aboutsummaryrefslogblamecommitdiffstats
path: root/debian/patches/260_openssl.patch
blob: 85c32c8cdb40aed17d75329c2908e41a13c6b831 (plain) (tree)



























                                                                                
Subject: OpenSSL issues
Author: Cristian Rodriguez <crrodriguez@opensuse.org>
Origin: https://build.opensuse.org/request/show/141054
Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2012-4929

  Mon Nov 12 18:26:45 UTC 2012 - crrodriguez@opensuse.org
  - Due to the "CRIME attack" (CVE-2012-4929) HTTPS clients
    that negotiate TLS-level compression can be abused for
    MITM attacks. (w3m-openssl.patch) 
  - Use SSL_MODE_RELEASE_BUFFERS if available .

--- w3m.orig/url.c
+++ w3m/url.c
@@ -337,7 +337,15 @@ openSSLHandle(int sock, char *hostname,
 	    if (strchr(ssl_forbid_method, 'T'))
 		option |= SSL_OP_NO_TLSv1;
 	}
+#ifdef SSL_OP_NO_COMPRESSION
+	option |= SSL_OP_NO_COMPRESSION;
+#endif
 	SSL_CTX_set_options(ssl_ctx, option);
+
+#ifdef SSL_MODE_RELEASE_BUFFERS
+	SSL_CTX_set_mode (ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
+#endif
+
 #ifdef USE_SSL_VERIFY
 	/* derived from openssl-0.9.5/apps/s_{client,cb}.c */
 #if 1				/* use SSL_get_verify_result() to verify cert */