<feed xmlns='http://www.w3.org/2005/Atom'>
<title>buildroot/package/openssh, branch 2017.08</title>
<subtitle>OpenPOWER buildroot sources</subtitle>
<id>https://git.raptorcs.com/git/buildroot/atom?h=2017.08</id>
<link rel='self' href='https://git.raptorcs.com/git/buildroot/atom?h=2017.08'/>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/'/>
<updated>2017-07-02T22:05:18+00:00</updated>
<entry>
<title>openssh: don't download patch from Github</title>
<updated>2017-07-02T22:05:18+00:00</updated>
<author>
<name>Thomas Petazzoni</name>
<email>thomas.petazzoni@free-electrons.com</email>
</author>
<published>2017-07-02T16:53:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=4e7522aacd4e76c0ab5e602ade9a60f5a4473939'/>
<id>urn:sha1:4e7522aacd4e76c0ab5e602ade9a60f5a4473939</id>
<content type='text'>
Patches downloaded from Github are not stable, so bring them in the
tree.

Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>openssh: fix sshd for MIPS64 n32</title>
<updated>2017-06-21T19:41:06+00:00</updated>
<author>
<name>Vicente Olivert Riera</name>
<email>Vincent.Riera@imgtec.com</email>
</author>
<published>2017-06-20T16:15:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=6da373798426e0080e2f910132a8e281b892d435'/>
<id>urn:sha1:6da373798426e0080e2f910132a8e281b892d435</id>
<content type='text'>
This patch backports two patches that have been sent upstream as a pull
request in order to fix sshd for MIPS64 n32.

The first patch adds support for detecting the MIPS ABI during the
configure phase.

The second patch sets the right value to seccomp_audit_arch taking into
account the MIPS64 ABI.

Currently seccomp_audit_arch is set to AUDIT_ARCH_MIPS64 or
AUDIT_ARCH_MIPSEL64 (depending on the endinness) when openssh is built
for MIPS64. However, that's only valid for n64 ABI. The right macros for
n32 ABI defined in seccomp.h are AUDIT_ARCH_MIPS64N32 and
AUDIT_ARCH_MIPSEL64N32, for big and little endian respectively.

Because of that an sshd built for MIPS64 n32 rejects connection attempts
and the output of strace reveals that the problem is related to seccomp
audit:

[pid   194] prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, {len=57,
filter=0x555d5da0}) = 0
[pid   194] write(7, "\0\0\0]\0\0\0\5\0\0\0Ulist_hostkey_types: "..., 97) = ?
[pid   193] &lt;... poll resumed&gt; )        = 2 ([{fd=5, revents=POLLIN|POLLHUP},
{fd=6, revents=POLLHUP}])
[pid   194] +++ killed by SIGSYS +++

Pull request: https://github.com/openssh/openssh-portable/pull/71

Signed-off-by: Vicente Olivert Riera &lt;Vincent.Riera@imgtec.com&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
</content>
</entry>
<entry>
<title>openssh: add support for HW SSL engines</title>
<updated>2017-05-03T21:07:57+00:00</updated>
<author>
<name>Gilad Ben-Yossef</name>
<email>gilad@benyossef.com</email>
</author>
<published>2017-04-18T13:03:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=634655b6281047f5fe2a2b09b95aa642144d23a1'/>
<id>urn:sha1:634655b6281047f5fe2a2b09b95aa642144d23a1</id>
<content type='text'>
Enable support for OpenSSH to use a hardware SSL engine if
cryptodev-linux is included. Without this, OpenSSH uses only
OpenSSL software crypto implementation.

Signed-off-by: Gilad Ben-Yossef &lt;gilad@benyossef.com&gt;
CC: Baruch Siach &lt;baruch@tkos.co.il&gt;
CC: Arnout Vandecappelle &lt;arnout@mind.be&gt;
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) &lt;arnout@mind.be&gt;
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>boot, package: use SPDX short identifier for BSD-2c</title>
<updated>2017-04-01T13:27:05+00:00</updated>
<author>
<name>Rahul Bedarkar</name>
<email>rahulbedarkar89@gmail.com</email>
</author>
<published>2017-03-30T13:43:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=96e9480fbc71a39d473be5d4f73b4d15b5029a8f'/>
<id>urn:sha1:96e9480fbc71a39d473be5d4f73b4d15b5029a8f</id>
<content type='text'>
We want to use SPDX identifier for license string as much as possible.
SPDX short identifier for BSD-2c is BSD-2-Clause.

This change is done using following command.
find . -name "*.mk" | xargs sed -ri '/LICENSE( )?[\+:]?=/s/BSD-2c/BSD-2-Clause/g'

Signed-off-by: Rahul Bedarkar &lt;rahulbedarkar89@gmail.com&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
</content>
</entry>
<entry>
<title>boot, package: use SPDX short identifier for BSD-3c</title>
<updated>2017-04-01T13:26:57+00:00</updated>
<author>
<name>Rahul Bedarkar</name>
<email>rahulbedarkar89@gmail.com</email>
</author>
<published>2017-03-30T13:43:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=9f59b378a36ae81db2672b417a68c7358b41ccc3'/>
<id>urn:sha1:9f59b378a36ae81db2672b417a68c7358b41ccc3</id>
<content type='text'>
We want to use SPDX identifier for license string as much as possible.
SPDX short identifier for BSD-3c is BSD-3-Clause.

This change is done using following command.
find . -name "*.mk" | xargs sed -ri '/LICENSE( )?[\+:]?=/s/BSD-3c/BSD-3-Clause/g'

Signed-off-by: Rahul Bedarkar &lt;rahulbedarkar89@gmail.com&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
</content>
</entry>
<entry>
<title>openssh: security bump to version 7.5</title>
<updated>2017-03-21T16:26:45+00:00</updated>
<author>
<name>Baruch Siach</name>
<email>baruch@tkos.co.il</email>
</author>
<published>2017-03-21T13:11:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=2204f4deb1c6c6ff4accd84b5aa2d42f5930b730'/>
<id>urn:sha1:2204f4deb1c6c6ff4accd84b5aa2d42f5930b730</id>
<content type='text'>
From the release notes (https://www.openssh.com/txt/release-7.5):

Security
--------

 * ssh(1), sshd(8): Fix weakness in CBC padding oracle countermeasures
   that allowed a variant of the attack fixed in OpenSSH 7.3 to proceed.
   Note that the OpenSSH client disables CBC ciphers by default, sshd
   offers them as lowest-preference options and will remove them by
   default entriely in the next release. Reported by Jean Paul
   Degabriele, Kenny Paterson, Martin Albrecht and Torben Hansen of
   Royal Holloway, University of London.

 * sftp-client(1): [portable OpenSSH only] On Cygwin, a client making
   a recursive file transfer could be maniuplated by a hostile server to
   perform a path-traversal attack. creating or modifying files outside
   of the intended target directory. Reported by Jann Horn of Google
   Project Zero.

[Peter: mention security fixes]
Signed-off-by: Baruch Siach &lt;baruch@tkos.co.il&gt;
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>openssh: Move key generation to the start function of init script.</title>
<updated>2017-02-26T13:37:54+00:00</updated>
<author>
<name>Ignacy Gawędzki</name>
<email>ignacy.gawedzki@green-communications.fr</email>
</author>
<published>2017-02-24T14:26:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=92b770cd825915d56ea8d92d063aebdf7ef270a1'/>
<id>urn:sha1:92b770cd825915d56ea8d92d063aebdf7ef270a1</id>
<content type='text'>
Since there's not much point in generating missing host keys when the
init script is called with "stop", the call to ssh-keygen should not
be done inconditionally, but in the start function instead.

Signed-off-by: Ignacy Gawędzki &lt;ignacy.gawedzki@green-communications.fr&gt;
Acked-by: "Yann E. MORIN" &lt;yann.morin.1998@free.fr&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
</content>
</entry>
<entry>
<title>packages: improve license type lists</title>
<updated>2017-02-20T21:16:01+00:00</updated>
<author>
<name>Danomi Manchego</name>
<email>danomimanchego123@gmail.com</email>
</author>
<published>2017-02-18T05:38:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=a3a2dbc409a950823c3a1547392943d2067a8311'/>
<id>urn:sha1:a3a2dbc409a950823c3a1547392943d2067a8311</id>
<content type='text'>
Make license type lists more uniform:

* put content license applies to in parenthesis; ex: "GPLv2+ (programs)"
* use commas to separate types listed without conjuction; ex: "GPLv2, LGPLv2"

No attempt was made to validate the claimed licenses.  This is just a tweak
to increase uniformity of the _LICENSE variables.

Signed-off-by: Danomi Manchego &lt;danomimanchego123@gmail.com&gt;
Reviewed-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
[Thomas: replace semi-colons by commas in LIBURCU_LICENSE.]
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
</content>
</entry>
<entry>
<title>openssh: security bump to version 7.4p1</title>
<updated>2016-12-19T19:53:24+00:00</updated>
<author>
<name>Gustavo Zacarias</name>
<email>gustavo@zacarias.com.ar</email>
</author>
<published>2016-12-19T16:27:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=ae58da71111c9a9825fa8dab1338831ff38dc320'/>
<id>urn:sha1:ae58da71111c9a9825fa8dab1338831ff38dc320</id>
<content type='text'>
Fixes:
CVE-2016-10009 - ssh-agent(1): Will now refuse to load PKCS#11 modules
from paths outside a trusted whitelist
CVE-2016-10010 - sshd(8): When privilege separation is disabled,
forwarded Unix-domain sockets would be created by sshd(8) with the
privileges of 'root'
CVE-2016-10011 - sshd(8): Avoid theoretical leak of host private key
material to privilege-separated child processes via realloc()
CVE-2016-10012 - sshd(8): The shared memory manager used by
pre-authentication compression support had a bounds checks that could be
elided by some optimising compilers

http://seclists.org/oss-sec/2016/q4/708

Drop upstream patch.

Signed-off-by: Gustavo Zacarias &lt;gustavo@zacarias.com.ar&gt;
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>openssh: add upstream security fix</title>
<updated>2016-11-15T11:58:20+00:00</updated>
<author>
<name>Baruch Siach</name>
<email>baruch@tkos.co.il</email>
</author>
<published>2016-11-15T06:34:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=aae80e71b6ce75bdf73cc9b84ec96c92ed13aa58'/>
<id>urn:sha1:aae80e71b6ce75bdf73cc9b84ec96c92ed13aa58</id>
<content type='text'>
Fixes CVE-2016-8858: Memory exhaustion, up to 128MB, of unauthenticated peer.

Signed-off-by: Baruch Siach &lt;baruch@tkos.co.il&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
</content>
</entry>
</feed>
