svn commit: r301849 - in head: security/vuxml www/apache22 www/apache22/files
Wesley Shields
wxs at FreeBSD.org
Thu Aug 2 03:17:27 UTC 2012
Author: wxs
Date: Thu Aug 2 03:17:26 2012
New Revision: 301849
URL: http://svn.freebsd.org/changeset/ports/301849
Log:
Document Apache 2.2.x insecure handling of LD_LIBRARY_PATH.
Add patch[1] to the apache port to address the problem.
[1]: http://svn.apache.org/viewvc/httpd/httpd/trunk/support/envvars-std.in?view=log&pathrev=1296428
Approved by: apache@ (pgollucci@)
Obtained from: Apache SVN
Modified:
head/security/vuxml/vuln.xml
head/www/apache22/Makefile
head/www/apache22/files/patch-support__envvars-std.in (contents, props changed)
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Thu Aug 2 03:09:40 2012 (r301848)
+++ head/security/vuxml/vuln.xml Thu Aug 2 03:17:26 2012 (r301849)
@@ -52,6 +52,52 @@ Note: Please add new entries to the beg
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="de2bc01f-dc44-11e1-9f4d-002354ed89bc">
+ <topic>Apache -- Insecure LD_LIBRARY_PATH handling</topic>
+ <affects>
+ <package>
+ <name>apache</name>
+ <range><le>2.2.22_5</le></range>
+ </package>
+ <package>
+ <name>apache-event</name>
+ <range><le>2.2.22_5</le></range>
+ </package>
+ <package>
+ <name>apache-itk</name>
+ <range><le>2.2.22_5</le></range>
+ </package>
+ <package>
+ <name>apache-peruser</name>
+ <range><le>2.2.22_5</le></range>
+ </package>
+ <package>
+ <name>apache-worker</name>
+ <range><le>2.2.22_5</le></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Apache reports:</p>
+ <blockquote cite="http://httpd.apache.org/security/vulnerabilities_24.html">
+ <p>Insecure handling of LD_LIBRARY_PATH was found that could lead to
+ the current working directory to be searched for DSOs. This could
+ allow a local user to execute code as root if an administrator runs
+ apachectl from an untrusted directory.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2012-0883</cvename>
+ <url>http://httpd.apache.org/security/vulnerabilities_24.html</url>
+ <url>http://www.apache.org/dist/httpd/CHANGES_2.4.2</url>
+ </references>
+ <dates>
+ <discovery>2012-03-02</discovery>
+ <entry>2012-08-01</entry>
+ </dates>
+ </vuln>
+
<vuln vid="f01292a0-db3c-11e1-a84b-00e0814cab4e">
<topic>django -- multiple vulnerabilities</topic>
<affects>
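Review bot: Every reference in the new entry, and the blockquote's cite, points at 2.4-series documents (vulnerabilities_24.html, CHANGES_2.4.2) while all five affected packages are pinned at `<le>2.2.22_5</le>`, so a 2.2 user following the links cannot tell whether or when the 2.2 branch was fixed. If the 2.2-series security page on the same host (vulnerabilities_22.html) lists CVE-2012-0883, adding `<url>http://httpd.apache.org/security/vulnerabilities_22.html</url>` to `<references>` would make the entry self-contained for the port it actually covers. The range is tied to the port revision rather than an httpd version because the fix here is the ports-local patch that accompanies the PORTREVISION bump in the same commit; a short note to that effect in the description would save the next reader from looking for a 2.2 release that carries it. If www/apache22 produces any package name beyond the five listed, the same range applies to it.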
Modified: head/www/apache22/Makefile
==============================================================================
--- head/www/apache22/Makefile Thu Aug 2 03:09:40 2012 (r301848)
+++ head/www/apache22/Makefile Thu Aug 2 03:17:26 2012 (r301849)
@@ -9,7 +9,7 @@
PORTNAME= apache
PORTVERSION= 2.2.22
-PORTREVISION= 5
+PORTREVISION= 6
CATEGORIES= www
MASTER_SITES= ${MASTER_SITE_APACHE_HTTPD}
DISTNAME= httpd-${PORTVERSION}
Modified: head/www/apache22/files/patch-support__envvars-std.in
==============================================================================
--- head/www/apache22/files/patch-support__envvars-std.in Thu Aug 2 03:09:40 2012 (r301848)
+++ head/www/apache22/files/patch-support__envvars-std.in Thu Aug 2 03:17:26 2012 (r301849)
@@ -1,6 +1,15 @@
---- ./support/envvars-std.in.orig 2006-07-11 23:38:44.000000000 -0400
-+++ ./support/envvars-std.in 2010-05-06 19:37:54.270732510 -0400
-@@ -22,3 +22,10 @@
+--- support/envvars-std.in.orig 2006-07-11 23:38:44.000000000 -0400
++++ support/envvars-std.in 2012-08-01 23:11:16.000000000 -0400
+@@ -18,7 +18,18 @@
+ #
+ # This file is generated from envvars-std.in
+ #
+- at SHLIBPATH_VAR@="@exp_libdir@:$@SHLIBPATH_VAR@"
++if test "x$@SHLIBPATH_VAR@" != "x" ; then
++ @SHLIBPATH_VAR@="@exp_libdir@:$@SHLIBPATH_VAR@"
++else
++ @SHLIBPATH_VAR@="@exp_libdir@"
++fi
export @SHLIBPATH_VAR@
#
@OS_SPECIFIC_VARS@
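Review bot: The new `if test "x$@SHLIBPATH_VAR@" != "x"` guard only removes the empty trailing component that an unset or empty variable used to produce; when the variable is inherited non-empty, the `then` branch still prepends `@exp_libdir@:` to it verbatim, so an inherited value that already contains an empty component (a leading or trailing colon) presumably keeps the current-directory search the VuXML entry describes. That matches the upstream change and is not a defect of this port patch, but a one-line comment above the `if`, added as a further `+` line with the inner hunk's new-side count adjusted, would state the scope: `# Only guard against an unset/empty value; an inherited path is passed through unchanged.` The ` at ` in the removed `- at SHLIBPATH_VAR@=` line looks like the list archive's rendering of a leading `@`, not the contents of the file. The inner header `@@ -18,7 +18,18 @@` counts more new lines than are visible here, which is consistent with the patch file continuing past this outer hunk; worth confirming the trailing lines still apply cleanly after the renumbering.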