[OE-core] [yocto] Truly scary SSL 3.0 vuln to be revealed soon:
akuster808
akuster808 at gmail.com
Thu Oct 16 18:38:50 UTC 2014
On 10/16/2014 11:27 AM, Otavio Salvador wrote:
> On Thu, Oct 16, 2014 at 1:45 PM, Burton, Ross <ross.burton at intel.com> wrote:
>> On 15 October 2014 16:31, Burton, Ross <ross.burton at intel.com> wrote:
>>> There's an openssl 1.0.1j out now (fixing FOUR (!) CVEs, including
>>> "disabling SSLv3 didn't work"...). I think considering the situation
>>> we'd take the upgrade for dizzy, even though we've frozen. Anyone
>>> volunteering to take lead of upgrading dizzy to 1.0.1j and backporting
>>> the relevant patches to the previous releases? (eg daisy is on
>>> 1.0.1g).
>>
>> For anyone else interested, I've currently got 1.0.1j patches for
>> dizzy in testing. There's been debate over whether we backport the
>> fixes to daisy's 1.0.1g, or upgrade as the number of fixes is
>> growing...
>
> I think the upgrade is the way to go. We are likely to break 1.0.1g
> someday during backporting of security fixes.
>
In this case I would agree. Updating daisy makes sense as we are only
dealing with a minor version update.
- Armin