[Bug 216752] www/obhttpd: OpenBSD errata, Jan 31, 2017
bugzilla-noreply at freebsd.org
Fri Feb 3 11:44:30 UTC 2017
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=216752
Bug ID: 216752
Summary: www/obhttpd: OpenBSD errata, Jan 31, 2017
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Keywords: patch
Severity: Affects Only Me
Priority: ---
Component: Individual Port(s)
Assignee: freebsd-ports-bugs at FreeBSD.org
Reporter: t at tobik.me
CC: koue at chaosophia.net
Attachment #179563 Flags: maintainer-approval?(koue at chaosophia.net)
Flags: maintainer-feedback?(koue at chaosophia.net)
Created attachment 179563
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=179563&action=edit
www___obhttpd.diff
There was a recent OpenBSD 6.0 errata for httpd (see below).
Since www/obhttpd seems to be based on the 6.0 version it's
probably affected too.
---------
From: Bob Beck <beck at openbsd.org>
Date: Wed, 1 Feb 2017 23:07:12 -0700
Subject: OpenBSD errata, Jan 31, 2017
To: announce at openbsd.org, tech <tech at openbsd.org>
An issue has been identified whereby httpd(8) could be subject to a denial
of service attack. Repeated crafted requests could be made from a client
using file-range requests, making the server consume excessive amounts of
memory.
This issue has been fixed in current. For 5.9 and 6.0 the following errata
will disable range header processing in httpd(8) to prevent the problem.
Thanks to Pierre Kim <pierre.kim.sec at gmail.com> for reporting
the issue.
https://ftp.openbsd.org/pub/OpenBSD/patches/6.0/common/017_httpd.patch.sig
https://ftp.openbsd.org/pub/OpenBSD/patches/5.9/common/034_httpd.patch.sig