From 7e14191bb3bf457907727f3125e5cbc846d39b9f Mon Sep 17 00:00:00 2001 From: Sona Sarmadi Date: Thu, 16 Mar 2017 10:54:31 +0100 Subject: openssl: upgrade to 1.0.2k Following vulnerabilities have been solved between 1.0.2h and 1.0.2k releases: Vulnerabilities detected in 1.0.2h and fixed in 1.0.2i ====================================================== Ref: https://www.openssl.org/news/secadv/20160922.txt CVE-2016-6304 (High): OCSP Status Request extension unbounded memory growth CVE-2016-2183 (Low): SWEET32 Mitigation CVE-2016-6303 (Low): OOB write in MDC2_Update() CVE-2016-6302 (Low): Malformed SHA512 ticket DoS CVE-2016-2182 (Low): OOB write in BN_bn2dec() CVE-2016-2180 (Low): OOB read in TS_OBJ_print_bio() CVE-2016-2177 (Low): Pointer arithmetic undefined behaviour CVE-2016-2178 (Low): Constant time flag not preserved in DSA signing CVE-2016-2179 (Low): DTLS buffered message DoS CVE-2016-2181 (Low): DTLS replay protection DoS CVE-2016-6306 (Low): Certificate message OOB reads Vulnerabilities detected in 1.0.ih and fixed in 1.0.2j ====================================================== https://www.openssl.org/news/secadv/20160926.txt CVE-2016-7052 (Moderate): This issue only affects OpenSSL 1.0.2i 1.0.2j - 1.0.2k Vulnerabilities detected in 1.0.2j and fixed in 1.0.2k ====================================================== CVE-2017-3731 (Moderate): For Openssl 1.0.2, the crash can be triggered when using RC4-MD5; users who have not disabled that algorithm should update to 1.0.2k CVE-2017-3732 (Moderate): BN_mod_exp may produce incorrect results on x86_64 CVE-2016-7055 (Low): Montgomery multiplication may produce incorrect results References: https://www.openssl.org/news/secadv/20160922.txt https://www.openssl.org/news/secadv/20160926.txt https://www.openssl.org/news/secadv/20170126.txt Signed-off-by: Sona Sarmadi Signed-off-by: Adrian Dudau --- .../openssl/openssl-util-perlpath.pl-cwd.patch | 35 ++++++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 meta/recipes-connectivity/openssl/openssl/openssl-util-perlpath.pl-cwd.patch (limited to 'meta/recipes-connectivity/openssl/openssl/openssl-util-perlpath.pl-cwd.patch') diff --git a/meta/recipes-connectivity/openssl/openssl/openssl-util-perlpath.pl-cwd.patch b/meta/recipes-connectivity/openssl/openssl/openssl-util-perlpath.pl-cwd.patch new file mode 100644 index 0000000000..e975a4e7db --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/openssl-util-perlpath.pl-cwd.patch @@ -0,0 +1,35 @@ +From e427748f3bb5d37e78dc8d70a558c373aa8ababb Mon Sep 17 00:00:00 2001 +From: Robert Yang +Date: Mon, 19 Sep 2016 22:06:28 -0700 +Subject: [PATCH] util/perlpath.pl: make it work when cwd is not in @INC + +Fixed when building on Debian-testing: +| Can't locate find.pl in @INC (@INC contains: /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.22.2 /usr/local/share/perl/5.22.2 /usr/lib/x86_64-linux-gnu/perl5/5.22 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl/5.22 /usr/share/perl/5.22 /usr/local/lib/site_perl /usr/lib/x86_64-linux-gnu/perl-base) at perlpath.pl line 7. + +The find.pl is added by oe-core, so once openssl/find.pl is removed, +then this patch can be dropped. + +Upstream-Status: Inappropriate [OE-Specific] + +Signed-off-by: Robert Yang +Signed-off-by: Sona Sarmadi +--- + util/perlpath.pl | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/util/perlpath.pl b/util/perlpath.pl +index a1f236b..5599892 100755 +--- a/util/perlpath.pl ++++ b/util/perlpath.pl +@@ -4,6 +4,8 @@ + # line in all scripts that rely on perl. + # + ++BEGIN { unshift @INC, "."; } ++ + require "find.pl"; + + $#ARGV == 0 || print STDERR "usage: perlpath newpath (eg /usr/bin)\n"; +-- +2.9.0 + -- cgit v1.2.3-54-g00ecf