From: Patrick Ohly <patrick.ohly@intel.com>
To: Paul Eggleton <paul.eggleton@linux.intel.com>
Cc: openembedded-core@lists.openembedded.org,
Armin Kuster <akuster@mvista.com>
Subject: Re: [master][PATCH] openssl: security fix CVE-2016-6304
Date: Fri, 23 Sep 2016 17:20:06 +0200 [thread overview]
Message-ID: <1474644006.8561.15.camel@intel.com> (raw)
In-Reply-To: <5465751.PuAniykgrn@peggleto-mobl.ger.corp.intel.com>
[resending from my Intel account, the one on GMX isn't subscribed]
On Fri, 2016-09-23 at 21:06 +1200, Paul Eggleton wrote:
> On Fri, 23 Sep 2016 11:56:41 Maxin B. John wrote:
> > On Fri, Sep 23, 2016 at 04:48:37PM +0800, Anuj Mittal wrote:
> > > Reference:
> > > https://www.openssl.org/news/secadv/20160922.txt
> > >
> > > Upstream fix:
> > > https://github.com/openssl/openssl/commit/e408c09bbf7c3057bda4b8d20bec1b3a
> > > 7771c15b
> > >
> > > Signed-off-by: Anuj Mittal <anujx.mittal@intel.com>
> > > ---
> > >
> > > .../openssl/openssl/CVE-2016-6304.patch | 75
> > > ++++++++++++++++++++++
> > Mid air collision with Patrick's patch.
>
> I guess for krogoth and jethro we have the choice of applying just this fix or
> the upgrade. Looking over the commits for 1.0.2i it does look like quite a lot
> more than the list of CVEs in the recent security advisory were fixed, and
> it's somewhat concerning that the 1.0.2i release went out with an apparently
> compile-breaking typo in it (subsequently fixed, patch applied in Patrick's
> upgrade).
The compile error is inside an #ifdef, so it could be that just that
particular configuration hadn't been tested. But yes, one has to wonder.
So what's preferred for OE-core master and the 2.2 release? Updating to
1.0.2i or backporting the critical patch?
I don't have any strong opinion either way myself.
--
Best Regards, Patrick Ohly
The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.
next prev parent reply other threads:[~2016-09-23 15:20 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-09-23 8:48 [master][PATCH] openssl: security fix CVE-2016-6304 Anuj Mittal
2016-09-23 8:56 ` Maxin B. John
2016-09-23 9:06 ` Paul Eggleton
2016-09-23 15:20 ` Patrick Ohly [this message]
2016-09-26 12:40 ` Alexander Kanavin
2016-09-23 16:59 ` akuster808
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1474644006.8561.15.camel@intel.com \
--to=patrick.ohly@intel.com \
--cc=akuster@mvista.com \
--cc=openembedded-core@lists.openembedded.org \
--cc=paul.eggleton@linux.intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox