pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/security/openssh Update security/openssh to 7.5p1.



details:   https://anonhg.NetBSD.org/pkgsrc/rev/a0867c6d7c39
branches:  trunk
changeset: 363056:a0867c6d7c39
user:      jperkin <jperkin%pkgsrc.org@localhost>
date:      Wed May 31 09:30:21 2017 +0000

description:
Update security/openssh to 7.5p1.

Potentially-incompatible changes
================================

This release includes a number of changes that may affect existing
configurations:

 * This release deprecates the sshd_config UsePrivilegeSeparation
   option, thereby making privilege separation mandatory. Privilege
   separation has been on by default for almost 15 years and
   sandboxing has been on by default for almost the last five.

 * The format of several log messages emitted by the packet code has
   changed to include additional information about the user and
   their authentication state. Software that monitors ssh/sshd logs
   may need to account for these changes. For example:

   Connection closed by user x 1.1.1.1 port 1234 [preauth]
   Connection closed by authenticating user x 10.1.1.1 port 1234 [preauth]
   Connection closed by invalid user x 1.1.1.1 port 1234 [preauth]

   Affected messages include connection closure, timeout, remote
   disconnection, negotiation failure and some other fatal messages
   generated by the packet code.

 * [Portable OpenSSH only] This version removes support for building
   against OpenSSL versions prior to 1.0.1. OpenSSL stopped supporting
   versions prior to 1.0.1 over 12 months ago (i.e. they no longer
   receive fixes for security bugs).

Changes since OpenSSH 7.4
=========================

This is a bugfix release.

Security
--------

 * ssh(1), sshd(8): Fix weakness in CBC padding oracle countermeasures
   that allowed a variant of the attack fixed in OpenSSH 7.3 to proceed.
   Note that the OpenSSH client disables CBC ciphers by default, sshd
   offers them as lowest-preference options and will remove them by
   default entirely in the next release. Reported by Jean Paul
   Degabriele, Kenny Paterson, Martin Albrecht and Torben Hansen of
   Royal Holloway, University of London.

 * sftp-client(1): [portable OpenSSH only] On Cygwin, a client making
   a recursive file transfer could be manipulated by a hostile server to
   perform a path-traversal attack, creating or modifying files outside
   of the intended target directory. Reported by Jann Horn of Google
   Project Zero.

New Features
------------

 * ssh(1), sshd(8): Support "=-" syntax to easily remove methods from
   algorithm lists, e.g. Ciphers=-*cbc. bz#2671

Bugfixes
--------

 * sshd(1): Fix NULL dereference crash when key exchange start
   messages are sent out of sequence.

 * ssh(1), sshd(8): Allow form-feed characters to appear in
   configuration files.

 * sshd(8): Fix regression in OpenSSH 7.4 support for the
   server-sig-algs extension, where SHA2 RSA signature methods were
   not being correctly advertised. bz#2680

 * ssh(1), ssh-keygen(1): Fix a number of case-sensitivity bugs in
   known_hosts processing. bz#2591 bz#2685

 * ssh(1): Allow ssh to use certificates accompanied by a private key
   file but no corresponding plain *.pub public key. bz#2617

 * ssh(1): When updating hostkeys using the UpdateHostKeys option,
   accept RSA keys if HostkeyAlgorithms contains any RSA keytype.
   Previously, ssh could ignore RSA keys when only the ssh-rsa-sha2-*
   methods were enabled in HostkeyAlgorithms and not the old ssh-rsa
   method. bz#2650

 * ssh(1): Detect and report excessively long configuration file
   lines. bz#2651

 * Merge a number of fixes found by Coverity and reported via Redhat
   and FreeBSD. Includes fixes for some memory and file descriptor
   leaks in error paths. bz#2687

 * ssh-keyscan(1): Correctly hash hosts with a port number. bz#2692

 * ssh(1), sshd(8): When logging long messages to stderr, don't truncate
   "\r\n" if the length of the message exceeds the buffer. bz#2688

 * ssh(1): Fully quote [host]:port in generated ProxyJump/-J command-
   line; avoid confusion over IPv6 addresses and shells that treat
   square bracket characters specially.

 * ssh-keygen(1): Fix corruption of known_hosts when running
   "ssh-keygen -H" on a known_hosts containing already-hashed entries.

 * Fix various fallout and sharp edges caused by removing SSH protocol
   1 support from the server, including the server banner string being
   incorrectly terminated with only \n (instead of \r\n), confusing
   error messages from ssh-keyscan bz#2583 and a segfault in sshd
   if protocol v.1 was enabled for the client and sshd_config
   contained references to legacy keys bz#2686.

 * ssh(1), sshd(8): Free fd_set on connection timeout. bz#2683

 * sshd(8): Fix Unix domain socket forwarding for root (regression in
   OpenSSH 7.4).

 * sftp(1): Fix division by zero crash in "df" output when server
   returns zero total filesystem blocks/inodes.

 * ssh(1), ssh-add(1), ssh-keygen(1), sshd(8): Translate OpenSSL errors
   encountered during key loading to more meaningful error codes.
   bz#2522 bz#2523

 * ssh-keygen(1): Sanitise escape sequences in key comments sent to
   printf but preserve valid UTF-8 when the locale supports it;
   bz#2520

 * ssh(1), sshd(8): Return reason for port forwarding failures where
   feasible rather than always "administratively prohibited". bz#2674

 * sshd(8): Fix deadlock when AuthorizedKeysCommand or
   AuthorizedPrincipalsCommand produces a lot of output and a key is
   matched early. bz#2655

 * Regression tests: several reliability fixes. bz#2654 bz#2658 bz#2659

 * ssh(1): Fix typo in ~C error message for bad port forward
   cancellation. bz#2672

 * ssh(1): Show a useful error message when included config files
   can't be opened; bz#2653

 * sshd(8): Make sshd set GSSAPIStrictAcceptorCheck=yes as the manual page
   (previously incorrectly) advertised. bz#2637

 * sshd_config(5): Repair accidentally-deleted mention of %k token
   in AuthorizedKeysCommand; bz#2656

 * sshd(8): Remove vestiges of previously removed LOGIN_PROGRAM; bz#2665

 * ssh-agent(1): Relax PKCS#11 whitelist to include libexec and
   common 32-bit compatibility library directories.

 * sftp-client(1): Fix non-exploitable integer overflow in SSH2_FXP_NAME
   response handling.

 * ssh-agent(1): Fix regression in 7.4 of deleting PKCS#11-hosted
   keys. It was not possible to delete them except by specifying
   their full physical path. bz#2682

Portability
-----------

 * sshd(8): Avoid sandbox errors for Linux S390 systems using an ICA
   crypto coprocessor.

 * sshd(8): Fix non-exploitable weakness in seccomp-bpf sandbox arg
   inspection.

 * ssh(1): Fix X11 forwarding on OSX where X11 was being started by
   launchd. bz#2341

 * ssh-keygen(1), ssh(1), sftp(1): Fix output truncation for various that
   contain non-printable characters where the codeset in use is ASCII.

 * build: Fix builds that attempt to link a kerberised libldns. bz#2603

 * build: Fix compilation problems caused by unconditionally defining
   _XOPEN_SOURCE in wide character detection.

 * sshd(8): Fix sandbox violations for clock_gettime VSDO syscall
   fallback on some Linux/X32 kernels. bz#2142
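
A parser for the changed connection-closure messages, added here as an example (it is not part of this commit or of OpenSSH). The sample lines are constructed from the three forms quoted in the release notes plus a pre-7.5 line, and the per-address count is a hypothetical monitor rule that the new user/state fields make possible:

```python
import re
from collections import Counter
# Constructed sample lines (not real log data): the three 7.5-format examples
# from the release notes, another invalid-user closure, a pre-7.5 closure with
# no user field, and an unrelated line the parser must ignore.
SAMPLE_LOG = """\
Connection closed by user x 1.1.1.1 port 1234 [preauth]
Connection closed by authenticating user x 10.1.1.1 port 1234 [preauth]
Connection closed by invalid user x 1.1.1.1 port 1234 [preauth]
Connection closed by invalid user admin 1.1.1.1 port 1235 [preauth]
Connection closed by 192.0.2.7 port 2222 [preauth]
Accepted publickey for x from 10.1.1.1 port 1300 ssh2
"""

# 7.5 form: optional qualifier, the word "user", the name, then address/port.
NEW_RE = re.compile(
    r"^Connection closed by (?:(?P<qual>authenticating|invalid) )?user "
    r"(?P<user>\S+) (?P<ip>\S+) port (?P<port>\d+)(?P<pre> \[preauth\])?$")
# Pre-7.5 form: only address and port, which is all older monitors expect.
OLD_RE = re.compile(
    r"^Connection closed by (?P<ip>\S+) port (?P<port>\d+)(?P<pre> \[preauth\])?$")


def parse_closure(line):
    """Parse one closure line into a dict, or return None for other lines.
    'qualifier' is the literal word before 'user' ('authenticating' or
    'invalid') or '' for a plain 'user x'; 'user' is None for the pre-7.5 form."""
    line = line.rstrip("\n")
    m = NEW_RE.match(line)
    if m:
        return {"format": "7.5", "user": m.group("user"),
                "qualifier": m.group("qual") or "", "ip": m.group("ip"),
                "port": int(m.group("port")), "preauth": m.group("pre") is not None}
    m = OLD_RE.match(line)
    if m:
        return {"format": "pre-7.5", "user": None, "qualifier": "",
                "ip": m.group("ip"), "port": int(m.group("port")),
                "preauth": m.group("pre") is not None}
    return None


def invalid_user_closures(log_text):
    """Hypothetical monitor rule: closures per source address that sshd
    attributed to an invalid user, which only the 7.5 format puts on the line."""
    per_ip = Counter()
    for line in log_text.splitlines():
        rec = parse_closure(line)
        if rec and rec["qualifier"] == "invalid":
            per_ip[rec["ip"]] += 1
    return dict(per_ip)
```

Monitors that only matched the pre-7.5 shape would silently drop every 7.5 closure line, so a parser should accept both forms while a fleet is mid-upgrade.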

diffstat:

 security/openssh/Makefile                   |   4 +-
 security/openssh/distinfo                   |  13 +++---
 security/openssh/patches/patch-channels.c   |  51 -----------------------------
 security/openssh/patches/patch-configure.ac |  20 +++++-----
 4 files changed, 18 insertions(+), 70 deletions(-)

diffs (172 lines):

diff -r 1ba2e14fef60 -r a0867c6d7c39 security/openssh/Makefile
--- a/security/openssh/Makefile Wed May 31 08:59:31 2017 +0000
+++ b/security/openssh/Makefile Wed May 31 09:30:21 2017 +0000
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.251 2017/01/19 03:50:53 maya Exp $
+# $NetBSD: Makefile,v 1.252 2017/05/31 09:30:21 jperkin Exp $
 
-DISTNAME=              openssh-7.4p1
+DISTNAME=              openssh-7.5p1
 PKGNAME=               ${DISTNAME:S/p1/.1/}
 CATEGORIES=            security
 MASTER_SITES=          ${MASTER_SITE_OPENBSD:=OpenSSH/portable/}
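Review bot: confirm that no PKGREVISION line remains further down the Makefile after this DISTNAME bump, since a new upstream version resets it; the hunk itself is fine, and the untouched `PKGNAME= ${DISTNAME:S/p1/.1/}` still produces openssh-7.5.1 from the new `DISTNAME= openssh-7.5p1`.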
diff -r 1ba2e14fef60 -r a0867c6d7c39 security/openssh/distinfo
--- a/security/openssh/distinfo Wed May 31 08:59:31 2017 +0000
+++ b/security/openssh/distinfo Wed May 31 09:30:21 2017 +0000
@@ -1,18 +1,17 @@
-$NetBSD: distinfo,v 1.103 2016/12/30 04:43:16 taca Exp $
+$NetBSD: distinfo,v 1.104 2017/05/31 09:30:21 jperkin Exp $
 
-SHA1 (openssh-7.4p1.tar.gz) = 2330bbf82ed08cf3ac70e0acf00186ef3eeb97e0
-RMD160 (openssh-7.4p1.tar.gz) = dff996c9f7ab697a04968fbd8924642253bc0e06
-SHA512 (openssh-7.4p1.tar.gz) = 4f3256f461f01366c5d5e0e45285eec65016e2643b3284b407f48f53d81087bf2c1caf7d5f7530d307a15c91c64de91446e1cba948e8fc68f82098290fe3b292
-Size (openssh-7.4p1.tar.gz) = 1511780 bytes
+SHA1 (openssh-7.5p1.tar.gz) = 5e8f185d00afb4f4f89801e9b0f8b9cee9d87ebd
+RMD160 (openssh-7.5p1.tar.gz) = c1b176a1fe92495d056edda0c5db54efcfb8764a
+SHA512 (openssh-7.5p1.tar.gz) = 58c542e8a110fb4316a68db94abb663fa1c810becd0638d45281df8aeca62c1f705090437a80e788e6c29121769b72a505feced537d3118c933fde01b5285c81
+Size (openssh-7.5p1.tar.gz) = 1510857 bytes
 SHA1 (patch-Makefile.in) = 98960119bda68a663214c8880484552f1207bcfc
 SHA1 (patch-auth-passwd.c) = 5205ca4d15dbcd3f4c574f0a2fb7713ae69af5f7
 SHA1 (patch-auth-rhosts.c) = a5e6131e63b83a7e8a06cd80f22def449d6bc2c4
 SHA1 (patch-auth.c) = cd13f8b31b45d668c5e09eca098b17ec8a7c1039
 SHA1 (patch-auth2.c) = efc1eb6d28cb6ec2bd87723943f3e36c612d93aa
-SHA1 (patch-channels.c) = edcce67664bbbc30a8d10ed2fe58dcece944726c
 SHA1 (patch-clientloop.c) = 4e88fbd14db33f003eb93c30c682a017e102196e
 SHA1 (patch-config.h.in) = 7406f10b568d2b8237ee575922ce712658d90d59
-SHA1 (patch-configure.ac) = d7ba54f34e03fd204eb1a9804fcae7fd16e285e2
+SHA1 (patch-configure.ac) = 8ff27fcf7391722732386a574e3a4d41c4209222
 SHA1 (patch-defines.h) = bd8687a9a2857f3b8d15ae94095f27f9344003c4
 SHA1 (patch-includes.h) = c4a7622af6fbcd098d18d257724dca6aaeea4fda
 SHA1 (patch-loginrec.c) = 28082deb14258fe63cbecad8ac96afc016de439c
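Review bot: the new `SHA1`, `RMD160`, `SHA512` and `Size` lines for openssh-7.5p1.tar.gz are what pkgsrc will enforce on every fetch, but nothing in the commit records that the tarball they were computed from was checked against upstream's detached signature; `make distinfo` records the hashes of whatever was downloaded, so state the verification in the commit message or keep it on the update checklist. The dropped `SHA1 (patch-channels.c)` line matches the deleted patch file and the replaced `SHA1 (patch-configure.ac)` matches the rebased patch.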
diff -r 1ba2e14fef60 -r a0867c6d7c39 security/openssh/patches/patch-channels.c
--- a/security/openssh/patches/patch-channels.c Wed May 31 08:59:31 2017 +0000
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,51 +0,0 @@
-$NetBSD: patch-channels.c,v 1.3 2016/01/18 12:53:26 jperkin Exp $
-
-Fix X11 forwarding under Mac OS X Yosemite. Patch taken from MacPorts.
-
-https://trac.macports.org/browser/trunk/dports/net/openssh/files/launchd.patch?rev=121205
-
---- channels.c.orig    2015-08-21 04:49:03.000000000 +0000
-+++ channels.c
-@@ -4037,15 +4037,35 @@ x11_connect_display(void)
-        * connection to the real X server.
-        */
- 
--      /* Check if the display is from launchd. */
- #ifdef __APPLE__
--      if (strncmp(display, "/tmp/launch", 11) == 0) {
--              sock = connect_local_xsocket_path(display);
--              if (sock < 0)
--                      return -1;
-+      /* Check if the display is a path to a socket (as set by launchd). */
-+      {
-+              char path[PATH_MAX];
-+              struct stat sbuf;
-+              int is_path_to_socket = 0;
-+
-+              strlcpy(path, display, sizeof(path));
-+              if (0 == stat(path, &sbuf)) {
-+                      is_path_to_socket = 1;
-+              } else {
-+                      char *dot = strrchr(path, '.');
-+                      if (dot) {
-+                              *dot = '\0';
-+                              /* screen = atoi(dot + 1); */
-+                              if (0 == stat(path, &sbuf)) {
-+                                      is_path_to_socket=1;
-+                              }
-+                      }
-+              }
- 
--              /* OK, we now have a connection to the display. */
--              return sock;
-+              if (is_path_to_socket) {
-+                      sock = connect_local_xsocket_path(path);
-+                      if (sock < 0)
-+                              return -1;
-+
-+                      /* OK, we now have a connection to the display. */
-+                      return sock;
-+              }
-       }
- #endif
-       /*
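Review bot: the commit message gives no reason for deleting this local patch; the Portability entry `ssh(1): Fix X11 forwarding on OSX where X11 was being started by launchd. bz#2341` in the release notes is the evident justification (the patch header reads `Fix X11 forwarding under Mac OS X Yosemite. Patch taken from MacPorts.`), so say so in the description, and note whether the upstream fix was confirmed to cover the same display handling the MacPorts patch did (stat on the display string, then on the string with its trailing `.N` stripped) before dropping it.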
diff -r 1ba2e14fef60 -r a0867c6d7c39 security/openssh/patches/patch-configure.ac
--- a/security/openssh/patches/patch-configure.ac       Wed May 31 08:59:31 2017 +0000
+++ b/security/openssh/patches/patch-configure.ac       Wed May 31 09:30:21 2017 +0000
@@ -1,11 +1,11 @@
-$NetBSD: patch-configure.ac,v 1.5 2016/01/18 12:53:26 jperkin Exp $
+$NetBSD: patch-configure.ac,v 1.6 2017/05/31 09:30:22 jperkin Exp $
 
 * Various fixes regarding portability
 * Revive tcp_wrappers support.
 
---- configure.ac.orig  2015-08-21 04:49:03.000000000 +0000
+--- configure.ac.orig  2017-03-20 02:39:27.000000000 +0000
 +++ configure.ac
-@@ -316,6 +316,9 @@ AC_ARG_WITH([rpath],
+@@ -306,6 +306,9 @@ AC_ARG_WITH([rpath],
        ]
  )
  
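Review bot: the refreshed header (`+--- configure.ac.orig  2017-03-20 02:39:27.000000000 +0000`) and the offset change from `-@@ -316,6 +316,9 @@` to `+@@ -306,6 +306,9 @@` show a rebase, but the patch description above them (`* Various fixes regarding portability` / `* Revive tcp_wrappers support.`) still records neither why pkgsrc keeps re-adding tcp_wrappers support nor a reference for the portability fixes; add a sentence and a pointer so the next rebase can decide whether the patch is still needed.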
@@ -15,7 +15,7 @@
  # Allow user to specify flags
  AC_ARG_WITH([cflags],
        [  --with-cflags           Specify additional flags to pass to compiler],
-@@ -387,6 +390,7 @@ AC_CHECK_HEADERS([ \
+@@ -379,6 +382,7 @@ AC_CHECK_HEADERS([ \
        maillock.h \
        ndir.h \
        net/if_tun.h \
@@ -23,7 +23,7 @@
        netdb.h \
        netgroup.h \
        pam/pam_appl.h \
-@@ -696,6 +700,15 @@ main() { if (NSVersionOfRunTimeLibrary("
+@@ -695,6 +699,15 @@ main() { if (NSVersionOfRunTimeLibrary("
                ;;
        esac
        ;;
@@ -39,7 +39,7 @@
  *-*-irix5*)
        PATH="$PATH:/usr/etc"
        AC_DEFINE([BROKEN_INET_NTOA], [1],
-@@ -1424,6 +1437,62 @@ AC_ARG_WITH([skey],
+@@ -1470,6 +1483,62 @@ AC_ARG_WITH([skey],
        ]
  )
  
@@ -102,7 +102,7 @@
  # Check whether user wants to use ldns
  LDNS_MSG="no"
  AC_ARG_WITH(ldns,
-@@ -4816,9 +4885,17 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+@@ -4979,9 +5048,17 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
  ])
  if test -z "$conf_wtmpx_location"; then
        if test x"$system_wtmpx_path" = x"no" ; then
@@ -122,7 +122,7 @@
        AC_DEFINE_UNQUOTED([CONF_WTMPX_FILE], ["$conf_wtmpx_location"],
                [Define if you want to specify the path to your wtmpx file])
  fi
-@@ -4905,7 +4982,7 @@ echo "OpenSSH has been configured with t
+@@ -5069,7 +5146,7 @@ echo "OpenSSH has been configured with t
  echo "                     User binaries: $B"
  echo "                   System binaries: $C"
  echo "               Configuration files: $D"
@@ -131,11 +131,11 @@
  echo "                      Manual pages: $F"
  echo "                          PID file: $G"
  echo "  Privilege separation chroot path: $H"
-@@ -4929,6 +5006,7 @@ echo "                 KerberosV support
+@@ -5093,6 +5170,7 @@ echo "                 KerberosV support
  echo "                   SELinux support: $SELINUX_MSG"
  echo "                 Smartcard support: $SCARD_MSG"
  echo "                     S/KEY support: $SKEY_MSG"
 +echo "              TCP Wrappers support: $TCPW_MSG"
  echo "              MD5 password support: $MD5_MSG"
  echo "                   libedit support: $LIBEDIT_MSG"
- echo "  Solaris process contract support: $SPC_MSG"
+ echo "                   libldns support: $LDNS_MSG"
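Review bot: besides the offset change from `-@@ -4929,6 +5006,7 @@` to `+@@ -5093,6 +5170,7 @@`, the trailing context line changes from `Solaris process contract support: $SPC_MSG` to `libldns support: $LDNS_MSG`, so the `+echo "              TCP Wrappers support: $TCPW_MSG"` line is now inserted into a configure summary whose neighbours differ from the 7.4p1 version; confirm the rebased patch applies to the 7.5p1 sources without fuzz rather than trusting the offset bump, and that the six offset-only hunks above were refreshed the same way.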


