[email protected] (Jérémie Courrèges-Anglas) writes: > Here's a fix committed upstream for CVE-2014-4668. > > > https://github.com/cherokee/webserver/commit/fbda667221c51f0aa476a02366e0cf66cb012f88 > > More background information: > > http://marc.info/?l=oss-security&m=140396290228252&w=2
[...] And here's the diff for 5.5, only built-tested: Index: Makefile =================================================================== RCS file: /cvs/ports/www/cherokee/Makefile,v retrieving revision 1.47 diff -u -p -r1.47 Makefile --- Makefile 12 Aug 2013 04:11:21 -0000 1.47 +++ Makefile 22 Jul 2014 12:13:25 -0000 @@ -20,7 +20,7 @@ PKGNAME-streaming = cherokee-streaming-$ REVISION-main = 3 REVISION-geoip = 2 -REVISION-ldap = 4 +REVISION-ldap = 5 REVISION-mysql = 4 REVISION-streaming = 3 Index: patches/patch-cherokee_validator_ldap_c =================================================================== RCS file: patches/patch-cherokee_validator_ldap_c diff -N patches/patch-cherokee_validator_ldap_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-cherokee_validator_ldap_c 22 Jul 2014 11:42:11 -0000 @@ -0,0 +1,14 @@ +$OpenBSD$ +Fix for CVE-2014-4668. +--- cherokee/validator_ldap.c.orig Tue Jul 22 12:40:31 2014 ++++ cherokee/validator_ldap.c Tue Jul 22 12:41:11 2014 +@@ -331,7 +331,8 @@ cherokee_validator_ldap_check (cherokee_validator_ldap + /* Sanity checks + */ + if ((conn->validator == NULL) || +- cherokee_buffer_is_empty (&conn->validator->user)) ++ cherokee_buffer_is_empty (&conn->validator->user) || ++ cherokee_buffer_is_empty (&conn->validator->passwd)) + return ret_error; + + size = cherokee_buffer_cnt_cspn (&conn->validator->user, 0, "*()"); -- jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
