summaryrefslogtreecommitdiff
path: root/package/network/services/dropbear/patches
Commit message (Collapse)AuthorAgeFilesLines
* dropbear: disable MD5 HMAC and switch to sha1 fingerprintsMartin Schiller2017-12-121-2/+4
| | | | | | | | | | | | As MD5 is known weak for many years and more and more penetration test tools complain about enabled MD5 HMAC I think it's time to drop it. By disabling the MD5 HMAC support dropbear will also automatically use SHA1 for fingerprints. This shouldn't be a problem too. Signed-off-by: Martin Schiller <ms@dev.tdt.de>
* dropbear: server support option '-T' max auth triesKevin Darbyshire-Bryant2017-06-282-2/+132
| | | | | | | | | | | | Add support for '-T n' for a run-time specification for maximum number of authentication attempts where 'n' is between 1 and compile time option MAX_AUTH_TRIES. A default number of tries can be specified at compile time using 'DEFAULT_AUTH_TRIES' which itself defaults to MAX_AUTH_TRIES for backwards compatibility. Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
* dropbear: bump to 2017.75Kevin Darbyshire-Bryant2017-05-211-14/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | - Security: Fix double-free in server TCP listener cleanup A double-free in the server could be triggered by an authenticated user if dropbear is running with -a (Allow connections to forwarded ports from any host) This could potentially allow arbitrary code execution as root by an authenticated user. Affects versions 2013.56 to 2016.74. Thanks to Mark Shepard for reporting the crash. CVE-2017-9078 https://secure.ucc.asn.au/hg/dropbear/rev/c8114a48837c - Security: Fix information disclosure with ~/.ssh/authorized_keys symlink. Dropbear parsed authorized_keys as root, even if it were a symlink. The fix is to switch to user permissions when opening authorized_keys A user could symlink their ~/.ssh/authorized_keys to a root-owned file they couldn't normally read. If they managed to get that file to contain valid authorized_keys with command= options it might be possible to read other contents of that file. This information disclosure is to an already authenticated user. Thanks to Jann Horn of Google Project Zero for reporting this. CVE-2017-9079 https://secure.ucc.asn.au/hg/dropbear/rev/0d889b068123 Refresh patches, rework 100-pubkey_path.patch to work with new authorized_keys validation. Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
* dropbear: enable SHA256 HMACsJoseph C. Sible2017-02-101-3/+2
| | | | | | | The only HMACs currently available use MD5 and SHA1, both of which have known weaknesses. We already compile in the SHA256 code since we use Curve25519 by default, so there's no significant size penalty to enabling this. Signed-off-by: Joseph C. Sible <josephcsible@users.noreply.github.com>
* dropbear: clean up default PATH handling in makefileDario Ernst2016-12-141-12/+0
| | | | | | | | Harmonise handling of DEFAULT_PATH by removing the patch introducing #ifndef guards around the path, and only using one means to set the path in the makefile. Signed-off-by: Dario Ernst <Dario.Ernst@riverbed.com>
* dropbear: update to 2016.73Jo-Philipp Wich2016-05-135-25/+15
| | | | | | | | | | | | | Update the dropbear package to version 2016.73, refresh patches. The measured .ipk sizes on an x86_64 build are: 94588 dropbear_2015.71-3_x86_64.ipk 95316 dropbear_2016.73-1_x86_64.ipk This is an increase of roughly 700 bytes after compression. Tested-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk> Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* dropbear: honor CONFIG_TARGET_INIT_PATHJo-Philipp Wich2016-02-081-3/+4
| | | | | | Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> SVN-Revision: 48679
* dropbear: update version to 2015.71Felix Fietkau2016-01-154-6/+6
| | | | | | | | | Update dropbear to version 2015.71, released on 3 Dec 2015. Refresh patches. Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi> SVN-Revision: 48243
* dropbear: disable 3des, cbc mode, dss support, saves about 5k gzippedFelix Fietkau2015-09-081-1/+20
| | | | | | | | | While technically required by the RFC, they are usually completely unused (DSA), or have security issues (3DES, CBC) Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 46814
* Disable telnet in favor of passwordless SSHSteven Barth2015-09-073-0/+40
| | | | | | | | | | This enables passworldless login for root via SSH whenever no root password is set (e.g. after reset, flashing without keeping config or in failsafe) and removes telnet support alltogether. Signed-off-by: Steven Barth <steven@midlink.org> SVN-Revision: 46809
* dropbear: bump to 2015.68Steven Barth2015-09-026-10/+10
| | | | | | Signed-off-by: Steven Barth <steven@midlink.org> SVN-Revision: 46769
* dropbear: update to 2015.67Steven Barth2015-04-186-411/+13
| | | | | | | | | | | fixes dbclient login into OpenSSH 6.8p1 error: "Bad hostkey signature" reported on irc, replicated with Arch Linux Signed-off-by: Dirk Neukirchen <dirkneukirchen@web.de> SVN-Revision: 45493
* dropbear: fix keepalive moreJonas Gorski2014-08-211-0/+333
| | | | | | | | | | | Add a further upstream commit to more closely match the keepalive to OpenSSH. Should now really fix #17523. Signed-off-by: Jonas Gorski <jogo@openwrt.org> SVN-Revision: 42249
* dropbear: fix keepalive with puttyJonas Gorski2014-08-131-0/+58
| | | | | | | | | | | Don't send SSH_MSG_UNIMPLEMENTED for keepalive responses, which broke at least putty. Fixes #17522 / #17523. Signed-off-by: Jonas Gorski <jogo@openwrt.org> SVN-Revision: 42162
* dropbear: update to 2014.65Steven Barth2014-08-114-8/+8
| | | | | | Signed-off-by: Steven Barth <steven@midlink.org> SVN-Revision: 42131
* dropbear: update to 2014.63Felix Fietkau2014-03-295-50/+12
| | | | | | | | | | | | | | | | | Upstream changelog: https://matt.ucc.asn.au/dropbear/CHANGES This adds elliptic curve cryptography (ECC) support as an option, disabled by default. dropbear mips 34kc uClibc binary size: before: 161,672 bytes after, without ECC (default): 164,968 after, with ECC: 198,008 Signed-off-by: Catalin Patulea <cat@vv.carleton.ca> SVN-Revision: 40297
* dropbear: update to 2013.59 (released 4 october 2013)Jo-Philipp Wich2013-10-107-33/+18
| | | | | | | | | | | - drop mirror www.mirrors.wiretapped.net (not working anymore) - drop patch 300-ipv6_addr_port_split.patch, included upstream - refresh patches - various upstream changes: http://matt.ucc.asn.au/dropbear/CHANGES Signed-off-by: Catalin Patulea <cat@vv.carleton.ca> SVN-Revision: 38356
* dropbear: update to 2012.55 and refresh patchesFlorian Fainelli2012-12-044-94/+8
| | | | | | | | | | | | | | | | | Upstream has a few code cleanups, more eagerly burns sensitive memory and includes the fix for CVE-2012-0920. Full changelog: https://matt.ucc.asn.au/dropbear/CHANGES Local changes: - Removed PKG_MULTI which is no longer in options.h (even before 2011.54) - Merged DO_HOST_LOOKUP into 120-openwrt_options.patch - Removed LD from make opts (now included in TARGET_CONFIGURE_OPTS) - Removed 400-CVE-2012-0920.patch which is included in 2012.55 Signed-off-by: Catalin Patulea <cat@vv.carleton.ca> Signed-off-by: Florian Fainelli <florian@openwrt.org> SVN-Revision: 34496
* packages: sort network related packages into package/network/Felix Fietkau2012-10-1010-0/+367
SVN-Revision: 33688