aboutsummaryrefslogtreecommitdiffstats
path: root/debian
diff options
context:
space:
mode:
authorTatsuya Kinoshita <tats@debian.org>2014-10-15 10:10:39 +0000
committerTatsuya Kinoshita <tats@debian.org>2014-10-15 11:07:02 +0000
commitd679aee471301f3321a223d0180fb26787be8e2f (patch)
tree4a02566bb0ed28816746b24fae73e279360bccc4 /debian
parentDebian release 0.5.3-17 (diff)
downloadw3m-d679aee471301f3321a223d0180fb26787be8e2f.tar.gz
w3m-d679aee471301f3321a223d0180fb26787be8e2f.zip
New patch 340_ssl-init.patch to disable SSLv3 [CVE-2014-3566]
Diffstat (limited to '')
-rw-r--r--debian/patches/340_ssl-init.patch50
-rw-r--r--debian/patches/series1
2 files changed, 51 insertions, 0 deletions
diff --git a/debian/patches/340_ssl-init.patch b/debian/patches/340_ssl-init.patch
new file mode 100644
index 0000000..b47bbb6
--- /dev/null
+++ b/debian/patches/340_ssl-init.patch
@@ -0,0 +1,50 @@
+Subject: Force ssl_verify_server on, and disable SSLv2 and SSLv3
+Author: Ludwig Nussel <ludwig.nussel@suse.de>, Tatsuya Kinoshita <tats@debian.org>
+Origin: http://www.openwall.com/lists/oss-security/2010/06/14/4
+
+ Update README.SSL to follow default values
+
+ Disable SSLv3 by default [CVE-2014-3566]
+ cf. https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
+
+ Force ssl_verify_server on and disable SSLv2 support
+ Origin: http://www.openwall.com/lists/oss-security/2010/06/14/4
+
+diff --git a/doc-jp/README.SSL b/doc-jp/README.SSL
+index 4aedfde..670ed5f 100644
+--- a/doc-jp/README.SSL
++++ b/doc-jp/README.SSL
+@@ -25,9 +25,9 @@ SSL
+
+ ssl_forbid_method
+ 使わないSSLメソッドのリスト(2: SSLv2, 3: SSLv3, t: TLSv1)
+- (デフォルトは<NULL>).
++ (デフォルトは2, 3).
+ ssl_verify_server ON/OFF
+- SSLのサーバ認証を行う(デフォルトはOFF).
++ SSLのサーバ認証を行う(デフォルトはON).
+ ssl_cert_file ファイル名
+ SSLのクライアント用PEM形式証明書ファイル(デフォルトは<NULL>).
+ ssl_key_file ファイル名
+diff --git a/fm.h b/fm.h
+index 8378939..ddcd4fc 100644
+--- a/fm.h
++++ b/fm.h
+@@ -1135,7 +1135,7 @@ global int view_unseenobject init(TRUE);
+ #endif
+
+ #if defined(USE_SSL) && defined(USE_SSL_VERIFY)
+-global int ssl_verify_server init(FALSE);
++global int ssl_verify_server init(TRUE);
+ global char *ssl_cert_file init(NULL);
+ global char *ssl_key_file init(NULL);
+ global char *ssl_ca_path init(NULL);
+@@ -1144,7 +1144,7 @@ global int ssl_path_modified init(FALSE);
+ #endif /* defined(USE_SSL) &&
+ * defined(USE_SSL_VERIFY) */
+ #ifdef USE_SSL
+-global char *ssl_forbid_method init(NULL);
++global char *ssl_forbid_method init("2, 3");
+ #endif
+
+ global int is_redisplay init(FALSE);
diff --git a/debian/patches/series b/debian/patches/series
index e7e1572..badec89 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -32,4 +32,5 @@
310_doc-ascii.patch
320_imlib2-config.patch
330_Disable-weak-ciphers.patch
+340_ssl-init.patch
900_ChangeLog.patch