path: root/meta/recipes-connectivity/openssl
Age | Commit message | Author

2014-06-09 | openssl: fix CVE-2014-0195 | Paul Eggleton

From the OpenSSL Security Advisory [05 Jun 2014]
http://www.openssl.org/news/secadv_20140605.txt

DTLS invalid fragment vulnerability (CVE-2014-0195)

A buffer overrun attack can be triggered by sending invalid DTLS fragments to an OpenSSL DTLS client or server. This is potentially exploitable to run arbitrary code on a vulnerable client or server.

Only applications using OpenSSL as a DTLS client or server affected.

(Patch borrowed from Fedora.)

Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>

2014-05-12 | openssl: fix CVE-2014-0198 | Maxin B. John

A null pointer dereference bug was discovered in do_ssl3_write(). An attacker could possibly use this to cause OpenSSL to crash, resulting in a denial of service.

https://access.redhat.com/security/cve/CVE-2014-0198

Signed-off-by: Maxin B. John <maxin.john@enea.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

2014-04-11 | openssl: bump PR | Paul Eggleton

We don't normally do this, but with the recent CVE fixes (most importantly the one for the serious CVE-2014-0160 vulnerability) I am bumping PR explicitly to make it a bit more obvious that the patch has been applied.

Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

2014-04-09 | openssl: backport fix for CVE-2014-0160 | Paul Eggleton

Fixes the "heartbleed" TLS vulnerability (CVE-2014-0160). More information here:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

Patch borrowed from Debian; this is just a tweaked version of the upstream commit (without patching the CHANGES file which otherwise would fail to apply on top of this version).

Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

2014-04-09 | Security Advisory - openssl - CVE-2013-6449 | Yue Tao

The ssl_get_algorithm2 function in ssl/s3_lib.c in OpenSSL before 1.0.2 obtains a certain version number from an incorrect data structure, which allows remote attackers to cause a denial of service (daemon crash) via crafted traffic from a TLS 1.2 client.

(From OE-Core master rev: 3e0ac7357a962e3ef6595d21ec4843b078a764dd)

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

2014-04-09 | Security Advisory - openssl - CVE-2013-6450 | Yue Tao

The DTLS retransmission implementation in OpenSSL through 0.9.8y and 1.x through 1.0.1e does not properly maintain data structures for digest and encryption contexts, which might allow man-in-the-middle attackers to trigger the use of a different context by interfering with packet delivery, related to ssl/d1_both.c and ssl/t1_enc.c.

(From OE-Core master rev: 94352e694cd828aa84abd846149712535f48ab0f)

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

2014-04-09 | Security Advisory - openssl - CVE-2013-4353 | Yue Tao

The ssl3_take_mac function in ssl/s3_both.c in OpenSSL 1.0.1 before 1.0.1f allows remote TLS servers to cause a denial of service (NULL pointer dereference and application crash) via a crafted Next Protocol Negotiation record in a TLS handshake.

(From OE-Core master rev: 35ccce7002188c8270d2fead35f9763b22776877)

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

2013-07-04 | openssl: Add fix for cipher des-ede3-cfb1 | Muhammad Shakeel

Add patch file for one of the ciphers used in openssl, namely the cipher des-ede3-cfb1. Details of the bug, without this patch, can be found here.
http://rt.openssl.org/Ticket/Display.html?id=2867

(From OE-Core master rev: ed61c28b9af2f11f46488332b80752b734a3cdeb)

Signed-off-by: Muhammad Shakeel <muhammad_shakeel@mentor.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

2013-07-04 | openssl: fix documentation build errors with Perl 5.18 pod2man | Jonathan Liu

(From OE-Core master rev: 8792b7fb4ef8d66336d52de7e81efbb818e16b08)

Signed-off-by: Jonathan Liu <net147@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

2013-06-10 | openssl: Disable parallel make | Phil Blundell

Otherwise you get errors like:

| ../libcrypto.so: file not recognized: File truncated
| collect2: error: ld returned 1 exit status
| make[2]: *** [link_o.gnu] Error 1

(From OE-Core master rev: 61c21a0f7a2041446a82b76ee3658fda5dfbff1d)

Signed-off-by: Phil Blundell <philb@gnu.org>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

2013-04-16 | openssl: update range information in man-section.patch | Ting Liu

do_patch failed after upgrading to openssl-1.0.1e.

