<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/poky.git/meta/recipes-connectivity, branch dora</title>
<subtitle>Mirror of git.yoctoproject.org/poky</subtitle>
<id>https://git.enea.com/cgit/linux/poky.git/atom?h=dora</id>
<link rel='self' href='https://git.enea.com/cgit/linux/poky.git/atom?h=dora'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/'/>
<updated>2014-11-06T11:42:31+00:00</updated>
<entry>
<title>openssl: Fix for CVE-2014-3568</title>
<updated>2014-11-06T11:42:31+00:00</updated>
<author>
<name>Sona Sarmadi</name>
<email>sona.sarmadi@enea.com</email>
</author>
<published>2014-11-06T06:14:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=faaf75d24faa9862407cd478317101d155bb3129'/>
<id>urn:sha1:faaf75d24faa9862407cd478317101d155bb3129</id>
<content type='text'>
Fix for no-ssl3 configuration option

This patch is a backport from OpenSSL_1.0.1j.

(From OE-Core rev: 97e7b7a96178cf32411309f3e9e3e3b138d2050b)

Signed-off-by: Sona Sarmadi &lt;sona.sarmadi@enea.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>openssl: Fix for CVE-2014-3567</title>
<updated>2014-11-06T11:42:31+00:00</updated>
<author>
<name>Sona Sarmadi</name>
<email>sona.sarmadi@enea.com</email>
</author>
<published>2014-11-06T06:14:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=10b5ec0ec8df33ec3d48e0a650e596ec39250081'/>
<id>urn:sha1:10b5ec0ec8df33ec3d48e0a650e596ec39250081</id>
<content type='text'>
Fix for session tickets memory leak.

This patch is a backport from OpenSSL_1.0.1j.

(From OE-Core rev: 420a8dc7b84b03a9c0a56280132e15b6c9a8b4df)

Signed-off-by: Sona Sarmadi &lt;sona.sarmadi@enea.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>openssl: Fix for CVE-2014-3513</title>
<updated>2014-11-06T11:42:30+00:00</updated>
<author>
<name>Sona Sarmadi</name>
<email>sona.sarmadi@enea.com</email>
</author>
<published>2014-11-06T06:14:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=f4e20ca712587b9b85119f8355ac2b63ed148c81'/>
<id>urn:sha1:f4e20ca712587b9b85119f8355ac2b63ed148c81</id>
<content type='text'>
Fix for SRTP Memory Leak

This patch is a backport from OpenSSL_1.0.1j.

(From OE-Core rev: 6c19ca0d5aa6094aa2cfede821d63c008951cfb7)

Signed-off-by: Sona Sarmadi &lt;sona.sarmadi@enea.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>openssl: Fix for CVE-2014-3566</title>
<updated>2014-11-06T11:42:30+00:00</updated>
<author>
<name>Sona Sarmadi</name>
<email>sona.sarmadi@enea.com</email>
</author>
<published>2014-11-06T06:14:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=98408832c222a0abc31c48cb2b514a16998b29bc'/>
<id>urn:sha1:98408832c222a0abc31c48cb2b514a16998b29bc</id>
<content type='text'>
OpenSSL_1.0.1 SSLV3 POODLE VULNERABILITY (CVE-2014-3566)

This patch is a backport from OpenSSL_1.0.1j.

(From OE-Core rev: 47633059a8556c03c0eaff2dd310af87d33e2b28)

Signed-off-by: Sona Sarmadi &lt;sona.sarmadi@enea.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>openssl: fix for CVE-2010-5298</title>
<updated>2014-06-10T16:12:24+00:00</updated>
<author>
<name>Yue Tao</name>
<email>Yue.Tao@windriver.com</email>
</author>
<published>2014-06-09T15:53:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=381c6b89574df10411fa28a593a5c02cd169bf46'/>
<id>urn:sha1:381c6b89574df10411fa28a593a5c02cd169bf46</id>
<content type='text'>
Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL
through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, allows remote
attackers to inject data across sessions or cause a denial of service
(use-after-free and parsing error) via an SSL connection in a
multithreaded environment.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-5298

(From OE-Core master rev: 751f81ed8dc488c500837aeb3eb41ebf3237e10b)

(From OE-Core rev: 3cc799213e6528fc9fb4a0c40a01a1817484f499)

Signed-off-by: Yue Tao &lt;Yue.Tao@windriver.com&gt;
Signed-off-by: Roy Li &lt;rongqing.li@windriver.com&gt;
Signed-off-by: Saul Wold &lt;sgw@linux.intel.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
Signed-off-by: Paul Eggleton &lt;paul.eggleton@linux.intel.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>openssl: fix CVE-2014-3470</title>
<updated>2014-06-10T16:12:24+00:00</updated>
<author>
<name>Paul Eggleton</name>
<email>paul.eggleton@linux.intel.com</email>
</author>
<published>2014-06-09T15:53:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=8ac53f3c2d0c20409aee7161ce6b548221e43709'/>
<id>urn:sha1:8ac53f3c2d0c20409aee7161ce6b548221e43709</id>
<content type='text'>
http://www.openssl.org/news/secadv_20140605.txt

Anonymous ECDH denial of service (CVE-2014-3470)

OpenSSL TLS clients enabling anonymous ECDH ciphersuites are subject to a
denial of service attack.

