Patchwork openssl: security bump to version 1.0.0j

Submitter Gustavo Zacarias
Date May 11, 2012, 3:45 p.m.
Message ID <1336751148-28858-1-git-send-email-gustavo@zacarias.com.ar>
Permalink /patch/158549/
State Accepted
Commit b108e9b5dd8cfbf8d7f02e602993bdc174febc00

Comments

Gustavo Zacarias - May 11, 2012, 3:45 p.m.
Bump to version 1.0.0j to fix CVE-2012-2333

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
---
 package/openssl/openssl.mk |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
Peter Korsgaard - May 14, 2012, 12:36 p.m.
>>>>> "Gustavo" == Gustavo Zacarias <gustavo@zacarias.com.ar> writes:

 Gustavo> Bump to version 1.0.0j to fix CVE-2012-2333

Committed, thanks.
Thomas Petazzoni - Aug. 17, 2012, 4:49 p.m.
Hello Gustavo,

On Fri, 11 May 2012 12:45:48 -0300,
Gustavo Zacarias <gustavo@zacarias.com.ar> wrote:

> Bump to version 1.0.0j to fix CVE-2012-2333
> 
> Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>

At http://patchwork.ozlabs.org/patch/148560/ we have a patch that has
been sitting for a long time, which bumps the version of openssl to
1.0.1. Looking at the OpenSSL website, I see that both the 1.0.0X
versions and 1.0.1X versions are maintained. Do you know what they
mean, and whether we should stay at 1.0.0 or move to 1.0.1?

I simply would like to know what to do with this patch in our
patchwork :)

Thanks!

Thomas
Gustavo Zacarias - Aug. 17, 2012, 4:55 p.m.
On 08/17/12 13:49, Thomas Petazzoni wrote:

> At http://patchwork.ozlabs.org/patch/148560/ we have a patch that has
> been sitting for a long time, which bumps the version of openssl to
> 1.0.1. Looking at the OpenSSL website, I see that both the 1.0.0X
> versions and 1.0.1X versions are maintained. Do you know what they
> mean, and whether we should stay at 1.0.0 or move to 1.0.1?
> 
> I simply would like to know what to do with this patch in our
> patchwork :)
> 
> Thanks!
> 
> Thomas

1.0.1 is security-vulnerable, so it can't be bumped as-is, the target
should be 1.0.1c at the moment.
The big difference between 1.0.0* and 1.0.1* is that the latter has
initial support for TLSv1.1 and TLSv1.2, among other minor details.
Both are API compatible, though not ABI (and we don't care).
I can give it a test during the weekend and give it a go for -next.
Regards.
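The point Gustavo makes above is branch-local: 1.0.1 is numerically newer than 1.0.0j and still vulnerable, so "is this version fixed?" has to be answered against the fixing release of the same maintenance branch. The following is an added example (not code from the patch, from Buildroot, or from OpenSSL) that encodes the two fixing releases this thread names for CVE-2012-2333 (1.0.0j on the 1.0.0 branch, 1.0.1c on the 1.0.1 branch), parses OpenSSL's pre-1.1.0 `major.minor.fix` plus letter-suffix scheme, and audits the `OPENSSL_VERSION` line of an `openssl.mk` body. The ordering rule for letter suffixes (shorter suffix sorts before longer, so `''` < `a` < `z` < `za`) is an assumption about how that scheme extends; the `MK_BEFORE`/`MK_AFTER` strings are constructed from the two lines of the hunk, not the full file.

```python
import re
from typing import Optional, Tuple

# Per-branch releases that fix CVE-2012-2333, as stated in this thread
# (1.0.0j for the 1.0.0 branch, 1.0.1c for the 1.0.1 branch). Other
# branches are deliberately absent: the table makes no claim about them.
CVE_2012_2333_FIXED = {
    (1, 0, 0): "1.0.0j",
    (1, 0, 1): "1.0.1c",
}

# Matches the pre-1.1.0 OpenSSL scheme: major.minor.fix plus an optional
# lowercase patch-letter suffix ('1.0.1', '1.0.1c').
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")


def parse_openssl_version(version: str) -> Tuple[int, int, int, str]:
    """Split '1.0.0j' into (1, 0, 0, 'j'); an empty suffix is the branch's
    initial release. Raises ValueError on anything else."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, fix, letters = m.groups()
    return int(major), int(minor), int(fix), letters


def version_key(version: str):
    """Sort key: numeric parts first, then the letter suffix. Suffixes are
    ordered by length before content so '' < 'a' < 'z' < 'za' (assumption:
    a longer suffix is a later patch level, which is how the scheme extends)."""
    major, minor, fix, letters = parse_openssl_version(version)
    return (major, minor, fix, len(letters), letters)


def branch_of(version: str) -> Tuple[int, int, int]:
    """The maintenance branch a release belongs to, e.g. (1, 0, 1) for '1.0.1c'."""
    return parse_openssl_version(version)[:3]


def is_fixed_for_cve_2012_2333(version: str) -> Optional[bool]:
    """True if `version` is the fixing release of its branch or later,
    False if it is an earlier release on a branch with a known fix,
    None if the branch is not in the table (no claim either way).
    Comparing across branches would be wrong: 1.0.1 is newer than 1.0.0j
    numerically but still vulnerable, so the check is branch-local."""
    fixed = CVE_2012_2333_FIXED.get(branch_of(version))
    if fixed is None:
        return None
    return version_key(version) >= version_key(fixed)


def openssl_version_from_mk(mk_text: str) -> str:
    """Pull OPENSSL_VERSION out of the body of a buildroot openssl.mk."""
    for line in mk_text.splitlines():
        m = re.match(r"^\s*OPENSSL_VERSION\s*=\s*(\S+)\s*$", line)
        if m:
            return m.group(1)
    raise ValueError("OPENSSL_VERSION not found in openssl.mk text")


def audit_openssl_mk(mk_text: str) -> Tuple[str, Optional[bool]]:
    """Return (version, fixed?) for the openssl.mk text, so a tree can be
    checked before and after a bump like the one in this patch."""
    version = openssl_version_from_mk(mk_text)
    return version, is_fixed_for_cve_2012_2333(version)


# Constructed samples: the two relevant lines of openssl.mk before and
# after this patch (not the full file).
MK_BEFORE = "OPENSSL_VERSION = 1.0.0i\nOPENSSL_SITE = http://www.openssl.org/source\n"
MK_AFTER = "OPENSSL_VERSION = 1.0.0j\nOPENSSL_SITE = http://www.openssl.org/source\n"

if __name__ == "__main__":
    for label, text in (("before", MK_BEFORE), ("after", MK_AFTER)):
        version, fixed = audit_openssl_mk(text)
        print(f"{label}: OPENSSL_VERSION={version} fixed_for_CVE-2012-2333={fixed}")
    # The versions this thread names as not safe to ship as-is, plus the target:
    for v in ("1.0.1", "1.0.1b", "1.0.1c"):
        print(f"{v}: {is_fixed_for_cve_2012_2333(v)}")
```

Returning `None` for an unlisted branch rather than `False` is deliberate: a version checker that silently reports "vulnerable" (or "fixed") for a branch it knows nothing about is worse than one that says it cannot tell, which is exactly the situation the stale 1.0.1 patch in patchwork was in.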
Thomas Petazzoni - Aug. 17, 2012, 5:23 p.m.
On Fri, 17 Aug 2012 13:55:17 -0300,
Gustavo Zacarias <gustavo@zacarias.com.ar> wrote:

> 1.0.1 is security-vulnerable, so it can't be bumped as-is, the target
> should be 1.0.1c at the moment.

Yes, agreed. I was referring to 1.0.1 as a branch, not specifically to
1.0.1. The patch I mentioned did target 1.0.1 because this patch is
about 6 months old.

> The big difference between 1.0.0* and 1.0.1* is that the latter has
> initial support for TLSv1.1 and TLSv1.2, among other minor details.
> Both are API compatible, though not ABI (and we don't care).
> I can give it a test during the weekend and give it a go for -next.

Great, thanks!

Thomas
Stefan Fröberg - Aug. 17, 2012, 6:03 p.m.
On 17.8.2012 19:55, Gustavo Zacarias wrote:
> On 08/17/12 13:49, Thomas Petazzoni wrote:
>
>> At http://patchwork.ozlabs.org/patch/148560/ we have a patch that has
>> been sitting for a long time, which bumps the version of openssl to
>> 1.0.1. Looking at the OpenSSL website, I see that both the 1.0.0X
>> versions and 1.0.1X versions are maintained. Do you know what they
>> mean, and whether we should stay at 1.0.0 or move to 1.0.1?
>>
>> I simply would like to know what to do with this patch in our
>> patchwork :)
>>
>> Thanks!
>>
>> Thomas
> 1.0.1 is security-vulnerable, so it can't be bumped as-is, the target
> should be 1.0.1c at the moment.
> The big difference between 1.0.0* and 1.0.1* is that the latter has
> initial support for TLSv1.1 and TLSv1.2, among other minor details.
> Both are API compatible, though not ABI (and we don't care).
> I can give it a test during the weekend and give it a go for -next.
> Regards.

Don't know about the 1.0.1c version (or greater), but for what it's worth, I have
had version 1.0.1b sitting in my buildroot copy for ages
and so far have not noticed anything strange in my buildroot-based home
distro.


Best regards
Stefan
> _______________________________________________
> buildroot mailing list
> buildroot@busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot

Patch

diff --git a/package/openssl/openssl.mk b/package/openssl/openssl.mk
index 748252c..62861c5 100644
--- a/package/openssl/openssl.mk
+++ b/package/openssl/openssl.mk
@@ -4,7 +4,7 @@ 
 #
 #############################################################
 
-OPENSSL_VERSION = 1.0.0i
+OPENSSL_VERSION = 1.0.0j
 OPENSSL_SITE = http://www.openssl.org/source
 OPENSSL_INSTALL_STAGING = YES
 OPENSSL_DEPENDENCIES = zlib
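Review bot: the only change is the `OPENSSL_VERSION = 1.0.0i` to `1.0.0j` bump, and the unchanged context right below it shows the tarball is fetched from `OPENSSL_SITE = http://www.openssl.org/source` with no checksum or signature reference anywhere in this file, so a security bump is being pulled over unauthenticated HTTP with nothing in the package to detect a substituted archive. Before committing, verify the downloaded openssl-1.0.0j.tar.gz against the digest and PGP signature upstream publishes alongside the release, and consider recording that digest in the package so the build itself fails on a mismatch. It would also help reviewers if the commit message gave the upstream advisory reference for CVE-2012-2333 rather than only the CVE number, since nothing in the hunk itself ties 1.0.0j to that fix.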