openssl: upgrade to 1.0.2k

Following vulnerabilities have been solved between 1.0.2h and
1.0.2k releases:

Vulnerabilities detected in 1.0.2h and fixed in 1.0.2i
======================================================
Ref: https://www.openssl.org/news/secadv/20160922.txt
CVE-2016-6304 (High): OCSP Status Request extension unbounded memory growth
CVE-2016-2183 (Low): SWEET32 Mitigation
CVE-2016-6303 (Low): OOB write in MDC2_Update()
CVE-2016-6302 (Low): Malformed SHA512 ticket DoS
CVE-2016-2182 (Low): OOB write in BN_bn2dec()
CVE-2016-2180 (Low): OOB read in TS_OBJ_print_bio()
CVE-2016-2177 (Low): Pointer arithmetic undefined behaviour
CVE-2016-2178 (Low): Constant time flag not preserved in DSA signing
CVE-2016-2179 (Low): DTLS buffered message DoS
CVE-2016-2181 (Low): DTLS replay protection DoS
CVE-2016-6306 (Low): Certificate message OOB reads

Vulnerabilities detected in 1.0.ih and fixed in 1.0.2j
======================================================
https://www.openssl.org/news/secadv/20160926.txt
CVE-2016-7052 (Moderate): This issue only affects OpenSSL 1.0.2i

1.0.2j - 1.0.2k
Vulnerabilities detected in 1.0.2j and fixed in 1.0.2k
======================================================
CVE-2017-3731 (Moderate): For Openssl 1.0.2, the crash can be triggered when using
RC4-MD5; users who have not disabled that algorithm should update to 1.0.2k

CVE-2017-3732 (Moderate): BN_mod_exp may produce incorrect results on x86_64
CVE-2016-7055 (Low):  Montgomery multiplication may produce incorrect results

References:
https://www.openssl.org/news/secadv/20160922.txt
https://www.openssl.org/news/secadv/20160926.txt
https://www.openssl.org/news/secadv/20170126.txt

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>

1 files changed, 35 insertions, 0 deletions

diff --git a/meta/recipes-connectivity/openssl/openssl/openssl-util-perlpath.pl-cwd.patch b/meta/recipes-connectivity/openssl/openssl/openssl-util-perlpath.pl-cwd.patch
new file mode 100644
index 0000000000..e975a4e7db
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/openssl-util-perlpath.pl-cwd.patch
@@ -0,0 +1,35 @@
+From e427748f3bb5d37e78dc8d70a558c373aa8ababb Mon Sep 17 00:00:00 2001
+From: Robert Yang <liezhi.yang@windriver.com>
+Date: Mon, 19 Sep 2016 22:06:28 -0700
+Subject: [PATCH] util/perlpath.pl: make it work when cwd is not in @INC
+
+Fixed when building on Debian-testing:
+| Can't locate find.pl in @INC (@INC contains: /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.22.2 /usr/local/share/perl/5.22.2 /usr/lib/x86_64-linux-gnu/perl5/5.22 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl/5.22 /usr/share/perl/5.22 /usr/local/lib/site_perl /usr/lib/x86_64-linux-gnu/perl-base) at perlpath.pl line 7.
+
+The find.pl is added by oe-core, so once openssl/find.pl is removed,
+then this patch can be dropped.
+
+Upstream-Status: Inappropriate [OE-Specific]
+
+Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ util/perlpath.pl | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/util/perlpath.pl b/util/perlpath.pl
+index a1f236b..5599892 100755
+--- a/util/perlpath.pl
++++ b/util/perlpath.pl
+@@ -4,6 +4,8 @@
+ # line in all scripts that rely on perl.
+ #
+ 
++BEGIN { unshift @INC, "."; }
++
+ require "find.pl";
+ 
+ $#ARGV == 0 || print STDERR "usage: perlpath newpath  (eg /usr/bin)\n";
+-- 
+2.9.0
+