* openssl: Need PRINC+1 in recipe?
From: Bryan Evenson @ 2014-04-10 20:20 UTC
To: poky@yoctoproject.org
All,
I was previously on dylan-1.4.1 and today I upgraded to poky/dylan HEAD to take in the openssl security patches. Things are rebuilding, but I noticed that the built package version is openssl-1.0.1e-r15.0, which is the same version currently installed on my system. Shouldn't the PR line change to:
PR = "${INC_PR+1}.0"
For the packaging systems to take in the update?
Thanks,
Bryan
* Re: openssl: Need PRINC+1 in recipe?
From: Alexandru Vaduva @ 2014-04-10 21:30 UTC
To: Bryan Evenson; +Cc: poky@yoctoproject.org
Sorry to hijack this conversation but I believe in the next version of poky
the package openssl should be updated and for the rest of the version a
patch should be applied to solve the newly appeared exploit.
More info here:
http://thehackernews.com/2014/04/heartbleed-openssl-zero-day-bug-leaves.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
Alex
On Thu, Apr 10, 2014 at 11:20 PM, Bryan Evenson <bevenson@melinkcorp.com> wrote:
> All,
>
> I was previously on dylan-1.4.1 and today I upgraded to poky/dylan HEAD to
> take in the openssl security patches. Things are rebuilding, but I noticed
> that the built package version is openssl-1.0.1e-r15.0, which is the same
> version currently installed on my system. Shouldn't the PR line change to:
>
> PR = "${INC_PR+1}.0"
>
> For the packaging systems to take in the update?
>
> Thanks,
> Bryan
>
>
>
> --
> _______________________________________________
> poky mailing list
> poky@yoctoproject.org
> https://lists.yoctoproject.org/listinfo/poky
>
* Re: openssl: Need PRINC+1 in recipe?
From: Denys Dmytriyenko @ 2014-04-10 21:43 UTC
To: Alexandru Vaduva; +Cc: poky@yoctoproject.org
On Fri, Apr 11, 2014 at 12:30:31AM +0300, Alexandru Vaduva wrote:
> Sorry to hijack this conversation but I believe in the next version of poky
> the package openssl should be updated and for the rest of the version a
> patch should be applied to solve the newly appeared exploit.
> More info here:
> http://thehackernews.com/2014/04/heartbleed-openssl-zero-day-bug-leaves.html
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
Yes, that's what he was referring to...
> On Thu, Apr 10, 2014 at 11:20 PM, Bryan Evenson <bevenson@melinkcorp.com> wrote:
>
> > All,
> >
> > I was previously on dylan-1.4.1 and today I upgraded to poky/dylan HEAD to
> > take in the openssl security patches. Things are rebuilding, but I noticed
> > that the built package version is openssl-1.0.1e-r15.0, which is the same
> > version currently installed on my system. Shouldn't the PR line change to:
> >
> > PR = "${INC_PR+1}.0"
> >
> > For the packaging systems to take in the update?
Well, I guess people are so used to not caring about tracking PRs anymore,
they forget to bump them when backporting fixes to older branches. Paul?
--
Denys
* Re: openssl: Need PRINC+1 in recipe?
From: Paul Eggleton @ 2014-04-11 12:46 UTC
To: Denys Dmytriyenko, Alexandru Vaduva; +Cc: poky
On Thursday 10 April 2014 17:43:18 Denys Dmytriyenko wrote:
> On Fri, Apr 11, 2014 at 12:30:31AM +0300, Alexandru Vaduva wrote:
> > Sorry to hijack this conversation but I believe in the next version of
> > poky the package openssl should be updated and for the rest of the version
> > a patch should be applied to solve the newly appeared exploit.
> > More info here:
> > http://thehackernews.com/2014/04/heartbleed-openssl-zero-day-bug-leaves.html
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
Just for reference this bug has been fixed in master (by an upgrade to 1.0.1g)
and both dora and dylan. For dora and dylan only the patch to fix the bug was
backported rather than the full upgrade (along with three other OpenSSL CVEs).
> > On Thu, Apr 10, 2014 at 11:20 PM, Bryan Evenson <bevenson@melinkcorp.com> wrote:
> > > All,
> > >
> > > I was previously on dylan-1.4.1 and today I upgraded to poky/dylan HEAD
> > > to take in the openssl security patches. Things are rebuilding, but I
> > > noticed that the built package version is openssl-1.0.1e-r15.0, which is
> > > the same version currently installed on my system. Shouldn't the PR line
> > > change to:
> > >
> > > PR = "${INC_PR+1}.0"
> > >
> > > For the packaging systems to take in the update?
>
> Well, I guess people are so used to not caring about tracking PRs anymore,
> they forget to bump them when backporting fixes to older branches. Paul?
It seems to me that we already decided for dylan not to bump PR values as part
of standard procedure on changes - I am struggling to find a citation for this
though. However, given the severity of this bug, for people's peace of mind I
have sent out a PR bump patch for openssl for both dylan and dora, so it's a
little easier to tell you have the patch applied.
Cheers,
Paul
--
Paul Eggleton
Intel Open Source Technology Centre
* Re: openssl: Need PRINC+1 in recipe?
From: Paul Eggleton @ 2014-04-11 12:52 UTC
To: Denys Dmytriyenko, Bryan Evenson; +Cc: poky
On Friday 11 April 2014 13:46:50 Paul Eggleton wrote:
> On Thursday 10 April 2014 17:43:18 Denys Dmytriyenko wrote:
> > On Fri, Apr 11, 2014 at 12:30:31AM +0300, Alexandru Vaduva wrote:
> > > Sorry to hijack this conversation but I believe in the next version of
> > > poky the package openssl should be updated and for the rest of the
> > > version a patch should be applied to solve the newly appeared exploit.
> > > More info here:
> > > http://thehackernews.com/2014/04/heartbleed-openssl-zero-day-bug-leaves.html
> > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
>
> Just for reference this bug has been fixed in master (by an upgrade to
> 1.0.1g) and both dora and dylan. For dora and dylan only the patch to fix
> the bug was backported rather than the full upgrade (along with three other
> OpenSSL CVEs).
> > > On Thu, Apr 10, 2014 at 11:20 PM, Bryan Evenson <bevenson@melinkcorp.com> wrote:
> > > > All,
> > > >
> > > > I was previously on dylan-1.4.1 and today I upgraded to poky/dylan
> > > > HEAD to take in the openssl security patches. Things are rebuilding,
> > > > but I noticed that the built package version is openssl-1.0.1e-r15.0,
> > > > which is the same version currently installed on my system. Shouldn't
> > > > the PR line change to:
> > > >
> > > > PR = "${INC_PR+1}.0"
> > > >
> > > > For the packaging systems to take in the update?
> >
> > Well, I guess people are so used to not caring about tracking PRs anymore,
> > they forget to bump them when backporting fixes to older branches. Paul?
>
> It seems to me that we already decided for dylan not to bump PR values as
> part of standard procedure on changes - I am struggling to find a citation
> for this though. However, given the severity of this bug, for people's
> peace of mind I have sent out a PR bump patch for openssl for both dylan
> and dora, so it's a little easier to tell you have the patch applied.
I perhaps neglected to mention, if you are maintaining a package feed
and therefore need PR values to increment automatically on changes,
you should enable the PR service:
http://www.yoctoproject.org/docs/current/dev-manual/dev-manual.html#incrementing-a-package-revision-number
Cheers,
Paul
--
Paul Eggleton
Intel Open Source Technology Centre
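The point of the thread is that a rebuilt package with an unchanged PV-PR string is invisible to a package feed client. The Python below is an added example, not code from the thread, from Poky or from opkg: it reimplements the dpkg/opkg-style version ordering a feed client applies and checks whether a feed version would actually replace the installed one, using the thread's openssl-1.0.1e-r15.0 and constructed bumped versions as samples (epoch handling is omitted).

```python
# Added example (not from the thread or the opkg sources): dpkg/opkg-style
# version ordering, to check whether a feed would offer a rebuilt package.
def _order(c):
    # Weight of a non-digit char: '~' < end-of-string < letters < punctuation.
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # Alternate between non-digit runs (lexical by _order) and numeric runs.
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0":  # leading zeros are insignificant
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():  # longer numeric run wins
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def compare_versions(a, b):
    # Yocto package versions are PV-PR (epoch omitted here); PR is after the last '-'.
    ua, _, ra = a.rpartition("-") if "-" in a else (a, "", "")
    ub, _, rb = b.rpartition("-") if "-" in b else (b, "", "")
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def feed_offers_upgrade(installed, in_feed):
    # A feed client only replaces the installed package when the feed version sorts higher.
    return compare_versions(in_feed, installed) > 0

# Constructed samples: the unbumped rebuild from the thread vs. a PR-bumped one.
SAME_PR = feed_offers_upgrade("1.0.1e-r15.0", "1.0.1e-r15.0")  # False
BUMPED_PR = feed_offers_upgrade("1.0.1e-r15.0", "1.0.1e-r16.0")  # True
```

A patched build that keeps r15.0 therefore never reaches devices through the feed, which is why either a manual PR bump or the PR service is needed.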