Bug#873519: jessie-pu: package freerdp/1.1.0~git20140921.1.440916e+dfsg1-4+deb8u2
Mike Gabriel
mike.gabriel at das-netzwerkteam.de
Mon Aug 28 17:05:59 UTC 2017
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org at packages.debian.org
Usertags: pu
This request for accepting a freerdp jessie-pu correlates to
https://bugs.debian.org/871943
Quoting myself from the stretch-pu:
```
We received a helpful patch from FreeRDP upstream for the still supported
FreeRDP 1.1 version we ship in Debian.
[PATCH 1/1] enable TLS 1+
Currently TLS version 1.0 is used implicitly by using the TLSv1_method.
To be able to also use TLS 1.1 and later use SSLv23_client_method
instead. To make sure SSLv2 or SSLv3 isn't used disable them.
A .debdiff has been attached.
A +/- identical upload could be done for jessie-updates, too. The
upstream versions are the same, the patch level is slightly different.
Shall I file an extra bug report for that?
```
-- System Information:
Debian Release: 9.1
APT prefers stable
APT policy: (990, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
-------------- next part --------------
diff -Nru freerdp-1.1.0~git20140921.1.440916e+dfsg1/debian/changelog freerdp-1.1.0~git20140921.1.440916e+dfsg1/debian/changelog
--- freerdp-1.1.0~git20140921.1.440916e+dfsg1/debian/changelog 2017-07-28 11:12:43.000000000 +0200
+++ freerdp-1.1.0~git20140921.1.440916e+dfsg1/debian/changelog 2017-08-28 18:56:18.000000000 +0200
@@ -1,3 +1,11 @@
+freerdp (1.1.0~git20140921.1.440916e+dfsg1-4+deb8u2) jessie-proposed-updates; urgency=medium
+
+ [ Bernhard Miklautz ]
+ * debian/patches:
+ + Add 0009-enable-TLS-12.patch. Enable TLS 1+ support. (Closes: #871478).
+
+ -- Mike Gabriel <sunweaver at debian.org> Mon, 28 Aug 2017 18:56:18 +0200
+
freerdp (1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1) jessie-security; urgency=high
[ Bernhard Miklautz ]
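Review bot: The changelog line "Enable TLS 1+ support" misdescribes the change. Per the patch's own message, TLS 1.0 was already in use, so what is new is negotiation of TLS 1.1 and later, plus the explicit disabling of SSLv2 and SSLv3. Suggest wording along the lines of "Allow negotiation of TLS 1.1 and later; explicitly disable SSLv2 and SSLv3", which also tells stable users that the legacy protocols do not become reachable through the method switch. The patch file name says TLS-12 while the entry says TLS 1+; using one term in both places would make the entry easier to search.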
diff -Nru freerdp-1.1.0~git20140921.1.440916e+dfsg1/debian/patches/0009-enable-TLS-12.patch freerdp-1.1.0~git20140921.1.440916e+dfsg1/debian/patches/0009-enable-TLS-12.patch
--- freerdp-1.1.0~git20140921.1.440916e+dfsg1/debian/patches/0009-enable-TLS-12.patch 1970-01-01 01:00:00.000000000 +0100
+++ freerdp-1.1.0~git20140921.1.440916e+dfsg1/debian/patches/0009-enable-TLS-12.patch 2017-08-28 18:55:20.000000000 +0200
@@ -0,0 +1,38 @@
+From 3ba81cbd5a59434f3053665e9fc4a432afd0db20 Mon Sep 17 00:00:00 2001
+From: Bernhard Miklautz <bernhard.miklautz at shacknet.at>
+Date: Thu, 10 Aug 2017 09:31:21 +0200
+Subject: [PATCH 1/1] enable TLS 1+
+
+Currently TLS version 1.0 is used implicitly by using the TLSv1_method.
+To be able to also use TLS 1.1 and later use SSLv23_client_method
+instead. To make sure SSLv2 or SSLv3 isn't used disable them.
+
+cherry-picked from aa80f63b4ab19101cbdc376f7e0613ed410fee11
+---
+ libfreerdp/crypto/tls.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/libfreerdp/crypto/tls.c
++++ b/libfreerdp/crypto/tls.c
+@@ -102,7 +102,7 @@
+ int connection_status;
+ char *hostname;
+
+- tls->ctx = SSL_CTX_new(TLSv1_client_method());
++ tls->ctx = SSL_CTX_new(SSLv23_client_method());
+
+ if (tls->ctx == NULL)
+ {
+@@ -141,6 +141,12 @@
+ */
+ options |= SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+
++ /**
++ * disable SSLv2 and SSLv3
++ */
++ options |= SSL_OP_NO_SSLv2;
++ options |= SSL_OP_NO_SSLv3;
++
+ SSL_CTX_set_options(tls->ctx, options);
+
+ tls->ssl = SSL_new(tls->ctx);
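Review bot: In the inner hunk at @@ -141, the two SSL_OP_NO_* bits become the only thing setting the protocol floor, because SSLv23_client_method() from the hunk at @@ -102 negotiates whatever versions the linked OpenSSL offers. The comment "disable SSLv2 and SSLv3" should say that these options are required by the method change, so nobody later trims them as redundant. It would also help to state in the comment or the patch description that TLS 1.0 stays enabled on purpose. For the Debian patch header, consider DEP-3 fields (an Origin field carrying the upstream commit from the cherry-picked line, and a Bug-Debian field) so that the provenance is machine-readable.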
diff -Nru freerdp-1.1.0~git20140921.1.440916e+dfsg1/debian/patches/series freerdp-1.1.0~git20140921.1.440916e+dfsg1/debian/patches/series
--- freerdp-1.1.0~git20140921.1.440916e+dfsg1/debian/patches/series 2017-07-28 11:11:23.000000000 +0200
+++ freerdp-1.1.0~git20140921.1.440916e+dfsg1/debian/patches/series 2017-08-28 18:55:20.000000000 +0200
@@ -11,3 +11,4 @@
0002_handle-old-style-cmdline-options.patch
0003_copy-data-when-adding-glyph-to-cache.patch
0008-Fix-multiple-security-issues.patch
+0009-enable-TLS-12.patch