Control: tags -1 -moreinfo Hi there Adam,
Le samedi, 28 janvier 2017, 17.15:32 h CET Adam D. Barratt a écrit :
> On Tue, 2016-12-20 at 09:20 +0100, Didier 'OdyX' Raboud wrote:
> > Le samedi, 17 décembre 2016, 11.38:59 h CET Julien Cristau a écrit :
> > > The debdiff is the one we tend to look at, but it looks like it was not
> > > attached.
> >
> > Indeed, sorry. Here it comes.
>
> +--- a/doc/help/ref-cupsd-conf.html.in
> ++++ b/doc/help/ref-cupsd-conf.html.in
> +@@ -2004,23 +2004,23 @@
> + variable that should be passed to child processes.</P>
> +
> +
> +-<H2 CLASS="title"><A NAME="SSLListen">SSLListen</A></H2>
> ++<H2 CLASS="title"><A NAME="SSLOptions">SSLOptions</A></H2>
> +
> + <H3>Examples</H3>
> +
> + <PRE CLASS="command">
> +-SSLListen 127.0.0.1:443
> +-SSLListen 192.0.2.1:443
> ++SSLOptions 127.0.0.1:443
> ++SSLOptions 192.0.2.1:443
> + </PRE>
>
> This looks wrong, as do the remainder of the changes to that hunk of the
> diff.
That's Ubuntu's patch as released in their 1.7.2-0ubuntu1.7 trusty-security
upload from Nov 2015, fixing [LP:1505328], written by Bryan Quigley and
reviewed by their security team member Marc Deslauriers. But they arguably
missed that wrong documentation change, indeed.
Updated debdiff attached.
--
OdyX
[LP:1505328] https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1505328diff -Nru cups-1.7.5/debian/changelog cups-1.7.5/debian/changelog
--- cups-1.7.5/debian/changelog 2015-06-09 09:45:50.000000000 +0200
+++ cups-1.7.5/debian/changelog 2016-10-10 10:05:10.000000000 +0200
@@ -1,3 +1,13 @@
+cups (1.7.5-11+deb8u2) jessie-security; urgency=high
+
+ * Disable SSLv3 and RC4 by default to address POODLE vulnerability
+ (Closes: #839226)
+ - Implement SSLOptions to permit the use of AllowSSLv3 and AllowRC4
+ respectively
+ * Refresh patches
+
+ -- Didier Raboud <o...@debian.org> Mon, 10 Oct 2016 10:05:10 +0200
+
cups (1.7.5-11+deb8u1) jessie-security; urgency=high
* Import 1.7 upstream fix for CERT VU#810572: Privilege escalation through
diff -Nru cups-1.7.5/debian/patches/cupsd-idleexittimeout.patch cups-1.7.5/debian/patches/cupsd-idleexittimeout.patch
--- cups-1.7.5/debian/patches/cupsd-idleexittimeout.patch 2015-06-09 09:36:38.000000000 +0200
+++ cups-1.7.5/debian/patches/cupsd-idleexittimeout.patch 2016-10-10 10:05:10.000000000 +0200
@@ -27,7 +27,7 @@
LaunchdTimeout = 10;
--- a/scheduler/conf.h
+++ b/scheduler/conf.h
-@@ -246,6 +246,9 @@
+@@ -248,6 +248,9 @@
/* SSL/TLS options */
#endif /* HAVE_SSL */
diff -Nru cups-1.7.5/debian/patches/cupsd-idleexittimeout-systemd.patch cups-1.7.5/debian/patches/cupsd-idleexittimeout-systemd.patch
--- cups-1.7.5/debian/patches/cupsd-idleexittimeout-systemd.patch 2015-06-09 09:36:38.000000000 +0200
+++ cups-1.7.5/debian/patches/cupsd-idleexittimeout-systemd.patch 2016-10-10 10:05:10.000000000 +0200
@@ -21,7 +21,7 @@
LaunchdTimeout = 10;
--- a/scheduler/conf.h
+++ b/scheduler/conf.h
-@@ -251,6 +251,9 @@
+@@ -253,6 +253,9 @@
VAR int IdleExitTimeout VALUE(0);
/* Time after which an idle cupsd will exit */
@@ -51,7 +51,7 @@
#endif /* HAVE_SYSTEMD */
--- a/man/cupsd.conf.man.in
+++ b/man/cupsd.conf.man.in
-@@ -521,6 +521,12 @@
+@@ -528,6 +528,12 @@
"notify-events", "notify-pull-method", "notify-recipient-uri",
"notify-subscriber-user-name", and "notify-user-data".
