Date:      Tue, 31 Jan 2012 22:17:35 -0500
From:      "Philip M. Gollucci" <pgollucci@taximagic.com>
To:        Jason Helfman <jgh@FreeBSD.org>
Cc:        FreeBSD-gnats-submit@freebsd.org, apache@freebsd.org
Subject:   Re: www/apache22: update to 2.2.22 (addresses multiple CVE reports)
Message-ID:  <4F28AECF.4060109@taximagic.com>
In-Reply-To: <CAMuy=+gy9Z7Ec=-6xQ5roqa9mAELahDRv1mG1ph2bfhy47CRtA@mail.gmail.com>
References:  <201202010011.q110Btm0002906@freefall.freebsd.org> <4F28A12D.2080504@p6m7g8.com> <CAMuy=+gy9Z7Ec=-6xQ5roqa9mAELahDRv1mG1ph2bfhy47CRtA@mail.gmail.com>

On 1/31/12 10:15 PM, Jason Helfman wrote:
>
>
> On Tue, Jan 31, 2012 at 6:19 PM, Philip M. Gollucci
> <pgollucci@taximagic.com> wrote:
>
>     Do not change this file.  You're reverting a local change we've
>     pulled from trunk svn for security.
>
>     Please commit the rest of the patch with my review / hat.
>
>
>
>         ==============================__==============================__=======
>         RCS file:
>         /home/pcvs/ports/www/apache22/__files/patch-docs__conf__extra____httpd-ssl.conf.in
>         <http://patch-docs__conf__extra__httpd-ssl.conf.in>,v
>         retrieving revision 1.3
>         diff -u -r1.3 patch-docs__conf__extra____httpd-ssl.conf.in
>         <http://patch-docs__conf__extra__httpd-ssl.conf.in>;
>         --- files/patch-docs__conf__extra____httpd-ssl.conf.in
>         <http://patch-docs__conf__extra__httpd-ssl.conf.in>;    23 Jan
>         2012 23:24:38 -0000      1.3
>         +++ files/patch-docs__conf__extra____httpd-ssl.conf.in
>         <http://patch-docs__conf__extra__httpd-ssl.conf.in>;    1 Feb
>         2012 00:05:53 -0000
>         @@ -1,58 +1,22 @@
>         ---- ./docs/conf/extra/httpd-ssl.__conf.in.orig   2008-02-04
>         23:00:07.000000000 +0000
>         -+++ ./docs/conf/extra/httpd-ssl.__conf.in
>         <http://httpd-ssl.conf.in>; 2012-01-23 23
>         <tel:2012-01-23%2023>:20:06.446390870 +0000
>         -@@ -77,17 +77,35 @@
>         +--- ./docs/conf/extra/httpd-ssl.__conf.in.orig 2012-01-31 15
>         <tel:2012-01-31%2015>:16:43.000000000 -0800
>         ++++ ./docs/conf/extra/httpd-ssl.__conf.in
>         <http://httpd-ssl.conf.in>; 2012-01-31 15
>         <tel:2012-01-31%2015>:17:47.000000000 -0800
>         +@@ -77,8 +77,8 @@
>            DocumentRoot "@exp_htdocsdir@"
>            ServerName www.example.com:@@SSLPort@@
>            ServerAdmin you@example.com <mailto:you@example.com>
>           -ErrorLog "@exp_logfiledir@/error_log"
>           -TransferLog "@exp_logfiledir@/access_log"
>         -+ErrorLog "@exp_logfiledir@/httpd-error.__log"
>         -+TransferLog "@exp_logfiledir@/httpd-__access.log"
>         ++ErrorLog "@exp_logfiledir@/httpd-error___log"
>         ++TransferLog "@exp_logfiledir@/httpd-__access_log"
>
>            #   SSL Engine Switch:
>            #   Enable/Disable SSL for this virtual host.
>         - SSLEngine on
>         -
>         -+#   SSL Protocol support:
>         -+#   List the protocol versions which clients are allowed to
>         -+#   connect with. Disable SSLv2 by default (cf. RFC 6176).
>         -+SSLProtocol all -SSLv2
>         -+
>         - #   SSL Cipher Suite:
>         - #   List the ciphers that the client is permitted to negotiate.
>         - #   See the mod_ssl documentation for a complete list.
>         --SSLCipherSuite
>         ALL:!ADH:!EXPORT56:RC4+RSA:+__HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:__+eNULL
>         -+SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
>         -+
>         -+#   Speed-optimized SSL Cipher configuration:
>         -+#   If speed is your main concern (on busy HTTPS servers e.g.),
>         -+#   you might want to force clients to specific, performance
>         -+#   optimized ciphers. In this case, prepend those ciphers
>         -+#   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
>         -+#   Caveat: by giving precedence to RC4-SHA and AES128-SHA
>         -+#   (as in the example below), most connections will no longer
>         -+#   have perfect forward secrecy - if the server's key is
>         -+#   compromised, captures of past or future traffic must be
>         -+#   considered compromised, too.
>         -+#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:__MEDIUM:!aNULL:!MD5
>         -+#SSLHonorCipherOrder on
>         -
>         - #   Server Certificate:
>         - #   Point SSLCertificateFile at a PEM encoded certificate.  If
>         -@@ -218,14 +236,14 @@
>         - #   Similarly, one has to force some clients to use HTTP/1.0
>         to workaround
>         - #   their broken HTTP/1.1 implementation. Use variables
>         "downgrade-1.0" and
>         - # "force-response-1.0" for this.
>         --BrowserMatch ".*MSIE.*" \
>         -+BrowserMatch "MSIE [2-5]" \
>         -          nokeepalive ssl-unclean-shutdown \
>         -          downgrade-1.0 force-response-1.0
>         -
>         +@@ -243,7 +243,7 @@
>            #   Per-Server Logging:
>            #   The home of a custom SSL log file. Use this when you want a
>            #   compact non-error SSL logfile on a virtual host basis.
>           -CustomLog "@exp_logfiledir@/ssl_request___log" \
>         -+CustomLog "@exp_logfiledir@/httpd-ssl___request.log" \
>         ++CustomLog "@exp_logfiledir@/httpd-ssl___request_log" \
>         "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>
>         </VirtualHost>
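Review bot: the "@@ -1,58 +1,22 @@" hunk strips from the port's patch every line that hardened the stock httpd-ssl.conf.in (the "SSLProtocol all -SSLv2" block, the replacement of the "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL" cipher list with "HIGH:MEDIUM:!aNULL:!MD5", and the narrowed BrowserMatch "MSIE [2-5]") and keeps only the log-file renames, so whether this is a regression rests entirely on the 2.2.22 tarball already shipping those settings, as the reply above asserts. That claim should be checked against the extracted distfile rather than inferred from the patch failing to apply (e.g. grep for SSLProtocol and SSLCipherSuite in docs/conf/extra/httpd-ssl.conf.in of the 2.2.22 source); if either is missing, the port would install a default SSL vhost that accepts SSLv2 and negotiates export, LOW and eNULL ciphers, and the dropped lines should be kept in the patch, rebased to the 2.2.22 line numbers, until upstream carries them. Note also that the former "@@ -218,14 +236,14 @@" BrowserMatch hunk has no counterpart in the new patch, so it disappears rather than being relocated; the commit message should say why.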
>
>
>
>     --
>     ------------------------------------------------------------------------
>     1024D/DB9B8C1C B90B FBC3 A3A1 C71A 8E70  3F8C 75B8 8FFB DB9B 8C1C
>     Philip M. Gollucci (pgollucci@p6m7g8.com) c: 703.336.9354
>     Member,                           Apache Software Foundation
>     Committer,                        FreeBSD Foundation
>     Consultant,                       P6M7G8 Inc.
>     Director Operations,              Ridecharge Inc.
>
>     Work like you don't need the money,
>     love like you'll never get hurt,
>     and dance like nobody's watching.
>
>
> I will be glad to do that; however, it didn't patch cleanly. The
> additions were in the downloaded source, unless I am mistaken.
> Can you please verify?
I'm wiped tonight. I'll peek Wednesday am. Ping me if you don't hear
from me tomorrow.


> -jgh
