Your message dated Sat, 11 Aug 2012 12:20:16 +0100
with message-id <1344684016.2978.36.camel@jacala.jungle.funky-badger.org>
and subject line Re: Bug#684567: unblock: apache2/2.2.22-11
has caused the Debian Bug report #684567,
regarding unblock: apache2/2.2.22-11
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

-- 
684567: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684567
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: apache2/2.2.22-11
- From: Arno Töll <arno@debian.org>
- Date: Sat, 11 Aug 2012 12:16:29 +0200
- Message-id: <502630FD.2020104@debian.org>
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock
Severity: normal

Please unblock package apache2. I've attached a git diff of changes since 2.2.22-9 which is currently in Testing. These are changes since then:

Close bug #682840 "Default /etc/apache2/mods-available/disk_cache.conf is incompatible with ext3". It turned out Apache's default configuration for mod_cache_disk does not work very well under some circumstances, causing Apache to stop service. We changed the default to a more moderate setting. This is a non-invasive default configuration change only. However, we need to purge the on-disk cache of users on upgrades. This was fixed in 2.2.22-10, whereas upload 2.2.22-11 makes the handling of the cache directory more secure to avoid link attacks.

Close bug #682401 "dbmmanage: please use Digest::SHA instead of Digest::SHA1". The Perl modules used by dbmmanage are not shipped in Wheezy. The patch makes dbmmanage work on Wheezy.

Switch to xz compression for .deb members. This was done upon request as Apache might end up on Wheezy's CD1 (if we switch to Gnome again) because gnome-user-server reverse depends on it.

Close bug #682897: "apache2: Directive "SSLProtocol" should support TLS 1.1+". Add support for TLSv1.0 and TLS in OpenSSL. The SSL Protocol change is important because it allows administrators to work around interoperability problems that will doubtless occur with TLS v1.[12] with some buggy clients. Admittedly this is a heavy patch but we think it is of great benefit to Wheezy. It was backported from upstream's Apache 2.4 branch.

unblock apache2/2.2.22-11

diff --git a/debian/apache2.2-common.postinst b/debian/apache2.2-common.postinst index 65a565c..a730b9e 100644 --- a/debian/apache2.2-common.postinst +++ b/debian/apache2.2-common.postinst 
@@ -102,6 +102,23 @@ if [ -e /etc/apache2/disable-other-vhost-access-log.dpkg-apache2.2-common ] ; th rm /etc/apache2/disable-other-vhost-access-log.dpkg-apache2.2-common fi + +# Should run on upgrades from Squeeze or Testing only +# This code existed in parts 2.2.22-10 already but it wasn't complete. +# Thus, users of 2.2.22-10 (only in Sid) enter here as well. That's not +# optimal, but not a problem either. +if [ -n "$2" ] && dpkg --compare-versions "$2" lt 2.2.22-11; then + if [ -d /var/cache/apache2/mod_disk_cache ] ; then + echo "Purging old mod_disk_cache cache data in /var/cache/apache2/mod_disk_cache" + if [ -d /var/cache/apache2/ ] && [ "$(stat -c '%U' /var/cache/apache2/)" = "www-data" ] ; then + chown root:root /var/cache/apache2/ + fi + rm -rf /var/cache/apache2/mod_disk_cache + install -o www-data -g www-data -d /var/cache/apache2/mod_disk_cache/ + fi +fi + + rm -f /etc/apache2/ports.conf.dpkg-apache2.2-common.old rm -f /etc/default/apache2.dpkg-apache2.2-common.old rm -f /etc/apache2/conf.d/charset.dpkg-apache2.2-common.old diff --git a/debian/changelog b/debian/changelog index 6fa1ac1..665b678 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,31 @@ +apache2 (2.2.22-11) unstable; urgency=low + + * Be more careful regarding link attacks when purging the cache disk + directory. + * Change file ownership of /var/cache/apache2/ to root. + * Compress the data.tar in binary packages using xz to save some space on + installation medias (Debian only). + + -- Arno Töll <arno@debian.org> Fri, 03 Aug 2012 23:20:50 +0200 + +apache2 (2.2.22-10) unstable; urgency=low + + [ Arno Töll ] + * Fix "dbmmanage: please use Digest::SHA instead of Digest::SHA1" by changing + perl module imports to make use Digest::SHA shipped with perl 5.10 (Closes: + #682401) + * Fix "Default /etc/apache2/mods-available/disk_cache.conf is incompatible + with ext3" by changing the default to more moderate values. Some file + systems have a hard limit for the number of subdirectories in a single + directory. This change requires the cache directory to be purged. + (Closes: #682840) + + [ Stefan Fritsch ] + * Add support for TLSv1.0 ans TLSv1.1 to SSLProtocol and SSLProxyProtocol + directives. Closes: #682897 + + -- Stefan Fritsch <sf@debian.org> Mon, 30 Jul 2012 22:23:02 +0200 + apache2 (2.2.22-9) unstable; urgency=low * Fix typo in conf.d/security comment. Closes: #678740 diff --git a/debian/config-dir/mods-available/disk_cache.conf b/debian/config-dir/mods-available/disk_cache.conf index 01414dc..3a7361b 100644 --- a/debian/config-dir/mods-available/disk_cache.conf +++ b/debian/config-dir/mods-available/disk_cache.conf @@ -14,6 +14,10 @@ #CacheEnable disk / - CacheDirLevels 5 - CacheDirLength 3 + # The result of CacheDirLevels * CacheDirLength must not be higher than + # 20. Moreover, pay attention on file system limits. Some file systems + # do not support more than a certain number of subdirectories in a + # single directory (e.g. 32000 for ext3) + CacheDirLevels 2 + CacheDirLength 1 </IfModule> 
diff --git a/debian/patches/SSLProtocol-tls11-12.2.patch b/debian/patches/SSLProtocol-tls11-12.2.patch new file mode 100644 index 0000000..3c1c925 --- /dev/null +++ b/debian/patches/SSLProtocol-tls11-12.2.patch 
@@ -0,0 +1,148 @@ +Description: Support TLSv1.1 and TLSv1.2 in SSLProtocol directive +Forwarded: not-needed +Author: Stefan Fritsch +Last-Update: 2012-07-30 +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=682897 +# +# This patch encompases backports from 2.4 branch; +# +# http://svn.apache.org/viewvc?view=revision&revision=1222921 +# http://svn.apache.org/viewvc?view=revision&revision=1222930 +# +# However, it also accounts for the fact that SSLv2 support +# remains present in httpd-2.2 branch and makes no changes +# which changes the existing configuration behavior, with +# the exception of adding TLS1.1 and TLS1.2 by default.) +# +Index: apache2/modules/ssl/ssl_private.h +=================================================================== +--- apache2.orig/modules/ssl/ssl_private.h ++++ apache2/modules/ssl/ssl_private.h +@@ -59,6 +59,11 @@ + /** mod_ssl headers */ + #include "ssl_toolkit_compat.h" + #include "ssl_expr.h" ++ ++#ifdef SSL_OP_NO_TLSv1_2 ++#define HAVE_TLSV1_X ++#endif ++ + #include "ssl_util_ssl.h" + + /** The #ifdef macros are only defined AFTER including the above +@@ -218,10 +223,14 @@ + #define SSL_PROTOCOL_SSLV2 (1<<0) + #define SSL_PROTOCOL_SSLV3 (1<<1) + #define SSL_PROTOCOL_TLSV1 (1<<2) ++#define SSL_PROTOCOL_TLSV1_1 (1<<3) ++#define SSL_PROTOCOL_TLSV1_2 (1<<4) + #ifndef OPENSSL_NO_SSL2 +-#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_SSLV2|SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1) ++#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_SSLV2|SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1|\ ++ SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2) + #else +-#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1) ++#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1|\ ++ SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2) + #endif + typedef int ssl_proto_t; + +Index: apache2/modules/ssl/ssl_engine_init.c +=================================================================== +--- apache2.orig/modules/ssl/ssl_engine_init.c ++++ apache2/modules/ssl/ssl_engine_init.c 
+@@ -459,6 +459,10 @@ + (protocol & SSL_PROTOCOL_SSLV2 ? "SSLv2, " : ""), + (protocol & SSL_PROTOCOL_SSLV3 ? "SSLv3, " : ""), + (protocol & SSL_PROTOCOL_TLSV1 ? "TLSv1, " : ""), ++#ifdef HAVE_TLSV1_X ++ (protocol & SSL_PROTOCOL_TLSV1_1 ? "TLSv1.1, " : ""), ++ (protocol & SSL_PROTOCOL_TLSV1_2 ? "TLSv1.2, " : ""), ++#endif + NULL); + cp[strlen(cp)-2] = NUL; + +@@ -474,6 +478,21 @@ + } + else + #endif ++#ifdef HAVE_TLSV1_X ++ if (protocol == SSL_PROTOCOL_TLSV1_1) { ++ method = mctx->pkp ? ++ TLSv1_1_client_method() : /* proxy */ ++ TLSv1_1_server_method(); /* server */ ++ ctx = SSL_CTX_new(method); ++ } ++ else if (protocol == SSL_PROTOCOL_TLSV1_2) { ++ method = mctx->pkp ? ++ TLSv1_2_client_method() : /* proxy */ ++ TLSv1_2_server_method(); /* server */ ++ ctx = SSL_CTX_new(method); ++ } ++ else ++#endif + { + method = mctx->pkp ? + SSLv23_client_method() : /* proxy */ +@@ -497,6 +516,16 @@ + SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1); + } + ++#ifdef HAVE_TLSV1_X ++ if (!(protocol & SSL_PROTOCOL_TLSV1_1)) { ++ SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1); ++ } ++ ++ if (!(protocol & SSL_PROTOCOL_TLSV1_2)) { ++ SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_2); ++ } ++#endif ++ + #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE + if (sc->cipher_server_pref == TRUE) { + SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); +Index: apache2/modules/ssl/ssl_engine_config.c +=================================================================== +--- apache2.orig/modules/ssl/ssl_engine_config.c ++++ apache2/modules/ssl/ssl_engine_config.c +@@ -1286,6 +1286,14 @@ + else if (strcEQ(w, "TLSv1")) { + thisopt = SSL_PROTOCOL_TLSV1; + } ++#ifdef HAVE_TLSV1_X ++ else if (strcEQ(w, "TLSv1.1")) { ++ thisopt = SSL_PROTOCOL_TLSV1_1; ++ } ++ else if (strcEQ(w, "TLSv1.2")) { ++ thisopt = SSL_PROTOCOL_TLSV1_2; ++ } ++#endif + else if (strcEQ(w, "all")) { + thisopt = SSL_PROTOCOL_ALL; + } +Index: apache2/modules/ssl/mod_ssl.c +=================================================================== +--- 
apache2.orig/modules/ssl/mod_ssl.c ++++ apache2/modules/ssl/mod_ssl.c +@@ -142,8 +142,8 @@ + "SSL Session Cache object lifetime " + "(`N' - number of seconds)") + SSL_CMD_SRV(Protocol, RAW_ARGS, +- "Enable or disable various SSL protocols" +- "(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)") ++ "Enable or disable various SSL protocols " ++ "('[+-][SSLv3|TLSv1|TLSv1.1|TLSv1.2] ...' - see manual)") + SSL_CMD_SRV(HonorCipherOrder, FLAG, + "Use the server's cipher ordering preference") + SSL_CMD_SRV(InsecureRenegotiation, FLAG, +@@ -160,8 +160,8 @@ + "SSL switch for the proxy protocol engine " + "(`on', `off')") + SSL_CMD_SRV(ProxyProtocol, RAW_ARGS, +- "SSL Proxy: enable or disable SSL protocol flavors " +- "(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)") ++ "SSL Proxy: enable or disable SSL protocol flavors " ++ "('[+-][SSLv3|TLSv1|TLSv1.1|TLSv1.2] ...' - see manual)") + SSL_CMD_SRV(ProxyCipherSuite, TAKE1, + "SSL Proxy: colon-delimited list of permitted SSL ciphers " + "(`XXX:...:XXX' - see manual)") diff --git a/debian/patches/dbmmanage-perl-510.patch b/debian/patches/dbmmanage-perl-510.patch new file mode 100644 index 0000000..0729016 --- /dev/null +++ b/debian/patches/dbmmanage-perl-510.patch 
@@ -0,0 +1,54 @@ +Description: Make use of builtin SHA1 perl routines in Perl 5.10 +Forwarded: not-needed +Author: Arno Töll <arno@debian.org> +Last-Update: 2012-07-23 +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=682401 +--- a/support/dbmmanage.in ++++ b/support/dbmmanage.in +@@ -20,6 +20,7 @@ + # + # usage: dbmmanage <DBMfile> <command> <user> <password> <groups> <comment> + ++require v5.10; + package dbmmanage; + # -ldb -lndbm -lgdbm -lsdbm + BEGIN { @AnyDBM_File::ISA = qw(DB_File NDBM_File GDBM_File SDBM_File) } +@@ -49,14 +50,15 @@ + } + + sub need_sha1_crypt { +- if (!eval ('require "Digest/SHA1.pm";')) { ++ if (!eval ('require "Digest/SHA.pm";')) { + print STDERR <<SHAERR; + dbmmanage SHA1 passwords require the interface or the module Digest::SHA1 +-available from CPAN: ++available from CPAN and Debian: + +- http://www.cpan.org/modules/by-module/Digest/Digest-MD5-2.12.tar.gz ++ Debian package: libdigest-sha-perl ++ CPAN: http://search.cpan.org/~mshelor/Digest-SHA-5.71/lib/Digest/SHA.pm + +-Please install Digest::SHA1 and try again, or use a different crypt option: ++Please install Digest::SHA and try again, or use a different crypt option: + + SHAERR + usage(); +@@ -67,7 +69,9 @@ + if (!eval ('require "Crypt/PasswdMD5.pm";')) { + print STDERR <<MD5ERR; + dbmmanage MD5 passwords require the module Crypt::PasswdMD5 available from CPAN ++and Debian: + ++ Debian package: libcrypt-passwdmd5-perl + http://www.cpan.org/modules/by-module/Crypt/Crypt-PasswdMD5-1.1.tar.gz + + Please install Crypt::PasswdMD5 and try again, or use a different crypt option: +@@ -209,7 +213,7 @@ + + sub cryptpw_sha1 { + my($pw, $salt) = @_; +- '{SHA}' . Digest::SHA1::sha1_base64($pw) . "="; ++ '{SHA}' . Digest::SHA::sha1_base64($pw) . "="; + } + + sub cryptpw { diff --git a/debian/patches/series b/debian/patches/series index 15b506b..6113b65 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -30,3 +30,5 @@ # If you're aware of that you can uncomment it at any time later and work on it # as you wish. #202_suexec-custom +dbmmanage-perl-510.patch +SSLProtocol-tls11-12.2.patch diff --git a/debian/rules b/debian/rules index 4cb688d..df368d0 100755 --- a/debian/rules +++ b/debian/rules @@ -237,7 +237,7 @@ override_dh_fixperms: chmod 4754 debian/apache2-suexec-custom/usr/lib/apache2/suexec chgrp www-data debian/apache2-suexec-custom/usr/lib/apache2/suexec dh_fixperms -Xusr/lib/apache2/suexec - chown -R www-data:www-data debian/apache2.2-common/var/cache/apache2 + chown -R www-data:www-data debian/apache2.2-common/var/cache/apache2/mod_disk_cache chown root:adm debian/apache2.2-common/var/log/apache2 chmod o-rx debian/apache2.2-common/var/log/apache2 @@ -290,7 +290,7 @@ override_dh_builddeb: sed -i '/apache2-dbg/d' debian/files; \ dh_builddeb -Napache2-dbg; \ else \ - dh_builddeb; \ + dh_builddeb -- -Zxz; \ fi override_dh_installlogrotate:Attachment: signature.asc
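Review bot: In the postinst hunk, the ownership guard only handles the case where /var/cache/apache2/ is owned by exactly "www-data" (the `stat -c '%U'` result is compared against that one name), so a parent owned by another non-root account, or left group/world writable, still lets `rm -rf /var/cache/apache2/mod_disk_cache` run underneath a directory the service account can rename into. Consider also refusing when the parent is a symlink (`[ ! -L /var/cache/apache2 ]`) or writable by anyone but root, and note that GNU stat prints `UNKNOWN` for `%U` when the uid has no passwd entry, which would silently skip the chown.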
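Review bot: The 2.2.22-10 changelog entry says "Add support for TLSv1.0 ans TLSv1.1" while the patch it refers to is described as "Support TLSv1.1 and TLSv1.2 in SSLProtocol directive"; besides the "ans" typo, the versions named should match the patch (TLSv1.1 and TLSv1.2). In the 2.2.22-11 entry, "installation medias" should read "installation media".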
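Review bot: In the disk_cache.conf hunk the new comment should read "pay attention to file system limits" rather than "pay attention on"; the rest of the comment (the levels*length bound and the ext3 subdirectory figure) reads fine.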
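Review bot: The help strings changed in mod_ssl.c drop SSLv2 from the accepted names ("'[+-][SSLv3|TLSv1|TLSv1.1|TLSv1.2] ...'") although the patch header states SSLv2 support remains in the 2.2 branch and the ssl_engine_config.c hunk still sits next to the existing SSLv2 branch; either keep SSLv2 in the usage text or note why it is omitted. The patch header also has "encompases" for "encompasses" and a stray ")" after "by default.". One more consistency point: SSL_PROTOCOL_ALL gains the TLSv1.1/1.2 bits unconditionally in ssl_private.h while every use of them in ssl_engine_init.c is under `#ifdef HAVE_TLSV1_X`; that is harmless because the parser rejects the new names without HAVE_TLSV1_X, but a comment saying so would save the next reader the check.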
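Review bot: In the dbmmanage patch, the first line of the need_sha1_crypt error text still reads "require the interface or the module Digest::SHA1" while the `require` and the closing "Please install Digest::SHA" line now refer to Digest::SHA; update that line so the message names the module the code actually loads.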
Description: OpenPGP digital signature
--- End Message ---
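The link-attack concern raised in the unblock request above (purging a www-data-owned cache directory from a root-run maintainer script) is illustrated by the following added shell example; it is not code from the apache2 package or from Arno. It assumes GNU coreutils stat(1) and install(1), and the function name safe_purge_cache and its parameters (parent directory, cache name, owner) are my own so the logic can be exercised on a scratch directory. Unlike the postinst, which chowns the parent to root, this version refuses to purge when any precondition fails, which keeps the decision visible in the log.

```shell
#!/bin/sh
# Added example (not from the Debian apache2 package): purge and recreate a
# service-owned cache directory with checks that guard against link attacks.
# Assumes GNU coreutils stat(1) and install(1).
#
# Threat model (from the unblock request): the cache subdirectory is owned by
# the service account (www-data). If the *parent* is also owned or writable by
# that account, the account can swap the subdirectory for a symlink or rename
# entries while a privileged "rm -rf" walks the tree.

# safe_purge_cache PARENT NAME OWNER
#   PARENT  directory that must be controlled by the caller (root in a postinst)
#   NAME    cache subdirectory inside PARENT to purge and recreate
#   OWNER   account that will own the recreated subdirectory
# Returns 0 on success, 1 when a precondition fails (nothing is removed then).
safe_purge_cache() {
    parent=$1; name=$2; owner=$3
    target="$parent/$name"

    # 1. The parent must be a real directory, not a symlink to somewhere else.
    if [ -L "$parent" ] || [ ! -d "$parent" ]; then
        echo "refusing: $parent is not a plain directory" >&2; return 1
    fi
    # 2. The parent must be owned by the user running the purge, so the
    #    service account cannot rename entries underneath us.
    if [ "$(stat -c '%u' "$parent")" != "$(id -u)" ]; then
        echo "refusing: $parent is not owned by uid $(id -u)" >&2; return 1
    fi
    # 3. The parent must not be writable by group or others
    #    (%A prints e.g. drwxr-xr-x; group write is the 6th char, other write the 9th).
    case $(stat -c '%A' "$parent") in
        ?????w*|????????w*)
            echo "refusing: $parent is group/world writable" >&2; return 1 ;;
    esac
    # 4. The cache entry itself must not be a symlink. "rm -rf" on a symlink
    #    removes only the link, but refusing makes the tampering visible.
    if [ -L "$target" ]; then
        echo "refusing: $target is a symlink" >&2; return 1
    fi

    # Preconditions hold: purge and recreate with the service account as owner.
    rm -rf "$target"
    install -o "$owner" -d "$target"
}

# Usage in a maintainer script (run as root):
#   safe_purge_cache /var/cache/apache2 mod_disk_cache www-data
```

The ownership and mode checks on the parent are the part that matters: once the parent can only be modified by root, the service account has no way to redirect the `rm -rf` through a renamed entry or a symlinked parent, and the recreated directory starts empty under the intended owner.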
--- Begin Message ---
- To: Arno Töll <arno@debian.org>, 684567-done@bugs.debian.org
- Subject: Re: Bug#684567: unblock: apache2/2.2.22-11
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 11 Aug 2012 12:20:16 +0100
- Message-id: <1344684016.2978.36.camel@jacala.jungle.funky-badger.org>
- In-reply-to: <502630FD.2020104@debian.org>
- References: <502630FD.2020104@debian.org>
On Sat, 2012-08-11 at 12:16 +0200, Arno Töll wrote:
> Please unblock package apache2. I've attached a git diff of changes
> since 2.2.22-9 which is currently in Testing. These are changes since then:
>
> Close bug #682840 "Default /etc/apache2/mods-available/disk_cache.conf
> is incompatible with ext3".
[...]
> Close bug #682401 "dbmmanage: please use Digest::SHA instead of
> Digest::SHA1". The Perl modules used by dbmmanage are not shipped in
> Wheezy. The patch makes dbmmanage work on Wheezy.

This all looks okay.

> Switch to xz compression for .deb members. This was done upon request as
> Apache might end up on Wheezy's CD1 (if we switch to Gnome again)
> because gnome-user-server reverse depends on it.

We haven't actually switched _away_, fwiw...

> Close bug #682897: "apache2: Directive "SSLProtocol" should support TLS
> 1.1+". Add support for TLSv1.0 and TLS in OpenSSL. The SSL Protocol
> change is important because it allows administrators to work around
> interoperability problems that will doubtless occur with TLS v1.[12] with
> some buggy clients. Admittedly this is a heavy patch but we think it is
> of great benefit to Wheezy. It was backported from upstream's Apache 2.4
> branch.

Unblocked; thanks.

Regards,

Adam
--- End Message ---
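To make the SSLProtocol behaviour discussed in this thread concrete, here is an added shell example (not from the apache2 package or from either poster) that resolves an SSLProtocol or SSLProxyProtocol argument list to the resulting protocol set. It assumes the grammar mod_ssl's parser applies as I read ssl_engine_config.c: a bare name replaces the set, "+name" adds, "-name" removes, and "all" is every protocol the build knows. The bit values mirror the SSL_PROTOCOL_* macros in the patch; the function names proto_bit and ssl_protocol_set are my own.

```shell
#!/bin/sh
# Added example, not code from the apache2 package: resolve an SSLProtocol /
# SSLProxyProtocol argument list to the enabled protocols. The semantics
# (bare name replaces, +name adds, -name removes, "all" = everything) are my
# reading of mod_ssl's ssl_cmd_protocol_parse and are stated as an assumption.
# Bit values mirror the SSL_PROTOCOL_* macros from the TLS 1.1/1.2 patch.

PROTO_SSLV2=1; PROTO_SSLV3=2; PROTO_TLSV1=4; PROTO_TLSV1_1=8; PROTO_TLSV1_2=16
PROTO_ALL=31   # httpd 2.2 keeps SSLv2 in "all" unless OpenSSL lacks it

# proto_bit NAME -> prints the bit for NAME; returns 1 for an unknown name
# (httpd would reject the whole directive with a configuration error).
proto_bit() {
    case $1 in
        SSLv2)   echo $PROTO_SSLV2 ;;
        SSLv3)   echo $PROTO_SSLV3 ;;
        TLSv1)   echo $PROTO_TLSV1 ;;
        TLSv1.1) echo $PROTO_TLSV1_1 ;;
        TLSv1.2) echo $PROTO_TLSV1_2 ;;
        all)     echo $PROTO_ALL ;;
        *)       echo "unknown protocol '$1'" >&2; return 1 ;;
    esac
}

# ssl_protocol_set "ARGS" -> prints the enabled protocols, space separated,
# in the fixed order SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2.
ssl_protocol_set() {
    mask=0
    for w in $1; do
        action=""
        case $w in
            +*) action=+; w=${w#+} ;;
            -*) action=-; w=${w#-} ;;
        esac
        bit=$(proto_bit "$w") || return 1
        case $action in
            +) mask=$((mask | bit)) ;;
            -) mask=$((mask & ~bit)) ;;
            *) mask=$bit ;;            # bare name: replace the set, not add to it
        esac
    done
    out=""
    for name in SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2; do
        bit=$(proto_bit "$name")
        [ $((mask & bit)) -ne 0 ] && out="$out $name"
    done
    echo "${out# }"
}

# Examples:
#   ssl_protocol_set 'all -SSLv2 -SSLv3'   -> TLSv1 TLSv1.1 TLSv1.2
#   ssl_protocol_set 'TLSv1 TLSv1.1'       -> TLSv1.1  (bare names replace)
```

The case worth remembering is the second one: `SSLProtocol TLSv1 TLSv1.1` enables only TLSv1.1 because a bare name replaces rather than extends the set, while `SSLProtocol all -SSLv2 -SSLv3` is the form that keeps the TLS versions this upload adds. Name matching here is case-sensitive, whereas httpd's strcEQ compares case-insensitively.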