Apache 2.4, Django 1.6.6 and bittorrent-libutp-0.20130514 have security issues (see P34).
Description
Status | Subtype | Assigned | Task
---|---|---|---
Resolved | | dereckson | T214 Software security issues on Ysul
Resolved | | dereckson | T223 Upgrade OpenSSL on Ysul
Event Timeline
Comment Actions
As noted on P34, we don't use any of the Apache features with the reported vulnerabilities.
Comment Actions
Apache reinstalled.
To avoid having to manually tweak the configuration line, I've opened a bug in the FreeBSD tracker to get back the possibility to specify the SuEXEC docroot.
Meanwhile, the Apache reinstallation procedure is to add our SuEXEC/PHP patch in the files folder, and use F1380 as configure line, then build and install the package normally.
It could be something like:
```
cd /usr/ports/www/apache24/files
fetch http://dereckson.devio.us/patches/patch-support__suexec.c
cd ..
make patch
cd work/httpd-2.4.*
arc download F1380
sh config.nice
cd ..
touch .configure_done.apache._usr_local
cd ..
make build deinstall reinstall
```
Comment Actions
So for reference, we can now customize SuEXEC settings.
To add to /etc/make.conf
```
# www/apache24
SUEXEC_DOCROOT=/var/wwwroot
```
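
Added example (not part of the original thread and not the project's own code): a post-rebuild check that the docroot compiled into the suexec binary matches the `SUEXEC_DOCROOT` set in make.conf, so a rebuild that silently falls back to the port default is caught. It relies on `suexec -V`, which prints the compiled-in `-D AP_DOC_ROOT=...` settings on stderr when run as root; the sample output and the binary path `/usr/local/sbin/suexec` are assumptions.

```sh
#!/bin/sh
# Added example: compare the docroot built into suexec with make.conf.

# Print the AP_DOC_ROOT value found in `suexec -V` output read on stdin.
suexec_docroot() {
    sed -n 's/^[[:space:]]*-D AP_DOC_ROOT="\(.*\)".*$/\1/p' | head -n 1
}

# Print the last uncommented SUEXEC_DOCROOT assignment in make.conf text on stdin.
makeconf_docroot() {
    awk '/^[ \t]*SUEXEC_DOCROOT[ \t]*=/ {
             v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); last = v
         }
         END { if (last != "") print last }'
}

# Succeed only when both values are non-empty and equal (trailing slash ignored).
same_docroot() {
    a=${1%/}; b=${2%/}
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Real use, as root (binary path is an assumption):
#   verify_suexec /usr/local/sbin/suexec /etc/make.conf
verify_suexec() {
    built=$("$1" -V 2>&1 | suexec_docroot)
    wanted=$(makeconf_docroot < "$2")
    same_docroot "$built" "$wanted"
}

# Constructed sample of `suexec -V` output (values other than the docroot are made up).
SAMPLE_V=' -D AP_DOC_ROOT="/var/wwwroot"
 -D AP_GID_MIN=1000
 -D AP_HTTPD_USER="www"
 -D AP_UID_MIN=1000'
# Constructed make.conf fragment matching the one in the thread.
SAMPLE_CONF='# www/apache24
SUEXEC_DOCROOT=/var/wwwroot'

built=$(printf '%s\n' "$SAMPLE_V" | suexec_docroot)
wanted=$(printf '%s\n' "$SAMPLE_CONF" | makeconf_docroot)
if same_docroot "$built" "$wanted"; then
    echo "suexec docroot matches make.conf: $built"
else
    echo "MISMATCH: suexec has '$built', make.conf wants '$wanted'"
fi
```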