[Pkg-openssl-changes] r679 - in openssl/branches/wheezy/debian: . patches

Kurt Roeckx kroeckx at moszumanska.debian.org
Sun Jun 15 11:30:23 UTC 2014


Author: kroeckx
Date: 2014-06-15 11:30:22 +0000 (Sun, 15 Jun 2014)
New Revision: 679

Added:
   openssl/branches/wheezy/debian/patches/CVE-2012-4929.patch
Modified:
   openssl/branches/wheezy/debian/changelog
   openssl/branches/wheezy/debian/patches/series
Log:
Fix CVE-2012-4929 (CRiME)


Modified: openssl/branches/wheezy/debian/changelog
===================================================================
--- openssl/branches/wheezy/debian/changelog	2014-06-15 10:38:14 UTC (rev 678)
+++ openssl/branches/wheezy/debian/changelog	2014-06-15 11:30:22 UTC (rev 679)
@@ -1,7 +1,10 @@
 openssl (1.0.1e-2+deb7u11) wheezy-security; urgency=medium
 
-  * Update fix for CVE-2014-0224 to work with more renegiotation
-    and resumption cases. (Closes: #751093)
+  * Update fix for CVE-2014-0224 to work with more renegiotation and
+    resumption cases. (Closes: #751093)
+  * Fix CVE-2012-4929 (CRiME) by disabling zlib compression by default.
+    It can be enabled again by setting the environment variable
+    OPENSSL_NO_DEFAULT_ZLIB.  (Closes: #728055)
 
  -- Kurt Roeckx <kurt at roeckx.be>  Sun, 15 Jun 2014 12:31:21 +0200
 
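
Review bot: the second sentence of the new entry says compression "can be enabled again by setting the environment variable OPENSSL_NO_DEFAULT_ZLIB", but a variable named NO_DEFAULT_ZLIB reads as one that turns zlib off, and the condition added by CVE-2012-4929.patch in this same revision (getenv("OPENSSL_NO_DEFAULT_ZLIB") == NULL) registers zlib only while the variable is unset. Either the entry should be reworded to describe what the code does, or the code should change to match the entry; as written, an administrator reading this changelog would conclude that TLS compression is off by default. Separately, "renegiotation" in the rewrapped line is a typo for "renegotiation".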

Added: openssl/branches/wheezy/debian/patches/CVE-2012-4929.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/CVE-2012-4929.patch	                        (rev 0)
+++ openssl/branches/wheezy/debian/patches/CVE-2012-4929.patch	2014-06-15 11:30:22 UTC (rev 679)
@@ -0,0 +1,17 @@
+Subject: Disable zlib compression by default
+
+This fixes CVE-2012-4929 (CRiME).
+
+Index: openssl-1.0.1e/ssl/ssl_ciph.c
+===================================================================
+--- openssl-1.0.1e.orig/ssl/ssl_ciph.c
++++ openssl-1.0.1e/ssl/ssl_ciph.c
+@@ -455,7 +455,7 @@ static void load_builtin_compressions(vo
+ 
+ 			MemCheck_off();
+ 			ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp);
+-			if (ssl_comp_methods != NULL)
++			if (ssl_comp_methods != NULL && getenv("OPENSSL_NO_DEFAULT_ZLIB") == NULL)
+ 				{
+ 				comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
+ 				if (comp != NULL)
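
Review bot: the added test in load_builtin_compressions(), getenv("OPENSSL_NO_DEFAULT_ZLIB") == NULL, still takes the branch that allocates and registers the zlib SSL_COMP whenever the variable is unset, so compression stays on by default and is switched off only when the variable is set. That is the opposite of the Subject line "Disable zlib compression by default" and of the changelog text. If the default is meant to be off, the comparison needs to be != NULL and the variable should get a name that reads as opt-in; if opt-out is what is intended, the Subject and changelog should say so. If the test is inverted to opt-in, it is also worth a comment on whether the variable should be honoured when the environment is controlled by a less privileged caller, since it would then re-enable the behaviour this patch is meant to remove.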

Modified: openssl/branches/wheezy/debian/patches/series
===================================================================
--- openssl/branches/wheezy/debian/patches/series	2014-06-15 10:38:14 UTC (rev 678)
+++ openssl/branches/wheezy/debian/patches/series	2014-06-15 11:30:22 UTC (rev 679)
@@ -52,3 +52,4 @@
 CVE-2014-3470.patch
 CVE-2014-0195.patch
 CVE-2014-0221.patch
+CVE-2012-4929.patch



