diff -u apache2-2.2.9/debian/changelog apache2-2.2.9/debian/changelog
--- apache2-2.2.9/debian/changelog
+++ apache2-2.2.9/debian/changelog
@@ -1,3 +1,14 @@
+apache2 (2.2.9-3ubuntu1) intrepid; urgency=low
+
+  * Add a new config file /etc/apache2/conf.d/ssl_options with options
+    which disable version 2 of SSL (SSLv2).
+  * Add 'Disabling SSLv2' paragraph in README.Debian.gz with instructions
+    how to disable SSLv2.
+  * Add hooks to apache2.2-common.postinst and apache2.2-common.preinst so
+    that ssl_options isn't created on upgrades
+
+ --  <ivoks@ubuntu.com>  Sun, 20 Jul 2008 08:46:29 +0200
+
 apache2 (2.2.9-3) unstable; urgency=low
 
   [ Stefan Fritsch ]
diff -u apache2-2.2.9/debian/control apache2-2.2.9/debian/control
--- apache2-2.2.9/debian/control
+++ apache2-2.2.9/debian/control
@@ -1,7 +1,8 @@
 Source: apache2
 Section: web
 Priority: optional
-Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
+Maintainer: Ubuntu Core Developers <ubuntu-devel-discuss@lists.ubuntu.com>
+XSBC-Original-Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
 Uploaders: Tollef Fog Heen <tfheen@debian.org>, Thom May <thom@debian.org>, Adam Conrad <adconrad@0c3.net>, Peter Samuelson <peter@p12n.org>, Stefan Fritsch <sf@debian.org>
 Build-Depends: debhelper (>=6.0.7), dpatch, lsb-release, libaprutil1-dev, libapr1-dev (>= 1.2.7-6), openssl, libpcre3-dev, mawk, zlib1g-dev, libssl-dev, sharutils
 Standards-Version: 3.8.0
diff -u apache2-2.2.9/debian/README.Debian apache2-2.2.9/debian/README.Debian
--- apache2-2.2.9/debian/README.Debian
+++ apache2-2.2.9/debian/README.Debian
@@ -11,6 +11,7 @@
 		Enabling SSL
 		Creating self-signed certificates
 		SSL workaround for MSIE
+		Disabling SSLv2
 
 	Suexec
 	
@@ -198,6 +199,20 @@
 The default SSL virtual host in /etc/apache2/sites-available/default-ssl
 already contains this workaround.
 
+Disabling SSLv2
+-------------
+
+On new installations, SSLv2 is disabled in Ubuntu, while on upgrades no changes
+are being made. If you would like to disable SSLv2 in Ubuntu, create a file in
+/etc/apache2/conf.d, named ssl_options and add:
+
+<IfModule mod_ssl.c>
+	SSLProtocol ALL -SSLv2
+	SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!EXP:RC4+RSA:+HIGH:+MEDIUM
+</IfModule>
+
+and reload apache2.
+
 
 Suexec
 ======
diff -u apache2-2.2.9/debian/apache2.2-common.postinst apache2-2.2.9/debian/apache2.2-common.postinst
--- apache2-2.2.9/debian/apache2.2-common.postinst
+++ apache2-2.2.9/debian/apache2.2-common.postinst
@@ -66,6 +66,16 @@
         a2enmod authz_host
 
 fi
+
+# Don't disable SSLv2 on upgrades
+if [ -n "$2" ]; then
+	if [ -e /etc/apache2/conf.d/ssl_options.dpkg-apache2.2-common.existed ]; then
+		rm /etc/apache2/conf.d/ssl_options.dpkg-apache2.2-common.existed
+	else
+		rm /etc/apache2/conf.d/ssl_options
+	fi
+fi
+
 if [ $UPGRADE = from_2_0 ]; then
         # Module replacements from previous versions of apache2
 	if mod_is_enabled proxy; then
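Review bot: The new `if [ -n "$2" ]` block removes /etc/apache2/conf.d/ssl_options whenever the `.existed` marker is absent, and `$2` is non-empty on every later run of the postinst that passes a previous version, not only on the first upgrade to this release. When the postinst runs again without the preinst having run first (a reconfigure, or a retried configure after the first pass already removed the marker), the file that disables SSLv2 would be deleted silently from a system that had it. Limiting this block and the matching preinst hunk to upgrades from versions that predate the file narrows that considerably, using the comparison the preinst already has: `if [ -n "$2" ] && dpkg --compare-versions "$2" lt 2.2.9-3ubuntu1; then`. Use `rm -f` for both removals so a file the admin already deleted cannot fail the script. The rest of the postinst is outside the hunk, so any check on `$1` around this block is not visible here.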
diff -u apache2-2.2.9/debian/apache2.2-common.preinst apache2-2.2.9/debian/apache2.2-common.preinst
--- apache2-2.2.9/debian/apache2.2-common.preinst
+++ apache2-2.2.9/debian/apache2.2-common.preinst
@@ -30,6 +30,12 @@
 	touch /etc/apache2/ports.conf.dpkg-apache2.2-common.existed
 fi
 
+# we want to check in postinst whether /etc/apache2/conf.d/ssl_options existed
+# before the upgrade
+if [ -n "$2" ] && [ -e /etc/apache2/conf.d/ssl_options ]; then
+	touch /etc/apache2/conf.d/ssl_options.dpkg-apache2.2-common.existed
+fi
+
 if [ -n "$2" ] && dpkg --compare-versions "$2" lt 2.2.4-2; then
 	mv_conffile /etc/default/apache2 	9ac83f9132b78c3aa6dd4d7a583bf476
 	mv_conffile /etc/default/apache2 	801eb5156368b54d92ecb578ce710836
only in patch2:
unchanged:
--- apache2-2.2.9.orig/debian/config-dir/conf.d/ssl_options
+++ apache2-2.2.9/debian/config-dir/conf.d/ssl_options
@@ -0,0 +1,4 @@
+<IfModule mod_ssl.c>
+	SSLProtocol ALL -SSLv2
+	SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!EXP:RC4+RSA:+HIGH:+MEDIUM
+</IfModule>
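Review bot: The `SSLCipherSuite` line still leaves OpenSSL's LOW group (56/64-bit ciphers such as single DES) negotiable, because the string starts from `ALL` and removes only the anonymous, NULL and export suites, while `+HIGH:+MEDIUM` merely reorders ciphers already in the list. Since this file exists to harden the SSL setup, add `!LOW`, e.g. `SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM`, and make the same change in the copy of the snippet in the README.Debian hunk. A short header comment such as `# Disables SSLv2 and weak ciphers; see README.Debian ("Disabling SSLv2")` would also tell an admin who finds the file in conf.d why it is there.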
