head 1.1; access; symbols OPENPKG_2_STABLE_MP:1.1 OPENPKG_E1_MP_HEAD:1.1 OPENPKG_E1_MP:1.1 OPENPKG_E1_MP_2_STABLE:1.1 OPENPKG_E1_FP:1.1 OPENPKG_2_STABLE_20061018:1.1 OPENPKG_2_STABLE:1.1.0.24 OPENPKG_2_STABLE_BP:1.1 OPENPKG_2_5_SOLID:1.1.0.22 OPENPKG_2_5_SOLID_BP:1.1 OPENPKG_2_4_RELEASE:1.1 OPENPKG_2_4_SOLID:1.1.0.20 OPENPKG_2_4_SOLID_BP:1.1 OPENPKG_2_3_RELEASE:1.1 OPENPKG_2_3_SOLID:1.1.0.18 OPENPKG_2_3_SOLID_BP:1.1 OPENPKG_2_2_RELEASE:1.1 OPENPKG_2_2_SOLID:1.1.0.16 OPENPKG_2_2_SOLID_BP:1.1 OPENPKG_2_1_RELEASE:1.1 OPENPKG_2_1_SOLID:1.1.0.14 OPENPKG_2_1_SOLID_BP:1.1 OPENPKG_2_0_RELEASE:1.1 OPENPKG_2_0_SOLID:1.1.0.12 OPENPKG_2_0_SOLID_BP:1.1 OPENPKG_1_3_RELEASE:1.1 OPENPKG_1_3_SOLID:1.1.0.10 OPENPKG_1_3_SOLID_BP:1.1 OPENPKG_1_2_SOLID:1.1.0.8 OPENPKG_1_2_SOLID_BP:1.1 OPENPKG_1_STABLE:1.1.0.6 OPENPKG_1_STABLE_BP:1.1 OPENPKG_1_0_SOLID:1.1.0.4 OPENPKG_1_1_SOLID:1.1.0.2; locks; strict; comment @# @; 1.1 date 2002.10.23.09.26.27; author rse; state dead; branches 1.1.2.1 1.1.4.1 1.1.8.1; next ; 1.1.2.1 date 2002.10.23.09.26.27; author rse; state Exp; branches; next 1.1.2.2; 1.1.2.2 date 2003.03.18.15.04.22; author rse; state Exp; branches; next ; 1.1.4.1 date 2002.10.23.09.30.38; author rse; state Exp; branches; next ; 1.1.8.1 date 2003.03.18.15.08.11; author rse; state Exp; branches; next ; desc @@ 1.1 log @file mod_ssl.patch was initially added on branch OPENPKG_1_1_SOLID. @ text @@ 1.1.8.1 log @apply security bugfix (OpenPKG-SA-2003.020-modssl) @ text @a0 18 Security bugfix for OpenSSL timing attacks. 
Index: mod_ssl-2.8.12-1.3.27/pkg.sslmod/ssl_engine_init.c
--- mod_ssl-2.8.12-1.3.27/pkg.sslmod/ssl_engine_init.c 4 Oct 2002 13:18:25 -0000 1.114
+++ mod_ssl-2.8.12-1.3.27/pkg.sslmod/ssl_engine_init.c 18 Mar 2003 13:35:10 -0000 1.115
@@@@ -795,6 +795,12 @@@@
 cpVHostID);
 ssl_die();
 }
+ if (!RSA_blinding_on(sc->pPrivateKey[SSL_AIDX_RSA]->pkey.rsa, NULL)) {
+ ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
+ "Init: (%s) Unable to enable RSA blinding (probably PRNG failure)",
+ cpVHostID);
+ ssl_die();
+ }
 if (SSL_CTX_use_PrivateKey(ctx, sc->pPrivateKey[SSL_AIDX_RSA]) <= 0) {
 ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
 "Init: (%s) Unable to configure RSA server private key", @ 1.1.4.1 log @add bugfixing patch for mod_ssl XSS problem @ text @a0 17 Security bugfix for mod_ssl Cross Side Scripting (XSS) problem.
Index: mod_ssl-2.8.5-1.3.22/pkg.sslmod/ssl_engine_kernel.c
--- mod_ssl-2.8.5-1.3.22/pkg.sslmod/ssl_engine_kernel.c.orig 4 Oct 2002 13:31:09 -0000 1.132
+++ mod_ssl-2.8.5-1.3.22/pkg.sslmod/ssl_engine_kernel.c 10 Oct 2002 14:27:45 -0000 1.133
@@@@ -622,7 +622,8 @@@@
 if (!ap_is_default_port(port, r))
 thisport = ap_psprintf(r->pool, ":%u", port);
 thisurl = ap_psprintf(r->pool, "https://%s%s/",
- ap_get_server_name(r), thisport);
+ ap_escape_html(r->pool, ap_get_server_name(r)),
+ thisport);
 ap_table_setn(r->notes, "error-notes", ap_psprintf(r->pool,
 "Reason: You're speaking plain HTTP to an SSL-enabled server port.
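Review bot: The added `RSA_blinding_on` block gives no hint why blinding has to be switched on by hand, so a maintainer upgrading OpenSSL later cannot tell whether the call is still needed; I would put a comment above the `if`: `/* Enable RSA blinding explicitly: the OpenSSL this was written against leaves it off, exposing the private key to remote timing attacks (OpenPKG-SA-2003.020); can be retired once the linked OpenSSL blinds by default. */`. Aborting with `ssl_die()` rather than continuing unblinded is the right fail-closed choice and deserves a word in that comment too. The call covers only the key at `SSL_AIDX_RSA`; if the module performs RSA private-key operations with any other key (the rest of the key table is not visible from here), those would need the same treatment. The enclosing init function starts and ends outside the hunk.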
\n" @ 1.1.2.1 log @add bugfixing patch for mod_ssl XSS problem @ text @a0 17 Security bugfix for mod_ssl Cross Side Scripting (XSS) problem.
Index: mod_ssl-2.8.10-1.3.26/pkg.sslmod/ssl_engine_kernel.c
--- mod_ssl-2.8.10-1.3.26/pkg.sslmod/ssl_engine_kernel.c.orig 4 Oct 2002 13:31:09 -0000 1.132
+++ mod_ssl-2.8.10-1.3.26/pkg.sslmod/ssl_engine_kernel.c 10 Oct 2002 14:27:45 -0000 1.133
@@@@ -622,7 +622,8 @@@@
 if (!ap_is_default_port(port, r))
 thisport = ap_psprintf(r->pool, ":%u", port);
 thisurl = ap_psprintf(r->pool, "https://%s%s/",
- ap_get_server_name(r), thisport);
+ ap_escape_html(r->pool, ap_get_server_name(r)),
+ thisport);
 ap_table_setn(r->notes, "error-notes", ap_psprintf(r->pool,
 "Reason: You're speaking plain HTTP to an SSL-enabled server port.
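Review bot: `ap_escape_html` on the server name makes it safe as HTML text, but the value lands in `thisurl`, an `https://` URL that the context lines show being fed into the `error-notes` HTML; if that HTML places it inside a quoted `href` attribute, Apache 1.3's `ap_escape_html` — which as far as I recall rewrites only `<`, `>` and `&`, not `"` — will not stop a quote in a client-supplied host name from closing the attribute, so how `thisurl` is used below the hunk is worth checking. The escaping also happens at this one sink only; every other place that interpolates `ap_get_server_name(r)` into HTML stays exposed if the name can originate from the request's Host header, so rejecting unexpected characters where the host name is parsed would be the more durable fix. I would record the reason on the changed line: `/* server name may be client-supplied (Host header): escape before it reaches HTML */`. The enclosing function starts and ends outside the hunk.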
\n" @ 1.1.2.2 log @apply security bugfix (OpenPKG-SA-2003.020-modssl) @ text @a17 19 Security bugfix for OpenSSL timing attacks.
Index: mod_ssl-2.8.10-1.3.26/pkg.sslmod/ssl_engine_init.c
--- mod_ssl-2.8.10-1.3.26/pkg.sslmod/ssl_engine_init.c 4 Oct 2002 13:18:25 -0000 1.114
+++ mod_ssl-2.8.10-1.3.26/pkg.sslmod/ssl_engine_init.c 18 Mar 2003 13:35:10 -0000 1.115
@@@@ -795,6 +795,12 @@@@
 cpVHostID);
 ssl_die();
 }
+ if (!RSA_blinding_on(sc->pPrivateKey[SSL_AIDX_RSA]->pkey.rsa, NULL)) {
+ ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
+ "Init: (%s) Unable to enable RSA blinding (probably PRNG failure)",
+ cpVHostID);
+ ssl_die();
+ }
 if (SSL_CTX_use_PrivateKey(ctx, sc->pPrivateKey[SSL_AIDX_RSA]) <= 0) {
 ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
 "Init: (%s) Unable to configure RSA server private key", @
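Review bot: After this change `thisurl` holds an HTML-escaped string, yet its name and the `"https://%s%s/"` format say "URL", so any later use of it outside HTML (a Location header, a log line, a redirect) would emit `&lt;`/`&amp;` entities into a non-HTML context; the hunk does not show those uses, but the mixed meaning is a trap. I would keep `thisurl` a plain URL and escape at the point of insertion into HTML instead, i.e. leave this line as `ap_get_server_name(r), thisport);` and pass `ap_escape_html(r->pool, thisurl)` where the note text is built, or at least rename the variable to `thisurl_html` so the context is visible at every use. Only the host part needs escaping, since `thisport` is produced from a `%u` and cannot carry markup. The enclosing function starts and ends outside the hunk.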
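Review bot: `sc->pPrivateKey[SSL_AIDX_RSA]->pkey.rsa` reaches into the EVP_PKEY union without checking the key type; the index name suggests that slot always holds an RSA key, but if it can ever hold another type the call would operate on the wrong union member, so a `->type == EVP_PKEY_RSA` check (or `EVP_PKEY_get1_RSA()` paired with `RSA_free()`, if the OpenSSL in use provides it) would make the assumption explicit. The blinding factor is drawn from the PRNG at this call and stored in the RSA object; if this init path runs in the Apache 1.3 parent before children are forked, as I believe it does, every child starts from the same blinding state — I am not aware that this weakens the countermeasure, but it deserves a note such as `/* NOTE: blinding factor is seeded once here and inherited across fork() */`. The "(probably PRNG failure)" wording is a guess; `SSL_ADD_SSLERR` presumably appends the real OpenSSL error, so the phrase could be dropped to avoid misleading operators. The enclosing init function starts and ends outside the hunk.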