.TP 5
diff -Nru cups-1.7.5/debian/patches/log-debug-history-nearly-unlimited.patch cups-1.7.5/debian/patches/log-debug-history-nearly-unlimited.patch
--- cups-1.7.5/debian/patches/log-debug-history-nearly-unlimited.patch 2015-06-09 09:36:38.000000000 +0200
+++ cups-1.7.5/debian/patches/log-debug-history-nearly-unlimited.patch 2016-10-10 10:05:10.000000000 +0200
@@ -13,7 +13,7 @@
LogTimeFormat = CUPSD_TIME_STANDARD;
--- a/scheduler/conf.h
+++ b/scheduler/conf.h
-@@ -166,7 +166,7 @@
+@@ -168,7 +168,7 @@
/* Allow overrides? */
ConfigFilePerm VALUE(0640),
/* Permissions for config files */
diff -Nru cups-1.7.5/debian/patches/pidfile.patch cups-1.7.5/debian/patches/pidfile.patch
--- cups-1.7.5/debian/patches/pidfile.patch 2015-06-09 09:36:38.000000000 +0200
+++ cups-1.7.5/debian/patches/pidfile.patch 2016-10-10 10:05:10.000000000 +0200
@@ -24,7 +24,7 @@
if (!strcmp(CUPS_DEFAULT_PRINTCAP, "/etc/printers.conf"))
PrintcapFormat = PRINTCAP_SOLARIS;
-@@ -3333,6 +3335,7 @@
+@@ -3370,6 +3372,7 @@
!_cups_strcasecmp(line, "SystemGroup") ||
!_cups_strcasecmp(line, "SystemGroupAuthKey") ||
!_cups_strcasecmp(line, "TempDir") ||
@@ -34,7 +34,7 @@
cupsdLogMessage(CUPSD_LOG_INFO,
--- a/scheduler/conf.h
+++ b/scheduler/conf.h
-@@ -245,6 +245,8 @@
+@@ -247,6 +247,8 @@
VAR int SSLOptions VALUE(CUPSD_SSL_NONE);
/* SSL/TLS options */
#endif /* HAVE_SSL */
diff -Nru cups-1.7.5/debian/patches/read-embedded-options-from-incoming-postscript-and-add-to-ipp-attrs.patch cups-1.7.5/debian/patches/read-embedded-options-from-incoming-postscript-and-add-to-ipp-attrs.patch
--- cups-1.7.5/debian/patches/read-embedded-options-from-incoming-postscript-and-add-to-ipp-attrs.patch 2015-06-09 09:36:38.000000000 +0200
+++ cups-1.7.5/debian/patches/read-embedded-options-from-incoming-postscript-and-add-to-ipp-attrs.patch 2016-10-10 10:05:10.000000000 +0200
@@ -11,7 +11,7 @@
--- a/scheduler/ipp.c
+++ b/scheduler/ipp.c
-@@ -8249,6 +8249,11 @@
+@@ -8206,6 +8206,11 @@
ipp_attribute_t *attr, /* Current attribute */
*attr2, /* Job attribute */
*prev2; /* Previous job attribute */
@@ -23,7 +23,7 @@
/*
-@@ -8310,6 +8315,85 @@
+@@ -8267,6 +8272,85 @@
}
/*
diff -Nru cups-1.7.5/debian/patches/series cups-1.7.5/debian/patches/series
--- cups-1.7.5/debian/patches/series 2015-06-09 09:36:38.000000000 +0200
+++ cups-1.7.5/debian/patches/series 2016-10-10 10:05:10.000000000 +0200
@@ -6,6 +6,7 @@
str4500-cupsGetPPD3-Only-use-symlink-if-file-is-readable-STR.patch
str4551-fix-buffer-overflow-in-cupsRasterReadPixels.patch
str4609-prevent-privilege-escalation-through-dynamic-linker.patch
+str4476-disable-sslv3-and-rc4-by-default.patch
# patches sent upstream
pwg-raster-attributes.patch
diff -Nru cups-1.7.5/debian/patches/str4476-disable-sslv3-and-rc4-by-default.patch cups-1.7.5/debian/patches/str4476-disable-sslv3-and-rc4-by-default.patch
--- cups-1.7.5/debian/patches/str4476-disable-sslv3-and-rc4-by-default.patch 1970-01-01 01:00:00.000000000 +0100
+++ cups-1.7.5/debian/patches/str4476-disable-sslv3-and-rc4-by-default.patch 2016-10-10 10:05:10.000000000 +0200
@@ -0,0 +1,437 @@
+Description: Disable SSLv3 and RC4; implement SSLOptions.
