From 836dc076189cb7b63192b15c7f8944a0d9eef027 Mon Sep 17 00:00:00 2001
From: Andrei Gherzan
Date: Fri, 31 Aug 2018 10:46:09 +0100
Subject: [PATCH] dropbear/krogoth: Enhanced security options
We deactivate various configuration knobs which have security concerns:
* DROPBEAR_X11FWD - no need to run X over ssh
* DROPBEAR_SHA1_96_HMAC - HMAC 96 is known to be a weak algorithm. It is reported by OpenVAS as a low severity security issue.
* DROPBEAR_ENABLE_CBC_MODE - As reported by OpenVAS, CBC mode can allow an attacker to obtain plaintext from a block of cyphertext.
Fixes #1161
Change-type: minor
Changelog-entry: Enhanced security options for dropbear - krogoth
Signed-off-by: Andrei Gherzan
---
 .../dropbear/dropbear_2016.72.bbappend | 4 ++
 .../0001-Secure-configuration-options.patch | 53 +++++++++++++++++++
 2 files changed, 57 insertions(+)
 create mode 100644 meta-resin-krogoth/recipes-core/dropbear/dropbear_2016.72.bbappend
 create mode 100644 meta-resin-krogoth/recipes-core/dropbear/files/0001-Secure-configuration-options.patch
diff --git a/meta-resin-krogoth/recipes-core/dropbear/dropbear_2016.72.bbappend b/meta-resin-krogoth/recipes-core/dropbear/dropbear_2016.72.bbappend
new file mode 100644
index 0000000000..b40fc91888
--- /dev/null
+++ b/meta-resin-krogoth/recipes-core/dropbear/dropbear_2016.72.bbappend
@@ -0,0 +1,4 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+SRC_URI += " \
+ file://0001-Secure-configuration-options.patch \
+ "
diff --git a/meta-resin-krogoth/recipes-core/dropbear/files/0001-Secure-configuration-options.patch b/meta-resin-krogoth/recipes-core/dropbear/files/0001-Secure-configuration-options.patch
new file mode 100644
index 0000000000..92fd8d6061
--- /dev/null
+++ b/meta-resin-krogoth/recipes-core/dropbear/files/0001-Secure-configuration-options.patch
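Review bot: The bbappend file name pins this hardening to `dropbear_2016.72`, so if the dropbear recipe in the layer is ever bumped the append silently stops matching and the image ships the upstream defaults (X11 forwarding, CBC and hmac-sha1-96 back on) without any build error. Naming it `dropbear_%.bbappend` would instead make `do_patch` fail when the options.h patch no longer applies, which is the failure mode you want for a security setting. If the exact-version pin is deliberate because krogoth is a frozen branch, a one-line comment in the bbappend saying so (`# Pinned to 2016.72: the patch below edits options.h by line offset`) would save the next reader the question.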
@@ -0,0 +1,53 @@
+From 4d870472eaa5df7eedff35c16a04c2ccb6095c91 Mon Sep 17 00:00:00 2001
+From: Andrei Gherzan
+Date: Thu, 30 Aug 2018 12:33:08 +0100
+Subject: [PATCH] Secure configuration options
+
+We deactivate various configuration knobs which have security concerns:
+
+* DROPBEAR_X11FWD - no need to run X over ssh
+* DROPBEAR_SHA1_96_HMAC - HMAC 96 is known to be a weak algorithm. It is
+ reported by OpenVAS as a low severity security issue.
+* DROPBEAR_ENABLE_CBC_MODE - As reported by OpenVAS, CBC mode can allow
+ an attacker to obtain plaintext from a block of cyphertext.
+
+Signed-off-by: Andrei Gherzan
+Upstream-status: Inappropriate [configuration]
+---
+ options.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/options.h b/options.h
+index 94261f6..926952a 100644
+--- a/options.h
++++ b/options.h
+@@ -55,7 +55,7 @@ much traffic. */
+ #define DROPBEAR_SMALL_CODE
+ 
+ /* Enable X11 Forwarding - server only */
+-#define ENABLE_X11FWD
++/* #define ENABLE_X11FWD */
+ 
+ /* Enable TCP Fowarding */
+ /* 'Local' is "-L" style (client listening port forwarded via server)
+@@ -100,7 +100,7 @@ much traffic. */
+ 
+ /* Enable CBC mode for ciphers. This has security issues though
+ * is the most compatible with older SSH implementations */
+-#define DROPBEAR_ENABLE_CBC_MODE
++/* #define DROPBEAR_ENABLE_CBC_MODE */
+ 
+ /* Enable "Counter Mode" for ciphers. This is more secure than normal
+ * CBC mode against certain attacks. It is recommended for security
+@@ -131,7 +131,7 @@ If you test it please contact the Dropbear author */
+ * If you disable MD5, Dropbear will fall back to SHA1 fingerprints,
+ * which are not the standard form. */
+ #define DROPBEAR_SHA1_HMAC
+-#define DROPBEAR_SHA1_96_HMAC
++/* #define DROPBEAR_SHA1_96_HMAC */
+ #define DROPBEAR_SHA2_256_HMAC
+ #define DROPBEAR_SHA2_512_HMAC
+ #define DROPBEAR_MD5_HMAC
+-- 
+2.7.4
+
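Review bot: `DROPBEAR_MD5_HMAC` is left defined on the last context line of the third options.h hunk while `DROPBEAR_SHA1_96_HMAC` is removed for being a weak MAC; hmac-md5 is typically reported by the same scanner check and is unlikely to be needed by any client this image talks to, so for consistency with the stated goal it should go too: `/* #define DROPBEAR_MD5_HMAC */`. The options.h comment visible in the hunk names the cost — host-key fingerprints then fall back to SHA1 rather than the standard MD5 form — so if MD5 is kept on purpose, say so in the patch header rather than leaving the inconsistency unexplained. The patch description also presents disabling CBC as cost-free; the context line `is the most compatible with older SSH implementations` is the caveat that CBC-only clients will no longer be able to negotiate a cipher, and that compatibility impact belongs in the description next to the OpenVAS justification. Minor: the trailer should be `Upstream-Status:` (capital S) per the OpenEmbedded patch-header convention so tooling that greps for it recognises the patch.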