4 files changed, 5 insertions, 172 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/nostrip.patch b/meta/recipes-connectivity/openssh/openssh/nostrip.patch
deleted file mode 100644
index 33111f5494..0000000000
--- a/meta/recipes-connectivity/openssh/openssh/nostrip.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-Disable stripping binaries during make install.
-Upstream-Status: Inappropriate [configuration]
-Build system specific.
-Signed-off-by: Scott Garman <scott.a.garman@intel.com>
-diff -ur openssh-5.6p1.orig/Makefile.in openssh-5.6p1/Makefile.in
--- openssh-5.6p1.orig/Makefile.in      2010-05-11 23:51:39.000000000 -0700
-+++ openssh-5.6p1/Makefile.in   2010-08-30 16:49:54.000000000 -0700
-@@ -29,7 +29,7 @@
- RAND_HELPER=$(libexecdir)/ssh-rand-helper
- PRIVSEP_PATH=@PRIVSEP_PATH@
- SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
-STRIP_OPT=@STRIP_OPT@
-+STRIP_OPT=
- 
- PATHS= -DSSHDIR=\"$(sysconfdir)\" \
-        -D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \
diff --git a/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2011-4327.patch b/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2011-4327.patch
deleted file mode 100644
index 30c11cf432..0000000000
--- a/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2011-4327.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-openssh-CVE-2011-4327
-A security flaw was found in the way ssh-keysign,
-a ssh helper program for host based authentication,
-attempted to retrieve enough entropy information on configurations that
-lacked a built-in entropy pool in OpenSSL (a ssh-rand-helper program would
-be executed to retrieve the entropy from the system environment).
-A local attacker could use this flaw to obtain unauthorized access to host keys
-via ptrace(2) process trace attached to the 'ssh-rand-helper' program.
-https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4327
-http://www.openssh.com/txt/portable-keysign-rand-helper.adv
-Upstream-Status: Pending
-Signed-off-by: Li Wang <li.wang@windriver.com>
--- a/ssh-keysign.c
-+++ b/ssh-keysign.c
-@@ -170,6 +170,10 @@
-        key_fd[i++] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
-        key_fd[i++] = open(_PATH_HOST_ECDSA_KEY_FILE, O_RDONLY);
-        key_fd[i++] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);
-+       if (fcntl(key_fd[0], F_SETFD, FD_CLOEXEC) != 0 ||
-+           fcntl(key_fd[1], F_SETFD, FD_CLOEXEC) != 0 ||
-+           fcntl(key_fd[2], F_SETFD, FD_CLOEXEC) != 0)
-+               fatal("fcntl failed");
- 
-        original_real_uid = getuid();   /* XXX readconf.c needs this */
-        if ((pw = getpwuid(original_real_uid)) == NULL)
diff --git a/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2653.patch b/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2653.patch
deleted file mode 100644
index 674d186044..0000000000
--- a/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2653.patch
+++ /dev/null
@@ -1,114 +0,0 @@
-Upstream-Status: Backport
-This CVE could be removed if openssh is upgrade to 6.6 or higher.
-Below are some details.
-Attempt SSHFP lookup even if server presents a certificate
-Reference:
-https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742513
-If an ssh server presents a certificate to the client, then the client
-does not check the DNS for SSHFP records. This means that a malicious
-server can essentially disable DNS-host-key-checking, which means the
-client will fall back to asking the user (who will just say "yes" to
-the fingerprint, sadly).
-This patch means that the ssh client will, if necessary, extract the
-server key from the proffered certificate, and attempt to verify it
-against the DNS. The patch was written by Mark Wooding
-<mdw@distorted.org.uk>. I modified it to add one debug2 call, reviewed
-it, and tested it.
