[OE-core] [jethro][fido][PATCH 4/4] openssl: three CVE fixes

Anders Darander anders at chargestorm.se
Tue Dec 8 07:49:23 UTC 2015


Hi,

* Armin Kuster <akuster808 at gmail.com> [151208 02:49]:

>  meta/recipes-connectivity/openssl/openssl_1.0.2d.bb | 4 ++++
>  1 file changed, 4 insertions(+)

I'm just a little curious about this series, and a few others that I've
seen recently. They all add a number of CVE-patches, with one commit per
patch, and as the last commit, they all get added to SRC_URI in a single
patch.

What's the reason to do it like this?

I'd personally prefer to have each CVE-patch also add the patch to
SRC_URI, as that makes cherry-picking more straightforward. And it also
ensures that if we have a need to bisect some issue, that'll work. At
the same time that will make the meta-data consistent, i.e. no dead
patches.

I'd personally even prefer that whole series squashed to one commit,
compared to this adding a lot of un-applied patches. 

Any comments on this?

Cheers,
Anders

> diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb
> index fd56841..3864e88 100644
> --- a/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb
> +++ b/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb
> @@ -37,6 +37,10 @@ SRC_URI += "file://configure-targets.patch \
>              file://crypto_use_bigint_in_x86-64_perl.patch \
>              file://openssl-1.0.2a-x32-asm.patch \
>              file://ptest_makefile_deps.patch  \
> +            file://CVE-2015-3193-bn-asm-x86_64-mont5.pl-fix-carry-propagating-bug-CVE.patch \
> +            file://CVE-2015-3194-1-Add-PSS-parameter-check.patch \
> +            file://0001-Add-test-for-CVE-2015-3194.patch \
> +            file://CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch \
>             "
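Review bot: with the SRC_URI additions split into this final commit, every earlier commit in the series ships a CVE patch file in the recipe directory that is never applied, so those intermediate commits build an OpenSSL that is still vulnerable to CVE-2015-3193/3194/3195 while looking patched, and a bisect or cherry-pick that lands on one of them gets an inconsistent recipe. Fold each `file://CVE-2015-...patch` line into the commit that adds that patch file. Two smaller points in the same hunk: the subject says "three CVE fixes" but four patches are added (the fourth, `0001-Add-test-for-CVE-2015-3194.patch`, is a test), and that test patch is the only one not named with the `CVE-<id>-` prefix the other three use; renaming it to match (and, given the `-1-` suffix on `CVE-2015-3194-1-Add-PSS-parameter-check.patch`, numbering it as part 2 of that fix) would make the SRC_URI list self-describing.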

-- 
Anders Darander, Senior System Architect
ChargeStorm AB / eStorm AB
