From: "Anuj Mittal" <anuj.mittal@intel.com>
To: openembedded-core@lists.openembedded.org
Subject: [hardknott][PATCH 10/10] rsync: fix CVE-2020-14387
Date: Thu, 29 Apr 2021 12:41:07 +0800
Message-ID: <940111cefa459bc7a5fd9de1cf70b2040ffb5229.1619667368.git.anuj.mittal@intel.com>
In-Reply-To: <cover.1619667368.git.anuj.mittal@intel.com>

From: Chen Qi <Qi.Chen@windriver.com>

Backport patch to fix CVE-2020-14387.

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 5e7a536d07856630e4eb421614c8d823c67e0294)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 ...-the-hostname-in-the-certificate-whe.patch | 31 +++++++++++++++++++
 meta/recipes-devtools/rsync/rsync_3.2.3.bb    |  1 +
 2 files changed, 32 insertions(+)
 create mode 100644 meta/recipes-devtools/rsync/files/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-whe.patch

diff --git a/meta/recipes-devtools/rsync/files/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-whe.patch b/meta/recipes-devtools/rsync/files/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-whe.patch
new file mode 100644
index 0000000000..2d51ddf965
--- /dev/null
+++ b/meta/recipes-devtools/rsync/files/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-whe.patch
@@ -0,0 +1,31 @@
+From fbe85634d88e82fbb439ae2a5d1aca8b8c309bea Mon Sep 17 00:00:00 2001
+From: Matt McCutchen <matt@mattmccutchen.net>
+Date: Wed, 26 Aug 2020 12:16:08 -0400
+Subject: [PATCH] rsync-ssl: Verify the hostname in the certificate when using
+ openssl.
+
+CVE: CVE-2020-14387
+
+Upstream-Status: Backport [https://git.samba.org/?p=rsync.git;a=commit;h=c3f7414]
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ rsync-ssl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/rsync-ssl b/rsync-ssl
+index 8101975..46701af 100755
+--- a/rsync-ssl
++++ b/rsync-ssl
+@@ -129,7 +129,7 @@ function rsync_ssl_helper {
+     fi
+ 
+     if [[ $RSYNC_SSL_TYPE == openssl ]]; then
+-	exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -connect $hostname:$port
++	exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -verify_hostname $hostname -connect $hostname:$port
+     elif [[ $RSYNC_SSL_TYPE == gnutls ]]; then
+ 	exec $RSYNC_SSL_GNUTLS --logfile=/dev/null $gnutls_cert_opt $gnutls_opts $hostname:$port
+     else
+-- 
+2.17.1
+
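Review bot: On the added s_client line, -verify_hostname $hostname only rejects a mismatched certificate if a verification failure actually aborts the handshake, and nothing on this line requests that; s_client carries on after a failed verification unless -verify_return_error is passed. Whether it is passed depends on what $caopt expands to, which is set outside this hunk, so please confirm that every path that reaches this exec puts -verify_return_error (or an equivalent) in $caopt, otherwise the hostname mismatch is recorded but the rsync stream still flows. The gnutls branch in the trailing context is untouched; a line in the commit message saying whether it already checks the hostname would make the scope of the fix clear. Minor: Upstream-Status cites c3f7414 while the From line carries fbe85634d88e..., so it is worth stating the full upstream commit id in the header.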
diff --git a/meta/recipes-devtools/rsync/rsync_3.2.3.bb b/meta/recipes-devtools/rsync/rsync_3.2.3.bb
index 8b36a8ebde..cb18667755 100644
--- a/meta/recipes-devtools/rsync/rsync_3.2.3.bb
+++ b/meta/recipes-devtools/rsync/rsync_3.2.3.bb
@@ -14,6 +14,7 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/src/${BP}.tar.gz \
            file://rsyncd.conf \
            file://makefile-no-rebuild.patch \
            file://determism.patch \
+           file://0001-rsync-ssl-Verify-the-hostname-in-the-certificate-whe.patch \
            "
 
 SRC_URI[sha256sum] = "becc3c504ceea499f4167a260040ccf4d9f2ef9499ad5683c179a697146ce50e"
-- 
2.30.2

