Install apache-2.2.20
Florian Smeets
flo at freebsd.org
Fri Sep 2 09:44:22 UTC 2011
On 02.09.2011 11:03, Jeremy Chadwick wrote:
> On Fri, Sep 02, 2011 at 10:48:21AM +0200, Florian Smeets wrote:
>> On 02.09.2011 10:41, Jeremy Chadwick wrote:
>>> On Fri, Sep 02, 2011 at 12:06:26PM +0400, Pavel Timofeev wrote:
>>>> Hi, there's a problem
>>>> [root at timbsd /usr/ports/www/apache22]# make
>>>>
>>>> ===> apache-2.2.20 has known vulnerabilities:
>>>> => apache -- Range header DoS vulnerability.
>>>> Reference:
>>>> http://portaudit.FreeBSD.org/7f6108d2-cea8-11e0-9d58-0800279895ea.html
>>>> => Please update your ports tree and try again.
>>>> *** Error code 1
>>>>
>>>> Stop in /usr/ports/www/apache22.
>>>> *** Error code 1
>>>>
>>>> Stop in /usr/ports/www/apache22.
>>>
>>> Looks like someone may have screwed up the portaudit (security/vuxml)
>>> update.
>>>
>>
>> You just need to download the current database.
>>
>> # portaudit -F
>>
>> That worked for me.
>
> Look at the message he's receiving. "apache-2.2.20 has known
> vulnerabilities". This is wrong. Versions *PRIOR* to 2.2.20 have known
> vulnerabilities.
The first vuxml entry that was added for this vulnerability had
| + <range><gt>2.*</gt></range>
It was fixed yesterday to match only versions lower than 2.2.20
| - <range><gt>2.*</gt></range>
| + <range><gt>2.*</gt><lt>2.2.20</lt></range>
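Review bot: the added `<lt>2.2.20</lt>` is what was missing; with only `<gt>2.*</gt>` the range has no upper bound, so every 2.x build including the fixed 2.2.20 is flagged, which is exactly the error the original poster hit. Two things the hunk does not touch: the `<gt>2.*</gt>` lower bound is a wildcard used with a strict comparison, so it is worth confirming it really means "any 2.x" in vuxml's matching rules, and the entry still carries only the `apache` package name, so the slave ports discussed below (apache-itk and friends) will not match until their names are listed in the same entry.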
That's why I suggested downloading the new database.
>
> So again: someone messed up the portaudit (security/vuxml) database. If
> it got fixed, I'm not seeing any evidence of that yet either:
>
If you download the newest db, Pavel's problem should be fixed.
> Let's recap:
>
> 1) The message the OP is receiving is that Apache 2.2.20 is insecure,
> which is wrong.
see above.
>
> 2) I'm using apache22 with the ITK MPM and I receive no such security
> concern message.
>
> 3) portaudit -Fda doesn't indicate anything is insecure besides PHP on
> my system, even though it obviously is (using Apache 2.2.19).
>
Ok, that's a different problem. 2 and 3 are basically the same problem,
no? I think the slave ports need to be added to the entry, too.
> 4) Here's the relevant contents of the portaudit db:
>
> icarus# bzcat /var/db/portaudit/auditfile.tbz | strings -a | egrep ^apache | grep Range
> apache>2.*<2.2.20|http://portaudit.FreeBSD.org/7f6108d2-cea8-11e0-9d58-0800279895ea.html|apache -- Range header DoS vulnerability
>
You have the current database :)
> In my case (re: not receiving the security warning), it may be that
> someone did not add the apache-itk-XXX shims to the portaudit db, which
> are the direct result of the "stub" ports for Apache. I don't know who
> maintains this, but it's obviously incomplete.
>
Yes, they should be added.
Cheers,
Florian
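The thread turns on two matching details of the portaudit database: an entry with only a lower bound (`apache>2.*`) flags the fixed 2.2.20, and an entry keyed on the package name `apache` never matches a slave port such as `apache-itk`. The following is an added example, not portaudit's or vuxml's own code: a toy re-implementation of the auditfile line format shown in the thread (`name<ops>|url|description`) that checks installed package names against it. The two audit lines are constructed from the entry quoted above (one with the original unbounded range, one with the corrected range), and the version semantics are an assumption: components are compared as dotted integers, and a trailing `.*` wildcard is taken to mean "any release with this prefix", so `>2.*` covers every 2.x build. pkg_version(1) handles many more version forms (epochs, letters, PORTREVISION) than this sketch does.

```python
"""Toy portaudit-style matcher (added example, not portaudit's code).

Entry format, as seen in the thread's `bzcat .../auditfile.tbz` output:
    name>lower<upper|url|description
"""
import re

# Constructed sample lines: the first mirrors the original vuxml range
# (lower bound only), the second the corrected range with <lt>2.2.20</lt>.
VULN_URL = "http://portaudit.FreeBSD.org/7f6108d2-cea8-11e0-9d58-0800279895ea.html"
VULN_DESC = "apache -- Range header DoS vulnerability"
AUDIT_BROKEN = "apache>2.*|" + VULN_URL + "|" + VULN_DESC
AUDIT_FIXED = "apache>2.*<2.2.20|" + VULN_URL + "|" + VULN_DESC

_SPEC_RE = re.compile(r"([^<>=]+)(.*)")          # package name, then constraints
_OP_RE = re.compile(r"(<=|>=|<|>|=)([^<>=]+)")   # one (operator, pattern) pair


def parse_entry(line):
    """Split an auditfile line into (name, [(op, pattern), ...], url, desc)."""
    spec, url, desc = line.rstrip("\n").split("|", 2)
    name, rest = _SPEC_RE.match(spec).groups()
    return name, _OP_RE.findall(rest), url, desc


def split_pkg(pkgname):
    """'apache-itk-2.2.19' -> ('apache-itk', '2.2.19'); version follows the last '-'."""
    name, _, ver = pkgname.rpartition("-")
    return name, ver


def vtuple(version):
    """Simplified version key: numeric components only (assumption; no epoch/letter rules)."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def satisfies(version, op, pattern):
    """Assumed wildcard semantics: 'X.*' matches any release with prefix X, and
    the comparison becomes inclusive on that prefix, so '>2.*' is satisfied by
    every 2.x release. That is why the unbounded entry flagged 2.2.20."""
    wildcard = pattern.endswith(".*")
    p = vtuple(pattern[:-2] if wildcard else pattern)
    v = vtuple(version)
    if wildcard:
        v = v[:len(p)]  # compare only the explicit prefix
    if op == "<":
        return v < p or (wildcard and v == p)
    if op == "<=":
        return v <= p
    if op == ">":
        return v > p or (wildcard and v == p)
    if op == ">=":
        return v >= p
    return v == p  # '='


def is_vulnerable(pkgname, entry):
    """True if the installed package is covered by the audit entry."""
    name, constraints, _, _ = parse_entry(entry)
    pkg, ver = split_pkg(pkgname)
    if pkg != name:
        # Slave ports (apache-itk, ...) register under their own package
        # name, so an entry naming only 'apache' never matches them.
        return False
    return all(satisfies(ver, op, pat) for op, pat in constraints)


def audit(installed, auditfile_lines):
    """Return (pkgname, description) hits, roughly what `portaudit -a` prints."""
    hits = []
    for pkg in installed:
        for line in auditfile_lines:
            if is_vulnerable(pkg, line):
                hits.append((pkg, parse_entry(line)[3]))
    return hits


if __name__ == "__main__":
    for pkg in ("apache-2.2.19", "apache-2.2.20", "apache-itk-2.2.19"):
        print(pkg, "broken db:", is_vulnerable(pkg, AUDIT_BROKEN),
              "fixed db:", is_vulnerable(pkg, AUDIT_FIXED))
```

Against the corrected line, `apache-2.2.19` is the only hit; `apache-2.2.20` passes, and `apache-itk-2.2.19` is silently missed because the name does not match, which reproduces points 2 and 3 in the thread without touching a real ports tree.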