From: "Philip M. Gollucci"
Date: Wed, 15 Jul 2015 17:16:06 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r392170 - in head/www/apache24: . files
List-Id: SVN commit messages for the ports tree

Author: pgollucci
Date: Wed Jul 15 17:16:05 2015
New Revision: 392170
URL: https://svnweb.freebsd.org/changeset/ports/392170

Log:
  www/apache24: fix CVEs, update 2.4.12 -> 2.4.16

  - Convert to USES=autoreconf
  - Sort USES
  - Remove now empty patch files

  Security: https://vuxml.freebsd.org/freebsd/a12494c1-2af4-11e5-86ff-14dae9d210b8.html
  Differential Revision: https://reviews.freebsd.org/D3101
  Submitted by: feld
  Reviewed by: pgollucci (myself)
  With Hat: apache@
  MFH: 2015Q3

Deleted:
  head/www/apache24/files/patch-acinclude.m4
  head/www/apache24/files/patch-include__ap_config_auto.h.in
  head/www/apache24/files/patch-modules__ssl__ssl_engine_init.c
  head/www/apache24/files/patch-modules__ssl__ssl_engine_rand.c
Modified:
  head/www/apache24/Makefile
  head/www/apache24/distinfo
  head/www/apache24/files/patch-Makefile.in
  head/www/apache24/files/patch-docs__conf__extra__httpd-ssl.conf.in

Modified: head/www/apache24/Makefile ============================================================================== --- head/www/apache24/Makefile Wed Jul 15 16:26:34 2015 (r392169) +++ head/www/apache24/Makefile Wed Jul 15 17:16:05 2015 (r392170) @@ -1,7 +1,7 @@ # $FreeBSD$ PORTNAME= apache24 -PORTVERSION= 2.4.12 +PORTVERSION= 2.4.16 CATEGORIES= www ipv6 MASTER_SITES= APACHE_HTTPD DISTNAME= httpd-${PORTVERSION} 
@@ -18,10 +18,10 @@ CONFLICTS_INSTALL= caudium14-1.* \ apache-*-2.2.* apache22-* USE_APACHE= common24 -USES= tar:bzip2 iconv perl5 libtool cpe +USES= autoreconf cpe iconv libtool perl5 tar:bzip2 USE_PERL5= run -USE_AUTOTOOLS= autoconf USE_RC_SUBR= apache24 htcacheclean +GNU_CONFIGURE= yes CPE_VENDOR= apache CPE_PRODUCT= http_server Modified: head/www/apache24/distinfo ============================================================================== --- head/www/apache24/distinfo Wed Jul 15 16:26:34 2015 (r392169) +++ head/www/apache24/distinfo Wed Jul 15 17:16:05 2015 (r392170) @@ -1,2 +1,2 @@ -SHA256 (apache24/httpd-2.4.12.tar.bz2) = ad6d39edfe4621d8cc9a2791f6f8d6876943a9da41ac8533d77407a2e630eae4 -SIZE (apache24/httpd-2.4.12.tar.bz2) = 5054838 +SHA256 (apache24/httpd-2.4.16.tar.bz2) = ac660b47aaa7887779a6430404dcb40c0b04f90ea69e7bd49a40552e9ff13743 +SIZE (apache24/httpd-2.4.16.tar.bz2) = 5101005 Modified: head/www/apache24/files/patch-Makefile.in ============================================================================== --- head/www/apache24/files/patch-Makefile.in Wed Jul 15 16:26:34 2015 (r392169) +++ head/www/apache24/files/patch-Makefile.in Wed Jul 15 17:16:05 2015 (r392170) @@ -1,4 +1,4 @@ ---- Makefile.in.orig 2012-12-17 11:50:41 UTC +--- Makefile.in.orig 2015-04-15 18:06:04 UTC +++ Makefile.in @@ -32,12 +32,9 @@ include $(top_srcdir)/build/program.mk install-conf: 
@@ -14,45 +14,7 @@ done; \ for j in $(top_srcdir)/docs/conf $(top_builddir)/docs/conf ; do \ cd $$j ; \ -@@ -58,6 +55,16 @@ install-conf: - -e 's#@@SSLPort@@#$(SSLPORT)#g' \ - -e 'p' \ - < $$i; \ -+ if echo " $(DSO_MODULES) "|$(EGREP) " cgi " > /dev/null ; then \ -+ have_cgi="1"; \ -+ else \ -+ have_cgi="0"; \ -+ fi; \ -+ if echo " $(DSO_MODULES) "|$(EGREP) " cgid " > /dev/null ; then \ -+ have_cgid="1"; \ -+ else \ -+ have_cgid="0"; \ -+ fi; \ - for j in $(DSO_MODULES) "^EOL^"; do \ - if test $$j != "^EOL^"; then \ - if echo ",$(ENABLED_DSO_MODULES),"|$(EGREP) ",$$j," > /dev/null ; then \ -@@ -68,8 +75,18 @@ install-conf: - if test "$(LOAD_ALL_MODULES)" = "yes"; then \ - loading_disabled=""; \ - fi; \ -- echo "$${loading_disabled}LoadModule $${j}_module $(rel_libexecdir)/mod_$${j}.so"; \ -- fi; \ -+ if test $$j = "cgid" -a "$$have_cgi" = "1"; then \ -+ echo ""; \ -+ echo " $${loading_disabled}LoadModule $${j}_module $(rel_libexecdir)/mod_$${j}.so"; \ -+ echo ""; \ -+ elif test $$j = "cgi" -a "$$have_cgid" = "1"; then \ -+ echo ""; \ -+ echo " $${loading_disabled}LoadModule $${j}_module $(rel_libexecdir)/mod_$${j}.so"; \ -+ echo ""; \ -+ else \ -+ echo "$${loading_disabled}LoadModule $${j}_module $(rel_libexecdir)/mod_$${j}.so"; \ -+ fi; \ -+ fi; \ - done; \ - sed -e '1,/@@LoadModule@@/d' \ - -e '/@@LoadModule@@/d' \ -@@ -78,15 +95,12 @@ install-conf: +@@ -98,15 +95,12 @@ install-conf: -e 's#@@SSLPort@@#$(SSLPORT)#g' \ < $$i; \ fi \ @@ -70,7 +32,7 @@ fi; \ done ; \ done ; \ -@@ -137,48 +151,25 @@ dox: +@@ -157,48 +151,25 @@ dox: doxygen $(top_srcdir)/docs/doxygen.conf install-htdocs: 
@@ -128,7 +90,7 @@ install-other: @test -d $(DESTDIR)$(logfiledir) || $(MKINSTALLDIRS) $(DESTDIR)$(logfiledir) -@@ -231,12 +222,7 @@ install-man: +@@ -251,12 +222,7 @@ install-man: @test -d $(DESTDIR)$(manualdir) || $(MKINSTALLDIRS) $(DESTDIR)$(manualdir) @cp -p $(top_srcdir)/docs/man/*.1 $(DESTDIR)$(mandir)/man1 @cp -p $(top_srcdir)/docs/man/*.8 $(DESTDIR)$(mandir)/man8 Modified: head/www/apache24/files/patch-docs__conf__extra__httpd-ssl.conf.in ============================================================================== --- head/www/apache24/files/patch-docs__conf__extra__httpd-ssl.conf.in Wed Jul 15 16:26:34 2015 (r392169) +++ head/www/apache24/files/patch-docs__conf__extra__httpd-ssl.conf.in Wed Jul 15 17:16:05 2015 (r392170) 
@@ -1,37 +1,6 @@ ---- docs/conf/extra/httpd-ssl.conf.in.orig 2015-01-31 12:20:34 UTC -+++ docs/conf/extra/httpd-ssl.conf.in -@@ -42,11 +42,30 @@ Listen @@SSLPort@@ - ## the main server and all SSL-enabled virtual hosts. - ## - -+## disable unsecure SSL protocols -+SSLProtocol ALL -SSLv2 -SSLv3 -+ - # SSL Cipher Suite: - # List the ciphers that the client is permitted to negotiate. - # See the mod_ssl documentation for a complete list. - SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 - -+## The following entries can be used as suggestions, -+## for more information see: -+## - http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite -+## - http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html -+## -+## To test your SSL implementation use for example security/sslscan or for public reachable systems https://www.ssllabs.com/ -+ -+## sample for OpenSSL >= 1.0.x (with RC4) -+# SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS" -+ -+## sample for OpenSSL >= 1.0.x (keep support for IE8 on XP) -+# SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS +RC4 RC4" -+ -+## sample for OpenSSL >= 1.0.x (no RC4 support) -+# SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4" -+ - # Speed-optimized SSL Cipher configuration: - # If speed is your main concern (on busy HTTPS servers e.g.), - # you might want to force clients to specific, performance -@@ -105,8 +124,8 @@ SSLSessionCacheTimeout 300 +--- docs/conf/extra/httpd-ssl.conf.in.orig 2015-05-27 13:59:59.000000000 
-0500 ++++ docs/conf/extra/httpd-ssl.conf.in 2015-07-15 09:50:31.369623000 -0500 +@@ -124,8 +124,8 @@ DocumentRoot "@exp_htdocsdir@" ServerName www.example.com:@@SSLPort@@ ServerAdmin you@example.com @@ -42,7 +11,7 @@ # SSL Engine Switch: # Enable/Disable SSL for this virtual host. -@@ -265,7 +284,7 @@ BrowserMatch "MSIE [2-5]" \ +@@ -284,7 +284,7 @@ # Per-Server Logging: # The home of a custom SSL log file. Use this when you want a # compact non-error SSL logfile on a virtual host basis.
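
Review bot: The distinfo hunk (@@ -1,2 +1,2 @@) replaces the SHA256 and SIZE for httpd-2.4.16.tar.bz2, but neither the log nor the diff says what the new hash was checked against. This hash is the only integrity pin the port has for a security update, so please note in the log that it matches the checksum or signature published by the Apache project for this release.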
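
Review bot: In the patch-Makefile.in hunk (@@ -14,45 +14,7 @@), the two sub-hunks that carried the have_cgi / have_cgid logic around the cgi and cgid LoadModule lines are dropped, and the log does not mention it. The surviving sub-hunk's old-side start moves from 78 to 98 while its new side stays at 95, which matches the 20 lines those sub-hunks used to add, so upstream 2.4.16 presumably carries that logic now. Please say so in the log, or keep the sub-hunks if the LoadModule lines generated for cgi and cgid would otherwise change.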
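
Review bot: The rewritten patch-docs__conf__extra__httpd-ssl.conf.in (hunk @@ -1,37 +1,6 @@) no longer adds "SSLProtocol ALL -SSLv2 -SSLv3" or the commented sample cipher suites to the sample SSL configuration, and the log does not mention it. The old-side start of the surviving sub-hunk moves from 105 to 124, so upstream's file grew by the same 19 lines, but that alone does not show that upstream's default disables SSLv2 and SSLv3. Please confirm that the 2.4.16 httpd-ssl.conf.in does so and record it in the log, or keep the directive in the port patch. The new patch header also carries local-time stamps ("2015-05-27 13:59:59.000000000 -0500") where patch-Makefile.in uses the UTC form, so regenerating it the same way would keep the patch files consistent.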