<feed xmlns='http://www.w3.org/2005/Atom'>
<title>buildroot/package/openssh, branch 2017.05</title>
<subtitle>OpenPOWER buildroot sources</subtitle>
<id>https://git.raptorcs.com/git/buildroot/atom?h=2017.05</id>
<link rel='self' href='https://git.raptorcs.com/git/buildroot/atom?h=2017.05'/>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/'/>
<updated>2017-05-03T21:07:57+00:00</updated>
<entry>
<title>openssh: add support for HW SSL engines</title>
<updated>2017-05-03T21:07:57+00:00</updated>
<author>
<name>Gilad Ben-Yossef</name>
<email>gilad@benyossef.com</email>
</author>
<published>2017-04-18T13:03:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=634655b6281047f5fe2a2b09b95aa642144d23a1'/>
<id>urn:sha1:634655b6281047f5fe2a2b09b95aa642144d23a1</id>
<content type='text'>
Enable support for OpenSSH to use a hardware SSL engine if
cryptodev-linux is included. Without this, OpenSSH uses only
OpenSSL software crypto implementation.

Signed-off-by: Gilad Ben-Yossef &lt;gilad@benyossef.com&gt;
CC: Baruch Siach &lt;baruch@tkos.co.il&gt;
CC: Arnout Vandecappelle &lt;arnout@mind.be&gt;
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) &lt;arnout@mind.be&gt;
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>boot, package: use SPDX short identifier for BSD-2c</title>
<updated>2017-04-01T13:27:05+00:00</updated>
<author>
<name>Rahul Bedarkar</name>
<email>rahulbedarkar89@gmail.com</email>
</author>
<published>2017-03-30T13:43:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=96e9480fbc71a39d473be5d4f73b4d15b5029a8f'/>
<id>urn:sha1:96e9480fbc71a39d473be5d4f73b4d15b5029a8f</id>
<content type='text'>
We want to use SPDX identifier for license string as much as possible.
SPDX short identifier for BSD-2c is BSD-2-Clause.

This change is done using the following command.
find . -name "*.mk" | xargs sed -ri '/LICENSE( )?[\+:]?=/s/BSD-2c/BSD-2-Clause/g'

Signed-off-by: Rahul Bedarkar &lt;rahulbedarkar89@gmail.com&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
</content>
</entry>
<entry>
<title>boot, package: use SPDX short identifier for BSD-3c</title>
<updated>2017-04-01T13:26:57+00:00</updated>
<author>
<name>Rahul Bedarkar</name>
<email>rahulbedarkar89@gmail.com</email>
</author>
<published>2017-03-30T13:43:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=9f59b378a36ae81db2672b417a68c7358b41ccc3'/>
<id>urn:sha1:9f59b378a36ae81db2672b417a68c7358b41ccc3</id>
<content type='text'>
We want to use SPDX identifier for license string as much as possible.
SPDX short identifier for BSD-3c is BSD-3-Clause.

This change is done using the following command.
find . -name "*.mk" | xargs sed -ri '/LICENSE( )?[\+:]?=/s/BSD-3c/BSD-3-Clause/g'

Signed-off-by: Rahul Bedarkar &lt;rahulbedarkar89@gmail.com&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
</content>
</entry>
<entry>
<title>openssh: security bump to version 7.5</title>
<updated>2017-03-21T16:26:45+00:00</updated>
<author>
<name>Baruch Siach</name>
<email>baruch@tkos.co.il</email>
</author>
<published>2017-03-21T13:11:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=2204f4deb1c6c6ff4accd84b5aa2d42f5930b730'/>
<id>urn:sha1:2204f4deb1c6c6ff4accd84b5aa2d42f5930b730</id>
<content type='text'>
From the release notes (https://www.openssh.com/txt/release-7.5):

Security
--------

 * ssh(1), sshd(8): Fix weakness in CBC padding oracle countermeasures
   that allowed a variant of the attack fixed in OpenSSH 7.3 to proceed.
   Note that the OpenSSH client disables CBC ciphers by default, sshd
   offers them as lowest-preference options and will remove them by
   default entirely in the next release. Reported by Jean Paul
   Degabriele, Kenny Paterson, Martin Albrecht and Torben Hansen of
   Royal Holloway, University of London.

 * sftp-client(1): [portable OpenSSH only] On Cygwin, a client making
   a recursive file transfer could be manipulated by a hostile server to
   perform a path-traversal attack, creating or modifying files outside
   of the intended target directory. Reported by Jann Horn of Google
   Project Zero.

[Peter: mention security fixes]
Signed-off-by: Baruch Siach &lt;baruch@tkos.co.il&gt;
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>openssh: Move key generation to the start function of init script.</title>
<updated>2017-02-26T13:37:54+00:00</updated>
<author>
<name>Ignacy Gawędzki</name>
<email>ignacy.gawedzki@green-communications.fr</email>
</author>
<published>2017-02-24T14:26:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=92b770cd825915d56ea8d92d063aebdf7ef270a1'/>
<id>urn:sha1:92b770cd825915d56ea8d92d063aebdf7ef270a1</id>
<content type='text'>
Since there's not much point in generating missing host keys when the
init script is called with "stop", the call to ssh-keygen should not
be done unconditionally, but in the start function instead.

