On 9 December 2015 at 02:03, Fan Xin <[email protected]> wrote: > +++ > b/meta/recipes-connectivity/openssl/openssl/Fix-seg-fault-with-0-p-val-in-SKE.patch > @@ -0,0 +1,101 @@ > +Upstream-Status: Backport > + > +From ada57746b6b80beae73111fe1291bf8dd89af91c Mon Sep 17 00:00:00 2001 > +From: Guy Leaver (guleaver) <[email protected]> > +Date: Fri, 7 Aug 2015 15:45:21 +0100 > +Subject: [PATCH] Fix seg fault with 0 p val in SKE > + > +If a client receives a ServerKeyExchange for an anon DH ciphersuite with > the > +value of p set to 0 then a seg fault can occur. This commits adds a test > to > +reject p, g and pub key parameters that have a 0 value (in accordance with > +RFC 5246) > + > +The security vulnerability only affects master and 1.0.2, but the fix is > +additionally applied to 1.0.1 for additional confidence. > + > +CVE-2015-1794 > + > +Reviewed-by: Richard Levitte <[email protected]> > +Reviewed-by: Matt Caswell <[email protected]> >
This patch needs to have your (or whoever actually did the work) signed-off-by inside the patch, alongside the Upstream-Status. Thanks, Ross
-- _______________________________________________ Openembedded-core mailing list [email protected] http://lists.openembedded.org/mailman/listinfo/openembedded-core
