[202205] Update OpenSSH to 1:8.4p1-5+deb11u2 (#17027)

* [baseimage]: Update openssh to 1:8.4p1-5+deb11u2 (#16826) Openssh in Debian Bullseye has been updated to 1:8.4p1-5+deb11u2 to fix CVE-2023-38408. Since we're building openssh with some patches, we need to update our version as well. Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com> * Remove main deb installation for derived deb build (#16859) * Don't install dependencies of derived debs When "building" a derived deb package, don't install the dependencies of the package into the container. It's not needed at this stage. * Re-add openssh-client and openssh-sftp-server as derived debs Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com> --------- Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com> * Re-add missing dependency for derived debs. (#16896) * Re-add missing dependency for derived debs. My previous changed removed the whole dependency on the main deb existing, not just the installation of the main deb. Fix this by readding a dependency on the main deb being built/pulled from cache. Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com> * Add the kernel and initramfs as dependencies for RFS build Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com> --------- Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com> --------- Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
2023-10-26 22:37:30 -07:00 · 2023-10-26 22:37:30 -07:00 · 4b38216e97
commit 4b38216e97
parent cb840c101d
4 changed files with 14 additions and 4 deletions
--- a/files/build_templates/sonic_debian_extension.j2
+++ b/files/build_templates/sonic_debian_extension.j2
@ -340,7 +340,7 @@ sudo chmod 755 $FILESYSTEM_ROOT/usr/bin/restart_service
 sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install smartmontools=7.2-1

 # Install custom-built openssh sshd
-sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/openssh-server_${OPENSSH_VERSION}_*.deb
+sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/openssh-server_${OPENSSH_VERSION}_*.deb $debs_path/openssh-client_${OPENSSH_VERSION}_*.deb $debs_path/openssh-sftp-server_${OPENSSH_VERSION}_*.deb

 {% if sonic_asic_platform == 'broadcom' %}
 # Install custom-built flashrom
--- a/rules/openssh.mk
+++ b/rules/openssh.mk
@ -1,6 +1,6 @@
 # openssh package

-OPENSSH_VERSION = 8.4p1-5+deb11u1
+OPENSSH_VERSION = 8.4p1-5+deb11u2

 export OPENSSH_VERSION

@ -9,6 +9,12 @@ $(OPENSSH_SERVER)_SRC_PATH = $(SRC_PATH)/openssh
 $(OPENSSH_SERVER)_DEPENDS +=  $(LIBNL3_DEV) $(LIBNL_ROUTE3_DEV)
 SONIC_MAKE_DEBS += $(OPENSSH_SERVER)

+OPENSSH_CLIENT = openssh-client_$(OPENSSH_VERSION)_$(CONFIGURED_ARCH).deb
+$(eval $(call add_derived_package,$(OPENSSH_SERVER),$(OPENSSH_CLIENT)))
+
+OPENSSH_SFTP_SERVER = openssh-sftp-server_$(OPENSSH_VERSION)_$(CONFIGURED_ARCH).deb
+$(eval $(call add_derived_package,$(OPENSSH_SERVER),$(OPENSSH_SFTP_SERVER)))
+
 # The .c, .cpp, .h & .hpp files under src/{$DBG_SRC_ARCHIVE list}
 # are archived into debug one image to facilitate debugging.
 #
--- a/slave.mk
+++ b/slave.mk
@ -654,7 +654,7 @@ SONIC_TARGET_LIST += $(addprefix $(DEBS_PATH)/, $(SONIC_DPKG_DEBS))
 # we depend on it and move our deb to other targets
 # Add new dev package:
 #     $(eval $(call add_derived_package,$(ORIGINAL_DEB),derived_deb_file.deb))
-$(addprefix $(DEBS_PATH)/, $(SONIC_DERIVED_DEBS)) : $(DEBS_PATH)/% : .platform $$(addsuffix -install,$$(addprefix $(DEBS_PATH)/,$$($$*_DEPENDS)))
+$(addprefix $(DEBS_PATH)/, $(SONIC_DERIVED_DEBS)) : $(DEBS_PATH)/% : .platform $$(addprefix $(DEBS_PATH)/,$$($$*_DEPENDS))
 	$(HEADER)
 	# All noise takes place in main deb recipe, so we are just telling that
 	# we depend on it
--- a/src/openssh/Makefile
+++ b/src/openssh/Makefile
@ -3,7 +3,11 @@ SHELL = /bin/bash
 .SHELLFLAGS += -e

 MAIN_TARGET = openssh-server_$(OPENSSH_VERSION)_$(CONFIGURED_ARCH).deb
-DERIVED_TARGETS = openssh-server-dbgsym_$(OPENSSH_VERSION)_$(CONFIGURED_ARCH).deb
+DERIVED_TARGETS = openssh-server-dbgsym_$(OPENSSH_VERSION)_$(CONFIGURED_ARCH).deb \
+				  openssh-client_$(OPENSSH_VERSION)_$(CONFIGURED_ARCH).deb \
+				  openssh-client-dbgsym_$(OPENSSH_VERSION)_$(CONFIGURED_ARCH).deb \
+				  openssh-sftp-server_$(OPENSSH_VERSION)_$(CONFIGURED_ARCH).deb \
+				  openssh-sftp-server-dbgsym_$(OPENSSH_VERSION)_$(CONFIGURED_ARCH).deb

 $(addprefix $(DEST)/, $(MAIN_TARGET)): $(DEST)/% :
 	# Obtain openssh: https://salsa.debian.org/ssh-team/openssh/-/tree/debian/1%258.4p1-5