authorNatanael Copa <ncopa@alpinelinux.org>2015-07-07 14:20:33 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2015-07-07 14:20:33 +0000
commitc1ee7a6e6d21447788c7512e7197d49ebfbc3096 (patch)
treef6dbf52c47e29ab57edc25ed499f7c6f4745ef75 /main/lighttpd/0009-ssl-disable-SSL3.0-by-default.patch
parent77345a923c72d9e8d0a4202d893239ba43b903a3 (diff)
main/lighttpd: security fix for CVE-2015-3200
The upstream patch does not apply without first applying a lot of other changes, so we simply apply everything since the 1.4.35 release. ref #4329
Diffstat (limited to 'main/lighttpd/0009-ssl-disable-SSL3.0-by-default.patch')
-rw-r--r--main/lighttpd/0009-ssl-disable-SSL3.0-by-default.patch44
1 files changed, 44 insertions, 0 deletions
diff --git a/main/lighttpd/0009-ssl-disable-SSL3.0-by-default.patch b/main/lighttpd/0009-ssl-disable-SSL3.0-by-default.patch
new file mode 100644
index 0000000000..6980a19497
--- /dev/null
+++ b/main/lighttpd/0009-ssl-disable-SSL3.0-by-default.patch
@@ -0,0 +1,44 @@
+From 084df7e99a8738be79f83e330415a8963280dc4a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Stefan=20B=C3=BChler?= <stbuehler@web.de>
+Date: Thu, 16 Oct 2014 17:52:14 +0000
+Subject: [PATCH 09/29] [ssl] disable SSL3.0 by default
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Stefan Bühler <stbuehler@web.de>
+
+git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2969 152afb58-edef-0310-8abb-c4023f1b3aa9
+---
+ NEWS | 1 +
+ src/configfile.c | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/NEWS b/NEWS
+index 7260fc5..a702941 100644
+--- a/NEWS
++++ b/NEWS
+@@ -10,6 +10,7 @@ NEWS
+ * add support for (Free)BSD extended attributes
+ * [build] use fortify flags with "extra-warnings"
+ * [mod_dirlisting,mod_redirect,mod_rewrite] abort config parsing if pcre-compile fails or isn't available
++ * [ssl] disable SSL3.0 by default
+
+ - 1.4.35 - 2014-03-12
+ * [network/ssl] fix build error if TLSEXT is disabled
+diff --git a/src/configfile.c b/src/configfile.c
+index 1e96ce0..bf9a34d 100644
+--- a/src/configfile.c
++++ b/src/configfile.c
+@@ -182,7 +182,7 @@ static int config_insert(server *srv) {
+ s->ssl_honor_cipher_order = 1;
+ s->ssl_empty_fragments = 0;
+ s->ssl_use_sslv2 = 0;
+- s->ssl_use_sslv3 = 1;
++ s->ssl_use_sslv3 = 0;
+ s->use_ipv6 = 0;
+ s->set_v6only = 1;
+ s->defer_accept = 0;
+--
+2.4.5
+
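Review bot: The flipped default `s->ssl_use_sslv3 = 0;` in `config_insert` only changes what a server does when the option is left unset; a configuration that explicitly sets `ssl.use-sslv3 = "enable"` will presumably still offer SSL 3.0 after the upgrade. The package upgrade notes should tell administrators to check for that setting, and that clients limited to SSL 3.0 will no longer connect by default. The changed line also carries no rationale; a comment such as `/* SSL 3.0 is off by default because the protocol is no longer considered safe; opt in via ssl.use-sslv3 */` would keep a later edit from reverting it unknowingly. `config_insert` starts and ends outside the embedded hunk, so where the default is overridden by the parsed configuration is not visible here.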