Skip to content
Snippets Groups Projects
Commit a1fa812b authored by Ariadne Conill's avatar Ariadne Conill
Browse files

main/spice: add mitigation for CVE-2021-20101

parent 2e8b5312
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
main/spice/APKBUILD
+ 9
3
View file @ a1fa812b
...@@ -2,7 +2,7 @@ ...@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org> # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=spice pkgname=spice
pkgver=0.14.3 pkgver=0.14.3
pkgrel=0 pkgrel=1
pkgdesc="Implements the SPICE protocol" pkgdesc="Implements the SPICE protocol"
url="http://www.spice-space.org/" url="http://www.spice-space.org/"
arch="all" arch="all"
...@@ -28,9 +28,12 @@ makedepends=" ...@@ -28,9 +28,12 @@ makedepends="
subpackages="$pkgname-static $pkgname-dev $pkgname-server" subpackages="$pkgname-static $pkgname-dev $pkgname-server"
source="https://www.spice-space.org/download/releases/spice-server/spice-$pkgver.tar.bz2 source="https://www.spice-space.org/download/releases/spice-server/spice-$pkgver.tar.bz2
failing-tests.patch failing-tests.patch
CVE-2021-20201.patch
" "
# secfixes: # secfixes:
# 0.14.3-r1:
# - CVE-2021-20201
# 0.14.1-r4: # 0.14.1-r4:
# - CVE-2019-3813 # - CVE-2019-3813
# 0.14.1-r0: # 0.14.1-r0:
...@@ -66,5 +69,8 @@ server() { ...@@ -66,5 +69,8 @@ server() {
mv "$pkgdir"/usr/lib/*server.so.* "$subpkgdir"/usr/lib/ mv "$pkgdir"/usr/lib/*server.so.* "$subpkgdir"/usr/lib/
} }
sha512sums="9ecdc455ff25c71ac1fe6c576654b51efbfb860110bd6828065d23f7462d5c5cac772074d1a40f033386258d970b77275b2007bcfdffb23fdff2137154ea46e4 spice-0.14.3.tar.bz2 sha512sums="
10104feb05ce9d70074cad58efb9772cc8521666ea1c694bedf5c3ecfaa15a755324ac989b94d3be61e69be4286ab8369b900452fe98864596dcbc45d4a896b5 failing-tests.patch" 9ecdc455ff25c71ac1fe6c576654b51efbfb860110bd6828065d23f7462d5c5cac772074d1a40f033386258d970b77275b2007bcfdffb23fdff2137154ea46e4 spice-0.14.3.tar.bz2
10104feb05ce9d70074cad58efb9772cc8521666ea1c694bedf5c3ecfaa15a755324ac989b94d3be61e69be4286ab8369b900452fe98864596dcbc45d4a896b5 failing-tests.patch
f7584c07c2c521c1454d1a7bc49aba4fd17553b96ce5107114e9bb02d58439cabd1471dd6e6e639a3f783255efecbd1a17cd543672a8021c9d59f68acb4fcbb7 CVE-2021-20201.patch
"
main/spice/CVE-2021-20201.patch 0 → 100644
+ 36
0
View file @ a1fa812b
From ca5bbc5692e052159bce1a75f55dc60b36078749 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julien=20Rop=C3=A9?= <jrope@redhat.com>
Date: Wed, 2 Dec 2020 13:39:27 +0100
Subject: [PATCH] With OpenSSL 1.1: Disable client-initiated renegotiation.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes issue #49
Fixes BZ#1904459
Signed-off-by: Julien Ropé <jrope@redhat.com>
Reported-by: BlackKD
Acked-by: Frediano Ziglio <fziglio@redhat.com>
---
server/reds.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/server/reds.c b/server/reds.c
index fe69508e..f61086cb 100644
--- a/server/reds.c
+++ b/server/reds.c
@@ -2753,6 +2753,10 @@ static int reds_init_ssl(RedsState *reds)
* When some other SSL/TLS version becomes obsolete, add it to this
* variable. */
long ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION | SSL_OP_NO_TLSv1;
+#ifdef SSL_OP_NO_RENEGOTIATION
+ // With OpenSSL 1.1: Disable all renegotiation in TLSv1.2 and earlier
+ ssl_options |= SSL_OP_NO_RENEGOTIATION;
+#endif
/* Global system initialization*/
openssl_global_init();
--
GitLab
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment