[OE-core] [PATCH] openssl: upgrade from 1.0.1g to 1.0.1h

Paul Eggleton paul.eggleton at linux.intel.com
Mon Jun 9 10:44:55 UTC 2014


Hi there,

On Saturday 07 June 2014 14:27:02 Yao Xinpan wrote:
> The following bugs had been fixed in 1.0.1h:
> CVE-2014-0224, CVE-2014-0221, CVE-2014-3470
> CVE-2014-0198, CVE-2010-5298.
> 
> Signed-off-by: Yao Xinpan <yaoxp at cn.fujitsu.com>
> Signed-off-by: Lei Maohui <leimaohui at cn.fujitsu.com>
> ---
>  .../0001-add-functions-into-openssl.ld.patch       |  35 ++
>  .../openssl/openssl/openssl-CVE-2010-5298.patch    |  24 --
>  .../openssl/openssl-CVE-2014-0198-fix.patch        |  23 --
>  .../openssl/openssl/openssl-fix-doc.patch          | 401
> --------------------- .../{openssl_1.0.1g.bb => openssl_1.0.1h.bb}       | 
>  8 +-
>  5 files changed, 38 insertions(+), 453 deletions(-)
>  create mode 100644
> meta/recipes-connectivity/openssl/openssl/0001-add-functions-into-openssl.l
> d.patch delete mode 100644
> meta/recipes-connectivity/openssl/openssl/openssl-CVE-2010-5298.patch
> delete mode 100644
> meta/recipes-connectivity/openssl/openssl/openssl-CVE-2014-0198-fix.patch
> delete mode 100644
> meta/recipes-connectivity/openssl/openssl/openssl-fix-doc.patch rename
> meta/recipes-connectivity/openssl/{openssl_1.0.1g.bb => openssl_1.0.1h.bb}
> (86%)
> 
> diff --git
> a/meta/recipes-connectivity/openssl/openssl/0001-add-functions-into-openssl
> .ld.patch
> b/meta/recipes-connectivity/openssl/openssl/0001-add-functions-into-openssl
> .ld.patch new file mode 100644
> index 0000000..2bd261d
> --- /dev/null
> +++
> b/meta/recipes-connectivity/openssl/openssl/0001-add-functions-into-openssl
> .ld.patch @@ -0,0 +1,35 @@
> +From 7d41b2ae4dff7a4caffb06e0d6dd533f77be8437 Mon Sep 17 00:00:00 2001
> +From: Yao Xinpan <yaoxp at cn.fujitsu.com>
> +Date: Sat, 7 Jun 2014 04:59:23 +0900
> +Subject: [PATCH] add functions into openssl.ld
> +
> +add ssl_init_wbio_buffer ssl3_setup_buffers dtls1_process_heartbeat and
> +tls1_process_heartbeat into openssl.ld
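
Review bot: the header of the added 0001-add-functions-into-openssl.ld.patch, as far as it is quoted here (From, Date, Subject and the two-line description), carries no Signed-off-by and no Upstream-Status line; both belong in the embedded patch's own header, separate from the sign-offs on the recipe commit. The description also only lists the four functions being added to openssl.ld (ssl_init_wbio_buffer, ssl3_setup_buffers, dtls1_process_heartbeat, tls1_process_heartbeat) and does not say why they are needed there; a sentence naming the failure this is meant to address would let a reader judge whether adding them is the right fix.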

So it turns out I've been working on this as well; however the preferred fix 
discussed upstream for the heartbeat_test failure (that the above patch 
attempts to fix) instead links heartbeat_test against the static version of the 
library. Also, patches included in recipes need to have signed-off-by and 
Upstream-Status.

Since this is a critical fix I'll be sending out my version shortly, however I 
will include your names in the commit message.

Cheers,
Paul

-- 

Paul Eggleton
Intel Open Source Technology Centre