-Signed-off-by: Matthew Vernon <matthew@debian.org>
-Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
--- a/sshconnect.c
-+++ b/sshconnect.c
-@@ -1210,36 +1210,63 @@ fail:
-        return -1;
- }
- 
-+static int
-+check_host_key_sshfp(char *host, struct sockaddr *hostaddr, Key *host_key)
-+{
-+       int rc = -1;
-+       int flags = 0;
-+       Key *raw_key = NULL;
-+
-+       if (!options.verify_host_key_dns)
-+               goto done;
-+
-+       /* XXX certs are not yet supported for DNS; try looking the raw key
-+        * up in the DNS anyway.
-+        */
-+       if (key_is_cert(host_key)) {
-+               debug2("Extracting key from cert for SSHFP lookup");
-+               raw_key = key_from_private(host_key);
-+               if (key_drop_cert(raw_key))
-+                       fatal("Couldn't drop certificate");
-+               host_key = raw_key;
-+       }
-+
-+       if (verify_host_key_dns(host, hostaddr, host_key, &flags))
-+               goto done;
-+
-+       if (flags & DNS_VERIFY_FOUND) {
-+
-+               if (options.verify_host_key_dns == 1 &&
-+                               flags & DNS_VERIFY_MATCH &&
-+                               flags & DNS_VERIFY_SECURE) {
-+                       rc = 0;
-+               } else if (flags & DNS_VERIFY_MATCH) {
-+                       matching_host_key_dns = 1;
-+               } else {
-+                       warn_changed_key(host_key);
-+                       error("Update the SSHFP RR in DNS with the new "
-+                                       "host key to get rid of this message.");
-+               }
-+       }
-+
-+done:
-+       if (raw_key)
-+               key_free(raw_key);
-+       return rc;
-+}
-+
- /* returns 0 if key verifies or -1 if key does NOT verify */
- int
- verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
- {
-       int flags = 0;
-        char *fp;
- 
-        fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
-        debug("Server host key: %s %s", key_type(host_key), fp);
-        free(fp);
- 
-       /* XXX certs are not yet supported for DNS */
-       if (!key_is_cert(host_key) && options.verify_host_key_dns &&
-           verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
-               if (flags & DNS_VERIFY_FOUND) {
-
-                       if (options.verify_host_key_dns == 1 &&
-                           flags & DNS_VERIFY_MATCH &&
-                           flags & DNS_VERIFY_SECURE)
-                               return 0;
-
-                       if (flags & DNS_VERIFY_MATCH) {
-                               matching_host_key_dns = 1;
-                       } else {
-                               warn_changed_key(host_key);
-                               error("Update the SSHFP RR in DNS with the new "
-                                   "host key to get rid of this message.");
-                       }
-               }
-       }
-+       if (check_host_key_sshfp(host, hostaddr, host_key) == 0)
-+               return 0;
- 
-        return check_host_key(host, hostaddr, options.port, host_key, RDRW,
-            options.user_hostfiles, options.num_user_hostfiles,
-- 
-1.7.9.5
diff --git a/meta/recipes-connectivity/openssh/openssh_6.6p1.bb b/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
index abc302b90f..19093fc992 100644
--- a/meta/recipes-connectivity/openssh/openssh_6.6p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
@@ -11,11 +11,9 @@ DEPENDS = "zlib openssl"
 DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
 SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.gz \
-           file://nostrip.patch \
           file://sshd_config \
           file://ssh_config \
           file://init \
-           file://openssh-CVE-2011-4327.patch \
           ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
           file://sshd.socket \
           file://sshd@.service \
@@ -23,13 +21,12 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
           file://volatiles.99_sshd \
           file://add-test-support-for-busybox.patch \
           file://run-ptest \
-           file://openssh-CVE-2014-2653.patch \
