Page MenuHomeFreeBSD

www/apache24: Update to 2.4.34

Authored by joneum on Jul 16 2018, 9:56 PM.
Referenced Files
F72055236: D16294.diff
Thu, Nov 30, 8:07 PM
Unknown Object (File)
Sat, Nov 11, 6:28 PM
Unknown Object (File)
Wed, Nov 8, 2:55 PM
Unknown Object (File)
Oct 10 2023, 5:24 PM
Unknown Object (File)
Oct 7 2023, 1:45 PM
Unknown Object (File)
Aug 23 2023, 9:20 PM
Unknown Object (File)
Aug 1 2023, 7:58 PM
Unknown Object (File)
Jul 15 2023, 10:06 PM



www/apache24: Security update to 2.4.34

  • fixes vulns in mod_http2 and mod_md
  • include SSL_* options in alphabetic ordering
  • Remove unneeded SSL_CFLAGS and _LDFLAGS
  • Remove trailing whitespace
  • Fix build with HTTP2 but without SSL [1]

PR: 229802, 227944 [1]
With hat: apache
Approved by: (apache)
MFH: 2018Q3
Security: 8b1a50ab-8a8e-11e8-add2-b499baebfeaf
Differential Review:

Test Plan

Diff Detail

rP FreeBSD ports repository
Lint Not Applicable
Tests Not Applicable

Event Timeline

brnrd requested changes to this revision.Jul 17 2018, 8:00 AM

Nice improvements!

70 ↗(On Diff #45394)

As we don't have


I don't think this is OK.
You can build Apache with HTTP2 but without SSL (even though I wouldn't know why someone would).
Looks to me like mod_h2 does require libcrypto: but not 100% sure.

77 ↗(On Diff #45394)

What's going on with indentation here? It aligns OK for me already.

94 ↗(On Diff #45394)

Any reason not to keep the SSL_* entries not in alphabetical order? Think that's mostly historical.

111 ↗(On Diff #45394)

If we remove these, we can also remove lines 37 and 38

37 WITH_HTTP_PORT?=        80
38 WITH_SSL_PORT?=         443

People should do that with Listen and <VirtualHost> directives anyway.
Do our default config files specify Listen correctly?

This revision now requires changes to proceed.Jul 17 2018, 8:00 AM

I don't think this warrants a MFH, there are no security fixes in this release.

111 ↗(On Diff #45394)

Just checked, the config files we ship have

52 Listen 80


36 Listen 443

so WITH_HTTP_PORT and WITH_SSL_PORT are indeed redundant.

Updated patch in bug #229802

70 ↗(On Diff #45394)

So yes, this is OK, and exactly what my point is/was. It should be added.
Not sure about whitespace here.

I don't think this warrants a MFH, there are no security fixes in this release.

The vulnerability fixes were missing from the ChangeLog as per

Documented in vuxml

I've done some more cosmetic fixing / portlint petting, the modules/md/md_crypt.c fix has landed upstream

mat added inline comments.
72 ↗(On Diff #45394)

Then HTTP2_IMPLIES=SSL, and this, and the added --with-ssl above, can be removed.

80–85 ↗(On Diff #45394)

and remove the USES=ssl and --with-ssl.

72 ↗(On Diff #45394)

It is not a requirement to build the mod_ssl module (which is what the SSL option in Apache 2.4 does) if you want the mod_http2 module. See also earlier comment.

80–85 ↗(On Diff #45394)

As before. The SSL option toggles the mod_ssl module. Almost all options in the port are prefixed with mod_ to enable them during build.
And it is silly to not have mod_ssl module when you use mod_md yet technically possible.

7 ↗(On Diff #45549)

are you sure this is the right PR number?

Looking good to commit!

This revision is now accepted and ready to land.Jul 20 2018, 2:15 PM
This revision was automatically updated to reflect the committed changes.