Date: Wed, 15 Oct 2014 12:54:09 +0200
From: Jan Beich <jbeich@vfemail.net>
To: Dag-Erling Smørgrav <des@des.no>
Cc: gecko@freebsd.org, ports-secteam@freebsd.org
Subject: Re: POODLE SSLv3 vulnerability
Message-ID: <r3y9-txgu-wny@vfemail.net>
In-Reply-To: <86egu9zoej.fsf@nine.des.no> (Dag-Erling Smørgrav's message of "Wed, 15 Oct 2014 11:13:24 +0200")
References: <86iojmgn40.fsf@nine.des.no> <8661fmgk1c.fsf@nine.des.no> <86egu9zoej.fsf@nine.des.no>
Dag-Erling Smørgrav <des@des.no> writes:

> Updated (still untested) patch which also adds CPE information:
>
> Index: www/firefox/Makefile
> ===================================================================
> --- www/firefox/Makefile (revision 370893)
> +++ www/firefox/Makefile (working copy)
> @@ -4,6 +4,7 @@
>  PORTNAME= firefox
>  DISTVERSION= 32.0.3
>  DISTVERSIONSUFFIX=.source
> +PORTREVISION= 1

Too late. Mozilla already announced (other) vulnerabilities in Firefox
32.0. Firefox 33.0 is pending merge to ports in bug 194356.

https://www.mozilla.org/security/announce/

>  PORTEPOCH= 1
>  CATEGORIES= www ipv6
>  MASTER_SITES= MOZILLA/${PORTNAME}/releases/${DISTVERSION}/source \
> @@ -44,9 +45,10 @@
>  ALL_TARGET= default
>  GNU_CONFIGURE= yes
>  USE_GL= gl
> -USES= dos2unix tar:bzip2
> +USES= cpe dos2unix tar:bzip2
>  DOS2UNIX_FILES= media/webrtc/trunk/webrtc/system_wrappers/source/spreadsortlib/spreadsort.hpp
>  NO_MOZPKGINSTALL=yes
> +CPE_VENDOR= mozilla

Already in bsd.gecko.mk since r363978 or Firefox 31.0 update.

>  
>  FIREFOX_ICON= ${MOZILLA}.png
>  FIREFOX_ICON_SRC= ${PREFIX}/lib/${MOZILLA}/browser/chrome/icons/default/default48.png
> Index: www/firefox/files/patch-disable-ssl3
> ===================================================================
> --- www/firefox/files/patch-disable-ssl3 (revision 0)
> +++ www/firefox/files/patch-disable-ssl3 (working copy)
> @@ -0,0 +1,22 @@
> +--- netwerk/base/public/security-prefs.js.orig
> ++++ netwerk/base/public/security-prefs.js
> +@@ -2,7 +2,7 @@
> +  * License, v. 2.0. If a copy of the MPL was not distributed with this
> +  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
> + 
> +-pref("security.tls.version.min", 0);
> ++pref("security.tls.version.min", 1);
> + pref("security.tls.version.max", 3);
> + 
> + pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", false);
> +--- security/manager/ssl/src/nsNSSComponent.cpp.orig
> ++++ security/manager/ssl/src/nsNSSComponent.cpp
> +@@ -1076,7 +1076,7 @@ nsresult
> + nsNSSComponent::setEnabledTLSVersions()
> + {
> +   // keep these values in sync with security-prefs.js
> +-  static const int32_t PSM_DEFAULT_MIN_TLS_VERSION = 0;
> ++  static const int32_t PSM_DEFAULT_MIN_TLS_VERSION = 1;
> +   static const int32_t PSM_DEFAULT_MAX_TLS_VERSION = 3;
> + 
> +   int32_t minVersion = Preferences::GetInt("security.tls.version.min",

This is already tracked upstream and may land *before* 34.0. Anyway,
I've added the patch under different filename and applied to linux-ports.

https://bugzilla.mozilla.org/show_bug.cgi?id=1076983
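Review bot: the PORTREVISION= 1 added in the first Makefile hunk is only valid while DISTVERSION stays at 32.0.3; the reply says 33.0 is already pending in bug 194356, and a DISTVERSION change resets PORTREVISION, so this line would have to be dropped again on that update. Rebase the SSLv3 change onto the 33.0 update rather than committing a revision bump that is immediately superseded.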
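Review bot: the `cpe` added to USES and the `CPE_VENDOR= mozilla` line in the second Makefile hunk duplicate what bsd.gecko.mk already sets for the gecko ports (since r363978 according to the reply), so both additions should be dropped from www/firefox/Makefile. Before dropping them, confirm the vendor is really inherited, since the USES=cpe default vendor would otherwise be derived from PORTNAME and produce firefox:firefox instead of mozilla:firefox: `make -C www/firefox -V CPE_STR` should already print a cpe string with vendor mozilla without this hunk applied.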
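Review bot: raising the default in patch-disable-ssl3 only removes SSL 3.0 for profiles that never stored security.tls.version.min; the nsNSSComponent.cpp hunk shows the constant is just the fallback for Preferences::GetInt("security.tls.version.min", ...), so a profile or user.js that already holds 0 keeps SSLv3 after the upgrade. The commit message or an UPDATING note should say so, and the post-build check should be that about:config shows security.tls.version.min as default 1, not as a user-set 0. Changing both PSM_DEFAULT_MIN_TLS_VERSION and the pref() line together is correct given the "keep these values in sync with security-prefs.js" comment; leaving PSM_DEFAULT_MAX_TLS_VERSION at 3 (TLS 1.2) is also right.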
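A check a ports maintainer could run against a patched tree, added here as an example and not part of this thread, of the FreeBSD port, or of Mozilla's code: it parses the pref() defaults in security-prefs.js and the PSM_DEFAULT_*_TLS_VERSION constants in nsNSSComponent.cpp, verifies the two stay in sync as the source comment demands, and fails if the default minimum still admits SSL 3.0. The file excerpts embedded in the script are constructed from the lines visible in the hunk above; the number-to-protocol mapping (0 = SSL 3.0, 1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2) is the PSM numbering these prefs use.

```python
"""Check the default TLS version floor in a Firefox source tree.

Example code written for this thread; not part of the port or of
Mozilla's build.  It reads the pref() defaults from
netwerk/base/public/security-prefs.js and the PSM_DEFAULT_*_TLS_VERSION
constants from security/manager/ssl/src/nsNSSComponent.cpp, checks that
the two agree (the source comment says "keep these values in sync"), and
reports if SSL 3.0 is still the default minimum.
"""
import re
import sys

# PSM numbering used by security.tls.version.min/max in Firefox of this era.
PSM_VERSION_NAMES = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2"}

PREF_RE = re.compile(
    r'^\s*pref\("security\.tls\.version\.(min|max)",\s*(\d+)\);', re.MULTILINE)
CONST_RE = re.compile(r'PSM_DEFAULT_(MIN|MAX)_TLS_VERSION\s*=\s*(\d+)\s*;')


def parse_prefs(prefs_js):
    """Return {'min': n, 'max': n} from the pref() lines of security-prefs.js."""
    return {key: int(val) for key, val in PREF_RE.findall(prefs_js)}


def parse_psm_constants(cpp_source):
    """Return {'min': n, 'max': n} from the constants in nsNSSComponent.cpp."""
    return {key.lower(): int(val) for key, val in CONST_RE.findall(cpp_source)}


def enabled_versions(bounds):
    """Protocol versions a build with these defaults will offer, lowest first."""
    return [PSM_VERSION_NAMES[v] for v in range(bounds["min"], bounds["max"] + 1)]


def check_tls_floor(prefs_js, cpp_source):
    """Return a list of problems; an empty list means SSLv3 is off by default."""
    prefs = parse_prefs(prefs_js)
    consts = parse_psm_constants(cpp_source)
    problems = []
    for key in ("min", "max"):
        if key not in prefs:
            problems.append("security-prefs.js: security.tls.version.%s not found" % key)
        if key not in consts:
            problems.append("nsNSSComponent.cpp: PSM_DEFAULT_%s_TLS_VERSION not found"
                            % key.upper())
        if key in prefs and key in consts and prefs[key] != consts[key]:
            problems.append("%s out of sync: security-prefs.js says %d, "
                            "nsNSSComponent.cpp says %d" % (key, prefs[key], consts[key]))
    if "min" in prefs and "max" in prefs:
        if prefs["min"] > prefs["max"]:
            problems.append("min %d exceeds max %d" % (prefs["min"], prefs["max"]))
        elif prefs["min"] < 1:
            problems.append("SSL 3.0 still enabled by default (offers %s)"
                            % ", ".join(enabled_versions(prefs)))
    return problems


# Constructed excerpts mirroring the lines visible in the quoted hunk; only
# the lines the regexes need are reproduced here.
UNPATCHED_PREFS = '''pref("security.tls.version.min", 0);
pref("security.tls.version.max", 3);
'''
PATCHED_PREFS = UNPATCHED_PREFS.replace('"security.tls.version.min", 0',
                                        '"security.tls.version.min", 1')
UNPATCHED_CPP = '''  // keep these values in sync with security-prefs.js
  static const int32_t PSM_DEFAULT_MIN_TLS_VERSION = 0;
  static const int32_t PSM_DEFAULT_MAX_TLS_VERSION = 3;
'''
PATCHED_CPP = UNPATCHED_CPP.replace("MIN_TLS_VERSION = 0", "MIN_TLS_VERSION = 1")


def main(argv):
    """Usage: tls_floor_check.py security-prefs.js nsNSSComponent.cpp
    Without arguments the constructed (patched) excerpts above are checked."""
    if len(argv) == 3:
        with open(argv[1]) as f:
            prefs_js = f.read()
        with open(argv[2]) as f:
            cpp_source = f.read()
    else:
        prefs_js, cpp_source = PATCHED_PREFS, PATCHED_CPP
    problems = check_tls_floor(prefs_js, cpp_source)
    for p in problems:
        print("FAIL:", p)
    if not problems:
        print("OK: default floor is %s" % enabled_versions(parse_prefs(prefs_js))[0])
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

This only verifies build defaults. Because the constant is merely the fallback for Preferences::GetInt, a profile that already stores security.tls.version.min = 0 keeps SSLv3 regardless of what the patched tree says, so a runtime check of about:config (or of the profile's prefs.js) is still needed on upgraded installs.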