1 files changed, 36 insertions, 0 deletions

diff --git a/main/spice/CVE-2021-20201.patch b/main/spice/CVE-2021-20201.patch
new file mode 100644
index 00000000000..9c633c89e25
--- /dev/null
+++ b/main/spice/CVE-2021-20201.patch
@@ -0,0 +1,36 @@
+From ca5bbc5692e052159bce1a75f55dc60b36078749 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Julien=20Rop=C3=A9?= <jrope@redhat.com>
+Date: Wed, 2 Dec 2020 13:39:27 +0100
+Subject: [PATCH] With OpenSSL 1.1: Disable client-initiated renegotiation.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes issue #49
+Fixes BZ#1904459
+
+Signed-off-by: Julien Ropé <jrope@redhat.com>
+Reported-by: BlackKD
+Acked-by: Frediano Ziglio <fziglio@redhat.com>
+---
+ server/reds.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/server/reds.c b/server/reds.c
+index fe69508e..f61086cb 100644
+--- a/server/reds.c
++++ b/server/reds.c
+@@ -2753,6 +2753,10 @@ static int reds_init_ssl(RedsState *reds)
+      * When some other SSL/TLS version becomes obsolete, add it to this
+      * variable. */
+     long ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION | SSL_OP_NO_TLSv1;
++#ifdef SSL_OP_NO_RENEGOTIATION
++    // With OpenSSL 1.1: Disable all renegotiation in TLSv1.2 and earlier
++    ssl_options |= SSL_OP_NO_RENEGOTIATION;
++#endif
+ 
+     /* Global system initialization*/
+     openssl_global_init();
+-- 
+GitLab
+