Subject: OpenSSL issues Author: Cristian Rodriguez Origin: https://build.opensuse.org/request/show/141054 Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2012-4929 Mon Nov 12 18:26:45 UTC 2012 - crrodriguez@opensuse.org - Due to the "CRIME attack" (CVE-2012-4929) HTTPS clients that negotiate TLS-level compression can be abused for MITM attacks. (w3m-openssl.patch) - Use SSL_MODE_RELEASE_BUFFERS if available . --- w3m.orig/url.c +++ w3m/url.c @@ -337,7 +337,15 @@ openSSLHandle(int sock, char *hostname, if (strchr(ssl_forbid_method, 'T')) option |= SSL_OP_NO_TLSv1; } +#ifdef SSL_OP_NO_COMPRESSION + option |= SSL_OP_NO_COMPRESSION; +#endif SSL_CTX_set_options(ssl_ctx, option); + +#ifdef SSL_MODE_RELEASE_BUFFERS + SSL_CTX_set_mode (ssl_ctx, SSL_MODE_RELEASE_BUFFERS); +#endif + #ifdef USE_SSL_VERIFY /* derived from openssl-0.9.5/apps/s_{client,cb}.c */ #if 1 /* use SSL_get_verify_result() to verify cert */
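Review bot: the CRIME mitigation is silently dropped on OpenSSL builds that do not define SSL_OP_NO_COMPRESSION, because the `#ifdef SSL_OP_NO_COMPRESSION` guard simply omits the option and TLS-level compression stays negotiable; add an `#else` branch with a `#warning` (or a note in the patch header stating the OpenSSL version this requires) so packagers building against an older library know the CVE-2012-4929 fix is not in effect. Minor style point in the second added block: `SSL_CTX_set_mode (ssl_ctx, SSL_MODE_RELEASE_BUFFERS);` has a space before the parenthesis, unlike the adjacent `SSL_CTX_set_options(ssl_ctx, option);`.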