new file mode 100644
@@ -0,0 +1,71 @@
+From afedc6d8e518e4675be55557322710136a9e17a4 Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <skandigraun@gmail.com>
+Date: Thu, 26 Feb 2026 14:34:07 +0100
+Subject: [PATCH] fix CVE-2024-54662
+
+This patch fixes CVE-2024-54662.
+
+Description: Dante 1.4.0 through 1.4.3 (fixed in 1.4.4) has incorrect
+access control for some sockd.conf configurations involving socksmethod.
+
+CVE: CVE-2024-54662
+Upstream-Status: Backport [https://www.inet.no/dante/advisory-2024-12-16.patch]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ sockd/sockd_protocol.c | 29 +++++++++++++++++++++++++----
+ 1 file changed, 25 insertions(+), 4 deletions(-)
+
+diff --git a/sockd/sockd_protocol.c b/sockd/sockd_protocol.c
+index d7b9405..1ea973a 100644
+--- a/sockd/sockd_protocol.c
++++ b/sockd/sockd_protocol.c
+@@ -428,6 +428,7 @@ recv_v4req (s, request, state)
+ request_t *request;
+ negotiate_state_t *state;
+ {
++ rule_t *crule;
+
+ /*
+ * v4 request:
+@@ -440,6 +441,26 @@ recv_v4req (s, request, state)
+ /*
+ * No methods supported in v4.
+ */
++
++ SASSERTX(state->crule != NULL);
++
++ crule = (rule_t *)state->crule;
++
++ if (crule->state.smethodc > 0
++ && crule->state.smethodv[0] != AUTHMETHOD_NONE) {
++ snprintf(state->emsg, sizeof(state->emsg),
++ "client-rule overrides prefered SOCKS authentication to use for "
++ "matching clients to be %s\"%s\", but connected client "
++ "is using SOCKS v4, which does not support any authentication",
++ crule->state.smethodc == 1 ? "" : "one of ",
++ methods2string(crule->state.smethodc,
++ crule->state.smethodv,
++ NULL,
++ 0));
++
++ return NEGOTIATE_ERROR;
++ }
++
+ request->auth->method = AUTHMETHOD_NONE;
+
+ /* CD */
+@@ -555,10 +576,10 @@ recv_methods(s, request, state)
+ default: {
+ /*
+ * Socks-methods that can be decided for use before we receive
+- * the actual request. Normally only gssapi, but if the
+- * rule has singleauth enabled and the client matches the
+- * criteria for it, the socks-method will also have been
+- * chosen already (should be NONE).
++ * the actual request. Normally only gssapi, but if the rule has
++ * singleauth enabled and the client matches the criteria for it,
++ * the socks-method will also have been chosen already (should be
++ * NONE).
+ */
+ size_t i;
+
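Review bot: The new guard in recv_v4req() tests only `crule->state.smethodv[0]`, so whether a SOCKS v4 client is refused depends on the order of the matching client-rule's socksmethod list (assuming smethodv keeps configuration order). A rule that lists `none` first still admits unauthenticated v4 clients, while one that lists `none` after another method refuses them. That fits the "prefered" wording of the error message and looks like upstream's intent, but nothing in the code states it. Because this is a verbatim backport I would leave the C alone and record it in the patch header, e.g. `Note: only the first (preferred) socksmethod of the matching client-rule is checked; SOCKS v4 is refused unless that entry is none.` Please also confirm against the 1.4.1 tree that `state->crule` is always set before recv_v4req() runs, since `SASSERTX(state->crule != NULL)` presumably aborts rather than failing the negotiation; recv_v4req()'s body starts and ends outside the embedded hunks.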
@@ -12,7 +12,8 @@ LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=221118dda731fe93a85d0ed973467249"
SRC_URI = "https://www.inet.no/dante/files/dante-${PV}.tar.gz \
- "
+ file://CVE-2024-54662.patch \
+ "
SRC_URI[md5sum] = "68c2ce12119e12cea11a90c7a80efa8f"
SRC_URI[sha256sum] = "b6d232bd6fefc87d14bf97e447e4fcdeef4b28b16b048d804b50b48f261c4f53"
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-54662 This backported patch was taken from upstream's website[1], where they identify it as the solution for this vulnerability [1]: https://www.inet.no/dante/ (bottom, "advisories" section) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> --- .../dante/dante/CVE-2024-54662.patch | 71 +++++++++++++++++++ .../recipes-protocols/dante/dante_1.4.1.bb | 3 +- 2 files changed, 73 insertions(+), 1 deletion(-) create mode 100644 meta-networking/recipes-protocols/dante/dante/CVE-2024-54662.patch