[OE-core] [PATCH 1/1] openssl: update to 1.0.2i (CVE-2016-6304 and more)
Alexander Kanavin
alexander.kanavin at linux.intel.com
Fri Sep 23 12:01:39 UTC 2016
On 09/23/2016 11:39 AM, Patrick Ohly wrote:
> This update fixes several CVEs:
> * OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
> * SWEET32 Mitigation (CVE-2016-2183)
> * OOB write in MDC2_Update() (CVE-2016-6303)
> * Malformed SHA512 ticket DoS (CVE-2016-6302)
> * OOB write in BN_bn2dec() (CVE-2016-2182)
> * OOB read in TS_OBJ_print_bio() (CVE-2016-2180)
> * DTLS buffered message DoS (CVE-2016-2179)
> * DTLS replay protection DoS (CVE-2016-2181)
> * Certificate message OOB reads (CVE-2016-6306)
>
> Of these, only CVE-2016-6304 is considered of high
> severity. Everything else is low. CVE-2016-2177 and CVE-2016-2178 were
> already fixed via local patches, which can be removed now.
This demonstrates that:
a) if CVEs are fixed with backported patches, the process must be
*thorough* and not shotgun-ish like now. It's pointless to fix some CVEs
and ignore the others, just because that's what automated tools like
cve-checker reported or someone saw some mail on a mailing list.
b) it's okay to not fix low-severity CVEs until the upstream makes a new
release. Upstream is much more competent than we are to judge that, and
if the issue is high severity, they should make a new release anyway.
Please feel free to disagree.
Alex