Fwd: Bug#839226: [PATCH] cups : SSL is vulnerable to POODLE [Jessie]

Mon, 10 Oct 2016 02:26:18 -0700

Re-sending differently, as somehow my MUA messed this sending in some weird way. 

-------- Original Message --------

Subject: Bug#839226: [PATCH] cups : SSL is vulnerable to POODLE 
[Jessie]

Date: 2016-10-10 10:13
From: Didier 'OdyX' Raboud <o...@debian.org>
To: 839...@bugs.debian.org, debian-release@lists.debian.org
Cc: Frederic Bonnard <fre...@linux.vnet.ibm.com>

Hi again,
(dropping debian-lts from the loop, as this'd be for stable)

Le samedi, 1 octobre 2016, 06.34:28 h CEST Moritz Mühlenhoff a écrit :

> Have we removed protocols' support in {old,}stable  before?.


We have done that on a case-by-case basis via point updates in the 
past,

seems also fine here.


Here come:
- patch;
        str4476-disable-sslv3-and-rc4-by-default.patch
- git commit series;
        0001-Disable-SSLv3-and-RC4-by-default-to-address-POODLE-v.patch
        0002-Refresh-patches.patch
        0003-cups-1.7.5-11-deb8u2-Debian-release.patch
- and debdiff
        cups_1.7.5-11+deb8u2.debdiff

Can I upload to jessie-security ?

--
Cheers,
    OdyX
Description: Disable SSLv3 and RC4; implement SSLOptions.
  This disables SSLv3 in cups. It also provides 2 configuration
  options to reenable by specifying SSLOptions in the cupsd.conf
  file. AllowSSL3 turns SSLv3 back on and AllowRC4 turns on just
  the RC4 cypers.
 .
---
Origin: vendor, https://bugzilla.redhat.com/show_bug.cgi?id=1161172
Bug: https://www.cups.org/str.php?L4476
Bug-Ubuntu: https://launchpad.net/bugs/1505328
Bug-Debian: https://bugs.debian.org/839226

--- a/cups/http-private.h
+++ b/cups/http-private.h
@@ -147,6 +147,10 @@
 #define _HTTP_RESOLVE_FQDN	2	/* Resolve to a FQDN */
 #define _HTTP_RESOLVE_FAXOUT	4	/* Resolve FaxOut service? */
 
+/* care - these should be the same values as the CUPSD_SSL_* equivalents */
+#define _HTTP_TLS_ALLOW_RC4	2
+#define _HTTP_TLS_ALLOW_SSL3	4
+
 
 /*
  * Types and functions for SSL support...
@@ -425,6 +429,8 @@
 extern int		_httpUpdate(http_t *http, http_status_t *status);
 extern int		_httpWait(http_t *http, int msec, int usessl);
 
+extern void		_httpTLSSetOptions(int options);
+
 
 /*
  * C++ magic...
--- a/cups/http.c
+++ b/cups/http.c
@@ -87,6 +87,8 @@
  * Local globals...
  */
 
+static int		tls_options = 0; /* Options for TLS connections */
+
 static const char * const http_fields[] =
 			{
 			  "Accept-Language",
@@ -5094,6 +5096,10 @@
   context = SSL_CTX_new(SSLv23_client_method());
 
   SSL_CTX_set_options(context, SSL_OP_NO_SSLv2); /* Only use SSLv3 or TLS */
+  if (!(tls_options & _HTTP_TLS_ALLOW_SSL3))
+    SSL_CTX_set_options(context, SSL_OP_NO_SSLv3); /* Don't use SSLv3 */
+  if (!(tls_options & _HTTP_TLS_ALLOW_RC4))
+    SSL_CTX_set_cipher_list(context, "DEFAULT:-RC4");
 
   bio = BIO_new(_httpBIOMethods());
   BIO_ctrl(bio, BIO_C_SET_FILE_PTR, 0, (char *)http);
@@ -5151,7 +5157,16 @@
   gnutls_certificate_allocate_credentials(credentials);
 
   gnutls_init(&http->tls, GNUTLS_CLIENT);
-  gnutls_set_default_priority(http->tls);
+  if (!tls_options)
+    gnutls_priority_set_direct(http->tls, "NORMAL:-ARCFOUR-128:-VERS-SSL3.0", NULL);
+  else if ((tls_options & _HTTP_TLS_ALLOW_SSL3) &&
+	   (tls_options & _HTTP_TLS_ALLOW_RC4))
+    gnutls_priority_set_direct(http->tls, "NORMAL", NULL);
+  else if (tls_options & _HTTP_TLS_ALLOW_SSL3)
+    gnutls_priority_set_direct(http->tls, "NORMAL:-ARCFOUR-128", NULL);
+  else
+    gnutls_priority_set_direct(http->tls, "NORMAL:-VERS-SSL3.0", NULL);
+
   gnutls_server_name_set(http->tls, GNUTLS_NAME_DNS, hostname,
                          strlen(hostname));
   gnutls_credentials_set(http->tls, GNUTLS_CRD_CERTIFICATE, *credentials);
@@ -5904,6 +5919,16 @@
 }
 #endif /* HAVE_SSL */
 
+/*
+ * '_httpTLSSetOptions()' - Set TLS/SSL options.
+ */
+
+void
+_httpTLSSetOptions(int options)
+{
+  tls_options = options;
+}
+
 
 /*
  * End of "$Id: http.c 11761 2014-03-28 13:04:33Z msweet $".
--- a/cups/usersys.c
+++ b/cups/usersys.c
@@ -52,7 +52,8 @@
 #endif /* HAVE_GSSAPI */
 				      const char *cups_anyroot,
 				      const char *cups_expiredroot,
-				      const char *cups_expiredcerts);
+				      const char *cups_expiredcerts,
+				      int ssl_options);
 
 
 /*
@@ -237,6 +238,9 @@
   _cups_globals_t *cg = _cupsGlobals();	/* Pointer to library globals */
 
 
+  if (cg->encryption == (http_encryption_t)-1)
+    _cupsSetDefaults();
+
   cg->encryption = e;
 
   if (cg->http)
@@ -861,6 +865,29 @@
   if (cg->encryption == (http_encryption_t)-1 || !cg->server[0] ||
       !cg->user[0] || !cg->ipp_port)
   {
+   /*
+    * Look for CUPS_SERVERROOT/client.conf...
+    */
+
+    snprintf(filename, sizeof(filename), "%s/client.conf",
+	     cg->cups_serverroot);
+    fp = cupsFileOpen(filename, "r");
+   /*
+    * Read the configuration file and apply any environment variables; both
+    * functions handle NULL cups_file_t pointers...
+    */
+
+    cups_read_client_conf(fp, cg, cups_encryption, cups_server, cups_user,
+#ifdef HAVE_GSSAPI
+		  cups_gssservicename,
+#endif /* HAVE_GSSAPI */
+			  cups_anyroot, cups_expiredroot,
+			  cups_expiredcerts, 1);
+
+   /*
+    * Then user defaults, if it is safe to do so...
+    */
+
 #  ifdef HAVE_GETEUID
     if ((geteuid() == getuid() || !getuid()) && getegid() == getgid() && (home = getenv("HOME")) != NULL)
 #  elif !defined(WIN32)
@@ -875,19 +902,7 @@
 
       snprintf(filename, sizeof(filename), "%s/.cups/client.conf", home);
       fp = cupsFileOpen(filename, "r");
-    }
-    else
-      fp = NULL;
 
-    if (!fp)
-    {
-     /*
-      * Look for CUPS_SERVERROOT/client.conf...
-      */
-
-      snprintf(filename, sizeof(filename), "%s/client.conf",
-               cg->cups_serverroot);
-      fp = cupsFileOpen(filename, "r");
     }
 
    /*
@@ -895,12 +910,12 @@
     * functions handle NULL cups_file_t pointers...
     */
 
-    cups_read_client_conf(fp, cg, cups_encryption, cups_server, cups_user,
+      cups_read_client_conf(fp, cg, cups_encryption, cups_server, cups_user,
 #ifdef HAVE_GSSAPI
 			  cups_gssservicename,
 #endif /* HAVE_GSSAPI */
 			  cups_anyroot, cups_expiredroot,
-			  cups_expiredcerts);
+			  cups_expiredcerts, 0);
     cupsFileClose(fp);
   }
 }
@@ -923,7 +938,8 @@
 #endif /* HAVE_GSSAPI */
     const char	    *cups_anyroot,	/* I - CUPS_ANYROOT env var */
     const char	    *cups_expiredroot,	/* I - CUPS_EXPIREDROOT env var */
-    const char	    *cups_expiredcerts)	/* I - CUPS_EXPIREDCERTS env var */
+    const char	    *cups_expiredcerts,	/* I - CUPS_EXPIREDCERTS env var */
+    int		     ssl_options)	/* I - Allow setting of SSLOptions? */
 {
   int	linenum;			/* Current line number */
   char	line[1024],			/* Line from file */
@@ -996,6 +1012,43 @@
       cups_gssservicename = gss_service_name;
     }
 #endif /* HAVE_GSSAPI */
+    else if (ssl_options && !_cups_strcasecmp(line, "SSLOptions") && value)
+    {
+     /*
+      * SSLOptions [AllowRC4] [AllowSSL3] [None]
+      */
+
+      int	options = 0;		/* SSL/TLS options */
+      char	*start,			/* Start of option */
+		*end;			/* End of option */
+
+      for (start = value; *start; start = end)
+      {
+       /*
+	* Find end of keyword...
+	*/
+
+	end = start;
+	while (*end && !_cups_isspace(*end))
+	  end++;
+
+	if (*end)
+	  *end++ = '\0';
+
+       /*
+	* Compare...
+	*/
+
+	if (!_cups_strcasecmp(start, "AllowRC4"))
+	  options |= _HTTP_TLS_ALLOW_RC4;
+	else if (!_cups_strcasecmp(start, "AllowSSL3"))
+	  options |= _HTTP_TLS_ALLOW_SSL3;
+	else if (!_cups_strcasecmp(start, "None"))
+	  options = 0;
+      }
+
+      _httpTLSSetOptions(options);
+    }
   }
 
