diff options
| author | Sona Sarmadi <sona.sarmadi@enea.com> | 2017-03-16 10:54:31 +0100 |
|---|---|---|
| committer | Adrian Dudau <adrian.dudau@enea.com> | 2017-03-21 11:29:21 +0100 |
| commit | 7e14191bb3bf457907727f3125e5cbc846d39b9f (patch) | |
| tree | 9770da8380271fe318845b69262590263ee0ebe9 /meta/recipes-connectivity/openssl/openssl_1.0.2k.bb | |
| parent | dfde5b94e82264ea16a189252d615d67366e3d98 (diff) | |
| download | poky-7e14191bb3bf457907727f3125e5cbc846d39b9f.tar.gz | |
openssl: upgrade to 1.0.2k
Following vulnerabilities have been solved between 1.0.2h and
1.0.2k releases:
Vulnerabilities detected in 1.0.2h and fixed in 1.0.2i
======================================================
Ref: https://www.openssl.org/news/secadv/20160922.txt
CVE-2016-6304 (High): OCSP Status Request extension unbounded memory growth
CVE-2016-2183 (Low): SWEET32 Mitigation
CVE-2016-6303 (Low): OOB write in MDC2_Update()
CVE-2016-6302 (Low): Malformed SHA512 ticket DoS
CVE-2016-2182 (Low): OOB write in BN_bn2dec()
CVE-2016-2180 (Low): OOB read in TS_OBJ_print_bio()
CVE-2016-2177 (Low): Pointer arithmetic undefined behaviour
CVE-2016-2178 (Low): Constant time flag not preserved in DSA signing
CVE-2016-2179 (Low): DTLS buffered message DoS
CVE-2016-2181 (Low): DTLS replay protection DoS
CVE-2016-6306 (Low): Certificate message OOB reads
Vulnerabilities detected in 1.0.ih and fixed in 1.0.2j
======================================================
https://www.openssl.org/news/secadv/20160926.txt
CVE-2016-7052 (Moderate): This issue only affects OpenSSL 1.0.2i
1.0.2j - 1.0.2k
Vulnerabilities detected in 1.0.2j and fixed in 1.0.2k
======================================================
CVE-2017-3731 (Moderate): For Openssl 1.0.2, the crash can be triggered when using
RC4-MD5; users who have not disabled that algorithm should update to 1.0.2k
CVE-2017-3732 (Moderate): BN_mod_exp may produce incorrect results on x86_64
CVE-2016-7055 (Low): Montgomery multiplication may produce incorrect results
References:
https://www.openssl.org/news/secadv/20160922.txt
https://www.openssl.org/news/secadv/20160926.txt
https://www.openssl.org/news/secadv/20170126.txt
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
Diffstat (limited to 'meta/recipes-connectivity/openssl/openssl_1.0.2k.bb')
| -rw-r--r-- | meta/recipes-connectivity/openssl/openssl_1.0.2k.bb | 60 |
1 files changed, 60 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2k.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2k.bb new file mode 100644 index 0000000000..922819b3d5 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl_1.0.2k.bb | |||
| @@ -0,0 +1,60 @@ | |||
| 1 | require openssl.inc | ||
| 2 | |||
| 3 | # For target side versions of openssl enable support for OCF Linux driver | ||
| 4 | # if they are available. | ||
| 5 | DEPENDS += "cryptodev-linux" | ||
| 6 | |||
| 7 | CFLAG += "-DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS" | ||
| 8 | CFLAG_append_class-native = " -fPIC" | ||
| 9 | |||
| 10 | LIC_FILES_CHKSUM = "file://LICENSE;md5=27ffa5d74bb5a337056c14b2ef93fbf6" | ||
| 11 | |||
| 12 | export DIRS = "crypto ssl apps engines" | ||
| 13 | export OE_LDFLAGS="${LDFLAGS}" | ||
| 14 | |||
| 15 | SRC_URI += "file://find.pl;subdir=${BP}/util/ \ | ||
| 16 | file://run-ptest \ | ||
| 17 | file://openssl-c_rehash.sh \ | ||
| 18 | file://configure-targets.patch \ | ||
| 19 | file://shared-libs.patch \ | ||
| 20 | file://oe-ldflags.patch \ | ||
| 21 | file://engines-install-in-libdir-ssl.patch \ | ||
| 22 | file://debian1.0.2/block_diginotar.patch \ | ||
| 23 | file://debian1.0.2/block_digicert_malaysia.patch \ | ||
| 24 | file://debian/ca.patch \ | ||
| 25 | file://debian/c_rehash-compat.patch \ | ||
| 26 | file://debian/debian-targets.patch \ | ||
| 27 | file://debian/man-dir.patch \ | ||
| 28 | file://debian/man-section.patch \ | ||
| 29 | file://debian/no-rpath.patch \ | ||
| 30 | file://debian/no-symbolic.patch \ | ||
| 31 | file://debian/pic.patch \ | ||
| 32 | file://debian1.0.2/version-script.patch \ | ||
| 33 | file://openssl_fix_for_x32.patch \ | ||
| 34 | file://fix-cipher-des-ede3-cfb1.patch \ | ||
| 35 | file://openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch \ | ||
| 36 | file://openssl-fix-des.pod-error.patch \ | ||
| 37 | file://Makefiles-ptest.patch \ | ||
| 38 | file://ptest-deps.patch \ | ||
| 39 | file://openssl-1.0.2a-x32-asm.patch \ | ||
| 40 | file://ptest_makefile_deps.patch \ | ||
| 41 | file://configure-musl-target.patch \ | ||
| 42 | file://parallel.patch \ | ||
| 43 | file://openssl-util-perlpath.pl-cwd.patch \ | ||
| 44 | file://Use-SHA256-not-MD5-as-default-digest.patch \ | ||
| 45 | " | ||
| 46 | SRC_URI[md5sum] = "f965fc0bf01bf882b31314b61391ae65" | ||
| 47 | SRC_URI[sha256sum] = "6b3977c61f2aedf0f96367dcfb5c6e578cf37e7b8d913b4ecb6643c3cb88d8c0" | ||
| 48 | |||
| 49 | PACKAGES =+ "${PN}-engines" | ||
| 50 | FILES_${PN}-engines = "${libdir}/ssl/engines/*.so ${libdir}/engines" | ||
| 51 | |||
| 52 | # The crypto_use_bigint patch means that perl's bignum module needs to be | ||
| 53 | # installed, but some distributions (for example Fedora 23) don't ship it by | ||
| 54 | # default. As the resulting error is very misleading check for bignum before | ||
| 55 | # building. | ||
| 56 | do_configure_prepend() { | ||
| 57 | if ! perl -Mbigint -e true; then | ||
| 58 | bbfatal "The perl module 'bignum' was not found but this is required to build openssl. Please install this module (often packaged as perl-bignum) and re-run bitbake." | ||
| 59 | fi | ||
| 60 | } | ||