Hello community,

here is the log from the commit of package w3m for openSUSE:Factory checked in at 2012-11-13 17:10:41
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/w3m (Old)
 and      /work/SRC/openSUSE:Factory/.w3m.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "w3m", Maintainer is "m...@suse.com" Changes: -------- --- /work/SRC/openSUSE:Factory/w3m/w3m.changes 2012-10-03 10:13:38.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.w3m.new/w3m.changes 2012-11-13 17:10:42.000000000 +0100 @@ -1,0 +2,9 @@ +Mon Nov 12 18:26:45 UTC 2012 - crrodrig...@opensuse.org + +- Due to the "CRIME attack" (CVE-2012-4929) HTTPS clients + that negotiate TLS-level compression can be abused for + MITM attacks. (w3m-openssl.patch) + +- Use SSL_MODE_RELEASE_BUFFERS if available . + +------------------------------------------------------------------- New: ---- w3m-openssl.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ w3m.spec ++++++ --- /var/tmp/diff_new_pack.Ox3NDA/_old 2012-11-13 17:10:44.000000000 +0100 +++ /var/tmp/diff_new_pack.Ox3NDA/_new 2012-11-13 17:10:44.000000000 +0100 @@ -50,6 +50,7 @@ Patch501: gc-configure.patch Patch502: gc-arm.patch Patch503: w3m-fh-def.patch +Patch504: w3m-openssl.patch %package inline-image Summary: An inline image extension for w3m @@ -101,6 +102,7 @@ %patch11 %patch12 %patch503 +%patch504 cd ../gc* %patch500 %patch501 ++++++ w3m-openssl.patch ++++++ --- url.c.orig +++ url.c @@ -337,7 +337,15 @@ openSSLHandle(int sock, char *hostname, if (strchr(ssl_forbid_method, 'T')) option |= SSL_OP_NO_TLSv1; } +#ifdef SSL_OP_NO_COMPRESSION + option |= SSL_OP_NO_COMPRESSION; +#endif SSL_CTX_set_options(ssl_ctx, option); + +#ifdef SSL_MODE_RELEASE_BUFFERS + SSL_CTX_set_mode (ssl_ctx, SSL_MODE_RELEASE_BUFFERS); +#endif + #ifdef USE_SSL_VERIFY /* derived from openssl-0.9.5/apps/s_{client,cb}.c */ #if 1 /* use SSL_get_verify_result() to verify cert */ -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
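Review bot: The new w3m.changes entry describes the CRIME problem but never states what the package now does about it. Going by the url.c hunk, the change sets SSL_OP_NO_COMPRESSION when the OpenSSL headers define it, so the entry should say that, for example "Disable TLS-level compression (SSL_OP_NO_COMPRESSION, when available) to mitigate the CRIME attack (CVE-2012-4929)". The second item, "Use SSL_MODE_RELEASE_BUFFERS if available .", has a stray space before the period.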
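Review bot: In the url.c hunk in openSSLHandle(), the `#ifdef SSL_OP_NO_COMPRESSION` guard has no `#else`, so a build against OpenSSL headers that do not define the macro compiles cleanly and leaves TLS compression negotiable, which is the CVE-2012-4929 condition the changelog says this patch addresses. Add an `#else` branch that either emits a `#warning` or disables compression another way (for example by emptying the list returned by SSL_COMP_get_compression_methods()), so the mitigation cannot be silently absent from a build. Separately, `SSL_CTX_set_mode (ssl_ctx, SSL_MODE_RELEASE_BUFFERS);` is a buffer-handling change unrelated to the CVE and would be easier to audit or backport as its own patch; it also puts a space before the parenthesis, unlike the `SSL_CTX_set_options(ssl_ctx, option);` line just above it.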