Bug 52768

Summary:

[PATCH] SECURITY-UPDATE Apache2 to 2.0.46

Product:

Ports & Packages

Reporter:

Jason Li <delphij>

Component:

Individual Port(s)

Assignee:

Hye-Shik Chang <perky>

Status:

Closed FIXED

Severity:

Affects Only Me

CC:

delphij

Priority:

Normal

Version:

Latest

Hardware:

Any

OS:

Any

Attachments:

Description	Flags
file.diff	none

Description Jason Li 2003-05-28 20:30:03 UTC

	Apache 2.0 versions 2.0.37 through 2.0.45 can be caused to crash in certain 
circumstances. This can be triggered remotely through mod_dav and possibly 
other mechanisms. The crash was originally reported by David Endler 
<DEndler@iDefense.com> and was researched and fixed by Joe Orton 
<jorton@redhat.com>. Specific details and an analysis of the crash will be 
published Friday, May 30. No more specific information is disclosed at this 
time, but all Apache 2.0 users are encouraged to upgrade now.
	[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0245]

	Apache 2.0 versions 2.0.40 through 2.0.45 on Unix platforms were vulnerable 
to a denial-of-service attack on the basic authentication module, which was 
reported by John Hughes <john.hughes@entegrity.com>. A bug in the 
configuration scripts caused the apr_password_validate() function to be 
thread-unsafe on platforms with crypt_r(), including AIX and Linux. All 
versions of Apache 2.0 have this thread-safety problem on platforms with no 
crypt_r() and no thread-safe crypt(), such as Mac OS X and possibly others. 
When using a threaded MPM (which is not the default on these platforms), 
this allows remote attackers to create a denial of service which causes 
valid usernames and passwords for Basic Authentication to fail until Apache 
is restarted. We do not believe this bug could allow unauthorized users to 
gain access to protected resources.
	[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0189]

Fix: I believe the current maintainer will fix this issue, but because of this 
is an emergency security update, I would like this patch to be applied if 
the maintainer is busy. I have tested this under FreeBSD 4-STABLE and 
5-CURRENT. Hope this is helpful and be merged into the 5.1-RELEASE. Thanks.
	Patch updates the port:
PORTNAME=	apache
-PORTVERSION=	2.0.45
+PORTVERSION=	2.0.46
CATEGORIES=	www ipv6
MASTER_SITES=	${MASTER_SITE_APACHE_HTTPD}
DISTNAME=	httpd-${PORTVERSION}


--              if eval $SHELL $ac_abs_srcdir/configure $ac_configure_args 
--cache-file=$ac_sub_cache_file --srcdir=$ac_abs_srcdir $apache_apr_flags 
--prefix=$prefix --exec-prefix=$exec_prefix --libdir=$libdir 
--includedir=$includedir --bindir=$bindir --datadir=$datadir 
--with-installbuilddir=$installbuilddir
-+              if eval $SHELL $ac_abs_srcdir/configure
-+ $ac_configure_args --cache-file=$ac_sub_cache_file
-+ --srcdir=$ac_abs_srcdir $apache_apr_flags --prefix=$prefix
-+ --exec-prefix=$exec_prefix --libdir=$libdir --includedir=$includedir
-+ --bindir=$libdir --datadir=$datadir
-+ --with-installbuilddir=$installbuilddir
+
+-              if eval $SHELL $ac_abs_srcdir/configure $apr_configure_args 
--cache-file=$ac_sub_cache_file --srcdir=$ac_abs_srcdir $apache_apr_flags 
--prefix=$prefix --exec-prefix=$exec_prefix --libdir=$libdir 
--includedir=$includedir --bindir=$bindir --datadir=$datadir 
--with-installbuilddir=$installbuilddir
++              if eval $SHELL $ac_abs_srcdir/configure
++ $apr_configure_args --cache-file=$ac_sub_cache_file 
--srcdir=$ac_abs_srcdir $apache_apr_flags --prefix=$prefix 
--exec-prefix=$exec_prefix --libdir=$libdir --includedir=$includedir 
--bindir=$libdir --datadir=$datadir --with-installbuilddir=$installbuilddir
    then :
      echo "srclib/apr configured properly"
    else
-@@ -2888,7 +2888,7 @@
-     ac_sub_cache_file="$ac_popdir/$cache_file" ;;
-   esac
+@@ -2928,7 +2928,7 @@
+   done
+

--              if eval $SHELL $ac_abs_srcdir/configure $ac_configure_args 
--cache-file=$ac_sub_cache_file --srcdir=$ac_abs_srcdir --with-apr=../apr 
--prefix=$prefix --exec-prefix=$exec_prefix --libdir=$libdir 
--includedir=$includedir --bindir=$bindir
-+              if eval $SHELL $ac_abs_srcdir/configure
-+ $ac_configure_args --cache-file=$ac_sub_cache_file 
--srcdir=$ac_abs_srcdir --with-apr=../apr --prefix=$prefix 
--exec-prefix=$exec_prefix --libdir=$libdir --includedir=$includedir 
--bindir=$libdir
+-              if eval $SHELL $ac_abs_srcdir/configure $apr_configure_args 
--cache-file=$ac_sub_cache_file --srcdir=$ac_abs_srcdir --with-apr=../apr 
--prefix=$prefix --exec-prefix=$exec_prefix --libdir=$libdir 
--includedir=$includedir --bindir=$bindir
++              if eval $SHELL $ac_abs_srcdir/configure
++ $apr_configure_args --cache-file=$ac_sub_cache_file 
--srcdir=$ac_abs_srcdir --with-apr=../apr --prefix=$prefix 
--exec-prefix=$exec_prefix --libdir=$libdir --includedir=$includedir 
--bindir=$libdir
    then :
      echo "srclib/apr-util configured properly"
    else
-@@ -15634,6 +15634,9 @@
+@@ -15719,6 +15719,9 @@

  cat >>confdefs.h <<_ACEOF
  #define SERVER_CONFIG_FILE "${rel_sysconfdir}/${progname}.conf"

_________________________________________________________________
Add photos to your messages with MSN 8. Get 2 months FREE*. 
http://join.msn.com/?page=features/featuredemail--AX8BLqGoDUnxn8AGY3ohnZnPeCLOH2viwmmz5AV03ZjzCDLn
Content-Type: text/plain; name="file.diff"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="file.diff"

diff -ruN apache2.orig/Makefile apache2/Makefile
--- apache2.orig/Makefile	Thu Apr 17 05:33:58 2003
+++ apache2/Makefile	Thu May 29 02:40:53 2003
@@ -6,7 +6,7 @@
#

Comment 1 Trevor Johnson freebsd_committer

2003-05-30 18:48:55 UTC

Responsible Changed
From-To: freebsd-ports-bugs->perky

over to maintainer

Comment 2 Hye-Shik Chang freebsd_committer

2003-06-01 01:10:25 UTC

State Changed
From-To: open->closed

Updated. Thank you!