  /*
--- a/doc/help/ref-client-conf.html
+++ b/doc/help/ref-client-conf.html
@@ -76,6 +76,26 @@
 </BLOCKQUOTE>
 
 
+<H2 CLASS="title"><A NAME="SSLOptions">SSLOptions</A></H2>
+
+<H3>Examples</H3>
+
+<PRE CLASS="command">
+SSLOptions None
+SSLOptions AllowSSL3
+SSLOptions AllowRC4
+</PRE>
+
+<H3>Description</H3>
+
+<P>Sets encryption options (only in /etc/cups/client.conf). By
+default, CUPS only supports encryption using TLS v1.0 or higher using
+known secure cipher suites. The <i>AllowRC4</i> option enables the
+128-bit RC4 cipher suites, which are required for some older clients
+that do not implement newer ones. The <i>AllowSSL3</i> option enables
+SSL v3.0, which is required for some older clients that do not support
+TLS v1.0.</P>
+
 <H2 CLASS="title"><SPAN CLASS="info">CUPS 1.6/OS X 10.8</SPAN><A NAME="User">User</A></H2>
 
 <H3>Examples</H3>
--- a/doc/help/ref-cupsd-conf.html.in
+++ b/doc/help/ref-cupsd-conf.html.in
@@ -2004,23 +2004,23 @@
 variable that should be passed to child processes.</P>
 
 
-<H2 CLASS="title"><A NAME="SSLListen">SSLListen</A></H2>
+<H2 CLASS="title"><A NAME="SSLOptions">SSLOptions</A></H2>
 
 <H3>Examples</H3>
 
 <PRE CLASS="command">
-SSLListen 127.0.0.1:443
-SSLListen 192.0.2.1:443
+SSLOptions 127.0.0.1:443
+SSLOptions 192.0.2.1:443
 </PRE>
 
 <H3>Description</H3>
 
-<P>The <CODE>SSLListen</CODE> directive specifies a network
+<P>The <CODE>SSLOptions</CODE> directive specifies a network
 address and port to listen for secure connections. Multiple
-<CODE>SSLListen</CODE> directives can be provided to listen on
+<CODE>SSLOptions</CODE> directives can be provided to listen on
 multiple addresses.</P>
 
-<P>The <CODE>SSLListen</CODE> directive is similar to the <A
+<P>The <CODE>SSLOptions</CODE> directive is similar to the <A
 HREF="#SSLPort"><CODE>SSLPort</CODE></A> directive but allows you
 to restrict access to specific interfaces or networks.</P>
 
@@ -2032,15 +2032,22 @@
 <PRE CLASS="command">
 SSLOptions None
 SSLOptions NoEmptyFragments
+SSLOptions AllowSSL3
+SSLOptions AllowRC4
 </PRE>
 
 <H3>Description</H3>
 
 <P>The <CODE>SSLOptions</CODE> directive specifies additional SSL/TLS
-protocol options to use for encrypted connected. Currently only two
-options are supported - <code>None</code> (the default) for the most
-secure mode and <code>NoEmptyFragments</code> to allow CUPS to work with
-Microsoft Windows with the FIPS conformance mode enabled.</p>
+protocol options to use for encrypted connected. By default, CUPS only
+supports encryption using TLS v1.0 or higher using known secure cipher
+suites. The <code>NoEmptyFragments</code> option allows CUPS to work
+with Microsoft Windows with the FIPS conformance mode
+enabled. The <code>AllowRC4</code> option enables the 128-bit RC4
+cipher suites, which are required for some older clients that do not
+implement newer ones. The <code>AllowSSL3</code> option enables SSL
+v3.0, which is required for some older clients that do not support TLS
+v1.0.</p>
 
 
 <H2 CLASS="title"><A NAME="SSLPort">SSLPort</A></H2>
--- a/man/client.conf.man.in
+++ b/man/client.conf.man.in
@@ -53,6 +53,15 @@
 server running CUPS 1.3.12 and earlier. \fBNote: Not supported on OS X 10.7 or
 later.\fR
 .TP 5
+SSLOptions \fR[\fIAllowRC4\fR] [\fIAllow SSL3\fR]
+.br
+Sets SSL/TLS protocol options for encrypted connections. By default,
+CUPS only supports encryption using TLS v1.0 or higher using known
+secure cipher suites. The \fIAllowRC4\fR option enables the 128-bit
+RC4 cipher suites, which are required for some older clients that do
+not implement newer ones. The \fIAllowSSL3\fR option enables SSL v3.0,
+which is required for some older clients that do not support TLS v1.0.
+.TP 5
 User name
 .br
 Specifies the default user name to use for requests.
--- a/man/cupsd.conf.man.in
+++ b/man/cupsd.conf.man.in
@@ -480,9 +480,16 @@
 .TP 5
 SSLOptions None
 .TP 5
-SSLOptions NoEmptyFragments
+SSLOptions \fR[\fINoEmptyFragments\fR] [\fIAllowRC4\fR] [\fIAllow SSL3\fR]
 .br
-Sets SSL/TLS protocol options for encrypted connections.
+Sets SSL/TLS protocol options for encrypted connections. By default,
+CUPS only supports encryption using TLS v1.0 or higher using known
+secure cipher suites. The \fINoEmptyFragments\fR option allows CUPS to
+work with Microsoft Windows with the FIPS conformance mode
+enabled. The \fIAllowRC4\fR option enables the 128-bit RC4 cipher
+suites, which are required for some older clients that do not
+implement newer ones. The \fIAllowSSL3\fR option enables SSL v3.0,
+which is required for some older clients that do not support TLS v1.0.
 .TP 5
 SSLPort
 .br
--- a/scheduler/conf.c
+++ b/scheduler/conf.c
@@ -3292,17 +3292,54 @@
     else if (!_cups_strcasecmp(line, "SSLOptions"))
     {
      /*
+      * SSLOptions [AllowRC4] [AllowSSL3] [NoEmptyFragments] [None]
+      */
+
+      int	options = 0;	/* SSL/TLS options */
+
+     /*
       * SSLOptions options
       */
 
-      if (!value || !_cups_strcasecmp(value, "none"))
-        SSLOptions = CUPSD_SSL_NONE;
-      else if (!_cups_strcasecmp(value, "noemptyfragments"))
-        SSLOptions = CUPSD_SSL_NOEMPTY;
-      else
-        cupsdLogMessage(CUPSD_LOG_ERROR,
-	                "Unknown value \"%s\" for SSLOptions directive on "
-			"line %d.", value, linenum);
+      if (value)
+      {
+	char	*start,		/* Start of option */
+		*end;		/* End of option */
+
+	for (start = value; *start; start = end)
+	{
+	 /*
+	  * Find end of keyword...
+	  */
+
+	  end = start;
+	  while (*end && !_cups_isspace(*end))
+	    end++;
+
+	  if (*end)
+	    *end++ = '\0';
+
+	 /*
+	  * Compare...
+	  */
+
+	  if (!_cups_strcasecmp(start, "NoEmptyFragments"))
+	    options |= CUPSD_SSL_NOEMPTY;
+	  else if (!_cups_strcasecmp(start, "AllowRC4"))
+	    options |= CUPSD_SSL_ALLOW_RC4;
+	  else if (!_cups_strcasecmp(start, "AllowSSL3"))
+	    options |= CUPSD_SSL_ALLOW_SSL3;
+	  else if (!_cups_strcasecmp(start, "None"))
+	    options = 0;
+	  else
+	    cupsdLogMessage(CUPSD_LOG_ERROR,
+			    "Unknown value \"%s\" for SSLOptions directive on "
+			    "line %d.", start, linenum);
+	}
+      }
+
+      SSLOptions = options;
+      _httpTLSSetOptions (SSLOptions & ~CUPSD_SSL_NOEMPTY);
     }
 #endif /* HAVE_SSL */
     else if (!_cups_strcasecmp(line, "AccessLog") ||
--- a/scheduler/conf.h
+++ b/scheduler/conf.h
@@ -79,6 +79,8 @@
 
 #define CUPSD_SSL_NONE		0	/* No special options */
 #define CUPSD_SSL_NOEMPTY	1	/* Do not insert empty fragments */
+#define CUPSD_SSL_ALLOW_RC4	2	/* Allow RC4 cipher suites */
+#define CUPSD_SSL_ALLOW_SSL3	4	/* Allow SSL 3.0 */
 
 
 /*
--- a/scheduler/tls-gnutls.c
+++ b/scheduler/tls-gnutls.c
@@ -114,7 +114,15 @@
 				       ServerKey, GNUTLS_X509_FMT_PEM);
 
   gnutls_init(&con->http.tls, GNUTLS_SERVER);
-  gnutls_set_default_priority(con->http.tls);
+  if (!SSLOptions)
+    gnutls_priority_set_direct(con->http.tls, "NORMAL:-ARCFOUR-128:-VERS-SSL3.0", NULL);
+  else if ((SSLOptions & CUPSD_SSL_ALLOW_SSL3) &&
+	   (SSLOptions & CUPSD_SSL_ALLOW_RC4))
+    gnutls_priority_set_direct(con->http.tls, "NORMAL", NULL);
+  else if (SSLOptions & CUPSD_SSL_ALLOW_SSL3)
+    gnutls_priority_set_direct(con->http.tls, "NORMAL:-ARCFOUR-128", NULL);
+  else
+    gnutls_priority_set_direct(con->http.tls, "NORMAL:-VERS-SSL3.0", NULL);
 
   gnutls_credentials_set(con->http.tls, GNUTLS_CRD_CERTIFICATE, *credentials);
   gnutls_transport_set_ptr(con->http.tls, (gnutls_transport_ptr_t)HTTP(con));
--- a/scheduler/tls-openssl.c
+++ b/scheduler/tls-openssl.c
@@ -107,6 +107,10 @@
   SSL_CTX_set_options(context, SSL_OP_NO_SSLv2); /* Only use SSLv3 or TLS */
   if (SSLOptions & CUPSD_SSL_NOEMPTY)
     SSL_CTX_set_options(context, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
+  if (!(SSLOptions & CUPSD_SSL_ALLOW_SSL3))
+    SSL_CTX_set_options(context, SSL_OP_NO_SSLv3); /* Don't use SSLv3 */
+  if (!(SSLOptions & CUPSD_SSL_ALLOW_RC4))
+    SSL_CTX_set_cipher_list(context, "DEFAULT:-RC4");
   SSL_CTX_use_PrivateKey_file(context, ServerKey, SSL_FILETYPE_PEM);
   SSL_CTX_use_certificate_chain_file(context, ServerCertificate);
 

