[OE-core] [jethro][fido][PATCH 4/4] openssl: three CVE fixes
Robert Yang
liezhi.yang at windriver.com
Tue Dec 8 08:14:43 UTC 2015
On 12/08/2015 03:49 PM, Anders Darander wrote:
> Hi,
>
> * Armin Kuster <akuster808 at gmail.com> [151208 02:49]:
>
>> meta/recipes-connectivity/openssl/openssl_1.0.2d.bb | 4 ++++
>> 1 file changed, 4 insertions(+)
>
> I'm just a little curious about this serious, and a few others that I've
> seen recently. They all add a number of CVE-patches, with one commit per
> patch, and as the last commit, they all get added to SRC_URI in a single
> patch.
>
> What's the reason to do it like this? i
>
> I'd personally prefer to have each CVE-path also add the patch to
> SRC_URI, as that make cherry-picking more straightforward. And it also
> ensures that if we have a need to bisect some issue, that'll work. At
> the same time that will make the meta-data consistent, i.e. no dead
> patches.
>
> I'd personally even prefer that whole series squashed to one commit,
> compared to this adding a lot of un-applied patches.
Yes, I think that would be better.
// Robert.
>
> Any comments on this?
>
> Cheers,
> Anders
>
>> diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb
>> index fd56841..3864e88 100644
>> --- a/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb
>> +++ b/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb
>> @@ -37,6 +37,10 @@ SRC_URI += "file://configure-targets.patch \
>> file://crypto_use_bigint_in_x86-64_perl.patch \
>> file://openssl-1.0.2a-x32-asm.patch \
>> file://ptest_makefile_deps.patch \
>> + file://CVE-2015-3193-bn-asm-x86_64-mont5.pl-fix-carry-propagating-bug-CVE.patch \
>> + file://CVE-2015-3194-1-Add-PSS-parameter-check.patch \
>> + file://0001-Add-test-for-CVE-2015-3194.patch \
>> + file://CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch \
>> "
>
More information about the Openembedded-core
mailing list