Install apache-2.2.20
Jeremy Chadwick
freebsd at jdc.parodius.com
Fri Sep 2 09:17:00 UTC 2011
On Fri, Sep 02, 2011 at 10:48:21AM +0200, Florian Smeets wrote:
> On 02.09.2011 10:41, Jeremy Chadwick wrote:
> >On Fri, Sep 02, 2011 at 12:06:26PM +0400, Pavel Timofeev wrote:
> >>Hi, there's a problem
> >>[root at timbsd /usr/ports/www/apache22]# make
> >>
> >> To enable a module category: WITH_<CATEGORY>_MODULES
> >> To disable a module category: WITHOUT_<CATEGORY>_MODULES
> >>
> >> Per default categories are:
> >> AUTH AUTHN AUTHZ DAV CACHE MISC
> >> Categories available:
> >> AUTH AUTHN AUTHZ CACHE DAV EXPERIMENTAL LDAP MISC PROXY SSL SUEXEC
> >>THREADS
> >>
> >> To see all available knobs, type make show-options
> >> To see all modules in different categories, type make show-categories
> >> You can check your modules configuration by using make show-modules
> >>
> >>===> apache-2.2.20 has known vulnerabilities:
> >>=> apache -- Range header DoS vulnerability.
> >> Reference:
> >>http://portaudit.FreeBSD.org/7f6108d2-cea8-11e0-9d58-0800279895ea.html
> >>=> Please update your ports tree and try again.
> >>*** Error code 1
> >>
> >>Stop in /usr/ports/www/apache22.
> >>*** Error code 1
> >>
> >>Stop in /usr/ports/www/apache22.
> >
> >Looks like someone may have screwed up the portaudit (security/vuxml)
> >update.
> >
>
> You just need to download the current database.
>
> # portaudit -F
>
> That worked for me.
Look at the message he's receiving. "apache-2.2.20 has known
vulnerabilities". This is wrong. Versions *PRIOR* to 2.2.20 have known
vulnerabilities.
So again: someone messed up the portaudit (security/vuxml) database. If
it got fixed, I'm not seeing any evidence of that yet either:
icarus# pkg_info | egrep ^apache
apache-itk-2.2.19 Version 2.2.x of Apache web server with itk MPM.
icarus# portaudit -Fda
New database installed.
Database created: Thu Sep 1 12:20:00 PDT 2011
Affected package: php5-5.3.6
Type of problem: php -- multiple vulnerabilities.
Reference: http://portaudit.FreeBSD.org/057bf770-cac4-11e0-aea3-00215c6a37bb.html
1 problem(s) in your installed packages found.
You are advised to update or deinstall the affected package(s)
immediately.
icarus# egrep ^PORTVERSION /usr/ports/www/apache22/Makefile
PORTVERSION= 2.2.20
Let's recap:
1) The message the OP is receiving is that Apache 2.2.20 is insecure,
which is wrong.
2) I'm using apache22 with the ITK MPM and I receive no such security
concern message.
3) portaudit -Fda doesn't indicate anything is insecure besides PHP on
my system, even though it obviously is (using Apache 2.2.19).
4) Here's the relevant contents of the portaudit db:
icarus# bzcat /var/db/portaudit/auditfile.tbz | strings -a | egrep ^apache | grep Range
apache>2.*<2.2.20|http://portaudit.FreeBSD.org/7f6108d2-cea8-11e0-9d58-0800279895ea.html|apache -- Range header DoS vulnerability
In my case (re: not receiving the security warning), it may be that
someone did not add the apache-itk-XXX shims to the portaudit db, which
are the direct result of the "stub" ports for Apache. I don't know who
maintains this, but it's obviously incomplete.
--
| Jeremy Chadwick jdc at parodius.com |
| Parodius Networking http://www.parodius.com/ |
| UNIX Systems Administrator Mountain View, CA, US |
| Making life hard for others since 1977. PGP 4BD6C0CB |
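The auditfile line quoted in the message (`apache>2.*<2.2.20|...`) is a package-name glob followed by version bounds, and the ITK point turns on the fact that `apache-itk` is a different package name from `apache`. The following is an added example, not portaudit's own code and not from anyone in this thread: a small model of how such a line is matched against installed packages. It assumes a simplified FreeBSD version ordering (epoch `,N`, then dotted numerics, then `_N` revision), reads the `2.*` wildcard bound inclusively as "2.x or later", and includes a hypothetical `apache-itk` shim line, named as such, to show what adding one would change.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample in the portaudit auditfile line format
# (pattern|reference|description).  QUOTED_ENTRY is the line shown in the
# mail; HYPOTHETICAL_ITK_SHIM is an invented shim for the apache-itk stub
# port, of the kind the mail says is missing from the real database.
QUOTED_ENTRY = (
    "apache>2.*<2.2.20|http://portaudit.FreeBSD.org/"
    "7f6108d2-cea8-11e0-9d58-0800279895ea.html|"
    "apache -- Range header DoS vulnerability\n"
)
HYPOTHETICAL_ITK_SHIM = (
    "apache-itk>2.*<2.2.20|http://portaudit.FreeBSD.org/"
    "7f6108d2-cea8-11e0-9d58-0800279895ea.html|"
    "apache -- Range header DoS vulnerability\n"
)

BOUND_RE = re.compile(r"(<=|>=|<|>)([^<>]+)")


def parse_version(v):
    """Split a package version into (epoch, components, revision).
    Simplified model: ',N' is the epoch, '_N' the PORTREVISION, the rest
    dotted components.  Numeric parts sort as (1, n), other text as
    (0, text); '*' is kept as a wildcard marker."""
    epoch = rev = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    if "_" in v:
        v, r = v.rsplit("_", 1)
        rev = int(r)
    comps = []
    for c in v.split("."):
        if c == "*":
            comps.append("*")
        elif c.isdigit():
            comps.append((1, int(c)))
        else:
            comps.append((0, c))
    return epoch, comps, rev


def compare(a, b):
    """Three-way compare (-1, 0, 1).  A '*' component, and everything after
    it, compares equal to anything (assumed meaning of the '2.*' wildcard)."""
    ea, ca, ra = parse_version(a)
    eb, cb, rb = parse_version(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    for x, y in zip(ca, cb):
        if x == "*" or y == "*":
            return 0
        if x != y:
            return (x > y) - (x < y)
    if len(ca) != len(cb):
        shorter = min(len(ca), len(cb))
        longer = ca if len(ca) > len(cb) else cb
        if longer[shorter] == "*":
            return 0
        return (len(ca) > len(cb)) - (len(ca) < len(cb))  # 2.2 < 2.2.1
    return (ra > rb) - (ra < rb)


def satisfies(version, op, bound):
    """Evaluate one bound.  Assumption: a wildcard bound such as '>2.*' is
    read inclusively ('2.x or later'), since a strict '>' against a wildcard
    would never match anything inside the 2.x family."""
    c = compare(version, bound)
    wild = "*" in bound
    if op == ">":
        return c >= 0 if wild else c > 0
    if op == "<":
        return c <= 0 if wild else c < 0
    if op == ">=":
        return c >= 0
    return c <= 0  # "<="


def split_package(pkg):
    """'apache-itk-2.2.19' -> ('apache-itk', '2.2.19')."""
    name, version = pkg.rsplit("-", 1)
    return name, version


def parse_entry(line):
    pattern, url, desc = line.rstrip("\n").split("|", 2)
    name = re.match(r"[^<>]+", pattern).group(0)
    bounds = BOUND_RE.findall(pattern[len(name):])
    return name, bounds, url, desc


def audit(installed, auditfile):
    """Return [(package, description)] for installed packages whose name
    matches an entry's name glob exactly and whose version satisfies every
    bound of that entry."""
    hits = []
    entries = [parse_entry(ln) for ln in auditfile.splitlines() if ln.strip()]
    for pkg in installed:
        name, version = split_package(pkg)
        for pname, bounds, _url, desc in entries:
            if fnmatchcase(name, pname) and all(
                satisfies(version, op, bound) for op, bound in bounds
            ):
                hits.append((pkg, desc))
    return hits


if __name__ == "__main__":
    installed = ["apache-2.2.19", "apache-2.2.20", "apache-itk-2.2.19"]
    print("quoted entry only:", audit(installed, QUOTED_ENTRY))
    print("with apache-itk shim:",
          audit(installed, QUOTED_ENTRY + HYPOTHETICAL_ITK_SHIM))
```

Under this model the quoted line flags `apache-2.2.19`, does not flag `apache-2.2.20` (the `<2.2.20` bound is strict), and does not flag `apache-itk-2.2.19` at all because the name glob `apache` does not match `apache-itk`; only the hypothetical shim line makes the ITK package show up. Whether the real database behaved this way on the OP's machine is not something the model settles; it only shows which part of an entry each observation in the thread depends on.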