Bug 169363 - www/yaws needs to be updated to 1.93 for a security fix
Summary: www/yaws needs to be updated to 1.93 for a security fix
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Only Me
Assignee: Jimmy Olgeni
Depends on:
Reported: 2012-06-24 08:10 UTC by kenji.rikitake
Modified: 2012-06-25 02:20 UTC (History)
0 users

See Also:

file.diff (8.28 KB, patch)
2012-06-24 08:10 UTC, kenji.rikitake
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description kenji.rikitake 2012-06-24 08:10:10 UTC
Yaws 1.92 has a critical vulnerability when using cookies which may result in session hijacking.  This vulnerability is addressesd on 1.93. Details:

Fix: Updating yaws to 1.93 will fix this issue.  The patch included is a diff for a quick fix from the current port (yaws 1.92 based) to the 1.93. (use patch -p1 to apply)
The details are also on GitHub at:

Patch attached with submission follows:
How-To-Repeat: Yaws 1.92 or the older version has the vulnerability.
Comment 1 kenji.rikitake 2012-06-24 08:22:39 UTC
This PR should have been categorized as ports. My apologies.

++> FreeBSD-gnats-submit@FreeBSD.org <FreeBSD-gnats-submit@FreeBSD.org> [2012-06-24 07:10:10 +0000]:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=169363
> >Category:       misc
> >Responsible:    freebsd-bugs
> >Synopsis:       www/yaws needs to be updated to 1.93 for a security fix
> >Arrival-Date:   Sun Jun 24 07:10:10 UTC 2012
Comment 2 Po-Chuan Hsieh freebsd_committer 2012-06-24 08:48:13 UTC
Responsible Changed
From-To: freebsd-bugs->olgeni

Over to maintainer.
Comment 3 Jimmy Olgeni freebsd_committer 2012-06-25 02:10:51 UTC
State Changed
From-To: open->closed

Committed. Thanks!
Comment 4 dfilter service freebsd_committer 2012-06-25 02:10:56 UTC
olgeni      2012-06-25 01:10:44 UTC

  FreeBSD ports repository

  Modified files:
    www/yaws             Makefile distinfo pkg-plist 
    www/yaws/files       patch-man_yaws.conf.5 
  Added files:
    www/yaws/files       patch-scripts__gen-yaws 
  Upgrade to version 1.93, which contains a security fix among other changes.
  From Erlyaws-list:
  "Use crypto:rand_bytes() instead of the cryptographically weak random
  module. Swedish security consultant and cryptographer Kalle
  Zetterlund discovered a way to - given a sequence of cookies produced
  by yaws_session_server - predict the next session id. Thus providing
  a gaping security hole into yaws servers that use the yaws_session_server
  to maintain cookie based HTTP sessions (klacke/kallez)"
  PR:             ports/169363
  Submitted by:   Kenji Rikitake <kenji.rikitake@acm.org>
  Revision  Changes    Path
  1.60      +11 -3     ports/www/yaws/Makefile
  1.40      +2 -2      ports/www/yaws/distinfo
  1.5       +4 -4      ports/www/yaws/files/patch-man_yaws.conf.5
  1.1       +20 -0     ports/www/yaws/files/patch-scripts__gen-yaws (new)
  1.37      +24 -4     ports/www/yaws/pkg-plist
cvs-all@freebsd.org mailing list
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"