[meta-freescale] meta-fsl-ppc in krogoth branch is using a vulnerable version of OpenSSL (openssl_1.0.1i).

Sona Sarmadi sona.sarmadi at enea.com
Wed Sep 28 03:49:48 PDT 2016


Zhenhua,

I just wonder what the reason is for using another version of OpenSSL in the meta-fsl-ppc krogoth branch? I guess it is because of these patches, right? Shouldn't these be upstreamed to the OpenSSL project?

meta-fsl-ppc/recipes-connectivity/openssl/openssl-fsl/
0001-remove-double-initialization-of-cryptodev-engine.patch
0002-eng_cryptodev-add-support-for-TLS-algorithms-offload.patch
0003-cryptodev-fix-algorithm-registration.patch
0004-linux-pcc-make-it-more-robust-and-recognize-KERNEL_B.patch
....

How come the OpenSSL version in meta-fsl-ppc is not the same as in poky/meta krogoth? Is there any specific reason for this? Meta-fsl-ppc in master is using OpenSSL 1.0.2, the same OpenSSL version as in poky/meta krogoth.

http://git.yoctoproject.org/cgit/cgit.cgi/meta-fsl-ppc/tree/recipes-connectivity

Can we upgrade the OpenSSL version in meta-fsl-ppc (krogoth) to 1.0.2h? Or is this related to the kernel version, which is 3.12 in meta-fsl-ppc krogoth and 4.1 in meta-fsl-ppc master?

Best regards
/Sona
P.S. sorry, too many questions ;)

From: Zhenhua Luo [mailto:zhenhua.luo at nxp.com]
Sent: 27 September 2016 12:10
To: Sona Sarmadi <sona.sarmadi at enea.com>
Cc: meta-freescale at yoctoproject.org
Subject: RE: [meta-freescale] meta-fsl-ppc in krogoth branch is using a vulnerable version of OpenSSL (openssl_1.0.1i).

Hi Sona,

Is it possible to backport the vulnerability patches for openssl_1.0.1i directly? This version is fully verified by our testing.


Best Regards,

Zhenhua

From: meta-freescale-bounces at yoctoproject.org [mailto:meta-freescale-bounces at yoctoproject.org] On Behalf Of Sona Sarmadi
Sent: Tuesday, September 27, 2016 2:10 PM
To: meta-freescale at yoctoproject.org
Subject: [meta-freescale] meta-fsl-ppc in krogoth branch is using a vulnerable version of OpenSSL (openssl_1.0.1i).

Hi guys

meta-fsl-ppc/recipes-connectivity/openssl in krogoth is using a vulnerable version of OpenSSL (openssl_1.0.1i).
OpenSSL recommends that 1.0.1 users upgrade to version 1.0.1u:

https://www.openssl.org/news/secadv/20160922.txt

Can we upgrade the OpenSSL version, or do you prefer to keep this version? In that case I can try to backport individual patches if possible.

Regards
//Sona
---------------------------------------
Sona Sarmadi
Security Responsible for Enea Linux/
GPG Fingerprint: 444F A5E9 CDC6 4620 85C7  2CA9 60FF AF33 15BD 5928

Enea Software AB
Jan Stenbecks Torg 17
P.O Box 1033
SE-164 26 Kista, Sweden
Phone  +46 70 971 4475

www.enea.com



