Date: Fri, 2 Sep 2011 13:47:19 +0400
From: Pavel Timofeev <timp87@gmail.com>
To: Florian Smeets <flo@freebsd.org>
Cc: ade@freebsd.org, apache@freebsd.org
Subject: Re: Install apache-2.2.20
Message-ID: <CAAoTqfv9i+teehUEX-bgyMzr08h+EDBqUsqZL2bUhazkjg_aUg@mail.gmail.com>
In-Reply-To: <4E60A574.5040705@freebsd.org>
References: <CAAoTqfuCAQ2-bUYJD35Xj_kZ_Mc7H-Y3fgPuD-13L8rLm8+bUw@mail.gmail.com> <20110902084108.GA46572@icarus.home.lan> <4E609855.9070507@freebsd.org> <20110902090342.GA48221@icarus.home.lan> <4E60A574.5040705@freebsd.org>
Yea, portaudit -F worked for me. Thank you!

2011/9/2 Florian Smeets <flo@freebsd.org>

> On 02.09.2011 11:03, Jeremy Chadwick wrote:
>
>> On Fri, Sep 02, 2011 at 10:48:21AM +0200, Florian Smeets wrote:
>>
>>> On 02.09.2011 10:41, Jeremy Chadwick wrote:
>>>
>>>> On Fri, Sep 02, 2011 at 12:06:26PM +0400, Pavel Timofeev wrote:
>>>>
>>>>> Hi, there's a problem
>>>>> [root@timbsd /usr/ports/www/apache22]# make
>>>>>
>>>>> ===> apache-2.2.20 has known vulnerabilities:
>>>>> => apache -- Range header DoS vulnerability.
>>>>> Reference:
>>>>> http://portaudit.FreeBSD.org/7f6108d2-cea8-11e0-9d58-0800279895ea.html
>>>>> => Please update your ports tree and try again.
>>>>> *** Error code 1
>>>>>
>>>>> Stop in /usr/ports/www/apache22.
>>>>> *** Error code 1
>>>>>
>>>>> Stop in /usr/ports/www/apache22.
>>>>>
>>>>
>>>> Looks like someone may have screwed up the portaudit (security/vuxml)
>>>> update.
>>>>
>>> You just need to download the current database.
>>>
>>> # portaudit -F
>>>
>>> That worked for me.
>>>
>>
>> Look at the message he's receiving. "apache-2.2.20 has known
>> vulnerabilities". This is wrong. Versions *PRIOR* to 2.2.20 have known
>> vulnerabilities.
>>
>
> The first vuxml entry that was added for this vulnerability had
>
> | + <range><gt>2.*</gt></range>
>
> It was fixed yesterday to match only versions lower than 2.2.20
>
> | - <range><gt>2.*</gt></range>
> | + <range><gt>2.*</gt><lt>2.2.20</lt></range>
>
> That's why I suggested to download the new database.
>
>> So again: someone messed up the portaudit (security/vuxml) database. If
>> it got fixed, I'm not seeing any evidence of that yet either:
>>
>
> If you download the newest db Pavel's problem should be fixed.
>
>> Let's recap:
>>
>> 1) The message the OP is receiving is that Apache 2.2.20 is insecure,
>> which is wrong.
>>
>
> see above.
>
>> 2) I'm using apache22 with the ITK MPM and I receive no such security
>> concern message.
>>
>> 3) portaudit -Fda doesn't indicate anything is insecure besides PHP on
>> my system, even though it obviously is (using Apache 2.2.19).
>>
>
> Ok, that's a different problem. 2 and 3 are basically the same problem, no?
> I think the slave ports need to be added to the entry, too.
>
>> 4) Here's the relevant contents of the portaudit db:
>>
>> icarus# bzcat /var/db/portaudit/auditfile.tbz | strings -a | egrep ^apache | grep Range
>> apache>2.*<2.2.20|http://portaudit.FreeBSD.org/7f6108d2-cea8-11e0-9d58-0800279895ea.html|apache -- Range header DoS vulnerability
>>
>
> You have the current database :)
>
>> In my case (re: not receiving the security warning), it may be that
>> someone did not add the apache-itk-XXX shims to the portaudit db, which
>> are the direct result of the "stub" ports for Apache. I don't know who
>> maintains this, but it's obviously incomplete.
>>
>
> Yes, they should be added.
>
> Cheers,
> Florian
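The range bug discussed in the thread, as an added example that is not part of the original mail: a small Python checker over auditfile-style lines in the `name>lower<upper|url|description` format that Jeremy's bzcat output shows. It assumes a simplified component-wise version comparison in which a `*` component matches anything (portaudit's real pkg_version rules are more involved) and an exact package-name match, which is also why an apache-itk package never matches the `apache` entry.

```python
import re

# Constructed auditfile lines modelled on the entries discussed in the thread:
# the first has only the ">2.*" lower bound of the original vuxml entry, the
# second adds the "<2.2.20" upper bound that was committed as the fix.
URL = "http://portaudit.FreeBSD.org/7f6108d2-cea8-11e0-9d58-0800279895ea.html"
OLD_ENTRY = "apache>2.*|" + URL + "|apache -- Range header DoS vulnerability"
NEW_ENTRY = "apache>2.*<2.2.20|" + URL + "|apache -- Range header DoS vulnerability"

BOUND_RE = re.compile(r"(>=|<=|>|<)([^<>]+)")


def split_pkg(pkgname):
    """'apache-itk-2.2.19' -> ('apache-itk', '2.2.19'): split at the last hyphen."""
    name, _, version = pkgname.rpartition("-")
    return name, version


def compare(version, pattern):
    """Compare dotted numeric versions component-wise, returning -1, 0 or 1.
    A '*' pattern component matches anything (assumption: simplified, not pkg_version)."""
    v, p = version.split("."), pattern.split(".")
    for a, b in zip(v, p):
        if b == "*" or a == b:
            continue
        return -1 if int(a) < int(b) else 1
    # Equal prefix: the version with more components sorts higher.
    return (len(v) > len(p)) - (len(v) < len(p))


def parse_entry(line):
    """Split 'name>lo<hi|url|description' into (name, [(op, version), ...], url, description)."""
    spec, url, desc = line.split("|", 2)
    name = re.match(r"[^<>]+", spec).group(0)
    return name, BOUND_RE.findall(spec[len(name):]), url, desc


OPS = {">": lambda c: c > 0, ">=": lambda c: c >= 0,
       "<": lambda c: c < 0, "<=": lambda c: c <= 0}


def is_affected(pkgname, entry):
    """True when pkgname (e.g. 'apache-2.2.20') falls inside the entry's range."""
    name, version = split_pkg(pkgname)
    ename, bounds, _, _ = parse_entry(entry)
    if name != ename:  # exact name match: 'apache-itk' never matches 'apache'
        return False
    return all(OPS[op](compare(version, pat)) for op, pat in bounds)


if __name__ == "__main__":
    for pkg in ("apache-2.2.19", "apache-2.2.20", "apache-itk-2.2.19"):
        print(pkg, "old:", is_affected(pkg, OLD_ENTRY), "new:", is_affected(pkg, NEW_ENTRY))
```

With the old entry 2.2.20 is wrongly flagged; with the fixed entry only versions below 2.2.20 match, and the ITK slave port is missed entirely, which is the gap Jeremy points out.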