Bug 220160 - www/apache24: Update to 2.4.26 (addresses multiple CVE reports)
Summary: www/apache24: Update to 2.4.26 (addresses multiple CVE reports)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: freebsd-apache (Nobody)
URL: http://httpd.apache.org/security/vuln...
Keywords: security
Depends on:
Blocks:
 
Reported: 2017-06-20 11:09 UTC by Markus Kohlmeyer
Modified: 2017-07-14 12:28 UTC
CC List: 6 users

See Also:
bugzilla: maintainer-feedback? (apache)


Attachments
Update Apache to v2.4.26 (3.21 KB, patch)
2017-06-20 16:00 UTC, Dani
i.dani: maintainer-approval? (apache)
Build log with security/libressl (119.90 KB, text/plain)
2017-06-20 17:19 UTC, Markus Kohlmeyer
patch from: https://bz.apache.org/bugzilla/show_bug.cgi?id=61184 (11.85 KB, patch)
2017-06-28 14:21 UTC, Ivan Rozhuk

Description Markus Kohlmeyer 2017-06-20 11:09:43 UTC
Apache 2.4.26 was released and addresses multiple CVEs:
http://httpd.apache.org/security/vulnerabilities_24.html

Also it contains a new module: mod_brotli (bug #218851)
Comment 1 Dani 2017-06-20 16:00:25 UTC
Created attachment 183655
Update Apache to v2.4.26

!! mod_brotli support depends on bug #218851 !!

- update to 2.4.26
-- Add mod_brotli support, fix pkg-plist
-- HTTP/2 support no longer tagged as "experimental" but is instead considered fully production ready.
Comment 2 Markus Kohlmeyer 2017-06-20 17:19:29 UTC
Created attachment 183656
Build log with security/libressl

There is a problem when building with security/libressl regarding SSL_CTX_set_max_proto_version and SSL_CTX_set_min_proto_version or OPENSSL_VERSION_NUMBER
Comment 3 Dani 2017-06-20 18:08:20 UTC
(In reply to Markus Kohlmeyer from comment #2)

Looks like the support for OpenSSL 1.1.0, which has been added in v2.4.26, breaks the build with LibreSSL (which isn't officially supported by Apache afaik).

See: https://github.com/apache/httpd/commit/d9a5d4c6ee64b400cd552dbd8b3bbd36942d5544
and https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_max_proto_version.html
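
An added illustration of the failure mode discussed in comments 2 and 3 (not part of the bug thread, the attached patches, or httpd's source): LibreSSL's headers define OPENSSL_VERSION_NUMBER as 0x20000000L, so a guard that tests only that number selects the OpenSSL 1.1.0 calls such as SSL_CTX_set_min_proto_version. The struct, function names and sample rows are constructed for this example, and the guarded condition is one common form of the fix, assumed here rather than quoted from the patch.

```c
#include <stdio.h>

/* One row per TLS library header set. Values follow the OPENSSL_VERSION_NUMBER
 * encoding; the rows are constructed samples, not taken from the build log. */
struct tls_headers {
    const char *name;
    long openssl_version_number;  /* value of OPENSSL_VERSION_NUMBER */
    int  defines_libressl;        /* 1 if LIBRESSL_VERSION_NUMBER is defined */
};

static const struct tls_headers SAMPLES[] = {
    { "OpenSSL 1.0.1", 0x1000100fL, 0 },
    { "OpenSSL 1.0.2", 0x1000200fL, 0 },
    { "OpenSSL 1.1.0", 0x1010000fL, 0 },
    { "LibreSSL",      0x20000000L, 1 },  /* LibreSSL reports "2.0.0" here */
};
#define N_SAMPLES (sizeof(SAMPLES) / sizeof(SAMPLES[0]))

/* Models: #if OPENSSL_VERSION_NUMBER >= 0x10100000L */
int naive_selects_110_api(const struct tls_headers *h)
{
    return h->openssl_version_number >= 0x10100000L;
}

/* Models: #if OPENSSL_VERSION_NUMBER >= 0x10100000L \
 *             && !defined(LIBRESSL_VERSION_NUMBER) */
int guarded_selects_110_api(const struct tls_headers *h)
{
    return naive_selects_110_api(h) && !h->defines_libressl;
}

/* Index of the first sample where the two guards disagree, or -1 if none. */
int first_misrouted_sample(void)
{
    for (size_t i = 0; i < N_SAMPLES; i++)
        if (naive_selects_110_api(&SAMPLES[i]) != guarded_selects_110_api(&SAMPLES[i]))
            return (int)i;
    return -1;
}

int main(void)
{
    for (size_t i = 0; i < N_SAMPLES; i++)
        printf("%-14s 0x%08lx naive=%-10s guarded=%s\n", SAMPLES[i].name,
               (unsigned long)SAMPLES[i].openssl_version_number,
               naive_selects_110_api(&SAMPLES[i]) ? "1.1.0 API" : "legacy API",
               guarded_selects_110_api(&SAMPLES[i]) ? "1.1.0 API" : "legacy API");
    return 0;
}
```

Only the LibreSSL row differs between the two guards; the OpenSSL rows are routed identically by both.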
Comment 4 Markus Kohlmeyer 2017-06-20 22:13:32 UTC
Patch for the LibreSSL problem from Bernard Spil exists in Apache Bugzilla:
https://bz.apache.org/bugzilla/show_bug.cgi?id=61184
Comment 5 Ivan Rozhuk 2017-06-28 14:21:07 UTC
Created attachment 183888
patch from: https://bz.apache.org/bugzilla/show_bug.cgi?id=61184

Now builds ok.
Comment 6 commit-hook freebsd_committer 2017-07-12 19:32:21 UTC
A commit references this bug:

Author: brnrd
Date: Wed Jul 12 19:31:42 UTC 2017
New revision: 445603
URL: https://svnweb.freebsd.org/changeset/ports/445603

Log:
  www/apache24: Update to 2.4.27

   - Bugfix update to 2.4.27
   - Fix build with LibreSSL [1]
   - Add brotli compression option
   - Add pkg-message for 10.3 base-ssl users
   - HTTP/2 is production ready, default enable
     - warn users of 10.3 for mod_http2/OpenSSL 1.0.1

  [1] https://bz.apache.org/bugzilla/show_bug.cgi?id=61184

  PR:             220160 [1]
  Reported by:    Markus Kohlmeyer <rootservice@gmail.com>
  Reviewed by:    ohauer (hat)
  Approved by:    ohauer (hat)
  Differential Revision:  https://reviews.freebsd.org/D11285

Changes:
  head/www/apache24/Makefile
  head/www/apache24/Makefile.options
  head/www/apache24/Makefile.options.desc
  head/www/apache24/distinfo
  head/www/apache24/files/patch-modules_ssl_mod__ssl.c
  head/www/apache24/files/patch-modules_ssl_ssl__engine__init.c
  head/www/apache24/files/patch-modules_ssl_ssl__engine__io.c
  head/www/apache24/files/patch-modules_ssl_ssl__engine__kernel.c
  head/www/apache24/files/patch-modules_ssl_ssl__engine__vars.c
  head/www/apache24/files/patch-modules_ssl_ssl__private.h
  head/www/apache24/files/patch-modules_ssl_ssl__util.c
  head/www/apache24/files/patch-modules_ssl_ssl__util__ssl.h
  head/www/apache24/files/patch-modules_ssl_ssl__util__stapling.c
  head/www/apache24/files/patch-support_ab.c
  head/www/apache24/files/pkg-message.in
  head/www/apache24/pkg-plist
Comment 7 commit-hook freebsd_committer 2017-07-14 12:28:49 UTC
A commit references this bug:

Author: brnrd
Date: Fri Jul 14 12:28:14 UTC 2017
New revision: 445747
URL: https://svnweb.freebsd.org/changeset/ports/445747

Log:
  MFH: r445603

  www/apache24: Update to 2.4.27

   - Bugfix update to 2.4.27
   - Fix build with LibreSSL [1]
   - Add brotli compression option
   - Add pkg-message for 10.3 base-ssl users
   - HTTP/2 is production ready, default enable
     - warn users of 10.3 for mod_http2/OpenSSL 1.0.1

  [1] https://bz.apache.org/bugzilla/show_bug.cgi?id=61184

  PR:             220160 [1]
  Reported by:    Markus Kohlmeyer <rootservice@gmail.com>
  Reviewed by:    ohauer (hat)
  Approved by:    ohauer (hat)
  Differential Revision:  https://reviews.freebsd.org/D11285

  Approved by:	ports-secteam (junovitch)

Changes:
_U  branches/2017Q3/
  branches/2017Q3/www/apache24/Makefile
  branches/2017Q3/www/apache24/Makefile.options
  branches/2017Q3/www/apache24/Makefile.options.desc
  branches/2017Q3/www/apache24/distinfo
  branches/2017Q3/www/apache24/files/patch-modules_ssl_mod__ssl.c
  branches/2017Q3/www/apache24/files/patch-modules_ssl_ssl__engine__init.c
  branches/2017Q3/www/apache24/files/patch-modules_ssl_ssl__engine__io.c
  branches/2017Q3/www/apache24/files/patch-modules_ssl_ssl__engine__kernel.c
  branches/2017Q3/www/apache24/files/patch-modules_ssl_ssl__engine__vars.c
  branches/2017Q3/www/apache24/files/patch-modules_ssl_ssl__private.h
  branches/2017Q3/www/apache24/files/patch-modules_ssl_ssl__util.c
  branches/2017Q3/www/apache24/files/patch-modules_ssl_ssl__util__ssl.h
  branches/2017Q3/www/apache24/files/patch-modules_ssl_ssl__util__stapling.c
  branches/2017Q3/www/apache24/files/patch-support_ab.c
  branches/2017Q3/www/apache24/files/pkg-message.in
  branches/2017Q3/www/apache24/pkg-plist