Package: spice / 0.14.3-2.1

With-OpenSSL-1.1-Disable-client-initiated-renegotiat.patch Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
From: =?UTF-8?q?Julien=20Rop=C3=A9?= <jrope@redhat.com>
Date: Wed, 2 Dec 2020 13:39:27 +0100
Subject: [1/2] With OpenSSL 1.1: Disable client-initiated renegotiation.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Origin: https://gitlab.freedesktop.org/spice/spice/-/commit/ca5bbc5692e052159bce1a75f55dc60b36078749
Bug: https://gitlab.freedesktop.org/spice/spice/-/issues/49
Bug-Debian: https://bugs.debian.org/983698
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-20201

Fixes issue #49
Fixes BZ#1904459

Signed-off-by: Julien Ropé <jrope@redhat.com>
Reported-by: BlackKD
Acked-by: Frediano Ziglio <fziglio@redhat.com>
[Salvatore Bonaccorso: Backport to 0.14.3: Filename change]
---
 server/reds.cpp | 4 ++++
 1 file changed, 4 insertions(+)

--- a/server/reds.c
+++ b/server/reds.c
@@ -2862,6 +2862,10 @@ static int reds_init_ssl(RedsState *reds
      * When some other SSL/TLS version becomes obsolete, add it to this
      * variable. */
     long ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION | SSL_OP_NO_TLSv1;
+#ifdef SSL_OP_NO_RENEGOTIATION
+    // With OpenSSL 1.1: Disable all renegotiation in TLSv1.2 and earlier
+    ssl_options |= SSL_OP_NO_RENEGOTIATION;
+#endif
 
     /* Global system initialization*/
     openssl_global_init();