* [PATCH 0/1] openssl security upgrade
@ 2012-03-20 18:10 Scott Garman
2012-03-20 18:11 ` [PATCH 1/1] openssl: upgrade to 1.0.0.h Scott Garman
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Scott Garman @ 2012-03-20 18:10 UTC (permalink / raw)
To: openembedded-core
Hello,
This upgrade to the openssl recipe addresses a security vulnerability,
CVE-2012-0884. I would like to ensure it gets included in our upcoming
1.2 release.
This upgrade has been build-tested on all 5 of our qemu architectures,
and I have inspected the image and package output to ensure there were
no significant differences between the output of this recipe upgrade
and the last version of openssl we were using.
Scott
The following changes since commit 5d404fdb36b0535ce758d98408b02134cdbce4ee:
xserver-kdrive: compile xserver without dtrace support (2012-03-20 15:21:18 +0000)
are available in the git repository at:
git://git.pokylinux.org/poky-contrib sgarman/openssl-upgrade-oe
http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=sgarman/openssl-upgrade-oe
Scott Garman (1):
openssl: upgrade to 1.0.0.h
.../openssl/openssl-1.0.0g/debian/pkg-config.patch | 36 --------------------
.../configure-targets.patch | 0
.../debian/c_rehash-compat.patch | 0
.../debian/ca.patch | 0
.../debian/debian-targets.patch | 0
.../debian/make-targets.patch | 0
.../debian/man-dir.patch | 0
.../debian/man-section.patch | 0
.../debian/no-rpath.patch | 0
.../debian/no-symbolic.patch | 0
.../debian/pic.patch | 0
.../debian/version-script.patch | 0
.../engines-install-in-libdir-ssl.patch | 0
.../oe-ldflags.patch | 0
.../openssl-fix-link.patch | 0
.../openssl_fix_for_x32.patch | 0
.../shared-libs.patch | 0
.../{openssl_1.0.0g.bb => openssl_1.0.0h.bb} | 5 +--
18 files changed, 2 insertions(+), 39 deletions(-)
delete mode 100644 meta/recipes-connectivity/openssl/openssl-1.0.0g/debian/pkg-config.patch
rename meta/recipes-connectivity/openssl/{openssl-1.0.0g => openssl-1.0.0h}/configure-targets.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl-1.0.0g => openssl-1.0.0h}/debian/c_rehash-compat.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl-1.0.0g => openssl-1.0.0h}/debian/ca.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl-1.0.0g => openssl-1.0.0h}/debian/debian-targets.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl-1.0.0g => openssl-1.0.0h}/debian/make-targets.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl-1.0.0g => openssl-1.0.0h}/debian/man-dir.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl-1.0.0g => openssl-1.0.0h}/debian/man-section.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl-1.0.0g => openssl-1.0.0h}/debian/no-rpath.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl-1.0.0g => openssl-1.0.0h}/debian/no-symbolic.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl-1.0.0g => openssl-1.0.0h}/debian/pic.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl-1.0.0g => openssl-1.0.0h}/debian/version-script.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl-1.0.0g => openssl-1.0.0h}/engines-install-in-libdir-ssl.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl-1.0.0g => openssl-1.0.0h}/oe-ldflags.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl-1.0.0g => openssl-1.0.0h}/openssl-fix-link.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl-1.0.0g => openssl-1.0.0h}/openssl_fix_for_x32.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl-1.0.0g => openssl-1.0.0h}/shared-libs.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl_1.0.0g.bb => openssl_1.0.0h.bb} (87%)
--
1.7.5.4
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH 1/1] openssl: upgrade to 1.0.0.h
2012-03-20 18:10 [PATCH 0/1] openssl security upgrade Scott Garman
@ 2012-03-20 18:11 ` Scott Garman
2012-03-21 0:35 ` [PATCH 0/1] openssl security upgrade Scott Garman
2012-03-21 14:05 ` Richard Purdie
2 siblings, 0 replies; 4+ messages in thread
From: Scott Garman @ 2012-03-20 18:11 UTC (permalink / raw)
To: openembedded-core
Removed pkg-config.patch, which was incorporated upstream.
Addresses CVE-2012-0884.
Fixes bug [YOCTO #2139].
