Hello community,

here is the log from the commit of package lftp for openSUSE:Factory checked in 
at 2014-12-19 09:38:29
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/lftp (Old)
 and      /work/SRC/openSUSE:Factory/.lftp.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "lftp"

Changes:
--------
--- /work/SRC/openSUSE:Factory/lftp/lftp.changes        2014-11-04 
17:28:26.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.lftp.new/lftp.changes   2014-12-19 
09:37:19.000000000 +0100
@@ -1,0 +2,11 @@
+Thu Dec 11 13:30:28 UTC 2014 - vci...@suse.com
+
+- build with openssl instead of gnutls as suggested in bnc#792456
+  * don't default to /etc/ssl/ca-bundle.pem (bnc#907803)
+  * drop lftp-ca-bundle-path.patch
+- fix a "curl" vulnerability CVE-2014-0139
+  * that's because lftp uses code borrowed from curl 7.21.3 which
+    contains this incorrect wildcard certificate validation
+  * added lftp-CVE-2014-0139.patch
+
+-------------------------------------------------------------------
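Review bot: the bullet "don't default to /etc/ssl/ca-bundle.pem (bnc#907803)" records what was removed but not what replaces it; since the dropped lftp-ca-bundle-path.patch existed only to point lftp at that CA store, the entry should say which trust store the OpenSSL build verifies against now (for example that OpenSSL's default verify paths are used), otherwise an admin reading this changelog cannot tell where CA certificates must live. The CVE bullet would also read more accurately as "backport of curl's fix to the older matcher lftp carries", since the patch added below is not the upstream hunk applied verbatim.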

Old:
----
  lftp-ca-bundle-path.patch

New:
----
  lftp-CVE-2014-0139.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ lftp.spec ++++++
--- /var/tmp/diff_new_pack.ZaHcyJ/_old  2014-12-19 09:37:20.000000000 +0100
+++ /var/tmp/diff_new_pack.ZaHcyJ/_new  2014-12-19 09:37:20.000000000 +0100
@@ -37,17 +37,15 @@
 Patch4:         lftp-autoconf-req.patch
 Patch6:         lftp-completion.patch
 Patch7:         lftp-stdio.h.patch
-# PATCH-FEATURE-OPENSUSE lftp-ca-bundle-path.patch dims...@opensuse.org -- Use 
/etc/ssl/ca-bundle.pem as root CA store.
-Patch8:         lftp-ca-bundle-path.patch
 # PATCH-FIX-UPSTREAM -- Include config.h where needed.
 Patch9:         lftp-config_h.patch
 # PATCH-FEATURE-OPENSUSE lftp-ssl-cipher.patch pgaj...@suse.cz -- use stronger 
cipher [bnc#857148]
 Patch10:        lftp-default-ssl-cipher.patch
+Patch11:        lftp-CVE-2014-0139.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  gcc-c++
 BuildRequires:  gzip
-BuildRequires:  libgnutls-devel
 BuildRequires:  libstdc++-devel
 BuildRequires:  libtool
 BuildRequires:  make
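Review bot: the new "Patch11:        lftp-CVE-2014-0139.patch" line has no "# PATCH-FIX-UPSTREAM ... -- ..." comment above it, unlike Patch9 and Patch10 in the same hunk; add one naming the curl commit it backports (f44e3a4) and the CVE so the next packager can tell whether it is still needed. Separately, this hunk removes "BuildRequires:  libgnutls-devel" but adds no openssl-devel BuildRequires; confirm one already exists outside the hunk, because the configure change to "--with-openssl" below will fail without it.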
@@ -92,9 +90,9 @@
 %patch6
 popd #src
 %patch7 -p1
-%patch8 -p1
 %patch9 -p1
 %patch10
+%patch11
 
 %build
 autoreconf -fi
@@ -104,7 +102,8 @@
 LDFLAGS=' ' \
 %configure \
    --with-modules \
-   --with-gnutls --without-openssl \
+   --without-gnutls \
+   --with-openssl \
    --with-modules \
    --with-debug \
    --without-profiling \
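Review bot: "--with-modules \" is passed twice in this configure invocation (the context line above "--without-gnutls" and the one after "--with-openssl"); since this hunk already touches the adjacent lines, drop the duplicate rather than leave it for the next edit.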


++++++ lftp-CVE-2014-0139.patch ++++++
From f44e3a4d0df9397278735d1520f7681715b83b59 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <dan...@haxx.se>
Date: Mon, 3 Mar 2014 11:46:36 +0100
Subject: [PATCH] Curl_cert_hostcheck: reject IP address wildcard matches

There are server certificates used with IP address in the CN field, but
we MUST not allow wildcard certs for hostnames given as IP addresses
only. Therefore we must make Curl_cert_hostcheck() fail such attempts.

Bug: http://curl.haxx.se/docs/adv_20140326B.html
Reported-by: Richard Moore
---
 lib/hostcheck.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

Index: src/lftp_ssl.cc
===================================================================
--- src/lftp_ssl.cc.orig        2014-12-11 14:23:30.412572378 +0100
+++ src/lftp_ssl.cc     2014-12-11 14:23:30.422572496 +0100
@@ -1185,10 +1185,22 @@ static int hostmatch(const char *hostnam
 {
   for(;;) {
     char c = *pattern++;
+  struct in_addr ignored;
+#ifdef ENABLE_IPV6
+  struct sockaddr_in6 si6;
+#endif
 
     if(c == '\0')
       return (*hostname ? HOST_NOMATCH : HOST_MATCH);
 
+  /* detect IP address as hostname and fail the match if so */
+  if(Curl_inet_pton(AF_INET, hostname, &ignored) > 0)
+    return HOST_NOMATCH;
+#ifdef ENABLE_IPV6
+  else if(Curl_inet_pton(AF_INET6, hostname, &si6.sin6_addr) > 0)
+    return HOST_NOMATCH;
+#endif
+
     if(c == '*') {
       c = *pattern;
       if(c == '\0')      /* "*\0" matches anything remaining */
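Review bot: the IP-literal check is inserted inside the "for(;;)" loop, ahead of the "if(c == '*')" test, so it runs on every iteration and fires for patterns with no wildcard at all: hostmatch("192.0.2.1", "192.0.2.1") now returns HOST_NOMATCH on the first pass, and a certificate whose CN is the server's IP only keeps working if the caller short-circuits exact matches before calling hostmatch, which this hunk does not show. Upstream's commit (cited in the header) performs the check once, before matching and only after confirming the pattern contains a '*'; do the same here by hoisting "struct in_addr ignored;", the "si6" declaration and the two Curl_inet_pton() calls above the loop and gating them on strchr(pattern, '*'). Also confirm that Curl_inet_pton and ENABLE_IPV6 resolve in lftp_ssl.cc, since they are curl names and nothing in this hunk includes or defines them; fix the indentation of the added lines (two spaces against the loop body's four); and update the patch header, whose diffstat still says "lib/hostcheck.c | 13 +++++++++++++" although the diff touches src/lftp_ssl.cc and a differently shaped function, so that it reads as a backport.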


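The behaviour the changelog and the commit message describe, as an added example that is not code from lftp, curl or the openSUSE package: a reconstruction of the character-by-character matcher whose loop skeleton is visible in the hunk context above (named hostmatch_vulnerable here), next to a hardened wrapper that performs the IP-literal check once, before matching, and only for patterns that contain a '*'. The function names, the is_ip_literal() helper, the use of libc inet_pton() in place of curl's Curl_inet_pton(), and the sample hostname/CN pairs are all assumptions made for this example.

```c
/* Added example, not code from lftp or curl: a minimal reconstruction of
 * the character-by-character wildcard matcher lftp borrowed from curl
 * 7.21.3 (hostmatch_vulnerable), beside a hardened wrapper that refuses to
 * wildcard-match a hostname that is a literal IP address. Function names,
 * the is_ip_literal() helper and the sample names below are assumptions. */
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define HOST_NOMATCH 0
#define HOST_MATCH   1

/* '*' in the pattern may match any run of characters in the hostname,
 * including the dots and digits of an IP address string; that is the
 * CVE-2014-0139 behaviour. Comparison is case-insensitive. */
static int hostmatch_vulnerable(const char *hostname, const char *pattern)
{
  for(;;) {
    char c = *pattern++;

    if(c == '\0')
      return (*hostname ? HOST_NOMATCH : HOST_MATCH);

    if(c == '*') {
      c = *pattern;
      if(c == '\0')      /* "*\0" matches anything remaining */
        return HOST_MATCH;
      while(*hostname) {
        /* try the rest of the pattern at every hostname offset */
        if(hostmatch_vulnerable(hostname++, pattern) == HOST_MATCH)
          return HOST_MATCH;
      }
      break;
    }

    if(toupper((unsigned char)c) != toupper((unsigned char)*hostname++))
      break;
  }
  return HOST_NOMATCH;
}

/* Case-insensitive equality, used for the exact-name fast path. */
static int ci_equal(const char *a, const char *b)
{
  while(*a && *b) {
    if(toupper((unsigned char)*a) != toupper((unsigned char)*b))
      return 0;
    a++;
    b++;
  }
  return *a == '\0' && *b == '\0';
}

/* 1 if hostname parses as a dotted IPv4 or textual IPv6 address. */
static int is_ip_literal(const char *hostname)
{
  struct in_addr v4;
  struct in6_addr v6;
  return inet_pton(AF_INET, hostname, &v4) > 0 ||
         inet_pton(AF_INET6, hostname, &v6) > 0;
}

/* Hardened check: an exact name (including a CN that is the IP itself)
 * still matches, but a pattern containing '*' is never tried against an
 * IP-literal hostname. The check is done once, before the matcher runs. */
static int hostmatch_hardened(const char *hostname, const char *pattern)
{
  if(!hostname || !*hostname || !pattern || !*pattern)
    return HOST_NOMATCH;
  if(ci_equal(hostname, pattern))
    return HOST_MATCH;
  if(strchr(pattern, '*') && is_ip_literal(hostname))
    return HOST_NOMATCH;
  return hostmatch_vulnerable(hostname, pattern);
}

int main(void)
{
  /* constructed sample pairs: hostname the client connected to, CN pattern */
  static const char *const cases[][2] = {
    { "192.0.2.1",       "*.0.2.1" },        /* wildcard over an IPv4 literal */
    { "2001:db8::1",     "*:db8::1" },       /* wildcard over an IPv6 literal */
    { "192.0.2.1",       "192.0.2.1" },      /* CN is the IP itself */
    { "www.example.com", "*.example.com" },  /* ordinary wildcard */
  };
  size_t i;
  for(i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
    printf("%-16s vs %-14s vulnerable=%d hardened=%d\n",
           cases[i][0], cases[i][1],
           hostmatch_vulnerable(cases[i][0], cases[i][1]),
           hostmatch_hardened(cases[i][0], cases[i][1]));
  return 0;
}
```

The first two sample pairs show the defect: the old matcher lets "*.0.2.1" cover 192.0.2.1 and "*:db8::1" cover 2001:db8::1, while the hardened wrapper rejects both yet still accepts a CN equal to the IP and an ordinary "*.example.com" wildcard. Placing the check before the loop, gated on the presence of '*', is what keeps the exact-IP case working.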