On Wed, Mar 2, 2016 at 12:06 PM, Andre McCurdy <armccu...@gmail.com> wrote:
> On Wed, Mar 2, 2016 at 11:14 AM, akuster <akus...@mvista.com> wrote:
>>
>> On 03/02/2016 10:06 AM, Andre McCurdy wrote:
>>> On Tue, Mar 1, 2016 at 11:38 PM, Armin Kuster <akuster...@gmail.com> wrote:
>>>> From: Armin Kuster <akus...@mvista.com>
>>>>
>>>> CVE-2016-0800
>>>> CVE-2016-0705
>>>> CVE-2016-0798
>>>> CVE-2016-0797
>>>> CVE-2016-0799
>>>> CVE-2016-0702
>>>> CVE-2016-0703
>>>> CVE-2016-0704
>>>>
>>>> https://www.openssl.org/news/secadv/20160301.txt
>>>>
>>>> Updated 2 debian patches to match changes in 1.0.1g
That should be 1.0.2g (and the commit summary has the same typo too).

>>> Could you give some details on why the linker version script is now
>>> required
>>
>> it has been part of openssl for over a year.
>>
>> See commit ( Better call Saul )
>>
>> http://cgit.openembedded.org/openembedded-core/commit/meta/recipes-connectivity/openssl?id=10b689033551c37d6cafa284d82bdccd43f6113e
>>
>>> and how it was generated?
>>
>> This is just an update from debian to support 1.0.2g. Have no idea how
>> they create that file.
>
> OK, yes, I see it now in the Debian openssl 1.0.2g patches:
>
> http://http.debian.net/debian/pool/main/o/openssl/openssl_1.0.2g-1.debian.tar.xz
>
> It seems that Debian have been versioning openssl symbols for quite
> some time and we've inherited that via the Debian patches.
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=333349
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=180725
> ...
>
> Perhaps some comments in the openssl recipe would be useful to make it
> a little clearer that we are providing Debian openssl and not the
> vanilla upstream version. Maybe even use Debian version numbers (i.e.
> 1.0.2g-1 in this case) and apply the complete set of Debian patches
> for each new release instead of keeping our own local copies?
>
>> If you don't have it this package won't build.
>>
>> It was there when you updated to 1.0.2f, which I suspect you did not
>> realize.
>>
>> Sorry I don't have a better answer.
>>
>> - Armin
>>
>>>
>>>> Signed-off-by: Armin Kuster <akus...@mvista.com>
>>>> ---
>>>>  .../openssl/debian1.0.2/block_diginotar.patch |   17 +-
>>>>  .../openssl/debian1.0.2/version-script.patch  | 4656 ++++++++++++++++++++
>>>>  .../{openssl_1.0.2f.bb => openssl_1.0.2g.bb}  |    6 +-
>>>>  3 files changed, 4668 insertions(+), 11 deletions(-)
>>>>  create mode 100644 meta/recipes-connectivity/openssl/openssl/debian1.0.2/version-script.patch
>>>>  rename meta/recipes-connectivity/openssl/{openssl_1.0.2f.bb => openssl_1.0.2g.bb} (91%)
>>>>
>>>> diff --git a/meta/recipes-connectivity/openssl/openssl/debian1.0.2/block_diginotar.patch b/meta/recipes-connectivity/openssl/openssl/debian1.0.2/block_diginotar.patch
>>>> index 0c1a0b6..d81e22c 100644
>>>> --- a/meta/recipes-connectivity/openssl/openssl/debian1.0.2/block_diginotar.patch
>>>> +++ b/meta/recipes-connectivity/openssl/openssl/debian1.0.2/block_diginotar.patch
>>>> @@ -9,14 +9,15 @@ Reviewed-by: Kurt Roeckx <k...@roeckx.be>
>>>> Reviewed-by: Dr Stephen N Henson <shen...@drh-consultancy.co.uk>
>>>>
>>>> This is not meant as final patch.
>>>> -
>>>> +
>>>> Upstream-Status: Backport [debian]
>>>>
>>>> +Signed-off-by: Armin Kuster <akus...@mvista.com>
>>>>
>>>> -Index: openssl-1.0.2/crypto/x509/x509_vfy.c
>>>> +Index: openssl-1.0.2g/crypto/x509/x509_vfy.c
>>>> ===================================================================
>>>> ---- openssl-1.0.2.orig/crypto/x509/x509_vfy.c
>>>> -+++ openssl-1.0.2/crypto/x509/x509_vfy.c
>>>> +--- openssl-1.0.2g.orig/crypto/x509/x509_vfy.c
>>>> ++++ openssl-1.0.2g/crypto/x509/x509_vfy.c
>>>> @@ -119,6 +119,7 @@ static int check_trust(X509_STORE_CTX *c
>>>> static int check_revocation(X509_STORE_CTX *ctx);
>>>> static int check_cert(X509_STORE_CTX *ctx);
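Review bot: the `-`/`+` pair directly after "This is not meant as final patch." rewrites a blank line (whitespace only) and is churn in what is otherwise a pure refresh; drop it so this hunk carries only the openssl-1.0.2 to openssl-1.0.2g Index/---/+++ rename and the added Signed-off-by. The "Upstream-Status: Backport [debian]" header it sits next to should also record which Debian revision the refreshed patch was taken from (the thread points at openssl_1.0.2g-1.debian.tar.xz); as written, nothing in the file says which Debian copy of block_diginotar.patch this is.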
>>>> @@ -25,17 +26,17 @@ Index: openssl-1.0.2/crypto/x509/x509_vfy.c
>>>>
>>>> static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
>>>> unsigned int *preasons, X509_CRL *crl, X509 *x);
>>>> -@@ -438,6 +439,9 @@ int X509_verify_cert(X509_STORE_CTX *ctx
>>>> +@@ -489,6 +490,9 @@ int X509_verify_cert(X509_STORE_CTX *ctx
>>>> if (!ok)
>>>> - goto end;
>>>> + goto err;
>>>>
>>>> + ok = check_ca_blacklist(ctx);
>>>> -+ if(!ok) goto end;
>>>> ++ if(!ok) goto err;
>>>> +
>>>> #ifndef OPENSSL_NO_RFC3779
>>>> /* RFC 3779 path validation, now that CRL check has been done */
>>>> ok = v3_asid_validate_path(ctx);
>>>> -@@ -938,6 +942,29 @@ static int check_crl_time(X509_STORE_CTX
>>>> +@@ -996,6 +1000,29 @@ static int check_crl_time(X509_STORE_CTX
>>>> return 1;
>>>> }
>>>>
>>>> diff --git a/meta/recipes-connectivity/openssl/openssl/debian1.0.2/version-script.patch b/meta/recipes-connectivity/openssl/openssl/debian1.0.2/version-script.patch
>>>> new file mode 100644
>>>> index 0000000..29f11a2
>>>> --- /dev/null
>>>> +++ b/meta/recipes-connectivity/openssl/openssl/debian1.0.2/version-script.patch
>>>> @@ -0,0 +1,4656 @@
>>>> +Index: openssl-1.0.2~beta1.obsolete.0.0498436515490575/Configure
>>>> +===================================================================
>>>> +--- openssl-1.0.2~beta1.obsolete.0.0498436515490575.orig/Configure 2014-02-24 21:02:30.000000000 +0100
>>>> ++++ openssl-1.0.2~beta1.obsolete.0.0498436515490575/Configure 2014-02-24 21:02:30.000000000 +0100
>>>> +@@ -1651,6 +1651,8 @@
>>>> + }
>>>> + }
>>>> +
>>>> ++$shared_ldflag .= " -Wl,--version-script=openssl.ld";
>>>> ++
>>>> + open(IN,'<Makefile.org') || die "unable to read Makefile.org:$!\n";
>>>> + unlink("$Makefile.new") || die "unable to remove old $Makefile.new:$!\n" if -e "$Makefile.new";
>>>> + open(OUT,">$Makefile.new") || die "unable to create $Makefile.new:$!\n";
>>>> +Index: openssl-1.0.2~beta1.obsolete.0.0498436515490575/openssl.ld
>>>> +===================================================================
>>>> +--- /dev/null 1970-01-01 00:00:00.000000000 +0000
>>>> ++++ openssl-1.0.2~beta1.obsolete.0.0498436515490575/openssl.ld 2014-02-24 22:19:08.601827266 +0100
>>>> +@@ -0,0 +1,4608 @@
>>>> ++OPENSSL_1.0.2d {
>>>> ++ global:
>>>> ++ BIO_f_ssl;
>>>> ++ BIO_new_buffer_ssl_connect;
>>>> ++ BIO_new_ssl;
>>>> ++ BIO_new_ssl_connect;
>>>> ++ BIO_proxy_ssl_copy_session_id;
>>>> ++ BIO_ssl_copy_session_id;
>>>> ++ BIO_ssl_shutdown;
>>>> ++ d2i_SSL_SESSION;
>>>> ++ ...
>>>> ++ ...
-- 
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
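Review bot: in the block_diginotar.patch hunk at @@ -25,17 +26,17 @@, the substantive change is not the moved offsets (@@ -438 to @@ -489, @@ -938 to @@ -996) but the label rename: both the upstream context line `goto end;` and Debian's inserted `if(!ok) goto end;` after `ok = check_ca_blacklist(ctx);` become `goto err;`, which indicates that 1.0.2g's X509_verify_cert no longer has the `end:` label this patch used to jump to. The commit message ("Updated 2 debian patches to match changes") should say so, and the rebase should confirm that the `err:` path in 1.0.2g still returns the zero `ok` from check_ca_blacklist unchanged, since a blacklisted CA that verifies anyway is exactly the failure this patch exists to block.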
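Review bot: version-script.patch has no Upstream-Status or Signed-off-by header; the new file opens directly with `+Index: openssl-1.0.2~beta1.obsolete.0.0498436515490575/Configure`, whereas block_diginotar.patch in the same series carries `Upstream-Status: Backport [debian]`. Add the same header and a one-line description of what the patch does: it appends `-Wl,--version-script=openssl.ld` to $shared_ldflag in Configure unconditionally (a GNU ld option) and ships openssl.ld with a single OPENSSL_1.0.2d version node. Two facts the recipe comment Andre asks for should record: the node name OPENSSL_1.0.2d is Debian's ABI tag and must not be bumped to follow the 1.0.2g recipe version, because every binary already linked against these versioned symbols references that node by name; and if the node closes with a `local: *;` clause (not visible in the truncated excerpt), any symbol absent from openssl.ld is hidden from consumers, so the file has to be refreshed from Debian whenever the recipe moves to a release that exports new symbols. The openssl-1.0.2~beta1.obsolete.0.0498436515490575 paths are residue of Debian's build tree and make the file look unrelated to 1.0.2g; consider regenerating the Index/---/+++ headers against the real source directory.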
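The check a recipe maintainer would want before refreshing openssl.ld for a new OpenSSL release, as an added example (this is not code from the patch, from OE-core, from Debian or from OpenSSL): parse a GNU ld version script in the shape of Debian's openssl.ld and compare its global: list against the symbols the freshly built library actually defines, so that anything the script does not cover is reported before it silently disappears from the dynamic symbol table. The miniature version script and the nm-style symbol list below are constructed; the `local: *;` clause is an assumption, since the patch excerpt is truncated before the end of the node.

```python
"""Cross-check a GNU ld version script against a shared object's exports.

Added example, not code from the OE-core patch, Debian or OpenSSL.  It parses
a version script shaped like Debian's openssl.ld (a node such as
OPENSSL_1.0.2d with a global: list) and compares it with the defined symbols
reported by `nm -D --defined-only`, listing exported symbols the script does
not mention.  Both inputs are constructed miniatures; the `local: *;` clause
is an assumption (the excerpt in the patch stops before the end of the node).
"""
import re
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Set, Tuple

# Constructed miniature of openssl.ld.
VERSION_SCRIPT = """\
OPENSSL_1.0.2d {
  global:
    BIO_f_ssl;
    BIO_new_ssl;
    BIO_new_ssl_connect;
    d2i_SSL_SESSION;
    SSL_CTX_new;
  local:
    *;            /* assumption: hides every symbol not listed above */
};
"""

# Constructed lines in the shape of `nm -D --defined-only libssl.so`.
# SSL_CTX_set_alpn_protos stands for a symbol the new release exports
# that the (older) script does not yet list.
NM_OUTPUT = """\
0000000000033f20 T BIO_f_ssl
0000000000034010 T BIO_new_ssl
0000000000034120 T BIO_new_ssl_connect
0000000000039a40 T d2i_SSL_SESSION
0000000000041ee0 T SSL_CTX_new
0000000000042a10 T SSL_CTX_set_alpn_protos
"""


class VersionNode:
    def __init__(self, name: str) -> None:
        self.name = name
        self.globals: List[str] = []       # symbol names or glob patterns
        self.locals: List[str] = []
        self.parent: Optional[str] = None  # `} OPENSSL_1.0.0;` style dependency


def parse_version_script(text: str) -> Dict[str, VersionNode]:
    """Parse `NODE { global: a; b; local: *; } [PARENT];` blocks.

    C and # comments and glob patterns are handled; `extern "C++"` blocks
    are not (openssl.ld does not use them).
    """
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"#.*", "", text)
    tokens = re.findall(r"[{};:]|[^\s{};:]+", text)
    nodes: Dict[str, VersionNode] = {}
    i = 0
    while i < len(tokens):
        if i + 1 >= len(tokens) or tokens[i + 1] != "{":
            raise ValueError(f"expected '{{' after node name {tokens[i]!r}")
        node = VersionNode(tokens[i])
        i += 2
        section = "global"  # ld treats unqualified names as global
        while tokens[i] != "}":
            tok = tokens[i]
            if tok in ("global", "local") and tokens[i + 1] == ":":
                section, i = tok, i + 2
            elif tok == ";":
                i += 1
            else:
                (node.globals if section == "global" else node.locals).append(tok)
                i += 1
        i += 1  # consume '}'
        if i < len(tokens) and tokens[i] != ";":
            node.parent = tokens[i]
            i += 1
        if i < len(tokens) and tokens[i] == ";":
            i += 1
        nodes[node.name] = node
    return nodes


def parse_nm_defined(text: str) -> Set[str]:
    """Symbol names from `nm -D --defined-only` lines (address, type, name)."""
    defined: Set[str] = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1] in {"T", "D", "B", "R", "W", "V", "i"}:
            defined.add(parts[2])
    return defined


def symbol_node(nodes: Dict[str, VersionNode], symbol: str) -> Optional[str]:
    """Name of the node whose global: list covers `symbol`, or None."""
    for node in nodes.values():
        if any(fnmatchcase(symbol, pattern) for pattern in node.globals):
            return node.name
    return None


def check(script_text: str, nm_text: str) -> Tuple[Dict[str, str], List[str], bool]:
    """Return (symbol -> node, exported-but-unlisted symbols, hides_unlisted).

    hides_unlisted is True when a node has `local: *;`; the unlisted symbols
    then vanish from the dynamic symbol table once the library is linked
    with -Wl,--version-script=openssl.ld, and consumers fail to link.
    """
    nodes = parse_version_script(script_text)
    defined = parse_nm_defined(nm_text)
    versioned: Dict[str, str] = {}
    for sym in sorted(defined):
        node = symbol_node(nodes, sym)
        if node is not None:
            versioned[sym] = node
    unlisted = sorted(defined - set(versioned))
    hides_unlisted = any("*" in node.locals for node in nodes.values())
    return versioned, unlisted, hides_unlisted


if __name__ == "__main__":
    versioned, unlisted, hides = check(VERSION_SCRIPT, NM_OUTPUT)
    for sym, node in versioned.items():
        print(f"{sym}@@{node}")
    for sym in unlisted:
        print(f"{sym}: not in version script" + (" (will be hidden)" if hides else ""))
```

Against a real tree the two inputs are the patched openssl.ld and the output of `nm -D --defined-only` on the freshly built libssl/libcrypto; a non-empty unlisted list with hides_unlisted set is the case where a consumer recipe fails to link after the OpenSSL bump even though the build itself succeeded.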