Bug 216752 - www/obhttpd: OpenBSD errata, Jan 31, 2017
Summary: www/obhttpd: OpenBSD errata, Jan 31, 2017
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Joseph Mingrone
Keywords: patch
Depends on:
Reported: 2017-02-03 11:44 UTC by Tobias Kortkamp
Modified: 2017-02-16 21:44 UTC (History)
2 users (show)

See Also:
koue: maintainer-feedback+

www___obhttpd.diff (1.62 KB, patch)
2017-02-03 11:44 UTC, Tobias Kortkamp
no flags Details | Diff
www___obhttpd.diff (1.78 KB, patch)
2017-02-03 11:49 UTC, Tobias Kortkamp
tobik: maintainer-approval? (koue)
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Tobias Kortkamp freebsd_committer 2017-02-03 11:44:28 UTC
Created attachment 179563 [details]

There was a recent OpenBSD 6.0 errata for httpd (see below).
Since www/obhttpd seems to be based on the 6.0 version it's
probably affected too.


From: Bob Beck <beck@openbsd.org>
Date: Wed, 1 Feb 2017 23:07:12 -0700
Subject: OpenBSD errata, Jan 31, 2017
To: announce@openbsd.org, tech <tech@openbsd.org>

An issue has been identified whereby httpd(8) could be subject to a denial
of service attack. Repeated crafted requests could be made from a client
using file-range requests, making the server consume excessive amounts of

This issue has been fixed in current. For 5.9 and 6.0 the following errata
will disable range header processing in httpd(8) to prevent the problem.

Thanks to Pierre Kim <pierre.kim.sec@gmail.com> for reporting
the issue.


Comment 1 Tobias Kortkamp freebsd_committer 2017-02-03 11:49:31 UTC
Created attachment 179564 [details]

Sorry, for some reason the patch comment was missing from the diff.
Comment 2 Joseph Mingrone freebsd_committer 2017-02-12 19:34:07 UTC
Should the default configuration file include something like

chroot "/usr/local/www"

and logs/ under it?  Should they be set owned by www:www?

The obhttpd.conf man page says if a chroot is not specified, then the home directory of the www user is used (/var/www on OpenBSD, but nonexistent on FreeBSD).

Does it make sense to replace references to httpd with obhttpd in the man pages?
Comment 3 Joseph Mingrone freebsd_committer 2017-02-12 19:38:16 UTC
At the end of the first sentence I meant to ask if the chroot directory should be created and a logs/ directory created under it?  What about a default HTML root directory to match the default configuration file so things work by default without requiring users to tinker?
Comment 4 Nikola Kolev 2017-02-13 11:28:54 UTC
Hi Joseph,

Yep, I'm agree with your recommendations and will include them in the next version of the port.

Comment 5 Joseph Mingrone freebsd_committer 2017-02-13 20:23:00 UTC
Nikola and Tobias,

I have created a review at https://reviews.freebsd.org/D9574.  Could you comment/test.  Nikola if you are satisfied with these changes could you let me know you approve?  For the next version, I can either submit a pull request or you can incorporate the changes yourself if that makes things easier for you in the future.
Comment 6 Joseph Mingrone freebsd_committer 2017-02-16 20:01:06 UTC
I updated the patch so that a default chroot directory need not be specified in the configuration file, as Tobias suggested.


Nikola, we await your feedback and/or approval.
Comment 7 commit-hook freebsd_committer 2017-02-16 21:43:24 UTC
A commit references this bug:

Author: jrm
Date: Thu Feb 16 21:43:12 UTC 2017
New revision: 434257
URL: https://svnweb.freebsd.org/changeset/ports/434257

  www/obhttpd: Apply OpenBSD errata from January 31st, 2017.

  Errata text: https://marc.info/?l=openbsd-announce&m=148604065924319&w=2

  PR:		216752
  Submitted by:	t@tobik.me
  Approved by:	swills (mentor, implicit) koue@chaosophia.net (maintainer)