From=205ecb6ee8aa29337b6904c7c6f3e324ab0c5c1a7a Mon Sep 17 00:00:00 2001
From: Didier Raboud <o...@debian.org>
Date: Mon, 10 Oct 2016 09:50:45 +0200
Subject: [PATCH 1/3] Disable SSLv3 and RC4 by default to address POODLE
 vulnerability

Implement SSLOptions to permit the use of AllowSSLv3 and AllowRC4 respectively

This patch is Ubuntu's 1.7.2 backport

Closes: #839226
---
 debian/patches/series                              |   1 +
 .../str4476-disable-sslv3-and-rc4-by-default.patch | 467 +++++++++++++++++++++
 2 files changed, 468 insertions(+)
 create mode 100644 debian/patches/str4476-disable-sslv3-and-rc4-by-default.patch

diff --git a/debian/patches/series b/debian/patches/series
index e226189..cf5c89d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -6,6 +6,7 @@ str4484-fix-random-crash-in-scheduler.patch
 str4500-cupsGetPPD3-Only-use-symlink-if-file-is-readable-STR.patch
 str4551-fix-buffer-overflow-in-cupsRasterReadPixels.patch
 str4609-prevent-privilege-escalation-through-dynamic-linker.patch
+str4476-disable-sslv3-and-rc4-by-default.patch
 