Log:
| ERROR: Command Error: exit status: 1 Output:
| Applying patch man-section.patch
| patching file Makefile.org
| Hunk #1 succeeded at 160 (offset 26 lines).
| Hunk #2 succeeded at 626 (offset 19 lines).
| misordered hunks! output would be garbled
| Hunk #3 FAILED at 633.
| 1 out of 3 hunks FAILED -- rejects in file Makefile.org
| Patch man-section.patch does not apply (enforce with -f)
| ERROR: Function failed: patch_do_patch
| ERROR: Logfile of failure stored in:temp/log.do_patch.14679
| ERROR: Task 646 (virtual:native:openssl_1.0.1e.bb, do_patch) failed with exit code '1'

Change-Id: Ib63031fdbd09443e387ee57efa70381e0aca382c
Signed-off-by: Ting Liu <b28495@freescale.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

2013-04-09 | openssl: Upgrade to v1.0.1e | Radu Moisan

Dropped obsolete patches and pulled updates for debian patches.

Addresses CVEs:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2686
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0166
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0169

[YOCTO #3965]

Signed-off-by: Radu Moisan <radu.moisan@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

2013-03-18 | openssl: build always with -Wa,--noexecstack | Enrico Scholz

There is no reason to disable exec-stack only for -native builds; binaries on the target will suffer from the same SELinux ACLs.

OpenSSL does not use executable stack so this option can be disabled unconditionally.

Signed-off-by: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

2013-03-04 | recipes: Fix ALLOW_EMPTY with no package specified | Richard Purdie

There are various usages of ALLOW_EMPTY with no packages specified. This is not recommended syntax, nor is it likely to be supported in the future. This patch improves the references in OE-Core, either removing them if they're pointless (e.g. when PACKAGES="") or specifying which package it applies to.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

2013-02-08 | openssl: Add mips64 configure support. | Randy MacLeod

Add mips64 configure support but assume mips(32) userspace.

Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>

2012-12-03 | ocf-linux: Update to 20120127 | Saul Wold

README changes to update the CHKSUM
ocf directory is now in main tarball so no need to untar now.

Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

2012-11-02 | recipes-connectivity: replace virtclass-native(sdk) with class-native(sdk) | Robert Yang

The overrides virtclass-native and virtclass-nativesdk are deprecated, which should be replaced by class-native and class-nativesdk.

[YOCTO #3297]

Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>

2012-10-30 | openssl: Use ${CFLAGS} not ${FULL_OPTIMIZATION} | Phil Blundell

The latter variable is only applicable for target builds and could result in passing incompatible options (and/or failing to pass required options) to ${BUILD_CC} for a virtclass-native build.

Signed-off-by: Phil Blundell <philb@gnu.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

2012-10-18 | openssl: add AArch64 support | Marcin Juszkiewicz

Signed-off-by: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>
Signed-off-by: Saul Wold <sgw@linux.intel.com>

2012-07-22 | openssl: upgrade to 1.0.0j | Scott Garman

Addresses CVE-2012-2333

Fixes [YOCTO #2682]

Signed-off-by: Scott Garman <scott.a.garman@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

2012-06-21 | openssl: add deprecated and unmaintained find.pl from perl-5.14 to fix perlpath.pl | Martin Jansa

* openembedded-core/meta/recipes-connectivity/openssl/openssl.inc
*
* is using perlpath.pl:
*
* do_configure () {
* cd util
* perl perlpath.pl ${STAGING_BINDIR_NATIVE}
* ...
*
* and perlpath.pl is using find.pl:
* openssl-1.0.0i/util/perlpath.pl:
* #!/usr/local/bin/perl
* #
* # modify the '#!/usr/local/bin/perl'
* # line in all scripts that rely on perl.
* #
*
* require "find.pl";
* ...
*
* which was removed in perl-5.16.0 and marked as deprecated and
* unmaintained in 5.14 and older:
* /tmp/usr/lib/perl5/5.14.2/find.pl:
* warn "Legacy library @{[(caller(0))[6]]} will be removed from the Perl
* core distribution in the next major release. Please install it from the
* CPAN distribution Perl4::CoreLibs. It is being used at @{[(caller)[1]]},
* line @{[(caller)[2]]}.\n";
*
* # This library is deprecated and unmaintained. It is included for
* # compatibility with Perl 4 scripts which may use it, but it will be
* # removed in a future version of Perl. Please use the File::Find module
* # instead.

Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>

2012-05-09 | openssl: Fix build for mips64(el) | Khem Raj

Signed-off-by: Khem Raj <raj.khem@gmail.com>

2012-05-08 | openssl: fix incorrect INC_PR | Scott Garman

Restore INC_PR to r15 to prevent breakage with out of tree openssl recipes (e.g., meta-oe).

Signed-off-by: Scott Garman <scott.a.garman@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

2012-04-25 | openssl: upgrade to 1.0.0i | Scott Garman

Addresses CVE-2012-2110

Fixes bug [YOCTO #2368]

Signed-off-by: Scott Garman <scott.a.garman@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

2012-03-21 | openssl: upgrade to 1.0.0.h | Scott Garman

Removed pkg-config.patch, which was incorporated upstream.

Addresses CVE-2012-0884.

Fixes bug [YOCTO #2139].

Signed-off-by: Scott Garman <scott.a.garman@intel.com>

2012-02-23 | openssl: Move libcrypto to base_libdir | Andrei Gherzan

This fix is for dhclient. It needs libcrypto at runtime and if libcrypto is in libdir, its path can be inaccessible on systems where /usr is on nfs for example or dhclient is needed before /usr is mounted.

Signed-off-by: Andrei Gherzan <andrei@gherzan.ro>

[Fix comment to from /usr -> /lib - sgw]

Signed-off-by: Saul Wold <sgw@linux.intel.com>

2012-02-07 | openssl-0.9.8: Remove in favor of 1.0.0 | Saul Wold

Now that Openssl 1.0.0 has been out for a while, there is no need to keep multiple versions.

Signed-off-by: Saul Wold <sgw@linux.intel.com>

2012-02-02 | openssl: Update to 0.9.8t (gplv2) | Saul Wold

Signed-off-by: Saul Wold <sgw@linux.intel.com>

2012-02-02 | openssl: Update to 1.0.0g | Saul Wold

Signed-off-by: Saul Wold <sgw@linux.intel.com>

2012-01-17 | openssl-1.0.0: Update to 1.0.0e and fix QA Warning | Saul Wold

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4108
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4576
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4577
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4619
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0027

[YOCTO #1905]

Signed-off-by: Saul Wold <sgw@linux.intel.com>

2012-01-17 | openssl-0.9.8: Update to 0.9.8s | Saul Wold

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4108
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4109
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4576
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4577
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4619

[YOCTO #1904]

Signed-off-by: Saul Wold <sgw@linux.intel.com>

2012-01-03 | misc patches: fix patch headers | Nitin A Kamble

These patches were marked by "UpstreamStatus:" line, fix it to use "Upstream-Status:" instead.

Signed-off-by: Nitin A Kamble <nitin.a.kamble@intel.com>

2011-12-12 | openssl-1.0.0e: Update x32 Configure | H.J. Lu

Make linux-x32 as close to linux-x86_64 as possible:

1. Add -mx32 -DMD32_REG_T=int.
2. Changed to -O3.
3. Remove -pipe -g -feliminate-unused-debug-types.
4. Remove -DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS.
5. Add :::x32 for multilib.

Signed-Off-By: Nitin A Kamble <nitin.a.kamble@intel.com>
Signed-Off-By: H.J. Lu <hjl.tools@gmail.com>

2011-12-05 | openssl-1.0.0e: fix to work with x32 toolchain | Nitin A Kamble

Add BN_ADDR for address type instead of using BN_ULONG or unsigned long:

1. For W64, address type is unsigned long long, not unsigned long.
2. For x32, address type is unsigned long, not BN_ULONG.

Added a new target linux-x32 in the config file

The do_install() code to move lib/* to lib64 is not needed now with the enhanced multilib support.

Make the x86-64 assembly syntax compatible with x32 compiler.

