summaryrefslogtreecommitdiff
path: root/recipes-connectivity/openssh/openssh_8.4p1.bb
diff options
context:
space:
mode:
Diffstat (limited to 'recipes-connectivity/openssh/openssh_8.4p1.bb')
-rw-r--r--recipes-connectivity/openssh/openssh_8.4p1.bb27
1 files changed, 27 insertions, 0 deletions
diff --git a/recipes-connectivity/openssh/openssh_8.4p1.bb b/recipes-connectivity/openssh/openssh_8.4p1.bb
index a65ab70..0cadaf9 100644
--- a/recipes-connectivity/openssh/openssh_8.4p1.bb
+++ b/recipes-connectivity/openssh/openssh_8.4p1.bb
@@ -27,13 +27,40 @@ SRC_URI = "https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.ta
file://sshd_check_keys \
file://add-test-support-for-busybox.patch \
file://0f90440ca70abab947acbd77795e9f130967956c.patch \
+ file://CVE-2021-28041.patch \
+ file://CVE-2021-41617.patch \
"
SRC_URI[sha256sum] = "5a01d22e407eb1c05ba8a8f7c654d388a13e9f226e4ed33bd38748dafa1d2b24"
+# This CVE is specific to OpenSSH with the pam opie which we don't build/use here
+CVE_CHECK_WHITELIST += "CVE-2007-2768"
+
# This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7
# and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded
CVE_CHECK_WHITELIST += "CVE-2014-9278"
+# CVE-2008-3844 was reported in OpenSSH on Red Hat Enterprise Linux and
+# certain packages may have been compromised. This CVE is not applicable
+# as our source is OpenBSD. https://securitytracker.com/id?1020730
+# https://www.securityfocus.com/bid/30794
+CVE_CHECK_WHITELIST += "CVE-2008-3844"
+
+# openssh-ssh1 is provided for compatibility with old devices that
+# cannot be upgraded to modern protocols. Thus they may not provide security
+# support for this package because doing so would prevent access to equipment.
+# The upstream OpenSSH developers see this as an important
+# security feature and do not intend to 'fix' it.
+# https://security-tracker.debian.org/tracker/CVE-2016-20012
+# https://ubuntu.com/security/CVE-2016-20012
+CVE_CHECK_WHITELIST += "CVE-2016-20012"
+
+# As per debian, the issue is fixed by a feature called "agent restriction" in openssh 8.9
+# Urgency is unimportant as per debian, Hence this CVE is whitelisting.
+# https://security-tracker.debian.org/tracker/CVE-2021-36368
+# https://bugzilla.mindrot.org/show_bug.cgi?id=3316#c2
+# https://docs.ssh-mitm.at/trivialauth.html
+CVE_CHECK_WHITELIST += "CVE-2021-36368"
+
PAM_SRC_URI = "file://sshd"
inherit manpages useradd update-rc.d update-alternatives systemd
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-17 10:12:27 +0000