[resending from my Intel account, the one on GMX isn't subscribed]

On Fri, 2016-09-23 at 21:06 +1200, Paul Eggleton wrote:
> On Fri, 23 Sep 2016 11:56:41 Maxin B. John wrote:
> > On Fri, Sep 23, 2016 at 04:48:37PM +0800, Anuj Mittal wrote:
> > > Reference:
> > > https://www.openssl.org/news/secadv/20160922.txt
> > >
> > > Upstream fix:
> > > https://github.com/openssl/openssl/commit/e408c09bbf7c3057bda4b8d20bec1b3a7771c15b
> > >
> > > Signed-off-by: Anuj Mittal <anujx.mit...@intel.com>
> > > ---
> > >
> > >  .../openssl/openssl/CVE-2016-6304.patch | 75 ++++++++++++++++++++++
> >
> > Mid-air collision with Patrick's patch.
>
> I guess for krogoth and jethro we have the choice of applying just this fix or
> the upgrade. Looking over the commits for 1.0.2i it does look like quite a lot
> more than the list of CVEs in the recent security advisory were fixed, and
> it's somewhat concerning that the 1.0.2i release went out with an apparently
> compile-breaking typo in it (subsequently fixed, patch applied in Patrick's
> upgrade).

The compile error is inside an #ifdef, so it could be that just that
particular configuration hadn't been tested. But yes, one has to wonder.

So what's preferred for OE-core master and the 2.2 release? Updating to
1.0.2i or backporting the critical patch? I don't have any strong opinion
either way myself.

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although I am an
employee of Intel, the statements I make here in no way represent Intel's
position on the issue, nor am I authorized to speak on behalf of Intel on this
matter.

-- 
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core