Bug 215096

Summary: www/apache24: Fix HTTP/2 DoS vulnerability
Product: Ports & Packages
Reporter: Bernard Spil <brnrd>
Component: Individual Port(s)
Assignee: freebsd-apache (Nobody) <apache>
Status: Closed FIXED
Severity: Affects Many People
CC: brnrd, ohauer, ports-secteam
Priority: ---
Keywords: patch, security
Version: Latest
Flags: bugzilla: maintainer-feedback? (apache); brnrd: merge-quarterly?
Hardware: Any
OS: Any
URL: http://mail-archives.apache.org/mod_mbox/httpd-announce/201612.mbox/%3C1A097A43-7CCB-4BA1-861F-E0C7EEE83A4B%40apache.org%3E
Attachments:
  - svn diff for www/apache24 (flags: none)

Description Bernard Spil freebsd_committer freebsd_triage 2016-12-06 11:23:54 UTC
Created attachment 177716 [details]
svn diff for www/apache24

www/apache24: Fix HTTP/2 DoS vulnerability

  - Add patch from upstream security advisory
  - Bump PORTREVISION

Security: cb0bf1ec-bb92-11e6-a9a5-b499baebfeaf
Security: CVE-2016-8740
MFH: 2016Q4
Comment 1 Olli Hauer freebsd_committer freebsd_triage 2016-12-06 12:04:09 UTC
Hi Bernard,

I've read about the CVE note this morning in the train, but have no time to test until the weekend.
If the build is OK, please go on and commit the patch!

Since http2 is off by default, I'm not sure if we need a PORTREVISION bump and MFH, but without them I see no way to handle the vuxml entry ...
Comment 2 Mathieu Arnold freebsd_committer freebsd_triage 2016-12-06 12:21:08 UTC
The vulnerability is there. Whether the thing is enabled or not by default does not enter into account. Bumping PORTREVISION is always necessary. See https://www.freebsd.org/doc/en/books/porters-handbook/makefile-naming.html
Comment 3 commit-hook freebsd_committer freebsd_triage 2016-12-06 12:44:11 UTC
A commit references this bug:

Author: brnrd
Date: Tue Dec  6 12:43:37 UTC 2016
New revision: 427953
URL: https://svnweb.freebsd.org/changeset/ports/427953

Log:
  www/apache24: Fix HTTP/2 DoS vulnerability

    - Add patch from upstream security advisory
    - Bump PORTREVISION

  PR:		215096
  MFH:		2016Q4
  Security:	cb0bf1ec-bb92-11e6-a9a5-b499baebfeaf
  Security:	CVE-2016-8740

Changes:
  head/www/apache24/Makefile
  head/www/apache24/files/patch-CVE-2016-8740
Comment 4 commit-hook freebsd_committer freebsd_triage 2016-12-06 12:53:20 UTC
A commit references this bug:

Author: brnrd
Date: Tue Dec  6 12:52:28 UTC 2016
New revision: 427954
URL: https://svnweb.freebsd.org/changeset/ports/427954

Log:
  MFH: r427953

  www/apache24: Fix HTTP/2 DoS vulnerability

    - Add patch from upstream security advisory
    - Bump PORTREVISION

  PR:		215096
  Security:	cb0bf1ec-bb92-11e6-a9a5-b499baebfeaf
  Security:	CVE-2016-8740

  Approved by:	ports-secteam (implicit, "Backport of security and reliability fixes")

Changes:
_U  branches/2016Q4/
  branches/2016Q4/www/apache24/Makefile
  branches/2016Q4/www/apache24/files/patch-CVE-2016-8740