authortron <tron@pkgsrc.org>2015-05-24 11:41:00 +0000
committertron <tron@pkgsrc.org>2015-05-24 11:41:00 +0000
commit269b5a21a8d4c4cab2dac562c4ba6e0f4425c69a (patch)
tree7e74e979ded2761c10087e5aadf7961ffef2fde1
parenta11b959e92b0942e6e3cfbc3bf608bb87620a3e6 (diff)
Pullup ticket #4733 - requested by sborrill
www/apache22: security patch Revisions pulled up: - www/apache22/Makefile 1.103 - www/apache22/distinfo 1.61 - www/apache22/patches/patch-modules_ssl_ssl__engine__dh.c 1.1 --- Module Name: pkgsrc Committed By: sborrill Date: Fri May 22 09:20:20 UTC 2015 Modified Files: pkgsrc/www/apache22: Makefile distinfo Added Files: pkgsrc/www/apache22/patches: patch-modules_ssl_ssl__engine__dh.c Log Message: Add patch to mitigate Logjam TLS vulnerabilities (CVE-2015-4000). Based on FreeBSD ports.
-rw-r--r--www/apache22/Makefile7
-rw-r--r--www/apache22/distinfo3
-rw-r--r--www/apache22/patches/patch-modules_ssl_ssl__engine__dh.c73
3 files changed, 81 insertions, 2 deletions
diff --git a/www/apache22/Makefile b/www/apache22/Makefile
index 9e5c1fee51f..f1957aef047 100644
--- a/www/apache22/Makefile
+++ b/www/apache22/Makefile
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.102 2014/09/09 08:11:48 adam Exp $
+# $NetBSD: Makefile,v 1.102.6.1 2015/05/24 11:41:00 tron Exp $
DISTNAME= httpd-2.2.29
PKGNAME= ${DISTNAME:S/httpd/apache/}
+PKGREVISION= 1
CATEGORIES= www
MASTER_SITES= ${MASTER_SITE_APACHE:=httpd/} \
http://archive.apache.org/dist/httpd/ \
@@ -209,6 +210,10 @@ post-extract:
${TOUCH} ${WRKSRC}/build/libtool
${ECHO} "" >> ${WRKSRC}/docs/conf/extra/httpd-languages.conf.in
+pre-build:
+ ${ECHO} "===> Generating unique DH group to mitigate Logjam attack (this will take a while)"
+ (cd ${WRKSRC}/modules/ssl && ${PERL5} ssl_engine_dh.c)
+
post-build:
${SED} "s#@PKG_SYSCONFDIR@#${PKG_SYSCONFDIR}#g" \
< ${FILESDIR}/mkcert.sh > ${WRKDIR}/mkcert
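Review bot: The new pre-build target runs `${PERL5} ssl_engine_dh.c` but nothing in this hunk makes the tools that script shells out to (an `openssl` binary plus the `indent` and `expand` filters it pipes through) an explicit build-time requirement, so a missing tool would surface only as a later compile error in mod_ssl or, if the script's own failure handling is lax, not at all; whether `USE_TOOLS+= perl` is already declared elsewhere in the Makefile cannot be seen from this hunk. The echo message also promises a "unique DH group", which is unique per build, not per installed host: every machine installing the same binary package shares the group, which is worth stating next to the target, e.g. `# DH parameters are generated once per build; all installs of this binary package share them.`. Consider also propagating failure explicitly, e.g. `(cd ${WRKSRC}/modules/ssl && ${PERL5} ssl_engine_dh.c) || ${FALSE}`, so a non-zero exit from the generator stops the build rather than relying on the shell's default.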
diff --git a/www/apache22/distinfo b/www/apache22/distinfo
index 4218941ce15..80b48f3342d 100644
--- a/www/apache22/distinfo
+++ b/www/apache22/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.60 2014/09/09 08:11:48 adam Exp $
+$NetBSD: distinfo,v 1.60.6.1 2015/05/24 11:41:00 tron Exp $
SHA1 (httpd-2.2.29.tar.bz2) = 1d6a8fbc1391d358cc6fe430edc16222b97258d5
RMD160 (httpd-2.2.29.tar.bz2) = c9a823f038a6a1cbfd94cd9bdd067edd26cf7a3b
@@ -16,4 +16,5 @@ SHA1 (patch-aw) = ca53d67beeb2c2c4d9adb04d3d79e24a8c427fd4
SHA1 (patch-docs_man_apxs.8) = 70797ea73ae6379492971bec1106a8427ae7fdaa
SHA1 (patch-lock.c) = 770ca03f1cb4421879bd5baa5a7c30cc91acb6e1
SHA1 (patch-modules_proxy_mod_proxy_connect.c) = b2b5d0242a92c7bf20b14c16d8cd3abae42f3746
+SHA1 (patch-modules_ssl_ssl__engine__dh.c) = fc37a639ecfbade0cf8a4fc684d7ec3b92949897
SHA1 (patch-repos.c) = 0e0361b91d4b0fe6c7c55a12fdfd2e6aacc710e1
diff --git a/www/apache22/patches/patch-modules_ssl_ssl__engine__dh.c b/www/apache22/patches/patch-modules_ssl_ssl__engine__dh.c
new file mode 100644
index 00000000000..ab46b73cfab
--- /dev/null
+++ b/www/apache22/patches/patch-modules_ssl_ssl__engine__dh.c
@@ -0,0 +1,73 @@
+--- modules/ssl/ssl_engine_dh.c.orig 2006-07-12 03:38:44 UTC
++++ modules/ssl/ssl_engine_dh.c
+@@ -102,12 +102,12 @@ DH *ssl_dh_GetTmpParam(int nKeyLen)
+ {
+ DH *dh;
+
+- if (nKeyLen == 512)
+- dh = get_dh512();
+- else if (nKeyLen == 1024)
+- dh = get_dh1024();
++ if (nKeyLen == 2048)
++ dh = get_dh2048();
++ else if (nKeyLen == 3072)
++ dh = get_dh3072();
+ else
+- dh = get_dh1024();
++ dh = get_dh3072();
+ return dh;
+ }
+
+@@ -151,7 +151,7 @@ print FP $source;
+ close(FP);
+
+ # generate the DH parameters
+-print "1. Generate 512 and 1024 bit Diffie-Hellman parameters (p, g)\n";
++print "1. Generate 2048 and 3072 bit Diffie-Hellman parameters (p, g)\n";
+ my $rand = '';
+ foreach $file (qw(/var/log/messages /var/adm/messages
+ /kernel /vmunix /vmlinuz /etc/hosts /etc/resolv.conf)) {
+@@ -161,15 +161,15 @@ foreach $file (qw(/var/log/messages /var
+ }
+ }
+ $rand = "-rand $rand" if ($rand ne '');
+-system("openssl gendh $rand -out dh512.pem 512");
+-system("openssl gendh $rand -out dh1024.pem 1024");
++system("openssl gendh $rand -out dh2048.pem 2048");
++system("openssl gendh $rand -out dh3072.pem 3072");
+
+ # generate DH param info
+ my $dhinfo = '';
+-open(FP, "openssl dh -noout -text -in dh512.pem |") || die;
++open(FP, "openssl dh -noout -text -in dh2048.pem |") || die;
+ $dhinfo .= $_ while (<FP>);
+ close(FP);
+-open(FP, "openssl dh -noout -text -in dh1024.pem |") || die;
++open(FP, "openssl dh -noout -text -in dh3072.pem |") || die;
+ $dhinfo .= $_ while (<FP>);
+ close(FP);
+ $dhinfo =~ s|^|** |mg;
+@@ -177,10 +177,10 @@ $dhinfo = "\n\/\*\n$dhinfo\*\/\n\n";
+
+ # generate C source from DH params
+ my $dhsource = '';
+-open(FP, "openssl dh -noout -C -in dh512.pem | indent | expand |") || die;
++open(FP, "openssl dh -noout -C -in dh2048.pem | indent | expand |") || die;
+ $dhsource .= $_ while (<FP>);
+ close(FP);
+-open(FP, "openssl dh -noout -C -in dh1024.pem | indent | expand |") || die;
++open(FP, "openssl dh -noout -C -in dh3072.pem | indent | expand |") || die;
+ $dhsource .= $_ while (<FP>);
+ close(FP);
+ $dhsource =~ s|(DH\s+\*get_dh)(\d+)[^}]*\n}|static $1$2(void)
+@@ -203,8 +203,8 @@ print FP $source;
+ close(FP);
+
+ # cleanup
+-unlink("dh512.pem");
+-unlink("dh1024.pem");
++unlink("dh2048.pem");
++unlink("dh3072.pem");
+
+ =pod
+ */
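Review bot: The new `system("openssl gendh $rand -out dh2048.pem 2048")` and `system("openssl gendh $rand -out dh3072.pem 3072")` lines still discard the exit status, so if `openssl gendh` is unavailable (newer OpenSSL releases point to `dhparam` instead) or fails, the script carries on; the following `open(FP, "openssl dh -noout -C -in dh2048.pem | indent | expand |") || die` only detects a failed fork, not a failed pipeline, and an empty `$dhsource` would then be written back into the C source instead of new `get_dh2048`/`get_dh3072` definitions. A one-line guard after each call, `system(...) == 0 or die "openssl gendh failed: $?";`, turns that silent condition into a hard build failure, and checking `close(FP) or die "openssl dh failed: $?"` on the pipe handles would catch a failing `openssl dh` as well. The new pipe opens also keep the two-argument bareword `open(FP, "... |")` form; the list form `open(my $fh, '-|', 'openssl', 'dh', '-noout', '-C', '-in', 'dh2048.pem')` avoids the shell for the first stage, though the `indent | expand` post-processing would then need a separate step. Both the C function `ssl_dh_GetTmpParam` and the embedded Perl script continue outside the excerpts the nested hunks show.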