Re: [OE-core][langdale 01/20] openssl: CVE-2022-3358 Using a Custom Cipher with NID_undef may lead to NULL encryption
On Thu, Nov 03, 2022 at 06:28:04AM -1000, Steve Sakoman wrote:
> On Thu, Nov 3, 2022 at 5:54 AM Patrick Williams wrote:
> > Instead of picking up this patch, wouldn't it make a lot more sense to
> > go to 3.0.7 like we did with [1]? Since 3.0.7 contains a HIGH severity
> > CVE fix as well as the one mentioned here, it seems like we should get
> > that backported to both Langdale and Kirkstone quickly.
>
> This patchset was tested and sent out for review prior to the 3.0.7
> upgrade hitting master.

Understood.

> Note that I have the 3.0.7 upgrade in the patches currently under test
> for both langdale and kirkstone:
>
> https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/langdale-nut
> https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
>
> If the langdale test succeeds I will include the 3.0.7 upgrade patch
> in the pull request for the above series (hopefully later today)

Great. Thank you.

--
Patrick Williams

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#172644): https://lists.openembedded.org/g/openembedded-core/message/172644
Mute This Topic: https://lists.openembedded.org/mt/94726924/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core][langdale 01/20] openssl: CVE-2022-3358 Using a Custom Cipher with NID_undef may lead to NULL encryption
On Thu, Nov 3, 2022 at 5:54 AM Patrick Williams wrote:
>
> On Tue, Nov 01, 2022 at 04:41:51PM -1000, Steve Sakoman wrote:
> > From: Hitendra Prajapati
> >
> > Upstream-Status: Backport from
> > https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5485c56679d7c49b96e8fc8ca708b0b7e7c03c4b]
> > Description:
> > CVE-2022-3358 openssl: Using a Custom Cipher with NID_undef may lead
> > to NULL encryption.
> > Affects "openssl < 3.0.6"
> >
> > Signed-off-by: Hitendra Prajapati
> > Signed-off-by: Alexandre Belloni
> > (cherry picked from commit f98b2273c6f03f8f6029a7a409600ce290817e27)
> > Signed-off-by: Steve Sakoman
>
> Instead of picking up this patch, wouldn't it make a lot more sense to
> go to 3.0.7 like we did with [1]? Since 3.0.7 contains a HIGH severity
> CVE fix as well as the one mentioned here, it seems like we should get
> that backported to both Langdale and Kirkstone quickly.

This patchset was tested and sent out for review prior to the 3.0.7
upgrade hitting master.

Note that I have the 3.0.7 upgrade in the patches currently under test
for both langdale and kirkstone:

https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/langdale-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

If the langdale test succeeds I will include the 3.0.7 upgrade patch
in the pull request for the above series (hopefully later today)

Steve

> 1.
> https://lore.kernel.org/openembedded-core/20221101170310.2740317-1-edtan...@google.com/
>
> --
> Patrick Williams

View/Reply Online (#172643): https://lists.openembedded.org/g/openembedded-core/message/172643

Re: [OE-core][langdale 01/20] openssl: CVE-2022-3358 Using a Custom Cipher with NID_undef may lead to NULL encryption
On Tue, Nov 01, 2022 at 04:41:51PM -1000, Steve Sakoman wrote:
> From: Hitendra Prajapati
>
> Upstream-Status: Backport from
> https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5485c56679d7c49b96e8fc8ca708b0b7e7c03c4b]
> Description:
> CVE-2022-3358 openssl: Using a Custom Cipher with NID_undef may lead to
> NULL encryption.
> Affects "openssl < 3.0.6"
>
> Signed-off-by: Hitendra Prajapati
> Signed-off-by: Alexandre Belloni
> (cherry picked from commit f98b2273c6f03f8f6029a7a409600ce290817e27)
> Signed-off-by: Steve Sakoman

Instead of picking up this patch, wouldn't it make a lot more sense to
go to 3.0.7 like we did with [1]? Since 3.0.7 contains a HIGH severity
CVE fix as well as the one mentioned here, it seems like we should get
that backported to both Langdale and Kirkstone quickly.

1. https://lore.kernel.org/openembedded-core/20221101170310.2740317-1-edtan...@google.com/

--
Patrick Williams

View/Reply Online (#172639): https://lists.openembedded.org/g/openembedded-core/message/172639