[OE-core] [PATCH 1/1] openssl: update to 1.0.2i (CVE-2016-6304 and more)

akuster808 akuster808 at gmail.com
Fri Sep 23 16:25:18 UTC 2016



On 09/23/2016 05:01 AM, Alexander Kanavin wrote:
> On 09/23/2016 11:39 AM, Patrick Ohly wrote:
>> This update fixes several CVEs:
>> * OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
>> * SWEET32 Mitigation (CVE-2016-2183)
>> * OOB write in MDC2_Update() (CVE-2016-6303)
>> * Malformed SHA512 ticket DoS (CVE-2016-6302)
>> * OOB write in BN_bn2dec() (CVE-2016-2182)
>> * OOB read in TS_OBJ_print_bio() (CVE-2016-2180)
>> * DTLS buffered message DoS (CVE-2016-2179)
>> * DTLS replay protection DoS (CVE-2016-2181)
>> * Certificate message OOB reads (CVE-2016-6306)
>>
>> Of these, only CVE-2016-6304 is considered of high
>> severity. Everything else is low. CVE-2016-2177 and CVE-2016-2178 were
>> already fixed via local patches, which can be removed now.
>
> This demonstrates that:
>
> a) if CVEs are fixed with backported patches, the process must be 
> *thorough* and not shotgun-ish like now. It's pointless to fix some 
> CVEs and ignore the others, just because that's what automated tools 
> like cve-checker reported or someone saw some mail on a mailing list.
>
> b) it's okay to not fix low-severity CVEs until the upstream makes a 
> new release. Upstream is much more competent than we are to judge 
> that, and if the issue is high severity, they should make a new 
> release anyway.

No, this demonstrates that folks do want to help out. They do the best 
they can with their abilities and situation. The community has made a 
lot of noise about how important it is to address security issues. 
Except for a few of us who do send patches, the community as a whole has 
not stepped up to the table to help out.

Open source is not an all-or-nothing proposition. I for one appreciate 
the contributions folks make in this area.

- Armin


>
> Please feel free to disagree.
>
> Alex