistaken.
> Can you please verify?

I'm wiped tonight. I'll peek Wednesday am. ping me if you don't hear 
from me tomorrow.

> -jgh

Comment 6 quip 2012-02-01 09:40:00 UTC

Yes, new httpd-ssl.conf.in already has changes in SSLProtocol and 
SSLCipherSuite, so we no longer need it in local patch.

But please, don't change the log file names
from httpd-error.log to httpd-error_log
from httpd-access.log to httpd-access_log
from httpd-ssl_request.log to httpd-ssl_request_log

-- 
Miroslav Lachman

Comment 7 Jason Helfman freebsd_committer

2012-02-01 16:13:12 UTC

2012/2/1 Miroslav Lachman <quip@quip.cz>

> Yes, new httpd-ssl.conf.in already has changes in SSLProtocol and
> SSLCipherSuite, so we no longer need it in local patch.
>
> But please, don't change the log file names
> from httpd-error.log to httpd-error_log
> from httpd-access.log to httpd-access_log
> from httpd-ssl_request.log to httpd-ssl_request_log
>
> --
> Miroslav Lachman
>
> Doh! I can see that now. Thanks, I will update patch, confirm with apache@and get this committed soon.

Comment 8 Jason Helfman freebsd_committer

2012-02-01 17:30:57 UTC

On Wed, Feb 01, 2012 at 10:40:00AM +0100, Miroslav Lachman thus spake:
>Yes, new httpd-ssl.conf.in already has changes in SSLProtocol and
>SSLCipherSuite, so we no longer need it in local patch.
>
>But please, don't change the log file names
>from httpd-error.log to httpd-error_log
>from httpd-access.log to httpd-access_log
>from httpd-ssl_request.log to httpd-ssl_request_log
>
>-- 
>Miroslav Lachman
>
Attached is the updated patch.
-jgh


-- 
Jason Helfman         | FreeBSD Committer
jgh@FreeBSD.org       | http://people.freebsd.org/~jgh

Comment 9 dfilter service freebsd_committer

2012-02-01 18:56:20 UTC

jgh         2012-02-01 18:56:08 UTC

  FreeBSD ports repository

  Modified files:
    www/apache22         Makefile Makefile.doc distinfo 
    www/apache22/files   patch-Makefile.in 
                         patch-docs__conf__extra__httpd-ssl.conf.in 
  Log:
  - Update to 2.2.22
  
  Addresses:
  * SECURITY: CVE-2011-3607 (cve.mitre.org)
  Integer overflow in the ap_pregsub function in server/util.c in the Apache HTTP
  Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif
  module is enabled, allows local users to gain privileges via a .htaccess file
  with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request
  header, leading to a heap-based buffer overflow.
  
  * SECURITY: CVE-2012-0021 (cve.mitre.org)
  The log_cookie function in mod_log_config.c in the mod_log_config module in the
  Apache HTTP Server 2.2.17 through 2.2.21, when a threaded MPM is used, does not
  properly handle a %{}C format string, which allows remote attackers to cause a
  denial of service (daemon crash) via a cookie that lacks both a name and a
  value.
  
  * SECURITY: CVE-2012-0031 (cve.mitre.org)
  scoreboard.c in the Apache HTTP Server 2.2.21 and earlier might allow local
  users to cause a denial of service (daemon crash during shutdown) or possibly
  have unspecified other impact by modifying a certain type field within a
  scoreboard shared memory segment, leading to an invalid call to the free
  function.
  
  * SECURITY: CVE-2011-4317 (cve.mitre.org)
  The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x
  through 2.0.64, and 2.2.x through 2.2.21, when the Revision 1179239 patch is in
  place, does not properly interact with use of (1) RewriteRule and (2)
  ProxyPassMatch pattern matches for configuration of a reverse proxy, which
  allows remote attackers to send requests to intranet servers via a malformed URI
  containing an @ (at sign) character and a : (colon) character in invalid
  positions. NOTE: this vulnerability exists because of an incomplete fix for
  CVE-2011-3368.
  
  * SECURITY: CVE-2012-0053 (cve.mitre.org)
  protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly
  restrict header information during construction of Bad Request (aka 400) error
  documents, which allows remote attackers to obtain the values of HTTPOnly
  cookies via vectors involving a (1) long or (2) malformed header in conjunction
  with crafted web script.
  
  * SECURITY: CVE-2011-3368 (cve.mitre.org)
  The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x
  through 2.0.64, and 2.2.x through 2.2.21 does not properly interact with use of
  (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a
  reverse proxy, which allows remote attackers to send requests to intranet
  servers via a malformed URI containing an initial @ (at sign) character.
  
  PR: ports/164675
  Reviewed by: pgollucci
  Approved by: pgollucci, crees, rene (mentors, implicit)
  With Hat: apache@
  
  Revision  Changes    Path
  1.295     +1 -1      ports/www/apache22/Makefile
  1.16      +3 -3      ports/www/apache22/Makefile.doc
  1.87      +2 -2      ports/www/apache22/distinfo
  1.26      +2 -2      ports/www/apache22/files/patch-Makefile.in
  1.4       +4 -40     ports/www/apache22/files/patch-docs__conf__extra__httpd-ssl.conf.in
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"

Comment 10 Jason Helfman freebsd_committer

2012-02-01 18:57:36 UTC

State Changed
From-To: open->closed

Committed. Thanks!

Comment 11 dfilter service freebsd_committer

2012-02-02 01:32:28 UTC

jgh         2012-02-02 01:32:18 UTC

  FreeBSD ports repository

  Modified files:
    security/vuxml       vuln.xml 
  Log:
  document latest Apache vulnerabilities
  
  PR:     ports/164675
  Reviewed by: crees, eadler
  Approved by: crees (mentor)
  
  Revision  Changes    Path
  1.2587    +55 -1     ports/security/vuxml/vuln.xml
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"