From owner-freebsd-apache@freebsd.org  Wed Dec 21 00:42:43 2016
Return-Path: <owner-freebsd-apache@freebsd.org>
Delivered-To: freebsd-apache@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id C476CC8808F
 for <freebsd-apache@mailman.ysv.freebsd.org>;
 Wed, 21 Dec 2016 00:42:43 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from mailman.ysv.freebsd.org (unknown [127.0.1.3])
 by mx1.freebsd.org (Postfix) with ESMTP id AE089102F
 for <freebsd-apache@freebsd.org>; Wed, 21 Dec 2016 00:42:43 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: by mailman.ysv.freebsd.org (Postfix)
 id AD6C3C8808D; Wed, 21 Dec 2016 00:42:43 +0000 (UTC)
Delivered-To: apache@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id AD0C4C8808A
 for <apache@mailman.ysv.freebsd.org>; Wed, 21 Dec 2016 00:42:43 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org (kenobi.freebsd.org
 [IPv6:2001:1900:2254:206a::16:76])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 83CDA102B
 for <apache@FreeBSD.org>; Wed, 21 Dec 2016 00:42:43 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from bugs.freebsd.org ([127.0.1.118])
 by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id uBL0ghTg098998
 for <apache@FreeBSD.org>; Wed, 21 Dec 2016 00:42:43 GMT
 (envelope-from bugzilla-noreply@freebsd.org)
From: bugzilla-noreply@freebsd.org
To: apache@FreeBSD.org
Subject: [Bug 215457] www/apache24 2.4.23 requires security update per listed
 CVEs
Date: Wed, 21 Dec 2016 00:42:42 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Ports & Packages
X-Bugzilla-Component: Individual Port(s)
X-Bugzilla-Version: Latest
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: Affects Many People
X-Bugzilla-Who: dewayne@heuristicsystems.com.au
X-Bugzilla-Status: New
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: apache@FreeBSD.org
X-Bugzilla-Flags: maintainer-feedback?
X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform
 op_sys bug_status bug_severity priority component assigned_to reporter
 flagtypes.name
Message-ID: <bug-215457-16115@https.bugs.freebsd.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: freebsd-apache@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: Support of apache-related ports  <freebsd-apache.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-apache>, 
 <mailto:freebsd-apache-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-apache/>
List-Post: <mailto:freebsd-apache@freebsd.org>
List-Help: <mailto:freebsd-apache-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-apache>,
 <mailto:freebsd-apache-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Dec 2016 00:42:43 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D215457

            Bug ID: 215457
           Summary: www/apache24 2.4.23 requires security update per
                    listed CVEs
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: Individual Port(s)
          Assignee: apache@FreeBSD.org
          Reporter: dewayne@heuristicsystems.com.au
             Flags: maintainer-feedback?(apache@FreeBSD.org)
          Assignee: apache@FreeBSD.org

Apache announced the following CVE's that are addressed in apache 2.4.25.=20
Might be time for an update to the port.=20=20

  CVE-2016-0736 (cve.mitre.org)
  mod_session_crypto: Authenticate the session data/cookie with a
  MAC (SipHash) to prevent deciphering or tampering with a padding
  oracle attack.

  CVE-2016-2161 (cve.mitre.org)
  mod_auth_digest: Prevent segfaults during client entry allocation
  when the shared memory space is exhausted.

  CVE-2016-5387 (cve.mitre.org)
  core: Mitigate [f]cgi "httpoxy" issues.

  CVE-2016-8740 (cve.mitre.org)
  mod_http2: Mitigate DoS memory exhaustion via endless
  CONTINUATION frames.

  CVE-2016-8743 (cve.mitre.org)
  Enforce HTTP request grammar corresponding to RFC7230 for request
  lines and request headers, to prevent response splitting and cache
  pollution by malicious clients or downstream proxies.

After changing the PORTVERSION, makesum and removing the patch
"files/patch-CVE-2016-8740" I came across other issues that may pertain to =
my
env??  This was on 11.0Stable amd64, as a hint that it may not be
straight-forward.

Thanks to doctor@doctor.nl2k.ab.ca for circulating the announcement.

--=20
You are receiving this mail because:
You are the assignee for the bug.=