openssl: security bump to version 1.0.0j

Bump to version 1.0.0j to fix CVE-2012-2333

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
---
 package/openssl/openssl.mk |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

>>>>> "Gustavo" == Gustavo Zacarias <gustavo@zacarias.com.ar> writes:

 Gustavo> Bump to version 1.0.0j to fix CVE-2012-2333

Committed, thanks.

Hello Gustavo,

Le Fri, 11 May 2012 12:45:48 -0300,
Gustavo Zacarias <gustavo@zacarias.com.ar> a écrit :

> Bump to version 1.0.0j to fix CVE-2012-2333
> 
> Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>

At http://patchwork.ozlabs.org/patch/148560/ we have a patch that has
been sitting for a long time, which bumps the version of openssl to
1.0.1. Looking at the OpenSSL website, I see that both the 1.0.0X
versions and 1.0.1X versions are maintained. Do you know what they
mean, and whether we should stay at 1.0.0 or move to 1.0.1?

I simply would like to know what to do with this patch in our
patchwork :)

Thanks!

Thomas

On 08/17/12 13:49, Thomas Petazzoni wrote:

> At http://patchwork.ozlabs.org/patch/148560/ we have a patch that has
> been sitting for a long time, which bumps the version of openssl to
> 1.0.1. Looking at the OpenSSL website, I see that both the 1.0.0X
> versions and 1.0.1X versions are maintained. Do you know what they
> mean, and whether we should stay at 1.0.0 or move to 1.0.1?
> 
> I simply would like to know what to do with this patch in our
> patchwork :)
> 
> Thanks!
> 
> Thomas

1.0.1 is security-vulnerable, so it can't be bumped as-is, the target
should be 1.0.1c at the moment.
The big difference between 1.0.0* and 1.0.1* is that the later has
initial support for TLSv1.1 and TLSv1.2 among other minor details.
Both are API compatible though not ABI (and we don't care).
I can give it a test during the weekend and give it a go for -next.
Regards.

Le Fri, 17 Aug 2012 13:55:17 -0300,
Gustavo Zacarias <gustavo@zacarias.com.ar> a écrit :

> 1.0.1 is security-vulnerable, so it can't be bumped as-is, the target
> should be 1.0.1c at the moment.

Yes, agreed. I was referring to 1.0.1 as a branch, not specifically to
1.0.1. The patch I mentioned did target 1.0.1 because this patch is
about 6 months old.

> The big difference between 1.0.0* and 1.0.1* is that the later has
> initial support for TLSv1.1 and TLSv1.2 among other minor details.
> Both are API compatible though not ABI (and we don't care).
> I can give it a test during the weekend and give it a go for -next.

Great, thanks!

Thomas

17.8.2012 19:55, Gustavo Zacarias kirjoitti:
> On 08/17/12 13:49, Thomas Petazzoni wrote:
>
>> At http://patchwork.ozlabs.org/patch/148560/ we have a patch that has
>> been sitting for a long time, which bumps the version of openssl to
>> 1.0.1. Looking at the OpenSSL website, I see that both the 1.0.0X
>> versions and 1.0.1X versions are maintained. Do you know what they
>> mean, and whether we should stay at 1.0.0 or move to 1.0.1?
>>
>> I simply would like to know what to do with this patch in our
>> patchwork :)
>>
>> Thanks!
>>
>> Thomas
> 1.0.1 is security-vulnerable, so it can't be bumped as-is, the target
> should be 1.0.1c at the moment.
> The big difference between 1.0.0* and 1.0.1* is that the later has
> initial support for TLSv1.1 and TLSv1.2 among other minor details.
> Both are API compatible though not ABI (and we don't care).
> I can give it a test during the weekend and give it a go for -next.
> Regards.

Don't know about 1.0.1c version (or greater) but what's it worth, I have
had version 1.0.1b sitting in my buildroot copy like ages
and so far have not noticed anything strange in my buildroot based home
distro.


Best regards
Stefan
> _______________________________________________
> buildroot mailing list
> buildroot@busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot