| Summary: | www-servers/apache-2.2 - place "SSLCompression off" into /etc/apache2/modules.d/40_mod_ssl.conf | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Martin Mokrejš <mmokrejs> |
| Component: | Vulnerabilities | Assignee: | Patrick Lauer <patrick> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | polynomial-c, security |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
Description
Martin Mokrejš
2014-04-10 12:57:13 UTC
Reassigning to the maintainers, sorry about the delay. Also see bug 506924.

This was now committed to our apache git repository: http://git.overlays.gentoo.org/gitweb/?p=proj/apache.git;a=commitdiff;h=9154fa2d2a6b8f0b59c5b1d83c8186a4249d7f8f

```
+*apache-2.4.9-r1 (20 Apr 2014)
+*apache-2.2.27-r1 (20 Apr 2014)
+
+  20 Apr 2014; Lars Wendler <polynomial-c@gentoo.org> -apache-2.2.26.ebuild,
+  +apache-2.2.27-r1.ebuild, -apache-2.4.9.ebuild, +apache-2.4.9-r1.ebuild:
+  Revbump fixing bug #506924 and bug #507324. Removed old.
+
```

After the upgrade to 2.4.9-r1 my apache failed to restart:

```
apache2 |Invalid command 'SSLCompression', perhaps misspelled or defined by a module not included in the server configuration
```

I'm not using SSL, so mod_ssl is not loaded and this directive can't be used. Can be trivially fixed by moving it before the </IfDefine>, like the rest of 40_mod_ssl.conf.

```
+*apache-2.4.9-r2 (21 Apr 2014)
+*apache-2.2.27-r2 (21 Apr 2014)
+
+  21 Apr 2014; Lars Wendler <polynomial-c@gentoo.org> -apache-2.2.27-r1.ebuild,
+  +apache-2.2.27-r2.ebuild, -apache-2.4.9-r1.ebuild, +apache-2.4.9-r2.ebuild:
+  Moved SSLCompression into the IfDefine.
+
```

Sorry for the inconveniences. This is a perfect example of how mistakes can be overlooked, as I had these changes reviewed by four other people.

No problem. I can easily see how that slipped through testing, and if it's fixed as fast as in this case, I really do not have any complaints. Thanks!

The default for SSLCompression is "off" in all of our Apache versions:

* http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcompression
* http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcompression

(it changed in 2.2.26). So if you'd like to reduce the noise in the default config, this can be removed again.

No, I think it is helpful to keep them in; it is too easy for a user to enable it and we should educate them NOT to do it. Only worse, the defaults changed between minor versions.

You could also argue that users are supposed to switch to 2.4 where it is disabled ... no, I think this is just wrong argumentation. They simply have to be made aware of that, so it should stay in. Thanks.
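As an added illustration of the misplacement discussed in this bug (constructed here, not the 40_mod_ssl.conf that Gentoo ships): in the first layout SSLCompression sits after the closing </IfDefine>, so a server started without -D SSL, where mod_ssl is never loaded, rejects the directive with the "Invalid command" error quoted above; in the second it sits inside the guard and is only parsed when mod_ssl is present. The other mod_ssl directives shown are stand-ins for whatever the real file contains.

```apache
# Layout 1 (broken): the directive is outside the guard. httpd started
# without "-D SSL" never loads mod_ssl, does not know SSLCompression, and
# aborts with "Invalid command 'SSLCompression', perhaps misspelled or
# defined by a module not included in the server configuration".
<IfDefine SSL>
<IfModule ssl_module>
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    SSLSessionCacheTimeout 300
</IfModule>
</IfDefine>
SSLCompression off

# Layout 2 (fixed): the directive is inside both guards, so it is parsed
# only when mod_ssl is loaded, and there it still disables TLS-level
# compression regardless of what the version's built-in default is.
<IfDefine SSL>
<IfModule ssl_module>
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    SSLSessionCacheTimeout 300
    SSLCompression off
</IfModule>
</IfDefine>
```

Running `apache2ctl configtest` both with and without `-D SSL` in APACHE2_OPTS (/etc/conf.d/apache2 on Gentoo) catches this class of mistake before a restart does, since the first layout only fails when SSL is undefined.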