maintainer-feedback requested: [Bug 215457] www/apache24 2.4.23 requires security update per listed CVEs
bugzilla-noreply at freebsd.org
bugzilla-noreply at freebsd.org
Wed Dec 21 00:42:43 UTC 2016
dewayne at heuristicsystems.com.au has reassigned Bugzilla Automation
<bugzilla at FreeBSD.org>'s request for maintainer-feedback to apache at FreeBSD.org:
Bug 215457: www/apache24 2.4.23 requires security update per listed CVEs
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=215457
--- Description ---
Apache announced the following CVE's that are addressed in apache 2.4.25.
Might be time for an update to the port.
CVE-2016-0736 (cve.mitre.org)
mod_session_crypto: Authenticate the session data/cookie with a
MAC (SipHash) to prevent deciphering or tampering with a padding
oracle attack.
CVE-2016-2161 (cve.mitre.org)
mod_auth_digest: Prevent segfaults during client entry allocation
when the shared memory space is exhausted.
CVE-2016-5387 (cve.mitre.org)
core: Mitigate [f]cgi "httpoxy" issues.
CVE-2016-8740 (cve.mitre.org)
mod_http2: Mitigate DoS memory exhaustion via endless
CONTINUATION frames.
CVE-2016-8743 (cve.mitre.org)
Enforce HTTP request grammar corresponding to RFC7230 for request
lines and request headers, to prevent response splitting and cache
pollution by malicious clients or downstream proxies.
After changing the PORTVERSION, makesum and removing the patch
"files/patch-CVE-2016-8740" I came across other issues that may pertain to my
env?? This was on 11.0Stable amd64, as a hint that it may not be
straight-forward.
Thanks to doctor at doctor.nl2k.ab.ca for circulating the announcement.
More information about the freebsd-apache
mailing list