misc/169363: www/yaws needs to be updated to 1.93 for a security fix
Kenji Rikitake
kenji.rikitake at acm.org
Sun Jun 24 07:10:10 UTC 2012
>Number: 169363
>Category: misc
>Synopsis: www/yaws needs to be updated to 1.93 for a security fix
>Confidential: no
>Severity: critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Jun 24 07:10:10 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator: Kenji Rikitake
>Release: 9.0-STABLE
>Organization:
>Environment:
FreeBSD minimax.priv.k2r.org 9.0-STABLE FreeBSD 9.0-STABLE #5: Wed Jun 13 12:46:09 JST 2012 root at minimax.priv.k2r.org:/usr/obj/usr/src/sys/MINIMAX amd64
>Description:
Yaws 1.92 has a critical vulnerability in its cookie handling which may result in session hijacking. This vulnerability is addressed in 1.93. Details:
http://sourceforge.net/mailarchive/message.php?msg_id=29435297
>How-To-Repeat:
Yaws 1.92 and older versions have the vulnerability.
>Fix:
Updating yaws to 1.93 fixes this issue. The attached patch is a diff that updates the current port (based on yaws 1.92) to 1.93 as a quick fix; apply it with `patch -p1`.
The details are also on GitHub at:
https://github.com/jj1bdx/yaws-freebsd-port
Patch attached with submission follows:
diff --git a/yaws/Makefile b/yaws/Makefile
index 363aac2..d1bd67b 100644
--- a/yaws/Makefile
+++ b/yaws/Makefile
@@ -6,7 +6,7 @@
#
PORTNAME= yaws
-PORTVERSION= 1.92
+PORTVERSION= 1.93
CATEGORIES= www
MASTER_SITES= http://yaws.hyber.org/download/
@@ -32,6 +32,8 @@ APPDIR=${PREFIX}/lib/erlang/lib/yaws-${PORTVERSION}
SUB_FILES= pkg-message
+CONFIGURE_ARGS+=--prefix=${PREFIX} --localstatedir=/var
+
.include <bsd.port.pre.mk>
.if defined(WITH_SENDFILE)
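Review bot: Whether `--prefix=${PREFIX}` in the added `CONFIGURE_ARGS+=` line is needed depends on a variable outside this hunk: under `GNU_CONFIGURE=yes` the ports framework already passes `--prefix=${PREFIX}` itself, while under `HAS_CONFIGURE=yes` nothing is passed unless the port does so. Confirm which one the port sets, and if it is `GNU_CONFIGURE` drop the redundant `--prefix` and keep only `CONFIGURE_ARGS+=--localstatedir=/var`. A one-line comment naming why `/var` is forced, e.g. `# keep logs/pid under /var, not ${PREFIX}/var`, would also help the next maintainer.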
@@ -55,16 +57,22 @@ do-install:
@${MKDIR} ${ETCDIR}
@${INSTALL_DATA} ${FILESDIR}/yaws.conf.sample ${ETCDIR}
@${MKDIR} ${APPDIR}/ebin
+ @${MKDIR} ${APPDIR}/examples
+ @${MKDIR} ${APPDIR}/examples/ebin
+ @${MKDIR} ${APPDIR}/examples/src
@${MKDIR} ${APPDIR}/include
@${MKDIR} ${APPDIR}/priv
@${MKDIR} ${APPDIR}/priv/lib
@${MKDIR} ${APPDIR}/src
@${MKDIR} ${PREFIX}/www/yaws
@${INSTALL_DATA} ${WRKSRC}/ebin/* ${APPDIR}/ebin
-.for FILE in envelope.xsd mime.types soap.xsd wsdl.xsd epam
+ @${INSTALL_DATA} ${WRKSRC}/examples/ebin/* ${APPDIR}/examples/ebin
+ @${INSTALL_DATA} ${WRKSRC}/examples/src/* ${APPDIR}/examples/src
+.for FILE in envelope.xsd mime.types soap.xsd wsdl.xsd soap-envelope.xsd wsdl11soap12.xsd xml.xsd
@${INSTALL_DATA} ${WRKSRC}/priv/${FILE} ${APPDIR}/priv
.endfor
- @${INSTALL_DATA} ${WRKSRC}/priv/lib/* ${APPDIR}/priv/lib
+ @${INSTALL_PROGRAM} ${WRKSRC}/priv/epam ${APPDIR}/priv
+ @${INSTALL_LIB} ${WRKSRC}/priv/lib/* ${APPDIR}/priv/lib
@${INSTALL_DATA} ${WRKSRC}/include/* ${APPDIR}/include
@${INSTALL_DATA} ${WRKSRC}/src/*.?rl ${APPDIR}/src
@cd ${WRKSRC}/www && (${FIND} * | ${CPIO} -pu ${WWWDIR})
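Review bot: Moving `epam` out of the INSTALL_DATA loop into `${INSTALL_PROGRAM} ${WRKSRC}/priv/epam ${APPDIR}/priv` changes the mode it lands with (executable and stripped instead of 0644), and since epam is presumably the helper Yaws spawns for PAM authentication, that mode is security-relevant and deserves a comment, e.g. `# epam: PAM auth helper, installed 0555; the port never makes it setuid`. If authenticating against the system password database turns out to need the helper to run with elevated privilege, leave that decision to the administrator and say so in pkg-message rather than changing the mode here. The two new `examples/` globs install whatever the tarball ships there, so the plist must be checked against the extracted 1.93 tree. The do-install target continues past the end of this hunk.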
diff --git a/yaws/distinfo b/yaws/distinfo
index 6e0db3d..276d47f 100644
--- a/yaws/distinfo
+++ b/yaws/distinfo
@@ -1,2 +1,2 @@
-SHA256 (yaws-1.92.tar.gz) = cde83ca55d8e1b10a89094e1cfdc3e78d91ba9b1036cb5ea4e1994f5922c2357
-SIZE (yaws-1.92.tar.gz) = 894749
+SHA256 (yaws-1.93.tar.gz) = 56e26ebbbb7cac15993dcab431f01a120510603567e696b9e09fa0a9e644a38f
+SIZE (yaws-1.93.tar.gz) = 1138147
diff --git a/yaws/files/patch-man_yaws.conf.5 b/yaws/files/patch-man_yaws.conf.5
index 51b9adf..2fce0af 100644
--- a/yaws/files/patch-man_yaws.conf.5
+++ b/yaws/files/patch-man_yaws.conf.5
@@ -1,4 +1,4 @@
-
+Modified by Kenji Rikitake
$FreeBSD: ports/www/yaws/files/patch-man_yaws.conf.5,v 1.4 2010/03/20 16:30:16 olgeni Exp $
--- man/yaws.conf.5.orig
@@ -6,8 +6,8 @@ $FreeBSD: ports/www/yaws/files/patch-man_yaws.conf.5,v 1.4 2010/03/20 16:30:16 o
@@ -1,6 +1,6 @@
.TH YAWS.CONF "5" "" "" "User Commands"
.SH NAME
--/etc/yaws/yaws.conf \- Configuration file for the yaws web server
-+!!PREFIX!!/etc/yaws/yaws.conf \- Configuration file for the yaws web server
+-/etc/yaws/yaws.conf \- Configuration file for the Yaws web server
++!!PREFIX!!/etc/yaws/yaws.conf \- Configuration file for the Yaws web server
.SH DESCRIPTION
.\" Add any additional description here
.PP
diff --git a/yaws/files/patch-scripts__gen-yaws b/yaws/files/patch-scripts__gen-yaws
new file mode 100644
index 0000000..50a7352
--- /dev/null
+++ b/yaws/files/patch-scripts__gen-yaws
@@ -0,0 +1,20 @@
+--- scripts/gen-yaws.ORIG 2012-06-24 15:27:11.000000000 +0900
++++ scripts/gen-yaws 2012-06-24 15:33:26.000000000 +0900
+@@ -1,13 +1,15 @@
+ #!/bin/sh
+
++# CAUTION: Modified for FreeBSD Port installation
++# referring yawsdir in the installed yaws library
++
+ # Used by scripts/Makefile and scripts/rebar-pre-script to generate
+ # the yaws execution script
+
+ set -e
+
+-topdir=`cd .. && pwd`
+ cat yaws.template | \
+- ./Subst %yawsdir% "${topdir}" | \
++ ./Subst %yawsdir% "/usr/local/lib/erlang/lib/yaws" | \
+ ./Subst %vardir% "${VARDIR}" | \
+ ./Subst %run_erl% "${ERLBINDIR}/run_erl" | \
+ ./Subst %to_erl% "${ERLBINDIR}/to_erl" | \
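Review bot: Hardcoding `/usr/local/lib/erlang/lib/yaws` as `%yawsdir%` ignores PREFIX, so a port built with a non-default PREFIX (which this same submission otherwise honors via `--prefix=${PREFIX}`) produces a `yaws` launcher that boots the server from a directory that does not exist. The man-page patch in this submission already uses a `!!PREFIX!!` placeholder, presumably replaced after patching; the same mechanism fits here: `./Subst %yawsdir% "!!PREFIX!!/lib/erlang/lib/yaws" | \`. Note also that the path has no version suffix while APPDIR is `yaws-${PORTVERSION}`; unless the port creates a versionless `yaws` symlink somewhere outside this patch, the launcher points at a missing directory even with the default PREFIX, which is worth confirming before committing.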
diff --git a/yaws/pkg-plist b/yaws/pkg-plist
index fc34021..3238b3d 100644
--- a/yaws/pkg-plist
+++ b/yaws/pkg-plist
@@ -1,6 +1,5 @@
bin/yaws
%%ETCDIR%%/yaws.conf.sample
-%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/authmod_gssapi.beam
%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/haxe.beam
%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/json.beam
%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/json2.beam
@@ -38,29 +37,42 @@ bin/yaws
%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/yaws_server.beam
%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/yaws_session_server.beam
%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/yaws_shaper.beam
+%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/yaws_soap12_lib.beam
%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/yaws_soap_lib.beam
%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/yaws_soap_srv.beam
%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/yaws_stats.beam
%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/yaws_sup.beam
%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/yaws_sup_restarts.beam
%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/yaws_ticker.beam
+%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/yaws_trace.beam
%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/yaws_vdir.beam
%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/yaws_websockets.beam
%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/yaws_xmlrpc.beam
%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/yaws_zlib.beam
+%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/examples/ebin/advanced_echo_callback.beam
+%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/examples/ebin/authmod_gssapi.beam
+%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/examples/ebin/basic_echo_callback.beam
+%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/examples/ebin/myappmod.beam
+%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/examples/ebin/shopcart.beam
+%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/examples/src/advanced_echo_callback.erl
+%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/examples/src/authmod_gssapi.erl
+%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/examples/src/basic_echo_callback.erl
+%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/include/soap-envelope.hrl
%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/include/soap.hrl
+%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/include/wsdl11soap12.hrl
%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/include/yaws.hrl
%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/include/yaws_api.hrl
%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/include/yaws_dav.hrl
+%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/include/yaws_soap.hrl
%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/priv/envelope.xsd
%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/priv/epam
%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/priv/lib/setuid_drv.so
%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/priv/mime.types
+%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/priv/soap-envelope.xsd
%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/priv/soap.xsd
%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/priv/wsdl.xsd
-%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/advanced_echo_callback.erl
-%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/authmod_gssapi.erl
-%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/basic_echo_callback.erl
+%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/priv/wsdl11soap12.xsd
+%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/priv/xml.xsd
%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/haxe.erl
%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/json.erl
%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/json2.erl
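Review bot: The new `examples/` entries list five `.beam` files but only three `.erl` sources, while the Makefile installs `examples/src/*` with a glob; if the 1.93 tarball's examples/src also ships `myappmod.erl` or `shopcart.erl`, the package will install files the plist does not own. Check the extracted tarball and either list the missing sources or narrow the glob so the plist and the install step agree.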
@@ -99,12 +111,14 @@ bin/yaws
%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/yaws_server.erl
%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/yaws_session_server.erl
%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/yaws_shaper.erl
+%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/yaws_soap12_lib.erl
%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/yaws_soap_lib.erl
%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/yaws_soap_srv.erl
%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/yaws_stats.erl
%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/yaws_sup.erl
%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/yaws_sup_restarts.erl
%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/yaws_ticker.erl
+%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/yaws_trace.erl
%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/yaws_vdir.erl
%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/yaws_websockets.erl
%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/yaws_xmlrpc.erl
@@ -269,6 +283,7 @@ bin/yaws
%%WWWDIR%%/json_intro.yaws
%%WWWDIR%%/json_sample.html
%%WWWDIR%%/json_sample.yaws
+%%WWWDIR%%/logger_mod.yaws
%%WWWDIR%%/man.yaws
%%WWWDIR%%/motivation.yaws
%%WWWDIR%%/news
@@ -328,6 +343,7 @@ bin/yaws
%%WWWDIR%%/websockets_example_endpoint.yaws
%%WWWDIR%%/yapp_intro.yaws
%%WWWDIR%%/yaws-1.55_to_1.56.patch
+%%WWWDIR%%/yaws.eps
%%WWWDIR%%/ybed.erl
%%WWWDIR%%/ybed_sup.erl
%%WWWDIR%%/yman.yaws
>Release-Note:
>Audit-Trail:
>Unformatted: