author | adrianp <adrianp@pkgsrc.org> | 2004-12-18 08:42:12 +0000 |
---|---|---|
committer | adrianp <adrianp@pkgsrc.org> | 2004-12-18 08:42:12 +0000 |
commit | 5ba05c19b0e1ad419671df9d1c3355100c6f104a (patch) | |
tree | 576b499348668e440c07c23408b2a70a581242da /www/apache2/patches | |
parent | 1538ce0e7684d10188fc73d5a38f1d502941bc00 (diff) | |
download | pkgsrc-5ba05c19b0e1ad419671df9d1c3355100c6f104a.tar.gz |
- Bump to nb5 to specifically address a new apache vuln:
http://issues.apache.org/bugzilla/show_bug.cgi?id=31505
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0885
- Changes backported from apache CVS HEAD:
http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_kernel.c?r1=1.110&r2=1.111
http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_init.c?r1=1.128&r2=1.129
Diffstat (limited to 'www/apache2/patches')
-rw-r--r-- | www/apache2/patches/patch-as | 26 | ||||
-rw-r--r-- | www/apache2/patches/patch-at | 19 |
2 files changed, 45 insertions, 0 deletions
diff --git a/www/apache2/patches/patch-as b/www/apache2/patches/patch-as
new file mode 100644
index 00000000000..53066380121
--- /dev/null
+++ b/www/apache2/patches/patch-as
@@ -0,0 +1,26 @@
+$NetBSD: patch-as,v 1.5 2004/12/18 08:42:12 adrianp Exp $
+
+--- modules/ssl/ssl_engine_kernel.c.orig 2004-12-18 07:10:37.000000000 +0000
++++ modules/ssl/ssl_engine_kernel.c 2004-12-18 07:13:50.000000000 +0000
+@@ -719,6 +719,21 @@
+ X509_free(peercert);
+ }
+ }
++
++ /*
++ * Also check that SSLCipherSuite has been enforced as expected.
++ */
++ if (cipher_list) {
++ cipher = SSL_get_current_cipher(ssl);
++ if (sk_SSL_CIPHER_find(cipher_list, cipher) < 0) {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "SSL cipher suite not renegotiated: "
++ "access to %s denied using cipher %s",
++ r->filename,
++ SSL_CIPHER_get_name(cipher));
++ return HTTP_FORBIDDEN;
++ }
++ }
+ }
+
+ /*
diff --git a/www/apache2/patches/patch-at b/www/apache2/patches/patch-at
new file mode 100644
index 00000000000..60b9cf6179a
--- /dev/null
+++ b/www/apache2/patches/patch-at
@@ -0,0 +1,19 @@
+$NetBSD: patch-at,v 1.1 2004/12/18 08:42:12 adrianp Exp $
+
+--- modules/ssl/ssl_engine_init.c.orig 2004-12-18 07:15:01.000000000 +0000
++++ modules/ssl/ssl_engine_init.c 2004-12-18 07:15:59.000000000 +0000
+@@ -439,6 +439,14 @@
+ * Configure additional context ingredients
+ */
+ SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE);
++
++#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
++ /*
++ * Disallow a session from being resumed during a renegotiation,
++ * so that an acceptable cipher suite can be negotiated.
++ */
++ SSL_CTX_set_options(ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
++#endif
+ }
+
+ static void ssl_init_ctx_session_cache(server_rec *s,
|
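Review bot: The check added in patch-as compares against `cipher_list` and assigns `cipher`, but both declarations and the code that fills `cipher_list` lie outside the hunk, so this diff alone does not show that the stack being searched is the per-directory SSLCipherSuite one rather than the server-wide list; the enclosing function starts and ends outside the hunk. The new patch file also carries nothing after the `$NetBSD$` line to say why it exists, which the next package update will need in order to decide whether the patch is still required. I would add, between the `$NetBSD$` line and the `---` header, `Deny the request when the cipher actually in use is not in the per-directory cipher list (CAN-2004-0885; backport of httpd-2.0 ssl_engine_kernel.c r1.110 -> r1.111).`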
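Review bot: The mitigation in patch-at is wrapped in `#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION`, so against an OpenSSL whose headers lack that option it compiles to nothing and the build gives no indication, which presumably leaves the post-renegotiation cipher check in patch-as as the only enforcement for CAN-2004-0885 on such a build. That silent fallback is worth recording in the patch file so a packager building against an older OpenSSL knows what is lost. I would add after the `$NetBSD$` line: `Forbid session resumption during renegotiation so the per-directory SSLCipherSuite is actually negotiated (CAN-2004-0885; backport of httpd-2.0 ssl_engine_init.c r1.128 -> r1.129). On OpenSSL without SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION this block is compiled out and only the cipher check in patch-as applies.` The enclosing function starts outside the hunk.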