Date: Wed, 15 Jul 2015 17:18:01 +0000 (UTC) From: "Philip M. Gollucci" <pgollucci@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org Subject: svn commit: r392171 - in branches/2015Q3/www/apache24: . files Message-ID: <201507151718.t6FHI1Cm068554@svnmir.geo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: pgollucci Date: Wed Jul 15 17:18:00 2015 New Revision: 392171 URL: https://svnweb.freebsd.org/changeset/ports/392171 Log: OBMFH: r392170 www/apache24: fix CVEs, update 2.4.12 -> 2.4.16 - Convet to USES=autoreconf - Sort USES - Remove now empty patch files Security: https://vuxml.freebsd.org/freebsd/a12494c1-2af4-11e5-86ff-14dae9d210b8.html Differential Revision: https://reviews.freebsd.org/D3101 Submitted by: feld Reviewed by: pgollucci (myself) With Hat: apache@ Approved by: ports-secteam (feld) Deleted: branches/2015Q3/www/apache24/files/patch-acinclude.m4 branches/2015Q3/www/apache24/files/patch-include__ap_config_auto.h.in branches/2015Q3/www/apache24/files/patch-modules__ssl__ssl_engine_init.c branches/2015Q3/www/apache24/files/patch-modules__ssl__ssl_engine_rand.c Modified: branches/2015Q3/www/apache24/Makefile branches/2015Q3/www/apache24/distinfo branches/2015Q3/www/apache24/files/patch-Makefile.in branches/2015Q3/www/apache24/files/patch-docs__conf__extra__httpd-ssl.conf.in Directory Properties: branches/2015Q3/ (props changed) Modified: branches/2015Q3/www/apache24/Makefile ============================================================================== --- branches/2015Q3/www/apache24/Makefile Wed Jul 15 17:16:05 2015 (r392170) +++ branches/2015Q3/www/apache24/Makefile Wed Jul 15 17:18:00 2015 (r392171) @@ -1,7 +1,7 @@ # $FreeBSD$ PORTNAME= apache24 -PORTVERSION= 2.4.12 +PORTVERSION= 2.4.16 CATEGORIES= www ipv6 MASTER_SITES= APACHE_HTTPD DISTNAME= httpd-${PORTVERSION} @@ -18,10 +18,10 @@ CONFLICTS_INSTALL= caudium14-1.* \ apache-*-2.2.* apache22-* USE_APACHE= common24 -USES= tar:bzip2 iconv perl5 libtool cpe +USES= autoreconf cpe iconv libtool perl5 tar:bzip2 USE_PERL5= run -USE_AUTOTOOLS= autoconf USE_RC_SUBR= apache24 htcacheclean +GNU_CONFIGURE= yes CPE_VENDOR= apache CPE_PRODUCT= http_server Modified: branches/2015Q3/www/apache24/distinfo ============================================================================== --- branches/2015Q3/www/apache24/distinfo Wed Jul 15 17:16:05 2015 (r392170) +++ branches/2015Q3/www/apache24/distinfo Wed Jul 15 17:18:00 2015 (r392171) @@ -1,2 +1,2 @@ -SHA256 (apache24/httpd-2.4.12.tar.bz2) = ad6d39edfe4621d8cc9a2791f6f8d6876943a9da41ac8533d77407a2e630eae4 -SIZE (apache24/httpd-2.4.12.tar.bz2) = 5054838 +SHA256 (apache24/httpd-2.4.16.tar.bz2) = ac660b47aaa7887779a6430404dcb40c0b04f90ea69e7bd49a40552e9ff13743 +SIZE (apache24/httpd-2.4.16.tar.bz2) = 5101005 Modified: branches/2015Q3/www/apache24/files/patch-Makefile.in ============================================================================== --- branches/2015Q3/www/apache24/files/patch-Makefile.in Wed Jul 15 17:16:05 2015 (r392170) +++ branches/2015Q3/www/apache24/files/patch-Makefile.in Wed Jul 15 17:18:00 2015 (r392171) @@ -1,4 +1,4 @@ ---- Makefile.in.orig 2012-12-17 11:50:41 UTC +--- Makefile.in.orig 2015-04-15 18:06:04 UTC +++ Makefile.in @@ -32,12 +32,9 @@ include $(top_srcdir)/build/program.mk install-conf: @@ -14,45 +14,7 @@ done; \ for j in $(top_srcdir)/docs/conf $(top_builddir)/docs/conf ; do \ cd $$j ; \ -@@ -58,6 +55,16 @@ install-conf: - -e 's#@@SSLPort@@#$(SSLPORT)#g' \ - -e 'p' \ - < $$i; \ -+ if echo " $(DSO_MODULES) "|$(EGREP) " cgi " > /dev/null ; then \ -+ have_cgi="1"; \ -+ else \ -+ have_cgi="0"; \ -+ fi; \ -+ if echo " $(DSO_MODULES) "|$(EGREP) " cgid " > /dev/null ; then \ -+ have_cgid="1"; \ -+ else \ -+ have_cgid="0"; \ -+ fi; \ - for j in $(DSO_MODULES) "^EOL^"; do \ - if test $$j != "^EOL^"; then \ - if echo ",$(ENABLED_DSO_MODULES),"|$(EGREP) ",$$j," > /dev/null ; then \ -@@ -68,8 +75,18 @@ install-conf: - if test "$(LOAD_ALL_MODULES)" = "yes"; then \ - loading_disabled=""; \ - fi; \ -- echo "$${loading_disabled}LoadModule $${j}_module $(rel_libexecdir)/mod_$${j}.so"; \ -- fi; \ -+ if test $$j = "cgid" -a "$$have_cgi" = "1"; then \ -+ echo "<IfModule !mpm_prefork_module>"; \ -+ echo " $${loading_disabled}LoadModule $${j}_module $(rel_libexecdir)/mod_$${j}.so"; \ -+ echo "</IfModule>"; \ -+ elif test $$j = "cgi" -a "$$have_cgid" = "1"; then \ -+ echo "<IfModule mpm_prefork_module>"; \ -+ echo " $${loading_disabled}LoadModule $${j}_module $(rel_libexecdir)/mod_$${j}.so"; \ -+ echo "</IfModule>"; \ -+ else \ -+ echo "$${loading_disabled}LoadModule $${j}_module $(rel_libexecdir)/mod_$${j}.so"; \ -+ fi; \ -+ fi; \ - done; \ - sed -e '1,/@@LoadModule@@/d' \ - -e '/@@LoadModule@@/d' \ -@@ -78,15 +95,12 @@ install-conf: +@@ -98,15 +95,12 @@ install-conf: -e 's#@@SSLPort@@#$(SSLPORT)#g' \ < $$i; \ fi \ @@ -70,7 +32,7 @@ fi; \ done ; \ done ; \ -@@ -137,48 +151,25 @@ dox: +@@ -157,48 +151,25 @@ dox: doxygen $(top_srcdir)/docs/doxygen.conf install-htdocs: @@ -128,7 +90,7 @@ install-other: @test -d $(DESTDIR)$(logfiledir) || $(MKINSTALLDIRS) $(DESTDIR)$(logfiledir) -@@ -231,12 +222,7 @@ install-man: +@@ -251,12 +222,7 @@ install-man: @test -d $(DESTDIR)$(manualdir) || $(MKINSTALLDIRS) $(DESTDIR)$(manualdir) @cp -p $(top_srcdir)/docs/man/*.1 $(DESTDIR)$(mandir)/man1 @cp -p $(top_srcdir)/docs/man/*.8 $(DESTDIR)$(mandir)/man8 Modified: branches/2015Q3/www/apache24/files/patch-docs__conf__extra__httpd-ssl.conf.in ============================================================================== --- branches/2015Q3/www/apache24/files/patch-docs__conf__extra__httpd-ssl.conf.in Wed Jul 15 17:16:05 2015 (r392170) +++ branches/2015Q3/www/apache24/files/patch-docs__conf__extra__httpd-ssl.conf.in Wed Jul 15 17:18:00 2015 (r392171) @@ -1,37 +1,6 @@ ---- docs/conf/extra/httpd-ssl.conf.in.orig 2015-01-31 12:20:34 UTC -+++ docs/conf/extra/httpd-ssl.conf.in -@@ -42,11 +42,30 @@ Listen @@SSLPort@@ - ## the main server and all SSL-enabled virtual hosts. - ## - -+## disable unsecure SSL protocols -+SSLProtocol ALL -SSLv2 -SSLv3 -+ - # SSL Cipher Suite: - # List the ciphers that the client is permitted to negotiate. - # See the mod_ssl documentation for a complete list. - SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 - -+## The following entries can be used as suggestions, -+## for more information see: -+## - http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite -+## - http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html -+## -+## To test your SSL implementation use for example security/sslscan or for public reachable systems https://www.ssllabs.com/ -+ -+## sample for OpenSSL >= 1.0.x (with RC4) -+# SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS" -+ -+## sample for OpenSSL >= 1.0.x (keep support for IE8 on XP) -+# SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS +RC4 RC4" -+ -+## sample for OpenSSL >= 1.0.x (no RC4 support) -+# SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4" -+ - # Speed-optimized SSL Cipher configuration: - # If speed is your main concern (on busy HTTPS servers e.g.), - # you might want to force clients to specific, performance -@@ -105,8 +124,8 @@ SSLSessionCacheTimeout 300 +--- docs/conf/extra/httpd-ssl.conf.in.orig 2015-05-27 13:59:59.000000000 -0500 ++++ docs/conf/extra/httpd-ssl.conf.in 2015-07-15 09:50:31.369623000 -0500 +@@ -124,8 +124,8 @@ DocumentRoot "@exp_htdocsdir@" ServerName www.example.com:@@SSLPort@@ ServerAdmin you@example.com @@ -42,7 +11,7 @@ # SSL Engine Switch: # Enable/Disable SSL for this virtual host. -@@ -265,7 +284,7 @@ BrowserMatch "MSIE [2-5]" \ +@@ -284,7 +284,7 @@ # Per-Server Logging: # The home of a custom SSL log file. Use this when you want a # compact non-error SSL logfile on a virtual host basis.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201507151718.t6FHI1Cm068554>