 # patches sent upstream
 pwg-raster-attributes.patch
diff --git a/debian/patches/str4476-disable-sslv3-and-rc4-by-default.patch b/debian/patches/str4476-disable-sslv3-and-rc4-by-default.patch
new file mode 100644
index 0000000..de6ddda
--- /dev/null
+++ b/debian/patches/str4476-disable-sslv3-and-rc4-by-default.patch
@@ -0,0 +1,467 @@
+Description: Disable SSLv3 and RC4; implement SSLOptions.
+  This disables SSLv3 in cups. It also provides 2 configuration
+  options to reenable by specifying SSLOptions in the cupsd.conf
+  file. AllowSSL3 turns SSLv3 back on and AllowRC4 turns on just
+  the RC4 cypers.
+ .
+---
+Origin: vendor, https://bugzilla.redhat.com/show_bug.cgi?id=1161172
+Bug: https://www.cups.org/str.php?L4476
+Bug-Ubuntu: https://launchpad.net/bugs/1505328
+Bug-Debian: https://bugs.debian.org/839226
+
+--- a/cups/http-private.h
++++ b/cups/http-private.h
+@@ -147,6 +147,10 @@
+ #define _HTTP_RESOLVE_FQDN	2	/* Resolve to a FQDN */
+ #define _HTTP_RESOLVE_FAXOUT	4	/* Resolve FaxOut service? */
+ 
++/* care - these should be the same values as the CUPSD_SSL_* equivalents */
++#define _HTTP_TLS_ALLOW_RC4	2
++#define _HTTP_TLS_ALLOW_SSL3	4
++
+ 
+ /*
+  * Types and functions for SSL support...
+@@ -425,6 +429,8 @@
+ extern int		_httpUpdate(http_t *http, http_status_t *status);
+ extern int		_httpWait(http_t *http, int msec, int usessl);
+ 
++extern void		_httpTLSSetOptions(int options);
++
+ 
+ /*
+  * C++ magic...
+--- a/cups/http.c
++++ b/cups/http.c
+@@ -87,6 +87,8 @@
+  * Local globals...
+  */
+ 
++static int		tls_options = 0; /* Options for TLS connections */
++
+ static const char * const http_fields[] =
+ 			{
+ 			  "Accept-Language",
+@@ -5094,6 +5096,10 @@
+   context = SSL_CTX_new(SSLv23_client_method());
+ 
+   SSL_CTX_set_options(context, SSL_OP_NO_SSLv2); /* Only use SSLv3 or TLS */
++  if (!(tls_options & _HTTP_TLS_ALLOW_SSL3))
++    SSL_CTX_set_options(context, SSL_OP_NO_SSLv3); /* Don't use SSLv3 */
++  if (!(tls_options & _HTTP_TLS_ALLOW_RC4))
++    SSL_CTX_set_cipher_list(context, "DEFAULT:-RC4");
+ 
+   bio = BIO_new(_httpBIOMethods());
+   BIO_ctrl(bio, BIO_C_SET_FILE_PTR, 0, (char *)http);
+@@ -5151,7 +5157,16 @@
+   gnutls_certificate_allocate_credentials(credentials);
+ 
+   gnutls_init(&http->tls, GNUTLS_CLIENT);
+-  gnutls_set_default_priority(http->tls);
++  if (!tls_options)
++    gnutls_priority_set_direct(http->tls, "NORMAL:-ARCFOUR-128:-VERS-SSL3.0", NULL);
++  else if ((tls_options & _HTTP_TLS_ALLOW_SSL3) &&
++	   (tls_options & _HTTP_TLS_ALLOW_RC4))
++    gnutls_priority_set_direct(http->tls, "NORMAL", NULL);
++  else if (tls_options & _HTTP_TLS_ALLOW_SSL3)
++    gnutls_priority_set_direct(http->tls, "NORMAL:-ARCFOUR-128", NULL);
++  else
++    gnutls_priority_set_direct(http->tls, "NORMAL:-VERS-SSL3.0", NULL);
++
+   gnutls_server_name_set(http->tls, GNUTLS_NAME_DNS, hostname,
+                          strlen(hostname));
+   gnutls_credentials_set(http->tls, GNUTLS_CRD_CERTIFICATE, *credentials);
+@@ -5904,6 +5919,16 @@
+ }
+ #endif /* HAVE_SSL */
+ 
++/*
++ * '_httpTLSSetOptions()' - Set TLS/SSL options.
++ */
++
++void
++_httpTLSSetOptions(int options)
++{
++  tls_options = options;
++}
++
+ 
+ /*
+  * End of "$Id: http.c 11761 2014-03-28 13:04:33Z msweet $".
+--- a/cups/usersys.c
++++ b/cups/usersys.c
+@@ -52,7 +52,8 @@
+ #endif /* HAVE_GSSAPI */
+ 				      const char *cups_anyroot,
+ 				      const char *cups_expiredroot,
+-				      const char *cups_expiredcerts);
++				      const char *cups_expiredcerts,
++				      int ssl_options);
+ 
+ 
+ /*
+@@ -237,6 +238,9 @@
+   _cups_globals_t *cg = _cupsGlobals();	/* Pointer to library globals */
+ 
+ 
++  if (cg->encryption == (http_encryption_t)-1)
++    _cupsSetDefaults();
++
+   cg->encryption = e;
+ 
+   if (cg->http)
+@@ -861,6 +865,29 @@
+   if (cg->encryption == (http_encryption_t)-1 || !cg->server[0] ||
+       !cg->user[0] || !cg->ipp_port)
+   {
++   /*
++    * Look for CUPS_SERVERROOT/client.conf...
++    */
++
++    snprintf(filename, sizeof(filename), "%s/client.conf",
++	     cg->cups_serverroot);
++    fp = cupsFileOpen(filename, "r");
++   /*
++    * Read the configuration file and apply any environment variables; both
++    * functions handle NULL cups_file_t pointers...
++    */
++
++    cups_read_client_conf(fp, cg, cups_encryption, cups_server, cups_user,
++#ifdef HAVE_GSSAPI
++		  cups_gssservicename,
++#endif /* HAVE_GSSAPI */
++			  cups_anyroot, cups_expiredroot,
++			  cups_expiredcerts, 1);
++
++   /*
++    * Then user defaults, if it is safe to do so...
++    */
++
+ #  ifdef HAVE_GETEUID
+     if ((geteuid() == getuid() || !getuid()) && getegid() == getgid() && (home = getenv("HOME")) != NULL)
+ #  elif !defined(WIN32)
+@@ -875,19 +902,7 @@
+ 
+       snprintf(filename, sizeof(filename), "%s/.cups/client.conf", home);
+       fp = cupsFileOpen(filename, "r");
+-    }
+-    else
+-      fp = NULL;
+ 
+-    if (!fp)
+-    {
+-     /*
+-      * Look for CUPS_SERVERROOT/client.conf...
+-      */
+-
+-      snprintf(filename, sizeof(filename), "%s/client.conf",
+-               cg->cups_serverroot);
+-      fp = cupsFileOpen(filename, "r");
+     }
+ 
+    /*
+@@ -895,12 +910,12 @@
+     * functions handle NULL cups_file_t pointers...
+     */
+ 
+-    cups_read_client_conf(fp, cg, cups_encryption, cups_server, cups_user,
++      cups_read_client_conf(fp, cg, cups_encryption, cups_server, cups_user,
+ #ifdef HAVE_GSSAPI
+ 			  cups_gssservicename,
+ #endif /* HAVE_GSSAPI */
+ 			  cups_anyroot, cups_expiredroot,
+-			  cups_expiredcerts);
++			  cups_expiredcerts, 0);
+     cupsFileClose(fp);
+   }
+ }
+@@ -923,7 +938,8 @@
+ #endif /* HAVE_GSSAPI */
+     const char	    *cups_anyroot,	/* I - CUPS_ANYROOT env var */
+     const char	    *cups_expiredroot,	/* I - CUPS_EXPIREDROOT env var */
+-    const char	    *cups_expiredcerts)	/* I - CUPS_EXPIREDCERTS env var */
++    const char	    *cups_expiredcerts,	/* I - CUPS_EXPIREDCERTS env var */
++    int		     ssl_options)	/* I - Allow setting of SSLOptions? */
+ {
+   int	linenum;			/* Current line number */
+   char	line[1024],			/* Line from file */
+@@ -996,6 +1012,43 @@
+       cups_gssservicename = gss_service_name;
+     }
+ #endif /* HAVE_GSSAPI */
++    else if (ssl_options && !_cups_strcasecmp(line, "SSLOptions") && value)
++    {
++     /*
++      * SSLOptions [AllowRC4] [AllowSSL3] [None]
++      */
++
++      int	options = 0;		/* SSL/TLS options */
++      char	*start,			/* Start of option */
++		*end;			/* End of option */
++
++      for (start = value; *start; start = end)
++      {
++       /*
++	* Find end of keyword...
++	*/
++
++	end = start;
++	while (*end && !_cups_isspace(*end))
++	  end++;
++
++	if (*end)
++	  *end++ = '\0';
++
++       /*
++	* Compare...
++	*/
++
++	if (!_cups_strcasecmp(start, "AllowRC4"))
++	  options |= _HTTP_TLS_ALLOW_RC4;
++	else if (!_cups_strcasecmp(start, "AllowSSL3"))
++	  options |= _HTTP_TLS_ALLOW_SSL3;
++	else if (!_cups_strcasecmp(start, "None"))
++	  options = 0;
++      }
++
++      _httpTLSSetOptions(options);
++    }
+   }
+ 
+  /*
+--- a/doc/help/ref-client-conf.html
++++ b/doc/help/ref-client-conf.html
+@@ -76,6 +76,26 @@
+ </BLOCKQUOTE>
+ 
+ 
++<H2 CLASS="title"><A NAME="SSLOptions">SSLOptions</A></H2>
++
++<H3>Examples</H3>
++
++<PRE CLASS="command">
++SSLOptions None
++SSLOptions AllowSSL3
++SSLOptions AllowRC4
++</PRE>
++
++<H3>Description</H3>
++
++<P>Sets encryption options (only in /etc/cups/client.conf). By
++default, CUPS only supports encryption using TLS v1.0 or higher using
++known secure cipher suites. The <i>AllowRC4</i> option enables the
++128-bit RC4 cipher suites, which are required for some older clients
++that do not implement newer ones. The <i>AllowSSL3</i> option enables
++SSL v3.0, which is required for some older clients that do not support
++TLS v1.0.</P>
++
+ <H2 CLASS="title"><SPAN CLASS="info">CUPS 1.6/OS X 10.8</SPAN><A NAME="User">User</A></H2>
+ 
+ <H3>Examples</H3>
+--- a/doc/help/ref-cupsd-conf.html.in
++++ b/doc/help/ref-cupsd-conf.html.in
+@@ -2004,23 +2004,23 @@
+ variable that should be passed to child processes.</P>
+ 
+ 
+-<H2 CLASS="title"><A NAME="SSLListen">SSLListen</A></H2>
++<H2 CLASS="title"><A NAME="SSLOptions">SSLOptions</A></H2>
+ 
+ <H3>Examples</H3>
+ 
+ <PRE CLASS="command">
+-SSLListen 127.0.0.1:443
+-SSLListen 192.0.2.1:443
++SSLOptions 127.0.0.1:443
++SSLOptions 192.0.2.1:443
+ </PRE>
+ 
+ <H3>Description</H3>
+ 
+-<P>The <CODE>SSLListen</CODE> directive specifies a network
++<P>The <CODE>SSLOptions</CODE> directive specifies a network
+ address and port to listen for secure connections. Multiple
+-<CODE>SSLListen</CODE> directives can be provided to listen on
++<CODE>SSLOptions</CODE> directives can be provided to listen on
+ multiple addresses.</P>
+ 
+-<P>The <CODE>SSLListen</CODE> directive is similar to the <A
++<P>The <CODE>SSLOptions</CODE> directive is similar to the <A
+ HREF="#SSLPort"><CODE>SSLPort</CODE></A> directive but allows you
+ to restrict access to specific interfaces or networks.</P>
+ 
+@@ -2032,15 +2032,22 @@
+ <PRE CLASS="command">
+ SSLOptions None
+ SSLOptions NoEmptyFragments
++SSLOptions AllowSSL3
++SSLOptions AllowRC4
+ </PRE>
+ 
+ <H3>Description</H3>
+ 
+ <P>The <CODE>SSLOptions</CODE> directive specifies additional SSL/TLS
+-protocol options to use for encrypted connected. Currently only two
+-options are supported - <code>None</code> (the default) for the most
+-secure mode and <code>NoEmptyFragments</code> to allow CUPS to work with
+-Microsoft Windows with the FIPS conformance mode enabled.</p>
++protocol options to use for encrypted connected. By default, CUPS only
++supports encryption using TLS v1.0 or higher using known secure cipher
++suites. The <code>NoEmptyFragments</code> option allows CUPS to work
++with Microsoft Windows with the FIPS conformance mode
++enabled. The <code>AllowRC4</code> option enables the 128-bit RC4
++cipher suites, which are required for some older clients that do not
++implement newer ones. The <code>AllowSSL3</code> option enables SSL
++v3.0, which is required for some older clients that do not support TLS
++v1.0.</p>
+ 
+ 
+ <H2 CLASS="title"><A NAME="SSLPort">SSLPort</A></H2>
+--- a/man/client.conf.man.in
++++ b/man/client.conf.man.in
+@@ -53,6 +53,15 @@
+ server running CUPS 1.3.12 and earlier. \fBNote: Not supported on OS X 10.7 or
+ later.\fR
+ .TP 5
++SSLOptions \fR[\fIAllowRC4\fR] [\fIAllow SSL3\fR]
++.br
++Sets SSL/TLS protocol options for encrypted connections. By default,
++CUPS only supports encryption using TLS v1.0 or higher using known
++secure cipher suites. The \fIAllowRC4\fR option enables the 128-bit
++RC4 cipher suites, which are required for some older clients that do
++not implement newer ones. The \fIAllowSSL3\fR option enables SSL v3.0,
++which is required for some older clients that do not support TLS v1.0.
++.TP 5
+ User name
+ .br
+ Specifies the default user name to use for requests.
+--- a/man/cupsd.conf.man.in
++++ b/man/cupsd.conf.man.in
+@@ -480,9 +480,16 @@
+ .TP 5
+ SSLOptions None
+ .TP 5
+-SSLOptions NoEmptyFragments
++SSLOptions \fR[\fINoEmptyFragments\fR] [\fIAllowRC4\fR] [\fIAllow SSL3\fR]
+ .br
+-Sets SSL/TLS protocol options for encrypted connections.
++Sets SSL/TLS protocol options for encrypted connections. By default,
++CUPS only supports encryption using TLS v1.0 or higher using known
++secure cipher suites. The \fINoEmptyFragments\fR option allows CUPS to
++work with Microsoft Windows with the FIPS conformance mode
++enabled. The \fIAllowRC4\fR option enables the 128-bit RC4 cipher
++suites, which are required for some older clients that do not
++implement newer ones. The \fIAllowSSL3\fR option enables SSL v3.0,
++which is required for some older clients that do not support TLS v1.0.
+ .TP 5
+ SSLPort
+ .br
+--- a/scheduler/conf.c
++++ b/scheduler/conf.c
+@@ -3292,17 +3292,54 @@
+     else if (!_cups_strcasecmp(line, "SSLOptions"))
+     {
+      /*
++      * SSLOptions [AllowRC4] [AllowSSL3] [NoEmptyFragments] [None]
++      */
++
++      int	options = 0;	/* SSL/TLS options */
++
++     /*
+       * SSLOptions options
+       */
+ 
+-      if (!value || !_cups_strcasecmp(value, "none"))
+-        SSLOptions = CUPSD_SSL_NONE;
+-      else if (!_cups_strcasecmp(value, "noemptyfragments"))
+-        SSLOptions = CUPSD_SSL_NOEMPTY;
+-      else
+-        cupsdLogMessage(CUPSD_LOG_ERROR,
+-	                "Unknown value \"%s\" for SSLOptions directive on "
+-			"line %d.", value, linenum);
++      if (value)
++      {
++	char	*start,		/* Start of option */
++		*end;		/* End of option */
++
++	for (start = value; *start; start = end)
++	{
++	 /*
++	  * Find end of keyword...
++	  */
++
++	  end = start;
++	  while (*end && !_cups_isspace(*end))
++	    end++;
++
++	  if (*end)
++	    *end++ = '\0';
++
++	 /*
++	  * Compare...
++	  */
++
++	  if (!_cups_strcasecmp(start, "NoEmptyFragments"))
++	    options |= CUPSD_SSL_NOEMPTY;
++	  else if (!_cups_strcasecmp(start, "AllowRC4"))
++	    options |= CUPSD_SSL_ALLOW_RC4;
++	  else if (!_cups_strcasecmp(start, "AllowSSL3"))
++	    options |= CUPSD_SSL_ALLOW_SSL3;
++	  else if (!_cups_strcasecmp(start, "None"))
++	    options = 0;
++	  else
++	    cupsdLogMessage(CUPSD_LOG_ERROR,
++			    "Unknown value \"%s\" for SSLOptions directive on "
++			    "line %d.", start, linenum);
++	}
++      }
++
++      SSLOptions = options;
++      _httpTLSSetOptions (SSLOptions & ~CUPSD_SSL_NOEMPTY);
+     }
+ #endif /* HAVE_SSL */
+     else if (!_cups_strcasecmp(line, "AccessLog") ||
+--- a/scheduler/conf.h
++++ b/scheduler/conf.h
+@@ -79,6 +79,8 @@
+ 
+ #define CUPSD_SSL_NONE		0	/* No special options */
+ #define CUPSD_SSL_NOEMPTY	1	/* Do not insert empty fragments */
++#define CUPSD_SSL_ALLOW_RC4	2	/* Allow RC4 cipher suites */
++#define CUPSD_SSL_ALLOW_SSL3	4	/* Allow SSL 3.0 */
+ 
+ 
+ /*
+--- a/scheduler/tls-gnutls.c
++++ b/scheduler/tls-gnutls.c
+@@ -114,7 +114,15 @@
+ 				       ServerKey, GNUTLS_X509_FMT_PEM);
+ 
+   gnutls_init(&con->http.tls, GNUTLS_SERVER);
+-  gnutls_set_default_priority(con->http.tls);
++  if (!SSLOptions)
++    gnutls_priority_set_direct(con->http.tls, "NORMAL:-ARCFOUR-128:-VERS-SSL3.0", NULL);
++  else if ((SSLOptions & CUPSD_SSL_ALLOW_SSL3) &&
++	   (SSLOptions & CUPSD_SSL_ALLOW_RC4))
++    gnutls_priority_set_direct(con->http.tls, "NORMAL", NULL);
++  else if (SSLOptions & CUPSD_SSL_ALLOW_SSL3)
++    gnutls_priority_set_direct(con->http.tls, "NORMAL:-ARCFOUR-128", NULL);
++  else
++    gnutls_priority_set_direct(con->http.tls, "NORMAL:-VERS-SSL3.0", NULL);
+ 
+   gnutls_credentials_set(con->http.tls, GNUTLS_CRD_CERTIFICATE, *credentials);
+   gnutls_transport_set_ptr(con->http.tls, (gnutls_transport_ptr_t)HTTP(con));
+--- a/scheduler/tls-openssl.c
++++ b/scheduler/tls-openssl.c
+@@ -107,6 +107,10 @@
+   SSL_CTX_set_options(context, SSL_OP_NO_SSLv2); /* Only use SSLv3 or TLS */
+   if (SSLOptions & CUPSD_SSL_NOEMPTY)
+     SSL_CTX_set_options(context, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
++  if (!(SSLOptions & CUPSD_SSL_ALLOW_SSL3))
++    SSL_CTX_set_options(context, SSL_OP_NO_SSLv3); /* Don't use SSLv3 */
++  if (!(SSLOptions & CUPSD_SSL_ALLOW_RC4))
++    SSL_CTX_set_cipher_list(context, "DEFAULT:-RC4");
+   SSL_CTX_use_PrivateKey_file(context, ServerKey, SSL_FILETYPE_PEM);
+   SSL_CTX_use_certificate_chain_file(context, ServerCertificate);
+ 
-- 
2.9.3


