[OE-core] [PATCH] openssl: fix for CVE-2015-1794
Fan Xin
fan.xin at jp.fujitsu.com
Thu Dec 10 02:58:07 UTC 2015
Thanks for your kindly check.
I will correct it in Patch v2.
Best Regards,
Fan
On 2015年12月09日 20:52, Burton, Ross wrote:
>
> On 9 December 2015 at 02:03, Fan Xin <fan.xin at jp.fujitsu.com
> <mailto:fan.xin at jp.fujitsu.com>> wrote:
>
> +++
> b/meta/recipes-connectivity/openssl/openssl/Fix-seg-fault-with-0-p-val-in-SKE.patch
> @@ -0,0 +1,101 @@
> +Upstream-Status: Backport
> +
> +From ada57746b6b80beae73111fe1291bf8dd89af91c Mon Sep 17 00:00:00 2001
> +From: Guy Leaver (guleaver) <guleaver at cisco.com
> <mailto:guleaver at cisco.com>>
> +Date: Fri, 7 Aug 2015 15:45:21 +0100
> +Subject: [PATCH] Fix seg fault with 0 p val in SKE
> +
> +If a client receives a ServerKeyExchange for an anon DH ciphersuite
> with the
> +value of p set to 0 then a seg fault can occur. This commits adds a
> test to
> +reject p, g and pub key parameters that have a 0 value (in
> accordance with
> +RFC 5246)
> +
> +The security vulnerability only affects master and 1.0.2, but the
> fix is
> +additionally applied to 1.0.1 for additional confidence.
> +
> +CVE-2015-1794
> +
> +Reviewed-by: Richard Levitte <levitte at openssl.org
> <mailto:levitte at openssl.org>>
> +Reviewed-by: Matt Caswell <matt at openssl.org <mailto:matt at openssl.org>>
>
>
> This patch needs to have your (or whoever actually did the work)
> signed-off-by inside the patch, alongside the Upstream-Status.
>
> Thanks,
> Ross
--
=====================================================
株式会社富士通コンピュータテクノロジーズ
組込みシステム技術統括部 第一ファームウェア技術部
樊 昕 Fan Xin
fan.xin at jp.fujitsu.com
┏┓ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
┗■ 【ubinux V15】のリリースを開始しました!
「SDN(Open vSwitch)」や「クラウド管理(OpenStack Heat)」などに対応
---------------------------------------------------------------------
詳細>>http://elsc.utsfd.cs.fujitsu.co.jp/location_elsc.php?id=0024
※"ubinux"は組込み装置向け当社独自のLinuxディストリビューションです
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
More information about the Openembedded-core
mailing list