Subject: PR/32780 CVS commit: [pkgsrc-2005Q4] pkgsrc/security/openssh
To: None <salo@netbsd.org, gnats-admin@netbsd.org, pkgsrc-bugs@netbsd.org,>
From: Stoned Elipot <seb@netbsd.org>
List: pkgsrc-bugs
Date: 02/12/2006 01:55:02
The following reply was made to PR pkg/32780; it has been noted by GNATS.

From: Stoned Elipot <seb@netbsd.org>
To: gnats-bugs@netbsd.org
Cc: 
Subject: PR/32780 CVS commit: [pkgsrc-2005Q4] pkgsrc/security/openssh
Date: Sun, 12 Feb 2006 01:53:44 +0000 (UTC)

 Module Name:	pkgsrc
 Committed By:	seb
 Date:		Sun Feb 12 01:53:44 UTC 2006
 
 Modified Files:
 	pkgsrc/security/openssh [pkgsrc-2005Q4]: Makefile distinfo options.mk
 	pkgsrc/security/openssh/patches [pkgsrc-2005Q4]: patch-aa patch-ab
 	    patch-ac patch-ae patch-ag patch-am patch-an patch-ao patch-ap
 	    patch-at patch-av
 
 Log Message:
 Pullup ticket 1118 - requested by Lubomir Sedlacik
 update security/openssh including security fix
 
 Revisions pulled up:
 - pkgsrc/security/openssh/Makefile                            1.164
 - pkgsrc/security/openssh/distinfo                            1.51
 - pkgsrc/security/openssh/options.mk                          1.8
 - pkgsrc/security/openssh/patches/patch-aa                    1.41
 - pkgsrc/security/openssh/patches/patch-ab                    1.23
 - pkgsrc/security/openssh/patches/patch-ac                    1.15
 - pkgsrc/security/openssh/patches/patch-ae                    1.11
 - pkgsrc/security/openssh/patches/patch-ag                    1.8
 - pkgsrc/security/openssh/patches/patch-ao                    1.8
 - pkgsrc/security/openssh/patches/patch-am                    1.6
 - pkgsrc/security/openssh/patches/patch-an                    1.7
 - pkgsrc/security/openssh/patches/patch-ap                    1.7
 - pkgsrc/security/openssh/patches/patch-at                    1.3
 - pkgsrc/security/openssh/patches/patch-av                    1.4
 
    Module Name:	pkgsrc
    Committed By:	salo
    Date:		Sun Feb 12 00:13:55 UTC 2006
 
    Modified Files:
    	pkgsrc/security/openssh: Makefile distinfo options.mk
    	pkgsrc/security/openssh/patches: patch-aa patch-ab patch-ac patch-ae
    	    patch-ag patch-am patch-an patch-ao patch-ap patch-at patch-av
 
    Log Message:
    Update to version 3.4p1
 
    From Jason White via PR pkg/32780
 
    Changes:
 
    Security bugs resolved in this release:
 
     * CVE-2006-0225: scp (as does rcp, on which it is based) invoked a
       subshell to perform local to local, and remote to remote copy
       operations. This subshell exposed filenames to shell expansion
       twice; allowing a local attacker to create filenames containing
       shell metacharacters that, if matched by a wildcard, could lead
       to execution of attacker-specified commands with the privilege of
       the user running scp (Bugzilla #1094)
 
    This is primarily a bug-fix release, only one new feature has been
    added:
 
     * Add support for tunneling arbitrary network packets over a
       connection between an OpenSSH client and server via tun(4) virtual
       network interfaces. This allows the use of OpenSSH (4.3+) to create
       a true VPN between the client and server providing real network
       connectivity at layer 2 or 3. This feature is experimental and is
       currently supported on OpenBSD, Linux, NetBSD (IPv4 only) and
       FreeBSD. Other operating systems with tun/tap interface capability
       may be added in future portable OpenSSH releases. Please refer to
       the README.tun file in the source distribution for further details
       and usage examples.
 
