Bug 215096 - www/apache24: Fix HTTP/2 DoS vulnerability
Summary: www/apache24: Fix HTTP/2 DoS vulnerability
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: freebsd-apache mailing list
URL: http://mail-archives.apache.org/mod_m...
Keywords: patch, security
Depends on:
Blocks:
 
Reported: 2016-12-06 11:23 UTC by Bernard Spil
Modified: 2016-12-06 17:09 UTC (History)
3 users (show)

See Also:
bugzilla: maintainer-feedback? (apache)
brnrd: merge-quarterly?


Attachments
svn diff for www/apache24 (4.89 KB, patch)
2016-12-06 11:23 UTC, Bernard Spil
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Bernard Spil freebsd_committer 2016-12-06 11:23:54 UTC
Created attachment 177716 [details]
svn diff for www/apache24

www/apache24: Fix HTTP/2 DoS vulnerability

  - Add patch from upstream security advisory
  - Bump PORTREVISION

Security: cb0bf1ec-bb92-11e6-a9a5-b499baebfeaf
Security: CVE-2016-8740
MFH: 2016Q4
Comment 1 Olli Hauer freebsd_committer 2016-12-06 12:04:09 UTC
Hi Bernhard,

I've read about the CVE note this morning in the train, but have not time to test until weekend ..
If the build is OK, please go on and commit the patch!

Since http2 is off by default, I'm not sure if we need PORTREV. bump and MFH, but without I see no way to handle the vuxml entry ...
Comment 2 Mathieu Arnold freebsd_committer 2016-12-06 12:21:08 UTC
The vulnerability is there.  Wether the thing is enabled or not by default does not enter into account.  Bumping PORTREVISION is always necessary.  See https://www.freebsd.org/doc/en/books/porters-handbook/makefile-naming.html
Comment 3 commit-hook freebsd_committer 2016-12-06 12:44:11 UTC
A commit references this bug:

Author: brnrd
Date: Tue Dec  6 12:43:37 UTC 2016
New revision: 427953
URL: https://svnweb.freebsd.org/changeset/ports/427953

Log:
  www/apache24: Fix HTTP/2 DoS vulnerability

    - Add patch from upstream security advisory
    - Bump PORTREVISION

  PR:		215096
  MFH:		2016Q4
  Security:	cb0bf1ec-bb92-11e6-a9a5-b499baebfeaf
  Security:	CVE-2016-8740

Changes:
  head/www/apache24/Makefile
  head/www/apache24/files/patch-CVE-2016-8740
Comment 4 commit-hook freebsd_committer 2016-12-06 12:53:20 UTC
A commit references this bug:

Author: brnrd
Date: Tue Dec  6 12:52:28 UTC 2016
New revision: 427954
URL: https://svnweb.freebsd.org/changeset/ports/427954

Log:
  MFH: r427953

  www/apache24: Fix HTTP/2 DoS vulnerability

    - Add patch from upstream security advisory
    - Bump PORTREVISION

  PR:		215096
  Security:	cb0bf1ec-bb92-11e6-a9a5-b499baebfeaf
  Security:	CVE-2016-8740

  Approved by:	ports-secteam (implicit, "Backport of security and reliability fixes")

Changes:
_U  branches/2016Q4/
  branches/2016Q4/www/apache24/Makefile
  branches/2016Q4/www/apache24/files/patch-CVE-2016-8740