Openembedded Core Discussions
 help / color / mirror / Atom feed
* [fido][PATCH 0/1] Fido OpenSSL security upgrade
@ 2016-05-11 13:18 Joshua Lock
  2016-05-11 22:27 ` Martin Jansa
  0 siblings, 1 reply; 2+ messages in thread
From: Joshua Lock @ 2016-05-11 13:18 UTC (permalink / raw)
  To: openembedded-core

Backport a patch from jethro for an OpenSSL upgrade to ensure recent CVE
fixes are included.

The following changes since commit fd27f8620ae4d95dfe07b27eee4256b0a128348a:

  gtk+_2.24.25: backport a fix for building with newer host perl (2016-05-06 15:51:15 +0100)

are available in the git repository at:

  git://git.openembedded.org/openembedded-core-contrib joshuagl/fido-next
  http://cgit.openembedded.org/cgit.cgi/openembedded-core-contrib/log/?h=joshuagl/fido-next

Robert Yang (1):
  openssl: 1.0.2d -> 1.0.2h (mainly for CVEs)

 .../openssl/0001-Add-test-for-CVE-2015-3194.patch  |  66 ---
 ...64-mont5.pl-fix-carry-propagating-bug-CVE.patch | 101 ----
 .../CVE-2015-3194-1-Add-PSS-parameter-check.patch  |  45 --
 ...CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch |  66 ---
 .../openssl/openssl/CVE-2015-3197.patch            |  63 ---
 .../openssl/openssl/CVE-2016-0701_1.patch          | 102 ----
 .../openssl/openssl/CVE-2016-0701_2.patch          | 156 ------
 .../openssl/openssl/CVE-2016-0800.patch            | 198 -------
 .../openssl/openssl/CVE-2016-0800_2.patch          | 592 ---------------------
 .../openssl/openssl/CVE-2016-0800_3.patch          | 503 -----------------
 .../openssl/crypto_use_bigint_in_x86-64_perl.patch |  14 +-
 .../openssl/debian1.0.2/block_diginotar.patch      |  17 +-
 .../{debian => debian1.0.2}/version-script.patch   |  35 +-
 ...-pointer-dereference-in-EVP_DigestInit_ex.patch |  14 +-
 .../{openssl_1.0.2d.bb => openssl_1.0.2h.bb}       |  18 +-
 15 files changed, 40 insertions(+), 1950 deletions(-)
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/0001-Add-test-for-CVE-2015-3194.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2015-3193-bn-asm-x86_64-mont5.pl-fix-carry-propagating-bug-CVE.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2015-3194-1-Add-PSS-parameter-check.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2015-3197.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2016-0701_1.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2016-0701_2.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2016-0800.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2016-0800_2.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2016-0800_3.patch
 rename meta/recipes-connectivity/openssl/openssl/{debian => debian1.0.2}/version-script.patch (99%)
 rename meta/recipes-connectivity/openssl/{openssl_1.0.2d.bb => openssl_1.0.2h.bb} (67%)

-- 
2.5.5



^ permalink raw reply	[flat|nested] 2+ messages in thread
* Re: [fido][PATCH 0/1] Fido OpenSSL security upgrade
  2016-05-11 13:18 [fido][PATCH 0/1] Fido OpenSSL security upgrade Joshua Lock
@ 2016-05-11 22:27 ` Martin Jansa
  0 siblings, 0 replies; 2+ messages in thread
From: Martin Jansa @ 2016-05-11 22:27 UTC (permalink / raw)
  To: Joshua Lock; +Cc: openembedded-core

[-- Attachment #1: Type: text/plain, Size: 3715 bytes --]

On Wed, May 11, 2016 at 02:18:03PM +0100, Joshua Lock wrote:
> Backport a patch from jethro for an OpenSSL upgrade to ensure recent CVE
> fixes are included.

Be aware that this upgrade changes the ABI of openssl because of the
changes in version-script.patch, so all the binaries built against
openssl from older fido revision may start failing to build/work. In our
builds we had 3 components (when testing upgrade to krogoth with this
version include) like this so it's not good to spread such breakage in
"release" branches.

As temporary work around I've partially reverted version-script.patch
changes to keep ABI as it was and only to add 2 new symbols required by
1.0.2h.
 
> The following changes since commit fd27f8620ae4d95dfe07b27eee4256b0a128348a:
> 
>   gtk+_2.24.25: backport a fix for building with newer host perl (2016-05-06 15:51:15 +0100)
> 
> are available in the git repository at:
> 
>   git://git.openembedded.org/openembedded-core-contrib joshuagl/fido-next
>   http://cgit.openembedded.org/cgit.cgi/openembedded-core-contrib/log/?h=joshuagl/fido-next
> 
> Robert Yang (1):
>   openssl: 1.0.2d -> 1.0.2h (mainly for CVEs)
> 
>  .../openssl/0001-Add-test-for-CVE-2015-3194.patch  |  66 ---
>  ...64-mont5.pl-fix-carry-propagating-bug-CVE.patch | 101 ----
>  .../CVE-2015-3194-1-Add-PSS-parameter-check.patch  |  45 --
>  ...CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch |  66 ---
>  .../openssl/openssl/CVE-2015-3197.patch            |  63 ---
>  .../openssl/openssl/CVE-2016-0701_1.patch          | 102 ----
>  .../openssl/openssl/CVE-2016-0701_2.patch          | 156 ------
>  .../openssl/openssl/CVE-2016-0800.patch            | 198 -------
>  .../openssl/openssl/CVE-2016-0800_2.patch          | 592 ---------------------
>  .../openssl/openssl/CVE-2016-0800_3.patch          | 503 -----------------
>  .../openssl/crypto_use_bigint_in_x86-64_perl.patch |  14 +-
>  .../openssl/debian1.0.2/block_diginotar.patch      |  17 +-
>  .../{debian => debian1.0.2}/version-script.patch   |  35 +-
>  ...-pointer-dereference-in-EVP_DigestInit_ex.patch |  14 +-
>  .../{openssl_1.0.2d.bb => openssl_1.0.2h.bb}       |  18 +-
>  15 files changed, 40 insertions(+), 1950 deletions(-)
>  delete mode 100644 meta/recipes-connectivity/openssl/openssl/0001-Add-test-for-CVE-2015-3194.patch
>  delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2015-3193-bn-asm-x86_64-mont5.pl-fix-carry-propagating-bug-CVE.patch
>  delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2015-3194-1-Add-PSS-parameter-check.patch
>  delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch
>  delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2015-3197.patch
>  delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2016-0701_1.patch
>  delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2016-0701_2.patch
>  delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2016-0800.patch
>  delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2016-0800_2.patch
>  delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2016-0800_3.patch
>  rename meta/recipes-connectivity/openssl/openssl/{debian => debian1.0.2}/version-script.patch (99%)
>  rename meta/recipes-connectivity/openssl/{openssl_1.0.2d.bb => openssl_1.0.2h.bb} (67%)
> 
> -- 
> 2.5.5
> 
> -- 
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core

-- 
Martin 'JaMa' Jansa     jabber: Martin.Jansa@gmail.com

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 188 bytes --]

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2016-05-11 22:27 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-05-11 13:18 [fido][PATCH 0/1] Fido OpenSSL security upgrade Joshua Lock
2016-05-11 22:27 ` Martin Jansa

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox