author | Tatsuya Kinoshita <tats@debian.org> | 2014-10-15 10:10:39 +0000 |
---|---|---|
committer | Tatsuya Kinoshita <tats@debian.org> | 2014-10-15 11:07:02 +0000 |
commit | d679aee471301f3321a223d0180fb26787be8e2f (patch) | |
tree | 4a02566bb0ed28816746b24fae73e279360bccc4 | |
parent | Debian release 0.5.3-17 (diff) | |
New patch 340_ssl-init.patch to disable SSLv3 [CVE-2014-3566]
-rw-r--r-- | debian/patches/340_ssl-init.patch | 50 | ||||
-rw-r--r-- | debian/patches/series | 1 |
2 files changed, 51 insertions, 0 deletions
diff --git a/debian/patches/340_ssl-init.patch b/debian/patches/340_ssl-init.patch
new file mode 100644
index 0000000..b47bbb6
--- /dev/null
+++ b/debian/patches/340_ssl-init.patch
@@ -0,0 +1,50 @@
+Subject: Force ssl_verify_server on, and disable SSLv2 and SSLv3
+Author: Ludwig Nussel <ludwig.nussel@suse.de>, Tatsuya Kinoshita <tats@debian.org>
+Origin: http://www.openwall.com/lists/oss-security/2010/06/14/4
+
+ Update README.SSL to follow default values
+
+ Disable SSLv3 by default [CVE-2014-3566]
+ cf. https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
+
+ Force ssl_verify_server on and disable SSLv2 support
+ Origin: http://www.openwall.com/lists/oss-security/2010/06/14/4
+
+diff --git a/doc-jp/README.SSL b/doc-jp/README.SSL
+index 4aedfde..670ed5f 100644
+--- a/doc-jp/README.SSL
++++ b/doc-jp/README.SSL
+@@ -25,9 +25,9 @@ SSL
+
+ ssl_forbid_method
+ 使わないSSLメソッドのリスト(2: SSLv2, 3: SSLv3, t: TLSv1)
+- (デフォルトは<NULL>).
++ (デフォルトは2, 3).
+ ssl_verify_server ON/OFF
+- SSLのサーバ認証を行う(デフォルトはOFF).
++ SSLのサーバ認証を行う(デフォルトはON).
+ ssl_cert_file ファイル名
+ SSLのクライアント用PEM形式証明書ファイル(デフォルトは<NULL>).
+ ssl_key_file ファイル名
+diff --git a/fm.h b/fm.h
+index 8378939..ddcd4fc 100644
+--- a/fm.h
++++ b/fm.h
+@@ -1135,7 +1135,7 @@ global int view_unseenobject init(TRUE);
+ #endif
+
+ #if defined(USE_SSL) && defined(USE_SSL_VERIFY)
+-global int ssl_verify_server init(FALSE);
++global int ssl_verify_server init(TRUE);
+ global char *ssl_cert_file init(NULL);
+ global char *ssl_key_file init(NULL);
+ global char *ssl_ca_path init(NULL);
+@@ -1144,7 +1144,7 @@ global int ssl_path_modified init(FALSE);
+ #endif /* defined(USE_SSL) &&
+ * defined(USE_SSL_VERIFY) */
+ #ifdef USE_SSL
+-global char *ssl_forbid_method init(NULL);
++global char *ssl_forbid_method init("2, 3");
+ #endif
+
+ global int is_redisplay init(FALSE);
diff --git a/debian/patches/series b/debian/patches/series
index e7e1572..badec89 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -32,4 +32,5 @@
 310_doc-ascii.patch
 320_imlib2-config.patch
 330_Disable-weak-ciphers.patch
+340_ssl-init.patch
 900_ChangeLog.patch |
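Review bot: The two `fm.h` hunks carried inside the new 340_ssl-init.patch change only the compiled-in initialisers (`init(TRUE)` and `init("2, 3")`), whereas the patch Subject says "Force ssl_verify_server on" and the commit title says SSLv3 is disabled. If the option loader overwrites these globals from a saved user or site config (not visible here), a profile that already stores `ssl_verify_server` off or an empty `ssl_forbid_method` would keep certificate checks off and SSLv3 negotiable after the upgrade. I would either word the Subject as "default" and add a comment such as `/* default only: a saved ssl_forbid_method still overrides this */` above the initialiser, or clamp the value after the config has been read. It is also worth confirming that the option parser accepts the `", "` separator used in `"2, 3"`. Verification now defaults to on while `ssl_ca_path` still starts as `init(NULL)` in the same hunk, so a default trust store should be checked as well.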