[OE-core] [master][PATCH] openssl: security fix CVE-2016-6304

akuster808 akuster808 at gmail.com
Fri Sep 23 16:59:10 UTC 2016



On 09/23/2016 02:06 AM, Paul Eggleton wrote:
> On Fri, 23 Sep 2016 11:56:41 Maxin B. John wrote:
>> On Fri, Sep 23, 2016 at 04:48:37PM +0800, Anuj Mittal wrote:
>>> Reference:
>>> https://www.openssl.org/news/secadv/20160922.txt
>>>
>>> Upstream fix:
>>> https://github.com/openssl/openssl/commit/e408c09bbf7c3057bda4b8d20bec1b3a7771c15b
>>>
>>> Signed-off-by: Anuj Mittal <anujx.mittal at intel.com>
>>> ---
>>>
>>>   .../openssl/openssl/CVE-2016-6304.patch            | 75 ++++++++++++++++++++++
>> Mid air collision with Patrick's patch.
> I guess for krogoth and jethro we have the choice of applying just this fix or
> the upgrade.
The last time we upgraded openssl, we broke stuff in other layers. I am
more nervous about upgrading jethro than krogoth due to the age of the
other packages openssl supports.

> Looking over the commits for 1.0.2i it does look like quite a lot
> more than the list of CVEs in the recent security advisory were fixed,
It's hard to say at this time if some of the other commits are in support
of a CVE fix.

- armin
>   and
> it's somewhat concerning that the 1.0.2i release went out with an apparently
> compile-breaking typo in it (subsequently fixed, patch applied in Patrick's
> upgrade).
>
> Cheers,
> Paul
>



