maintainer-feedback requested: [Bug 215457] www/apache24 2.4.23 requires security update per listed CVEs

bugzilla-noreply at bugzilla-noreply at
Wed Dec 21 00:42:43 UTC 2016

dewayne at has reassigned Bugzilla Automation
<bugzilla at>'s request for maintainer-feedback to apache at
Bug 215457: www/apache24 2.4.23 requires security update per listed CVEs

--- Description ---
Apache announced the following CVEs that are addressed in apache 2.4.25.
Might be time for an update to the port.

  CVE-2016-0736
  mod_session_crypto: Authenticate the session data/cookie with a
  MAC (SipHash) to prevent deciphering or tampering with a padding
  oracle attack.

  CVE-2016-2161
  mod_auth_digest: Prevent segfaults during client entry allocation
  when the shared memory space is exhausted.

  CVE-2016-5387
  core: Mitigate [f]cgi "httpoxy" issues.

  CVE-2016-8740
  mod_http2: Mitigate DoS memory exhaustion via endless

  CVE-2016-8743
  Enforce HTTP request grammar corresponding to RFC7230 for request
  lines and request headers, to prevent response splitting and cache
  pollution by malicious clients or downstream proxies.

After changing the PORTVERSION, makesum and removing the patch
"files/patch-CVE-2016-8740" I came across other issues that may pertain to my
env??  This was on 11.0Stable amd64, as a hint that it may not be

Thanks to doctor at for circulating the announcement.

More information about the freebsd-apache mailing list