* [poky][dunfell][PATCH] openssh: Whitelist CVE-2008-3844 and CVE-2020-15778
@ 2021-04-05 13:29 Sana Kazi
  2021-04-05 22:35 ` [OE-core] " Steve Sakoman
  0 siblings, 1 reply; 4+ messages in thread
From: Sana Kazi @ 2021-04-05 13:29 UTC (permalink / raw)
  To: Openembedded-core, raj.khem
  Cc: nisha.parrakat, Purushottam.Choudhary, Harpritkaur.Bhandari

Whitelisted below CVEs reported for openssh:

CVE-2008-3844 was reported in OpenSSH on Red Hat Enterprise Linux
and certain packages may have been compromised and has been fixed
by Red Hat. This CVE is not applicable as our source is OpenBSD.
Hence, this CVE is not reported for other distros and
can be whitelisted.
Links:
https://securitytracker.com/id?1020730
https://www.securityfocus.com/bid/30794

For CVE-2020-15778 OpenSSH through 8.3p1 is affected.
Hence, it can be whitelisted for 8.2p1
https://nvd.nist.gov/vuln/detail/CVE-2020-15778

Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
---
 meta/recipes-connectivity/openssh/openssh_8.2p1.bb | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
index fe94f30503..f8037db986 100644
--- a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
@@ -32,6 +32,20 @@ SRC_URI[sha256sum] = "43925151e6cf6cee1450190c0e9af4dc36b41c12737619edff8bcebdff
 # and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded
 CVE_CHECK_WHITELIST += "CVE-2014-9278"

+# CVE-2008-3844 was reported in OpenSSH on Red Hat Enterprise Linux
+# and certain packages may have been compromised and has been fixed
+# by Red Hat. This CVE is not applicable as our source is OpenBSD.
+# Hence, this CVE  is not reported for other distros
+# and can be marked whitelisted.
+# https://securitytracker.com/id?1020730
+# https://www.securityfocus.com/bid/30794
+CVE_CHECK_WHITELIST += "CVE-2008-3844"
+
+# For CVE-2020-15778 OpenSSH through 8.3p1 is affected.
+# Hence, it can be whitelisted for 8.2p1
+# https://nvd.nist.gov/vuln/detail/CVE-2020-15778
+CVE_CHECK_WHITELIST += "CVE-2020-15778"
+
 PAM_SRC_URI = "file://sshd"

 inherit manpages useradd update-rc.d update-alternatives systemd
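Review bot: The comment added above CVE_CHECK_WHITELIST += "CVE-2020-15778" gives a reason that argues against the entry: "OpenSSH through 8.3p1 is affected" covers 8.2p1, the version this recipe (openssh_8.2p1.bb) builds, so "Hence, it can be whitelisted for 8.2p1" does not follow. Either drop that whitelist line or replace the comment with the concrete reason the issue does not apply to this recipe, in the same style as the existing CVE-2014-9278 entry. The CVE-2008-3844 comment would also be easier to maintain if it stated directly that the report concerns packages distributed by Red Hat while this recipe builds from the OpenBSD source; "Hence, this CVE  is not reported for other distros" is hard to parse as written.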
--
2.17.1

This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.


* Re: [OE-core] [poky][dunfell][PATCH] openssh: Whitelist CVE-2008-3844 and CVE-2020-15778
  2021-04-05 13:29 [poky][dunfell][PATCH] openssh: Whitelist CVE-2008-3844 and CVE-2020-15778 Sana Kazi
@ 2021-04-05 22:35 ` Steve Sakoman
  2021-04-06  5:07   ` Sana Kazi
  0 siblings, 1 reply; 4+ messages in thread
From: Steve Sakoman @ 2021-04-05 22:35 UTC (permalink / raw)
  To: Sana Kazi
  Cc: Patches and discussions about the oe-core layer, Khem Raj,
	Nisha Parrakat, Purushottam Choudhary, Harpritkaur Bhandari

On Mon, Apr 5, 2021 at 3:30 AM Sana Kazi <Sana.Kazi@kpit.com> wrote:
>
> Whitelisted below CVEs reported for openssh:
>
> CVE-2008-3844 was reported in OpenSSH on Red Hat Enterprise Linux
> and certain packages may have been compromised and has been fixed
> by Red Hat. This CVE is not applicable as our source is OpenBSD.
> Hence, this CVE is not reported for other distros and
> can be whitelisted.
> Links:
> https://securitytracker.com/id?1020730
> https://www.securityfocus.com/bid/30794
>
> For CVE-2020-15778 OpenSSH through 8.3p1 is affected.
> Hence, it can be whitelisted for 8.2p1

This explanation doesn't make sense to me!  If 8.2p1 is affected, why
are you proposing to whitelist it?

Steve

> https://nvd.nist.gov/vuln/detail/CVE-2020-15778
>
> Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
> ---
>  meta/recipes-connectivity/openssh/openssh_8.2p1.bb | 14 ++++++++++++++
>  1 file changed, 14 insertions(+)
>
> diff --git a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
> index fe94f30503..f8037db986 100644
> --- a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
> +++ b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
> @@ -32,6 +32,20 @@ SRC_URI[sha256sum] = "43925151e6cf6cee1450190c0e9af4dc36b41c12737619edff8bcebdff
>  # and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded
>  CVE_CHECK_WHITELIST += "CVE-2014-9278"
>
> +# CVE-2008-3844 was reported in OpenSSH on Red Hat Enterprise Linux
> +# and certain packages may have been compromised and has been fixed
> +# by Red Hat. This CVE is not applicable as our source is OpenBSD.
> +# Hence, this CVE  is not reported for other distros
> +# and can be marked whitelisted.
> +# https://securitytracker.com/id?1020730
> +# https://www.securityfocus.com/bid/30794
> +CVE_CHECK_WHITELIST += "CVE-2008-3844"
> +
> +# For CVE-2020-15778 OpenSSH through 8.3p1 is affected.
> +# Hence, it can be whitelisted for 8.2p1
> +# https://nvd.nist.gov/vuln/detail/CVE-2020-15778
> +CVE_CHECK_WHITELIST += "CVE-2020-15778"
> +
>  PAM_SRC_URI = "file://sshd"
>
>  inherit manpages useradd update-rc.d update-alternatives systemd
> --
> 2.17.1
>


* Re: [OE-core] [poky][dunfell][PATCH] openssh: Whitelist CVE-2008-3844 and CVE-2020-15778
  2021-04-05 22:35 ` [OE-core] " Steve Sakoman
@ 2021-04-06  5:07   ` Sana Kazi
  2021-04-06 14:54     ` Steve Sakoman
  0 siblings, 1 reply; 4+ messages in thread
From: Sana Kazi @ 2021-04-06  5:07 UTC (permalink / raw)
  To: Steve Sakoman
  Cc: Patches and discussions about the oe-core layer, Khem Raj,
	Nisha Parrakat, Purushottam Choudhary, Harpritkaur Bhandari


Hi Steve,

Whitelisted CVE-2020-15778 because it is reflected in recent CVE metrics which you mailed on Sunday.

 Thanks & Regards,

 Sana Kazi
 KPIT Technologies Limited

________________________________
From: Steve Sakoman <sakoman@gmail.com>
Sent: Tuesday, April 6, 2021 4:05 AM
To: Sana Kazi <Sana.Kazi@kpit.com>
Cc: Patches and discussions about the oe-core layer <Openembedded-core@lists.openembedded.org>; Khem Raj <raj.khem@gmail.com>; Nisha Parrakat <Nisha.Parrakat@kpit.com>; Purushottam Choudhary <Purushottam.Choudhary@kpit.com>; Harpritkaur Bhandari <Harpritkaur.Bhandari@kpit.com>
Subject: Re: [OE-core] [poky][dunfell][PATCH] openssh: Whitelist CVE-2008-3844 and CVE-2020-15778

On Mon, Apr 5, 2021 at 3:30 AM Sana Kazi <Sana.Kazi@kpit.com> wrote:
>
> Whitelisted below CVEs reported for openssh:
>
> CVE-2008-3844 was reported in OpenSSH on Red Hat Enterprise Linux
> and certain packages may have been compromised and has been fixed
> by Red Hat. This CVE is not applicable as our source is OpenBSD.
> Hence, this CVE is not reported for other distros and
> can be whitelisted.
> Links:
> https://securitytracker.com/id?1020730
> https://www.securityfocus.com/bid/30794
>
> For CVE-2020-15778 OpenSSH through 8.3p1 is affected.
> Hence, it can be whitelisted for 8.2p1

This explanation doesn't make sense to me!  If 8.2p1 is affected, why
are you proposing to whitelist it?

Steve

> https://nvd.nist.gov/vuln/detail/CVE-2020-15778
>
> Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
> ---
>  meta/recipes-connectivity/openssh/openssh_8.2p1.bb | 14 ++++++++++++++
>  1 file changed, 14 insertions(+)
>
> diff --git a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
> index fe94f30503..f8037db986 100644
> --- a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
> +++ b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
> @@ -32,6 +32,20 @@ SRC_URI[sha256sum] = "43925151e6cf6cee1450190c0e9af4dc36b41c12737619edff8bcebdff
>  # and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded
>  CVE_CHECK_WHITELIST += "CVE-2014-9278"
>
> +# CVE-2008-3844 was reported in OpenSSH on Red Hat Enterprise Linux
> +# and certain packages may have been compromised and has been fixed
> +# by Red Hat. This CVE is not applicable as our source is OpenBSD.
> +# Hence, this CVE  is not reported for other distros
> +# and can be marked whitelisted.
> +# https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsecuritytracker.com%2Fid%3F1020730&amp;data=04%7C01%7CSana.Kazi%40kpit.com%7C8b8ab31f2f0142adf52e08d8f88323ea%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637532589452091655%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=AGj3kr88jZBCf2UPTYmok1x2orsmrY6AuLMBoTAmKSI%3D&amp;reserved=0
> +# https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.securityfocus.com%2Fbid%2F30794&amp;data=04%7C01%7CSana.Kazi%40kpit.com%7C8b8ab31f2f0142adf52e08d8f88323ea%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637532589452091655%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=CNOSXhh%2BTAlkWkrnEpxS3v2p7JTwQH%2BL5idJyir1GOE%3D&amp;reserved=0
> +CVE_CHECK_WHITELIST += "CVE-2008-3844"
> +
> +# For CVE-2020-15778 OpenSSH through 8.3p1 is affected.
> +# Hence, it can be whitelisted for 8.2p1
> +# https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fnvd.nist.gov%2Fvuln%2Fdetail%2FCVE-2020-15778&amp;data=04%7C01%7CSana.Kazi%40kpit.com%7C8b8ab31f2f0142adf52e08d8f88323ea%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637532589452091655%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=OwC%2Flt6FcUUdt6aCUIk7mxk8a0QSC5%2F%2BLCX99yqZG2w%3D&amp;reserved=0
> +CVE_CHECK_WHITELIST += "CVE-2020-15778"
> +
>  PAM_SRC_URI = "file://sshd"
>
>  inherit manpages useradd update-rc.d update-alternatives systemd
> --
> 2.17.1
>

* Re: [OE-core] [poky][dunfell][PATCH] openssh: Whitelist CVE-2008-3844 and CVE-2020-15778
  2021-04-06  5:07   ` Sana Kazi
@ 2021-04-06 14:54     ` Steve Sakoman
  0 siblings, 0 replies; 4+ messages in thread
From: Steve Sakoman @ 2021-04-06 14:54 UTC (permalink / raw)
  To: Sana Kazi
  Cc: Steve Sakoman, Patches and discussions about the oe-core layer,
	Khem Raj, Nisha Parrakat, Purushottam Choudhary,
	Harpritkaur Bhandari

On Mon, Apr 5, 2021 at 7:07 PM Sana Kazi <Sana.Kazi@kpit.com> wrote:
>
> Hi Steve,
>
> Whitelisted CVE-2020-15778 because it is reflected in recent CVE metrics which you mailed on Sunday.

Yes, it is in the CVE metrics report because the openssh version in
dunfell has the vulnerability.

You haven't explained why we should whitelist it, i.e. an explanation
similar to what you did with CVE-2008-3844.

>  Thanks & Regards,
>
>  Sana Kazi
>  KPIT Technologies Limited
>
>
> ________________________________
> From: Steve Sakoman <sakoman@gmail.com>
> Sent: Tuesday, April 6, 2021 4:05 AM
> To: Sana Kazi <Sana.Kazi@kpit.com>
> Cc: Patches and discussions about the oe-core layer <Openembedded-core@lists.openembedded.org>; Khem Raj <raj.khem@gmail.com>; Nisha Parrakat <Nisha.Parrakat@kpit.com>; Purushottam Choudhary <Purushottam.Choudhary@kpit.com>; Harpritkaur Bhandari <Harpritkaur.Bhandari@kpit.com>
> Subject: Re: [OE-core] [poky][dunfell][PATCH] openssh: Whitelist CVE-2008-3844 and CVE-2020-15778
>
> On Mon, Apr 5, 2021 at 3:30 AM Sana Kazi <Sana.Kazi@kpit.com> wrote:
> >
> > Whitelisted below CVEs reported for openssh:
> >
> > CVE-2008-3844 was reported in OpenSSH on Red Hat Enterprise Linux
> > and certain packages may have been compromised and has been fixed
> > by Red Hat. This CVE is not applicable as our source is OpenBSD.
> > Hence, this CVE is not reported for other distros and
> > can be whitelisted.
> > Links:
> > https://securitytracker.com/id?1020730
> > https://www.securityfocus.com/bid/30794
> >
> > For CVE-2020-15778 OpenSSH through 8.3p1 is affected.
> > Hence, it can be whitelisted for 8.2p1
>
> This explanation doesn't make sense to me!  If 8.2p1 is affected, why
> are you proposing to whitelist it?
>
> Steve
>
> > https://nvd.nist.gov/vuln/detail/CVE-2020-15778
> >
> > Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
> > ---
> >  meta/recipes-connectivity/openssh/openssh_8.2p1.bb | 14 ++++++++++++++
> >  1 file changed, 14 insertions(+)
> >
> > diff --git a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
> > index fe94f30503..f8037db986 100644
> > --- a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
> > +++ b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
> > @@ -32,6 +32,20 @@ SRC_URI[sha256sum] = "43925151e6cf6cee1450190c0e9af4dc36b41c12737619edff8bcebdff
> >  # and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded
> >  CVE_CHECK_WHITELIST += "CVE-2014-9278"
> >
> > +# CVE-2008-3844 was reported in OpenSSH on Red Hat Enterprise Linux
> > +# and certain packages may have been compromised and has been fixed
> > +# by Red Hat. This CVE is not applicable as our source is OpenBSD.
> > +# Hence, this CVE  is not reported for other distros
> > +# and can be marked whitelisted.
> > +# https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsecuritytracker.com%2Fid%3F1020730&amp;data=04%7C01%7CSana.Kazi%40kpit.com%7C8b8ab31f2f0142adf52e08d8f88323ea%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637532589452091655%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=AGj3kr88jZBCf2UPTYmok1x2orsmrY6AuLMBoTAmKSI%3D&amp;reserved=0
> > +# https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.securityfocus.com%2Fbid%2F30794&amp;data=04%7C01%7CSana.Kazi%40kpit.com%7C8b8ab31f2f0142adf52e08d8f88323ea%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637532589452091655%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=CNOSXhh%2BTAlkWkrnEpxS3v2p7JTwQH%2BL5idJyir1GOE%3D&amp;reserved=0
> > +CVE_CHECK_WHITELIST += "CVE-2008-3844"
> > +
> > +# For CVE-2020-15778 OpenSSH through 8.3p1 is affected.
> > +# Hence, it can be whitelisted for 8.2p1
> > +# https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fnvd.nist.gov%2Fvuln%2Fdetail%2FCVE-2020-15778&amp;data=04%7C01%7CSana.Kazi%40kpit.com%7C8b8ab31f2f0142adf52e08d8f88323ea%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637532589452091655%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=OwC%2Flt6FcUUdt6aCUIk7mxk8a0QSC5%2F%2BLCX99yqZG2w%3D&amp;reserved=0
> > +CVE_CHECK_WHITELIST += "CVE-2020-15778"
> > +
> >  PAM_SRC_URI = "file://sshd"
> >
> >  inherit manpages useradd update-rc.d update-alternatives systemd
> > --
> > 2.17.1
> >