+ This disables SSLv3 in cups. It also provides 2 configuration
+ options to reenable by specifying SSLOptions in the cupsd.conf
+ file. AllowSSL3 turns SSLv3 back on and AllowRC4 turns on just
+ the RC4 cypers.
+ .
+---
+Origin: vendor, https://bugzilla.redhat.com/show_bug.cgi?id=1161172
+Bug: https://www.cups.org/str.php?L4476
+Bug-Ubuntu: https://launchpad.net/bugs/1505328
+Bug-Debian: https://bugs.debian.org/839226
+
+--- a/cups/http-private.h
++++ b/cups/http-private.h
+@@ -147,6 +147,10 @@
+ #define _HTTP_RESOLVE_FQDN 2 /* Resolve to a FQDN */
+ #define _HTTP_RESOLVE_FAXOUT 4 /* Resolve FaxOut service? */
+
++/* care - these should be the same values as the CUPSD_SSL_* equivalents */
++#define _HTTP_TLS_ALLOW_RC4 2
++#define _HTTP_TLS_ALLOW_SSL3 4
++
+
+ /*
+ * Types and functions for SSL support...
+@@ -425,6 +429,8 @@
+ extern int _httpUpdate(http_t *http, http_status_t *status);
+ extern int _httpWait(http_t *http, int msec, int usessl);
+
++extern void _httpTLSSetOptions(int options);
++
+
+ /*
+ * C++ magic...
+--- a/cups/http.c
++++ b/cups/http.c
+@@ -87,6 +87,8 @@
+ * Local globals...
+ */
+
++static int tls_options = 0; /* Options for TLS connections */
++
+ static const char * const http_fields[] =
+ {
+ "Accept-Language",
+@@ -5094,6 +5096,10 @@
+ context = SSL_CTX_new(SSLv23_client_method());
+
+ SSL_CTX_set_options(context, SSL_OP_NO_SSLv2); /* Only use SSLv3 or TLS */
++ if (!(tls_options & _HTTP_TLS_ALLOW_SSL3))
++ SSL_CTX_set_options(context, SSL_OP_NO_SSLv3); /* Don't use SSLv3 */
++ if (!(tls_options & _HTTP_TLS_ALLOW_RC4))
++ SSL_CTX_set_cipher_list(context, "DEFAULT:-RC4");
+
+ bio = BIO_new(_httpBIOMethods());
+ BIO_ctrl(bio, BIO_C_SET_FILE_PTR, 0, (char *)http);
+@@ -5151,7 +5157,16 @@
+ gnutls_certificate_allocate_credentials(credentials);
+
+ gnutls_init(&http->tls, GNUTLS_CLIENT);
+- gnutls_set_default_priority(http->tls);
++ if (!tls_options)
++ gnutls_priority_set_direct(http->tls, "NORMAL:-ARCFOUR-128:-VERS-SSL3.0", NULL);
++ else if ((tls_options & _HTTP_TLS_ALLOW_SSL3) &&
++ (tls_options & _HTTP_TLS_ALLOW_RC4))
++ gnutls_priority_set_direct(http->tls, "NORMAL", NULL);
++ else if (tls_options & _HTTP_TLS_ALLOW_SSL3)
++ gnutls_priority_set_direct(http->tls, "NORMAL:-ARCFOUR-128", NULL);
++ else
++ gnutls_priority_set_direct(http->tls, "NORMAL:-VERS-SSL3.0", NULL);
++
+ gnutls_server_name_set(http->tls, GNUTLS_NAME_DNS, hostname,
+ strlen(hostname));
+ gnutls_credentials_set(http->tls, GNUTLS_CRD_CERTIFICATE, *credentials);
+@@ -5904,6 +5919,16 @@
+ }
+ #endif /* HAVE_SSL */
+
++/*
++ * '_httpTLSSetOptions()' - Set TLS/SSL options.
