From: akuster808 <akuster808@gmail.com>
To: Otavio Salvador <otavio@ossystems.com.br>,
	 "Burton, Ross" <ross.burton@intel.com>
Cc: "yocto@yoctoproject.org" <yocto@yoctoproject.org>,
	"openembedded-core@lists.openembedded.org"
	<openembedded-core@lists.openembedded.org>
Subject: Re: [yocto] Truly scary SSL 3.0 vuln to be revealed soon:
Date: Thu, 16 Oct 2014 11:38:50 -0700
Message-ID: <544010BA.8060808@gmail.com>
In-Reply-To: <CAP9ODKrgD2WDQFd=-xPw6NvV-W-CLkVhzXMH_jAmES7z83JOXw@mail.gmail.com>



On 10/16/2014 11:27 AM, Otavio Salvador wrote:
> On Thu, Oct 16, 2014 at 1:45 PM, Burton, Ross <ross.burton@intel.com> wrote:
>> On 15 October 2014 16:31, Burton, Ross <ross.burton@intel.com> wrote:
>>> There's an openssl 1.0.1j out now (fixing FOUR (!) CVEs, including
>>> "disabling SSLv3 didn't work"...).  I think considering the situation
>>> we'd take the upgrade for dizzy, even though we've frozen.  Anyone
>>> volunteering to take lead of upgrading dizzy to 1.0.1j and backporting
>>> the relevant patches to the previous releases? (eg daisy is on
>>> 1.0.1g).
>>
>> For anyone else interested, I've currently got 1.0.1j patches for
>> dizzy in testing.  There's been debate over whether we backport the
>> fixes to daisy's 1.0.1g, or upgrade as the number of fixes is
>> growing...
>
> I think the upgrade is the way to go. We are likely to break 1.0.1g
> someday during backporting of security fixes.
>

In this case I would agree.  Updating daisy makes sense as we are only 
dealing with a minor version update.

- Armin

