From owner-svn-ports-all@FreeBSD.ORG Thu Sep 13 03:35:10 2012 Return-Path: Delivered-To: svn-ports-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 550791065673; Thu, 13 Sep 2012 03:35:10 +0000 (UTC) (envelope-from swills@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 3F3288FC08; Thu, 13 Sep 2012 03:35:10 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.4/8.14.4) with ESMTP id q8D3ZAxW008137; Thu, 13 Sep 2012 03:35:10 GMT (envelope-from swills@svn.freebsd.org) Received: (from swills@localhost) by svn.freebsd.org (8.14.4/8.14.4/Submit) id q8D3Z9kH008132; Thu, 13 Sep 2012 03:35:09 GMT (envelope-from swills@svn.freebsd.org) Message-Id: <201209130335.q8D3Z9kH008132@svn.freebsd.org> From: Steve Wills Date: Thu, 13 Sep 2012 03:35:09 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org X-SVN-Group: ports-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r304170 - in head: security/vuxml www/mod_pagespeed X-BeenThere: svn-ports-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 13 Sep 2012 03:35:10 -0000 Author: swills Date: Thu Sep 13 03:35:09 2012 New Revision: 304170 URL: http://svn.freebsd.org/changeset/ports/304170 Log: - Update to 0.10.22.6 which fixes two security issues - Document security issues in vuxml [1] Reviewed by: bdrewery [1] Security: 178ba4ea-fd40-11e1-b2ae-001fd0af1a4c Modified: head/security/vuxml/vuln.xml head/www/mod_pagespeed/Makefile head/www/mod_pagespeed/distinfo Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Thu Sep 13 02:03:41 2012 (r304169) +++ head/security/vuxml/vuln.xml Thu Sep 13 03:35:09 2012 (r304170) @@ -51,6 +51,56 @@ Note: Please add new entries to the beg --> + + mod_pagespeed -- multiple vulnerabilities + + + mod_pagespeed + 0.10.22.6 + + + + +

Google Reports:

+
+

mod_pagespeed 0.10.22.6 is a security update that fixes two + critical issues that affect earlier versions:

+
    +
  • CVE-2012-4001, a problem with validation of own host name.
    • +
  • CVE-2012-4360, a cross-site scripting attack, which affects versions starting from 0.10.19.1.
    • +
+

The effect of the first problem is that it is possible to confuse + mod_pagespeed about its own host name, and to trick it into + fetching resources from other machines. This could be an issue if + the HTTP server has access to machines that are not otherwise + publicly visible.

+

The second problem would permit a hostile third party to execute + JavaScript in users' browsers in context of the domain running + mod_pagespeed, which could permit interception of users' cookies or + data on the site.

+

Because of the severity of the two problems, users are strongly + encouraged to update immediately.

+

Behavior Changes in the Update:

+

As part of the fix to the first issue, mod_pagespeed will not fetch + resources from machines other than localhost if they are not + explicitly mentioned in the configuration. This means that if you + need resources on the server's domain to be handled by some other + system, you'll need to explicitly use ModPagespeedMapOriginDomain + or ModPagespeedDomain to authorize that.

+
+ + + + CVE-2012-4001 + CVE-2012-4360 + https://developers.google.com/speed/docs/mod_pagespeed/announce-0.10.22.6 + + + 2012-09-12 + 2012-09-12 + + + freeradius -- arbitrary code execution for TLS-based authentication Modified: head/www/mod_pagespeed/Makefile ============================================================================== --- head/www/mod_pagespeed/Makefile Thu Sep 13 02:03:41 2012 (r304169) +++ head/www/mod_pagespeed/Makefile Thu Sep 13 03:35:09 2012 (r304170) @@ -6,8 +6,7 @@ # PORTNAME= mod_pagespeed -PORTVERSION= 0.10.22.4 -PORTREVISION= 1 +PORTVERSION= 0.10.22.6 PORTEPOCH= 1 CATEGORIES= www MASTER_SITES= ${MASTER_SITE_LOCAL} Modified: head/www/mod_pagespeed/distinfo ============================================================================== --- head/www/mod_pagespeed/distinfo Thu Sep 13 02:03:41 2012 (r304169) +++ head/www/mod_pagespeed/distinfo Thu Sep 13 03:35:09 2012 (r304170) @@ -1,2 +1,2 @@ -SHA256 (mod_pagespeed_source_0.10.22.4.tar.xz) = 4abb02fec78b20d2790e9f6bb7c454b14cccde9add4a0341d6e6779066d3a3a9 -SIZE (mod_pagespeed_source_0.10.22.4.tar.xz) = 14492376 +SHA256 (mod_pagespeed_source_0.10.22.6.tar.xz) = 58d983777727ebabbd576610129235bd39fbd025f1620bb2f6f3f176f600619f +SIZE (mod_pagespeed_source_0.10.22.6.tar.xz) = 11864872