Date:      Wed, 1 Feb 2012 00:11:55 GMT
From:      Jason Helfman <jgh@freebsd.org>
To:        FreeBSD-gnats-submit@freebsd.org
Cc:        apache@freebsd.org
Subject:   www/apache22: update to 2.2.22 (addresses multiple CVE reports)
Message-ID:  <201202010011.q110Btm0002906@freefall.freebsd.org>


>Submitter-Id:	current-users
>Originator:	Jason Helfman
>Organization:	
>Confidential:	no 
>Synopsis:	www/apache22: update to 2.2.22 (addresses multiple CVE reports)
>Severity:	critical
>Priority:	high
>Category:	ports
>Class:		change-request
>Release:	FreeBSD 8.2-STABLE i386
>Environment:
System: FreeBSD freefall.freebsd.org 8.2-STABLE FreeBSD 8.2-STABLE #5 r227907: Wed Nov 23 21:55:50 UTC 2011 simon@freefall.freebsd.org:/usr/obj/usr/src/sys/FREEFALL i386


	
>Description:
Update to 2.2.22

Buildlog: http://people.freebsd.org/~jgh/files/apache-2.2.22.log

>How-To-Repeat:
	
>Fix:

Index: Makefile
===================================================================
RCS file: /home/pcvs/ports/www/apache22/Makefile,v
retrieving revision 1.294
diff -u -r1.294 Makefile
--- Makefile	23 Sep 2011 22:25:53 -0000	1.294
+++ Makefile	1 Feb 2012 00:05:53 -0000
@@ -8,7 +8,7 @@
 #
 
 PORTNAME=	apache
-PORTVERSION=	2.2.21
+PORTVERSION=	2.2.22
 #PORTREVISION=	1
 CATEGORIES=	www
 MASTER_SITES=	${MASTER_SITE_APACHE_HTTPD}
Index: Makefile.doc
===================================================================
RCS file: /home/pcvs/ports/www/apache22/Makefile.doc,v
retrieving revision 1.15
diff -u -r1.15 Makefile.doc
--- Makefile.doc	31 Mar 2011 17:00:36 -0000	1.15
+++ Makefile.doc	1 Feb 2012 00:05:53 -0000
@@ -102,7 +102,7 @@
 MAKE_ENV+=	NOPORTDOCS=yes
 .endif
 
-MAN1=		dbmmanage.1 htdigest.1 htpasswd.1 htdbm.1
-MAN8=		ab.8 apachectl.8 apxs.8 httpd.8 logresolve.8 rotatelogs.8 suexec.8 htcacheclean.8
+MAN1=		ab.1 apxs.1 dbmmanage.1 htdbm.1 htdigest.1 htpasswd.1 httxt2dbm.1 logresolve.1
+MAN8=		apachectl.8 htcacheclean.8 httpd.8 rotatelogs.8 suexec.8
 
 PORTDOCS=	* #don't blame me ;-)
Index: distinfo
===================================================================
RCS file: /home/pcvs/ports/www/apache22/distinfo,v
retrieving revision 1.86
diff -u -r1.86 distinfo
--- distinfo	15 Sep 2011 05:00:28 -0000	1.86
+++ distinfo	1 Feb 2012 00:05:53 -0000
@@ -1,2 +1,2 @@
-SHA256 (apache22/httpd-2.2.21.tar.bz2) = 18d5591fe48cfbac44fc20316036ffe17456df60bc3a2aaad238d56c6445577f
-SIZE (apache22/httpd-2.2.21.tar.bz2) = 5324905
+SHA256 (apache22/httpd-2.2.22.tar.bz2) = dcdc9f1dc722f84798caf69d69dca78daa5e09a4269060045aeca7e4f44cb231
+SIZE (apache22/httpd-2.2.22.tar.bz2) = 5378934
Index: files/patch-Makefile.in
===================================================================
RCS file: /home/pcvs/ports/www/apache22/files/patch-Makefile.in,v
retrieving revision 1.25
diff -u -r1.25 patch-Makefile.in
--- files/patch-Makefile.in	7 May 2010 03:15:44 -0000	1.25
+++ files/patch-Makefile.in	1 Feb 2012 00:05:53 -0000
@@ -96,10 +96,10 @@
  	@test -d $(DESTDIR)$(manualdir)   || $(MKINSTALLDIRS) $(DESTDIR)$(manualdir)
 -	@cp -p $(top_srcdir)/docs/man/*.1 $(DESTDIR)$(mandir)/man1
 -	@cp -p $(top_srcdir)/docs/man/*.8 $(DESTDIR)$(mandir)/man8
-+	for i in dbmmanage htdbm htdigest htpasswd; do \
++	for i in ab apxs dbmmanage htdbm htdigest htpasswd httxt2dbm logresolve; do \
 +	  ${INSTALL_MAN} $(top_srcdir)/docs/man/$$i.1 $(DESTDIR)$(mandir)/man1; \
 +	done
-+	for i in ab apachectl apxs htcacheclean httpd logresolve rotatelogs suexec; do \
++	for i in apachectl htcacheclean httpd rotatelogs suexec; do \
 +	  ${INSTALL_MAN} $(top_srcdir)/docs/man/$$i.8 $(DESTDIR)$(mandir)/man8; \
 +	done
 +.if !defined(NOPORTDOCS)
Index: files/patch-docs__conf__extra__httpd-ssl.conf.in
===================================================================
RCS file: /home/pcvs/ports/www/apache22/files/patch-docs__conf__extra__httpd-ssl.conf.in,v
retrieving revision 1.3
diff -u -r1.3 patch-docs__conf__extra__httpd-ssl.conf.in
--- files/patch-docs__conf__extra__httpd-ssl.conf.in	23 Jan 2012 23:24:38 -0000	1.3
+++ files/patch-docs__conf__extra__httpd-ssl.conf.in	1 Feb 2012 00:05:53 -0000
@@ -1,58 +1,22 @@
---- ./docs/conf/extra/httpd-ssl.conf.in.orig	2008-02-04 23:00:07.000000000 +0000
-+++ ./docs/conf/extra/httpd-ssl.conf.in	2012-01-23 23:20:06.446390870 +0000
-@@ -77,17 +77,35 @@
+--- ./docs/conf/extra/httpd-ssl.conf.in.orig	2012-01-31 15:16:43.000000000 -0800
++++ ./docs/conf/extra/httpd-ssl.conf.in	2012-01-31 15:17:47.000000000 -0800
+@@ -77,8 +77,8 @@
  DocumentRoot "@exp_htdocsdir@"
  ServerName www.example.com:@@SSLPort@@
  ServerAdmin you@example.com
 -ErrorLog "@exp_logfiledir@/error_log"
 -TransferLog "@exp_logfiledir@/access_log"
-+ErrorLog "@exp_logfiledir@/httpd-error.log"
-+TransferLog "@exp_logfiledir@/httpd-access.log"
++ErrorLog "@exp_logfiledir@/httpd-error_log"
++TransferLog "@exp_logfiledir@/httpd-access_log"
  
  #   SSL Engine Switch:
  #   Enable/Disable SSL for this virtual host.
- SSLEngine on
- 
-+#   SSL Protocol support:
-+#   List the protocol versions which clients are allowed to
-+#   connect with. Disable SSLv2 by default (cf. RFC 6176).
-+SSLProtocol all -SSLv2
-+
- #   SSL Cipher Suite:
- #   List the ciphers that the client is permitted to negotiate.
- #   See the mod_ssl documentation for a complete list.
--SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
-+SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
-+
-+#   Speed-optimized SSL Cipher configuration:
-+#   If speed is your main concern (on busy HTTPS servers e.g.),
-+#   you might want to force clients to specific, performance
-+#   optimized ciphers. In this case, prepend those ciphers
-+#   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
-+#   Caveat: by giving precedence to RC4-SHA and AES128-SHA
-+#   (as in the example below), most connections will no longer
-+#   have perfect forward secrecy - if the server's key is
-+#   compromised, captures of past or future traffic must be
-+#   considered compromised, too.
-+#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
-+#SSLHonorCipherOrder on 
- 
- #   Server Certificate:
- #   Point SSLCertificateFile at a PEM encoded certificate.  If
-@@ -218,14 +236,14 @@
- #   Similarly, one has to force some clients to use HTTP/1.0 to workaround
- #   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
- #   "force-response-1.0" for this.
--BrowserMatch ".*MSIE.*" \
-+BrowserMatch "MSIE [2-5]" \
-          nokeepalive ssl-unclean-shutdown \
-          downgrade-1.0 force-response-1.0
- 
+@@ -243,7 +243,7 @@
  #   Per-Server Logging:
  #   The home of a custom SSL log file. Use this when you want a
  #   compact non-error SSL logfile on a virtual host basis.
 -CustomLog "@exp_logfiledir@/ssl_request_log" \
-+CustomLog "@exp_logfiledir@/httpd-ssl_request.log" \
++CustomLog "@exp_logfiledir@/httpd-ssl_request_log" \
            "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
  
  </VirtualHost>                                  
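Review bot: The revised patch drops the `SSLProtocol all -SSLv2` and `SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5` overrides that revision 1.3 applied to the sample httpd-ssl.conf, so the port's default TLS settings now depend entirely on what the 2.2.22 tarball ships. Presumably upstream 2.2.22 already carries these defaults and the narrower `BrowserMatch "MSIE [2-5]"`, but the submission does not say so. The description should confirm this; otherwise the sample config would silently fall back to the old `+SSLv2 ... +eNULL` cipher list. Separately, the log names change from `httpd-error.log` / `httpd-access.log` / `httpd-ssl_request.log` to `httpd-error_log` / `httpd-access_log` / `httpd-ssl_request_log`. Any rotation or log-collection rule keyed on the `.log` names would stop matching the SSL vhost logs, so either keep the revision 1.3 names or call out the rename in the commit message and UPDATING.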


