Date:      Thu, 12 Oct 2017 19:40:58 +0000 (UTC)
From:      Bryan Drewery <bdrewery@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r451927 - in head: . security/openssh-portable security/openssh-portable/files
Message-ID:  <201710121940.v9CJewkg058757@repo.freebsd.org>

Author: bdrewery
Date: Thu Oct 12 19:40:58 2017
New Revision: 451927
URL: https://svnweb.freebsd.org/changeset/ports/451927

Log:
  Update to 7.6p1
  
  - Update x509 patch to 11.0
  - HPN/NONECIPHER do not apply currently and are disabled by default,
    same as the base sshd.  A compatibility patch is applied if
    these options are disabled to prevent startup failures; the options
    are kept as deprecated.
  - SCTP patch does not apply.
  
  Changes: https://www.openssh.com/txt/release-7.6
  
  Notable changes:
    - SSH version 1 support dropped.
    - Dropped support for hmac-ripemd160 MAC.
    - Dropped support for the ciphers arcfour, blowfish and CAST.
    - RSA keys less than 1024 bits are refused.

Added:
  head/security/openssh-portable/files/extra-patch-hpn-compat   (contents, props changed)
Modified:
  head/UPDATING
  head/security/openssh-portable/Makefile
  head/security/openssh-portable/distinfo
  head/security/openssh-portable/files/extra-patch-x509-glue
  head/security/openssh-portable/files/patch-configure.ac
  head/security/openssh-portable/files/patch-ssh-agent.c

Modified: head/UPDATING
==============================================================================
--- head/UPDATING	Thu Oct 12 19:30:51 2017	(r451926)
+++ head/UPDATING	Thu Oct 12 19:40:58 2017	(r451927)
@@ -5,7 +5,22 @@ they are unavoidable.
 You should get into the habit of checking this file for changes each time
 you update your ports collection, before attempting any port upgrades.
 
-20171006:
+20171012:
+  AFFECTS: users of security/openssh-portable
+  AUTHOR: bdrewery@FreeBSD.org
+
+  OpenSSH has been upgraded to 7.6p1 which has removed several deprecated
+  features:
+
+    - SSH version 1 support dropped.
+    - Dropped support for hmac-ripemd160 MAC.
+    - Dropped support for the ciphers arcfour, blowfish and CAST.
+    - RSA keys less than 1024 bits are refused.
+
+  The HPN option is currently disabled by default, and does not build,
+  in the package.  This follows what happened in base as well.
+
+ 20171006:
   AFFECTS: users of graphics/netpbm
   AUTHOR: tobik@FreeBSD.org
 
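Review bot: The re-added header `+ 20171006:` carries a leading space that the removed `-20171006:` did not, so the netpbm entry no longer starts at column 0. Tools that split UPDATING on a date header at the start of a line (pkg-updating(8) is the usual one) would likely fold the 20171006 entry into the new 20171012 one, and anyone grepping `^20171006:` misses it. Drop the space so the line reads `20171006:`.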

Modified: head/security/openssh-portable/Makefile
==============================================================================
--- head/security/openssh-portable/Makefile	Thu Oct 12 19:30:51 2017	(r451926)
+++ head/security/openssh-portable/Makefile	Thu Oct 12 19:40:58 2017	(r451927)
@@ -2,8 +2,8 @@
 # $FreeBSD$
 
 PORTNAME=	openssh
-DISTVERSION=	7.5p1
-PORTREVISION=	1
+DISTVERSION=	7.6p1
+PORTREVISION=	0
 PORTEPOCH=	1
 CATEGORIES=	security ipv6
 MASTER_SITES=	OPENBSD/OpenSSH/portable
@@ -30,7 +30,7 @@ BROKEN_SSL_REASON_openssl-devel=	incomplete definition
 OPTIONS_DEFINE=		PAM TCP_WRAPPERS LIBEDIT BSM \
 			HPN X509 KERB_GSSAPI \
 			OVERWRITE_BASE SCTP LDNS NONECIPHER
-OPTIONS_DEFAULT=	LIBEDIT PAM TCP_WRAPPERS HPN LDNS
+OPTIONS_DEFAULT=	LIBEDIT PAM TCP_WRAPPERS LDNS
 OPTIONS_RADIO=		KERBEROS
 OPTIONS_RADIO_KERBEROS=	MIT HEIMDAL HEIMDAL_BASE
 TCP_WRAPPERS_DESC=	tcp_wrappers support
@@ -61,14 +61,15 @@ HPN_CONFIGURE_WITH=		hpn
 NONECIPHER_CONFIGURE_WITH=	nonecipher
 
 # See http://www.roumenpetrov.info/openssh/
-X509_VERSION=		10.1
+X509_VERSION=		11.0
 X509_PATCH_SITES=	http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509
 X509_EXTRA_PATCHES+=	${FILESDIR}/extra-patch-x509-glue
-X509_PATCHFILES=	${PORTNAME}-7.5p1+x509-${X509_VERSION}.diff.gz:-p1:x509
+X509_PATCHFILES=	${PORTNAME}-7.6p1+x509-${X509_VERSION}.diff.gz:-p1:x509
 
 # See https://bugzilla.mindrot.org/show_bug.cgi?id=2016
 # and https://bugzilla.mindrot.org/show_bug.cgi?id=1604
 #SCTP_PATCHFILES=	${PORTNAME}-7.2_p1-sctp.patch.gz:-p1
+SCTP_BROKEN=		Does not apply to 7.6+
 SCTP_CONFIGURE_WITH=	sctp
 SCTP_EXTRA_PATCHES+=	${FILESDIR}/extra-patch-sctp:-p1
 
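Review bot: The new `X509_PATCHFILES` entry is fetched from `X509_PATCH_SITES`, which is a plain `http://` URL, so the only integrity check on the 440 KB x509-11.0 diff is the SHA256 recorded in distinfo. Before relying on that checksum it is worth confirming it against a value obtained out-of-band (the author's published checksum or signature, if one exists) rather than from the same unauthenticated download, and switching `X509_PATCH_SITES` to `https://` if the site serves it. Separately, `SCTP_BROKEN` is added while `SCTP_EXTRA_PATCHES` is still appended and the `SCTP_PATCHFILES` line stays commented out; a one-line comment such as `# SCTP patch last applied cleanly to 7.2; lines kept for when it is refreshed` would explain why the dead lines are retained.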
@@ -95,7 +96,7 @@ EXTRA_PATCHES:=		${EXTRA_PATCHES:N${TCP_WRAPPERS_EXTRA
 
 # Must add this patch before HPN due to conflicts
 .if ${PORT_OPTIONS:MKERB_GSSAPI}
-BROKEN=	No patch for 7.5 yet.
+BROKEN=	No patch for 7.6 yet.
 # Patch from:
 # http://sources.debian.net/data/main/o/openssh/1:7.4p1-5/debian/patches/gssapi.patch
 # which was originally based on 5.7 patch from
@@ -110,12 +111,16 @@ PATCHFILES+=	openssh-7.4p1-gsskex-all-20141021-debian-
 
 # http://www.psc.edu/index.php/hpn-ssh https://github.com/rapier1/hpn-ssh https://github.com/rapier1/openssh-portable
 .if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
+BROKEN=			Not yet updated for 7.6+ and disabled in base
 PORTDOCS+=		HPN-README
 HPN_VERSION=		14v5
 HPN_DISTVERSION=	6.7p1
 #PATCH_SITES+=		SOURCEFORGE/hpnssh/HPN-SSH%20${HPN_VERSION}%20${HPN_DISTVERSION}/:hpn
 #PATCHFILES+=		${PORTNAME}-${HPN_DISTVERSION}-hpnssh${HPN_VERSION}.diff.gz:-p1:hpn
 EXTRA_PATCHES+=		${FILESDIR}/extra-patch-hpn:-p2
+.elif !${PORT_OPTIONS:MHPN} && !${PORT_OPTIONS:MNONECIPHER}
+# Apply compatibility patch
+EXTRA_PATCHES+=		${FILESDIR}/extra-patch-hpn-compat
 .endif
 
 CONFIGURE_LIBS+=	-lutil
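Review bot: The `.elif !${PORT_OPTIONS:MHPN} && !${PORT_OPTIONS:MNONECIPHER}` on the new branch is the exact negation of the `.if` above it, so a plain `.else` says the same with less to misread. The `BROKEN=` inside the `.if` also overwrites the `BROKEN= No patch for 7.6 yet.` set by the KERB_GSSAPI block just above (last assignment wins), so a user with both options on sees only the HPN message; the per-option helper form `HPN_BROKEN= Not yet updated for 7.6+ and disabled in base` plus `NONECIPHER_BROKEN= ...` matches the `SCTP_BROKEN=` idiom already used in this Makefile and lets the framework report each option separately. Users who saved HPN=on in their options before this commit will now hit BROKEN instead of getting the compat patch; the UPDATING entry covers that, but the message could name the options to turn off.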

Modified: head/security/openssh-portable/distinfo
==============================================================================
--- head/security/openssh-portable/distinfo	Thu Oct 12 19:30:51 2017	(r451926)
+++ head/security/openssh-portable/distinfo	Thu Oct 12 19:40:58 2017	(r451927)
@@ -1,9 +1,7 @@
-TIMESTAMP = 1484161900
-SHA256 (openssh-7.5p1.tar.gz) = 9846e3c5fab9f0547400b4d2c017992f914222b3fd1f8eee6c7dc6bc5e59f9f0
-SIZE (openssh-7.5p1.tar.gz) = 1510857
+TIMESTAMP = 1507833573
+SHA256 (openssh-7.6p1.tar.gz) = a323caeeddfe145baaa0db16e98d784b1fbc7dd436a6bf1f479dfd5cd1d21723
+SIZE (openssh-7.6p1.tar.gz) = 1489788
 SHA256 (openssh-7.2_p1-sctp.patch.gz) = fb67e3e23f39fabf44ef198e3e19527417c75c9352747547448512032365dbfc
 SIZE (openssh-7.2_p1-sctp.patch.gz) = 8501
-SHA256 (openssh-7.5p1+x509-10.1.diff.gz) = e7abe401e7f651779c680491cfefbfcf4f26743202641b2bda934f80bb4464d2
-SIZE (openssh-7.5p1+x509-10.1.diff.gz) = 460721
-SHA256 (openssh-7.4p1-gsskex-all-20141021-debian-rh-20161228.patch.gz) = f77ac434e6914814bc2f16d1581efd74baedaa86f1249a3cee00566d458c5f6b
-SIZE (openssh-7.4p1-gsskex-all-20141021-debian-rh-20161228.patch.gz) = 27091
+SHA256 (openssh-7.6p1+x509-11.0.diff.gz) = bc4175ed8efce14579f10e242b25a23c959b1ff0e63b7c15493503eb654a960e
+SIZE (openssh-7.6p1+x509-11.0.diff.gz) = 440219
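Review bot: The SHA256/SIZE lines for `openssh-7.4p1-gsskex-all-20141021-debian-rh-20161228.patch.gz` are removed, but the Makefile hunk above still carries `PATCHFILES+= openssh-7.4p1-gsskex-all-20141021-debian-...` inside the KERB_GSSAPI block. That branch is BROKEN so the fetch is not normally reached, but anyone building with TRYBROKEN, or whoever un-BROKENs it later, would fetch a patch with no recorded checksum, which is the one situation distinfo exists to prevent. Either keep the two lines until the GSSAPI patch is refreshed, or comment out the `PATCHFILES+=` line alongside. The `openssh-7.2_p1-sctp.patch.gz` lines are in the opposite state, retained while `SCTP_PATCHFILES` is commented out, so a `make makesum` with all options enabled once the patches are refreshed would reconcile both.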

Added: head/security/openssh-portable/files/extra-patch-hpn-compat
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/openssh-portable/files/extra-patch-hpn-compat	Thu Oct 12 19:40:58 2017	(r451927)
@@ -0,0 +1,46 @@
+------------------------------------------------------------------------
+r294563 | des | 2016-01-22 05:13:46 -0800 (Fri, 22 Jan 2016) | 3 lines
+Changed paths:
+   M /head/crypto/openssh/servconf.c
+
+Instead of removing the NoneEnabled option, mark it as unsupported.
+(should have done this in r291198, but didn't think of it until now)
+
+------------------------------------------------------------------------
+------------------------------------------------------------------------
+r294564 | des | 2016-01-22 06:22:11 -0800 (Fri, 22 Jan 2016) | 2 lines
+Changed paths:
+   M /head/crypto/openssh/readconf.c
+
+r294563 was incomplete; re-add the client-side options as well.
+
+------------------------------------------------------------------------
+
+--- readconf.c.orig	2017-10-12 12:18:59.927293000 -0700
++++ readconf.c	2017-10-12 12:19:45.048532000 -0700
+@@ -305,6 +305,12 @@ static struct {
+ 	{ "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
+ 	{ "ignoreunknown", oIgnoreUnknown },
+ 	{ "proxyjump", oProxyJump },
++	{ "hpndisabled", oDeprecated },
++	{ "hpnbuffersize", oDeprecated },
++	{ "tcprcvbufpoll", oDeprecated },
++	{ "tcprcvbuf", oDeprecated },
++	{ "noneenabled", oUnsupported },
++	{ "noneswitch", oUnsupported },
+ 
+ 	{ NULL, oBadOption }
+ };
+--- servconf.c.orig	2017-10-02 12:34:26.000000000 -0700
++++ servconf.c	2017-10-12 12:20:19.089884000 -0700
+@@ -566,6 +566,10 @@ static struct {
+ 	{ "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
+ 	{ "disableforwarding", sDisableForwarding, SSHCFG_ALL },
+ 	{ "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL },
++	{ "noneenabled", sUnsupported, SSHCFG_ALL },
++	{ "hpndisabled", sDeprecated, SSHCFG_ALL },
++	{ "hpnbuffersize", sDeprecated, SSHCFG_ALL },
++	{ "tcprcvbufpoll", sDeprecated, SSHCFG_ALL },
+ 	{ NULL, sBadOption, 0 }
+ };
+ 
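Review bot: The patch maps `noneenabled`/`noneswitch` to the Unsupported handlers and the HPN tuning knobs to the Deprecated ones, but nothing in the file says why the split; the two handlers presumably differ in how loudly they report (upstream logs unsupported options but only debug-logs deprecated ones in readconf.c, which I cannot confirm from this diff). A sentence in the patch header such as `NoneEnabled/NoneSwitch are Unsupported so an admin who relied on the none cipher sees the warning; the buffer/poll knobs are merely Deprecated` would save the next updater re-deriving it. Since the stated purpose is to stop sshd failing to start on a leftover HPN config, the cheap check is `sshd -t -f` against a config containing `NoneEnabled yes` and `HPNBufferSize 8192`, confirming exit status 0 with a warning rather than a Bad configuration option fatal, and the same for `ssh -G` with `NoneSwitch yes` on the client side.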

Modified: head/security/openssh-portable/files/extra-patch-x509-glue
==============================================================================
--- head/security/openssh-portable/files/extra-patch-x509-glue	Thu Oct 12 19:30:51 2017	(r451926)
+++ head/security/openssh-portable/files/extra-patch-x509-glue	Thu Oct 12 19:40:58 2017	(r451927)
@@ -1,6 +1,6 @@
---- session.c.orig	2017-01-12 11:58:30.754769000 -0800
-+++ session.c	2017-01-12 11:58:35.360654000 -0800
-@@ -1252,36 +1252,6 @@ do_setup_env(Session *s, const char *she
+--- session.c.orig	2017-10-12 11:52:52.953370000 -0700
++++ session.c	2017-10-12 11:53:40.793055000 -0700
+@@ -1045,36 +1045,6 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
  	if (getenv("TZ"))
  		child_set_env(&env, &envsize, "TZ", getenv("TZ"));
  
@@ -37,3 +37,111 @@
  	/* Set custom environment options from RSA authentication. */
  	while (custom_environment) {
  		struct envstring *ce = custom_environment;
+--- sshd_config.5.orig	2017-10-12 11:51:06.638814000 -0700
++++ sshd_config.5	2017-10-12 11:51:33.780459000 -0700
+@@ -1641,52 +1641,7 @@ is set to
+ then the pre-authentication unprivileged process is subject to additional
+ restrictions.
+ The default is
+-.Cm sandbox .
+-.It Cm VACertificateFile
+-File with X.509 certificates in PEM format concatenated together.
+-In use when
+-.Cm VAType
+-is set to
+-.Cm ocspspec .
+-The default value is
+-.Sq
+-..
+-(empty).
+-Certificates from that file explicitly trust
+-.Sq "OCSP Responder"
+-public key.
+-They are used as trusted certificates in addition to certificates from
+-.Cm CACertificateFile
+-and
+-.Cm CACertificatePath
+-to verify responder certificate.
+-.It Cm VAType
+-Specifies whether
+-.Sq "Online Certificate Status Protocol"
+-(OCSP) is used to validate X.509 certificates.
+-Accepted values are case insensitive:
+-.Bl -tag -offset indent -compact
+-.It none
+-do not use OCSP to validate certificates;
+-.It ocspcert
+-validate only certificates that specify
+-.Sq "OCSP Service Locator"
+-URL;
+-.It ocspspec
+-use specified in the configuration
+-.Sq "OCSP Responder"
+-to validate all certificates.
+-.El
+-The default is
+-.Cm none .
+-.It Cm VAOCSPResponderURL
+-.Sq "Access Location"
+-/
+-.Sq "OCSP Service Locator"
+-URL of the OCSP provider. In use when
+-.Cm VAType
+-is set to
+-.Cm ocspspec .
++.Cm no .
+ .It Cm VersionAddendum
+ Optionally specifies additional text to append to the SSH protocol banner
+ sent by the server upon connection.
+@@ -1737,6 +1692,51 @@ the wildcard address.
+ By default,
+ sshd binds the forwarding server to the loopback address and sets the
+ hostname part of the
++.It Cm VACertificateFile
++File with X.509 certificates in PEM format concatenated together.
++In use when
++.Cm VAType
++is set to
++.Cm ocspspec .
++The default value is
++.Sq
++..
++(empty).
++Certificates from that file explicitly trust
++.Sq "OCSP Responder"
++public key.
++They are used as trusted certificates in addition to certificates from
++.Cm CACertificateFile
++and
++.Cm CACertificatePath
++to verify responder certificate.
++.It Cm VAType
++Specifies whether
++.Sq "Online Certificate Status Protocol"
++(OCSP) is used to validate X.509 certificates.
++Accepted values are case insensitive:
++.Bl -tag -offset indent -compact
++.It none
++do not use OCSP to validate certificates;
++.It ocspcert
++validate only certificates that specify
++.Sq "OCSP Service Locator"
++URL;
++.It ocspspec
++use specified in the configuration
++.Sq "OCSP Responder"
++to validate all certificates.
++.El
++The default is
++.Cm none .
++.It Cm VAOCSPResponderURL
++.Sq "Access Location"
++/
++.Sq "OCSP Service Locator"
++URL of the OCSP provider. In use when
++.Cm VAType
++is set to
++.Cm ocspspec .
+ .Ev DISPLAY
+ environment variable to
+ .Cm localhost .
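Review bot: As written, the second hunk inserts the VACertificateFile/VAType/VAOCSPResponderURL entries between `sets the hostname part of the` and `.Ev DISPLAY`, i.e. in the middle of the X11UseLocalhost sentence, and the first hunk rewrites the UsePrivilegeSeparation text from `The default is .Cm sandbox .` to `.Cm no .`; both read like a misplaced merge rather than glue. If the intent is only to resolve a conflict between the x509-11.0 diff and something else the port applies to sshd_config.5, the VA* block belongs before `.It Cm VersionAddendum` (alphabetical order, where the x509 diff put it) and the `sandbox` default should be left alone; please check `man sshd_config` from the built package at both spots. If the placement is deliberate, a short comment at the top of this section explaining what it works around would stop the next updater from "fixing" it.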

Modified: head/security/openssh-portable/files/patch-configure.ac
==============================================================================
--- head/security/openssh-portable/files/patch-configure.ac	Thu Oct 12 19:30:51 2017	(r451926)
+++ head/security/openssh-portable/files/patch-configure.ac	Thu Oct 12 19:40:58 2017	(r451927)
@@ -1,13 +1,5 @@
 --- configure.ac.orig	2017-04-08 02:15:16 UTC
 +++ configure.ac
-@@ -1486,6 +1486,7 @@ AC_ARG_WITH(ldns,
- 		else
- 			LIBS="$LIBS `$LDNSCONFIG --libs`"
- 			CPPFLAGS="$CPPFLAGS `$LDNSCONFIG --cflags`"
-+			ldns=yes
- 		fi
- 	elif test "x$withval" != "xno" ; then
- 			CPPFLAGS="$CPPFLAGS -I${withval}/include"
 @@ -1544,7 +1545,7 @@ AC_ARG_WITH([libedit],
  			LIBEDIT=`$PKGCONFIG --libs libedit`
  			CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libedit`"
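Review bot: The remaining hunk header `@@ -1544,7 +1545,7 @@` still carries the +1 new-side offset that only made sense while the now-removed `ldns=yes` hunk preceded it, and the `--- configure.ac.orig 2017-04-08` header predates 7.6p1 while the other patches in this commit were regenerated with October timestamps; `make makepatch` would bring both into line. Dropping the `ldns=yes` hunk presumably means 7.6's configure now sets it itself when `ldns-config` is found, which I cannot confirm from here. LDNS is on by default in `OPTIONS_DEFAULT` and gates SSHFP/DNSSEC host-key verification, so an `ldd` of the built ssh showing libldns would confirm the option still takes effect.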

Modified: head/security/openssh-portable/files/patch-ssh-agent.c
==============================================================================
--- head/security/openssh-portable/files/patch-ssh-agent.c	Thu Oct 12 19:30:51 2017	(r451926)
+++ head/security/openssh-portable/files/patch-ssh-agent.c	Thu Oct 12 19:40:58 2017	(r451927)
@@ -8,9 +8,9 @@ r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct
 Add a -x option that causes ssh-agent(1) to exit when all clients have
 disconnected.
 
---- ssh-agent.c.orig	2015-05-29 03:27:21.000000000 -0500
-+++ ssh-agent.c	2015-06-02 09:46:54.719580000 -0500
-@@ -157,15 +157,34 @@ static long lifetime = 0;
+--- ssh-agent.c.orig	2017-10-02 12:34:26.000000000 -0700
++++ ssh-agent.c	2017-10-12 11:31:40.908737000 -0700
+@@ -162,15 +162,34 @@ static long lifetime = 0;
  
  static int fingerprint_hash = SSH_FP_HASH_DEFAULT;
  
@@ -45,7 +45,7 @@ disconnected.
  }
  
  static void
-@@ -963,6 +982,10 @@ new_socket(sock_type type, int fd)
+@@ -745,6 +764,10 @@ new_socket(sock_type type, int fd)
  {
  	u_int i, old_alloc, new_alloc;
  
@@ -56,7 +56,7 @@ disconnected.
  	set_nonblock(fd);
  
  	if (fd > max_fd)
-@@ -1190,7 +1213,7 @@ static void
+@@ -1007,7 +1030,7 @@ static void
  usage(void)
  {
  	fprintf(stderr,
@@ -65,7 +65,7 @@ disconnected.
  	    "                 [-P pkcs11_whitelist] [-t life] [command [arg ...]]\n"
  	    "       ssh-agent [-c | -s] -k\n");
  	exit(1);
-@@ -1222,6 +1245,7 @@ main(int ac, char **av)
+@@ -1039,6 +1062,7 @@ main(int ac, char **av)
  	/* drop */
  	setegid(getgid());
  	setgid(getgid());
@@ -73,7 +73,7 @@ disconnected.
  
  	platform_disable_tracing(0);	/* strict=no */
  
-@@ -1232,7 +1256,7 @@ main(int ac, char **av)
+@@ -1049,7 +1073,7 @@ main(int ac, char **av)
  	__progname = ssh_get_progname(av[0]);
  	seed_rng();
  
@@ -82,13 +82,13 @@ disconnected.
  		switch (ch) {
  		case 'E':
  			fingerprint_hash = ssh_digest_alg_by_name(optarg);
-@@ -1276,6 +1300,9 @@ main(int ac, char **av)
+@@ -1092,6 +1116,9 @@ main(int ac, char **av)
+ 				fprintf(stderr, "Invalid lifetime\n");
  				usage();
  			}
- 			break;
++			break;
 +		case 'x':
 +			xcount = 0;
-+			break;
+ 			break;
  		default:
  			usage();
- 		}


