Age | Commit message (Collapse) | Author |
|
Documentation for this patch is under
https://github.com/mkj/dropbear/commit/66bc1fcdee594c6cb1139df0ef8a6c9c5fc3fde3
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
Integer Overflow vulnerability in mp_grow in libtom libtommath before
commit beba892bc0d4e4ded4d667ab1d2a94f4d75109a9, allows attackers to
execute arbitrary code and cause a denial of service (DoS).
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-36328
https://github.com/libtom/libtommath/pull/546
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
Otherwise the SDK fails to build as the main openssh and dropbear packages
conflict with each other
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
|
Repo-wide replacement to use newer variable to represent systemd
system unitdir directory.
Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This bug has been around for a long time (2011) but fix it to do
what was intended originally. The postrm is changed by classes but
those should append to existing entries.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This is the result of automated script conversion:
scripts/contrib/convert-overrides.py <oe-core directory>
converting the metadata to use ":" as the override character instead of "_".
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Added HOMEPAGE and DESCRIPTION for recipes with missing decriptions or homepage
[YOCTO #13471]
Signed-off-by: Dorinda Bassey <dorindabassey@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Not provided by musl library
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
License-Update: changed date and added info about existence LICENSE files
in libtomcrypt and libtommath folders
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Refresh dropbear-disable-weak-ciphers.patch as some weak items
have been dropped upstream.
License-Update: curve25519 changed to public domain
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Enhances dropbear with a new feature "disable-weak-ciphers", on by default.
This feature disables all CBC, SHA1, and diffie-hellman group1 ciphers in
the dropbear ssh server and client.
Disable this feature if you need to connect to the ssh server from older
clients. Additional customization can be done with local_options.h as usual.
Tested: On dropbear_2019.78.
Upstream-Status: Inappropriate [configuration]
Signed-off-by: Joseph Reynolds <joseph.reynolds1@ibm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
- update dropbear to version 2019.77
- drop obsolete patch
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
- localoptions.h is automatically searched in build directory
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Wait to fail invalid usernames to fix
CVE-2018-15599
Rework 0006-dropbear-configuration-file.patch
to fix fuzz warnings
Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
configure tests crypt() existence with:
dnl We test for crypt() specially. On Linux (and others?) it resides in libcrypt
dnl but we don't want link all binaries to -lcrypt, just dropbear server.
dnl OS X doesn't need -lcrypt
AC_CHECK_FUNC(crypt, found_crypt_func=here)
AC_CHECK_LIB(crypt, crypt,
[
CRYPTLIB="-lcrypt"
found_crypt_func=here
])
AC_SUBST(CRYPTLIB)
if test "t$found_crypt_func" = there; then
AC_DEFINE(HAVE_CRYPT, 1, [crypt() function])
fi
but that silently fails with glibc-2.28 and a bit later do_compile fails with;
http://errors.yoctoproject.org/Errors/Details/185895/
../dropbear-2018.76/sysoptions.h:237:3: error: #error "DROPBEAR_SVR_PASSWORD_AUTH requires `crypt()'."
#error "DROPBEAR_SVR_PASSWORD_AUTH requires `crypt()'."
^~~~~
Add dependency on virtual/crypt so that do_configure detects it correctly.
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
root login is disabled by default for openssh and we can
enable it through IMAGE_FEATURES 'debug-tweaks' or
'allow-empty-password', so change to the same default
behavior for dropbear.
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The origins of the patch date back to early 2005 (prior to the start
of git history in oe-core) to fix a hardcoded limit on the maximum
size of remote host keys:
http://familiar.handhelds.narkive.com/b1VGg2bI/problem-w-dropbear-ssh
The hardcoded limit was fixed upstream in dropbear 0.47:
https://github.com/mkj/dropbear/commit/736f370dce614b717193f45d084e9e009de723ce
The patch has therefore been obsolete since then. It went unnoticed
until now as the patch has continued to apply - it modifies a value
which is not used.
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
- update dropbear to version 2018.76
- refresh and drop obsolete patches
- add option to use localoptions.h header file
- do not use harden stuff, which leads to QA warning
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Dropbear will use system versions of libtommath and libtomcrypt if
available. To make builds deterministic, add a PACKAGECONFIG option
to choose system libs or force use of the bundled versions.
Note that currently there are no libtommath or libtomcrypt recipes
in oe-core, so default to using the bundled versions.
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
To prevent build failures when using system libtom libraries and
linking with --as-needed, LIBTOM_LIBS should be in the order
-ltomcrypt -ltommath, not the other way around, ie libs should be
prepended to LIBTOM_LIBS as they are found, not appended.
Note that LIBTOM_LIBS is not used when linking with the bundled
libtom libs.
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Openssh now installs the sftp-server binary as /usr/libexec/sftp-server,
whereas the dropbear recipe assumes a different path.
