Bug 73

Summary: Bump openssl package to the latest version
Product: buildroot Reporter: Gustavo Zacarias <gustavo>
Component: Outdated package Assignee: unassigned
Status: RESOLVED FIXED    
Severity: enhancement CC: buildroot, hamish, hans-christian.egtvedt, jacmet
Priority: P5    
Version: unspecified   
Target Milestone: ---   
Hardware: PC   
OS: Linux   
Host: i686-linux Target: arm-softfloat-linux-uclibcgnueabi
Build:
Attachments: Patch to bump to 0.9.8j

Description Gustavo Zacarias 2009-01-26 18:36:49 UTC
2009.02-rc2 uses openssl-0.9.8g which has some security issues.
This patch bumps the package to openssl-0.9.8j.
It also moves openssldir from /usr/lib/ssl to /etc/ssl, otherwise the openssl binary will look for its configuration file in that odd directory.
Tested for an arm target, someone should test if this didn't break avr32 before committing (I can try in a couple of days with my atngw100).
Comment 1 Gustavo Zacarias 2009-01-26 18:39:32 UTC
Patch exceeds 400k so I can't attach, fetch from http://www.zacarias.com.ar/openssl-0.9.8j.patch
Sorry!
Comment 2 Peter Korsgaard 2009-01-26 19:46:25 UTC
That's a big patch. We're unfortunately this close to the release that I won't commit it until after the release, unless I get acks from other archs.
Comment 3 Gustavo Zacarias 2009-01-26 21:19:12 UTC
The patch is big because of patch file renaming.
Basically it's only that plus s/0.9.8g/0.9.8j/ and the change to openssldir in the .mk file.
Probably better to apply after release, just remember it later ;-)
Comment 4 Hamish Moffatt 2009-01-27 01:12:26 UTC
I've been using 0.9.8i locally with no issues.
Comment 5 Hamish Moffatt 2009-01-27 01:22:46 UTC
I think upgrading to 0.9.8j would be good, as this is a security-sensitive package and we should do our best to keep it up to date.
Comment 6 Gustavo Zacarias 2009-01-27 16:35:06 UTC
The avr32 needs a rework, it won't apply cleanly.
Anyone interested in avr32 to do it?
Comment 7 Hans-Christian Egtvedt 2009-01-28 06:45:24 UTC
Just leave out AVR32 for now, I think the security stuff is more important.

The openssl.mk needs a little love before AVR32 will work, you have to disable it selecting an optimization for AVR32 arch.
Comment 8 Gustavo Zacarias 2009-01-28 11:35:12 UTC
Created attachment 43
Patch to bump to 0.9.8j

Here's a simplified patch, basically renames the relevant 0.9.8g patches for 0.9.8j, adds a no-fips patch (removes newly introduced garbage in the target for 0.9.8j), and moves openssldir from /usr/lib/ssl to /etc/ssl.
I basically ignored the avr32 patch on this take.
Comment 9 Peter Korsgaard 2009-03-01 21:03:45 UTC
version bumped r25433 by Hamish, care to check that everything is like you wanted?
Comment 10 Gustavo Zacarias 2009-03-02 16:42:30 UTC
Looks ok, though it still leaves openssldir pointing to /usr/lib/ssl rather than the common approach of /etc/ssl.
Being mostly a configuration directory it should really reside in /etc/ssl.