Created attachment 342674: pound-2.7a.ebuild. In the latest version, labeled as experimental, the SSL BEAST attack scenario is solved, and it is thus a hard requirement if you do visa handling with it. Also, the dynscaler option is gone.
Created attachment 342678: Disable SSL compression. Patch to prevent the CRIME vulnerability. Taken and adapted to 2.7a from https://github.com/goochjj/pound/commit/a0c52c542ca9620a96750f9877b26bf4c84aef1b
Comment on attachment 342674 [details] pound-2.7a.ebuild --- pound-2.6.ebuild 2012-08-23 17:03:10.000000000 +0200 +++ - 2013-03-20 20:52:25.095295221 +0100 @@ -1,4 +1,4 @@ -# Copyright 1999-2012 Gentoo Foundation +# Copyright 1999-2013 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 # $Header: /var/cvsroot/gentoo-x86/www-servers/pound/pound-2.6.ebuild,v 1.2 2012/08/21 15:23:00 johu Exp $ @@ -12,8 +12,8 @@ LICENSE="GPL-3" SLOT="0" -KEYWORDS="~alpha ~amd64 ~hppa ~mips ~ppc ~sparc x86" -IUSE="dynscaler" +KEYWORDS="~alpha ~amd64 ~hppa ~mips ~ppc ~sparc ~x86" +IUSE="" DEPEND="dev-libs/libpcre dev-libs/openssl" @@ -21,11 +21,6 @@ S=${WORKDIR}/${MY_P} -src_configure() { - econf \ - $(use_enable dynscaler) -} - src_install() { dodir /usr/sbin cp "${S}"/pound "${D}"/usr/sbin/
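Review bot: the bump drops src_configure and the dynscaler IUSE flag but adds no src_prepare, so the "Disable SSL compression" patch from attachment 342678, which the same submitter says is still needed for 2.7a, is not applied by this ebuild; place it in FILESDIR and apply it in src_prepare (or confirm that the 2.7a tarball already carries the equivalent change). Removing the custom src_configure is fine now that `$(use_enable dynscaler)` has no target, since the default phase still runs econf; the leftover empty `IUSE=""` can be dropped for tidiness.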
+ 25 Mar 2013; Patrick Lauer <patrick@gentoo.org> +pound-2.7a.ebuild:
+ Bump for #462380

If I understand you correctly, then 2.7 has the patch you need already included.
No, the patch is needed as well. The setup is simple and you can test it with https://www.ssllabs.com/ssltest/
r76 | roseg | 2013-09-26 14:33:21 +0200 (Don, 26 Sep 2013) | 12 lines
Release 2.7b

Enhancements:
- Add support for PATCH HTTP method

Bug fixes:
- sanitize URLs for redirection (prevent CSRF)
- SSL disable empty fragments
- SSL disable compression (CRIME attack prevention)
- fixed bug in configuration of DISABLED directive
- changed the log level from WARNING to NOTICE if the thread arg is NULL
The ebuild for 2.7a seems to work for 2.7b on my testing environment.
New version is out:

r77 | roseg | 2014-04-21 13:16:07 +0200 (Mon, 21 Apr 2014) | 9 lines
Release 2.7c

Enhancements:
- added filtering of "Expect: 100-continue" headers

Bug fixes:
- re-patched the redirect patch (Frank Schmierler)
- fixed RPC handling (Frank Schmierler)
-------------------------------------------------------------------------

Also attaching a patch to allow disabling of SSLv2 and SSLv3 to mitigate the POODLE attack.
Created attachment 386752: Disable SSL on request
Created attachment 386754: 2.7c ebuild