From c5d8f701e8d3cd9dc927705d16c31878bae0b5b0 Mon Sep 17 00:00:00 2001
From: Didier Raboud <o...@debian.org>
Date: Mon, 10 Oct 2016 10:03:37 +0200
Subject: [PATCH 2/3] Refresh patches

---
 debian/patches/cupsd-idleexittimeout-systemd.patch                    | 4 ++--
 debian/patches/cupsd-idleexittimeout.patch                            | 2 +-
 debian/patches/log-debug-history-nearly-unlimited.patch               | 2 +-
 debian/patches/pidfile.patch                                          | 4 ++--
 ...bedded-options-from-incoming-postscript-and-add-to-ipp-attrs.patch | 4 ++--
 debian/patches/systemd-optional-socket-activation.patch               | 2 +-
 6 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/debian/patches/cupsd-idleexittimeout-systemd.patch b/debian/patches/cupsd-idleexittimeout-systemd.patch
index 4abc692..8800658 100644
--- a/debian/patches/cupsd-idleexittimeout-systemd.patch
+++ b/debian/patches/cupsd-idleexittimeout-systemd.patch
@@ -21,7 +21,7 @@ Last-Update: 2014-10-23
    LaunchdTimeout = 10;
 --- a/scheduler/conf.h
 +++ b/scheduler/conf.h
-@@ -251,6 +251,9 @@
+@@ -253,6 +253,9 @@
  VAR int			IdleExitTimeout		VALUE(0);
  					/* Time after which an idle cupsd will exit */
  
@@ -51,7 +51,7 @@ Last-Update: 2014-10-23
  #endif /* HAVE_SYSTEMD */
 --- a/man/cupsd.conf.man.in
 +++ b/man/cupsd.conf.man.in
-@@ -521,6 +521,12 @@
+@@ -528,6 +528,12 @@
  "notify-events", "notify-pull-method", "notify-recipient-uri",
  "notify-subscriber-user-name", and "notify-user-data".
  .TP 5
diff --git a/debian/patches/cupsd-idleexittimeout.patch b/debian/patches/cupsd-idleexittimeout.patch
index c799b3c..9f5f3b4 100644
--- a/debian/patches/cupsd-idleexittimeout.patch
+++ b/debian/patches/cupsd-idleexittimeout.patch
@@ -27,7 +27,7 @@ Last-Update: 2014-06-04
    LaunchdTimeout = 10;
 --- a/scheduler/conf.h
 +++ b/scheduler/conf.h
-@@ -246,6 +246,9 @@
+@@ -248,6 +248,9 @@
  					/* SSL/TLS options */
  #endif /* HAVE_SSL */
  
diff --git a/debian/patches/log-debug-history-nearly-unlimited.patch b/debian/patches/log-debug-history-nearly-unlimited.patch
index 25378cb..fc66d3e 100644
--- a/debian/patches/log-debug-history-nearly-unlimited.patch
+++ b/debian/patches/log-debug-history-nearly-unlimited.patch
@@ -13,7 +13,7 @@ Author: till.kamppe...@gmail.com
    LogTimeFormat            = CUPSD_TIME_STANDARD;
 --- a/scheduler/conf.h
 +++ b/scheduler/conf.h
-@@ -166,7 +166,7 @@
+@@ -168,7 +168,7 @@
  					/* Allow overrides? */
  			ConfigFilePerm		VALUE(0640),
  					/* Permissions for config files */
diff --git a/debian/patches/pidfile.patch b/debian/patches/pidfile.patch
index 9496ed1..90bc57b 100644
--- a/debian/patches/pidfile.patch
+++ b/debian/patches/pidfile.patch
@@ -24,7 +24,7 @@ Last-Update: 2012-11-29
  
    if (!strcmp(CUPS_DEFAULT_PRINTCAP, "/etc/printers.conf"))
      PrintcapFormat = PRINTCAP_SOLARIS;
-@@ -3333,6 +3335,7 @@
+@@ -3370,6 +3372,7 @@
               !_cups_strcasecmp(line, "SystemGroup") ||
               !_cups_strcasecmp(line, "SystemGroupAuthKey") ||
               !_cups_strcasecmp(line, "TempDir") ||
@@ -34,7 +34,7 @@ Last-Update: 2012-11-29
        cupsdLogMessage(CUPSD_LOG_INFO,
 --- a/scheduler/conf.h
 +++ b/scheduler/conf.h
-@@ -245,6 +245,8 @@
+@@ -247,6 +247,8 @@
  VAR int			SSLOptions		VALUE(CUPSD_SSL_NONE);
  					/* SSL/TLS options */
  #endif /* HAVE_SSL */
diff --git a/debian/patches/read-embedded-options-from-incoming-postscript-and-add-to-ipp-attrs.patch b/debian/patches/read-embedded-options-from-incoming-postscript-and-add-to-ipp-attrs.patch
index 1c36e88..78478d5 100644
--- a/debian/patches/read-embedded-options-from-incoming-postscript-and-add-to-ipp-attrs.patch
+++ b/debian/patches/read-embedded-options-from-incoming-postscript-and-add-to-ipp-attrs.patch
@@ -11,7 +11,7 @@ Bug: https://www.cups.org/str.php?L4344
 
 --- a/scheduler/ipp.c
 +++ b/scheduler/ipp.c
-@@ -8249,6 +8249,11 @@
+@@ -8206,6 +8206,11 @@
    ipp_attribute_t	*attr,		/* Current attribute */
  			*attr2,		/* Job attribute */
  			*prev2;		/* Previous job attribute */
@@ -23,7 +23,7 @@ Bug: https://www.cups.org/str.php?L4344
  
  
   /*
-@@ -8310,6 +8315,85 @@
+@@ -8267,6 +8272,85 @@
    }
  
   /*
diff --git a/debian/patches/systemd-optional-socket-activation.patch b/debian/patches/systemd-optional-socket-activation.patch
index e9ce4b6..8ec3d0e 100644
--- a/debian/patches/systemd-optional-socket-activation.patch
+++ b/debian/patches/systemd-optional-socket-activation.patch
@@ -101,7 +101,7 @@ Last-Update: 2014-10-23
  	  doc/help/ref-cupsd-conf.html
 --- a/cups/usersys.c
 +++ b/cups/usersys.c
-@@ -1028,7 +1028,7 @@
+@@ -1081,7 +1081,7 @@
      struct stat	sockinfo;		/* Domain socket information */
  
      if (!stat(CUPS_DEFAULT_DOMAINSOCKET, &sockinfo) &&
-- 
2.9.3


From c2aabd5199b3acb0a1b4f3b4866ef87dc8cd6e68 Mon Sep 17 00:00:00 2001
From: Didier Raboud <o...@debian.org>
Date: Mon, 10 Oct 2016 10:05:10 +0200
Subject: [PATCH 3/3] cups 1.7.5-11+deb8u2 Debian release

