[Pkg-apache-commits] r1254 - in /branches/lenny-apache2: NEWS changelog config-dir/mods-available/ssl.conf control patches/00list patches/080_CVE-2009-3555-rfc5746.dpatch
sf at alioth.debian.org
sf at alioth.debian.org
Sun Dec 5 10:47:03 UTC 2010
Author: sf
Date: Sun Dec 5 10:47:02 2010
New Revision: 1254
URL: http://svn.debian.org/wsvn/pkg-apache/?sc=1&rev=1254
Log:
backport support for rfc5746
bump openssl build-dep
Added:
branches/lenny-apache2/patches/080_CVE-2009-3555-rfc5746.dpatch
Modified:
branches/lenny-apache2/NEWS
branches/lenny-apache2/changelog
branches/lenny-apache2/config-dir/mods-available/ssl.conf
branches/lenny-apache2/control
branches/lenny-apache2/patches/00list
Modified: branches/lenny-apache2/NEWS
URL: http://svn.debian.org/wsvn/pkg-apache/branches/lenny-apache2/NEWS?rev=1254&op=diff
==============================================================================
--- branches/lenny-apache2/NEWS (original)
+++ branches/lenny-apache2/NEWS Sun Dec 5 10:47:02 2010
@@ -1,3 +1,15 @@
+apache2 (2.2.9-10+lenny9) stable-security; urgency=low
+
+ * The latest openssl upgrade added support for SSL/TLS secure renegotiation
+ (RFC 5746) to fix the protocol vulnerability CVE-2009-3555 but disallows
+ renegotiation for clients that do not yet support this extension. This
+ upgrade of apache2 adds the new SSLInsecureRenegotiation directive which
+ allows to revert to the old behaviour. If you need to support such
+ clients, uncomment the 'SSLInsecureRenegotiation on' line in
+ /etc/apache2/mods-available/ssl.conf
+
+ -- Stefan Fritsch <sf at debian.org> Mon, 15 Nov 2010 22:53:03 +0100
+
apache2 (2.2.9-3) unstable; urgency=low
* The directive "NameVirtualHost *" has been changed to "NameVirtualHost
Modified: branches/lenny-apache2/changelog
URL: http://svn.debian.org/wsvn/pkg-apache/branches/lenny-apache2/changelog?rev=1254&op=diff
==============================================================================
--- branches/lenny-apache2/changelog (original)
+++ branches/lenny-apache2/changelog Sun Dec 5 10:47:02 2010
@@ -1,3 +1,14 @@
+apache2 (2.2.9-10+lenny9) UNRELEASED; urgency=low
+
+ * Add the new SSLInsecureRenegotiation directive to configure if clients
+ that have not been patched to support secure renegotiation (RFC 5746)
+ are allowed to connect (CVE-2009-3555).
+ Together with the recent openssl upgrade, this closes: #587037
+ This upgrade also adds support for the SSL_SECURE_RENEG variable, to
+ allow testing if secure renegotiation is supported by the client.
+
+ -- Stefan Fritsch <sf at debian.org> Mon, 15 Nov 2010 22:46:40 +0100
+
apache2 (2.2.9-10+lenny8) stable; urgency=low
* Add missing psmisc dependency for killall used in the init script.
Modified: branches/lenny-apache2/config-dir/mods-available/ssl.conf
URL: http://svn.debian.org/wsvn/pkg-apache/branches/lenny-apache2/config-dir/mods-available/ssl.conf?rev=1254&op=diff
==============================================================================
--- branches/lenny-apache2/config-dir/mods-available/ssl.conf (original)
+++ branches/lenny-apache2/config-dir/mods-available/ssl.conf Sun Dec 5 10:47:02 2010
@@ -61,4 +61,8 @@
# enable only secure protocols: SSLv3 and TLSv1, but not SSLv2
SSLProtocol all -SSLv2
+# Allow insecure renegotiation with clients which do not yet support the
+# secure renegotiation protocol. Default: Off
+#SSLInsecureRenegotiation on
+
</IfModule>
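Review bot: The new comment above `#SSLInsecureRenegotiation on` states the default but not the consequence of turning it on, which is the one thing an administrator reading ssl.conf needs before uncommenting it. Suggest extending the comment with `# Enabling this re-exposes connections from such clients to the CVE-2009-3555 renegotiation attack; leave it off unless legacy clients require it.` so the trade-off is visible next to the directive rather than only in NEWS. A pointer to the NEWS entry for this version would also help, since the two texts describe the same switch.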
Modified: branches/lenny-apache2/control
URL: http://svn.debian.org/wsvn/pkg-apache/branches/lenny-apache2/control?rev=1254&op=diff
==============================================================================
--- branches/lenny-apache2/control (original)
+++ branches/lenny-apache2/control Sun Dec 5 10:47:02 2010
@@ -3,7 +3,7 @@
Priority: optional
Maintainer: Debian Apache Maintainers <debian-apache at lists.debian.org>
Uploaders: Tollef Fog Heen <tfheen at debian.org>, Thom May <thom at debian.org>, Adam Conrad <adconrad at 0c3.net>, Peter Samuelson <peter at p12n.org>, Stefan Fritsch <sf at debian.org>
-Build-Depends: debhelper (>=6.0.7), dpatch, lsb-release, libaprutil1-dev, libapr1-dev (>= 1.2.7-6), openssl, libpcre3-dev, mawk, zlib1g-dev, libssl-dev, sharutils
+Build-Depends: debhelper (>=6.0.7), dpatch, lsb-release, libaprutil1-dev, libapr1-dev (>= 1.2.7-6), openssl, libpcre3-dev, mawk, zlib1g-dev, libssl-dev (>=0.9.8g-15+lenny10), sharutils
Standards-Version: 3.8.0
Vcs-Browser: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2
Vcs-svn: svn://svn.debian.org/pkg-apache/trunk/apache2
Modified: branches/lenny-apache2/patches/00list
URL: http://svn.debian.org/wsvn/pkg-apache/branches/lenny-apache2/patches/00list?rev=1254&op=diff
==============================================================================
--- branches/lenny-apache2/patches/00list (original)
+++ branches/lenny-apache2/patches/00list Sun Dec 5 10:47:02 2010
@@ -38,6 +38,7 @@
077_CVE-2010-0408.dpatch
078_CVE-2010-0434.dpatch
079_avoid_brigade_destroy.dpatch
+080_CVE-2009-3555-rfc5746.dpatch
099_config_guess_sub_update
200_cp_suexec.dpatch
201_build_suexec-custom.dpatch
Added: branches/lenny-apache2/patches/080_CVE-2009-3555-rfc5746.dpatch
URL: http://svn.debian.org/wsvn/pkg-apache/branches/lenny-apache2/patches/080_CVE-2009-3555-rfc5746.dpatch?rev=1254&op=file
==============================================================================
--- branches/lenny-apache2/patches/080_CVE-2009-3555-rfc5746.dpatch (added)
+++ branches/lenny-apache2/patches/080_CVE-2009-3555-rfc5746.dpatch Sun Dec 5 10:47:02 2010
@@ -1,0 +1,178 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+# Description: Add support for SSLInsecureRenegotiation directive
+# Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=917044
+
+ at DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' lenny-apache2~/modules/ssl/mod_ssl.c lenny-apache2/modules/ssl/mod_ssl.c
+--- lenny-apache2~/modules/ssl/mod_ssl.c 2010-11-15 22:45:54.000000000 +0100
++++ lenny-apache2/modules/ssl/mod_ssl.c 2010-11-15 23:14:11.411204883 +0100
+@@ -143,6 +143,8 @@
+ "(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
+ SSL_CMD_SRV(HonorCipherOrder, FLAG,
+ "Use the server's cipher ordering preference")
++ SSL_CMD_SRV(InsecureRenegotiation, FLAG,
++ "Enable support for insecure renegotiation")
+ SSL_CMD_ALL(UserName, TAKE1,
+ "Set user name to SSL variable value")
+
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' lenny-apache2~/modules/ssl/ssl_engine_config.c lenny-apache2/modules/ssl/ssl_engine_config.c
+--- lenny-apache2~/modules/ssl/ssl_engine_config.c 2010-11-15 22:45:54.000000000 +0100
++++ lenny-apache2/modules/ssl/ssl_engine_config.c 2010-11-15 23:14:11.411204883 +0100
+@@ -169,6 +169,7 @@
+ sc->vhost_id_len = 0; /* set during module init */
+ sc->session_cache_timeout = UNSET;
+ sc->cipher_server_pref = UNSET;
++ sc->insecure_reneg = UNSET;
+
+ modssl_ctx_init_proxy(sc, p);
+
+@@ -257,6 +258,7 @@
+ cfgMergeBool(proxy_enabled);
+ cfgMergeInt(session_cache_timeout);
+ cfgMergeBool(cipher_server_pref);
++ cfgMergeBool(insecure_reneg);
+
+ modssl_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy);
+
+@@ -674,6 +676,19 @@
+ #endif
+ }
+
++const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag)
++{
++#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
++ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
++ sc->insecure_reneg = flag?TRUE:FALSE;
++ return NULL;
++#else
++ return "The SSLInsecureRenegotiation directive is not available "
++ "with this SSL library";
++#endif
++}
++
++
+ static const char *ssl_cmd_check_dir(cmd_parms *parms,
+ const char **dir)
+ {
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' lenny-apache2~/modules/ssl/ssl_engine_init.c lenny-apache2/modules/ssl/ssl_engine_init.c
+--- lenny-apache2~/modules/ssl/ssl_engine_init.c 2010-11-15 23:14:11.306955553 +0100
++++ lenny-apache2/modules/ssl/ssl_engine_init.c 2010-11-15 23:14:11.411204883 +0100
+@@ -364,6 +364,7 @@
+ MODSSL_SSL_METHOD_CONST SSL_METHOD *method = NULL;
+ char *cp;
+ int protocol = mctx->protocol;
++ SSLSrvConfigRec *sc = mySrvConfig(s);
+
+ /*
+ * Create the new per-server SSL context
+@@ -414,11 +415,14 @@
+ }
+
+ #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+- {
+- SSLSrvConfigRec *sc = mySrvConfig(s);
+- if (sc->cipher_server_pref == TRUE) {
+- SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+- }
++ if (sc->cipher_server_pref == TRUE) {
++ SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
++ }
++#endif
++
++#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
++ if (sc->insecure_reneg == TRUE) {
++ SSL_CTX_set_options(ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
+ }
+ #endif
+
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' lenny-apache2~/modules/ssl/ssl_engine_kernel.c lenny-apache2/modules/ssl/ssl_engine_kernel.c
+--- lenny-apache2~/modules/ssl/ssl_engine_kernel.c 2010-11-15 23:14:11.310953934 +0100
++++ lenny-apache2/modules/ssl/ssl_engine_kernel.c 2010-11-15 23:14:11.411204883 +0100
+@@ -612,10 +612,18 @@
+ else {
+ request_rec *id = r->main ? r->main : r;
+
+- /* do a full renegotiation */
++ /* Perform a full renegotiation. */
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
+- "Performing full renegotiation: "
+- "complete handshake protocol");
++ "Performing full renegotiation: complete handshake "
++ "protocol (%s support secure renegotiation)",
++#if defined(SSL_get_secure_renegotiation_support)
++ SSL_get_secure_renegotiation_support(ssl) ?
++ "client does" : "client does not"
++#else
++ "server does not"
++#endif
++ );
++
+
+ SSL_set_session_id_context(ssl,
+ (unsigned char *)&id,
+@@ -631,6 +639,7 @@
+ if (SSL_get_state(ssl) != SSL_ST_OK) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
+ "Re-negotiation request failed");
++ ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, r->server);
+
+ r->connection->aborted = 1;
+ return HTTP_FORBIDDEN;
+@@ -917,6 +926,7 @@
+ "SSL_VERSION_INTERFACE",
+ "SSL_VERSION_LIBRARY",
+ "SSL_PROTOCOL",
++ "SSL_SECURE_RENEG",
+ "SSL_COMPRESS_METHOD",
+ "SSL_CIPHER",
+ "SSL_CIPHER_EXPORT",
+@@ -1061,6 +1071,12 @@
+ }
+ }
+
++
++#ifdef SSL_get_secure_renegotiation_support
++ apr_table_setn(r->notes, "ssl-secure-reneg",
++ SSL_get_secure_renegotiation_support(ssl) ? "1" : "0");
++#endif
++
+ return DECLINED;
+ }
+
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' lenny-apache2~/modules/ssl/ssl_engine_vars.c lenny-apache2/modules/ssl/ssl_engine_vars.c
+--- lenny-apache2~/modules/ssl/ssl_engine_vars.c 2010-11-15 22:45:54.000000000 +0100
++++ lenny-apache2/modules/ssl/ssl_engine_vars.c 2010-11-15 23:18:12.226747522 +0100
+@@ -320,6 +320,14 @@
+ else if (ssl != NULL && strcEQ(var, "COMPRESS_METHOD")) {
+ result = ssl_var_lookup_ssl_compress_meth(ssl);
+ }
++ else if (ssl != NULL && strcEQ(var, "SECURE_RENEG")) {
++ int flag = 0;
++#ifdef SSL_get_secure_renegotiation_support
++ flag = SSL_get_secure_renegotiation_support(ssl);
++#endif
++ result = apr_pstrdup(p, flag ? "true" : "false");
++ }
++
+ return result;
+ }
+
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' lenny-apache2~/modules/ssl/ssl_private.h lenny-apache2/modules/ssl/ssl_private.h
+--- lenny-apache2~/modules/ssl/ssl_private.h 2010-11-15 23:14:11.310953934 +0100
++++ lenny-apache2/modules/ssl/ssl_private.h 2010-11-15 23:14:11.411204883 +0100
+@@ -460,6 +460,7 @@
+ int vhost_id_len;
+ int session_cache_timeout;
+ BOOL cipher_server_pref;
++ BOOL insecure_reneg;
+ modssl_ctx_t *server;
+ modssl_ctx_t *proxy;
+ };
+@@ -526,6 +527,7 @@
+ const char *ssl_cmd_SSLRequireSSL(cmd_parms *, void *);
+ const char *ssl_cmd_SSLRequire(cmd_parms *, void *, const char *);
+ const char *ssl_cmd_SSLUserName(cmd_parms *, void *, const char *);
++const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag);
+
+ const char *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
+ const char *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *);
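Review bot: The `SECURE_RENEG` branch added to ssl_engine_vars.c yields `"false"` both when the client lacks the RFC 5746 extension and when the build has no `SSL_get_secure_renegotiation_support` at all, whereas the `ssl-secure-reneg` note added to ssl_engine_kernel.c is simply not set in the second case; an access rule that denies on `SSL_SECURE_RENEG` being `false` would therefore reject every client on a build against an older OpenSSL, which the changelog text ("allow testing if secure renegotiation is supported by the client") does not warn about. A comment on the `int flag = 0;` line such as `/* also "false" when the SSL library itself lacks RFC 5746 support */`, or a distinct value in that case, would make the two paths consistent. Separately, `SSLSrvConfigRec *sc = mySrvConfig(s);` in ssl_engine_init.c is now declared outside both `#ifdef` blocks that use it, so a build defining neither `SSL_OP_CIPHER_SERVER_PREFERENCE` nor `SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION` will get an unused-variable warning. The functions touched by the embedded hunks all start and end outside the visible lines.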