Date: Wed, 15 Oct 2014 12:54:09 +0200
From: Jan Beich <jbeich@vfemail.net>
To: Dag-Erling Smørgrav <des@des.no>
Cc: gecko@freebsd.org, ports-secteam@freebsd.org
Subject: Re: POODLE SSLv3 vulnerability
Message-ID: <r3y9-txgu-wny@vfemail.net>
In-Reply-To: <86egu9zoej.fsf@nine.des.no> ("Dag-Erling Smørgrav"'s message of "Wed, 15 Oct 2014 11:13:24 +0200")
References: <86iojmgn40.fsf@nine.des.no> <8661fmgk1c.fsf@nine.des.no> <86egu9zoej.fsf@nine.des.no>
Dag-Erling Smørgrav <des@des.no> writes: > Updated (still untested) patch which also adds CPE information: > > Index: www/firefox/Makefile > =================================================================== > --- www/firefox/Makefile (revision 370893) > +++ www/firefox/Makefile (working copy) > @@ -4,6 +4,7 @@ > PORTNAME= firefox > DISTVERSION= 32.0.3 > DISTVERSIONSUFFIX=.source > +PORTREVISION= 1 Too late. Mozilla already announced (other) vulnerabilities in Firefox 32.0. Firefox 33.0 is pending merge to ports in bug 194356. https://www.mozilla.org/security/announce/ > PORTEPOCH= 1 > CATEGORIES= www ipv6 > MASTER_SITES= MOZILLA/${PORTNAME}/releases/${DISTVERSION}/source \ > @@ -44,9 +45,10 @@ > ALL_TARGET= default > GNU_CONFIGURE= yes > USE_GL= gl > -USES= dos2unix tar:bzip2 > +USES= cpe dos2unix tar:bzip2 > DOS2UNIX_FILES= media/webrtc/trunk/webrtc/system_wrappers/source/spreadsortlib/spreadsort.hpp > NO_MOZPKGINSTALL=yes > +CPE_VENDOR= mozilla Already in bsd.gecko.mk since r363978 or Firefox 31.0 update. > > FIREFOX_ICON= ${MOZILLA}.png > FIREFOX_ICON_SRC= ${PREFIX}/lib/${MOZILLA}/browser/chrome/icons/default/default48.png > Index: www/firefox/files/patch-disable-ssl3 > =================================================================== > --- www/firefox/files/patch-disable-ssl3 (revision 0) > +++ www/firefox/files/patch-disable-ssl3 (working copy) 
> @@ -0,0 +1,22 @@ > +--- netwerk/base/public/security-prefs.js.orig > ++++ netwerk/base/public/security-prefs.js > +@@ -2,7 +2,7 @@ > + * License, v. 2.0. If a copy of the MPL was not distributed with this > + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ > + > +-pref("security.tls.version.min", 0); > ++pref("security.tls.version.min", 1); > + pref("security.tls.version.max", 3); > + > + pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", false); > +--- security/manager/ssl/src/nsNSSComponent.cpp.orig > ++++ security/manager/ssl/src/nsNSSComponent.cpp > +@@ -1076,7 +1076,7 @@ nsresult > + nsNSSComponent::setEnabledTLSVersions() > + { > + // keep these values in sync with security-prefs.js > +- static const int32_t PSM_DEFAULT_MIN_TLS_VERSION = 0; > ++ static const int32_t PSM_DEFAULT_MIN_TLS_VERSION = 1; > + static const int32_t PSM_DEFAULT_MAX_TLS_VERSION = 3; > + > + int32_t minVersion = Preferences::GetInt("security.tls.version.min", This is already tracked upstream and may land *before* 34.0. Anyway, I've added the patch under different filename and applied to linux- ports. https://bugzilla.mozilla.org/show_bug.cgi?id=1076983 ------------------------------------------------- VFEmail.net - http://www.vfemail.net ONLY AT VFEmail! - Use our Metadata Mitigator to keep your email out of the NSA's hands! $24.95 ONETIME Lifetime accounts with Privacy Features! 15GB disk! No bandwidth quotas! Commercial and Bulk Mail Options!
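Review bot: In the second www/firefox/Makefile hunk (@@ -44,9 +45,10 @@), `USES= cpe` and `CPE_VENDOR= mozilla` are metadata changes unrelated to the SSLv3 default, yet they ride along with the security fix. Split them into a separate commit so the fix can be reviewed, merged or reverted on its own. If they stay, place CPE_VENDOR directly after USES instead of after NO_MOZPKGINSTALL, so the two CPE lines are not separated by DOS2UNIX_FILES.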
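Review bot: In www/firefox/files/patch-disable-ssl3, both edits raise only the default (`pref("security.tls.version.min", 1)` and `PSM_DEFAULT_MIN_TLS_VERSION = 1`), while the last context line shows the effective minimum is still read with `Preferences::GetInt("security.tls.version.min",`, so a profile that already carries an explicit value of 0 is not changed by anything visible here. State that in the commit message or a pkg-message, and add a short header comment to the patch file saying what the values 0 and 1 select and where the change is tracked, since the new file has no description. The patch is posted as "still untested"; check the resulting default in a built package before it is committed.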
