* [PATCH 0/1][Dizzy] serf: uprev to 1.3.7 for fixing CVE-2014-3504
@ 2014-11-21 6:02 wenzong.fan
2014-11-21 6:02 ` [PATCH 1/1][Dizzy] " wenzong.fan
0 siblings, 1 reply; 2+ messages in thread
From: wenzong.fan @ 2014-11-21 6:02 UTC (permalink / raw)
To: openembedded-core
From: Wenzong Fan <wenzong.fan@windriver.com>
The (1) serf_ssl_cert_issuer, (2) serf_ssl_cert_subject, and (3) serf_-
ssl_cert_certificate functions in Serf 0.2.0 through 1.3.x before 1.3.7
does not properly handle a NUL byte in a domain name in the subject's
Common Name (CN) field of an X.509 certificate, which allows man-in-
the-middle attackers to spoof arbitrary SSL servers via a crafted
certificate issued by a legitimate Certification Authority.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3504
The following changes since commit 081fddd3e464935e5f438a7686eb8f8856da6281:
bitbake: data_smart.py: fix variable splitting at _remove mechanism (2014-11-19 10:46:41 +0000)
are available in the git repository at:
git://git.pokylinux.org/poky-contrib wenzong/dizzy
http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=wenzong/dizzy
Wenzong Fan (1):
serf: uprev to 1.3.7 for fixing CVE-2014-3504
.../serf/{serf_1.3.6.bb => serf_1.3.7.bb} | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
rename meta/recipes-support/serf/{serf_1.3.6.bb => serf_1.3.7.bb} (82%)
--
1.7.9.5
^ permalink raw reply [flat|nested] 2+ messages in thread* [PATCH 1/1][Dizzy] serf: uprev to 1.3.7 for fixing CVE-2014-3504 2014-11-21 6:02 [PATCH 0/1][Dizzy] serf: uprev to 1.3.7 for fixing CVE-2014-3504 wenzong.fan @ 2014-11-21 6:02 ` wenzong.fan 0 siblings, 0 replies; 2+ messages in thread From: wenzong.fan @ 2014-11-21 6:02 UTC (permalink / raw) To: openembedded-core From: Wenzong Fan <wenzong.fan@windriver.com> The (1) serf_ssl_cert_issuer, (2) serf_ssl_cert_subject, and (3) serf_- ssl_cert_certificate functions in Serf 0.2.0 through 1.3.x before 1.3.7 does not properly handle a NUL byte in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in- the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3504 Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> --- .../serf/{serf_1.3.6.bb => serf_1.3.7.bb} | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) rename meta/recipes-support/serf/{serf_1.3.6.bb => serf_1.3.7.bb} (82%) diff --git a/meta/recipes-support/serf/serf_1.3.6.bb b/meta/recipes-support/serf/serf_1.3.7.bb similarity index 82% rename from meta/recipes-support/serf/serf_1.3.6.bb rename to meta/recipes-support/serf/serf_1.3.7.bb index 08b04d3..5230ef7 100644 --- a/meta/recipes-support/serf/serf_1.3.6.bb +++ b/meta/recipes-support/serf/serf_1.3.7.bb @@ -1,8 +1,8 @@ -SRC_URI = "http://serf.googlecode.com/svn/src_releases/serf-1.3.6.tar.bz2 \ +SRC_URI = "http://serf.googlecode.com/svn/src_releases/serf-1.3.7.tar.bz2 \ file://norpath.patch" -SRC_URI[md5sum] = "7fe38fa6eab078e0beabf291d8e4995d" -SRC_URI[sha256sum] = "ca637beb0399797d4fc7ffa85e801733cd9c876997fac4a4fd12e9afe86563f2" +SRC_URI[md5sum] = "0a6fa745df4517dd8f79c75c538919bc" +SRC_URI[sha256sum] = "ecccb74e665e6ea7539271e126a21d0f7eeddfeaa8ce090adb3aec6682f9f0ae" LICENSE = "Apache-2.0" LIC_FILES_CHKSUM = "file://LICENSE;md5=86d3f3a95c324c9479bd8986968f4327" -- 1.7.9.5 ^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2014-11-21 6:02 UTC | newest] Thread overview: 2+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2014-11-21 6:02 [PATCH 0/1][Dizzy] serf: uprev to 1.3.7 for fixing CVE-2014-3504 wenzong.fan 2014-11-21 6:02 ` [PATCH 1/1][Dizzy] " wenzong.fan
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox