pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/trunk]: pkgsrc/security/openssh Update security/openssh to 7.5p1.
details: https://anonhg.NetBSD.org/pkgsrc/rev/a0867c6d7c39
branches: trunk
changeset: 363056:a0867c6d7c39
user: jperkin <jperkin%pkgsrc.org@localhost>
date: Wed May 31 09:30:21 2017 +0000
description:
Update security/openssh to 7.5p1.
Potentially-incompatible changes
================================
This release includes a number of changes that may affect existing
configurations:
* This release deprecates the sshd_config UsePrivilegeSeparation
option, thereby making privilege separation mandatory. Privilege
separation has been on by default for almost 15 years and
sandboxing has been on by default for almost the last five.
* The format of several log messages emitted by the packet code has
changed to include additional information about the user and
their authentication state. Software that monitors ssh/sshd logs
may need to account for these changes. For example:
Connection closed by user x 1.1.1.1 port 1234 [preauth]
Connection closed by authenticating user x 10.1.1.1 port 1234 [preauth]
Connection closed by invalid user x 1.1.1.1 port 1234 [preauth]
Affected messages include connection closure, timeout, remote
disconnection, negotiation failure and some other fatal messages
generated by the packet code.
* [Portable OpenSSH only] This version removes support for building
against OpenSSL versions prior to 1.0.1. OpenSSL stopped supporting
versions prior to 1.0.1 over 12 months ago (i.e. they no longer
receive fixes for security bugs).
Changes since OpenSSH 7.4
=========================
This is a bugfix release.
Security
--------
* ssh(1), sshd(8): Fix weakness in CBC padding oracle countermeasures
that allowed a variant of the attack fixed in OpenSSH 7.3 to proceed.
Note that the OpenSSH client disables CBC ciphers by default, sshd
offers them as lowest-preference options and will remove them by
default entriely in the next release. Reported by Jean Paul
Degabriele, Kenny Paterson, Martin Albrecht and Torben Hansen of
Royal Holloway, University of London.
* sftp-client(1): [portable OpenSSH only] On Cygwin, a client making
a recursive file transfer could be maniuplated by a hostile server to
perform a path-traversal attack. creating or modifying files outside
of the intended target directory. Reported by Jann Horn of Google
Project Zero.
New Features
------------
* ssh(1), sshd(8): Support "=-" syntax to easily remove methods from
algorithm lists, e.g. Ciphers=-*cbc. bz#2671
Bugfixes
--------
* sshd(1): Fix NULL dereference crash when key exchange start
messages are sent out of sequence.
* ssh(1), sshd(8): Allow form-feed characters to appear in
configuration files.
* sshd(8): Fix regression in OpenSSH 7.4 support for the
server-sig-algs extension, where SHA2 RSA signature methods were
not being correctly advertised. bz#2680
* ssh(1), ssh-keygen(1): Fix a number of case-sensitivity bugs in
known_hosts processing. bz#2591 bz#2685
* ssh(1): Allow ssh to use certificates accompanied by a private key
file but no corresponding plain *.pub public key. bz#2617
* ssh(1): When updating hostkeys using the UpdateHostKeys option,
accept RSA keys if HostkeyAlgorithms contains any RSA keytype.
Previously, ssh could ignore RSA keys when only the ssh-rsa-sha2-*
methods were enabled in HostkeyAlgorithms and not the old ssh-rsa
method. bz#2650
* ssh(1): Detect and report excessively long configuration file
lines. bz#2651
* Merge a number of fixes found by Coverity and reported via Redhat
and FreeBSD. Includes fixes for some memory and file descriptor
leaks in error paths. bz#2687
* ssh-keyscan(1): Correctly hash hosts with a port number. bz#2692
* ssh(1), sshd(8): When logging long messages to stderr, don't truncate
"\r\n" if the length of the message exceeds the buffer. bz#2688
* ssh(1): Fully quote [host]:port in generated ProxyJump/-J command-
line; avoid confusion over IPv6 addresses and shells that treat
square bracket characters specially.
* ssh-keygen(1): Fix corruption of known_hosts when running
"ssh-keygen -H" on a known_hosts containing already-hashed entries.
* Fix various fallout and sharp edges caused by removing SSH protocol
1 support from the server, including the server banner string being
incorrectly terminated with only \n (instead of \r\n), confusing
error messages from ssh-keyscan bz#2583 and a segfault in sshd
if protocol v.1 was enabled for the client and sshd_config
contained references to legacy keys bz#2686.
* ssh(1), sshd(8): Free fd_set on connection timeout. bz#2683
* sshd(8): Fix Unix domain socket forwarding for root (regression in
OpenSSH 7.4).
* sftp(1): Fix division by zero crash in "df" output when server
returns zero total filesystem blocks/inodes.
* ssh(1), ssh-add(1), ssh-keygen(1), sshd(8): Translate OpenSSL errors
encountered during key loading to more meaningful error codes.
bz#2522 bz#2523
* ssh-keygen(1): Sanitise escape sequences in key comments sent to
printf but preserve valid UTF-8 when the locale supports it;
bz#2520
* ssh(1), sshd(8): Return reason for port forwarding failures where
feasible rather than always "administratively prohibited". bz#2674
* sshd(8): Fix deadlock when AuthorizedKeysCommand or
AuthorizedPrincipalsCommand produces a lot of output and a key is
matched early. bz#2655
* Regression tests: several reliability fixes. bz#2654 bz#2658 bz#2659
* ssh(1): Fix typo in ~C error message for bad port forward
cancellation. bz#2672
* ssh(1): Show a useful error message when included config files
can't be opened; bz#2653
* sshd(8): Make sshd set GSSAPIStrictAcceptorCheck=yes as the manual page
(previously incorrectly) advertised. bz#2637
* sshd_config(5): Repair accidentally-deleted mention of %k token
in AuthorizedKeysCommand; bz#2656
* sshd(8): Remove vestiges of previously removed LOGIN_PROGRAM; bz#2665
* ssh-agent(1): Relax PKCS#11 whitelist to include libexec and
common 32-bit compatibility library directories.
* sftp-client(1): Fix non-exploitable integer overflow in SSH2_FXP_NAME
response handling.
* ssh-agent(1): Fix regression in 7.4 of deleting PKCS#11-hosted
keys. It was not possible to delete them except by specifying
their full physical path. bz#2682
Portability
-----------
* sshd(8): Avoid sandbox errors for Linux S390 systems using an ICA
crypto coprocessor.
* sshd(8): Fix non-exploitable weakness in seccomp-bpf sandbox arg
inspection.
* ssh(1): Fix X11 forwarding on OSX where X11 was being started by
launchd. bz#2341
* ssh-keygen(1), ssh(1), sftp(1): Fix output truncation for various that
contain non-printable characters where the codeset in use is ASCII.
* build: Fix builds that attempt to link a kerberised libldns. bz#2603
* build: Fix compilation problems caused by unconditionally defining
_XOPEN_SOURCE in wide character detection.
* sshd(8): Fix sandbox violations for clock_gettime VSDO syscall
fallback on some Linux/X32 kernels. bz#2142
diffstat:
security/openssh/Makefile | 4 +-
security/openssh/distinfo | 13 +++---
security/openssh/patches/patch-channels.c | 51 -----------------------------
security/openssh/patches/patch-configure.ac | 20 +++++-----
4 files changed, 18 insertions(+), 70 deletions(-)
