Hello community, here is the log from the commit of package iksemel for openSUSE:Factory checked in at 2016-02-05 00:31:34 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/iksemel (Old) and /work/SRC/openSUSE:Factory/.iksemel.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "iksemel" Changes: -------- --- /work/SRC/openSUSE:Factory/iksemel/iksemel.changes 2015-02-22 17:25:57.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.iksemel.new/iksemel.changes 2016-02-05 00:31:35.000000000 +0100 @@ -1,0 +2,6 @@ +Tue Jan 26 14:19:03 UTC 2016 - bo...@steki.net + +- added patch secure_gnutls_options.patch from Debian, fixing bad + default ciphers [bdo#803204] + +------------------------------------------------------------------- New: ---- secure_gnutls_options.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ iksemel.spec ++++++ --- /var/tmp/diff_new_pack.HJyx6R/_old 2016-02-05 00:31:36.000000000 +0100 +++ /var/tmp/diff_new_pack.HJyx6R/_new 2016-02-05 00:31:36.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package iksemel # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -27,6 +27,7 @@ #DL-URL: http://iksemel.googlecode.com/files/iksemel-%version.tar.gz Source: %name-%version.tar.bz2 +Patch1: secure_gnutls_options.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: %install_info_prereq BuildRequires: gcc-c++ @@ -63,6 +64,7 @@ %prep %setup -q +%patch -P 1 -p1 %build %configure --disable-static --with-pic ++++++ secure_gnutls_options.patch ++++++ Last-Update: 2015-10-28 Bug-Upstream: https://github.com/meduketto/iksemel/issues/48 Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=803204 From: Marc Dequènes (duck) <d...@duckcorp.org> Description: fix security problem (and compatibility problem with servers rejecting low grade ciphers). --- a/src/stream.c +++ b/src/stream.c 
@@ -62,13 +62,9 @@
 static int handshake (struct stream_data *data) {
- const int protocol_priority[] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 };
- const int kx_priority[] = { GNUTLS_KX_RSA, 0 };
- const int cipher_priority[] = { GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR, 0};
- const int comp_priority[] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 };
- const int mac_priority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 };
+ const char *priority_string = "SECURE256:+SECURE192:-VERS-TLS-ALL:+VERS-TLS1.2";
 int ret;
 if (gnutls_global_init () != 0) return IKS_NOMEM;
@@ -79,13 +75,9 @@
 if (gnutls_init (&data->sess, GNUTLS_CLIENT) != 0) {
 gnutls_certificate_free_credentials (data->cred);
 return IKS_NOMEM;
 }
- gnutls_protocol_set_priority (data->sess, protocol_priority);
- gnutls_cipher_set_priority(data->sess, cipher_priority);
- gnutls_compression_set_priority(data->sess, comp_priority);
- gnutls_kx_set_priority(data->sess, kx_priority);
- gnutls_mac_set_priority(data->sess, mac_priority);
+ gnutls_priority_set_direct(data->sess, priority_string, NULL);
 gnutls_credentials_set (data->sess, GNUTLS_CRD_CERTIFICATE, data->cred);
 gnutls_transport_set_push_function (data->sess, (gnutls_push_func) tls_push);
 gnutls_transport_set_pull_function (data->sess, (gnutls_pull_func) tls_pull);
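Review bot: The new `priority_string` in the first hunk pins the session to exactly one protocol version: `-VERS-TLS-ALL:+VERS-TLS1.2` removes every version and re-adds only TLS 1.2. Any newer version the linked GnuTLS gains therefore stays disabled until this literal is edited, and a peer limited to an older version is refused with no hint as to why. If the intent is a minimum rather than a pin, a floor such as `"SECURE128:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1"` would express that; the keyword set should be confirmed against the GnuTLS version the package builds with. Either way the declaration deserves a comment such as `/* TLS policy: high-strength suites only; legacy protocol versions are disabled on purpose */`, because the policy is hard-coded and callers cannot override it.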
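Review bot: The result of `gnutls_priority_set_direct()` is discarded in the second hunk, so a priority string that the linked GnuTLS rejects (an unknown keyword, for instance) goes unnoticed. The handshake then proceeds with whatever priorities the session happens to have, which is presumably not the policy this patch intends. The call should fail closed: check the return value and release the session and the credentials, mirroring the `gnutls_init` failure branch just above it. The error code in the sketch is an assumption, since only `IKS_NOMEM` is visible here; handshake() starts before and continues past this hunk.

```c
	/* … unchanged: gnutls_init and its failure branch … */
	if (gnutls_priority_set_direct (data->sess, priority_string, NULL) != GNUTLS_E_SUCCESS) {
		/* refuse to negotiate with an unintended cipher/protocol policy */
		gnutls_deinit (data->sess);
		gnutls_certificate_free_credentials (data->cred);
		return IKS_NET_TLSFAIL;
	}
	gnutls_credentials_set (data->sess, GNUTLS_CRD_CERTIFICATE, data->cred);
	/* … unchanged: push/pull transport setup … */
```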