Dag-Erling Smørgrav <[email protected]> writes: > Updated (still untested) patch which also adds CPE information: > > Index: www/firefox/Makefile > =================================================================== > --- www/firefox/Makefile (revision 370893) > +++ www/firefox/Makefile (working copy) > @@ -4,6 +4,7 @@ > PORTNAME= firefox > DISTVERSION= 32.0.3 > DISTVERSIONSUFFIX=.source > +PORTREVISION= 1
Too late. Mozilla already announced (other) vulnerabilities in Firefox 32.0. Firefox 33.0 is pending merge to ports in bug 194356. https://www.mozilla.org/security/announce/ > PORTEPOCH= 1 > CATEGORIES= www ipv6 > MASTER_SITES= MOZILLA/${PORTNAME}/releases/${DISTVERSION}/source \ > @@ -44,9 +45,10 @@ > ALL_TARGET= default > GNU_CONFIGURE= yes > USE_GL= gl > -USES= dos2unix tar:bzip2 > +USES= cpe dos2unix tar:bzip2 > DOS2UNIX_FILES= > media/webrtc/trunk/webrtc/system_wrappers/source/spreadsortlib/spreadsort.hpp > NO_MOZPKGINSTALL=yes > +CPE_VENDOR= mozilla Already in bsd.gecko.mk since r363978 or Firefox 31.0 update. > > FIREFOX_ICON= ${MOZILLA}.png > FIREFOX_ICON_SRC= > ${PREFIX}/lib/${MOZILLA}/browser/chrome/icons/default/default48.png > Index: www/firefox/files/patch-disable-ssl3 > =================================================================== > --- www/firefox/files/patch-disable-ssl3 (revision 0) > +++ www/firefox/files/patch-disable-ssl3 (working copy) 
> @@ -0,0 +1,22 @@ > +--- netwerk/base/public/security-prefs.js.orig > ++++ netwerk/base/public/security-prefs.js > +@@ -2,7 +2,7 @@ > + * License, v. 2.0. If a copy of the MPL was not distributed with this > + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ > + > +-pref("security.tls.version.min", 0); > ++pref("security.tls.version.min", 1); > + pref("security.tls.version.max", 3); > + > + > pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", > false); > +--- security/manager/ssl/src/nsNSSComponent.cpp.orig > ++++ security/manager/ssl/src/nsNSSComponent.cpp > +@@ -1076,7 +1076,7 @@ nsresult > + nsNSSComponent::setEnabledTLSVersions() > + { > + // keep these values in sync with security-prefs.js > +- static const int32_t PSM_DEFAULT_MIN_TLS_VERSION = 0; > ++ static const int32_t PSM_DEFAULT_MIN_TLS_VERSION = 1; > + static const int32_t PSM_DEFAULT_MAX_TLS_VERSION = 3; > + > + int32_t minVersion = Preferences::GetInt("security.tls.version.min", This is already tracked upstream and may land *before* 34.0. Anyway, I've added the patch under different filename and applied to linux- ports. https://bugzilla.mozilla.org/show_bug.cgi?id=1076983
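Review bot: CPE_VENDOR= mozilla in the second www/firefox/Makefile hunk (@@ -44,9 +45,10 @@) repeats a value that, per the reply, bsd.gecko.mk has carried since r363978. Drop the line from this Makefile so the vendor is defined in one place, and confirm whether the cpe entry added to USES is still needed here or is likewise inherited from the shared file.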
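Review bot: the new www/firefox/files/patch-disable-ssl3 (@@ -0,0 +1,22 @@) changes two bare numbers from 0 to 1 with nothing recording what they mean or when the patch can be retired. For security.tls.version.min, 0 is SSL 3.0 and 1 is TLS 1.0, so the effect is to make TLS 1.0 the default minimum; a short comment in the port or the commit message saying so, together with the upstream bug the reply cites (1076983), would tell whoever updates the port to drop the file once upstream ships the same default. The pref in security-prefs.js and PSM_DEFAULT_MIN_TLS_VERSION in nsNSSComponent.cpp are changed together, which is what the "keep these values in sync" comment asks for. Since only defaults change, a profile in which security.tls.version.min has been explicitly set to 0 will keep that value, which is worth stating wherever the change is announced.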
