Hello community,

here is the log from the commit of package gnome-vfs2 for openSUSE:12.2 checked in at 2012-08-13 18:26:59
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.2/gnome-vfs2 (Old)
 and /work/SRC/openSUSE:12.2/.gnome-vfs2.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gnome-vfs2", Maintainer is "gnome-maintain...@suse.de" Changes: -------- --- /work/SRC/openSUSE:12.2/gnome-vfs2/gnome-vfs2.changes 2012-06-25 15:20:40.000000000 +0200 +++ /work/SRC/openSUSE:12.2/.gnome-vfs2.new/gnome-vfs2.changes 2012-08-13 18:27:02.000000000 +0200 @@ -1,0 +2,12 @@ +Mon Jul 16 03:31:18 UTC 2012 - crrodrig...@opensuse.org + +- Add gnome-vfs2-ssl.patch: + + Never try to negotiate SSLv2 as it is completely broken from + the security POV. + + Use SSL_MODE_RELEASE_BUFFERS to keep openSSL memory usage as + low as possible. + + There are a myriad of other possible attacks like BEAST, + version/cipher downgrades still possible but this patch do not + address this concerns. + +------------------------------------------------------------------- New: ---- gnome-vfs2-ssl.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gnome-vfs2.spec ++++++ --- /var/tmp/diff_new_pack.AdVurf/_old 2012-08-13 18:27:03.000000000 +0200 +++ /var/tmp/diff_new_pack.AdVurf/_new 2012-08-13 18:27:03.000000000 +0200 @@ -1,7 +1,7 @@ # # spec file for package gnome-vfs2 # -# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -15,8 +15,6 @@ # Please submit bugfixes or comments via http://bugs.opensuse.org/ # -# norootforbuild - Name: gnome-vfs2 %define _name gnome-vfs @@ -46,7 +44,7 @@ BuildRequires: openssl-devel BuildRequires: samba Version: 2.24.4 -Release: 5 +Release: 0 Summary: The GNOME 2.x Desktop Virtual File System Libraries License: GPL-2.0+ ; LGPL-2.1+ Group: Development/Libraries/GNOME 
@@ -71,6 +69,8 @@ Patch41: gnome-vfs-url_handler_irc.patch # PATCH-FIX-UPSTREAM gnome-vfs2-non_void.patch bgo#611574 r...@novell.com -- Fix no-return-in-non-void-function. Patch42: gnome-vfs2-non_void.patch +# PATCH-FIX-OPENSUSE gnome-vfs2-ssl.patch bgo#681242 crrodrig...@opensuse.org - Never negotiate SSLv2 because it is broken +Patch43: gnome-vfs2-ssl.patch # bug437293 %ifarch ppc64 Obsoletes: gnome-vfs2-64bit @@ -108,10 +108,11 @@ Mathieu Lacage <math...@eazel.com> %package devel -License: GPL-2.0+ ; LGPL-2.1+ Summary: Include Files and Libraries mandatory for Development Group: Development/Libraries/GNOME -Requires: %{name} = %{version} glib2-devel gconf2-devel +Requires: %{name} = %{version} +Requires: gconf2-devel +Requires: glib2-devel %description devel This package contains all necessary include files and libraries needed @@ -136,7 +137,6 @@ Mathieu Lacage <math...@eazel.com> %package doc -License: GPL-2.0+ ; LGPL-2.1+ Summary: Additional Package Documentation for gnome-vfs2 Group: Development/Libraries/GNOME Requires: %{name} = %{version} @@ -186,6 +186,7 @@ %patch22 %patch41 -p1 %patch42 +%patch43 # No patches without own translation management here! # Put your patches upper from gnome-patch-translation-update # Generate translations for "news", "ftp" and "irc" entries from "h323". ++++++ gnome-vfs2-ssl.patch ++++++ --- libgnomevfs/gnome-vfs-ssl.c.orig +++ libgnomevfs/gnome-vfs-ssl.c 
@@ -364,7 +364,14 @@ gnome_vfs_ssl_create_from_fd (GnomeVFSSS if (ssl_ctx == NULL) { return GNOME_VFS_ERROR_INTERNAL; } + /* Never negotiate SSLv2 as it is broken from the security POV. */ + SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2); + /* Make openssl to release internal buffers when no longer needed + * to keep memory usage low */ +#ifdef SSL_MODE_RELEASE_BUFFERS + SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS); +#endif /* FIXME: SSL_CTX_set_verify (ssl_ctx, SSL_VERIFY_PEER, &ssl_verify);*/ ssl->private->ssl = SSL_new (ssl_ctx);
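
Review bot: The gnome-vfs2.changes entry added at @@ -1,0 +2,12 @@ documents only gnome-vfs2-ssl.patch, while the gnome-vfs2.spec diff in the same commit also removes the "# norootforbuild" line, drops the "License:" tags from the devel and doc subpackages, and splits the devel "Requires:" into one line per package. Either list those spec cleanups in the entry or submit them separately, so that the security change can be reviewed and picked on its own.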
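
Review bot: In the gnome-vfs2.spec hunk at @@ -71,6 +69,8 @@, the comment for Patch43 is tagged PATCH-FIX-OPENSUSE yet cites bgo#681242, whereas Patch42 directly above cites its bgo# reference under PATCH-FIX-UPSTREAM. If the change was filed upstream under that bug, the tag should match Patch42; if it is meant to stay distribution-only, the comment should say so. The one-line description also mentions only "Never negotiate SSLv2", while the patch additionally sets SSL_OP_ALL and SSL_MODE_RELEASE_BUFFERS; the comment should cover everything the patch changes.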
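
Review bot: In the gnome-vfs-ssl.c hunk at @@ -364,7 +364,14 @@, the added SSL_CTX_set_options call passes SSL_OP_ALL together with SSL_OP_NO_SSLv2, but the code comment above it and the changelog entry justify only the SSLv2 part. SSL_OP_ALL switches on OpenSSL's bug-compatibility workarounds, which is a separate behaviour change for every connection made through this context; either pass SSL_OP_NO_SSLv2 alone or extend the comment to say why the workarounds are wanted here. Separately, the trailing context still carries the commented-out "/* FIXME: SSL_CTX_set_verify (ssl_ctx, SSL_VERIFY_PEER, &ssl_verify);*/", so the lines shown still do not enable peer verification on ssl_ctx before SSL_new; that deserves a follow-up, since restricting the protocol version does not help against a peer whose certificate is never checked.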