ports/164675: www/apache22: update to 2.2.22 (addresses multiple CVE reports)
Jason Helfman
jgh at freebsd.org
Wed Feb 1 00:20:11 UTC 2012
>Number: 164675
>Category: ports
>Synopsis: www/apache22: update to 2.2.22 (addresses multiple CVE reports)
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Wed Feb 01 00:20:10 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator: Jason Helfman
>Release: FreeBSD 8.2-STABLE i386
>Organization:
>Environment:
System: FreeBSD freefall.freebsd.org 8.2-STABLE FreeBSD 8.2-STABLE #5 r227907: Wed Nov 23 21:55:50 UTC 2011 simon at freefall.freebsd.org:/usr/obj/usr/src/sys/FREEFALL i386
>Description:
Update to 2.2.22
Buildlog: http://people.freebsd.org/~jgh/files/apache-2.2.22.log
>How-To-Repeat:
>Fix:
Index: Makefile
===================================================================
RCS file: /home/pcvs/ports/www/apache22/Makefile,v
retrieving revision 1.294
diff -u -r1.294 Makefile
--- Makefile 23 Sep 2011 22:25:53 -0000 1.294
+++ Makefile 1 Feb 2012 00:05:53 -0000
@@ -8,7 +8,7 @@
#
PORTNAME= apache
-PORTVERSION= 2.2.21
+PORTVERSION= 2.2.22
#PORTREVISION= 1
CATEGORIES= www
MASTER_SITES= ${MASTER_SITE_APACHE_HTTPD}
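Review bot: the `PORTVERSION` bump to 2.2.22 is the only place the security fix lands, yet neither the description ("Update to 2.2.22") nor the patch names the CVE reports the synopsis refers to. List the CVE identifiers in the PR or commit message so that the advisory entry for this port can be matched to the version that fixes them.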
Index: Makefile.doc
===================================================================
RCS file: /home/pcvs/ports/www/apache22/Makefile.doc,v
retrieving revision 1.15
diff -u -r1.15 Makefile.doc
--- Makefile.doc 31 Mar 2011 17:00:36 -0000 1.15
+++ Makefile.doc 1 Feb 2012 00:05:53 -0000
@@ -102,7 +102,7 @@
MAKE_ENV+= NOPORTDOCS=yes
.endif
-MAN1= dbmmanage.1 htdigest.1 htpasswd.1 htdbm.1
-MAN8= ab.8 apachectl.8 apxs.8 httpd.8 logresolve.8 rotatelogs.8 suexec.8 htcacheclean.8
+MAN1= ab.1 apxs.1 dbmmanage.1 htdbm.1 htdigest.1 htpasswd.1 httxt2dbm.1 logresolve.1
+MAN8= apachectl.8 htcacheclean.8 httpd.8 rotatelogs.8 suexec.8
PORTDOCS= * #don't blame me ;-)
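Review bot: the new `MAN1`/`MAN8` lists here duplicate the hard-coded names in the `for i in ...` loops of files/patch-Makefile.in, so the two have to be kept in step by hand. In this patch they do agree (ab, apxs and logresolve move to section 1, httxt2dbm.1 is new), but a comment next to `MAN1=` pointing at the loop in patch-Makefile.in would keep a later update from changing one and not the other.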
Index: distinfo
===================================================================
RCS file: /home/pcvs/ports/www/apache22/distinfo,v
retrieving revision 1.86
diff -u -r1.86 distinfo
--- distinfo 15 Sep 2011 05:00:28 -0000 1.86
+++ distinfo 1 Feb 2012 00:05:53 -0000
@@ -1,2 +1,2 @@
-SHA256 (apache22/httpd-2.2.21.tar.bz2) = 18d5591fe48cfbac44fc20316036ffe17456df60bc3a2aaad238d56c6445577f
-SIZE (apache22/httpd-2.2.21.tar.bz2) = 5324905
+SHA256 (apache22/httpd-2.2.22.tar.bz2) = dcdc9f1dc722f84798caf69d69dca78daa5e09a4269060045aeca7e4f44cb231
+SIZE (apache22/httpd-2.2.22.tar.bz2) = 5378934
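Review bot: the new `SHA256` and `SIZE` values for httpd-2.2.22.tar.bz2 are given without saying how the tarball was authenticated. Since this is a security update, state in the PR that the distfile was checked against the upstream signature or published digest before these values were recorded, so the committer does not have to take the hash on trust.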
Index: files/patch-Makefile.in
===================================================================
RCS file: /home/pcvs/ports/www/apache22/files/patch-Makefile.in,v
retrieving revision 1.25
diff -u -r1.25 patch-Makefile.in
--- files/patch-Makefile.in 7 May 2010 03:15:44 -0000 1.25
+++ files/patch-Makefile.in 1 Feb 2012 00:05:53 -0000
@@ -96,10 +96,10 @@
@test -d $(DESTDIR)$(manualdir) || $(MKINSTALLDIRS) $(DESTDIR)$(manualdir)
- @cp -p $(top_srcdir)/docs/man/*.1 $(DESTDIR)$(mandir)/man1
- @cp -p $(top_srcdir)/docs/man/*.8 $(DESTDIR)$(mandir)/man8
-+ for i in dbmmanage htdbm htdigest htpasswd; do \
++ for i in ab apxs dbmmanage htdbm htdigest htpasswd httxt2dbm logresolve; do \
+ ${INSTALL_MAN} $(top_srcdir)/docs/man/$$i.1 $(DESTDIR)$(mandir)/man1; \
+ done
-+ for i in ab apachectl apxs htcacheclean httpd logresolve rotatelogs suexec; do \
++ for i in apachectl htcacheclean httpd rotatelogs suexec; do \
+ ${INSTALL_MAN} $(top_srcdir)/docs/man/$$i.8 $(DESTDIR)$(mandir)/man8; \
+ done
+.if !defined(NOPORTDOCS)
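Review bot: the two man-page loops changed here run `${INSTALL_MAN}` with nothing after it to stop on failure, so unless the shell is invoked with `-e` the loop's exit status is that of the last iteration only. With httxt2dbm.1 newly added and three pages moved between sections, a missing file in the middle of a list could go unnoticed; appending `|| exit 1` to the `${INSTALL_MAN}` line in each loop would make the install fail loudly.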
Index: files/patch-docs__conf__extra__httpd-ssl.conf.in
===================================================================
RCS file: /home/pcvs/ports/www/apache22/files/patch-docs__conf__extra__httpd-ssl.conf.in,v
retrieving revision 1.3
diff -u -r1.3 patch-docs__conf__extra__httpd-ssl.conf.in
--- files/patch-docs__conf__extra__httpd-ssl.conf.in 23 Jan 2012 23:24:38 -0000 1.3
+++ files/patch-docs__conf__extra__httpd-ssl.conf.in 1 Feb 2012 00:05:53 -0000
@@ -1,58 +1,22 @@
---- ./docs/conf/extra/httpd-ssl.conf.in.orig 2008-02-04 23:00:07.000000000 +0000
-+++ ./docs/conf/extra/httpd-ssl.conf.in 2012-01-23 23:20:06.446390870 +0000
-@@ -77,17 +77,35 @@
+--- ./docs/conf/extra/httpd-ssl.conf.in.orig 2012-01-31 15:16:43.000000000 -0800
++++ ./docs/conf/extra/httpd-ssl.conf.in 2012-01-31 15:17:47.000000000 -0800
+@@ -77,8 +77,8 @@
DocumentRoot "@exp_htdocsdir@"
ServerName www.example.com:@@SSLPort@@
ServerAdmin you at example.com
-ErrorLog "@exp_logfiledir@/error_log"
-TransferLog "@exp_logfiledir@/access_log"
-+ErrorLog "@exp_logfiledir@/httpd-error.log"
-+TransferLog "@exp_logfiledir@/httpd-access.log"
++ErrorLog "@exp_logfiledir@/httpd-error_log"
++TransferLog "@exp_logfiledir@/httpd-access_log"
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
- SSLEngine on
-
-+# SSL Protocol support:
-+# List the protocol versions which clients are allowed to
-+# connect with. Disable SSLv2 by default (cf. RFC 6176).
-+SSLProtocol all -SSLv2
-+
- # SSL Cipher Suite:
- # List the ciphers that the client is permitted to negotiate.
- # See the mod_ssl documentation for a complete list.
--SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
-+SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
-+
-+# Speed-optimized SSL Cipher configuration:
-+# If speed is your main concern (on busy HTTPS servers e.g.),
-+# you might want to force clients to specific, performance
-+# optimized ciphers. In this case, prepend those ciphers
-+# to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
-+# Caveat: by giving precedence to RC4-SHA and AES128-SHA
-+# (as in the example below), most connections will no longer
-+# have perfect forward secrecy - if the server's key is
-+# compromised, captures of past or future traffic must be
-+# considered compromised, too.
-+#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
-+#SSLHonorCipherOrder on
-
- # Server Certificate:
- # Point SSLCertificateFile at a PEM encoded certificate. If
-@@ -218,14 +236,14 @@
- # Similarly, one has to force some clients to use HTTP/1.0 to workaround
- # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
- # "force-response-1.0" for this.
--BrowserMatch ".*MSIE.*" \
-+BrowserMatch "MSIE [2-5]" \
- nokeepalive ssl-unclean-shutdown \
- downgrade-1.0 force-response-1.0
-
+@@ -243,7 +243,7 @@
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
-CustomLog "@exp_logfiledir@/ssl_request_log" \
-+CustomLog "@exp_logfiledir@/httpd-ssl_request.log" \
++CustomLog "@exp_logfiledir@/httpd-ssl_request_log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
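Review bot: the rewritten patch no longer carries the `SSLProtocol all -SSLv2` and `SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5` additions, nor the `BrowserMatch "MSIE [2-5]"` change, that revision 1.3 applied. Confirm that the httpd-ssl.conf.in shipped with 2.2.22 already contains them; if it does not, the installed sample configuration goes back to the cipher list with `+SSLv2:+EXP:+eNULL` that revision 1.3 replaced. Separately, the log names change from `httpd-error.log`, `httpd-access.log` and `httpd-ssl_request.log` to `httpd-error_log`, `httpd-access_log` and `httpd-ssl_request_log`, which existing log-rotation entries keyed on the old names would miss; say in the PR whether the rename is intended.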
>Release-Note:
>Audit-Trail:
>Unformatted: