Date: Tue, 8 Oct 2024 18:14:50 GMT From: Bryan Drewery <bdrewery@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 778644b31730 - main - security/openssh-portable: Update to 9.9p1 Message-ID: <202410081814.498IEoBH091031@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by bdrewery: URL: https://cgit.FreeBSD.org/ports/commit/?id=778644b31730434e01eadfbe3a13101ea5cb4156 commit 778644b31730434e01eadfbe3a13101ea5cb4156 Author: Bryan Drewery <bdrewery@FreeBSD.org> AuthorDate: 2024-10-08 18:05:43 +0000 Commit: Bryan Drewery <bdrewery@FreeBSD.org> CommitDate: 2024-10-08 18:14:10 +0000 security/openssh-portable: Update to 9.9p1 --- security/openssh-portable/Makefile | 10 ++-- security/openssh-portable/distinfo | 10 ++-- .../openssh-portable/files/extra-patch-hpn-compat | 8 +-- .../openssh-portable/files/patch-FreeBSD-logincap | 69 ---------------------- 4 files changed, 14 insertions(+), 83 deletions(-) diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile index 97ba9e01adf9..69edba17e8cc 100644 --- a/security/openssh-portable/Makefile +++ b/security/openssh-portable/Makefile @@ -1,6 +1,6 @@ PORTNAME= openssh -DISTVERSION= 9.8p1 -PORTREVISION= 1 +DISTVERSION= 9.9p1 +PORTREVISION= 0 PORTEPOCH= 1 CATEGORIES= security MASTER_SITES= OPENBSD/OpenSSH/portable @@ -109,13 +109,13 @@ EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-gss-glue . endif # - See https://sources.debian.org/data/main/o/openssh/ for which subdir to # pull from. -GSSAPI_DEBIAN_VERSION= 9.8p1 -GSSAPI_DEBIAN_SUBDIR= ${GSSAPI_DEBIAN_VERSION:U${DISTVERSION}}-3 +GSSAPI_DEBIAN_VERSION= 9.9p1 +GSSAPI_DEBIAN_SUBDIR= ${GSSAPI_DEBIAN_VERSION:U${DISTVERSION}}-1 # - Debian does not use a versioned filename so we trick fetch to make one for # us with the ?<anything>=/ trick. PATCH_SITES+= https://sources.debian.org/data/main/o/openssh/1:${GSSAPI_DEBIAN_SUBDIR}/debian/patches/gssapi.patch?dummy=/:gsskex # Bump this when updating the patch location -GSSAPI_DISTVERSION= 9.8p1 +GSSAPI_DISTVERSION= 9.9p1 PATCHFILES+= openssh-${GSSAPI_DISTVERSION:U${DISTVERSION}}-gsskex-all-debian-rh-${GSSAPI_DISTVERSION}.patch:-p1:gsskex EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-kexgssc.c EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-kexgsss.c diff --git a/security/openssh-portable/distinfo b/security/openssh-portable/distinfo index 11c1f02429d4..41138b4167db 100644 --- a/security/openssh-portable/distinfo +++ b/security/openssh-portable/distinfo @@ -1,5 +1,5 @@ -TIMESTAMP = 1722605239 -SHA256 (openssh-9.8p1.tar.gz) = dd8bd002a379b5d499dfb050dd1fa9af8029e80461f4bb6c523c49973f5a39f3 -SIZE (openssh-9.8p1.tar.gz) = 1910393 -SHA256 (openssh-9.8p1-gsskex-all-debian-rh-9.8p1.patch) = f5b93bf8076aa386afa63e98bb5b39b6e477b8ccb24d2d4b700f6cd685be6f78 -SIZE (openssh-9.8p1-gsskex-all-debian-rh-9.8p1.patch) = 125084 +TIMESTAMP = 1728410939 +SHA256 (openssh-9.9p1.tar.gz) = b343fbcdbff87f15b1986e6e15d6d4fc9a7d36066be6b7fb507087ba8f966c02 +SIZE (openssh-9.9p1.tar.gz) = 1964864 +SHA256 (openssh-9.9p1-gsskex-all-debian-rh-9.9p1.patch) = b8b590024137d54394fd46ebfe32f2b081d0744abdcdcacf6dd30d1c91339864 +SIZE (openssh-9.9p1-gsskex-all-debian-rh-9.9p1.patch) = 125233 diff --git a/security/openssh-portable/files/extra-patch-hpn-compat b/security/openssh-portable/files/extra-patch-hpn-compat index 2460c27491fa..ab7617663feb 100644 --- a/security/openssh-portable/files/extra-patch-hpn-compat +++ b/security/openssh-portable/files/extra-patch-hpn-compat @@ -31,12 +31,12 @@ r294563 was incomplete; re-add the client-side options as well. { NULL, oBadOption } }; ---- servconf.c.orig 2024-06-30 21:36:28.000000000 -0700 -+++ servconf.c 2024-07-01 13:29:27.091708000 -0700 -@@ -739,6 +739,10 @@ static struct { - { "channeltimeout", sChannelTimeout, SSHCFG_ALL }, +--- servconf.c.orig 2024-09-19 15:20:48.000000000 -0700 ++++ servconf.c 2024-10-07 20:18:18.259726000 -0700 +@@ -746,6 +746,10 @@ static struct { { "unusedconnectiontimeout", sUnusedConnectionTimeout, SSHCFG_ALL }, { "sshdsessionpath", sSshdSessionPath, SSHCFG_GLOBAL }, + { "refuseconnection", sRefuseConnection, SSHCFG_ALL }, + { "noneenabled", sUnsupported, SSHCFG_ALL }, + { "hpndisabled", sDeprecated, SSHCFG_ALL }, + { "hpnbuffersize", sDeprecated, SSHCFG_ALL }, diff --git a/security/openssh-portable/files/patch-FreeBSD-logincap b/security/openssh-portable/files/patch-FreeBSD-logincap deleted file mode 100644 index 78d772e8a024..000000000000 --- a/security/openssh-portable/files/patch-FreeBSD-logincap +++ /dev/null @@ -1,69 +0,0 @@ -(pulled from the PR) - -commit 27ceebbc2402e4c98203c7eef9696f4bd3d326f8 -Author: Ed Maste <emaste@FreeBSD.org> -Date: Tue Aug 31 15:30:50 2021 -0400 - - openssh: simplify login class restrictions - - Login class-based restrictions were introduced in 5b400a39b8ad. The - code was adapted for sshd's Capsicum sandbox and received many changes - over time, including at least fc3c19a9fcee, bd393de91cc3, and - e8c56fba2926. - - During an attempt to upstream the work a much simpler approach was - suggested. Adopt it now in the in-tree OpenSSH to reduce conflicts with - future updates. - - Submitted by: Yuchiro Naito (against OpenSSH-portable on GitHub) - Obtained from: https://github.com/openssh/openssh-portable/pull/262 - Reviewed by: allanjude, kevans - MFC after: 2 weeks - Differential Revision: https://reviews.freebsd.org/D31760 - - ---- auth.c -+++ auth.c -@@ -566,6 +566,9 @@ getpwnamallow(struct ssh *ssh, const char *user) - { - #ifdef HAVE_LOGIN_CAP - extern login_cap_t *lc; -+#ifdef HAVE_AUTH_HOSTOK -+ const char *from_host, *from_ip; -+#endif - #ifdef BSD_AUTH - auth_session_t *as; - #endif -@@ -611,6 +614,21 @@ getpwnamallow(struct ssh *ssh, const char *user) - debug("unable to get login class: %s", user); - return (NULL); - } -+#ifdef HAVE_AUTH_HOSTOK -+ from_host = auth_get_canonical_hostname(ssh, options.use_dns); -+ from_ip = ssh_remote_ipaddr(ssh); -+ if (!auth_hostok(lc, from_host, from_ip)) { -+ debug("Denied connection for %.200s from %.200s [%.200s].", -+ pw->pw_name, from_host, from_ip); -+ return (NULL); -+ } -+#endif /* HAVE_AUTH_HOSTOK */ -+#ifdef HAVE_AUTH_TIMEOK -+ if (!auth_timeok(lc, time(NULL))) { -+ debug("LOGIN %.200s REFUSED (TIME)", pw->pw_name); -+ return (NULL); -+ } -+#endif /* HAVE_AUTH_TIMEOK */ - #ifdef BSD_AUTH - if ((as = auth_open()) == NULL || auth_setpwd(as, pw) != 0 || - auth_approval(as, lc, pw->pw_name, "ssh") <= 0) { ---- configure.ac -+++ configure.ac -@@ -1784,6 +1784,8 @@ AC_SUBST([PICFLAG]) - - dnl Checks for library functions. Please keep in alphabetical order - AC_CHECK_FUNCS([ \ -+ auth_hostok \ -+ auth_timeok \ - Blowfish_initstate \ - Blowfish_expandstate \ - Blowfish_expand0state \
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202410081814.498IEoBH091031>