mirror of
https://github.com/godotengine/buildroot.git
synced 2026-01-19 00:51:35 +03:00
df0c78d61e
From the release notes (https://www.openssh.com/txt/release-7.5):
Security
--------
* ssh(1), sshd(8): Fix weakness in CBC padding oracle countermeasures
that allowed a variant of the attack fixed in OpenSSH 7.3 to proceed.
Note that the OpenSSH client disables CBC ciphers by default, sshd
offers them as lowest-preference options and will remove them by
default entriely in the next release. Reported by Jean Paul
Degabriele, Kenny Paterson, Martin Albrecht and Torben Hansen of
Royal Holloway, University of London.
* sftp-client(1): [portable OpenSSH only] On Cygwin, a client making
a recursive file transfer could be maniuplated by a hostile server to
perform a path-traversal attack. creating or modifying files outside
of the intended target directory. Reported by Jann Horn of Google
Project Zero.
[Peter: mention security fixes]
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 2204f4deb1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
66 lines
1.9 KiB
Makefile
66 lines
1.9 KiB
Makefile
################################################################################
|
|
#
|
|
# openssh
|
|
#
|
|
################################################################################
|
|
|
|
OPENSSH_VERSION = 7.5p1
|
|
OPENSSH_SITE = http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable
|
|
OPENSSH_LICENSE = BSD-3c, BSD-2c, Public Domain
|
|
OPENSSH_LICENSE_FILES = LICENCE
|
|
OPENSSH_CONF_ENV = LD="$(TARGET_CC)" LDFLAGS="$(TARGET_CFLAGS)"
|
|
OPENSSH_CONF_OPTS = \
|
|
--sysconfdir=/etc/ssh \
|
|
--disable-lastlog \
|
|
--disable-utmp \
|
|
--disable-utmpx \
|
|
--disable-wtmp \
|
|
--disable-wtmpx \
|
|
--disable-strip
|
|
|
|
define OPENSSH_USERS
|
|
sshd -1 sshd -1 * - - - SSH drop priv user
|
|
endef
|
|
|
|
ifeq ($(BR2_TOOLCHAIN_SUPPORTS_PIE),)
|
|
OPENSSH_CONF_OPTS += --without-pie
|
|
endif
|
|
|
|
OPENSSH_DEPENDENCIES = zlib openssl
|
|
|
|
ifeq ($(BR2_PACKAGE_LINUX_PAM),y)
|
|
define OPENSSH_INSTALL_PAM_CONF
|
|
$(INSTALL) -D -m 644 $(@D)/contrib/sshd.pam.generic $(TARGET_DIR)/etc/pam.d/sshd
|
|
$(SED) '\%password required /lib/security/pam_cracklib.so%d' $(TARGET_DIR)/etc/pam.d/sshd
|
|
$(SED) 's/\#UsePAM no/UsePAM yes/' $(TARGET_DIR)/etc/ssh/sshd_config
|
|
endef
|
|
|
|
OPENSSH_DEPENDENCIES += linux-pam
|
|
OPENSSH_CONF_OPTS += --with-pam
|
|
OPENSSH_POST_INSTALL_TARGET_HOOKS += OPENSSH_INSTALL_PAM_CONF
|
|
else
|
|
OPENSSH_CONF_OPTS += --without-pam
|
|
endif
|
|
|
|
ifeq ($(BR2_PACKAGE_LIBSELINUX),y)
|
|
OPENSSH_DEPENDENCIES += libselinux
|
|
OPENSSH_CONF_OPTS += --with-selinux
|
|
else
|
|
OPENSSH_CONF_OPTS += --without-selinux
|
|
endif
|
|
|
|
define OPENSSH_INSTALL_INIT_SYSTEMD
|
|
$(INSTALL) -D -m 644 package/openssh/sshd.service \
|
|
$(TARGET_DIR)/usr/lib/systemd/system/sshd.service
|
|
mkdir -p $(TARGET_DIR)/etc/systemd/system/multi-user.target.wants
|
|
ln -fs ../../../../usr/lib/systemd/system/sshd.service \
|
|
$(TARGET_DIR)/etc/systemd/system/multi-user.target.wants/sshd.service
|
|
endef
|
|
|
|
define OPENSSH_INSTALL_INIT_SYSV
|
|
$(INSTALL) -D -m 755 package/openssh/S50sshd \
|
|
$(TARGET_DIR)/etc/init.d/S50sshd
|
|
endef
|
|
|
|
$(eval $(autotools-package))
|