Date: Fri, 03 Feb 2017 11:44:28 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-ports-bugs@FreeBSD.org
Subject: [Bug 216752] www/obhttpd: OpenBSD errata, Jan 31, 2017
Message-ID: <bug-216752-13@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=216752

            Bug ID: 216752
           Summary: www/obhttpd: OpenBSD errata, Jan 31, 2017
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Keywords: patch
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: freebsd-ports-bugs@FreeBSD.org
          Reporter: t@tobik.me
                CC: koue@chaosophia.net
 Attachment #179563 maintainer-approval?(koue@chaosophia.net)
             Flags:
                CC: koue@chaosophia.net
             Flags: maintainer-feedback?(koue@chaosophia.net)

Created attachment 179563
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=179563&action=edit
www___obhttpd.diff

There was a recent OpenBSD 6.0 errata for httpd (see below). Since
www/obhttpd seems to be based on the 6.0 version it's probably affected too.

---------
From: Bob Beck <beck@openbsd.org>
Date: Wed, 1 Feb 2017 23:07:12 -0700
Subject: OpenBSD errata, Jan 31, 2017
To: announce@openbsd.org, tech <tech@openbsd.org>

An issue has been identified whereby httpd(8) could be subject to a
denial of service attack. Repeated crafted requests could be made
from a client using file-range requests, making the server consume
excessive amounts of memory.

This issue has been fixed in current. For 5.9 and 6.0 the following
errata will disable range header processing in httpd(8) to prevent
the problem.

Thanks to Pierre Kim <pierre.kim.sec@gmail.com> for reporting the issue.

https://ftp.openbsd.org/pub/OpenBSD/patches/6.0/common/017_httpd.patch.sig
https://ftp.openbsd.org/pub/OpenBSD/patches/5.9/common/034_httpd.patch.sig

-- 
You are receiving this mail because:
You are the assignee for the bug.