https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=215457
Bug ID: 215457
Summary: www/apache24 2.4.23 requires security update per
listed CVEs
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: Individual Port(s)
Assignee: apache at FreeBSD.org
Reporter: dewayne at heuristicsystems.com.au
Flags: maintainer-feedback?(apache at FreeBSD.org)
Assignee: apache at FreeBSD.org
Apache announced the following CVE's that are addressed in apache 2.4.25.
Might be time for an update to the port.
CVE-2016-0736 (cve.mitre.org)
mod_session_crypto: Authenticate the session data/cookie with a
MAC (SipHash) to prevent deciphering or tampering with a padding
oracle attack.
CVE-2016-2161 (cve.mitre.org)
mod_auth_digest: Prevent segfaults during client entry allocation
when the shared memory space is exhausted.
CVE-2016-5387 (cve.mitre.org)
core: Mitigate [f]cgi "httpoxy" issues.
CVE-2016-8740 (cve.mitre.org)
mod_http2: Mitigate DoS memory exhaustion via endless
CONTINUATION frames.
CVE-2016-8743 (cve.mitre.org)
Enforce HTTP request grammar corresponding to RFC7230 for request
lines and request headers, to prevent response splitting and cache
pollution by malicious clients or downstream proxies.
After changing the PORTVERSION, makesum and removing the patch
"files/patch-CVE-2016-8740" I came across other issues that may pertain to my
env?? This was on 11.0Stable amd64, as a hint that it may not be
straight-forward.
Thanks to doctor at doctor.nl2k.ab.ca for circulating the announcement.
--
You are receiving this mail because:
You are the assignee for the bug.