diff options
Diffstat (limited to 'meta/recipes-connectivity/openssh/openssh_8.2p1.bb')
| -rw-r--r-- | meta/recipes-connectivity/openssh/openssh_8.2p1.bb | 58 |
1 files changed, 56 insertions, 2 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb index fe94f30503..9d6cf7da6c 100644 --- a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb | |||
| @@ -5,7 +5,7 @@ Ssh (Secure Shell) is a program for logging into a remote machine \ | |||
| 5 | and for executing commands on a remote machine." | 5 | and for executing commands on a remote machine." |
| 6 | HOMEPAGE = "http://www.openssh.com/" | 6 | HOMEPAGE = "http://www.openssh.com/" |
| 7 | SECTION = "console/network" | 7 | SECTION = "console/network" |
| 8 | LICENSE = "BSD & ISC & MIT" | 8 | LICENSE = "BSD-2-Clause & BSD-3-Clause & BSD-4-Clause & ISC & MIT" |
| 9 | LIC_FILES_CHKSUM = "file://LICENCE;md5=18d9e5a8b3dd1790d73502f50426d4d3" | 9 | LIC_FILES_CHKSUM = "file://LICENCE;md5=18d9e5a8b3dd1790d73502f50426d4d3" |
| 10 | 10 | ||
| 11 | DEPENDS = "zlib openssl virtual/crypt" | 11 | DEPENDS = "zlib openssl virtual/crypt" |
| @@ -24,14 +24,63 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar | |||
| 24 | file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \ | 24 | file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \ |
| 25 | file://sshd_check_keys \ | 25 | file://sshd_check_keys \ |
| 26 | file://add-test-support-for-busybox.patch \ | 26 | file://add-test-support-for-busybox.patch \ |
| 27 | file://CVE-2020-14145.patch \ | ||
| 28 | file://CVE-2021-28041.patch \ | ||
| 29 | file://CVE-2021-41617.patch \ | ||
| 30 | file://CVE-2023-38408-01.patch \ | ||
| 31 | file://CVE-2023-38408-02.patch \ | ||
| 32 | file://CVE-2023-38408-03.patch \ | ||
| 33 | file://CVE-2023-38408-04.patch \ | ||
| 34 | file://CVE-2023-38408-05.patch \ | ||
| 35 | file://CVE-2023-38408-06.patch \ | ||
| 36 | file://CVE-2023-38408-07.patch \ | ||
| 37 | file://CVE-2023-38408-08.patch \ | ||
| 38 | file://CVE-2023-38408-09.patch \ | ||
| 39 | file://CVE-2023-38408-10.patch \ | ||
| 40 | file://CVE-2023-38408-11.patch \ | ||
| 41 | file://CVE-2023-38408-12.patch \ | ||
| 42 | file://CVE-2023-48795.patch \ | ||
| 43 | file://CVE-2023-51385.patch \ | ||
| 27 | " | 44 | " |
| 28 | SRC_URI[md5sum] = "3076e6413e8dbe56d33848c1054ac091" | 45 | SRC_URI[md5sum] = "3076e6413e8dbe56d33848c1054ac091" |
| 29 | SRC_URI[sha256sum] = "43925151e6cf6cee1450190c0e9af4dc36b41c12737619edff8bcebdff64e671" | 46 | SRC_URI[sha256sum] = "43925151e6cf6cee1450190c0e9af4dc36b41c12737619edff8bcebdff64e671" |
| 30 | 47 | ||
| 48 | # This CVE is specific to OpenSSH with the pam opie which we don't build/use here | ||
| 49 | CVE_CHECK_WHITELIST += "CVE-2007-2768" | ||
| 50 | |||
| 31 | # This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 | 51 | # This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 |
| 32 | # and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded | 52 | # and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded |
| 33 | CVE_CHECK_WHITELIST += "CVE-2014-9278" | 53 | CVE_CHECK_WHITELIST += "CVE-2014-9278" |
| 34 | 54 | ||
| 55 | # As per upstream, because of the way scp is based on a historical protocol called rcp | ||
| 56 | # which relies on that style of argument passing and therefore encounters expansion | ||
| 57 | # problems. Making changes to how the scp command line works breaks the pattern used | ||
| 58 | # by scp consumers. Upstream therefore recommends the use of rsync in the place of | ||
