diff options
author | Dengke Du <dengke.du@windriver.com> | 2017-01-22 02:12:40 -0500 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-01-26 10:44:28 +0000 |
commit | d742290d8497d6d3abecc12462c65cb3cbdf4cb0 (patch) | |
tree | c0f06f19dc7f054da08f79681d35c53827e0ed4f /meta/recipes-connectivity/openssh | |
parent | 543d0b0d1b44bcf12d433b1a1ae7134ca11c25e5 (diff) | |
download | poky-d742290d8497d6d3abecc12462c65cb3cbdf4cb0.tar.gz |
openssh: upgrade to 7.4p1
1. Drop CVE patch: fix-CVE-2016-8858.patch, because the version 7.4p1 have
been fixed it.
2. Rebase the remaining patchs on the version 7.4p1.
(From OE-Core rev: b648b382046bd94f0cf5fe0aa4b77ab250f126cd)
Signed-off-by: Dengke Du <dengke.du@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-connectivity/openssh')
-rw-r--r-- | meta/recipes-connectivity/openssh/openssh/fix-CVE-2016-8858.patch | 39 | ||||
-rw-r--r-- | meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch | 39 | ||||
-rw-r--r-- | meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-pkcs11.patch | 12 | ||||
-rw-r--r-- | meta/recipes-connectivity/openssh/openssh_7.4p1.bb (renamed from meta/recipes-connectivity/openssh/openssh_7.3p1.bb) | 5 |
4 files changed, 28 insertions, 67 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/fix-CVE-2016-8858.patch b/meta/recipes-connectivity/openssh/openssh/fix-CVE-2016-8858.patch deleted file mode 100644 index b26ee81b9a..0000000000 --- a/meta/recipes-connectivity/openssh/openssh/fix-CVE-2016-8858.patch +++ /dev/null | |||
@@ -1,39 +0,0 @@ | |||
1 | Fix CVE-2016-8858 of openssh | ||
2 | |||
3 | Backport patch from upstream and drop the change of comment which can NOT be applied. | ||
4 | |||
5 | Upstream-Status: Backport [ https://anongit.mindrot.org/openssh.git/commit/?id=ec165c3 ] | ||
6 | CVE: CVE-2016-8858 | ||
7 | |||
8 | Signed-off-by: Kai Kang <kai.kang@windriver.com> | ||
9 | --- | ||
10 | From ec165c392ca54317dbe3064a8c200de6531e89ad Mon Sep 17 00:00:00 2001 | ||
11 | From: "markus@openbsd.org" <markus@openbsd.org> | ||
12 | Date: Mon, 10 Oct 2016 19:28:48 +0000 | ||
13 | Subject: [PATCH] upstream commit | ||
14 | |||
15 | Unregister the KEXINIT handler after message has been | ||
16 | received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause | ||
17 | allocation of up to 128MB -- until the connection is closed. Reported by | ||
18 | shilei-c at 360.cn | ||
19 | |||
20 | Upstream-ID: 43649ae12a27ef94290db16d1a98294588b75c05 | ||
21 | --- | ||
22 | kex.c | 3 ++- | ||
23 | 1 file changed, 2 insertions(+), 1 deletion(-) | ||
24 | |||
25 | diff --git a/kex.c b/kex.c | ||
26 | index 3f97f8c..6a94bc5 100644 | ||
27 | --- a/kex.c | ||
28 | +++ b/kex.c | ||
29 | @@ -481,6 +481,7 @@ kex_input_kexinit(int type, u_int32_t seq, void *ctxt) | ||
30 | if (kex == NULL) | ||
31 | return SSH_ERR_INVALID_ARGUMENT; | ||
32 | |||
33 | + ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL); | ||
34 | ptr = sshpkt_ptr(ssh, &dlen); | ||
35 | if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0) | ||
36 | return r; | ||
37 | -- | ||
38 | 2.10.1 | ||
39 | |||