           file://auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch"
 PAM_SRC_URI = "file://sshd"
-SRC_URI[md5sum] = "3e9800e6bca1fbac0eea4d41baa7f239"
+SRC_URI[md5sum] = "3246aa79317b1d23cae783a3bf8275d6"
-SRC_URI[sha256sum] = "48c1f0664b4534875038004cc4f3555b8329c2a81c1df48db5c517800de203bb"
+SRC_URI[sha256sum] = "b2f8394eae858dabbdef7dac10b99aec00c95462753e80342e530bbb6f725507"
 inherit useradd update-rc.d update-alternatives systemd
@@ -42,9 +39,6 @@ INITSCRIPT_PARAMS_${PN}-sshd = "defaults 9"
 SYSTEMD_PACKAGES = "${PN}-sshd"
 SYSTEMD_SERVICE_${PN}-sshd = "sshd.socket"
-PACKAGECONFIG ??= "tcp-wrappers"
-PACKAGECONFIG[tcp-wrappers] = "--with-tcp-wrappers,,tcp-wrappers"
 inherit autotools-brokensep ptest
 # LFS support:
@@ -56,7 +50,9 @@ EXTRA_OECONF = "'LOGIN_PROGRAM=${base_bindir}/login' \
                --without-zlib-version-check \
                --with-privsep-path=/var/run/sshd \
                --sysconfdir=${sysconfdir}/ssh \
-                --with-xauth=/usr/bin/xauth"
+                --with-xauth=/usr/bin/xauth \
+                --disable-strip \
+                "
 # Since we do not depend on libbsd, we do not want configure to use it
 # just because it finds libutil.h.  But, specifying --disable-libutil

diff --git a/meta/recipes-connectivity/openssh/openssh/nostrip.patch b/meta/recipes-connectivity/openssh/openssh/nostrip.patch deleted file mode 100644 index 33111f5494..0000000000 --- a/meta/recipes-connectivity/openssh/openssh/nostrip.patch +++ /dev/null
@@ -1,20 +0,0 @@
1	Disable stripping binaries during make install.
2
3	Upstream-Status: Inappropriate [configuration]
4
5	Build system specific.
6
7	Signed-off-by: Scott Garman <scott.a.garman@intel.com>
8
9	diff -ur openssh-5.6p1.orig/Makefile.in openssh-5.6p1/Makefile.in
10	--- openssh-5.6p1.orig/Makefile.in 2010-05-11 23:51:39.000000000 -0700
11	+++ openssh-5.6p1/Makefile.in 2010-08-30 16:49:54.000000000 -0700
12	@@ -29,7 +29,7 @@
13	RAND_HELPER=$(libexecdir)/ssh-rand-helper
14	PRIVSEP_PATH=@PRIVSEP_PATH@
15	SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
16	-STRIP_OPT=@STRIP_OPT@
17	+STRIP_OPT=
18
19	PATHS= -DSSHDIR=\"$(sysconfdir)\" \
20	-D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \


diff --git a/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2011-4327.patch b/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2011-4327.patch deleted file mode 100644 index 30c11cf432..0000000000 --- a/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2011-4327.patch +++ /dev/null
@@ -1,29 +0,0 @@
1	openssh-CVE-2011-4327
2
3	A security flaw was found in the way ssh-keysign,
4	a ssh helper program for host based authentication,
5	attempted to retrieve enough entropy information on configurations that
6	lacked a built-in entropy pool in OpenSSL (a ssh-rand-helper program would
7	be executed to retrieve the entropy from the system environment).
8	A local attacker could use this flaw to obtain unauthorized access to host keys
9	via ptrace(2) process trace attached to the 'ssh-rand-helper' program.
10
11	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4327
12	http://www.openssh.com/txt/portable-keysign-rand-helper.adv
13
14	Upstream-Status: Pending
15
16	Signed-off-by: Li Wang <li.wang@windriver.com>
17	--- a/ssh-keysign.c
18	+++ b/ssh-keysign.c
19	@@ -170,6 +170,10 @@
20	key_fd[i++] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
21	key_fd[i++] = open(_PATH_HOST_ECDSA_KEY_FILE, O_RDONLY);
22	key_fd[i++] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);
23	+ if (fcntl(key_fd[0], F_SETFD, FD_CLOEXEC) != 0 \|\|
24	+ fcntl(key_fd[1], F_SETFD, FD_CLOEXEC) != 0 \|\|
25	+ fcntl(key_fd[2], F_SETFD, FD_CLOEXEC) != 0)
26	+ fatal("fcntl failed");
27
28	original_real_uid = getuid(); /* XXX readconf.c needs this */
29	if ((pw = getpwuid(original_real_uid)) == NULL)


diff --git a/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2653.patch b/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2653.patch deleted file mode 100644 index 674d186044..0000000000 --- a/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2653.patch +++ /dev/null
