<feed xmlns='http://www.w3.org/2005/Atom'>
<title>buildroot/package/openssh, branch 2018.02</title>
<subtitle>OpenPOWER buildroot sources</subtitle>
<id>https://git.raptorcs.com/git/buildroot/atom?h=2018.02</id>
<link rel='self' href='https://git.raptorcs.com/git/buildroot/atom?h=2018.02'/>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/'/>
<updated>2017-12-18T08:22:54+00:00</updated>
<entry>
<title>package/*/Config.in: fix help text check-package warnings</title>
<updated>2017-12-18T08:22:54+00:00</updated>
<author>
<name>Thomas Petazzoni</name>
<email>thomas.petazzoni@free-electrons.com</email>
</author>
<published>2017-12-18T08:21:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=2277fdeca8c94f8ea8fe8afebcdbb176c6b1531d'/>
<id>urn:sha1:2277fdeca8c94f8ea8fe8afebcdbb176c6b1531d</id>
<content type='text'>
This commit fixes the warnings reported by check-package on the help
text of all package Config.in files, related to the formatting of the
help text: should start with a tab, then 2 spaces, then at most 62
characters.

The vast majority of warnings fixed were caused by too long lines. A
few warnings were related to spaces being used instead of a tab to
indent the help text.

Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
</content>
</entry>
<entry>
<title>openssh: fix getpagesize() related static linking issue</title>
<updated>2017-11-01T09:46:29+00:00</updated>
<author>
<name>Peter Korsgaard</name>
<email>peter@korsgaard.com</email>
</author>
<published>2017-10-30T22:45:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=cc856401e8ac6a2c7a8767737b73dde933a5798a'/>
<id>urn:sha1:cc856401e8ac6a2c7a8767737b73dde933a5798a</id>
<content type='text'>
Fixes:
http://autobuild.buildroot.net/results/8cc/8cc30818a400c7a392a3de787cabc9cd8425495f/

The configure script checks for getpagesize() and sets HAVE_GETPAGESIZE in
config.h, but bsd-getpagesize.c forgot to include includes.h (which
indirectly includes config.h) so the check always fails, causing linker
issues when linking statically on systems with getpagesize().

Fix it by including includes.h.

Patch submitted upstream:
https://lists.mindrot.org/pipermail/openssh-unix-dev/2017-October/036413.html

Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
</content>
</entry>
<entry>
<title>openssh: security bump to version 7.6p1</title>
<updated>2017-10-27T11:49:02+00:00</updated>
<author>
<name>Peter Korsgaard</name>
<email>peter@korsgaard.com</email>
</author>
<published>2017-10-26T12:52:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=70663a9a4fcb9211fcef7668a8a35de11cc54775'/>
<id>urn:sha1:70663a9a4fcb9211fcef7668a8a35de11cc54775</id>
<content type='text'>
Fixes CVE-2017-15906 - The process_open function in sftp-server.c in OpenSSH
before 7.6 does not properly prevent write operations in readonly mode,
which allows attackers to create zero-length files.

For more details, see the release notes:
https://www.openssh.com/txt/release-7.6

Also add a hash for the license file while we're at it.

Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>openssh: don't download patch from Github</title>
<updated>2017-07-02T22:05:18+00:00</updated>
<author>
<name>Thomas Petazzoni</name>
<email>thomas.petazzoni@free-electrons.com</email>
</author>
<published>2017-07-02T16:53:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=4e7522aacd4e76c0ab5e602ade9a60f5a4473939'/>
<id>urn:sha1:4e7522aacd4e76c0ab5e602ade9a60f5a4473939</id>
<content type='text'>
Patches downloaded from Github are not stable, so bring them in the
tree.

Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>openssh: fix sshd for MIPS64 n32</title>
<updated>2017-06-21T19:41:06+00:00</updated>
<author>
<name>Vicente Olivert Riera</name>
<email>Vincent.Riera@imgtec.com</email>
</author>
<published>2017-06-20T16:15:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=6da373798426e0080e2f910132a8e281b892d435'/>
<id>urn:sha1:6da373798426e0080e2f910132a8e281b892d435</id>
<content type='text'>
This patch backports two patches that have been sent upstream as a pull
request in order to fix sshd for MIPS64 n32.

The first patch adds support for detecting the MIPS ABI during the
configure phase.

The second patch sets the right value to seccomp_audit_arch taking into
account the MIPS64 ABI.

Currently seccomp_audit_arch is set to AUDIT_ARCH_MIPS64 or
AUDIT_ARCH_MIPSEL64 (depending on the endianness) when openssh is built
for MIPS64. However, that's only valid for n64 ABI. The right macros for
n32 ABI defined in seccomp.h are AUDIT_ARCH_MIPS64N32 and
AUDIT_ARCH_MIPSEL64N32, for big and little endian respectively.

