Created attachment 153202: update fcgi to 2.4.0_5 + CVE patch

CVE-2012-6687 [1] was published yesterday; it reports possible DoS attacks against fastcgi 2.4.0. As far as I can see, that's our version in ports. Attached is a patch integrating the fix: https://launchpadlibrarian.net/93064712/poll.patch

[1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6687
Maintainer CC'd
Poudriere log: http://www.bebik.net/poudriere/2015-02-20_11h21m03s/logs/fcgi-devkit-2.4.0_5.log
Thanks for reporting! I'll look into this ASAP (hopefully today, no later than tomorrow).
Created attachment 153215: CVE patch + cpe records

I changed my patch to take advantage of this update and add CPE information to www/fcgi. Here are the details about what CPE is: https://wiki.freebsd.org/Ports/CPE

Cheers - rodrigo
According to the Wiki, adding CPE records is mandatory in this case. Thanks for the update. I've verified that the patch builds. And the code looks OK too, so I've set maintainer approval. Feel free to poke a committer if you don't have the necessary bit(s) yourself.
Don't worry, I have the required bits :) I'm now preparing the vuxml record.
ping
It was ready to be committed last time, or did I miss something?
Reporter is Committer
Comment on attachment 153215: CVE patch + cpe records

Just for reference, maintainer-feedback is not maintainer-approval. Setting maintainer-approval on the attachment/patch for clarity.
Ah, that must have been my bad then. Sorry for the inconvenience.
A commit references this bug:

Author: rodrigo
Date: Wed Mar 4 23:31:58 UTC 2015
New revision: 380457
URL: https://svnweb.freebsd.org/changeset/ports/380457

Log:
  Patch fcgi to address CVE-2012-6687 vulnerabilities.

  PR:            197844
  Submitted by:  rodrigo
  Obtained from: ubuntu
  MFH:           2015Q1
  Security:      CVE-2012-6687

Changes:
  head/www/fcgi/Makefile
  head/www/fcgi/files/patch-CVE-2012-6687-pool
Committed, thanks.
A commit references this bug:

Author: rodrigo
Date: Thu Mar 5 22:44:26 UTC 2015
New revision: 380562
URL: https://svnweb.freebsd.org/changeset/ports/380562

Log:
  MFH: r380457

  Patch fcgi to address CVE-2012-6687 vulnerabilities.

  PR:            197844
  Submitted by:  rodrigo
  Obtained from: ubuntu
  Security:      CVE-2012-6687
  Approved by:   ports-secteam

Changes:
  _U  branches/2015Q1/
  branches/2015Q1/www/fcgi/Makefile
  branches/2015Q1/www/fcgi/files/patch-CVE-2012-6687-pool