author | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2019-06-24 16:36:18 +0300 |
---|---|---|
committer | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2019-06-24 16:38:35 +0300 |
commit | c8f4712845034714fed763414987305bacafe1fd (patch) | |
tree | 076fa034dbf82e26eeb4be701ff70e4fb8f66881 /poky/meta/recipes-core/dropbear | |
parent | 0bd2291397ecbeae3b2e29a25d7184177b094f25 (diff) | |
download | openbmc-c8f4712845034714fed763414987305bacafe1fd.tar.xz |
subtree updates
poky: 50d272863d..0b3e371116:
Alistair Francis (1):
recipes-bsp/opensbi: Fix the u-boot payload name
Changqing Li (2):
update-rc.d: update SRCREV and license checksum
update-rc.d: support enable/disable options
Chen Qi (2):
context.py: avoid skipping tests by meaningless command argument
oeqa: avoid class setup method to run when skipping the whole class
Joe Slater (1):
glib-2.0: Fix CVE-2019-12450
Jonathan Rajotte (1):
lttng-tools: update to 2.10.7
Joseph Reynolds (1):
dropbear: new feature: disable-weak-ciphers
Joshua Watt (4):
perl: Improve ptest package reproducibility
python3: Reformat sysconfig
perl: Reproducible build fixes
bash: Remove .build files for reproducible builds
Martin Jansa (1):
gcc-runtime.inc: create the correct directory before creating the symlinks in it
Ricardo Ribalda Delgado (1):
go: avoid host contamination by GOCACHE
Ross Burton (1):
pigz: bump alternative priority
Tim Orling (1):
ptest-packagelists.inc: add libmodule-build-perl-ptest
meta-openembedded: 3b245e4fe8..64974b8779:
Adrian Bunk (9):
libauthen-radius-perl: Remove manual RDEPENDS from PN-ptest to PN package
network-manager-applet: Remove obsolete dbus-glib and libnm-glib dependencies
ndctl: Remove the unnecessary dependency on virtual/kernel
tipcutils: Remove the unnecessary dependency on virtual/kernel
xl2tpd: Remove the old 1.3.6 version
gpsd: Force using python-scons-native for now
efibootmgr: Remove, was moved to oe-core
efivar: Remove, was moved to oe-core
wireless-regdb: Remove, was moved to oe-core
Andrey Zhizhikin (1):
cpuburn-arm: add aarch64 machine and build configuration
Ankit Navik (1):
safec: Add Safe C license
Bartosz Golaszewski (1):
libgpiod: upgrade to v1.4
Hongxu Jia (1):
dracut: fix generated initramfs boot failure under bash 5
Kai Kang (1):
xfce4-screensaver: 0.1.4 -> 0.1.5
Khem Raj (5):
stressapptest: Fix build with libc++
stressapptest: Implement reading sysfs and use it if sysconf is not there
stressapptest: Use git SHA instead of git archive
gmime: Add recipe
pidgin-sipe: Depend on gmime
Maciej Pijanowski (1):
recipes-benchmark/stressapptest_1.0.9.bb: add recipe
Mingli Yu (3):
mariadb: Upgrade to 10.3.16
mozjs: Fix do_patch error for mips64-n32
python-lxml: replace -Og with -O for mips64-32
Naveen Saini (1):
pm-graph: fix multilib build failure
Nicola Lunghi (1):
libp11: No need to delete *.la anymore
Oleksandr Kravchuk (1):
openconnect: update to 8.03
Pascal Bach (3):
protobuf: 3.6.1 -> 3.8.0
protobuf-c: add patch for protobuf 3 compatibility
python3-protobuf, python-protobuf: 3.6.1 -> 3.8.0
Persian Prince (1):
blueman_%.bbappend: Avoid PAK archive (application/x-pak)
Saikiran Madugula (1):
gitver: Pass git directory argument to gitrev_run
Tim Orling (1):
libmodule-build-perl: drop, has moved to oe-core
Yi Zhao (1):
snort: upgrade 2.9.11.1 -> 2.9.13
Zang Ruochen (3):
python-twisted: upgrade 19.2.0 -> 19.2.1
python-wrapt: upgrade 1.11.1 -> 1.11.2
python-certifi: upgrade 2019.3.9 -> 2019.6.16
Change-Id: I0c3385628e0382c56c94fa27ba4d14e301c2e558
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
Diffstat (limited to 'poky/meta/recipes-core/dropbear')
-rw-r--r-- | poky/meta/recipes-core/dropbear/dropbear.inc | 6 | ||||
-rw-r--r-- | poky/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch | 44 |
2 files changed, 48 insertions, 2 deletions
diff --git a/poky/meta/recipes-core/dropbear/dropbear.inc b/poky/meta/recipes-core/dropbear/dropbear.inc index b74d186cd..dcbda741c 100644 --- a/poky/meta/recipes-core/dropbear/dropbear.inc +++ b/poky/meta/recipes-core/dropbear/dropbear.inc @@ -20,7 +20,8 @@ SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \ file://dropbear@.service \ file://dropbear.socket \ file://dropbear.default \ - ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} " + ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ + ${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 'file://dropbear-disable-weak-ciphers.patch', '', d)} " PAM_SRC_URI = "file://0005-dropbear-enable-pam.patch \ file://0006-dropbear-configuration-file.patch \ @@ -46,8 +47,9 @@ SBINCOMMANDS = "dropbear dropbearkey dropbearconvert" BINCOMMANDS = "dbclient ssh scp" EXTRA_OEMAKE = 'MULTI=1 SCPPROGRESS=1 PROGRAMS="${SBINCOMMANDS} ${BINCOMMANDS}"' -PACKAGECONFIG ?= "" +PACKAGECONFIG ?= "disable-weak-ciphers" PACKAGECONFIG[system-libtom] = "--disable-bundled-libtom,--enable-bundled-libtom,libtommath libtomcrypt" +PACKAGECONFIG[disable-weak-ciphers] = "" EXTRA_OECONF += "\ ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '--enable-pam', '--disable-pam', d)}" diff --git a/poky/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch b/poky/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch new file mode 100644 index 000000000..e48a34bac --- /dev/null +++ b/poky/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch 
@@ -0,0 +1,44 @@ +This feature disables all CBC, SHA1, and diffie-hellman group1 ciphers +in the dropbear ssh server and client since they're considered weak ciphers +and we want to support the stong algorithms. + +Upstream-Status: Inappropriate [configuration] +Signed-off-by: Joseph Reynolds <joseph.reynolds1@ibm.com> + +Index: dropbear-2019.78/default_options.h +=================================================================== +--- dropbear-2019.78.orig/default_options.h ++++ dropbear-2019.78/default_options.h +@@ -91,7 +91,7 @@ IMPORTANT: Some options will require "ma + + /* Enable CBC mode for ciphers. This has security issues though + * is the most compatible with older SSH implementations */ +-#define DROPBEAR_ENABLE_CBC_MODE 1 ++#define DROPBEAR_ENABLE_CBC_MODE 0 + + /* Enable "Counter Mode" for ciphers. This is more secure than + * CBC mode against certain attacks. It is recommended for security +@@ -101,7 +101,7 @@ IMPORTANT: Some options will require "ma + /* Message integrity. sha2-256 is recommended as a default, + sha1 for compatibility */ + #define DROPBEAR_SHA1_HMAC 1 +-#define DROPBEAR_SHA1_96_HMAC 1 ++#define DROPBEAR_SHA1_96_HMAC 0 + #define DROPBEAR_SHA2_256_HMAC 1 + + /* Hostkey/public key algorithms - at least one required, these are used +@@ -149,12 +149,12 @@ IMPORTANT: Some options will require "ma + * Small systems should generally include either curve25519 or ecdh for performance. + * curve25519 is less widely supported but is faster + */ +-#define DROPBEAR_DH_GROUP14_SHA1 1 ++#define DROPBEAR_DH_GROUP14_SHA1 0 + #define DROPBEAR_DH_GROUP14_SHA256 1 + #define DROPBEAR_DH_GROUP16 0 + #define DROPBEAR_CURVE25519 1 + #define DROPBEAR_ECDH 1 +-#define DROPBEAR_DH_GROUP1 1 ++#define DROPBEAR_DH_GROUP1 0 + + /* When group1 is enabled it will only be allowed by Dropbear client + not as a server, due to concerns over its strength. Set to 0 to allow |
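Review bot: in the SRC_URI hunk of dropbear.inc, the `${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 'file://dropbear-disable-weak-ciphers.patch', '', d)}` entry is the only effect the new option has, because `PACKAGECONFIG[disable-weak-ciphers] = ""` carries no configure flags, dependencies or anything else; someone reading the PACKAGECONFIG block cannot tell what enabling it does. Add a one-line comment next to `PACKAGECONFIG[disable-weak-ciphers]` saying that the option only pulls `dropbear-disable-weak-ciphers.patch` into SRC_URI, so the coupling between the two hunks is visible in the recipe itself.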
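Review bot: `-PACKAGECONFIG ?= ""` / `+PACKAGECONFIG ?= "disable-weak-ciphers"` changes the default for every distro that consumes this recipe, so after the upgrade peers that can only negotiate CBC ciphers, hmac-sha1-96, diffie-hellman-group1-sha1 or diffie-hellman-group14-sha1 will fail to connect to the dropbear server and client built from it. Hardening by default is a reasonable choice, but the recipe should say so and name the opt-out (in 2019-era BitBake syntax, `PACKAGECONFIG_remove = "disable-weak-ciphers"` in a distro config or bbappend) so integrators with legacy equipment are not surprised. The option name also undersells what it does: the patch removes a MAC and two key-exchange methods as well as a cipher mode, so "disable-weak-algorithms" or a comment listing them would be more accurate.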
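Review bot: the patch header claims it "disables all CBC, SHA1, and diffie-hellman group1 ciphers", but the `@@ -101,7 +101,7 @@` hunk of the patch only clears `DROPBEAR_SHA1_96_HMAC` and leaves `#define DROPBEAR_SHA1_HMAC 1` untouched, so `hmac-sha1` remains negotiable by both server and client. Full-length HMAC-SHA1 is not known to be broken as a MAC, so keeping it may be deliberate, but then the description should say that only the truncated hmac-sha1-96 is removed; if the intent really is to drop all SHA-1 MACs, set `DROPBEAR_SHA1_HMAC 0` as well, leaving `DROPBEAR_SHA2_256_HMAC 1`. The description also has a typo ("stong").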
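Review bot: the `@@ -149,12 +149,12 @@` hunk also flips `DROPBEAR_DH_GROUP14_SHA1` to 0, which the patch description does not mention; with group1 and group14-sha1 gone the remaining key exchanges are group14-sha256, curve25519 and ecdh, which is fine, but the description should list group14-sha1 so the compatibility impact is documented. Separately, the patch is marked `Upstream-Status: Inappropriate [configuration]` and edits `default_options.h`, yet dropbear's supported way to change these defaults is a `localoptions.h` dropped into the source tree, which overrides `default_options.h` without patching it; shipping that file from the recipe (for example installing it in `do_configure_prepend`) would achieve the same settings and would not need refreshing on every dropbear version bump.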