CVS commit: pkgsrc/security/openssh

["Thomas Klausner" <wiz%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   wiz
Date:           Mon Oct  6 12:21:31 UTC 2025

Modified Files:
        pkgsrc/security/openssh: Makefile distinfo

Log Message:
openssh: update to 10.1p1.

Changes since OpenSSH 10.0
==========================

This release contains a minor security fix as well as a number of
feature improvements and bugfixes.

Security
========

* ssh(1): disallow control characters in usernames passed via the
  commandline or expanded using %-sequences from the configuration
  file, and disallow \0 characters in ssh:// URIs.

  If an ssh(1) commandline was constructed using usernames or URIs
  obtained from an untrusted source, and if a ProxyCommand that uses
  the %u expansion was configured, then it may be possible for an
  attacker to inject shell expressions that may be executed when the
  proxy command is started.

  We strongly recommend against using untrusted inputs to construct
  ssh(1) commandlines.

  This change also relaxes the validity checks in one small way:
  usernames supplied via the configuration file as literals (i.e.
  that have no % expansion characters) are not subject to these
  validity checks. This allows usernames that contain arbitrary
  characters to be used, but only via configuration files. This is
  done on the basis that ssh's configuration is trusted.

  This issue was reported by David Leadbeater.

New features
------------

 * ssh(1), sshd(8): add SIGINFO handlers to log active channel and
   session information.

 * sshd(8): when refusing a certificate for user authentication, log
   enough information to identify the certificate in addition to the
   reason why it was being denied. Makes debugging certificate
   authorisation problems a bit easier.

 * ssh(1), ssh-agent(1): support ed25519 keys hosted on PKCS#11
   tokens.

 * ssh(1): add an ssh_config(5) RefuseConnection option that, when
   encountered while processing an active section in a
   configuration, terminates ssh(1) with an error message that
   contains the argument to the option.

   This may be useful for expressing reminders or warnings in config
   files, for example:

   Match host foo
            RefuseConnection "foo is deprecated, use splork instead"

 * sshd(8): make the X11 display number check relative to
   X11DisplayOffset. This will allow people to use X11DisplayOffset
   to configure much higher port ranges if they really want, while
   not changing the default behaviour.

 * unit tests: the unit test framework now includes some basic
   benchmarking capabilities. Run with "make UNITTEST_BENCHMARK=yes"
   on OpenBSD or "make unit-bench" on Portable OpenSSH.

Bugfixes
--------

 * sshd(8): fix mistracking of MaxStartups process exits in some
   situations. At worst, this could cause all MaxStartups slots to
   fill and sshd to refuse new connections.

 * ssh(1): fix delay on X client startup when ObscureKeystrokeTiming
   is enabled. bz#3820

 * sshd(8): increase the maximum size of the supported configuration
   from 256KB to 4MB, which ought to be enough for anybody. Fail
   early and visibly when this limit is breached. bz3808

 * sftp(1): during sftp uploads, avoid a condition where a failed
   write could be ignored if a subsequent write succeeded. This is
   unlikely but technically possible because sftp servers are
   allowed to reorder requests.

 * sshd(8): avoid a race condition when the sshd-auth process exits
   that could cause a spurious error message to be logged.

 * sshd(8): log at level INFO when PerSourcePenalties actually
   blocks access to a source address range. Previously this was
   logged at level VERBOSE, which hid enforcement actions under
   default config settings.

 * sshd(8): GssStrictAcceptor was missing from sshd -T output; fix

 * sshd(8): Make the MaxStartups and PerSourceNetBlockSize options
   first-match-wins as advertised. bz3859

 * ssh(1): fix an incorrect return value check in the local forward
   cancellation path that would cause failed cancellations not to be
   logged.

 * sshd(8): make "Match !final" not trigger a second parsing pass
   of ssh_config (unless hostname canonicalisation or a separate
   "Match final" does). bz3843

 * ssh(1): better debug diagnostics when loading keys. Will now list
   key fingerprint and algorithm (not just algorithm number) as well
   as making it explicit which keys didn't load.

 * All: fix a number of memory leaks found by LeakSanitizer,
   Coverity and manual inspection.

 * sshd(8): Output the current name for PermitRootLogin's
   "prohibit-password" in sshd -T instead of its deprecated alias
   "without-password".  bz#3788

 * ssh(1): make writing known_hosts lines more atomic by writing
   the entire line in one operation and using unbuffered stdio.

   Usually writes to this file are serialised on the "Are you sure
   you want to continue connecting?" prompt, but if host key
   checking is disabled and connections were being made with high
   concurrency then interleaved writes might have been possible.

Portability
-----------

 * sshd(8): check the username didn't change during the PAM
   transactions.

   PAM modules can change the user during their execution, but
   this is not supported by sshd(8). If such a case was incorrectly
   configured by the system administrator, then sshd(8) could end up
   using a different username to the one authorised by PAM.

 * sshd(8): don't log audit messages with UNKNOWN hostname to avoid
   slow DNS lookups in the audit subsystem.

 * All: when making a copy of struct passwd, ensure struct fields are
   non-NULL. Android libc can return NULL pw_gecos, for example.

 * All: Remove status bits from OpenSSL >=3 version check.

 * sshd(8), ssh(1): Use SSH_TUN_COMPAT_AF on FreeBSD. Otherwise tun
   forwarding from other OSes fails as soon as the first IPv6 message
   is sent by the other side (which is usually a Router Solicitation
   ICMPv6 message which is sent as soon as the interface is up).

 * ssh(1), ssh-agent(8): check for nlist function presence before
   attempting to use it instead of relying on the presence of the
   nlist.h header.  Mac OS X, for example, has the header but not
   the function in the 64bit libraries.

 * All: fill in missing system header files.

   Create replacement header files inside openbsd-compat for common
   headers that are missing on a given platform. Usually these are
   just empty, but in some cases they'll include the equivalent file.
   This avoids having to wrap those includes in '#ifdef HAVE_FOO_H'
   and reduces the diff between Portable OpenSSH and OpenBSD.

 * sshd(8): handle futex_time64 properly in seccomp sandbox
   Previously we only allowed __NR_futex, but some 32-bit systems
   apparently support __NR_futex_time64. We had support for this
   in the sandbox, but because of a macro error only __NR_futex was
   allowlisted.

 * Add contrib/gnome-ssh-askpass4 for GNOME 40+ using the GCR API.

 * sshd(8): let ga_init() fail gracefully if getgrouplist does.
   Apparently getgrouplist() can fail on OSX when passed a
   non-existent group name. Other platforms seem to return a group
   list consisting of the numeric gid passed to the function. bz3848

 * ssh-agent(1): exit 0 from SIGTERM under systemd socket-activation,
   preventing a graceful shutdown of an agent via systemd from
   incorrectly marking the service as "failed".

 * build: wrap some autoconf macros in AC_CACHE_CHECK.

   This allows skipping/overriding the OSSH_CHECK_CFLAG_COMPILE and
   OSSH_CHECK_CFLAG_LINK macros used to discover supported compiler
   or linker flags. E.g.

     $ ./configure ossh_cv_cflag__fzero_call_used_regs_used=no
     [...]
     checking if cc supports compile flag -fzero-call-used-regs=used
     and linking succeeds... (cached) no


To generate a diff of this commit:
cvs rdiff -u -r1.289 -r1.290 pkgsrc/security/openssh/Makefile
cvs rdiff -u -r1.127 -r1.128 pkgsrc/security/openssh/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/security/openssh/Makefile
diff -u pkgsrc/security/openssh/Makefile:1.289 pkgsrc/security/openssh/Makefile:1.290
--- pkgsrc/security/openssh/Makefile:1.289      Sun Apr 20 19:15:42 2025
+++ pkgsrc/security/openssh/Makefile    Mon Oct  6 12:21:31 2025
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.289 2025/04/20 19:15:42 wiz Exp $
+# $NetBSD: Makefile,v 1.290 2025/10/06 12:21:31 wiz Exp $
 
-DISTNAME=              openssh-10.0p1
+DISTNAME=              openssh-10.1p1
 CATEGORIES=            security
 MASTER_SITES=          ${MASTER_SITE_OPENBSD:=OpenSSH/portable/}
 

Index: pkgsrc/security/openssh/distinfo
diff -u pkgsrc/security/openssh/distinfo:1.127 pkgsrc/security/openssh/distinfo:1.128
--- pkgsrc/security/openssh/distinfo:1.127      Sun Apr 20 19:15:42 2025
+++ pkgsrc/security/openssh/distinfo    Mon Oct  6 12:21:31 2025
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.127 2025/04/20 19:15:42 wiz Exp $
+$NetBSD: distinfo,v 1.128 2025/10/06 12:21:31 wiz Exp $
 
-BLAKE2s (openssh-10.0p1.tar.gz) = a004afb1db82689d6d20ff70d046ae26512c8a1c5a6a990e4634bcb6744f528e
-SHA512 (openssh-10.0p1.tar.gz) = 2daa1fcf95793b23810142077e68ddfabdf3732b207ef4f033a027f72d733d0e9bcdb6f757e7f3a5934b972de05bfaae3baae381cfc7a400cd8ab4d4e277a0ed
-Size (openssh-10.0p1.tar.gz) = 1972675 bytes
+BLAKE2s (openssh-10.1p1.tar.gz) = 9003b848b10bc23ea63d1cf166f2b500aa3321cb0f4964cfc2bc34ad5622f25e
+SHA512 (openssh-10.1p1.tar.gz) = 9b88ac5b84461a0d4f6022b4dee294964487ea36d5ba5cb9c35d2edcba49a687c609ea30f272ebf924270a025cf2cd82677d0917e5d37334534cd5bee93452d9
+Size (openssh-10.1p1.tar.gz) = 1972831 bytes
 SHA1 (patch-Makefile.in) = d58adac52e169f25f0b0c3a321f154b44b0475e6
 SHA1 (patch-configure.ac) = 10894c1b98298a1672ec151a223f6180bf841fa4
 SHA1 (patch-defines.h) = c1dbb18076b4fa399b0f791bb543ef1e5cb0408e