[OE-core] [yocto] Truly scary SSL 3.0 vuln to be revealed soon:

akuster808 akuster808 at gmail.com
Thu Oct 16 18:38:50 UTC 2014



On 10/16/2014 11:27 AM, Otavio Salvador wrote:
> On Thu, Oct 16, 2014 at 1:45 PM, Burton, Ross <ross.burton at intel.com> wrote:
>> On 15 October 2014 16:31, Burton, Ross <ross.burton at intel.com> wrote:
>>> There's an openssl 1.0.1j out now (fixing FOUR (!) CVEs, including
>>> "disabling SSLv3 didn't work"...).  I think considering the situation
>>> we'd take the upgrade for dizzy, even though we've frozen.  Anyone
>>> volunteering to take lead of upgrading dizzy to 1.0.1j and backporting
>>> the relevant patches to the previous releases? (eg daisy is on
>>> 1.0.1g).
>>
>> For anyone else interested, I've currently got 1.0.1j patches for
>> dizzy in testing.  There's been debate over whether we backport the
>> fixes to daisy's 1.0.1g, or upgrade as the number of fixes is
>> growing...
>
> I think the upgrade is the way to go. We are likely to break 1.0.1g
> someday during backporting of security fixes.
>

In this case I would agree.  Updating daisy makes sense as we are only 
dealing with a minor version update.

- Armin


