[OE-core] [master][PATCH] openssl: security fix CVE-2016-6304

Patrick Ohly patrick.ohly at intel.com
Fri Sep 23 15:20:06 UTC 2016


[resending from my Intel account, the one on GMX isn't subscribed]

On Fri, 2016-09-23 at 21:06 +1200, Paul Eggleton wrote:
> On Fri, 23 Sep 2016 11:56:41 Maxin B. John wrote:
> > On Fri, Sep 23, 2016 at 04:48:37PM +0800, Anuj Mittal wrote:
> > > Reference:
> > > https://www.openssl.org/news/secadv/20160922.txt
> > > 
> > > Upstream fix:
> > > https://github.com/openssl/openssl/commit/e408c09bbf7c3057bda4b8d20bec1b3a7771c15b
> > > 
> > > Signed-off-by: Anuj Mittal <anujx.mittal at intel.com>
> > > ---
> > > 
> > >  .../openssl/openssl/CVE-2016-6304.patch            | 75 ++++++++++++++++++++++
> > Mid air collision with Patrick's patch.
> 
> I guess for krogoth and jethro we have the choice of applying just this fix or 
> the upgrade. Looking over the commits for 1.0.2i it does look like quite a lot 
> more than the list of CVEs in the recent security advisory were fixed, and 
> it's somewhat concerning that the 1.0.2i release went out with an apparently 
> compile-breaking typo in it (subsequently fixed, patch applied in Patrick's 
> upgrade).

The compile error is inside an #ifdef, so it could be that just that
particular configuration hadn't been tested. But yes, one has to wonder.

So what's preferred for OE-core master and the 2.2 release? Updating to
1.0.2i or backporting the critical patch?

I don't have any strong opinion either way myself.

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.