Signed-off-by: Ignacy Gawędzki &lt;ignacy.gawedzki@green-communications.fr&gt;
Acked-by: "Yann E. MORIN" &lt;yann.morin.1998@free.fr&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
</content>
</entry>
<entry>
<title>packages: improve license type lists</title>
<updated>2017-02-20T21:16:01+00:00</updated>
<author>
<name>Danomi Manchego</name>
<email>danomimanchego123@gmail.com</email>
</author>
<published>2017-02-18T05:38:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=a3a2dbc409a950823c3a1547392943d2067a8311'/>
<id>urn:sha1:a3a2dbc409a950823c3a1547392943d2067a8311</id>
<content type='text'>
Make license type lists more uniform:

* put content license applies to in parentheses; ex: "GPLv2+ (programs)"
* use commas to separate types listed without conjunction; ex: "GPLv2, LGPLv2"

No attempt was made to validate the claimed licenses.  This is just a tweak
to increase uniformity of the _LICENSE variables.

Signed-off-by: Danomi Manchego &lt;danomimanchego123@gmail.com&gt;
Reviewed-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
[Thomas: replace semi-colons by commas in LIBURCU_LICENSE.]
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
</content>
</entry>
<entry>
<title>openssh: security bump to version 7.4p1</title>
<updated>2016-12-19T19:53:24+00:00</updated>
<author>
<name>Gustavo Zacarias</name>
<email>gustavo@zacarias.com.ar</email>
</author>
<published>2016-12-19T16:27:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=ae58da71111c9a9825fa8dab1338831ff38dc320'/>
<id>urn:sha1:ae58da71111c9a9825fa8dab1338831ff38dc320</id>
<content type='text'>
Fixes:
CVE-2016-10009 - ssh-agent(1): Will now refuse to load PKCS#11 modules
from paths outside a trusted whitelist
CVE-2016-10010 - sshd(8): When privilege separation is disabled,
forwarded Unix-domain sockets would be created by sshd(8) with the
privileges of 'root'
CVE-2016-10011 - sshd(8): Avoid theoretical leak of host private key
material to privilege-separated child processes via realloc()
CVE-2016-10012 - sshd(8): The shared memory manager used by
pre-authentication compression support had a bounds check that could be
elided by some optimising compilers

http://seclists.org/oss-sec/2016/q4/708

Drop upstream patch.

Signed-off-by: Gustavo Zacarias &lt;gustavo@zacarias.com.ar&gt;
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>openssh: add upstream security fix</title>
<updated>2016-11-15T11:58:20+00:00</updated>
<author>
<name>Baruch Siach</name>
<email>baruch@tkos.co.il</email>
</author>
<published>2016-11-15T06:34:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=aae80e71b6ce75bdf73cc9b84ec96c92ed13aa58'/>
<id>urn:sha1:aae80e71b6ce75bdf73cc9b84ec96c92ed13aa58</id>
<content type='text'>
Fixes CVE-2016-8858: Memory exhaustion, up to 128MB, of unauthenticated peer.

Signed-off-by: Baruch Siach &lt;baruch@tkos.co.il&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
</content>
</entry>
<entry>
<title>openssh: bump version to 7.3p1</title>
<updated>2016-08-01T20:11:31+00:00</updated>
<author>
<name>Vicente Olivert Riera</name>
<email>Vincent.Riera@imgtec.com</email>
</author>
<published>2016-08-01T13:19:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=b0e524be37856dc433b48103cf17ac6f8983445f'/>
<id>urn:sha1:b0e524be37856dc433b48103cf17ac6f8983445f</id>
<content type='text'>
Signed-off-by: Vicente Olivert Riera &lt;Vincent.Riera@imgtec.com&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
</content>
</entry>
<entry>
<title>toolchain: add hidden symbol for PIE support</title>
<updated>2016-07-24T19:44:22+00:00</updated>
<author>
<name>Waldemar Brodkorb</name>
<email>wbx@openadk.org</email>
</author>
<published>2016-07-11T14:35:14+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=3c93901bcd2f77232581ca82a3a5f741aa9e6345'/>
<id>urn:sha1:3c93901bcd2f77232581ca82a3a5f741aa9e6345</id>
<content type='text'>
uClibc-ng does not support PIE for some architectures such as
arc and m68k. It isn't implemented in the static linking case, too.
With musl toolchains you might have static PIE support with little
patching of gcc. Static linking for GNU libc isn't enabled in
buildroot. Fixup any package using special treatment of PIE.
(grep -ir pie package/*/*.mk)

Signed-off-by: Waldemar Brodkorb &lt;wbx@openadk.org&gt;
[Thomas: use positive logic.]
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
</content>
</entry>
</feed>
