Hello community, here is the log from the commit of package libqt4 for openSUSE:Factory checked in at 2016-02-17 10:32:26 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libqt4 (Old) and /work/SRC/openSUSE:Factory/.libqt4.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libqt4"
Changes:
--------
--- /work/SRC/openSUSE:Factory/libqt4/libqt4-devel-doc.changes 2015-05-24 19:30:34.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.libqt4.new/libqt4-devel-doc.changes 2016-02-17 12:14:35.000000000 +0100
@@ -1,0 +2,37 @@
+Thu Feb 11 14:45:23 UTC 2016 - [email protected]
+
+- Explicitely build with -std=gnu++98. [bnc#964458]
+
+-------------------------------------------------------------------
+Wed Feb 10 12:28:49 UTC 2016 - [email protected]
+
+- Added 0001-Fix-exclusion-of-anonymous-ciphers.patch from upstream
+ to disable exp-adh and aecdh ciphers.
+- Added disable-rc4-ciphers-bnc865241.diff to disable <128 bits and
+ RC4 based ciphers which are now considered insecure. This
+ makes konqueror pass the https://www.howsmyssl.com test (bnc#865241)
+
+-------------------------------------------------------------------
+Thu May 28 21:45:10 UTC 2015 - [email protected]
+
+- update to 4.8.7:
+ * see http://download.qt.io/official_releases/qt/4.8/4.8.7/changes-4.8.7
+
+- remove 0001-Don-t-crash-on-broken-GIF-images.patch,
+ 0001-Don-t-leak-RENDER-Pictures-in-QPixmap-paintEngine.patch,
+ 0001-Fix-DateTime-with-recent-versions-of-tzdata.patch,
+ 0001-Fix-crash-when-deleting-top-level-windows-embedded-i.patch,
+ 0001-Fixes-crash-in-gif-image-decoder.patch,
+ 0001-Ignore-expired-certificate-during-certificate-valida.patch,
+ 0001-Memory-and-file-descriptor-leak-in-QFontCache.patch,
+ 0001-QDbus-Fix-a-b-comparison.patch,
+ 0001-QDeclarativeTextEdit-fix-use-of-uninitialised-value.patch,
+ 0001-QPdf-addImage-avoid-a-QImage-detach-when-it-s-in-an-.patch,
+ 0001-QSslCertificate-blacklist-NIC-certificates-from-Indi.patch,
+ 0002-Fixes-crash-in-bmp-and-ico-image-decoding.patch,
+ fix-a-division-by-zero.patch,
+ fix-detection-of-GCC5.patch,
+ fix-upload-corruptions-when-server-closes-connection.patch:
+ * upstreamed
+
+-------------------------------------------------------------------
libqt4-sql-plugins.changes: same change
--- /work/SRC/openSUSE:Factory/libqt4/libqt4.changes 2015-06-03 08:15:29.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.libqt4.new/libqt4.changes 2016-02-17 12:14:35.000000000 +0100
@@ -1,0 +2,14 @@
+Thu Feb 11 14:45:23 UTC 2016 - [email protected]
+
+- Explicitely build with -std=gnu++98. [bnc#964458]
+
+-------------------------------------------------------------------
+Wed Feb 10 12:28:49 UTC 2016 - [email protected]
+
+- Added 0001-Fix-exclusion-of-anonymous-ciphers.patch from upstream
+ to disable exp-adh and aecdh ciphers.
+- Added disable-rc4-ciphers-bnc865241.diff to disable <128 bits and
+ RC4 based ciphers which are now considered insecure. This
+ makes konqueror pass the https://www.howsmyssl.com test (bnc#865241)
+
+-------------------------------------------------------------------
New:
----
0001-Fix-exclusion-of-anonymous-ciphers.patch
disable-rc4-ciphers-bnc865241.diff
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libqt4-devel-doc.spec ++++++
--- /var/tmp/diff_new_pack.Qzc6r2/_old 2016-02-17 12:14:40.000000000 +0100
+++ /var/tmp/diff_new_pack.Qzc6r2/_new 2016-02-17 12:14:40.000000000 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package libqt4-devel-doc
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -114,6 +114,10 @@
 Patch164: l-qclipboard_delay.patch
 # PATCH-FIX-OPENSUSE fix_qrasterpixmapdata_bnc847880.diff -- fix image rect copy optimization that copied "garbage" when used in qemu/cirrus (bnc#847880)
 Patch165: fix_qrasterpixmapdata_bnc847880.diff
+# PATCH-FIX-UPSTREAM 0001-Fix-exclusion-of-anonymous-ciphers.patch -- Exclude more ciphers from being used by default
+Patch166: 0001-Fix-exclusion-of-anonymous-ciphers.patch
+# PATCH-FIX-OPENSUSE disable-insecure-ciphers-bnc865241.diff -- Disable insecure ciphers (rc4, aecdh, adh, exp-adh, <128 bits)
+Patch167: disable-rc4-ciphers-bnc865241.diff
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 %define common_options --opensource -fast -no-separate-debug-info -shared -xkb -openssl-linked -xrender -xcursor -dbus-linked -xfixes -xrandr -xinerama -sm -no-nas-sound -no-rpath -system-libjpeg -system-libpng -accessibility -cups -stl -nis -system-zlib -prefix /usr -L %{_libdir} -libdir %{_libdir} -docdir %_docdir/%{base_name} -examplesdir %{_libdir}/qt4/examples -demosdir %{_libdir}/qt4/demos -plugindir %plugindir -translationdir %{_datadir}/qt4/translations -iconv -sysconfdir /etc/settings -datadir %{_datadir}/qt4/ -no-pch -reduce-relocations -exceptions -system-libtiff -glib -optimized-qmake -no-webkit -no-xmlpatterns -system-sqlite -qt3support -no-sql-mysql -importdir %plugindir/imports -xsync -xinput -gtkstyle
@@ -197,6 +201,8 @@
 %patch163 -p0
 %patch164
 %patch165 -p1
+%patch166 -p1
+%patch167 -p1
 # be sure not to use them
 rm -rf src/3rdparty/{libjpeg,freetype,libpng,zlib,libtiff,fonts}
libqt4-sql-plugins.spec: same change
++++++ libqt4.spec ++++++
--- /var/tmp/diff_new_pack.Qzc6r2/_old 2016-02-17 12:14:40.000000000 +0100
+++ /var/tmp/diff_new_pack.Qzc6r2/_new 2016-02-17 12:14:40.000000000 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package libqt4
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -136,6 +136,10 @@
 Patch164: l-qclipboard_delay.patch
 # PATCH-FIX-OPENSUSE fix_qrasterpixmapdata_bnc847880.diff -- fix image rect copy optimization that copied "garbage" when used in qemu/cirrus (bnc#847880)
 Patch165: fix_qrasterpixmapdata_bnc847880.diff
+# PATCH-FIX-UPSTREAM 0001-Fix-exclusion-of-anonymous-ciphers.patch -- Exclude more ciphers from being used by default
+Patch166: 0001-Fix-exclusion-of-anonymous-ciphers.patch
+# PATCH-FIX-OPENSUSE disable-insecure-ciphers-bnc865241.diff -- Disable insecure ciphers (rc4, aecdh, adh, exp-adh, <128 bits)
+Patch167: disable-rc4-ciphers-bnc865241.diff
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 %define common_options --opensource -fast -no-separate-debug-info -shared -xkb -openssl-linked -xrender -xcursor -dbus-linked -xfixes -xrandr -xinerama -sm -no-nas-sound -no-rpath -system-libjpeg -system-libpng -accessibility -cups -stl -nis -system-zlib -prefix /usr -L %{_libdir} -libdir %{_libdir} -docdir %_docdir/%{base_name} -examplesdir %{_libdir}/qt4/examples -demosdir %{_libdir}/qt4/demos -plugindir %plugindir -translationdir %{_datadir}/qt4/translations -iconv -sysconfdir /etc/settings -datadir %{_datadir}/qt4/ -no-pch -reduce-relocations -exceptions -system-libtiff -glib -optimized-qmake -no-webkit -no-xmlpatterns -system-sqlite -qt3support -no-sql-mysql -importdir %plugindir/imports -xsync -xinput -gtkstyle
@@ -445,6 +449,8 @@
 %patch163 -p0
 %patch164
 %patch165 -p1
+%patch166 -p1
+%patch167 -p1
 # be sure not to use them
 rm -rf src/3rdparty/{libjpeg,freetype,libpng,zlib,libtiff,fonts}
@@ -457,7 +463,7 @@
 %ifarch ppc64
 RPM_OPT_FLAGS="$RPM_OPT_FLAGS -mminimal-toc"
 %endif
-export CXXFLAGS="$CXXFLAGS $RPM_OPT_FLAGS -DOPENSSL_LOAD_CONF"
+export CXXFLAGS="$CXXFLAGS $RPM_OPT_FLAGS -DOPENSSL_LOAD_CONF -std=gnu++98"
 export CFLAGS="$CFLAGS $RPM_OPT_FLAGS -DOPENSSL_LOAD_CONF"
 export MAKEFLAGS="%{?_smp_mflags}"
 touch translations/qt_de.qm
++++++ 0001-Fix-exclusion-of-anonymous-ciphers.patch ++++++
>From 479e84dcbd0d7f1333105c495d7931f1bef3e63b Mon Sep 17 00:00:00 2001
From: "Richard J. Moore" <[email protected]>
Date: Sat, 18 Apr 2015 12:44:30 +0100
Subject: [PATCH] Fix exclusion of anonymous ciphers.
Qt attempted to exclude anonymous ciphers since they offer no MITM protection, but missed export ADH ciphers and AECDH from the exclude list.
Change-Id: Icdfa9b31643a0e9927010885c7c1d02c42460d79
Reviewed-by: Peter Hartmann <[email protected]>
---
 src/network/ssl/qsslsocket_openssl.cpp | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp
index ce98494..00b2b9e 100644
--- a/src/network/ssl/qsslsocket_openssl.cpp
+++ b/src/network/ssl/qsslsocket_openssl.cpp
@@ -662,7 +662,10 @@ void QSslSocketPrivate::resetDefaultCiphers()
 if (cipher->valid) {
 QSslCipher ciph = QSslSocketBackendPrivate::QSslCipher_from_SSL_CIPHER(cipher);
 if (!ciph.isNull()) {
- if (!ciph.name().toLower().startsWith(QLatin1String("adh")))
+ // Unconditionally exclude ADH and AECDH ciphers since they offer no MITM protection
+ if (!ciph.name().toLower().startsWith(QLatin1String("adh")) &&
+ !ciph.name().toLower().startsWith(QLatin1String("exp-adh")) &&
+ !ciph.name().toLower().startsWith(QLatin1String("aecdh")))
 ciphers << ciph;
 }
 }
--
2.6.2
++++++ disable-rc4-ciphers-bnc865241.diff ++++++
Index: qt-everywhere-opensource-src-4.8.7/src/network/ssl/qsslsocket_openssl.cpp
===================================================================
--- qt-everywhere-opensource-src-4.8.7.orig/src/network/ssl/qsslsocket_openssl.cpp
+++ qt-everywhere-opensource-src-4.8.7/src/network/ssl/qsslsocket_openssl.cpp
@@ -655,6 +655,7 @@ void QSslSocketPrivate::resetDefaultCiph
 SSL *mySsl = q_SSL_new(myCtx);
 QList<QSslCipher> ciphers;
+ QList<QSslCipher> defaultCiphers;
 STACK_OF(SSL_CIPHER) *supportedCiphers = q_SSL_get_ciphers(mySsl);
 for (int i = 0; i < q_sk_SSL_CIPHER_num(supportedCiphers); ++i) {
@@ -665,8 +666,13 @@ void QSslSocketPrivate::resetDefaultCiph
 // Unconditionally exclude ADH and AECDH ciphers since they offer no MITM protection
 if (!ciph.name().toLower().startsWith(QLatin1String("adh")) &&
 !ciph.name().toLower().startsWith(QLatin1String("exp-adh")) &&
- !ciph.name().toLower().startsWith(QLatin1String("aecdh")))
+ !ciph.name().toLower().startsWith(QLatin1String("aecdh"))) {
 ciphers << ciph;
+
+ if (ciph.usedBits() >= 128 &&
+ !ciph.encryptionMethod().toLower().startsWith(QLatin1String("rc4")))
+ defaultCiphers << ciph;
+ }
 }
 }
 }
@@ -676,7 +682,7 @@ void QSslSocketPrivate::resetDefaultCiph
 q_SSL_free(mySsl);
 setDefaultSupportedCiphers(ciphers);
- setDefaultCiphers(ciphers);
+ setDefaultCiphers(defaultCiphers);
 }
 #if defined(Q_OS_SYMBIAN)
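Review bot: The anonymous-cipher exclusion in the `@@ -662,7 +662,10 @@` hunk of 0001-Fix-exclusion-of-anonymous-ciphers.patch is a deny-list on name prefixes, so an unauthenticated suite whose OpenSSL name does not start with `adh`, `exp-adh` or `aecdh` would still be appended to `ciphers`. Keying the test on the cipher's authentication method instead of its name would make it robust against such naming variations; QSslCipher has authenticationMethod(), but the value it reports for anonymous suites is not visible here and needs confirming. As a smaller point, `ciph.name().toLower()` is evaluated three times in the condition; `const QString name = ciph.name().toLower();` before the `if` would read better. resetDefaultCiphers() starts and ends outside the hunk.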
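Review bot: The `ciph.usedBits() >= 128` test in the `@@ -665,8 +666,13 @@` hunk of disable-rc4-ciphers-bnc865241.diff compares the nominal key size, so 3DES suites, which OpenSSL reports as 168 bits if I recall correctly while offering roughly 112 bits of effective strength, would still be placed in `defaultCiphers`. If the intent is "nothing weaker than 128 bits by default", an explicit encryptionMethod() check for 3DES next to the `rc4` one would be needed. The split between the two lists also deserves a comment, since setDefaultSupportedCiphers(ciphers) still receives RC4 and sub-128-bit suites and the filtering only protects sockets that keep the default cipher list: `// defaultCiphers: subset of ciphers with >= 128 bits and no RC4; weaker suites remain available only on explicit request`. resetDefaultCiphers() starts and ends outside these hunks.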