diffs (172 lines):
diff -r 1ba2e14fef60 -r a0867c6d7c39 security/openssh/Makefile
--- a/security/openssh/Makefile Wed May 31 08:59:31 2017 +0000
+++ b/security/openssh/Makefile Wed May 31 09:30:21 2017 +0000
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.251 2017/01/19 03:50:53 maya Exp $
+# $NetBSD: Makefile,v 1.252 2017/05/31 09:30:21 jperkin Exp $
-DISTNAME= openssh-7.4p1
+DISTNAME= openssh-7.5p1
PKGNAME= ${DISTNAME:S/p1/.1/}
CATEGORIES= security
MASTER_SITES= ${MASTER_SITE_OPENBSD:=OpenSSH/portable/}
diff -r 1ba2e14fef60 -r a0867c6d7c39 security/openssh/distinfo
--- a/security/openssh/distinfo Wed May 31 08:59:31 2017 +0000
+++ b/security/openssh/distinfo Wed May 31 09:30:21 2017 +0000
@@ -1,18 +1,17 @@
-$NetBSD: distinfo,v 1.103 2016/12/30 04:43:16 taca Exp $
+$NetBSD: distinfo,v 1.104 2017/05/31 09:30:21 jperkin Exp $
-SHA1 (openssh-7.4p1.tar.gz) = 2330bbf82ed08cf3ac70e0acf00186ef3eeb97e0
-RMD160 (openssh-7.4p1.tar.gz) = dff996c9f7ab697a04968fbd8924642253bc0e06
-SHA512 (openssh-7.4p1.tar.gz) = 4f3256f461f01366c5d5e0e45285eec65016e2643b3284b407f48f53d81087bf2c1caf7d5f7530d307a15c91c64de91446e1cba948e8fc68f82098290fe3b292
-Size (openssh-7.4p1.tar.gz) = 1511780 bytes
+SHA1 (openssh-7.5p1.tar.gz) = 5e8f185d00afb4f4f89801e9b0f8b9cee9d87ebd
+RMD160 (openssh-7.5p1.tar.gz) = c1b176a1fe92495d056edda0c5db54efcfb8764a
+SHA512 (openssh-7.5p1.tar.gz) = 58c542e8a110fb4316a68db94abb663fa1c810becd0638d45281df8aeca62c1f705090437a80e788e6c29121769b72a505feced537d3118c933fde01b5285c81
+Size (openssh-7.5p1.tar.gz) = 1510857 bytes
SHA1 (patch-Makefile.in) = 98960119bda68a663214c8880484552f1207bcfc
SHA1 (patch-auth-passwd.c) = 5205ca4d15dbcd3f4c574f0a2fb7713ae69af5f7
SHA1 (patch-auth-rhosts.c) = a5e6131e63b83a7e8a06cd80f22def449d6bc2c4
SHA1 (patch-auth.c) = cd13f8b31b45d668c5e09eca098b17ec8a7c1039
SHA1 (patch-auth2.c) = efc1eb6d28cb6ec2bd87723943f3e36c612d93aa
-SHA1 (patch-channels.c) = edcce67664bbbc30a8d10ed2fe58dcece944726c
SHA1 (patch-clientloop.c) = 4e88fbd14db33f003eb93c30c682a017e102196e
SHA1 (patch-config.h.in) = 7406f10b568d2b8237ee575922ce712658d90d59
-SHA1 (patch-configure.ac) = d7ba54f34e03fd204eb1a9804fcae7fd16e285e2
+SHA1 (patch-configure.ac) = 8ff27fcf7391722732386a574e3a4d41c4209222
SHA1 (patch-defines.h) = bd8687a9a2857f3b8d15ae94095f27f9344003c4
SHA1 (patch-includes.h) = c4a7622af6fbcd098d18d257724dca6aaeea4fda
SHA1 (patch-loginrec.c) = 28082deb14258fe63cbecad8ac96afc016de439c
diff -r 1ba2e14fef60 -r a0867c6d7c39 security/openssh/patches/patch-channels.c
--- a/security/openssh/patches/patch-channels.c Wed May 31 08:59:31 2017 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,51 +0,0 @@
-$NetBSD: patch-channels.c,v 1.3 2016/01/18 12:53:26 jperkin Exp $
-
-Fix X11 forwarding under Mac OS X Yosemite. Patch taken from MacPorts.
-
-https://trac.macports.org/browser/trunk/dports/net/openssh/files/launchd.patch?rev=121205
-
---- channels.c.orig 2015-08-21 04:49:03.000000000 +0000
-+++ channels.c
-@@ -4037,15 +4037,35 @@ x11_connect_display(void)
- * connection to the real X server.
