[OE-core] [jethro][PATCH] Forklift OpenSSL 1.0.k to Jethro

akuster808 akuster808 at gmail.com
Mon Mar 6 16:01:44 UTC 2017



On 03/05/2017 07:20 PM, Rebecca Chang Swee Fun wrote:
> From: "Chang, Rebecca Swee Fun" <rebecca.swee.fun.chang at intel.com>
>
> Hi all,
>
> This is a version upgrade for OpenSSL from 1.0.2h to 1.0.2k.
> The upgrade was forklifted from OE-Core master branch to
> Jethro branch and remove upstream dependencies to new bbclasses.
>
> The details of CVEs are mentioned in the patch commit message.
>
> The main purpose of this forklifting effort is to make sure
> OpenSSL shipped in BSPs is updated.
> Due to OpenSSL version
> fork in Jethro, it is difficult to do purely "git cherry-pick"
> and resolving conflicts everywhere.

It's not difficult, it's just time consuming.

> This is main reason I opted for forklifting approach.

We have discussed updating openssl as the method for managing this
package in stable branches and it was met with lots of resistance.
Seeing this is Jethro (nearly 2 yrs old), I would suspect this is a
much harder sell to make.


>
> This is the first time I did an upgrade for OpenSSL. Please
> help to review and provide feedback if this approach is not
> feasible.

The feasible call is on the stable branch maintainer and oe-core layer
maintainers.

Per policy, these changes would have to propagate through the other
stable branches first if we didn't want to make an exception.

- armin

>   I'm looking forward to learning from every one of you.
>
> Thank you very much.
>
> Regards,
> Rebecca
>
> Chang, Rebecca Swee Fun (1):
>    openssl: upgrade 1.0.2h -> 1.0.2k
>
>   meta/recipes-connectivity/openssl/openssl.inc      |  104 +-
>   .../openssl/openssl/0002-CVE-2017-3731.patch       |   53 +
>   .../openssl/openssl/CVE-2016-2177.patch            |  286 --
>   .../openssl/openssl/CVE-2016-2178.patch            |   51 -
>   .../openssl/openssl/CVE-2016-2179.patch            |  255 --
>   .../openssl/openssl/CVE-2016-2180.patch            |   44 -
>   .../openssl/openssl/CVE-2016-2181_p1.patch         |   91 -
>   .../openssl/openssl/CVE-2016-2181_p2.patch         |  239 -
>   .../openssl/openssl/CVE-2016-2181_p3.patch         |   30 -
>   .../openssl/openssl/CVE-2016-2182.patch            |   70 -
>   .../openssl/openssl/CVE-2016-6302.patch            |   53 -
>   .../openssl/openssl/CVE-2016-6303.patch            |   36 -
>   .../openssl/openssl/CVE-2016-6304.patch            |   75 -
>   .../openssl/openssl/CVE-2016-6306.patch            |   71 -
>   .../openssl/openssl/CVE-2016-8610.patch            |  124 -
>   .../Use-SHA256-not-MD5-as-default-digest.patch     |   69 +
>   .../openssl/crypto_use_bigint_in_x86-64_perl.patch |   33 -
>   .../openssl/openssl/debian/ca.patch                |    2 +-
>   .../openssl/openssl/debian/version-script.patch    | 4663 ++++++++++++++++++++
>   .../openssl/debian1.0.2/version-script.patch       |   31 +-
>   .../openssl/openssl/fix-cipher-des-ede3-cfb1.patch |    2 +-
>   .../openssl/openssl/openssl-c_rehash.sh            |  222 +
>   .../openssl/openssl-util-perlpath.pl-cwd.patch     |   34 +
>   .../openssl/openssl/openssl_fix_for_x32.patch      |    4 +-
>   .../openssl/openssl/parallel.patch                 |   17 +-
>   .../recipes-connectivity/openssl/openssl_1.0.2h.bb |   82 -
>   .../recipes-connectivity/openssl/openssl_1.0.2k.bb |   64 +
>   27 files changed, 5200 insertions(+), 1605 deletions(-)
>   create mode 100644 meta/recipes-connectivity/openssl/openssl/0002-CVE-2017-3731.patch
>   delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2016-2177.patch
>   delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2016-2178.patch
>   delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2016-2179.patch
>   delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2016-2180.patch
>   delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2016-2181_p1.patch
>   delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2016-2181_p2.patch
>   delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2016-2181_p3.patch
>   delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2016-2182.patch
>   delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2016-6302.patch
>   delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2016-6303.patch
>   delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2016-6304.patch
>   delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2016-6306.patch
>   delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2016-8610.patch
>   create mode 100644 meta/recipes-connectivity/openssl/openssl/Use-SHA256-not-MD5-as-default-digest.patch
>   delete mode 100644 meta/recipes-connectivity/openssl/openssl/crypto_use_bigint_in_x86-64_perl.patch
>   create mode 100644 meta/recipes-connectivity/openssl/openssl/debian/version-script.patch
>   create mode 100644 meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh
>   create mode 100644 meta/recipes-connectivity/openssl/openssl/openssl-util-perlpath.pl-cwd.patch
>   delete mode 100644 meta/recipes-connectivity/openssl/openssl_1.0.2h.bb
>   create mode 100644 meta/recipes-connectivity/openssl/openssl_1.0.2k.bb
>



