Re: [OE-core] [jethro][PATCH] Forklift OpenSSL 1.0.k to Jethro

Mon, 06 Mar 2017 08:03:08 -0800 


On 03/05/2017 07:20 PM, Rebecca Chang Swee Fun wrote:

From: "Chang, Rebecca Swee Fun" <[email protected]>

Hi all,

This is an version upgrade for OpenSSL from 1.0.2h to 1.0.2k.
The upgrade was forklifted from OE-Core master branch to
Jethro branch and remove upstream dependencies to new bbclasses.

The details of CVEs are mentioned in the patch commit message.

The main purpose of this forklifting effort is to make sure
OpenSSL shipped in BSPs is updated.
Due to OpenSSL version
fork in Jethro, it is difficult to do purely "git cherry-pick"
and resolving conflicts everywhere.


Its not difficult, its just time consuming.


This is main reason I opted for forklifting approach.

We have discussed updating openssl as the method for managing this 
package in stable branches and it was met with lots of resistance. 
Seeing this is Jethro ( nearly 2 yrs old), I would suspect this is a 
much harder sell to make.





This is the first time I did an upgrade for OpenSSL. Please
help to review and provide feedbacks if this approach is not
feasible.

The feasible call is on the stable branch maintainer and oe-core layer 
maintainers.



per policy, these changes would have to propagate through the other 
stable branches first if we didn't want to make an exception.


- armin


  I'm looking forward to learn from everyone of you.

Thank you very much.

Regards,
Rebecca

Chang, Rebecca Swee Fun (1):
   openssl: upgrade 1.0.2h -> 1.0.2k

  meta/recipes-connectivity/openssl/openssl.inc      |  104 +-
  .../openssl/openssl/0002-CVE-2017-3731.patch       |   53 +
  .../openssl/openssl/CVE-2016-2177.patch            |  286 --
  .../openssl/openssl/CVE-2016-2178.patch            |   51 -
  .../openssl/openssl/CVE-2016-2179.patch            |  255 --
  .../openssl/openssl/CVE-2016-2180.patch            |   44 -
  .../openssl/openssl/CVE-2016-2181_p1.patch         |   91 -
  .../openssl/openssl/CVE-2016-2181_p2.patch         |  239 -
  .../openssl/openssl/CVE-2016-2181_p3.patch         |   30 -
  .../openssl/openssl/CVE-2016-2182.patch            |   70 -
  .../openssl/openssl/CVE-2016-6302.patch            |   53 -
  .../openssl/openssl/CVE-2016-6303.patch            |   36 -
  .../openssl/openssl/CVE-2016-6304.patch            |   75 -
  .../openssl/openssl/CVE-2016-6306.patch            |   71 -
  .../openssl/openssl/CVE-2016-8610.patch            |  124 -
  .../Use-SHA256-not-MD5-as-default-digest.patch     |   69 +
  .../openssl/crypto_use_bigint_in_x86-64_perl.patch |   33 -
  .../openssl/openssl/debian/ca.patch                |    2 +-
  .../openssl/openssl/debian/version-script.patch    | 4663 ++++++++++++++++++++
  .../openssl/debian1.0.2/version-script.patch       |   31 +-
  .../openssl/openssl/fix-cipher-des-ede3-cfb1.patch |    2 +-
  .../openssl/openssl/openssl-c_rehash.sh            |  222 +
  .../openssl/openssl-util-perlpath.pl-cwd.patch     |   34 +
  .../openssl/openssl/openssl_fix_for_x32.patch      |    4 +-
  .../openssl/openssl/parallel.patch                 |   17 +-
  .../recipes-connectivity/openssl/openssl_1.0.2h.bb |   82 -
  .../recipes-connectivity/openssl/openssl_1.0.2k.bb |   64 +
  27 files changed, 5200 insertions(+), 1605 deletions(-)
  create mode 100644 
meta/recipes-connectivity/openssl/openssl/0002-CVE-2017-3731.patch
  delete mode 100644 
meta/recipes-connectivity/openssl/openssl/CVE-2016-2177.patch
  delete mode 100644 
meta/recipes-connectivity/openssl/openssl/CVE-2016-2178.patch
  delete mode 100644 
meta/recipes-connectivity/openssl/openssl/CVE-2016-2179.patch
  delete mode 100644 
meta/recipes-connectivity/openssl/openssl/CVE-2016-2180.patch
  delete mode 100644 
meta/recipes-connectivity/openssl/openssl/CVE-2016-2181_p1.patch
  delete mode 100644 
meta/recipes-connectivity/openssl/openssl/CVE-2016-2181_p2.patch
  delete mode 100644 
meta/recipes-connectivity/openssl/openssl/CVE-2016-2181_p3.patch
  delete mode 100644 
meta/recipes-connectivity/openssl/openssl/CVE-2016-2182.patch
  delete mode 100644 
meta/recipes-connectivity/openssl/openssl/CVE-2016-6302.patch
  delete mode 100644 
meta/recipes-connectivity/openssl/openssl/CVE-2016-6303.patch
  delete mode 100644 
meta/recipes-connectivity/openssl/openssl/CVE-2016-6304.patch
  delete mode 100644 
meta/recipes-connectivity/openssl/openssl/CVE-2016-6306.patch
  delete mode 100644 
meta/recipes-connectivity/openssl/openssl/CVE-2016-8610.patch
  create mode 100644 
meta/recipes-connectivity/openssl/openssl/Use-SHA256-not-MD5-as-default-digest.patch
  delete mode 100644 
meta/recipes-connectivity/openssl/openssl/crypto_use_bigint_in_x86-64_perl.patch
  create mode 100644 
meta/recipes-connectivity/openssl/openssl/debian/version-script.patch
  create mode 100644 
meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh
  create mode 100644 
meta/recipes-connectivity/openssl/openssl/openssl-util-perlpath.pl-cwd.patch
  delete mode 100644 meta/recipes-connectivity/openssl/openssl_1.0.2h.bb
  create mode 100644 meta/recipes-connectivity/openssl/openssl_1.0.2k.bb



--
_______________________________________________
Openembedded-core mailing list
[email protected]
http://lists.openembedded.org/mailman/listinfo/openembedded-core






















					Reply via email to