diff --git a/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch b/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch index 2773c14e5a..1098b972ce 100644 --- a/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch +++ b/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch | |||
@@ -1,18 +1,19 @@ | |||
1 | From d7eb26785ad4f25fb09fae46726ab8ca3fe16921 Mon Sep 17 00:00:00 2001 | 1 | From 27740c918fe5d78441bcf69e7d2eefb23ddeca4c Mon Sep 17 00:00:00 2001 |
2 | From: Haiqing Bai <Haiqing.Bai@windriver.com> | 2 | From: Dengke Du <dengke.du@windriver.com> |
3 | Date: Mon, 22 Aug 2016 14:11:16 +0300 | 3 | Date: Thu, 19 Jan 2017 03:00:08 -0500 |
4 | Subject: [PATCH] Remove des in cipher. | 4 | Subject: [PATCH 1/3] Remove des in cipher. |
5 | 5 | ||
6 | Upstream-Status: Pending | 6 | Upstream-Status: Pending |
7 | 7 | ||
8 | Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com> | 8 | Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com> |
9 | Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> | 9 | Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> |
10 | Signed-off-by: Dengke Du <dengke.du@windriver.com> | ||
10 | --- | 11 | --- |
11 | cipher.c | 18 ++++++++++++++++++ | 12 | cipher.c | 18 ++++++++++++++++++ |
12 | 1 file changed, 18 insertions(+) | 13 | 1 file changed, 18 insertions(+) |
13 | 14 | ||
14 | diff --git a/cipher.c b/cipher.c | 15 | diff --git a/cipher.c b/cipher.c |
15 | index 031bda9..6cd667a 100644 | 16 | index 2def333..59f6792 100644 |
16 | --- a/cipher.c | 17 | --- a/cipher.c |
17 | +++ b/cipher.c | 18 | +++ b/cipher.c |
18 | @@ -53,8 +53,10 @@ | 19 | @@ -53,8 +53,10 @@ |
@@ -25,8 +26,8 @@ index 031bda9..6cd667a 100644 | |||
25 | +#endif /* OPENSSL_NO_DES */ | 26 | +#endif /* OPENSSL_NO_DES */ |
26 | #endif | 27 | #endif |
27 | 28 | ||
28 | struct sshcipher { | 29 | struct sshcipher_ctx { |
29 | @@ -79,15 +81,19 @@ struct sshcipher { | 30 | @@ -88,15 +90,19 @@ struct sshcipher { |
30 | 31 | ||
31 | static const struct sshcipher ciphers[] = { | 32 | static const struct sshcipher ciphers[] = { |
32 | #ifdef WITH_SSH1 | 33 | #ifdef WITH_SSH1 |
@@ -39,14 +40,14 @@ index 031bda9..6cd667a 100644 | |||
39 | # endif /* OPENSSL_NO_BF */ | 40 | # endif /* OPENSSL_NO_BF */ |
40 | #endif /* WITH_SSH1 */ | 41 | #endif /* WITH_SSH1 */ |
41 | #ifdef WITH_OPENSSL | 42 | #ifdef WITH_OPENSSL |
42 | { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null }, | ||
43 | +#ifndef OPENSSL_NO_DES | 43 | +#ifndef OPENSSL_NO_DES |
44 | { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null }, | ||
44 | { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc }, | 45 | { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc }, |
45 | +#endif /* OPENSSL_NO_DES */ | 46 | +#endif /* OPENSSL_NO_DES */ |
46 | # ifndef OPENSSL_NO_BF | 47 | # ifndef OPENSSL_NO_BF |
47 | { "blowfish-cbc", | 48 | { "blowfish-cbc", |
48 | SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_bf_cbc }, | 49 | SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_bf_cbc }, |
49 | @@ -171,8 +177,10 @@ cipher_keylen(const struct sshcipher *c) | 50 | @@ -180,8 +186,10 @@ cipher_keylen(const struct sshcipher *c) |
50 | u_int | 51 | u_int |
51 | cipher_seclen(const struct sshcipher *c) | 52 | cipher_seclen(const struct sshcipher *c) |
52 | { | 53 | { |
