-rw-r--r--debian/patches/260_openssl.patch29
-rw-r--r--debian/patches/series1
2 files changed, 30 insertions, 0 deletions
diff --git a/debian/patches/260_openssl.patch b/debian/patches/260_openssl.patch
new file mode 100644
index 0000000..85c32c8
--- /dev/null
+++ b/debian/patches/260_openssl.patch
@@ -0,0 +1,29 @@
+Subject: OpenSSL issues
+Author: Cristian Rodriguez <crrodriguez@opensuse.org>
+Origin: https://build.opensuse.org/request/show/141054
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2012-4929
+
+ Mon Nov 12 18:26:45 UTC 2012 - crrodriguez@opensuse.org
+ - Due to the "CRIME attack" (CVE-2012-4929) HTTPS clients
+ that negotiate TLS-level compression can be abused for
+ MITM attacks. (w3m-openssl.patch)
+ - Use SSL_MODE_RELEASE_BUFFERS if available .
+
+--- w3m.orig/url.c
++++ w3m/url.c
+@@ -337,7 +337,15 @@ openSSLHandle(int sock, char *hostname,
+ if (strchr(ssl_forbid_method, 'T'))
+ option |= SSL_OP_NO_TLSv1;
+ }
++#ifdef SSL_OP_NO_COMPRESSION
++ option |= SSL_OP_NO_COMPRESSION;
++#endif
+ SSL_CTX_set_options(ssl_ctx, option);
++
++#ifdef SSL_MODE_RELEASE_BUFFERS
++ SSL_CTX_set_mode (ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
++#endif
++
+ #ifdef USE_SSL_VERIFY
+ /* derived from openssl-0.9.5/apps/s_{client,cb}.c */
+ #if 1 /* use SSL_get_verify_result() to verify cert */
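Review bot: The `#ifdef SSL_OP_NO_COMPRESSION` guard around the new `option |= SSL_OP_NO_COMPRESSION;` line means a build against an OpenSSL that lacks that option compiles cleanly with TLS compression still negotiable, so the CVE-2012-4929 mitigation is silently absent there; a comment above the block should make that visible, e.g. `/* CVE-2012-4929 (CRIME): refuse TLS-level compression; an OpenSSL without this option leaves it enabled */`. The `SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS)` addition is a memory-footprint change that is unrelated to the CVE and should carry its own one-line comment so readers do not take it for part of the fix, e.g. `/* SSL_MODE_RELEASE_BUFFERS: reduce per-connection memory; not security related */`. The DEP-3 header in the new patch file has Origin and Bug-Debian but no Forwarded field, so whether upstream w3m received this change is not recorded. The openSSLHandle body that the inner patch modifies starts and ends outside the quoted hunk.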
diff --git a/debian/patches/series b/debian/patches/series
index 6003d51..910ff9a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -24,4 +24,5 @@
230_cygwin-lang.patch
240_win64gc.patch
250_schemebug.patch
+260_openssl.patch
900_ChangeLog.patch