diff options
Diffstat (limited to 'debian/patches/260_openssl.patch')
| -rw-r--r-- | debian/patches/260_openssl.patch | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/debian/patches/260_openssl.patch b/debian/patches/260_openssl.patch new file mode 100644 index 0000000..85c32c8 --- /dev/null +++ b/debian/patches/260_openssl.patch @@ -0,0 +1,29 @@ +Subject: OpenSSL issues +Author: Cristian Rodriguez <crrodriguez@opensuse.org> +Origin: https://build.opensuse.org/request/show/141054 +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2012-4929 + + Mon Nov 12 18:26:45 UTC 2012 - crrodriguez@opensuse.org + - Due to the "CRIME attack" (CVE-2012-4929) HTTPS clients + that negotiate TLS-level compression can be abused for + MITM attacks. (w3m-openssl.patch) + - Use SSL_MODE_RELEASE_BUFFERS if available . + +--- w3m.orig/url.c ++++ w3m/url.c +@@ -337,7 +337,15 @@ openSSLHandle(int sock, char *hostname, + if (strchr(ssl_forbid_method, 'T')) + option |= SSL_OP_NO_TLSv1; + } ++#ifdef SSL_OP_NO_COMPRESSION ++ option |= SSL_OP_NO_COMPRESSION; ++#endif + SSL_CTX_set_options(ssl_ctx, option); ++ ++#ifdef SSL_MODE_RELEASE_BUFFERS ++ SSL_CTX_set_mode (ssl_ctx, SSL_MODE_RELEASE_BUFFERS); ++#endif ++ + #ifdef USE_SSL_VERIFY + /* derived from openssl-0.9.5/apps/s_{client,cb}.c */ + #if 1 /* use SSL_get_verify_result() to verify cert */ |