From: Jan Beich
To: Dag-Erling Smørgrav
Cc: gecko@freebsd.org, ports-secteam@freebsd.org
Subject: Re: POODLE SSLv3 vulnerability
Date: Wed, 15 Oct 2014 12:54:09 +0200
In-Reply-To: <86egu9zoej.fsf@nine.des.no> (Dag-Erling Smørgrav's message of "Wed, 15 Oct 2014 11:13:24 +0200")
References: <86iojmgn40.fsf@nine.des.no> <8661fmgk1c.fsf@nine.des.no> <86egu9zoej.fsf@nine.des.no>
List-Id: Gecko Rendering Engine issues

Dag-Erling Smørgrav writes:

> Updated (still untested) patch which also adds CPE information:
>
> Index: www/firefox/Makefile
> ===================================================================
> --- www/firefox/Makefile (revision 370893)
> +++ www/firefox/Makefile (working copy)
> @@ -4,6 +4,7 @@
> PORTNAME= firefox
> DISTVERSION= 32.0.3
> DISTVERSIONSUFFIX=.source
> +PORTREVISION= 1

Too late. Mozilla already announced (other) vulnerabilities in Firefox 32.0.
Firefox 33.0 is pending merge to ports in bug 194356.

https://www.mozilla.org/security/announce/

> PORTEPOCH= 1
> CATEGORIES= www ipv6
> MASTER_SITES= MOZILLA/${PORTNAME}/releases/${DISTVERSION}/source \
> @@ -44,9 +45,10 @@
> ALL_TARGET= default
> GNU_CONFIGURE= yes
> USE_GL= gl
> -USES= dos2unix tar:bzip2
> +USES= cpe dos2unix tar:bzip2
> DOS2UNIX_FILES= media/webrtc/trunk/webrtc/system_wrappers/source/spreadsortlib/spreadsort.hpp
> NO_MOZPKGINSTALL=yes
> +CPE_VENDOR= mozilla

Already in bsd.gecko.mk since r363978 or Firefox 31.0 update.

>
> FIREFOX_ICON= ${MOZILLA}.png
> FIREFOX_ICON_SRC= ${PREFIX}/lib/${MOZILLA}/browser/chrome/icons/default/default48.png
> Index: www/firefox/files/patch-disable-ssl3
> ===================================================================
> --- www/firefox/files/patch-disable-ssl3 (revision 0)
> +++ www/firefox/files/patch-disable-ssl3 (working copy)
> @@ -0,0 +1,22 @@
> +--- netwerk/base/public/security-prefs.js.orig
> ++++ netwerk/base/public/security-prefs.js
> +@@ -2,7 +2,7 @@
> + * License, v. 2.0. If a copy of the MPL was not distributed with this
> + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
> +
> +-pref("security.tls.version.min", 0);
> ++pref("security.tls.version.min", 1);
> + pref("security.tls.version.max", 3);
> +
> + pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", false);
> +--- security/manager/ssl/src/nsNSSComponent.cpp.orig
> ++++ security/manager/ssl/src/nsNSSComponent.cpp
> +@@ -1076,7 +1076,7 @@ nsresult
> + nsNSSComponent::setEnabledTLSVersions()
> + {
> + // keep these values in sync with security-prefs.js
> +- static const int32_t PSM_DEFAULT_MIN_TLS_VERSION = 0;
> ++ static const int32_t PSM_DEFAULT_MIN_TLS_VERSION = 1;
> + static const int32_t PSM_DEFAULT_MAX_TLS_VERSION = 3;
> +
> + int32_t minVersion = Preferences::GetInt("security.tls.version.min",

This is already tracked upstream and may land *before* 34.0. Anyway, I've
added the patch under a different filename and applied it to the linux- ports.

https://bugzilla.mozilla.org/show_bug.cgi?id=1076983
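Review bot: in the first www/firefox/Makefile hunk (@@ -4,6 +4,7 @@), `+PORTREVISION= 1` is the correct accompaniment to a files/patch-* change that alters runtime defaults without changing DISTVERSION, and it sits in the conventional slot between DISTVERSIONSUFFIX and PORTEPOCH; but the bump only makes sense if the change lands on 32.0.3, which the reply says is already superseded by the pending 33.0 update (bug 194356). If the SSLv3 patch is carried forward onto 33.0, drop this line rather than bump it, since a DISTVERSION change already resets PORTREVISION and invalidates existing packages.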
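Review bot: in the second www/firefox/Makefile hunk (@@ -44,9 +45,10 @@), `+CPE_VENDOR= mozilla` duplicates a value the reply says bsd.gecko.mk has provided since r363978, and `USES= cpe` most likely comes from the same shared file; CPE knobs should be defined in one place and both additions removed from this hunk, otherwise the two copies can silently drift. Worth confirming while there that CPE_PRODUCT falls back to PORTNAME (`firefox`) as intended, since only the vendor is set explicitly.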
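Review bot: in www/firefox/files/patch-disable-ssl3 (@@ -0,0 +1,22 @@), the two embedded hunks are mutually consistent, raising the `security.tls.version.min` default from 0 to 1 in security-prefs.js and the matching `PSM_DEFAULT_MIN_TLS_VERSION` from 0 to 1 in nsNSSComponent.cpp, which the in-code comment "keep these values in sync with security-prefs.js" requires; but this changes only the build default, so a profile that already carries `user_pref("security.tls.version.min", 0)` keeps SSL 3.0 enabled, and the commit message should say "default floor raised to TLS 1.0" rather than "SSLv3 disabled". On naming, the ports convention is one files/patch-<path-with-dashes> per touched source file, e.g. patch-netwerk-base-public-security-prefs.js; a single descriptively named file covering two sources still applies with patch(1) but does not follow it, which is presumably why the reply mentions adding it under a different filename.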
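The pref the patch touches is a build default that a profile's prefs.js or user.js can override, so "is SSLv3 off" is a question about the merged result, not about security-prefs.js alone. The following checker is an added example (not code from this thread, the FreeBSD port, or Mozilla) that parses pref()/user_pref() lines and reports the effective TLS version floor and ceiling; the sample pref files are constructed, and the numbering 0 = SSL 3.0 .. 3 = TLS 1.2 is the one security.tls.version.{min,max} uses in the quoted hunks.

```python
"""Report the effective security.tls.version.{min,max} range from Firefox
pref files.  Added example; not code from the thread, the port or Mozilla."""
import re
import sys
from typing import Dict, Tuple, Union

PrefValue = Union[int, bool, str]

# Numbering used by security.tls.version.min/max (as in the quoted hunks).
TLS_VERSION_NAMES = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2"}

# pref("name", value);       build defaults such as security-prefs.js
# user_pref("name", value);  a profile's prefs.js / user.js
PREF_RE = re.compile(
    r'^\s*(?:pref|user_pref)\(\s*"(?P<name>[^"]+)"\s*,\s*'
    r'(?P<value>-?\d+|true|false|"[^"]*")\s*\)\s*;'
)

# Constructed sample inputs modelled on the security-prefs.js hunk.
UNPATCHED_DEFAULTS = """\
/* header comment, ignored by the parser */
pref("security.tls.version.min", 0);
pref("security.tls.version.max", 3);
pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", false);
"""
PATCHED_DEFAULTS = UNPATCHED_DEFAULTS.replace(
    'pref("security.tls.version.min", 0);', 'pref("security.tls.version.min", 1);')
# A constructed profile that explicitly re-enables SSL 3.0.
USER_PREFS_SSL3 = 'user_pref("security.tls.version.min", 0);\n'


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Return {name: value} for every pref()/user_pref() line; later lines win."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines and syntax we do not model
        raw = m.group("value")
        if raw in ("true", "false"):
            prefs[m.group("name")] = raw == "true"
        elif raw.startswith('"'):
            prefs[m.group("name")] = raw[1:-1]
        else:
            prefs[m.group("name")] = int(raw)
    return prefs


def effective_tls_range(defaults: str, user_prefs: str = "") -> Tuple[int, int]:
    """(min, max) after profile prefs override the build defaults.
    A pref missing from both falls back to the PSM_DEFAULT_* values (0, 3)."""
    merged = parse_prefs(defaults)
    merged.update(parse_prefs(user_prefs))
    lo = merged.get("security.tls.version.min", 0)
    hi = merged.get("security.tls.version.max", 3)
    if type(lo) is not int or type(hi) is not int:
        raise ValueError("security.tls.version.{min,max} must be integers")
    return lo, hi


def sslv3_enabled(defaults: str, user_prefs: str = "") -> bool:
    """True when the effective floor still admits SSL 3.0 (POODLE-exposed)."""
    lo, _ = effective_tls_range(defaults, user_prefs)
    return lo == 0


def describe_range(lo: int, hi: int) -> str:
    return f"{TLS_VERSION_NAMES.get(lo, lo)} .. {TLS_VERSION_NAMES.get(hi, hi)}"


def main() -> None:
    if len(sys.argv) >= 2:
        # usage: check_tls_prefs.py security-prefs.js [prefs.js]
        with open(sys.argv[1]) as f:
            defaults = f.read()
        user = ""
        if len(sys.argv) > 2:
            with open(sys.argv[2]) as f:
                user = f.read()
        cases = [("given files", defaults, user)]
    else:
        cases = [
            ("unpatched defaults", UNPATCHED_DEFAULTS, ""),
            ("patched defaults", PATCHED_DEFAULTS, ""),
            ("patched defaults + profile override", PATCHED_DEFAULTS, USER_PREFS_SSL3),
        ]
    for label, defaults, user in cases:
        lo, hi = effective_tls_range(defaults, user)
        state = "SSLv3 ENABLED" if lo == 0 else "SSLv3 disabled"
        print(f"{label:38s} {describe_range(lo, hi):22s} {state}")


if __name__ == "__main__":
    main()
```

Run without arguments to see the three constructed cases; the third shows why a default-only fix is not the same as removing SSL 3.0 support, since a `user_pref` line re-opens the floor regardless of what the patched security-prefs.js says.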