mtk-20170518/package/network/services/dropbear, branch master MTK 20170518 : Mediatek SDK based on OpenWRT Barrier Breaker dropbear: backport upstream fix for CVE-2018-15599 2018-08-24T13:25:26+00:00 Hans Dedecker dedeckeh@gmail.com 2018-08-24T13:02:24+00:00 2211ee0037764e1c6b1576fe7a0975722cd4acdc CVE description : The recv_msg_userauth_request function in svr-auth.c in Dropbear through 2018.76 is prone to a user enumeration vulnerability because username validity affects how fields in SSH_MSG_USERAUTH messages are handled, a similar issue to CVE-2018-15473 in an unrelated codebase. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> 
CVE description :
The recv_msg_userauth_request function in svr-auth.c in Dropbear through
2018.76 is prone to a user enumeration vulnerability because username
validity affects how fields in SSH_MSG_USERAUTH messages are handled,
a similar issue to CVE-2018-15473 in an unrelated codebase.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
dropbear: close all active clients on shutdown 2018-07-16T06:40:51+00:00 Christian Schoenebeck christian.schoenebeck@gmail.com 2018-07-12T02:36:03+00:00 1e177844bc814d3846312c91cd0f7a54df4f32b9 Override the default shutdown action (stop) and close all processes of dropbear Since commit 498fe85, the stop action only closes the process that's listening for new connections, maintaining the ones with existing clients. This poses a problem when restarting or shutting-down a device, because the connections with existing SSH clients, like OpenSSH, are not properly closed, causing them to hang. This situation can be avoided by closing all dropbear processes when shutting-down the system, which closes properly the connections with current clients. Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com> [Luis: Rework commit message] Signed-off-by: Luis Araneda <luaraneda@gmail.com> 
Override the default shutdown action (stop) and close all processes
of dropbear

Since commit 498fe85, the stop action only closes the process
that's listening for new connections, maintaining the ones with
existing clients.
This poses a problem when restarting or shutting-down a device,
because the connections with existing SSH clients, like OpenSSH,
are not properly closed, causing them to hang.

This situation can be avoided by closing all dropbear processes when
shutting-down the system, which closes properly the connections with
current clients.

Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com>
[Luis: Rework commit message]
Signed-off-by: Luis Araneda <luaraneda@gmail.com>
dropbear: compile with LTO enabled 2018-07-13T15:22:53+00:00 Felix Fietkau nbd@nbd.name 2018-07-11T17:28:54+00:00 47b42137ce1e931ae5871952b1f98438396f5e07 Reduces size of the .ipk on MIPS from 87k to 84k Signed-off-by: Felix Fietkau <nbd@nbd.name> 
Reduces size of the .ipk on MIPS from 87k to 84k

Signed-off-by: Felix Fietkau <nbd@nbd.name>
dropbear: let opkg manage symlinks of ssh, scp 2018-06-25T07:21:24+00:00 Yousong Zhou yszhou4tech@gmail.com 2018-06-25T05:16:09+00:00 c4aadbdaf69bad3fbb3ef54601a3629ba24a6e9b Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com> 
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
dropbear: add option to set receive window size 2018-02-18T01:59:57+00:00 Stijn Tintel stijn@linux-ipv6.be 2018-02-18T00:15:58+00:00 1c308bbbf598e09e463f67686ff4b7dafcb98ae6 The default receive window size in dropbear is hardcoded to 24576 byte to limit memory usage. This value was chosen for 100Mbps networks, and limits the throughput of scp on faster networks. It also severely limits scp throughput on high-latency links. Add an option to set the receive window size so that people can improve performance without having to recompile dropbear. Setting the window size to the highest value supported by dropbear improves throughput from my build machine to an APU2 on the same LAN from 7MB/s to 7.9MB/s, and to an APU2 over a link with ~65ms latency from 320KB/s to 7.5MB/s. Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be> 
The default receive window size in dropbear is hardcoded to 24576 byte
to limit memory usage. This value was chosen for 100Mbps networks, and
limits the throughput of scp on faster networks. It also severely limits
scp throughput on high-latency links.

Add an option to set the receive window size so that people can improve
performance without having to recompile dropbear.

Setting the window size to the highest value supported by dropbear
improves throughput from my build machine to an APU2 on the same LAN
from 7MB/s to 7.9MB/s, and to an APU2 over a link with ~65ms latency
from 320KB/s to 7.5MB/s.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
dropbear: disable MD5 HMAC and switch to sha1 fingerprints 2017-12-12T21:24:17+00:00 Martin Schiller ms@dev.tdt.de 2017-11-22T12:39:51+00:00 65d62b5f4ffcb481994f6865d0e03d0e9ad58b2b As MD5 is known weak for many years and more and more penetration test tools complain about enabled MD5 HMAC I think it's time to drop it. By disabling the MD5 HMAC support dropbear will also automatically use SHA1 for fingerprints. This shouldn't be a problem too. Signed-off-by: Martin Schiller <ms@dev.tdt.de> 
As MD5 is known weak for many years and more and more
penetration test tools complain about enabled MD5 HMAC
I think it's time to drop it.

By disabling the MD5 HMAC support dropbear  will also
automatically use SHA1 for fingerprints.
This shouldn't be a problem too.

Signed-off-by: Martin Schiller <ms@dev.tdt.de>
add PKG_CPE_ID ids to package and tools 2017-11-17T01:24:35+00:00 Alexander Couzens lynxis@fe80.eu 2017-09-28T02:55:46+00:00 c61a2395140d92cdd37d3d6ee43a765427e8e318 CPE ids helps to tracks CVE in packages. https://cpe.mitre.org/specification/ Thanks to swalker for CPE to package mapping and keep tracking CVEs. Acked-by: Jo-Philipp Wich <jo@mein.io> Signed-off-by: Alexander Couzens <lynxis@fe80.eu> 
CPE ids helps to tracks CVE in packages.
https://cpe.mitre.org/specification/

Thanks to swalker for CPE to package mapping and
keep tracking CVEs.

Acked-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
dropbear: fix PKG_CONFIG_DEPENDS 2017-10-06T07:38:00+00:00 Hans Dedecker dedeckeh@gmail.com 2017-10-06T07:21:35+00:00 834c93e00bee4f7253a5c64d1a9c8202b1082b1a Add CONFIG_DROPBEAR_UTMP, CONFIG_DROPBEAR_PUTUTLINE to PKG_CONFIG_DEPENDS Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> 
Add CONFIG_DROPBEAR_UTMP, CONFIG_DROPBEAR_PUTUTLINE to PKG_CONFIG_DEPENDS

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
dropbear: make ssh compression support configurable 2017-09-28T19:47:16+00:00 Marcin Jurkowski marcin1j@gmail.com 2017-06-30T11:13:50+00:00 a816e1eac761bfdac720d00d15feb18b7b9fd1e3 Adds config option to enable compression support which is usefull when using a terminal sessions over a slow link. Impact on binary size is negligible but additional 60 kB (uncompressed) is needed for a shared zlib library. Signed-off-by: Marcin Jurkowski <marcin1j@gmail.com> 
Adds config option to enable compression support which is usefull
when using a terminal sessions over a slow link. Impact on binary
size is negligible but additional 60 kB (uncompressed) is needed for
a shared zlib library.

Signed-off-by: Marcin Jurkowski <marcin1j@gmail.com>
Revert "dropbear: Link ssh and scp command to /bin instead of /usr/bin" 2017-08-31T19:09:13+00:00 John Crispin john@phrozen.org 2017-08-31T19:09:05+00:00 12930fc0453ac019e3f9a9cde50699914f7ba1d0 This reverts commit f7528ed0a8586434e18e9007b1bf0d05a18d6418. Signed-off-by: John Crispin <john@phrozen.org> 
This reverts commit f7528ed0a8586434e18e9007b1bf0d05a18d6418.

Signed-off-by: John Crispin <john@phrozen.org>