[Bug 215457] www/apache24 2.4.23 requires security update per listed CVEs
bugzilla-noreply at freebsd.org
Wed Dec 21 00:42:43 UTC 2016
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=215457
Bug ID: 215457
Summary: www/apache24 2.4.23 requires security update per listed CVEs
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: Individual Port(s)
Assignee: apache at FreeBSD.org
Reporter: dewayne at heuristicsystems.com.au
Flags: maintainer-feedback?(apache at FreeBSD.org)
Apache announced the following CVEs that are addressed in Apache 2.4.25.
Might be time for an update to the port.
CVE-2016-0736 (cve.mitre.org)
  mod_session_crypto: Authenticate the session data/cookie with a MAC (SipHash) to prevent deciphering or tampering with a padding oracle attack.

CVE-2016-2161 (cve.mitre.org)
  mod_auth_digest: Prevent segfaults during client entry allocation when the shared memory space is exhausted.

CVE-2016-5387 (cve.mitre.org)
  core: Mitigate [f]cgi "httpoxy" issues.

CVE-2016-8740 (cve.mitre.org)
  mod_http2: Mitigate DoS memory exhaustion via endless CONTINUATION frames.

CVE-2016-8743 (cve.mitre.org)
  Enforce HTTP request grammar corresponding to RFC7230 for request lines and request headers, to prevent response splitting and cache pollution by malicious clients or downstream proxies.
After changing the PORTVERSION, running makesum and removing the patch "files/patch-CVE-2016-8740", I came across other issues that may pertain to my env?? This was on 11.0-STABLE amd64, as a hint that it may not be straightforward.
Thanks to doctor at doctor.nl2k.ab.ca for circulating the announcement.