Yaws 1.92 has a critical vulnerability when using cookies which may result in session hijacking. This vulnerability is addressesd on 1.93. Details:
Fix: Updating yaws to 1.93 will fix this issue. The patch included is a diff for a quick fix from the current port (yaws 1.92 based) to the 1.93. (use patch -p1 to apply)
The details are also on GitHub at:
Patch attached with submission follows:
How-To-Repeat: Yaws 1.92 or the older version has the vulnerability.
This PR should have been categorized as ports. My apologies.
++> FreeBSD-gnats-submit@FreeBSD.org <FreeBSD-gnats-submit@FreeBSD.org> [2012-06-24 07:10:10 +0000]:
> >Category: misc
> >Responsible: freebsd-bugs
> >Synopsis: www/yaws needs to be updated to 1.93 for a security fix
> >Arrival-Date: Sun Jun 24 07:10:10 UTC 2012
Over to maintainer.
olgeni 2012-06-25 01:10:44 UTC
FreeBSD ports repository
www/yaws Makefile distinfo pkg-plist
Upgrade to version 1.93, which contains a security fix among other changes.
"Use crypto:rand_bytes() instead of the cryptographically weak random
module. Swedish security consultant and cryptographer Kalle
Zetterlund discovered a way to - given a sequence of cookies produced
by yaws_session_server - predict the next session id. Thus providing
a gaping security hole into yaws servers that use the yaws_session_server
to maintain cookie based HTTP sessions (klacke/kallez)"
Submitted by: Kenji Rikitake <email@example.com>
Revision Changes Path
1.60 +11 -3 ports/www/yaws/Makefile
1.40 +2 -2 ports/www/yaws/distinfo
1.5 +4 -4 ports/www/yaws/files/patch-man_yaws.conf.5
1.1 +20 -0 ports/www/yaws/files/patch-scripts__gen-yaws (new)
1.37 +24 -4 ports/www/yaws/pkg-plist
firstname.lastname@example.org mailing list
To unsubscribe, send any mail to "email@example.com"