remove merged patches.
LICENSE diff:
- Copyright (c) 2002-2015 Matt Johnston
+ Copyright (c) 2002-2020 Matt Johnston
- LibTomCrypt and LibTomMath are written by Tom St Denis, and are Public Domain.
+ LibTomCrypt and LibTomMath are written by Tom St Denis and others, see
+ libtomcrypt/LICENSE and libtommath/LICENSE.
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Acked-by: Alexander Dahl <post@lespocky.de>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
this package allows to use optionally bundled libraries (which is exceptional in BR).
so, license infos must be conditional.
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
CBC ciphers, 3DES and hmac-sha1-96 are now disabled by default.
LICENSE: curve25519-donna under BSD-3c was replaced by curve25519.c under
Public domain
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Drop patches as they are now upstream. Add a hash for the license file.
Verified that runtime test still works:
./support/testing/run-tests -o tests.package.test_dropbear
20:42:44 TestDropbear Starting
20:42:45 TestDropbear Building
20:44:18 TestDropbear Building done
20:44:24 TestDropbear Cleaning up
.
----------------------------------------------------------------------
Ran 1 test in 100.727s
OK
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
with this new version:
- "configure --enable-static" should now be used instead of
"make STATIC=1"
- any customised options should be put in localoptions.h
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes:
- CVE-2017-9078: A double-free in the server could be triggered by an
authenticated user if dropbear is running with -a (Allow connections to
forwarded ports from any host) This could potentially allow arbitrary code
execution as root by an authenticated user. Affects versions 2013.56 to
2016.74. Thanks to Mark Shepard for reporting the crash.
- CVE-2017-9079: Dropbear parsed authorized_keys as root, even if it were a
symlink. The fix is to switch to user permissions when opening
authorized_keys.
A user could symlink their ~/.ssh/authorized_keys to a root-owned file
they couldn't normally read. If they managed to get that file to contain
valid authorized_keys with command= options it might be possible to read
other contents of that file. This information disclosure is to an already
authenticated user. Thanks to Jann Horn of Google Project Zero for
reporting this.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
According to https://matt.ucc.asn.au/dropbear/CHANGES there were some
severe security issues fixed.
Signed-off-by: Alexander Dahl <post@lespocky.de>
Acked-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
some new runtime options, minor fixes, and fixes for issues found by
various code analyze and lintian tools.
Signed-off-by: Alexander Dahl <post@lespocky.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016.72 - 9 March 2016
- Validate X11 forwarding input. Could allow bypass of authorized_keys command= restrictions,
found by github.com/tintinweb. Thanks to Damien Miller for a patch.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes a port-forwarding regression in 2015.68
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Switch sed options around since defaults have changed.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>