---
 debian/changelog | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index bff361e..01fb495 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+cups (1.7.5-11+deb8u2) jessie-security; urgency=high
+
+  * Disable SSLv3 and RC4 by default to address POODLE vulnerability
+    (Closes: #839226)
+    - Implement SSLOptions to permit the use of AllowSSLv3 and AllowRC4
+      respectively
+  * Refresh patches
+
+ -- Didier Raboud <o...@debian.org>  Mon, 10 Oct 2016 10:05:10 +0200
+
 cups (1.7.5-11+deb8u1) jessie-security; urgency=high
 
   * Import 1.7 upstream fix for CERT VU#810572: Privilege escalation through
-- 
2.9.3


diff -Nru cups-1.7.5/debian/changelog cups-1.7.5/debian/changelog
--- cups-1.7.5/debian/changelog	2015-06-09 09:45:50.000000000 +0200
+++ cups-1.7.5/debian/changelog	2016-10-10 10:05:10.000000000 +0200
@@ -1,3 +1,13 @@
+cups (1.7.5-11+deb8u2) jessie-security; urgency=high
+
+  * Disable SSLv3 and RC4 by default to address POODLE vulnerability
+    (Closes: #839226)
+    - Implement SSLOptions to permit the use of AllowSSLv3 and AllowRC4
+      respectively
+  * Refresh patches
+
+ -- Didier Raboud <o...@debian.org>  Mon, 10 Oct 2016 10:05:10 +0200
+
 cups (1.7.5-11+deb8u1) jessie-security; urgency=high
 
   * Import 1.7 upstream fix for CERT VU#810572: Privilege escalation through
diff -Nru cups-1.7.5/debian/patches/cupsd-idleexittimeout.patch cups-1.7.5/debian/patches/cupsd-idleexittimeout.patch
--- cups-1.7.5/debian/patches/cupsd-idleexittimeout.patch	2015-06-09 09:36:38.000000000 +0200
+++ cups-1.7.5/debian/patches/cupsd-idleexittimeout.patch	2016-10-10 09:55:05.000000000 +0200
@@ -27,7 +27,7 @@
    LaunchdTimeout = 10;
 --- a/scheduler/conf.h
 +++ b/scheduler/conf.h
-@@ -246,6 +246,9 @@
+@@ -248,6 +248,9 @@
  					/* SSL/TLS options */
  #endif /* HAVE_SSL */
  
diff -Nru cups-1.7.5/debian/patches/cupsd-idleexittimeout-systemd.patch cups-1.7.5/debian/patches/cupsd-idleexittimeout-systemd.patch
--- cups-1.7.5/debian/patches/cupsd-idleexittimeout-systemd.patch	2015-06-09 09:36:38.000000000 +0200
+++ cups-1.7.5/debian/patches/cupsd-idleexittimeout-systemd.patch	2016-10-10 09:55:10.000000000 +0200
@@ -21,7 +21,7 @@
    LaunchdTimeout = 10;
 --- a/scheduler/conf.h
 +++ b/scheduler/conf.h
-@@ -251,6 +251,9 @@
+@@ -253,6 +253,9 @@
  VAR int			IdleExitTimeout		VALUE(0);
  					/* Time after which an idle cupsd will exit */
  
@@ -51,7 +51,7 @@
  #endif /* HAVE_SYSTEMD */
 --- a/man/cupsd.conf.man.in
 +++ b/man/cupsd.conf.man.in
-@@ -521,6 +521,12 @@
+@@ -528,6 +528,12 @@
  "notify-events", "notify-pull-method", "notify-recipient-uri",
  "notify-subscriber-user-name", and "notify-user-data".
  .TP 5
diff -Nru cups-1.7.5/debian/patches/log-debug-history-nearly-unlimited.patch cups-1.7.5/debian/patches/log-debug-history-nearly-unlimited.patch
--- cups-1.7.5/debian/patches/log-debug-history-nearly-unlimited.patch	2015-06-09 09:36:38.000000000 +0200
+++ cups-1.7.5/debian/patches/log-debug-history-nearly-unlimited.patch	2016-10-10 09:55:09.000000000 +0200
@@ -13,7 +13,7 @@
    LogTimeFormat            = CUPSD_TIME_STANDARD;
 --- a/scheduler/conf.h
 +++ b/scheduler/conf.h
-@@ -166,7 +166,7 @@
+@@ -168,7 +168,7 @@
  					/* Allow overrides? */
  			ConfigFilePerm		VALUE(0640),
  					/* Permissions for config files */
diff -Nru cups-1.7.5/debian/patches/pidfile.patch cups-1.7.5/debian/patches/pidfile.patch
--- cups-1.7.5/debian/patches/pidfile.patch	2015-06-09 09:36:38.000000000 +0200
+++ cups-1.7.5/debian/patches/pidfile.patch	2016-10-10 09:55:08.000000000 +0200
@@ -24,7 +24,7 @@
  
    if (!strcmp(CUPS_DEFAULT_PRINTCAP, "/etc/printers.conf"))
      PrintcapFormat = PRINTCAP_SOLARIS;
-@@ -3333,6 +3335,7 @@
+@@ -3370,6 +3372,7 @@
               !_cups_strcasecmp(line, "SystemGroup") ||
               !_cups_strcasecmp(line, "SystemGroupAuthKey") ||
               !_cups_strcasecmp(line, "TempDir") ||
@@ -34,7 +34,7 @@
        cupsdLogMessage(CUPSD_LOG_INFO,
 --- a/scheduler/conf.h
 +++ b/scheduler/conf.h
-@@ -245,6 +245,8 @@
+@@ -247,6 +247,8 @@
  VAR int			SSLOptions		VALUE(CUPSD_SSL_NONE);
  					/* SSL/TLS options */
  #endif /* HAVE_SSL */
diff -Nru cups-1.7.5/debian/patches/read-embedded-options-from-incoming-postscript-and-add-to-ipp-attrs.patch cups-1.7.5/debian/patches/read-embedded-options-from-incoming-postscript-and-add-to-ipp-attrs.patch
--- cups-1.7.5/debian/patches/read-embedded-options-from-incoming-postscript-and-add-to-ipp-attrs.patch	2015-06-09 09:36:38.000000000 +0200
+++ cups-1.7.5/debian/patches/read-embedded-options-from-incoming-postscript-and-add-to-ipp-attrs.patch	2016-10-10 09:55:07.000000000 +0200
@@ -11,7 +11,7 @@
 
 --- a/scheduler/ipp.c
 +++ b/scheduler/ipp.c
-@@ -8249,6 +8249,11 @@
+@@ -8206,6 +8206,11 @@
    ipp_attribute_t	*attr,		/* Current attribute */
  			*attr2,		/* Job attribute */
  			*prev2;		/* Previous job attribute */
@@ -23,7 +23,7 @@
  
  
   /*
-@@ -8310,6 +8315,85 @@
+@@ -8267,6 +8272,85 @@
    }
  
   /*
diff -Nru cups-1.7.5/debian/patches/series cups-1.7.5/debian/patches/series
--- cups-1.7.5/debian/patches/series	2015-06-09 09:36:38.000000000 +0200
+++ cups-1.7.5/debian/patches/series	2016-10-10 09:54:51.000000000 +0200
@@ -6,6 +6,7 @@
 str4500-cupsGetPPD3-Only-use-symlink-if-file-is-readable-STR.patch
 str4551-fix-buffer-overflow-in-cupsRasterReadPixels.patch
 str4609-prevent-privilege-escalation-through-dynamic-linker.patch
+str4476-disable-sslv3-and-rc4-by-default.patch
 
