Wind River Security Alert for Wind River Linux 4.x/5.0.1.x/6.0.0.x
This alert confirms that the Wind River Linux releases 4.3.0.x/5.0.1.x/6.0.0.x ARE SUSCEPTIBLE
to the following Vulnerabilities
- CVE-2014-5139
- CVE-2014-3512
- CVE-2014-3511
- CVE-2014-3510
- CVE-2014-3509
- CVE-2014-3508
- CVE-2014-3507
- CVE-2014-3506
- CVE-2014-3505
Additional information for each Wind River Linux release is provided below.
Wind River Linux 4.3.0.x
================
CVE-2014-5139 - not vulnerable
CVE-2014-3512 - not vulnerable
CVE-2014-3511 - vunlerable
CVE-2014-3510 - vunlerable
CVE-2014-3509 - vunlerable
CVE-2014-3508 - vunlerable
CVE-2014-3507 - vunlerable
CVE-2014-3506 - vunlerable
CVE-2014-3505 - vunlerable
How to apply the patch to 4.3.0.25
$cd /wrlinux-4/layers/updates/RCPL-4.3-WRL.0025/wrll-userspace
$patch -p1 < 0001-Fix-following-CVEs-for-4.3.0.25.patch
How to apply the patch to 4.3.0.26 (It will be released 30AUG)
$cd /wrlinux-4/layers/updates/RCPL-4.3-WRL.0026/wrll-userspace
$patch -p1 < 0001-Fix-following-CVEs-for-4.3.0.26.patch
Note: this vulnerabilities will be patched in Wind River Linux 4.3.0.27 scheduled for release 22SEP2014.
Wind River Linux 5.0.1.x
================
CVE-2014-5139 - vulnerable
CVE-2014-3512 - vulnerable
CVE-2014-3511 - vunlerable
CVE-2014-3510 - vunlerable
CVE-2014-3509 - vunlerable
CVE-2014-3508 - vunlerable
CVE-2014-3507 - vunlerable
CVE-2014-3506 - vunlerable
CVE-2014-3505 - vunlerable
How to apply the patch 5.0.1.17
1) configure project with .. --with-rcpl-version=0017
2) cd project/layers/oe-core
3) git am 0001-Fix-openssl-CVEs-for-5.0.1.17.patch
Note: this vulnerabilities will be patched in Wind River Linux 5.0.1.18 scheduled for release 30AUG2014.
Wind River Linux 6.0.0.x
================
CVE-2014-5139 - vulnerable
CVE-2014-3512 - vulnerable
CVE-2014-3511 - vunlerable
CVE-2014-3510 - vunlerable
CVE-2014-3509 - vunlerable
CVE-2014-3508 - vunlerable
CVE-2014-3507 - vunlerable
CVE-2014-3506 - vunlerable
CVE-2014-3505 - vunlerable
How to apply the patch 6.0.0.10
1) configure project with .. --with-rcpl-version=0010
2) cd project/layers/oe-core
3) git am 0001-Fix-openssl-CVEs-for-6.0.0.10.patch
Note this vulnerabilities will be patched in Wind River Linux 6.0.0.11 scheduled for release 30AUG2014.
For more information please contact Wind River Support at +1-800-872-4977 or your local Wind River representative.