diff options
| -rw-r--r-- | main/spice/APKBUILD | 12 | ||||
| -rw-r--r-- | main/spice/CVE-2021-20201.patch | 36 |
2 files changed, 45 insertions, 3 deletions
diff --git a/main/spice/APKBUILD b/main/spice/APKBUILD index 98e6f2fa24a..bb5efa26a2d 100644 --- a/main/spice/APKBUILD +++ b/main/spice/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=spice pkgver=0.14.3 -pkgrel=0 +pkgrel=1 pkgdesc="Implements the SPICE protocol" url="http://www.spice-space.org/" arch="all" @@ -28,9 +28,12 @@ makedepends=" subpackages="$pkgname-static $pkgname-dev $pkgname-server" source="https://www.spice-space.org/download/releases/spice-server/spice-$pkgver.tar.bz2 failing-tests.patch + CVE-2021-20201.patch " # secfixes: +# 0.14.3-r1: +# - CVE-2021-20201 # 0.14.1-r4: # - CVE-2019-3813 # 0.14.1-r0: @@ -71,5 +74,8 @@ server() { mv "$pkgdir"/usr/lib/*server.so.* "$subpkgdir"/usr/lib/ } -sha512sums="9ecdc455ff25c71ac1fe6c576654b51efbfb860110bd6828065d23f7462d5c5cac772074d1a40f033386258d970b77275b2007bcfdffb23fdff2137154ea46e4 spice-0.14.3.tar.bz2 -10104feb05ce9d70074cad58efb9772cc8521666ea1c694bedf5c3ecfaa15a755324ac989b94d3be61e69be4286ab8369b900452fe98864596dcbc45d4a896b5 failing-tests.patch" +sha512sums=" +9ecdc455ff25c71ac1fe6c576654b51efbfb860110bd6828065d23f7462d5c5cac772074d1a40f033386258d970b77275b2007bcfdffb23fdff2137154ea46e4 spice-0.14.3.tar.bz2 +10104feb05ce9d70074cad58efb9772cc8521666ea1c694bedf5c3ecfaa15a755324ac989b94d3be61e69be4286ab8369b900452fe98864596dcbc45d4a896b5 failing-tests.patch +f7584c07c2c521c1454d1a7bc49aba4fd17553b96ce5107114e9bb02d58439cabd1471dd6e6e639a3f783255efecbd1a17cd543672a8021c9d59f68acb4fcbb7 CVE-2021-20201.patch +" diff --git a/main/spice/CVE-2021-20201.patch b/main/spice/CVE-2021-20201.patch new file mode 100644 index 00000000000..9c633c89e25 --- /dev/null +++ b/main/spice/CVE-2021-20201.patch @@ -0,0 +1,36 @@ +From ca5bbc5692e052159bce1a75f55dc60b36078749 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Julien=20Rop=C3=A9?= <jrope@redhat.com> +Date: Wed, 2 Dec 2020 13:39:27 +0100 +Subject: [PATCH] With OpenSSL 1.1: Disable client-initiated renegotiation. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes issue #49 +Fixes BZ#1904459 + +Signed-off-by: Julien Ropé <jrope@redhat.com> +Reported-by: BlackKD +Acked-by: Frediano Ziglio <fziglio@redhat.com> +--- + server/reds.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/server/reds.c b/server/reds.c +index fe69508e..f61086cb 100644 +--- a/server/reds.c ++++ b/server/reds.c +@@ -2753,6 +2753,10 @@ static int reds_init_ssl(RedsState *reds) + * When some other SSL/TLS version becomes obsolete, add it to this + * variable. */ + long ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION | SSL_OP_NO_TLSv1; ++#ifdef SSL_OP_NO_RENEGOTIATION ++ // With OpenSSL 1.1: Disable all renegotiation in TLSv1.2 and earlier ++ ssl_options |= SSL_OP_NO_RENEGOTIATION; ++#endif + + /* Global system initialization*/ + openssl_global_init(); +-- +GitLab + |