Re: [Buildroot] [git commit] package/openssh: security bump to version 9.6p1

From: Peter Seiderer via buildroot <buildroot@buildroot.org>
To: Peter Korsgaard <peter@korsgaard.com>
Cc: buildroot@buildroot.org
Subject: Re: [Buildroot] [git commit] package/openssh: security bump to version 9.6p1
Date: Thu, 21 Dec 2023 17:11:37 +0100	[thread overview]
Message-ID: <20231221171137.3876fce7@gmx.net> (raw)
In-Reply-To: <20231220105004.ED87487BE7@busybox.osuosl.org>

Hello *,

On Wed, 20 Dec 2023 11:42:06 +0100, Peter Korsgaard <peter@korsgaard.com> wrote:

> commit: https://git.buildroot.net/buildroot/commit/?id=3c047ea463e27ceaafde76d64406862c3322daa0
> branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master
> 
> OpenSSH 9.6 was released on 2023-12-18.
> 
> This release contains fixes for a newly-discovered weakness in the
> SSH transport protocol (the "Terrapin" attack), a logic error relating
> to constrained PKCS#11 keys in ssh-agent(1) and countermeasures for
> programs that invoke ssh(1) with user or hostnames containing invalid
> characters.
> 
> https://www.openssh.com/txt/release-9.6
> 
> Signed-off-by: Christian Stewart <christian@aperture.us>
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> ---
>  package/openssh/openssh.hash | 2 +-
>  package/openssh/openssh.mk   | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/package/openssh/openssh.hash b/package/openssh/openssh.hash
> index 4060b95e9b..618b13133d 100644
> --- a/package/openssh/openssh.hash
> +++ b/package/openssh/openssh.hash
> @@ -1,4 +1,4 @@
>  # From https://www.openssh.com/txt/release-9.4p1
> -sha256  3608fd9088db2163ceb3e600c85ab79d0de3d221e59192ea1923e23263866a85  openssh-9.4p1.tar.gz
> +sha256  910211c07255a8c5ad654391b40ee59800710dd8119dd5362de09385aa7a777c  openssh-9.6p1.tar.gz

Comment/URL does not longer match with the version...., but:

- 0eb397d30e package/openssh: bump to version 9.4p1

  -# From https://www.openssh.com/txt/release-9.3p2
  -sha256  200ebe147f6cb3f101fd0cdf9e02442af7ddca298dffd9f456878e7ccac676e8  openssh-9.3p2.tar.gz
  +# From https://www.openssh.com/txt/release-9.4p1
  +sha256  3608fd9088db2163ceb3e600c85ab79d0de3d221e59192ea1923e23263866a85  openssh-9.4p1.tar.gz

	$ wget https://www.openssh.com/txt/release-9.3p2
	[...]
	2023-12-21 17:06:05 (17,0 KB/s) - ‘release-9.3p2.3’ saved [2592/2592]

	$ wget https://www.openssh.com/txt/release-9.4.p1
	--2023-12-21 17:05:50--  https://www.openssh.com/txt/release-9.4.p1
	Resolving www.openssh.com (www.openssh.com)... 2620:3d:c000:178::80, 199.185.178.80
	Connecting to www.openssh.com (www.openssh.com)|2620:3d:c000:178::80|:443... connected.
	HTTP request sent, awaiting response... 404 Not Found
	2023-12-21 17:05:51 ERROR 404: Not Found.

So 'https://www.openssh.com/txt/release-9.4.p1' seems already incorrect, for the current
release 'https://www.openssh.com/txt/release-9.6' is the correct/working URL...

Regards,
Peter

>  # Locally calculated
>  sha256  05c30446ba738934b3f1efa965b454c122ca26cc4b268e5ae6843f58ccd1b16d  LICENCE
> diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
> index 358ef42b6e..ec9e6613b0 100644
> --- a/package/openssh/openssh.mk
> +++ b/package/openssh/openssh.mk
> @@ -4,7 +4,7 @@
>  #
>  ################################################################################
>  
> -OPENSSH_VERSION_MAJOR = 9.4
> +OPENSSH_VERSION_MAJOR = 9.6
>  OPENSSH_VERSION_MINOR = p1
>  OPENSSH_VERSION = $(OPENSSH_VERSION_MAJOR)$(OPENSSH_VERSION_MINOR)
>  OPENSSH_CPE_ID_VERSION = $(OPENSSH_VERSION_MAJOR)
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot