Bug 189109 - [security] www/mod_spdy Apache module heartbleed bug
Status: Closed Feedback Timeout
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: Normal Affects Only Me
Assignee: freebsd-apache (Nobody)
Reported: 2014-04-29 15:50 UTC by Hasan Alp İNAN
Modified: 2014-06-30 20:47 UTC
Description Hasan Alp İNAN 2014-04-29 15:50:00 UTC
Details here:

SECURITY UPDATE (8 Apr 2014): All mod_spdy users should upgrade to mod_spdy 0.9.4.2 immediately to fix the heartbleed bug in mod_spdy's linked version of OpenSSL. See issue 85 for details.

https://code.google.com/p/mod-spdy/

Fix: 

Update mod_spdy port to 0.9.4.2 version.
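
Added example (not part of the original report or of the port): one way to see which OpenSSL version a built mod_spdy module carries, by scanning the binary for OpenSSL version banners. The function names, the sample bytes and the affected range (OpenSSL 1.0.1 through 1.0.1f, 1.0.2-beta and 1.0.2-beta1) are assumptions supplied here, not taken from the report.

```sh
#!/bin/sh
# Added example, not part of the bug report.
# Assumption: Heartbleed affects OpenSSL 1.0.1 through 1.0.1f and
# 1.0.2-beta/1.0.2-beta1. A banner match is by version only: builds with
# heartbeats compiled out or with a backported fix still show the old string.

# heartbleed_status VERSION -> prints "affected" or "not-affected"
heartbleed_status() {
    case "$1" in
        1.0.1|1.0.1[a-f]|1.0.2-beta|1.0.2-beta1) echo affected ;;
        *) echo not-affected ;;
    esac
}

# embedded_openssl_versions FILE -> unique OpenSSL versions found in FILE
embedded_openssl_versions() {
    # Turn every non-printable byte into a newline (a minimal strings(1)),
    # then pull the version out of banners like "OpenSSL 1.0.1e 11 Feb 2013".
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" |
        LC_ALL=C grep -o 'OpenSSL [0-9]\.[0-9]\.[0-9][a-z]*\(-beta[0-9]*\)\{0,1\} ' |
        awk '{ print $2 }' | sort -u
}

# audit_module FILE -> prints "VERSION STATUS" lines; returns 1 if any is affected
audit_module() {
    hb_rc=0
    for hb_v in $(embedded_openssl_versions "$1"); do
        hb_s=$(heartbleed_status "$hb_v")
        echo "$hb_v $hb_s"
        if [ "$hb_s" = affected ]; then hb_rc=1; fi
    done
    return "$hb_rc"
}

# make_sample FILE -> writes a constructed stand-in for a module binary
# (two made-up banners separated by NUL and control bytes).
make_sample() {
    printf 'ELF\001\000OpenSSL 1.0.1e 11 Feb 2013\000\002pad\000OpenSSL 1.0.1g 7 Apr 2014\000' > "$1"
}

# Audit the file given as the first argument, if any.
if [ $# -ge 1 ]; then audit_module "$1"; fi
```

Pass the path of the built module as the first argument; the exit status is 1 when an affected banner is found.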
Comment 1 Edwin Groothuis freebsd_committer freebsd_triage 2014-04-29 16:35:41 UTC
Responsible Changed
From-To: freebsd-ports-bugs->apache

apache@ wants this port PRs (via the GNATS Auto Assign Tool)
Comment 2 Edwin Groothuis freebsd_committer freebsd_triage 2014-04-29 16:35:42 UTC
Maintainer of www/mod_spdy,

Please note that PR ports/189109 has just been submitted.

If it contains a patch for an upgrade, an enhancement or a bug fix
you agree on, reply to this email stating that you approve the patch
and a committer will take care of it.

The full text of the PR can be found at:
    http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/189109

-- 
Edwin Groothuis via the GNATS Auto Assign Tool
edwin@FreeBSD.org
Comment 3 Edwin Groothuis freebsd_committer freebsd_triage 2014-04-29 16:35:43 UTC
State Changed
From-To: open->feedback

Awaiting maintainers feedback (via the GNATS Auto Assign Tool)
Comment 4 Olli Hauer freebsd_committer freebsd_triage 2014-06-29 18:00:26 UTC
Seems the author of the port is not around or reachable.
Best solution is to mark the port as forbidden and deprecate in 4 weeks.
Comment 5 Mark Felder freebsd_committer freebsd_triage 2014-06-30 20:04:49 UTC
This seems like a rather important port. Isn't spdy relatively popular?

I'll get a new distfile mirrored. Oddly this thing requires the apache source. Is there some way we can pull the Apache version dynamically instead of having it hardcoded into the port?
Comment 6 Olli Hauer freebsd_committer freebsd_triage 2014-06-30 20:47:00 UTC
Hm, (un)luckily it is at the moment the only implementation.
http://lists.w3.org/Archives/Public/ietf-http-wg/2014AprJun/0815.html

I also thought about dynamically adding apache22 to the mix via `make -V _DISTDIR -C ${PORTSDIR}/www/apache22` but that's a really dirty workaround.

A small improvement would be already if the port picks the source from the apache22 DIST_SUBDIR.

Some weeks ago there was a discussion on the upstream list to include spdy because of the ugly buildsystem and to keep it more compatible with current apache releases.
http://marc.info/?t=139887674700005&r=1&w=2

Haven't done any tests/checkouts from this repo (enotime)
https://issues.apache.org/jira/browse/INFRA-7653