Signed-off-by: Scott Garman <scott.a.garman@intel.com>
---
.../openssl/openssl-1.0.0g/debian/pkg-config.patch | 36 --------------------
.../configure-targets.patch | 0
.../debian/c_rehash-compat.patch | 0
.../debian/ca.patch | 0
.../debian/debian-targets.patch | 0
.../debian/make-targets.patch | 0
.../debian/man-dir.patch | 0
.../debian/man-section.patch | 0
.../debian/no-rpath.patch | 0
.../debian/no-symbolic.patch | 0
.../debian/pic.patch | 0
.../debian/version-script.patch | 0
.../engines-install-in-libdir-ssl.patch | 0
.../oe-ldflags.patch | 0
.../openssl-fix-link.patch | 0
.../openssl_fix_for_x32.patch | 0
.../shared-libs.patch | 0
.../{openssl_1.0.0g.bb => openssl_1.0.0h.bb} | 5 +--
18 files changed, 2 insertions(+), 39 deletions(-)
delete mode 100644 meta/recipes-connectivity/openssl/openssl-1.0.0g/debian/pkg-config.patch
rename meta/recipes-connectivity/openssl/{openssl-1.0.0g => openssl-1.0.0h}/configure-targets.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl-1.0.0g => openssl-1.0.0h}/debian/c_rehash-compat.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl-1.0.0g => openssl-1.0.0h}/debian/ca.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl-1.0.0g => openssl-1.0.0h}/debian/debian-targets.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl-1.0.0g => openssl-1.0.0h}/debian/make-targets.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl-1.0.0g => openssl-1.0.0h}/debian/man-dir.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl-1.0.0g => openssl-1.0.0h}/debian/man-section.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl-1.0.0g => openssl-1.0.0h}/debian/no-rpath.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl-1.0.0g => openssl-1.0.0h}/debian/no-symbolic.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl-1.0.0g => openssl-1.0.0h}/debian/pic.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl-1.0.0g => openssl-1.0.0h}/debian/version-script.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl-1.0.0g => openssl-1.0.0h}/engines-install-in-libdir-ssl.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl-1.0.0g => openssl-1.0.0h}/oe-ldflags.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl-1.0.0g => openssl-1.0.0h}/openssl-fix-link.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl-1.0.0g => openssl-1.0.0h}/openssl_fix_for_x32.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl-1.0.0g => openssl-1.0.0h}/shared-libs.patch (100%)
rename meta/recipes-connectivity/openssl/{openssl_1.0.0g.bb => openssl_1.0.0h.bb} (87%)
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.0g/debian/pkg-config.patch b/meta/recipes-connectivity/openssl/openssl-1.0.0g/debian/pkg-config.patch
deleted file mode 100644
index 0f1f392..0000000
--- a/meta/recipes-connectivity/openssl/openssl-1.0.0g/debian/pkg-config.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-Upstream-Status: Backport [debian]
-
-Index: openssl-1.0.0c/Makefile.org
-===================================================================
---- openssl-1.0.0c.orig/Makefile.org 2010-12-12 16:13:28.000000000 +0100
-+++ openssl-1.0.0c/Makefile.org 2010-12-12 17:01:49.000000000 +0100
-@@ -323,7 +323,8 @@
- echo 'Description: OpenSSL cryptography library'; \
- echo 'Version: '$(VERSION); \
- echo 'Requires: '; \
-- echo 'Libs: -L$${libdir} -lcrypto $(EX_LIBS)'; \
-+ echo 'Libs: -L$${libdir} -lcrypto'; \
-+ echo 'Libs.private: $(EX_LIBS)'; \
- echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libcrypto.pc
-
- libssl.pc: Makefile
-@@ -336,7 +337,8 @@
- echo 'Description: Secure Sockets Layer and cryptography libraries'; \
- echo 'Version: '$(VERSION); \
- echo 'Requires: '; \
-- echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)'; \
-+ echo 'Libs: -L$${libdir} -lssl'; \
-+ echo 'Libs.private: -lcrypto $(EX_LIBS)'; \
- echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libssl.pc
-
- openssl.pc: Makefile
-@@ -349,7 +351,8 @@
- echo 'Description: Secure Sockets Layer and cryptography libraries and tools'; \
- echo 'Version: '$(VERSION); \
- echo 'Requires: '; \
-- echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)'; \
-+ echo 'Libs: -L$${libdir} -lssl -lcrypto'; \
-+ echo 'Libs.private: $(EX_LIBS)'; \
- echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc
-
- Makefile: Makefile.org Configure config
