authoradrianp <adrianp@pkgsrc.org>2004-12-18 08:42:12 +0000
committeradrianp <adrianp@pkgsrc.org>2004-12-18 08:42:12 +0000
commit62c61758f0a459a11a3698a2fda2b768a1761583 (patch)
tree576b499348668e440c07c23408b2a70a581242da /www/apache2
parent1d87bf31b2ad499780d3368d490c8391bd830696 (diff)
- Bump to nb5 to specifically address a new apache vuln:
  http://issues.apache.org/bugzilla/show_bug.cgi?id=31505
  http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0885
- Changes backported from apache CVS HEAD:
  http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_kernel.c?r1=1.110&r2=1.111
  http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_init.c?r1=1.128&r2=1.129
Diffstat (limited to 'www/apache2')
-rw-r--r--www/apache2/Makefile4
-rw-r--r--www/apache2/buildlink3.mk4
-rw-r--r--www/apache2/distinfo4
-rw-r--r--www/apache2/patches/patch-as26
-rw-r--r--www/apache2/patches/patch-at19
5 files changed, 52 insertions, 5 deletions
diff --git a/www/apache2/Makefile b/www/apache2/Makefile
index 58c9c40bb41..c0efaa09f42 100644
--- a/www/apache2/Makefile
+++ b/www/apache2/Makefile
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.60 2004/12/07 22:25:50 seb Exp $
+# $NetBSD: Makefile,v 1.61 2004/12/18 08:42:12 adrianp Exp $
.include "Makefile.common"
PKGNAME= apache-${APACHE_VERSION}
-PKGREVISION= 4
+PKGREVISION= 5
CATEGORIES= www
HOMEPAGE= http://httpd.apache.org/
diff --git a/www/apache2/buildlink3.mk b/www/apache2/buildlink3.mk
index aa0dcc4b705..86313e811f4 100644
--- a/www/apache2/buildlink3.mk
+++ b/www/apache2/buildlink3.mk
@@ -1,4 +1,4 @@
-# $NetBSD: buildlink3.mk,v 1.10 2004/11/30 23:21:44 jlam Exp $
+# $NetBSD: buildlink3.mk,v 1.11 2004/12/18 08:42:12 adrianp Exp $
BUILDLINK_DEPTH:= ${BUILDLINK_DEPTH}+
APACHE_BUILDLINK3_MK:= ${APACHE_BUILDLINK3_MK}+
@@ -12,7 +12,7 @@ BUILDLINK_PACKAGES+= apache
.if !empty(APACHE_BUILDLINK3_MK:M+)
BUILDLINK_DEPENDS.apache+= apache>=2.0.51
-BUILDLINK_RECOMMENDED.apache+= apache>=2.0.52nb2
+BUILDLINK_RECOMMENDED.apache+= apache>=2.0.52nb5
BUILDLINK_PKGSRCDIR.apache?= ../../www/apache2
BUILDLINK_DEPMETHOD.apache?= build
. if defined(APACHE_MODULE)
diff --git a/www/apache2/distinfo b/www/apache2/distinfo
index 3793bee5567..0fe7f0a0285 100644
--- a/www/apache2/distinfo
+++ b/www/apache2/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.32 2004/11/30 23:21:44 jlam Exp $
+$NetBSD: distinfo,v 1.33 2004/12/18 08:42:12 adrianp Exp $
SHA1 (httpd-2.0.52.tar.gz) = 2a22fde052adc7d7258f999cd7dd8a7592ff36e7
Size (httpd-2.0.52.tar.gz) = 6918995 bytes
@@ -10,3 +10,5 @@ SHA1 (patch-ak) = f11a86b1235d5c595fa381bbb474db4fe8448215
SHA1 (patch-al) = 29cc52616c50b7ec998339cca386112a8f1611cc
SHA1 (patch-am) = ff60a7b69ad949363ebec194141e9b95cb796426
SHA1 (patch-ar) = c6769617cd9111f6d233d68883c71988a36fbbce
+SHA1 (patch-as) = c6fb574d5d96024e641816569f059bca4368fcec
+SHA1 (patch-at) = dd9a3eb14b3e20876eca6eff968e82326a53b7d9
diff --git a/www/apache2/patches/patch-as b/www/apache2/patches/patch-as
new file mode 100644
index 00000000000..53066380121
--- /dev/null
+++ b/www/apache2/patches/patch-as
@@ -0,0 +1,26 @@
+$NetBSD: patch-as,v 1.5 2004/12/18 08:42:12 adrianp Exp $
+
+--- modules/ssl/ssl_engine_kernel.c.orig 2004-12-18 07:10:37.000000000 +0000
++++ modules/ssl/ssl_engine_kernel.c 2004-12-18 07:13:50.000000000 +0000
+@@ -719,6 +719,21 @@
+ X509_free(peercert);
+ }
+ }
++
++ /*
++ * Also check that SSLCipherSuite has been enforced as expected.
++ */
++ if (cipher_list) {
++ cipher = SSL_get_current_cipher(ssl);
++ if (sk_SSL_CIPHER_find(cipher_list, cipher) < 0) {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "SSL cipher suite not renegotiated: "
++ "access to %s denied using cipher %s",
++ r->filename,
++ SSL_CIPHER_get_name(cipher));
++ return HTTP_FORBIDDEN;
++ }
++ }
+ }
+
+ /*
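Review bot: patch-as carries only the `$NetBSD$` tag ahead of the embedded diff, so the patch file itself does not record that it is the CAN-2004-0885 backport or which upstream revision it came from; that information exists only in the commit message. A short header line such as `Backport of httpd-2.0 ssl_engine_kernel.c r1.111 (CAN-2004-0885): deny access when SSLCipherSuite was not enforced after renegotiation.` would tell the next updater when the patch can be dropped. The added check itself fails closed: any current cipher not found in `cipher_list` yields `HTTP_FORBIDDEN`, and the `APLOG_ERR` line "SSL cipher suite not renegotiated" is the log entry operators would see for a rejected request. The enclosing function begins and ends outside this hunk, so how `cipher_list` is built and whether it is still valid at this point cannot be confirmed from here.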
diff --git a/www/apache2/patches/patch-at b/www/apache2/patches/patch-at
new file mode 100644
index 00000000000..60b9cf6179a
--- /dev/null
+++ b/www/apache2/patches/patch-at
@@ -0,0 +1,19 @@
+$NetBSD: patch-at,v 1.1 2004/12/18 08:42:12 adrianp Exp $
+
+--- modules/ssl/ssl_engine_init.c.orig 2004-12-18 07:15:01.000000000 +0000
++++ modules/ssl/ssl_engine_init.c 2004-12-18 07:15:59.000000000 +0000
+@@ -439,6 +439,14 @@
+ * Configure additional context ingredients
+ */
+ SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE);
++
++#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
++ /*
++ * Disallow a session from being resumed during a renegotiation,
++ * so that an acceptable cipher suite can be negotiated.
++ */
++ SSL_CTX_set_options(ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
++#endif
+ }
+
+ static void ssl_init_ctx_session_cache(server_rec *s,
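Review bot: When the OpenSSL headers do not define `SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION`, the `#ifdef` silently compiles the option out, and neither the build nor the comment tells the packager that session resumption during renegotiation is still permitted. In that configuration the only enforcement left appears to be the post-renegotiation cipher check that patch-as adds to ssl_engine_kernel.c, which would presumably answer 403 rather than negotiate an acceptable suite. I would extend the comment to say so, e.g. `* Where the option is unavailable, only the cipher check in ssl_engine_kernel.c enforces SSLCipherSuite.`, so that a build against an older OpenSSL is a documented case and not a surprise. The enclosing function starts outside the hunk.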