summaryrefslogtreecommitdiffstats
path: root/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb
AgeCommit message (Collapse)AuthorFilesLines
2014-11-06openssl: Fix for CVE-2014-3568Sona Sarmadi1-0/+1
Fix for no-ssl3 configuration option This patch is a backport from OpenSSL_1.0.1j. (From OE-Core rev: 97e7b7a96178cf32411309f3e9e3e3b138d2050b) Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-11-06openssl: Fix for CVE-2014-3567Sona Sarmadi1-0/+1
Fix for session tickets memory leak. This patch is a backport from OpenSSL_1.0.1j. (From OE-Core rev: 420a8dc7b84b03a9c0a56280132e15b6c9a8b4df) Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-11-06openssl: Fix for CVE-2014-3513Sona Sarmadi1-0/+1
Fix for SRTP Memory Leak This patch is a backport from OpenSSL_1.0.1j. (From OE-Core rev: 6c19ca0d5aa6094aa2cfede821d63c008951cfb7) Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-11-06openssl: Fix for CVE-2014-3566Sona Sarmadi1-0/+1
OpenSSL_1.0.1 SSLV3 POODLE VULNERABILITY (CVE-2014-3566) This patch is a backport from OpenSSL_1.0.1j. (From OE-Core rev: 47633059a8556c03c0eaff2dd310af87d33e2b28) Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-06-10openssl: fix for CVE-2010-5298Yue Tao1-0/+1
Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, allows remote attackers to inject data across sessions or cause a denial of service (use-after-free and parsing error) via an SSL connection in a multithreaded environment. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-5298 (From OE-Core master rev: 751f81ed8dc488c500837aeb3eb41ebf3237e10b) (From OE-Core rev: 3cc799213e6528fc9fb4a0c40a01a1817484f499) Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-06-10openssl: fix CVE-2014-3470Paul Eggleton1-0/+1
http://www.openssl.org/news/secadv_20140605.txt Anonymous ECDH denial of service (CVE-2014-3470) OpenSSL TLS clients enabling anonymous ECDH ciphersuites are subject to a denial of service attack. (Patch borrowed from Fedora.) (From OE-Core rev: fe4e278f1794dda2e1aded56360556fe933614ca) Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-06-10openssl: fix CVE-2014-0224Paul Eggleton1-0/+1
http://www.openssl.org/news/secadv_20140605.txt SSL/TLS MITM vulnerability (CVE-2014-0224) An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server. The attack can only be performed between a vulnerable client *and* server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution. (Patch borrowed from Fedora.) (From OE-Core rev: f19dbbc864b12b0f87248d3199296b41a0dcd5b0) Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-06-10openssl: fix CVE-2014-0221Paul Eggleton1-0/+1
http://www.openssl.org/news/secadv_20140605.txt DTLS recursion flaw (CVE-2014-0221) By sending an invalid DTLS handshake to an OpenSSL DTLS client the code can be made to recurse eventually crashing in a DoS attack. Only applications using OpenSSL as a DTLS client are affected. (Patch borrowed from Fedora.) (From OE-Core rev: 6506f8993c84b966642ef857bb15cf96eada32e8) Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-06-10openssl: use upstream fix for CVE-2014-0198Paul Eggleton1-1/+1
This replaces the fix for CVE-2014-0198 with one borrowed from Fedora, which is the same as the patch which was actually applied upstream for the issue, i.e.: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=b107586c0c3447ea22dba8698ebbcd81bb29d48c (From OE-Core rev: 21fa437a37dad14145b6c8c8c16c95f1b074e09c) Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-06-10openssl: fix CVE-2014-0195Paul Eggleton1-0/+1
http://www.openssl.org/news/secadv_20140605.txt DTLS invalid fragment vulnerability (CVE-2014-0195) A buffer overrun attack can be triggered by sending invalid DTLS fragments to an OpenSSL DTLS client or server. This is potentially exploitable to run arbitrary code on a vulnerable client or server. Only applications using OpenSSL as a DTLS client or server affected. (Patch borrowed from Fedora.) (From OE-Core rev: c707b3ea9e1fbff2c6a82670e4b1af2b4f53d5e2) Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-05-21openssl: fix CVE-2014-0198Maxin B. John1-1/+2
A null pointer dereference bug was discovered in do_ssl3_write(). An attacker could possibly use this to cause OpenSSL to crash, resulting in a denial of service. https://access.redhat.com/security/cve/CVE-2014-0198 (From OE-Core rev: 4c58fe468790822fe48e0a570779979c831d0f10) Signed-off-by: Maxin B. John <maxin.john@enea.com> Signed-off-by: Matt Fleming <matt.fleming@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-04-11openssl: bump PRPaul Eggleton1-1/+1