@@ -57,7 +58,7 @@ index 031bda9..6cd667a 100644 | |||
57 | return cipher_keylen(c); | 58 | return cipher_keylen(c); |
58 | } | 59 | } |
59 | 60 | ||
60 | @@ -209,11 +217,13 @@ u_int | 61 | @@ -230,11 +238,13 @@ u_int |
61 | cipher_mask_ssh1(int client) | 62 | cipher_mask_ssh1(int client) |
62 | { | 63 | { |
63 | u_int mask = 0; | 64 | u_int mask = 0; |
@@ -71,7 +72,7 @@ index 031bda9..6cd667a 100644 | |||
71 | return mask; | 72 | return mask; |
72 | } | 73 | } |
73 | 74 | ||
74 | @@ -553,7 +563,9 @@ cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len) | 75 | @@ -606,7 +616,9 @@ cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len) |
75 | switch (c->number) { | 76 | switch (c->number) { |
76 | #ifdef WITH_OPENSSL | 77 | #ifdef WITH_OPENSSL |
77 | case SSH_CIPHER_SSH2: | 78 | case SSH_CIPHER_SSH2: |
@@ -79,20 +80,20 @@ index 031bda9..6cd667a 100644 | |||
79 | case SSH_CIPHER_DES: | 80 | case SSH_CIPHER_DES: |
80 | +#endif /* OPENSSL_NO_DES */ | 81 | +#endif /* OPENSSL_NO_DES */ |
81 | case SSH_CIPHER_BLOWFISH: | 82 | case SSH_CIPHER_BLOWFISH: |
82 | evplen = EVP_CIPHER_CTX_iv_length(&cc->evp); | 83 | evplen = EVP_CIPHER_CTX_iv_length(cc->evp); |
83 | if (evplen == 0) | 84 | if (evplen == 0) |
84 | @@ -576,8 +588,10 @@ cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len) | 85 | @@ -629,8 +641,10 @@ cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len) |
85 | break; | 86 | break; |
86 | #endif | 87 | #endif |
87 | #ifdef WITH_SSH1 | 88 | #ifdef WITH_SSH1 |
88 | +#ifndef OPENSSL_NO_DES | 89 | +#ifndef OPENSSL_NO_DES |
89 | case SSH_CIPHER_3DES: | 90 | case SSH_CIPHER_3DES: |
90 | return ssh1_3des_iv(&cc->evp, 0, iv, 24); | 91 | return ssh1_3des_iv(cc->evp, 0, iv, 24); |
91 | +#endif /* OPENSSL_NO_DES */ | 92 | +#endif /* OPENSSL_NO_DES */ |
92 | #endif | 93 | #endif |
93 | default: | 94 | default: |
94 | return SSH_ERR_INVALID_ARGUMENT; | 95 | return SSH_ERR_INVALID_ARGUMENT; |
95 | @@ -601,7 +615,9 @@ cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv) | 96 | @@ -654,7 +668,9 @@ cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv) |
96 | switch (c->number) { | 97 | switch (c->number) { |
97 | #ifdef WITH_OPENSSL | 98 | #ifdef WITH_OPENSSL |
98 | case SSH_CIPHER_SSH2: | 99 | case SSH_CIPHER_SSH2: |
@@ -100,19 +101,19 @@ index 031bda9..6cd667a 100644 | |||
100 | case SSH_CIPHER_DES: | 101 | case SSH_CIPHER_DES: |
101 | +#endif /* OPENSSL_NO_DES */ | 102 | +#endif /* OPENSSL_NO_DES */ |
102 | case SSH_CIPHER_BLOWFISH: | 103 | case SSH_CIPHER_BLOWFISH: |
103 | evplen = EVP_CIPHER_CTX_iv_length(&cc->evp); | 104 | evplen = EVP_CIPHER_CTX_iv_length(cc->evp); |
104 | if (evplen <= 0) | 105 | if (evplen <= 0) |
105 | @@ -616,8 +632,10 @@ cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv) | 106 | @@ -675,8 +691,10 @@ cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv) |
106 | break; | 107 | break; |
107 | #endif | 108 | #endif |
108 | #ifdef WITH_SSH1 | 109 | #ifdef WITH_SSH1 |
109 | +#ifndef OPENSSL_NO_DES | 110 | +#ifndef OPENSSL_NO_DES |
110 | case SSH_CIPHER_3DES: | 111 | case SSH_CIPHER_3DES: |
111 | return ssh1_3des_iv(&cc->evp, 1, (u_char *)iv, 24); | 112 | return ssh1_3des_iv(cc->evp, 1, (u_char *)iv, 24); |
