Date: Thu, 5 Apr 2018 18:20:51 +0000 (UTC) From: Bryan Drewery <bdrewery@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r466577 - in head/security/openssh-portable: . files Message-ID: <201804051820.w35IKpi2062956@repo.freebsd.org>
Author: bdrewery Date: Thu Apr 5 18:20:50 2018 New Revision: 466577 URL: https://svnweb.freebsd.org/changeset/ports/466577 Log: Update to 7.7p1 - Update x509 patch to 11.3 - Remove SCTP option as it has not had a patch available since 7.2. Changes: https://www.openssh.com/txt/release-7.7 Notable changes: * ssh(1)/sshd(8): Drop compatibility support for some very old SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*. These versions were all released in or before 2001 and predate the final SSH RFCs. The support in question isn't necessary for RFC-compliant SSH implementations. Deleted: head/security/openssh-portable/files/patch-upstream-servconf.c Modified: head/security/openssh-portable/Makefile head/security/openssh-portable/distinfo head/security/openssh-portable/files/extra-patch-hpn-compat head/security/openssh-portable/files/extra-patch-tcpwrappers head/security/openssh-portable/files/extra-patch-x509-glue head/security/openssh-portable/files/patch-session.c Modified: head/security/openssh-portable/Makefile ============================================================================== --- head/security/openssh-portable/Makefile Thu Apr 5 17:35:00 2018 (r466576) +++ head/security/openssh-portable/Makefile Thu Apr 5 18:20:50 2018 (r466577) @@ -2,8 +2,8 @@ # $FreeBSD$ PORTNAME= openssh -DISTVERSION= 7.6p1 -PORTREVISION= 3 +DISTVERSION= 7.7p1 +PORTREVISION= 0 PORTEPOCH= 1 CATEGORIES= security ipv6 MASTER_SITES= OPENBSD/OpenSSH/portable @@ -31,7 +31,7 @@ BROKEN_SSL_REASON_openssl-devel= error: OpenSSL >= 1.1 OPTIONS_DEFINE= PAM TCP_WRAPPERS LIBEDIT BSM \ HPN X509 KERB_GSSAPI \ - SCTP LDNS NONECIPHER + LDNS NONECIPHER OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS LDNS OPTIONS_RADIO= KERBEROS OPTIONS_RADIO_KERBEROS= MIT HEIMDAL HEIMDAL_BASE 
@@ -41,7 +41,6 @@ KERB_GSSAPI_DESC= Kerberos/GSSAPI patch (req: GSSAPI) HPN_DESC= HPN-SSH patch LDNS_DESC= SSHFP/LDNS support X509_DESC= x509 certificate patch -SCTP_DESC= SCTP support HEIMDAL_DESC= Heimdal Kerberos (security/heimdal) HEIMDAL_BASE_DESC= Heimdal Kerberos (base) MIT_DESC= MIT Kerberos (security/krb5) @@ -62,18 +61,11 @@ HPN_CONFIGURE_WITH= hpn NONECIPHER_CONFIGURE_WITH= nonecipher # See http://www.roumenpetrov.info/openssh/ -X509_VERSION= 11.0 +X509_VERSION= 11.3 X509_PATCH_SITES= http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509 X509_EXTRA_PATCHES+= ${FILESDIR}/extra-patch-x509-glue -X509_PATCHFILES= ${PORTNAME}-7.6p1+x509-${X509_VERSION}.diff.gz:-p1:x509 +X509_PATCHFILES= ${PORTNAME}-7.7p1+x509-${X509_VERSION}.diff.gz:-p1:x509 -# See https://bugzilla.mindrot.org/show_bug.cgi?id=2016 -# and https://bugzilla.mindrot.org/show_bug.cgi?id=1604 -#SCTP_PATCHFILES= ${PORTNAME}-7.2_p1-sctp.patch.gz:-p1 -SCTP_BROKEN= Does not apply to 7.6+ -SCTP_CONFIGURE_WITH= sctp -SCTP_EXTRA_PATCHES+= ${FILESDIR}/extra-patch-sctp:-p1 - MIT_LIB_DEPENDS= libkrb5.so.3:security/krb5 HEIMDAL_LIB_DEPENDS= libkrb5.so.26:security/heimdal @@ -136,10 +128,6 @@ EXTRA_PATCHES+= ${FILESDIR}/extra-patch-version-adden BROKEN= X509 patch and HPN patch do not apply cleanly together . endif -. if ${PORT_OPTIONS:MSCTP} -BROKEN= X509 patch and SCTP patch do not apply cleanly together -. endif - . if ${PORT_OPTIONS:MKERB_GSSAPI} BROKEN= X509 patch incompatible with KERB_GSSAPI patch . endif 
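Review bot: The new `X509_PATCHFILES= ${PORTNAME}-7.7p1+x509-${X509_VERSION}.diff.gz:-p1:x509` line fetches a patch that is applied straight into the sshd sources from the `X509_PATCH_SITES` URL shown in context, which is plain `http://`, so the SHA256 recorded for `openssh-7.7p1+x509-11.3.diff.gz` in distinfo is the only integrity anchor for it. Before that hash is trusted it is worth cross-checking against a checksum the patch author publishes out of band, since nothing on this page shows a signature for the x509 diff (the OpenSSH tarball at least has an upstream-signed release to compare with). A short note in the Makefile comment above `X509_VERSION`, e.g. `# Verify distinfo SHA256 against the author's published checksum when bumping`, would make the expectation explicit for the next update. The SCTP option removal is self-explanatory given the log message, though users with `SCTP` in saved options will now have it silently ignored.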
@@ -222,6 +210,7 @@ test: build TEST_SHELL=${SH} \ SUDO="${SUDO}" \ LOGNAME="${LOGNAME}" \ + TEST_SSH_TRACE=yes \ PATH=${WRKSRC}:${PREFIX}/bin:${PREFIX}/sbin:${PATH} \ ${MAKE_CMD} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS} tests
Modified: head/security/openssh-portable/distinfo
==============================================================================
--- head/security/openssh-portable/distinfo Thu Apr 5 17:35:00 2018 (r466576)
+++ head/security/openssh-portable/distinfo Thu Apr 5 18:20:50 2018 (r466577)
@@ -1,7 +1,5 @@
-TIMESTAMP = 1507833573
-SHA256 (openssh-7.6p1.tar.gz) = a323caeeddfe145baaa0db16e98d784b1fbc7dd436a6bf1f479dfd5cd1d21723
-SIZE (openssh-7.6p1.tar.gz) = 1489788
-SHA256 (openssh-7.2_p1-sctp.patch.gz) = fb67e3e23f39fabf44ef198e3e19527417c75c9352747547448512032365dbfc
-SIZE (openssh-7.2_p1-sctp.patch.gz) = 8501
-SHA256 (openssh-7.6p1+x509-11.0.diff.gz) = bc4175ed8efce14579f10e242b25a23c959b1ff0e63b7c15493503eb654a960e
-SIZE (openssh-7.6p1+x509-11.0.diff.gz) = 440219
+TIMESTAMP = 1522788732
+SHA256 (openssh-7.7p1.tar.gz) = d73be7e684e99efcd024be15a30bffcbe41b012b2f7b3c9084aed621775e6b8f
+SIZE (openssh-7.7p1.tar.gz) = 1536900
+SHA256 (openssh-7.7p1+x509-11.3.diff.gz) = 57be0d0028863f1f690b8b4ccae7583c0f8dd8ed2c688a912b25832bf7f9b185
+SIZE (openssh-7.7p1+x509-11.3.diff.gz) = 488467
Modified: head/security/openssh-portable/files/extra-patch-hpn-compat
==============================================================================
--- head/security/openssh-portable/files/extra-patch-hpn-compat Thu Apr 5 17:35:00 2018 (r466576)
+++ head/security/openssh-portable/files/extra-patch-hpn-compat Thu Apr 5 18:20:50 2018 (r466577)
@@ -33,10 +33,10 @@ r294563 was incomplete; re-add the client-side options }; --- servconf.c.orig 2017-10-02 12:34:26.000000000 -0700 +++ servconf.c 2017-10-12 12:20:19.089884000 -0700 -@@ -566,6 +566,10 @@ static struct { - { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL }, +@@ -618,6 +618,10 @@ static struct { { "disableforwarding", sDisableForwarding, SSHCFG_ALL }, { "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL }, + { "rdomain", sRDomain, SSHCFG_ALL }, + { "noneenabled", sUnsupported, SSHCFG_ALL }, + { "hpndisabled", sDeprecated, SSHCFG_ALL }, + { "hpnbuffersize", sDeprecated, SSHCFG_ALL }, Modified: head/security/openssh-portable/files/extra-patch-tcpwrappers ============================================================================== --- head/security/openssh-portable/files/extra-patch-tcpwrappers Thu Apr 5 17:35:00 2018 (r466576) +++ head/security/openssh-portable/files/extra-patch-tcpwrappers Thu Apr 5 18:20:50 2018 (r466577) @@ -35,15 +35,15 @@ index 289e13d..e6a900b 100644 .Xr sshd_config 5 , diff --git sshd.c sshd.c index 0ade557..045f149 100644 ---- sshd.c -+++ sshd.c +--- sshd.c.orig 2018-04-04 15:34:54.865684000 -0700 ++++ sshd.c 2018-04-04 15:40:20.964130000 -0700 @@ -1,4 +1,4 @@ --/* $OpenBSD: sshd.c,v 1.421 2014/03/26 19:58:37 tedu Exp $ */ +-/* $OpenBSD: sshd.c,v 1.506 2018/03/03 03:15:51 djm Exp $ */ +/* $OpenBSD: sshd.c,v 1.422 2014/03/27 23:01:27 markus Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland -@@ -123,6 +123,13 @@ +@@ -131,6 +131,13 @@ #include "version.h" #include "ssherr.h" 
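Review bot: The refreshed sshd.c header in the extra-patch-tcpwrappers hunk swaps `--- sshd.c`/`+++ sshd.c` for timestamped `sshd.c.orig` lines but leaves the `diff --git sshd.c sshd.c` and `index 0ade557..045f149 100644` context lines above them, so the patch now advertises git blob ids from the old tree while its hunks target the 7.7p1 file. Those two lines are inert for patch(1) but misleading to whoever rebases this next; dropping them, or regenerating the whole patch in one format, would keep the header honest. The `$OpenBSD$` ident swap from v1.506 back to v1.422 is presumably deliberate, reinstating the revision the libwrap code was written against, but that is not stated anywhere visible here, and a one-line remark in the patch preamble such as `sshd.c ident is pinned to 1.422, the last revision this libwrap hook was taken from` would stop a future maintainer from "correcting" it. The sshd.c portion of this patch continues in the following @@ block.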
@@ -57,10 +57,11 @@ index 0ade557..045f149 100644 /* Re-exec fds */ #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) -@@ -1971,6 +1978,24 @@ main(int ac, char **av) - #ifdef SSH_AUDIT_EVENTS - audit_connection_from(remote_ip, remote_port); +@@ -2072,6 +2079,25 @@ main(int ac, char **av) #endif + + rdomain = ssh_packet_rdomain_in(ssh); ++ +#ifdef LIBWRAP + allow_severity = options.log_facility|LOG_INFO; + deny_severity = options.log_facility|LOG_WARNING; Modified: head/security/openssh-portable/files/extra-patch-x509-glue ============================================================================== --- head/security/openssh-portable/files/extra-patch-x509-glue Thu Apr 5 17:35:00 2018 (r466576) +++ head/security/openssh-portable/files/extra-patch-x509-glue Thu Apr 5 18:20:50 2018 (r466577) @@ -1,6 +1,6 @@ --- session.c.orig 2017-10-12 11:52:52.953370000 -0700 +++ session.c 2017-10-12 11:53:40.793055000 -0700 -@@ -1045,36 +1045,6 @@ do_setup_env(struct ssh *ssh, Session *s, const char * +@@ -1062,36 +1062,6 @@ do_setup_env(struct ssh *ssh, Session *s, const char * if (getenv("TZ")) child_set_env(&env, &envsize, "TZ", getenv("TZ")); 
@@ -34,114 +34,124 @@ -} -#endif - - /* Set custom environment options from RSA authentication. */ - while (custom_environment) { - struct envstring *ce = custom_environment; + /* Set custom environment options from pubkey authentication. */ + if (options.permit_user_env) { + for (n = 0 ; n < auth_opts->nenv; n++) { --- sshd_config.5.orig 2017-10-12 11:51:06.638814000 -0700 +++ sshd_config.5 2017-10-12 11:51:33.780459000 -0700 -@@ -1641,52 +1641,7 @@ is set to +@@ -1682,7 +1682,57 @@ is set to then the pre-authentication unprivileged process is subject to additional restrictions. The default is -.Cm sandbox . --.It Cm VACertificateFile --File with X.509 certificates in PEM format concatenated together. --In use when --.Cm VAType --is set to --.Cm ocspspec . --The default value is --.Sq --.. --(empty). --Certificates from that file explicitly trust --.Sq "OCSP Responder" --public key. --They are used as trusted certificates in addition to certificates from --.Cm CACertificateFile --and --.Cm CACertificatePath --to verify responder certificate. --.It Cm VAType --Specifies whether --.Sq "Online Certificate Status Protocol" --(OCSP) is used to validate X.509 certificates. --Accepted values are case insensitive: --.Bl -tag -offset indent -compact --.It none --do not use OCSP to validate certificates; --.It ocspcert --validate only certificates that specify --.Sq "OCSP Service Locator" --URL; --.It ocspspec --use specified in the configuration --.Sq "OCSP Responder" --to validate all certificates. --.El --The default is --.Cm none . --.It Cm VAOCSPResponderURL --.Sq "Access Location" --/ --.Sq "OCSP Service Locator" --URL of the OCSP provider. In use when --.Cm VAType --is set to --.Cm ocspspec . +.Cm no . - .It Cm VersionAddendum - Optionally specifies additional text to append to the SSH protocol banner - sent by the server upon connection. -@@ -1737,6 +1692,51 @@ the wildcard address. 
- By default, - sshd binds the forwarding server to the loopback address and sets the - hostname part of the -+.It Cm VACertificateFile -+File with X.509 certificates in PEM format concatenated together. -+In use when -+.Cm VAType -+is set to -+.Cm ocspspec . -+The default value is -+.Sq -+.. -+(empty). -+Certificates from that file explicitly trust -+.Sq "OCSP Responder" -+public key. -+They are used as trusted certificates in addition to certificates from -+.Cm CACertificateFile -+and -+.Cm CACertificatePath -+to verify responder certificate. -+.It Cm VAType -+Specifies whether -+.Sq "Online Certificate Status Protocol" -+(OCSP) is used to validate X.509 certificates. -+Accepted values are case insensitive: -+.Bl -tag -offset indent -compact -+.It none -+do not use OCSP to validate certificates; -+.It ocspcert -+validate only certificates that specify -+.Sq "OCSP Service Locator" -+URL; -+.It ocspspec -+use specified in the configuration -+.Sq "OCSP Responder" -+to validate all certificates. -+.El ++.It Cm VersionAddendum ++Optionally specifies additional text to append to the SSH protocol banner ++sent by the server upon connection. +The default is +.Cm none . -+.It Cm VAOCSPResponderURL -+.Sq "Access Location" -+/ -+.Sq "OCSP Service Locator" -+URL of the OCSP provider. In use when -+.Cm VAType -+is set to -+.Cm ocspspec . ++.It Cm X11DisplayOffset ++Specifies the first display number available for ++.Xr sshd 8 Ns 's ++X11 forwarding. ++This prevents sshd from interfering with real X11 servers. ++The default is 10. ++.It Cm X11Forwarding ++Specifies whether X11 forwarding is permitted. ++The argument must be ++.Cm yes ++or ++.Cm no . ++The default is ++.Cm no . ++.Pp ++When X11 forwarding is enabled, there may be additional exposure to ++the server and to client displays if the ++.Xr sshd 8 ++proxy display is configured to listen on the wildcard address (see ++.Cm X11UseLocalhost ) , ++though this is not the default. 
++Additionally, the authentication spoofing and authentication data ++verification and substitution occur on the client side. ++The security risk of using X11 forwarding is that the client's X11 ++display server may be exposed to attack when the SSH client requests ++forwarding (see the warnings for ++.Cm ForwardX11 ++in ++.Xr ssh_config 5 ) . ++A system administrator may have a stance in which they want to ++protect clients that may expose themselves to attack by unwittingly ++requesting X11 forwarding, which can warrant a ++.Cm no ++setting. ++.Pp ++Note that disabling X11 forwarding does not prevent users from ++forwarding X11 traffic, as users can always install their own forwarders. ++.It Cm X11UseLocalhost ++Specifies whether ++.Xr sshd 8 ++should bind the X11 forwarding server to the loopback address or to ++the wildcard address. ++By default, ++sshd binds the forwarding server to the loopback address and sets the ++hostname part of the + .It Cm VACertificateFile + File with X.509 certificates in PEM format concatenated together. + In use when +@@ -1735,56 +1785,6 @@ URL of the OCSP provider. In use when + .Cm VAType + is set to + .Cm ocspspec . +-.It Cm VersionAddendum +-Optionally specifies additional text to append to the SSH protocol banner +-sent by the server upon connection. +-The default is +-.Cm none . +-.It Cm X11DisplayOffset +-Specifies the first display number available for +-.Xr sshd 8 Ns 's +-X11 forwarding. +-This prevents sshd from interfering with real X11 servers. +-The default is 10. +-.It Cm X11Forwarding +-Specifies whether X11 forwarding is permitted. +-The argument must be +-.Cm yes +-or +-.Cm no . +-The default is +-.Cm no . +-.Pp +-When X11 forwarding is enabled, there may be additional exposure to +-the server and to client displays if the +-.Xr sshd 8 +-proxy display is configured to listen on the wildcard address (see +-.Cm X11UseLocalhost ) , +-though this is not the default. 
+-Additionally, the authentication spoofing and authentication data +-verification and substitution occur on the client side. +-The security risk of using X11 forwarding is that the client's X11 +-display server may be exposed to attack when the SSH client requests +-forwarding (see the warnings for +-.Cm ForwardX11 +-in +-.Xr ssh_config 5 ) . +-A system administrator may have a stance in which they want to +-protect clients that may expose themselves to attack by unwittingly +-requesting X11 forwarding, which can warrant a +-.Cm no +-setting. +-.Pp +-Note that disabling X11 forwarding does not prevent users from +-forwarding X11 traffic, as users can always install their own forwarders. +-.It Cm X11UseLocalhost +-Specifies whether +-.Xr sshd 8 +-should bind the X11 forwarding server to the loopback address or to +-the wildcard address. +-By default, +-sshd binds the forwarding server to the loopback address and sets the +-hostname part of the .Ev DISPLAY environment variable to .Cm localhost . Modified: head/security/openssh-portable/files/patch-session.c ============================================================================== --- head/security/openssh-portable/files/patch-session.c Thu Apr 5 17:35:00 2018 (r466576) +++ head/security/openssh-portable/files/patch-session.c Thu Apr 5 18:20:50 2018 (r466577) @@ -10,9 +10,9 @@ Reviewed by: ache Sponsored by: DARPA, NAI Labs ---- session.c 2013-03-14 19:22:37 UTC -+++ session.c -@@ -985,6 +985,9 @@ do_setup_env(Session *s, const char *she +--- session.c.orig 2018-04-01 22:38:28.000000000 -0700 ++++ session.c 2018-04-03 13:56:49.599400000 -0700 +@@ -982,6 +982,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char * struct passwd *pw = s->pw; #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN) char *path = NULL; 
@@ -22,7 +22,7 @@ Sponsored by: DARPA, NAI Labs #endif /* Initialize the environment. */ -@@ -1006,6 +1009,9 @@ do_setup_env(Session *s, const char *she +@@ -1003,6 +1006,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char * } #endif @@ -32,7 +32,7 @@ Sponsored by: DARPA, NAI Labs #ifdef GSSAPI /* Allow any GSSAPI methods that we've used to alter * the childs environment as they see fit -@@ -1023,11 +1029,21 @@ do_setup_env(Session *s, const char *she +@@ -1020,11 +1026,21 @@ do_setup_env(struct ssh *ssh, Session *s, const char * child_set_env(&env, &envsize, "LOGIN", pw->pw_name); #endif child_set_env(&env, &envsize, "HOME", pw->pw_dir); @@ -58,7 +58,7 @@ Sponsored by: DARPA, NAI Labs #else /* HAVE_LOGIN_CAP */ # ifndef HAVE_CYGWIN /* -@@ -1047,15 +1063,9 @@ do_setup_env(Session *s, const char *she +@@ -1044,15 +1060,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char * # endif /* HAVE_CYGWIN */ #endif /* HAVE_LOGIN_CAP */ @@ -71,10 +71,10 @@ Sponsored by: DARPA, NAI Labs - if (getenv("TZ")) - child_set_env(&env, &envsize, "TZ", getenv("TZ")); - - /* Set custom environment options from RSA authentication. */ - while (custom_environment) { - struct envstring *ce = custom_environment; -@@ -1334,7 +1344,7 @@ do_setusercontext(struct passwd *pw) + /* Set custom environment options from pubkey authentication. */ + if (options.permit_user_env) { + for (n = 0 ; n < auth_opts->nenv; n++) { +@@ -1331,7 +1341,7 @@ do_setusercontext(struct passwd *pw) if (platform_privileged_uidswap()) { #ifdef HAVE_LOGIN_CAP if (setusercontext(lc, pw, pw->pw_uid,