[Midnightbsd-cvs] mports: www/apache22: CVE-2008-2939 Cross-site scripting (XSS)

laffer1 at midnightbsd.org laffer1 at midnightbsd.org
Sat Sep 20 11:18:30 EDT 2008


Log Message:
-----------
CVE-2008-2939

Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the mod_proxy_ftp module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c in the mod_proxy_ftp module in Apache 2.2.9 and earlier 2.2 versions, allows remote attackers to inject arbitrary web script or HTML via a wildcard in the last directory component in the pathname in an FTP URI.

Modified Files:
--------------
    mports/www/apache22:
        Makefile (r1.8 -> r1.9)
        pkg-plist (r1.4 -> r1.5)
    mports/www/apache22/files:
        apache22.sh.in (r1.3 -> r1.4)

Added Files:
-----------
    mports/www/apache22/files:
        htcacheclean.sh.in (r1.1)
        patch-CVE-2008-2939 (r1.1)

Index: pkg-plist
===================================================================
RCS file: /home/cvs/mports/www/apache22/pkg-plist,v
retrieving revision 1.4
retrieving revision 1.5
diff -L www/apache22/pkg-plist -L www/apache22/pkg-plist -u -r1.4 -r1.5
--- www/apache22/pkg-plist
+++ www/apache22/pkg-plist
@@ -1,4 +1,4 @@
- at comment $FreeBSD: /usr/local/www/cvsroot/FreeBSD/ports/www/apache22/pkg-plist,v 1.87 2008/06/23 21:11:14 clement Exp $
+ at comment $MidnightBSD$
 @exec mkdir -p %D/etc/apache22/extra 2> /dev/null
 @exec mkdir -p %D/etc/apache22/Includes 2> /dev/null || true
 @exec mkdir -p %D/etc/apache22/envvars.d 2> /dev/null || true
Index: Makefile
===================================================================
RCS file: /home/cvs/mports/www/apache22/Makefile,v
retrieving revision 1.8
retrieving revision 1.9
diff -L www/apache22/Makefile -L www/apache22/Makefile -u -r1.8 -r1.9
--- www/apache22/Makefile
+++ www/apache22/Makefile
@@ -9,6 +9,7 @@
 
 PORTNAME=	apache
 PORTVERSION=	2.2.9
+PORTREVISION=	1
 CATEGORIES=	www
 MASTER_SITES=	${MASTER_SITE_APACHE_HTTPD} \
 		${MASTER_SITE_LOCAL:S/%SUBDIR%\//clement\/:aprmysql/}
@@ -40,9 +41,10 @@
 USE_APACHE=		common22
 USE_BZIP2=		yes
 USE_ICONV=		yes
-USE_AUTOTOOLS=	autoconf:261 libtool:15
+USE_AUTOTOOLS=	autoconf:262 libtool:15
 USE_PERL5=		yes
-USE_RC_SUBR=		apache22.sh
+USE_RC_SUBR=		apache22.sh htcacheclean.sh
+SUB_LIST+=		RC_SUBR_SUFFIX=${RC_SUBR_SUFFIX}
 LIBTOOLFILES=		configure
 
 .if !defined(WITH_APR_FROM_PORTS)
@@ -127,7 +129,7 @@
 CONFIGURE_ENV+=		LTFLAGS="--tag=CXX"
 .else
 PLIST_SUB+=	APR_PORTS=""
-CONFLICTS+=	apr-1.*
+CONFLICTS+=	apr-1.* apr-db4[0-9]-1.*
 CONFIGURE_ENV+=	USE_BUNDLED_APR=YES
 .endif
 
Index: apache22.sh.in
===================================================================
RCS file: /home/cvs/mports/www/apache22/files/apache22.sh.in,v
retrieving revision 1.3
retrieving revision 1.4
diff -L www/apache22/files/apache22.sh.in -L www/apache22/files/apache22.sh.in -u -r1.3 -r1.4
--- www/apache22/files/apache22.sh.in
+++ www/apache22/files/apache22.sh.in
@@ -1,7 +1,7 @@
 #!/bin/sh
 #
 # $MidnightBSD$
-# $FreeBSD: ports/www/apache22/files/apache22.sh.in,v 1.2 2007/01/13 12:13:12 clement Exp $
+# $FreeBSD: ports/www/apache22/files/apache22.sh.in,v 1.5 2007/09/18 20:03:15 clement Exp $
 #
 
 # PROVIDE: apache22
@@ -89,21 +89,17 @@
 	fi
 else
 	if [ "x${apache22_profiles}" != "x" -a "x$1" != "x" ]; then
-		if [ "x$1" != "xrestart" ]; then
-			for profile in ${apache22_profiles}; do
-				echo "===> apache22 profile: ${profile}"
-				%%PREFIX%%/etc/rc.d/apache22.sh $1 ${profile}
-				retcode="$?"
-				if [ "0${retcode}" -ne 0 ]; then
-					failed="${profile} (${retcode}) ${failed:-}"
-				else
-					success="${profile} ${success:-}"
-				fi
-			done
-			exit 0
-		else
-			restart_precmd=""
-		fi
+		for profile in ${apache22_profiles}; do
+			echo "===> apache22 profile: ${profile}"
+			%%PREFIX%%/etc/rc.d/apache22%%RC_SUBR_SUFFIX%% $1 ${profile}
+			retcode="$?"
+			if [ "0${retcode}" -ne 0 ]; then
+				failed="${profile} (${retcode}) ${failed:-}"
+			else
+				success="${profile} ${success:-}"
+			fi
+		done
+		exit 0
 	fi
 fi
 
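Review bot: The per-profile loop still finishes with an unconditional `exit 0`, so the `failed` list it builds is never reported and a profile whose recursive rc invocation returned non-zero still leaves the wrapper exiting successfully (`success` is likewise collected and never read). Replacing that bare exit with `[ -z "${failed}" ] && exit 0` followed by `echo "===> apache22 profile(s) failed: ${failed}" >&2; exit 1` keeps iterating over every profile while surfacing the failure to whoever ran the script. The `$1` passed to `%%PREFIX%%/etc/rc.d/apache22%%RC_SUBR_SUFFIX%%` is unquoted; `"$1"` costs nothing and is the safer habit even though the value is normally a bare command name. Dropping the `restart` special case means restart now also goes through this loop, which looks intended, but the enclosing `if`/`else` begins before this hunk so the surrounding branch could not be checked.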
@@ -121,6 +117,11 @@
 
 apache22_checkconfig()
 {
+	if test -f %%PREFIX%%/sbin/envvars
+	then
+		. %%PREFIX%%/sbin/envvars
+	fi
+
 	echo "Performing sanity check on apache22 configuration:"
 	eval ${command} ${apache22_flags} -t
 }
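Review bot: apache22_checkconfig now sources `%%PREFIX%%/sbin/envvars` into the current shell before running the `-t` check, so every caller of the function (at least apache22_start, which still calls it in the next hunk) inherits whatever envvars exports, but nothing in the function records that this is the point of the move. A comment above the `test -f` would make it self-explanatory, for example `# Source envvars here rather than in apache22_start so the -t sanity check runs with the same environment as the real start; the variables persist in this shell for the commands that follow.` The silent skip when envvars is absent appears deliberate and could be stated in the same comment.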
@@ -143,11 +144,6 @@
 {
 	apache22_checkconfig
 
-	if test -f %%PREFIX%%/sbin/envvars
-	then
-		. %%PREFIX%%/sbin/envvars
-	fi
-
 	if checkyesno apache22limits_enable
 	then
 		eval `/usr/bin/limits ${apache22limits_args}` 2>/dev/null
--- /dev/null
+++ www/apache22/files/patch-CVE-2008-2939
@@ -0,0 +1,11 @@
+--- modules/proxy/mod_proxy_ftp.c	2008/08/05 19:00:05	682869
++++ modules/proxy/mod_proxy_ftp.c	2008/08/05 19:01:50	682870
+@@ -383,6 +383,7 @@
+                                                            c->bucket_alloc));
+         }
+         if (wildcard != NULL) {
++            wildcard = ap_escape_html(p, wildcard);
+             APR_BRIGADE_INSERT_TAIL(out, apr_bucket_pool_create(wildcard,
+                                                            strlen(wildcard), p,
+                                                            c->bucket_alloc));
+
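Review bot: The new patch file carries no note of what it fixes or where it came from; the only provenance is the 682869/682870 numbers in the `---`/`+++` timestamp fields, which appear to be upstream svn revisions. Since patch(1) skips leading text before the first `---` header, a one-line header such as `CVE-2008-2939: escape the FTP wildcard with ap_escape_html() before it is inserted into the directory-listing HTML (apparently upstream r682870); drop when the port moves past 2.2.9.` would tell the next maintainer when the patch can be removed. The change itself is a single-line escape of `wildcard` inside the `if (wildcard != NULL)` block; the enclosing function starts and ends outside this hunk, so whether the other strings written into the same listing are already escaped cannot be confirmed from here.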
--- /dev/null
+++ www/apache22/files/htcacheclean.sh.in
@@ -0,0 +1,64 @@
+#!/bin/sh
+#
+#
+#
+
+# PROVIDE: htcacheclean
+
+#
+# Configuration settings for htcacheclean in /etc/rc.conf
+#
+# htcacheclean_enable (bool) 
+# Set to "NO" by default 
+# Set it to "YES" to enable htcacheclean
+#
+# htcacheclean_cache (str) Set to "%%PREFIX%%/www/proxy" by default Set the
+# location of the mod_disk_cache CacheRoot This should be the same as whats in
+# your httpd.conf
+#
+# htcacheclean_cachelimit (str) Set to "512M" by default Sets the size
+# htcacheclean should prune the disk cache to expressed in bytes by default, K
+# for kilobytes, M for megabytes.
+#
+# htcacheclean_interval (num) 
+# Set to "10" by default
+# Sets how frequently in munutes htcacheclean wakes up and prunes the cache
+#
+# htcacheclean_args (str)
+# Set to "-t -n -i" by default
+# Sets extra command-line arguments to htcacheclean
+# -t Delete all empty directories
+# -n Be nice by sleeping occasionally to not saturate the I/O bandwith of the disk
+# -i Run only when there was a modification of the disk cache
+
+. %%RC_SUBR%%
+
+htcacheclean_enable="${htcacheclean_enable:-"NO"}"
+htcacheclean_cache="${htcacheclean_cache:-"%%PREFIX%%/www/proxy"}"
+htcacheclean_cachelimit="${htcacheclean_cachelimit:-"512M"}"
+htcacheclean_interval="${htcacheclean_interval:-"60"}"
+htcacheclean_args="${htcacheclean_args:-"-t -n -i"}"
+
+
+name="htcacheclean"
+rcvar=`set_rcvar`
+
+start_precmd="htc_check"
+restart_precmd="htc_check"
+restart_reload="htc_check"
+load_rc_config "${name}"
+
+command="%%PREFIX%%/sbin/htcacheclean"
+flags="-p${htcacheclean_cache} -d${htcacheclean_interval} -l${htcacheclean_cachelimit} ${htcacheclean_args}"
+required_dirs="${htcacheclean_cache}"
+
+htc_check()
+{
+	[ ! -d ${htcacheclean_cache} ] && {
+		echo ""
+		return 1
+	}
+	return 0
+}
+
+run_rc_command "$1"
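Review bot: The header comment states that `htcacheclean_interval` is `Set to "10" by default`, but the assignment further down defaults it to `"60"`; one of the two must change, presumably the comment (`# Set to "60" by default`). In `htc_check` the failure branch prints an empty line and returns 1, so an operator whose cache directory is missing gets no explanation why start was refused; replacing the empty echo with `echo "htcacheclean: cache directory ${htcacheclean_cache} does not exist" >&2` and quoting the test as `[ ! -d "${htcacheclean_cache}" ]` fixes that, and the check also duplicates what `required_dirs` already asks rc.subr to verify. `restart_reload="htc_check"` does not look like a variable name rc.subr consults (`reload_precmd` is the usual form), so it is probably a typo worth confirming against rc.subr(8). Minor: the header block lacks the `$MidnightBSD$` tag the sibling apache22.sh.in carries, and "munutes" and "bandwith" in the comments are typos.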

