Bug 215457 - www/apache24 2.4.23 requires security update per listed CVEs
Summary: www/apache24 2.4.23 requires security update per listed CVEs
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Olli Hauer
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-12-21 00:42 UTC by dewayne
Modified: 2016-12-22 06:28 UTC
CC List: 1 user

See Also:
bugzilla: maintainer-feedback? (apache)
ohauer: merge-quarterly?


Description dewayne 2016-12-21 00:42:42 UTC
Apache announced the following CVEs that are addressed in apache 2.4.25.  Might be time for an update to the port.

  CVE-2016-0736 (cve.mitre.org)
  mod_session_crypto: Authenticate the session data/cookie with a
  MAC (SipHash) to prevent deciphering or tampering with a padding
  oracle attack.

  CVE-2016-2161 (cve.mitre.org)
  mod_auth_digest: Prevent segfaults during client entry allocation
  when the shared memory space is exhausted.

  CVE-2016-5387 (cve.mitre.org)
  core: Mitigate [f]cgi "httpoxy" issues.

  CVE-2016-8740 (cve.mitre.org)
  mod_http2: Mitigate DoS memory exhaustion via endless
  CONTINUATION frames.

  CVE-2016-8743 (cve.mitre.org)
  Enforce HTTP request grammar corresponding to RFC7230 for request
  lines and request headers, to prevent response splitting and cache
  pollution by malicious clients or downstream proxies.

After changing the PORTVERSION, makesum and removing the patch "files/patch-CVE-2016-8740" I came across other issues that may pertain to my env?  This was on 11.0-STABLE amd64, as a hint that it may not be straight-forward.

Thanks to doctor@doctor.nl2k.ab.ca for circulating the announcement.
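As an added example, not code from the bug report or from the httpd project, here is a toy CGI environment builder in Python that shows the header-to-HTTP_* mapping behind the "httpoxy" issue (CVE-2016-5387 in the list above) and the mitigation httpd 2.4.25 applied, which is to never populate HTTP_PROXY from a client-supplied header; the sample header names and values are constructed.

```python
# Added example (not from the bug report or the httpd project): a toy CGI
# environment builder illustrating the "httpoxy" hazard behind CVE-2016-5387.
# Per the CGI spec, each request header "Foo-Bar: v" becomes the meta-variable
# HTTP_FOO_BAR, so a client-supplied "Proxy:" header lands in HTTP_PROXY, which
# many HTTP client libraries read as their outbound proxy setting. The hardened
# builder mirrors what httpd 2.4.25 does: it never emits HTTP_PROXY from a
# request header.

def header_to_cgi_name(name: str) -> str:
    """Map a header field name to its CGI meta-variable name."""
    return "HTTP_" + name.strip().upper().replace("-", "_")

def build_cgi_env(headers, harden=True):
    """Return the HTTP_* part of a CGI environment for the given headers.

    headers: list of (name, value) tuples as received from the client.
    harden:  when True, drop any header that would populate HTTP_PROXY.
    """
    env = {}
    for name, value in headers:
        var = header_to_cgi_name(name)
        value = value.strip()
        if harden and var == "HTTP_PROXY":
            continue  # the mitigation: a client must never set HTTP_PROXY
        # Repeated headers are folded into one value, joined with ", "
        env[var] = f"{env[var]}, {value}" if var in env else value
    return env

def find_httpoxy(headers):
    """Detection helper: return the values of any 'Proxy' header present,
    so a reverse proxy or log pipeline can flag requests carrying one."""
    return [v.strip() for n, v in headers if n.strip().lower() == "proxy"]

# Constructed sample request headers, including a planted Proxy header.
SAMPLE_HEADERS = [
    ("Host", "www.example.com"),
    ("User-Agent", "curl/7.51.0"),
    ("Proxy", "http://proxy.example.invalid:8080"),
    ("X-Forwarded-For", "198.51.100.7"),
]

if __name__ == "__main__":
    print("unhardened:", build_cgi_env(SAMPLE_HEADERS, harden=False))
    print("hardened:  ", build_cgi_env(SAMPLE_HEADERS))
    print("flagged:   ", find_httpoxy(SAMPLE_HEADERS))
```

Because the name is upper-cased before the check, a header spelled "pRoXy" is dropped just like "Proxy".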
Comment 1 commit-hook 2016-12-21 10:42:11 UTC
A commit references this bug:

Author: ohauer
Date: Wed Dec 21 10:41:10 UTC 2016
New revision: 429063
URL: https://svnweb.freebsd.org/changeset/ports/429063

Log:
  - update to 2.4.25

  PR:		215457
  Reported by:	Apache Software Foundation
  MFH:		2016Q4
  Security:	vid 862d6ab3-c75e-11e6-9f98-20cf30e32f6d
  		CVE-2016-8743
  		CVE-2016-2161
  		CVE-2016-0736
  		CVE-2016-8740
  		CVE-2016-5387

Changes:
  head/www/apache24/Makefile
  head/www/apache24/distinfo
  head/www/apache24/files/patch-CVE-2016-8740
  head/www/apache24/files/patch-httpoxy
Comment 2 Olli Hauer 2016-12-21 11:01:20 UTC
An update to 2.4.25 was committed.

(I don't know doctor@, but there are several sec. lists subscribed to the Apache Foundation announcements)
Comment 3 commit-hook 2016-12-22 06:28:09 UTC
A commit references this bug:

Author: ohauer
Date: Thu Dec 22 06:27:09 UTC 2016
New revision: 429144
URL: https://svnweb.freebsd.org/changeset/ports/429144

Log:
  MFH: r425421 r429063

  - Add LICENSE
  - update to 2.4.25

  PR:		215457
  Reported by:	Apache Software Foundation
  Security:	vid 862d6ab3-c75e-11e6-9f98-20cf30e32f6d
  		CVE-2016-8743
  		CVE-2016-2161
  		CVE-2016-0736
  		CVE-2016-8740
  		CVE-2016-5387

  Approved by:	ports-secteam (junovitch)

Changes:
_U  branches/2016Q4/
  branches/2016Q4/www/apache24/Makefile
  branches/2016Q4/www/apache24/distinfo
  branches/2016Q4/www/apache24/files/patch-CVE-2016-8740
  branches/2016Q4/www/apache24/files/patch-httpoxy