From: Chen Qi <qi.c...@windriver.com> Backport patch to fix CVE-2020-14387.
Signed-off-by: Chen Qi <qi.c...@windriver.com> Signed-off-by: Richard Purdie <richard.pur...@linuxfoundation.org> (cherry picked from commit 5e7a536d07856630e4eb421614c8d823c67e0294) Signed-off-by: Anuj Mittal <anuj.mit...@intel.com> --- ...-the-hostname-in-the-certificate-whe.patch | 31 +++++++++++++++++++ meta/recipes-devtools/rsync/rsync_3.2.3.bb | 1 + 2 files changed, 32 insertions(+) create mode 100644 meta/recipes-devtools/rsync/files/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-whe.patch diff --git a/meta/recipes-devtools/rsync/files/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-whe.patch b/meta/recipes-devtools/rsync/files/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-whe.patch new file mode 100644 index 0000000000..2d51ddf965 --- /dev/null +++ b/meta/recipes-devtools/rsync/files/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-whe.patch @@ -0,0 +1,31 @@ +From fbe85634d88e82fbb439ae2a5d1aca8b8c309bea Mon Sep 17 00:00:00 2001 +From: Matt McCutchen <m...@mattmccutchen.net> +Date: Wed, 26 Aug 2020 12:16:08 -0400 +Subject: [PATCH] rsync-ssl: Verify the hostname in the certificate when using + openssl. + +CVE: CVE-2020-14387 + +Upstream-Status: Backport [https://git.samba.org/?p=rsync.git;a=commit;h=c3f7414] + +Signed-off-by: Chen Qi <qi.c...@windriver.com> +--- + rsync-ssl | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/rsync-ssl b/rsync-ssl +index 8101975..46701af 100755 +--- a/rsync-ssl ++++ b/rsync-ssl +@@ -129,7 +129,7 @@ function rsync_ssl_helper { + fi + + if [[ $RSYNC_SSL_TYPE == openssl ]]; then +- exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -connect $hostname:$port ++ exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -verify_hostname $hostname -connect $hostname:$port + elif [[ $RSYNC_SSL_TYPE == gnutls ]]; then + exec $RSYNC_SSL_GNUTLS --logfile=/dev/null $gnutls_cert_opt $gnutls_opts $hostname:$port + else +-- +2.17.1 + diff --git a/meta/recipes-devtools/rsync/rsync_3.2.3.bb b/meta/recipes-devtools/rsync/rsync_3.2.3.bb index 8b36a8ebde..cb18667755 100644 --- a/meta/recipes-devtools/rsync/rsync_3.2.3.bb +++ b/meta/recipes-devtools/rsync/rsync_3.2.3.bb @@ -14,6 +14,7 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/src/${BP}.tar.gz \ file://rsyncd.conf \ file://makefile-no-rebuild.patch \ file://determism.patch \ + file://0001-rsync-ssl-Verify-the-hostname-in-the-certificate-whe.patch \ " SRC_URI[sha256sum] = "becc3c504ceea499f4167a260040ccf4d9f2ef9499ad5683c179a697146ce50e" -- 2.30.2
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#151091): https://lists.openembedded.org/g/openembedded-core/message/151091 Mute This Topic: https://lists.openembedded.org/mt/82448559/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