Dropbear uses the correct path by default, so it's no longer necessary
to override SFTPSERVER_PATH via CFLAGS.
This fixes SFTP access to systems using dropbear as the SSH server.
Signed-off-by: Dominic Sacré <dominic.sacre@gmx.de>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
The CFLAGS and LD tweaks in dropbear.inc date back to 2005/2006 and
whatever issue they worked around back then seems to have been fixed
in the latest versions of dropbear.
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
LICENSE checksum has changed because the copyright year was changed
from 2014 to 2015 in it:
https://github.com/mkj/dropbear/commit/19e1afbd1ca6d306166ce74bcd6c6889f8d196f3
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
* Upgrade to upstream 2014.66; incorporates several minor bugfix
releases.
* LIC_FILES_CHKSUM changed because the copyright year changed; there was
no change to the license text itself.
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
|
|
If pam distro feature enabled, dropbear will need below pam rpms
to work:
* libpam-runtime
* pam-plugin-deny
* pam-plugin-permit
* pam-plugin-unix
Just add the runtime dependencies explicitly.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Replace:
cat <file> | sed -e xxx
By:
sed -e xxx <file>
+ fix indentation
Signed-off-by: Matthieu Crapet <Matthieu.Crapet@ingenico.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|
|
The base_contains is kept as a compatibility method and we ought to
not use it in OE-Core so we can remove it from base metadata in
future.
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Drop 0002-static_build_fix.patch since an equivalent fix has been merged
upstream.
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This patch mainly comes from meta-systemd with a few modifications.
The purpose is to get rid of the LSB init scripts in systemd images.
[YOCTO #4420]
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|
|
LIC_FILES_CHKSUM has changed with the introduction of a BSD-3-Clause
algorithm (curve25519-donna); this has prompted a re-evaluation of the
LICENSE value which should now reflect the licenses declared in the
upstream documentation. Thanks to Beth Flanagan for helping with this.
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|
|
Using the contains function results in more optimal sstate checksums
resulting in better cache reuse as we as more consistent code.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
update to latest version 2013.60
Update 0006-dropbear-configuration-file.patch for 2013.60
Signed-off-by: Maxin B. John <maxin.john@enea.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|
|
The default value of SFTPSERVER_PATH is "/usr/libexec/sftp-server" defined in
dropbear-2013.58/option.h, but after commit 406bd38b423[bitbake.conf: change
libexecdir to ${libdir}/${BPN}], sftp-server is provided by openssh package,
and is installed into ${libdir}/openssh, so we pass it explicitly.
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This commit fixes runtime hang of 'dropbearkey' utility, built for a x32
target abi system. The hang was observed while generating ssh keys, with
this command:
dropbearkey -t dss -f private
The issue is fixed by changing the code, where 'long' in x86_64 mode is
assumed as 64bit quantity. With the x32 abi, the processor is in x86_64
mode, but the 'long' is a 32bit quantity. Hence the fix uses 'long long'
instead of 'long' to define/access 64bit data variables.
Fixes bug:
[YOCTO #4496]
Signed-off-by: Nitin A Kamble <nitin.a.kamble@intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|
|
- patches updated
- nopw-option.patch dropped as the option is integrated since 2013.56
- compile tested for ARMv5 target
Signed-off-by: Eric Bénard <eric@eukrea.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|
|
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Dropbear does not start when the host key is empty and it is possible
that a device is switched off before the host key is generated. This
is possible because the dropbearkey code doesn't create a temporary
file first. Detect truncated keys and then remove them which will lead
to the re-generation. This way the dropbear process will always start.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Instead of using IMAGE_FEATURES to control something within a recipe,
allow this to be set at runtime, avoiding the need to rebuild dropbear
when we want to change this option.
First half of the fix for [YOCTO #2578].
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|
|
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
|
Signed-off-by: Steffen Sledz <sledz@dresearch-fe.de>
|
|
Re-running the debug_patch task would cause the build to fail. This patch
moves the extra patch handling directly into SRC_URI and removes the need
for the separate task, allowing safe re-execution of each task.
[YOCTO #2194]
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Mei Lei <lei.mei@intel.com>
|
|
file for dropbear
dropbear will check "/etc/pam.d/sshd" which comes from package "openssh" \
When enabling pam supporting. But if we only install dropbear \
package without package "openssh", then "dropbear" will not \
find a configuration file.
The changes are as follow for fixing this bug:
- Change the path to find configuration file (/etc/pam.d/sshd --> /etc/pam.d/dropbear)
- Add a configuration file "/etc/pam.d/dropbear"
Signed-off-by: Xiaofeng Yan <xiaofeng.yan@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
I make a patch and some changes in dropbear.inc for supporting pam.
- Enable pam in configure
- Modify file option.h to open pam supporting
Signed-off-by: Xiaofeng Yan <xiaofeng.yan@windriver.com>
|