author | Tatsuya Kinoshita <tats@debian.org> | 2013-11-07 14:45:21 +0000 |
---|---|---|
committer | Tatsuya Kinoshita <tats@debian.org> | 2013-11-07 14:49:47 +0000 |
commit | c4b1af9427bcbfee014664631ebb80376cedab12 (patch) | |
tree | dc139d716de8f51bf29eaca1f33204c6e5d4de31 | |
parent | Update 250_schemebug.patch (closes: #650747) (diff) | |
download | w3m-c4b1af9427bcbfee014664631ebb80376cedab12.tar.gz w3m-c4b1af9427bcbfee014664631ebb80376cedab12.zip |
New patch 260_openssl.patch from openSUSE for OpenSSL issues
- Use SSL_OP_NO_COMPRESSION if available due to the "CRIME attack".
[CVE-2012-4929]
- Use SSL_MODE_RELEASE_BUFFERS if available.
-rw-r--r-- | debian/patches/260_openssl.patch | 29 | ||||
-rw-r--r-- | debian/patches/series | 1 |
2 files changed, 30 insertions, 0 deletions
diff --git a/debian/patches/260_openssl.patch b/debian/patches/260_openssl.patch
new file mode 100644
index 0000000..85c32c8
--- /dev/null
+++ b/debian/patches/260_openssl.patch
@@ -0,0 +1,29 @@
+Subject: OpenSSL issues
+Author: Cristian Rodriguez <crrodriguez@opensuse.org>
+Origin: https://build.opensuse.org/request/show/141054
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2012-4929
+
+ Mon Nov 12 18:26:45 UTC 2012 - crrodriguez@opensuse.org
+ - Due to the "CRIME attack" (CVE-2012-4929) HTTPS clients
+ that negotiate TLS-level compression can be abused for
+ MITM attacks. (w3m-openssl.patch)
+ - Use SSL_MODE_RELEASE_BUFFERS if available .
+
+--- w3m.orig/url.c
++++ w3m/url.c
+@@ -337,7 +337,15 @@ openSSLHandle(int sock, char *hostname,
+ if (strchr(ssl_forbid_method, 'T'))
+ option |= SSL_OP_NO_TLSv1;
+ }
++#ifdef SSL_OP_NO_COMPRESSION
++ option |= SSL_OP_NO_COMPRESSION;
++#endif
+ SSL_CTX_set_options(ssl_ctx, option);
++
++#ifdef SSL_MODE_RELEASE_BUFFERS
++ SSL_CTX_set_mode (ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
++#endif
++
+ #ifdef USE_SSL_VERIFY
+ /* derived from openssl-0.9.5/apps/s_{client,cb}.c */
+ #if 1 /* use SSL_get_verify_result() to verify cert */
diff --git a/debian/patches/series b/debian/patches/series
index 6003d51..910ff9a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -24,4 +24,5 @@
 230_cygwin-lang.patch
 240_win64gc.patch
 250_schemebug.patch
+260_openssl.patch
 900_ChangeLog.patch |
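Review bot: The `#ifdef SSL_OP_NO_COMPRESSION` guard in the url.c hunk makes the CVE-2012-4929 mitigation silent: a build against an OpenSSL that does not define the flag keeps TLS-level compression negotiable with no diagnostic at all, which is exactly the situation the patch exists to close. An `#else` branch that at least warns at compile time would make that visible, e.g. `#else` / `#warning "SSL_OP_NO_COMPRESSION not available: TLS compression stays enabled (CVE-2012-4929)"` / `#endif`; whether a runtime fallback that empties OpenSSL's compression-method list is also worth carrying depends on which OpenSSL versions this package still targets, which the hunk does not show. A why-comment above the new line would help the next reader too, since nothing in the code ties the flag to CRIME: `/* CVE-2012-4929 (CRIME): never negotiate TLS-level compression */`. Minor style point: `SSL_CTX_set_mode (ssl_ctx, SSL_MODE_RELEASE_BUFFERS)` puts a space before the parenthesis while the neighbouring `SSL_CTX_set_options(ssl_ctx, option)` does not. openSSLHandle starts and ends outside the hunk.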