pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/security/openssh Update openssh to 7.4.1 (7.4p1), incl...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/022cd99faf5a
branches:  trunk
changeset: 356350:022cd99faf5a
user:      taca <taca%pkgsrc.org@localhost>
date:      Fri Dec 30 04:43:16 2016 +0000

description:
Update openssh to 7.4.1 (7.4p1), including security fixes.

For full changes, please refer to the ChangeLog file.


Future deprecation notice
=========================

We plan on retiring more legacy cryptography in future releases,
specifically:

 * In approximately August 2017, removing remaining support for the
   SSH v.1 protocol (client-only and currently compile-time disabled).

 * In the same release, removing support for Blowfish and RC4 ciphers
   and the RIPE-MD160 HMAC. (These are currently run-time disabled).

 * Refusing all RSA keys smaller than 1024 bits (the current minimum
   is 768 bits)

 * The next release of OpenSSH will remove support for running sshd(8)
   with privilege separation disabled.

 * The next release of portable OpenSSH will remove support for
   OpenSSL versions prior to 1.0.1.

This list reflects our current intentions, but please check the final
release notes for future releases.

Potentially-incompatible changes
================================

This release includes a number of changes that may affect existing
configurations:

 * This release removes server support for the SSH v.1 protocol.

 * ssh(1): Remove 3des-cbc from the client's default proposal. 64-bit
   block ciphers are not safe in 2016 and we don't want to wait until
   attacks like SWEET32 are extended to SSH. As 3des-cbc was the
   only mandatory cipher in the SSH RFCs, this may cause problems
   connecting to older devices using the default configuration,
   but it's highly likely that such devices already need explicit
   configuration for key exchange and hostkey algorithms anyway.

 * sshd(8): Remove support for pre-authentication compression.
   Doing compression early in the protocol probably seemed reasonable
   in the 1990s, but today it's clearly a bad idea in terms of both
   cryptography (cf. multiple compression oracle attacks in TLS) and
   attack surface. Pre-auth compression support has been disabled by
   default for >10 years. Support remains in the client.

 * ssh-agent will refuse to load PKCS#11 modules outside a whitelist
   of trusted paths by default. The path whitelist may be specified
   at run-time.

 * sshd(8): When a forced-command appears in both a certificate and
   an authorized keys/principals command= restriction, sshd will now
   refuse to accept the certificate unless they are identical.
   The previous (documented) behaviour of having the certificate
   forced-command override the other could be a bit confusing and
   error-prone.

 * sshd(8): Remove the UseLogin configuration directive and support
   for having /bin/login manage login sessions.

Changes since OpenSSH 7.3
=========================

This is primarily a bugfix release.

Security
--------

 * ssh-agent(1): Will now refuse to load PKCS#11 modules from paths
   outside a trusted whitelist (run-time configurable). Requests to
   load modules could be passed via agent forwarding and an attacker
   could attempt to load a hostile PKCS#11 module across the forwarded
   agent channel: PKCS#11 modules are shared libraries, so this would
   result in code execution on the system running the ssh-agent if the
   attacker has control of the forwarded agent-socket (on the host
   running the sshd server) and the ability to write to the filesystem
   of the host running ssh-agent (usually the host running the ssh
   client). Reported by Jann Horn of Project Zero.

 * sshd(8): When privilege separation is disabled, forwarded Unix-
   domain sockets would be created by sshd(8) with the privileges of
   'root' instead of the authenticated user. This release refuses
   Unix-domain socket forwarding when privilege separation is disabled
   (Privilege separation has been enabled by default for 14 years).
   Reported by Jann Horn of Project Zero.

 * sshd(8): Avoid theoretical leak of host private key material to
   privilege-separated child processes via realloc() when reading
   keys. No such leak was observed in practice for normal-sized keys,
   nor does a leak to the child processes directly expose key material
   to unprivileged users. Reported by Jann Horn of Project Zero.

 * sshd(8): The shared memory manager used by pre-authentication
   compression support had a bounds check that could be elided by
   some optimising compilers. Additionally, this memory manager was
   incorrectly accessible when pre-authentication compression was
   disabled. This could potentially allow attacks against the
   privileged monitor process from the sandboxed privilege-separation
   process (a compromise of the latter would be required first).
   This release removes support for pre-authentication compression
   from sshd(8). Reported by Guido Vranken using the Stack unstable
   optimisation identification tool (http://css.csail.mit.edu/stack/).

 * sshd(8): Fix denial-of-service condition where an attacker who
   sends multiple KEXINIT messages may consume up to 128MB per
   connection. Reported by Shi Lei of Gear Team, Qihoo 360.

 * sshd(8): Validate address ranges for AllowUser and DenyUsers
   directives at configuration load time and refuse to accept invalid
   ones. It was previously possible to specify invalid CIDR address
   ranges (e.g. user@127.1.2.3/55) and these would always match,
   possibly resulting in granting access where it was not intended.
   Reported by Laurence Parry.
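
The 3des-cbc removal and the ssh-agent PKCS#11 whitelist in the notes above both need an operator-side decision. The ssh_config fragment below is an added example; it is not part of this commit nor taken from OpenSSH's own documentation, and the host name legacy-switch, its address and the module path mentioned afterwards are assumptions.

```sshconfig
# ~/.ssh/config (added example; host name and address are assumed)
#
# 3des-cbc is no longer proposed by default in 7.4.  Re-enable it for one
# legacy device only: "+" appends to the default list inside this Host
# block, so every other connection keeps the hardened defaults.
Host legacy-switch
    HostName 192.0.2.10
    Ciphers +3des-cbc
    # Devices old enough to need 3des-cbc usually also need these, which
    # earlier releases likewise disabled by default:
    # KexAlgorithms +diffie-hellman-group1-sha1
    # HostKeyAlgorithms +ssh-dss

# Do NOT do this instead: a global "Ciphers +3des-cbc" under "Host *"
# reintroduces the SWEET32 exposure for every host, not just the one
# that needs it.
```

`ssh -Q cipher` lists what the installed client supports, which is the quickest way to confirm that 3des-cbc is still compiled in before relying on this. For the agent side, 7.4's ssh-agent(1) takes `-P pkcs11_whitelist`, a pattern list whose default is `/usr/lib/*,/usr/local/lib/*`; on a pkgsrc host where the PKCS#11 module lives under /usr/pkg (an assumption) you would start the agent as `ssh-agent -P '/usr/pkg/lib/opensc/*'`, and a request arriving over a forwarded agent channel for a module outside that list is refused rather than dlopen()ed.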

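A model of the AllowUsers/DenyUsers address-range check described in the last item, as an added example: this is independent Python, not OpenSSH's own addrmatch.c. `load_directive` mirrors the 7.4 behaviour (every pattern is parsed when the directive is loaded and an impossible CIDR such as `127.1.2.3/55` is refused), while `legacy_allowed` only models the pre-7.4 failure mode as the note describes it (a pattern whose CIDR part is invalid matched every address). The directive values and addresses are constructed for the example.

```python
"""AllowUsers/DenyUsers pattern validation, modelled after the 7.4 change.

Independent example code, not OpenSSH's addrmatch.c.  Patterns have the
forms  user,  user@hostglob  and  user@addr/len;  only '*' and '?' are
wildcards, as in sshd_config(5).
"""
import ipaddress
import re


def glob_match(pattern, value):
    """sshd-style wildcard match: '*' and '?' are the only special characters."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def parse_pattern(pattern):
    """Parse one pattern into (user_glob, host_glob, network).

    host_glob and network are mutually exclusive; both are None for a bare
    user pattern.  A CIDR part that cannot be valid (bad address, or a mask
    length above 32 bits for IPv4 / 128 for IPv6) raises ValueError, which
    is the 7.4 behaviour: the directive is refused, not silently accepted.
    """
    user, sep, host = pattern.partition("@")
    if not sep:
        return pattern, None, None
    if "/" not in host:
        return user, host, None
    addr, _, masklen = host.partition("/")
    ip = ipaddress.ip_address(addr)            # ValueError on non-address text
    if not masklen.isdigit() or int(masklen) > ip.max_prefixlen:
        raise ValueError("%r: mask length %r is not valid for a %d-bit address"
                         % (pattern, masklen, ip.max_prefixlen))
    return user, None, ipaddress.ip_network("%s/%s" % (addr, masklen), strict=False)


def load_directive(value):
    """Validate every pattern at load time; one bad pattern fails the directive."""
    return [parse_pattern(p) for p in value.split()]


def match_entry(entry, user, addr, hostname=None):
    """Does one parsed pattern match this user connecting from addr/hostname?"""
    user_glob, host_glob, net = entry
    if not glob_match(user_glob, user):
        return False
    if net is not None:
        return ipaddress.ip_address(addr) in net
    if host_glob is not None:
        return glob_match(host_glob, addr) or (
            hostname is not None and glob_match(host_glob, hostname))
    return True


def allowed(parsed, user, addr, hostname=None):
    """AllowUsers semantics: the login is permitted if any pattern matches."""
    return any(match_entry(e, user, addr, hostname) for e in parsed)


def legacy_allowed(value, user, addr):
    """Model of the pre-7.4 failure mode from the release note: a pattern whose
    CIDR part does not parse is treated as matching any address, so a typo
    such as 10.0.0.0/55 widened the rule to the whole Internet."""
    for p in value.split():
        try:
            entry = parse_pattern(p)
        except ValueError:
            if glob_match(p.partition("@")[0], user):
                return True
            continue
        if match_entry(entry, user, addr):
            return True
    return False


if __name__ == "__main__":
    # Constructed example: an intended "admin only from 10.0.0.0/8" rule with
    # a typo in the mask length, checked against an outside address.
    directive = "admin@10.0.0.0/55 ops@192.0.2.0/24"
    print("pre-7.4 model admits admin from 203.0.113.9:",
          legacy_allowed(directive, "admin", "203.0.113.9"))
    try:
        load_directive(directive)
    except ValueError as exc:
        print("7.4 refuses the directive:", exc)
```

On a real 7.4 host the equivalent check is `sshd -t -f /path/to/sshd_config`, which now fails on such a pattern before the daemon is restarted; the point of the example is that the old silent "always match" turned a one-character typo into an allow-from-anywhere rule for that user.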
diffstat:

 security/openssh/Makefile                                   |   4 +-
 security/openssh/distinfo                                   |  19 +++---
 security/openssh/options.mk                                 |  14 ++--
 security/openssh/patches/patch-auth1.c                      |  26 ---------
 security/openssh/patches/patch-clientloop.c                 |  14 ++--
 security/openssh/patches/patch-openbsd-compat_bsd-openpty.c |  18 ++----
 security/openssh/patches/patch-session.c                    |  26 ++++----
 security/openssh/patches/patch-sshd.c                       |  34 ++++++------
 8 files changed, 62 insertions(+), 93 deletions(-)

diffs (truncated from 364 to 300 lines):

diff -r 33bbe3619641 -r 022cd99faf5a security/openssh/Makefile
--- a/security/openssh/Makefile Fri Dec 30 03:21:19 2016 +0000
+++ b/security/openssh/Makefile Fri Dec 30 04:43:16 2016 +0000
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.249 2016/09/18 17:30:10 taca Exp $
+# $NetBSD: Makefile,v 1.250 2016/12/30 04:43:16 taca Exp $
 
-DISTNAME=              openssh-7.3p1
+DISTNAME=              openssh-7.4p1
 PKGNAME=               ${DISTNAME:S/p1/.1/}
 CATEGORIES=            security
 MASTER_SITES=          ${MASTER_SITE_OPENBSD:=OpenSSH/portable/}
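Review bot: `PKGNAME= ${DISTNAME:S/p1/.1/}` only maps a p1 patch level, so an upstream re-roll such as 7.4p2 would come through with PKGNAME openssh-7.4p2 instead of 7.4.2. Pre-existing rather than introduced by this hunk, but since DISTNAME is edited on every update anyway, `${DISTNAME:C/p([0-9]+)$$/.\1/}` would make the mapping hold for any patch level.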
diff -r 33bbe3619641 -r 022cd99faf5a security/openssh/distinfo
--- a/security/openssh/distinfo Fri Dec 30 03:21:19 2016 +0000
+++ b/security/openssh/distinfo Fri Dec 30 04:43:16 2016 +0000
@@ -1,32 +1,31 @@
-$NetBSD: distinfo,v 1.102 2016/09/18 17:30:10 taca Exp $
+$NetBSD: distinfo,v 1.103 2016/12/30 04:43:16 taca Exp $
 
-SHA1 (openssh-7.3p1.tar.gz) = bfade84283fcba885e2084343ab19a08c7d123a5
-RMD160 (openssh-7.3p1.tar.gz) = 823fc1e16c5d27a2361ed0b22f5ee24be11d2c13
-SHA512 (openssh-7.3p1.tar.gz) = 7ba2d6140f38bd359ebf32ef17626e0ae1c00c3a38c01877b7c6b0317d030f10a8f82a0a51fc3b6273619de9ed73e24b8cf107b1e968f927053a3bedf97ff801
-Size (openssh-7.3p1.tar.gz) = 1522617 bytes
+SHA1 (openssh-7.4p1.tar.gz) = 2330bbf82ed08cf3ac70e0acf00186ef3eeb97e0
+RMD160 (openssh-7.4p1.tar.gz) = dff996c9f7ab697a04968fbd8924642253bc0e06
+SHA512 (openssh-7.4p1.tar.gz) = 4f3256f461f01366c5d5e0e45285eec65016e2643b3284b407f48f53d81087bf2c1caf7d5f7530d307a15c91c64de91446e1cba948e8fc68f82098290fe3b292
+Size (openssh-7.4p1.tar.gz) = 1511780 bytes
 SHA1 (patch-Makefile.in) = 98960119bda68a663214c8880484552f1207bcfc
 SHA1 (patch-auth-passwd.c) = 5205ca4d15dbcd3f4c574f0a2fb7713ae69af5f7
 SHA1 (patch-auth-rhosts.c) = a5e6131e63b83a7e8a06cd80f22def449d6bc2c4
 SHA1 (patch-auth.c) = cd13f8b31b45d668c5e09eca098b17ec8a7c1039
-SHA1 (patch-auth1.c) = cdac14ffa4008e62926526e66316b0a553435374
 SHA1 (patch-auth2.c) = efc1eb6d28cb6ec2bd87723943f3e36c612d93aa
 SHA1 (patch-channels.c) = edcce67664bbbc30a8d10ed2fe58dcece944726c
-SHA1 (patch-clientloop.c) = 9b2db181d964b7720e1dc12724a9b9033f28d0e7
+SHA1 (patch-clientloop.c) = 4e88fbd14db33f003eb93c30c682a017e102196e
 SHA1 (patch-config.h.in) = 7406f10b568d2b8237ee575922ce712658d90d59
 SHA1 (patch-configure.ac) = d7ba54f34e03fd204eb1a9804fcae7fd16e285e2
 SHA1 (patch-defines.h) = bd8687a9a2857f3b8d15ae94095f27f9344003c4
 SHA1 (patch-includes.h) = c4a7622af6fbcd098d18d257724dca6aaeea4fda
 SHA1 (patch-loginrec.c) = 28082deb14258fe63cbecad8ac96afc016de439c
-SHA1 (patch-openbsd-compat_bsd-openpty.c) = eaac72830e36e307c19a7b679e6018ece9aebaac
+SHA1 (patch-openbsd-compat_bsd-openpty.c) = 80e076a18a0f9ba211ecd4bc5853ce01899568ae
 SHA1 (patch-openbsd-compat_openbsd-compat.h) = bedbede16ab2fe918419c994ba15a20167b411b4
 SHA1 (patch-openbsd-compat_port-tun.c) = 690dfb1f945d186dd3de5bea70ed8fab86e590ee
 SHA1 (patch-platform.c) = f8f211dbc5e596c0f82eb86324d18a84c6151ec5
 SHA1 (patch-sandbox-darwin.c) = c9a1fe2e4dbf98e929d983b4206a244e0e354b75
 SHA1 (patch-scp.c) = 9c2317b0f796641903a826db355ba06595a26ea1
-SHA1 (patch-session.c) = 850cef27299cf8af6a19987d5e070bf501cd57fb
+SHA1 (patch-session.c) = c67d649dc66a65ff39d701135a2f2dab6ba2fb93
 SHA1 (patch-sftp-common.c) = 6819aa040c8f1caa30a704cf6f0588e498df8778
 SHA1 (patch-ssh.c) = 6877d8205d999906c14240d4d112b084609927ca
 SHA1 (patch-sshd.8) = 5bf48cd27cef8e8810b9dc7115f5180102a345d1
-SHA1 (patch-sshd.c) = cd23ce269bfb48b0caa901e62fc01d35ef0618ac
+SHA1 (patch-sshd.c) = a1ccf7e54275629965d80d9cf7cd8669d9f1f4cf
 SHA1 (patch-sshpty.c) = cb691d4fbde808927f2fbcc12b87ad983cf21938
 SHA1 (patch-uidswap.c) = 68c4f5ffab7f4c5c9c00b7443a74b2da52809b7e
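Review bot: the SHA512 line is the one checksum here that provides meaningful integrity (SHA1 and RMD160 add little over it), and the commit message should say that the new openssh-7.4p1.tar.gz hash was checked against the upstream .asc signature rather than copied from the mirror download, since the mirror is also where the file came from. The dropped `SHA1 (patch-auth1.c)` entry matches the deleted patch file below, so the checksum list and the patches directory stay consistent.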
diff -r 33bbe3619641 -r 022cd99faf5a security/openssh/options.mk
--- a/security/openssh/options.mk       Fri Dec 30 03:21:19 2016 +0000
+++ b/security/openssh/options.mk       Fri Dec 30 04:43:16 2016 +0000
@@ -1,9 +1,9 @@
-# $NetBSD: options.mk,v 1.33 2016/07/10 10:41:38 rillig Exp $
+# $NetBSD: options.mk,v 1.34 2016/12/30 04:43:16 taca Exp $
 
 .include "../../mk/bsd.prefs.mk"
 
 PKG_OPTIONS_VAR=       PKG_OPTIONS.openssh
-PKG_SUPPORTED_OPTIONS= hpn-patch kerberos openssl pam
+PKG_SUPPORTED_OPTIONS= kerberos openssl pam
 PKG_SUGGESTED_OPTIONS= openssl
 
 .include "../../mk/bsd.options.mk"
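Review bot: removing hpn-patch from PKG_SUPPORTED_OPTIONS is a user-visible change that the commit message does not mention; anyone carrying `PKG_OPTIONS.openssh+= hpn-patch` in mk.conf will now build a plain non-HPN sshd with nothing telling them why. Either record the removal (and the reason) in the commit message or leave a comment next to PKG_SUPPORTED_OPTIONS saying the option was dropped with 7.4p1.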
@@ -23,11 +23,11 @@
 .  endif
 .endif
 
-.if !empty(PKG_OPTIONS:Mhpn-patch)
-PATCHFILES=            openssh-7.1p1-hpn-20150822.diff.bz2
-PATCH_SITES=           ftp://ftp.NetBSD.org/pub/NetBSD/misc/openssh/
-PATCH_DIST_STRIP=      -p1
-.endif
+#.if !empty(PKG_OPTIONS:Mhpn-patch)
+#PATCHFILES=           openssh-7.1p1-hpn-20150822.diff.bz2
+#PATCH_SITES=          ftp://ftp.NetBSD.org/pub/NetBSD/misc/openssh/
+#PATCH_DIST_STRIP=     -p1
+#.endif
 
 PLIST_VARS+=   pam
 
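Review bot: commenting the block out leaves dead code in options.mk. Since hpn-patch is no longer a supported option, delete the block (history keeps it) or replace it with a one-line comment giving the reason, presumably that the only HPN diff referenced, openssh-7.1p1-hpn-20150822.diff.bz2, does not apply to 7.4p1; as written, the reason is recorded nowhere. Note also that the diff was fetched over `ftp://` and the distinfo hunk above lists no checksum for it, so if the option is ever revived the patch file needs a distinfo entry before it is fetched again.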
diff -r 33bbe3619641 -r 022cd99faf5a security/openssh/patches/patch-auth1.c
--- a/security/openssh/patches/patch-auth1.c    Fri Dec 30 03:21:19 2016 +0000
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,26 +0,0 @@
-$NetBSD: patch-auth1.c,v 1.4 2016/01/18 12:53:26 jperkin Exp $
-
-Replace uid 0 with ROOTUID macro
-
---- auth1.c.orig       2015-08-21 04:49:03.000000000 +0000
-+++ auth1.c
-@@ -322,7 +322,7 @@ do_authloop(Authctxt *authctxt)
- 
- #ifndef HAVE_CYGWIN
-               /* Special handling for root */
--              if (authenticated && authctxt->pw->pw_uid == 0 &&
-+              if (authenticated && authctxt->pw->pw_uid == ROOTUID &&
-                   !auth_root_allowed(meth->name)) {
-                       authenticated = 0;
- # ifdef SSH_AUDIT_EVENTS
-@@ -423,8 +423,8 @@ do_authentication(Authctxt *authctxt)
-        * If we are not running as root, the user must have the same uid as
-        * the server.
-        */
--#ifndef HAVE_CYGWIN
--      if (!use_privsep && getuid() != 0 && authctxt->pw &&
-+#if !defined(HAVE_CYGWIN) && !defined(HAVE_INTERIX)
-+      if (!use_privsep && getuid() != ROOTUID && authctxt->pw &&
-           authctxt->pw->pw_uid != getuid())
-               packet_disconnect("Cannot change user when server not running as root.");
- #endif
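Review bot: the deletion is consistent with the release notes (server-side SSH v1 is gone, so auth1.c no longer exists), but the two local changes it carried, `pw_uid == ROOTUID` and the `!defined(HAVE_INTERIX)` guard on the "Cannot change user when server not running as root" check, covered the Interix/ROOTUID cases only on the v1 authentication path. Confirm that the v2 path still carries the equivalent substitutions: patch-auth.c and patch-auth2.c keep their old checksums in distinfo, so they were not regenerated against 7.4p1 and may not have been re-checked.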
diff -r 33bbe3619641 -r 022cd99faf5a security/openssh/patches/patch-clientloop.c
--- a/security/openssh/patches/patch-clientloop.c       Fri Dec 30 03:21:19 2016 +0000
+++ b/security/openssh/patches/patch-clientloop.c       Fri Dec 30 04:43:16 2016 +0000
@@ -1,12 +1,12 @@
-$NetBSD: patch-clientloop.c,v 1.4 2016/03/15 20:54:07 bsiegert Exp $
+$NetBSD: patch-clientloop.c,v 1.5 2016/12/30 04:43:16 taca Exp $
 
 Fix X11 forwarding under Mac OS X Yosemite. Patch taken from MacPorts.
 
 https://trac.macports.org/browser/trunk/dports/net/openssh/files/launchd.patch?rev=121205
 
---- clientloop.c.orig  2016-03-09 18:04:48.000000000 +0000
+--- clientloop.c.orig  2016-12-19 04:59:41.000000000 +0000
 +++ clientloop.c
-@@ -313,6 +313,10 @@ client_x11_get_proto(const char *display
+@@ -315,6 +315,10 @@ client_x11_get_proto(const char *display
        struct stat st;
        u_int now, x11_timeout_real;
  
@@ -17,7 +17,7 @@
        *_proto = proto;
        *_data = data;
        proto[0] = data[0] = xauthfile[0] = xauthdir[0] = '\0';
-@@ -329,6 +333,33 @@ client_x11_get_proto(const char *display
+@@ -331,6 +335,33 @@ client_x11_get_proto(const char *display
        }
  
        if (xauth_path != NULL) {
@@ -51,9 +51,9 @@
                /*
                 * Handle FamilyLocal case where $DISPLAY does
                 * not match an authorization entry.  For this we
-@@ -438,6 +469,9 @@ client_x11_get_proto(const char *display
-       if (!got_data) {
-               u_int32_t rnd = 0;
+@@ -441,6 +472,9 @@ client_x11_get_proto(const char *display
+               u_int8_t rnd[16];
+               u_int i;
  
 +#if __APPLE__
 +              if (!is_path_to_socket)
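Review bot: the context around the `#if __APPLE__` block moved from `if (!got_data) {` / `u_int32_t rnd = 0;` to `u_int8_t rnd[16];` / `u_int i;`, so upstream rewrote how the fake X11 auth cookie is generated and the `if (!is_path_to_socket)` guard is now inserted one line deeper, after the new declarations. That is harmless for C only if what follows is still the first executable statement of the block; re-read the regenerated hunk to make sure the `#endif` closes before the cookie bytes are used, otherwise the launchd-socket special case silently changes meaning.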
diff -r 33bbe3619641 -r 022cd99faf5a security/openssh/patches/patch-openbsd-compat_bsd-openpty.c
--- a/security/openssh/patches/patch-openbsd-compat_bsd-openpty.c       Fri Dec 30 03:21:19 2016 +0000
+++ b/security/openssh/patches/patch-openbsd-compat_bsd-openpty.c       Fri Dec 30 04:43:16 2016 +0000
@@ -1,25 +1,21 @@
-$NetBSD: patch-openbsd-compat_bsd-openpty.c,v 1.3 2016/01/18 12:53:26 jperkin Exp $
+$NetBSD: patch-openbsd-compat_bsd-openpty.c,v 1.4 2016/12/30 04:43:16 taca Exp $
 
 Interix support
 
---- openbsd-compat/bsd-openpty.c.orig  2015-08-21 04:49:03.000000000 +0000
+--- openbsd-compat/bsd-openpty.c.orig  2016-12-19 04:59:41.000000000 +0000
 +++ openbsd-compat/bsd-openpty.c
-@@ -121,15 +121,17 @@ openpty(int *amaster, int *aslave, char 
+@@ -121,6 +121,7 @@ openpty(int *amaster, int *aslave, char 
                return (-1);
        }
  
 +#if !defined(HAVE_INTERIX)
        /*
-        * Try to push the appropriate streams modules, as described 
+        * Try to push the appropriate streams modules, as described
         * in Solaris pts(7).
-        */
-       ioctl(*aslave, I_PUSH, "ptem");
-       ioctl(*aslave, I_PUSH, "ldterm");
--# ifndef __hpux
-+  # ifndef __hpux
+@@ -130,6 +131,7 @@ openpty(int *amaster, int *aslave, char 
+ # ifndef __hpux
        ioctl(*aslave, I_PUSH, "ttcompat");
--# endif /* __hpux */
-+  # endif /* __hpux */
+ # endif /* __hpux */
 +#endif /* !HAVE_INTERIX */
  
        return (0);
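Review bot: good cleanup: the re-rolled hunk no longer re-indents `# ifndef __hpux` / `# endif /* __hpux */` into `  # ifndef __hpux`, which the previous version of the patch did for no reason, so the pkgsrc divergence from upstream is now just the `#if !defined(HAVE_INTERIX)` / `#endif` pair. The patch header still only says "Interix support"; one line explaining that Interix has no STREAMS `I_PUSH` ioctls would save the next updater from having to rediscover why the block is skipped.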
diff -r 33bbe3619641 -r 022cd99faf5a security/openssh/patches/patch-session.c
--- a/security/openssh/patches/patch-session.c  Fri Dec 30 03:21:19 2016 +0000
+++ b/security/openssh/patches/patch-session.c  Fri Dec 30 04:43:16 2016 +0000
@@ -1,10 +1,10 @@
-$NetBSD: patch-session.c,v 1.7 2016/09/18 17:30:11 taca Exp $
+$NetBSD: patch-session.c,v 1.8 2016/12/30 04:43:16 taca Exp $
 
 * Interix support.
 
---- session.c.orig     2016-07-27 22:54:27.000000000 +0000
+--- session.c.orig     2016-12-19 04:59:41.000000000 +0000
 +++ session.c
-@@ -1120,7 +1120,7 @@ read_etc_default_login(char ***env, u_in
+@@ -934,7 +934,7 @@ read_etc_default_login(char ***env, u_in
        if (tmpenv == NULL)
                return;
  
@@ -13,16 +13,16 @@
                var = child_get_env(tmpenv, "SUPATH");
        else
                var = child_get_env(tmpenv, "PATH");
-@@ -1230,7 +1230,7 @@ do_setup_env(Session *s, const char *she
+@@ -1042,7 +1042,7 @@ do_setup_env(Session *s, const char *she
  #  endif /* HAVE_ETC_DEFAULT_LOGIN */
-               if (path == NULL || *path == '\0') {
-                       child_set_env(&env, &envsize, "PATH",
--                          s->pw->pw_uid == 0 ?
-+                          s->pw->pw_uid == ROOTUID ?
-                               SUPERUSER_PATH : _PATH_STDPATH);
-               }
+       if (path == NULL || *path == '\0') {
+               child_set_env(&env, &envsize, "PATH",
+-                  s->pw->pw_uid == 0 ?  SUPERUSER_PATH : _PATH_STDPATH);
++                  s->pw->pw_uid == ROOTUID ?  SUPERUSER_PATH : _PATH_STDPATH);
+       }
  # endif /* HAVE_CYGWIN */
-@@ -1346,6 +1346,18 @@ do_setup_env(Session *s, const char *she
+ #endif /* HAVE_LOGIN_CAP */
+@@ -1154,6 +1154,18 @@ do_setup_env(Session *s, const char *she
                    strcmp(pw->pw_dir, "/") ? pw->pw_dir : "");
                read_environment_file(&env, &envsize, buf);
        }
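Review bot: the ROOTUID substitution now rides on a single line because upstream folded the ternary onto one line; the double space in `ROOTUID ?  SUPERUSER_PATH` is upstream's and has to stay for the context to match. The hunk offsets in this file shifted by roughly 186 to 240 lines (-1120 to -934, -1230 to -1042, -1346 to -1154, -1537 to -1345, -2388 to -2148), consistent with the UseLogin/login(1) removal in the release notes; since large shifts are where fuzzy matches land in the wrong function, it is worth confirming with `patch -p0 --dry-run -F0` that every hunk applies without fuzz.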
@@ -41,7 +41,7 @@
        if (debug_flag) {
                /* dump the environment */
                fprintf(stderr, "Environment:\n");
-@@ -1537,11 +1549,13 @@ do_setusercontext(struct passwd *pw)
+@@ -1345,11 +1357,13 @@ do_setusercontext(struct passwd *pw)
                        perror("setgid");
                        exit(1);
                }
@@ -55,7 +55,7 @@
                endgrent();
  #endif
  
-@@ -2388,7 +2402,7 @@ session_pty_cleanup2(Session *s)
+@@ -2148,7 +2162,7 @@ session_pty_cleanup2(Session *s)
                record_logout(s->pid, s->tty, s->pw->pw_name);
  
        /* Release the pseudo-tty. */
diff -r 33bbe3619641 -r 022cd99faf5a security/openssh/patches/patch-sshd.c
--- a/security/openssh/patches/patch-sshd.c     Fri Dec 30 03:21:19 2016 +0000
+++ b/security/openssh/patches/patch-sshd.c     Fri Dec 30 04:43:16 2016 +0000
@@ -1,11 +1,11 @@
-$NetBSD: patch-sshd.c,v 1.7 2016/03/15 20:54:07 bsiegert Exp $
+$NetBSD: patch-sshd.c,v 1.8 2016/12/30 04:43:16 taca Exp $
 
 * Interix support
 * Revive tcp_wrappers support.
 
---- sshd.c.orig        2016-03-09 18:04:48.000000000 +0000
+--- sshd.c.orig        2016-12-19 04:59:41.000000000 +0000
 +++ sshd.c
-@@ -125,6 +125,13 @@
+@@ -123,6 +123,13 @@
  #include "version.h"
  #include "ssherr.h"
  
@@ -16,10 +16,10 @@
 +int deny_severity;
 +#endif /* LIBWRAP */
 +
- #ifndef O_NOCTTY
- #define O_NOCTTY      0
- #endif
-@@ -236,7 +243,11 @@ int *startup_pipes = NULL;
+ /* Re-exec fds */
+ #define REEXEC_DEVCRYPTO_RESERVED_FD  (STDERR_FILENO + 1)
+ #define REEXEC_STARTUP_PIPE_FD                (STDERR_FILENO + 2)
+@@ -220,7 +227,11 @@ int *startup_pipes = NULL;
  int startup_pipe;             /* in child */
  
  /* variables used for privilege separation */
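Review bot: the revived tcp_wrappers globals (`int deny_severity;` under `#endif /* LIBWRAP */`) are a pkgsrc-only divergence: upstream removed libwrap in OpenSSH 6.7, so every release moves these hunks (here -125 to -123 and -236 to -220). The re-roll itself is fine, but the patch header "Revive tcp_wrappers support." should state that these globals are useless without the matching hosts_access() call-site hunk later in the same patch, so that nobody trims one without the other on a future update.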
@@ -31,7 +31,7 @@
  struct monitor *pmonitor = NULL;
  int privsep_is_preauth = 1;
  
-@@ -632,7 +643,7 @@ privsep_preauth_child(void)
+@@ -541,7 +552,7 @@ privsep_preauth_child(void)
        demote_sensitive_data();
  
        /* Demote the child */
@@ -40,7 +40,7 @@
                /* Change our root directory */
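Review bot: the archive truncated the diff at 300 of 364 lines, so the remainder of patch-sshd.c (the privilege-separation hunk around `privsep_preauth_child`'s chroot at -541/+552 and anything after it) is not reviewable here; fetch the full changeset from the details URL above before signing off on the sshd.c part of this update.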


