From: Patrick Ohly <patrick.ohly@intel.com>
To: Paul Eggleton <paul.eggleton@linux.intel.com>
Cc: openembedded-core@lists.openembedded.org,
Armin Kuster <akuster@mvista.com>
Subject: Re: [master][PATCH] openssl: security fix CVE-2016-6304
Date: Fri, 23 Sep 2016 17:20:06 +0200
Message-ID: <1474644006.8561.15.camel@intel.com>
In-Reply-To: <5465751.PuAniykgrn@peggleto-mobl.ger.corp.intel.com>

[resending from my Intel account, the one on GMX isn't subscribed]

On Fri, 2016-09-23 at 21:06 +1200, Paul Eggleton wrote:
> On Fri, 23 Sep 2016 11:56:41 Maxin B. John wrote:
> > On Fri, Sep 23, 2016 at 04:48:37PM +0800, Anuj Mittal wrote:
> > > Reference:
> > > https://www.openssl.org/news/secadv/20160922.txt
> > >
> > > Upstream fix:
> > > https://github.com/openssl/openssl/commit/e408c09bbf7c3057bda4b8d20bec1b3a7771c15b
> > >
> > > Signed-off-by: Anuj Mittal <anujx.mittal@intel.com>
> > > ---
> > >
> > > .../openssl/openssl/CVE-2016-6304.patch | 75
> > > ++++++++++++++++++++++
> > Mid air collision with Patrick's patch.
>
> I guess for krogoth and jethro we have the choice of applying just this fix or
> the upgrade. Looking over the commits for 1.0.2i it does look like quite a lot
> more than the list of CVEs in the recent security advisory were fixed, and
> it's somewhat concerning that the 1.0.2i release went out with an apparently
> compile-breaking typo in it (subsequently fixed, patch applied in Patrick's
> upgrade).

The compile error is inside an #ifdef, so it could be that just that
particular configuration hadn't been tested. But yes, one has to wonder.

So what's preferred for OE-core master and the 2.2 release? Updating to
1.0.2i or backporting the critical patch?

I don't have any strong opinion either way myself.

--
Best Regards, Patrick Ohly
The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.