 # patches sent upstream
 pwg-raster-attributes.patch
diff -Nru cups-1.7.5/debian/patches/str4476-disable-sslv3-and-rc4-by-default.patch cups-1.7.5/debian/patches/str4476-disable-sslv3-and-rc4-by-default.patch
--- cups-1.7.5/debian/patches/str4476-disable-sslv3-and-rc4-by-default.patch	1970-01-01 01:00:00.000000000 +0100
+++ cups-1.7.5/debian/patches/str4476-disable-sslv3-and-rc4-by-default.patch	2016-10-10 10:03:15.000000000 +0200
@@ -0,0 +1,467 @@
+Description: Disable SSLv3 and RC4; implement SSLOptions.
+  This disables SSLv3 in cups. It also provides 2 configuration
+  options to reenable by specifying SSLOptions in the cupsd.conf
+  file. AllowSSL3 turns SSLv3 back on and AllowRC4 turns on just
+  the RC4 cypers.
+ .
+---
+Origin: vendor, https://bugzilla.redhat.com/show_bug.cgi?id=1161172
+Bug: https://www.cups.org/str.php?L4476
+Bug-Ubuntu: https://launchpad.net/bugs/1505328
+Bug-Debian: https://bugs.debian.org/839226
+
+--- a/cups/http-private.h
++++ b/cups/http-private.h
+@@ -147,6 +147,10 @@
+ #define _HTTP_RESOLVE_FQDN	2	/* Resolve to a FQDN */
+ #define _HTTP_RESOLVE_FAXOUT	4	/* Resolve FaxOut service? */
+ 
++/* care - these should be the same values as the CUPSD_SSL_* equivalents */
++#define _HTTP_TLS_ALLOW_RC4	2
++#define _HTTP_TLS_ALLOW_SSL3	4
++
+ 
+ /*
+  * Types and functions for SSL support...
+@@ -425,6 +429,8 @@
+ extern int		_httpUpdate(http_t *http, http_status_t *status);
+ extern int		_httpWait(http_t *http, int msec, int usessl);
+ 
++extern void		_httpTLSSetOptions(int options);
++
+ 
+ /*
+  * C++ magic...
+--- a/cups/http.c
++++ b/cups/http.c
+@@ -87,6 +87,8 @@
+  * Local globals...
+  */
+ 
++static int		tls_options = 0; /* Options for TLS connections */
++
+ static const char * const http_fields[] =
+ 			{
+ 			  "Accept-Language",
+@@ -5094,6 +5096,10 @@
+   context = SSL_CTX_new(SSLv23_client_method());
+ 
+   SSL_CTX_set_options(context, SSL_OP_NO_SSLv2); /* Only use SSLv3 or TLS */
++  if (!(tls_options & _HTTP_TLS_ALLOW_SSL3))
++    SSL_CTX_set_options(context, SSL_OP_NO_SSLv3); /* Don't use SSLv3 */
++  if (!(tls_options & _HTTP_TLS_ALLOW_RC4))
++    SSL_CTX_set_cipher_list(context, "DEFAULT:-RC4");
+ 
+   bio = BIO_new(_httpBIOMethods());
+   BIO_ctrl(bio, BIO_C_SET_FILE_PTR, 0, (char *)http);
+@@ -5151,7 +5157,16 @@
+   gnutls_certificate_allocate_credentials(credentials);
+ 
+   gnutls_init(&http->tls, GNUTLS_CLIENT);
+-  gnutls_set_default_priority(http->tls);
++  if (!tls_options)
++    gnutls_priority_set_direct(http->tls, "NORMAL:-ARCFOUR-128:-VERS-SSL3.0", NULL);
++  else if ((tls_options & _HTTP_TLS_ALLOW_SSL3) &&
++	   (tls_options & _HTTP_TLS_ALLOW_RC4))
++    gnutls_priority_set_direct(http->tls, "NORMAL", NULL);
++  else if (tls_options & _HTTP_TLS_ALLOW_SSL3)
++    gnutls_priority_set_direct(http->tls, "NORMAL:-ARCFOUR-128", NULL);
++  else
++    gnutls_priority_set_direct(http->tls, "NORMAL:-VERS-SSL3.0", NULL);
++
+   gnutls_server_name_set(http->tls, GNUTLS_NAME_DNS, hostname,
+                          strlen(hostname));
+   gnutls_credentials_set(http->tls, GNUTLS_CRD_CERTIFICATE, *credentials);
+@@ -5904,6 +5919,16 @@
+ }
+ #endif /* HAVE_SSL */
+ 
++/*
++ * '_httpTLSSetOptions()' - Set TLS/SSL options.
++ */
++
++void
++_httpTLSSetOptions(int options)
++{
++  tls_options = options;
++}
++
+ 
+ /*
+  * End of "$Id: http.c 11761 2014-03-28 13:04:33Z msweet $".
+--- a/cups/usersys.c
++++ b/cups/usersys.c
+@@ -52,7 +52,8 @@
+ #endif /* HAVE_GSSAPI */
+ 				      const char *cups_anyroot,
+ 				      const char *cups_expiredroot,
+-				      const char *cups_expiredcerts);
++				      const char *cups_expiredcerts,
++				      int ssl_options);
+ 
+ 
+ /*
+@@ -237,6 +238,9 @@
+   _cups_globals_t *cg = _cupsGlobals();	/* Pointer to library globals */
+ 
+ 
++  if (cg->encryption == (http_encryption_t)-1)
++    _cupsSetDefaults();
++
+   cg->encryption = e;
+ 
+   if (cg->http)
+@@ -861,6 +865,29 @@
+   if (cg->encryption == (http_encryption_t)-1 || !cg->server[0] ||
+       !cg->user[0] || !cg->ipp_port)
+   {
++   /*
++    * Look for CUPS_SERVERROOT/client.conf...
++    */
++
++    snprintf(filename, sizeof(filename), "%s/client.conf",
++	     cg->cups_serverroot);
++    fp = cupsFileOpen(filename, "r");
++   /*
++    * Read the configuration file and apply any environment variables; both
++    * functions handle NULL cups_file_t pointers...
++    */
++
++    cups_read_client_conf(fp, cg, cups_encryption, cups_server, cups_user,
++#ifdef HAVE_GSSAPI
++		  cups_gssservicename,
++#endif /* HAVE_GSSAPI */
++			  cups_anyroot, cups_expiredroot,
++			  cups_expiredcerts, 1);
++
++   /*
++    * Then user defaults, if it is safe to do so...
++    */
++
+ #  ifdef HAVE_GETEUID
+     if ((geteuid() == getuid() || !getuid()) && getegid() == getgid() && (home = getenv("HOME")) != NULL)
+ #  elif !defined(WIN32)
+@@ -875,19 +902,7 @@
+ 
+       snprintf(filename, sizeof(filename), "%s/.cups/client.conf", home);
+       fp = cupsFileOpen(filename, "r");
+-    }
+-    else
+-      fp = NULL;
+ 
+-    if (!fp)
+-    {
+-     /*
+-      * Look for CUPS_SERVERROOT/client.conf...
+-      */
+-
+-      snprintf(filename, sizeof(filename), "%s/client.conf",
+-               cg->cups_serverroot);
+-      fp = cupsFileOpen(filename, "r");
+     }
+ 
+    /*
+@@ -895,12 +910,12 @@
+     * functions handle NULL cups_file_t pointers...
+     */
+ 
+-    cups_read_client_conf(fp, cg, cups_encryption, cups_server, cups_user,
++      cups_read_client_conf(fp, cg, cups_encryption, cups_server, cups_user,
+ #ifdef HAVE_GSSAPI
+ 			  cups_gssservicename,
+ #endif /* HAVE_GSSAPI */
+ 			  cups_anyroot, cups_expiredroot,
+-			  cups_expiredcerts);
++			  cups_expiredcerts, 0);
+     cupsFileClose(fp);
+   }
+ }
+@@ -923,7 +938,8 @@
+ #endif /* HAVE_GSSAPI */
+     const char	    *cups_anyroot,	/* I - CUPS_ANYROOT env var */
+     const char	    *cups_expiredroot,	/* I - CUPS_EXPIREDROOT env var */
+-    const char	    *cups_expiredcerts)	/* I - CUPS_EXPIREDCERTS env var */
++    const char	    *cups_expiredcerts,	/* I - CUPS_EXPIREDCERTS env var */
++    int		     ssl_options)	/* I - Allow setting of SSLOptions? */
+ {
+   int	linenum;			/* Current line number */
+   char	line[1024],			/* Line from file */
+@@ -996,6 +1012,43 @@
+       cups_gssservicename = gss_service_name;
+     }
+ #endif /* HAVE_GSSAPI */
++    else if (ssl_options && !_cups_strcasecmp(line, "SSLOptions") && value)
++    {
++     /*
++      * SSLOptions [AllowRC4] [AllowSSL3] [None]
++      */
++
++      int	options = 0;		/* SSL/TLS options */
++      char	*start,			/* Start of option */
++		*end;			/* End of option */
++
++      for (start = value; *start; start = end)
++      {
++       /*
++	* Find end of keyword...
++	*/
++
++	end = start;
++	while (*end && !_cups_isspace(*end))
++	  end++;
++
++	if (*end)
++	  *end++ = '\0';
++
++       /*
++	* Compare...
++	*/
++
++	if (!_cups_strcasecmp(start, "AllowRC4"))
++	  options |= _HTTP_TLS_ALLOW_RC4;
++	else if (!_cups_strcasecmp(start, "AllowSSL3"))
++	  options |= _HTTP_TLS_ALLOW_SSL3;
++	else if (!_cups_strcasecmp(start, "None"))
++	  options = 0;
++      }
++
++      _httpTLSSetOptions(options);
++    }
+   }
+ 
+  /*
+--- a/doc/help/ref-client-conf.html
++++ b/doc/help/ref-client-conf.html
+@@ -76,6 +76,26 @@
+ </BLOCKQUOTE>
+ 
+ 
++<H2 CLASS="title"><A NAME="SSLOptions">SSLOptions</A></H2>
++
++<H3>Examples</H3>
++
++<PRE CLASS="command">
++SSLOptions None
++SSLOptions AllowSSL3
++SSLOptions AllowRC4
++</PRE>
++
++<H3>Description</H3>
++
++<P>Sets encryption options (only in /etc/cups/client.conf). By
++default, CUPS only supports encryption using TLS v1.0 or higher using
++known secure cipher suites. The <i>AllowRC4</i> option enables the
++128-bit RC4 cipher suites, which are required for some older clients
++that do not implement newer ones. The <i>AllowSSL3</i> option enables
++SSL v3.0, which is required for some older clients that do not support
++TLS v1.0.</P>
++
+ <H2 CLASS="title"><SPAN CLASS="info">CUPS 1.6/OS X 10.8</SPAN><A NAME="User">User</A></H2>
+ 
+ <H3>Examples</H3>