++ */
++
++void
++_httpTLSSetOptions(int options)
++{
++ tls_options = options;
++}
++
+
+ /*
+ * End of "$Id: http.c 11761 2014-03-28 13:04:33Z msweet $".
+--- a/cups/usersys.c
++++ b/cups/usersys.c
+@@ -52,7 +52,8 @@
+ #endif /* HAVE_GSSAPI */
+ const char *cups_anyroot,
+ const char *cups_expiredroot,
+- const char *cups_expiredcerts);
++ const char *cups_expiredcerts,
++ int ssl_options);
+
+
+ /*
+@@ -237,6 +238,9 @@
+ _cups_globals_t *cg = _cupsGlobals(); /* Pointer to library globals */
+
+
++ if (cg->encryption == (http_encryption_t)-1)
++ _cupsSetDefaults();
++
+ cg->encryption = e;
+
+ if (cg->http)
+@@ -861,6 +865,29 @@
+ if (cg->encryption == (http_encryption_t)-1 || !cg->server[0] ||
+ !cg->user[0] || !cg->ipp_port)
+ {
++ /*
++ * Look for CUPS_SERVERROOT/client.conf...
++ */
++
++ snprintf(filename, sizeof(filename), "%s/client.conf",
++ cg->cups_serverroot);
++ fp = cupsFileOpen(filename, "r");
++ /*
++ * Read the configuration file and apply any environment variables; both
++ * functions handle NULL cups_file_t pointers...
++ */
++
++ cups_read_client_conf(fp, cg, cups_encryption, cups_server, cups_user,
++#ifdef HAVE_GSSAPI
++ cups_gssservicename,
++#endif /* HAVE_GSSAPI */
++ cups_anyroot, cups_expiredroot,
++ cups_expiredcerts, 1);
++
++ /*
++ * Then user defaults, if it is safe to do so...
++ */
++
+ # ifdef HAVE_GETEUID
+ if ((geteuid() == getuid() || !getuid()) && getegid() == getgid() && (home = getenv("HOME")) != NULL)
+ # elif !defined(WIN32)
+@@ -875,19 +902,7 @@
+
+ snprintf(filename, sizeof(filename), "%s/.cups/client.conf", home);
+ fp = cupsFileOpen(filename, "r");
+- }
+- else
+- fp = NULL;
+
+- if (!fp)
+- {
+- /*
+- * Look for CUPS_SERVERROOT/client.conf...
+- */
+-
+- snprintf(filename, sizeof(filename), "%s/client.conf",
+- cg->cups_serverroot);
+- fp = cupsFileOpen(filename, "r");
+ }
+
+ /*
+@@ -895,12 +910,12 @@
+ * functions handle NULL cups_file_t pointers...
