[yocto] [OE-core] Truly scary SSL 3.0 vuln to be revealed soon:

Bryan Evenson bevenson at melinkcorp.com
Wed Oct 15 07:22:11 PDT 2014


Ross,

> -----Original Message-----
> From: openembedded-core-bounces at lists.openembedded.org
> [mailto:openembedded-core-bounces at lists.openembedded.org] On Behalf
> Of Burton, Ross
> Sent: Wednesday, October 15, 2014 6:07 AM
> To: Sona Sarmadi
> Cc: yocto at yoctoproject.org; openembedded-core at lists.openembedded.org
> Subject: Re: [OE-core] Truly scary SSL 3.0 vuln to be revealed soon:
> 
> On 15 October 2014 07:48, Sona Sarmadi <sona.sarmadi at enea.com> wrote:
> > The advice is: Disable SSLv3.
> >
> > I created https://bugzilla.yoctoproject.org/show_bug.cgi?id=6843  so we
> can start to work with this immediately.
> 
> Presumably the list of affected packages is:
> - gnutls
> - openssl
> - nss
> 
> Are there more?  Will ENEA be able to send patches to these packages?
>

I did a few quick searches of recipe names and descriptions on the meta-openembedded and poky (which includes oe-core) layers for SSL and TLS relation.  The searches I used from the poky directory were:

find meta* -name "*ssl*.bb"
find meta* -name "*tls*.bb"
grep -nrE '(ssl|SSL|tls|TLS)' meta* | grep -vE '(DSSSL|dsssl|[Ll]ossless)' | grep '\.bb:'

Then ignoring packages that expressly disable SSL, here's what I found for other packages to evaluate:
python-pyopenssl
socat
curl
libsoup
packagegroup-toolset-native
packagegroup-core-basic
packagegroup-core-lsb
ltp
mailx
libarchive
iputils
msmtp
webkit-gtk
packagegroup-self-hosted
eglibc
glib-networking
x11vnc
bind
telepathy-idle
openssh
valgrind
tcf-agent
python-native
python
rpm
neon
nostromo
cherokee
apache2
ajenti
net-snmp
claws-mail
sylpheed
libimobiledevice
loudmouth
hostap-daemon
gateone
libtorrent
krb5
networkmanager
nodejs4
nodejs
libc-client
python-twisted
python-m2crypto
links
links-x11
openldap
gsoap
mbuffer
cryptsetup
iksemel
strongswan
ca-certificates
libetpan
cyrus-sasl
vsftpd
accel-ppp
openvpn
znc
azy
midori
oscam
tvheadend

Almost all the packages require openssl or gnutls, so patching openssl and gnutls may be sufficient for most of these packages.  I'm still working with the dylan branch. If any new packages have been added since then I may have missed them.  I'm not sure how dropbear does its encryption, so that may be one to look at also.

Regards,
Bryan Evenson
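
The search and dependency triage described in this message, as an added shell example that is not part of the original post: it folds the three commands above into one function and then reports which matching recipes declare DEPENDS on openssl, gnutls or nss. The sample layer it scans is constructed, and the DEPENDS check is a plain-text approximation rather than BitBake's own parser.

```shell
#!/bin/sh
# Added example, not code from the original post: folds the recipe search
# above into one function that matches *.bb recipes by name or content with
# the same false-positive filter, then reports which matches declare a
# DEPENDS on openssl, gnutls or nss. Recipes reported as "none" are the
# ones that fixing those three libraries would not cover.
set -eu

# has_dep FILE LIB: true if LIB appears as a whole word in a DEPENDS line.
# Word boundaries matter: "nss" is a substring of "openssl".
has_dep() {
    grep -E '^[[:space:]]*DEPENDS' "$1" \
        | grep -qE "(^|[^A-Za-z0-9-])$2([^A-Za-z0-9-]|\$)"
}

# find_ssl_recipes LAYER_DIR: prints "recipe<TAB>libs" for each match.
find_ssl_recipes() {
    find "$1" -name '*.bb' | sort | while read -r bb; do
        name=$(basename "$bb" .bb); name=${name%%_*}
        hit=0
        case "$name" in *ssl*|*tls*) hit=1 ;; esac
        # Same match/exclude pair as the original grep pipeline, per file.
        if grep -E '(ssl|SSL|tls|TLS)' "$bb" \
                | grep -qvE '(DSSSL|dsssl|[Ll]ossless)'; then hit=1; fi
        [ "$hit" -eq 1 ] || continue
        libs=
        for lib in openssl gnutls nss; do
            has_dep "$bb" "$lib" && libs="${libs:+$libs,}$lib"
        done
        printf '%s\t%s\n' "$name" "${libs:-none}"
    done
}

# Constructed sample layer (hypothetical recipes, not real OE metadata).
SAMPLE=$(mktemp -d)
mk() { mkdir -p "$SAMPLE/recipes/$1"; printf '%s\n' "$2" > "$SAMPLE/recipes/$1/$1_1.0.bb"; }
mk curl   'DEPENDS = "zlib openssl"
PACKAGECONFIG[ssl] = "--with-ssl,--without-ssl,openssl"'
mk bar    'SUMMARY = "TLS test client"
DEPENDS = "gnutls nss"'
mk owntls 'SUMMARY = "bundles its own TLS stack"
DEPENDS = "zlib"'
mk flac   'SUMMARY = "Lossless audio"
DEPENDS = "zlib"'
mk plain  'SUMMARY = "no crypto here"
DEPENDS = "zlib"'
find_ssl_recipes "$SAMPLE"
```

Run it from the poky directory with `find_ssl_recipes meta*` in place of the sample to get the real list; "none" entries are the ones to inspect by hand.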

> Ross
