Date: Mon, 27 Apr 2026 02:12:57 +0000 From: Bryan Drewery <bdrewery@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 899a7de9a078 - main - security/openssh-portable: Update to 10.3p1 Message-ID: <69eec629.32afc.3a1fd496@gitrepo.freebsd.org>
The branch main has been updated by bdrewery:
URL: https://cgit.FreeBSD.org/ports/commit/?id=899a7de9a0782fd50caaffdb2e86a29ac9848ae6
commit 899a7de9a0782fd50caaffdb2e86a29ac9848ae6
Author: Bryan Drewery <bdrewery@FreeBSD.org>
AuthorDate: 2026-04-25 23:57:40 +0000
Commit: Bryan Drewery <bdrewery@FreeBSD.org>
CommitDate: 2026-04-27 02:12:24 +0000
security/openssh-portable: Update to 10.3p1
Release notes: https://www.openssh.org/txt/release-10.3
---
 security/openssh-portable/Makefile | 8 ++--
 security/openssh-portable/distinfo | 10 ++--
 .../openssh-portable/files/extra-patch-blacklistd | 55 +++++++++++++---------
 security/openssh-portable/files/extra-patch-hpn | 26 +++++-----
 .../files/extra-patch-hpn-gss-glue | 7 ++-
 security/openssh-portable/files/patch-servconf.c | 8 ----
 security/openssh-portable/files/patch-session.c | 27 ++++++-----
 7 files changed, 71 insertions(+), 70 deletions(-)
diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile
index 0b2b33626d6e..abbc35b5a7ca 100644
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@@ -1,6 +1,6 @@
 PORTNAME= openssh
-DISTVERSION= 10.2p1
-PORTREVISION= 6
+DISTVERSION= 10.3p1
+PORTREVISION= 0
 PORTEPOCH= 1
 CATEGORIES= security
 MASTER_SITES= OPENBSD/OpenSSH/portable
@@ -115,13 +115,13 @@ EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-gss-glue
 . endif
 # - See https://sources.debian.org/data/main/o/openssh/ for which subdir to
 # pull from.
-GSSAPI_DEBIAN_VERSION= 10.2p1
+GSSAPI_DEBIAN_VERSION= 10.3p1
 GSSAPI_DEBIAN_SUBDIR= ${GSSAPI_DEBIAN_VERSION:U${DISTVERSION}}-1
 # - Debian does not use a versioned filename so we trick fetch to make one for
 # us with the ?<anything>=/ trick.
 PATCH_SITES+= https://sources.debian.org/data/main/o/openssh/1:${GSSAPI_DEBIAN_SUBDIR}/debian/patches/gssapi.patch?dummy=/:gsskex
 # Bump this when updating the patch location
-GSSAPI_DISTVERSION= 10.2p1
+GSSAPI_DISTVERSION= 10.3p1
 PATCHFILES+= openssh-${GSSAPI_DISTVERSION:U${DISTVERSION}}-gsskex-all-debian-rh-${GSSAPI_DISTVERSION}.patch:-p1:gsskex
 EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-kexgssc.c
 EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-kexgsss.c
diff --git a/security/openssh-portable/distinfo b/security/openssh-portable/distinfo
index 6aa27b76a8c8..14b3b9a55b8d 100644
--- a/security/openssh-portable/distinfo
+++ b/security/openssh-portable/distinfo
@@ -1,5 +1,5 @@
-TIMESTAMP = 1760240447
-SHA256 (openssh-10.2p1.tar.gz) = ccc42c0419937959263fa1dbd16dafc18c56b984c03562d2937ce56a60f798b2
-SIZE (openssh-10.2p1.tar.gz) = 1974519
-SHA256 (openssh-10.2p1-gsskex-all-debian-rh-10.2p1.patch) = a02ab012657477a85dc7e4dca90a568ff5f13199221cda888608e9d0290454a0
-SIZE (openssh-10.2p1-gsskex-all-debian-rh-10.2p1.patch) = 126336
+TIMESTAMP = 1777161775
+SHA256 (openssh-10.3p1.tar.gz) = 56682a36bb92dcf4b4f016fd8ec8e74059b79a8de25c15d670d731e7d18e45f4
+SIZE (openssh-10.3p1.tar.gz) = 2007369
+SHA256 (openssh-10.3p1-gsskex-all-debian-rh-10.3p1.patch) = 58f2d59009442572107f6e02c43145676d4ee6461907f719820c77b07adb6612
+SIZE (openssh-10.3p1-gsskex-all-debian-rh-10.3p1.patch) = 126667
diff --git a/security/openssh-portable/files/extra-patch-blacklistd b/security/openssh-portable/files/extra-patch-blacklistd
index 698c109ccfe6..70c6efd8c6ab 100644
--- a/security/openssh-portable/files/extra-patch-blacklistd +++ b/security/openssh-portable/files/extra-patch-blacklistd @@ -337,17 +337,17 @@ int client_alive_interval; /* * poke the client this often to * see if it's still there ---- sshd-session.c.orig 2025-10-02 12:00:00.000000000 -+++ sshd-session.c 2025-10-02 12:00:00.000000000 -@@ -102,6 +102,7 @@ +--- sshd-session.c.orig 2026-04-02 01:09:03.000000000 -0700 ++++ sshd-session.c 2026-04-25 16:49:54.889134000 -0700 +@@ -95,6 +95,7 @@ #include "sk-api.h" #include "srclimit.h" #include "dh.h" +#include "blacklist_client.h" - #ifdef LIBWRAP - #include <tcpd.h> -@@ -1175,6 +1176,8 @@ + /* Re-exec fds */ + #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) +@@ -1147,6 +1148,8 @@ main(int ac, char **av) ssh_signal(SIGQUIT, SIG_DFL); ssh_signal(SIGCHLD, SIG_DFL); ssh_signal(SIGINT, SIG_DFL); @@ -356,30 +356,19 @@ /* * Register our connection. This turns encryption off because we do -@@ -1249,8 +1271,10 @@ - } - - if ((r = kex_exchange_identification(ssh, -1, -- options.version_addendum)) != 0) -+ options.version_addendum)) != 0) { -+ BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "Banner exchange"); - sshpkt_fatal(ssh, r, "banner exchange"); -+ } - - ssh_packet_set_nonblocking(ssh); - -@@ -1395,7 +1419,10 @@ +@@ -1361,8 +1364,11 @@ cleanup_exit(int i) audit_event(the_active_state, SSH_CONNECTION_ABANDON); #endif /* Override default fatal exit value when auth was attempted */ -- if (i == 255 && auth_attempted) -+ if (i == 255 && auth_attempted) { +- if (i == 255 && monitor_auth_attempted()) ++ if (i == 255 && monitor_auth_attempted()) { + BLACKLIST_NOTIFY(the_active_state, BLACKLIST_AUTH_FAIL, + "Fatal exit"); _exit(EXIT_AUTH_ATTEMPTED); + } + if (i == 255 && monitor_invalid_user()) + _exit(EXIT_INVALID_USER); _exit(i); - } --- sshd_config.5.orig 2025-10-02 12:00:00.000000000 +++ sshd_config.5 2025-10-02 12:00:00.000000000 @@ -2009,6 +2009,20 @@ 
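Review bot: In the cleanup_exit hunk of the sshd-session.c section, only the `monitor_auth_attempted()` branch reports to blacklistd; the `monitor_invalid_user()` branch right after it exits with `EXIT_INVALID_USER` and no `BLACKLIST_NOTIFY`. If unknown-user attempts are not already reported where the user lookup fails (not visible in this hunk), connections that end on that path would not count toward a block. Consider bracing that branch and adding `BLACKLIST_NOTIFY(the_active_state, BLACKLIST_AUTH_FAIL, "Fatal exit");` before its `_exit`, or a comment saying where the invalid-user case is reported. It is also worth confirming that `the_active_state` cannot be NULL when the notify runs, since the earlier lines of cleanup_exit are outside the hunk.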
@@ -413,3 +402,25 @@ #VersionAddendum none # no default banner path +--- sshd-auth.c.orig 2026-04-25 16:47:09.675535000 -0700 ++++ sshd-auth.c 2026-04-25 16:48:05.928839000 -0700 +@@ -96,6 +96,7 @@ + #include "srclimit.h" + #include "ssh-sandbox.h" + #include "dh.h" ++#include "blacklist_client.h" + + /* Privsep fds */ + #define PRIVSEP_MONITOR_FD (STDERR_FILENO + 1) +@@ -812,8 +813,10 @@ do_ssh2_kex(struct ssh *ssh) + free(hkalgs); + + if ((r = kex_exchange_identification(ssh, -1, +- options.version_addendum)) != 0) ++ options.version_addendum)) != 0) { ++ BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "Banner exchange"); + sshpkt_fatal(ssh, r, "banner exchange"); ++ } + mm_sshkey_setcompat(ssh); /* tell monitor */ + + if ((ssh->compat & SSH_BUG_NOREKEY)) diff --git a/security/openssh-portable/files/extra-patch-hpn b/security/openssh-portable/files/extra-patch-hpn index 037930f981b4..6601e745cdf9 100644 --- a/security/openssh-portable/files/extra-patch-hpn +++ b/security/openssh-portable/files/extra-patch-hpn @@ -1233,17 +1233,6 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o /* * Create a new session and process group since the 4.4BSD * setlogin() affects the entire process group. We don't ---- work/openssh/sshd-session.c.orig 2025-10-11 10:19:18.935826000 -0700 -+++ work/openssh/sshd-session.c 2025-10-11 10:20:11.460279000 -0700 -@@ -1281,7 +1281,7 @@ main(int ac, char **av) - } - - if ((r = kex_exchange_identification(ssh, -1, -- options.version_addendum)) != 0) { -+ options.version_addendum, options.hpn_disabled)) != 0) { - BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "Banner exchange"); - sshpkt_fatal(ssh, r, "banner exchange"); - } --- work.clean/openssh-6.8p1/sshd_config 2015-04-01 22:07:18.248858000 -0500 +++ work/openssh-6.8p1/sshd_config 2015-04-01 22:16:49.932279000 -0500 @@ -111,6 +111,20 @@ AuthorizedKeysFile .ssh/authorized_keys 
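Review bot: The new sshd-auth.c section adds `BLACKLIST_NOTIFY` to do_ssh2_kex, but nothing visible in it sets up the blacklist client in that process; the only other additions this patch shows for the daemon are the two lines in sshd-session.c's main, whose content is outside the hunk. sshd-auth.c includes `ssh-sandbox.h`, so if the sandbox is already active when do_ssh2_kex runs, reaching blacklistd from here may be refused and a failed banner exchange would go unreported without any error. Please confirm that the notification is actually delivered from sshd-auth, and record the result in a comment above the call, such as `/* runs in sshd-auth: blacklistd must be reachable from this process */`. do_ssh2_kex starts and ends outside the hunk.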
@@ -1285,9 +1274,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o struct kex *kex_new(void); int kex_ready(struct ssh *, char *[PROPOSAL_MAX]); ---- work/openssh/sshd-auth.c.orig 2025-04-10 22:36:29.699636000 -0700 -+++ work/openssh/sshd-auth.c 2025-04-10 22:36:33.770235000 -0700 -@@ -827,6 +827,14 @@ do_ssh2_kex(struct ssh *ssh) +--- work/openssh/sshd-auth.c.orig 2026-04-25 16:58:23.868827000 -0700 ++++ work/openssh/sshd-auth.c 2026-04-25 16:59:29.116215000 -0700 +@@ -799,6 +799,14 @@ do_ssh2_kex(struct ssh *ssh) struct kex *kex; int r; @@ -1302,3 +1291,12 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o if (options.rekey_limit || options.rekey_interval) ssh_packet_set_rekey_limits(ssh, options.rekey_limit, options.rekey_interval); +@@ -813,7 +821,7 @@ do_ssh2_kex(struct ssh *ssh) + free(hkalgs); + + if ((r = kex_exchange_identification(ssh, -1, +- options.version_addendum)) != 0) { ++ options.version_addendum, options.hpn_disabled)) != 0) { + BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "Banner exchange"); + sshpkt_fatal(ssh, r, "banner exchange"); + } diff --git a/security/openssh-portable/files/extra-patch-hpn-gss-glue b/security/openssh-portable/files/extra-patch-hpn-gss-glue index 3924a57f9d67..81ee7e0e4250 100644 --- a/security/openssh-portable/files/extra-patch-hpn-gss-glue +++ b/security/openssh-portable/files/extra-patch-hpn-gss-glue 
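Review bot: The sshd-auth.c hunk added at `@@ -813,7 +821,7 @@` in extra-patch-hpn only applies on top of extra-patch-blacklistd: its removed line already ends in `!= 0) {` and its context contains the `BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "Banner exchange");` line that the blacklistd patch introduces. If the port can be built with HPN but without the blacklistd patch (the option logic is not visible here), this hunk would be rejected at patch time. A plain line at the top of this section, e.g. `# requires extra-patch-blacklistd to be applied first`, would make the ordering explicit.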
@@ -22,15 +22,14 @@ if (options.gss_keyex) { /* Add the GSSAPI mechanisms currently supported on this * client to the key exchange algorithm proposal */ ---- readconf.c.orig 2025-10-08 15:36:47.220504000 -0700 -+++ readconf.c 2025-10-08 15:38:09.729314000 -0700 -@@ -60,11 +60,11 @@ +--- readconf.c.orig 2026-04-25 17:03:05.811011000 -0700 ++++ readconf.c 2026-04-25 17:03:28.148581000 -0700 +@@ -53,10 +53,10 @@ #include "readconf.h" #include "match.h" #include "kex.h" +#include "ssh-gss.h" #include "mac.h" - #include "uidswap.h" #include "myproposal.h" #include "digest.h" -#include "ssh-gss.h" diff --git a/security/openssh-portable/files/patch-servconf.c b/security/openssh-portable/files/patch-servconf.c index 8061e4c76386..cba3768c1507 100644 --- a/security/openssh-portable/files/patch-servconf.c +++ b/security/openssh-portable/files/patch-servconf.c @@ -8,14 +8,6 @@ Apply FreeBSD's configuration defaults. --- servconf.c.orig 2026-04-25 16:05:26.936844000 -0700 +++ servconf.c 2026-04-25 16:18:06.486288000 -0700 -@@ -44,6 +44,7 @@ - # include "openbsd-compat/glob.h" - #endif - -+#include "version.h" - #include "openbsd-compat/sys-queue.h" - #include "xmalloc.h" - #include "ssh.h" @@ -298,7 +299,11 @@ fill_default_server_options(ServerOptions *options) /* Portable-specific options */ diff --git a/security/openssh-portable/files/patch-session.c b/security/openssh-portable/files/patch-session.c index da35125897b5..511b989893a4 100644 --- a/security/openssh-portable/files/patch-session.c +++ b/security/openssh-portable/files/patch-session.c 
@@ -13,9 +13,9 @@ to the child process. Reviewed by: ache Sponsored by: DARPA, NAI Labs ---- session.c.orig 2021-04-15 20:55:25.000000000 -0700 -+++ session.c 2021-04-27 13:11:13.515917000 -0700 -@@ -939,6 +939,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char * +--- session.c.orig 2026-04-02 01:09:03.000000000 -0700 ++++ session.c 2026-04-25 16:52:16.015940000 -0700 +@@ -940,6 +940,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char * struct passwd *pw = s->pw; #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN) char *path = NULL; @@ -25,7 +25,7 @@ Sponsored by: DARPA, NAI Labs #endif /* Initialize the environment. */ -@@ -960,6 +963,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char * +@@ -961,6 +964,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char * } #endif @@ -35,7 +35,7 @@ Sponsored by: DARPA, NAI Labs #ifdef GSSAPI /* Allow any GSSAPI methods that we've used to alter * the child's environment as they see fit -@@ -977,11 +983,30 @@ do_setup_env(struct ssh *ssh, Session *s, const char * +@@ -978,11 +984,30 @@ do_setup_env(struct ssh *ssh, Session *s, const char * child_set_env(&env, &envsize, "LOGIN", pw->pw_name); #endif child_set_env(&env, &envsize, "HOME", pw->pw_dir); 
@@ -70,25 +70,26 @@ Sponsored by: DARPA, NAI Labs #else /* HAVE_LOGIN_CAP */ # ifndef HAVE_CYGWIN /* -@@ -1001,17 +1026,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char * +@@ -1001,18 +1026,10 @@ do_setup_env(struct ssh *ssh, Session *s, const char * + } # endif /* HAVE_CYGWIN */ #endif /* HAVE_LOGIN_CAP */ - +- - if (!options.use_pam) { - snprintf(buf, sizeof buf, "%.200s/%.50s", - _PATH_MAILDIR, pw->pw_name); - child_set_env(&env, &envsize, "MAIL", buf); - } -- + /* Normal systems set SHELL by default. */ child_set_env(&env, &envsize, "SHELL", shell); - if (getenv("TZ")) - child_set_env(&env, &envsize, "TZ", getenv("TZ")); - if (s->term) - child_set_env(&env, &envsize, "TERM", s->term); - if (s->display) -@@ -1225,7 +1242,8 @@ do_nologin(struct passwd *pw) + #ifdef HAVE_LOGIN_CAP + if (getenv("XDG_RUNTIME_DIR")) { + child_set_env(&env, &envsize, "XDG_RUNTIME_DIR", +@@ -1232,7 +1249,8 @@ do_nologin(struct passwd *pw) do_nologin(struct passwd *pw) { FILE *f = NULL; @@ -98,7 +99,7 @@ Sponsored by: DARPA, NAI Labs struct stat sb; #ifdef HAVE_LOGIN_CAP -@@ -1315,7 +1333,7 @@ do_setusercontext(struct passwd *pw) +@@ -1322,7 +1340,7 @@ do_setusercontext(struct passwd *pw) if (platform_privileged_uidswap()) { #ifdef HAVE_LOGIN_CAP if (setusercontext(lc, pw, pw->pw_uid,home | help