+--- a/doc/help/ref-cupsd-conf.html.in
++++ b/doc/help/ref-cupsd-conf.html.in
+@@ -2004,23 +2004,23 @@
+ variable that should be passed to child processes.</P>
+ 
+ 
+-<H2 CLASS="title"><A NAME="SSLListen">SSLListen</A></H2>
++<H2 CLASS="title"><A NAME="SSLOptions">SSLOptions</A></H2>
+ 
+ <H3>Examples</H3>
+ 
+ <PRE CLASS="command">
+-SSLListen 127.0.0.1:443
+-SSLListen 192.0.2.1:443
++SSLOptions 127.0.0.1:443
++SSLOptions 192.0.2.1:443
+ </PRE>
+ 
+ <H3>Description</H3>
+ 
+-<P>The <CODE>SSLListen</CODE> directive specifies a network
++<P>The <CODE>SSLOptions</CODE> directive specifies a network
+ address and port to listen for secure connections. Multiple
+-<CODE>SSLListen</CODE> directives can be provided to listen on
++<CODE>SSLOptions</CODE> directives can be provided to listen on
+ multiple addresses.</P>
+ 
+-<P>The <CODE>SSLListen</CODE> directive is similar to the <A
++<P>The <CODE>SSLOptions</CODE> directive is similar to the <A
+ HREF="#SSLPort"><CODE>SSLPort</CODE></A> directive but allows you
+ to restrict access to specific interfaces or networks.</P>
+ 
+@@ -2032,15 +2032,22 @@
+ <PRE CLASS="command">
+ SSLOptions None
+ SSLOptions NoEmptyFragments
++SSLOptions AllowSSL3
++SSLOptions AllowRC4
+ </PRE>
+ 
+ <H3>Description</H3>
+ 
+ <P>The <CODE>SSLOptions</CODE> directive specifies additional SSL/TLS
+-protocol options to use for encrypted connected. Currently only two
+-options are supported - <code>None</code> (the default) for the most
+-secure mode and <code>NoEmptyFragments</code> to allow CUPS to work with
+-Microsoft Windows with the FIPS conformance mode enabled.</p>
++protocol options to use for encrypted connected. By default, CUPS only
++supports encryption using TLS v1.0 or higher using known secure cipher
++suites. The <code>NoEmptyFragments</code> option allows CUPS to work
++with Microsoft Windows with the FIPS conformance mode
++enabled. The <code>AllowRC4</code> option enables the 128-bit RC4
++cipher suites, which are required for some older clients that do not
++implement newer ones. The <code>AllowSSL3</code> option enables SSL
++v3.0, which is required for some older clients that do not support TLS
++v1.0.</p>
+ 
+ 
+ <H2 CLASS="title"><A NAME="SSLPort">SSLPort</A></H2>
+--- a/man/client.conf.man.in
++++ b/man/client.conf.man.in
+@@ -53,6 +53,15 @@
+ server running CUPS 1.3.12 and earlier. \fBNote: Not supported on OS X 10.7 or
+ later.\fR
+ .TP 5
++SSLOptions \fR[\fIAllowRC4\fR] [\fIAllow SSL3\fR]
++.br
++Sets SSL/TLS protocol options for encrypted connections. By default,
++CUPS only supports encryption using TLS v1.0 or higher using known
++secure cipher suites. The \fIAllowRC4\fR option enables the 128-bit
++RC4 cipher suites, which are required for some older clients that do
++not implement newer ones. The \fIAllowSSL3\fR option enables SSL v3.0,
++which is required for some older clients that do not support TLS v1.0.
++.TP 5
+ User name
+ .br
+ Specifies the default user name to use for requests.
+--- a/man/cupsd.conf.man.in
++++ b/man/cupsd.conf.man.in
+@@ -480,9 +480,16 @@
+ .TP 5
+ SSLOptions None
+ .TP 5
+-SSLOptions NoEmptyFragments
++SSLOptions \fR[\fINoEmptyFragments\fR] [\fIAllowRC4\fR] [\fIAllow SSL3\fR]
+ .br
+-Sets SSL/TLS protocol options for encrypted connections.
++Sets SSL/TLS protocol options for encrypted connections. By default,
++CUPS only supports encryption using TLS v1.0 or higher using known
++secure cipher suites. The \fINoEmptyFragments\fR option allows CUPS to
++work with Microsoft Windows with the FIPS conformance mode
++enabled. The \fIAllowRC4\fR option enables the 128-bit RC4 cipher
++suites, which are required for some older clients that do not
++implement newer ones. The \fIAllowSSL3\fR option enables SSL v3.0,
++which is required for some older clients that do not support TLS v1.0.
+ .TP 5
+ SSLPort
+ .br
+--- a/scheduler/conf.c
++++ b/scheduler/conf.c
+@@ -3292,17 +3292,54 @@
+     else if (!_cups_strcasecmp(line, "SSLOptions"))
+     {
+      /*
++      * SSLOptions [AllowRC4] [AllowSSL3] [NoEmptyFragments] [None]
++      */
++
++      int	options = 0;	/* SSL/TLS options */
++
++     /*
+       * SSLOptions options
+       */
+ 
+-      if (!value || !_cups_strcasecmp(value, "none"))
+-        SSLOptions = CUPSD_SSL_NONE;
+-      else if (!_cups_strcasecmp(value, "noemptyfragments"))
+-        SSLOptions = CUPSD_SSL_NOEMPTY;
+-      else
+-        cupsdLogMessage(CUPSD_LOG_ERROR,
+-	                "Unknown value \"%s\" for SSLOptions directive on "
+-			"line %d.", value, linenum);
++      if (value)
++      {
++	char	*start,		/* Start of option */
++		*end;		/* End of option */
++
++	for (start = value; *start; start = end)
++	{
++	 /*
++	  * Find end of keyword...
++	  */
++
++	  end = start;
++	  while (*end && !_cups_isspace(*end))
++	    end++;
++
++	  if (*end)
++	    *end++ = '\0';
++
++	 /*
++	  * Compare...
++	  */
++
++	  if (!_cups_strcasecmp(start, "NoEmptyFragments"))
++	    options |= CUPSD_SSL_NOEMPTY;
++	  else if (!_cups_strcasecmp(start, "AllowRC4"))
++	    options |= CUPSD_SSL_ALLOW_RC4;
++	  else if (!_cups_strcasecmp(start, "AllowSSL3"))
++	    options |= CUPSD_SSL_ALLOW_SSL3;
++	  else if (!_cups_strcasecmp(start, "None"))
++	    options = 0;
++	  else
++	    cupsdLogMessage(CUPSD_LOG_ERROR,
++			    "Unknown value \"%s\" for SSLOptions directive on "
++			    "line %d.", start, linenum);
++	}
++      }
++
++      SSLOptions = options;
++      _httpTLSSetOptions (SSLOptions & ~CUPSD_SSL_NOEMPTY);
+     }
+ #endif /* HAVE_SSL */
+     else if (!_cups_strcasecmp(line, "AccessLog") ||
+--- a/scheduler/conf.h
++++ b/scheduler/conf.h
+@@ -79,6 +79,8 @@
+ 
+ #define CUPSD_SSL_NONE		0	/* No special options */
+ #define CUPSD_SSL_NOEMPTY	1	/* Do not insert empty fragments */
++#define CUPSD_SSL_ALLOW_RC4	2	/* Allow RC4 cipher suites */
++#define CUPSD_SSL_ALLOW_SSL3	4	/* Allow SSL 3.0 */
+ 
+ 
+ /*
+--- a/scheduler/tls-gnutls.c
++++ b/scheduler/tls-gnutls.c
+@@ -114,7 +114,15 @@
+ 				       ServerKey, GNUTLS_X509_FMT_PEM);
+ 
+   gnutls_init(&con->http.tls, GNUTLS_SERVER);
+-  gnutls_set_default_priority(con->http.tls);
++  if (!SSLOptions)
++    gnutls_priority_set_direct(con->http.tls, "NORMAL:-ARCFOUR-128:-VERS-SSL3.0", NULL);
++  else if ((SSLOptions & CUPSD_SSL_ALLOW_SSL3) &&
++	   (SSLOptions & CUPSD_SSL_ALLOW_RC4))
++    gnutls_priority_set_direct(con->http.tls, "NORMAL", NULL);
++  else if (SSLOptions & CUPSD_SSL_ALLOW_SSL3)
++    gnutls_priority_set_direct(con->http.tls, "NORMAL:-ARCFOUR-128", NULL);
++  else
++    gnutls_priority_set_direct(con->http.tls, "NORMAL:-VERS-SSL3.0", NULL);
+ 
+   gnutls_credentials_set(con->http.tls, GNUTLS_CRD_CERTIFICATE, *credentials);
+   gnutls_transport_set_ptr(con->http.tls, (gnutls_transport_ptr_t)HTTP(con));
+--- a/scheduler/tls-openssl.c
++++ b/scheduler/tls-openssl.c
+@@ -107,6 +107,10 @@
+   SSL_CTX_set_options(context, SSL_OP_NO_SSLv2); /* Only use SSLv3 or TLS */
+   if (SSLOptions & CUPSD_SSL_NOEMPTY)
+     SSL_CTX_set_options(context, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
++  if (!(SSLOptions & CUPSD_SSL_ALLOW_SSL3))
++    SSL_CTX_set_options(context, SSL_OP_NO_SSLv3); /* Don't use SSLv3 */
++  if (!(SSLOptions & CUPSD_SSL_ALLOW_RC4))
++    SSL_CTX_set_cipher_list(context, "DEFAULT:-RC4");
+   SSL_CTX_use_PrivateKey_file(context, ServerKey, SSL_FILETYPE_PEM);
+   SSL_CTX_use_certificate_chain_file(context, ServerCertificate);
+ 
diff -Nru cups-1.7.5/debian/patches/systemd-optional-socket-activation.patch cups-1.7.5/debian/patches/systemd-optional-socket-activation.patch
--- cups-1.7.5/debian/patches/systemd-optional-socket-activation.patch	2015-06-09 09:36:38.000000000 +0200
+++ cups-1.7.5/debian/patches/systemd-optional-socket-activation.patch	2016-10-10 09:55:05.000000000 +0200
@@ -101,7 +101,7 @@
  	  doc/help/ref-cupsd-conf.html
 --- a/cups/usersys.c
 +++ b/cups/usersys.c
-@@ -1028,7 +1028,7 @@
+@@ -1081,7 +1081,7 @@
      struct stat	sockinfo;		/* Domain socket information */
  
      if (!stat(CUPS_DEFAULT_DOMAINSOCKET, &sockinfo) &&






















					Reply via email to