[Pkg-openssl-changes] r682 - in openssl/branches/squeeze/debian: . patches

Kurt Roeckx kroeckx at moszumanska.debian.org
Thu Jun 19 21:40:24 UTC 2014


Author: kroeckx
Date: 2014-06-19 21:40:24 +0000 (Thu, 19 Jun 2014)
New Revision: 682

Added:
   openssl/branches/squeeze/debian/patches/CVE-2012-4929.patch
Modified:
   openssl/branches/squeeze/debian/changelog
   openssl/branches/squeeze/debian/patches/series
Log:
Fix CVE-2012-4929 (CRiME)


Modified: openssl/branches/squeeze/debian/changelog
===================================================================
--- openssl/branches/squeeze/debian/changelog	2014-06-19 21:36:04 UTC (rev 681)
+++ openssl/branches/squeeze/debian/changelog	2014-06-19 21:40:24 UTC (rev 682)
@@ -2,8 +2,11 @@
 
   * Update CVE-2014-0224 patch: Accept CCS after sending finished.
     (Closes: #751093)
+  * Fix CVE-2012-4929 (CRiME) by disabling zlib compression by default.
+    It can be enabled again by setting the environment variable
+    OPENSSL_NO_DEFAULT_ZLIB.  (Closes: #728055)
 
- -- Kurt Roeckx <kurt at roeckx.be>  Thu, 19 Jun 2014 23:25:00 +0200
+ -- Kurt Roeckx <kurt at roeckx.be>  Thu, 19 Jun 2014 23:39:43 +0200
 
 openssl (0.9.8o-4squeeze15) squeeze-lts; urgency=medium
 
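Review bot: the behaviour described on the added changelog lines is the reverse of what CVE-2012-4929.patch in this revision implements: the patch's new condition `getenv("OPENSSL_NO_DEFAULT_ZLIB") == NULL` registers the zlib method only when the variable is unset, so with nothing set zlib is still loaded (not "disabled by default"), and setting OPENSSL_NO_DEFAULT_ZLIB turns it off rather than "enabling it again". Either invert the check in the patch to an opt-in test, or reword the entry so the variable name and its effect match the code; as committed, an administrator reading the changelog will leave compression enabled while believing it is off.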

Added: openssl/branches/squeeze/debian/patches/CVE-2012-4929.patch
===================================================================
--- openssl/branches/squeeze/debian/patches/CVE-2012-4929.patch	                        (rev 0)
+++ openssl/branches/squeeze/debian/patches/CVE-2012-4929.patch	2014-06-19 21:40:24 UTC (rev 682)
@@ -0,0 +1,17 @@
+Subject: Disable zlib compression by default
+
+This fixes CVE-2012-4929 (CRiME).
+
+Index: openssl-1.0.1e/ssl/ssl_ciph.c
+===================================================================
+--- openssl-1.0.1e.orig/ssl/ssl_ciph.c
++++ openssl-1.0.1e/ssl/ssl_ciph.c
+@@ -455,7 +455,7 @@ static void load_builtin_compressions(vo
+ 
+ 			MemCheck_off();
+ 			ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp);
+-			if (ssl_comp_methods != NULL)
++			if (ssl_comp_methods != NULL && getenv("OPENSSL_NO_DEFAULT_ZLIB") == NULL)
+ 				{
+ 				comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
+ 				if (comp != NULL)
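Review bot: the added test `getenv("OPENSSL_NO_DEFAULT_ZLIB") == NULL` does not achieve what the Subject line "Disable zlib compression by default" states: when the variable is absent (the default) the condition is true and zlib is added to ssl_comp_methods exactly as before, so the CRIME exposure is unchanged unless every affected process has the variable set in its environment. The fix is to make loading opt-in, i.e. only add the method when a variable is present (`!= NULL`), and name the variable accordingly. Separately, the Index and --- / +++ paths refer to openssl-1.0.1e while this branch is squeeze's 0.9.8o (see the changelog hunk above); confirm the hunk context in 0.9.8o's ssl/ssl_ciph.c still matches, and consider adding a Bug-Debian header for #728055 next to the Subject line.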

Modified: openssl/branches/squeeze/debian/patches/series
===================================================================
--- openssl/branches/squeeze/debian/patches/series	2014-06-19 21:36:04 UTC (rev 681)
+++ openssl/branches/squeeze/debian/patches/series	2014-06-19 21:40:24 UTC (rev 682)
@@ -45,3 +45,4 @@
 CVE-2014-0221.patch
 CVE-2014-3470.patch
 CVE-2014-0224.patch
+CVE-2012-4929.patch