112 | +#endif /* OPENSSL_NO_DES */ | 113 | +#endif /* OPENSSL_NO_DES */ |
113 | #endif | 114 | #endif |
114 | default: | 115 | default: |
115 | return SSH_ERR_INVALID_ARGUMENT; | 116 | return SSH_ERR_INVALID_ARGUMENT; |
116 | -- | 117 | -- |
117 | 2.1.4 | 118 | 2.8.1 |
118 | 119 | ||
diff --git a/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-pkcs11.patch b/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-pkcs11.patch index 815af422ff..47dc73ba10 100644 --- a/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-pkcs11.patch +++ b/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-pkcs11.patch | |||
@@ -1,12 +1,12 @@ | |||
1 | From 04cfd84423f693d879dc3ffebb0f6fe2680c254f Mon Sep 17 00:00:00 2001 | 1 | From e816fc06e4f8070b09e677ead4d21768784e4c99 Mon Sep 17 00:00:00 2001 |
2 | From: Haiqing Bai <Haiqing.Bai@windriver.com> | 2 | From: Dengke Du <dengke.du@windriver.com> |
3 | Date: Fri, 18 Mar 2016 15:59:21 +0800 | 3 | Date: Thu, 19 Jan 2017 03:21:40 -0500 |
4 | Subject: [PATCH 3/3] remove des in pkcs11. | 4 | Subject: [PATCH 2/3] remove des in pkcs11. |
5 | 5 | ||
6 | Upstream-Status: Pending | 6 | Upstream-Status: Pending |
7 | 7 | ||
8 | Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com> | 8 | Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com> |
9 | 9 | Signed-off-by: Dengke Du <dengke.du@windriver.com> | |
10 | --- | 10 | --- |
11 | pkcs11.h | 8 ++++++++ | 11 | pkcs11.h | 8 ++++++++ |
12 | 1 file changed, 8 insertions(+) | 12 | 1 file changed, 8 insertions(+) |
@@ -66,5 +66,5 @@ index b01d58f..98b36e6 100644 | |||
66 | #define CKM_PBE_SHA1_RC2_40_CBC (0x3ab) | 66 | #define CKM_PBE_SHA1_RC2_40_CBC (0x3ab) |
67 | #define CKM_PKCS5_PBKD2 (0x3b0) | 67 | #define CKM_PKCS5_PBKD2 (0x3b0) |
68 | -- | 68 | -- |
69 | 1.9.1 | 69 | 2.8.1 |
70 | 70 | ||
diff --git a/meta/recipes-connectivity/openssh/openssh_7.3p1.bb b/meta/recipes-connectivity/openssh/openssh_7.4p1.bb index 94eb0ed208..3b3d667a68 100644 --- a/meta/recipes-connectivity/openssh/openssh_7.3p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_7.4p1.bb | |||
@@ -25,13 +25,12 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar | |||
25 | file://openssh-7.1p1-conditional-compile-des-in-cipher.patch \ | 25 | file://openssh-7.1p1-conditional-compile-des-in-cipher.patch \ |
26 | file://openssh-7.1p1-conditional-compile-des-in-pkcs11.patch \ | 26 | file://openssh-7.1p1-conditional-compile-des-in-pkcs11.patch \ |
27 | file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \ | 27 | file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \ |
28 | file://fix-CVE-2016-8858.patch \ | ||
29 | " | 28 | " |
30 | 29 | ||
31 | PAM_SRC_URI = "file://sshd" | 30 | PAM_SRC_URI = "file://sshd" |
32 | 31 | ||
33 | SRC_URI[md5sum] = "dfadd9f035d38ce5d58a3bf130b86d08" | 32 | SRC_URI[md5sum] = "b2db2a83caf66a208bb78d6d287cdaa3" |
34 | SRC_URI[sha256sum] = "3ffb989a6dcaa69594c3b550d4855a5a2e1718ccdde7f5e36387b424220fbecc" | 33 | SRC_URI[sha256sum] = "1b1fc4a14e2024293181924ed24872e6f2e06293f3e8926a376b8aec481f19d1" |
35 | 34 | ||
36 | inherit useradd update-rc.d update-alternatives systemd | 35 | inherit useradd update-rc.d update-alternatives systemd |
37 | 36 | ||