From owner-freebsd-apache@FreeBSD.ORG Wed Feb 1 03:42:05 2012
Date: Tue, 31 Jan 2012 19:15:43 -0800
In-Reply-To: <4F28A12D.2080504@p6m7g8.com>
References: <201202010011.q110Btm0002906@freefall.freebsd.org> <4F28A12D.2080504@p6m7g8.com>
From: Jason Helfman
To: "Philip M. Gollucci"
Cc: FreeBSD-gnats-submit@freebsd.org, apache@freebsd.org
Subject: Re: www/apache22: update to 2.2.22 (addresses multiple CVE reports)

On Tue, Jan 31, 2012 at 6:19 PM, Philip M. Gollucci wrote:
> Do not change this file. You're reverting a local change we've pulled
> from trunk svn for security.
>
> Please commit the rest of the patch with my review / hat.
>
>> ===================================================================
>> RCS file: /home/pcvs/ports/www/apache22/**files/patch-docs__conf__extra_*
>> *_httpd-ssl.conf.in ,v
>> retrieving revision 1.3
>> diff -u -r1.3 patch-docs__conf__extra__**httpd-ssl.conf.in
>> --- files/patch-docs__conf__extra_**_httpd-ssl.conf.in 23 Jan 2012 23:24:38 -0000 1.3
>> +++ files/patch-docs__conf__extra_**_httpd-ssl.conf.in 1 Feb 2012 00:05:53 -0000
>> @@ -1,58 +1,22 @@
>> ---- ./docs/conf/extra/httpd-ssl.**conf.in.orig 2008-02-04
>> 23:00:07.000000000 +0000
>> -+++ ./docs/conf/extra/httpd-ssl.**conf.in
>> 2012-01-23 23:20:06.446390870 +0000
>> -@@ -77,17 +77,35 @@
>> +--- ./docs/conf/extra/httpd-ssl.**conf.in.orig 2012-01-31 15:16:43.000000000
>> -0800
>> ++++ ./docs/conf/extra/httpd-ssl.**conf.in
>> 2012-01-31 15:17:47.000000000 -0800
>> +@@ -77,8 +77,8 @@
>> DocumentRoot "@exp_htdocsdir@"
>> ServerName www.example.com:@@SSLPort@@
>> ServerAdmin you@example.com
>> -ErrorLog "@exp_logfiledir@/error_log"
>> -TransferLog "@exp_logfiledir@/access_log"
>> -+ErrorLog "@exp_logfiledir@/httpd-error.**log"
>> -+TransferLog "@exp_logfiledir@/httpd-**access.log"
>> ++ErrorLog "@exp_logfiledir@/httpd-error_**log"
>> ++TransferLog "@exp_logfiledir@/httpd-**access_log"
>>
>> # SSL Engine Switch:
>> # Enable/Disable SSL for this virtual host.
>> - SSLEngine on
>> -
>> -+# SSL Protocol support:
>> -+# List the protocol versions which clients are allowed to
>> -+# connect with. Disable SSLv2 by default (cf. RFC 6176).
>> -+SSLProtocol all -SSLv2
>> -+
>> - # SSL Cipher Suite:
>> - # List the ciphers that the client is permitted to negotiate.
>> - # See the mod_ssl documentation for a complete list.
>> --SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+**
>> HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:**+eNULL
>> -+SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
>> -+
>> -+# Speed-optimized SSL Cipher configuration:
>> -+# If speed is your main concern (on busy HTTPS servers e.g.),
>> -+# you might want to force clients to specific, performance
>> -+# optimized ciphers. In this case, prepend those ciphers
>> -+# to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
>> -+# Caveat: by giving precedence to RC4-SHA and AES128-SHA
>> -+# (as in the example below), most connections will no longer
>> -+# have perfect forward secrecy - if the server's key is
>> -+# compromised, captures of past or future traffic must be
>> -+# considered compromised, too.
>> -+#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:**MEDIUM:!aNULL:!MD5
>> -+#SSLHonorCipherOrder on
>> -
>> - # Server Certificate:
>> - # Point SSLCertificateFile at a PEM encoded certificate. If
>> -@@ -218,14 +236,14 @@
>> - # Similarly, one has to force some clients to use HTTP/1.0 to
>> workaround
>> - # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0"
>> and
>> - # "force-response-1.0" for this.
>> --BrowserMatch ".*MSIE.*" \
>> -+BrowserMatch "MSIE [2-5]" \
>> - nokeepalive ssl-unclean-shutdown \
>> - downgrade-1.0 force-response-1.0
>> -
>> +@@ -243,7 +243,7 @@
>> # Per-Server Logging:
>> # The home of a custom SSL log file. Use this when you want a
>> # compact non-error SSL logfile on a virtual host basis.
>> -CustomLog "@exp_logfiledir@/ssl_request_**log" \
>> -+CustomLog "@exp_logfiledir@/httpd-ssl_**request.log" \
>> ++CustomLog "@exp_logfiledir@/httpd-ssl_**request_log" \
>> "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>>
>
> --
> ------------------------------------------------------------------------
> 1024D/DB9B8C1C B90B FBC3 A3A1 C71A 8E70 3F8C 75B8 8FFB DB9B 8C1C
> Philip M. Gollucci (pgollucci@p6m7g8.com) c: 703.336.9354
> Member, Apache Software Foundation
> Committer, FreeBSD Foundation
> Consultant, P6M7G8 Inc.
> Director Operations, Ridecharge Inc.
>
> Work like you don't need the money,
> love like you'll never get hurt,
> and dance like nobody's watching.
>

I will be glad to do that; however, it didn't patch cleanly. The additions were in the downloaded source, unless I am mistaken. Can you please verify?

-jgh
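Review bot: the removal of the port's local mod_ssl hardening from patch-docs__conf__extra__httpd-ssl.conf.in (the `-+SSLProtocol all -SSLv2`, `-+SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5` and `-+BrowserMatch "MSIE [2-5]"` lines, together with the `-@@ -77,17 +77,35 @@` and `-@@ -218,14 +236,14 @@` hunks they belong to) needs to be verified against the unpatched 2.2.22 distfile before this is committed, because after the change the port patch only renames log files. If the upstream docs/conf/extra/httpd-ssl.conf.in in 2.2.22 does not already carry those directives, the installed default reverts to the cipher string visible in the removed `--SSLCipherSuite` line, which admits `+LOW`, `+EXP`, `+SSLv2` and `+eNULL`; a quick check is to grep the extracted 2.2.22 source for `SSLProtocol all -SSLv2` and `HIGH:MEDIUM:!aNULL:!MD5` and keep the local hunks for whichever is missing. Separately, the change of the rename targets from `httpd-error.log` / `httpd-access.log` / `httpd-ssl_request.log` to `httpd-error_log` / `httpd-access_log` / `httpd-ssl_request_log` alters the installed log file names for existing users and is unrelated to the 2.2.22 update; it would be clearer as its own commit with a note in the commit message.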