openembedded-core.git/meta/recipes-core/dropbear, branch krogoth Mirror of openembedded-core dropbear: fix multiple CVEs 2016-11-08T23:03:18+00:00 Sona Sarmadi sona.sarmadi@enea.com 2016-11-02T09:52:11+00:00 cca372506522c1d588f9ebc66c6051089743d2a9 CVE-2016-7406 CVE-2016-7407 CVE-2016-7408 CVE-2016-7409 References: https://matt.ucc.asn.au/dropbear/CHANGES http://seclists.org/oss-sec/2016/q3/504 [YOCTO #10443] Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> 
CVE-2016-7406
CVE-2016-7407
CVE-2016-7408
CVE-2016-7409

References:
https://matt.ucc.asn.au/dropbear/CHANGES
http://seclists.org/oss-sec/2016/q3/504

[YOCTO #10443]

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
dropbear: upgrade to 2016.72 2016-09-23T14:26:30+00:00 Sona Sarmadi sona.sarmadi@enea.com 2016-09-14T12:34:38+00:00 5ebac39d1d6dcf041e05002c0b8bf18bfb38e6d3 The upgrade addresses CVE-2016-3116: - Validate X11 forwarding input. Could allow bypass of authorized_keys command= restrictions, found by github.com/tintinweb. Thanks for Damien Miller for a patch. CVE-2016-3116 References: https://matt.ucc.asn.au/dropbear/CHANGES https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3116 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> 
The upgrade addresses CVE-2016-3116:

- Validate X11 forwarding input. Could allow bypass of
  authorized_keys command= restrictions,
  found by github.com/tintinweb.
  Thanks for Damien Miller for a patch. CVE-2016-3116

References:
https://matt.ucc.asn.au/dropbear/CHANGES
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3116

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
dropbear: Remove incorrect SFTPSERVER_PATH from CFLAGS 2016-07-27T07:32:37+00:00 Dominic Sacré dominic.sacre@gmx.de 2016-05-25T11:13:44+00:00 e9bbced4da1f13951abdd298590a3577f377866e Openssh now installs the sftp-server binary as /usr/libexec/sftp-server, whereas the dropbear recipe assumes a different path. Dropbear uses the correct path by default, so it's no longer necessary to override SFTPSERVER_PATH via CFLAGS. This fixes SFTP access to systems using dropbear as the SSH server. (From OE-Core rev: df798bca330583103b2301678236cc841cc861dd) Signed-off-by: Dominic Sacré <dominic.sacre@gmx.de> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> 
Openssh now installs the sftp-server binary as /usr/libexec/sftp-server,
whereas the dropbear recipe assumes a different path.
Dropbear uses the correct path by default, so it's no longer necessary
to override SFTPSERVER_PATH via CFLAGS.

This fixes SFTP access to systems using dropbear as the SSH server.

(From OE-Core rev: df798bca330583103b2301678236cc841cc861dd)

Signed-off-by: Dominic Sacré <dominic.sacre@gmx.de>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
dropbear.inc: drop legacy CFLAGS and LD tweaks 2015-12-12T23:31:42+00:00 Andre McCurdy armccurdy@gmail.com 2015-12-08T21:42:50+00:00 4b17606fbca63a17cafbc285e3efe48c4c54a266 The CFLAGS and LD tweaks in dropbear.inc date back to 2005/2006 and whatever issue they worked around back then seems to have been fixed in the latest versions of dropbear. Signed-off-by: Andre McCurdy <armccurdy@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
The CFLAGS and LD tweaks in dropbear.inc date back to 2005/2006 and
whatever issue they worked around back then seems to have been fixed
in the latest versions of dropbear.

Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
dropbear: update 2015.70 -> 2015.71 2015-12-12T23:31:42+00:00 Andre McCurdy armccurdy@gmail.com 2015-12-08T21:42:49+00:00 d0658e0e9efcf2c995e92a61af0e5300ebcdce82 2015.71 - 3 December 2015 - Fix "bad buf_incrpos" when data is transferred, broke in 2015.69 - Fix crash on exit when -p address:port is used, broke in 2015.68 - Fix building with only ENABLE_CLI_REMOTETCPFWD given, patch from Konstantin Tokarev - Fix bad configure script test which didn't work with dash shell, patch from Juergen Daubert, broke in 2015.70 - Fix server race condition that could cause sessions to hang on exit, https://github.com/robotframework/SSHLibrary/issues/128 Signed-off-by: Andre McCurdy <armccurdy@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
2015.71 - 3 December 2015

- Fix "bad buf_incrpos" when data is transferred, broke in 2015.69

- Fix crash on exit when -p address:port is used, broke in 2015.68

- Fix building with only ENABLE_CLI_REMOTETCPFWD given, patch from Konstantin Tokarev

- Fix bad configure script test which didn't work with dash shell, patch from Juergen Daubert,
  broke in 2015.70

- Fix server race condition that could cause sessions to hang on exit,
  https://github.com/robotframework/SSHLibrary/issues/128

Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
dropbear: Upgrade 2015.68 -> 2015.70 2015-12-12T23:31:40+00:00 Jussi Kukkonen jussi.kukkonen@intel.com 2015-12-02T12:11:38+00:00 9116a9346556837328a42059bd8af02ea17d081b Tweak a pam patch to make it apply on current source. Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
Tweak a pam patch to make it apply on current source.

Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
dropbear: fix key generation when systemd is in use and rootfs is readonly 2015-10-01T06:40:36+00:00 Alexander Kanavin alexander.kanavin@linux.intel.com 2015-09-30T12:53:18+00:00 7e13fc603aa86219bf15e355ca9ea9275308cca5 Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
dropbear: update to 2015.68 2015-08-31T11:33:41+00:00 Alexander Kanavin alexander.kanavin@linux.intel.com 2015-08-28T12:18:52+00:00 30e791e9bb2e28119e74c22af742957fc470b2de LICENSE checksum has changed because the copyright year was changed from 2014 to 2015 in it: https://github.com/mkj/dropbear/commit/19e1afbd1ca6d306166ce74bcd6c6889f8d196f3 Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
LICENSE checksum has changed because the copyright year was changed
from 2014 to 2015 in it:
https://github.com/mkj/dropbear/commit/19e1afbd1ca6d306166ce74bcd6c6889f8d196f3

Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
dropbear: 2014.66 -> 2015.67 2015-06-11T22:55:43+00:00 Robert Yang liezhi.yang@windriver.com 2015-06-08T02:51:08+00:00 6733f760f7a581e30b783e41c62d1534d0f480d5 Signed-off-by: Robert Yang <liezhi.yang@windriver.com> 
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
dropbear: upgrade to 2014.66 2015-01-07T23:33:02+00:00 Paul Eggleton paul.eggleton@linux.intel.com 2015-01-02T10:05:39+00:00 78f388e81cad5dfb6aea52da68f9b4523c88c5ad * Upgrade to upstream 2014.66; incorporates several minor bugfix releases. * LIC_FILES_CHKSUM changed because the copyright year changed; there was no change to the license text itself. Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> 
* Upgrade to upstream 2014.66; incorporates several minor bugfix
  releases.
* LIC_FILES_CHKSUM changed because the copyright year changed; there was
  no change to the license text itself.

Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>