Re: [OE-core][langdale 01/20] openssl: CVE-2022-3358 Using a Custom Cipher with NID_undef may lead to NULL encryption

From: Patrick Williams <patrick@stwcx.xyz>
To: Steve Sakoman <steve@sakoman.com>
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core][langdale 01/20] openssl: CVE-2022-3358 Using a Custom Cipher with NID_undef may lead to NULL encryption
Date: Thu, 3 Nov 2022 11:48:12 -0500	[thread overview]
Message-ID: <Y2PwzAYE9uTZgZHA@heinlein.taila677.ts.net> (raw)
In-Reply-To: <CAOSpxdb0PxRcf7Xgq5sP3JHVe9doF7XH71xW=yK4wYQwpRnegQ@mail.gmail.com>

[-- Attachment #1: Type: text/plain, Size: 1027 bytes --]

On Thu, Nov 03, 2022 at 06:28:04AM -1000, Steve Sakoman wrote:
> On Thu, Nov 3, 2022 at 5:54 AM Patrick Williams <patrick@stwcx.xyz> wrote:
> > Instead of picking up this patch, wouldn't it make a lot more sense to
> > go to 3.0.7 like we did with [1]?  Since 3.0.7 contains a HIGH severity
> > CVE fix as well as the one mentioned here, it seems like we should get
> > that backported to both Langdale and Kirkstone quickly.
> 
> This patchset was tested and sent out for review prior to the 3.0.7
> upgrade hitting master.

Understood.

> Note that I have the 3.0.7 upgrade in the patches currently under test
> for both langdale and kirkstone:
> 
> https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/langdale-nut
> https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
> 
> If the langdale test succeeds I will include the 3.0.7 upgrade patch
> in the pull request for the above series (hopefully later today)

Great.  Thank you.

-- 
Patrick Williams

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]