[Pkg-openssl-changes] r705 - in openssl/branches/wheezy/debian: . patches
Kurt Roeckx
kroeckx at moszumanska.debian.org
Wed Dec 31 12:43:43 UTC 2014
Author: kroeckx
Date: 2014-12-31 12:43:43 +0000 (Wed, 31 Dec 2014)
New Revision: 705
Added:
openssl/branches/wheezy/debian/patches/disable_sslv3.patch
Modified:
openssl/branches/wheezy/debian/changelog
openssl/branches/wheezy/debian/patches/series
Log:
Disable SSLv3 by default.
Modified: openssl/branches/wheezy/debian/changelog
===================================================================
--- openssl/branches/wheezy/debian/changelog 2014-11-06 23:51:57 UTC (rev 704)
+++ openssl/branches/wheezy/debian/changelog 2014-12-31 12:43:43 UTC (rev 705)
@@ -1,3 +1,13 @@
+openssl (1.0.1e-2+deb7u14) wheezy-security; urgency=medium
+
+ * Disable SSLv3 by default. It can be enabled again by calling
+ SSL_CTX_clear_options() or SSL_clear_options() with SSL_OP_NO_SSLv3.
+ It can also be enabled again by setting OPENSSL_ALLOW_SSLv3 in the
+ environment to anything.
+ This fixes the POODLE issue (CVE-2014-3566).
+
+ -- Kurt Roeckx <kurt at roeckx.be> Wed, 31 Dec 2014 13:32:39 +0100
+
openssl (1.0.1e-2+deb7u13) wheezy-security; urgency=medium
* Fixes CVE-2014-3513
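Review bot: the changelog entry's description of the OPENSSL_ALLOW_SSLv3 override is incomplete on two points that matter to admins reading it. The patch tests `getenv("OPENSSL_ALLOW_SSLv3") == NULL` inside SSL_CTX_new(), so "set to anything" includes the empty string, and the variable must be present in the process environment before any SSL_CTX is created, since later changes are not noticed; both are worth a sentence. It would also help to say plainly that this is a default change rather than a protocol fix, so applications that call SSL_CTX_clear_options()/SSL_clear_options() with SSL_OP_NO_SSLv3 will still negotiate SSLv3 and remain exposed to CVE-2014-3566.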
Added: openssl/branches/wheezy/debian/patches/disable_sslv3.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/disable_sslv3.patch (rev 0)
+++ openssl/branches/wheezy/debian/patches/disable_sslv3.patch 2014-12-31 12:43:43 UTC (rev 705)
@@ -0,0 +1,14 @@
+diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
+index d09bb7d..bc3cbc7 100644
+--- a/ssl/ssl_lib.c
++++ b/ssl/ssl_lib.c
+@@ -2060,6 +2060,9 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
+ */
+ ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
+
++ if (getenv("OPENSSL_ALLOW_SSLv3") == NULL)
++ ret->options |= SSL_OP_NO_SSLv3;
++
+ return(ret);
+ err:
+ SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE);
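Review bot: the new `getenv("OPENSSL_ALLOW_SSLv3")` check in SSL_CTX_new() consults the inherited environment unconditionally, so for setuid or otherwise privileged programs linked against libssl the unprivileged caller's environment decides whether SSLv3 comes back; consider skipping the lookup when the process is setuid/setgid (the same kind of guard other environment-driven behaviour in the library needs) or documenting that the override is deliberately honoured everywhere. A smaller point: the patch file carries no DEP-3 header (Description, Origin/Author, Bug-Debian, Forwarded), so the rationale and the CVE reference live only in the changelog; adding a header above the `diff --git` line keeps that context with the patch itself.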
Modified: openssl/branches/wheezy/debian/patches/series
===================================================================
--- openssl/branches/wheezy/debian/patches/series 2014-11-06 23:51:57 UTC (rev 704)
+++ openssl/branches/wheezy/debian/patches/series 2014-12-31 12:43:43 UTC (rev 705)
@@ -72,4 +72,5 @@
Fix-for-SRTP-Memory-Leak.patch
Fix-for-session-tickets-memory-leak.patch
Fix-no-ssl3-configuration-option.patch
+disable_sslv3.patch
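Review bot: appending the patch last is correct for quilt, since it must apply after Fix-no-ssl3-configuration-option.patch, but the file name `disable_sslv3.patch` breaks the Capitalised-hyphenated naming used by the neighbouring entries; renaming it to something like Disable-SSLv3-by-default.patch keeps the series consistent.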