www/apache22: update to 2.2.22 (addresses multiple CVE reports)
Philip M. Gollucci
pgollucci at taximagic.com
Wed Feb 1 03:17:38 UTC 2012
On 1/31/12 10:15 PM, Jason Helfman wrote:
>
>
> On Tue, Jan 31, 2012 at 6:19 PM, Philip M. Gollucci
> <pgollucci at taximagic.com> wrote:
>
> Do not change this file. You're reverting a local change we've
> pulled from trunk svn for security.
>
> Please commit the rest of the patch with my review / hat.
>
>
>
> ==============================__==============================__=======
> RCS file:
> /home/pcvs/ports/www/apache22/__files/patch-docs__conf__extra____httpd-ssl.conf.in
> <http://patch-docs__conf__extra__httpd-ssl.conf.in>,v
> retrieving revision 1.3
> diff -u -r1.3 patch-docs__conf__extra____httpd-ssl.conf.in
> <http://patch-docs__conf__extra__httpd-ssl.conf.in>
> --- files/patch-docs__conf__extra____httpd-ssl.conf.in
> <http://patch-docs__conf__extra__httpd-ssl.conf.in> 23 Jan
> 2012 23:24:38 -0000 1.3
> +++ files/patch-docs__conf__extra____httpd-ssl.conf.in
> <http://patch-docs__conf__extra__httpd-ssl.conf.in> 1 Feb
> 2012 00:05:53 -0000
> @@ -1,58 +1,22 @@
> ---- ./docs/conf/extra/httpd-ssl.__conf.in.orig 2008-02-04
> 23:00:07.000000000 +0000
> -+++ ./docs/conf/extra/httpd-ssl.__conf.in
> <http://httpd-ssl.conf.in> 2012-01-23 23
> <tel:2012-01-23%2023>:20:06.446390870 +0000
> -@@ -77,17 +77,35 @@
> +--- ./docs/conf/extra/httpd-ssl.__conf.in.orig 2012-01-31 15
> <tel:2012-01-31%2015>:16:43.000000000 -0800
> ++++ ./docs/conf/extra/httpd-ssl.__conf.in
> <http://httpd-ssl.conf.in> 2012-01-31 15
> <tel:2012-01-31%2015>:17:47.000000000 -0800
> +@@ -77,8 +77,8 @@
> DocumentRoot "@exp_htdocsdir@"
> ServerName www.example.com:@@SSLPort@@
> ServerAdmin you at example.com <mailto:you at example.com>
> -ErrorLog "@exp_logfiledir@/error_log"
> -TransferLog "@exp_logfiledir@/access_log"
> -+ErrorLog "@exp_logfiledir@/httpd-error.__log"
> -+TransferLog "@exp_logfiledir@/httpd-__access.log"
> ++ErrorLog "@exp_logfiledir@/httpd-error___log"
> ++TransferLog "@exp_logfiledir@/httpd-__access_log"
>
> # SSL Engine Switch:
> # Enable/Disable SSL for this virtual host.
> - SSLEngine on
> -
> -+# SSL Protocol support:
> -+# List the protocol versions which clients are allowed to
> -+# connect with. Disable SSLv2 by default (cf. RFC 6176).
> -+SSLProtocol all -SSLv2
> -+
> - # SSL Cipher Suite:
> - # List the ciphers that the client is permitted to negotiate.
> - # See the mod_ssl documentation for a complete list.
> --SSLCipherSuite
> ALL:!ADH:!EXPORT56:RC4+RSA:+__HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:__+eNULL
> -+SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
> -+
> -+# Speed-optimized SSL Cipher configuration:
> -+# If speed is your main concern (on busy HTTPS servers e.g.),
> -+# you might want to force clients to specific, performance
> -+# optimized ciphers. In this case, prepend those ciphers
> -+# to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
> -+# Caveat: by giving precedence to RC4-SHA and AES128-SHA
> -+# (as in the example below), most connections will no longer
> -+# have perfect forward secrecy - if the server's key is
> -+# compromised, captures of past or future traffic must be
> -+# considered compromised, too.
> -+#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:__MEDIUM:!aNULL:!MD5
> -+#SSLHonorCipherOrder on
> -
> - # Server Certificate:
> - # Point SSLCertificateFile at a PEM encoded certificate. If
> -@@ -218,14 +236,14 @@
> - # Similarly, one has to force some clients to use HTTP/1.0
> to workaround
> - # their broken HTTP/1.1 implementation. Use variables
> "downgrade-1.0" and
> - # "force-response-1.0" for this.
> --BrowserMatch ".*MSIE.*" \
> -+BrowserMatch "MSIE [2-5]" \
> - nokeepalive ssl-unclean-shutdown \
> - downgrade-1.0 force-response-1.0
> -
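Review bot: the security directives are removed from the ports patch in this region with nothing replacing them: `+SSLProtocol all -SSLv2`, `+SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5` (which retired the old `ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL` list) and the `BrowserMatch "MSIE [2-5]"` narrowing all become `-+` lines, and the new `+@@ -77,8 +77,8 @@` hunk keeps only the two log-name changes. That is only correct if the 2.2.22 source already carries those lines (the new `.orig` is dated 2012-01-31 against the old 2008 baseline, and the reply below says the additions were in the downloaded source), so verify it before committing, for example by grepping the extracted docs/conf/extra/httpd-ssl.conf.in for `SSLProtocol` and `SSLHonorCipherOrder`, and say in the commit message that the local security change is now upstream rather than reverted.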
> +@@ -243,7 +243,7 @@
> # Per-Server Logging:
> # The home of a custom SSL log file. Use this when you want a
> # compact non-error SSL logfile on a virtual host basis.
> -CustomLog "@exp_logfiledir@/ssl_request___log" \
> -+CustomLog "@exp_logfiledir@/httpd-ssl___request.log" \
> ++CustomLog "@exp_logfiledir@/httpd-ssl___request_log" \
> "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>
> </VirtualHost>
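Review bot: the new `++CustomLog` line, together with the `++ErrorLog` and `++TransferLog` lines earlier in the diff, switches the port's log file names from the `.log` suffix the current patch uses (`httpd-ssl_request.log`) to an `_log` suffix (`httpd-ssl_request_log`), so as rendered here this diff renames all three SSL log files on top of the security update. If that is unintended, regenerate the hunk keeping the existing names; if intended, it needs matching changes wherever the port refers to these files (the httpd.conf patch, log rotation, documentation) and a mention in the commit message, since the subject only announces the 2.2.22 update.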
> _______________________________________________
> freebsd-apache at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-apache
> To unsubscribe, send any mail to "freebsd-apache-unsubscribe at freebsd.org"
>
>
>
> --
> ------------------------------------------------------------------------
> 1024D/DB9B8C1C B90B FBC3 A3A1 C71A 8E70 3F8C 75B8 8FFB DB9B 8C1C
> Philip M. Gollucci (pgollucci at p6m7g8.com) c: 703.336.9354
> Member, Apache Software Foundation
> Committer, FreeBSD Foundation
> Consultant, P6M7G8 Inc.
> Director Operations, Ridecharge Inc.
>
> Work like you don't need the money,
> love like you'll never get hurt,
> and dance like nobody's watching.
>
>
> I will be glad to do that; however, it didn't patch cleanly. The
> additions were in the downloaded source, unless I am mistaken.
> Can you please verify?
I'm wiped tonight. I'll peek Wednesday a.m. Ping me if you don't hear
from me tomorrow.
> -jgh
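The verification the thread asks for, as an added example that is not code from the thread or from the apache22 port: a POSIX sh audit of an httpd-ssl.conf(.in) that reports whether SSLv2 is disabled and whether the cipher list excludes anonymous, null and export ciphers. The two sample configurations are constructed from the cipher lists that appear in the quoted patch; the file names and the `audit_ssl_conf` function are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread or the apache22 port: audit an
# httpd-ssl.conf(.in) for the hardening directives whose presence in the
# 2.2.22 source is the open question in the thread. File names are hypothetical.
set -eu

# audit_ssl_conf FILE: return 0 if FILE disables SSLv2 and sets a cipher
# list that excludes anonymous, null and export ciphers; otherwise print
# each finding on stderr and return 1. Commented-out directives are ignored
# and the last active occurrence of a directive is the one checked.
audit_ssl_conf() {
    file=$1
    ok=0
    proto=$(grep -E '^[[:space:]]*SSLProtocol[[:space:]]' "$file" | tail -n 1)
    suite=$(grep -E '^[[:space:]]*SSLCipherSuite[[:space:]]' "$file" | tail -n 1)
    case "$proto" in
        *-SSLv2*) ;;
        *) echo "$file: SSLProtocol does not disable SSLv2: '${proto:-missing}'" >&2
           ok=1 ;;
    esac
    if [ -z "$suite" ]; then
        echo "$file: no SSLCipherSuite set" >&2
        ok=1
    else
        # Anonymous key exchange must be excluded explicitly.
        case "$suite" in
            *'!aNULL'*|*'!ADH'*) ;;
            *) echo "$file: cipher list admits anonymous ciphers: $suite" >&2
               ok=1 ;;
        esac
        # A list that re-adds null, export, low or SSLv2 ciphers is not hardened.
        case "$suite" in
            *'+eNULL'*|*'+EXP'*|*'+SSLv2'*|*'+LOW'*)
                echo "$file: cipher list re-enables weak ciphers: $suite" >&2
                ok=1 ;;
        esac
    fi
    return $ok
}

# Constructed samples (not the distfile): the cipher list the old ports
# patch replaced, and the hardened block that patch carried.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat >"$tmp/old-httpd-ssl.conf" <<'EOF'
<VirtualHost _default_:443>
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
</VirtualHost>
EOF
cat >"$tmp/new-httpd-ssl.conf" <<'EOF'
<VirtualHost _default_:443>
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
#SSLHonorCipherOrder on
</VirtualHost>
EOF

for f in "$tmp/old-httpd-ssl.conf" "$tmp/new-httpd-ssl.conf"; do
    if audit_ssl_conf "$f"; then echo "PASS $f"; else echo "FAIL $f"; fi
done
```

Run `audit_ssl_conf docs/conf/extra/httpd-ssl.conf.in` inside the extracted 2.2.22 source to settle whether the lines dropped from the ports patch are already upstream; the commented `#SSLCipherSuite` line in the second sample shows that disabled directives are not mistaken for active ones.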