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.0g/configure-targets.patch b/meta/recipes-connectivity/openssl/openssl-1.0.0h/configure-targets.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.0g/configure-targets.patch
rename to meta/recipes-connectivity/openssl/openssl-1.0.0h/configure-targets.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.0g/debian/c_rehash-compat.patch b/meta/recipes-connectivity/openssl/openssl-1.0.0h/debian/c_rehash-compat.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.0g/debian/c_rehash-compat.patch
rename to meta/recipes-connectivity/openssl/openssl-1.0.0h/debian/c_rehash-compat.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.0g/debian/ca.patch b/meta/recipes-connectivity/openssl/openssl-1.0.0h/debian/ca.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.0g/debian/ca.patch
rename to meta/recipes-connectivity/openssl/openssl-1.0.0h/debian/ca.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.0g/debian/debian-targets.patch b/meta/recipes-connectivity/openssl/openssl-1.0.0h/debian/debian-targets.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.0g/debian/debian-targets.patch
rename to meta/recipes-connectivity/openssl/openssl-1.0.0h/debian/debian-targets.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.0g/debian/make-targets.patch b/meta/recipes-connectivity/openssl/openssl-1.0.0h/debian/make-targets.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.0g/debian/make-targets.patch
rename to meta/recipes-connectivity/openssl/openssl-1.0.0h/debian/make-targets.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.0g/debian/man-dir.patch b/meta/recipes-connectivity/openssl/openssl-1.0.0h/debian/man-dir.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.0g/debian/man-dir.patch
rename to meta/recipes-connectivity/openssl/openssl-1.0.0h/debian/man-dir.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.0g/debian/man-section.patch b/meta/recipes-connectivity/openssl/openssl-1.0.0h/debian/man-section.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.0g/debian/man-section.patch
rename to meta/recipes-connectivity/openssl/openssl-1.0.0h/debian/man-section.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.0g/debian/no-rpath.patch b/meta/recipes-connectivity/openssl/openssl-1.0.0h/debian/no-rpath.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.0g/debian/no-rpath.patch
rename to meta/recipes-connectivity/openssl/openssl-1.0.0h/debian/no-rpath.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.0g/debian/no-symbolic.patch b/meta/recipes-connectivity/openssl/openssl-1.0.0h/debian/no-symbolic.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.0g/debian/no-symbolic.patch
rename to meta/recipes-connectivity/openssl/openssl-1.0.0h/debian/no-symbolic.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.0g/debian/pic.patch b/meta/recipes-connectivity/openssl/openssl-1.0.0h/debian/pic.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.0g/debian/pic.patch
rename to meta/recipes-connectivity/openssl/openssl-1.0.0h/debian/pic.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.0g/debian/version-script.patch b/meta/recipes-connectivity/openssl/openssl-1.0.0h/debian/version-script.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.0g/debian/version-script.patch
rename to meta/recipes-connectivity/openssl/openssl-1.0.0h/debian/version-script.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.0g/engines-install-in-libdir-ssl.patch b/meta/recipes-connectivity/openssl/openssl-1.0.0h/engines-install-in-libdir-ssl.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.0g/engines-install-in-libdir-ssl.patch
rename to meta/recipes-connectivity/openssl/openssl-1.0.0h/engines-install-in-libdir-ssl.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.0g/oe-ldflags.patch b/meta/recipes-connectivity/openssl/openssl-1.0.0h/oe-ldflags.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.0g/oe-ldflags.patch
rename to meta/recipes-connectivity/openssl/openssl-1.0.0h/oe-ldflags.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.0g/openssl-fix-link.patch b/meta/recipes-connectivity/openssl/openssl-1.0.0h/openssl-fix-link.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.0g/openssl-fix-link.patch
