openssl and heartbleed


Richard Schmitt <richard.schmitt@...>

Does the Yocto project plan to have some response to the heartbleed exploit in openssl in the near term?  Has this already been addressed?


Thanks,

Rich



Martin Jansa

On Mon, Apr 14, 2014 at 02:37:52PM +0000, Richard Schmitt wrote:
> Does the Yocto project plan to have some response to the heartbleed exploit in openssl in the near term? Has this already been addressed?

It was already addressed for master, daisy, dora and dylan.

--
Martin 'JaMa' Jansa jabber: Martin.Jansa@gmail.com


Paul Eggleton

On Monday 14 April 2014 16:41:21 Martin Jansa wrote:
> On Mon, Apr 14, 2014 at 02:37:52PM +0000, Richard Schmitt wrote:
> > Does the Yocto project plan to have some response to the heartbleed
> > exploit in openssl in the near term? Has this already been addressed?
>
> It was already addressed for master, daisy, dora and dylan.

Specifically, for master and daisy (what will be the 1.6 release), OpenSSL was
upgraded to 1.0.1g which includes the fix. For dora (1.5) and dylan (1.4)
branches, the specific fix was backported as a patch on top of 1.0.1e.

We haven't yet had a point release of 1.4 or 1.5 that includes the fix. At this
point given the nature of our project, I'm not sure if we would rush to do
one. It's certainly likely we will have a 1.5 point release in the near future
though.

Cheers,
Paul

--

Paul Eggleton
Intel Open Source Technology Centre


Michael Halstead

On 04/14/2014 07:41 AM, Martin Jansa wrote:
> On Mon, Apr 14, 2014 at 02:37:52PM +0000, Richard Schmitt wrote:
> > Does the Yocto project plan to have some response to the heartbleed exploit in openssl in the near term? Has this already been addressed?
>
> It was already addressed for master, daisy, dora and dylan.

It's a separate issue but as far as the yoctoproject.org infrastructure is concerned, our primary SSL termination server runs OpenSSL 0.9.8k and was not vulnerable to heartbleed. Other servers were not publicly accessible and were patched quickly after the announcement. On the build hosts the only running service linked against OpenSSL was NTP. We discussed this on the https://www.yoctoproject.org/tools-resources/community/weekly-technical-call the day after heartbleed was announced.

Michael Halstead
Yocto Project / Sys Admin
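Two checks come out of this thread for anyone auditing a build host or a deployed image: Michael's inventory of which running services are actually linked against OpenSSL, and Paul's note that dora and dylan keep the 1.0.1e version string with the fix backported on top, so the version alone cannot tell a patched 1.0.1e from an unpatched one. The POSIX shell script below is an added example written for this page; it is not code from the Yocto project or from anyone in the thread. It classifies an `openssl version` string against the range affected by Heartbleed (CVE-2014-0160: OpenSSL 1.0.1 through 1.0.1f, plus 1.0.2-beta1; 0.9.8 and 1.0.0 predate the TLS heartbeat extension) and walks a /proc-style tree listing every process that has libssl or libcrypto mapped. The proc root is a parameter so the scan can be pointed at a fixture; the function names and the `--scan` flag are my own.

```shell
#!/bin/sh
# Added example (not from the Yocto list thread): audit a host for Heartbleed
# exposure by (1) classifying an OpenSSL version string and (2) listing the
# processes that have an OpenSSL shared library mapped.

# Heartbleed (CVE-2014-0160) affects OpenSSL 1.0.1 through 1.0.1f and
# 1.0.2-beta1; 1.0.1g and later carry the fix; 0.9.8 and 1.0.0 never had the
# TLS heartbeat extension. A distro that backported the fix (as dora/dylan did
# on 1.0.1e) still prints the old version, so the verdict for that range is
# "affected-unless-patched", never a plain "affected".
# $1: output of `openssl version`, e.g. "OpenSSL 1.0.1e 11 Feb 2013"
openssl_version_status() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[-a-z0-9]*\).*/\1/p')
    case "$ver" in
        "")                              echo "unknown" ;;
        1.0.1|1.0.1[a-f]|1.0.2-beta1)    echo "affected-unless-patched" ;;
        0.9.*|1.0.0*)                    echo "not-affected" ;;
        *)                               echo "fixed" ;;
    esac
}

# Print "<pid> <comm> <library>" for every process whose memory map contains a
# libssl or libcrypto shared object. $1: proc root (default /proc); it is a
# parameter so the same function can be run against a fixture directory.
# Only dynamically linked users show up: a statically linked daemon has no
# libssl mapping and must be found by other means (e.g. strings/ldd on the binary).
ssl_linked_processes() {
    root=${1:-/proc}
    for mapsfile in "$root"/[0-9]*/maps; do
        [ -r "$mapsfile" ] || continue   # also skips an unexpanded glob
        pid=$(basename "$(dirname "$mapsfile")")
        comm=$(cat "$root/$pid/comm" 2>/dev/null || echo '?')
        # Each maps line ends with the pathname of the mapped file (if any);
        # pull out OpenSSL libraries and de-duplicate the segments of one library.
        grep -oE '/[^ ]*lib(ssl|crypto)\.so[^ ]*' "$mapsfile" 2>/dev/null | sort -u |
        while read -r lib; do
            printf '%s %s %s\n' "$pid" "$comm" "$lib"
        done
    done
}

# Stand-alone use: `sh heartbleed-audit.sh --scan` reports the host's openssl
# binary and then scans the live /proc (needs root to read other users' maps).
if [ "${1:-}" = "--scan" ]; then
    command -v openssl >/dev/null 2>&1 && openssl_version_status "$(openssl version)"
    ssl_linked_processes /proc
fi
```

On a dora or dylan image the version check is expected to report "affected-unless-patched"; the question is then settled by confirming the backported patch is in the recipe's SRC_URI (or in the package changelog), not by the version string. On the hosts Michael describes the process scan would have listed only ntpd, which is the sort of short list that makes a "which services need restarting after the upgrade" decision straightforward; a service that keeps the old library mapped after the package upgrade still shows the old path until it is restarted.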