Update to 2.2.22 Buildlog: http://people.freebsd.org/~jgh/files/apache-2.2.22.log and here https://redports.org/buildarchive/20120201011451-36374/
Responsible Changed From-To: freebsd-ports-bugs->apache Over to maintainer (via the GNATS Auto Assign Tool)
here is the vuxml: http://people.freebsd.org/~jgh/files/vuln.xml.patch.txt -jgh -- Jason Helfman | FreeBSD Committer jgh@FreeBSD.org | http://people.freebsd.org/~jgh
Do not change this file. You're reverting a local change we've pulled from trunk svn for security. Please commit the rest of the patch with my review / hat. > =================================================================== > RCS file: /home/pcvs/ports/www/apache22/files/patch-docs__conf__extra__httpd-ssl.conf.in,v > retrieving revision 1.3 > diff -u -r1.3 patch-docs__conf__extra__httpd-ssl.conf.in > --- files/patch-docs__conf__extra__httpd-ssl.conf.in 23 Jan 2012 23:24:38 -0000 1.3 > +++ files/patch-docs__conf__extra__httpd-ssl.conf.in 1 Feb 2012 00:05:53 -0000 
> @@ -1,58 +1,22 @@ > ---- ./docs/conf/extra/httpd-ssl.conf.in.orig 2008-02-04 23:00:07.000000000 +0000 > -+++ ./docs/conf/extra/httpd-ssl.conf.in 2012-01-23 23:20:06.446390870 +0000 > -@@ -77,17 +77,35 @@ > +--- ./docs/conf/extra/httpd-ssl.conf.in.orig 2012-01-31 15:16:43.000000000 -0800 > ++++ ./docs/conf/extra/httpd-ssl.conf.in 2012-01-31 15:17:47.000000000 -0800 > +@@ -77,8 +77,8 @@ > DocumentRoot "@exp_htdocsdir@" > ServerName www.example.com:@@SSLPort@@ > ServerAdmin you@example.com > -ErrorLog "@exp_logfiledir@/error_log" > -TransferLog "@exp_logfiledir@/access_log" > -+ErrorLog "@exp_logfiledir@/httpd-error.log" > -+TransferLog "@exp_logfiledir@/httpd-access.log" > ++ErrorLog "@exp_logfiledir@/httpd-error_log" > ++TransferLog "@exp_logfiledir@/httpd-access_log" > > # SSL Engine Switch: > # Enable/Disable SSL for this virtual host. > - SSLEngine on > - > -+# SSL Protocol support: > -+# List the protocol versions which clients are allowed to > -+# connect with. Disable SSLv2 by default (cf. RFC 6176). > -+SSLProtocol all -SSLv2 > -+ > - # SSL Cipher Suite: > - # List the ciphers that the client is permitted to negotiate. > - # See the mod_ssl documentation for a complete list. > --SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL > -+SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 > -+ > -+# Speed-optimized SSL Cipher configuration: > -+# If speed is your main concern (on busy HTTPS servers e.g.), > -+# you might want to force clients to specific, performance > -+# optimized ciphers. In this case, prepend those ciphers > -+# to the SSLCipherSuite list, and enable SSLHonorCipherOrder. > -+# Caveat: by giving precedence to RC4-SHA and AES128-SHA > -+# (as in the example below), most connections will no longer > -+# have perfect forward secrecy - if the server's key is > -+# compromised, captures of past or future traffic must be > -+# considered compromised, too. 
> -+#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5 > -+#SSLHonorCipherOrder on > - > - # Server Certificate: > - # Point SSLCertificateFile at a PEM encoded certificate. If > -@@ -218,14 +236,14 @@ > - # Similarly, one has to force some clients to use HTTP/1.0 to workaround > - # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and > - # "force-response-1.0" for this. > --BrowserMatch ".*MSIE.*" \ > -+BrowserMatch "MSIE [2-5]" \ > - nokeepalive ssl-unclean-shutdown \ > - downgrade-1.0 force-response-1.0 > - > +@@ -243,7 +243,7 @@ > # Per-Server Logging: > # The home of a custom SSL log file. Use this when you want a > # compact non-error SSL logfile on a virtual host basis. > -CustomLog "@exp_logfiledir@/ssl_request_log" \ > -+CustomLog "@exp_logfiledir@/httpd-ssl_request.log" \ > ++CustomLog "@exp_logfiledir@/httpd-ssl_request_log" \ > "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" > > </VirtualHost> > _______________________________________________ > freebsd-apache@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-apache > To unsubscribe, send any mail to "freebsd-apache-unsubscribe@freebsd.org" > -- ------------------------------------------------------------------------ 1024D/DB9B8C1C B90B FBC3 A3A1 C71A 8E70 3F8C 75B8 8FFB DB9B 8C1C Philip M. Gollucci (pgollucci@p6m7g8.com) c: 703.336.9354 Member, Apache Software Foundation Committer, FreeBSD Foundation Consultant, P6M7G8 Inc. Director Operations, Ridecharge Inc. Work like you don't need the money, love like you'll never get hurt, and dance like nobody's watching.
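Review bot: the log-file renames in this hunk (`-+ErrorLog "@exp_logfiledir@/httpd-error.log"` replaced by `++ErrorLog "@exp_logfiledir@/httpd-error_log"`, the same for `httpd-access`, and `httpd-ssl_request.log` to `httpd-ssl_request_log` in the `@@ -243,7 +243,7 @@` region) are unrelated to the 2.2.22 update and revert the port's existing `.log` naming, so every installed system that references those paths would change behaviour on upgrade; keep the `httpd-error.log`, `httpd-access.log` and `httpd-ssl_request.log` names and limit the hunk to the upstream resync.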
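Review bot: dropping the `-+SSLProtocol all -SSLv2` and `-+SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5` additions (and the `-+BrowserMatch "MSIE [2-5]"` narrowing) from the local patch is only safe if the 2.2.22 `docs/conf/extra/httpd-ssl.conf.in` in the distfile already contains them; otherwise the port would ship the weak `SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL` default again. State in the PR that the extracted distfile was checked for all three directives, or keep that part of the hunk.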
I will be glad to do that, however it didn't patch cleanly. The additions were in the downloaded source, unless I am mistaken. Can you please verify? -jgh
On 1/31/12 10:15 PM, Jason Helfman wrote: > I will be glad to do that, however it didn't patch cleanly. The > additions were in the downloaded source, unless I am mistaken. > Can you please verify? I'm wiped tonight. I'll peek Wednesday am. ping me if you don't hear from me tomorrow. > -jgh
Yes, new httpd-ssl.conf.in already has changes in SSLProtocol and SSLCipherSuite, so we no longer need it in local patch.

But please, don't change the log file names
from httpd-error.log to httpd-error_log
from httpd-access.log to httpd-access_log
from httpd-ssl_request.log to httpd-ssl_request_log

-- 
Miroslav Lachman
2012/2/1 Miroslav Lachman <quip@quip.cz>
> Yes, new httpd-ssl.conf.in already has changes in SSLProtocol and
> SSLCipherSuite, so we no longer need it in local patch.
>
> But please, don't change the log file names
> from httpd-error.log to httpd-error_log
> from httpd-access.log to httpd-access_log
> from httpd-ssl_request.log to httpd-ssl_request_log
>
> --
> Miroslav Lachman

Doh! I can see that now. Thanks, I will update patch, confirm with apache@ and get this committed soon.
On Wed, Feb 01, 2012 at 10:40:00AM +0100, Miroslav Lachman thus spake: >Yes, new httpd-ssl.conf.in already has changes in SSLProtocol and >SSLCipherSuite, so we no longer need it in local patch. > >But please, don't change the log file names >from httpd-error.log to httpd-error_log >from httpd-access.log to httpd-access_log >from httpd-ssl_request.log to httpd-ssl_request_log > >-- >Miroslav Lachman > Attached is the updated patch. -jgh -- Jason Helfman | FreeBSD Committer jgh@FreeBSD.org | http://people.freebsd.org/~jgh
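The question settled above (whether the 2.2.22 httpd-ssl.conf.in already carries the directives the FreeBSD local patch used to add, so the local hunk can be dropped without losing the hardening) can be answered mechanically before a port update. The script below is an added example, not code from the PR thread or from the apache22 port. The directive strings it looks for are the ones visible in the patch quoted earlier in this thread; the two sample files it writes are constructed for the example and are not the real upstream distfile contents.

```sh
#!/bin/sh
# Added example (not part of the PR or the apache22 port): verify that an
# httpd-ssl.conf.in has the hardening that the FreeBSD local patch used to
# carry, and does not still activate the pre-2.2.22 cipher list.
# Directive strings below are taken from the patch quoted in this thread.

WANT_PROTOCOL='SSLProtocol all -SSLv2'
WANT_CIPHERS='SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5'
WANT_BROWSERMATCH='BrowserMatch "MSIE [2-5]"'
# The old default the local patch replaced; it must not be active.
WEAK_CIPHERS='SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL'

# active_lines FILE: print the file with leading blanks stripped and
# comment lines removed, so commented-out examples are not counted.
active_lines() {
    sed 's/^[[:space:]]*//' "$1" | grep -v '^#'
}

# check_ssl_conf FILE: return 0 when every wanted directive is active and
# the weak cipher list is not; otherwise print each problem and return 1.
check_ssl_conf() {
    f=$1
    rc=0
    for want in "$WANT_PROTOCOL" "$WANT_CIPHERS" "$WANT_BROWSERMATCH"; do
        if ! active_lines "$f" | grep -qF -- "$want"; then
            echo "missing: $want"
            rc=1
        fi
    done
    if active_lines "$f" | grep -qF -- "$WEAK_CIPHERS"; then
        echo "weak cipher list still active: $WEAK_CIPHERS"
        rc=1
    fi
    return $rc
}

# write_sample_new FILE: constructed fragment in the shape of a file that
# already carries the hardening (what the thread says 2.2.22 ships).
write_sample_new() {
    cat > "$1" <<'EOF'
SSLEngine on

# SSL Protocol support:
SSLProtocol all -SSLv2

# SSL Cipher Suite:
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5

# Speed-optimized SSL Cipher configuration (disabled by default):
#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
#SSLHonorCipherOrder on

BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
EOF
}

# write_sample_old FILE: constructed fragment in the shape of the
# pre-2.2.22 file that still needed the local patch.
write_sample_old() {
    cat > "$1" <<'EOF'
SSLEngine on

# SSL Cipher Suite:
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

BrowserMatch ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
EOF
}

# Demo: run the check against both constructed samples.
demo() {
    new=$(mktemp) && old=$(mktemp) || return 1
    write_sample_new "$new"
    write_sample_old "$old"
    if check_ssl_conf "$new"; then
        echo "new-style file: hardening present, local hunk can be dropped"
    fi
    if ! check_ssl_conf "$old"; then
        echo "old-style file: keep the local hunk"
    fi
    rm -f "$new" "$old"
}
demo
```

To use it on a real port update, extract the distfile (`make extract` in the port directory) and call `check_ssl_conf` on the extracted `docs/conf/extra/httpd-ssl.conf.in`; only drop the local hunk when it reports nothing missing.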
jgh 2012-02-01 18:56:08 UTC

FreeBSD ports repository

Modified files:
  www/apache22         Makefile Makefile.doc distinfo
  www/apache22/files   patch-Makefile.in patch-docs__conf__extra__httpd-ssl.conf.in
Log:
  - Update to 2.2.22

  Addresses:

  * SECURITY: CVE-2011-3607 (cve.mitre.org)
    Integer overflow in the ap_pregsub function in server/util.c in the
    Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when
    the mod_setenvif module is enabled, allows local users to gain
    privileges via a .htaccess file with a crafted SetEnvIf directive, in
    conjunction with a crafted HTTP request header, leading to a heap-based
    buffer overflow.

  * SECURITY: CVE-2012-0021 (cve.mitre.org)
    The log_cookie function in mod_log_config.c in the mod_log_config module
    in the Apache HTTP Server 2.2.17 through 2.2.21, when a threaded MPM is
    used, does not properly handle a %{}C format string, which allows remote
    attackers to cause a denial of service (daemon crash) via a cookie that
    lacks both a name and a value.

  * SECURITY: CVE-2012-0031 (cve.mitre.org)
    scoreboard.c in the Apache HTTP Server 2.2.21 and earlier might allow
    local users to cause a denial of service (daemon crash during shutdown)
    or possibly have unspecified other impact by modifying a certain type
    field within a scoreboard shared memory segment, leading to an invalid
    call to the free function.

  * SECURITY: CVE-2011-4317 (cve.mitre.org)
    The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42,
    2.0.x through 2.0.64, and 2.2.x through 2.2.21, when the Revision
    1179239 patch is in place, does not properly interact with use of
    (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration
    of a reverse proxy, which allows remote attackers to send requests to
    intranet servers via a malformed URI containing an @ (at sign) character
    and a : (colon) character in invalid positions. NOTE: this vulnerability
    exists because of an incomplete fix for CVE-2011-3368.

  * SECURITY: CVE-2012-0053 (cve.mitre.org)
    protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not
    properly restrict header information during construction of Bad Request
    (aka 400) error documents, which allows remote attackers to obtain the
    values of HTTPOnly cookies via vectors involving a (1) long or
    (2) malformed header in conjunction with crafted web script.

  * SECURITY: CVE-2011-3368 (cve.mitre.org)
    The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42,
    2.0.x through 2.0.64, and 2.2.x through 2.2.21 does not properly
    interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern
    matches for configuration of a reverse proxy, which allows remote
    attackers to send requests to intranet servers via a malformed URI
    containing an initial @ (at sign) character.

  PR:           ports/164675
  Reviewed by:  pgollucci
  Approved by:  pgollucci, crees, rene (mentors, implicit)
  With Hat:     apache@

Revision  Changes  Path
1.295     +1 -1    ports/www/apache22/Makefile
1.16      +3 -3    ports/www/apache22/Makefile.doc
1.87      +2 -2    ports/www/apache22/distinfo
1.26      +2 -2    ports/www/apache22/files/patch-Makefile.in
1.4       +4 -40   ports/www/apache22/files/patch-docs__conf__extra__httpd-ssl.conf.in
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
State Changed From-To: open->closed Committed. Thanks!
jgh 2012-02-02 01:32:18 UTC

FreeBSD ports repository

Modified files:
  security/vuxml       vuln.xml
Log:
  document latest Apache vulnerabilities

  PR:           ports/164675
  Reviewed by:  crees, eadler
  Approved by:  crees (mentor)

Revision  Changes  Path
1.2587    +55 -1   ports/security/vuxml/vuln.xml