[OE-core] Truly scary SSL 3.0 vuln to be revealed soon:

Otavio Salvador otavio at ossystems.com.br
Thu Oct 16 18:27:03 UTC 2014


On Thu, Oct 16, 2014 at 1:45 PM, Burton, Ross <ross.burton at intel.com> wrote:
> On 15 October 2014 16:31, Burton, Ross <ross.burton at intel.com> wrote:
>> There's an openssl 1.0.1j out now (fixing FOUR (!) CVEs, including
>> "disabling SSLv3 didn't work"...).  I think considering the situation
>> we'd take the upgrade for dizzy, even though we've frozen.  Anyone
>> volunteering to take lead of upgrading dizzy to 1.0.1j and backporting
>> the relevant patches to the previous releases? (eg daisy is on
>> 1.0.1g).
>
> For anyone else interested, I've currently got 1.0.1j patches for
> dizzy in testing.  There's been debate over whether we backport the
> fixes to daisy's 1.0.1g, or upgrade as the number of fixes is
> growing...

I think the upgrade is the way to go. We are likely to break 1.0.1g
someday during backporting of security fixes.

-- 
Otavio Salvador                             O.S. Systems
http://www.ossystems.com.br        http://code.ossystems.com.br
Mobile: +55 (53) 9981-7854            Mobile: +1 (347) 903-9750
