From 3fb5191d4da52c6b352a23881c0ea63c2e348619 Mon Sep 17 00:00:00 2001
From: Paul Eggleton <paul.eggleton@linux.intel.com>
Date: Fri, 26 Dec 2014 15:05:36 +0000
Subject: openssh: upgrade to 6.7p1

* Drop two CVE patches already handled upstream.
* Drop nostrip.patch which no longer applies and use the existing
  --disable-strip configure option instead.
* OpenSSH 6.7+ no longer supports tcp wrappers. We could apply the
  Debian patch to add support back in, but it seems best to follow
  upstream here unless we have a good reason to do otherwise.

(From OE-Core rev: 59e0833e24e4945569d36928dc0f231e822670ba)

Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 .../openssh/openssh/openssh-CVE-2014-2653.patch    | 114 ---------------------
 1 file changed, 114 deletions(-)
 delete mode 100644 meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2653.patch

(limited to 'meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2653.patch')

diff --git a/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2653.patch b/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2653.patch
deleted file mode 100644
index 674d186044..0000000000
--- a/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2653.patch
+++ /dev/null
@@ -1,114 +0,0 @@
-Upstream-Status: Backport
-
-This CVE could be removed if openssh is upgrade to 6.6 or higher.
-Below are some details.
-
-Attempt SSHFP lookup even if server presents a certificate
-
-Reference:
-https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742513
-
-If an ssh server presents a certificate to the client, then the client
-does not check the DNS for SSHFP records. This means that a malicious
-server can essentially disable DNS-host-key-checking, which means the
-client will fall back to asking the user (who will just say "yes" to
-the fingerprint, sadly).
-
-This patch means that the ssh client will, if necessary, extract the
-server key from the proffered certificate, and attempt to verify it
-against the DNS. The patch was written by Mark Wooding
-<mdw@distorted.org.uk>. I modified it to add one debug2 call, reviewed
-it, and tested it.
-
-Signed-off-by: Matthew Vernon <matthew@debian.org>
-Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
----
---- a/sshconnect.c
-+++ b/sshconnect.c
-@@ -1210,36 +1210,63 @@ fail:
- 	return -1;
- }
- 
-+static int
-+check_host_key_sshfp(char *host, struct sockaddr *hostaddr, Key *host_key)
-+{
-+	int rc = -1;
-+	int flags = 0;
-+	Key *raw_key = NULL;
-+
-+	if (!options.verify_host_key_dns)
-+		goto done;
-+
-+	/* XXX certs are not yet supported for DNS; try looking the raw key
-+	 * up in the DNS anyway.
-+	 */
-+	if (key_is_cert(host_key)) {
-+		debug2("Extracting key from cert for SSHFP lookup");
-+		raw_key = key_from_private(host_key);
-+		if (key_drop_cert(raw_key))
-+			fatal("Couldn't drop certificate");
-+		host_key = raw_key;
-+	}
-+
-+	if (verify_host_key_dns(host, hostaddr, host_key, &flags))
-+		goto done;
-+
-+	if (flags & DNS_VERIFY_FOUND) {
-+
-+		if (options.verify_host_key_dns == 1 &&
-+				flags & DNS_VERIFY_MATCH &&
-+				flags & DNS_VERIFY_SECURE) {
-+			rc = 0;
-+		} else if (flags & DNS_VERIFY_MATCH) {
-+			matching_host_key_dns = 1;
-+		} else {
-+			warn_changed_key(host_key);
-+			error("Update the SSHFP RR in DNS with the new "
-+					"host key to get rid of this message.");
-+		}
-+	}
-+
-+done:
-+	if (raw_key)
-+		key_free(raw_key);
-+	return rc;
-+}
-+
- /* returns 0 if key verifies or -1 if key does NOT verify */
- int
- verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
- {
--	int flags = 0;
- 	char *fp;
- 
- 	fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
- 	debug("Server host key: %s %s", key_type(host_key), fp);
- 	free(fp);
- 
--	/* XXX certs are not yet supported for DNS */
--	if (!key_is_cert(host_key) && options.verify_host_key_dns &&
--	    verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
--		if (flags & DNS_VERIFY_FOUND) {
--
--			if (options.verify_host_key_dns == 1 &&
--			    flags & DNS_VERIFY_MATCH &&
--			    flags & DNS_VERIFY_SECURE)
--				return 0;
--
--			if (flags & DNS_VERIFY_MATCH) {
--				matching_host_key_dns = 1;
--			} else {
--				warn_changed_key(host_key);
--				error("Update the SSHFP RR in DNS with the new "
--				    "host key to get rid of this message.");
--			}
--		}
--	}
-+	if (check_host_key_sshfp(host, hostaddr, host_key) == 0)
-+		return 0;
- 
- 	return check_host_key(host, hostaddr, options.port, host_key, RDRW,
- 	    options.user_hostfiles, options.num_user_hostfiles,
--- 
-1.7.9.5
-
-- 
cgit v1.2.3-54-g00ecf