authoradrianp <adrianp@pkgsrc.org>2004-12-18 08:42:12 +0000
committeradrianp <adrianp@pkgsrc.org>2004-12-18 08:42:12 +0000
commit5ba05c19b0e1ad419671df9d1c3355100c6f104a (patch)
tree576b499348668e440c07c23408b2a70a581242da /www/apache2/patches
parent1538ce0e7684d10188fc73d5a38f1d502941bc00 (diff)
- Bump to nb5 to specifically address a new apache vuln:
http://issues.apache.org/bugzilla/show_bug.cgi?id=31505 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0885 - Changes backported from apache CVS HEAD: http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_kernel.c?r1=1.110&r2=1.111 http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_init.c?r1=1.128&r2=1.129
Diffstat (limited to 'www/apache2/patches')
-rw-r--r--www/apache2/patches/patch-as26
-rw-r--r--www/apache2/patches/patch-at19
2 files changed, 45 insertions, 0 deletions
diff --git a/www/apache2/patches/patch-as b/www/apache2/patches/patch-as
new file mode 100644
index 00000000000..53066380121
--- /dev/null
+++ b/www/apache2/patches/patch-as
@@ -0,0 +1,26 @@
+$NetBSD: patch-as,v 1.5 2004/12/18 08:42:12 adrianp Exp $
+
+--- modules/ssl/ssl_engine_kernel.c.orig 2004-12-18 07:10:37.000000000 +0000
++++ modules/ssl/ssl_engine_kernel.c 2004-12-18 07:13:50.000000000 +0000
+@@ -719,6 +719,21 @@
+ X509_free(peercert);
+ }
+ }
++
++ /*
++ * Also check that SSLCipherSuite has been enforced as expected.
++ */
++ if (cipher_list) {
++ cipher = SSL_get_current_cipher(ssl);
++ if (sk_SSL_CIPHER_find(cipher_list, cipher) < 0) {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "SSL cipher suite not renegotiated: "
++ "access to %s denied using cipher %s",
++ r->filename,
++ SSL_CIPHER_get_name(cipher));
++ return HTTP_FORBIDDEN;
++ }
++ }
+ }
+
+ /*
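Review bot: The comment introducing the new check says what is verified but not why a renegotiation can leave the wrong cipher in place, which is the point of the CAN-2004-0885 reference in the commit message; I would extend it to `* Also check that SSLCipherSuite has been enforced as expected: a renegotiation that merely resumed the original session keeps the cipher negotiated before the per-directory SSLCipherSuite applied (CAN-2004-0885).` The check appears to fail closed when SSL_get_current_cipher() returns NULL, since sk_SSL_CIPHER_find() then reports it missing and the error path is taken; a one-line comment saying so would stop a later maintainer from adding an early return that skips the HTTP_FORBIDDEN. `cipher` and `cipher_list` are declared outside this hunk, and the enclosing function both starts and ends outside it.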
diff --git a/www/apache2/patches/patch-at b/www/apache2/patches/patch-at
new file mode 100644
index 00000000000..60b9cf6179a
--- /dev/null
+++ b/www/apache2/patches/patch-at
@@ -0,0 +1,19 @@
+$NetBSD: patch-at,v 1.1 2004/12/18 08:42:12 adrianp Exp $
+
+--- modules/ssl/ssl_engine_init.c.orig 2004-12-18 07:15:01.000000000 +0000
++++ modules/ssl/ssl_engine_init.c 2004-12-18 07:15:59.000000000 +0000
+@@ -439,6 +439,14 @@
+ * Configure additional context ingredients
+ */
+ SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE);
++
++#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
++ /*
++ * Disallow a session from being resumed during a renegotiation,
++ * so that an acceptable cipher suite can be negotiated.
++ */
++ SSL_CTX_set_options(ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
++#endif
+ }
+
+ static void ssl_init_ctx_session_cache(server_rec *s,
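Review bot: When the OpenSSL headers in use do not define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION, the #ifdef silently drops the mitigation and nothing in the build indicates that the cipher check added to ssl_engine_kernel.c in patch-as is then the only enforcement of a per-directory SSLCipherSuite across a renegotiation. An `#else` branch carrying a comment makes that dependency visible: `#else /* OpenSSL lacks SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION: the post-renegotiation cipher check in ssl_engine_kernel.c is the only enforcement */`. The option is set on `ctx`, so it presumably applies to every connection created from that context rather than only to per-directory renegotiations; the hunk's comment could say that explicitly. The enclosing function begins outside this hunk.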