[pkgsrc/pkgsrc-2015Q1]: pkgsrc/www/apache22 Pullup ticket #4733 - requested b...
details: https://anonhg.NetBSD.org/pkgsrc/rev/da0bac80f134
branches: pkgsrc-2015Q1
changeset: 649260:da0bac80f134
user: tron <tron%pkgsrc.org@localhost>
date: Sun May 24 11:41:00 2015 +0000
description:
Pullup ticket #4733 - requested by sborrill
www/apache22: security patch
Revisions pulled up:
- www/apache22/Makefile 1.103
- www/apache22/distinfo 1.61
- www/apache22/patches/patch-modules_ssl_ssl__engine__dh.c 1.1
---
Module Name: pkgsrc
Committed By: sborrill
Date: Fri May 22 09:20:20 UTC 2015
Modified Files:
pkgsrc/www/apache22: Makefile distinfo
Added Files:
pkgsrc/www/apache22/patches: patch-modules_ssl_ssl__engine__dh.c
Log Message:
Add patch to mitigate Logjam TLS vulnerabilities (CVE-2015-4000).
Based on FreeBSD ports.
diffstat:
www/apache22/Makefile | 7 +-
www/apache22/distinfo | 3 +-
www/apache22/patches/patch-modules_ssl_ssl__engine__dh.c | 73 ++++++++++++++++
3 files changed, 81 insertions(+), 2 deletions(-)
diffs (116 lines):
diff -r 6eec91eb1dd5 -r da0bac80f134 www/apache22/Makefile
--- a/www/apache22/Makefile Sun May 24 11:33:38 2015 +0000
+++ b/www/apache22/Makefile Sun May 24 11:41:00 2015 +0000
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.102 2014/09/09 08:11:48 adam Exp $
+# $NetBSD: Makefile,v 1.102.6.1 2015/05/24 11:41:00 tron Exp $
DISTNAME= httpd-2.2.29
PKGNAME= ${DISTNAME:S/httpd/apache/}
+PKGREVISION= 1
CATEGORIES= www
MASTER_SITES= ${MASTER_SITE_APACHE:=httpd/} \
http://archive.apache.org/dist/httpd/ \
@@ -209,6 +210,10 @@
${TOUCH} ${WRKSRC}/build/libtool
${ECHO} "" >> ${WRKSRC}/docs/conf/extra/httpd-languages.conf.in
+pre-build:
+ ${ECHO} "===> Generating unique DH group to mitigate Logjam attack (this will take a while)"
+ (cd ${WRKSRC}/modules/ssl && ${PERL5} ssl_engine_dh.c)
+
post-build:
${SED} "s#@PKG_SYSCONFDIR@#${PKG_SYSCONFDIR}#g" \
< ${FILESDIR}/mkcert.sh > ${WRKDIR}/mkcert
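Review bot: The new pre-build target runs the generator once per package build, so the "unique DH group" announced on the ${ECHO} line is unique to this build of the binary package, not to each host that installs it; every host installing the same binary package shares one 2048/3072-bit group, which is still a real improvement over the upstream hard-coded groups but is not what the message suggests. Consider `${ECHO} "===> Generating fresh DH groups for this build to mitigate Logjam (this will take a while)"` so operators who want a per-host group know to supply their own via SSLCertificateFile-appended parameters or a rebuild. The script invoked here also shells out to openssl, indent and expand, and this hunk declares no build-time tool dependency for them; unless the rest of the Makefile (outside this hunk) already does, a build host missing any of them only fails later with an obscure C compile error, so a USE_TOOLS/BUILD_DEPENDS entry covering them would fail early at the real cause. Note that this step also makes the package build deliberately non-reproducible, which is worth a one-line comment above pre-build for anyone later comparing build outputs.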
diff -r 6eec91eb1dd5 -r da0bac80f134 www/apache22/distinfo
--- a/www/apache22/distinfo Sun May 24 11:33:38 2015 +0000
+++ b/www/apache22/distinfo Sun May 24 11:41:00 2015 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.60 2014/09/09 08:11:48 adam Exp $
+$NetBSD: distinfo,v 1.60.6.1 2015/05/24 11:41:00 tron Exp $
SHA1 (httpd-2.2.29.tar.bz2) = 1d6a8fbc1391d358cc6fe430edc16222b97258d5
RMD160 (httpd-2.2.29.tar.bz2) = c9a823f038a6a1cbfd94cd9bdd067edd26cf7a3b
@@ -16,4 +16,5 @@
SHA1 (patch-docs_man_apxs.8) = 70797ea73ae6379492971bec1106a8427ae7fdaa
SHA1 (patch-lock.c) = 770ca03f1cb4421879bd5baa5a7c30cc91acb6e1
SHA1 (patch-modules_proxy_mod_proxy_connect.c) = b2b5d0242a92c7bf20b14c16d8cd3abae42f3746
+SHA1 (patch-modules_ssl_ssl__engine__dh.c) = fc37a639ecfbade0cf8a4fc684d7ec3b92949897
SHA1 (patch-repos.c) = 0e0361b91d4b0fe6c7c55a12fdfd2e6aacc710e1
diff -r 6eec91eb1dd5 -r da0bac80f134 www/apache22/patches/patch-modules_ssl_ssl__engine__dh.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/www/apache22/patches/patch-modules_ssl_ssl__engine__dh.c Sun May 24 11:41:00 2015 +0000
@@ -0,0 +1,73 @@
+--- modules/ssl/ssl_engine_dh.c.orig 2006-07-12 03:38:44 UTC
++++ modules/ssl/ssl_engine_dh.c
+@@ -102,12 +102,12 @@ DH *ssl_dh_GetTmpParam(int nKeyLen)
+ {
+ DH *dh;
+
+- if (nKeyLen == 512)
+- dh = get_dh512();
+- else if (nKeyLen == 1024)
+- dh = get_dh1024();
++ if (nKeyLen == 2048)
++ dh = get_dh2048();
++ else if (nKeyLen == 3072)
++ dh = get_dh3072();
+ else
+- dh = get_dh1024();
++ dh = get_dh3072();
+ return dh;
+ }
+
+@@ -151,7 +151,7 @@ print FP $source;
+ close(FP);
+
+ # generate the DH parameters
+-print "1. Generate 512 and 1024 bit Diffie-Hellman parameters (p, g)\n";
++print "1. Generate 2048 and 3072 bit Diffie-Hellman parameters (p, g)\n";
+ my $rand = '';
+ foreach $file (qw(/var/log/messages /var/adm/messages
+ /kernel /vmunix /vmlinuz /etc/hosts /etc/resolv.conf)) {
+@@ -161,15 +161,15 @@ foreach $file (qw(/var/log/messages /var
+ }
+ }
+ $rand = "-rand $rand" if ($rand ne '');
+-system("openssl gendh $rand -out dh512.pem 512");
+-system("openssl gendh $rand -out dh1024.pem 1024");
++system("openssl gendh $rand -out dh2048.pem 2048");
++system("openssl gendh $rand -out dh3072.pem 3072");
+
+ # generate DH param info
+ my $dhinfo = '';
+-open(FP, "openssl dh -noout -text -in dh512.pem |") || die;
++open(FP, "openssl dh -noout -text -in dh2048.pem |") || die;
+ $dhinfo .= $_ while (<FP>);
+ close(FP);
+-open(FP, "openssl dh -noout -text -in dh1024.pem |") || die;
++open(FP, "openssl dh -noout -text -in dh3072.pem |") || die;
+ $dhinfo .= $_ while (<FP>);
+ close(FP);
+ $dhinfo =~ s|^|** |mg;
+@@ -177,10 +177,10 @@ $dhinfo = "\n\/\*\n$dhinfo\*\/\n\n";
+
+ # generate C source from DH params
+ my $dhsource = '';
+-open(FP, "openssl dh -noout -C -in dh512.pem | indent | expand |") || die;
++open(FP, "openssl dh -noout -C -in dh2048.pem | indent | expand |") || die;
+ $dhsource .= $_ while (<FP>);
+ close(FP);
+-open(FP, "openssl dh -noout -C -in dh1024.pem | indent | expand |") || die;
++open(FP, "openssl dh -noout -C -in dh3072.pem | indent | expand |") || die;
+ $dhsource .= $_ while (<FP>);
+ close(FP);
+ $dhsource =~ s|(DH\s+\*get_dh)(\d+)[^}]*\n}|static $1$2(void)
+@@ -203,8 +203,8 @@ print FP $source;
+ close(FP);
+
+ # cleanup
+-unlink("dh512.pem");
+-unlink("dh1024.pem");
++unlink("dh2048.pem");
++unlink("dh3072.pem");
+
+ =pod
+ */
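Review bot: With the 512 and 1024 cases removed from ssl_dh_GetTmpParam, get_dh2048() is reached only when nKeyLen is exactly 2048 and every other value falls through to get_dh3072(); the OpenSSL temp-DH callback that presumably feeds this function (in ssl_engine_kernel.c, outside this patch) passes 512 or 1024, so if that caller is unchanged the 2048-bit group is dead code and every handshake gets the 3072-bit group. If that is intended, say so with a comment such as `/* 512/1024-bit requests are deliberately upgraded to 3072 bits; 2048 is served only when explicitly requested */`; otherwise map the small sizes to the Logjam-recommended minimum with `if (nKeyLen <= 2048) dh = get_dh2048(); else dh = get_dh3072();`, which also sidesteps the interoperability problems some older TLS stacks (older JSSE releases, reportedly) have with DH primes above 2048 bits. In the generator script, the two `system("openssl gendh ...")` calls still ignore their exit status, so a missing openssl binary or an OpenSSL build without the gendh alias leaves no .pem file and the failure only surfaces later when the emitted C file has no get_dh* definitions; `system(...) == 0 or die "openssl gendh failed: $?";` would stop the build at the actual cause. The `-rand` seeding from world-readable files is pre-existing upstream behaviour and adds nothing on an OpenSSL that seeds from the kernel RNG, but it is harmless and need not be touched here.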