+ */
+
+- cups_read_client_conf(fp, cg, cups_encryption, cups_server, cups_user,
++ cups_read_client_conf(fp, cg, cups_encryption, cups_server, cups_user,
+ #ifdef HAVE_GSSAPI
+ cups_gssservicename,
+ #endif /* HAVE_GSSAPI */
+ cups_anyroot, cups_expiredroot,
+- cups_expiredcerts);
++ cups_expiredcerts, 0);
+ cupsFileClose(fp);
+ }
+ }
+@@ -923,7 +938,8 @@
+ #endif /* HAVE_GSSAPI */
+ const char *cups_anyroot, /* I - CUPS_ANYROOT env var */
+ const char *cups_expiredroot, /* I - CUPS_EXPIREDROOT env var */
+- const char *cups_expiredcerts) /* I - CUPS_EXPIREDCERTS env var */
++ const char *cups_expiredcerts, /* I - CUPS_EXPIREDCERTS env var */
++ int ssl_options) /* I - Allow setting of SSLOptions? */
+ {
+ int linenum; /* Current line number */
+ char line[1024], /* Line from file */
+@@ -996,6 +1012,43 @@
+ cups_gssservicename = gss_service_name;
+ }
+ #endif /* HAVE_GSSAPI */
++ else if (ssl_options && !_cups_strcasecmp(line, "SSLOptions") && value)
++ {
++ /*
++ * SSLOptions [AllowRC4] [AllowSSL3] [None]
++ */
++
++ int options = 0; /* SSL/TLS options */
++ char *start, /* Start of option */
++ *end; /* End of option */
++
++ for (start = value; *start; start = end)
++ {
++ /*
++ * Find end of keyword...
++ */
++
++ end = start;
++ while (*end && !_cups_isspace(*end))
++ end++;
++
++ if (*end)
++ *end++ = '\0';
++
++ /*
++ * Compare...
++ */
++
++ if (!_cups_strcasecmp(start, "AllowRC4"))
++ options |= _HTTP_TLS_ALLOW_RC4;
++ else if (!_cups_strcasecmp(start, "AllowSSL3"))
++ options |= _HTTP_TLS_ALLOW_SSL3;
++ else if (!_cups_strcasecmp(start, "None"))
++ options = 0;
++ }
++
++ _httpTLSSetOptions(options);
++ }
+ }
+
+ /*
+--- a/doc/help/ref-client-conf.html
++++ b/doc/help/ref-client-conf.html
+@@ -76,6 +76,26 @@
+ </BLOCKQUOTE>
+
+
++<H2 CLASS="title"><A NAME="SSLOptions">SSLOptions</A></H2>
++
++<H3>Examples</H3>
++
++<PRE CLASS="command">
++SSLOptions None
++SSLOptions AllowSSL3
++SSLOptions AllowRC4
++</PRE>
++
++<H3>Description</H3>
++
++<P>Sets encryption options (only in /etc/cups/client.conf). By
++default, CUPS only supports encryption using TLS v1.0 or higher using
++known secure cipher suites. The <i>AllowRC4</i> option enables the
++128-bit RC4 cipher suites, which are required for some older clients
++that do not implement newer ones. The <i>AllowSSL3</i> option enables
++SSL v3.0, which is required for some older clients that do not support
++TLS v1.0.</P>
++
+ <H2 CLASS="title"><SPAN CLASS="info">CUPS 1.6/OS X 10.8</SPAN><A NAME="User">User</A></H2>
+
+ <H3>Examples</H3>
+--- a/doc/help/ref-cupsd-conf.html.in
++++ b/doc/help/ref-cupsd-conf.html.in
+@@ -2032,15 +2032,22 @@
+ <PRE CLASS="command">
+ SSLOptions None
+ SSLOptions NoEmptyFragments
++SSLOptions AllowSSL3
++SSLOptions AllowRC4
+ </PRE>
+
+ <H3>Description</H3>
+
+ <P>The <CODE>SSLOptions</CODE> directive specifies additional SSL/TLS
+-protocol options to use for encrypted connected. Currently only two
+-options are supported - <code>None</code> (the default) for the most
+-secure mode and <code>NoEmptyFragments</code> to allow CUPS to work with
+-Microsoft Windows with the FIPS conformance mode enabled.</p>
++protocol options to use for encrypted connected. By default, CUPS only
++supports encryption using TLS v1.0 or higher using known secure cipher
++suites. The <code>NoEmptyFragments</code> option allows CUPS to work
++with Microsoft Windows with the FIPS conformance mode
++enabled. The <code>AllowRC4</code> option enables the 128-bit RC4
++cipher suites, which are required for some older clients that do not
++implement newer ones. The <code>AllowSSL3</code> option enables SSL
++v3.0, which is required for some older clients that do not support TLS
++v1.0.</p>
+
+
+ <H2 CLASS="title"><A NAME="SSLPort">SSLPort</A></H2>
+--- a/man/client.conf.man.in
++++ b/man/client.conf.man.in
+@@ -53,6 +53,15 @@
+ server running CUPS 1.3.12 and earlier. \fBNote: Not supported on OS X 10.7 or
+ later.\fR
+ .TP 5
++SSLOptions \fR[\fIAllowRC4\fR] [\fIAllow SSL3\fR]
++.br
++Sets SSL/TLS protocol options for encrypted connections. By default,
++CUPS only supports encryption using TLS v1.0 or higher using known
++secure cipher suites. The \fIAllowRC4\fR option enables the 128-bit
++RC4 cipher suites, which are required for some older clients that do
++not implement newer ones. The \fIAllowSSL3\fR option enables SSL v3.0,
++which is required for some older clients that do not support TLS v1.0.
++.TP 5
+ User name
+ .br
+ Specifies the default user name to use for requests.
+--- a/man/cupsd.conf.man.in
++++ b/man/cupsd.conf.man.in
+@@ -480,9 +480,16 @@
+ .TP 5
+ SSLOptions None
+ .TP 5
+-SSLOptions NoEmptyFragments
++SSLOptions \fR[\fINoEmptyFragments\fR] [\fIAllowRC4\fR] [\fIAllow SSL3\fR]
+ .br
+-Sets SSL/TLS protocol options for encrypted connections.
++Sets SSL/TLS protocol options for encrypted connections. By default,
++CUPS only supports encryption using TLS v1.0 or higher using known
++secure cipher suites. The \fINoEmptyFragments\fR option allows CUPS to
++work with Microsoft Windows with the FIPS conformance mode
++enabled. The \fIAllowRC4\fR option enables the 128-bit RC4 cipher
++suites, which are required for some older clients that do not
++implement newer ones. The \fIAllowSSL3\fR option enables SSL v3.0,
++which is required for some older clients that do not support TLS v1.0.
+ .TP 5
+ SSLPort
+ .br
+--- a/scheduler/conf.c
++++ b/scheduler/conf.c
+@@ -3292,17 +3292,54 @@
+ else if (!_cups_strcasecmp(line, "SSLOptions"))
+ {
+ /*
++ * SSLOptions [AllowRC4] [AllowSSL3] [NoEmptyFragments] [None]
++ */
++
++ int options = 0; /* SSL/TLS options */
++
++ /*
+ * SSLOptions options
+ */
+
+- if (!value || !_cups_strcasecmp(value, "none"))
+- SSLOptions = CUPSD_SSL_NONE;
+- else if (!_cups_strcasecmp(value, "noemptyfragments"))
+- SSLOptions = CUPSD_SSL_NOEMPTY;
+- else
+- cupsdLogMessage(CUPSD_LOG_ERROR,
+- "Unknown value \"%s\" for SSLOptions directive on "
+- "line %d.", value, linenum);
++ if (value)
++ {
++ char *start, /* Start of option */
++ *end; /* End of option */
++
++ for (start = value; *start; start = end)
++ {
++ /*
++ * Find end of keyword...
++ */
++
++ end = start;
++ while (*end && !_cups_isspace(*end))
++ end++;
++
++ if (*end)
++ *end++ = '\0';
++
++ /*
++ * Compare...
