Ross,

> -----Original Message-----
> From: openembedded-core-boun...@lists.openembedded.org
> [mailto:openembedded-core-boun...@lists.openembedded.org] On Behalf
> Of Burton, Ross
> Sent: Wednesday, October 15, 2014 6:07 AM
> To: Sona Sarmadi
> Cc: yocto@yoctoproject.org; openembedded-
> c...@lists.openembedded.org
> Subject: Re: [OE-core] Truly scary SSL 3.0 vuln to be revealed soon:
>
> On 15 October 2014 07:48, Sona Sarmadi <sona.sarm...@enea.com> wrote:
> > The advice is: Disable SSLv3.
> >
> > I created https://bugzilla.yoctoproject.org/show_bug.cgi?id=6843 so we
> > can start to work with this immediately.
>
> Presumably the list of affected packages is:
> - gnutls
> - openssl
> - nss
>
> Are there more? Will ENEA be able to send patches to these packages?
>

I did a few quick searches of recipe names and descriptions on the meta-openembedded and poky (which includes oe-core) layers for SSL and TLS relation. The searches I used from the poky directory were:

    find meta* -name "*ssl*.bb"
    find meta* -name "*tls*.bb"
    grep -nrE '(ssl|SSL|tls|TLS)' meta* | grep -vE '(DSSSL|dsssl|[Ll]ossless)' | grep '\.bb:'

Then ignoring packages that expressly disable SSL, here's what I found for other packages to evaluate:

    python-pyopenssl socat curl libsoup packagegroup-toolset-native
    packagegroup-core-basic packagegroup-core-lsb ltp mailx libarchive
    iputils msmtp webkit-gtk packagegroup-self-hosted eglibc
    glib-networking x11vnc bind telepathy-idle openssh valgrind tcf-agent
    python-native python rpm neon nostromo cherokee apache2 ajenti
    net-snmp claws-mail sylpheed libimobiledevice loudmouth hostap-daemon
    gateone libtorrent krb5 networkmanager nodejs4 nodejs libc-client
    python-twisted python-m2crypto links links-x11 openldap gsoap mbuffer
    cryptsetup iksemel strongswan ca-certificates libetpan cyrus-sasl
    vsftpd accel-ppp openvpn znc azy midori oscam tvheadend

Almost all the packages require openssl or gnutls, so patching openssl and gnutls may be sufficient for most of these packages.

I'm still working with the dylan branch. If any new packages have been added since then I may have missed them. I'm not sure how dropbear does its encryption, so that may be one to look at also.

Regards,
Bryan Evenson

> Ross
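A follow-up to the searches in the message above, as an added example that is not part of the original post: instead of matching "ssl"/"tls" anywhere in a recipe, it reports which of openssl, gnutls or nss each recipe names in `DEPENDS` or `PACKAGECONFIG`, which is the question behind "patching openssl and gnutls may be sufficient". The function names, the `meta-demo` layer and the recipe contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: only the assignment line
# itself is read; continuation lines, .inc files and inherited classes are
# not followed, so treat an empty result as "needs a manual look".

tls_deps() {
    # $1 = layer directory. Prints "<recipe path><TAB><libraries>" per match.
    find "$1" -type f -name '*.bb' | sort | while IFS= read -r recipe; do
        libs=$(awk '
            /^[ \t]*(DEPENDS|PACKAGECONFIG)/ {
                # Compare whole tokens so "nss" does not match "libnss-mdns"
                # and "openssl" does not match "--with-openssl-dir".
                n = split($0, tok, /[^A-Za-z0-9+._-]+/)
                for (i = 1; i <= n; i++) seen[tok[i]] = 1
            }
            END {
                out = ""
                if ("gnutls" in seen)  out = out " gnutls"
                if ("nss" in seen)     out = out " nss"
                if ("openssl" in seen) out = out " openssl"
                print substr(out, 2)
            }' "$recipe")
        if [ -n "$libs" ]; then printf '%s\t%s\n' "$recipe" "$libs"; fi
    done
}

make_sample_layer() {
    # Constructed recipe contents; these are NOT the real recipes.
    d=$(mktemp -d)
    r="$d/meta-demo/recipes"
    mkdir -p "$r"
    printf 'DEPENDS = "zlib gnutls"\n' > "$r/curl_0.0.bb"
    printf 'DEPENDS = "readline"\nPACKAGECONFIG[ssl] = "--with-ssl,--without-ssl,openssl"\n' \
        > "$r/socat_0.0.bb"
    # Mentions openssl only in SUMMARY and has "nss" only as a substring.
    printf 'SUMMARY = "uses openssl at runtime"\nDEPENDS = "avahi libnss-helper"\n' \
        > "$r/libnss-mdns_0.0.bb"
    printf '%s\n' "$d/meta-demo"
}

# Usage from a poky checkout: sh tls_deps.sh meta
if [ "$#" -gt 0 ]; then tls_deps "$1"; fi
```

Recipes that show up in the broad grep but not here are the ones to inspect by hand, since they may pull in a TLS library through an include file or a class.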