From: Zhenhua Luo
To: Sona Sarmadi
Cc: "meta-freescale@yoctoproject.org"
Date: Tue, 27 Sep 2016 10:10:07 +0000
Subject: Re: meta-fsl-ppc in krogoth branch is using a vulnerable version of OpenSSL (openssl_1.0.1i).

Hi Sona,

Is it possible to backport the vulnerability patches for openssl_1.0.1i directly? This version is fully verified by our testing.

Best Regards,

Zhenhua

From: meta-freescale-bounces@yoctoproject.org [mailto:meta-freescale-bounces@yoctoproject.org] On Behalf Of Sona Sarmadi
Sent: Tuesday, September 27, 2016 2:10 PM
To: meta-freescale@yoctoproject.org
Subject: [meta-freescale] meta-fsl-ppc in krogoth branch is using a vulnerable version of OpenSSL (openssl_1.0.1i).

Hi guys

meta-fsl-ppc/recipes-connectivity/openssl in krogoth is using a vulnerable version of OpenSSL (openssl_1.0.1i).
OpenSSL recommends 1.0.1 users to upgrade to 1.0.1u version:
https://www.openssl.org/news/secadv/20160922.txt

Can we upgrade openssl version or do you prefer to keep this version? In this case I can try to backport individual patches if possible.

Regards
//Sona
---------------------------------------
Sona Sarmadi
Security Responsible for Enea Linux/
GPG Fingerprint: 444F A5E9 CDC6 4620 85C7 2CA9 60FF AF33 15BD 5928

Enea Software AB
Jan Stenbecks Torg 17
P.O Box 1033
SE-164 26 Kista, Sweden
Phone +46 70 971 4475
www.enea.com
