www/apache22: update to 2.2.22 (addresses multiple CVE reports)
Jason Helfman
jgh at FreeBSD.org
Wed Feb 1 03:42:05 UTC 2012
On Tue, Jan 31, 2012 at 6:19 PM, Philip M. Gollucci <pgollucci at taximagic.com> wrote:
> Do not change this file. You're reverting a local change we've pulled
> from trunk svn for security.
>
> Please commit the rest of the patch with my review / hat.
>
>
>
> ===================================================================
>> RCS file: /home/pcvs/ports/www/apache22/**files/patch-docs__conf__extra_*
>> *_httpd-ssl.conf.in <http://patch-docs__conf__extra__httpd-ssl.conf.in>,v
>> retrieving revision 1.3
>> diff -u -r1.3 patch-docs__conf__extra__**httpd-ssl.conf.in<http://patch-docs__conf__extra__httpd-ssl.conf.in>
>> --- files/patch-docs__conf__extra_**_httpd-ssl.conf.in<http://patch-docs__conf__extra__httpd-ssl.conf.in> 23 Jan 2012 23:24:38 -0000 1.3
>> +++ files/patch-docs__conf__extra_**_httpd-ssl.conf.in<http://patch-docs__conf__extra__httpd-ssl.conf.in> 1 Feb 2012 00:05:53 -0000
>> @@ -1,58 +1,22 @@
>> ---- ./docs/conf/extra/httpd-ssl.**conf.in.orig 2008-02-04
>> 23:00:07.000000000 +0000
>> -+++ ./docs/conf/extra/httpd-ssl.**conf.in <http://httpd-ssl.conf.in>
>> 2012-01-23 23:20:06.446390870 +0000
>> -@@ -77,17 +77,35 @@
>> +--- ./docs/conf/extra/httpd-ssl.**conf.in.orig 2012-01-31 15:16:43.000000000
>> -0800
>> ++++ ./docs/conf/extra/httpd-ssl.**conf.in <http://httpd-ssl.conf.in>
>> 2012-01-31 15:17:47.000000000 -0800
>> +@@ -77,8 +77,8 @@
>> DocumentRoot "@exp_htdocsdir@"
>> ServerName www.example.com:@@SSLPort@@
>> ServerAdmin you at example.com
>> -ErrorLog "@exp_logfiledir@/error_log"
>> -TransferLog "@exp_logfiledir@/access_log"
>> -+ErrorLog "@exp_logfiledir@/httpd-error.**log"
>> -+TransferLog "@exp_logfiledir@/httpd-**access.log"
>> ++ErrorLog "@exp_logfiledir@/httpd-error_**log"
>> ++TransferLog "@exp_logfiledir@/httpd-**access_log"
>>
>> # SSL Engine Switch:
>> # Enable/Disable SSL for this virtual host.
>> - SSLEngine on
>> -
>> -+# SSL Protocol support:
>> -+# List the protocol versions which clients are allowed to
>> -+# connect with. Disable SSLv2 by default (cf. RFC 6176).
>> -+SSLProtocol all -SSLv2
>> -+
>> - # SSL Cipher Suite:
>> - # List the ciphers that the client is permitted to negotiate.
>> - # See the mod_ssl documentation for a complete list.
>> --SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+**
>> HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:**+eNULL
>> -+SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
>> -+
>> -+# Speed-optimized SSL Cipher configuration:
>> -+# If speed is your main concern (on busy HTTPS servers e.g.),
>> -+# you might want to force clients to specific, performance
>> -+# optimized ciphers. In this case, prepend those ciphers
>> -+# to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
>> -+# Caveat: by giving precedence to RC4-SHA and AES128-SHA
>> -+# (as in the example below), most connections will no longer
>> -+# have perfect forward secrecy - if the server's key is
>> -+# compromised, captures of past or future traffic must be
>> -+# considered compromised, too.
>> -+#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:**MEDIUM:!aNULL:!MD5
>> -+#SSLHonorCipherOrder on
>> -
>> - # Server Certificate:
>> - # Point SSLCertificateFile at a PEM encoded certificate. If
>> -@@ -218,14 +236,14 @@
>> - # Similarly, one has to force some clients to use HTTP/1.0 to
>> workaround
>> - # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0"
>> and
>> - # "force-response-1.0" for this.
>> --BrowserMatch ".*MSIE.*" \
>> -+BrowserMatch "MSIE [2-5]" \
>> - nokeepalive ssl-unclean-shutdown \
>> - downgrade-1.0 force-response-1.0
>> -
>> +@@ -243,7 +243,7 @@
>> # Per-Server Logging:
>> # The home of a custom SSL log file. Use this when you want a
>> # compact non-error SSL logfile on a virtual host basis.
>> -CustomLog "@exp_logfiledir@/ssl_request_**log" \
>> -+CustomLog "@exp_logfiledir@/httpd-ssl_**request.log" \
>> ++CustomLog "@exp_logfiledir@/httpd-ssl_**request_log" \
>> "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>>
>> </VirtualHost>
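Review bot: the `@@ -1,58 +1,22 @@` hunk drops the port's local `SSLProtocol all -SSLv2`, `SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5` and `BrowserMatch "MSIE [2-5]"` changes from `patch-docs__conf__extra__httpd-ssl.conf.in` without showing where those settings now come from; before committing, confirm that the 2.2.22 `docs/conf/extra/httpd-ssl.conf.in` already carries them, because if it does not, the shipped config falls back to the stock `SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL` line and the blanket `".*MSIE.*"` keepalive downgrade, which is exactly the regression the reverted security change was meant to prevent. The remaining hunks also rename on-disk log files (`httpd-error.log` to `httpd-error_log`, `httpd-access.log` to `httpd-access_log`, `httpd-ssl_request.log` to `httpd-ssl_request_log`), which breaks any existing newsyslog, logrotate or monitoring entries that point at the old names and deserves a sentence in the commit message. Finally, the copy quoted here has `**` inserted into file names and cipher strings by the mail client, so apply the patch from the original attachment rather than from the message body.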
>> _______________________________________________
>> freebsd-apache at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-apache
>> To unsubscribe, send any mail to "freebsd-apache-unsubscribe at freebsd.org"
>>
>>
>
> --
> ------------------------------------------------------------------------
> 1024D/DB9B8C1C B90B FBC3 A3A1 C71A 8E70 3F8C 75B8 8FFB DB9B 8C1C
> Philip M. Gollucci (pgollucci at p6m7g8.com) c: 703.336.9354
> Member, Apache Software Foundation
> Committer, FreeBSD Foundation
> Consultant, P6M7G8 Inc.
> Director Operations, Ridecharge Inc.
>
> Work like you don't need the money,
> love like you'll never get hurt,
> and dance like nobody's watching.
>
>
I will be glad to do that; however, it didn't patch cleanly. The additions
were in the downloaded source, unless I am mistaken.
Can you please verify?
-jgh