apache2 port

Peter C. Lai sirmoo at cowbert.net
Thu Sep 30 14:41:20 PDT 2004


On Thu, Sep 30, 2004 at 02:10:00PM -0700, Eli Dart wrote:
> 
> In reply to "Peter C. Lai" <sirmoo at cowbert.net> :
> 
> > if PORTVERSION isn't 2.0.51 then you shouldn't be getting anything in 2.0.51
> > (if you say the vulnerability was only introduced with 2.0.51).
> 
> Of course.  However, the main reason for rolling version 2.0.51 was 
> to fix 3 security problems.  The maintainer chose to keep version 
> 2.0.50 and apply patches for those vulnerabilities rather than update 
> the port to version 2.0.51.  If those patches were the only changes 
> between 2.0.50 and 2.0.51, then the version in ports (as installed) 
> is vulnerable, whatever PORTVERSION says.
> 
> This is the reason I asked the question at all.  I don't know enough 
> about the internals of apache to know if the patches for the previous 
> 3 vulnerabilities could have caused the current bug or not.
> 
> 		--eli

Ok. the new bug is CVE CAN-2004-0811, which is:
Unknown vulnerability in Apache 2.0.51 prevents "the merging of the Satisfy 
directive," which could allow attackers to obtain access to restricted 
resources contrary to the specified authentication configuration.

It would appear from the description to be linked to changes made to 
correct CAN-2004-0747: Buffer overflow in Apache 2.0.50 and earlier allows 
local users to gain apache privileges via a .htaccess file that causes the 
overflow during expansion of environment variables.

Then it is vulnerable. Could the port maintainer confirm this and if so,
file a vuxml document for 2.0.50_3?

> 
> > 
> > This should really be in the ports@ list.
> > 
> > On Thu, Sep 30, 2004 at 02:02:32PM -0700, Eli Dart wrote:
> > >=20
> > > In reply to "Peter C. Lai" <sirmoo at cowbert.net> :
> > >=20
> > > > no. you can tell by PORTVERSION in the Makefile.
> > >=20
> > > That still doesn't cover the case of the vulnerability being=20
> > > introduced by the patch....
> > >=20
> > > Unless I'm truly missing something....
> > >=20
> > > 		--eli
> > >=20
> > >=20
> > > >=20
> > > > On Thu, Sep 30, 2004 at 01:45:16PM -0700, Eli Dart wrote:
> > > > > Hi all,
> > > > >=20
> > > > > There has been another vulnerability [1] discovered in apache2.  This=
> > =20
> > > > > affects only version 2.0.51 (where it was introduced).  The ports=20
> > > > > tree is frozen, pending 5.3-R, so I assume that an update of the=20
> > > > > apache2 port to 2.0.52 is not forthcoming any time soon.
> > > > >=20
> > > > > The question is this -- since the apache2 in the ports tree is 2.0.50=
> > =20
> > > > > plus patches, does the version in the ports tree have this=20
> > > > > vulnerability?  It seems that it only would if the patches to 2.0.50=
> > =20
> > > > > introduced the vulnerability...  Does anyone know?
> > > > >=20
> > > > > Thanks!
> > > > >=20
> > > > > 		--eli
> > > > >=20
> > > > >=20
> > > > >=20
> > > > >=20
> > > >=20
> > > >=20
> > > >=20
> > > > --=20
> > > > Peter C. Lai
> > > > University of Connecticut
> > > > Dept. of Molecular and Cell Biology
> > > > Yale University School of Medicine
> > > > SenseLab | Research Assistant
> > > > http://cowbert.2y.net/
> > > >=20
> > >=20
> > >=20
> > 
> > 
> > 
> > --=20
> > Peter C. Lai
> > University of Connecticut
> > Dept. of Molecular and Cell Biology
> > Yale University School of Medicine
> > SenseLab | Research Assistant
> > http://cowbert.2y.net/
> > 
> 
> 
-- 
Peter C. Lai
University of Connecticut
Dept. of Molecular and Cell Biology
Yale University School of Medicine
SenseLab | Research Assistant
http://cowbert.2y.net/



More information about the freebsd-ports mailing list