    Some of the other bugs resolved and internal improvements are:
 
     * Reduce default key length for new DSA keys generated by ssh-keygen
       back to 1024 bits. DSA is not specified for longer lengths and does
       not fully benefit from simply making keys longer. As per FIPS 186-2
       Change Notice 1, ssh-keygen will refuse to generate a new DSA key
       smaller or larger than 1024 bits
 
     * Fixed X forwarding failing to start when a the X11 client is executed
       in background at the time of session exit (Bugzilla #1086)
 
     * Change ssh-keygen to generate a protocol 2 RSA key when invoked
       without arguments (Bugzilla #1064)
 
     * Fix timing variance for valid vs. invalid accounts when attempting
       Kerberos authentication (Bugzilla #975)
 
     * Ensure that ssh always returns code 255 on internal error (Bugzilla
       #1137)
 
     * Cleanup wtmp files on SIGTERM when not using privsep (Bugzilla #1029)
 
     * Set SO_REUSEADDR on X11 listeners to avoid problems caused by
       lingering sockets from previous session (X11 applications can
       sometimes not connect to 127.0.0.1:60xx) (Bugzilla #1076)
 
     * Ensure that fds 0, 1 and 2 are always attached in all programs, by
       duping /dev/null to them if necessary.
 
     * Xauth list invocation had bogus "." argument (Bugzilla #1082)
 
     * Remove internal assumptions on key exchange hash algorithm and output
       length, preparing OpenSSH for KEX methods with alternate hashes.
 
     * Ignore junk sent by a server before it sends the "SSH-" banner
       (Bugzilla #1067)
 
     * The manpages has been significantly improves and rearranged, in
       addition to other specific manpage fixes:
       #1037 - Man page entries for -L and -R should mention -g.
       #1077 - Descriptions for "ssh -D" and DynamicForward should mention
               they can specify "bind_address" optionally.
       #1088 - Incorrect descriptions in ssh_config man page for
               ControlMaster=no.
       #1121 - Several corrections for ssh_agent manpages
 
     * Lots of cleanups, including fixes to memory leaks on error paths
       (Bugzilla #1109, #1110, #1111 and more) and possible crashes (#1092)
 
     * Portable OpenSSH-specific fixes:
 
       - Pass random seed during re-exec for each connection: speeds up
         processing of new connections on platforms using the OpenSSH's
         builtin entropy collector (ssh-rand-helper)
 
       - PAM fixes and improvements:
         #1045 - Missing option for ignoring the /etc/nologin file
         #1087 - Show PAM password expiry message from LDAP on login
         #1028 - Forward final non-query conversations to client
         #1126 - Prevent user from being forced to change an expired
                 password repeatedly on AIX in some PAM configurations.
         #1045 - Do not check /etc/nologin when PAM is enabled, instead
                 allow PAM to handle it. Note that on platforms using
                 PAM, the pam_nologin module should be used in sshd's
                 session stack in order to maintain past behaviour
 
       - Portability-related fixes:
         #989 - Fix multiplexing regress test on Solaris
         #1097 - Cross-compile fixes.
         #1096 - ssh-keygen broken on HPUX.
         #1098 - $MAIL being set incorrectly for HPUX server login.
         #1104 - Compile error on Tru64 Unix 4.0f
         #1106 - Updated .spec file and startup for SuSE.
         #1122 - Use _GNU_SOURCE define in favor of __USE_GNU, fixing
                 compilation problems on glibc 2.4
 
 
 To generate a diff of this commit:
 cvs rdiff -r1.162 -r1.162.2.1 pkgsrc/security/openssh/Makefile
 cvs rdiff -r1.50 -r1.50.2.1 pkgsrc/security/openssh/distinfo
 cvs rdiff -r1.7 -r1.7.2.1 pkgsrc/security/openssh/options.mk
 cvs rdiff -r1.40 -r1.40.2.1 pkgsrc/security/openssh/patches/patch-aa
 cvs rdiff -r1.22 -r1.22.2.1 pkgsrc/security/openssh/patches/patch-ab
 cvs rdiff -r1.14 -r1.14.2.1 pkgsrc/security/openssh/patches/patch-ac
 cvs rdiff -r1.10 -r1.10.4.1 pkgsrc/security/openssh/patches/patch-ae
 cvs rdiff -r1.7 -r1.7.4.1 pkgsrc/security/openssh/patches/patch-ag \
     pkgsrc/security/openssh/patches/patch-ao
 cvs rdiff -r1.5 -r1.5.4.1 pkgsrc/security/openssh/patches/patch-am
 cvs rdiff -r1.6 -r1.6.4.1 pkgsrc/security/openssh/patches/patch-an \
     pkgsrc/security/openssh/patches/patch-ap
 cvs rdiff -r1.2 -r1.2.4.1 pkgsrc/security/openssh/patches/patch-at
 cvs rdiff -r1.3 -r1.3.2.1 pkgsrc/security/openssh/patches/patch-av
 
 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.