Signed-off-by: Nitin A Kamble <nitin.a.kamble@intel.com>
Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

2011-11-30 | openssl: Add openssl 1.0 | Saul Wold

* Thanks to meta-oe for this contribution
* Add Patch Upstream-Status info
* Merged the meta-oe version of openssl-1.0.inc with openssl.inc
* Fix make install parallel issue with PARALLEL_MAKEINST = ""

Signed-off-by: Saul Wold <sgw@linux.intel.com>

2011-11-30 | openssl-0.9.8: move parallel-make fix to 0.9.8 | Saul Wold

Signed-off-by: Saul Wold <sgw@linux.intel.com>

2011-11-30 | ocf-linux: Add ocf-linux to support openssl 1.0 | Saul Wold

Signed-off-by: Saul Wold <sgw@linux.intel.com>

2011-11-07 | libcense.bbclass: fix OpenSSL mapping | Martin Jansa

[YOCTO #1712]

Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>

Fixed YOCTO bug format and location

Signed-off-by: Saul Wold <sgw@linux.intel.com>

2011-09-28 | openssl: Ensure perl scripts reference the correct perl | Richard Purdie

Without this change the perl path from the build system is used.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

2011-07-26 | meta: Rename SITEINFO_ENDIANESS to SITEINFO_ENDIANNESS | Khem Raj

There is this discrepancy in spelling. Let's fix it in core. There are a lot of layers using SITEINFO_ENDIANNESS.

This was shielded since meta-oe had its own copy of siteinfo class. But that class has now been deleted in favor of oe-core.

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

2011-07-22 | openssl: Add handling for building on linux-powerpc64 | Kumar Gala

If trying to build for a ppc64 target openssl will fail to build since the configure script didn't know how to handle a 'linux-powerpc64' target.

Signed-off-by: Kumar Gala <galak@kernel.crashing.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

2011-07-20 | openssl: Add handling for linux-gnuspe-powerpc | Kumar Gala

If trying to build for an e500v2 target openssl will fail to build since the configure script didn't know how to handle a 'gnuspe' target.

Signed-off-by: Kumar Gala <galak@kernel.crashing.org>

2011-07-14 | openssl: pass ${mandir} explicitly to "make install" | Phil Blundell

Otherwise it will use the openssl internal default of /usr/share/man which may not be correct.

Signed-off-by: Phil Blundell <philb@gnu.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

2011-07-12 | openssl: fix for non /usr/lib libdir case | Yu Ke

If libdir is not /usr/lib, e.g. /usr/lib64, openssl build will fail because it still uses /usr/lib as library dir.

This patch appends the configure option "--libdir" to specify the correct library directory.

Signed-off-by: Yu Ke <ke.yu@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

2011-06-14 | openssl: should depend on perl-native-runtime rather than perl-native | Dexuan Cui

Signed-off-by: Dexuan Cui <dexuan.cui@intel.com>

2011-05-17 | openssl: backport fix for empty prefix from oe master | Phil Blundell

This fixes a build failure when ${prefix}="".

Signed-off-by: Phil Blundell <philb@gnu.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

2011-05-13 | update patch upstream status | Qing He

This patch includes the update of patch upstream status of the following recipes (50 in all):

grub pciutils setserial dhcp iproute2 libnss-mdns nfs-utils openssl portmap busybox coreutils dbus dropbear ncurses readline sysfsutils sysvinit tinylogin udev update-rc.d util-linux elfutils file pkgconfig syslinux ubootchart yaffs2 findutils gamin hdparm libaio libzypp parted procps sat-solver screen sed sysklogd tcp-wrapper time zypper attr boost createrepo gnutls hal js libgcrypt libnl libusb-compat

Signed-off-by: Qing He <qing.he@intel.com>

2011-04-18 | openssl: upgrade to version 0.9.8r | Qing He

[YOCTO #979]

from 0.9.8p fixes CVE-2010-4180, CVE-2010-4252, CVE-2010-0014

Signed-off-by: Qing He <qing.he@intel.com>

2011-04-04 | recipes: Use -uclibceabi instead of -uclibcgnueabi | Khem Raj

Signed-off-by: Khem Raj <raj.khem@gmail.com>

2011-02-17 | openssl: fix parallel make | Qing He

Signed-off-by: Qing He <qing.he@intel.com>