package/openssh: security bump to version 8.4p1
author Christian Stewart <christian@paral.in>
Mon, 1 Mar 2021 11:59:03 +0000 (03:59 -0800)
committer Peter Korsgaard <peter@korsgaard.com>
Mon, 1 Mar 2021 16:07:30 +0000 (17:07 +0100)
Fixes CVE-2020-15778: scp in OpenSSH through 8.3p1 allows command injection in
the scp.c toremote function, as demonstrated by backtick characters in the
destination argument. NOTE: the vendor reportedly has stated that they
intentionally omit validation of "anomalous argument transfers" because that
could "stand a great chance of breaking existing workflows."

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15778

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
package/openssh/openssh.hash
package/openssh/openssh.mk

index 1d7dc14fb62be5c1eaddf748a19e5efbc16ddb26..840467f50acf68d1cf3a5bfb9570f614835cde8e 100644 (file)
@@ -1,4 +1,4 @@
-# From https://www.openssh.com/txt/release-8.3 (base64 encoded)
-sha256  f2befbe0472fe7eb75d23340eb17531cb6b3aac24075e2066b41f814e12387b2  openssh-8.3p1.tar.gz
+# From https://www.openssh.com/txt/release-8.4 (base64 encoded)
+sha256  5a01d22e407eb1c05ba8a8f7c654d388a13e9f226e4ed33bd38748dafa1d2b24  openssh-8.4p1.tar.gz
 # Locally calculated
 sha256  73d0db766229670c7b4e1ec5e6baed54977a0694a565e7cc878c45ee834045d7  LICENCE
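
Review bot: the comment on the new hash line says the upstream value from release-8.4 is base64 encoded, but the digest recorded for openssh-8.4p1.tar.gz is hex, so it cannot be compared against the release notes by eye. Suggest adding a short comment stating how the hex value was derived from the published base64 one, so the next bump can repeat the check instead of relying on a locally computed hash.
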
index edcbfc2f62ba2bd5479097eb300926c188be4a64..64e3084ca1450695eebcb987b36f4d83378bd921 100644 (file)
@@ -4,8 +4,8 @@
 #
 ################################################################################
 
-OPENSSH_VERSION = 8.3p1
-OPENSSH_CPE_ID_VERSION = 8.3
+OPENSSH_VERSION = 8.4p1
+OPENSSH_CPE_ID_VERSION = 8.4
 OPENSSH_CPE_ID_UPDATE = p1
 OPENSSH_SITE = http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable
 OPENSSH_LICENSE = BSD-3-Clause, BSD-2-Clause, Public Domain
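
Review bot: OPENSSH_CPE_ID_VERSION moving to 8.4 means any CVE matching keyed on the CPE version will stop reporting CVE-2020-15778, yet the commit message itself quotes the vendor as intentionally omitting validation of these scp arguments. Please confirm against the 8.4 release notes that the scp.c toremote behaviour actually changed, and if it did not, reword "Fixes" in the message so the bump is not read as a mitigation. Separately, the unchanged OPENSSH_SITE line still fetches over plain http, which leaves the sha256 in openssh.hash as the only integrity check on the tarball.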