Hello community,

here is the log from the commit of package openssl for openSUSE:Factory checked in at 2013-07-30 18:42:57

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openssl (Old)
 and      /work/SRC/openSUSE:Factory/.openssl.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssl" Changes: -------- --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2013-07-04 18:04:59.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2013-07-30 18:42:59.000000000 +0200 @@ -1,0 +2,9 @@ +Mon Jul 29 08:06:48 UTC 2013 - meiss...@suse.com + +- compression_methods_switch.patch: Disable compression by default to + avoid the CRIME attack (CVE-2012-4929 bnc#793420) + + Can be override by setting environment variable + OPENSSL_NO_DEFAULT_ZLIB=no + +------------------------------------------------------------------- New: ---- compression_methods_switch.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openssl.spec ++++++ --- /var/tmp/diff_new_pack.UNlkbn/_old 2013-07-30 18:43:00.000000000 +0200 +++ /var/tmp/diff_new_pack.UNlkbn/_new 2013-07-30 18:43:00.000000000 +0200 @@ -49,6 +49,7 @@ # PATCH-FIX-UPSTREAM http://rt.openssl.org/Ticket/Attachment/WithHeaders/20049 Patch5: openssl-fix-pod-syntax.diff Patch6: openssl-1.0.1e-truststore.diff +Patch7: compression_methods_switch.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -131,6 +132,7 @@ %patch4 -p1 %patch5 -p1 %patch6 -p1 +%patch7 -p1 cp -p %{S:10} . echo "adding/overwriting some entries in the 'table' hash in Configure" # $dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags ++++++ compression_methods_switch.patch ++++++ Index: openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod =================================================================== --- openssl-1.0.1e.orig/doc/ssl/SSL_COMP_add_compression_method.pod +++ openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod 
@@ -41,6 +41,24 @@ of compression methods supported on a pe The OpenSSL library has the compression methods B<COMP_rle()> and (when especially enabled during compilation) B<COMP_zlib()> available. +And, there is an environment variable to switch the compression +methods off and on. In default the compression is off to mitigate +the so called CRIME attack ( CVE-2012-4929). If you want to enable +compression again set OPENSSL_NO_DEFAULT_ZLIB to "no". + +The variable can be switched on and off at runtime; when this variable +is set "no" compression is enabled, otherwise no, for example: + +in shell 'export OPENSSL_NO_DEFAULT_ZLIB=no' +or in C to call +int setenv(const char *name, const char *value, int overwrite); and +int unsetenv(const char *name); + +Note: This reverts the behavior of the variable as it was before! + +And pay attention that this freaure is temporary, it maybe changed by +the following updates. + =head1 WARNINGS Once the identities of the compression methods for the TLS protocol have Index: openssl-1.0.1e/ssl/ssl_ciph.c =================================================================== --- openssl-1.0.1e.orig/ssl/ssl_ciph.c +++ openssl-1.0.1e/ssl/ssl_ciph.c @@ -455,7 +455,11 @@ static void load_builtin_compressions(vo MemCheck_off(); ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp); - if (ssl_comp_methods != NULL) + + if( getenv("OPENSSL_NO_DEFAULT_ZLIB") == NULL) + setenv("OPENSSL_NO_DEFAULT_ZLIB", "yes", 1); + + if (ssl_comp_methods != NULL && strncmp( getenv("OPENSSL_NO_DEFAULT_ZLIB"), "no", 2) == 0) { comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP)); if (comp != NULL) -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
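Review bot: in the openssl.changes hunk, "Can be override by setting environment variable" should read "Can be overridden by setting the environment variable"; the entry should also say explicitly that compression stays disabled for any value other than "no" (and when the variable is unset), because the name OPENSSL_NO_DEFAULT_ZLIB=no reads as a double negative and an administrator is likely to try "yes" or "1" expecting the opposite effect.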
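Review bot: in the openssl.spec hunk, the new "Patch7: compression_methods_switch.patch" line has no PATCH-FIX-* comment above it, unlike the neighbouring Patch5 which carries "# PATCH-FIX-UPSTREAM http://rt.openssl.org/Ticket/Attachment/WithHeaders/20049"; add a PATCH-FIX-OPENSUSE (or PATCH-FEATURE-OPENSUSE) tag line naming bnc#793420 / CVE-2012-4929 so the origin and bug reference of the patch are visible in the spec. The matching "%patch7 -p1" in %prep is consistent with the other patches.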
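Review bot: the SSL_COMP_add_compression_method.pod hunk needs a wording pass before it ships as user-facing documentation: "freaure" should be "feature"; "when this variable is set "no" compression is enabled, otherwise no" should state plainly that compression is enabled only when the variable's value is exactly "no" and disabled in every other case, including when it is unset; "Note: This reverts the behavior of the variable as it was before!" does not say which earlier behaviour is meant and should either name it or be dropped; and "In default" should be "By default", with "( CVE-2012-4929)" losing its stray space. The paragraph on setenv()/unsetenv() should also mention that the value is read when the compression list is first built, so changing the variable later in the process does not take effect.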
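Review bot: in the ssl_ciph.c hunk, load_builtin_compressions() should not write to the process environment. The unconditional setenv("OPENSSL_NO_DEFAULT_ZLIB", "yes", 1) mutates global state from inside libssl, is not safe against concurrent getenv() callers in other threads, leaks a library-private default into every child process, and is unnecessary: the same decision can be made read-only, e.g. "const char *v = getenv("OPENSSL_NO_DEFAULT_ZLIB");" followed by "if (ssl_comp_methods != NULL && v != NULL && strcmp(v, "no") == 0)". Using strncmp(..., "no", 2) also accepts any value beginning with "no" ("none", "nothing"), which would silently re-enable the CRIME-relevant compression for a value the operator intended as a refusal; compare the whole string instead. Since this variable toggles a security mitigation, prefer secure_getenv() (or an equivalent check that ignores the variable in setuid/setgid processes) where available, so an untrusted caller's environment cannot re-enable compression in a privileged program.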