@@ -1,114 +0,0 @@
1	Upstream-Status: Backport
2
3	This CVE could be removed if openssh is upgrade to 6.6 or higher.
4	Below are some details.
5
6	Attempt SSHFP lookup even if server presents a certificate
7
8	Reference:
9	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742513
10
11	If an ssh server presents a certificate to the client, then the client
12	does not check the DNS for SSHFP records. This means that a malicious
13	server can essentially disable DNS-host-key-checking, which means the
14	client will fall back to asking the user (who will just say "yes" to
15	the fingerprint, sadly).
16
17	This patch means that the ssh client will, if necessary, extract the
18	server key from the proffered certificate, and attempt to verify it
19	against the DNS. The patch was written by Mark Wooding
20	<mdw@distorted.org.uk>. I modified it to add one debug2 call, reviewed
21	it, and tested it.
22
23	Signed-off-by: Matthew Vernon <matthew@debian.org>
24	Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
25	---
26	--- a/sshconnect.c
27	+++ b/sshconnect.c
28	@@ -1210,36 +1210,63 @@ fail:
29	return -1;
30	}
31
32	+static int
33	+check_host_key_sshfp(char host, struct sockaddr hostaddr, Key *host_key)
34	+{
35	+ int rc = -1;
36	+ int flags = 0;
37	+ Key *raw_key = NULL;
38	+
39	+ if (!options.verify_host_key_dns)
40	+ goto done;
41	+
42	+ /* XXX certs are not yet supported for DNS; try looking the raw key
43	+ * up in the DNS anyway.
44	+ */
45	+ if (key_is_cert(host_key)) {
46	+ debug2("Extracting key from cert for SSHFP lookup");
47	+ raw_key = key_from_private(host_key);
48	+ if (key_drop_cert(raw_key))
49	+ fatal("Couldn't drop certificate");
50	+ host_key = raw_key;
51	+ }
52	+
53	+ if (verify_host_key_dns(host, hostaddr, host_key, &flags))
54	+ goto done;
55	+
56	+ if (flags & DNS_VERIFY_FOUND) {
57	+
58	+ if (options.verify_host_key_dns == 1 &&
59	+ flags & DNS_VERIFY_MATCH &&
60	+ flags & DNS_VERIFY_SECURE) {
61	+ rc = 0;
62	+ } else if (flags & DNS_VERIFY_MATCH) {
63	+ matching_host_key_dns = 1;
64	+ } else {
65	+ warn_changed_key(host_key);
66	+ error("Update the SSHFP RR in DNS with the new "
67	+ "host key to get rid of this message.");
68	+ }
69	+ }
70	+
71	+done:
72	+ if (raw_key)
73	+ key_free(raw_key);
74	+ return rc;
75	+}
76	+
77	/* returns 0 if key verifies or -1 if key does NOT verify */
78	int
79	verify_host_key(char host, struct sockaddr hostaddr, Key *host_key)
80	{
81	- int flags = 0;
82	char *fp;
83
84	fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
85	debug("Server host key: %s %s", key_type(host_key), fp);
86	free(fp);
87
88	- /* XXX certs are not yet supported for DNS */
89	- if (!key_is_cert(host_key) && options.verify_host_key_dns &&
90	- verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
91	- if (flags & DNS_VERIFY_FOUND) {
92	-
93	- if (options.verify_host_key_dns == 1 &&
94	- flags & DNS_VERIFY_MATCH &&
95	- flags & DNS_VERIFY_SECURE)
96	- return 0;
97	-
98	- if (flags & DNS_VERIFY_MATCH) {
99	- matching_host_key_dns = 1;
100	- } else {
101	- warn_changed_key(host_key);
102	- error("Update the SSHFP RR in DNS with the new "
103	- "host key to get rid of this message.");
104	- }
105	- }
106	- }
107	+ if (check_host_key_sshfp(host, hostaddr, host_key) == 0)
