From Michael.Galapchuk at fcbank.com.ua Mon Nov 2 11:03:45 2009
From: Michael.Galapchuk at fcbank.com.ua (Michael M Galapchuk)
Date: Mon Nov 2 11:03:52 2009
Subject: About www/apache22 port update to apache-2.2.14
Message-ID: <484867381.20091102123201@fcbank.com.ua>

Hi, maintainer,

How about updating port www/apache22 to apache-2.2.14 (2009-10-05)?

"Apache HTTP Server 2.2.14 is the best available version"
http://httpd.apache.org/download.cgi

Best regards,
Michael mailto:Michael.Galapchuk@fcbank.com.ua

From bugmaster at FreeBSD.org Mon Nov 2 11:06:15 2009
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Nov 2 11:06:43 2009
Subject: Current problem reports assigned to apache@FreeBSD.org
Message-ID: <200911021106.nA2B6EPl033029@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.   Description
--------------------------------------------------------------------------------
o ports/140137 apache  [patch] port www/apache22 update to 2.2.14
o ports/140092 apache  www/mod_hosts_access: update to 1.1.0 to allow compat
o ports/138846 apache  www/apache22 mod_proxy optional patch is not applied b
o ports/138466 apache  [patch] www/apache22: 'rc.d/apache22 graceful' fails (
o ports/138373 apache  www/apache22 accf_data required at apache startup
o ports/137729 apache  www/mod_auth_kerb2 port broken on 8.0-BETA2
o ports/136928 apache  [PATCH] www/apache20 - suexec resource limits patch
o ports/136598 apache  [PATCH] www/mod_fastcgi: Fix non-threadsafe function
o ports/136432 apache  www/mod_auth_kerb does not build with MIT Kerberos (se
a ports/134577 apache  www/apache22: build faild with mod_auth_digest
a ports/133773 apache  net/keepalived port update request
o ports/130479 apache  www/apache20 and www/apache22 configure_args busted
o ports/128952 apache  [NEW PORT] java/javadb: Sun's supported distribution o
o ports/128078 apache  www/apache20 -- LDAP support is broken
o ports/125183 apache  www/apache22 wrong SUEXEC_DOCROOT
o ports/124375 apache  www/mod_auth_kerb doesn't compile against heimdal
o ports/121134 apache  www/mod_log_sql2-dtc scoreboard problem
o ports/120229 apache  www/apache20 does not pick up usernames from NIS [regr
o ports/118003 apache  www/apache22: with PgSQL option require only libpq.so.
p ports/116984 apache  [patch] www/apache13-modssl missing perl5.8 as RUN_DEP
o ports/108169 apache  www/apache20 wrong AP_SAFE_PATH for suEXEC
a ports/101566 apache  www/apache20 All .svn subdirectories in $(htdocsdir) g
a ports/96953  apache  www/apache22 port uses its own directories
a ports/83644  apache  www/apache20 add support for ndbm

24 problems total.

From david at vizion2000.net Sat Nov 7 13:57:13 2009
From: david at vizion2000.net (David Southwell)
Date: Sat Nov 7 13:57:19 2009
Subject: error "ssl_onceonlyinit" prevents apache startup
Message-ID: <200911071356.52729.david@vizion2000.net>

From error log:

[Sat Nov 07 13:17:37 2009] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sat Nov 07 13:17:38 2009] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
/libexec/ld-elf.so.1: /usr/local/lib/php/20060613/imap.so: Undefined symbol "ssl_onceonlyinit"

Got this error after
#apachectl stop
#apachectl start
and following dialogue:

In order to read them you have to provide the pass phrases.
Server www.vizion2000.net:443 (RSA)
Enter pass phrase:
OK: Pass Phrase Dialog successful.

Any ideas what may be causing this?

I notice that all files in /usr/local/lib/php/20060613/ are dated 4th Nov
so I assume they must have been recompiled during a portupgrade -a on that
date.

David

From edwin at FreeBSD.org Sat Nov 7 14:00:22 2009
From: edwin at FreeBSD.org (edwin@FreeBSD.org)
Date: Sat Nov 7 14:00:28 2009
Subject: ports/140357: [patch] www/apache22 and www/apache20: fix CVE-2009-3555
Message-ID: <200911071400.nA7E0LJY072681@freefall.freebsd.org>

Synopsis: [patch] www/apache22 and www/apache20: fix CVE-2009-3555

Responsible-Changed-From-To: freebsd-ports-bugs->apache
Responsible-Changed-By: edwin
Responsible-Changed-When: Sat Nov 7 14:00:21 UTC 2009
Responsible-Changed-Why:
Over to maintainer (via the GNATS Auto Assign Tool)

http://www.freebsd.org/cgi/query-pr.cgi?pr=140357

From rea-fbsd at codelabs.ru Sat Nov 7 14:02:32 2009
From: rea-fbsd at codelabs.ru (Eygene Ryabinkin)
Date: Sat Nov 7 14:02:39 2009
Subject: [patch] www/apache22 and www/apache20: fix CVE-2009-3555
Message-ID: <20091107135157.41F9CB8035@phoenix.codelabs.ru>

>Submitter-Id: current-users
>Originator: Eygene Ryabinkin
>Organization: Code Labs
>Confidential: no
>Synopsis: [patch] www/apache22 and www/apache20: fix CVE-2009-3555
>Severity: critical
>Priority: high
>Category: ports
>Class: sw-bug
>Release: FreeBSD 8.0-BETA2 amd64
>Environment:
System: FreeBSD 8.0-BETA2 amd64

>Description:
See [1].

>How-To-Repeat:
[1] http://marc.info/?l=apache-httpd-announce&m=125755783724966&w=2

>Fix:
I had applied the upstream fix for the Apache 2.2 and backported it to
Apache 2.0. Since OpenSSL port was already upgraded to 0.9.8k that
disables renegotiation, the only missing piece is the system OpenSSL, so
the patch is applied only when system OpenSSL is used.

I had verified this with www/apache22 -- renegotiation turns the
connection down and error is logged to the Apache error log. Hadn't yet
tested www/apache20 in the real world -- only compilability.

--- apache-fix.diff begins here ---
>From 7ab29b62ed92d86bc7c593a762f888a0482a0bcc Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin
Date: Sat, 7 Nov 2009 15:29:59 +0300
Signed-off-by: Eygene Ryabinkin --- www/apache20/Makefile | 3 +- www/apache20/files/fix-cve-2009-3555 | 279 +++++++++++++++++++++++++++++++ www/apache22/Makefile | 5 + www/apache22/files/fix-cve-2009-3555 | 303 ++++++++++++++++++++++++++++++++++ 4 files changed, 589 insertions(+), 1 deletions(-) create mode 100644 www/apache20/files/fix-cve-2009-3555 create mode 100644 www/apache22/files/fix-cve-2009-3555 diff --git a/www/apache20/Makefile b/www/apache20/Makefile index 14a06c5..23011bd 100644 --- a/www/apache20/Makefile +++ b/www/apache20/Makefile @@ -9,7 +9,7 @@ PORTNAME= apache PORTVERSION= 2.0.63 -PORTREVISION= 3 +PORTREVISION= 4 CATEGORIES= www MASTER_SITES= ${MASTER_SITE_APACHE_HTTPD} \ ${MASTER_SITE_LOCAL:S/$/:powerlogo/} @@ -37,6 +37,7 @@ CONFLICTS= apache+mod_ssl-1.* apache+mod_ssl+ipv6-1.* apache+mod_ssl+modsnmp-1.* # patch files EXTRA_PATCHES+= ${FILESDIR}/build-fix-openssl_beta +EXTRA_PATCHES+= ${FILESDIR}/fix-cve-2009-3555 .if defined(WITH_EXPERIMENTAL_PATCHES) IGNORE= : Please define WITH_KQUEUE_SUPPORT instead diff --git a/www/apache20/files/fix-cve-2009-3555 b/www/apache20/files/fix-cve-2009-3555 new file mode 100644 index 0000000..c6a7265 --- /dev/null +++ b/www/apache20/files/fix-cve-2009-3555 
@@ -0,0 +1,279 @@ +Modified patch from http://www.apache.org/dist/httpd/patches/apply_to_2.2.14/CVE-2009-3555-2.2.patch + +--- modules/ssl/mod_ssl.h.orig 2009-11-07 14:55:25.000000000 +0300 ++++ modules/ssl/mod_ssl.h 2009-11-07 14:56:40.000000000 +0300 +@@ -389,6 +389,19 @@ + int is_proxy; + int disabled; + int non_ssl_request; ++ ++ /* Track the handshake/renegotiation state for the connection so ++ * that all client-initiated renegotiations can be rejected, as a ++ * partial fix for CVE-2009-3555. */ ++ enum { ++ RENEG_INIT = 0, /* Before initial handshake */ ++ RENEG_REJECT, /* After initial handshake; any client-initiated ++ * renegotiation should be rejected */ ++ RENEG_ALLOW, /* A server-initated renegotiation is taking ++ * place (as dictated by configuration) */ ++ RENEG_ABORT /* Renegotiation initiated by client, abort the ++ * connection */ ++ } reneg_state; + } SSLConnRec; + + typedef struct { +@@ -585,7 +598,7 @@ + int ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *); + SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *); + void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *); +-void ssl_callback_LogTracingState(MODSSL_INFO_CB_ARG_TYPE, int, int); ++void ssl_callback_Info(MODSSL_INFO_CB_ARG_TYPE, int, int); + + /* Session Cache Support */ + void ssl_scache_init(server_rec *, apr_pool_t *); +--- modules/ssl/ssl_engine_init.c.orig 2009-11-07 14:57:31.000000000 +0300 ++++ modules/ssl/ssl_engine_init.c 2009-11-07 14:58:00.000000000 +0300 +@@ -464,10 +464,7 @@ + SSL_CTX_set_tmp_rsa_callback(ctx, ssl_callback_TmpRSA); + SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH); + +- if (s->loglevel >= APLOG_DEBUG) { +- /* this callback only logs if LogLevel >= info */ +- SSL_CTX_set_info_callback(ctx, ssl_callback_LogTracingState); +- } ++ SSL_CTX_set_info_callback(ctx, ssl_callback_Info); + } + + static void ssl_init_ctx_verify(server_rec *s, +--- modules/ssl/ssl_engine_io.c.orig 2009-11-07 14:58:35.000000000 
+0300 ++++ modules/ssl/ssl_engine_io.c 2009-11-07 15:01:05.000000000 +0300 +@@ -102,6 +102,7 @@ + ap_filter_t *pInputFilter; + ap_filter_t *pOutputFilter; + int nobuffer; /* non-zero to prevent buffering */ ++ SSLConnRec *config; + } ssl_filter_ctx_t; + + typedef struct { +@@ -193,6 +194,12 @@ + { + bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr); + ++ /* Abort early if the client has initiated a renegotiation. */ ++ if (outctx->filter_ctx->config->reneg_state == RENEG_ABORT) { ++ outctx->rc = APR_ECONNABORTED; ++ return -1; ++ } ++ + /* when handshaking we'll have a small number of bytes. + * max size SSL will pass us here is about 16k. + * (16413 bytes to be exact) +@@ -465,6 +472,12 @@ + if (!in) + return 0; + ++ /* Abort early if the client has initiated a renegotiation. */ ++ if (inctx->filter_ctx->config->reneg_state == RENEG_ABORT) { ++ inctx->rc = APR_ECONNABORTED; ++ return -1; ++ } ++ + /* XXX: flush here only required for SSLv2; + * OpenSSL calls BIO_flush() at the appropriate times for + * the other protocols. +@@ -1585,6 +1598,8 @@ + + filter_ctx = apr_palloc(c->pool, sizeof(ssl_filter_ctx_t)); + ++ filter_ctx->config = myConnConfig(c); ++ + filter_ctx->nobuffer = 0; + filter_ctx->pOutputFilter = ap_add_output_filter(ssl_io_filter, + filter_ctx, NULL, c); +--- modules/ssl/ssl_engine_kernel.c.orig 2009-11-07 15:01:41.000000000 +0300 ++++ modules/ssl/ssl_engine_kernel.c 2009-11-07 15:09:49.000000000 +0300 +@@ -611,6 +611,10 @@ + (unsigned char *)&id, + sizeof(id)); + ++ /* Toggle the renegotiation state to allow the new ++ * handshake to proceed. 
*/ ++ sslconn->reneg_state = RENEG_ALLOW; ++ + SSL_renegotiate(ssl); + SSL_do_handshake(ssl); + +@@ -628,6 +632,8 @@ + SSL_set_state(ssl, SSL_ST_ACCEPT); + SSL_do_handshake(ssl); + ++ sslconn->reneg_state = RENEG_REJECT; ++ + if (SSL_get_state(ssl) != SSL_ST_OK) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, + "Re-negotiation handshake failed: " +@@ -1700,76 +1706,56 @@ + return; + } + +-/* +- * This callback function is executed while OpenSSL processes the +- * SSL handshake and does SSL record layer stuff. We use it to +- * trace OpenSSL's processing in out SSL logfile. +- */ +-void ssl_callback_LogTracingState(MODSSL_INFO_CB_ARG_TYPE ssl, int where, int rc) +-{ +- conn_rec *c; +- server_rec *s; +- SSLSrvConfigRec *sc; ++/* Dump debugginfo trace to the log file. */ ++static void log_tracing_state(MODSSL_INFO_CB_ARG_TYPE ssl, conn_rec *c, ++ server_rec *s, int where, int rc) + ++{ + /* +- * find corresponding server ++ * create the various trace messages + */ +- if (!(c = (conn_rec *)SSL_get_app_data((SSL *)ssl))) { +- return; ++ if (where & SSL_CB_HANDSHAKE_START) { ++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, ++ "%s: Handshake: start", SSL_LIBRARY_NAME); + } +- +- s = c->base_server; +- if (!(sc = mySrvConfig(s))) { +- return; ++ else if (where & SSL_CB_HANDSHAKE_DONE) { ++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, ++ "%s: Handshake: done", SSL_LIBRARY_NAME); + } +- +- /* +- * create the various trace messages +- */ +- if (s->loglevel >= APLOG_DEBUG) { +- if (where & SSL_CB_HANDSHAKE_START) { +- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, +- "%s: Handshake: start", SSL_LIBRARY_NAME); +- } +- else if (where & SSL_CB_HANDSHAKE_DONE) { +- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, +- "%s: Handshake: done", SSL_LIBRARY_NAME); +- } +- else if (where & SSL_CB_LOOP) { +- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, +- "%s: Loop: %s", +- SSL_LIBRARY_NAME, SSL_state_string_long(ssl)); +- } +- else if (where & SSL_CB_READ) { ++ else if (where & SSL_CB_LOOP) { 
++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, ++ "%s: Loop: %s", ++ SSL_LIBRARY_NAME, SSL_state_string_long(ssl)); ++ } ++ else if (where & SSL_CB_READ) { ++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, ++ "%s: Read: %s", ++ SSL_LIBRARY_NAME, SSL_state_string_long(ssl)); ++ } ++ else if (where & SSL_CB_WRITE) { ++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, ++ "%s: Write: %s", ++ SSL_LIBRARY_NAME, SSL_state_string_long(ssl)); ++ } ++ else if (where & SSL_CB_ALERT) { ++ char *str = (where & SSL_CB_READ) ? "read" : "write"; ++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, ++ "%s: Alert: %s:%s:%s", ++ SSL_LIBRARY_NAME, str, ++ SSL_alert_type_string_long(rc), ++ SSL_alert_desc_string_long(rc)); ++ } ++ else if (where & SSL_CB_EXIT) { ++ if (rc == 0) { + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, +- "%s: Read: %s", ++ "%s: Exit: failed in %s", + SSL_LIBRARY_NAME, SSL_state_string_long(ssl)); + } +- else if (where & SSL_CB_WRITE) { ++ else if (rc < 0) { + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, +- "%s: Write: %s", ++ "%s: Exit: error in %s", + SSL_LIBRARY_NAME, SSL_state_string_long(ssl)); + } +- else if (where & SSL_CB_ALERT) { +- char *str = (where & SSL_CB_READ) ? "read" : "write"; +- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, +- "%s: Alert: %s:%s:%s", +- SSL_LIBRARY_NAME, str, +- SSL_alert_type_string_long(rc), +- SSL_alert_desc_string_long(rc)); +- } +- else if (where & SSL_CB_EXIT) { +- if (rc == 0) { +- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, +- "%s: Exit: failed in %s", +- SSL_LIBRARY_NAME, SSL_state_string_long(ssl)); +- } +- else if (rc < 0) { +- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, +- "%s: Exit: error in %s", +- SSL_LIBRARY_NAME, SSL_state_string_long(ssl)); +- } +- } + } + + /* +@@ -1789,3 +1775,48 @@ + } + } + ++/* ++ * This callback function is executed while OpenSSL processes the SSL ++ * handshake and does SSL record layer stuff. It's used to trap ++ * client-initiated renegotiations, and for dumping everything to the ++ * log. 
++ */ ++void ssl_callback_Info(MODSSL_INFO_CB_ARG_TYPE ssl, int where, int rc) ++{ ++ conn_rec *c; ++ server_rec *s; ++ SSLConnRec *scr; ++ ++ /* Retrieve the conn_rec and the associated SSLConnRec. */ ++ if ((c = (conn_rec *)SSL_get_app_data((SSL *)ssl)) == NULL) { ++ return; ++ } ++ ++ if ((scr = myConnConfig(c)) == NULL) { ++ return; ++ } ++ ++ /* If the reneg state is to reject renegotiations, check the SSL ++ * state machine and move to ABORT if a Client Hello is being ++ * read. */ ++ if ((where & SSL_CB_ACCEPT_LOOP) && scr->reneg_state == RENEG_REJECT) { ++ int state = SSL_get_state(ssl); ++ ++ if (state == SSL3_ST_SR_CLNT_HELLO_A ++ || state == SSL23_ST_SR_CLNT_HELLO_A) { ++ scr->reneg_state = RENEG_ABORT; ++ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, ++ "rejecting client initiated renegotiation"); ++ } ++ } ++ /* If the first handshake is complete, change state to reject any ++ * subsequent client-initated renegotiation. */ ++ else if ((where & SSL_CB_HANDSHAKE_DONE) && scr->reneg_state == RENEG_INIT) { ++ scr->reneg_state = RENEG_REJECT; ++ } ++ ++ s = mySrvFromConn(c); ++ if (s && s->loglevel >= APLOG_DEBUG) { ++ log_tracing_state(ssl, c, s, where, rc); ++ } ++} diff --git a/www/apache22/Makefile b/www/apache22/Makefile index 4eb1f0c..cb9bcd4 100644 --- a/www/apache22/Makefile +++ b/www/apache22/Makefile @@ -9,6 +9,7 @@ PORTNAME= apache PORTVERSION= 2.2.13 +PORTREVISION= 1 CATEGORIES= www MASTER_SITES= ${MASTER_SITE_APACHE_HTTPD} DISTNAME= httpd-${PORTVERSION} @@ -121,6 +122,10 @@ WITH_LDAP= yes CFLAGS+= -I${OPENSSLINC} LDFLAGS+= -L${OPENSSLLIB} +.if defined(WITH_OPENSSL_BASE) +EXTRA_PATCHES+= ${FILESDIR}/fix-cve-2009-3555 +.endif + .endif .if defined(WITH_APR_FROM_PORTS) diff --git a/www/apache22/files/fix-cve-2009-3555 b/www/apache22/files/fix-cve-2009-3555 new file mode 100644 index 0000000..f2253e6 --- /dev/null +++ b/www/apache22/files/fix-cve-2009-3555 
@@ -0,0 +1,303 @@ + + SECURITY: CVE-2009-3555 (cve.mitre.org) + + A partial fix for the TLS renegotiation prefix injection attack by + rejecting any client-initiated renegotiations. Any configuration + which requires renegotiation for per-directory/location access + control is still vulnerable, unless using OpenSSL >= 0.9.8l. + [Joe Orton, Ruediger Pluem] + +Obtained-From: http://www.apache.org/dist/httpd/patches/apply_to_2.2.14/CVE-2009-3555-2.2.patch +Notes: should be discarded when OpenSSL will be upgraded to 0.9.8l. + +Index: modules/ssl/ssl_private.h +=================================================================== +--- modules/ssl/ssl_private.h (revision 833621) ++++ modules/ssl/ssl_private.h (revision 833622) +@@ -356,6 +356,20 @@ + int is_proxy; + int disabled; + int non_ssl_request; ++ ++ /* Track the handshake/renegotiation state for the connection so ++ * that all client-initiated renegotiations can be rejected, as a ++ * partial fix for CVE-2009-3555. */ ++ enum { ++ RENEG_INIT = 0, /* Before initial handshake */ ++ RENEG_REJECT, /* After initial handshake; any client-initiated ++ * renegotiation should be rejected */ ++ RENEG_ALLOW, /* A server-initated renegotiation is taking ++ * place (as dictated by configuration) */ ++ RENEG_ABORT /* Renegotiation initiated by client, abort the ++ * connection */ ++ } reneg_state; ++ + server_rec *server; + } SSLConnRec; + +@@ -574,7 +588,7 @@ + int ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *); + SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *); + void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *); +-void ssl_callback_LogTracingState(MODSSL_INFO_CB_ARG_TYPE, int, int); ++void ssl_callback_Info(MODSSL_INFO_CB_ARG_TYPE, int, int); + #ifndef OPENSSL_NO_TLSEXT + int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *); + #endif +Index: modules/ssl/ssl_engine_init.c +=================================================================== +--- 
modules/ssl/ssl_engine_init.c (revision 833621) ++++ modules/ssl/ssl_engine_init.c (revision 833622) +@@ -501,10 +501,7 @@ + SSL_CTX_set_tmp_rsa_callback(ctx, ssl_callback_TmpRSA); + SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH); + +- if (s->loglevel >= APLOG_DEBUG) { +- /* this callback only logs if LogLevel >= info */ +- SSL_CTX_set_info_callback(ctx, ssl_callback_LogTracingState); +- } ++ SSL_CTX_set_info_callback(ctx, ssl_callback_Info); + } + + static void ssl_init_ctx_verify(server_rec *s, +Index: modules/ssl/ssl_engine_io.c +=================================================================== +--- modules/ssl/ssl_engine_io.c (revision 833621) ++++ modules/ssl/ssl_engine_io.c (revision 833622) +@@ -103,6 +103,7 @@ + ap_filter_t *pInputFilter; + ap_filter_t *pOutputFilter; + int nobuffer; /* non-zero to prevent buffering */ ++ SSLConnRec *config; + } ssl_filter_ctx_t; + + typedef struct { +@@ -193,7 +194,13 @@ + static int bio_filter_out_write(BIO *bio, const char *in, int inl) + { + bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr); +- ++ ++ /* Abort early if the client has initiated a renegotiation. */ ++ if (outctx->filter_ctx->config->reneg_state == RENEG_ABORT) { ++ outctx->rc = APR_ECONNABORTED; ++ return -1; ++ } ++ + /* when handshaking we'll have a small number of bytes. + * max size SSL will pass us here is about 16k. + * (16413 bytes to be exact) +@@ -466,6 +473,12 @@ + if (!in) + return 0; + ++ /* Abort early if the client has initiated a renegotiation. */ ++ if (inctx->filter_ctx->config->reneg_state == RENEG_ABORT) { ++ inctx->rc = APR_ECONNABORTED; ++ return -1; ++ } ++ + /* XXX: flush here only required for SSLv2; + * OpenSSL calls BIO_flush() at the appropriate times for + * the other protocols. 
+@@ -1724,6 +1737,8 @@ + + filter_ctx = apr_palloc(c->pool, sizeof(ssl_filter_ctx_t)); + ++ filter_ctx->config = myConnConfig(c); ++ + filter_ctx->nobuffer = 0; + filter_ctx->pOutputFilter = ap_add_output_filter(ssl_io_filter, + filter_ctx, NULL, c); +Index: modules/ssl/ssl_engine_kernel.c +=================================================================== +--- modules/ssl/ssl_engine_kernel.c (revision 833621) ++++ modules/ssl/ssl_engine_kernel.c (revision 833622) +@@ -729,6 +729,10 @@ + (unsigned char *)&id, + sizeof(id)); + ++ /* Toggle the renegotiation state to allow the new ++ * handshake to proceed. */ ++ sslconn->reneg_state = RENEG_ALLOW; ++ + SSL_renegotiate(ssl); + SSL_do_handshake(ssl); + +@@ -750,6 +754,8 @@ + SSL_set_state(ssl, SSL_ST_ACCEPT); + SSL_do_handshake(ssl); + ++ sslconn->reneg_state = RENEG_REJECT; ++ + if (SSL_get_state(ssl) != SSL_ST_OK) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Re-negotiation handshake failed: " +@@ -1844,76 +1850,55 @@ + return; + } + +-/* +- * This callback function is executed while OpenSSL processes the +- * SSL handshake and does SSL record layer stuff. We use it to +- * trace OpenSSL's processing in out SSL logfile. +- */ +-void ssl_callback_LogTracingState(MODSSL_INFO_CB_ARG_TYPE ssl, int where, int rc) ++/* Dump debugginfo trace to the log file. 
*/ ++static void log_tracing_state(MODSSL_INFO_CB_ARG_TYPE ssl, conn_rec *c, ++ server_rec *s, int where, int rc) + { +- conn_rec *c; +- server_rec *s; +- SSLSrvConfigRec *sc; +- + /* +- * find corresponding server ++ * create the various trace messages + */ +- if (!(c = (conn_rec *)SSL_get_app_data((SSL *)ssl))) { +- return; ++ if (where & SSL_CB_HANDSHAKE_START) { ++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, ++ "%s: Handshake: start", SSL_LIBRARY_NAME); + } +- +- s = mySrvFromConn(c); +- if (!(sc = mySrvConfig(s))) { +- return; ++ else if (where & SSL_CB_HANDSHAKE_DONE) { ++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, ++ "%s: Handshake: done", SSL_LIBRARY_NAME); + } +- +- /* +- * create the various trace messages +- */ +- if (s->loglevel >= APLOG_DEBUG) { +- if (where & SSL_CB_HANDSHAKE_START) { ++ else if (where & SSL_CB_LOOP) { ++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, ++ "%s: Loop: %s", ++ SSL_LIBRARY_NAME, SSL_state_string_long(ssl)); ++ } ++ else if (where & SSL_CB_READ) { ++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, ++ "%s: Read: %s", ++ SSL_LIBRARY_NAME, SSL_state_string_long(ssl)); ++ } ++ else if (where & SSL_CB_WRITE) { ++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, ++ "%s: Write: %s", ++ SSL_LIBRARY_NAME, SSL_state_string_long(ssl)); ++ } ++ else if (where & SSL_CB_ALERT) { ++ char *str = (where & SSL_CB_READ) ? 
"read" : "write"; ++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, ++ "%s: Alert: %s:%s:%s", ++ SSL_LIBRARY_NAME, str, ++ SSL_alert_type_string_long(rc), ++ SSL_alert_desc_string_long(rc)); ++ } ++ else if (where & SSL_CB_EXIT) { ++ if (rc == 0) { + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, +- "%s: Handshake: start", SSL_LIBRARY_NAME); +- } +- else if (where & SSL_CB_HANDSHAKE_DONE) { +- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, +- "%s: Handshake: done", SSL_LIBRARY_NAME); +- } +- else if (where & SSL_CB_LOOP) { +- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, +- "%s: Loop: %s", ++ "%s: Exit: failed in %s", + SSL_LIBRARY_NAME, SSL_state_string_long(ssl)); + } +- else if (where & SSL_CB_READ) { ++ else if (rc < 0) { + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, +- "%s: Read: %s", ++ "%s: Exit: error in %s", + SSL_LIBRARY_NAME, SSL_state_string_long(ssl)); + } +- else if (where & SSL_CB_WRITE) { +- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, +- "%s: Write: %s", +- SSL_LIBRARY_NAME, SSL_state_string_long(ssl)); +- } +- else if (where & SSL_CB_ALERT) { +- char *str = (where & SSL_CB_READ) ? "read" : "write"; +- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, +- "%s: Alert: %s:%s:%s", +- SSL_LIBRARY_NAME, str, +- SSL_alert_type_string_long(rc), +- SSL_alert_desc_string_long(rc)); +- } +- else if (where & SSL_CB_EXIT) { +- if (rc == 0) { +- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, +- "%s: Exit: failed in %s", +- SSL_LIBRARY_NAME, SSL_state_string_long(ssl)); +- } +- else if (rc < 0) { +- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, +- "%s: Exit: error in %s", +- SSL_LIBRARY_NAME, SSL_state_string_long(ssl)); +- } +- } + } + + /* +@@ -1933,6 +1918,52 @@ + } + } + ++/* ++ * This callback function is executed while OpenSSL processes the SSL ++ * handshake and does SSL record layer stuff. It's used to trap ++ * client-initiated renegotiations, and for dumping everything to the ++ * log. 
++ */ ++void ssl_callback_Info(MODSSL_INFO_CB_ARG_TYPE ssl, int where, int rc) ++{ ++ conn_rec *c; ++ server_rec *s; ++ SSLConnRec *scr; ++ ++ /* Retrieve the conn_rec and the associated SSLConnRec. */ ++ if ((c = (conn_rec *)SSL_get_app_data((SSL *)ssl)) == NULL) { ++ return; ++ } ++ ++ if ((scr = myConnConfig(c)) == NULL) { ++ return; ++ } ++ ++ /* If the reneg state is to reject renegotiations, check the SSL ++ * state machine and move to ABORT if a Client Hello is being ++ * read. */ ++ if ((where & SSL_CB_ACCEPT_LOOP) && scr->reneg_state == RENEG_REJECT) { ++ int state = SSL_get_state(ssl); ++ ++ if (state == SSL3_ST_SR_CLNT_HELLO_A ++ || state == SSL23_ST_SR_CLNT_HELLO_A) { ++ scr->reneg_state = RENEG_ABORT; ++ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, ++ "rejecting client initiated renegotiation"); ++ } ++ } ++ /* If the first handshake is complete, change state to reject any ++ * subsequent client-initated renegotiation. */ ++ else if ((where & SSL_CB_HANDSHAKE_DONE) && scr->reneg_state == RENEG_INIT) { ++ scr->reneg_state = RENEG_REJECT; ++ } ++ ++ s = mySrvFromConn(c); ++ if (s && s->loglevel >= APLOG_DEBUG) { ++ log_tracing_state(ssl, c, s, where, rc); ++ } ++} ++ + #ifndef OPENSSL_NO_TLSEXT + /* + * This callback function is executed when OpenSSL encounters an extended -- 1.6.3.1 --- apache-fix.diff ends here --- VuXML entry will follow, probably today. From edwin at FreeBSD.org Sun Nov 8 03:30:14 2009 
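Review bot: the www/apache20 Makefile hunk adds "EXTRA_PATCHES+= ${FILESDIR}/fix-cve-2009-3555" unconditionally, whereas the www/apache22 Makefile hunk wraps the same line in ".if defined(WITH_OPENSSL_BASE)" ... ".endif", which is what the submission text describes ("the patch is applied only when system OpenSSL is used"). Either guard the apache20 line the same way, so both ports follow the stated rule, or say in the apache20 patch file header why 2.0 applies it even when the ports OpenSSL (0.9.8k, renegotiation already disabled) is in use.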
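Review bot: in the www/apache20 ssl_engine_kernel.c hunk, the removed ssl_callback_LogTracingState body found the server with "s = c->base_server;", but the new ssl_callback_Info carried over from the 2.2 patch uses "s = mySrvFromConn(c);" (the 2.2 hunk is the one that removes "s = mySrvFromConn(c);" from its own old code). Please confirm that mySrvFromConn is defined in 2.0.63's mod_ssl.h; if it is not, the backport should use c->base_server there, matching the code it replaces. The submission only reports that 2.0 compiles, so a quick grep of the 2.0.63 headers would settle it.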
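Review bot: neither patch file initialises reneg_state explicitly; the design relies on "RENEG_INIT = 0" and on SSLConnRec being allocated zero-filled, so that the first SSL_CB_HANDSHAKE_DONE moves the connection from RENEG_INIT to RENEG_REJECT and later Client Hellos in SSL_CB_ACCEPT_LOOP are turned into RENEG_ABORT. That is the upstream 2.2 assumption; for the hand-backported 2.0 file it is worth checking that the SSLConnRec allocation in 2.0.63 uses a zeroing allocator (apr_pcalloc rather than apr_palloc), otherwise the state machine starts from whatever is in the pool and the reject path may never be reached.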
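Review bot: the www/apache22 patch file carries the upstream SECURITY header (including the caveat that configurations needing renegotiation for per-directory/location access control remain vulnerable unless OpenSSL >= 0.9.8l is used), an Obtained-From line and a "should be discarded when OpenSSL will be upgraded to 0.9.8l" note; the www/apache20 file has only the one-line "Modified patch from ..." header. Suggest copying the caveat and the discard note into the apache20 file too, since it is the only place the next maintainer will see that the fix is partial and temporary.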
From: edwin at FreeBSD.org (edwin@FreeBSD.org)
Date: Sun Nov 8 03:30:20 2009
Subject: ports/140380: [patch] www/apache22: Add support for inclusion of profile_* directive
Message-ID: <200911080330.nA83UDcB071033@freefall.freebsd.org>

Synopsis: [patch] www/apache22: Add support for inclusion of profile_* directive

Responsible-Changed-From-To: freebsd-ports-bugs->apache
Responsible-Changed-By: edwin
Responsible-Changed-When: Sun Nov 8 03:30:13 UTC 2009
Responsible-Changed-Why:
Over to maintainer (via the GNATS Auto Assign Tool)

http://www.freebsd.org/cgi/query-pr.cgi?pr=140380

From bugmaster at FreeBSD.org Mon Nov 9 11:06:15 2009
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Nov 9 11:06:43 2009
Subject: Current problem reports assigned to apache@FreeBSD.org
Message-ID: <200911091106.nA9B6EUW078429@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.   Description
--------------------------------------------------------------------------------
o ports/140380 apache  [patch] www/apache22: Add support for inclusion of pro
o ports/140357 apache  [patch] www/apache22 and www/apache20: fix CVE-2009-35
o ports/140137 apache  [patch] port www/apache22 update to 2.2.14
o ports/140092 apache  www/mod_hosts_access: update to 1.1.0 to allow compat
o ports/138846 apache  www/apache22 mod_proxy optional patch is not applied b
o ports/138466 apache  [patch] www/apache22: 'rc.d/apache22 graceful' fails (
o ports/138373 apache  www/apache22 accf_data required at apache startup
o ports/137729 apache  www/mod_auth_kerb2 port broken on 8.0-BETA2
o ports/136928 apache  [PATCH] www/apache20 - suexec resource limits patch
o ports/136598 apache  [PATCH] www/mod_fastcgi: Fix non-threadsafe function
o ports/136432 apache  www/mod_auth_kerb does not build with MIT Kerberos (se
a ports/134577 apache  www/apache22: build faild with mod_auth_digest
a ports/133773 apache  net/keepalived port update request
o ports/130479 apache  www/apache20 and www/apache22 configure_args busted
o ports/128952 apache  [NEW PORT] java/javadb: Sun's supported distribution o
o ports/128078 apache  www/apache20 -- LDAP support is broken
o ports/125183 apache  www/apache22 wrong SUEXEC_DOCROOT
o ports/124375 apache  www/mod_auth_kerb doesn't compile against heimdal
o ports/121134 apache  www/mod_log_sql2-dtc scoreboard problem
o ports/120229 apache  www/apache20 does not pick up usernames from NIS [regr
o ports/118003 apache  www/apache22: with PgSQL option require only libpq.so.
p ports/116984 apache  [patch] www/apache13-modssl missing perl5.8 as RUN_DEP
o ports/108169 apache  www/apache20 wrong AP_SAFE_PATH for suEXEC
a ports/101566 apache  www/apache20 All .svn subdirectories in $(htdocsdir) g
a ports/96953  apache  www/apache22 port uses its own directories
a ports/83644  apache  www/apache20 add support for ndbm

26 problems total.

From chris at chrysalisnet.org Wed Nov 11 04:30:10 2009
From: chris at chrysalisnet.org (Chris)
Date: Wed Nov 11 04:30:16 2009
Subject: apache 2.2.14 missing in ports
Message-ID:

Hi

release 2.2.14 has been out for over a month now and fixed some security
problems, can you please update the port in FreeBSD, thanks.

Regards
Chris

From pgollucci at p6m7g8.com Fri Nov 13 01:38:18 2009
From: pgollucci at p6m7g8.com (Philip M. Gollucci)
Date: Fri Nov 13 01:38:24 2009
Subject: apache 2.2.14 missing in ports
In-Reply-To:
References:
Message-ID: <4AFCB886.9080708@p6m7g8.com>

Chris wrote:
> Hi
>
> release 2.2.14 has been out for over a month now and fixed some security
> problems, can you please update the port in FreeBSD, thanks.
At this point 2.2.15 is imminent and will include the recent ssl fix/work around.

-- 
------------------------------------------------------------------------
1024D/DB9B8C1C B90B FBC3 A3A1 C71A 8E70 3F8C 75B8 8FFB DB9B 8C1C
Philip M. Gollucci (pgollucci@p6m7g8.com) c: 703.336.9354
VP Apache Infrastructure; Member, Apache Software Foundation
Committer, FreeBSD Foundation
Sr. System Admin, Ridecharge Inc.
Consultant, P6M7G8 Inc.

Work like you don't need the money, love like you'll never get hurt,
and dance like nobody's watching.

From bugmaster at FreeBSD.org Mon Nov 16 11:06:16 2009
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Nov 16 11:06:45 2009
Subject: Current problem reports assigned to apache@FreeBSD.org
Message-ID: <200911161106.nAGB6F2L010605@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.   Description
--------------------------------------------------------------------------------
o ports/140380 apache  [patch] www/apache22: Add support for inclusion of pro
o ports/140357 apache  [patch] www/apache22 and www/apache20: fix CVE-2009-35
o ports/140137 apache  [patch] port www/apache22 update to 2.2.14
o ports/140092 apache  www/mod_hosts_access: update to 1.1.0 to allow compat
o ports/138846 apache  www/apache22 mod_proxy optional patch is not applied b
o ports/138466 apache  [patch] www/apache22: 'rc.d/apache22 graceful' fails (
o ports/138373 apache  www/apache22 accf_data required at apache startup
o ports/137729 apache  www/mod_auth_kerb2 port broken on 8.0-BETA2
o ports/136928 apache  [PATCH] www/apache20 - suexec resource limits patch
o ports/136598 apache  [PATCH] www/mod_fastcgi: Fix non-threadsafe function
o ports/136432 apache  www/mod_auth_kerb does not build with MIT Kerberos (se
a ports/134577 apache  www/apache22: build faild with mod_auth_digest
a ports/133773 apache  net/keepalived port update request
o ports/130479 apache  www/apache20 and www/apache22 configure_args busted
o ports/128952 apache  [NEW PORT] java/javadb: Sun's supported distribution o
o ports/128078 apache  www/apache20 -- LDAP support is broken
o ports/125183 apache  www/apache22 wrong SUEXEC_DOCROOT
o ports/124375 apache  www/mod_auth_kerb doesn't compile against heimdal
o ports/121134 apache  www/mod_log_sql2-dtc scoreboard problem
o ports/120229 apache  www/apache20 does not pick up usernames from NIS [regr
o ports/118003 apache  www/apache22: with PgSQL option require only libpq.so.
p ports/116984 apache  [patch] www/apache13-modssl missing perl5.8 as RUN_DEP
o ports/108169 apache  www/apache20 wrong AP_SAFE_PATH for suEXEC
a ports/101566 apache  www/apache20 All .svn subdirectories in $(htdocsdir) g
a ports/96953  apache  www/apache22 port uses its own directories
a ports/83644  apache  www/apache20 add support for ndbm

26 problems total.

From Michael.Galapchuk at fcbank.com.ua Tue Nov 17 09:53:42 2009
From: Michael.Galapchuk at fcbank.com.ua (Michael M Galapchuk)
Date: Tue Nov 17 09:53:48 2009
Subject: Upgrade www/apache22
Message-ID: <1689334853.20091117115323@fcbank.com.ua>

Hi, maintainer,

Please, upgrade, if possible, www/apache22 to apache-2.2.14 (2009-10-05).

"Apache HTTP Server 2.2.14 is the best available version"
http://httpd.apache.org/download.cgi

Best regards,
Michael mailto:Michael.Galapchuk@fcbank.com.ua

From Michael.Galapchuk at fcbank.com.ua Thu Nov 19 13:29:47 2009
From: Michael.Galapchuk at fcbank.com.ua (Michael M Galapchuk)
Date: Thu Nov 19 13:29:53 2009
Subject: Upgrade www/apache22
Message-ID: <1134410456.20091119091344@fcbank.com.ua>

Hi, maintainer,

Please, upgrade, if possible, www/apache22 to apache-2.2.14 (2009-10-05).

"Apache HTTP Server 2.2.14 is the best available version"
http://httpd.apache.org/download.cgi

Best regards,
Michael mailto:Michael.Galapchuk@fcbank.com.ua

From linimon at FreeBSD.org Sun Nov 22 23:31:08 2009
From: linimon at FreeBSD.org (linimon@FreeBSD.org) Date: Sun Nov 22 23:31:14 2009 Subject: ports/140785: www/apache22 port fails Message-ID: <200911222331.nAMNV8pC036689@freefall.freebsd.org> Old Synopsis: Apache 22 port fails New Synopsis: www/apache22 port fails Responsible-Changed-From-To: freebsd-ports-bugs->apache Responsible-Changed-By: linimon Responsible-Changed-When: Sun Nov 22 23:30:31 UTC 2009 Responsible-Changed-Why: Fix synopsis and assign. http://www.freebsd.org/cgi/query-pr.cgi?pr=140785 From bugmaster at FreeBSD.org Mon Nov 23 11:06:15 2009 
From: bugmaster at FreeBSD.org (FreeBSD bugmaster) Date: Mon Nov 23 11:06:44 2009 Subject: Current problem reports assigned to apache@FreeBSD.org Message-ID: <200911231106.nANB6ElK069558@freefall.freebsd.org> Note: to view an individual PR, use: http://www.freebsd.org/cgi/query-pr.cgi?pr=(number). The following is a listing of current problems submitted by FreeBSD users. These represent problem reports covering all versions including experimental development code and obsolete releases. S Tracker Resp. Description -------------------------------------------------------------------------------- o ports/140785 apache www/apache22 port fails o ports/140380 apache [patch] www/apache22: Add support for inclusion of pro o ports/140357 apache [patch] www/apache22 and www/apache20: fix CVE-2009-35 o ports/140137 apache [patch] port www/apache22 update to 2.2.14 o ports/140092 apache www/mod_hosts_access: update to 1.1.0 to allow compat o ports/138846 apache www/apache22 mod_proxy optional patch is not applied b o ports/138466 apache [patch] www/apache22: 'rc.d/apache22 graceful' fails ( o ports/138373 apache www/apache22 accf_data required at apache startup o ports/137729 apache www/mod_auth_kerb2 port broken on 8.0-BETA2 o ports/136928 apache [PATCH] www/apache20 - suexec resource limits patch o ports/136598 apache [PATCH] www/mod_fastcgi: Fix non-threadsafe function o ports/136432 apache www/mod_auth_kerb does not build with MIT Kerberos (se a ports/134577 apache www/apache22: build faild with mod_auth_digest a ports/133773 apache net/keepalived port update request o ports/130479 apache www/apache20 and www/apache22 configure_args busted o ports/128952 apache [NEW PORT] java/javadb: Sun's supported distribution o o ports/128078 apache www/apache20 -- LDAP support is broken o ports/125183 apache www/apache22 wrong SUEXEC_DOCROOT o ports/124375 apache www/mod_auth_kerb doesn't compile against heimdal o ports/121134 apache www/mod_log_sql2-dtc scoreboard problem o 
ports/120229 apache www/apache20 does not pick up usernames from NIS [regr o ports/118003 apache www/apache22: with PgSQL option require only libpq.so. p ports/116984 apache [patch] www/apache13-modssl missing perl5.8 as RUN_DEP o ports/108169 apache www/apache20 wrong AP_SAFE_PATH for suEXEC a ports/101566 apache www/apache20 All .svn subdirectories in $(htdocsdir) g a ports/96953 apache www/apache22 port uses its own directories a ports/83644 apache www/apache20 add support for ndbm 27 problems total. From admin at lissyara.su Thu Nov 26 07:30:05 2009 From: admin at lissyara.su (Alex Keda) Date: Thu Nov 26 07:30:11 2009 Subject: ports/136928: [PATCH] www/apache20 - suexec resource limits patch Message-ID: <200911260730.nAQ7U5KR057929@freefall.freebsd.org> The following reply was made to PR ports/136928; it has been noted by GNATS. From: Alex Keda To: bug-followup@FreeBSD.org Cc: Subject: Re: ports/136928: [PATCH] www/apache20 - suexec resource limits patch Date: Thu, 26 Nov 2009 10:21:55 +0300 may be somebody commit this?