[SCM] Qt 4 packaging branch, master, updated. debian/4.8.2+dfsg-2-2-g99e20c9

Lisandro Damián Nicanor Pérez lisandro at alioth.debian.org
Fri Nov 23 21:04:17 UTC 2012


Gitweb-URL: http://git.debian.org/?p=pkg-kde/qt/qt4-x11.git;a=commitdiff;h=99e20c9

The following commit has been merged in the master branch:
commit 99e20c9284eae6761d74c7dd276c0c879fcb7453
Author: Lisandro Damián Nicanor Pérez Meyer <perezmeyer at gmail.com>
Date:   Fri Nov 23 18:03:31 2012 -0300

    Disable SSL compression by default.
    
    Against the CRIME attack.
---
 debian/changelog                                   |    5 +-
 .../disable-SSL-compression-by-default.patch       |   65 ++++++++++++++++++++
 debian/patches/series                              |    1 +
 3 files changed, 70 insertions(+), 1 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 4b1e36f..1419e1c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,9 @@
 qt4-x11 (4:4.8.2+dfsg-3) UNRELEASED; urgency=low
 
-
+  [ Lisandro Damián Nicanor Pérez Meyer ]
+  * Apply disable-SSL-compression-by-default.patch. Disables SSL compression
+    by default since this appears to be the a likely cause of the currently
+    hyped CRIME attack.
 
  -- Debian Qt/KDE Maintainers <debian-qt-kde at lists.debian.org>  Fri, 23 Nov 2012 18:01:31 -0300
 
diff --git a/debian/patches/disable-SSL-compression-by-default.patch b/debian/patches/disable-SSL-compression-by-default.patch
new file mode 100644
index 0000000..bf7d695
--- /dev/null
+++ b/debian/patches/disable-SSL-compression-by-default.patch
@@ -0,0 +1,65 @@
+Description:: Disable SSL compression by default.
+ Disable SSL compression by default since this appears to be the a likely
+ cause of the currently hyped CRIME attack.
+ .
+ This is a backport of 5ea896fbc63593f424a7dfbb11387599c0025c74
+From: commit d41dc3e101a694dec98d7bbb582d428d209e5401 Mon Sep 17 00:00:00 2001
+Author: Richard Moore <rich at kde.org>
+Change-Id: I6eeefb23c6b140a9633b28ed85879459c474348a
+Reviewed-by: Thiago Macieira <thiago.macieira at intel.com>
+Reviewed-by: Peter Hartmann <phartmann at rim.com>
+---
+ src/network/ssl/qssl.cpp              |    5 +++--
+ src/network/ssl/qsslconfiguration.cpp |    4 +++-
+ src/network/ssl/qsslconfiguration_p.h |    4 +++-
+ 3 files changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/src/network/ssl/qssl.cpp b/src/network/ssl/qssl.cpp
+index 49e086f..9578178 100644
+--- a/src/network/ssl/qssl.cpp
++++ b/src/network/ssl/qssl.cpp
+@@ -148,8 +148,9 @@ QT_BEGIN_NAMESPACE
+ 
+     By default, SslOptionDisableEmptyFragments is turned on since this causes
+     problems with a large number of servers. SslOptionDisableLegacyRenegotiation
+-    is also turned on, since it introduces a security risk. The other options
+-    are turned off.
++    is also turned on, since it introduces a security risk.
++    SslOptionDisableCompression is turned on to prevent the attack publicised by
++    CRIME. The other options are turned off.
+ 
+     Note: Availability of above options depends on the version of the SSL
+     backend in use.
+diff --git a/src/network/ssl/qsslconfiguration.cpp b/src/network/ssl/qsslconfiguration.cpp
+index 24c7b77..3a05f54 100644
+--- a/src/network/ssl/qsslconfiguration.cpp
++++ b/src/network/ssl/qsslconfiguration.cpp
+@@ -201,7 +201,9 @@ bool QSslConfiguration::isNull() const
+             d->privateKey.isNull() &&
+             d->peerCertificate.isNull() &&
+             d->peerCertificateChain.count() == 0 &&
+-            d->sslOptions == (QSsl::SslOptionDisableEmptyFragments|QSsl::SslOptionDisableLegacyRenegotiation));
++            d->sslOptions == ( QSsl::SslOptionDisableEmptyFragments
++                              |QSsl::SslOptionDisableLegacyRenegotiation
++                              |QSsl::SslOptionDisableCompression));
+ }
+ 
+ /*!
+diff --git a/src/network/ssl/qsslconfiguration_p.h b/src/network/ssl/qsslconfiguration_p.h
+index 74f17cd..c36b651 100644
+--- a/src/network/ssl/qsslconfiguration_p.h
++++ b/src/network/ssl/qsslconfiguration_p.h
+@@ -83,7 +83,9 @@ public:
+         : protocol(QSsl::SecureProtocols),
+           peerVerifyMode(QSslSocket::AutoVerifyPeer),
+           peerVerifyDepth(0),
+-          sslOptions(QSsl::SslOptionDisableEmptyFragments|QSsl::SslOptionDisableLegacyRenegotiation)
++          sslOptions(QSsl::SslOptionDisableEmptyFragments
++                     |QSsl::SslOptionDisableLegacyRenegotiation
++                     |QSsl::SslOptionDisableCompression)
+     { }
+ 
+     QSslCertificate peerCertificate;
+-- 
+1.7.10.4
+
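Review bot: The DEP-3 header opening the new patch file is malformed: `Description::` carries a doubled colon, so tools that parse `debian/patches` headers will not recognise the description field; change the line to `Description: Disable SSL compression by default.` (the body text below it also repeats the changelog typo `the a likely cause`). The same header cites two different upstream ids, `5ea896fb…` on the backport line and `d41dc3e1…` on the From line, which should be reconciled or explained so a later maintainer can locate the correct upstream change; an `Origin: backport` field naming that id would make the provenance machine-readable. In the backported code the three-flag mask is now spelled out twice, in the `QSslConfigurationPrivate` constructor and in `QSslConfiguration::isNull()`, which is acceptable for a verbatim backport, but any other place in the tree that initialises the default option mask would need the same addition and none is visible in this hunk. Whether `SslOptionDisableCompression` actually suppresses compression depends on the SSL backend honouring it, as the updated qssl.cpp note itself states, so the changelog's mitigation claim is conditional on the backend build rather than guaranteed by this change alone.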
diff --git a/debian/patches/series b/debian/patches/series
index 5522a5c..82bf9bf 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,6 +4,7 @@ QTBUG-14724_close_orphaned_file_descriptors_after_printing.patch
 QTBUG-21900_Buttons_in_Qt_applications_not_clickable_when_run_under_gnome-shell.patch
 QElfParser-fix-type-of-sh_size.patch
 Fix-cursor-truncate-to-include-line-position.patch
+disable-SSL-compression-by-default.patch
 
 # qt-copy patches
 0195-compositing-properties.diff

-- 
Qt 4 packaging


