On Tue, Nov 01, 2022 at 04:41:51PM -1000, Steve Sakoman wrote:
> From: Hitendra Prajapati <[email protected]>
> 
> Upstream-Status: Backport from https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5485c56679d7c49b96e8fc8ca708b0b7e7c03c4b]
> Description:
>       CVE-2022-3358 openssl: Using a Custom Cipher with NID_undef may lead to NULL encryption.
> Affects "openssl < 3.0.6"
> 
> Signed-off-by: Hitendra Prajapati <[email protected]>
> Signed-off-by: Alexandre Belloni <[email protected]>
> (cherry picked from commit f98b2273c6f03f8f6029a7a409600ce290817e27)
> Signed-off-by: Steve Sakoman <[email protected]>

Instead of picking up this patch, wouldn't it make a lot more sense to
go to 3.0.7 like we did with [1]?  Since 3.0.7 contains a HIGH severity
CVE fix as well as the one mentioned here, it seems like we should get
that backported to both Langdale and Kirkstone quickly.


1. https://lore.kernel.org/openembedded-core/[email protected]/

-- 
Patrick Williams