rename to meta/recipes-connectivity/openssl/openssl-1.0.0h/openssl-fix-link.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.0g/openssl_fix_for_x32.patch b/meta/recipes-connectivity/openssl/openssl-1.0.0h/openssl_fix_for_x32.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.0g/openssl_fix_for_x32.patch
rename to meta/recipes-connectivity/openssl/openssl-1.0.0h/openssl_fix_for_x32.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.0g/shared-libs.patch b/meta/recipes-connectivity/openssl/openssl-1.0.0h/shared-libs.patch
similarity index 100%
rename from meta/recipes-connectivity/openssl/openssl-1.0.0g/shared-libs.patch
rename to meta/recipes-connectivity/openssl/openssl-1.0.0h/shared-libs.patch
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.0g.bb b/meta/recipes-connectivity/openssl/openssl_1.0.0h.bb
similarity index 87%
rename from meta/recipes-connectivity/openssl/openssl_1.0.0g.bb
rename to meta/recipes-connectivity/openssl/openssl_1.0.0h.bb
index 8ffe931..744fe2a 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.0.0g.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.0.0h.bb
@@ -26,14 +26,13 @@ SRC_URI += "file://configure-targets.patch \
file://debian/no-rpath.patch \
file://debian/man-dir.patch \
file://debian/man-section.patch \
- file://debian/pkg-config.patch \
file://debian/no-symbolic.patch \
file://debian/debian-targets.patch \
file://openssl_fix_for_x32.patch \
"
-SRC_URI[md5sum] = "07ecbe4324f140d157478637d6beccf1"
-SRC_URI[sha256sum] = "905106a1505e7d9f7c36ee81408d3aa3d41aac291a9603d0c290c9530c92fc2c"
+SRC_URI[md5sum] = "a5bc483c570f2ac3758ce5c19b667fab"
+SRC_URI[sha256sum] = "7e3dfc21aa57ed33ea673170053d1921322803b8a6a624a4f0d2e4c308bd418d"
PACKAGES =+ " \
${PN}-engines \
--
1.7.5.4
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH 0/1] openssl security upgrade
2012-03-20 18:10 [PATCH 0/1] openssl security upgrade Scott Garman
2012-03-20 18:11 ` [PATCH 1/1] openssl: upgrade to 1.0.0.h Scott Garman
@ 2012-03-21 0:35 ` Scott Garman
2012-03-21 14:05 ` Richard Purdie
2 siblings, 0 replies; 4+ messages in thread
From: Scott Garman @ 2012-03-21 0:35 UTC (permalink / raw)
To: openembedded-core
On 03/20/2012 11:10 AM, Scott Garman wrote:
> Hello,
>
> This upgrade to the openssl recipe addresses a security vulnerability,
> CVE-2012-0884. I would like to ensure it gets included in our upcoming
> 1.2 release.
>
> This upgrade has been build-tested on all 5 of our qemu architectures,
> and I have inspected the image and package output to ensure there were
> no significant differences between the output of this recipe upgrade
> and the last version of openssl we were using.
I had forgotten to update the distro_tracking fields with this pull
request - so I've pushed a commit onto this branch to do so.
Scott
--
Scott Garman
Embedded Linux Engineer - Yocto Project
Intel Open Source Technology Center
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH 0/1] openssl security upgrade
2012-03-20 18:10 [PATCH 0/1] openssl security upgrade Scott Garman
2012-03-20 18:11 ` [PATCH 1/1] openssl: upgrade to 1.0.0.h Scott Garman
2012-03-21 0:35 ` [PATCH 0/1] openssl security upgrade Scott Garman
@ 2012-03-21 14:05 ` Richard Purdie
2 siblings, 0 replies; 4+ messages in thread
From: Richard Purdie @ 2012-03-21 14:05 UTC (permalink / raw)
To: Patches and discussions about the oe-core layer
On Tue, 2012-03-20 at 11:10 -0700, Scott Garman wrote:
> This upgrade to the openssl recipe addresses a security vulnerability,
> CVE-2012-0884. I would like to ensure it gets included in our upcoming
> 1.2 release.
>
> This upgrade has been build-tested on all 5 of our qemu architectures,
> and I have inspected the image and package output to ensure there were
> no significant differences between the output of this recipe upgrade
> and the last version of openssl we were using.
Merged to master, thanks.
Richard
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2012-03-21 14:14 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2012-03-20 18:10 [PATCH 0/1] openssl security upgrade Scott Garman
2012-03-20 18:11 ` [PATCH 1/1] openssl: upgrade to 1.0.0.h Scott Garman
2012-03-21 0:35 ` [PATCH 0/1] openssl security upgrade Scott Garman
2012-03-21 14:05 ` Richard Purdie
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox