Here's a fix committed upstream for CVE-2014-4668. https://github.com/cherokee/webserver/commit/fbda667221c51f0aa476a02366e0cf66cb012f88
More background information: http://marc.info/?l=oss-security&m=140396290228252&w=2 ok?
Index: Makefile
===================================================================
RCS file: /cvs/ports/www/cherokee/Makefile,v
retrieving revision 1.48
diff -u -p -r1.48 Makefile
--- Makefile 21 Apr 2014 13:03:40 -0000 1.48
+++ Makefile 22 Jul 2014 10:43:15 -0000
@@ -20,7 +20,7 @@ PKGNAME-streaming = cherokee-streaming-$
 REVISION-main = 3
 REVISION-geoip = 2
-REVISION-ldap = 5
+REVISION-ldap = 6
 REVISION-mysql = 4
 REVISION-streaming = 3
Index: patches/patch-cherokee_validator_ldap_c
===================================================================
RCS file: patches/patch-cherokee_validator_ldap_c
diff -N patches/patch-cherokee_validator_ldap_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-cherokee_validator_ldap_c 22 Jul 2014 10:42:30 -0000
@@ -0,0 +1,14 @@
+$OpenBSD$
+Fix for CVE-2014-4668.
+--- cherokee/validator_ldap.c.orig Tue Jul 22 12:40:31 2014
++++ cherokee/validator_ldap.c Tue Jul 22 12:41:11 2014
+@@ -331,7 +331,8 @@ cherokee_validator_ldap_check (cherokee_validator_ldap
+ /* Sanity checks
+ */
+ if ((conn->validator == NULL) ||
+- cherokee_buffer_is_empty (&conn->validator->user))
++ cherokee_buffer_is_empty (&conn->validator->user) ||
++ cherokee_buffer_is_empty (&conn->validator->passwd))
+ return ret_error;
+ 
+ size = cherokee_buffer_cnt_cspn (&conn->validator->user, 0, "*()");
-- jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
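Review bot: The new `cherokee_buffer_is_empty (&conn->validator->passwd)` condition in the inner hunk of patch-cherokee_validator_ldap_c rejects an empty password with the same `ret_error` path as a missing user, but the surrounding comment still reads only `Sanity checks`, so the security reason for the check is not visible to a later maintainer. A one-line comment above the `if`, such as `/* Reject empty passwords up front (CVE-2014-4668); see the upstream fix for the bind behaviour this avoids */`, would keep the intent next to the guard. Placing the check before the `cherokee_buffer_cnt_cspn` call means the function fails closed before any of the later processing in this function, which is the right spot; the rest of cherokee_validator_ldap_check, including whatever LDAP calls the password reaches, lies outside the hunk, so whether any other caller path still passes an empty password cannot be confirmed from this diff. The Makefile hunk is only the REVISION-ldap bump that this new patch requires.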
