On Tue, Mar 1, 2016 at 11:38 PM, Armin Kuster <akuster...@gmail.com> wrote:
> From: Armin Kuster <akus...@mvista.com>
>
> CVE-2016-0800
> CVE-2016-0705
> CVE-2016-0798
> CVE-2016-0797
> CVE-2016-0799
> CVE-2016-0702
> CVE-2016-0703
> CVE-2016-0704
>
> https://www.openssl.org/news/secadv/20160301.txt
>
> Updated 2 debian patches to match changes in 1.0.1g

Could you give some details on why the linker version script is now required and how it was generated? > Signed-off-by: Armin Kuster <akus...@mvista.com> > --- > .../openssl/debian1.0.2/block_diginotar.patch | 17 +- > .../openssl/debian1.0.2/version-script.patch | 4656 > ++++++++++++++++++++ > .../{openssl_1.0.2f.bb => openssl_1.0.2g.bb} | 6 +- > 3 files changed, 4668 insertions(+), 11 deletions(-) > create mode 100644 > meta/recipes-connectivity/openssl/openssl/debian1.0.2/version-script.patch > rename meta/recipes-connectivity/openssl/{openssl_1.0.2f.bb => > openssl_1.0.2g.bb} (91%) > > diff --git > a/meta/recipes-connectivity/openssl/openssl/debian1.0.2/block_diginotar.patch > b/meta/recipes-connectivity/openssl/openssl/debian1.0.2/block_diginotar.patch > index 0c1a0b6..d81e22c 100644 > --- > a/meta/recipes-connectivity/openssl/openssl/debian1.0.2/block_diginotar.patch > +++ > b/meta/recipes-connectivity/openssl/openssl/debian1.0.2/block_diginotar.patch > @@ -9,14 +9,15 @@ Reviewed-by: Kurt Roeckx <k...@roeckx.be> > Reviewed-by: Dr Stephen N Henson <shen...@drh-consultancy.co.uk> > > This is not meant as final patch. > - > + > Upstream-Status: Backport [debian] > > +Signed-off-by: Armin Kuster <akus...@mvista.com> > > -Index: openssl-1.0.2/crypto/x509/x509_vfy.c > +Index: openssl-1.0.2g/crypto/x509/x509_vfy.c > =================================================================== > ---- openssl-1.0.2.orig/crypto/x509/x509_vfy.c > -+++ openssl-1.0.2/crypto/x509/x509_vfy.c > +--- openssl-1.0.2g.orig/crypto/x509/x509_vfy.c > ++++ openssl-1.0.2g/crypto/x509/x509_vfy.c > @@ -119,6 +119,7 @@ static int check_trust(X509_STORE_CTX *c > static int check_revocation(X509_STORE_CTX *ctx); > static int check_cert(X509_STORE_CTX *ctx); 
> @@ -25,17 +26,17 @@ Index: openssl-1.0.2/crypto/x509/x509_vfy.c > > static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, > unsigned int *preasons, X509_CRL *crl, X509 *x); > -@@ -438,6 +439,9 @@ int X509_verify_cert(X509_STORE_CTX *ctx > +@@ -489,6 +490,9 @@ int X509_verify_cert(X509_STORE_CTX *ctx > if (!ok) > - goto end; > + goto err; > > + ok = check_ca_blacklist(ctx); > -+ if(!ok) goto end; > ++ if(!ok) goto err; > + > #ifndef OPENSSL_NO_RFC3779 > /* RFC 3779 path validation, now that CRL check has been done */ > ok = v3_asid_validate_path(ctx); > -@@ -938,6 +942,29 @@ static int check_crl_time(X509_STORE_CTX > +@@ -996,6 +1000,29 @@ static int check_crl_time(X509_STORE_CTX > return 1; > } > > diff --git > a/meta/recipes-connectivity/openssl/openssl/debian1.0.2/version-script.patch > b/meta/recipes-connectivity/openssl/openssl/debian1.0.2/version-script.patch > new file mode 100644 > index 0000000..29f11a2 > --- /dev/null > +++ > b/meta/recipes-connectivity/openssl/openssl/debian1.0.2/version-script.patch 
> @@ -0,0 +1,4656 @@ > +Index: openssl-1.0.2~beta1.obsolete.0.0498436515490575/Configure > +=================================================================== > +--- openssl-1.0.2~beta1.obsolete.0.0498436515490575.orig/Configure > 2014-02-24 21:02:30.000000000 +0100 > ++++ openssl-1.0.2~beta1.obsolete.0.0498436515490575/Configure 2014-02-24 > 21:02:30.000000000 +0100 > +@@ -1651,6 +1651,8 @@ > + } > + } > + > ++$shared_ldflag .= " -Wl,--version-script=openssl.ld"; > ++ > + open(IN,'<Makefile.org') || die "unable to read Makefile.org:$!\n"; > + unlink("$Makefile.new") || die "unable to remove old $Makefile.new:$!\n" if > -e "$Makefile.new"; > + open(OUT,">$Makefile.new") || die "unable to create $Makefile.new:$!\n"; > +Index: openssl-1.0.2~beta1.obsolete.0.0498436515490575/openssl.ld > +=================================================================== > +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 > ++++ openssl-1.0.2~beta1.obsolete.0.0498436515490575/openssl.ld 2014-02-24 > 22:19:08.601827266 +0100 > +@@ -0,0 +1,4608 @@ > ++OPENSSL_1.0.2d { > ++ global: > ++ BIO_f_ssl; > ++ BIO_new_buffer_ssl_connect; > ++ BIO_new_ssl; > ++ BIO_new_ssl_connect; > ++ BIO_proxy_ssl_copy_session_id; > ++ BIO_ssl_copy_session_id; > ++ BIO_ssl_shutdown; > ++ d2i_SSL_SESSION; > ++ ... > ++ ...
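
Review bot: in block_diginotar.patch, the first hunk removes the empty line above Upstream-Status and adds back a line that also looks empty, which suggests trailing whitespace is being introduced; drop that change so the refresh only touches the Index paths and hunk offsets. The switch from "goto end" to "goto err" after check_ca_blacklist(ctx) matches the surrounding context line, which now also reads "goto err", so that part is consistent. The commit message says the patches were updated for 1.0.1g while the recipe rename and the new Index paths say 1.0.2g; the message should name the version actually targeted.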
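
Review bot: the new version-script.patch begins directly at its Index: line, with no description, Upstream-Status or Signed-off-by header, unlike block_diginotar.patch in the same directory; add a header stating where the patch comes from and why the Configure change appending -Wl,--version-script=openssl.ld to $shared_ldflag is needed. The paths inside it still read openssl-1.0.2~beta1.obsolete.0.0498436515490575 with 2014 timestamps, and the version node in openssl.ld is OPENSSL_1.0.2d while the recipe moves to 1.0.2g, so the header should say whether that node name is deliberate. Because openssl.ld enumerates exported symbols one by one under global: across 4608 lines, document how the list was generated so it can be regenerated and diffed on the next upgrade; how a symbol missing from the list is treated depends on the part of the script elided here, which is worth checking against the 1.0.2g export set.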