www/apache24: Update to 2.4.34
ClosedPublic
Actions

Authored by joneum on Jul 16 2018, 9:56 PM.

Details

Reviewers

brnrd
ohauer

Commits

rP475020: MFH: r475018
rP475018: www/apache24: Update to 2.4.34

Summary

www/apache24: Security update to 2.4.34

fixes vulns in mod_http2 and mod_md
include SSL_* options in alphabetic ordering
Remove unneeded SSL_CFLAGS and _LDFLAGS
Remove WITH_HTTP_PORT and WITH_SSL_PORT
Remove trailing whitespace
Fix build with HTTP2 but without SSL [1]

PR: 229802, 227944 [1]
With hat: apache
Approved by: (apache)
MFH: 2018Q3
Security: 8b1a50ab-8a8e-11e8-add2-b499baebfeaf
Differential Review: https://reviews.freebsd.org/D16294

Test Plan

10.4 amd64: http://joneumbox.org/data/104amd64-ports/2018-07-16_23h29m21s/logs/apache24-2.4.34.log
10.4 i386: http://joneumbox.org/data/104i386-ports/2018-07-16_23h29m21s/logs/apache24-2.4.34.log

11.1 amd64: http://joneumbox.org/data/11-1-AMD64-ports/2018-07-16_23h32m58s/logs/apache24-2.4.34.log
11.1 i386: http://joneumbox.org/data/104i386-ports/2018-07-16_23h29m21s/logs/apache24-2.4.34.log

HEAD amd64: http://joneumbox.org/data/12amd64-ports/2018-07-16_23h34m49s/logs/apache24-2.4.34.log
HEAD i386: http://joneumbox.org/data/12i386-ports/2018-07-16_23h34m51s/logs/apache24-2.4.34.log

Diff Detail

Lint

No Lint Coverage

Unit

No Test Coverage

Build Status

Buildable 18171
Build 17905: arc lint + arc unit

Event Timeline

joneum created this revision.Jul 16 2018, 9:56 PM

Harbormaster completed remote builds in B18087: Diff 45394.Jul 16 2018, 9:56 PM

joneum added reviewers: brnrd, ohauer.Jul 16 2018, 9:57 PM

Nice improvements!

www/apache24/Makefile
67	As we don't have HTTP2_IMPLIES= SSL I don't think this is OK. You can build Apache with HTTP2 but without SSL (even though I wouldn't know why someone would). Looks to me like mod_h2 does require libcrypto: https://github.com/icing/mod_h2/blob/master/configure.ac#L105 but not 100% sure.
74	What's going on with indentation here? It aligns OK for me already.
89–90	Any reason not to keep the SSL_* entries not in alphabetical order? Think that's mostly historical.
107–108	If we remove these, we can also remove lines 37 and 38 37 WITH_HTTP_PORT?= 80 38 WITH_SSL_PORT?= 443 People should do that with `Listen` and `<VirtualHost>` directives anyway. Do our default config files specify Listen correctly?

This revision now requires changes to proceed.Jul 17 2018, 8:00 AM

I don't think this warrants a MFH, there are no security fixes in this release.

www/apache24/Makefile
107–108	Just checked, the config files we ship have etc/httpd.conf 52 Listen 80 etc/extra/httpd-ssl.conf 36 Listen 443 so `WITH_HTTP_PORT` and `WITH_SSL_PORT` are indeed redundant.

Updated patch in bug #229802

www/apache24/Makefile
67	So yes, this is OK, and exactly what my point is/was. It should be added. Not sure about whitespace here.

In D16294#345867, @brnrd wrote:

I don't think this warrants a MFH, there are no security fixes in this release.

The vulnerability fixes were missing from the ChangeLog as per https://lists.apache.org/thread.html/b57f9c60d015b88301f916a242e0c40d22ce7da381885d1ede7e0de9@%3Cdev.httpd.apache.org%3E

Documented in vuxml http://www.vuxml.org/freebsd/8b1a50ab-8a8e-11e8-add2-b499baebfeaf.html

I've done some more cosmetic fixing / portlint petting, the modules/md/md_crypt.c fix has landed upstream

mat added a subscriber: mat.Jul 18 2018, 3:28 PM

mat added inline comments.

www/apache24/Makefile
69	Then `HTTP2_IMPLIES=SSL`, and this, and the added `--with-ssl` above, can be removed.
77–83	MD_IMPLIES= SSL and remove the USES=ssl and --with-ssl.

brnrd added inline comments.Jul 18 2018, 7:39 PM

www/apache24/Makefile
69	It is not a requirement to build the `mod_ssl` module (which is what the `SSL` option in Apache 2.4 does) if you want the `mod_http2` module. See also earlier comment.
77–83	As before. The SSL option toggles the `mod_ssl` module. Almost all options in the port are prefixed with mod_ to enable them during build. And it is silly to not have `mod_ssl` module when you use `mod_md` yet technically possible.