From owner-freebsd-apache@FreeBSD.ORG Wed Feb 1 03:17:38 2012
Delivered-To: apache@freebsd.org
Message-ID: <4F28AECF.4060109@taximagic.com>
Date: Tue, 31 Jan 2012 22:17:35 -0500
From: "Philip M. Gollucci"
Organization: RideCharge Inc.
To: Jason Helfman
Cc: FreeBSD-gnats-submit@freebsd.org, apache@freebsd.org
Subject: Re: www/apache22: update to 2.2.22 (addresses multiple CVE reports)
References: <201202010011.q110Btm0002906@freefall.freebsd.org> <4F28A12D.2080504@p6m7g8.com>
List-Id: Support of apache-related ports

On 1/31/12 10:15 PM, Jason Helfman wrote:
> On Tue, Jan 31, 2012 at 6:19 PM, Philip M. Gollucci wrote:
>
> > Do not change this file. You're reverting a local change we've
> > pulled from trunk svn for security.
> >
> > Please commit the rest of the patch with my review / hat.
> >
> > ===================================================================
> > RCS file: /home/pcvs/ports/www/apache22/files/patch-docs__conf__extra__httpd-ssl.conf.in,v
> > retrieving revision 1.3
> > diff -u -r1.3 patch-docs__conf__extra__httpd-ssl.conf.in
> > --- files/patch-docs__conf__extra__httpd-ssl.conf.in 23 Jan 2012 23:24:38 -0000 1.3
> > +++ files/patch-docs__conf__extra__httpd-ssl.conf.in 1 Feb 2012 00:05:53 -0000
> @@ -1,58 +1,22 @@ > ---- ./docs/conf/extra/httpd-ssl.__conf.in.orig 2008-02-04 > 23:00:07.000000000 +0000 > -+++ ./docs/conf/extra/httpd-ssl.__conf.in > 2012-01-23 23 > :20:06.446390870 +0000 > -@@ -77,17 +77,35 @@ > +--- ./docs/conf/extra/httpd-ssl.__conf.in.orig 2012-01-31 15 > :16:43.000000000 -0800 > ++++ ./docs/conf/extra/httpd-ssl.__conf.in > 2012-01-31 15 > :17:47.000000000 -0800 > +@@ -77,8 +77,8 @@ > DocumentRoot "@exp_htdocsdir@" > ServerName www.example.com:@@SSLPort@@ > ServerAdmin you@example.com > -ErrorLog "@exp_logfiledir@/error_log" > -TransferLog "@exp_logfiledir@/access_log" > -+ErrorLog "@exp_logfiledir@/httpd-error.__log" > -+TransferLog "@exp_logfiledir@/httpd-__access.log" > ++ErrorLog "@exp_logfiledir@/httpd-error___log" > ++TransferLog "@exp_logfiledir@/httpd-__access_log" > > # SSL Engine Switch: > # Enable/Disable SSL for this virtual host. > - SSLEngine on > - > -+# SSL Protocol support: > -+# List the protocol versions which clients are allowed to > -+# connect with. Disable SSLv2 by default (cf. RFC 6176). > -+SSLProtocol all -SSLv2 > -+ > - # SSL Cipher Suite: > - # List the ciphers that the client is permitted to negotiate. > - # See the mod_ssl documentation for a complete list. > --SSLCipherSuite > ALL:!ADH:!EXPORT56:RC4+RSA:+__HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:__+eNULL > -+SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 > -+ > -+# Speed-optimized SSL Cipher configuration: > -+# If speed is your main concern (on busy HTTPS servers e.g.), > -+# you might want to force clients to specific, performance > -+# optimized ciphers. In this case, prepend those ciphers > -+# to the SSLCipherSuite list, and enable SSLHonorCipherOrder. > -+# Caveat: by giving precedence to RC4-SHA and AES128-SHA > -+# (as in the example below), most connections will no longer > -+# have perfect forward secrecy - if the server's key is > -+# compromised, captures of past or future traffic must be > -+# considered compromised, too. 
> -+#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:__MEDIUM:!aNULL:!MD5 > -+#SSLHonorCipherOrder on > - > - # Server Certificate: > - # Point SSLCertificateFile at a PEM encoded certificate. If > -@@ -218,14 +236,14 @@ > - # Similarly, one has to force some clients to use HTTP/1.0 > to workaround > - # their broken HTTP/1.1 implementation. Use variables > "downgrade-1.0" and > - # "force-response-1.0" for this. > --BrowserMatch ".*MSIE.*" \ > -+BrowserMatch "MSIE [2-5]" \ > - nokeepalive ssl-unclean-shutdown \ > - downgrade-1.0 force-response-1.0 > - > +@@ -243,7 +243,7 @@ > # Per-Server Logging: > # The home of a custom SSL log file. Use this when you want a > # compact non-error SSL logfile on a virtual host basis. > -CustomLog "@exp_logfiledir@/ssl_request___log" \ > -+CustomLog "@exp_logfiledir@/httpd-ssl___request.log" \ > ++CustomLog "@exp_logfiledir@/httpd-ssl___request_log" \ > "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
> >
> > --
> > ------------------------------------------------------------------------
> > 1024D/DB9B8C1C B90B FBC3 A3A1 C71A 8E70 3F8C 75B8 8FFB DB9B 8C1C
> > Philip M. Gollucci (pgollucci@p6m7g8.com) c: 703.336.9354
> > Member, Apache Software Foundation
> > Committer, FreeBSD Foundation
> > Consultant, P6M7G8 Inc.
> > Director Operations, Ridecharge Inc.
> >
> > Work like you don't need the money,
> > love like you'll never get hurt,
> > and dance like nobody's watching.
>
> I will be glad to do that, however it didn't patch cleanly. The
> additions were in the downloaded source, unless I am mistaken.
> Can you please verify?

I'm wiped tonight. I'll peek Wednesday am. Ping me if you don't hear from me tomorrow.

> -jgh
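Review bot: the single hunk `@@ -1,58 +1,22 @@` strips the port's security hardening out of the patch file and keeps only the log-file renames: it deletes the added `SSLProtocol all -SSLv2`, the replacement of upstream's permissive `ALL:...:+SSLv2:+EXP:+eNULL` list with `SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5` (plus the explanatory comment block), and the narrowed `BrowserMatch "MSIE [2-5]"` at the `@@ -218,14 +236,14 @@` section. The thread states these were pulled from trunk deliberately, so the patch should keep those sections and only refresh the surrounding context for 2.2.22 rather than be replaced by a rename-only version. The surviving rename lines also change the file suffix: the removed `-+` lines end in `.log` (`httpd-error.__log`, `httpd-ssl___request.log`) while the added `++` lines end in `_log` (`httpd-error___log`, `httpd-ssl___request_log`), so the resulting names should be checked against the ones the port's existing httpd.conf already uses before this is committed.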