
www/apache24: Update to 2.4.34
Closed, Public

Authored by joneum on Jul 16 2018, 9:56 PM.

Details

Summary

www/apache24: Security update to 2.4.34

  • fixes vulns in mod_http2 and mod_md
  • include SSL_* options in alphabetic ordering
  • Remove unneeded SSL_CFLAGS and _LDFLAGS
  • Remove WITH_HTTP_PORT and WITH_SSL_PORT
  • Remove trailing whitespace
  • Fix build with HTTP2 but without SSL [1]

PR: 229802, 227944 [1]
With hat: apache
Approved by: (apache)
MFH: 2018Q3
Security: 8b1a50ab-8a8e-11e8-add2-b499baebfeaf
Differential Review: https://reviews.freebsd.org/D16294

Test Plan

Diff Detail

Repository
rP FreeBSD ports repository
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

joneum created this revision. Jul 16 2018, 9:56 PM
brnrd requested changes to this revision. Jul 17 2018, 8:00 AM

Nice improvements!

www/apache24/Makefile
70 ↗(On Diff #45394)

As we don't have

HTTP2_IMPLIES= SSL

I don't think this is OK.
You can build Apache with HTTP2 but without SSL (even though I wouldn't know why someone would).
Looks to me like mod_h2 does require libcrypto: https://github.com/icing/mod_h2/blob/master/configure.ac#L105 but not 100% sure.

77 ↗(On Diff #45394)

What's going on with indentation here? It aligns OK for me already.

94 ↗(On Diff #45394)

Any reason not to keep the SSL_* entries not in alphabetical order? Think that's mostly historical.

111 ↗(On Diff #45394)

If we remove these, we can also remove lines 37 and 38

37 WITH_HTTP_PORT?=        80
38 WITH_SSL_PORT?=         443

People should do that with Listen and <VirtualHost> directives anyway.
Do our default config files specify Listen correctly?

This revision now requires changes to proceed. Jul 17 2018, 8:00 AM
brnrd added a comment. Jul 17 2018, 8:05 AM

I don't think this warrants a MFH, there are no security fixes in this release.

www/apache24/Makefile
111 ↗(On Diff #45394)

Just checked, the config files we ship have
etc/httpd.conf

52 Listen 80

etc/extra/httpd-ssl.conf

36 Listen 443

so WITH_HTTP_PORT and WITH_SSL_PORT are indeed redundant.

brnrd added a comment. Jul 17 2018, 8:19 AM

Updated patch in bug #229802

www/apache24/Makefile
70 ↗(On Diff #45394)

So yes, this is OK, and exactly what my point is/was. It should be added.
Not sure about whitespace here.

brnrd added a comment. Jul 18 2018, 2:35 PM

I don't think this warrants a MFH, there are no security fixes in this release.

The vulnerability fixes were missing from the ChangeLog as per https://lists.apache.org/thread.html/b57f9c60d015b88301f916a242e0c40d22ce7da381885d1ede7e0de9@%3Cdev.httpd.apache.org%3E

Documented in vuxml http://www.vuxml.org/freebsd/8b1a50ab-8a8e-11e8-add2-b499baebfeaf.html

I've done some more cosmetic fixing / portlint petting, the modules/md/md_crypt.c fix has landed upstream

mat added a subscriber: mat. Jul 18 2018, 3:28 PM
mat added inline comments.
www/apache24/Makefile
72 ↗(On Diff #45394)

Then HTTP2_IMPLIES=SSL, and this, and the added --with-ssl above, can be removed.

80–85 ↗(On Diff #45394)
MD_IMPLIES= SSL

and remove the USES=ssl and --with-ssl.

brnrd added inline comments. Jul 18 2018, 7:39 PM
www/apache24/Makefile
72 ↗(On Diff #45394)

It is not a requirement to build the mod_ssl module (which is what the SSL option in Apache 2.4 does) if you want the mod_http2 module. See also earlier comment.

80–85 ↗(On Diff #45394)

As before. The SSL option toggles the mod_ssl module. Almost all options in the port are prefixed with mod_ to enable them during build.
And it is silly to not have mod_ssl module when you use mod_md yet technically possible.

joneum edited the summary of this revision. Jul 19 2018, 4:55 PM
joneum updated this revision to Diff 45549. Jul 19 2018, 5:13 PM

some fixes

joneum added inline comments. Jul 20 2018, 6:46 AM
www/apache24/files/patch-modules_md_md__crypt.c
7 ↗(On Diff #45549)

Are you sure this is the right PR number? https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=62548

brnrd accepted this revision. Jul 20 2018, 2:15 PM

Looking good to commit!

This revision is now accepted and ready to land. Jul 20 2018, 2:15 PM
This revision was automatically updated to reflect the committed changes.