(Patch borrowed from Fedora.)

(From OE-Core rev: fe4e278f1794dda2e1aded56360556fe933614ca)

Signed-off-by: Paul Eggleton &lt;paul.eggleton@linux.intel.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>openssl: fix CVE-2014-0224</title>
<updated>2014-06-10T16:12:24+00:00</updated>
<author>
<name>Paul Eggleton</name>
<email>paul.eggleton@linux.intel.com</email>
</author>
<published>2014-06-09T15:53:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=0ea0a14bd934964fa84a2d655d94ea227ed1981d'/>
<id>urn:sha1:0ea0a14bd934964fa84a2d655d94ea227ed1981d</id>
<content type='text'>
http://www.openssl.org/news/secadv_20140605.txt

SSL/TLS MITM vulnerability (CVE-2014-0224)

An attacker using a carefully crafted handshake can force the use of weak
keying material in OpenSSL SSL/TLS clients and servers. This can be exploited
by a Man-in-the-middle (MITM) attack where the attacker can decrypt and
modify traffic from the attacked client and server.

The attack can only be performed between a vulnerable client *and*
server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers
are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users
of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.

(Patch borrowed from Fedora.)

(From OE-Core rev: f19dbbc864b12b0f87248d3199296b41a0dcd5b0)

Signed-off-by: Paul Eggleton &lt;paul.eggleton@linux.intel.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>openssl: fix CVE-2014-0221</title>
<updated>2014-06-10T16:12:24+00:00</updated>
<author>
<name>Paul Eggleton</name>
<email>paul.eggleton@linux.intel.com</email>
</author>
<published>2014-06-09T15:53:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=bd1a6f3d567e300e53301d1362b8c191ed927266'/>
<id>urn:sha1:bd1a6f3d567e300e53301d1362b8c191ed927266</id>
<content type='text'>
http://www.openssl.org/news/secadv_20140605.txt

DTLS recursion flaw (CVE-2014-0221)

By sending an invalid DTLS handshake to an OpenSSL DTLS client the code
can be made to recurse eventually crashing in a DoS attack.

Only applications using OpenSSL as a DTLS client are affected.

(Patch borrowed from Fedora.)

(From OE-Core rev: 6506f8993c84b966642ef857bb15cf96eada32e8)

Signed-off-by: Paul Eggleton &lt;paul.eggleton@linux.intel.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>openssl: use upstream fix for CVE-2014-0198</title>
<updated>2014-06-10T16:12:24+00:00</updated>
<author>
<name>Paul Eggleton</name>
<email>paul.eggleton@linux.intel.com</email>
</author>
<published>2014-06-09T15:53:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=d6f29c015404fb87889e7275a398733a906b81d1'/>
<id>urn:sha1:d6f29c015404fb87889e7275a398733a906b81d1</id>
<content type='text'>
This replaces the fix for CVE-2014-0198 with one borrowed from Fedora,
which is the same as the patch which was actually applied upstream for
the issue, i.e.:

https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=b107586c0c3447ea22dba8698ebbcd81bb29d48c

(From OE-Core rev: 21fa437a37dad14145b6c8c8c16c95f1b074e09c)

Signed-off-by: Paul Eggleton &lt;paul.eggleton@linux.intel.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>openssl: fix CVE-2014-0195</title>
<updated>2014-06-10T16:12:23+00:00</updated>
<author>
<name>Paul Eggleton</name>
<email>paul.eggleton@linux.intel.com</email>
</author>
<published>2014-06-09T15:53:43+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=c5d81c3386b945293580ed87fcecc0c80851ef0e'/>
<id>urn:sha1:c5d81c3386b945293580ed87fcecc0c80851ef0e</id>
<content type='text'>
http://www.openssl.org/news/secadv_20140605.txt

DTLS invalid fragment vulnerability (CVE-2014-0195)

A buffer overrun attack can be triggered by sending invalid DTLS fragments
to an OpenSSL DTLS client or server. This is potentially exploitable to
run arbitrary code on a vulnerable client or server.

Only applications using OpenSSL as a DTLS client or server affected.

(Patch borrowed from Fedora.)

(From OE-Core rev: c707b3ea9e1fbff2c6a82670e4b1af2b4f53d5e2)

Signed-off-by: Paul Eggleton &lt;paul.eggleton@linux.intel.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
</feed>