Because of that an sshd built for MIPS64 n32 rejects connection attempts
and the output of strace reveals that the problem is related to seccomp
audit:

[pid   194] prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, {len=57,
filter=0x555d5da0}) = 0
[pid   194] write(7, "\0\0\0]\0\0\0\5\0\0\0Ulist_hostkey_types: "..., 97) = ?
[pid   193] &lt;... poll resumed&gt; )        = 2 ([{fd=5, revents=POLLIN|POLLHUP},
{fd=6, revents=POLLHUP}])
[pid   194] +++ killed by SIGSYS +++

Pull request: https://github.com/openssh/openssh-portable/pull/71

Signed-off-by: Vicente Olivert Riera &lt;Vincent.Riera@imgtec.com&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
</content>
</entry>
<entry>
<title>openssh: add support for HW SSL engines</title>
<updated>2017-05-03T21:07:57+00:00</updated>
<author>
<name>Gilad Ben-Yossef</name>
<email>gilad@benyossef.com</email>
</author>
<published>2017-04-18T13:03:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=634655b6281047f5fe2a2b09b95aa642144d23a1'/>
<id>urn:sha1:634655b6281047f5fe2a2b09b95aa642144d23a1</id>
<content type='text'>
Enable support for OpenSSH to use a hardware SSL engine if
cryptodev-linux is included. Without this, OpenSSH uses only
OpenSSL software crypto implementation.

Signed-off-by: Gilad Ben-Yossef &lt;gilad@benyossef.com&gt;
CC: Baruch Siach &lt;baruch@tkos.co.il&gt;
CC: Arnout Vandecappelle &lt;arnout@mind.be&gt;
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) &lt;arnout@mind.be&gt;
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>boot, package: use SPDX short identifier for BSD-2c</title>
<updated>2017-04-01T13:27:05+00:00</updated>
<author>
<name>Rahul Bedarkar</name>
<email>rahulbedarkar89@gmail.com</email>
</author>
<published>2017-03-30T13:43:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=96e9480fbc71a39d473be5d4f73b4d15b5029a8f'/>
<id>urn:sha1:96e9480fbc71a39d473be5d4f73b4d15b5029a8f</id>
<content type='text'>
We want to use SPDX identifier for license string as much as possible.
SPDX short identifier for BSD-2c is BSD-2-Clause.

This change is done using the following command.
find . -name "*.mk" | xargs sed -ri '/LICENSE( )?[\+:]?=/s/BSD-2c/BSD-2-Clause/g'

Signed-off-by: Rahul Bedarkar &lt;rahulbedarkar89@gmail.com&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
</content>
</entry>
<entry>
<title>boot, package: use SPDX short identifier for BSD-3c</title>
<updated>2017-04-01T13:26:57+00:00</updated>
<author>
<name>Rahul Bedarkar</name>
<email>rahulbedarkar89@gmail.com</email>
</author>
<published>2017-03-30T13:43:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=9f59b378a36ae81db2672b417a68c7358b41ccc3'/>
<id>urn:sha1:9f59b378a36ae81db2672b417a68c7358b41ccc3</id>
<content type='text'>
We want to use SPDX identifier for license string as much as possible.
SPDX short identifier for BSD-3c is BSD-3-Clause.

This change is done using the following command.
find . -name "*.mk" | xargs sed -ri '/LICENSE( )?[\+:]?=/s/BSD-3c/BSD-3-Clause/g'

Signed-off-by: Rahul Bedarkar &lt;rahulbedarkar89@gmail.com&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
</content>
</entry>
<entry>
<title>openssh: security bump to version 7.5</title>
<updated>2017-03-21T16:26:45+00:00</updated>
<author>
<name>Baruch Siach</name>
<email>baruch@tkos.co.il</email>
</author>
<published>2017-03-21T13:11:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=2204f4deb1c6c6ff4accd84b5aa2d42f5930b730'/>
<id>urn:sha1:2204f4deb1c6c6ff4accd84b5aa2d42f5930b730</id>
<content type='text'>
From the release notes (https://www.openssh.com/txt/release-7.5):

Security
--------

 * ssh(1), sshd(8): Fix weakness in CBC padding oracle countermeasures
   that allowed a variant of the attack fixed in OpenSSH 7.3 to proceed.
   Note that the OpenSSH client disables CBC ciphers by default, sshd
   offers them as lowest-preference options and will remove them by
   default entirely in the next release. Reported by Jean Paul
   Degabriele, Kenny Paterson, Martin Albrecht and Torben Hansen of
   Royal Holloway, University of London.

 * sftp-client(1): [portable OpenSSH only] On Cygwin, a client making
   a recursive file transfer could be manipulated by a hostile server to
   perform a path-traversal attack, creating or modifying files outside
   of the intended target directory. Reported by Jann Horn of Google
   Project Zero.

[Peter: mention security fixes]
Signed-off-by: Baruch Siach &lt;baruch@tkos.co.il&gt;
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>openssh: Move key generation to the start function of init script.</title>
<updated>2017-02-26T13:37:54+00:00</updated>
<author>
<name>Ignacy Gawędzki</name>
<email>ignacy.gawedzki@green-communications.fr</email>
</author>
<published>2017-02-24T14:26:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=92b770cd825915d56ea8d92d063aebdf7ef270a1'/>
<id>urn:sha1:92b770cd825915d56ea8d92d063aebdf7ef270a1</id>
<content type='text'>
Since there's not much point in generating missing host keys when the
init script is called with "stop", the call to ssh-keygen should not
be done unconditionally, but in the start function instead.

Signed-off-by: Ignacy Gawędzki &lt;ignacy.gawedzki@green-communications.fr&gt;
Acked-by: "Yann E. MORIN" &lt;yann.morin.1998@free.fr&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
</content>
</entry>
</feed>
