[OE-core] [PATCH] openssl: fix for CVE-2015-1794
Burton, Ross
ross.burton at intel.com
Wed Dec 9 11:52:45 UTC 2015
On 9 December 2015 at 02:03, Fan Xin <fan.xin at jp.fujitsu.com> wrote:
> +++
> b/meta/recipes-connectivity/openssl/openssl/Fix-seg-fault-with-0-p-val-in-SKE.patch
> @@ -0,0 +1,101 @@
> +Upstream-Status: Backport
> +
> +From ada57746b6b80beae73111fe1291bf8dd89af91c Mon Sep 17 00:00:00 2001
> +From: Guy Leaver (guleaver) <guleaver at cisco.com>
> +Date: Fri, 7 Aug 2015 15:45:21 +0100
> +Subject: [PATCH] Fix seg fault with 0 p val in SKE
> +
> +If a client receives a ServerKeyExchange for an anon DH ciphersuite with
> the
> +value of p set to 0 then a seg fault can occur. This commits adds a test
> to
> +reject p, g and pub key parameters that have a 0 value (in accordance with
> +RFC 5246)
> +
> +The security vulnerability only affects master and 1.0.2, but the fix is
> +additionally applied to 1.0.1 for additional confidence.
> +
> +CVE-2015-1794
> +
> +Reviewed-by: Richard Levitte <levitte at openssl.org>
> +Reviewed-by: Matt Caswell <matt at openssl.org>
>
This patch needs to have your (or whoever actually did the work)
signed-off-by inside the patch, alongside the Upstream-Status.
Thanks,
Ross
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openembedded.org/pipermail/openembedded-core/attachments/20151209/fddeb5b5/attachment-0002.html>
More information about the Openembedded-core
mailing list