[OE-core] [master][PATCH] openssl: security fix CVE-2016-6304

Paul Eggleton paul.eggleton at linux.intel.com
Fri Sep 23 09:06:01 UTC 2016


On Fri, 23 Sep 2016 11:56:41 Maxin B. John wrote:
> On Fri, Sep 23, 2016 at 04:48:37PM +0800, Anuj Mittal wrote:
> > Reference:
> > https://www.openssl.org/news/secadv/20160922.txt
> > 
> > Upstream fix:
> > https://github.com/openssl/openssl/commit/e408c09bbf7c3057bda4b8d20bec1b3a7771c15b
> > 
> > Signed-off-by: Anuj Mittal <anujx.mittal at intel.com>
> > ---
> > 
> >  .../openssl/openssl/CVE-2016-6304.patch            | 75
> >  ++++++++++++++++++++++
> Mid air collision with Patrick's patch.

I guess for krogoth and jethro we have the choice of applying just this fix or 
the upgrade. Looking over the commits for 1.0.2i it does look like quite a lot 
more than the list of CVEs in the recent security advisory were fixed, and 
it's somewhat concerning that the 1.0.2i release went out with an apparently 
compile-breaking typo in it (subsequently fixed, patch applied in Patrick's 
upgrade).

Cheers,
Paul

-- 

Paul Eggleton
Intel Open Source Technology Centre


