[dunfell,02/12] openssh: Whitelist CVE-2021-36368

Message ID	179b862e97d95ef57f8ee847e54a78b5f3f52ee7.1655667170.git.steve@sakoman.com
State	Accepted, archived
Commit	179b862e97d95ef57f8ee847e54a78b5f3f52ee7
Headers	show Return-Path: <steve@sakoman.com> ip: 209.85.214.173, mailfrom: steve@sakoman.com) From: Steve Sakoman <steve@sakoman.com> To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 02/12] openssh: Whitelist CVE-2021-36368 Date: Sun, 19 Jun 2022 09:34:56 -1000 Message-Id: <179b862e97d95ef57f8ee847e54a78b5f3f52ee7.1655667170.git.steve@sakoman.com> In-Reply-To: <cover.1655667170.git.steve@sakoman.com> References: <cover.1655667170.git.steve@sakoman.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[dunfell,01/12] cups: fix CVE-2022-26691 \| expand [dunfell,01/12] cups: fix CVE-2022-26691 [dunfell,02/12] openssh: Whitelist CVE-2021-36368 [dunfell,03/12] vim: Upgrade 8.2.5034 -> 8.2.5083 [dunfell,04/12] kernel-yocto.bbclass: Reset to exiting on non-zero return code at end of task [dunfell,05/12] alsa-plugins: fix libavtp vs. avtp packageconfig [dunfell,06/12] license.bbclass: Bound beginline and endline in copy_license_files() [dunfell,07/12] rootfs.py: close kernel_abi_ver_file [dunfell,08/12] archiver: use bb.note instead of echo [dunfell,09/12] oescripts: change compare logic in OEListPackageconfigTests [dunfell,10/12] e2fsprogs: add alternatives handling of lsattr as well [dunfell,11/12] gcc-source: Fix incorrect task dependencies from ${B} [dunfell,12/12] archiver: don't use machine variables in shared recipes

Message ID

179b862e97d95ef57f8ee847e54a78b5f3f52ee7.1655667170.git.steve@sakoman.com

State

Accepted, archived

Commit

179b862e97d95ef57f8ee847e54a78b5f3f52ee7

Headers

From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 02/12] openssh: Whitelist CVE-2021-36368
Date: Sun, 19 Jun 2022 09:34:56 -1000
Message-Id: 
 <179b862e97d95ef57f8ee847e54a78b5f3f52ee7.1655667170.git.steve@sakoman.com>
In-Reply-To: <cover.1655667170.git.steve@sakoman.com>
References: <cover.1655667170.git.steve@sakoman.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[dunfell,01/12] cups: fix CVE-2022-26691 | expand

Commit Message

Steve Sakoman June 19, 2022, 7:34 p.m. UTC

From: Pawan Badganchi <badganchipv@gmail.com>

As per debian, the issue is fixed by a feature called
"agent restriction" in openssh 8.9.
Urgency is unimportant as per debian, Hence this CVE is whitelisting.
Link:
https://security-tracker.debian.org/tracker/CVE-2021-36368
https://bugzilla.mindrot.org/show_bug.cgi?id=3316#c2
https://docs.ssh-mitm.at/trivialauth.html

Signed-off-by: Pawan Badganchi <badganchipv@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-connectivity/openssh/openssh_8.2p1.bb | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
index ddc9ed0b32..eaec26cac0 100644
--- a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
@@ -60,6 +60,13 @@  CVE_CHECK_WHITELIST += "CVE-2008-3844"
 # https://ubuntu.com/security/CVE-2016-20012
 CVE_CHECK_WHITELIST += "CVE-2016-20012"
 
+# As per debian, the issue is fixed by a feature called "agent restriction" in openssh 8.9
+# Urgency is unimportant as per debian, Hence this CVE is whitelisting.
+# https://security-tracker.debian.org/tracker/CVE-2021-36368
+# https://bugzilla.mindrot.org/show_bug.cgi?id=3316#c2
+# https://docs.ssh-mitm.at/trivialauth.html
+CVE_CHECK_WHITELIST += "CVE-2021-36368"
+
 PAM_SRC_URI = "file://sshd"
 
 inherit manpages useradd update-rc.d update-alternatives systemd

[dunfell,02/12] openssh: Whitelist CVE-2021-36368

Commit Message

Patch