ports/52768: [PATCH] SECURITY-UPDATE Apache2 to 2.0.46

öÎ Àî delphij at hotmail.com
Wed May 28 19:30:08 UTC 2003 

>Number:         52768
>Category:       ports
>Synopsis:       [PATCH] SECURITY-UPDATE Apache2 to 2.0.46
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Wed May 28 12:30:03 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     Xin LI <delphij at frontfree.net>
>Release:        FreeBSD 4.8-STABLE i386
>Organization:
Frontfree Technology Network
>Environment:
System: FreeBSD ftp.cn.netbsd.org 4.8-STABLE FreeBSD 4.8-STABLE #129: Thu 
May 8 00:48:00 CST 2003 delphij at ftp.cn.netbsd.org:/usr/obj/usr/src/sys/FTP 
i386
>Description:
	Apache 2.0 versions 2.0.37 through 2.0.45 can be caused to crash in certain 
circumstances. This can be triggered remotely through mod_dav and possibly 
other mechanisms. The crash was originally reported by David Endler 
<DEndler at iDefense.com> and was researched and fixed by Joe Orton 
<jorton at redhat.com>. Specific details and an analysis of the crash will be 
published Friday, May 30. No more specific information is disclosed at this 
time, but all Apache 2.0 users are encouraged to upgrade now.
	[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0245]

	Apache 2.0 versions 2.0.40 through 2.0.45 on Unix platforms were vulnerable 
to a denial-of-service attack on the basic authentication module, which was 
reported by John Hughes <john.hughes at entegrity.com>. A bug in the 
configuration scripts caused the apr_password_validate() function to be 
thread-unsafe on platforms with crypt_r(), including AIX and Linux. All 
versions of Apache 2.0 have this thread-safety problem on platforms with no 
crypt_r() and no thread-safe crypt(), such as Mac OS X and possibly others. 
When using a threaded MPM (which is not the default on these platforms), 
this allows remote attackers to create a denial of service which causes 
valid usernames and passwords for Basic Authentication to fail until Apache 
is restarted. We do not believe this bug could allow unauthorized users to 
gain access to protected resources.
	[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0189]
>How-To-Repeat:
>Fix:
	I believe the current maintainer will fix this issue, but because of this 
is an emergency security update, I would like this patch to be applied if 
the maintainer is busy. I have tested this under FreeBSD 4-STABLE and 
5-CURRENT. Hope this is helpful and be merged into the 5.1-RELEASE. Thanks.
	Patch updates the port:
diff -ruN apache2.orig/Makefile apache2/Makefile
--- apache2.orig/Makefile	Thu Apr 17 05:33:58 2003
+++ apache2/Makefile	Thu May 29 02:40:53 2003
@@ -6,7 +6,7 @@
#

PORTNAME=	apache
-PORTVERSION=	2.0.45
+PORTVERSION=	2.0.46
CATEGORIES=	www ipv6
MASTER_SITES=	${MASTER_SITE_APACHE_HTTPD}
DISTNAME=	httpd-${PORTVERSION}
diff -ruN apache2.orig/distinfo apache2/distinfo
--- apache2.orig/distinfo	Fri Apr  4 10:36:57 2003
+++ apache2/distinfo	Thu May 29 02:41:47 2003
@@ -1,2 +1,2 @@
-MD5 (httpd-2.0.45.tar.gz) = 1f33e9a2e2de06da190230fa72738d75
+MD5 (httpd-2.0.46.tar.gz) = ff682f82f0808eb01df60824d959ebe8
MD5 (powerlogo.gif) = 0f106073b3c7844cf22d4df126b27c62
diff -ruN apache2.orig/files/patch-configure apache2/files/patch-configure
--- apache2.orig/files/patch-configure	Fri Apr  4 10:36:57 2003
+++ apache2/files/patch-configure	Thu May 29 03:12:58 2003
@@ -1,5 +1,5 @@
---- configure.orig	Mon Mar 31 16:48:51 2003
-+++ configure	Thu Apr  3 21:18:08 2003
+--- configure.orig	Thu May 29 03:07:55 2003
++++ configure	Thu May 29 03:12:31 2003
@@ -1513,7 +1513,7 @@
        $srcdir/config.layout > $pldconf
    layout_name=$LAYOUT
@@ -9,25 +9,25 @@
    for var in prefix exec_prefix bindir sbindir libexecdir mandir \
               sysconfdir datadir errordir iconsdir htdocsdir cgidir \
               includedir localstatedir runtimedir logfiledir libdir \ -@@ 
-2613,7 +2613,7 @@
-     ac_sub_cache_file="$ac_popdir/$cache_file" ;;
-   esac
+@@ -2627,7 +2627,7 @@
+   done

--              if eval $SHELL $ac_abs_srcdir/configure $ac_configure_args 
--cache-file=$ac_sub_cache_file --srcdir=$ac_abs_srcdir $apache_apr_flags 
--prefix=$prefix --exec-prefix=$exec_prefix --libdir=$libdir 
--includedir=$includedir --bindir=$bindir --datadir=$datadir 
--with-installbuilddir=$installbuilddir
-+              if eval $SHELL $ac_abs_srcdir/configure
-+ $ac_configure_args --cache-file=$ac_sub_cache_file
-+ --srcdir=$ac_abs_srcdir $apache_apr_flags --prefix=$prefix
-+ --exec-prefix=$exec_prefix --libdir=$libdir --includedir=$includedir
-+ --bindir=$libdir --datadir=$datadir
-+ --with-installbuilddir=$installbuilddir
+
+-              if eval $SHELL $ac_abs_srcdir/configure $apr_configure_args 
--cache-file=$ac_sub_cache_file --srcdir=$ac_abs_srcdir $apache_apr_flags 
--prefix=$prefix --exec-prefix=$exec_prefix --libdir=$libdir 
--includedir=$includedir --bindir=$bindir --datadir=$datadir 
--with-installbuilddir=$installbuilddir
++              if eval $SHELL $ac_abs_srcdir/configure
++ $apr_configure_args --cache-file=$ac_sub_cache_file 
--srcdir=$ac_abs_srcdir $apache_apr_flags --prefix=$prefix 
--exec-prefix=$exec_prefix --libdir=$libdir --includedir=$includedir 
--bindir=$libdir --datadir=$datadir --with-installbuilddir=$installbuilddir
    then :
      echo "srclib/apr configured properly"
    else
-@@ -2888,7 +2888,7 @@
-     ac_sub_cache_file="$ac_popdir/$cache_file" ;;
-   esac
+@@ -2928,7 +2928,7 @@
+   done
+

--              if eval $SHELL $ac_abs_srcdir/configure $ac_configure_args 
--cache-file=$ac_sub_cache_file --srcdir=$ac_abs_srcdir --with-apr=../apr 
--prefix=$prefix --exec-prefix=$exec_prefix --libdir=$libdir 
--includedir=$includedir --bindir=$bindir
-+              if eval $SHELL $ac_abs_srcdir/configure
-+ $ac_configure_args --cache-file=$ac_sub_cache_file 
--srcdir=$ac_abs_srcdir --with-apr=../apr --prefix=$prefix 
--exec-prefix=$exec_prefix --libdir=$libdir --includedir=$includedir 
--bindir=$libdir
+-              if eval $SHELL $ac_abs_srcdir/configure $apr_configure_args 
--cache-file=$ac_sub_cache_file --srcdir=$ac_abs_srcdir --with-apr=../apr 
--prefix=$prefix --exec-prefix=$exec_prefix --libdir=$libdir 
--includedir=$includedir --bindir=$bindir
++              if eval $SHELL $ac_abs_srcdir/configure
++ $apr_configure_args --cache-file=$ac_sub_cache_file 
--srcdir=$ac_abs_srcdir --with-apr=../apr --prefix=$prefix 
--exec-prefix=$exec_prefix --libdir=$libdir --includedir=$includedir 
--bindir=$libdir
    then :
      echo "srclib/apr-util configured properly"
    else
-@@ -15634,6 +15634,9 @@
+@@ -15719,6 +15719,9 @@

  cat >>confdefs.h <<_ACEOF
  #define SERVER_CONFIG_FILE "${rel_sysconfdir}/${progname}.conf"

_________________________________________________________________
Add photos to your messages with MSN 8. Get 2 months FREE*. 
http://join.msn.com/?page=features/featuredemail

>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-ports-bugs mailing list