* [Buildroot] [PATCH] openssl: security bump to version 1.0.0j
@ 2012-05-11 15:45 Gustavo Zacarias
  2012-05-14 12:36 ` Peter Korsgaard
  2012-08-17 16:49 ` Thomas Petazzoni
  0 siblings, 2 replies; 6+ messages in thread
From: Gustavo Zacarias @ 2012-05-11 15:45 UTC (permalink / raw)
  To: buildroot

Bump to version 1.0.0j to fix CVE-2012-2333

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
---
 package/openssl/openssl.mk |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/package/openssl/openssl.mk b/package/openssl/openssl.mk
index 748252c..62861c5 100644
--- a/package/openssl/openssl.mk
+++ b/package/openssl/openssl.mk
@@ -4,7 +4,7 @@
 #
 #############################################################
 
-OPENSSL_VERSION = 1.0.0i
+OPENSSL_VERSION = 1.0.0j
 OPENSSL_SITE = http://www.openssl.org/source
 OPENSSL_INSTALL_STAGING = YES
 OPENSSL_DEPENDENCIES = zlib
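
Review bot: the OPENSSL_SITE context line directly under the bumped OPENSSL_VERSION still points at plain http://www.openssl.org/source, and the diffstat shows openssl.mk as the only file touched, so nothing visible in this change authenticates the 1.0.0j tarball that the CVE-2012-2333 fix depends on. Suggest checking the downloaded archive against the digest or signature published upstream before merging, and adding a sentence to the commit message saying what CVE-2012-2333 affects so that people still carrying 1.0.0i can judge urgency from the log alone.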
-- 
1.7.3.4


* [Buildroot] [PATCH] openssl: security bump to version 1.0.0j
  2012-05-11 15:45 [Buildroot] [PATCH] openssl: security bump to version 1.0.0j Gustavo Zacarias
@ 2012-05-14 12:36 ` Peter Korsgaard
  2012-08-17 16:49 ` Thomas Petazzoni
  1 sibling, 0 replies; 6+ messages in thread
From: Peter Korsgaard @ 2012-05-14 12:36 UTC (permalink / raw)
  To: buildroot

>>>>> "Gustavo" == Gustavo Zacarias <gustavo@zacarias.com.ar> writes:

 Gustavo> Bump to version 1.0.0j to fix CVE-2012-2333

Committed, thanks.

-- 
Bye, Peter Korsgaard


* [Buildroot] [PATCH] openssl: security bump to version 1.0.0j
  2012-05-11 15:45 [Buildroot] [PATCH] openssl: security bump to version 1.0.0j Gustavo Zacarias
  2012-05-14 12:36 ` Peter Korsgaard
@ 2012-08-17 16:49 ` Thomas Petazzoni
  2012-08-17 16:55   ` Gustavo Zacarias
  1 sibling, 1 reply; 6+ messages in thread
From: Thomas Petazzoni @ 2012-08-17 16:49 UTC (permalink / raw)
  To: buildroot

Hello Gustavo,

On Fri, 11 May 2012 12:45:48 -0300,
Gustavo Zacarias <gustavo@zacarias.com.ar> wrote:

> Bump to version 1.0.0j to fix CVE-2012-2333
> 
> Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>

At http://patchwork.ozlabs.org/patch/148560/ we have a patch that has
been sitting for a long time, which bumps the version of openssl to
1.0.1. Looking at the OpenSSL website, I see that both the 1.0.0X
versions and 1.0.1X versions are maintained. Do you know what they
mean, and whether we should stay at 1.0.0 or move to 1.0.1?

I simply would like to know what to do with this patch in our
patchwork :)

Thanks!

Thomas
-- 
Thomas Petazzoni, Free Electrons
Kernel, drivers, real-time and embedded Linux
development, consulting, training and support.
http://free-electrons.com


* [Buildroot] [PATCH] openssl: security bump to version 1.0.0j
  2012-08-17 16:49 ` Thomas Petazzoni
@ 2012-08-17 16:55   ` Gustavo Zacarias
  2012-08-17 17:23     ` Thomas Petazzoni
  2012-08-17 18:03     ` Stefan Fröberg
  0 siblings, 2 replies; 6+ messages in thread
From: Gustavo Zacarias @ 2012-08-17 16:55 UTC (permalink / raw)
  To: buildroot

On 08/17/12 13:49, Thomas Petazzoni wrote:

> At http://patchwork.ozlabs.org/patch/148560/ we have a patch that has
> been sitting for a long time, which bumps the version of openssl to
> 1.0.1. Looking at the OpenSSL website, I see that both the 1.0.0X
> versions and 1.0.1X versions are maintained. Do you know what they
> mean, and whether we should stay at 1.0.0 or move to 1.0.1?
> 
> I simply would like to know what to do with this patch in our
> patchwork :)
> 
> Thanks!
> 
> Thomas

1.0.1 is security-vulnerable, so it can't be bumped as-is, the target
should be 1.0.1c at the moment.
The big difference between 1.0.0* and 1.0.1* is that the latter has
initial support for TLSv1.1 and TLSv1.2 among other minor details.
Both are API compatible though not ABI (and we don't care).
I can give it a test during the weekend and give it a go for -next.
Regards.


* [Buildroot] [PATCH] openssl: security bump to version 1.0.0j
  2012-08-17 16:55   ` Gustavo Zacarias
@ 2012-08-17 17:23     ` Thomas Petazzoni
  2012-08-17 18:03     ` Stefan Fröberg
  1 sibling, 0 replies; 6+ messages in thread
From: Thomas Petazzoni @ 2012-08-17 17:23 UTC (permalink / raw)
  To: buildroot

On Fri, 17 Aug 2012 13:55:17 -0300,
Gustavo Zacarias <gustavo@zacarias.com.ar> wrote:

> 1.0.1 is security-vulnerable, so it can't be bumped as-is, the target
> should be 1.0.1c at the moment.

Yes, agreed. I was referring to 1.0.1 as a branch, not specifically to
1.0.1. The patch I mentioned did target 1.0.1 because this patch is
about 6 months old.

> The big difference between 1.0.0* and 1.0.1* is that the latter has
> initial support for TLSv1.1 and TLSv1.2 among other minor details.
> Both are API compatible though not ABI (and we don't care).
> I can give it a test during the weekend and give it a go for -next.

Great, thanks!

Thomas
-- 
Thomas Petazzoni, Free Electrons
Kernel, drivers, real-time and embedded Linux
development, consulting, training and support.
http://free-electrons.com


* [Buildroot] [PATCH] openssl: security bump to version 1.0.0j
  2012-08-17 16:55   ` Gustavo Zacarias
  2012-08-17 17:23     ` Thomas Petazzoni
@ 2012-08-17 18:03     ` Stefan Fröberg
  1 sibling, 0 replies; 6+ messages in thread
From: Stefan Fröberg @ 2012-08-17 18:03 UTC (permalink / raw)
  To: buildroot

On 17.8.2012 19:55, Gustavo Zacarias wrote:
> On 08/17/12 13:49, Thomas Petazzoni wrote:
>
>> At http://patchwork.ozlabs.org/patch/148560/ we have a patch that has
>> been sitting for a long time, which bumps the version of openssl to
>> 1.0.1. Looking at the OpenSSL website, I see that both the 1.0.0X
>> versions and 1.0.1X versions are maintained. Do you know what they
>> mean, and whether we should stay at 1.0.0 or move to 1.0.1?
>>
>> I simply would like to know what to do with this patch in our
>> patchwork :)
>>
>> Thanks!
>>
>> Thomas
> 1.0.1 is security-vulnerable, so it can't be bumped as-is, the target
> should be 1.0.1c at the moment.
> The big difference between 1.0.0* and 1.0.1* is that the latter has
> initial support for TLSv1.1 and TLSv1.2 among other minor details.
> Both are API compatible though not ABI (and we don't care).
> I can give it a test during the weekend and give it a go for -next.
> Regards.

Don't know about the 1.0.1c version (or greater), but for what it's worth,
I have had version 1.0.1b sitting in my buildroot copy for ages
and so far have not noticed anything strange in my buildroot-based home
distro.


Best regards
Stefan

