openssh: upgrade to 6.7p1

* Drop two CVE patches already handled upstream. * Drop nostrip.patch which no longer applies and use the existing --disable-strip configure option instead. * OpenSSH 6.7+ no longer supports tcp wrappers. We could apply the Debian patch to add support back in, but it seems best to follow upstream here unless we have a good reason to do otherwise. (From OE-Core rev: 59e0833e24e4945569d36928dc0f231e822670ba) Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Paul Eggleton <paul.eggleton@linux.intel.com> 2014-12-26 15:05:36 +0000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2015-01-07 23:35:06 +0000
commit: 3fb5191d4da52c6b352a23881c0ea63c2e348619 (patch)
tree: d64060e9d298fc5cf45e4650f11c615144bbfcc1 /meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2653.patch
parent: 060e35492d5b4d416ede1fd18db3647796271aa6 (diff)
download: poky-3fb5191d4da52c6b352a23881c0ea63c2e348619.tar.gz
1 files changed, 0 insertions, 114 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2653.patch b/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2653.patch
deleted file mode 100644
index 674d186044..0000000000
--- a/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2653.patch
+++ /dev/null
@@ -1,114 +0,0 @@
-Upstream-Status: Backport
-This CVE could be removed if openssh is upgrade to 6.6 or higher.
-Below are some details.
-Attempt SSHFP lookup even if server presents a certificate
-Reference:
-https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742513
-If an ssh server presents a certificate to the client, then the client
-does not check the DNS for SSHFP records. This means that a malicious
-server can essentially disable DNS-host-key-checking, which means the
-client will fall back to asking the user (who will just say "yes" to
-the fingerprint, sadly).
-This patch means that the ssh client will, if necessary, extract the
-server key from the proffered certificate, and attempt to verify it
-against the DNS. The patch was written by Mark Wooding
-<mdw@distorted.org.uk>. I modified it to add one debug2 call, reviewed
-it, and tested it.
-Signed-off-by: Matthew Vernon <matthew@debian.org>
-Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
--- a/sshconnect.c
-+++ b/sshconnect.c
-@@ -1210,36 +1210,63 @@ fail:
-        return -1;
- }
- 
-+static int
-+check_host_key_sshfp(char *host, struct sockaddr *hostaddr, Key *host_key)
-+{
-+       int rc = -1;
-+       int flags = 0;
-+       Key *raw_key = NULL;
-+
-+       if (!options.verify_host_key_dns)
-+               goto done;
-+
-+       /* XXX certs are not yet supported for DNS; try looking the raw key
-+        * up in the DNS anyway.
-+        */
-+       if (key_is_cert(host_key)) {
-+               debug2("Extracting key from cert for SSHFP lookup");
-+               raw_key = key_from_private(host_key);
-+               if (key_drop_cert(raw_key))
-+                       fatal("Couldn't drop certificate");
-+               host_key = raw_key;
-+       }
-+
-+       if (verify_host_key_dns(host, hostaddr, host_key, &flags))
-+               goto done;
-+
-+       if (flags & DNS_VERIFY_FOUND) {
-+
-+               if (options.verify_host_key_dns == 1 &&
-+                               flags & DNS_VERIFY_MATCH &&
-+                               flags & DNS_VERIFY_SECURE) {
-+                       rc = 0;
-+               } else if (flags & DNS_VERIFY_MATCH) {
-+                       matching_host_key_dns = 1;
-+               } else {
-+                       warn_changed_key(host_key);
-+                       error("Update the SSHFP RR in DNS with the new "
-+                                       "host key to get rid of this message.");
-+               }
-+       }
-+
-+done:
-+       if (raw_key)
-+               key_free(raw_key);
-+       return rc;
-+}
-+
- /* returns 0 if key verifies or -1 if key does NOT verify */
- int
- verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
- {
-       int flags = 0;
-        char *fp;
- 
-        fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
-        debug("Server host key: %s %s", key_type(host_key), fp);
-        free(fp);
- 
-       /* XXX certs are not yet supported for DNS */
-       if (!key_is_cert(host_key) && options.verify_host_key_dns &&
-           verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
-               if (flags & DNS_VERIFY_FOUND) {
-
-                       if (options.verify_host_key_dns == 1 &&
-                           flags & DNS_VERIFY_MATCH &&
-                           flags & DNS_VERIFY_SECURE)
-                               return 0;
-
-                       if (flags & DNS_VERIFY_MATCH) {
-                               matching_host_key_dns = 1;
-                       } else {
-                               warn_changed_key(host_key);
-                               error("Update the SSHFP RR in DNS with the new "
-                                   "host key to get rid of this message.");
-                       }
-               }
-       }
-+       if (check_host_key_sshfp(host, hostaddr, host_key) == 0)
-+               return 0;
- 
-        return check_host_key(host, hostaddr, options.port, host_key, RDRW,
-            options.user_hostfiles, options.num_user_hostfiles,
-- 
-1.7.9.5
author	Paul Eggleton <paul.eggleton@linux.intel.com>	2014-12-26 15:05:36 +0000
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2015-01-07 23:35:06 +0000
commit	3fb5191d4da52c6b352a23881c0ea63c2e348619 (patch)
tree	d64060e9d298fc5cf45e4650f11c615144bbfcc1 /meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2653.patch
parent	060e35492d5b4d416ede1fd18db3647796271aa6 (diff)
download	poky-3fb5191d4da52c6b352a23881c0ea63c2e348619.tar.gz

diff --git a/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2653.patch b/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2653.patch deleted file mode 100644 index 674d186044..0000000000 --- a/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2653.patch +++ /dev/null
