aboutsummaryrefslogtreecommitdiffstats
path: root/debian/patches/260_openssl.patch
diff options
context:
space:
mode:
authorTatsuya Kinoshita <tats@debian.org>2013-11-07 14:45:21 +0000
committerTatsuya Kinoshita <tats@debian.org>2013-11-07 14:49:47 +0000
commitc4b1af9427bcbfee014664631ebb80376cedab12 (patch)
treedc139d716de8f51bf29eaca1f33204c6e5d4de31 /debian/patches/260_openssl.patch
parentUpdate 250_schemebug.patch (closes: #650747) (diff)
downloadw3m-c4b1af9427bcbfee014664631ebb80376cedab12.tar.gz
w3m-c4b1af9427bcbfee014664631ebb80376cedab12.zip
New patch 260_openssl.patch from openSUSE for OpenSSL issues
- Use SSL_OP_NO_COMPRESSION if available due to the "CRIME attack". [CVE-2012-4929] - Use SSL_MODE_RELEASE_BUFFERS if available.
Diffstat (limited to 'debian/patches/260_openssl.patch')
-rw-r--r--debian/patches/260_openssl.patch29
1 files changed, 29 insertions, 0 deletions
diff --git a/debian/patches/260_openssl.patch b/debian/patches/260_openssl.patch
new file mode 100644
index 0000000..85c32c8
--- /dev/null
+++ b/debian/patches/260_openssl.patch
@@ -0,0 +1,29 @@
+Subject: OpenSSL issues
+Author: Cristian Rodriguez <crrodriguez@opensuse.org>
+Origin: https://build.opensuse.org/request/show/141054
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2012-4929
+
+ Mon Nov 12 18:26:45 UTC 2012 - crrodriguez@opensuse.org
+ - Due to the "CRIME attack" (CVE-2012-4929) HTTPS clients
+ that negotiate TLS-level compression can be abused for
+ MITM attacks. (w3m-openssl.patch)
+ - Use SSL_MODE_RELEASE_BUFFERS if available .
+
+--- w3m.orig/url.c
++++ w3m/url.c
+@@ -337,7 +337,15 @@ openSSLHandle(int sock, char *hostname,
+ if (strchr(ssl_forbid_method, 'T'))
+ option |= SSL_OP_NO_TLSv1;
+ }
++#ifdef SSL_OP_NO_COMPRESSION
++ option |= SSL_OP_NO_COMPRESSION;
++#endif
+ SSL_CTX_set_options(ssl_ctx, option);
++
++#ifdef SSL_MODE_RELEASE_BUFFERS
++ SSL_CTX_set_mode (ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
++#endif
++
+ #ifdef USE_SSL_VERIFY
+ /* derived from openssl-0.9.5/apps/s_{client,cb}.c */
+ #if 1 /* use SSL_get_verify_result() to verify cert */