Hello community, here is the log from the commit of package apache2 for openSUSE:Factory checked in at 2014-10-09 12:52:02 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/apache2 (Old) and /work/SRC/openSUSE:Factory/.apache2.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apache2" Changes: -------- --- /work/SRC/openSUSE:Factory/apache2/apache2.changes 2014-03-31 20:43:12.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.apache2.new/apache2.changes 2014-10-09 12:52:04.000000000 +0200 
@@ -1,0 +2,60 @@ +Mon Oct 6 12:30:07 UTC 2014 - [email protected] + +- the following unused patches were removed from the package: + * apache2-mod_ssl_npn.patch + * httpd-2.0.49-log_server_status.dif + +------------------------------------------------------------------- +Mon Sep 29 11:57:40 UTC 2014 - [email protected] + +- 700 permissions for /usr/sbin/apache2-systemd-ask-pass and + /usr/sbin/start_apache2 [bnc#851627] + +------------------------------------------------------------------- +Wed Sep 26 15:38:17 UTC 2014 - [email protected] + +- allow only TCP ports in Yast2 firewall files + +------------------------------------------------------------------- +Fri Sep 26 15:00:45 UTC 2014 - [email protected] + +- more 2.2 -> 2.4 [bnc#862058] + +------------------------------------------------------------------- +Thu Sep 25 14:39:05 UTC 2014 - [email protected] + +- ServerSignature=Off and ServerTokens=Prod by request from + security team [bnc#716495] + +------------------------------------------------------------------- +Wed Sep 24 13:11:16 UTC 2014 - [email protected] + +- fix documentation links 2.2 -> 2.4 [bnc#888163] (internal) + +------------------------------------------------------------------- +Mon Jul 21 16:23:51 UTC 2014 - [email protected] + +- Update package Summary and Description. +- version 2.4.10 +* SECURITY: CVE-2014-0117 (cve.mitre.org) +* SECURITY: CVE-2014-3523 (cve.mitre.org) +* SECURITY: CVE-2014-0226 (cve.mitre.org) +* SECURITY: CVE-2014-0118 (cve.mitre.org) +* SECURITY: CVE-2014-0231 (cve.mitre.org) +* Multiple bugfixes to mod_ssl, mod_cache, mod_deflate, mod_lua +* mod_proxy_fcgi supports unix sockets. 
+ +------------------------------------------------------------------- +Mon Jul 21 07:21:21 UTC 2014 - [email protected] + +- provide httpd.service as alias for apache2.service for + compatibility reasons (bnc#888093) + +------------------------------------------------------------------- +Mon Apr 14 08:47:02 UTC 2014 - [email protected] + +- move most ssl options to ssl-global.conf. There is usually no need + for every vhost to re-define the ciphers for example (bnc#865582). + Drop some commented entries that only lead to confusion. + +------------------------------------------------------------------- Old: ---- apache2-mod_ssl_npn.patch httpd-2.0.49-log_server_status.dif httpd-2.4.9.tar.bz2 New: ---- httpd-2.4.10.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apache2.spec ++++++ --- /var/tmp/diff_new_pack.2czHpi/_old 2014-10-09 12:52:06.000000000 +0200 +++ /var/tmp/diff_new_pack.2czHpi/_new 2014-10-09 12:52:06.000000000 +0200 @@ -93,8 +93,8 @@ # "Server:" header %define VENDOR SUSE %define platform_string Linux/%VENDOR -%define realver 2.4.9 -Version: 2.4.9 +%define realver 2.4.10 +Version: 2.4.10 Release: 0 #Source0: http://www.apache.org/dist/httpd-%{version}.tar.bz2 Source0: httpd-%{realver}.tar.bz2 @@ -166,7 +166,7 @@ Patch111: httpd-visibility.patch Url: http://httpd.apache.org/ Icon: Apache.xpm -Summary: The Apache Web Server Version 2.2 +Summary: The Apache Web Server Version 2.4 License: Apache-2.0 Group: Productivity/Networking/Web/Servers Provides: %{apache_mmn} 
@@ -198,36 +198,15 @@ %endif %description -Apache 2, the successor to Apache 1. +This version of httpd is a major release of the 2.4 stable branch, +and represents the best available version of Apache HTTP Server. +New features include Loadable MPMs, major improvements to OCSP support, +mod_lua, Dynamic Reverse Proxy configuration, Improved Authentication/ +Authorization, FastCGI Proxy, New Expression Parser, and a Small Object +Caching API. -Apache is the most used Web server software worldwide. - -Some new features in Apache 2: - hybrid multiprocess, multithreaded - mode for improved scalability - -- multiprotocol support - -- stream filtering - -- IPv6 support - -- new module API - -New modules include: - mod_auth_db - -- mod_auth_digest - -- mod_charset_lite - -- mod_dav - -- mod_file_cache - -Mod_ssl is no longer a separate package, but is now included in the -Apache distribution. - -See /usr/share/doc/packages/apache2/, http://httpd.apache.org/, and -http://httpd.apache.org/docs-2.2/upgrading.html. + See /usr/share/doc/packages/apache2/, http://httpd.apache.org/, and +http://httpd.apache.org/docs-2.4/upgrading.html. %if %worker @@ -316,7 +295,7 @@ %endif %package devel -Summary: Apache 2.2 Header and Include Files +Summary: Apache 2 Header and Include Files Group: Development/Libraries/C and C++ Requires: %{name} = %{version} Requires: %{pname}-MPM @@ -332,7 +311,7 @@ %package doc -Summary: Additional Package Documentation. +Summary: Additional Package Documentation Group: Documentation/Other %if 0%{?suse_version} >= 901 && 0%{?sles_version} != 9 Provides: apache-doc 
@@ -643,10 +622,10 @@ # init script and friends mkdir -p $RPM_BUILD_ROOT/etc/init.d install -m 744 $RPM_SOURCE_DIR/rc.%{pname} $RPM_BUILD_ROOT/etc/init.d/%{pname} -install -m 744 $RPM_SOURCE_DIR/start_apache2 $RPM_BUILD_ROOT/usr/sbin/start_apache2 +install -m 700 $RPM_SOURCE_DIR/start_apache2 $RPM_BUILD_ROOT/usr/sbin/start_apache2 %if 0%{?suse_version} >= 1210 mkdir -p $RPM_BUILD_ROOT%{_unitdir}/system/ -install -m 744 $RPM_SOURCE_DIR/apache2-systemd-ask-pass $RPM_BUILD_ROOT/usr/sbin/apache2-systemd-ask-pass +install -m 700 $RPM_SOURCE_DIR/apache2-systemd-ask-pass $RPM_BUILD_ROOT/usr/sbin/apache2-systemd-ask-pass install -m 644 $RPM_SOURCE_DIR/apache2.service $RPM_BUILD_ROOT%{_unitdir}/system/apache2.service %endif ln -sf ../../etc/init.d/%{pname} $RPM_BUILD_ROOT/%{_sbindir}/rc%{pname} ++++++ apache2-README ++++++ --- /var/tmp/diff_new_pack.2czHpi/_old 2014-10-09 12:52:07.000000000 +0200 +++ /var/tmp/diff_new_pack.2czHpi/_new 2014-10-09 12:52:07.000000000 +0200 @@ -48,14 +48,14 @@ http://www.onlamp.com/pub/a/apache/2004/06/17/apacheckbk.html See -http://httpd.apache.org/docs-2.2/mpm.html and -http://httpd.apache.org/docs-2.2/misc/perf-tuning.html#compiletime +http:///httpd.apache.org/docs/2.4/mpm.html and +http:///httpd.apache.org/docs/2.4/misc/perf-tuning.html#compiletime for more technical details. In general, using a threaded MPM (worker) requires that all libraries that are loaded into apache (and libraries loaded by them in turn) be threadsafe as well. See -http://httpd.apache.org/docs-2.2/developer/thread_safety.html for a status on +http:///httpd.apache.org/docs/2.4/developer/thread_safety.html for a status on some libraries. ++++++ apache2-default-server.conf ++++++ --- /var/tmp/diff_new_pack.2czHpi/_old 2014-10-09 12:52:07.000000000 +0200 +++ /var/tmp/diff_new_pack.2czHpi/_new 2014-10-09 12:52:07.000000000 +0200 
@@ -17,7 +17,7 @@ # doesn't give it to you. # # The Options directive is both complicated and important. Please see - # http://httpd.apache.org/docs-2.2/mod/core.html#options + # http:///httpd.apache.org/docs/2.4/mod/core.html#options # for more information. Options None # AllowOverride controls what directives may be placed in .htaccess files. ++++++ apache2-default-vhost-ssl.conf ++++++ --- /var/tmp/diff_new_pack.2czHpi/_old 2014-10-09 12:52:07.000000000 +0200 +++ /var/tmp/diff_new_pack.2czHpi/_new 2014-10-09 12:52:07.000000000 +0200 @@ -2,7 +2,7 @@ # This is the Apache server configuration file providing SSL support. # It contains the configuration directives to instruct the server how to # serve pages over an https connection. For detailing information about these -# directives see <URL:http://httpd.apache.org/docs-2.2/mod/mod_ssl.html> +# directives see <URL:http:///httpd.apache.org/docs/2.4/mod/mod_ssl.html> # # Do NOT simply read the instructions in here without understanding # what they do. They're here only as hints or reminders. If you are unsure ++++++ apache2-default-vhost.conf ++++++ --- /var/tmp/diff_new_pack.2czHpi/_old 2014-10-09 12:52:07.000000000 +0200 +++ /var/tmp/diff_new_pack.2czHpi/_new 2014-10-09 12:52:07.000000000 +0200 @@ -92,7 +92,7 @@ # doesn't give it to you. # # The Options directive is both complicated and important. Please see - # http://httpd.apache.org/docs-2.2/mod/core.html#options + # http:///httpd.apache.org/docs/2.4/mod/core.html#options # for more information. # Options +Indexes +MultiViews +FollowSymLinks ++++++ apache2-httpd.conf ++++++ --- /var/tmp/diff_new_pack.2czHpi/_old 2014-10-09 12:52:07.000000000 +0200 +++ /var/tmp/diff_new_pack.2czHpi/_new 2014-10-09 12:52:07.000000000 +0200 
@@ -3,7 +3,7 @@ # # This is the main Apache server configuration file. It contains the # configuration directives that give the server its instructions. -# See <URL:http://httpd.apache.org/docs-2.2/> for detailed information about +# See <URL:http:///httpd.apache.org/docs/2.4/> for detailed information about # the directives. # Based upon the default apache configuration file that ships with apache, @@ -193,7 +193,7 @@ # IP addresses. This is indicated by the asterisks in the directives below. # # Please see the documentation at -# <URL:http://httpd.apache.org/docs-2.2/vhosts/> +# <URL:http:///httpd.apache.org/docs/2.4/vhosts/> # for further details before you try to setup virtual hosts. # # You may use the command line option '-S' to verify your virtual host ++++++ apache2-listen.conf ++++++ --- /var/tmp/diff_new_pack.2czHpi/_old 2014-10-09 12:52:07.000000000 +0200 +++ /var/tmp/diff_new_pack.2czHpi/_new 2014-10-09 12:52:07.000000000 +0200 @@ -1,7 +1,7 @@ # Listen: Allows you to bind Apache to specific IP addresses and/or # ports. See also the <VirtualHost> directive. # -# http://httpd.apache.org/docs-2.2/mod/mpm_common.html#listen +# http:///httpd.apache.org/docs/2.4/mod/mpm_common.html#listen # # Change this to Listen on specific IP addresses as shown below to # prevent Apache from glomming onto all bound IP addresses (0.0.0.0) ++++++ apache2-mod_autoindex-defaults.conf ++++++ --- /var/tmp/diff_new_pack.2czHpi/_old 2014-10-09 12:52:07.000000000 +0200 +++ /var/tmp/diff_new_pack.2czHpi/_new 2014-10-09 12:52:07.000000000 +0200 @@ -1,7 +1,7 @@ # # Directives controlling the display of server-generated directory listings. # -# see http://httpd.apache.org/docs-2.2/mod/mod_autoindex.html +# see http:///httpd.apache.org/docs/2.4/mod/mod_autoindex.html # <IfModule mod_autoindex.c> ++++++ apache2-mod_info.conf ++++++ --- /var/tmp/diff_new_pack.2czHpi/_old 2014-10-09 12:52:07.000000000 +0200 +++ /var/tmp/diff_new_pack.2czHpi/_new 2014-10-09 12:52:07.000000000 +0200 
@@ -2,7 +2,7 @@ # Allow remote server configuration reports, with the URL of # http://servername/server-info (requires that mod_info.c be loaded). # -# see http://httpd.apache.org/docs-2.2/mod/mod_info.html +# see http:///httpd.apache.org/docs/2.4/mod/mod_info.html # <IfModule mod_info.c> <Location /server-info> ++++++ apache2-mod_log_config.conf ++++++ --- /var/tmp/diff_new_pack.2czHpi/_old 2014-10-09 12:52:07.000000000 +0200 +++ /var/tmp/diff_new_pack.2czHpi/_new 2014-10-09 12:52:07.000000000 +0200 @@ -2,7 +2,7 @@ # The following directives define some format nicknames for use with # a CustomLog directive. # -# http://httpd.apache.org/docs-2.2/mod/mod_log_config.html +# http:///httpd.apache.org/docs/2.4/mod/mod_log_config.html # # ++++++ apache2-mod_mime-defaults.conf ++++++ --- /var/tmp/diff_new_pack.2czHpi/_old 2014-10-09 12:52:07.000000000 +0200 +++ /var/tmp/diff_new_pack.2czHpi/_new 2014-10-09 12:52:07.000000000 +0200 @@ -2,7 +2,7 @@ # mod_mime configuration: # associate various bits of "meta information" with files by their filename extensions # -# see http://httpd.apache.org/docs-2.2/mod/mod_mime.html +# see http:///httpd.apache.org/docs/2.4/mod/mod_mime.html # # Catalan (ca) - Croatian (hr) - Czech (cs) - Danish (da) - Dutch (nl) @@ -152,7 +152,7 @@ # Guess the MIME type of a file by looking at a few bytes of its contents -# http://httpd.apache.org/docs-2.2/mod/mod_mime_magic.html +# http:///httpd.apache.org/docs/2.4/mod/mod_mime_magic.html <IfModule mod_mime_magic.c> MIMEMagicFile /etc/apache2/magic </IfModule> ++++++ apache2-mod_reqtimeout.conf ++++++ --- /var/tmp/diff_new_pack.2czHpi/_old 2014-10-09 12:52:07.000000000 +0200 +++ /var/tmp/diff_new_pack.2czHpi/_new 2014-10-09 12:52:07.000000000 +0200 
@@ -7,7 +7,7 @@ # # mod_reqtimeout.c must be loaded. # -# see https://httpd.apache.org/docs/2.2/mod/mod_reqtimeout.html +# see https://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html # or /usr/share/apache2/manual/mod/mod_reqtimeout.html.en # # Note: ++++++ apache2-mod_status.conf ++++++ --- /var/tmp/diff_new_pack.2czHpi/_old 2014-10-09 12:52:07.000000000 +0200 +++ /var/tmp/diff_new_pack.2czHpi/_new 2014-10-09 12:52:07.000000000 +0200 @@ -2,7 +2,7 @@ # Allow server status reports generated by mod_status, # with the URL of http://servername/server-status # -# see http://httpd.apache.org/docs-2.2/mod/mod_status.html +# see http:///httpd.apache.org/docs/2.4/mod/mod_status.html # <IfModule mod_status.c> <Location /server-status> ++++++ apache2-server-tuning.conf ++++++ --- /var/tmp/diff_new_pack.2czHpi/_old 2014-10-09 12:52:07.000000000 +0200 +++ /var/tmp/diff_new_pack.2czHpi/_new 2014-10-09 12:52:07.000000000 +0200 
@@ -10,47 +10,47 @@ # prefork MPM <IfModule prefork.c> # number of server processes to start - # http://httpd.apache.org/docs/2.2/mod/mpm_common.html#startservers + # http://httpd.apache.org/docs/2.4/mod/mpm_common.html#startservers StartServers 5 # minimum number of server processes which are kept spare - # http://httpd.apache.org/docs/2.2/mod/prefork.html#minspareservers + # http://httpd.apache.org/docs/2.4/mod/prefork.html#minspareservers MinSpareServers 5 # maximum number of server processes which are kept spare - # http://httpd.apache.org/docs/2.2/mod/prefork.html#maxspareservers + # http://httpd.apache.org/docs/2.4/mod/prefork.html#maxspareservers MaxSpareServers 10 # highest possible MaxClients setting for the lifetime of the Apache process. - # http://httpd.apache.org/docs/2.2/mod/mpm_common.html#serverlimit + # http://httpd.apache.org/docs/2.4/mod/mpm_common.html#serverlimit ServerLimit 150 # maximum number of server processes allowed to start - # http://httpd.apache.org/docs/2.2/mod/mpm_common.html#maxclients + # http://httpd.apache.org/docs/2.4/mod/mpm_common.html#maxclients MaxClients 150 # maximum number of requests a server process serves - # http://httpd.apache.org/docs/2.2/mod/mpm_common.html#maxrequestsperchild + # http://httpd.apache.org/docs/2.4/mod/mpm_common.html#maxrequestsperchild MaxRequestsPerChild 10000 </IfModule> # worker MPM <IfModule worker.c> # initial number of server processes to start - # http://httpd.apache.org/docs/2.2/mod/mpm_common.html#startservers + # http://httpd.apache.org/docs/2.4/mod/mpm_common.html#startservers StartServers 3 # minimum number of worker threads which are kept spare - # http://httpd.apache.org/docs/2.2/mod/mpm_common.html#minsparethreads + # http://httpd.apache.org/docs/2.4/mod/mpm_common.html#minsparethreads MinSpareThreads 25 # maximum number of worker threads which are kept spare - # http://httpd.apache.org/docs/2.2/mod/mpm_common.html#maxsparethreads + # 
http://httpd.apache.org/docs/2.4/mod/mpm_common.html#maxsparethreads MaxSpareThreads 75 # upper limit on the configurable number of threads per child process - # http://httpd.apache.org/docs/2.2/mod/mpm_common.html#threadlimit + # http://httpd.apache.org/docs/2.4/mod/mpm_common.html#threadlimit ThreadLimit 64 # maximum number of simultaneous client connections - # http://httpd.apache.org/docs/2.2/mod/mpm_common.html#maxclients + # http://httpd.apache.org/docs/2.4/mod/mpm_common.html#maxclients MaxClients 150 # number of worker threads created by each child process - # http://httpd.apache.org/docs/2.2/mod/mpm_common.html#threadsperchild + # http://httpd.apache.org/docs/2.4/mod/mpm_common.html#threadsperchild ThreadsPerChild 25 # maximum number of requests a server process serves - # http://httpd.apache.org/docs/2.2/mod/mpm_common.html#maxrequestsperchild + # http://httpd.apache.org/docs/2.4/mod/mpm_common.html#maxrequestsperchild MaxRequestsPerChild 10000 </IfModule> @@ -103,7 +103,7 @@ # The default is on; turn this off if you serve from NFS-mounted # filesystems. On some systems, turning it off (regardless of # filesystem) can improve performance; for details, please see -# http://httpd.apache.org/docs-2.2/mod/core.html#enablemmap +# http:///httpd.apache.org/docs/2.4/mod/core.html#enablemmap # #EnableMMAP off @@ -112,7 +112,7 @@ # used to deliver files (assuming that the OS supports it). # The default is on; turn this off if you serve from NFS-mounted # filesystems. Please see -# http://httpd.apache.org/docs-2.2/mod/core.html#enablesendfile +# http:///httpd.apache.org/docs/2.4/mod/core.html#enablesendfile # EnableSendfile on ++++++ apache2-ssl-global.conf ++++++ --- /var/tmp/diff_new_pack.2czHpi/_old 2014-10-09 12:52:07.000000000 +0200 +++ /var/tmp/diff_new_pack.2czHpi/_new 2014-10-09 12:52:07.000000000 +0200 
@@ -7,7 +7,7 @@ # These are the configuration directives to instruct the server how to # serve pages over an https connection. For detailing information about these -# directives see <URL:http://httpd.apache.org/docs-2.2/mod/mod_ssl.html> +# directives see <URL:http:///httpd.apache.org/docs/2.4/mod/mod_ssl.html> # # Do NOT simply read the instructions in here without understanding # what they do. They're here only as hints or reminders. If you are unsure 
@@ -70,6 +70,63 @@ #SSLRandomSeed startup file:/dev/urandom 512 #SSLRandomSeed connect file:/dev/urandom 512 + # SSL protocols + # Supporting TLS only is adequate nowadays + SSLProtocol all -SSLv2 -SSLv3 + + # SSL Cipher Suite: + # List the ciphers that the client is permitted to negotiate. + # See the mod_ssl documentation for a complete list. + SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 + + # Server Certificate: + # Point SSLCertificateFile at a PEM encoded certificate. If + # the certificate is encrypted, then you will be prompted for a + # pass phrase. Note that a kill -HUP will prompt again. Keep + # in mind that if you have both an RSA and a DSA certificate you + # can configure both in parallel (to also allow the use of DSA + # ciphers, etc.) + #SSLCertificateFile /etc/apache2/ssl.crt/server.crt + #SSLCertificateFile /etc/apache2/ssl.crt/server-dsa.crt + + # Server Private Key: + # If the key is not combined with the certificate, use this + # directive to point at the key file. Keep in mind that if + # you've both a RSA and a DSA private key you can configure + # both in parallel (to also allow the use of DSA ciphers, etc.) + #SSLCertificateKeyFile /etc/apache2/ssl.key/server.key + #SSLCertificateKeyFile /etc/apache2/ssl.key/server-dsa.key + + # Server Certificate Chain: + # Point SSLCertificateChainFile at a file containing the + # concatenation of PEM encoded intermediate CA + # certificates which form the certificate chain for the + # server certificate. Alternatively the referenced file + # can be the same as SSLCertificateFile when the CA + # certificates are directly appended to the server + # certificate for convinience. 
+ #SSLCertificateChainFile /etc/apache2/ssl.crt/chain.crt + + # Certificate Authority (CA): + # Set the CA certificate verification path where to find CA + # certificates for client authentication or alternatively one + # huge file containing all of them (file must be PEM encoded) + # Note: Inside SSLCACertificatePath you need hash symlinks + # to point to the certificate files. Use the provided + # Makefile to update the hash symlinks after changes. + #SSLCACertificatePath /etc/apache2/ssl.crt + #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt + + # Certificate Revocation Lists (CRL): + # Set the CA revocation path where to find CA CRLs for client + # authentication or alternatively one huge file containing all + # of them (file must be PEM encoded) + # Note: Inside SSLCARevocationPath you need hash symlinks + # to point to the certificate files. Use the provided + # Makefile to update the hash symlinks after changes. + #SSLCARevocationPath /etc/apache2/ssl.crl + #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl + </IfModule> </IfDefine> </IfDefine> ++++++ apache2-vhost-ssl.template ++++++ --- /var/tmp/diff_new_pack.2czHpi/_old 2014-10-09 12:52:07.000000000 +0200 +++ /var/tmp/diff_new_pack.2czHpi/_new 2014-10-09 12:52:07.000000000 +0200 @@ -11,7 +11,7 @@ # This is the Apache server configuration file providing SSL support. # It contains the configuration directives to instruct the server how to # serve pages over an https connection. For detailing information about these -# directives see http://httpd.apache.org/docs/2.2/mod/mod_ssl.html +# directives see http://httpd.apache.org/docs/2.4/mod/mod_ssl.html # # Do NOT simply read the instructions in here without understanding # what they do. They're here only as hints or reminders. If you are unsure 
@@ -38,167 +38,17 @@ # Enable/Disable SSL for this virtual host. SSLEngine on - # SSL protocols - # Supporting TLS only is adequate nowadays - SSLProtocol all -SSLv2 - - # SSL Cipher Suite: - # List the ciphers that the client is permitted to negotiate. - # See the mod_ssl documentation for a complete list. - SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 - - # Speed-optimized SSL Cipher configuration: - # If speed is your main concern (on busy HTTPS servers e.g.), - # you might want to force clients to specific, performance - # optimized ciphers. In this case, prepend those ciphers - # to the SSLCipherSuite list, and enable SSLHonorCipherOrder. - # Caveat: by giving precedence to RC4-SHA and AES128-SHA - # (as in the example below), most connections will no longer - # have perfect forward secrecy - if the server's key is - # compromised, captures of past or future traffic must be - # considered compromised, too. - #SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5 - #SSLHonorCipherOrder on - - # Server Certificate: - # Point SSLCertificateFile at a PEM encoded certificate. If - # the certificate is encrypted, then you will be prompted for a - # pass phrase. Note that a kill -HUP will prompt again. Keep - # in mind that if you have both an RSA and a DSA certificate you - # can configure both in parallel (to also allow the use of DSA - # ciphers, etc.) - SSLCertificateFile /etc/apache2/ssl.crt/server.crt - #SSLCertificateFile /etc/apache2/ssl.crt/server-dsa.crt - - # Server Private Key: - # If the key is not combined with the certificate, use this - # directive to point at the key file. Keep in mind that if - # you've both a RSA and a DSA private key you can configure - # both in parallel (to also allow the use of DSA ciphers, etc.) 
- SSLCertificateKeyFile /etc/apache2/ssl.key/server.key - #SSLCertificateKeyFile /etc/apache2/ssl.key/server-dsa.key - - # Server Certificate Chain: - # Point SSLCertificateChainFile at a file containing the - # concatenation of PEM encoded CA certificates which form the - # certificate chain for the server certificate. Alternatively - # the referenced file can be the same as SSLCertificateFile - # when the CA certificates are directly appended to the server - # certificate for convinience. - #SSLCertificateChainFile /etc/apache2/ssl.crt/ca.crt - - # Certificate Authority (CA): - # Set the CA certificate verification path where to find CA - # certificates for client authentication or alternatively one - # huge file containing all of them (file must be PEM encoded) - # Note: Inside SSLCACertificatePath you need hash symlinks - # to point to the certificate files. Use the provided - # Makefile to update the hash symlinks after changes. - #SSLCACertificatePath /etc/apache2/ssl.crt - #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt - - # Certificate Revocation Lists (CRL): - # Set the CA revocation path where to find CA CRLs for client - # authentication or alternatively one huge file containing all - # of them (file must be PEM encoded) - # Note: Inside SSLCARevocationPath you need hash symlinks - # to point to the certificate files. Use the provided - # Makefile to update the hash symlinks after changes. - #SSLCARevocationPath /etc/apache2/ssl.crl - #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl - - # Client Authentication (Type): - # Client certificate verification type and depth. Types are - # none, optional, require and optional_no_ca. Depth is a - # number which specifies how deeply to verify the certificate - # issuer chain before deciding the certificate is not valid. 
- #SSLVerifyClient require - #SSLVerifyDepth 10 - - # Access Control: - # With SSLRequire you can do per-directory access control based - # on arbitrary complex boolean expressions containing server - # variable checks and other lookup directives. The syntax is a - # mixture between C and Perl. See the mod_ssl documentation - # for more details. - #<Location /> - #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ - # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ - # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ - # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ - # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ - # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ - #</Location> - - # SSL Engine Options: - # Set various options for the SSL engine. - # o FakeBasicAuth: - # Translate the client X.509 into a Basic Authorisation. This means that - # the standard Auth/DBMAuth methods can be used for access control. The - # user name is the `one line' version of the client's X.509 certificate. - # Note that no password is obtained from the user. Every entry in the user - # file needs this password: `xxj31ZMTZzkVA'. - # o ExportCertData: - # This exports two additional environment variables: SSL_CLIENT_CERT and - # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the - # server (always existing) and the client (only existing when client - # authentication is used). This can be used to import the certificates - # into CGI scripts. - # o StdEnvVars: - # This exports the standard SSL/TLS related `SSL_*' environment variables. - # Per default this exportation is switched off for performance reasons, - # because the extraction step is an expensive operation and is usually - # useless for serving static content. So one usually enables the - # exportation for CGI and SSI requests only. - # o StrictRequire: - # This denies access when "SSLRequireSSL" or "SSLRequire" applied even - # under a "Satisfy any" situation, i.e. 
when it applies access is denied - # and no other module can change it. - # o OptRenegotiate: - # This enables optimized SSL connection renegotiation handling when SSL - # directives are used in per-directory context. - #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire - <FilesMatch "\.(cgi|shtml|phtml|php)$"> - SSLOptions +StdEnvVars - </FilesMatch> - <Directory "/srv/www/cgi-bin"> - SSLOptions +StdEnvVars - </Directory> - - # SSL Protocol Adjustments: - # The safe and default but still SSL/TLS standard compliant shutdown - # approach is that mod_ssl sends the close notify alert but doesn't wait for - # the close notify alert from client. When you need a different shutdown - # approach you can use one of the following variables: - # o ssl-unclean-shutdown: - # This forces an unclean shutdown when the connection is closed, i.e. no - # SSL close notify alert is send or allowed to received. This violates - # the SSL/TLS standard but is needed for some brain-dead browsers. Use - # this when you receive I/O errors because of the standard approach where - # mod_ssl sends the close notify alert. - # o ssl-accurate-shutdown: - # This forces an accurate shutdown when the connection is closed, i.e. a - # SSL close notify alert is send and mod_ssl waits for the close notify - # alert of the client. This is 100% SSL/TLS standard compliant, but in - # practice often causes hanging connections with brain-dead browsers. Use - # this only for browsers where you know that their SSL implementation - # works correctly. - # Notice: Most problems of broken clients are also related to the HTTP - # keep-alive facility, so you usually additionally want to disable - # keep-alive for those clients, too. Use variable "nokeepalive" for this. - # Similarly, one has to force some clients to use HTTP/1.0 to workaround - # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and - # "force-response-1.0" for this. 
- BrowserMatch "MSIE [2-5]" \ - nokeepalive ssl-unclean-shutdown \ - downgrade-1.0 force-response-1.0 + # You can use per vhost certificates if SNI is supported. + SSLCertificateFile /etc/apache2/ssl.crt/vhost-example.crt + SSLCertificateKeyFile /etc/apache2/ssl.key/vhost-example.key + #SSLCertificateChainFile /etc/apache2/ssl.crt/vhost-example-chain.crt # Per-Server Logging: # The home of a custom SSL log file. Use this when you want a # compact non-error SSL logfile on a virtual host basis. CustomLog /var/log/apache2/ssl_request_log ssl_combined -</VirtualHost> +</VirtualHost> </IfDefine> </IfDefine> ++++++ apache2-vhost.template ++++++ --- /var/tmp/diff_new_pack.2czHpi/_old 2014-10-09 12:52:07.000000000 +0200 +++ /var/tmp/diff_new_pack.2czHpi/_new 2014-10-09 12:52:07.000000000 +0200 @@ -100,7 +100,7 @@ # doesn't give it to you. # # The Options directive is both complicated and important. Please see - # http://httpd.apache.org/docs-2.2/mod/core.html#options + # http:///httpd.apache.org/docs/2.4/mod/core.html#options # for more information. # Options Indexes FollowSymLinks ++++++ apache2.firewall ++++++ --- /var/tmp/diff_new_pack.2czHpi/_old 2014-10-09 12:52:07.000000000 +0200 +++ /var/tmp/diff_new_pack.2czHpi/_new 2014-10-09 12:52:07.000000000 +0200 @@ -5,7 +5,7 @@ TCP="http" # space separated list of allowed UDP ports -UDP="http" +UDP="" # space separated list of allowed RPC services RPC="" ++++++ apache2.service ++++++ --- /var/tmp/diff_new_pack.2czHpi/_old 2014-10-09 12:52:07.000000000 +0200 +++ /var/tmp/diff_new_pack.2czHpi/_new 2014-10-09 12:52:07.000000000 +0200 @@ -14,3 +14,4 @@ [Install] WantedBy=multi-user.target +Alias=httpd.service ++++++ apache2.ssl-firewall ++++++ --- /var/tmp/diff_new_pack.2czHpi/_old 2014-10-09 12:52:07.000000000 +0200 +++ /var/tmp/diff_new_pack.2czHpi/_new 2014-10-09 12:52:07.000000000 +0200 
@@ -5,7 +5,7 @@ TCP="https" # space separated list of allowed UDP ports -UDP="https" +UDP="" # space separated list of allowed RPC services RPC="" ++++++ httpd-2.4.9.tar.bz2 -> httpd-2.4.10.tar.bz2 ++++++ ++++ 29351 lines of diff (skipped) ++++++ rc.apache2 ++++++ --- /var/tmp/diff_new_pack.2czHpi/_old 2014-10-09 12:52:11.000000000 +0200 +++ /var/tmp/diff_new_pack.2czHpi/_new 2014-10-09 12:52:11.000000000 +0200 @@ -21,7 +21,7 @@ # Default-Start: 3 5 # Default-Stop: 0 1 2 6 # X-Interactive: true -# Short-Description: Apache 2.2 HTTP Server +# Short-Description: Apache 2 HTTP Server # Description: Start the Apache HTTP daemon ### END INIT INFO ++++++ sysconfig.apache2 ++++++ --- /var/tmp/diff_new_pack.2czHpi/_old 2014-10-09 12:52:11.000000000 +0200 +++ /var/tmp/diff_new_pack.2czHpi/_new 2014-10-09 12:52:11.000000000 +0200 @@ -41,7 +41,7 @@ # @@all_modules@@ # -# see http://httpd.apache.org/docs-2.2/mod/ ! +# see http:///httpd.apache.org/docs/2.4/mod/ ! # # * It pays to use IfDefine statements... like # <IfModule mod_xyz.c> @@ -191,7 +191,7 @@ # Configures the footer on server-generated documents # This correlates to the ServerSignature directive. # -APACHE_SERVERSIGNATURE="on" +APACHE_SERVERSIGNATURE="off" ## Type: list(debug,info,notice,warn,error,crit,alert,emerg) ## Default: "warn" @@ -249,9 +249,9 @@ # # How much information the server response header field contains about the server. # (installed modules, versions, etc.) -# see http://httpd.apache.org/docs-2.2/mod/core.html#servertokens +# see http:///httpd.apache.org/docs/2.4/mod/core.html#servertokens # -APACHE_SERVERTOKENS="OS" +APACHE_SERVERTOKENS="ProductOnly" ## Type: list(on,off) ## Default: "off" -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
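Review bot: the rewritten documentation links in the apache2-README, apache2-default-server.conf, apache2-default-vhost-ssl.conf, apache2-default-vhost.conf, apache2-httpd.conf (both hunks), apache2-listen.conf, apache2-mod_autoindex-defaults.conf, apache2-mod_info.conf, apache2-mod_log_config.conf, apache2-mod_mime-defaults.conf (both hunks), apache2-mod_status.conf, apache2-server-tuning.conf (EnableMMAP and EnableSendfile hunks), apache2-ssl-global.conf (@@ -7,7), apache2-vhost.template and sysconfig.apache2 hunks are written with three slashes, `http:///httpd.apache.org/docs/2.4/...`, which gives an empty host and a dead link. The mod_reqtimeout, server-tuning MPM and vhost-ssl.template hunks use the correct `http://httpd.apache.org/docs/2.4/...` form, so the rest should be fixed to match before merging, e.g. `# http://httpd.apache.org/docs/2.4/mod/core.html#options`.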
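Review bot: the `install -m 700` change for start_apache2 and apache2-systemd-ask-pass in the apache2.spec hunk at @@ -643,10 +622,10 @@ only holds if the %files section (not part of this diff) does not carry an %attr() that resets those paths; please verify. In the same hunk rc.%{pname} stays at 744 while the two helpers become root-only; that is fine if intended, but a short comment would help, since the bnc#851627 changelog entry gives no rationale.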
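Review bot: in the apache2.spec %description hunk (@@ -198,36 +198,15 @@) the added line `+ See /usr/share/doc/packages/apache2/, http://httpd.apache.org/, and` starts with a stray leading space that the following `+http://httpd.apache.org/docs-2.4/upgrading.html.` line does not have; drop the space. The new text also reads like the upstream release announcement ("represents the best available version of Apache HTTP Server"); a neutral sentence describing what the package installs would age better than a claim tied to the 2.4.10 release date.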
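Review bot: none of the apache2.changes entries mentions that the `SSLProtocol all -SSLv2 -SSLv3` line added in the apache2-ssl-global.conf hunk at @@ -70,6 +70,63 @@ disables SSLv3 for every SSL vhost, where the old vhost template only had `-SSLv2`; this is a security-relevant behaviour change and deserves its own changelog line so that admins with SSLv3-only clients know why their connections start failing. Two smaller points in the same hunk: the CRL paragraph says "hash symlinks to point to the certificate files" although under SSLCARevocationPath the symlinks point at CRL files, and "convinience" is misspelled (both carried over from the old template). The SSLCipherSuite comment also dropped the speed-optimized/SSLHonorCipherOrder example together with its forward-secrecy caveat; keeping at least the caveat, or a note that the client picks the cipher unless SSLHonorCipherOrder is on, would preserve useful guidance.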
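Review bot: the `<FilesMatch "\.(cgi|shtml|phtml|php)$">` and `<Directory "/srv/www/cgi-bin">` blocks with `SSLOptions +StdEnvVars` removed in the apache2-vhost-ssl.template hunk at @@ -38,167 +38,17 @@ are not re-added in the apache2-ssl-global.conf hunk, so CGI and PHP scripts in vhosts generated from this template will no longer see the SSL_* environment variables; either move those blocks to ssl-global.conf as well or call the change out in apache2.changes ("move most ssl options to ssl-global.conf" does not cover it). The removed SSLVerifyClient, SSLRequire, SSLOptions and BrowserMatch paragraphs were commented documentation rather than active configuration; a one-line pointer to where they now live (or to the mod_ssl docs) would help admins who relied on them. Minor: `SSLCertificateFile /etc/apache2/ssl.crt/vhost-example.crt` and the matching `SSLCertificateKeyFile` line are active rather than commented, so a vhost copied from the template fails to start until the example paths are replaced, whereas the old template pointed at the default server.crt/server.key; and the `-</VirtualHost>` / `+</VirtualHost>` pair is a whitespace-only change.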
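Review bot: `Alias=httpd.service` in the apache2.service hunk is materialised by systemd only when the unit is (re-)enabled, so on systems that already have apache2.service enabled the httpd.service symlink will not appear after the package update unless %post re-runs the enable step (the spec's %post section is not part of this diff); please verify that the bnc#888093 compatibility goal is met on upgrade and not only on fresh installs.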
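Review bot: the sysconfig.apache2 hunk at @@ -249,9 +249,9 @@ sets `APACHE_SERVERTOKENS="ProductOnly"` while the bnc#716495 changelog entry says `ServerTokens=Prod`; both spellings are accepted by httpd, but the `## Type: list(...)` line for this variable (not shown in the hunk) must list whichever spelling is used, and the `## Default:` comments above APACHE_SERVERSIGNATURE and APACHE_SERVERTOKENS should be updated to "off" and "ProductOnly" if they still state the old defaults, following the `## Default: "warn"` pattern visible in the hunk.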
