authortron <tron>2015-09-09 20:38:53 +0000
committertron <tron>2015-09-09 20:38:53 +0000
commitd3d99f6b69db7e99393e71a5669c3101c0de25b1 (patch)
treeff1d377ff705306ee55b41ec96836e58573c9afe
parent6b0d901c23abf1cb1d0cb8c0d6d76380a0abce2d (diff)
downloadpkgsrc-d3d99f6b69db7e99393e71a5669c3101c0de25b1.tar.gz
Pullup ticket #4813 - requested by he
www/apache22: security update Revisions pulled up: - www/apache22/Makefile 1.105 - www/apache22/distinfo 1.62 - www/apache22/patches/patch-modules_ssl_ssl__engine__dh.c deleted --- Module Name: pkgsrc Committed By: adam Date: Mon Jul 20 18:28:59 UTC 2015 Modified Files: pkgsrc/www/apache22: Makefile distinfo Removed Files: pkgsrc/www/apache22/patches: patch-modules_ssl_ssl__engine__dh.c Log Message: Changes with Apache 2.2.31 *) Correct win32 build issues for mod_proxy exports, OpenSSL 1.0.x headers. Changes with Apache 2.2.30 (not released) *) SECURITY: CVE-2015-3183 (cve.mitre.org) core: Fix chunk header parsing defect. Remove apr_brigade_flatten(), buffering and duplicated code from the HTTP_IN filter, parse chunks in a single pass with zero copy. Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext authorized characters. *) http: Fix LimitRequestBody checks when there is no more bytes to read. *) core: Allow spaces after chunk-size for compatibility with implementations using a pre-filled buffer. *) mod_ssl: bring SNI behavior into better conformance with RFC 6066: no longer send warning-level unrecognized_name(112) alerts. *) http: Make ap_die() robust against any HTTP error code and not modify response status (finally logged) when nothing is to be done. *) core, modules: Avoid error response/document handling by the core if some handler or input filter already did it while reading the request (causing a double response body). *) FreeBSD: Disable IPv4-mapped listening sockets by default for versions 5+ instead of just for FreeBSD 5. *) mod_proxy: use the original (non absolute) form of the request-line's URI for requests embedded in CONNECT payloads used to connect SSL backends via a ProxyRemote forward-proxy. *) mpm_winnt: Accept utf-8 (Unicode) service names and descriptions for internationalization. *) mod_log_config: Implement logging for sub second timestamps and request end time. 
*) mod_log_config: Ensure that time data is consistent if multiple duration patterns are used in combination, e.g. %D and %{ms}T. *) mod_log_config: Add "%{UNIT}T" format to output request duration in seconds, milliseconds or microseconds depending on UNIT ("s", "ms", "us"). *) In alignment with RFC 7525, the default recommended SSLCipherSuite and SSLProxyCipherSuite now exclude RC4 as well as MD5. Also, the default recommended SSLProtocol and SSLProxyProtocol directives now exclude SSLv3. Existing configurations must be adjusted by the administrator. *) core: Avoid potential use of uninitialized (NULL) request data in request line error path. *) mod_proxy_http: Use the "Connection: close" header for requests to backends not recycling connections (disablereuse), including the default reverse and forward proxies. *) mod_proxy: Add ap_connection_reusable() for checking if a connection is reusable as of this point in processing. *) mod_proxy: Reuse proxy/balancer workers' parameters and scores across graceful restarts, even if new workers are added, old ones removed, or the order changes. *) mod_ssl: 'SSLProtocol ALL' was being ignored in virtual host context. *) mod_ssl: Improve handling of ephemeral DH and ECDH keys by allowing custom parameters to be configured via SSLCertificateFile, and by adding standardized DH parameters for 1024/2048/3072/4096 bits. Unless custom parameters are configured, the standardized parameters are applied based on the certificate's RSA/DSA key size. *) mod_ssl: drop support for export-grade ciphers with ephemeral RSA keys, and unconditionally disable aNULL, eNULL and EXP ciphers (not overridable via SSLCipherSuite). *) mod_ssl: Add support for configuring persistent TLS session ticket encryption/decryption keys (useful for clustered environments). 
*) SSLProtocol and SSLCipherSuite recommendations in the example/default conf/extra/httpd-ssl.conf file are now global in scope, affecting all VirtualHosts (matching 2.4 default configuration). *) mod_authn_dbd: Fix lifetime of DB lookup entries independently of the selected DB engine. *) Turn static function get_server_name_for_url() into public ap_get_server_name_for_url() and use it where appropriate. This fixes mod_rewrite generating invalid URLs for redirects to IPv6 literal addresses. *) dav_validate_request: avoid validating locks and ETags when there are no If headers providing them on a resource we aren't modifying. *) mod_ssl: New directive SSLSessionTickets (On|Off). The directive controls the use of TLS session tickets (RFC 5077), default value is "On" (unchanged behavior). Session ticket creation uses a random key created during web server startup and recreated during restarts. No other key recreation mechanism is available currently. Therefore using session tickets without restarting the web server with an appropriate frequency (e.g. daily) compromises perfect forward secrecy. *) mod_deflate: Define APR_INT32_MAX when it is missing so to be able to compile against APR-1.2.x (minimum required version). *) mod_reqtimeout: Don't let pipelining checks interfere with the timeouts computed for subsequent requests.
-rw-r--r--www/apache22/Makefile9
-rw-r--r--www/apache22/distinfo9
-rw-r--r--www/apache22/patches/patch-modules_ssl_ssl__engine__dh.c73
3 files changed, 6 insertions, 85 deletions
diff --git a/www/apache22/Makefile b/www/apache22/Makefile
index f0b926972a0..df6649d5abd 100644
--- a/www/apache22/Makefile
+++ b/www/apache22/Makefile
@@ -1,8 +1,7 @@
-# $NetBSD: Makefile,v 1.104 2015/06/12 10:51:48 wiz Exp $
+# $NetBSD: Makefile,v 1.104.2.1 2015/09/09 20:38:53 tron Exp $
-DISTNAME= httpd-2.2.29
+DISTNAME= httpd-2.2.31
PKGNAME= ${DISTNAME:S/httpd/apache/}
-PKGREVISION= 2
CATEGORIES= www
MASTER_SITES= ${MASTER_SITE_APACHE:=httpd/} \
http://archive.apache.org/dist/httpd/ \
@@ -210,10 +209,6 @@ post-extract:
${TOUCH} ${WRKSRC}/build/libtool
${ECHO} "" >> ${WRKSRC}/docs/conf/extra/httpd-languages.conf.in
-pre-build:
- ${ECHO} "===> Generating unique DH group to mitigate Logjam attack (this will take a while)"
- (cd ${WRKSRC}/modules/ssl && ${PERL5} ssl_engine_dh.c)
-
post-build:
${SED} "s#@PKG_SYSCONFDIR@#${PKG_SYSCONFDIR}#g" \
< ${FILESDIR}/mkcert.sh > ${WRKDIR}/mkcert
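Review bot: Dropping the pre-build DH generation silently changes the Logjam posture for servers with 1024-bit certificate keys: the pullup's own changelog says 2.2.31 picks a standardized 1024/2048/3072/4096-bit group by certificate key size, so a 1024-bit key now gets a widely shared 1024-bit group, whereas the deleted pkgsrc patch forced 2048/3072 regardless of key size. Removing the step is still the right call — it shelled out to `openssl gendh` at build time seeded from files like /var/log/messages, which is slow, non-reproducible and hard to audit — but nothing in the Makefile records why the mitigation went away or what replaces it. I would leave a comment where pre-build used to be: `# No build-time DH generation since httpd 2.2.31: mod_ssl ships standardized DH groups` / `# selected by certificate key size (1024-bit keys get a shared 1024-bit group), so use` / `# >=2048-bit keys or append custom DH parameters to SSLCertificateFile.` Consider also mentioning this in the package MESSAGE so existing 2.2.29 users with 1024-bit keys are told to act. The post-build target that follows continues past the end of this hunk.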
diff --git a/www/apache22/distinfo b/www/apache22/distinfo
index 4e7ccaf1692..bd870ac3755 100644
--- a/www/apache22/distinfo
+++ b/www/apache22/distinfo
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.61 2015/05/22 09:20:20 sborrill Exp $
+$NetBSD: distinfo,v 1.61.2.1 2015/09/09 20:38:53 tron Exp $
-SHA1 (httpd-2.2.29.tar.bz2) = 1d6a8fbc1391d358cc6fe430edc16222b97258d5
-RMD160 (httpd-2.2.29.tar.bz2) = c9a823f038a6a1cbfd94cd9bdd067edd26cf7a3b
-Size (httpd-2.2.29.tar.bz2) = 5625498 bytes
+SHA1 (httpd-2.2.31.tar.bz2) = e3b55387112206307ba76526820a2627472f3787
+RMD160 (httpd-2.2.31.tar.bz2) = 5b073f5f556c74e19eba8e40faa5c5fa308e018a
+Size (httpd-2.2.31.tar.bz2) = 5610489 bytes
SHA1 (patch-aa) = e0bfdf6bc9cb034bea46a390a12a5508e363c9a7
SHA1 (patch-ab) = 365cc3b0ac2d9d68ccb94f5699fe168a1c9b0150
SHA1 (patch-ac) = 515043b5c215d49fe8f6d3191b502c978e2a2dad
@@ -16,5 +16,4 @@ SHA1 (patch-aw) = ca53d67beeb2c2c4d9adb04d3d79e24a8c427fd4
SHA1 (patch-docs_man_apxs.8) = 70797ea73ae6379492971bec1106a8427ae7fdaa
SHA1 (patch-lock.c) = 770ca03f1cb4421879bd5baa5a7c30cc91acb6e1
SHA1 (patch-modules_proxy_mod_proxy_connect.c) = b2b5d0242a92c7bf20b14c16d8cd3abae42f3746
-SHA1 (patch-modules_ssl_ssl__engine__dh.c) = fc37a639ecfbade0cf8a4fc684d7ec3b92949897
SHA1 (patch-repos.c) = 0e0361b91d4b0fe6c7c55a12fdfd2e6aacc710e1
diff --git a/www/apache22/patches/patch-modules_ssl_ssl__engine__dh.c b/www/apache22/patches/patch-modules_ssl_ssl__engine__dh.c
deleted file mode 100644
index ab46b73cfab..00000000000
--- a/www/apache22/patches/patch-modules_ssl_ssl__engine__dh.c
+++ /dev/null
@@ -1,73 +0,0 @@
---- modules/ssl/ssl_engine_dh.c.orig 2006-07-12 03:38:44 UTC
-+++ modules/ssl/ssl_engine_dh.c
-@@ -102,12 +102,12 @@ DH *ssl_dh_GetTmpParam(int nKeyLen)
- {
- DH *dh;
-
-- if (nKeyLen == 512)
-- dh = get_dh512();
-- else if (nKeyLen == 1024)
-- dh = get_dh1024();
-+ if (nKeyLen == 2048)
-+ dh = get_dh2048();
-+ else if (nKeyLen == 3072)
-+ dh = get_dh3072();
- else
-- dh = get_dh1024();
-+ dh = get_dh3072();
- return dh;
- }
-
-@@ -151,7 +151,7 @@ print FP $source;
- close(FP);
-
- # generate the DH parameters
--print "1. Generate 512 and 1024 bit Diffie-Hellman parameters (p, g)\n";
-+print "1. Generate 2048 and 3072 bit Diffie-Hellman parameters (p, g)\n";
- my $rand = '';
- foreach $file (qw(/var/log/messages /var/adm/messages
- /kernel /vmunix /vmlinuz /etc/hosts /etc/resolv.conf)) {
-@@ -161,15 +161,15 @@ foreach $file (qw(/var/log/messages /var
- }
- }
- $rand = "-rand $rand" if ($rand ne '');
--system("openssl gendh $rand -out dh512.pem 512");
--system("openssl gendh $rand -out dh1024.pem 1024");
-+system("openssl gendh $rand -out dh2048.pem 2048");
-+system("openssl gendh $rand -out dh3072.pem 3072");
-
- # generate DH param info
- my $dhinfo = '';
--open(FP, "openssl dh -noout -text -in dh512.pem |") || die;
-+open(FP, "openssl dh -noout -text -in dh2048.pem |") || die;
- $dhinfo .= $_ while (<FP>);
- close(FP);
--open(FP, "openssl dh -noout -text -in dh1024.pem |") || die;
-+open(FP, "openssl dh -noout -text -in dh3072.pem |") || die;
- $dhinfo .= $_ while (<FP>);
- close(FP);
- $dhinfo =~ s|^|** |mg;
-@@ -177,10 +177,10 @@ $dhinfo = "\n\/\*\n$dhinfo\*\/\n\n";
-
- # generate C source from DH params
- my $dhsource = '';
--open(FP, "openssl dh -noout -C -in dh512.pem | indent | expand |") || die;
-+open(FP, "openssl dh -noout -C -in dh2048.pem | indent | expand |") || die;
- $dhsource .= $_ while (<FP>);
- close(FP);
--open(FP, "openssl dh -noout -C -in dh1024.pem | indent | expand |") || die;
-+open(FP, "openssl dh -noout -C -in dh3072.pem | indent | expand |") || die;
- $dhsource .= $_ while (<FP>);
- close(FP);
- $dhsource =~ s|(DH\s+\*get_dh)(\d+)[^}]*\n}|static $1$2(void)
-@@ -203,8 +203,8 @@ print FP $source;
- close(FP);
-
- # cleanup
--unlink("dh512.pem");
--unlink("dh1024.pem");
-+unlink("dh2048.pem");
-+unlink("dh3072.pem");
-
- =pod
- */