[OE-core] [PATCH] openssl: Address CVE-2014-0160
Mark Hatle
mark.hatle at windriver.com
Mon Apr 7 22:48:35 UTC 2014
On 4/7/14, 5:05 PM, Saul Wold wrote:
> This was the suggested fix for those unable to update to the new 1.0.1g version.
> Since we are so close to our release, we should hold off on the update until 1.7
>
> Signed-off-by: Saul Wold <sgw at linux.intel.com>
> ---
> meta/recipes-connectivity/openssl/openssl_1.0.1e.bb | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb b/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb
> index 618ba68..874aa21 100644
> --- a/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb
> +++ b/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb
> @@ -4,7 +4,7 @@ require openssl.inc
> # if they are available.
> DEPENDS += "cryptodev-linux"
>
> -CFLAG += "-DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS"
> +CFLAG += "-DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS -DOPENSSL_NO_HEARTBEATS"
>
> PR = "${INC_PR}.0"
>
>
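Review bot: The `-DOPENSSL_NO_HEARTBEATS` define added on the `CFLAG +=` line has no comment in the recipe tying it to CVE-2014-0160, so after a later move to 1.0.1g it would remain as an unexplained flag. Add a one-line comment above the `CFLAG +=` line naming the CVE and stating that the define is a stopgap to drop or re-evaluate on upgrade. The context line `PR = "${INC_PR}.0"` is left unchanged; if the changed variable alone does not trigger a rebuild of already-built packages in a given setup, bump it so the flag reaches the images that ship.
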
Between 1.0.1e and f there are 3 CVEs. 'g' adds two more.
This is a very low risk change, as the API and other components are stable.
--Mark