Re: [fido][PATCH 0/1] Fido OpenSSL security upgrade

[Martin Jansa <martin.jansa@gmail.com>]

[-- Attachment #1: Type: text/plain, Size: 3715 bytes --]

On Wed, May 11, 2016 at 02:18:03PM +0100, Joshua Lock wrote:
> Backport a patch from jethro for an OpenSSL upgrade to ensure recent CVE
> fixes are included.

Be aware that this upgrade changes the ABI of openssl because of the
changes in version-script.patch, so all the binaries built against
openssl from older fido revision may start failing to build/work. In our
builds we had 3 components (when testing upgrade to krogoth with this
version include) like this so it's not good to spread such breakage in
"release" branches.

As temporary work around I've partially reverted version-script.patch
changes to keep ABI as it was and only to add 2 new symbols required by
1.0.2h.
 
> The following changes since commit fd27f8620ae4d95dfe07b27eee4256b0a128348a:
> 
>   gtk+_2.24.25: backport a fix for building with newer host perl (2016-05-06 15:51:15 +0100)
> 
> are available in the git repository at:
> 
>   git://git.openembedded.org/openembedded-core-contrib joshuagl/fido-next
>   http://cgit.openembedded.org/cgit.cgi/openembedded-core-contrib/log/?h=joshuagl/fido-next
> 
> Robert Yang (1):
>   openssl: 1.0.2d -> 1.0.2h (mainly for CVEs)
> 
>  .../openssl/0001-Add-test-for-CVE-2015-3194.patch  |  66 ---
>  ...64-mont5.pl-fix-carry-propagating-bug-CVE.patch | 101 ----
>  .../CVE-2015-3194-1-Add-PSS-parameter-check.patch  |  45 --
>  ...CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch |  66 ---
>  .../openssl/openssl/CVE-2015-3197.patch            |  63 ---
>  .../openssl/openssl/CVE-2016-0701_1.patch          | 102 ----
>  .../openssl/openssl/CVE-2016-0701_2.patch          | 156 ------
>  .../openssl/openssl/CVE-2016-0800.patch            | 198 -------
>  .../openssl/openssl/CVE-2016-0800_2.patch          | 592 ---------------------
>  .../openssl/openssl/CVE-2016-0800_3.patch          | 503 -----------------
>  .../openssl/crypto_use_bigint_in_x86-64_perl.patch |  14 +-
>  .../openssl/debian1.0.2/block_diginotar.patch      |  17 +-
>  .../{debian => debian1.0.2}/version-script.patch   |  35 +-
>  ...-pointer-dereference-in-EVP_DigestInit_ex.patch |  14 +-
>  .../{openssl_1.0.2d.bb => openssl_1.0.2h.bb}       |  18 +-
>  15 files changed, 40 insertions(+), 1950 deletions(-)
>  delete mode 100644 meta/recipes-connectivity/openssl/openssl/0001-Add-test-for-CVE-2015-3194.patch
>  delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2015-3193-bn-asm-x86_64-mont5.pl-fix-carry-propagating-bug-CVE.patch
>  delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2015-3194-1-Add-PSS-parameter-check.patch
>  delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch
>  delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2015-3197.patch
>  delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2016-0701_1.patch
>  delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2016-0701_2.patch
>  delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2016-0800.patch
>  delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2016-0800_2.patch
>  delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2016-0800_3.patch
>  rename meta/recipes-connectivity/openssl/openssl/{debian => debian1.0.2}/version-script.patch (99%)
>  rename meta/recipes-connectivity/openssl/{openssl_1.0.2d.bb => openssl_1.0.2h.bb} (67%)
> 
> -- 
> 2.5.5
> 
> -- 
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core

-- 
Martin 'JaMa' Jansa     jabber: Martin.Jansa@gmail.com

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 188 bytes --]