Updating OpenSSH Package

Hello,
I am using a VF50 with Toradex Linux V2.5.
I need to update the version of OpenSSH used. I am a little new to Yocto, so apologies, if this is an obvious question.
I have added an openssh_%.bbappend file to my recipe and specified the new OpenSSH version and checksums as follows:

PV = '7.4p1'
SRC_URI[md5sum] = "b2db2a83caf66a208bb78d6d287cdaa3"
SRC_URI[sha256sum] = "1b1fc4a14e2024293181924ed24872e6f2e06293f3e8926a376b8aec481f19d1"

However, when I attempt to build the new recipe, I get a number of patch errors.

Is this the correct way to update packages? If so, what am I doing wrong?

Thanks in advance, for any help provided.

For a new version you should create a new bb file and port the patches. But the recipe and patches for 7.4p1 are already available here openssh\recipes-connectivity\meta - openembedded-core - OpenEmbedded Core layer. If you require OpenSSH 7.5 you’ll need to port it yourself.

That probably means that some patches from the original recipe no longer apply to whatever newer version you are trying to build. It is very well possible that e.g. some fixes previously integrated as patches have made their way back into the regular upstream sources.

First I would look whether or not a newer version of said recipe does already exist e.g. here. As you can see that is the case and it is available in openembedded-core.

Now I would look at the history of the respective recipe and figure out what changes may be required to get from where you currently are to where you intend to go e.g. here. As you can see several CVE patches have been dropped and new ones added.

Now you could either cherry-pick the respective openembedded-core commits directly or integrate the same into your bbappend file, not forgetting to add the respective new patch files as well. While the former may sound easier at first, it would require redoing if you ever plan to set up a new build environment e.g. on a new build machine. The latter is therefore very much the preferred way to go.

I’ve downloaded the recipe and patches for 7.4p1 into my recipe in an openssh directory. However, when I run: MACHINE=colibri-vf bitbake openssh
I get a lot of errors:

NOTE: Error during finalise of /opt/TORADEX_COLIBRI_VF_V2.5/build/../stuff/meta-timetools/recipes-timetools/openssh/openssh_7.4p1.bb        | ETA:  --:--:--
ERROR: ExpansionError during parsing /opt/TORADEX_COLIBRI_VF_V2.5/build/../stuff/meta-timetools/recipes-timetools/openssh/openssh_7.4p1.bb: Failure expanding variable do_install: ExpansionError: Failure expanding variable do_install, expression was     autotools_do_install
	if [ "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" ]; then
		install -D -m 0644 /opt/TORADEX_COLIBRI_VF_V2.5/build/out-glibc/work/armv7at2hf-vfp-neon-angstrom-linux-gnueabi/openssh/7.4p1-r0/sshd /opt/TORADEX_COLIBRI_VF_V2.5/build/out-glibc/work/armv7at2hf-vfp-neon-angstrom-linux-gnueabi/openssh/7.4p1-r0/image/etc/pam.d/sshd
		sed -i -e 's:#UsePAM no:UsePAM yes:' /opt/TORADEX_COLIBRI_VF_V2.5/build/out-glibc/work/armv7at2hf-vfp-neon-angstrom-linux-gnueabi/openssh/7.4p1-r0/image/etc/ssh/sshd_config
	fi

	if [ "${@bb.utils.filter('DISTRO_FEATURES', 'x11', d)}" ]; then
		sed -i -e 's:#X11Forwarding no:X11Forwarding yes:' /opt/TORADEX_COLIBRI_VF_V2.5/build/out-glibc/work/armv7at2hf-vfp-neon-angstrom-linux-gnueabi/openssh/7.4p1-r0/image/etc/ssh/sshd_config
	fi

	install -d /opt/TORADEX_COLIBRI_VF_V2.5/build/out-glibc/work/armv7at2hf-vfp-neon-angstrom-linux-gnueabi/openssh/7.4p1-r0/image/etc/init.d
	install -m 0755 /opt/TORADEX_COLIBRI_VF_V2.5/build/out-glibc/work/armv7at2hf-vfp-neon-angstrom-linux-gnueabi/openssh/7.4p1-r0/init /opt/TORADEX_COLIBRI_VF_V2.5/build/out-glibc/work/armv7at2hf-vfp-neon-angstrom-linux-gnueabi/openssh/7.4p1-r0/image/etc/init.d/sshd
	rm -f /opt/TORADEX_COLIBRI_VF_V2.5/build/out-glibc/work/armv7at2hf-vfp-neon-angstrom-linux-gnueabi/openssh/7.4p1-r0/image/usr/bin/slogin /opt/TORADEX_COLIBRI_VF_V2.5/build/out-glibc/work/armv7at2hf-vfp-neon-angstrom-linux-gnueabi/openssh/7.4p1-r0/image/usr/share/Ssh.bin
	rmdir /opt/TORADEX_COLIBRI_VF_V2.5/build/out-glibc/work/armv7at2hf-vfp-neon-angstrom-linux-gnueabi/openssh/7.4p1-r0/image/var/run/sshd /opt/TORADEX_COLIBRI_VF_V2.5/build/out-glibc/work/armv7at2hf-vfp-neon-angstrom-linux-gnueabi/openssh/7.4p1-r0/image/var/run /opt/TORADEX_COLIBRI_VF_V2.5/build/out-glibc/work/armv7at2hf-vfp-neon-angstrom-linux-gnueabi/openssh/7.4p1-r0/image/var
	install -d /opt/TORADEX_COLIBRI_VF_V2.5/build/out-glibc/work/armv7at2hf-vfp-neon-angstrom-linux-gnueabi/openssh/7.4p1-r0/image//etc/default/volatiles
	install -m 644 /opt/TORADEX_COLIBRI_VF_V2.5/build/out-glibc/work/armv7at2hf-vfp-neon-angstrom-linux-gnueabi/openssh/7.4p1-r0/volatiles.99_sshd /opt/TORADEX_COLIBRI_VF_V2.5/build/out-glibc/work/armv7at2hf-vfp-neon-angstrom-linux-gnueabi/openssh/7.4p1-r0/image//etc/default/volatiles/99_sshd
	install -m 0755 /opt/TORADEX_COLIBRI_VF_V2.5/build/out-glibc/work/armv7at2hf-vfp-neon-angstrom-linux-gnueabi/openssh/7.4p1-r0/openssh-7.4p1/contrib/ssh-copy-id /opt/TORADEX_COLIBRI_VF_V2.5/build/out-glibc/work/armv7at2hf-vfp-neon-angstrom-linux-gnueabi/openssh/7.4p1-r0/image/usr/bin

	# Create config files for read-only rootfs
	install -d /opt/TORADEX_COLIBRI_VF_V2.5/build/out-glibc/work/armv7at2hf-vfp-neon-angstrom-linux-gnueabi/openssh/7.4p1-r0/image/etc/ssh
	install -m 644 /opt/TORADEX_COLIBRI_VF_V2.5/build/out-glibc/work/armv7at2hf-vfp-neon-angstrom-linux-gnueabi/openssh/7.4p1-r0/image/etc/ssh/sshd_config /opt/TORADEX_COLIBRI_VF_V2.5/build/out-glibc/work/armv7at2hf-vfp-neon-angstrom-linux-gnueabi/openssh/7.4p1-r0/image/etc/ssh/sshd_config_readonly
	sed -i '/HostKey/d' /opt/TORADEX_COLIBRI_VF_V2.5/build/out-glibc/work/armv7at2hf-vfp-neon-angstrom-linux-gnueabi/openssh/7.4p1-r0/image/etc/ssh/sshd_config_readonly
	echo "HostKey /var/run/ssh/ssh_host_rsa_key" >> /opt/TORADEX_COLIBRI_VF_V2.5/build/out-glibc/work/armv7at2hf-vfp-neon-angstrom-linux-gnueabi/openssh/7.4p1-r0/image/etc/ssh/sshd_config_readonly
	echo "HostKey /var/run/ssh/ssh_host_dsa_key" >> /opt/TORADEX_COLIBRI_VF_V2.5/build/out-glibc/work/armv7at2hf-vfp-neon-angstrom-linux-gnueabi/openssh/7.4p1-r0/image/etc/ssh/sshd_config_readonly
	echo "HostKey /var/run/ssh/ssh_host_ecdsa_key" >> /opt/TORADEX_COLIBRI_VF_V2.5/build/out-glibc/work/armv7at2hf-vfp-neon-angstrom-linux-gnueabi/openssh/7.4p1-r0/image/etc/ssh/sshd_config_readonly
	echo "HostKey /var/run/ssh/ssh_host_ed25519_key" >> /opt/TORADEX_COLIBRI_VF_V2.5/build/out-glibc/work/armv7at2hf-vfp-neon-angstrom-linux-gnueabi/openssh/7.4p1-r0/image/etc/ssh/sshd_config_readonly

	install -d /opt/TORADEX_COLIBRI_VF_V2.5/build/out-glibc/work/armv7at2hf-vfp-neon-angstrom-linux-gnueabi/openssh/7.4p1-r0/image/lib/systemd/system
	install -c -m 0644 /opt/TORADEX_COLIBRI_VF_V2.5/build/out-glibc/work/armv7at2hf-vfp-neon-angstrom-linux-gnueabi/openssh/7.4p1-r0/sshd.socket /opt/TORADEX_COLIBRI_VF_V2.5/build/out-glibc/work/armv7at2hf-vfp-neon-angstrom-linux-gnueabi/openssh/7.4p1-r0/image/lib/systemd/system
	install -c -m 0644 /opt/TORADEX_COLIBRI_VF_V2.5/build/out-glibc/work/armv7at2hf-vfp-neon-angstrom-linux-gnueabi/openssh/7.4p1-r0/sshd@.service /opt/TORADEX_COLIBRI_VF_V2.5/build/out-glibc/work/armv7at2hf-vfp-neon-angstrom-linux-gnueabi/openssh/7.4p1-r0/image/lib/systemd/system
	install -c -m 0644 /opt/TORADEX_COLIBRI_VF_V2.5/build/out-glibc/work/armv7at2hf-vfp-neon-angstrom-linux-gnueabi/openssh/7.4p1-r0/sshdgenkeys.service /opt/TORADEX_COLIBRI_VF_V2.5/build/out-glibc/work/armv7at2hf-vfp-neon-angstrom-linux-gnueabi/openssh/7.4p1-r0/image/lib/systemd/system
	sed -i -e 's,@BASE_BINDIR@,/bin,g' \
		-e 's,@SBINDIR@,/usr/sbin,g' \
		-e 's,@BINDIR@,/usr/bin,g' \
		/opt/TORADEX_COLIBRI_VF_V2.5/build/out-glibc/work/armv7at2hf-vfp-neon-angstrom-linux-gnueabi/openssh/7.4p1-r0/image/lib/systemd/system/sshd.socket /opt/TORADEX_COLIBRI_VF_V2.5/build/out-glibc/work/armv7at2hf-vfp-neon-angstrom-linux-gnueabi/openssh/7.4p1-r0/image/lib/systemd/system/*.service
	sed -i -e 's:^#PasswordAuthentication.*$:PasswordAuthentication no:g' /opt/TORADEX_COLIBRI_VF_V2.5/build/out-glibc/work/armv7at2hf-vfp-neon-angstrom-linux-gnueabi/openssh/7.4p1-r0/image/etc/ssh/sshd_config
    sed -i -e 's:^#UseDNS.*$:UseDNS no:g' /opt/TORADEX_COLIBRI_VF_V2.5/build/out-glibc/work/armv7at2hf-vfp-neon-angstrom-linux-gnueabi/openssh/7.4p1-r0/image/etc/ssh/sshd_config
 which triggered exception AttributeError: 'module' object has no attribute 'filter'

Since you’re using an older BSP you’ll need to modify the recipe, replace:
if [ "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" ]; then
and
if [ "${@bb.utils.filter('DISTRO_FEATURES', 'x11', d)}" ]; then
with
if [ "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam', '', d)}" = "pam" ]; then
and
if [ "${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'x11', '', d)}" = "x11" ]; then
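
The substitution above keeps the recipe's behaviour because, for a single feature name, both helpers select the same branch. As an added example (not part of the original thread and not BitBake's own source), the Python below models the two helpers' semantics with a hypothetical `FakeData` datastore and the illustrative names `bb_filter`, `bb_contains` and `pam_branch_taken`, and also shows where they differ when several values are checked:

```python
class FakeData:
    """Minimal stand-in for the BitBake datastore `d` (constructed for this example)."""
    def __init__(self, **variables):
        self._vars = variables

    def getVar(self, name, expand=True):
        return self._vars.get(name)


def _as_set(values):
    return set(values.split()) if isinstance(values, str) else set(values)


def bb_filter(variable, checkvalues, d):
    """Model of bb.utils.filter: the check values that ARE present, space-joined."""
    val = d.getVar(variable)
    if not val:
        return ""
    return " ".join(sorted(_as_set(checkvalues) & set(val.split())))


def bb_contains(variable, checkvalues, truevalue, falsevalue, d):
    """Model of bb.utils.contains: truevalue only if ALL check values are present."""
    val = d.getVar(variable)
    if not val:
        return falsevalue
    return truevalue if _as_set(checkvalues).issubset(val.split()) else falsevalue


def pam_branch_taken(d):
    """Return (newer recipe form, ported form) for the pam test in do_install."""
    # `if [ "<string>" ]` in shell is true when the expanded string is non-empty.
    new = bb_filter("DISTRO_FEATURES", "pam", d) != ""
    old = bb_contains("DISTRO_FEATURES", "pam", "pam", "", d) == "pam"
    return new, old


if __name__ == "__main__":
    for feats in ("systemd pam x11", "systemd x11", ""):
        print(repr(feats), pam_branch_taken(FakeData(DISTRO_FEATURES=feats)))
    # With several check values: filter is "any of", contains is "all of".
    d = FakeData(DISTRO_FEATURES="systemd x11")
    print(bb_filter("DISTRO_FEATURES", "pam x11", d), "|",
          bb_contains("DISTRO_FEATURES", "pam x11", "yes", "no", d))
```

When porting other newer recipes to an older BitBake, a `filter` call that checks more than one value cannot be swapped for a single `contains` call; it needs one `contains` per value.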

I am also trying to update openssl. I have downloaded the recipe for openssl 1.0.2k from here:
http://cgit.openembedded.org/openembedded-core/tree/meta/recipes-connectivity/openssl

Compile using: MACHINE=colibri-vf bitbake openssl

However, I get an error:
andrew@UbuntuLinux:/opt/TORADEX_COLIBRI_VF_V2.5/build$ MACHINE=colibri-vf bitbake openssl
Loading cache: 100% |#######################################################################################################################| ETA: 00:00:00
Loaded 2828 entries from dependency cache.
ERROR: ParseError at /opt/TORADEX_COLIBRI_VF_V2.5/build/…/stuff/meta-timetools/recipes-timetools/openssl/openssl.inc:31: Could not inherit file classes/relative_symlinks.bbclass

Summary: There was 1 ERROR message shown, returning a non-zero exit code.

Any help would be appreciated.

Is there a particular reason why you try to update those packages? If it is about security updates, just update the layer to top of branch, usually the OpenEmbedded developers update the packages to fix the security issues… (e.g. CVE-2017-3731, openembedded-core - OpenEmbedded Core layer)

I have an embedded application working and tested on Linux V2.5. I want to update the packages (SSH, SSL) for security without moving to a later BSP. However, the latest packages just will not compile or work with the Linux V2.5 release.

Ok, thanks for clarification.

In general, OpenEmbedded does maintenance of their older branches only for a certain time. You can find details here:
https://wiki.yoctoproject.org/wiki/Stable_branch_maintenance

Our V2.5 release uses fido, which seems no longer under active maintenance…

You can fix security issues with two approaches:

  1. Update to the latest version which has the issue fixed
  2. Patch the current version with a fix

Distributions, including OpenEmbedded, usually take the second approach, and for good reasons: New versions might have new bugs, new dependencies or otherwise cause problems with integration (probably what you are running into right now!).

I would suggest following that route too. First, I would make sure to use the latest version of the openembedded-core layer (fido branch). Then, check what fixes might be missing. The OpenSSL project maintains a well-maintained list: /news/vulnerabilities.html