[OE-core] [PATCH] openssl: fix for CVE-2015-1794

Fan Xin fan.xin at jp.fujitsu.com
Thu Dec 10 02:58:07 UTC 2015


Thanks for your kind check.
I will correct it in Patch v2.

Best Regards,
Fan

On 2015-12-09 20:52, Burton, Ross wrote:
>
> On 9 December 2015 at 02:03, Fan Xin <fan.xin at jp.fujitsu.com> wrote:
>
>     +++
>     b/meta/recipes-connectivity/openssl/openssl/Fix-seg-fault-with-0-p-val-in-SKE.patch
>     @@ -0,0 +1,101 @@
>     +Upstream-Status: Backport
>     +
>     +From ada57746b6b80beae73111fe1291bf8dd89af91c Mon Sep 17 00:00:00 2001
>     +From: Guy Leaver (guleaver) <guleaver at cisco.com
>     <mailto:guleaver at cisco.com>>
>     +Date: Fri, 7 Aug 2015 15:45:21 +0100
>     +Subject: [PATCH] Fix seg fault with 0 p val in SKE
>     +
>     +If a client receives a ServerKeyExchange for an anon DH ciphersuite
>     with the
>     +value of p set to 0 then a seg fault can occur. This commits adds a
>     test to
>     +reject p, g and pub key parameters that have a 0 value (in
>     accordance with
>     +RFC 5246)
>     +
>     +The security vulnerability only affects master and 1.0.2, but the
>     fix is
>     +additionally applied to 1.0.1 for additional confidence.
>     +
>     +CVE-2015-1794
>     +
>     +Reviewed-by: Richard Levitte <levitte at openssl.org
>     <mailto:levitte at openssl.org>>
>     +Reviewed-by: Matt Caswell <matt at openssl.org <mailto:matt at openssl.org>>
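
Review bot: the header at the top of Fix-seg-fault-with-0-p-val-in-SKE.patch carries only "Upstream-Status: Backport", with no Signed-off-by from whoever did the backport and no note of which OpenSSL branch the commit was taken from. Because the quoted commit message says the vulnerability only affects master and 1.0.2 and that the 1.0.1 change is for additional confidence, the header should also state which OpenSSL version this recipe builds, so a reader can tell whether the patch fixes CVE-2015-1794 for this recipe or is hardening only.
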
>
>
> This patch needs to have your (or whoever actually did the work)
> signed-off-by inside the patch, alongside the Upstream-Status.
>
> Thanks,
> Ross

-- 
=====================================================
Fujitsu Computer Technologies Limited
Embedded Systems Technology Division, First Firmware Technology Department
樊 昕 Fan Xin
fan.xin at jp.fujitsu.com
