[erlang/epel7] Disable SSLv3
by Peter Lemenkov
commit 961faf17fa13ee2f34fd684e3784b8f1444d6d48
Author: Peter Lemenkov <lemenkov(a)gmail.com>
Date: Mon Dec 1 21:37:45 2014 +0300
Disable SSLv3
Disable SSLv3 (see rhbz #1169375). Also backport useful os:getenv/2 from
master (see https://github.com/erlang/otp/pull/535 )
Signed-off-by: Peter Lemenkov <lemenkov(a)gmail.com>
erlang.spec | 14 +++-
otp-0018-Introduce-os-getenv-2.patch | 63 +++++++++++++
...es-support-for-SSLv3-protocol-because-it-.patch | 99 ++++++++++++++++++++
3 files changed, 175 insertions(+), 1 deletions(-)
---
diff --git a/erlang.spec b/erlang.spec
index 659fdbd..14887e4 100644
--- a/erlang.spec
+++ b/erlang.spec
@@ -25,7 +25,7 @@
Name: erlang
Version: %{upstream_ver}
-Release: %{upstream_rel_for_rpm}.9%{?dist}
+Release: %{upstream_rel_for_rpm}.10%{?dist}
Summary: General-purpose programming language and runtime environment
Group: Development/Languages
@@ -107,6 +107,12 @@ Patch16: otp-0016-Split-off-webtool-dependency-from-tools.patch
# Fedora specific patch
# lib/inets/src/ftp/ftp.erl: Check the filenames, usernames,
Patch17: otp-0017-lib-inets-src-ftp-ftp.erl-Check-the-filenames-userna.patch
+# Fedora specific patch
+# Introduce os:getenv/2
+Patch18: otp-0018-Introduce-os-getenv-2.patch
+# Fedora specific patch
+# Patch removes support for SSLv3 protocol because it is proved
+Patch19: otp-0019-Patch-removes-support-for-SSLv3-protocol-because-it-.patch
# end of autogenerated patch tag list
BuildRequires: lksctp-tools-devel
@@ -989,6 +995,8 @@ Erlang mode for XEmacs (source lisp files).
%patch15 -p1 -b .Expose_NIF_version
%patch16 -p1 -b .Split_off_webtool_dependency_from_tools
%patch17 -p1 -b .lib_inets_src_ftp_ftp_erl_Check_the_filenames_userna
+%patch18 -p1 -b .Introduce_os_getenv_2
+%patch19 -p1 -b .Patch_removes_support_for_SSLv3_protocol_because_it_
# end of autogenerated prep patch list
# FIXME we should come up with a better solution
@@ -2320,6 +2328,10 @@ useradd -r -g epmd -d /tmp -s /sbin/nologin \
%changelog
+* Mon Dec 01 2014 Peter Lemenkov <lemenkov(a)gmail.com> - R16B-03.10
+- Disable SSLv3 (see rhbz #1169375)
+- Backport useful os:getenv/2 from master (see https://github.com/erlang/otp/pull/535 )
+
* Mon Nov 17 2014 Peter Lemenkov <lemenkov(a)gmail.com> - R16B-03.9
- Fixed CVE-2014-1693 (backported fix from ver. 17.x.x, see patch no. 17)
diff --git a/otp-0018-Introduce-os-getenv-2.patch b/otp-0018-Introduce-os-getenv-2.patch
new file mode 100644
index 0000000..7ee1429
--- /dev/null
+++ b/otp-0018-Introduce-os-getenv-2.patch
@@ -0,0 +1,63 @@
+From: Peter Lemenkov <lemenkov(a)gmail.com>
+Date: Sat, 8 Nov 2014 15:11:04 +0300
+Subject: [PATCH] Introduce os:getenv/2
+
+Signed-off-by: Peter Lemenkov <lemenkov(a)gmail.com>
+
+diff --git a/lib/kernel/doc/src/os.xml b/lib/kernel/doc/src/os.xml
+index 9122267..7ec1f8e 100644
+--- a/lib/kernel/doc/src/os.xml
++++ b/lib/kernel/doc/src/os.xml
+@@ -100,6 +100,19 @@ DirOut = os:cmd("dir"), % on Win32 platform</code>
+ </desc>
+ </func>
+ <func>
++ <name name="getenv" arity="2"/>
++ <fsummary>Get the value of an environment variable</fsummary>
++ <desc>
++ <p>Returns the <c><anno>Value</anno></c> of the environment variable
++ <c><anno>VarName</anno></c>, or <c>DefaultValue</c> if the environment variable
++ is undefined.</p>
++ <p>If Unicode file name encoding is in effect (see the <seealso
++ marker="erts:erl#file_name_encoding">erl manual
++ page</seealso>), the strings (both <c><anno>VarName</anno></c> and
++ <c><anno>Value</anno></c>) may contain characters with codepoints > 255.</p>
++ </desc>
++ </func>
++ <func>
+ <name name="getpid" arity="0"/>
+ <fsummary>Return the process identifier of the emulator process</fsummary>
+ <desc>
+diff --git a/lib/kernel/src/os.erl b/lib/kernel/src/os.erl
+index 9415593..d5ef994 100644
+--- a/lib/kernel/src/os.erl
++++ b/lib/kernel/src/os.erl
+@@ -26,7 +26,7 @@
+
+ %%% BIFs
+
+--export([getenv/0, getenv/1, getpid/0, putenv/2, timestamp/0, unsetenv/1]).
++-export([getenv/0, getenv/1, getenv/2, getpid/0, putenv/2, timestamp/0, unsetenv/1]).
+
+ -spec getenv() -> [string()].
+
+@@ -39,6 +39,19 @@ getenv() -> erlang:nif_error(undef).
+ getenv(_) ->
+ erlang:nif_error(undef).
+
++-spec getenv(VarName, DefaultValue) -> Value when
++ VarName :: string(),
++ DefaultValue :: string(),
++ Value :: string().
++
++getenv(VarName, DefaultValue) ->
++ case os:getenv(VarName) of
++ false ->
++ DefaultValue;
++ Value ->
++ Value
++ end.
++
+ -spec getpid() -> Value when
+ Value :: string().
+
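Review bot: The new `<desc>` for getenv/2 wraps VarName and Value in `<anno>` but leaves the default as a plain `<c>DefaultValue</c>`, so the rendered manual will not tie that argument to the `-spec` the way the other two are; suggest `<c><anno>DefaultValue</anno></c>`. The spec also pins `DefaultValue :: string()` while the body returns whatever term the caller passed when the variable is unset; if a non-string sentinel is meant to be allowed the spec should be widened, otherwise the narrower contract is fine and deserves a sentence in the doc. The same patch is carried verbatim in the f20 commit and as otp-0011-Introduce-os-getenv-2.patch in the master-branch commit further down this page.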
diff --git a/otp-0019-Patch-removes-support-for-SSLv3-protocol-because-it-.patch b/otp-0019-Patch-removes-support-for-SSLv3-protocol-because-it-.patch
new file mode 100644
index 0000000..359c011
--- /dev/null
+++ b/otp-0019-Patch-removes-support-for-SSLv3-protocol-because-it-.patch
@@ -0,0 +1,99 @@
+From: Sergei Golovan <sgolovan(a)debian.org>
+Date: Sun, 30 Nov 2014 20:20:41 +0300
+Subject: [PATCH] Patch removes support for SSLv3 protocol because it is proved
+ to be insecure and nobody should use it anymore.
+
+
+diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml
+index 1d74faf..912acc2 100644
+--- a/lib/ssl/doc/src/ssl.xml
++++ b/lib/ssl/doc/src/ssl.xml
+@@ -123,7 +123,7 @@
+
+ <p><c>sslsocket() - opaque to the user. </c></p>
+
+- <p><c>protocol() = sslv3 | tlsv1 | 'tlsv1.1' | 'tlsv1.2' </c></p>
++ <p><c>protocol() = tlsv1 | 'tlsv1.1' | 'tlsv1.2' </c></p>
+
+ <p><c>ciphers() = [ciphersuite()] | string() (according to old API)</c></p>
+
+diff --git a/lib/ssl/doc/src/ssl_app.xml b/lib/ssl/doc/src/ssl_app.xml
+index 0ee5b23..c65f8a3 100644
+--- a/lib/ssl/doc/src/ssl_app.xml
++++ b/lib/ssl/doc/src/ssl_app.xml
+@@ -47,10 +47,10 @@
+ </p>
+ <p>Note that the environment parameters can be set on the command line,
+ for instance,</p>
+- <p><c>erl ... -ssl protocol_version '[sslv3, tlsv1]' ...</c>.
++ <p><c>erl ... -ssl protocol_version '[tlsv1.1, tlsv1]' ...</c>.
+ </p>
+ <taglist>
+- <tag><c><![CDATA[protocol_version = [sslv3|tlsv1] <optional>]]></c>.</tag>
++ <tag><c><![CDATA[protocol_version = [tlsv1|tlsv1.1|tlsv1.2] <optional>]]></c>.</tag>
+ <item>
+ <p>Protocol that will be supported by started clients and
+ servers. If this option is not set it will default to all
+@@ -58,6 +58,9 @@
+ Note that this option may be overridden by the version option
+ to ssl:connect/[2,3] and ssl:listen/2.
+ </p>
++ <p>For Debian GNU/Linux distribution the sslv3 protocol was
++ disabled due to its security issues.
++ </p>
+ </item>
+
+ <tag><c><![CDATA[session_lifetime = integer() <optional>]]></c></tag>
+diff --git a/lib/ssl/src/ssl_internal.hrl b/lib/ssl/src/ssl_internal.hrl
+index 0186f9f..6f84830 100644
+--- a/lib/ssl/src/ssl_internal.hrl
++++ b/lib/ssl/src/ssl_internal.hrl
+@@ -67,8 +67,8 @@
+ -define(TRUE, 0).
+ -define(FALSE, 1).
+
+--define(ALL_SUPPORTED_VERSIONS, ['tlsv1.2', 'tlsv1.1', tlsv1, sslv3]).
+--define(MIN_SUPPORTED_VERSIONS, ['tlsv1.1', tlsv1, sslv3]).
++-define(ALL_SUPPORTED_VERSIONS, ['tlsv1.2', 'tlsv1.1', tlsv1]).
++-define(MIN_SUPPORTED_VERSIONS, ['tlsv1.1', tlsv1]).
+ -define(ALL_DATAGRAM_SUPPORTED_VERSIONS, ['dtlsv1.2', dtlsv1]).
+ -define(MIN_DATAGRAM_SUPPORTED_VERSIONS, ['dtlsv1.2', dtlsv1]).
+
+diff --git a/lib/ssl/src/ssl_record.hrl b/lib/ssl/src/ssl_record.hrl
+index c17fa53..f4be9be 100644
+--- a/lib/ssl/src/ssl_record.hrl
++++ b/lib/ssl/src/ssl_record.hrl
+@@ -144,6 +144,7 @@
+ %% }).
+
+ -define(LOWEST_MAJOR_SUPPORTED_VERSION, 3).
++-define(LOWEST_MINOR_SUPPORTED_VERSION, 1).
+
+
+ -record(generic_stream_cipher, {
+diff --git a/lib/ssl/src/tls_record.erl b/lib/ssl/src/tls_record.erl
+index 8810755..3c5c7e9 100644
+--- a/lib/ssl/src/tls_record.erl
++++ b/lib/ssl/src/tls_record.erl
+@@ -269,13 +269,19 @@ supported_protocol_versions([_|_] = Vsns) ->
+ %%
+ %%--------------------------------------------------------------------
+ is_acceptable_version({N,_})
+- when N >= ?LOWEST_MAJOR_SUPPORTED_VERSION ->
++ when N > ?LOWEST_MAJOR_SUPPORTED_VERSION ->
++ true;
++is_acceptable_version({N,M})
++ when N == ?LOWEST_MAJOR_SUPPORTED_VERSION andalso M >= ?LOWEST_MINOR_SUPPORTED_VERSION ->
+ true;
+ is_acceptable_version(_) ->
+ false.
+
+ is_acceptable_version({N,_} = Version, Versions)
+- when N >= ?LOWEST_MAJOR_SUPPORTED_VERSION ->
++ when N > ?LOWEST_MAJOR_SUPPORTED_VERSION ->
++ lists:member(Version, Versions);
++is_acceptable_version({N,M} = Version, Versions)
++ when N == ?LOWEST_MAJOR_SUPPORTED_VERSION andalso M >= ?LOWEST_MINOR_SUPPORTED_VERSION ->
+ lists:member(Version, Versions);
+ is_acceptable_version(_,_) ->
+ false.
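Review bot: The reworked guards in is_acceptable_version/1 and /2 refuse a version tuple of {3,0}, but nothing visible in this patch changes the atom-to-version mapping or option validation, so `sslv3` presumably still passes `{versions, ...}` / `protocol_version` parsing; whether such a configuration is then refused depends on both the client and server hello paths going through `is_acceptable_version/2`, which lies outside this hunk and is worth pinning with a test that `{versions,[sslv3]}` fails cleanly on both sides rather than being quietly accepted. The ssl_app.xml paragraph added here reads "For Debian GNU/Linux distribution", which is misleading in a Fedora package carrying the patch; `<p>In this distribution's build the sslv3 protocol has been disabled due to its security issues.</p>` is accurate for both. As a style point, the new guards compare integers with `==` where `=:=` is the exact comparison, and each pair of clauses could be a single clause with alternative guards: `is_acceptable_version({N,M}) when N > ?LOWEST_MAJOR_SUPPORTED_VERSION; N =:= ?LOWEST_MAJOR_SUPPORTED_VERSION, M >= ?LOWEST_MINOR_SUPPORTED_VERSION -> true;`. The same hunk is repeated in the f20 commit and, with `-spec` context lines, as otp-0012 in the master-branch commit further down this page.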
[erlang/f20] Disable SSLv3
by Peter Lemenkov
commit a296fdacf31171784e2c9436725d9fc48b5a321a
Author: Peter Lemenkov <lemenkov(a)gmail.com>
Date: Mon Dec 1 21:37:45 2014 +0300
Disable SSLv3
Disable SSLv3 (see rhbz #1169375). Also backport useful os:getenv/2 from
master (see https://github.com/erlang/otp/pull/535 )
Signed-off-by: Peter Lemenkov <lemenkov(a)gmail.com>
erlang.spec | 14 +++-
otp-0018-Introduce-os-getenv-2.patch | 63 +++++++++++++
...es-support-for-SSLv3-protocol-because-it-.patch | 99 ++++++++++++++++++++
3 files changed, 175 insertions(+), 1 deletions(-)
---
diff --git a/erlang.spec b/erlang.spec
index 659fdbd..14887e4 100644
--- a/erlang.spec
+++ b/erlang.spec
@@ -25,7 +25,7 @@
Name: erlang
Version: %{upstream_ver}
-Release: %{upstream_rel_for_rpm}.9%{?dist}
+Release: %{upstream_rel_for_rpm}.10%{?dist}
Summary: General-purpose programming language and runtime environment
Group: Development/Languages
@@ -107,6 +107,12 @@ Patch16: otp-0016-Split-off-webtool-dependency-from-tools.patch
# Fedora specific patch
# lib/inets/src/ftp/ftp.erl: Check the filenames, usernames,
Patch17: otp-0017-lib-inets-src-ftp-ftp.erl-Check-the-filenames-userna.patch
+# Fedora specific patch
+# Introduce os:getenv/2
+Patch18: otp-0018-Introduce-os-getenv-2.patch
+# Fedora specific patch
+# Patch removes support for SSLv3 protocol because it is proved
+Patch19: otp-0019-Patch-removes-support-for-SSLv3-protocol-because-it-.patch
# end of autogenerated patch tag list
BuildRequires: lksctp-tools-devel
@@ -989,6 +995,8 @@ Erlang mode for XEmacs (source lisp files).
%patch15 -p1 -b .Expose_NIF_version
%patch16 -p1 -b .Split_off_webtool_dependency_from_tools
%patch17 -p1 -b .lib_inets_src_ftp_ftp_erl_Check_the_filenames_userna
+%patch18 -p1 -b .Introduce_os_getenv_2
+%patch19 -p1 -b .Patch_removes_support_for_SSLv3_protocol_because_it_
# end of autogenerated prep patch list
# FIXME we should come up with a better solution
@@ -2320,6 +2328,10 @@ useradd -r -g epmd -d /tmp -s /sbin/nologin \
%changelog
+* Mon Dec 01 2014 Peter Lemenkov <lemenkov(a)gmail.com> - R16B-03.10
+- Disable SSLv3 (see rhbz #1169375)
+- Backport useful os:getenv/2 from master (see https://github.com/erlang/otp/pull/535 )
+
* Mon Nov 17 2014 Peter Lemenkov <lemenkov(a)gmail.com> - R16B-03.9
- Fixed CVE-2014-1693 (backported fix from ver. 17.x.x, see patch no. 17)
diff --git a/otp-0018-Introduce-os-getenv-2.patch b/otp-0018-Introduce-os-getenv-2.patch
new file mode 100644
index 0000000..7ee1429
--- /dev/null
+++ b/otp-0018-Introduce-os-getenv-2.patch
@@ -0,0 +1,63 @@
+From: Peter Lemenkov <lemenkov(a)gmail.com>
+Date: Sat, 8 Nov 2014 15:11:04 +0300
+Subject: [PATCH] Introduce os:getenv/2
+
+Signed-off-by: Peter Lemenkov <lemenkov(a)gmail.com>
+
+diff --git a/lib/kernel/doc/src/os.xml b/lib/kernel/doc/src/os.xml
+index 9122267..7ec1f8e 100644
+--- a/lib/kernel/doc/src/os.xml
++++ b/lib/kernel/doc/src/os.xml
+@@ -100,6 +100,19 @@ DirOut = os:cmd("dir"), % on Win32 platform</code>
+ </desc>
+ </func>
+ <func>
++ <name name="getenv" arity="2"/>
++ <fsummary>Get the value of an environment variable</fsummary>
++ <desc>
++ <p>Returns the <c><anno>Value</anno></c> of the environment variable
++ <c><anno>VarName</anno></c>, or <c>DefaultValue</c> if the environment variable
++ is undefined.</p>
++ <p>If Unicode file name encoding is in effect (see the <seealso
++ marker="erts:erl#file_name_encoding">erl manual
++ page</seealso>), the strings (both <c><anno>VarName</anno></c> and
++ <c><anno>Value</anno></c>) may contain characters with codepoints > 255.</p>
++ </desc>
++ </func>
++ <func>
+ <name name="getpid" arity="0"/>
+ <fsummary>Return the process identifier of the emulator process</fsummary>
+ <desc>
+diff --git a/lib/kernel/src/os.erl b/lib/kernel/src/os.erl
+index 9415593..d5ef994 100644
+--- a/lib/kernel/src/os.erl
++++ b/lib/kernel/src/os.erl
+@@ -26,7 +26,7 @@
+
+ %%% BIFs
+
+--export([getenv/0, getenv/1, getpid/0, putenv/2, timestamp/0, unsetenv/1]).
++-export([getenv/0, getenv/1, getenv/2, getpid/0, putenv/2, timestamp/0, unsetenv/1]).
+
+ -spec getenv() -> [string()].
+
+@@ -39,6 +39,19 @@ getenv() -> erlang:nif_error(undef).
+ getenv(_) ->
+ erlang:nif_error(undef).
+
++-spec getenv(VarName, DefaultValue) -> Value when
++ VarName :: string(),
++ DefaultValue :: string(),
++ Value :: string().
++
++getenv(VarName, DefaultValue) ->
++ case os:getenv(VarName) of
++ false ->
++ DefaultValue;
++ Value ->
++ Value
++ end.
++
+ -spec getpid() -> Value when
+ Value :: string().
+
diff --git a/otp-0019-Patch-removes-support-for-SSLv3-protocol-because-it-.patch b/otp-0019-Patch-removes-support-for-SSLv3-protocol-because-it-.patch
new file mode 100644
index 0000000..359c011
--- /dev/null
+++ b/otp-0019-Patch-removes-support-for-SSLv3-protocol-because-it-.patch
@@ -0,0 +1,99 @@
+From: Sergei Golovan <sgolovan(a)debian.org>
+Date: Sun, 30 Nov 2014 20:20:41 +0300
+Subject: [PATCH] Patch removes support for SSLv3 protocol because it is proved
+ to be insecure and nobody should use it anymore.
+
+
+diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml
+index 1d74faf..912acc2 100644
+--- a/lib/ssl/doc/src/ssl.xml
++++ b/lib/ssl/doc/src/ssl.xml
+@@ -123,7 +123,7 @@
+
+ <p><c>sslsocket() - opaque to the user. </c></p>
+
+- <p><c>protocol() = sslv3 | tlsv1 | 'tlsv1.1' | 'tlsv1.2' </c></p>
++ <p><c>protocol() = tlsv1 | 'tlsv1.1' | 'tlsv1.2' </c></p>
+
+ <p><c>ciphers() = [ciphersuite()] | string() (according to old API)</c></p>
+
+diff --git a/lib/ssl/doc/src/ssl_app.xml b/lib/ssl/doc/src/ssl_app.xml
+index 0ee5b23..c65f8a3 100644
+--- a/lib/ssl/doc/src/ssl_app.xml
++++ b/lib/ssl/doc/src/ssl_app.xml
+@@ -47,10 +47,10 @@
+ </p>
+ <p>Note that the environment parameters can be set on the command line,
+ for instance,</p>
+- <p><c>erl ... -ssl protocol_version '[sslv3, tlsv1]' ...</c>.
++ <p><c>erl ... -ssl protocol_version '[tlsv1.1, tlsv1]' ...</c>.
+ </p>
+ <taglist>
+- <tag><c><![CDATA[protocol_version = [sslv3|tlsv1] <optional>]]></c>.</tag>
++ <tag><c><![CDATA[protocol_version = [tlsv1|tlsv1.1|tlsv1.2] <optional>]]></c>.</tag>
+ <item>
+ <p>Protocol that will be supported by started clients and
+ servers. If this option is not set it will default to all
+@@ -58,6 +58,9 @@
+ Note that this option may be overridden by the version option
+ to ssl:connect/[2,3] and ssl:listen/2.
+ </p>
++ <p>For Debian GNU/Linux distribution the sslv3 protocol was
++ disabled due to its security issues.
++ </p>
+ </item>
+
+ <tag><c><![CDATA[session_lifetime = integer() <optional>]]></c></tag>
+diff --git a/lib/ssl/src/ssl_internal.hrl b/lib/ssl/src/ssl_internal.hrl
+index 0186f9f..6f84830 100644
+--- a/lib/ssl/src/ssl_internal.hrl
++++ b/lib/ssl/src/ssl_internal.hrl
+@@ -67,8 +67,8 @@
+ -define(TRUE, 0).
+ -define(FALSE, 1).
+
+--define(ALL_SUPPORTED_VERSIONS, ['tlsv1.2', 'tlsv1.1', tlsv1, sslv3]).
+--define(MIN_SUPPORTED_VERSIONS, ['tlsv1.1', tlsv1, sslv3]).
++-define(ALL_SUPPORTED_VERSIONS, ['tlsv1.2', 'tlsv1.1', tlsv1]).
++-define(MIN_SUPPORTED_VERSIONS, ['tlsv1.1', tlsv1]).
+ -define(ALL_DATAGRAM_SUPPORTED_VERSIONS, ['dtlsv1.2', dtlsv1]).
+ -define(MIN_DATAGRAM_SUPPORTED_VERSIONS, ['dtlsv1.2', dtlsv1]).
+
+diff --git a/lib/ssl/src/ssl_record.hrl b/lib/ssl/src/ssl_record.hrl
+index c17fa53..f4be9be 100644
+--- a/lib/ssl/src/ssl_record.hrl
++++ b/lib/ssl/src/ssl_record.hrl
+@@ -144,6 +144,7 @@
+ %% }).
+
+ -define(LOWEST_MAJOR_SUPPORTED_VERSION, 3).
++-define(LOWEST_MINOR_SUPPORTED_VERSION, 1).
+
+
+ -record(generic_stream_cipher, {
+diff --git a/lib/ssl/src/tls_record.erl b/lib/ssl/src/tls_record.erl
+index 8810755..3c5c7e9 100644
+--- a/lib/ssl/src/tls_record.erl
++++ b/lib/ssl/src/tls_record.erl
+@@ -269,13 +269,19 @@ supported_protocol_versions([_|_] = Vsns) ->
+ %%
+ %%--------------------------------------------------------------------
+ is_acceptable_version({N,_})
+- when N >= ?LOWEST_MAJOR_SUPPORTED_VERSION ->
++ when N > ?LOWEST_MAJOR_SUPPORTED_VERSION ->
++ true;
++is_acceptable_version({N,M})
++ when N == ?LOWEST_MAJOR_SUPPORTED_VERSION andalso M >= ?LOWEST_MINOR_SUPPORTED_VERSION ->
+ true;
+ is_acceptable_version(_) ->
+ false.
+
+ is_acceptable_version({N,_} = Version, Versions)
+- when N >= ?LOWEST_MAJOR_SUPPORTED_VERSION ->
++ when N > ?LOWEST_MAJOR_SUPPORTED_VERSION ->
++ lists:member(Version, Versions);
++is_acceptable_version({N,M} = Version, Versions)
++ when N == ?LOWEST_MAJOR_SUPPORTED_VERSION andalso M >= ?LOWEST_MINOR_SUPPORTED_VERSION ->
+ lists:member(Version, Versions);
+ is_acceptable_version(_,_) ->
+ false.
[erlang/f21] (2 commits) ...Disable SSLv3
by Peter Lemenkov
Summary of changes:
0156fcd... Backport useful os:getenv/2 from master (*)
918fdf2... Disable SSLv3 (*)
(*) This commit already existed in another branch; no separate mail sent
[erlang] Disable SSLv3
by Peter Lemenkov
commit 918fdf26b715336be8386b8c865b32ac34d84535
Author: Peter Lemenkov <lemenkov(a)gmail.com>
Date: Mon Dec 1 17:13:00 2014 +0300
Disable SSLv3
See rhbz #1169375 for further details:
https://bugzilla.redhat.com/1169375
Signed-off-by: Peter Lemenkov <lemenkov(a)gmail.com>
erlang.spec | 9 ++-
...es-support-for-SSLv3-protocol-because-it-.patch | 100 ++++++++++++++++++++
2 files changed, 108 insertions(+), 1 deletions(-)
---
diff --git a/erlang.spec b/erlang.spec
index eff8714..66fdfd8 100644
--- a/erlang.spec
+++ b/erlang.spec
@@ -10,7 +10,7 @@
Name: erlang
Version: 17.3.4
-Release: 2%{?dist}
+Release: 3%{?dist}
Summary: General-purpose programming language and runtime environment
Group: Development/Languages
@@ -74,6 +74,9 @@ Patch10: otp-0010-Split-off-webtool-dependency-from-tools.patch
# Fedora specific patch
# Introduce os:getenv/2
Patch11: otp-0011-Introduce-os-getenv-2.patch
+# Fedora specific patch
+# Patch removes support for SSLv3 protocol because it is proved
+Patch12: otp-0012-Patch-removes-support-for-SSLv3-protocol-because-it-.patch
# end of autogenerated patch tag list
BuildRequires: lksctp-tools-devel
@@ -904,6 +907,7 @@ Erlang mode for XEmacs (source lisp files).
%patch9 -p1 -b .Expose_NIF_version
%patch10 -p1 -b .Split_off_webtool_dependency_from_tools
%patch11 -p1 -b .Introduce_os_getenv_2
+%patch12 -p1 -b .Patch_removes_support_for_SSLv3_protocol_because_it_
# end of autogenerated prep patch list
# FIXME we should come up with a better solution
@@ -2224,6 +2228,9 @@ useradd -r -g epmd -d /tmp -s /sbin/nologin \
%changelog
+* Mon Dec 01 2014 Peter Lemenkov <lemenkov(a)gmail.com> - 17.3.4-3
+- Disable SSLv3 (see rhbz #1169375)
+
* Mon Dec 01 2014 Peter Lemenkov <lemenkov(a)gmail.com> - 17.3.4-2
- Backport useful os:getenv/2 from master (see https://github.com/erlang/otp/pull/535 )
diff --git a/otp-0012-Patch-removes-support-for-SSLv3-protocol-because-it-.patch b/otp-0012-Patch-removes-support-for-SSLv3-protocol-because-it-.patch
new file mode 100644
index 0000000..584fa59
--- /dev/null
+++ b/otp-0012-Patch-removes-support-for-SSLv3-protocol-because-it-.patch
@@ -0,0 +1,100 @@
+From: Sergei Golovan <sgolovan(a)debian.org>
+Date: Sun, 30 Nov 2014 20:20:41 +0300
+Subject: [PATCH] Patch removes support for SSLv3 protocol because it is proved
+ to be insecure and nobody should use it anymore.
+
+
+diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml
+index f14d0b8..3a768e9 100644
+--- a/lib/ssl/doc/src/ssl.xml
++++ b/lib/ssl/doc/src/ssl.xml
+@@ -123,7 +123,7 @@
+
+ <p><c>sslsocket() - opaque to the user. </c></p>
+
+- <p><c>protocol() = sslv3 | tlsv1 | 'tlsv1.1' | 'tlsv1.2' </c></p>
++ <p><c>protocol() = tlsv1 | 'tlsv1.1' | 'tlsv1.2' </c></p>
+
+ <p><c>ciphers() = [ciphersuite()] | string() (according to old API)</c></p>
+
+diff --git a/lib/ssl/doc/src/ssl_app.xml b/lib/ssl/doc/src/ssl_app.xml
+index 43cb393..ff12e04 100644
+--- a/lib/ssl/doc/src/ssl_app.xml
++++ b/lib/ssl/doc/src/ssl_app.xml
+@@ -47,10 +47,10 @@
+ </p>
+ <p>Note that the environment parameters can be set on the command line,
+ for instance,</p>
+- <p><c>erl ... -ssl protocol_version '[sslv3, tlsv1]' ...</c>.
++ <p><c>erl ... -ssl protocol_version '[tlsv1.1, tlsv1]' ...</c>.
+ </p>
+ <taglist>
+- <tag><c><![CDATA[protocol_version = [sslv3|tlsv1] <optional>]]></c>.</tag>
++ <tag><c><![CDATA[protocol_version = [tlsv1|tlsv1.1|tlsv1.2] <optional>]]></c>.</tag>
+ <item>
+ <p>Protocol that will be supported by started clients and
+ servers. If this option is not set it will default to all
+@@ -58,6 +58,9 @@
+ Note that this option may be overridden by the version option
+ to ssl:connect/[2,3] and ssl:listen/2.
+ </p>
++ <p>For Debian GNU/Linux distribution the sslv3 protocol was
++ disabled due to its security issues.
++ </p>
+ </item>
+
+ <tag><c><![CDATA[session_lifetime = integer() <optional>]]></c></tag>
+diff --git a/lib/ssl/src/ssl_internal.hrl b/lib/ssl/src/ssl_internal.hrl
+index 85724de..14013a4 100644
+--- a/lib/ssl/src/ssl_internal.hrl
++++ b/lib/ssl/src/ssl_internal.hrl
+@@ -64,8 +64,8 @@
+ -define(TRUE, 0).
+ -define(FALSE, 1).
+
+--define(ALL_SUPPORTED_VERSIONS, ['tlsv1.2', 'tlsv1.1', tlsv1, sslv3]).
+--define(MIN_SUPPORTED_VERSIONS, ['tlsv1.1', tlsv1, sslv3]).
++-define(ALL_SUPPORTED_VERSIONS, ['tlsv1.2', 'tlsv1.1', tlsv1]).
++-define(MIN_SUPPORTED_VERSIONS, ['tlsv1.1', tlsv1]).
+ -define(ALL_DATAGRAM_SUPPORTED_VERSIONS, ['dtlsv1.2', dtlsv1]).
+ -define(MIN_DATAGRAM_SUPPORTED_VERSIONS, ['dtlsv1.2', dtlsv1]).
+
+diff --git a/lib/ssl/src/ssl_record.hrl b/lib/ssl/src/ssl_record.hrl
+index 6aab35d..1511abd 100644
+--- a/lib/ssl/src/ssl_record.hrl
++++ b/lib/ssl/src/ssl_record.hrl
+@@ -144,6 +144,7 @@
+ %% }).
+
+ -define(LOWEST_MAJOR_SUPPORTED_VERSION, 3).
++-define(LOWEST_MINOR_SUPPORTED_VERSION, 1).
+
+
+ -record(generic_stream_cipher, {
+diff --git a/lib/ssl/src/tls_record.erl b/lib/ssl/src/tls_record.erl
+index f50ea22..aa4fc8d 100644
+--- a/lib/ssl/src/tls_record.erl
++++ b/lib/ssl/src/tls_record.erl
+@@ -276,14 +276,20 @@ supported_protocol_versions([_|_] = Vsns) ->
+ %%--------------------------------------------------------------------
+ -spec is_acceptable_version(tls_version()) -> boolean().
+ is_acceptable_version({N,_})
+- when N >= ?LOWEST_MAJOR_SUPPORTED_VERSION ->
++ when N > ?LOWEST_MAJOR_SUPPORTED_VERSION ->
++ true;
++is_acceptable_version({N,M})
++ when N == ?LOWEST_MAJOR_SUPPORTED_VERSION andalso M >= ?LOWEST_MINOR_SUPPORTED_VERSION ->
+ true;
+ is_acceptable_version(_) ->
+ false.
+
+ -spec is_acceptable_version(tls_version(), Supported :: [tls_version()]) -> boolean().
+ is_acceptable_version({N,_} = Version, Versions)
+- when N >= ?LOWEST_MAJOR_SUPPORTED_VERSION ->
++ when N > ?LOWEST_MAJOR_SUPPORTED_VERSION ->
++ lists:member(Version, Versions);
++is_acceptable_version({N,M} = Version, Versions)
++ when N == ?LOWEST_MAJOR_SUPPORTED_VERSION andalso M >= ?LOWEST_MINOR_SUPPORTED_VERSION ->
+ lists:member(Version, Versions);
+ is_acceptable_version(_,_) ->
+ false.
[erlang] Backport useful os:getenv/2 from master
by Peter Lemenkov
commit 0156fcd2ad6037da945ddc153996945c48966fca
Author: Peter Lemenkov <lemenkov(a)gmail.com>
Date: Mon Dec 1 16:00:04 2014 +0300
Backport useful os:getenv/2 from master
See this GitHub pull request for further details:
* https://github.com/erlang/otp/pull/535
Signed-off-by: Peter Lemenkov <lemenkov(a)gmail.com>
erlang.spec | 9 ++++-
otp-0011-Introduce-os-getenv-2.patch | 63 ++++++++++++++++++++++++++++++++++
2 files changed, 71 insertions(+), 1 deletions(-)
---
diff --git a/erlang.spec b/erlang.spec
index c1223da..eff8714 100644
--- a/erlang.spec
+++ b/erlang.spec
@@ -10,7 +10,7 @@
Name: erlang
Version: 17.3.4
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: General-purpose programming language and runtime environment
Group: Development/Languages
@@ -71,6 +71,9 @@ Patch9: otp-0009-Expose-NIF-version.patch
# Fedora specific patch
# Split off webtool dependency from tools
Patch10: otp-0010-Split-off-webtool-dependency-from-tools.patch
+# Fedora specific patch
+# Introduce os:getenv/2
+Patch11: otp-0011-Introduce-os-getenv-2.patch
# end of autogenerated patch tag list
BuildRequires: lksctp-tools-devel
@@ -900,6 +903,7 @@ Erlang mode for XEmacs (source lisp files).
%patch8 -p1 -b .Install_internal_hrl_files_when_necessary
%patch9 -p1 -b .Expose_NIF_version
%patch10 -p1 -b .Split_off_webtool_dependency_from_tools
+%patch11 -p1 -b .Introduce_os_getenv_2
# end of autogenerated prep patch list
# FIXME we should come up with a better solution
@@ -2220,6 +2224,9 @@ useradd -r -g epmd -d /tmp -s /sbin/nologin \
%changelog
+* Mon Dec 01 2014 Peter Lemenkov <lemenkov(a)gmail.com> - 17.3.4-2
+- Backport useful os:getenv/2 from master (see https://github.com/erlang/otp/pull/535 )
+
* Sat Nov 08 2014 Peter Lemenkov <lemenkov(a)gmail.com> - 17.3.4-1
- Ver. 17.3.4 (API/ABI compatible release)
- Relax an erlang-tools dependency on erlang-webtool down to Suggests
diff --git a/otp-0011-Introduce-os-getenv-2.patch b/otp-0011-Introduce-os-getenv-2.patch
new file mode 100644
index 0000000..6c48db2
--- /dev/null
+++ b/otp-0011-Introduce-os-getenv-2.patch
@@ -0,0 +1,63 @@
+From: Peter Lemenkov <lemenkov(a)gmail.com>
+Date: Sat, 8 Nov 2014 15:11:04 +0300
+Subject: [PATCH] Introduce os:getenv/2
+
+Signed-off-by: Peter Lemenkov <lemenkov(a)gmail.com>
+
+diff --git a/lib/kernel/doc/src/os.xml b/lib/kernel/doc/src/os.xml
+index 2b57e75..8b85f24 100644
+--- a/lib/kernel/doc/src/os.xml
++++ b/lib/kernel/doc/src/os.xml
+@@ -100,6 +100,19 @@ DirOut = os:cmd("dir"), % on Win32 platform</code>
+ </desc>
+ </func>
+ <func>
++ <name name="getenv" arity="2"/>
++ <fsummary>Get the value of an environment variable</fsummary>
++ <desc>
++ <p>Returns the <c><anno>Value</anno></c> of the environment variable
++ <c><anno>VarName</anno></c>, or <c>DefaultValue</c> if the environment variable
++ is undefined.</p>
++ <p>If Unicode file name encoding is in effect (see the <seealso
++ marker="erts:erl#file_name_encoding">erl manual
++ page</seealso>), the strings (both <c><anno>VarName</anno></c> and
++ <c><anno>Value</anno></c>) may contain characters with codepoints > 255.</p>
++ </desc>
++ </func>
++ <func>
+ <name name="getpid" arity="0"/>
+ <fsummary>Return the process identifier of the emulator process</fsummary>
+ <desc>
+diff --git a/lib/kernel/src/os.erl b/lib/kernel/src/os.erl
+index 187fd00..8aaf13b 100644
+--- a/lib/kernel/src/os.erl
++++ b/lib/kernel/src/os.erl
+@@ -26,7 +26,7 @@
+
+ %%% BIFs
+
+--export([getenv/0, getenv/1, getpid/0, putenv/2, timestamp/0, unsetenv/1]).
++-export([getenv/0, getenv/1, getenv/2, getpid/0, putenv/2, timestamp/0, unsetenv/1]).
+
+ -spec getenv() -> [string()].
+
+@@ -39,6 +39,19 @@ getenv() -> erlang:nif_error(undef).
+ getenv(_) ->
+ erlang:nif_error(undef).
+
++-spec getenv(VarName, DefaultValue) -> Value when
++ VarName :: string(),
++ DefaultValue :: string(),
++ Value :: string().
++
++getenv(VarName, DefaultValue) ->
++ case os:getenv(VarName) of
++ false ->
++ DefaultValue;
++ Value ->
++ Value
++ end.
++
+ -spec getpid() -> Value when
+ Value :: string().
+
[Bug 1113504] SELinux is preventing /usr/lib64/erlang/lib/couch-1.5.0/priv/couchjs from using the 'execmem' accesses on a process.
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1113504
Lukas Vrabec <lvrabec(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |MODIFIED
Fixed In Version| |selinux-policy-3.12.1-196.fc20
--- Comment #4 from Lukas Vrabec <lvrabec(a)redhat.com> ---
commit 019ea58f76d9a70ee4c9ceab34319bfab978b02a
Author: Lukas Vrabec <lvrabec(a)redhat.com>
Date: Mon Dec 1 12:49:51 2014 +0100
Dontaudit couchdb to list /var
commit 933e40ab94b18fdaca471cfb712f6a2228caf77b
Merge: 7048265 7b8271e
Author: Lukas Vrabec <wrabcak(a)users.noreply.github.com>
Date: Mon Dec 1 12:27:08 2014 +0100
Merge pull request #6 from wtogami/couchdb_policy_fix
Couchdb policy fixes