Software security issues on Ysul
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	dereckson
	Feb 24 2015, 17:07

Description

Apache 2.4, Django 1.6.6 and bittorrent-libutp-0.20130514 have security issue (see P34).

Related Objects
Search...

		Status	Subtype	Assigned	Task
		Resolved		dereckson	T214 Software security issues on Ysul
		Resolved		dereckson	T223 Upgrade OpenSSL on Ysul

Event Timeline

dereckson claimed this task.Feb 24 2015, 17:07

dereckson added a project: Servers.

Resolved for bittorrent-libutp.

bittorrent-libutp: 0.20130514 -> 0.20130514_1

Django upgraded to 1.7.3

Apache still to do. Beware of SuEXEC custom PHP patch.

As noted on P34, we don't use any of the Apache features with the reported vulnerabilites.

dereckson mentioned this in T218: Update PHP and Apache on Ysul.Mar 17 2015, 18:05

Apache reinstalled.

To avoid to have to manually tweak the configuration line, I've open a bug in the FreeBSD tracker to get back the possibility to specify the SuEXEC docroot.

Meanwhile, the Apache reinstallation procedure is to add our SuEXEC/PHP patch in the files folder, and use F1380 as configure line, then build the and install the package normally.

It could be something like:

cd /usr/ports/www/apache24/files
fetch http://dereckson.devio.us/patches/patch-support__suexec.c
cd ..
make patch
cd work/httpd-2.4.*
arc download F1380
sh config.nice
cd ..
touch .configure_done.apache._usr_local
cd ..
make build deinstall reinstall

There is also an issue (solved) with OpenSSL, see T223.

dereckson added a subtask: T223: Upgrade OpenSSL on Ysul.Mar 21 2015, 15:09

So for reference, we can now customize SuEXEC settings.

To add to /etc/make.conf

# www/apache24
SUEXEC_DOCROOT=/var/wwwroot

	F1380: config.nice
	Mar 21 2015, 15:08

Software security issues on YsulClosed, ResolvedPublicActions

Description

Related ObjectsSearch...

Event Timeline

Software security issues on Ysul
Closed, ResolvedPublic
Actions

Related Objects
Search...