Date:      Thu, 16 Feb 2023 19:24:21 GMT
From:      Bryan Drewery <bdrewery@FreeBSD.org>
To:        ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject:   git: 10491773d880 - main - security/openssh-portable: Upgrade to 9.2p1
Message-ID:  <202302161924.31GJOLrG002193@gitrepo.freebsd.org>

The branch main has been updated by bdrewery:

URL: https://cgit.FreeBSD.org/ports/commit/?id=10491773d88012fe81d9c039cbbba647bde9ebc9

commit 10491773d88012fe81d9c039cbbba647bde9ebc9
Author:     Bryan Drewery <bdrewery@FreeBSD.org>
AuthorDate: 2023-02-15 19:43:18 +0000
Commit:     Bryan Drewery <bdrewery@FreeBSD.org>
CommitDate: 2023-02-16 19:23:04 +0000

    security/openssh-portable: Upgrade to 9.2p1
    
    Changes: https://www.openssh.com/txt/release-9.2
---
 security/openssh-portable/Makefile                 |  5 ++--
 security/openssh-portable/distinfo                 | 10 +++----
 security/openssh-portable/files/extra-patch-hpn    | 32 +++++++++++-----------
 .../openssh-portable/files/extra-patch-hpn-compat  | 18 ++++++------
 .../files/patch-platform-tracing.c                 | 21 --------------
 security/openssh-portable/files/patch-ssh-agent.c  | 24 ++++++++--------
 6 files changed, 45 insertions(+), 65 deletions(-)

diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile
index 1b31a37aa422..4c0c4a940024 100644
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@@ -1,5 +1,5 @@
 PORTNAME=	openssh
-DISTVERSION=	9.1p1
+DISTVERSION=	9.2p1
 PORTREVISION=	0
 PORTEPOCH=	1
 CATEGORIES=	security
@@ -108,7 +108,8 @@ EXTRA_PATCHES+=	${FILESDIR}/extra-patch-hpn-gss-glue
 .  endif
 # - See https://sources.debian.org/data/main/o/openssh/ for which subdir to
 # pull from.
-GSSAPI_DEBIAN_SUBDIR=	${DISTVERSION}-2
+GSSAPI_DEBIAN_VERSION=	9.2p1
+GSSAPI_DEBIAN_SUBDIR=	${GSSAPI_DEBIAN_VERSION:U${DISTVERSION}}-2
 # - Debian does not use a versioned filename so we trick fetch to make one for
 # us with the ?<anything>=/ trick.
 PATCH_SITES+=	https://sources.debian.org/data/main/o/openssh/1:${GSSAPI_DEBIAN_SUBDIR}/debian/patches/gssapi.patch?dummy=/:gsskex
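Review bot: `GSSAPI_DEBIAN_VERSION` is assigned unconditionally on the line directly above its only use, so the `:U${DISTVERSION}` fallback in `GSSAPI_DEBIAN_SUBDIR` can never take effect. Unless the variable is bumped by hand, a later `DISTVERSION` bump would presumably keep fetching the 9.2p1 Debian GSSAPI patch and apply it to newer sources. Either leave the assignment commented out when Debian is in step with `DISTVERSION`, or document the intent above it, e.g. `# Set only while Debian lags behind DISTVERSION; otherwise leave undefined so the :U fallback applies.` Because the download URL carries no version in its filename (per the comment below), the `distinfo` checksum is the only thing tying the fetched patch to a release, which makes a stale pin easy to miss.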
diff --git a/security/openssh-portable/distinfo b/security/openssh-portable/distinfo
index 5b2a5590e2a5..fbd9733b60d3 100644
--- a/security/openssh-portable/distinfo
+++ b/security/openssh-portable/distinfo
@@ -1,5 +1,5 @@
-TIMESTAMP = 1675460254
-SHA256 (openssh-9.1p1.tar.gz) = 19f85009c7e3e23787f0236fbb1578392ab4d4bf9f8ec5fe6bc1cd7e8bfdd288
-SIZE (openssh-9.1p1.tar.gz) = 1838747
-SHA256 (openssh-9.1p1-gsskex-all-20141021-debian-rh-20220203.patch) = 98202e8c36d7a2fd75b6247c22e44267f3812e83d8d22789f7ed1e142f4aa771
-SIZE (openssh-9.1p1-gsskex-all-20141021-debian-rh-20220203.patch) = 127232
+TIMESTAMP = 1676575062
+SHA256 (openssh-9.2p1.tar.gz) = 3f66dbf1655fb45f50e1c56da62ab01218c228807b21338d634ebcdf9d71cf46
+SIZE (openssh-9.2p1.tar.gz) = 1852380
+SHA256 (openssh-9.2p1-gsskex-all-20141021-debian-rh-20220203.patch) = acf9b12d68eeeae047d1042954473f859c10a7c2a4b5d9dc54fcbbd5e30a3a58
+SIZE (openssh-9.2p1-gsskex-all-20141021-debian-rh-20220203.patch) = 131618
diff --git a/security/openssh-portable/files/extra-patch-hpn b/security/openssh-portable/files/extra-patch-hpn
index 907775d94642..1f25a207b00b 100644
--- a/security/openssh-portable/files/extra-patch-hpn
+++ b/security/openssh-portable/files/extra-patch-hpn
@@ -131,9 +131,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +	 (tasota@gmail.com) an NSF REU grant recipient for 2013. 
 +	 This work was financed, in part, by Cisco System, Inc., the National 
 +         Library of Medicine, and the National Science Foundation. 
---- work/openssh/channels.c.orig	2021-04-15 20:55:25.000000000 -0700
-+++ work/openssh/channels.c	2021-04-28 14:35:20.732518000 -0700
-@@ -220,6 +220,12 @@ static int rdynamic_connect_finish(struct ssh *, Chann
+--- channels.c.orig	2023-02-02 04:21:54.000000000 -0800
++++ channels.c	2023-02-03 10:45:34.136793000 -0800
+@@ -229,6 +229,12 @@ static void channel_handler_init(struct ssh_channels *
  /* Setup helper */
  static void channel_handler_init(struct ssh_channels *sc);
  
@@ -146,7 +146,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  /* -- channel core */
  
  void
-@@ -395,6 +401,9 @@ channel_new(struct ssh *ssh, char *ctype, int type, in
+@@ -495,6 +501,9 @@ channel_new(struct ssh *ssh, char *ctype, int type, in
  	c->local_window = window;
  	c->local_window_max = window;
  	c->local_maxpacket = maxpack;
@@ -156,8 +156,8 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  	c->remote_name = xstrdup(remote_name);
  	c->ctl_chan = -1;
  	c->delayed = 1;		/* prevent call to channel_post handler */
-@@ -1082,6 +1091,30 @@ channel_pre_connecting(struct ssh *ssh, Channel *c,
- 	FD_SET(c->sock, writeset);
+@@ -1190,6 +1199,30 @@ channel_set_fds(struct ssh *ssh, int id, int rfd, int 
+ 		fatal_fr(r, "channel %i", c->self);
  }
  
 +#ifdef HPN_ENABLED
@@ -185,9 +185,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +#endif
 +
  static void
- channel_pre_open(struct ssh *ssh, Channel *c,
-     fd_set *readset, fd_set *writeset)
-@@ -2124,18 +2157,29 @@ channel_check_window(struct ssh *ssh, Channel *c)
+ channel_pre_listener(struct ssh *ssh, Channel *c)
+ {
+@@ -2301,18 +2334,29 @@ channel_check_window(struct ssh *ssh, Channel *c)
  	    c->local_maxpacket*3) ||
  	    c->local_window < c->local_window_max/2) &&
  	    c->local_consumed > 0) {
@@ -220,7 +220,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  		c->local_consumed = 0;
  	}
  	return 1;
-@@ -3302,6 +3346,17 @@ channel_fwd_bind_addr(struct ssh *ssh, const char *lis
+@@ -3709,6 +3753,17 @@ channel_fwd_bind_addr(struct ssh *ssh, const char *lis
  	return addr;
  }
  
@@ -238,7 +238,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  static int
  channel_setup_fwd_listener_tcpip(struct ssh *ssh, int type,
      struct Forward *fwd, int *allocated_listen_port,
-@@ -3442,6 +3497,17 @@ channel_setup_fwd_listener_tcpip(struct ssh *ssh, int 
+@@ -3848,6 +3903,17 @@ channel_setup_fwd_listener_tcpip(struct ssh *ssh, int 
  		}
  
  		/* Allocate a channel number for the socket. */
@@ -248,15 +248,15 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +		 * window size.
 +		 */
 +		if (!hpn_disabled)
-+			c = channel_new(ssh, "port listener", type, sock, sock, -1,
-+			    hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT,
++			c = channel_new(ssh, "port listener", type, sock, sock,
++			    -1, hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT,
 +			    0, "port listener", 1);
 +		else
 +#endif
- 		c = channel_new(ssh, "port listener", type, sock, sock, -1,
+ 		c = channel_new(ssh, "port-listener", type, sock, sock, -1,
  		    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
  		    0, "port listener", 1);
-@@ -4610,6 +4676,14 @@ x11_create_display_inet(struct ssh *ssh, int x11_displ
+@@ -5016,6 +5082,14 @@ x11_create_display_inet(struct ssh *ssh, int x11_displ
  	*chanids = xcalloc(num_socks + 1, sizeof(**chanids));
  	for (n = 0; n < num_socks; n++) {
  		sock = socks[n];
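Review bot: The HPN branch of the listener setup in channel_setup_fwd_listener_tcpip still passes the old channel type string `"port listener"` as ctype, while the non-HPN call right below it now follows the 9.2 rename to `"port-listener"`. The two paths therefore create listener channels under different type names, so any 9.2 code that matches on the type string (not visible here) would behave differently depending on `hpn_disabled`. The re-wrapped line should read `c = channel_new(ssh, "port-listener", type, sock, sock,`. The X11 listener hunk that follows makes the same rename to `"x11-listener"` on the non-HPN call, but the ctype line of its HPN branch lies outside that hunk and should be checked as well. The enclosing function starts and ends outside this hunk.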
@@ -268,7 +268,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +			    0, "X11 inet listener", 1);
 +		else
 +#endif
- 		nc = channel_new(ssh, "x11 listener",
+ 		nc = channel_new(ssh, "x11-listener",
  		    SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
  		    CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
 --- work/openssh-7.7p1/channels.h.orig	2018-04-01 22:38:28.000000000 -0700
diff --git a/security/openssh-portable/files/extra-patch-hpn-compat b/security/openssh-portable/files/extra-patch-hpn-compat
index d78aa1821e49..6f6a0e1aa358 100644
--- a/security/openssh-portable/files/extra-patch-hpn-compat
+++ b/security/openssh-portable/files/extra-patch-hpn-compat
@@ -16,12 +16,12 @@ r294563 was incomplete; re-add the client-side options as well.
 
 ------------------------------------------------------------------------
 
---- readconf.c.orig	2022-10-04 08:57:04.041419000 -0700
-+++ readconf.c	2022-10-04 08:57:56.915474000 -0700
-@@ -321,6 +321,12 @@ static struct {
- 	{ "securitykeyprovider", oSecurityKeyProvider },
+--- readconf.c.orig	2023-02-03 11:17:45.506822000 -0800
++++ readconf.c	2023-02-03 11:30:14.894959000 -0800
+@@ -323,6 +323,12 @@ static struct {
  	{ "knownhostscommand", oKnownHostsCommand },
  	{ "requiredrsasize", oRequiredRSASize },
+ 	{ "enableescapecommandline", oEnableEscapeCommandline },
 +	{ "hpndisabled", oDeprecated },
 +	{ "hpnbuffersize", oDeprecated },
 +	{ "tcprcvbufpoll", oDeprecated },
@@ -31,12 +31,12 @@ r294563 was incomplete; re-add the client-side options as well.
  
  	{ NULL, oBadOption }
  };
---- servconf.c.orig	2022-10-03 07:51:42.000000000 -0700
-+++ servconf.c	2022-10-04 08:58:21.118208000 -0700
-@@ -681,6 +681,10 @@ static struct {
- 	{ "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
- 	{ "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL },
+--- servconf.c.orig	2023-02-02 04:21:54.000000000 -0800
++++ servconf.c	2023-02-03 11:31:00.387624000 -0800
+@@ -695,6 +695,10 @@ static struct {
  	{ "requiredrsasize", sRequiredRSASize, SSHCFG_ALL },
+ 	{ "channeltimeout", sChannelTimeout, SSHCFG_ALL },
+ 	{ "unusedconnectiontimeout", sUnusedConnectionTimeout, SSHCFG_ALL },
 +	{ "noneenabled", sUnsupported, SSHCFG_ALL },
 +	{ "hpndisabled", sDeprecated, SSHCFG_ALL },
 +	{ "hpnbuffersize", sDeprecated, SSHCFG_ALL },
diff --git a/security/openssh-portable/files/patch-platform-tracing.c b/security/openssh-portable/files/patch-platform-tracing.c
deleted file mode 100644
index 160def21ac3e..000000000000
--- a/security/openssh-portable/files/patch-platform-tracing.c
+++ /dev/null
@@ -1,21 +0,0 @@
---- platform-tracing.c.orig	2022-03-07 14:48:27.152541000 -0800
-+++ platform-tracing.c	2022-03-07 14:56:33.402458000 -0800
-@@ -32,6 +32,9 @@
- #include <stdarg.h>
- #include <stdio.h>
- #include <string.h>
-+#if defined(HAVE_PROCCTL)
-+#include <unistd.h>
-+#endif
- 
- #include "log.h"
- 
-@@ -42,7 +45,7 @@ platform_disable_tracing(int strict)
- 	/* On FreeBSD, we should make this process untraceable */
- 	int disable_trace = PROC_TRACE_CTL_DISABLE;
- 
--	if (procctl(P_PID, 0, PROC_TRACE_CTL, &disable_trace) && strict)
-+	if (procctl(P_PID, getpid(), PROC_TRACE_CTL, &disable_trace) && strict)
- 		fatal("unable to make the process untraceable: %s",
- 		    strerror(errno));
- #endif
diff --git a/security/openssh-portable/files/patch-ssh-agent.c b/security/openssh-portable/files/patch-ssh-agent.c
index 2937b4a7d2f9..9fc1abc0dfab 100644
--- a/security/openssh-portable/files/patch-ssh-agent.c
+++ b/security/openssh-portable/files/patch-ssh-agent.c
@@ -8,9 +8,9 @@ r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines
 Add a -x option that causes ssh-agent(1) to exit when all clients have
 disconnected.
 
---- ssh-agent.c.orig	2022-02-23 03:31:11.000000000 -0800
-+++ ssh-agent.c	2022-03-02 12:50:47.745853000 -0800
-@@ -189,11 +189,28 @@ static int fingerprint_hash = SSH_FP_HASH_DEFAULT;
+--- ssh-agent.c.orig	2023-02-02 04:21:54.000000000 -0800
++++ ssh-agent.c	2023-02-03 10:55:34.277561000 -0800
+@@ -188,11 +188,28 @@ static int restrict_websafe = 1;
  /* Refuse signing of non-SSH messages for web-origin FIDO keys */
  static int restrict_websafe = 1;
  
@@ -39,7 +39,7 @@ disconnected.
  	close(e->fd);
  	sshbuf_free(e->input);
  	sshbuf_free(e->output);
-@@ -206,6 +223,8 @@ close_socket(SocketEntry *e)
+@@ -205,6 +222,8 @@ close_socket(SocketEntry *e)
  	memset(e, '\0', sizeof(*e));
  	e->fd = -1;
  	e->type = AUTH_UNUSED;
@@ -48,7 +48,7 @@ disconnected.
  }
  
  static void
-@@ -1707,6 +1726,10 @@ new_socket(sock_type type, int fd)
+@@ -1698,6 +1717,10 @@ new_socket(sock_type type, int fd)
  
  	debug_f("type = %s", type == AUTH_CONNECTION ? "CONNECTION" :
  	    (type == AUTH_SOCKET ? "SOCKET" : "UNKNOWN"));
@@ -59,16 +59,16 @@ disconnected.
  	set_nonblock(fd);
  
  	if (fd > max_fd)
-@@ -1999,7 +2022,7 @@ static void
+@@ -1990,7 +2013,7 @@ usage(void)
  usage(void)
  {
  	fprintf(stderr,
 -	    "usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n"
 +	    "usage: ssh-agent [-c | -s] [-Ddx] [-a bind_address] [-E fingerprint_hash]\n"
- 	    "                 [-P allowed_providers] [-t life]\n"
- 	    "       ssh-agent [-a bind_address] [-E fingerprint_hash] [-P allowed_providers]\n"
- 	    "                 [-t life] command [arg ...]\n"
-@@ -2033,6 +2056,7 @@ main(int ac, char **av)
+ 	    "                 [-O option] [-P allowed_providers] [-t life]\n"
+ 	    "       ssh-agent [-a bind_address] [-E fingerprint_hash] [-O option]\n"
+ 	    "                 [-P allowed_providers] [-t life] command [arg ...]\n"
+@@ -2024,6 +2047,7 @@ main(int ac, char **av)
  	/* drop */
  	setegid(getgid());
  	setgid(getgid());
@@ -76,7 +76,7 @@ disconnected.
  
  	platform_disable_tracing(0);	/* strict=no */
  
-@@ -2044,7 +2068,7 @@ main(int ac, char **av)
+@@ -2035,7 +2059,7 @@ main(int ac, char **av)
  	__progname = ssh_get_progname(av[0]);
  	seed_rng();
  
@@ -85,7 +85,7 @@ disconnected.
  		switch (ch) {
  		case 'E':
  			fingerprint_hash = ssh_digest_alg_by_name(optarg);
-@@ -2093,6 +2117,9 @@ main(int ac, char **av)
+@@ -2084,6 +2108,9 @@ main(int ac, char **av)
  				fprintf(stderr, "Invalid lifetime\n");
  				usage();
  			}