We don't normally do this, but with the recent CVE fixes (most importantly the one for the serious CVE-2014-0160 vulnerability) I am bumping PR explicitly to make it a bit more obvious that the patch has been applied. (From OE-Core rev: 813fa9ed5e492e5dc08155d23d74127ca87304df) Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-04-09openssl: backport fix for CVE-2014-0160Paul Eggleton1-0/+1
Fixes the "heartbleed" TLS vulnerability (CVE-2014-0160). More information here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160 Patch borrowed from Debian; this is just a tweaked version of the upstream commit (without patching the CHANGES file which otherwise would fail to apply on top of this version). (From OE-Core rev: c3acfdfe0c0c3579c5f469f10b87a2926214ba5d) Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-04-09Security Advisory - openssl - CVE-2013-6449Yue Tao1-0/+1
The ssl_get_algorithm2 function in ssl/s3_lib.c in OpenSSL before 1.0.2 obtains a certain version number from an incorrect data structure, which allows remote attackers to cause a denial of service (daemon crash) via crafted traffic from a TLS 1.2 client. (From OE-Core master rev: 3e0ac7357a962e3ef6595d21ec4843b078a764dd) (From OE-Core rev: 33b6441429603b82cfca3d35e68e47e1ca021fd7) Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Jackie Huang <jackie.huang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-04-09Security Advisory - openssl - CVE-2013-6450Yue Tao1-0/+1
The DTLS retransmission implementation in OpenSSL through 0.9.8y and 1.x through 1.0.1e does not properly maintain data structures for digest and encryption contexts, which might allow man-in-the-middle attackers to trigger the use of a different context by interfering with packet delivery, related to ssl/d1_both.c and ssl/t1_enc.c. (From OE-Core master rev: 94352e694cd828aa84abd846149712535f48ab0f) (From OE-Core rev: 1e934529e501110a7bfe1cb09fe89dd0078bd426) Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Jackie Huang <jackie.huang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-04-09Security Advisory - openssl - CVE-2013-4353Yue Tao1-0/+1
The ssl3_take_mac function in ssl/s3_both.c in OpenSSL 1.0.1 before 1.0.1f allows remote TLS servers to cause a denial of service (NULL pointer dereference and application crash) via a crafted Next Protocol Negotiation record in a TLS handshake. (From OE-Core master rev: 35ccce7002188c8270d2fead35f9763b22776877) (From OE-Core rev: a5060594208de172cb31ad406b34b25decd061e4) Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Jackie Huang <jackie.huang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-08-26openssl: avoid NULL pointer dereference in three placesXufeng Zhang1-0/+2
There are three potential NULL pointer dereference in EVP_DigestInit_ex(), dh_pub_encode() and dsa_pub_encode() functions. Fix them by adding proper null pointer check. [YOCTO #4600] [ CQID: WIND00373257 ] (From OE-Core rev: 4779d3c89cf0129763a4f5b7306c1247a0d6d021) Signed-off-by: Xufeng Zhang <xufeng.zhang@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-06-17openssl: Add fix for cipher des-ede3-cfb1Muhammad Shakeel1-0/+1
Add patch file for one of the ciphers used in openssl, namely the cipher des-ede3-cfb1. Details of the bug, without this patch, can be found here. http://rt.openssl.org/Ticket/Display.html?id=2867 (From OE-Core rev: ed61c28b9af2f11f46488332b80752b734a3cdeb) Signed-off-by: Muhammad Shakeel <muhammad_shakeel@mentor.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-05-30openssl: fix documentation build errors with Perl 5.18 pod2manJonathan Liu1-0/+1
(From OE-Core rev: 8792b7fb4ef8d66336d52de7e81efbb818e16b08) Signed-off-by: Jonathan Liu <net147@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-04-28openssl: Disable parallel makePhil Blundell1-0/+1
Otherwise you get errors like: | ../libcrypto.so: file not recognized: File truncated | collect2: error: ld returned 1 exit status | make[2]: *** [link_o.gnu] Error 1 (From OE-Core rev: 61c21a0f7a2041446a82b76ee3658fda5dfbff1d) Signed-off-by: Phil Blundell <philb@gnu.org> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-04-09openssl: Upgrade to v1.0.1eRadu Moisan1-0/+50
Dropped obolete patches and pulled updates for debian patches. Addresses CVEs: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2686 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0166 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0169 [YOCTO #3965] (From OE-Core rev: 0470edd01c0aebaa78db137e365a7e22bfb199e9) Signed-off-by: Radu Moisan <radu.moisan@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>