author | jeff <jhatch@multitech.com> | 2023-01-24 09:37:57 -0600 |
committer | jeff <jhatch@multitech.com> | 2023-01-24 09:37:57 -0600 |
commit | c94c9986362ebf4084734a3963415c5d894cf3a6 (patch) | |
tree | 1f5d79df115e23318d93bfc9e99dddecf9be8748 /recipes-connectivity/openssh/openssh_8.4p1.bb | |
parent | 8400520cffdd3c133c684eac60ab438a7ecaa050 (diff) | |
parent | 2eaa3fd064097eb221b56d5df0e7136ba705a0cd (diff) | |
Merge branch 'md/cve-fixes2-squashed' into 6
Diffstat (limited to 'recipes-connectivity/openssh/openssh_8.4p1.bb')
-rw-r--r-- | recipes-connectivity/openssh/openssh_8.4p1.bb | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/recipes-connectivity/openssh/openssh_8.4p1.bb b/recipes-connectivity/openssh/openssh_8.4p1.bb
index a65ab70..0cadaf9 100644
--- a/recipes-connectivity/openssh/openssh_8.4p1.bb
+++ b/recipes-connectivity/openssh/openssh_8.4p1.bb
@@ -27,13 +27,40 @@ SRC_URI = "https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.ta
 file://sshd_check_keys \
 file://add-test-support-for-busybox.patch \
 file://0f90440ca70abab947acbd77795e9f130967956c.patch \
+ file://CVE-2021-28041.patch \
+ file://CVE-2021-41617.patch \
 "
 SRC_URI[sha256sum] = "5a01d22e407eb1c05ba8a8f7c654d388a13e9f226e4ed33bd38748dafa1d2b24"
+# This CVE is specific to OpenSSH with the pam opie which we don't build/use here
+CVE_CHECK_WHITELIST += "CVE-2007-2768"
+
 # This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7
 # and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded
 CVE_CHECK_WHITELIST += "CVE-2014-9278"
+# CVE-2008-3844 was reported in OpenSSH on Red Hat Enterprise Linux and
+# certain packages may have been compromised. This CVE is not applicable
+# as our source is OpenBSD. https://securitytracker.com/id?1020730
+# https://www.securityfocus.com/bid/30794
+CVE_CHECK_WHITELIST += "CVE-2008-3844"
+
+# openssh-ssh1 is provided for compatibility with old devices that
+# cannot be upgraded to modern protocols. Thus they may not provide security
+# support for this package because doing so would prevent access to equipment.
+# The upstream OpenSSH developers see this as an important
+# security feature and do not intend to 'fix' it.
+# https://security-tracker.debian.org/tracker/CVE-2016-20012
+# https://ubuntu.com/security/CVE-2016-20012
+CVE_CHECK_WHITELIST += "CVE-2016-20012"
+
+# As per debian, the issue is fixed by a feature called "agent restriction" in openssh 8.9
+# Urgency is unimportant as per debian, Hence this CVE is whitelisting.
+# https://security-tracker.debian.org/tracker/CVE-2021-36368
+# https://bugzilla.mindrot.org/show_bug.cgi?id=3316#c2
+# https://docs.ssh-mitm.at/trivialauth.html
+CVE_CHECK_WHITELIST += "CVE-2021-36368"
+
 PAM_SRC_URI = "file://sshd"
 inherit manpages useradd update-rc.d update-alternatives systemd
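Review bot: The CVE-2021-36368 whitelist entry near the end of the hunk is justified by a fix this recipe does not carry — the comment itself says the "agent restriction" mitigation arrived in OpenSSH 8.9, while this file is openssh_8.4p1.bb, so the entry actually rests on Debian's severity rating rather than on the code being fixed, and "Hence this CVE is whitelisting" obscures that. I would reword the two sentences to state the ground explicitly, e.g. `# CVE-2021-36368: the upstream mitigation (agent restriction) exists only in OpenSSH 8.9+, so 8.4p1 has no code fix.` / `# Whitelisted on severity only (Debian rates it unimportant); revisit when the recipe is upgraded.` The CVE-2016-20012 block has a similar weakness: its first three sentences describe Debian's rationale for the separate openssh-ssh1 package, which this recipe does not appear to build, so only the "upstream does not intend to fix it" sentence and the two links carry the justification and the rest should be trimmed. The SRC_URI assignment that the first five hunk lines belong to opens before the hunk.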