[Midnightbsd-cvs] mports: www/apache22: CVE-2008-2939 Cross-site scripting (XSS)
laffer1 at midnightbsd.org
laffer1 at midnightbsd.org
Sat Sep 20 11:18:30 EDT 2008
Log Message:
-----------
CVE-2008-2939
Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the mod_proxy_ftp module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c in the mod_proxy_ftp module in Apache 2.2.9 and earlier 2.2 versions, allows remote attackers to inject arbitrary web script or HTML via a wildcard in the last directory component in the pathname in an FTP URI.
Modified Files:
--------------
mports/www/apache22:
Makefile (r1.8 -> r1.9)
pkg-plist (r1.4 -> r1.5)
mports/www/apache22/files:
apache22.sh.in (r1.3 -> r1.4)
Added Files:
-----------
mports/www/apache22/files:
htcacheclean.sh.in (r1.1)
patch-CVE-2008-2939 (r1.1)
-------------- next part --------------
Index: pkg-plist
===================================================================
RCS file: /home/cvs/mports/www/apache22/pkg-plist,v
retrieving revision 1.4
retrieving revision 1.5
diff -L www/apache22/pkg-plist -L www/apache22/pkg-plist -u -r1.4 -r1.5
--- www/apache22/pkg-plist
+++ www/apache22/pkg-plist
@@ -1,4 +1,4 @@
- at comment $FreeBSD: /usr/local/www/cvsroot/FreeBSD/ports/www/apache22/pkg-plist,v 1.87 2008/06/23 21:11:14 clement Exp $
+ at comment $MidnightBSD$
@exec mkdir -p %D/etc/apache22/extra 2> /dev/null
@exec mkdir -p %D/etc/apache22/Includes 2> /dev/null || true
@exec mkdir -p %D/etc/apache22/envvars.d 2> /dev/null || true
Index: Makefile
===================================================================
RCS file: /home/cvs/mports/www/apache22/Makefile,v
retrieving revision 1.8
retrieving revision 1.9
diff -L www/apache22/Makefile -L www/apache22/Makefile -u -r1.8 -r1.9
--- www/apache22/Makefile
+++ www/apache22/Makefile
@@ -9,6 +9,7 @@
PORTNAME= apache
PORTVERSION= 2.2.9
+PORTREVISION= 1
CATEGORIES= www
MASTER_SITES= ${MASTER_SITE_APACHE_HTTPD} \
${MASTER_SITE_LOCAL:S/%SUBDIR%\//clement\/:aprmysql/}
@@ -40,9 +41,10 @@
USE_APACHE= common22
USE_BZIP2= yes
USE_ICONV= yes
-USE_AUTOTOOLS= autoconf:261 libtool:15
+USE_AUTOTOOLS= autoconf:262 libtool:15
USE_PERL5= yes
-USE_RC_SUBR= apache22.sh
+USE_RC_SUBR= apache22.sh htcacheclean.sh
+SUB_LIST+= RC_SUBR_SUFFIX=${RC_SUBR_SUFFIX}
LIBTOOLFILES= configure
.if !defined(WITH_APR_FROM_PORTS)
@@ -127,7 +129,7 @@
CONFIGURE_ENV+= LTFLAGS="--tag=CXX"
.else
PLIST_SUB+= APR_PORTS=""
-CONFLICTS+= apr-1.*
+CONFLICTS+= apr-1.* apr-db4[0-9]-1.*
CONFIGURE_ENV+= USE_BUNDLED_APR=YES
.endif
Index: apache22.sh.in
===================================================================
RCS file: /home/cvs/mports/www/apache22/files/apache22.sh.in,v
retrieving revision 1.3
retrieving revision 1.4
diff -L www/apache22/files/apache22.sh.in -L www/apache22/files/apache22.sh.in -u -r1.3 -r1.4
--- www/apache22/files/apache22.sh.in
+++ www/apache22/files/apache22.sh.in
@@ -1,7 +1,7 @@
#!/bin/sh
#
# $MidnightBSD$
-# $FreeBSD: ports/www/apache22/files/apache22.sh.in,v 1.2 2007/01/13 12:13:12 clement Exp $
+# $FreeBSD: ports/www/apache22/files/apache22.sh.in,v 1.5 2007/09/18 20:03:15 clement Exp $
#
# PROVIDE: apache22
@@ -89,21 +89,17 @@
fi
else
if [ "x${apache22_profiles}" != "x" -a "x$1" != "x" ]; then
- if [ "x$1" != "xrestart" ]; then
- for profile in ${apache22_profiles}; do
- echo "===> apache22 profile: ${profile}"
- %%PREFIX%%/etc/rc.d/apache22.sh $1 ${profile}
- retcode="$?"
- if [ "0${retcode}" -ne 0 ]; then
- failed="${profile} (${retcode}) ${failed:-}"
- else
- success="${profile} ${success:-}"
- fi
- done
- exit 0
- else
- restart_precmd=""
- fi
+ for profile in ${apache22_profiles}; do
+ echo "===> apache22 profile: ${profile}"
+ %%PREFIX%%/etc/rc.d/apache22%%RC_SUBR_SUFFIX%% $1 ${profile}
+ retcode="$?"
+ if [ "0${retcode}" -ne 0 ]; then
+ failed="${profile} (${retcode}) ${failed:-}"
+ else
+ success="${profile} ${success:-}"
+ fi
+ done
+ exit 0
fi
fi
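Review bot: The profile loop still ends in an unconditional `exit 0`, so when one profile's invocation returns non-zero the status is collected into `failed` but never reported or reflected in the script's own exit status, and the caller sees success. Replacing the `exit 0` with `[ -n "${failed:-}" ] && { echo "apache22: failed profiles: ${failed}" >&2; exit 1; }` followed by `exit 0` keeps the success path unchanged while surfacing failures. The recursive call also passes `$1` and `${profile}` unquoted; `"$1"` costs nothing and avoids word-splitting an odd argument. The enclosing `if`/`else` begins before this hunk, so `failed` and `success` may be consumed elsewhere, but nothing visible here uses them.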
@@ -121,6 +117,11 @@
apache22_checkconfig()
{
+ if test -f %%PREFIX%%/sbin/envvars
+ then
+ . %%PREFIX%%/sbin/envvars
+ fi
+
echo "Performing sanity check on apache22 configuration:"
eval ${command} ${apache22_flags} -t
}
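Review bot: apache22_checkconfig now sources `%%PREFIX%%/sbin/envvars` before the `-t` run without a comment saying why, and since the following hunk removes the identical block from the start precmd, a later reader may take the addition for a stray copy. A one-line comment above the `test -f` would fix that: `# source envvars before the config test so -t sees the same environment the server is started with`. The function is complete within the hunk, so the comment can sit right under the opening brace.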
@@ -143,11 +144,6 @@
{
apache22_checkconfig
- if test -f %%PREFIX%%/sbin/envvars
- then
- . %%PREFIX%%/sbin/envvars
- fi
-
if checkyesno apache22limits_enable
then
eval `/usr/bin/limits ${apache22limits_args}` 2>/dev/null
--- /dev/null
+++ www/apache22/files/patch-CVE-2008-2939
@@ -0,0 +1,11 @@
+--- modules/proxy/mod_proxy_ftp.c 2008/08/05 19:00:05 682869
++++ modules/proxy/mod_proxy_ftp.c 2008/08/05 19:01:50 682870
+@@ -383,6 +383,7 @@
+ c->bucket_alloc));
+ }
+ if (wildcard != NULL) {
++ wildcard = ap_escape_html(p, wildcard);
+ APR_BRIGADE_INSERT_TAIL(out, apr_bucket_pool_create(wildcard,
+ strlen(wildcard), p,
+ c->bucket_alloc));
+
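Review bot: The patch file records nothing about what it fixes; the only provenance is the upstream timestamp and revision in the `---`/`+++` headers. patch(1) ignores text before the first `---` header, so a leading line such as `CVE-2008-2939: escape the FTP wildcard with ap_escape_html() before it is written into the generated directory listing (upstream r682870)` is harmless and makes the file self-explaining. The added line rebinds `wildcard` to the escaped copy before the `strlen(wildcard)` two lines below, so the bucket length stays consistent with the escaped text. This mail rendering has lost the leading whitespace of every hunk line; if the committed file lost it as well the hunk will not apply to mod_proxy_ftp.c, which `make patch` would show.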
--- /dev/null
+++ www/apache22/files/htcacheclean.sh.in
@@ -0,0 +1,64 @@
+#!/bin/sh
+#
+#
+#
+
+# PROVIDE: htcacheclean
+
+#
+# Configuration settings for htcacheclean in /etc/rc.conf
+#
+# htcacheclean_enable (bool)
+# Set to "NO" by default
+# Set it to "YES" to enable htcacheclean
+#
+# htcacheclean_cache (str) Set to "%%PREFIX%%/www/proxy" by default Set the
+# location of the mod_disk_cache CacheRoot This should be the same as whats in
+# your httpd.conf
+#
+# htcacheclean_cachelimit (str) Set to "512M" by default Sets the size
+# htcacheclean should prune the disk cache to expressed in bytes by default, K
+# for kilobytes, M for megabytes.
+#
+# htcacheclean_interval (num)
+# Set to "10" by default
+# Sets how frequently in munutes htcacheclean wakes up and prunes the cache
+#
+# htcacheclean_args (str)
+# Set to "-t -n -i" by default
+# Sets extra command-line arguments to htcacheclean
+# -t Delete all empty directories
+# -n Be nice by sleeping occasionally to not saturate the I/O bandwith of the disk
+# -i Run only when there was a modification of the disk cache
+
+. %%RC_SUBR%%
+
+htcacheclean_enable="${htcacheclean_enable:-"NO"}"
+htcacheclean_cache="${htcacheclean_cache:-"%%PREFIX%%/www/proxy"}"
+htcacheclean_cachelimit="${htcacheclean_cachelimit:-"512M"}"
+htcacheclean_interval="${htcacheclean_interval:-"60"}"
+htcacheclean_args="${htcacheclean_args:-"-t -n -i"}"
+
+
+name="htcacheclean"
+rcvar=`set_rcvar`
+
+start_precmd="htc_check"
+restart_precmd="htc_check"
+restart_reload="htc_check"
+load_rc_config "${name}"
+
+command="%%PREFIX%%/sbin/htcacheclean"
+flags="-p${htcacheclean_cache} -d${htcacheclean_interval} -l${htcacheclean_cachelimit} ${htcacheclean_args}"
+required_dirs="${htcacheclean_cache}"
+
+htc_check()
+{
+ [ ! -d ${htcacheclean_cache} ] && {
+ echo ""
+ return 1
+ }
+ return 0
+}
+
+run_rc_command "$1"
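Review bot: The header comment says `htcacheclean_interval` defaults to "10" while the script sets `htcacheclean_interval="${htcacheclean_interval:-"60"}"`; one of the two should change so the documented default matches the real one. In `htc_check` the test `[ ! -d ${htcacheclean_cache} ]` is unquoted and the failure branch prints only `echo ""`, so a cache path containing whitespace misbehaves and a missing directory fails without a message; `[ -d "${htcacheclean_cache}" ] || { echo "${name}: cache directory ${htcacheclean_cache} does not exist" >&2; return 1; }` does both, although `required_dirs` already makes rc.subr refuse to start when the directory is absent, so the function may be redundant. `restart_reload="htc_check"` does not look like an rc.subr hook name; if a pre-check for `reload` was intended, the variable is `reload_precmd`, which is worth confirming against rc.subr(8). The script sets no `${name}_user`, so htcacheclean prunes the cache with the rc script's own privileges; if the cache root is owned by the web server's user, running it as that user via `htcacheclean_user` would be the lower-privilege choice.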