@@ -1,114 +0,0 @@
1	Upstream-Status: Backport
2
3	This CVE could be removed if openssh is upgrade to 6.6 or higher.
4	Below are some details.
5
6	Attempt SSHFP lookup even if server presents a certificate
7
8	Reference:
9	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742513
10
11	If an ssh server presents a certificate to the client, then the client
12	does not check the DNS for SSHFP records. This means that a malicious
13	server can essentially disable DNS-host-key-checking, which means the
14	client will fall back to asking the user (who will just say "yes" to
15	the fingerprint, sadly).
16
17	This patch means that the ssh client will, if necessary, extract the
18	server key from the proffered certificate, and attempt to verify it
19	against the DNS. The patch was written by Mark Wooding
20	<mdw@distorted.org.uk>. I modified it to add one debug2 call, reviewed
21	it, and tested it.
22
23	Signed-off-by: Matthew Vernon <matthew@debian.org>
24	Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
25	---
26	--- a/sshconnect.c
27	+++ b/sshconnect.c
28	@@ -1210,36 +1210,63 @@ fail:
29	return -1;
30	}
31
32	+static int
33	+check_host_key_sshfp(char host, struct sockaddr hostaddr, Key *host_key)
34	+{
35	+ int rc = -1;
36	+ int flags = 0;
37	+ Key *raw_key = NULL;
38	+
39	+ if (!options.verify_host_key_dns)
40	+ goto done;
41	+
42	+ /* XXX certs are not yet supported for DNS; try looking the raw key
43	+ * up in the DNS anyway.
44	+ */
45	+ if (key_is_cert(host_key)) {
46	+ debug2("Extracting key from cert for SSHFP lookup");
47	+ raw_key = key_from_private(host_key);
48	+ if (key_drop_cert(raw_key))
49	+ fatal("Couldn't drop certificate");
50	+ host_key = raw_key;
51	+ }
52	+
53	+ if (verify_host_key_dns(host, hostaddr, host_key, &flags))
54	+ goto done;
55	+
56	+ if (flags & DNS_VERIFY_FOUND) {
57	+
58	+ if (options.verify_host_key_dns == 1 &&
59	+ flags & DNS_VERIFY_MATCH &&
60	+ flags & DNS_VERIFY_SECURE) {
61	+ rc = 0;
62	+ } else if (flags & DNS_VERIFY_MATCH) {
63	+ matching_host_key_dns = 1;
64	+ } else {
65	+ warn_changed_key(host_key);
66	+ error("Update the SSHFP RR in DNS with the new "
67	+ "host key to get rid of this message.");
68	+ }
69	+ }
70	+
71	+done:
72	+ if (raw_key)
73	+ key_free(raw_key);
74	+ return rc;
75	+}
76	+
77	/* returns 0 if key verifies or -1 if key does NOT verify */
78	int
79	verify_host_key(char host, struct sockaddr hostaddr, Key *host_key)
80	{
81	- int flags = 0;
82	char *fp;
83
84	fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
85	debug("Server host key: %s %s", key_type(host_key), fp);
86	free(fp);
87
88	- /* XXX certs are not yet supported for DNS */
89	- if (!key_is_cert(host_key) && options.verify_host_key_dns &&
90	- verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
91	- if (flags & DNS_VERIFY_FOUND) {
92	-
93	- if (options.verify_host_key_dns == 1 &&
94	- flags & DNS_VERIFY_MATCH &&
95	- flags & DNS_VERIFY_SECURE)
96	- return 0;
97	-
98	- if (flags & DNS_VERIFY_MATCH) {
99	- matching_host_key_dns = 1;
100	- } else {
101	- warn_changed_key(host_key);
102	- error("Update the SSHFP RR in DNS with the new "
103	- "host key to get rid of this message.");
104	- }
105	- }
106	- }
107	+ if (check_host_key_sshfp(host, hostaddr, host_key) == 0)
108	+ return 0;
109
110	return check_host_key(host, hostaddr, options.port, host_key, RDRW,
111	options.user_hostfiles, options.num_user_hostfiles,
112	--
113	1.7.9.5
114