++ */
++
++ if (!_cups_strcasecmp(start, "NoEmptyFragments"))
++ options |= CUPSD_SSL_NOEMPTY;
++ else if (!_cups_strcasecmp(start, "AllowRC4"))
++ options |= CUPSD_SSL_ALLOW_RC4;
++ else if (!_cups_strcasecmp(start, "AllowSSL3"))
++ options |= CUPSD_SSL_ALLOW_SSL3;
++ else if (!_cups_strcasecmp(start, "None"))
++ options = 0;
++ else
++ cupsdLogMessage(CUPSD_LOG_ERROR,
++ "Unknown value \"%s\" for SSLOptions directive on "
++ "line %d.", start, linenum);
++ }
++ }
++
++ SSLOptions = options;
++ _httpTLSSetOptions (SSLOptions & ~CUPSD_SSL_NOEMPTY);
+ }
+ #endif /* HAVE_SSL */
+ else if (!_cups_strcasecmp(line, "AccessLog") ||
+--- a/scheduler/conf.h
++++ b/scheduler/conf.h
+@@ -79,6 +79,8 @@
+
+ #define CUPSD_SSL_NONE 0 /* No special options */
+ #define CUPSD_SSL_NOEMPTY 1 /* Do not insert empty fragments */
++#define CUPSD_SSL_ALLOW_RC4 2 /* Allow RC4 cipher suites */
++#define CUPSD_SSL_ALLOW_SSL3 4 /* Allow SSL 3.0 */
+
+
+ /*
+--- a/scheduler/tls-gnutls.c
++++ b/scheduler/tls-gnutls.c
+@@ -114,7 +114,15 @@
+ ServerKey, GNUTLS_X509_FMT_PEM);
+
+ gnutls_init(&con->http.tls, GNUTLS_SERVER);
+- gnutls_set_default_priority(con->http.tls);
++ if (!SSLOptions)
++ gnutls_priority_set_direct(con->http.tls, "NORMAL:-ARCFOUR-128:-VERS-SSL3.0", NULL);
++ else if ((SSLOptions & CUPSD_SSL_ALLOW_SSL3) &&
++ (SSLOptions & CUPSD_SSL_ALLOW_RC4))
++ gnutls_priority_set_direct(con->http.tls, "NORMAL", NULL);
++ else if (SSLOptions & CUPSD_SSL_ALLOW_SSL3)
++ gnutls_priority_set_direct(con->http.tls, "NORMAL:-ARCFOUR-128", NULL);
++ else
++ gnutls_priority_set_direct(con->http.tls, "NORMAL:-VERS-SSL3.0", NULL);
+
+ gnutls_credentials_set(con->http.tls, GNUTLS_CRD_CERTIFICATE, *credentials);
+ gnutls_transport_set_ptr(con->http.tls, (gnutls_transport_ptr_t)HTTP(con));
+--- a/scheduler/tls-openssl.c
++++ b/scheduler/tls-openssl.c
+@@ -107,6 +107,10 @@
+ SSL_CTX_set_options(context, SSL_OP_NO_SSLv2); /* Only use SSLv3 or TLS */
+ if (SSLOptions & CUPSD_SSL_NOEMPTY)
+ SSL_CTX_set_options(context, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
++ if (!(SSLOptions & CUPSD_SSL_ALLOW_SSL3))
++ SSL_CTX_set_options(context, SSL_OP_NO_SSLv3); /* Don't use SSLv3 */
++ if (!(SSLOptions & CUPSD_SSL_ALLOW_RC4))
++ SSL_CTX_set_cipher_list(context, "DEFAULT:-RC4");
+ SSL_CTX_use_PrivateKey_file(context, ServerKey, SSL_FILETYPE_PEM);
+ SSL_CTX_use_certificate_chain_file(context, ServerCertificate);
+
diff -Nru cups-1.7.5/debian/patches/systemd-optional-socket-activation.patch cups-1.7.5/debian/patches/systemd-optional-socket-activation.patch
--- cups-1.7.5/debian/patches/systemd-optional-socket-activation.patch 2015-06-09 09:36:38.000000000 +0200
+++ cups-1.7.5/debian/patches/systemd-optional-socket-activation.patch 2016-10-10 10:05:10.000000000 +0200
@@ -101,7 +101,7 @@
doc/help/ref-cupsd-conf.html
--- a/cups/usersys.c
+++ b/cups/usersys.c
-@@ -1028,7 +1028,7 @@
+@@ -1081,7 +1081,7 @@
struct stat sockinfo; /* Domain socket information */
if (!stat(CUPS_DEFAULT_DOMAINSOCKET, &sockinfo) &&
signature.asc
Description: This is a digitally signed message part.
