Hello community, here is the log from the commit of package lftp for openSUSE:Factory checked in at 2014-12-19 09:38:29

Comparing /work/SRC/openSUSE:Factory/lftp (Old) and /work/SRC/openSUSE:Factory/.lftp.new (New)
Package is "lftp" Changes: -------- --- /work/SRC/openSUSE:Factory/lftp/lftp.changes 2014-11-04 17:28:26.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.lftp.new/lftp.changes 2014-12-19 09:37:19.000000000 +0100 @@ -1,0 +2,11 @@ +Thu Dec 11 13:30:28 UTC 2014 - vci...@suse.com + +- build with openssl instead of gnutls as suggested in bnc#792456 + * don't default to /etc/ssl/ca-bundle.pem (bnc#907803) + * drop lftp-ca-bundle-path.patch +- fix a "curl" vulnerability CVE-2014-0139 + * that's because lftp uses code borrowed from curl 7.21.3 which + contains this incorrect wildcard certificate validation + * added lftp-CVE-2014-0139.patch + +------------------------------------------------------------------- Old: ---- lftp-ca-bundle-path.patch New: ---- lftp-CVE-2014-0139.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ lftp.spec ++++++ --- /var/tmp/diff_new_pack.ZaHcyJ/_old 2014-12-19 09:37:20.000000000 +0100 +++ /var/tmp/diff_new_pack.ZaHcyJ/_new 2014-12-19 09:37:20.000000000 +0100 @@ -37,17 +37,15 @@ Patch4: lftp-autoconf-req.patch Patch6: lftp-completion.patch Patch7: lftp-stdio.h.patch -# PATCH-FEATURE-OPENSUSE lftp-ca-bundle-path.patch dims...@opensuse.org -- Use /etc/ssl/ca-bundle.pem as root CA store. -Patch8: lftp-ca-bundle-path.patch # PATCH-FIX-UPSTREAM -- Include config.h where needed. Patch9: lftp-config_h.patch # PATCH-FEATURE-OPENSUSE lftp-ssl-cipher.patch pgaj...@suse.cz -- use stronger cipher [bnc#857148] Patch10: lftp-default-ssl-cipher.patch +Patch11: lftp-CVE-2014-0139.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: gcc-c++ BuildRequires: gzip -BuildRequires: libgnutls-devel BuildRequires: libstdc++-devel BuildRequires: libtool BuildRequires: make @@ -92,9 +90,9 @@ %patch6 popd #src %patch7 -p1 -%patch8 -p1 %patch9 -p1 %patch10 +%patch11 %build autoreconf -fi 
@@ -104,7 +102,8 @@ LDFLAGS=' ' \ %configure \ --with-modules \ - --with-gnutls --without-openssl \ + --without-gnutls \ + --with-openssl \ --with-modules \ --with-debug \ --without-profiling \ ++++++ lftp-CVE-2014-0139.patch ++++++ >From f44e3a4d0df9397278735d1520f7681715b83b59 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg <dan...@haxx.se> Date: Mon, 3 Mar 2014 11:46:36 +0100 Subject: [PATCH] Curl_cert_hostcheck: reject IP address wildcard matches There are server certificates used with IP address in the CN field, but we MUST not allow wild cart certs for hostnames given as IP addresses only. Therefore we must make Curl_cert_hostcheck() fail such attempts. Bug: http://curl.haxx.se/docs/adv_20140326B.html Reported-by: Richard Moore --- lib/hostcheck.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) Index: src/lftp_ssl.cc =================================================================== --- src/lftp_ssl.cc.orig 2014-12-11 14:23:30.412572378 +0100 +++ src/lftp_ssl.cc 2014-12-11 14:23:30.422572496 +0100 @@ -1185,10 +1185,22 @@ static int hostmatch(const char *hostnam { for(;;) { char c = *pattern++; + struct in_addr ignored; +#ifdef ENABLE_IPV6 + struct sockaddr_in6 si6; +#endif if(c == '\0') return (*hostname ? HOST_NOMATCH : HOST_MATCH); + /* detect IP address as hostname and fail the match if so */ + if(Curl_inet_pton(AF_INET, hostname, &ignored) > 0) + return HOST_NOMATCH; +#ifdef ENABLE_IPV6 + else if(Curl_inet_pton(AF_INET6, hostname, &si6.sin6_addr) > 0) + return HOST_NOMATCH; +#endif + if(c == '*') { c = *pattern; if(c == '\0') /* "*\0" matches anything remaining */ -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
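Review bot: in the lftp.spec hunk `@@ -37,17 +37,15 @@`, `Patch11: lftp-CVE-2014-0139.patch` is added without the `# PATCH-FIX-UPSTREAM ...` comment line that documents the neighbouring Patch9 and Patch10; add one naming the CVE and the upstream curl commit, e.g. `# PATCH-FIX-UPSTREAM lftp-CVE-2014-0139.patch -- reject wildcard certificate matches for IP-address hostnames (CVE-2014-0139)`. The same hunk drops `BuildRequires: libgnutls-devel` but no OpenSSL development BuildRequires appears in the visible lines; confirm one is already present elsewhere in the spec, otherwise the new `--with-openssl` configure switch has nothing to link against.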
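Review bot: in the lftp.spec hunk `@@ -104,7 +102,8 @@`, the `%configure` call still passes `--with-modules` twice (once before the replaced TLS options and once after them); drop the duplicate while these lines are being touched. The switch itself, `--without-gnutls` followed by `--with-openssl`, matches the changes entry.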
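Review bot: in the src/lftp_ssl.cc hunk `@@ -1185,10 +1185,22 @@`, the new IP-address detection sits inside the `for(;;)` loop of hostmatch(), so `Curl_inet_pton()` is re-run on the unchanged `hostname` for every pattern byte; hoist the check and the `ignored`/`si6` declarations above the loop, before the first `c = *pattern++`. The check also returns HOST_NOMATCH for an IP-address hostname whether or not `pattern` contains a `*`, so an exact CN match on an IP address only succeeds if the caller compares for equality before calling hostmatch(); verify that path in lftp_ssl.cc, since the commit message only intends to reject wildcard matches. Finally, the patch header still carries curl's `lib/hostcheck.c | 13 +++++++++++++` stat although the hunk was rebased onto `src/lftp_ssl.cc`, and `Curl_inet_pton` is a curl-internal name: confirm lftp's tree provides it, or use `inet_pton(3)` from `<arpa/inet.h>` instead.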