Date:      Thu, 9 Sep 2021 19:09:42 GMT
From:      Bryan Drewery <bdrewery@FreeBSD.org>
To:        ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject:   git: a981593ecc06 - main - security/openssh-portable: Update to 8.7p1.
Message-ID:  <202109091909.189J9goW004185@gitrepo.freebsd.org>

The branch main has been updated by bdrewery:

URL: https://cgit.FreeBSD.org/ports/commit/?id=a981593ecc06f124506f481e5dd0eee9ea6a70f8

commit a981593ecc06f124506f481e5dd0eee9ea6a70f8
Author:     Bryan Drewery <bdrewery@FreeBSD.org>
AuthorDate: 2021-09-08 16:55:19 +0000
Commit:     Bryan Drewery <bdrewery@FreeBSD.org>
CommitDate: 2021-09-09 19:09:40 +0000

    security/openssh-portable: Update to 8.7p1.
    
    Changes: https://www.openssh.com/txt/release-8.7
---
 security/openssh-portable/Makefile                 |  2 +-
 security/openssh-portable/distinfo                 |  6 +--
 security/openssh-portable/files/extra-patch-hpn    | 63 +++++++++++-----------
 security/openssh-portable/files/patch-sshd.8       | 10 ----
 security/openssh-portable/files/patch-sshd_config  | 24 ++++-----
 .../openssh-portable/files/patch-sshd_config.5     | 11 ----
 6 files changed, 45 insertions(+), 71 deletions(-)

diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile
index e9ac6fb39f13..3c072134a788 100644
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@@ -1,7 +1,7 @@
 # Created by: dwcjr@inethouston.net
 
 PORTNAME=	openssh
-DISTVERSION=	8.6p1
+DISTVERSION=	8.7p1
 PORTREVISION=	0
 PORTEPOCH=	1
 CATEGORIES=	security
diff --git a/security/openssh-portable/distinfo b/security/openssh-portable/distinfo
index 209322451613..45a643313a29 100644
--- a/security/openssh-portable/distinfo
+++ b/security/openssh-portable/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1619547768
-SHA256 (openssh-8.6p1.tar.gz) = c3e6e4da1621762c850d03b47eed1e48dff4cc9608ddeb547202a234df8ed7ae
-SIZE (openssh-8.6p1.tar.gz) = 1786328
+TIMESTAMP = 1631042634
+SHA256 (openssh-8.7p1.tar.gz) = 7ca34b8bb24ae9e50f33792b7091b3841d7e1b440ff57bc9fabddf01e2ed1e24
+SIZE (openssh-8.7p1.tar.gz) = 1814595
diff --git a/security/openssh-portable/files/extra-patch-hpn b/security/openssh-portable/files/extra-patch-hpn
index 258b36150078..ed7a78ab71a0 100644
--- a/security/openssh-portable/files/extra-patch-hpn
+++ b/security/openssh-portable/files/extra-patch-hpn
@@ -384,8 +384,8 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  
  void     enable_compat13(void);
  void     enable_compat20(void);
---- configure.ac.orig	2020-03-22 11:06:53.034550000 -0700
-+++ configure.ac	2020-03-22 11:07:10.017487000 -0700
+--- work/openssh/configure.ac.orig	2020-03-22 11:06:53.034550000 -0700
++++ work/openssh/configure.ac	2020-03-22 11:07:10.017487000 -0700
 @@ -4778,6 +4778,25 @@ AC_ARG_WITH([maildir],
      ]
  ) # maildir
@@ -524,8 +524,8 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  #if !defined(WITH_OPENSSL)
  # undef BIGNUM
  # undef EC_KEY
---- work/openssh/readconf.c.orig	2021-04-28 13:58:36.413806000 -0700
-+++ work/openssh/readconf.c	2021-04-28 14:39:31.145856000 -0700
+--- work/openssh/readconf.c.orig	2021-09-08 09:56:20.567664000 -0700
++++ work/openssh/readconf.c	2021-09-08 09:57:31.560617000 -0700
 @@ -67,6 +67,9 @@
  #include "uidswap.h"
  #include "myproposal.h"
@@ -539,17 +539,17 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 @@ -168,6 +171,12 @@ typedef enum {
  	oLocalCommand, oPermitLocalCommand, oRemoteCommand,
  	oVisualHostKey,
- 	oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
+ 	oKexAlgorithms, oIPQoS, oRequestTTY, oSessionType, oStdinNull,
 +#ifdef HPN_ENABLED
 +	oHPNDisabled, oHPNBufferSize, oTcpRcvBufPoll, oTcpRcvBuf,
 +#endif
 +#ifdef NONE_CIPHER_ENABLED
 +	oNoneSwitch, oNoneEnabled, 
 +#endif
+ 	oForkAfterAuthentication, oIgnoreUnknown, oProxyUseFdpass,
  	oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
  	oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
- 	oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
-@@ -312,6 +321,16 @@ static struct {
+@@ -316,6 +325,16 @@ static struct {
  	{ "hostbasedkeytypes", oHostbasedAcceptedAlgorithms }, /* obsolete */
  	{ "pubkeyacceptedalgorithms", oPubkeyAcceptedAlgorithms },
  	{ "pubkeyacceptedkeytypes", oPubkeyAcceptedAlgorithms }, /* obsolete */
@@ -566,7 +566,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  	{ "ignoreunknown", oIgnoreUnknown },
  	{ "proxyjump", oProxyJump },
  	{ "securitykeyprovider", oSecurityKeyProvider },
-@@ -1091,6 +1110,44 @@ parse_time:
+@@ -1125,6 +1144,44 @@ parse_time:
  		intptr = &options->check_host_ip;
  		goto parse_flag;
  
@@ -611,7 +611,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  	case oVerifyHostKeyDNS:
  		intptr = &options->verify_host_key_dns;
  		multistate_ptr = multistate_yesnoask;
-@@ -2262,6 +2319,16 @@ initialize_options(Options * options)
+@@ -2386,6 +2443,16 @@ initialize_options(Options * options)
  	options->ip_qos_interactive = -1;
  	options->ip_qos_bulk = -1;
  	options->request_tty = -1;
@@ -625,10 +625,10 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +	options->tcp_rcv_buf_poll = -1;
 +	options->tcp_rcv_buf = -1;
 +#endif
- 	options->proxy_use_fdpass = -1;
- 	options->ignored_unknown = NULL;
- 	options->num_canonical_domains = 0;
-@@ -2432,6 +2499,34 @@ fill_default_options(Options * options)
+ 	options->session_type = -1;
+ 	options->stdin_null = -1;
+ 	options->fork_after_authentication = -1;
+@@ -2557,6 +2624,34 @@ fill_default_options(Options * options)
  		options->server_alive_interval = 0;
  	if (options->server_alive_count_max == -1)
  		options->server_alive_count_max = 3;
@@ -1119,8 +1119,8 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  		sshpkt_fatal(ssh, r, "banner exchange");
  
  	/* Put the connection into non-blocking mode. */
---- work/openssh/sshconnect2.c.orig	2021-04-15 20:55:25.000000000 -0700
-+++ work/openssh/sshconnect2.c	2021-04-28 14:51:57.237202000 -0700
+--- work/openssh/sshconnect2.c.orig	2021-08-19 21:03:49.000000000 -0700
++++ work/openssh/sshconnect2.c	2021-09-08 10:02:03.037982000 -0700
 @@ -84,7 +84,13 @@
  extern char *client_version_string;
  extern char *server_version_string;
@@ -1157,7 +1157,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  	if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL)
  		fatal_f("kex_names_cat");
  	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh, s);
-@@ -489,6 +497,30 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
+@@ -487,6 +495,29 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
  
  	if (!authctxt.success)
  		fatal("Authentication failed.");
@@ -1184,13 +1184,12 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +		}
 +	}
 +#endif
-+
- 	debug("Authentication succeeded (%s).", authctxt.method->name);
- }
- 
---- work/openssh/sshd.c.orig	2020-11-10 21:36:31.340159000 -0800
-+++ work/openssh/sshd.c	2020-11-10 21:37:10.097038000 -0800
-@@ -1065,6 +1065,10 @@ listen_on_addrs(struct listenaddr *la)
+ 	if (ssh_packet_connection_is_on_socket(ssh)) {
+ 		verbose("Authenticated to %s ([%s]:%d) using \"%s\".", host,
+ 		    ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
+--- work/openssh/sshd.c.orig	2021-09-08 10:00:01.411822000 -0700
++++ work/openssh/sshd.c	2021-09-08 10:03:02.820813000 -0700
+@@ -1042,6 +1042,10 @@ listen_on_addrs(struct listenaddr *la)
  	int ret, listen_sock;
  	struct addrinfo *ai;
  	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
@@ -1201,7 +1200,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  
  	for (ai = la->addrs; ai; ai = ai->ai_next) {
  		if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
-@@ -1110,6 +1114,13 @@ listen_on_addrs(struct listenaddr *la)
+@@ -1087,6 +1091,13 @@ listen_on_addrs(struct listenaddr *la)
  
  		debug("Bind to port %s on %s.", strport, ntop);
  
@@ -1215,7 +1214,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  		/* Bind the socket to the desired port. */
  		if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
  			error("Bind to port %s on %s failed: %.200s.",
-@@ -1753,6 +1764,15 @@ main(int ac, char **av)
+@@ -1760,6 +1771,15 @@ main(int ac, char **av)
  	/* Fill in default values for those options not explicitly set. */
  	fill_default_server_options(&options);
  
@@ -1228,10 +1227,10 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +	}
 +#endif
 +
- 	/* challenge-response is implemented via keyboard interactive */
- 	if (options.challenge_response_authentication)
- 		options.kbd_interactive_authentication = 1;
-@@ -2220,6 +2240,11 @@ main(int ac, char **av)
+ 	/* Check that options are sensible */
+ 	if (options.authorized_keys_command_user == NULL &&
+ 	    (options.authorized_keys_command != NULL &&
+@@ -2216,6 +2236,11 @@ main(int ac, char **av)
  	    rdomain == NULL ? "" : "\"");
  	free(laddr);
  
@@ -1243,7 +1242,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  	/*
  	 * We don't want to listen forever unless the other side
  	 * successfully authenticates itself.  So we set up an alarm which is
-@@ -2233,7 +2258,7 @@ main(int ac, char **av)
+@@ -2229,7 +2254,7 @@ main(int ac, char **av)
  		alarm(options.login_grace_time);
  
  	if ((r = kex_exchange_identification(ssh, -1,
@@ -1252,7 +1251,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  		sshpkt_fatal(ssh, r, "banner exchange");
  
  	ssh_packet_set_nonblocking(ssh);
-@@ -2397,6 +2422,11 @@ do_ssh2_kex(struct ssh *ssh)
+@@ -2392,6 +2417,11 @@ do_ssh2_kex(struct ssh *ssh)
  	char *myproposal[PROPOSAL_MAX] = { KEX_SERVER };
  	struct kex *kex;
  	int r;
@@ -1262,7 +1261,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +                debug ("WARNING: None cipher enabled");
 +#endif
  
- 	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
+ 	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh,
  	    options.kex_algorithms);
 --- work.clean/openssh-6.8p1/sshd_config	2015-04-01 22:07:18.248858000 -0500
 +++ work/openssh-6.8p1/sshd_config	2015-04-01 22:16:49.932279000 -0500
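Review bot: The None-cipher warning kept in this hunk is logged with `debug ("WARNING: None cipher enabled");`, which sshd does not record at its default LogLevel, so a server that permits unencrypted sessions leaves no trace of that in normal logs. While the surrounding lines are being re-synced for 8.7p1 anyway, consider raising it to `logit("WARNING: None cipher enabled");`. The condition guarding the call and the rest of do_ssh2_kex lie outside the hunk, so this assumes the message is only reached when the None cipher is actually enabled.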
diff --git a/security/openssh-portable/files/patch-sshd.8 b/security/openssh-portable/files/patch-sshd.8
index edb5c8cb6498..4d2a477899c6 100644
--- a/security/openssh-portable/files/patch-sshd.8
+++ b/security/openssh-portable/files/patch-sshd.8
@@ -24,13 +24,3 @@ Document FreeBSD/port-specific paths
  (unless root).
  .It
  Changes to run with normal user privileges.
-@@ -407,7 +408,8 @@
- exists, runs it; else if
- .Pa /etc/ssh/sshrc
- exists, runs
--it; otherwise runs xauth.
-+it; otherwise runs
-+.Xr xauth 1 .
- The
- .Dq rc
- files are given the X11
diff --git a/security/openssh-portable/files/patch-sshd_config b/security/openssh-portable/files/patch-sshd_config
index 57cff284b725..b582ac8f3691 100644
--- a/security/openssh-portable/files/patch-sshd_config
+++ b/security/openssh-portable/files/patch-sshd_config
@@ -1,5 +1,5 @@
---- sshd_config.orig	2013-02-11 18:02:09.000000000 UTC
-+++ sshd_config	2013-05-13 06:46:45.153627197 -0500
+--- sshd_config.orig	2021-08-19 21:03:49.000000000 -0700
++++ sshd_config	2021-09-07 12:34:49.372652000 -0700
 @@ -10,6 +10,9 @@
  # possible, but leave them commented.  Uncommented options override the
  # default value.
@@ -10,7 +10,7 @@
  #Port 22
  #AddressFamily any
  #ListenAddress 0.0.0.0
-@@ -50,8 +53,7 @@
+@@ -37,8 +40,7 @@
  #PubkeyAuthentication yes
  
  # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
@@ -20,34 +20,30 @@
  
  #AuthorizedPrincipalsFile none
  
-@@ -68,11 +70,11 @@
+@@ -53,8 +55,8 @@ AuthorizedKeysFile	.ssh/authorized_keys
  # Don't read the user's ~/.rhosts and ~/.shosts files
  #IgnoreRhosts yes
  
 -# To disable tunneled clear text passwords, change to no here!
 -#PasswordAuthentication yes
-+# Change to yes to enable built-in password authentication.
++# To enable tunneled clear text passwords, change to yes here!
 +#PasswordAuthentication no
  #PermitEmptyPasswords no
  
--# Change to no to disable s/key passwords
-+# Change to no to disable PAM authentication
- #ChallengeResponseAuthentication yes
- 
- # Kerberos options
-@@ -85,7 +87,7 @@
+ # Change to no to disable s/key passwords
+@@ -70,7 +72,7 @@ AuthorizedKeysFile	.ssh/authorized_keys
  #GSSAPIAuthentication no
  #GSSAPICleanupCredentials yes
  
 -# Set this to 'yes' to enable PAM authentication, account processing,
 +# Set this to 'no' to disable PAM authentication, account processing,
  # and session processing. If this is enabled, PAM authentication will
- # be allowed through the ChallengeResponseAuthentication and
+ # be allowed through the KbdInteractiveAuthentication and
  # PasswordAuthentication.  Depending on your PAM configuration,
-@@ -94,12 +96,12 @@
+@@ -79,12 +81,12 @@ AuthorizedKeysFile	.ssh/authorized_keys
  # If you just want the PAM account and session checks to run without
  # PAM authentication, then enable this but set PasswordAuthentication
- # and ChallengeResponseAuthentication to 'no'.
+ # and KbdInteractiveAuthentication to 'no'.
 -#UsePAM no
 +#UsePAM yes
  
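Review bot: The port's comment that tied keyboard-interactive to PAM is dropped here, so the sample config falls back to upstream's `# Change to no to disable s/key passwords` while the same hunk still flips the default to `#UsePAM yes`. With PAM on, the hunk's own text says PAM authentication is allowed through KbdInteractiveAuthentication, so an administrator who relies on `PasswordAuthentication no` alone may still be accepting passwords over keyboard-interactive. I would keep a local line such as `# Change to no to disable PAM authentication` above the keyboard-interactive option (that option line is outside the hunk, presumably renamed to KbdInteractiveAuthentication in 8.7p1). The matching `See also .Cm UsePAM .` cross-reference removed from patch-sshd_config.5 could likewise be re-attached to the renamed option instead of being deleted.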
diff --git a/security/openssh-portable/files/patch-sshd_config.5 b/security/openssh-portable/files/patch-sshd_config.5
index 90c3940cf02c..442225160130 100644
--- a/security/openssh-portable/files/patch-sshd_config.5
+++ b/security/openssh-portable/files/patch-sshd_config.5
@@ -1,16 +1,5 @@
 --- sshd_config.5.orig	2017-03-19 19:39:27.000000000 -0700
 +++ sshd_config.5	2017-03-20 11:48:37.553620000 -0700
-@@ -373,7 +373,9 @@ By default, no banner is displayed.
- .It Cm ChallengeResponseAuthentication
- Specifies whether challenge-response authentication is allowed (e.g. via
- PAM or through authentication styles supported in
--.Xr login.conf 5 )
-+.Xr login.conf 5 ) .
-+See also
-+.Cm UsePAM .
- The default is
- .Cm yes .
- .It Cm ChrootDirectory
 @@ -671,7 +673,9 @@ ssh-ed25519,ssh-rsa
  The list of available key types may also be obtained using
  .Qq ssh -Q key .