- */
-
-- /* Check if the display is from launchd. */
- #ifdef __APPLE__
-- if (strncmp(display, "/tmp/launch", 11) == 0) {
-- sock = connect_local_xsocket_path(display);
-- if (sock < 0)
-- return -1;
-+ /* Check if the display is a path to a socket (as set by launchd). */
-+ {
-+ char path[PATH_MAX];
-+ struct stat sbuf;
-+ int is_path_to_socket = 0;
-+
-+ strlcpy(path, display, sizeof(path));
-+ if (0 == stat(path, &sbuf)) {
-+ is_path_to_socket = 1;
-+ } else {
-+ char *dot = strrchr(path, '.');
-+ if (dot) {
-+ *dot = '\0';
-+ /* screen = atoi(dot + 1); */
-+ if (0 == stat(path, &sbuf)) {
-+ is_path_to_socket=1;
-+ }
-+ }
-+ }
-
-- /* OK, we now have a connection to the display. */
-- return sock;
-+ if (is_path_to_socket) {
-+ sock = connect_local_xsocket_path(path);
-+ if (sock < 0)
-+ return -1;
-+
-+ /* OK, we now have a connection to the display. */
-+ return sock;
-+ }
- }
- #endif
- /*
diff -r 1ba2e14fef60 -r a0867c6d7c39 security/openssh/patches/patch-configure.ac
--- a/security/openssh/patches/patch-configure.ac Wed May 31 08:59:31 2017 +0000
+++ b/security/openssh/patches/patch-configure.ac Wed May 31 09:30:21 2017 +0000
@@ -1,11 +1,11 @@
-$NetBSD: patch-configure.ac,v 1.5 2016/01/18 12:53:26 jperkin Exp $
+$NetBSD: patch-configure.ac,v 1.6 2017/05/31 09:30:22 jperkin Exp $
* Various fixes regarding portability
* Revive tcp_wrappers support.
---- configure.ac.orig 2015-08-21 04:49:03.000000000 +0000
+--- configure.ac.orig 2017-03-20 02:39:27.000000000 +0000
+++ configure.ac
-@@ -316,6 +316,9 @@ AC_ARG_WITH([rpath],
+@@ -306,6 +306,9 @@ AC_ARG_WITH([rpath],
]
)
@@ -15,7 +15,7 @@
# Allow user to specify flags
AC_ARG_WITH([cflags],
[ --with-cflags Specify additional flags to pass to compiler],
-@@ -387,6 +390,7 @@ AC_CHECK_HEADERS([ \
+@@ -379,6 +382,7 @@ AC_CHECK_HEADERS([ \
maillock.h \
ndir.h \
net/if_tun.h \
@@ -23,7 +23,7 @@
netdb.h \
netgroup.h \
pam/pam_appl.h \
-@@ -696,6 +700,15 @@ main() { if (NSVersionOfRunTimeLibrary("
+@@ -695,6 +699,15 @@ main() { if (NSVersionOfRunTimeLibrary("
;;
esac
;;
@@ -39,7 +39,7 @@
*-*-irix5*)
PATH="$PATH:/usr/etc"
AC_DEFINE([BROKEN_INET_NTOA], [1],
-@@ -1424,6 +1437,62 @@ AC_ARG_WITH([skey],
+@@ -1470,6 +1483,62 @@ AC_ARG_WITH([skey],
]
)
@@ -102,7 +102,7 @@
# Check whether user wants to use ldns
LDNS_MSG="no"
AC_ARG_WITH(ldns,
-@@ -4816,9 +4885,17 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+@@ -4979,9 +5048,17 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
])
if test -z "$conf_wtmpx_location"; then
if test x"$system_wtmpx_path" = x"no" ; then
@@ -122,7 +122,7 @@
AC_DEFINE_UNQUOTED([CONF_WTMPX_FILE], ["$conf_wtmpx_location"],
[Define if you want to specify the path to your wtmpx file])
fi
-@@ -4905,7 +4982,7 @@ echo "OpenSSH has been configured with t
+@@ -5069,7 +5146,7 @@ echo "OpenSSH has been configured with t
echo " User binaries: $B"
echo " System binaries: $C"
echo " Configuration files: $D"
@@ -131,11 +131,11 @@
echo " Manual pages: $F"
echo " PID file: $G"
echo " Privilege separation chroot path: $H"
-@@ -4929,6 +5006,7 @@ echo " KerberosV support
+@@ -5093,6 +5170,7 @@ echo " KerberosV support
echo " SELinux support: $SELINUX_MSG"
echo " Smartcard support: $SCARD_MSG"
echo " S/KEY support: $SKEY_MSG"
+echo " TCP Wrappers support: $TCPW_MSG"
echo " MD5 password support: $MD5_MSG"
echo " libedit support: $LIBEDIT_MSG"
- echo " Solaris process contract support: $SPC_MSG"
+ echo " libldns support: $LDNS_MSG"
Home |
Main Index |
Thread Index |
Old Index