[OE-core] [master][krogoth][PATCH] openssl: Security fix via update to 1.0.2h

Richard Purdie richard.purdie at linuxfoundation.org
Sat May 14 08:36:14 UTC 2016


On Fri, 2016-05-13 at 13:07 -0700, akuster808 wrote:
> 
> On 05/13/2016 07:31 AM, Martin Jansa wrote:
> > On Wed, May 11, 2016 at 03:37:59AM -0700, akuster808 wrote:
> > > Robert,
> > > 
> > > 
> > > On 05/10/2016 11:22 PM, Robert Yang wrote:
> > > > 
> > > > 
> > > > On 05/04/2016 07:46 AM, Armin Kuster wrote:
> > > > > From: Armin Kuster <akuster at mvista.com>
> > > > > 
> > > > > CVE-2016-2105
> > > > > CVE-2016-2106
> > > > > CVE-2016-2109
> > > > > CVE-2016-2176
> > > > > 
> > > > > https://www.openssl.org/news/secadv/20160503.txt
> > > > > 
> > > > > fixup openssl-avoid-NULL-pointer-dereference-in
> > > > > -EVP_DigestInit_ex.patch
> > > > > 
> > > > > drop crypto_use_bigint_in_x86-64_perl.patch as that fix is in
> > > > > latest.
> > > > 
> > > > After I looked into the code, it seems that this patch is not
> > > > in latest
> > > > code ?
> > > 
> > > hmm, my old eyes deceive me.
> > > 
> > > thanks for checking.
> > > 
> > > I will send a correction.
> > 
> > 1.0.2h is already in fido, jethro and master, can we quickly get it
> > to krogoth
> > which is still using older version 1.0.2g?
> 
> this hit master 2 days ago. I just sync'd changes over to krogoth and
> am doing sanity checks.  The last time I backported something before
> master folks got the shorts-in-a-twist.
> 
> > 
> > It's always strange to see recipe version downgrades when upgrading
> > to
> > newer Yocto release.
> 
> yes it is. I have no control when the other maintainers do their
> merges.

I should explain that in this case we had 1.8.2 pretty much ready to
go, then the openssl issue came to light. I therefore fast tracked that
merge on the basis that getting it into the release and a build into QA
was "a good thing", and on the assumption that getting this into jethro
would follow quickly.

In general we do follow the waterfall model and this was an exception
to the rule, purely to try and help my sanity and keep builds/releases
moving.

Cheers,

Richard