Re: apache13-modssl-1.3.33+2.8.22_1 port broken??

2005-07-28 Thread Warren Block

On Wed, 27 Jul 2005, Viren Patel wrote:


> I am trying to install apache+mod_ssl-1.3.33+2.8.22_1 and
> get the following:
>
> #make
> ===>  apache+mod_ssl-1.3.33+2.8.22_1 has known
> vulnerabilities:
> => apache -- http request smuggling.
>   Reference:
>
> => Please update your ports tree and try again.
> *** Error code 1
>
> Stop in /usr/ports/www/apache13-modssl.
>
> I have updated the ports tree and the files directory
> contains the patch for this vulnerability
> (patch-secfix-CAN-2005-2088).
>
> I need to install this port urgently. What am I doing
> wrong?? If the vulnerability has not been fixed, how can I
> force install? TIA.


# make -DDISABLE_VULNERABILITIES

will override portaudit.

-Warren Block * Rapid City, South Dakota USA
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: apache13-modssl

2004-04-12 Thread Chuck Swiger
Matthew Seaman wrote:
> [ ... ]
> > http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=apache+2
> > http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=apache+1
>
> Errr -- did you look at the lists of entries those searches actually turn
> up?  [ ...some analysis snipped... ]  I don't think that simply counting
> CVE entries is going to tell you very much useful.

No, I didn't look closely at the results.

Without a lot more knowledge of the anonymous friend's security concerns (what 
their security policy is; whether local compromise vs remote matters, for 
instance; exploits related to specific modules they were running [simply 
considering the interactions of mod_ssl with OpenSSL vulnerabilities is a 
topic of considerable complexity]; etc), the # of CVE entries is as relevant 
as any other statistic.

I agree with you, in other words: not very...useful.  :-)

However, someone who cared to make a meaningful comparison might start with
the CVEs, plus checking the ChangeLogs, security-focus/bugtraq/etc mailing
lists, and any other convenient data sources besides.

--
-Chuck


Re: apache13-modssl

2004-04-12 Thread Matthew Seaman
On Mon, Apr 12, 2004 at 03:39:44PM -0400, Chuck Swiger wrote:
> Matthew Seaman wrote:
> [ ... ]
> >Your friend is being unnecessarily alarmist.  apache2 is not
> >significantly different to apache13 in security terms.
> 
> There have been 16 CVE entries listed for Apache 2, and 8 for Apache 1.x:
> 
> http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=apache+2
> http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=apache+1

Errr -- did you look at the lists of entries those searches actually
turn up?  Quite a few of the entries for the 'apache+2' search are
actually apache-1.3.x specific...  In fact, by my reckoning most of
the CVE entries which are generic apache problems (i.e. they aren't OS
or distribution specific, or they don't depend on some 3rd party code,
like PHP) -- most of those apply equally to both apache-1.3.x and
apache-2.0.x.  If you search for the currently released apache
versions, there are 2 entries mentioning apache-1.3.29 (one of which
is actually for versions *before* 1.3.29), and also 2 mentioning
apache-2.0.49 (again one of which only applies to versions *before*
2.0.49)

I don't think that simply counting CVE entries is going to tell you
very much useful.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   26 The Paddocks
  Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
Tel: +44 1628 476614  Bucks., SL7 1TH UK
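
The point made in this message and in the reply that quotes it, that keyword hit counts mix branches and include entries already fixed in the current release, as an added Python example that is not part of the thread. The entries are constructed placeholders, not real CVE records; `keyword_hits`, `affects` and `applicable` are hypothetical helpers, and the keyword match is a simplified stand-in for the search form.

```python
import re

# Constructed sample entries (placeholder ids, invented descriptions); not real CVE data.
ENTRIES = [
    ("EXAMPLE-01", "Apache 1.3 before 1.3.29 mishandles a request header"),
    ("EXAMPLE-02", "Apache 1.3 through 1.3.29 writes unescaped data to a log"),
    ("EXAMPLE-03", "Apache 2.0 before 2.0.49 leaks memory in a module"),
    ("EXAMPLE-04", "Apache 2.0 through 2.0.49 and Apache 1.3 through 1.3.29 share a parsing flaw"),
    ("EXAMPLE-05", "Third-party PHP module for Apache 2.0 through 2.0.49 has a flaw"),
]

def ver(s):
    return tuple(int(p) for p in s.split("."))

def keyword_hits(entries, *keywords):
    """Naive search: an entry counts if every keyword appears anywhere in its text."""
    return [i for i, text in entries if all(k.lower() in text.lower() for k in keywords)]

# "Apache <branch> before|through <version>" as used in the constructed descriptions.
RANGE = re.compile(r"Apache (\d+\.\d+) (before|through) (\d+(?:\.\d+)+)")

def affects(text, release):
    """True if a stated range is for the release's branch and still covers it."""
    rel = ver(release)
    for branch, kind, bound in RANGE.findall(text):
        if rel[:2] != ver(branch):
            continue                      # entry is about the other branch
        if (kind == "before" and rel < ver(bound)) or \
           (kind == "through" and rel <= ver(bound)):
            return True
    return False

def applicable(entries, release, exclude=("third-party",)):
    """Entries that affect `release`, leaving out ones that depend on add-on code."""
    return [i for i, text in entries
            if affects(text, release) and not any(x in text.lower() for x in exclude)]
```

With this sample, the keyword search for "apache" and "2" returns all five entries because "1.3.29" contains a 2, while only one entry applies to the current 2.0.x release and two to the current 1.3.x release.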




Re: apache13-modssl

2004-04-12 Thread Chuck Swiger
Matthew Seaman wrote:
> [ ... ]
> Your friend is being unnecessarily alarmist.  apache2 is not
> significantly different to apache13 in security terms.

There have been 16 CVE entries listed for Apache 2, and 8 for Apache 1.x:

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=apache+2
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=apache+1

...so, if anything, one could argue that Apache 1 is a better bet in terms of
security (not surprising, 1.x is more widely used and better tested).

> However, it is
> (I think) still a bit bigger and slower than apache13, plus support
> for all of the vast panoply of add-on modules etc. is yet to appear.
> However, apache2 works very well, and has some extra functionality
> (like improved IPv6 support and better threading) which may make it
> the preferred choice at some sites.

I don't have rigorous benchmarks to prove this opinion :-), but observation
suggests that platforms which have very good thread support (ie, Solaris and
MacOS X) tend to run Apache 2 better than platforms which have OK thread
support (Windows, FreeBSD, Linux).

The same observation tends to apply to Java as well, and if one is generating 
dynamic web content using a JVM, the condition of thread support on the local 
platform matters even more.

--
-Chuck


Re: apache13-modssl

2004-04-12 Thread Matthew Seaman
On Mon, Apr 12, 2004 at 05:55:11AM -0500, Michael A. Alestock wrote:
> I recently uninstalled the Apache2 port to be able to use the Apache13-modssl 
> port for SSL pages. 
> 
> However, I had a friend tell me that Apache13-modssl is a lot less secure than 
> Apache2.
> 
> Is there a modssl for Apache2 that I could use/install so it's more secure than 
> Apache13-modssl??

Your friend is being unnecessarily alarmist.  apache2 is not
significantly different to apache13 in security terms.  However, it is
(I think) still a bit bigger and slower than apache13, plus support
for all of the vast panoply of add-on modules etc. is yet to appear.

However, apache2 works very well, and has some extra functionality
(like improved IPv6 support and better threading) which may make it
the preferred choice at some sites.

One of the extra bits of functionality in apache2 is that mod_ssl has
now been rolled into the base distribution.  All you need to do is
enable the SSL functionality by editing the configuration files, and
get yourself a suitable server key and certificate.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   26 The Paddocks
  Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
Tel: +44 1628 476614  Bucks., SL7 1TH UK




Re: apache13-modssl + mod_php4, php not interpreted

2002-10-03 Thread Nigel Soon

Hi Tom,

Thanks I was missing the 'Addtype ...' lines in my http.conf file.
Once I added those and restarted the server everything worked.

Thanks again,

Nigel


On Thu, 03 Oct 2002, Thomas T. Veldhouse wrote:

> First, did you start your server with SSL?  Second, unless you want php to
> run ONLY with SSL, I would move it out of that block so that it will start
> anytime.  Lastly, make sure you have the following in your config.
> 
> [...]
> DirectoryIndex index.php index.html
> [...]
> AddType application/x-httpd-php .php
> AddType application/x-httpd-php-source .phps
> [...]
> 
> Tom Veldhouse
> 
> - Original Message -
> From: "Nigel Soon" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, October 03, 2002 1:15 PM
> Subject: apache13-modssl + mod_php4, php not interpreted
> 
> 
> > Hello,
> >
> > I have a problem with php not being interpreted now that I have
> > started using apache13-modssl instead of apache13.
> >
> > I am running freebsd 4.6-RELEASE. The procedure I went through
> > was removing mod_php4 then removing apache. I then changed the
> > dependency of mod_php4 to use apache13-modssl and recompiled.
> >
> > The web server starts fine using ssl but the php web pages are
> > not interpreted. I have the following lines in my http.conf
> > file which leads me to believe the php modules are being loaded
> >
> > ---
> > 
> > LoadModule ssl_module libexec/apache/libssl.so
> > LoadModule php4_module libexec/apache/libphp4.so
> > 
> > .
> > .
> > .
> > .
> > 
> > AddModule mod_ssl.c
> > AddModule mod_php4.c
> > 
> > ---
> >
> >
> > Does anybody have any ideas?
> >
> > Thanks,
> >
> > Nigel
> >
> >
> >
> 




RE: apache13-modssl + mod_php4, php not interpreted

2002-10-03 Thread Octavian Hornoiu

Make sure that the following lines are also present in httpd.conf

AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps

Without these, apache will not interpret php.

Good luck!

- Octavian

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Nigel Soon
Sent: Thursday, October 03, 2002 11:16 AM
To: [EMAIL PROTECTED]
Subject: apache13-modssl + mod_php4, php not interpreted


Hello,

I have a problem with php not being interpreted now that I have
started using apache13-modssl instead of apache13. 

I am running freebsd 4.6-RELEASE. The procedure I went through
was removing mod_php4 then removing apache. I then changed the
dependency of mod_php4 to use apache13-modssl and recompiled.

The web server starts fine using ssl but the php web pages are
not interpreted. I have the following lines in my http.conf 
file which leads me to believe the php modules are being loaded

---

LoadModule ssl_module libexec/apache/libssl.so
LoadModule php4_module libexec/apache/libphp4.so

..
..
..
..

AddModule mod_ssl.c
AddModule mod_php4.c

---


Does anybody have any ideas?

Thanks,

Nigel





Re: apache13-modssl + mod_php4, php not interpreted

2002-10-03 Thread Thomas T. Veldhouse

First, did you start your server with SSL?  Second, unless you want php to
run ONLY with SSL, I would move it out of that block so that it will start
anytime.  Lastly, make sure you have the following in your config.

[...]
DirectoryIndex index.php index.html
[...]
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
[...]

Tom Veldhouse

- Original Message -
From: "Nigel Soon" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, October 03, 2002 1:15 PM
Subject: apache13-modssl + mod_php4, php not interpreted


> Hello,
>
> I have a problem with php not being interpreted now that I have
> started using apache13-modssl instead of apache13.
>
> I am running freebsd 4.6-RELEASE. The procedure I went through
> was removing mod_php4 then removing apache. I then changed the
> dependency of mod_php4 to use apache13-modssl and recompiled.
>
> The web server starts fine using ssl but the php web pages are
> not interpreted. I have the following lines in my http.conf
> file which leads me to believe the php modules are being loaded
>
> ---
> 
> LoadModule ssl_module libexec/apache/libssl.so
> LoadModule php4_module libexec/apache/libphp4.so
> 
> .
> .
> .
> .
> 
> AddModule mod_ssl.c
> AddModule mod_php4.c
> 
> ---
>
>
> Does anybody have any ideas?
>
> Thanks,
>
> Nigel
>
>
>


To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message
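
The checks suggested in this thread (module loaded, `AddType` mapping present, PHP lines not confined to the SSL-only block), as an added Python example that is not from any of the posters. `audit` and both sample configurations are constructed, and the `<IfDefine SSL>` wrapper is an assumption, since the block tags do not appear in the quoted configuration.

```python
import re

# Directives the replies in this thread name as needed for mod_php4 to handle .php files.
REQUIRED = {
    "LoadModule php4_module": r"LoadModule\s+php4_module\s+\S+",
    "AddModule mod_php4.c": r"AddModule\s+mod_php4\.c\b",
    "AddType application/x-httpd-php .php": r"AddType\s+application/x-httpd-php\s.*\.php\b",
}

def audit(conf_text):
    """Map each required directive to 'missing', 'global' or 'only with -D <names>'."""
    stack = []                                # names of the <IfDefine> sections now open
    seen = {name: [] for name in REQUIRED}    # enclosing sections for every occurrence
    for raw in conf_text.splitlines():
        line = raw.strip()
        opened = re.match(r"<IfDefine\s+([^>\s]+)\s*>", line, re.I)
        if opened:
            stack.append(opened.group(1))
        elif re.match(r"</IfDefine\s*>", line, re.I):
            del stack[-1:]                    # pop; harmless on an unbalanced close
        else:
            for name, pattern in REQUIRED.items():
                if re.match(pattern, line, re.I):
                    seen[name].append(tuple(stack))
    report = {}
    for name, contexts in seen.items():
        if not contexts:
            report[name] = "missing"
        elif () in contexts:
            report[name] = "global"           # at least one copy outside any <IfDefine>
        else:
            names = sorted({d for c in contexts for d in c})
            report[name] = "only with -D " + ",".join(names)
    return report

# Constructed samples. BROKEN mirrors the poster's state, FIXED the advice given.
BROKEN = """\
<IfDefine SSL>
LoadModule ssl_module libexec/apache/libssl.so
LoadModule php4_module libexec/apache/libphp4.so
AddModule mod_ssl.c
AddModule mod_php4.c
</IfDefine>
"""
FIXED = """\
LoadModule php4_module libexec/apache/libphp4.so
AddModule mod_php4.c
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
"""
```

A `missing` result for the `AddType` line is the state the original poster was in; with no handler mapped, `.php` files are returned as static content, so their source is exposed to clients.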