* [Buildroot] [PATCH] package/dropbear: bump to version 2020.79
@ 2020-06-22 7:39 Francois Perrad
2020-06-22 9:07 ` Peter Korsgaard
0 siblings, 1 reply; 9+ messages in thread
From: Francois Perrad @ 2020-06-22 7:39 UTC (permalink / raw)
To: buildroot
CBC ciphers, 3DES and hmac-sha1-96 are now disabled by default.
LICENSE: curve25519-donna under BSD-3c was replaced by curve25519.c under Public domain
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
---
package/dropbear/dropbear.hash | 4 ++--
package/dropbear/dropbear.mk | 7 ++-----
2 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/package/dropbear/dropbear.hash b/package/dropbear/dropbear.hash
index aa0e80a20..ab53197f3 100644
--- a/package/dropbear/dropbear.hash
+++ b/package/dropbear/dropbear.hash
@@ -1,5 +1,5 @@
# From https://matt.ucc.asn.au/dropbear/releases/SHA256SUM.asc
-sha256 525965971272270995364a0eb01f35180d793182e63dd0b0c3eb0292291644a4 dropbear-2019.78.tar.bz2
+sha256 084f00546b1610a3422a0773e2c04cbe1a220d984209e033b548b49f379cc441 dropbear-2020.79.tar.bz2
# License file, locally computed
-sha256 cfa32d49e9022265375e533a4a5ef9e37d4aaa604119d612c46816aa1e59fe52 LICENSE
+sha256 2ac2be75a2232ec2473070dd791ee990253dffde6022d364809bbbcbc30f710e LICENSE
diff --git a/package/dropbear/dropbear.mk b/package/dropbear/dropbear.mk
index 1070a410b..b32f39d64 100644
--- a/package/dropbear/dropbear.mk
+++ b/package/dropbear/dropbear.mk
@@ -4,10 +4,10 @@
#
################################################################################
-DROPBEAR_VERSION = 2019.78
+DROPBEAR_VERSION = 2020.79
DROPBEAR_SITE = https://matt.ucc.asn.au/dropbear/releases
DROPBEAR_SOURCE = dropbear-$(DROPBEAR_VERSION).tar.bz2
-DROPBEAR_LICENSE = MIT, BSD-2-Clause, BSD-3-Clause
+DROPBEAR_LICENSE = MIT, BSD-2-Clause, Public domain
DROPBEAR_LICENSE_FILES = LICENSE
DROPBEAR_TARGET_BINS = dropbearkey dropbearconvert scp
DROPBEAR_PROGRAMS = dropbear $(DROPBEAR_TARGET_BINS)
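Review bot: The commit message for the DROPBEAR_VERSION bump to 2020.79 lists only the cipher-default and license changes, while the release's CHANGES file, as quoted later in this thread, also carries an scp fix for CVE-2018-20685. Naming that CVE in the commit message would mark the bump as security-relevant and make it easier to pick for the LTS branch.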
@@ -58,9 +58,6 @@ endif
ifneq ($(BR2_PACKAGE_DROPBEAR_LEGACY_CRYPTO),y)
define DROPBEAR_DISABLE_LEGACY_CRYPTO
- echo '#define DROPBEAR_3DES 0' >> $(@D)/localoptions.h
- echo '#define DROPBEAR_ENABLE_CBC_MODE 0' >> $(@D)/localoptions.h
- echo '#define DROPBEAR_SHA1_96_HMAC 0' >> $(@D)/localoptions.h
echo '#define DROPBEAR_DSS 0' >> $(@D)/localoptions.h
echo '#define DROPBEAR_DH_GROUP1 0' >> $(@D)/localoptions.h
endef
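Review bot: Dropping the three echo lines from DROPBEAR_DISABLE_LEGACY_CRYPTO leaves BR2_PACKAGE_DROPBEAR_LEGACY_CRYPTO=y with no effect on 3DES, CBC mode and hmac-sha1-96. The define sits under `ifneq ($(BR2_PACKAGE_DROPBEAR_LEGACY_CRYPTO),y)`, and since the commit message says upstream now disables these by default, nothing visible in this hunk turns them back on when the option is selected. Unless another part of dropbear.mk already does so, add a counterpart for the =y case that appends `#define DROPBEAR_3DES 1`, `#define DROPBEAR_ENABLE_CBC_MODE 1` and `#define DROPBEAR_SHA1_96_HMAC 1` to localoptions.h, so the option still enables what it advertises.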
--
2.25.1
* [Buildroot] [PATCH] package/dropbear: bump to version 2020.79
2020-06-22 7:39 [Buildroot] [PATCH] package/dropbear: bump to version 2020.79 Francois Perrad
@ 2020-06-22 9:07 ` Peter Korsgaard
2020-06-22 10:51 ` Alexander Dahl
2020-08-04 10:15 ` Thomas De Schampheleire
0 siblings, 2 replies; 9+ messages in thread
From: Peter Korsgaard @ 2020-06-22 9:07 UTC (permalink / raw)
To: buildroot
>>>>> "Francois" == Francois Perrad <fperrad@gmail.com> writes:
> CBC ciphers, 3DES and hmac-sha1-96 are now disabled by default.
Do we expect that to cause compatibility issues?
Committed, thanks.
--
Bye, Peter Korsgaard
* [Buildroot] [PATCH] package/dropbear: bump to version 2020.79
2020-06-22 9:07 ` Peter Korsgaard
@ 2020-06-22 10:51 ` Alexander Dahl
2020-06-22 18:48 ` François Perrad
2020-06-23 6:19 ` Peter Korsgaard
2020-08-04 10:15 ` Thomas De Schampheleire
1 sibling, 2 replies; 9+ messages in thread
From: Alexander Dahl @ 2020-06-22 10:51 UTC (permalink / raw)
To: buildroot
Hei hei,
On Mon, Jun 22, 2020 at 11:07:36AM +0200, Peter Korsgaard wrote:
> >>>>> "Francois" == Francois Perrad <fperrad@gmail.com> writes:
>
> > CBC ciphers, 3DES and hmac-sha1-96 are now disabled by default.
>
> Do we expect that to cause compatibility issues?
I just looked in package/dropbear/dropbear.mk and those options are
explicitly disabled if DROPBEAR_DISABLE_LEGACY_CRYPTO is set. From a
quick glance I would say now there's no possibility to activate those
anymore.
Greets
Alex
--
/"\ ASCII RIBBON | “With the first link, the chain is forged. The first
\ / CAMPAIGN | speech censured, the first thought forbidden, the
X AGAINST | first freedom denied, chains us all irrevocably.”
/ \ HTML MAIL | (Jean-Luc Picard, quoting Judge Aaron Satie)
* [Buildroot] [PATCH] package/dropbear: bump to version 2020.79
2020-06-22 10:51 ` Alexander Dahl
@ 2020-06-22 18:48 ` François Perrad
2020-06-23 6:24 ` Peter Korsgaard
2020-06-23 6:19 ` Peter Korsgaard
1 sibling, 1 reply; 9+ messages in thread
From: François Perrad @ 2020-06-22 18:48 UTC (permalink / raw)
To: buildroot
On Mon, 22 Jun 2020 at 12:52, Alexander Dahl <post@lespocky.de> wrote:
> Hei hei,
>
> On Mon, Jun 22, 2020 at 11:07:36AM +0200, Peter Korsgaard wrote:
> > >>>>> "Francois" == Francois Perrad <fperrad@gmail.com> writes:
> >
> > > CBC ciphers, 3DES and hmac-sha1-96 are now disabled by default.
> >
> > Do we expect that to cause compatibility issues?
>
> I just looked in package/dropbear/dropbear.mk and those options are
> explicitly disabled if DROPBEAR_DISABLE_LEGACY_CRYPTO is set. From a
> quick glance I would say now there's no possibility to activate those
> anymore.
>
>
BR2_PACKAGE_DROPBEAR_LOCALOPTIONS_FILE allows building any custom configuration.
Maybe we can remove BR2_PACKAGE_DROPBEAR_LEGACY_CRYPTO (which is less
versatile)?
see https://git.busybox.net/buildroot/commit/package/dropbear/Config.in?id=72d4d098b0dbb10d3904868acc11c97acafa8d80
see https://git.busybox.net/buildroot/commit/package/dropbear/Config.in?id=26708469adc3f5e4194f176fa51f1ce280b0b357
François
> Greets
> Alex
>
> --
> /"\ ASCII RIBBON | “With the first link, the chain is forged. The first
> \ / CAMPAIGN | speech censured, the first thought forbidden, the
> X AGAINST | first freedom denied, chains us all irrevocably.”
> / \ HTML MAIL | (Jean-Luc Picard, quoting Judge Aaron Satie)
* [Buildroot] [PATCH] package/dropbear: bump to version 2020.79
2020-06-22 10:51 ` Alexander Dahl
2020-06-22 18:48 ` François Perrad
@ 2020-06-23 6:19 ` Peter Korsgaard
1 sibling, 0 replies; 9+ messages in thread
From: Peter Korsgaard @ 2020-06-23 6:19 UTC (permalink / raw)
To: buildroot
>>>>> "Alexander" == Alexander Dahl <post@lespocky.de> writes:
> Hei hei,
> On Mon, Jun 22, 2020 at 11:07:36AM +0200, Peter Korsgaard wrote:
>> >>>>> "Francois" == Francois Perrad <fperrad@gmail.com> writes:
>>
>> > CBC ciphers, 3DES and hmac-sha1-96 are now disabled by default.
>>
>> Do we expect that to cause compatibility issues?
> I just looked in package/dropbear/dropbear.mk and those options are
> explicitly disabled if DROPBEAR_DISABLE_LEGACY_CRYPTO is set. From a
You mean NOT set (ifndef).
> quick glance I would say now there's no possibility to activate those
> anymore.
Indeed. Presumably we need to handle the case where the option is set to
ensure you end up with the configuration as described in the help text:
Enable legacy and possibly insecure algorithms:
3DES encryption
SHA1-96 message integrity
CBC encryption mode
DSA public keys
Diffie-Hellman Group1 key exchange
--
Bye, Peter Korsgaard
* [Buildroot] [PATCH] package/dropbear: bump to version 2020.79
2020-06-22 18:48 ` François Perrad
@ 2020-06-23 6:24 ` Peter Korsgaard
0 siblings, 0 replies; 9+ messages in thread
From: Peter Korsgaard @ 2020-06-23 6:24 UTC (permalink / raw)
To: buildroot
>>>>> "François" == François Perrad <francois.perrad@gadz.org> writes:
> On Mon, 22 Jun 2020 at 12:52, Alexander Dahl <post@lespocky.de> wrote:
>> Hei hei,
>>
>> On Mon, Jun 22, 2020 at 11:07:36AM +0200, Peter Korsgaard wrote:
>> > >>>>> "Francois" == Francois Perrad <fperrad@gmail.com> writes:
>> >
>> > > CBC ciphers, 3DES and hmac-sha1-96 are now disabled by default.
>> >
>> > Do we expect that to cause compatibility issues?
>>
>> I just looked in package/dropbear/dropbear.mk and those options are
>> explicitly disabled if DROPBEAR_DISABLE_LEGACY_CRYPTO is set. From a
>> quick glance I would say now there's no possibility to activate those
>> anymore.
>>
>>
> BR2_PACKAGE_DROPBEAR_LOCALOPTIONS_FILE allows to build any custom configuration.
> maybe we can remove BR2_PACKAGE_DROPBEAR_LEGACY_CRYPTO (which is less
> versatile) ?
> see https://git.busybox.net/buildroot/commit/package/dropbear/Config.in?id=72d4d098b0dbb10d3904868acc11c97acafa8d80
> see https://git.busybox.net/buildroot/commit/package/dropbear/Config.in?id=26708469adc3f5e4194f176fa51f1ce280b0b357
We could, but then we would end up changing the configuration for
everyone not using such a file (E.G. DROPBEAR_DSS /
DROPBEAR_DH_GROUP1).
We already do a bunch of fixups in localoptions.h, so I think just
correcting BR2_PACKAGE_DROPBEAR_LEGACY_CRYPTO to do what it is supposed
to do after the version bump is nicer.
--
Bye, Peter Korsgaard
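
The mismatch discussed above can be checked on a generated localoptions.h. This is an added example, not part of the patch or of Buildroot: the function names and sample files are hypothetical, and the upstream default of 1 for DROPBEAR_DSS and DROPBEAR_DH_GROUP1 is an assumption.

```shell
#!/bin/sh
# Added example: audit a generated localoptions.h against what
# BR2_PACKAGE_DROPBEAR_LEGACY_CRYPTO is documented to do.

# Values used when localoptions.h does not define a macro. The first three
# are 0 in 2020.79 per the commit message; 1 for the last two is an assumption.
legacy_defaults='DROPBEAR_3DES=0
DROPBEAR_ENABLE_CBC_MODE=0
DROPBEAR_SHA1_96_HMAC=0
DROPBEAR_DSS=1
DROPBEAR_DH_GROUP1=1'

# effective_value FILE MACRO DEFAULT: print the macro's last #define value,
# or DEFAULT when the file never defines it.
effective_value() {
    v=$(awk -v m="$2" '$1 == "#define" && $2 == m { last = $3 }
                       END { print last }' "$1")
    [ -n "$v" ] && echo "$v" || echo "$3"
}

# check_legacy FILE y|n: list every macro whose effective value differs from
# what the option promises (all 1 for y, all 0 for n); return 1 if any does.
check_legacy() {
    want=0
    [ "$2" = y ] && want=1
    bad=0
    for pair in $legacy_defaults; do
        macro=${pair%%=*}
        def=${pair#*=}
        got=$(effective_value "$1" "$macro" "$def")
        if [ "$got" != "$want" ]; then
            echo "mismatch: $macro=$got (expected $want)"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed inputs mirroring the patched dropbear.mk: with the option off two
# macros are appended; with it on, none of the five is written.
tmp=$(mktemp -d)
printf '#define DROPBEAR_DSS 0\n#define DROPBEAR_DH_GROUP1 0\n' > "$tmp/legacy_n.h"
: > "$tmp/legacy_y.h"
check_legacy "$tmp/legacy_n.h" n && echo "LEGACY_CRYPTO=n: ok"
check_legacy "$tmp/legacy_y.h" y || echo "LEGACY_CRYPTO=y: not all legacy algorithms enabled"
```
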
* [Buildroot] [PATCH] package/dropbear: bump to version 2020.79
2020-06-22 9:07 ` Peter Korsgaard
2020-06-22 10:51 ` Alexander Dahl
@ 2020-08-04 10:15 ` Thomas De Schampheleire
2020-08-04 11:40 ` Peter Korsgaard
1 sibling, 1 reply; 9+ messages in thread
From: Thomas De Schampheleire @ 2020-08-04 10:15 UTC (permalink / raw)
To: buildroot
Hi Peter,
On Mon, 22 Jun 2020 at 11:07, Peter Korsgaard (<peter@korsgaard.com>) wrote:
> >>>>> "Francois" == Francois Perrad <fperrad@gmail.com> writes:
>
> > CBC ciphers, 3DES and hmac-sha1-96 are now disabled by default.
>
> Do we expect that to cause compatibility issues?
>
> Committed, thanks.
>
I just want to notify you that this dropbear release 2020.79 also contains
a security fix: (from the CHANGES file):
- scp fix for CVE-2018-20685 where a server could modify name of
output files
and as such this update (or the later one to update to 2020.80) should also
be applied on the LTS branch.
Thanks,
Thomas
* [Buildroot] [PATCH] package/dropbear: bump to version 2020.79
2020-08-04 10:15 ` Thomas De Schampheleire
@ 2020-08-04 11:40 ` Peter Korsgaard
2020-08-04 13:24 ` Thomas De Schampheleire
0 siblings, 1 reply; 9+ messages in thread
From: Peter Korsgaard @ 2020-08-04 11:40 UTC (permalink / raw)
To: buildroot
>>>>> "Thomas" == Thomas De Schampheleire <patrickdepinguin@gmail.com> writes:
> Hi Peter,
> On Mon, 22 Jun 2020 at 11:07, Peter Korsgaard (<peter@korsgaard.com>) wrote:
>> >>>>> "Francois" == Francois Perrad <fperrad@gmail.com> writes:
>>
>> > CBC ciphers, 3DES and hmac-sha1-96 are now disabled by default.
>>
>> Do we expect that to cause compatibility issues?
>>
>> Committed, thanks.
>>
> I just want to notify you that this dropbear release 2020.79 also contains
> a security fix: (from the CHANGES file):
> - scp fix for CVE-2018-20685 where a server could modify name of
> output files
> and as such this update (or the later one to update to 2020.80) should also
> be applied on the LTS branch.
Ahh yes, true. 2020.79 does bring quite some new features / changes
though, would a backport of the scp fix be feasible?
--
Bye, Peter Korsgaard
* [Buildroot] [PATCH] package/dropbear: bump to version 2020.79
2020-08-04 11:40 ` Peter Korsgaard
@ 2020-08-04 13:24 ` Thomas De Schampheleire
0 siblings, 0 replies; 9+ messages in thread
From: Thomas De Schampheleire @ 2020-08-04 13:24 UTC (permalink / raw)
To: buildroot
Hi Peter,
On Tue, 4 Aug 2020 at 13:40, Peter Korsgaard (<peter@korsgaard.com>) wrote:
> >>>>> "Thomas" == Thomas De Schampheleire <patrickdepinguin@gmail.com> writes:
>
> > Hi Peter,
> > On Mon, 22 Jun 2020 at 11:07, Peter Korsgaard (<peter at korsgaard.com>) wrote:
>
> >> >>>>> "Francois" == Francois Perrad <fperrad@gmail.com> writes:
> >>
> >> > CBC ciphers, 3DES and hmac-sha1-96 are now disabled by default.
> >>
> >> Do we expect that to cause compatibility issues?
> >>
> >> Committed, thanks.
> >>
>
>
> > I just want to notify you that this dropbear release 2020.79 also contains
> > a security fix: (from the CHANGES file):
>
> > - scp fix for CVE-2018-20685 where a server could modify name of
> > output files
>
> > and as such this update (or the later one to update to 2020.80) should also
> > be applied on the LTS branch.
>
> Ahh yes, true. 2020.79 does bring quite some new features / changes
> though, would a backport of the scp fix be feasible?
>
Seems it would, the fix is a simple patch that applies cleanly on top of
2019.78.
https://hg.ucc.asn.au/dropbear/changeset/3080aed32bf1
I can send a patch.
Best regards,
Thomas