On 09/23/2016 05:01 AM, Alexander Kanavin wrote:
On 09/23/2016 11:39 AM, Patrick Ohly wrote:
This update fixes several CVEs:
* OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
* SWEET32 Mitigation (CVE-2016-2183)
* OOB write in MDC2_Update() (CVE-2016-6303)
* Malformed SHA512 ticket DoS (CVE-2016-6302)
* OOB write in BN_bn2dec() (CVE-2016-2182)
* OOB read in TS_OBJ_print_bio() (CVE-2016-2180)
* DTLS buffered message DoS (CVE-2016-2179)
* DTLS replay protection DoS (CVE-2016-2181)
* Certificate message OOB reads (CVE-2016-6306)

Of these, only CVE-2016-6304 is considered of high
severity. Everything else is low. CVE-2016-2177 and CVE-2016-2178 were
already fixed via local patches, which can be removed now.

This demonstrates that:

a) if CVEs are fixed with backported patches, the process must be *thorough* and not shotgun-ish like now. It's pointless to fix some CVEs and ignore the others, just because that's what automated tools like cve-checker reported or someone saw some mail on a mailing list.

b) it's okay to not fix low-severity CVEs until the upstream makes a new release. Upstream is much more competent than we are to judge that, and if the issue is high severity, they should make a new release anyway.

No, this demonstrates that folks do want to help out. They do the best they can with their abilities and situation. The community has made a lot of noise about how important it is to address security issues. Except for a few of us who do send patches, the community as a whole has not stepped up to the table to help out.

Opensource is not an all or nothing proposition. I for one appreciate contributions folks make in this area.

- Armin



Please feel free to disagree.

Alex
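Point a) above is about keeping backported CVE patches in step with what upstream actually fixed. One concrete check a recipe maintainer can run when such an upgrade arrives is to read the "CVE:" header tag that cve-check.bbclass expects in each patch, compare it with the CVE list from the upstream release notes, and report which CVEs were never backported, which local patches the upgrade makes redundant, and which patches carry no tag at all. The script below is an added example written for this page, not code from the thread or from oe-core; the patch headers in SAMPLE_PATCHES are constructed for the example and are not the real patches in the openssl recipe, and the CVE list is the one quoted in the update above.

```python
import re
from pathlib import Path
from typing import Dict, Set

# CVEs the openssl update above says the new release fixes: the nine listed
# plus CVE-2016-2177 and CVE-2016-2178, which were already carried as local patches.
UPSTREAM_FIXED: Set[str] = {
    "CVE-2016-6304", "CVE-2016-2183", "CVE-2016-6303", "CVE-2016-6302",
    "CVE-2016-2182", "CVE-2016-2180", "CVE-2016-2179", "CVE-2016-2181",
    "CVE-2016-6306", "CVE-2016-2177", "CVE-2016-2178",
}

# Constructed sample "patch directory": file name -> header text before the diff.
# These are made up for the example, not the real patches in the openssl recipe.
# cve-check.bbclass reads the "CVE:" header line, which is what is parsed here.
SAMPLE_PATCHES: Dict[str, str] = {
    "CVE-2016-2177.patch":
        "From: upstream\nSubject: Avoid pointer arithmetic overflow\n\n"
        "Upstream-Status: Backport\nCVE: CVE-2016-2177\n\n---\n",
    "CVE-2016-2178.patch":
        "Upstream-Status: Backport\nCVE: CVE-2016-2178\n",
    "dtls-buffered-message-dos.patch":
        "Upstream-Status: Backport\nCVE: CVE-2016-2179 CVE-2016-2181\n",
    "local-build-fix.patch":
        "Upstream-Status: Inappropriate [configuration]\n",
}

CVE_LINE = re.compile(r"^CVE:\s*(.*)$", re.MULTILINE)
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")


def cves_tagged_in(header: str) -> Set[str]:
    """Return every CVE id named on a 'CVE:' header line of one patch (several per line allowed)."""
    ids: Set[str] = set()
    for m in CVE_LINE.finditer(header):
        ids.update(CVE_ID.findall(m.group(1)))
    return ids


def load_patch_headers(patch_dir: str) -> Dict[str, str]:
    """Read every *.patch in a real directory; the header is everything before the first diff."""
    headers: Dict[str, str] = {}
    for p in sorted(Path(patch_dir).glob("*.patch")):
        text = p.read_text(errors="replace")
        cut = re.search(r"^(diff --git|--- )", text, re.MULTILINE)
        headers[p.name] = text[: cut.start()] if cut else text
    return headers


def audit(patches: Dict[str, str], upstream_fixed: Set[str]) -> Dict[str, Set[str]]:
    """Compare local CVE patches against the CVEs the upstream release fixes."""
    backported: Set[str] = set()
    removable: Set[str] = set()
    untagged: Set[str] = set()
    for name, header in patches.items():
        tagged = cves_tagged_in(header)
        if not tagged:
            untagged.add(name)          # needs a human to decide; cve-check cannot see it
            continue
        backported |= tagged
        # A patch may be dropped with the upgrade only if the new release covers
        # every CVE it carries; a patch tagged with an extra CVE must stay.
        if tagged <= upstream_fixed:
            removable.add(name)
    return {
        "backported": backported & upstream_fixed,      # already handled locally
        "not_backported": upstream_fixed - backported,  # the gap point a) is about
        "still_needed": backported - upstream_fixed,    # local fixes upstream lacks
        "removable": removable,                         # patches the upgrade retires
        "untagged": untagged,                           # review by hand
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_PATCHES, UPSTREAM_FIXED).items():
        print(f"{key}: {sorted(value)}")
```

Against a real recipe, replace SAMPLE_PATCHES with load_patch_headers("path/to/recipes-connectivity/openssl/openssl") and fill UPSTREAM_FIXED from the release's CHANGES file. The "not_backported" bucket is the list point a) complains about: CVEs the maintainers knew of but never carried as local patches. The "still_needed" bucket catches the opposite mistake, dropping a local patch whose CVE the new release does not actually address.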

--
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
