ports/138337: [patch] port neon28 update to 28.6

olli hauer ohauer at gmx.de
Sun Aug 30 11:10:02 UTC 2009


>Number:         138337
>Category:       ports
>Synopsis:       [patch] port neon28 update to 28.6
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Sun Aug 30 11:10:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     olli hauer <ohauer at gmx.de>
>Release:        FreeBSD 7.2-RELEASE-p3 i386
>Organization:
>Environment:


>Description:
Changes in release neon 0.28.6, 18 August 2009

  * SECURITY (CVE-2009-2473): Fix "billion laughs" attack against expat;
    could allow a Denial of Service attack by a malicious server.
  * SECURITY (CVE-2009-2474): Fix handling of an embedded NUL byte in a
    certificate subject name; could allow an undetected MITM attack against
    an SSL server if a trusted CA issues such a cert.
    Note: CVE-2009-2474 does affect GnuTLS as well as OpenSSL, contrary to
    previous announcement.

Changes in release neon 0.28.5, 3 July 2009

  * Enable support for X.509v1 CA certificates in GnuTLS.
  * Fix handling of EINTR in connect() calls.
  * Fix use of builds with SOCK_CLOEXEC support on older Linux kernels.
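The CVE-2009-2474 item above is terse, so here is an illustration of what an embedded NUL in a subject name buys an attacker and what the length-aware check has to do. This is an added example, not neon's code: it emulates in Python what a C caller doing strcmp()/strcasecmp() on the certificate's DER string sees (everything up to the first NUL). The certificate names and hostnames are constructed; the CA-issued "www.example.com\0.attacker.test" name is the pattern the changelog entry describes, where the issuer validates the attacker.test suffix and the C string comparison on the client sees only the prefix.

```python
# Hostname-vs-subject matching before and after a CVE-2009-2474 style fix.
# Added illustration; not neon's own code. All names below are constructed.

NUL = b"\x00"

# Constructed subject names. A CA that checks only the right-hand part would issue
# SPOOFED_CN to whoever controls attacker.test; the ASN.1 length covers the whole string.
HONEST_CN = b"www.example.com"
SPOOFED_CN = b"www.example.com" + NUL + b".attacker.test"
WILDCARD_SPOOF = b"*.example.com" + NUL + b".attacker.test"


def as_c_string(name):
    """What a C caller comparing the DER string with strcmp()/strcasecmp()
    actually compares: the bytes up to the first NUL, ignoring the ASN.1 length."""
    i = name.find(NUL)
    return name if i < 0 else name[:i]


def label_matches(pattern_label, host_label):
    """One DNS label; a lone '*' matches any single label."""
    return pattern_label == b"*" or pattern_label == host_label


def hostname_matches(pattern, hostname):
    """Case-insensitive match, label by label, allowing a leading wildcard label
    such as '*.example.com'. Label counts must agree, so '*' never spans dots."""
    p_labels = pattern.lower().split(b".")
    h_labels = hostname.lower().split(b".")
    return len(p_labels) == len(h_labels) and all(
        label_matches(p, h) for p, h in zip(p_labels, h_labels)
    )


def verify_vulnerable(subject_cn, hostname):
    """Pre-fix behaviour: the name is treated as a C string, so the comparison
    silently stops at the embedded NUL and the spoofed certificate passes."""
    return hostname_matches(as_c_string(subject_cn), hostname)


def verify_fixed(subject_cn, hostname):
    """Fixed behaviour: a subject name whose ASN.1 length disagrees with its
    C-string length (i.e. contains NUL) is rejected outright; otherwise the
    full-length name is compared."""
    if NUL in subject_cn:
        return False
    return hostname_matches(subject_cn, hostname)


if __name__ == "__main__":
    host = b"www.example.com"
    for cn in (HONEST_CN, SPOOFED_CN, WILDCARD_SPOOF):
        print(cn, "vulnerable:", verify_vulnerable(cn, host),
              "fixed:", verify_fixed(cn, host))
```

The decisive difference is that the fixed check derives the length of the name from the certificate's own encoding rather than from the first NUL; rejecting any NUL is the simplest way to make the two agree, and it is what a client should do, since no legitimate DNS name contains one.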

Important message about CVE-2009-2473 from
http://lists.manyfish.co.uk/pipermail/neon/2009-August/001045.html

  neon 0.28.6 has a fix for the "billion laughs" entity expansion attack 
  against expat.  If a client application visited a malicious DAV server, 
  or used the XML parsing interfaces (ne_xml*) to parse an XML document 
  from an attacker, a denial of service attack was possible.

  This issue has been assigned CVE name CVE-2009-2473.

  All versions of neon older than 0.28.6 are affected, where linked 
  against expat.  This issue does not affect versions of neon which are 
  compiled to use libxml2 instead of expat, provided the libxml2 version 
  is 2.6.32 or greater.
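To make the quoted advisory concrete, the following added example (not neon's code, and not the fix as neon 0.28.6 implements it, which this page does not show) runs a scaled-down "billion laughs" document through expat via Python's stdlib pyexpat binding, first with entity expansion left alone, then with the usual expat-level mitigation of aborting at the first entity declaration. The XML documents are constructed; the DAV multistatus body stands in for the kind of server response a client such as neon actually expects.

```python
# "Billion laughs" entity expansion against expat, and one mitigation.
# Added illustration; not neon's own code. Both documents are constructed.
import xml.parsers.expat

# Constructed: 4 levels of 4-fold nesting, so the single &lol4; reference expands to
# 4**4 = 256 copies of "lol" (768 characters) from roughly 330 bytes of input.
# The real attack uses about 10 levels of 10-fold nesting, i.e. ~10**10 copies,
# tens of gigabytes of character data from a document under 1 KiB.
BILLION_LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;">
 <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;">
]>
<lolz>&lol4;</lolz>
"""

# Constructed: the shape of a WebDAV PROPFIND response a client would normally parse.
BENIGN_MULTISTATUS = b"""<?xml version="1.0"?>
<D:multistatus xmlns:D="DAV:">
 <D:response><D:href>/dav/report.txt</D:href></D:response>
</D:multistatus>
"""


class EntityDeclarationRejected(Exception):
    """Raised from the entity-declaration handler to stop expat before any expansion."""


def parse(doc, reject_entity_decls):
    """Parse doc with expat.

    Returns ("ok", n) where n is the number of characters of character data the
    application received, or ("rejected", entity_name) if parsing was aborted.

    reject_entity_decls=False is the unhardened behaviour: every internal entity is
    expanded and the resulting text is delivered to the application, so output size
    is exponential in the nesting depth.  reject_entity_decls=True installs an
    EntityDeclHandler that aborts at the first <!ENTITY ...>, so the nested
    definitions are never even recorded and nothing is expanded.
    """
    parser = xml.parsers.expat.ParserCreate()
    chars = 0

    def on_character_data(data):
        nonlocal chars
        chars += len(data)

    def on_entity_decl(name, is_parameter_entity, value, base,
                       system_id, public_id, notation_name):
        # An exception raised inside a pyexpat handler stops the parser and
        # propagates out of Parse(); no partial expansion reaches the application.
        raise EntityDeclarationRejected(name)

    parser.CharacterDataHandler = on_character_data
    if reject_entity_decls:
        parser.EntityDeclHandler = on_entity_decl
    try:
        parser.Parse(doc, True)
    except EntityDeclarationRejected as exc:
        return ("rejected", exc.args[0])
    return ("ok", chars)


if __name__ == "__main__":
    print("unhardened, benign :", parse(BENIGN_MULTISTATUS, False))
    print("unhardened, attack :", parse(BILLION_LAUGHS, False))
    print("hardened,   benign :", parse(BENIGN_MULTISTATUS, True))
    print("hardened,   attack :", parse(BILLION_LAUGHS, True))
```

Two practical notes. First, rejecting entity declarations outright is appropriate for a protocol client such as a WebDAV library, where no legitimate server response uses a DTD; a general-purpose XML consumer would instead need an amplification limit (expanded output versus input size). Second, the sample is deliberately small: the pyexpat bound on recent Python versions carries expat's own amplification limits, which only engage above several megabytes of output, so the unhardened run above still completes, whereas the full 10-level document would not.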


@lev
 Is there a reason to keep --enable-xml in the CONFIGURE_ARGS?
 A search over the port history showed it was introduced in this version
 http://www.freebsd.org/cgi/cvsweb.cgi/ports/www/neon/Attic/Makefile?annotate=1.5
 (Tue Jun 5 20:50:03 2001 UTC (8 years, 2 months ago) by olgeni)

 However, in the build logs you can find this message.
  - configure: WARNING: unrecognized options: --enable-xml

 I guess it is a forgotten parameter from the year 2002
 http://www.freebsd.org/cgi/cvsweb.cgi/ports/www/neon/Attic/Makefile.diff?r2=1.13&r1=1.12&f=u 

//olli

>How-To-Repeat:
>Fix:
--- patch_neon28.6.txt begins here ---
--- Makefile
+++ Makefile
@@ -6,7 +6,7 @@
 #
 
 PORTNAME=	neon28
-PORTVERSION=	0.28.4
+PORTVERSION=	0.28.6
 CATEGORIES=	www
 MASTER_SITES=	http://www.webdav.org/neon/ \
 		http://keyserver.kjsl.com/~jharris/distfiles/
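Review bot: a PORTVERSION bump has to be paired with dropping any PORTREVISION line the Makefile carries; none is visible in this hunk's three lines of context, so confirm there is no PORTREVISION elsewhere in the file before committing. Because 0.28.6 closes CVE-2009-2473 and CVE-2009-2474, the commit should also land a ports security database (VuXML) entry naming both CVEs and covering neon28 < 0.28.6, so that installed packages of 0.28.4 are flagged rather than silently left in place.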
@@ -29,7 +29,6 @@
 USE_GNOME=	gnomehack gnometarget
 GNU_CONFIGURE=	yes
 CONFIGURE_ARGS=	--with-ssl \
-		--enable-xml \
 		--enable-shared \
 		--with-expat \
 		--with-libs=${LOCALBASE}:${PREFIX}
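Review bot: removing --enable-xml changes nothing in the resulting build, since the description quotes configure reporting it as an unrecognized option; say so explicitly in the commit log so nobody reads the second hunk as a functional change. Note that --with-expat stays, which is exactly the configuration the quoted advisory says is affected for neon < 0.28.6, so it is the PORTVERSION bump in the first hunk, not this argument cleanup, that closes CVE-2009-2473; switching the port to libxml2 (>= 2.6.32 per the advisory) would be an alternative but is not needed here.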
--- distinfo
+++ distinfo
@@ -1,3 +1,3 @@
-MD5 (neon-0.28.4.tar.gz) = 6c3b94362af743d046e198e9fcbe4a85
-SHA256 (neon-0.28.4.tar.gz) = be151943df34e5884b2c7f4b5f4ebe83b8e74e665d90474aca06006e3b9530bd
-SIZE (neon-0.28.4.tar.gz) = 775886
+MD5 (neon-0.28.6.tar.gz) = 252578ed555552b71d15909641484951
+SHA256 (neon-0.28.6.tar.gz) = 06ee8b1aa37a14a956a1158bf6b5a8c3388976d61c1dc3773a3ffe18ac8ecc0e
+SIZE (neon-0.28.6.tar.gz) = 789193
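Review bot: for a security update the new MD5, SHA256 and SIZE lines should be checked against the checksums or signature upstream publishes for neon-0.28.6.tar.gz, not just regenerated with make makesum from whatever was fetched; the second MASTER_SITES entry in the first hunk is a third-party mirror, and a distinfo that merely matches the downloaded file says nothing about where that file came from. The hunk header @@ -1,3 +1,3 @@ shows distinfo holds exactly these three lines, which is right for a port with a single distfile.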
--- patch_neon28.6.txt ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted: