
Software security issues on Ysul
Closed, Resolved | Public

Description

Apache 2.4, Django 1.6.6 and bittorrent-libutp-0.20130514 have security issues (see P34).

Event Timeline

dereckson renamed this task from "Software security issues on Ysul (see P34)" to "Software security issues on Ysul". Feb 24 2015, 17:08
dereckson updated the task description.
dereckson added a project: security.

Resolved for bittorrent-libutp.

bittorrent-libutp: 0.20130514 -> 0.20130514_1

Django upgraded to 1.7.3

Apache still to do. Beware of the custom SuEXEC PHP patch.

As noted on P34, we don't use any of the Apache features with the reported vulnerabilities.

Apache reinstalled.

To avoid having to manually tweak the configure line, I've opened a bug in the FreeBSD tracker to get back the possibility to specify the SuEXEC docroot.

Meanwhile, the Apache reinstallation procedure is to add our SuEXEC/PHP patch to the files folder, use F1380 as the configure line, then build and install the package normally.

It could be something like:

# Drop our SuEXEC/PHP patch into the port's files/ directory so `make patch` applies it
cd /usr/ports/www/apache24/files
fetch http://dereckson.devio.us/patches/patch-support__suexec.c
cd ..
make patch
# Re-run configure inside the extracted source with the saved configure line (F1380)
cd work/httpd-2.4.*
arc download F1380
sh config.nice
# Mark the configure stage as done so the ports framework does not rerun its own configure
cd ..
touch .configure_done.apache._usr_local
# Back in the port directory: build, remove the old package and install the new one
cd ..
make build deinstall reinstall

There is also an issue (solved) with OpenSSL, see T223.

So for reference, we can now customize SuEXEC settings.

To add to /etc/make.conf:
# www/apache24
SUEXEC_DOCROOT=/var/wwwroot
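The timeline above records the fixed versions (bittorrent-libutp 0.20130514_1, Django 1.7.3) but no check that the host actually ends up at or above them. The following script is an added example, not part of this task or of the Nasqueron tooling: it parses `pkg info`-style `name-version` lines (a constructed sample is embedded) and compares FreeBSD package versions in the `version[_revision][,epoch]` form, so the `_1` PORTREVISION bump is recognised as newer than the unrevised package. The comparison is a simplified version of pkg's own rules (numeric runs compared as integers, alphabetic runs as strings), and the `py27-django` package name is an assumption used for illustration.

```python
"""Audit installed FreeBSD packages against minimum fixed versions.

Added example for this task; the package list and `pkg info` sample below
are constructed, and the version comparison is a simplified form of pkg's.
"""
import re

# Minimum versions that close the issues recorded in the task timeline.
# Apache has no fixed version stated in the task, so it is not listed.
# "py27-django" is an assumed package name for illustration.
REQUIRED_MIN = {
    "bittorrent-libutp": "0.20130514_1",
    "py27-django": "1.7.3",
}

# Constructed sample of `pkg info` output (one name-version per line),
# representing the host before the upgrades were applied.
SAMPLE_PKG_INFO = """\
apache24-2.4.12
bittorrent-libutp-0.20130514
py27-django-1.6.6
openssl-1.0.1_18
"""


def split_pkg(line):
    """Split 'name-version' at the last '-' that starts a digit-led version."""
    m = re.match(r"^(.+)-(\d[^-\s]*)$", line.strip())
    if not m:
        raise ValueError("not a name-version line: %r" % line)
    return m.group(1), m.group(2)


def parse_version(ver):
    """Parse 'version[_revision][,epoch]' into a comparable tuple.

    Order of precedence, as in FreeBSD package versions: epoch first, then the
    dotted version, then the PORTREVISION suffix. Inside the version, numeric
    runs compare as integers and alphabetic runs as strings (simplified).
    """
    epoch = 0
    if "," in ver:
        ver, epoch_s = ver.split(",", 1)
        epoch = int(epoch_s)
    revision = 0
    if "_" in ver:
        ver, rev_s = ver.split("_", 1)
        revision = int(rev_s)
    parts = []
    for chunk in re.findall(r"\d+|[A-Za-z]+", ver):
        # Tag numeric and alpha chunks so mixed comparisons never raise.
        parts.append((0, int(chunk)) if chunk.isdigit() else (1, chunk))
    return (epoch, parts, revision)


def is_at_least(installed, required):
    """True when the installed version is the required one or newer."""
    return parse_version(installed) >= parse_version(required)


def audit(pkg_info_text, required=REQUIRED_MIN):
    """Return {name: (installed_or_None, required, ok)} for each required package."""
    installed = {}
    for line in pkg_info_text.splitlines():
        if line.strip():
            name, ver = split_pkg(line)
            installed[name] = ver
    report = {}
    for name, minimum in required.items():
        have = installed.get(name)
        ok = have is not None and is_at_least(have, minimum)
        report[name] = (have, minimum, ok)
    return report


if __name__ == "__main__":
    for name, (have, minimum, ok) in sorted(audit(SAMPLE_PKG_INFO).items()):
        status = "ok" if ok else "NEEDS UPGRADE"
        print("%-20s installed=%-14s required>=%-14s %s"
              % (name, have or "(missing)", minimum, status))
```

On a real host, feed it `pkg info` output instead of the constructed sample; a missing package is reported as failing rather than silently skipped, which is what you want when confirming a remediation.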