[Bug 215457] www/apache24 2.4.23 requires security update per listed CVEs

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Wed Dec 21 00:42:43 UTC 2016


            Bug ID: 215457
           Summary: www/apache24 2.4.23 requires security update per
                    listed CVEs
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: Individual Port(s)
          Assignee: apache at FreeBSD.org
          Reporter: dewayne at heuristicsystems.com.au
             Flags: maintainer-feedback?(apache at FreeBSD.org)
          Assignee: apache at FreeBSD.org

Apache announced the following CVE's that are addressed in apache 2.4.25. 
Might be time for an update to the port.  

  CVE-2016-0736 (cve.mitre.org)
  mod_session_crypto: Authenticate the session data/cookie with a
  MAC (SipHash) to prevent deciphering or tampering with a padding
  oracle attack.

  CVE-2016-2161 (cve.mitre.org)
  mod_auth_digest: Prevent segfaults during client entry allocation
  when the shared memory space is exhausted.

  CVE-2016-5387 (cve.mitre.org)
  core: Mitigate [f]cgi "httpoxy" issues.

  CVE-2016-8740 (cve.mitre.org)
  mod_http2: Mitigate DoS memory exhaustion via endless

  CVE-2016-8743 (cve.mitre.org)
  Enforce HTTP request grammar corresponding to RFC7230 for request
  lines and request headers, to prevent response splitting and cache
  pollution by malicious clients or downstream proxies.

After changing the PORTVERSION, makesum and removing the patch
"files/patch-CVE-2016-8740" I came across other issues that may pertain to my
env??  This was on 11.0Stable amd64, as a hint that it may not be

Thanks to doctor at doctor.nl2k.ab.ca for circulating the announcement.

You are receiving this mail because:
You are the assignee for the bug.

More information about the freebsd-apache mailing list