Hello community,

here is the log from the commit of package links for openSUSE:Factory checked 
in at 2013-02-25 20:37:30
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/links (Old)
 and      /work/SRC/openSUSE:Factory/.links.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "links", Maintainer is "[email protected]"

Changes:
--------
--- /work/SRC/openSUSE:Factory/links/links.changes      2012-05-25 
16:16:43.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.links.new/links.changes 2013-02-25 
20:37:31.000000000 +0100
@@ -1,0 +2,23 @@
+Mon Feb 11 01:25:09 UTC 2013 - [email protected]
+
+- Extend configure.diff so _GNU_SOURCE and largefile Support
+ is tested properly
+
+- expand inks-nosslcomp.patch to fix other misuses of the openssl
+  API including TLSv1 being disabled (with the wrong API too)
+
+- build with SSL_NO_INTERN so we can escape ABI breaks in future 
+  openSSL versions
+
+-------------------------------------------------------------------
+Mon Feb 11 00:24:37 UTC 2013 - [email protected]
+
+- links was used to demonstrate bnc#803004 
+   "openSSL 1.0.1d breaks most, if not all, SSL connections" 
+It also turns out that links is not doing SSL stuff quite right..
+HTTPS clients must not negotiate SSL compression which is compromised
+since CVE-2012-4929 (aka. the CRIME attack) and should not even
+try to use SSLv2 either which is broken since a very long time
+(links-nosslcomp.patch)
+
+-------------------------------------------------------------------

New:
----
  links-nosslcomp.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ links.spec ++++++
--- /var/tmp/diff_new_pack.4z1QNf/_old  2013-02-25 20:37:33.000000000 +0100
+++ /var/tmp/diff_new_pack.4z1QNf/_new  2013-02-25 20:37:33.000000000 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package links
 #
-# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -36,6 +36,7 @@
 Group:          Productivity/Networking/Web/Browsers
 Source:         links-%{version}.tar.bz2
 Patch2:         configure.diff
+Patch3:         links-nosslcomp.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -53,10 +54,10 @@
 %prep
 %setup -q -n links-%{version}
 %patch2
-
+%patch3
 %build
 autoreconf -ifv
-CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing -pipe"
+CFLAGS="$RPM_OPT_FLAGS -DOPENSSL_NO_SSL_INTERN -fno-strict-aliasing -pipe"
 %configure \
        --with-fb --with-ssl \
        --with-x --enable-graphics --with-pic
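Review bot: The `-DOPENSSL_NO_SSL_INTERN` define added to CFLAGS has no explanation in the spec, and the changelog entry calls it by a different name (`SSL_NO_INTERN`). A comment above the CFLAGS line, such as `# hide OpenSSL struct internals so direct field access fails at build time`, would tell a later packager why it must not be dropped. The hunk also removes the blank line that separated the `%prep` steps from `%build`, which makes the section boundary harder to spot.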

++++++ configure.diff ++++++
--- /var/tmp/diff_new_pack.4z1QNf/_old  2013-02-25 20:37:33.000000000 +0100
+++ /var/tmp/diff_new_pack.4z1QNf/_new  2013-02-25 20:37:33.000000000 +0100
@@ -1,12 +1,16 @@
---- configure.in       2005/08/15 11:48:12     1.1
-+++ configure.in       2005/08/15 11:48:19
-@@ -18,7 +18,7 @@
+--- configure.in.orig
++++ configure.in
+@@ -16,9 +16,11 @@ image_formats="GIF PNG XBM"
+ AM_CONFIG_HEADER(config.h)
+ 
  dnl Checks for programs.
- AC_PROG_CC
+-AC_PROG_CC
++AC_PROG_CC_STDC
++AC_USE_SYSTEM_EXTENSIONS
++AC_SYS_LARGEFILE
  
 -#AC_PROG_CXX
 +AC_PROG_CXX
  #AC_PROG_AWK
  #AM_PROG_LEX
  #AC_PROG_YACC
-

++++++ links-nosslcomp.patch ++++++
--- https.c.orig
+++ https.c
@@ -44,7 +44,23 @@ SSL *getSSL(void)
                if (!m) return NULL;
                context = SSL_CTX_new((void *)m);
                if (!context) return NULL;
-               SSL_CTX_set_options(context, SSL_OP_ALL);
+               SSL_CTX_set_options(context, SSL_OP_ALL | SSL_OP_NO_SSLv2);
+
+#ifdef SSL_OP_NO_COMPRESSION
+        SSL_CTX_set_options(context, SSL_OP_NO_COMPRESSION);
+#endif
+
+#ifdef SSL_OP_NO_TICKET
+        SSL_CTX_set_options(context, SSL_OP_NO_TICKET);
+#endif
+#ifdef SSL_MODE_RELEASE_BUFFERS
+        SSL_CTX_set_mode(context, SSL_MODE_RELEASE_BUFFERS);
+#endif
+
+#ifdef SSL_MODE_AUTO_RETRY
+        SSL_CTX_set_mode(context, SSL_MODE_AUTO_RETRY);
+#endif
+
                SSL_CTX_set_default_verify_paths(context);
 /* needed for systems without /dev/random, but obviously kills security. */
                /*{
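Review bot: `SSL_OP_ALL` is kept in the first `SSL_CTX_set_options` call, and in OpenSSL 1.0.x that mask includes `SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS`, which switches off the empty-fragment countermeasure for the CBC IV weakness in SSLv3/TLS 1.0. For a change meant to harden the client against CRIME it is worth clearing that bit, e.g. `SSL_CTX_set_options(context, (SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) | SSL_OP_NO_SSLv2);`. The added `SSL_OP_NO_TICKET` and `SSL_MODE_AUTO_RETRY` lines are not mentioned in the changelog and each deserves a one-line comment saying why it is set; `SSL_MODE_AUTO_RETRY` only affects blocking sockets, and the `SSL_ERROR_WANT_READ` handling in the connect.c hunks suggests the handshake is driven non-blocking. The new lines also appear to be indented differently from the surrounding code. getSSL's body starts and ends outside the hunk, so whether peer verification is enabled cannot be seen from here.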
--- connect.c.orig
+++ connect.c
@@ -184,9 +184,6 @@ static void ssl_want_read(struct connect
 
        set_timeout(c);
 
-#ifndef HAVE_NSS
-       if (c->no_tsl) c->ssl->options |= SSL_OP_NO_TLSv1;
-#endif
        switch (SSL_get_error(c->ssl, SSL_connect(c->ssl))) {
                case SSL_ERROR_NONE:
                        c->newconn = NULL;
@@ -374,9 +371,6 @@ static void connected(struct connection
                        goto ssl_error;
                }
                SSL_set_fd(c->ssl, *b->sock);
-#ifndef HAVE_NSS
-               if (c->no_tsl) c->ssl->options |= SSL_OP_NO_TLSv1;
-#endif
                switch (SSL_get_error(c->ssl, SSL_connect(c->ssl))) {
                        case SSL_ERROR_WANT_READ:
                                setcstate(c, S_SSL_NEG);