| 59 | # scp for better security. https://bugzilla.redhat.com/show_bug.cgi?id=1860487 | ||
| 60 | CVE_CHECK_WHITELIST += "CVE-2020-15778" | ||
| 61 | |||
| 62 | # CVE-2008-3844 was reported in OpenSSH on Red Hat Enterprise Linux and | ||
| 63 | # certain packages may have been compromised. This CVE is not applicable | ||
| 64 | # as our source is OpenBSD. https://securitytracker.com/id?1020730 | ||
| 65 | # https://www.securityfocus.com/bid/30794 | ||
| 66 | CVE_CHECK_WHITELIST += "CVE-2008-3844" | ||
| 67 | |||
| 68 | # openssh-ssh1 is provided for compatibility with old devices that | ||
| 69 | # cannot be upgraded to modern protocols. Thus they may not provide security | ||
| 70 | # support for this package because doing so would prevent access to equipment. | ||
| 71 | # The upstream OpenSSH developers see this as an important | ||
| 72 | # security feature and do not intend to 'fix' it. | ||
| 73 | # https://security-tracker.debian.org/tracker/CVE-2016-20012 | ||
| 74 | # https://ubuntu.com/security/CVE-2016-20012 | ||
| 75 | CVE_CHECK_WHITELIST += "CVE-2016-20012" | ||
| 76 | |||
| 77 | # As per debian, the issue is fixed by a feature called "agent restriction" in openssh 8.9 | ||
| 78 | # Urgency is unimportant as per debian, Hence this CVE is whitelisting. | ||
| 79 | # https://security-tracker.debian.org/tracker/CVE-2021-36368 | ||
| 80 | # https://bugzilla.mindrot.org/show_bug.cgi?id=3316#c2 | ||
| 81 | # https://docs.ssh-mitm.at/trivialauth.html | ||
| 82 | CVE_CHECK_WHITELIST += "CVE-2021-36368" | ||
| 83 | |||
| 35 | PAM_SRC_URI = "file://sshd" | 84 | PAM_SRC_URI = "file://sshd" |
| 36 | 85 | ||
| 37 | inherit manpages useradd update-rc.d update-alternatives systemd | 86 | inherit manpages useradd update-rc.d update-alternatives systemd |
| @@ -155,12 +204,17 @@ FILES_${PN}-sftp-server = "${libexecdir}/sftp-server" | |||
| 155 | FILES_${PN}-misc = "${bindir}/ssh* ${libexecdir}/ssh*" | 204 | FILES_${PN}-misc = "${bindir}/ssh* ${libexecdir}/ssh*" |
| 156 | FILES_${PN}-keygen = "${bindir}/ssh-keygen" | 205 | FILES_${PN}-keygen = "${bindir}/ssh-keygen" |
| 157 | 206 | ||
| 158 | RDEPENDS_${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen" | 207 | RDEPENDS_${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen ${PN}-sftp-server" |
| 159 | RDEPENDS_${PN}-sshd += "${PN}-keygen ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-keyinit pam-plugin-loginuid', '', d)}" | 208 | RDEPENDS_${PN}-sshd += "${PN}-keygen ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-keyinit pam-plugin-loginuid', '', d)}" |
| 160 | RRECOMMENDS_${PN}-sshd_append_class-target = "\ | 209 | RRECOMMENDS_${PN}-sshd_append_class-target = "\ |
| 161 | ${@bb.utils.filter('PACKAGECONFIG', 'rng-tools', d)} \ | 210 | ${@bb.utils.filter('PACKAGECONFIG', 'rng-tools', d)} \ |
| 162 | " | 211 | " |
| 163 | 212 | ||
| 213 | # break dependency on base package for -dev package | ||
| 214 | # otherwise SDK fails to build as the main openssh and dropbear packages | ||
| 215 | # conflict with each other | ||
| 216 | RDEPENDS:${PN}-dev = "" | ||
| 217 | |||
| 164 | # gdb would make attach-ptrace test pass rather than skip but not worth the build dependencies | 218 | # gdb would make attach-ptrace test pass rather than skip but not worth the build dependencies |
| 165 | RDEPENDS_${PN}-ptest += "${PN}-sftp ${PN}-misc ${PN}-sftp-server make sed sudo coreutils" | 219 | RDEPENDS_${PN}-ptest += "${PN}-sftp ${PN}-misc ${PN}-sftp-server make sed sudo coreutils" |
| 166 | 220 | ||