Improve output related to SSLv3 disabling
This commit is contained in:
parent
5bdf35bfca
commit
e1ac68c76f
@ -1,8 +1,33 @@
|
||||
diff -up fetchmail-6.3.26/configure.ac.orig fetchmail-6.3.26/configure.ac
|
||||
--- fetchmail-6.3.26/configure.ac.orig 2013-04-23 22:51:10.000000000 +0200
|
||||
+++ fetchmail-6.3.26/configure.ac 2016-05-02 14:14:34.908139601 +0200
|
||||
@@ -803,6 +803,7 @@ fi
|
||||
|
||||
case "$LIBS" in *-lssl*)
|
||||
AC_CHECK_DECLS([SSLv2_client_method],,,[#include <openssl/ssl.h>])
|
||||
+ AC_CHECK_DECLS([SSLv3_client_method],,,[#include <openssl/ssl.h>])
|
||||
;;
|
||||
esac
|
||||
|
||||
diff -up fetchmail-6.3.26/fetchmail.c.orig fetchmail-6.3.26/fetchmail.c
|
||||
--- fetchmail-6.3.26/fetchmail.c.orig 2013-04-23 22:00:45.000000000 +0200
|
||||
+++ fetchmail-6.3.26/fetchmail.c 2016-05-02 14:14:34.908139601 +0200
|
||||
@@ -263,6 +263,12 @@ int main(int argc, char **argv)
|
||||
#ifdef SSL_ENABLE
|
||||
"+SSL"
|
||||
#endif
|
||||
+#if HAVE_DECL_SSLV2_CLIENT_METHOD + 0 == 0
|
||||
+ "-SSLv2"
|
||||
+#endif
|
||||
+#if HAVE_DECL_SSLV3_CLIENT_METHOD + 0 == 0
|
||||
+ "-SSLv3"
|
||||
+#endif
|
||||
#ifdef OPIE_ENABLE
|
||||
"+OPIE"
|
||||
#endif /* OPIE_ENABLE */
|
||||
diff -up fetchmail-6.3.26/fetchmail.h.orig fetchmail-6.3.26/fetchmail.h
|
||||
--- fetchmail-6.3.26/fetchmail.h.orig 2013-04-23 22:00:45.000000000 +0200
|
||||
+++ fetchmail-6.3.26/fetchmail.h 2015-10-20 09:49:13.748349055 +0200
|
||||
+++ fetchmail-6.3.26/fetchmail.h 2016-05-02 14:14:34.905139590 +0200
|
||||
@@ -771,9 +771,9 @@ int servport(const char *service);
|
||||
int fm_getaddrinfo(const char *node, const char *serv, const struct addrinfo *hints, struct addrinfo **res);
|
||||
void fm_freeaddrinfo(struct addrinfo *ai);
|
||||
@ -18,7 +43,7 @@ diff -up fetchmail-6.3.26/fetchmail.h.orig fetchmail-6.3.26/fetchmail.h
|
||||
int rfc822_valid_msgid(const unsigned char *);
|
||||
diff -up fetchmail-6.3.26/fetchmail.man.orig fetchmail-6.3.26/fetchmail.man
|
||||
--- fetchmail-6.3.26/fetchmail.man.orig 2013-04-23 22:51:17.000000000 +0200
|
||||
+++ fetchmail-6.3.26/fetchmail.man 2015-10-20 09:49:13.749349060 +0200
|
||||
+++ fetchmail-6.3.26/fetchmail.man 2016-05-02 14:14:34.906139594 +0200
|
||||
@@ -412,23 +412,22 @@ from. The folder information is written
|
||||
.B \-\-ssl
|
||||
(Keyword: ssl)
|
||||
@ -210,7 +235,7 @@ diff -up fetchmail-6.3.26/fetchmail.man.orig fetchmail-6.3.26/fetchmail.man
|
||||
force strict certificate checking - see below.
|
||||
diff -up fetchmail-6.3.26/imap.c.orig fetchmail-6.3.26/imap.c
|
||||
--- fetchmail-6.3.26/imap.c.orig 2013-04-23 22:00:45.000000000 +0200
|
||||
+++ fetchmail-6.3.26/imap.c 2015-10-20 09:49:13.750349064 +0200
|
||||
+++ fetchmail-6.3.26/imap.c 2016-05-02 14:14:34.906139594 +0200
|
||||
@@ -405,6 +405,8 @@ static int imap_getauth(int sock, struct
|
||||
/* apply for connection authorization */
|
||||
{
|
||||
@ -280,7 +305,7 @@ diff -up fetchmail-6.3.26/imap.c.orig fetchmail-6.3.26/imap.c
|
||||
|
||||
diff -up fetchmail-6.3.26/Makefile.am.orig fetchmail-6.3.26/Makefile.am
|
||||
--- fetchmail-6.3.26/Makefile.am.orig 2013-04-23 22:00:45.000000000 +0200
|
||||
+++ fetchmail-6.3.26/Makefile.am 2015-10-20 09:49:13.750349064 +0200
|
||||
+++ fetchmail-6.3.26/Makefile.am 2016-05-02 14:14:34.906139594 +0200
|
||||
@@ -31,7 +31,7 @@ libfm_a_SOURCES= xmalloc.c base64.c rfc8
|
||||
servport.c ntlm.h smbbyteorder.h smbdes.h smbmd4.h \
|
||||
smbencrypt.h smbdes.c smbencrypt.c smbmd4.c smbutil.c \
|
||||
@ -292,7 +317,7 @@ diff -up fetchmail-6.3.26/Makefile.am.orig fetchmail-6.3.26/Makefile.am
|
||||
if NTLM_ENABLE
|
||||
diff -up fetchmail-6.3.26/Makefile.in.orig fetchmail-6.3.26/Makefile.in
|
||||
--- fetchmail-6.3.26/Makefile.in.orig 2013-04-23 23:36:56.000000000 +0200
|
||||
+++ fetchmail-6.3.26/Makefile.in 2015-10-20 09:49:13.751349069 +0200
|
||||
+++ fetchmail-6.3.26/Makefile.in 2016-05-02 14:14:34.906139594 +0200
|
||||
@@ -97,14 +97,14 @@ am__libfm_a_SOURCES_DIST = xmalloc.c bas
|
||||
rfc2047e.c servport.c ntlm.h smbbyteorder.h smbdes.h smbmd4.h \
|
||||
smbencrypt.h smbdes.c smbencrypt.c smbmd4.c smbutil.c \
|
||||
@ -321,9 +346,14 @@ diff -up fetchmail-6.3.26/Makefile.in.orig fetchmail-6.3.26/Makefile.in
|
||||
libfm_a_DEPENDENCIES = $(EXTRAOBJ)
|
||||
diff -up fetchmail-6.3.26/NEWS.orig fetchmail-6.3.26/NEWS
|
||||
--- fetchmail-6.3.26/NEWS.orig 2013-04-23 23:35:49.000000000 +0200
|
||||
+++ fetchmail-6.3.26/NEWS 2015-10-20 09:49:13.751349069 +0200
|
||||
@@ -56,6 +56,29 @@ removed from a 6.4.0 or newer release.)
|
||||
|
||||
+++ fetchmail-6.3.26/NEWS 2016-05-02 14:14:34.907139597 +0200
|
||||
@@ -53,9 +53,33 @@ removed from a 6.4.0 or newer release.)
|
||||
fetchmail may switch to a different SSL library.
|
||||
* SSLv2 support will be removed from a future fetchmail release. It has been
|
||||
obsolete for more than a decade.
|
||||
-
|
||||
+* SSLv3 support may be removed from a future fetchmail release. It has been
|
||||
+ obsolete for many years and found insecure. Use TLS.
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
+## SECURITY FIXES THAT AFFECT BEHAVIOUR AND MAY WANT RECONFIGURATION
|
||||
@ -352,9 +382,21 @@ diff -up fetchmail-6.3.26/NEWS.orig fetchmail-6.3.26/NEWS
|
||||
fetchmail-6.3.26 (released 2013-04-23, 26180 LoC):
|
||||
|
||||
# NOTE THAT FETCHMAIL IS NO LONGER PUBLISHED THROUGH IBIBLIO.
|
||||
@@ -75,6 +99,11 @@ fetchmail-6.3.26 (released 2013-04-23, 2
|
||||
|
||||
Fixes Launchpad Bug#1171818.
|
||||
|
||||
+* Fix SSL-enabled build on systems that do not declare SSLv3_client_method().
|
||||
+ Related to Debian Bug#775255.
|
||||
+* Version report lists -SSLv3 on +SSL builds that omit SSLv3_client_method().
|
||||
+* Version report lists -SSLv2 on +SSL builds that omit SSLv2_client_method().
|
||||
+
|
||||
# KNOWN BUGS AND WORKAROUNDS
|
||||
(This section floats upwards through the NEWS file so it stays with the
|
||||
current release information)
|
||||
diff -up fetchmail-6.3.26/pop3.c.orig fetchmail-6.3.26/pop3.c
|
||||
--- fetchmail-6.3.26/pop3.c.orig 2013-04-23 22:00:45.000000000 +0200
|
||||
+++ fetchmail-6.3.26/pop3.c 2015-10-20 09:49:13.752349073 +0200
|
||||
+++ fetchmail-6.3.26/pop3.c 2016-05-02 14:14:34.907139597 +0200
|
||||
@@ -281,6 +281,7 @@ static int pop3_getauth(int sock, struct
|
||||
#endif /* OPIE_ENABLE */
|
||||
#ifdef SSL_ENABLE
|
||||
@ -446,7 +488,7 @@ diff -up fetchmail-6.3.26/pop3.c.orig fetchmail-6.3.26/pop3.c
|
||||
/*
|
||||
diff -up fetchmail-6.3.26/README.SSL.orig fetchmail-6.3.26/README.SSL
|
||||
--- fetchmail-6.3.26/README.SSL.orig 2013-01-02 23:38:24.000000000 +0100
|
||||
+++ fetchmail-6.3.26/README.SSL 2015-10-20 09:49:13.752349073 +0200
|
||||
+++ fetchmail-6.3.26/README.SSL 2016-05-02 14:14:34.907139597 +0200
|
||||
@@ -11,36 +11,48 @@ specific to fetchmail.
|
||||
In case of troubles, mail the README.SSL-SERVER file to your ISP and
|
||||
have them check their server configuration against it.
|
||||
@ -508,7 +550,7 @@ diff -up fetchmail-6.3.26/README.SSL.orig fetchmail-6.3.26/README.SSL
|
||||
Background and use (long version :-))
|
||||
diff -up fetchmail-6.3.26/socket.c.orig fetchmail-6.3.26/socket.c
|
||||
--- fetchmail-6.3.26/socket.c.orig 2013-04-23 22:00:45.000000000 +0200
|
||||
+++ fetchmail-6.3.26/socket.c 2015-10-20 09:50:16.160634211 +0200
|
||||
+++ fetchmail-6.3.26/socket.c 2016-05-02 14:16:27.711570350 +0200
|
||||
@@ -876,6 +876,9 @@ int SSLOpen(int sock, char *mycert, char
|
||||
{
|
||||
struct stat randstat;
|
||||
@ -519,19 +561,22 @@ diff -up fetchmail-6.3.26/socket.c.orig fetchmail-6.3.26/socket.c
|
||||
long sslopts = SSL_OP_ALL;
|
||||
|
||||
SSL_load_error_strings();
|
||||
@@ -907,24 +910,54 @@ int SSLOpen(int sock, char *mycert, char
|
||||
_ssl_context[sock] = NULL;
|
||||
if(myproto) {
|
||||
if(!strcasecmp("ssl2",myproto)) {
|
||||
-#if HAVE_DECL_SSLV2_CLIENT_METHOD + 0 > 0
|
||||
@@ -910,21 +913,61 @@ int SSLOpen(int sock, char *mycert, char
|
||||
#if HAVE_DECL_SSLV2_CLIENT_METHOD + 0 > 0
|
||||
_ctx[sock] = SSL_CTX_new(SSLv2_client_method());
|
||||
-#else
|
||||
#else
|
||||
- report(stderr, GT_("Your operating system does not support SSLv2.\n"));
|
||||
- return -1;
|
||||
-#endif
|
||||
+ report(stderr, GT_("Your OpenSSL version does not support SSLv2.\n"));
|
||||
return -1;
|
||||
#endif
|
||||
+ avoid_ssl_versions &= ~SSL_OP_NO_SSLv2;
|
||||
} else if(!strcasecmp("ssl3",myproto)) {
|
||||
+#if HAVE_DECL_SSLV3_CLIENT_METHOD + 0 > 0
|
||||
_ctx[sock] = SSL_CTX_new(SSLv3_client_method());
|
||||
+#else
|
||||
+ report(stderr, GT_("Your OpenSSL version does not support SSLv3.\n"));
|
||||
+ return -1;
|
||||
+#endif
|
||||
+ avoid_ssl_versions &= ~SSL_OP_NO_SSLv3;
|
||||
+ } else if(!strcasecmp("ssl3+",myproto)) {
|
||||
+ avoid_ssl_versions &= ~SSL_OP_NO_SSLv3;
|
||||
@ -581,7 +626,7 @@ diff -up fetchmail-6.3.26/socket.c.orig fetchmail-6.3.26/socket.c
|
||||
_ctx[sock] = SSL_CTX_new(SSLv23_client_method());
|
||||
}
|
||||
if(_ctx[sock] == NULL) {
|
||||
@@ -938,7 +971,7 @@ int SSLOpen(int sock, char *mycert, char
|
||||
@@ -938,7 +981,7 @@ int SSLOpen(int sock, char *mycert, char
|
||||
sslopts &= ~ SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
|
||||
}
|
||||
|
||||
@ -590,7 +635,7 @@ diff -up fetchmail-6.3.26/socket.c.orig fetchmail-6.3.26/socket.c
|
||||
|
||||
if (certck) {
|
||||
SSL_CTX_set_verify(_ctx[sock], SSL_VERIFY_PEER, SSL_ck_verify_callback);
|
||||
@@ -1017,6 +1050,24 @@ int SSLOpen(int sock, char *mycert, char
|
||||
@@ -1017,6 +1060,24 @@ int SSLOpen(int sock, char *mycert, char
|
||||
return(-1);
|
||||
}
|
||||
|
||||
@ -616,8 +661,8 @@ diff -up fetchmail-6.3.26/socket.c.orig fetchmail-6.3.26/socket.c
|
||||
if (!_depth0ck) {
|
||||
report(stderr, GT_("Certificate/fingerprint verification was somehow skipped!\n"));
|
||||
diff -up fetchmail-6.3.26/starttls.c.orig fetchmail-6.3.26/starttls.c
|
||||
--- fetchmail-6.3.26/starttls.c.orig 2015-10-20 09:49:13.753349078 +0200
|
||||
+++ fetchmail-6.3.26/starttls.c 2015-10-20 09:49:13.753349078 +0200
|
||||
--- fetchmail-6.3.26/starttls.c.orig 2016-05-02 14:14:34.908139601 +0200
|
||||
+++ fetchmail-6.3.26/starttls.c 2016-05-02 14:14:34.908139601 +0200
|
||||
@@ -0,0 +1,37 @@
|
||||
+/** \file tls.c - collect common TLS functionality
|
||||
+ * \author Matthias Andree
|
||||
@ -658,7 +703,7 @@ diff -up fetchmail-6.3.26/starttls.c.orig fetchmail-6.3.26/starttls.c
|
||||
+}
|
||||
diff -up fetchmail-6.3.26/tls.c.orig fetchmail-6.3.26/tls.c
|
||||
--- fetchmail-6.3.26/tls.c.orig 2013-04-23 22:00:45.000000000 +0200
|
||||
+++ fetchmail-6.3.26/tls.c 2015-10-20 09:49:13.753349078 +0200
|
||||
+++ fetchmail-6.3.26/tls.c 2016-05-02 14:14:34.908139601 +0200
|
||||
@@ -1,35 +0,0 @@
|
||||
-/** \file tls.c - collect common TLS functionality
|
||||
- * \author Matthias Andree
|
||||
|
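Review bot: The new `ssl3+` branch (`} else if(!strcasecmp("ssl3+",myproto)) {` followed by `avoid_ssl_versions &= ~SSL_OP_NO_SSLv3;`) clears SSL_OP_NO_SSLv3 without the `HAVE_DECL_SSLV3_CLIENT_METHOD` guard that the sibling `ssl3` branch receives, so on an OpenSSL built without SSLv3 the option becomes a silent no-op even though the commit's stated purpose is to improve SSLv3-related output. Because `ssl3+` deliberately re-admits a protocol the NEWS hunk itself describes as "found insecure", a diagnostic when the request cannot take effect (and arguably a warning whenever it is honoured) is worth adding so an operator does not believe a downgrade-capable configuration is in force when it is not, or vice versa. SSLOpen begins and ends outside this hunk, and the outer and inner diff markers appear to have been collapsed in this rendering, so the side on which the `ssl3+` lines land is inferred from the surrounding `+` lines rather than certain.
```c
    } else if(!strcasecmp("ssl3+",myproto)) {
#if HAVE_DECL_SSLV3_CLIENT_METHOD + 0 > 0
        avoid_ssl_versions &= ~SSL_OP_NO_SSLv3;
#else
        report(stderr, GT_("Your OpenSSL version does not support SSLv3; \"ssl3+\" will negotiate TLS only.\n"));
#endif
        /* … unchanged: remaining protocol selection and SSLv23_client_method() fallback … */
```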
@ -1,7 +1,7 @@
|
||||
Summary: A remote mail retrieval and forwarding utility
|
||||
Name: fetchmail
|
||||
Version: 6.3.26
|
||||
Release: 9%{?dist}
|
||||
Release: 10%{?dist}
|
||||
Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.xz
|
||||
Source1: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.xz.asc
|
||||
# systemd service file
|
||||
@ -64,6 +64,10 @@ rm -f $RPM_BUILD_ROOT%{python_sitelib}/fetchmailconf.py*
|
||||
%config(noreplace) %attr(0600, mail, mail) %{_sysconfdir}/fetchmailrc.example
|
||||
|
||||
%changelog
|
||||
* Mon May 02 2016 Vitezslav Crhonek <vcrhonek@redhat.com> - 6.3.26-10
|
||||
- Improve output related to SSLv3 disabling
|
||||
Resolves: #1331702
|
||||
|
||||
* Wed Feb 03 2016 Fedora Release Engineering <releng@fedoraproject.org> - 6.3.26-9
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
|
||||
|
||||
|