diff -Nru libotr2-3.2.1/debian/changelog libotr2-3.2.1/debian/changelog
--- libotr2-3.2.1/debian/changelog 2012-11-05 02:32:14.000000000 +0100
+++ libotr2-3.2.1/debian/changelog 2014-01-04 17:08:20.000000000 +0100
@@ -1,3 +1,11 @@
+libotr2 (3.2.1-1ubuntu1.13.10.1) saucy-security; urgency=low
+
+ * SECURITY UPDATE: disable insecure OTRv1 protocol to prevent downgrade
+ attacks (LP: #1266016)
+ - Add disable_otr_v1.patch, patch taken from Debian
+
+ -- Felix Geyer Sat, 04 Jan 2014 16:18:48 +0100
+
 libotr2 (3.2.1-1ubuntu1) raring; urgency=low
 
 * Resurrect libotr2 in a separate package. Fixes libotr transition &
diff -Nru libotr2-3.2.1/debian/patches/disable_otr_v1.patch libotr2-3.2.1/debian/patches/disable_otr_v1.patch
--- libotr2-3.2.1/debian/patches/disable_otr_v1.patch 1970-01-01 01:00:00.000000000 +0100
+++ libotr2-3.2.1/debian/patches/disable_otr_v1.patch 2014-01-04 16:18:08.000000000 +0100
@@ -0,0 +1,39 @@
+Author: Rob Smits
+Date: Sun Jun 3 22:38:05 2012 -0400
+Subject: Disable OTRv1 protocol.
+Origin: http://sourceforge.net/p/otr/libotr/ci/7ffba65fa42052795523924279bc94e7c80fb0f7/
+Bug: http://bugs.debian.org/725779
+Forwarded: not-needed
+Reviewed-by: intrigeri
+Last-Update: Sun Dec 22 11:30:00 2013 +0100
+Applied-Upstream: 4.0.0
+
+diff --git a/src/proto.h b/src/proto.h
+index d7b0ae6..e96e2f2 100644
+--- a/src/proto.h
++++ b/src/proto.h
+@@ -45,20 +45,17 @@ typedef unsigned int OtrlPolicy;
+
+ #define OTRL_POLICY_VERSION_MASK (OTRL_POLICY_ALLOW_V1 | OTRL_POLICY_ALLOW_V2)
+
+-/* For v1 compatibility */
++/* Analogous to v1 policies */
+ #define OTRL_POLICY_NEVER 0x00
+ #define OTRL_POLICY_OPPORTUNISTIC \
+- ( OTRL_POLICY_ALLOW_V1 | \
+- OTRL_POLICY_ALLOW_V2 | \
++ ( OTRL_POLICY_ALLOW_V2 | \
+ OTRL_POLICY_SEND_WHITESPACE_TAG | \
+ OTRL_POLICY_WHITESPACE_START_AKE | \
+ OTRL_POLICY_ERROR_START_AKE )
+ #define OTRL_POLICY_MANUAL \
+- ( OTRL_POLICY_ALLOW_V1 | \
+- OTRL_POLICY_ALLOW_V2 )
++ ( OTRL_POLICY_ALLOW_V2 )
+ #define OTRL_POLICY_ALWAYS \
+- ( OTRL_POLICY_ALLOW_V1 | \
+- OTRL_POLICY_ALLOW_V2 | \
++ ( OTRL_POLICY_ALLOW_V2 | \
+ OTRL_POLICY_REQUIRE_ENCRYPTION | \
+ OTRL_POLICY_WHITESPACE_START_AKE | \
+ OTRL_POLICY_ERROR_START_AKE )
diff -Nru libotr2-3.2.1/debian/patches/series libotr2-3.2.1/debian/patches/series
--- libotr2-3.2.1/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ libotr2-3.2.1/debian/patches/series 2014-01-04 16:18:30.000000000 +0100
@@ -0,0 +1 @@
+disable_otr_v1.patch
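Review bot: In the src/proto.h hunk carried by debian/patches/disable_otr_v1.patch, the unchanged context line `OTRL_POLICY_VERSION_MASK` still includes `OTRL_POLICY_ALLOW_V1`, so the change removes v1 only from the three preset policies (`OTRL_POLICY_OPPORTUNISTIC`, `OTRL_POLICY_MANUAL`, `OTRL_POLICY_ALWAYS`). Nothing visible here makes the library refuse the bit, so a caller that ORs `OTRL_POLICY_ALLOW_V1` into its own policy value would presumably still be able to negotiate v1; whether the protocol code rejects it elsewhere cannot be told from this hunk. The presets are preprocessor macros and are therefore compiled into each application, so already-built reverse dependencies keep the old values until they are rebuilt against the updated header, which the changelog entry should state. The new comment `/* Analogous to v1 policies */` does not record the intent; I would write `/* Presets deliberately exclude OTRv1 (downgrade risk); do not re-add OTRL_POLICY_ALLOW_V1 */` instead.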