108	+ return 0;
109
110	return check_host_key(host, hostaddr, options.port, host_key, RDRW,
111	options.user_hostfiles, options.num_user_hostfiles,
112	--
113	1.7.9.5
114


diff --git a/meta/recipes-connectivity/openssh/openssh_6.6p1.bb b/meta/recipes-connectivity/openssh/openssh_6.7p1.bb index abc302b90f..19093fc992 100644 --- a/meta/recipes-connectivity/openssh/openssh_6.6p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
@@ -11,11 +11,9 @@ DEPENDS = "zlib openssl"
11	DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"	11	DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
12		12
13	SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.gz \	13	SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.gz \
14	file://nostrip.patch \
15	file://sshd_config \	14	file://sshd_config \
16	file://ssh_config \	15	file://ssh_config \
17	file://init \	16	file://init \
18	file://openssh-CVE-2011-4327.patch \
19	${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \	17	${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
20	file://sshd.socket \	18	file://sshd.socket \
21	file://sshd@.service \	19	file://sshd@.service \
@@ -23,13 +21,12 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
23	file://volatiles.99_sshd \	21	file://volatiles.99_sshd \
24	file://add-test-support-for-busybox.patch \	22	file://add-test-support-for-busybox.patch \
25	file://run-ptest \	23	file://run-ptest \
26	file://openssh-CVE-2014-2653.patch \
27	file://auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch"	24	file://auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch"
28		25
29	PAM_SRC_URI = "file://sshd"	26	PAM_SRC_URI = "file://sshd"
30		27
31	SRC_URI[md5sum] = "3e9800e6bca1fbac0eea4d41baa7f239"	28	SRC_URI[md5sum] = "3246aa79317b1d23cae783a3bf8275d6"
32	SRC_URI[sha256sum] = "48c1f0664b4534875038004cc4f3555b8329c2a81c1df48db5c517800de203bb"	29	SRC_URI[sha256sum] = "b2f8394eae858dabbdef7dac10b99aec00c95462753e80342e530bbb6f725507"
33		30
34	inherit useradd update-rc.d update-alternatives systemd	31	inherit useradd update-rc.d update-alternatives systemd
35		32
@@ -42,9 +39,6 @@ INITSCRIPT_PARAMS_${PN}-sshd = "defaults 9"
42	SYSTEMD_PACKAGES = "${PN}-sshd"	39	SYSTEMD_PACKAGES = "${PN}-sshd"
43	SYSTEMD_SERVICE_${PN}-sshd = "sshd.socket"	40	SYSTEMD_SERVICE_${PN}-sshd = "sshd.socket"
44		41
45	PACKAGECONFIG ??= "tcp-wrappers"
46	PACKAGECONFIG[tcp-wrappers] = "--with-tcp-wrappers,,tcp-wrappers"
47
48	inherit autotools-brokensep ptest	42	inherit autotools-brokensep ptest
49		43
50	# LFS support:	44	# LFS support:
@@ -56,7 +50,9 @@ EXTRA_OECONF = "'LOGIN_PROGRAM=${base_bindir}/login' \
56	--without-zlib-version-check \	50	--without-zlib-version-check \
57	--with-privsep-path=/var/run/sshd \	51	--with-privsep-path=/var/run/sshd \
58	--sysconfdir=${sysconfdir}/ssh \	52	--sysconfdir=${sysconfdir}/ssh \
59	--with-xauth=/usr/bin/xauth"	53	--with-xauth=/usr/bin/xauth \
		54	--disable-strip \
		55	"
60		56
61	# Since we do not depend on libbsd, we do not want configure to use it	57	# Since we do not depend on libbsd, we do not want configure to use it
62	# just because it finds libutil.h. But, specifying --disable-libutil	58	# just because it finds libutil.h. But, specifying --disable-libutil