Message ID | 1336751148-28858-1-git-send-email-gustavo@zacarias.com.ar |
---|---|
State | Accepted |
Commit | b108e9b5dd8cfbf8d7f02e602993bdc174febc00 |
>>>>> "Gustavo" == Gustavo Zacarias <gustavo@zacarias.com.ar> writes:
Gustavo> Bump to version 1.0.0j to fix CVE-2012-2333
Committed, thanks.
Hello Gustavo,

On Fri, 11 May 2012 12:45:48 -0300, Gustavo Zacarias <gustavo@zacarias.com.ar> wrote:

> Bump to version 1.0.0j to fix CVE-2012-2333
>
> Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>

At http://patchwork.ozlabs.org/patch/148560/ we have a patch that has been sitting for a long time, which bumps the version of openssl to 1.0.1. Looking at the OpenSSL website, I see that both the 1.0.0X versions and 1.0.1X versions are maintained. Do you know what they mean, and whether we should stay at 1.0.0 or move to 1.0.1?

I simply would like to know what to do with this patch in our patchwork :)

Thanks!

Thomas
On 08/17/12 13:49, Thomas Petazzoni wrote:

> At http://patchwork.ozlabs.org/patch/148560/ we have a patch that has
> been sitting for a long time, which bumps the version of openssl to
> 1.0.1. Looking at the OpenSSL website, I see that both the 1.0.0X
> versions and 1.0.1X versions are maintained. Do you know what they
> mean, and whether we should stay at 1.0.0 or move to 1.0.1?
>
> I simply would like to know what to do with this patch in our
> patchwork :)
>
> Thanks!
>
> Thomas

1.0.1 is security-vulnerable, so it can't be bumped as-is, the target should be 1.0.1c at the moment.

The big difference between 1.0.0* and 1.0.1* is that the latter has initial support for TLSv1.1 and TLSv1.2 among other minor details.

Both are API compatible though not ABI (and we don't care).

I can give it a test during the weekend and give it a go for -next.

Regards.
On Fri, 17 Aug 2012 13:55:17 -0300, Gustavo Zacarias <gustavo@zacarias.com.ar> wrote:

> 1.0.1 is security-vulnerable, so it can't be bumped as-is, the target
> should be 1.0.1c at the moment.

Yes, agreed. I was referring to 1.0.1 as a branch, not specifically to 1.0.1. The patch I mentioned did target 1.0.1 because this patch is about 6 months old.

> The big difference between 1.0.0* and 1.0.1* is that the latter has
> initial support for TLSv1.1 and TLSv1.2 among other minor details.
> Both are API compatible though not ABI (and we don't care).
> I can give it a test during the weekend and give it a go for -next.

Great, thanks!

Thomas
On 17.8.2012 19:55, Gustavo Zacarias wrote:

> On 08/17/12 13:49, Thomas Petazzoni wrote:
>
>> At http://patchwork.ozlabs.org/patch/148560/ we have a patch that has
>> been sitting for a long time, which bumps the version of openssl to
>> 1.0.1. Looking at the OpenSSL website, I see that both the 1.0.0X
>> versions and 1.0.1X versions are maintained. Do you know what they
>> mean, and whether we should stay at 1.0.0 or move to 1.0.1?
>>
>> I simply would like to know what to do with this patch in our
>> patchwork :)
>>
>> Thanks!
>>
>> Thomas
> 1.0.1 is security-vulnerable, so it can't be bumped as-is, the target
> should be 1.0.1c at the moment.
> The big difference between 1.0.0* and 1.0.1* is that the latter has
> initial support for TLSv1.1 and TLSv1.2 among other minor details.
> Both are API compatible though not ABI (and we don't care).
> I can give it a test during the weekend and give it a go for -next.
> Regards.

Don't know about the 1.0.1c version (or greater), but for what it's worth, I have had version 1.0.1b sitting in my buildroot copy for ages and so far have not noticed anything strange in my buildroot-based home distro.

Best regards

Stefan
diff --git a/package/openssl/openssl.mk b/package/openssl/openssl.mk index 748252c..62861c5 100644 --- a/package/openssl/openssl.mk +++ b/package/openssl/openssl.mk @@ -4,7 +4,7 @@ # ############################################################# -OPENSSL_VERSION = 1.0.0i +OPENSSL_VERSION = 1.0.0j OPENSSL_SITE = http://www.openssl.org/source OPENSSL_INSTALL_STAGING = YES OPENSSL_DEPENDENCIES = zlib
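Review bot: The unchanged context line `OPENSSL_SITE = http://www.openssl.org/source` means the 1.0.0j tarball selected by the new `OPENSSL_VERSION` is fetched over plain HTTP, and nothing in the visible lines pins a digest for it. Since this bump exists to ship the fix for CVE-2012-2333, please check the downloaded tarball against the checksum or signature published upstream before committing, and say in the commit message that this was done.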
Bump to version 1.0.0j to fix CVE-2012-2333

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
---
 package/openssl/openssl.mk | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)