Install apache-2.2.20

Jeremy Chadwick freebsd at jdc.parodius.com
Fri Sep 2 10:34:39 UTC 2011


On Fri, Sep 02, 2011 at 11:44:20AM +0200, Florian Smeets wrote:
> On 02.09.2011 11:03, Jeremy Chadwick wrote:
> >On Fri, Sep 02, 2011 at 10:48:21AM +0200, Florian Smeets wrote:
> >>On 02.09.2011 10:41, Jeremy Chadwick wrote:
> >>>On Fri, Sep 02, 2011 at 12:06:26PM +0400, Pavel Timofeev wrote:
> >>>>Hi, there's a problem
> >>>>[root at timbsd /usr/ports/www/apache22]# make
> >>>>
> >>>>===>    apache-2.2.20 has known vulnerabilities:
> >>>>=>   apache -- Range header DoS vulnerability.
> >>>>    Reference:
> >>>>http://portaudit.FreeBSD.org/7f6108d2-cea8-11e0-9d58-0800279895ea.html
> >>>>=>   Please update your ports tree and try again.
> >>>>*** Error code 1
> >>>>
> >>>>Stop in /usr/ports/www/apache22.
> >>>>*** Error code 1
> >>>>
> >>>>Stop in /usr/ports/www/apache22.
> >>>
> >>>Looks like someone may have screwed up the portaudit (security/vuxml)
> >>>update.
> >>>
> >>
> >>You just need to download the current database.
> >>
> >># portaudit -F
> >>
> >>That worked for me.
> >
> >Look at the message he's receiving.  "apache-2.2.20 has known
> >vulnerabilities".  This is wrong.  Versions *PRIOR* to 2.2.20 have known
> >vulnerabilities.
> 
> The first vuxml entry that was added for this vulnerability had
> 
> | +	<range><gt>2.*</gt></range>
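Review bot: the range carries only a lower bound, `<gt>2.*</gt>`, and no `<lt>`, so every 2.x version, including 2.2.20 which already contains the fix, is reported as vulnerable; the entry needs an upper bound at the first fixed version, e.g. `<lt>2.2.20</lt>`, alongside the `<gt>`.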
> 
> It was fixed yesterday to match only versions lower than 2.2.20
> 
> | -	<range><gt>2.*</gt></range>
> | +	<range><gt>2.*</gt><lt>2.2.20</lt></range>
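Review bot: the added `<lt>2.2.20</lt>` closes the range correctly for the `apache` package, but portaudit matches on package name as well as version, so the slave ports built from www/apache22 (the apache-itk-XXX packages raised later in this thread) stay unflagged until the same range is listed under their own `<name>` elements in the entry.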

Right, so it was buggered, and someone fixed it.  It's fixed *now*, but
it was broken at some point.  *sigh*  Well it's fixed, there's no real
point to me going on about it.  Thank you for providing the history
though, I appreciate it.

> That's why I suggested downloading the new database.

Understood.

> >2) I'm using apache22 with the ITK MPM and I receive no such security
> >concern message.
> >
> >3) portaudit -Fda doesn't indicate anything is insecure besides PHP on
> >my system, even though it obviously is (using Apache 2.2.19).
> >
> 
> Ok, that's a different problem. 2 and 3 are basically the same
> problem, no? I think the slave ports need to be added to the entry,
> too.

Yes, they're related.  I guess I should have put them under a single
item instead of separating them.

> >In my case (re: not receiving the security warning), it may be that
> >someone did not add the apache-itk-XXX shims to the portaudit db, which
> >are the direct result of the "stub" ports for Apache.  I don't know who
> >maintains this, but it's obviously incomplete.
> 
> Yes, they should be added.

Agreed, and someone should take the time to look at all the other Apache
stub ports to make sure they get added as well.  An "egrep ^apache" on
the audit db returns quite a lot of entries -- I imagine some are
legacy/for classic purposes that don't apply to the "present-day" ports
system, but going through all the www/apache* ports that rely on
www/apache22 would be best.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                   Mountain View, CA, US |
| Making life hard for others since 1977.               PGP 4BD6C0CB |
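The two failure modes discussed in this thread (a vuxml range with no upper bound flagging the already-fixed 2.2.20, and a slave port whose package name is not listed in the entry at all) can be reproduced with a small matcher. The script below is an added example and is not part of the mailing-list post nor portaudit's own code: the two `<package>` fragments are constructed from the range lines quoted above, and the version comparison with its handling of the `*` wildcard is a simplified assumption rather than the exact rules portaudit applies.

```python
import re
import xml.etree.ElementTree as ET

# Constructed vuxml-style <package> fragments built from the two <range>
# lines quoted in the thread. Illustrations only, not the real entry in
# security/vuxml.
BROKEN_ENTRY = (
    "<package><name>apache</name>"
    "<range><gt>2.*</gt></range></package>"
)
FIXED_ENTRY = (
    "<package><name>apache</name>"
    "<range><gt>2.*</gt><lt>2.2.20</lt></range></package>"
)

# Comparison operators a vuxml <range> may contain.
OPS = {
    "lt": lambda c: c < 0,
    "le": lambda c: c <= 0,
    "eq": lambda c: c == 0,
    "ge": lambda c: c >= 0,
    "gt": lambda c: c > 0,
}


def split_pkg(pkg):
    """Split 'apache-itk-2.2.19' into ('apache-itk', '2.2.19').

    The version is whatever follows the last '-', which is how FreeBSD
    package names are laid out.
    """
    name, _, version = pkg.rpartition("-")
    return name, version


def _num(component):
    # Assumption: only the leading digits of a component are compared;
    # suffixes such as _1 or ,2 are ignored in this simplified model.
    m = re.match(r"\d+", component)
    return int(m.group()) if m else 0


def compare(version, bound):
    """Return -1, 0 or 1 for version <, == or > bound.

    A '*' component in the bound matches any component at that position
    (assumption: simplified wildcard handling). Extra trailing components
    on the version side make it the greater one, so 2.2.20 > 2.*.
    """
    v = version.split(".")
    b = bound.split(".")
    for i in range(max(len(v), len(b))):
        if i >= len(b):
            return 1            # version has more components than bound
        if i >= len(v):
            return 0 if b[i] == "*" else -1
        if b[i] == "*":
            continue            # wildcard: accept whatever is here
        vi, bi = _num(v[i]), _num(b[i])
        if vi != bi:
            return -1 if vi < bi else 1
    return 0


def is_affected(entry_xml, pkg):
    """True if the installed package matches a <name> and a <range> of the entry."""
    name, version = split_pkg(pkg)
    package = ET.fromstring(entry_xml)
    names = {n.text for n in package.findall("name")}
    if name not in names:
        # No <name> for this package: this is the slave-port gap from the
        # thread, e.g. apache-itk is never checked against the apache range.
        return False
    for rng in package.findall("range"):
        if all(OPS[bound.tag](compare(version, bound.text)) for bound in rng):
            return True
    return False


if __name__ == "__main__":
    for entry, label in ((BROKEN_ENTRY, "broken"), (FIXED_ENTRY, "fixed")):
        for pkg in ("apache-2.2.19", "apache-2.2.20", "apache-itk-2.2.19"):
            print(f"{label:6} {pkg:18} affected={is_affected(entry, pkg)}")
```

Running it shows the broken entry reporting `apache-2.2.20` as vulnerable while the fixed entry stops at 2.2.19, and `apache-itk-2.2.19` coming back unaffected under both, purely because no `<name>` covers it.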


