--- a/open-src/xserver/xvnc/Makefile Wed May 27 16:45:04 2015 -0700
+++ b/open-src/xserver/xvnc/Makefile Wed Jun 03 13:30:36 2015 -0700
@@ -82,6 +82,7 @@
SOURCE_PATCHES += 17950657.patch,-p1
SOURCE_PATCHES += studio12.4-patch,-p1
SOURCE_PATCHES += CVE-2014-8240.patch,-p1
+SOURCE_PATCHES += gnutls-disable-sslv3.patch,-p1
# Need to regenerate autoconf/automake files after patching
AUTORECONF=yes
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/open-src/xserver/xvnc/gnutls-disable-sslv3.patch Wed Jun 03 13:30:36 2015 -0700
@@ -0,0 +1,38 @@
+Disable SSLv3 as long as we're using GNU TLS 2.8 - we should be able to drop
+this once we upgrade to GNU TLS 3.4.0 or later, which disable it by default
+per http://lists.gnutls.org/pipermail/gnutls-devel/2015-April/007535.html
+
+diff --git a/common/rfb/CSecurityTLS.cxx b/common/rfb/CSecurityTLS.cxx
+index 3421de5..3a55d16 100644
+--- a/common/rfb/CSecurityTLS.cxx
++++ b/common/rfb/CSecurityTLS.cxx
+@@ -184,8 +184,10 @@ bool CSecurityTLS::processMsg(CConnection* cc)
+ if (gnutls_init(&session, GNUTLS_CLIENT) != GNUTLS_E_SUCCESS)
+ throw AuthFailureException("gnutls_init failed");
+
+- if (gnutls_set_default_priority(session) != GNUTLS_E_SUCCESS)
+- throw AuthFailureException("gnutls_set_default_priority failed");
++ // SSL 3.0 is enabled by default in GNU TLS 2.8, but we want it off
++ if (gnutls_priority_set_direct(session, "NORMAL:-VERS-SSL3.0", NULL)
++ != GNUTLS_E_SUCCESS)
++ throw AuthFailureException("gnutls_priority_set_direct failed");
+
+ setParam();
+
+diff --git a/common/rfb/SSecurityTLS.cxx b/common/rfb/SSecurityTLS.cxx
+index 2ea84e0..5cd4739 100644
+--- a/common/rfb/SSecurityTLS.cxx
++++ b/common/rfb/SSecurityTLS.cxx
+@@ -137,8 +137,10 @@ bool SSecurityTLS::processMsg(SConnection *sc)
+ if (gnutls_init(&session, GNUTLS_SERVER) != GNUTLS_E_SUCCESS)
+ throw AuthFailureException("gnutls_init failed");
+
+- if (gnutls_set_default_priority(session) != GNUTLS_E_SUCCESS)
+- throw AuthFailureException("gnutls_set_default_priority failed");
++ // SSL 3.0 is enabled by default in GNU TLS 2.8, but we want it off
++ if (gnutls_priority_set_direct(session, "NORMAL:-VERS-SSL3.0", NULL)
++ != GNUTLS_E_SUCCESS)
++ throw AuthFailureException("gnutls_priority_set_direct failed");
+
+ try {
+ setParams(session);
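Review bot: The third argument of gnutls_priority_set_direct is the err_pos out-parameter, and both new call sites (CSecurityTLS.cxx and SSecurityTLS.cxx) pass NULL, so when the priority string is rejected by the installed GnuTLS the exception says only "gnutls_priority_set_direct failed" and nobody can tell which keyword was the problem. Declaring `const char *err_pos = NULL;` before the call and passing `&err_pos` instead of `NULL` keeps the failing position available for logging next to the throw; the message text itself can stay as is. The priority string "NORMAL:-VERS-SSL3.0" is also duplicated verbatim in the two files, so a later change (for example once the GNU TLS 3.4 upgrade mentioned in the header lands) has to be made in two places — a shared constant would avoid the two drifting apart. In both hunks the enclosing processMsg body continues outside the shown lines.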