diff options
author | Patrick Ohly <patrick.ohly@intel.com> | 2016-09-23 15:26:05 +0200 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-09-24 07:30:09 +0100 |
commit | d9e1bb679eb4d625a751ad668a18eaaefeaed850 (patch) | |
tree | 91d678182f2c08db9d61f01e37ecbd9e89f8a907 /meta/recipes-connectivity/openssl/openssl_1.0.2h.bb | |
parent | 2f4b80b3061368917ecad432094e7128f8f3b740 (diff) | |
download | poky-d9e1bb679eb4d625a751ad668a18eaaefeaed850.tar.gz |
openssl: update to 1.0.2i (CVE-2016-6304 and more)
This update fixes several CVEs:
* OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
* SWEET32 Mitigation (CVE-2016-2183)
* OOB write in MDC2_Update() (CVE-2016-6303)
* Malformed SHA512 ticket DoS (CVE-2016-6302)
* OOB write in BN_bn2dec() (CVE-2016-2182)
* OOB read in TS_OBJ_print_bio() (CVE-2016-2180)
* DTLS buffered message DoS (CVE-2016-2179)
* DTLS replay protection DoS (CVE-2016-2181)
* Certificate message OOB reads (CVE-2016-6306)
Of these, only CVE-2016-6304 is considered of high
severity. Everything else is low. CVE-2016-2177 and CVE-2016-2178 were
already fixed via local patches, which can be removed now.
See https://www.openssl.org/news/secadv/20160922.txt for details.
Some patches had to be refreshed and one compile error fix from
upstream's OpenSSL_1_0_2-stable was required. The server.pem
file is needed for test_dtls.
(From OE-Core rev: d6b69279b5d1370d9c4982d5b1842a471cfd2b0e)
Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-connectivity/openssl/openssl_1.0.2h.bb')
-rw-r--r-- | meta/recipes-connectivity/openssl/openssl_1.0.2h.bb | 60 |
1 files changed, 0 insertions, 60 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb deleted file mode 100644 index c8444d39b9..0000000000 --- a/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb +++ /dev/null | |||
@@ -1,60 +0,0 @@ | |||
1 | require openssl.inc | ||
2 | |||
3 | # For target side versions of openssl enable support for OCF Linux driver | ||
4 | # if they are available. | ||
5 | DEPENDS += "cryptodev-linux" | ||
6 | |||
7 | CFLAG += "-DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS" | ||
8 | |||
9 | LIC_FILES_CHKSUM = "file://LICENSE;md5=27ffa5d74bb5a337056c14b2ef93fbf6" | ||
10 | |||
11 | export DIRS = "crypto ssl apps engines" | ||
12 | export OE_LDFLAGS="${LDFLAGS}" | ||
13 | |||
14 | SRC_URI += "file://find.pl;subdir=${BP}/util/ \ | ||
15 | file://run-ptest \ | ||
16 | file://openssl-c_rehash.sh \ | ||
17 | file://configure-targets.patch \ | ||
18 | file://shared-libs.patch \ | ||
19 | file://oe-ldflags.patch \ | ||
20 | file://engines-install-in-libdir-ssl.patch \ | ||
21 | file://debian1.0.2/block_diginotar.patch \ | ||
22 | file://debian1.0.2/block_digicert_malaysia.patch \ | ||
23 | file://debian/ca.patch \ | ||
24 | file://debian/c_rehash-compat.patch \ | ||
25 | file://debian/debian-targets.patch \ | ||
26 | file://debian/man-dir.patch \ | ||
27 | file://debian/man-section.patch \ | ||
28 | file://debian/no-rpath.patch \ | ||
29 | file://debian/no-symbolic.patch \ | ||
30 | file://debian/pic.patch \ | ||
31 | file://debian1.0.2/version-script.patch \ | ||
32 | file://openssl_fix_for_x32.patch \ | ||
33 | file://fix-cipher-des-ede3-cfb1.patch \ | ||
34 | file://openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch \ | ||
35 | file://openssl-fix-des.pod-error.patch \ | ||
36 | file://Makefiles-ptest.patch \ | ||
37 | file://ptest-deps.patch \ | ||
38 | file://openssl-1.0.2a-x32-asm.patch \ | ||
39 | file://ptest_makefile_deps.patch \ | ||
40 | file://configure-musl-target.patch \ | ||
41 | file://parallel.patch \ | ||
42 | file://CVE-2016-2177.patch \ | ||
43 | file://CVE-2016-2178.patch \ | ||
44 | file://openssl-util-perlpath.pl-cwd.patch \ | ||
45 | " | ||
46 | SRC_URI[md5sum] = "9392e65072ce4b614c1392eefc1f23d0" | ||
47 | SRC_URI[sha256sum] = "1d4007e53aad94a5b2002fe045ee7bb0b3d98f1a47f8b2bc851dcd1c74332919" | ||
48 | |||
49 | PACKAGES =+ "${PN}-engines" | ||
50 | FILES_${PN}-engines = "${libdir}/ssl/engines/*.so ${libdir}/engines" | ||
51 | |||
52 | # The crypto_use_bigint patch means that perl's bignum module needs to be | ||
53 | # installed, but some distributions (for example Fedora 23) don't ship it by | ||
54 | # default. As the resulting error is very misleading check for bignum before | ||
55 | # building. | ||
56 | do_configure_prepend() { | ||
57 | if ! perl -Mbigint -e true; then | ||
58 | bbfatal "The perl module 'bignum' was not found but this is required to build openssl. Please install this module (often packaged as perl-bignum) and re-run bitbake." | ||
59 | fi | ||
60 | } | ||