author | Lisandro Damián Nicanor Pérez Meyer <perezmeyer@gmail.com> | 2012-11-23 18:03:31 -0300 |
---|---|---|
committer | Lisandro Damián Nicanor Pérez Meyer <perezmeyer@gmail.com> | 2012-11-23 18:03:31 -0300 |
commit | 99e20c9284eae6761d74c7dd276c0c879fcb7453 (patch) | |
tree | 1d0f1c533a1a29818d4d38f0069ed5b8f9a777ae | |
parent | 30de3522be01476eed4c63cb672158e3a81ab8d6 (diff) | |
download | qt4-x11-99e20c9284eae6761d74c7dd276c0c879fcb7453.tar.gz |
Disable SSL compression by default.
Against the CRIME attack.
-rw-r--r-- | debian/changelog | 5 | ||||
-rw-r--r-- | debian/patches/disable-SSL-compression-by-default.patch | 65 | ||||
-rw-r--r-- | debian/patches/series | 1 |
3 files changed, 70 insertions, 1 deletions
diff --git a/debian/changelog b/debian/changelog
index 4b1e36f..1419e1c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,9 @@
 qt4-x11 (4:4.8.2+dfsg-3) UNRELEASED; urgency=low
-
+ [ Lisandro Damián Nicanor Pérez Meyer ]
+ * Apply disable-SSL-compression-by-default.patch. Disables SSL compression
+ by default since this appears to be the a likely cause of the currently
+ hyped CRIME attack.
 -- Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org> Fri, 23 Nov 2012 18:01:31 -0300
diff --git a/debian/patches/disable-SSL-compression-by-default.patch b/debian/patches/disable-SSL-compression-by-default.patch
new file mode 100644
index 0000000..bf7d695
--- /dev/null
+++ b/debian/patches/disable-SSL-compression-by-default.patch
@@ -0,0 +1,65 @@
+Description:: Disable SSL compression by default.
+ Disable SSL compression by default since this appears to be the a likely
+ cause of the currently hyped CRIME attack.
+ .
+ This is a backport of 5ea896fbc63593f424a7dfbb11387599c0025c74
+From: commit d41dc3e101a694dec98d7bbb582d428d209e5401 Mon Sep 17 00:00:00 2001
+Author: Richard Moore <rich@kde.org>
+Change-Id: I6eeefb23c6b140a9633b28ed85879459c474348a
+Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
+Reviewed-by: Peter Hartmann <phartmann@rim.com>
+---
+ src/network/ssl/qssl.cpp | 5 +++--
+ src/network/ssl/qsslconfiguration.cpp | 4 +++-
+ src/network/ssl/qsslconfiguration_p.h | 4 +++-
+ 3 files changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/src/network/ssl/qssl.cpp b/src/network/ssl/qssl.cpp
+index 49e086f..9578178 100644
+--- a/src/network/ssl/qssl.cpp
++++ b/src/network/ssl/qssl.cpp
+@@ -148,8 +148,9 @@ QT_BEGIN_NAMESPACE
+
+ By default, SslOptionDisableEmptyFragments is turned on since this causes
+ problems with a large number of servers. SslOptionDisableLegacyRenegotiation
+- is also turned on, since it introduces a security risk. The other options
+- are turned off.
++ is also turned on, since it introduces a security risk.
++ SslOptionDisableCompression is turned on to prevent the attack publicised by
++ CRIME. The other options are turned off.
+
+ Note: Availability of above options depends on the version of the SSL
+ backend in use.
+diff --git a/src/network/ssl/qsslconfiguration.cpp b/src/network/ssl/qsslconfiguration.cpp
+index 24c7b77..3a05f54 100644
+--- a/src/network/ssl/qsslconfiguration.cpp
++++ b/src/network/ssl/qsslconfiguration.cpp
+@@ -201,7 +201,9 @@ bool QSslConfiguration::isNull() const
+ d->privateKey.isNull() &&
+ d->peerCertificate.isNull() &&
+ d->peerCertificateChain.count() == 0 &&
+- d->sslOptions == (QSsl::SslOptionDisableEmptyFragments|QSsl::SslOptionDisableLegacyRenegotiation));
++ d->sslOptions == ( QSsl::SslOptionDisableEmptyFragments
++ |QSsl::SslOptionDisableLegacyRenegotiation
++ |QSsl::SslOptionDisableCompression));
+ }
+
+ /*!
+diff --git a/src/network/ssl/qsslconfiguration_p.h b/src/network/ssl/qsslconfiguration_p.h
+index 74f17cd..c36b651 100644
+--- a/src/network/ssl/qsslconfiguration_p.h
++++ b/src/network/ssl/qsslconfiguration_p.h
+@@ -83,7 +83,9 @@ public:
+ : protocol(QSsl::SecureProtocols),
+ peerVerifyMode(QSslSocket::AutoVerifyPeer),
+ peerVerifyDepth(0),
+- sslOptions(QSsl::SslOptionDisableEmptyFragments|QSsl::SslOptionDisableLegacyRenegotiation)
++ sslOptions(QSsl::SslOptionDisableEmptyFragments
++ |QSsl::SslOptionDisableLegacyRenegotiation
++ |QSsl::SslOptionDisableCompression)
+ { }
+
+ QSslCertificate peerCertificate;
+--
+1.7.10.4
+
diff --git a/debian/patches/series b/debian/patches/series
index 5522a5c..82bf9bf 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,6 +4,7 @@ QTBUG-14724_close_orphaned_file_descriptors_after_printing.patch
 QTBUG-21900_Buttons_in_Qt_applications_not_clickable_when_run_under_gnome-shell.patch
 QElfParser-fix-type-of-sh_size.patch
 Fix-cursor-truncate-to-include-line-position.patch
+disable-SSL-compression-by-default.patch
 # qt-copy patches
 0195-compositing-properties.diff
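Review bot: The default option set `QSsl::SslOptionDisableEmptyFragments|QSsl::SslOptionDisableLegacyRenegotiation|QSsl::SslOptionDisableCompression` is now written out twice in the backported patch, once in the private-data constructor in qsslconfiguration_p.h and once in the `d->sslOptions ==` comparison in `QSslConfiguration::isNull()`, so the two literals must be kept in step by hand; a single named constant of the options type in qsslconfiguration_p.h that both sites reference would remove the duplication and make `isNull()` track any future default change automatically. The patch itself only changes the documentation text and the default value; whether `SslOptionDisableCompression` is actually translated into the SSL backend's no-compression setting in this 4.8.2 tree lies outside the hunk and is worth confirming before shipping, since an unmapped flag would leave compression negotiable while the default reports it disabled (the qssl.cpp text already hedges on backend availability). The new default also protects only configurations that start from the default: callers that assign `sslOptions` explicitly keep whatever set they pass, which the qssl.cpp paragraph could state in one sentence, e.g. `Applications that set their own options must include SslOptionDisableCompression themselves.` Both enclosing definitions, `QSslConfiguration::isNull()` and the constructor under `public:`, begin and end outside the inner hunks.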