Diffstat (limited to 'www/curl/patches/patch-bf')
-rw-r--r--www/curl/patches/patch-bf46
1 files changed, 0 insertions, 46 deletions
diff --git a/www/curl/patches/patch-bf b/www/curl/patches/patch-bf
deleted file mode 100644
index faac69c000d..00000000000
--- a/www/curl/patches/patch-bf
+++ /dev/null
@@ -1,46 +0,0 @@
-$NetBSD: patch-bf,v 1.1 2012/01/26 11:25:55 drochner Exp $
-
-CVE-2011-3389
-
---- lib/ssluse.c.orig 2011-11-06 15:58:24.000000000 +0000
-+++ lib/ssluse.c
-@@ -1420,6 +1420,7 @@ ossl_connect_step1(struct connectdata *c
- X509_LOOKUP *lookup=NULL;
- curl_socket_t sockfd = conn->sock[sockindex];
- struct ssl_connect_data *connssl = &conn->ssl[sockindex];
-+ long ctx_options;
- #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
- bool sni;
- #ifdef ENABLE_IPV6
-@@ -1525,16 +1526,27 @@ ossl_connect_step1(struct connectdata *c
- If someone writes an application with libcurl and openssl who wants to
- enable the feature, one can do this in the SSL callback.
-
-+ OpenSSL added a work-around for a SSL 3.0/TLS 1.0 CBC vulnerability
-+ (http://www.openssl.org/~bodo/tls-cbc.txt). In 0.9.6e they added a bit to
-+ SSL_OP_ALL that _disables_ that work-around despite the fact that
-+ SSL_OP_ALL is documented to do "rather harmless" workarounds. In order to
-+ keep the secure work-around, the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit
-+ must not be set.
-+
- */
-+
-+ ctx_options = SSL_OP_ALL;
-+
- #ifdef SSL_OP_NO_TICKET
- /* expect older openssl releases to not have this define so only use it if
- present */
--#define CURL_CTX_OPTIONS SSL_OP_ALL|SSL_OP_NO_TICKET
--#else
--#define CURL_CTX_OPTIONS SSL_OP_ALL
-+ ctx_options |= SSL_OP_NO_TICKET;
-+#endif
-+#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
-+ ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
- #endif
-
-- SSL_CTX_set_options(connssl->ctx, CURL_CTX_OPTIONS);
-+ SSL_CTX_set_options(connssl->ctx, ctx_options);
-
- /* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */
- if(data->set.ssl.version == CURL_SSLVERSION_DEFAULT)