pkgsrc-Changes-HG archive
[pkgsrc/pkgsrc-2016Q4]: pkgsrc/security/openssh Pullup ticket #5178 - request...
details: https://anonhg.NetBSD.org/pkgsrc/rev/d391ac355d2a
branches: pkgsrc-2016Q4
changeset: 408700:d391ac355d2a
user: bsiegert <bsiegert%pkgsrc.org@localhost>
date: Sun Jan 08 11:05:07 2017 +0000
description:
Pullup ticket #5178 - requested by taca
security/openssh: security fix
Revisions pulled up:
- security/openssh/Makefile 1.250
- security/openssh/distinfo 1.103
- security/openssh/options.mk 1.34
- security/openssh/patches/patch-auth1.c deleted
- security/openssh/patches/patch-clientloop.c 1.5
- security/openssh/patches/patch-openbsd-compat_bsd-openpty.c 1.4
- security/openssh/patches/patch-session.c 1.8
- security/openssh/patches/patch-sshd.c 1.8
---
Module Name: pkgsrc
Committed By: taca
Date: Fri Dec 30 04:43:16 UTC 2016
Modified Files:
pkgsrc/security/openssh: Makefile distinfo options.mk
pkgsrc/security/openssh/patches: patch-clientloop.c
patch-openbsd-compat_bsd-openpty.c patch-session.c patch-sshd.c
Removed Files:
pkgsrc/security/openssh/patches: patch-auth1.c
Log Message:
Update openssh to 7.4.1 (7.4p1), including security fixes.
For full changes, please refer to the ChangeLog file.
Future deprecation notice
=========================
We plan on retiring more legacy cryptography in future releases,
specifically:
* In approximately August 2017, removing remaining support for the
SSH v.1 protocol (client-only and currently compile-time disabled).
* In the same release, removing support for Blowfish and RC4 ciphers
and the RIPE-MD160 HMAC. (These are currently run-time disabled).
* Refusing all RSA keys smaller than 1024 bits (the current minimum
is 768 bits)
* The next release of OpenSSH will remove support for running sshd(8)
with privilege separation disabled.
* The next release of portable OpenSSH will remove support for
OpenSSL versions prior to 1.0.1.
This list reflects our current intentions, but please check the final
release notes for future releases.
Potentially-incompatible changes
================================
This release includes a number of changes that may affect existing
configurations:
* This release removes server support for the SSH v.1 protocol.
* ssh(1): Remove 3des-cbc from the client's default proposal. 64-bit
block ciphers are not safe in 2016 and we don't want to wait until
attacks like SWEET32 are extended to SSH. As 3des-cbc was the
only mandatory cipher in the SSH RFCs, this may cause problems
connecting to older devices using the default configuration,
but it's highly likely that such devices already need explicit
configuration for key exchange and hostkey algorithms already
anyway.
* sshd(8): Remove support for pre-authentication compression.
Doing compression early in the protocol probably seemed reasonable
in the 1990s, but today it's clearly a bad idea in terms of both
cryptography (cf. multiple compression oracle attacks in TLS) and
attack surface. Pre-auth compression support has been disabled by
default for >10 years. Support remains in the client.
* ssh-agent will refuse to load PKCS#11 modules outside a whitelist
of trusted paths by default. The path whitelist may be specified
at run-time.
* sshd(8): When a forced-command appears in both a certificate and
an authorized keys/principals command= restriction, sshd will now
refuse to accept the certificate unless they are identical.
The previous (documented) behaviour of having the certificate
forced-command override the other could be a bit confusing and
error-prone.
* sshd(8): Remove the UseLogin configuration directive and support
for having /bin/login manage login sessions.
Changes since OpenSSH 7.3
=========================
This is primarily a bugfix release.
Security
--------
* ssh-agent(1): Will now refuse to load PKCS#11 modules from paths
outside a trusted whitelist (run-time configurable). Requests to
load modules could be passed via agent forwarding and an attacker
could attempt to load a hostile PKCS#11 module across the forwarded
agent channel: PKCS#11 modules are shared libraries, so this would
result in code execution on the system running the ssh-agent if the
attacker has control of the forwarded agent-socket (on the host
running the sshd server) and the ability to write to the filesystem
of the host running ssh-agent (usually the host running the ssh
client). Reported by Jann Horn of Project Zero.
* sshd(8): When privilege separation is disabled, forwarded Unix-
domain sockets would be created by sshd(8) with the privileges of
'root' instead of the authenticated user. This release refuses
Unix-domain socket forwarding when privilege separation is disabled
(Privilege separation has been enabled by default for 14 years).
Reported by Jann Horn of Project Zero.
* sshd(8): Avoid theoretical leak of host private key material to
privilege-separated child processes via realloc() when reading
keys. No such leak was observed in practice for normal-sized keys,
nor does a leak to the child processes directly expose key material
to unprivileged users. Reported by Jann Horn of Project Zero.
* sshd(8): The shared memory manager used by pre-authentication
compression support had a bounds check that could be elided by
some optimising compilers. Additionally, this memory manager was
incorrectly accessible when pre-authentication compression was
disabled. This could potentially allow attacks against the
privileged monitor process from the sandboxed privilege-separation
process (a compromise of the latter would be required first).
This release removes support for pre-authentication compression
from sshd(8). Reported by Guido Vranken using the Stack unstable
optimisation identification tool (http://css.csail.mit.edu/stack/)
* sshd(8): Fix denial-of-service condition where an attacker who
sends multiple KEXINIT messages may consume up to 128MB per
connection. Reported by Shi Lei of Gear Team, Qihoo 360.
* sshd(8): Validate address ranges for AllowUsers and DenyUsers
directives at configuration load time and refuse to accept invalid
ones. It was previously possible to specify invalid CIDR address
ranges (e.g. user@127.1.2.3/55) and these would always match,
possibly resulting in granting access where it was not intended.
Reported by Laurence Parry.
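An added example, not part of the commit message or of OpenSSH's own code: an audit script for the last item above, which flags AllowUsers/DenyUsers patterns whose CIDR part cannot be valid and which an sshd older than 7.4 would therefore treat as always matching. The sample configuration is constructed, and the function names and the simplified config parsing are assumptions.

```python
import ipaddress

# Directives whose USER@HOST patterns may end in an ADDRESS/PREFIXLEN range.
DIRECTIVES = {"allowusers", "denyusers"}

# Constructed sample configuration (not taken from any real host).
SAMPLE_CONFIG = """\
# constructed sshd_config fragment
Port 22
AllowUsers alice@10.0.0.0/8 bob@127.1.2.3/55
DenyUsers mallory@2001:db8::/129 guest@*.example.org
AllowUsers carol
"""


def cidr_problem(host):
    """Return a reason string if ADDRESS/PREFIXLEN cannot be valid, else None."""
    addr, _, plen = host.partition("/")
    if not plen.isdecimal():
        return "prefix length is not a number"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "address part is not an IPv4 or IPv6 address"
    if int(plen) > ip.max_prefixlen:
        return f"prefix length {plen} exceeds {ip.max_prefixlen}"
    return None


def invalid_cidr_patterns(config_text):
    """List (line_no, directive, pattern, reason) for every bad CIDR pattern."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if not fields or fields[0].lower() not in DIRECTIVES:
            continue
        for pattern in fields[1:]:
            _user, at, host = pattern.rpartition("@")
            if not at or "/" not in host:
                continue  # bare user, or a hostname/wildcard pattern
            reason = cidr_problem(host)
            if reason:
                findings.append((line_no, fields[0], pattern, reason))
    return findings


if __name__ == "__main__":
    for line_no, directive, pattern, reason in invalid_cidr_patterns(SAMPLE_CONFIG):
        print(f"line {line_no}: {directive} {pattern}: {reason}")
```

Run it against a copy of sshd_config before upgrading: entries it reports will make a 7.4 sshd refuse the configuration at load time, and on older versions they match every address.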
diffstat:
security/openssh/Makefile | 4 +-
security/openssh/distinfo | 19 +++---
security/openssh/options.mk | 14 ++--
security/openssh/patches/patch-auth1.c | 26 ---------
security/openssh/patches/patch-clientloop.c | 14 ++--
security/openssh/patches/patch-openbsd-compat_bsd-openpty.c | 18 ++----
security/openssh/patches/patch-session.c | 26 ++++----
security/openssh/patches/patch-sshd.c | 34 ++++++------
8 files changed, 62 insertions(+), 93 deletions(-)
diffs (truncated from 364 to 300 lines):
diff -r f8457c4ce149 -r d391ac355d2a security/openssh/Makefile
--- a/security/openssh/Makefile Mon Jan 02 14:41:31 2017 +0000
+++ b/security/openssh/Makefile Sun Jan 08 11:05:07 2017 +0000
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.249 2016/09/18 17:30:10 taca Exp $
+# $NetBSD: Makefile,v 1.249.4.1 2017/01/08 11:05:07 bsiegert Exp $
-DISTNAME= openssh-7.3p1
+DISTNAME= openssh-7.4p1
PKGNAME= ${DISTNAME:S/p1/.1/}
CATEGORIES= security
MASTER_SITES= ${MASTER_SITE_OPENBSD:=OpenSSH/portable/}
diff -r f8457c4ce149 -r d391ac355d2a security/openssh/distinfo
--- a/security/openssh/distinfo Mon Jan 02 14:41:31 2017 +0000
+++ b/security/openssh/distinfo Sun Jan 08 11:05:07 2017 +0000
@@ -1,32 +1,31 @@
-$NetBSD: distinfo,v 1.102 2016/09/18 17:30:10 taca Exp $
+$NetBSD: distinfo,v 1.102.4.1 2017/01/08 11:05:07 bsiegert Exp $
-SHA1 (openssh-7.3p1.tar.gz) = bfade84283fcba885e2084343ab19a08c7d123a5
-RMD160 (openssh-7.3p1.tar.gz) = 823fc1e16c5d27a2361ed0b22f5ee24be11d2c13
-SHA512 (openssh-7.3p1.tar.gz) = 7ba2d6140f38bd359ebf32ef17626e0ae1c00c3a38c01877b7c6b0317d030f10a8f82a0a51fc3b6273619de9ed73e24b8cf107b1e968f927053a3bedf97ff801
-Size (openssh-7.3p1.tar.gz) = 1522617 bytes
+SHA1 (openssh-7.4p1.tar.gz) = 2330bbf82ed08cf3ac70e0acf00186ef3eeb97e0
+RMD160 (openssh-7.4p1.tar.gz) = dff996c9f7ab697a04968fbd8924642253bc0e06
+SHA512 (openssh-7.4p1.tar.gz) = 4f3256f461f01366c5d5e0e45285eec65016e2643b3284b407f48f53d81087bf2c1caf7d5f7530d307a15c91c64de91446e1cba948e8fc68f82098290fe3b292
+Size (openssh-7.4p1.tar.gz) = 1511780 bytes
SHA1 (patch-Makefile.in) = 98960119bda68a663214c8880484552f1207bcfc
SHA1 (patch-auth-passwd.c) = 5205ca4d15dbcd3f4c574f0a2fb7713ae69af5f7
SHA1 (patch-auth-rhosts.c) = a5e6131e63b83a7e8a06cd80f22def449d6bc2c4
SHA1 (patch-auth.c) = cd13f8b31b45d668c5e09eca098b17ec8a7c1039
-SHA1 (patch-auth1.c) = cdac14ffa4008e62926526e66316b0a553435374
SHA1 (patch-auth2.c) = efc1eb6d28cb6ec2bd87723943f3e36c612d93aa
SHA1 (patch-channels.c) = edcce67664bbbc30a8d10ed2fe58dcece944726c
-SHA1 (patch-clientloop.c) = 9b2db181d964b7720e1dc12724a9b9033f28d0e7
+SHA1 (patch-clientloop.c) = 4e88fbd14db33f003eb93c30c682a017e102196e
SHA1 (patch-config.h.in) = 7406f10b568d2b8237ee575922ce712658d90d59
SHA1 (patch-configure.ac) = d7ba54f34e03fd204eb1a9804fcae7fd16e285e2
SHA1 (patch-defines.h) = bd8687a9a2857f3b8d15ae94095f27f9344003c4
SHA1 (patch-includes.h) = c4a7622af6fbcd098d18d257724dca6aaeea4fda
SHA1 (patch-loginrec.c) = 28082deb14258fe63cbecad8ac96afc016de439c
-SHA1 (patch-openbsd-compat_bsd-openpty.c) = eaac72830e36e307c19a7b679e6018ece9aebaac
+SHA1 (patch-openbsd-compat_bsd-openpty.c) = 80e076a18a0f9ba211ecd4bc5853ce01899568ae
SHA1 (patch-openbsd-compat_openbsd-compat.h) = bedbede16ab2fe918419c994ba15a20167b411b4
SHA1 (patch-openbsd-compat_port-tun.c) = 690dfb1f945d186dd3de5bea70ed8fab86e590ee
SHA1 (patch-platform.c) = f8f211dbc5e596c0f82eb86324d18a84c6151ec5
SHA1 (patch-sandbox-darwin.c) = c9a1fe2e4dbf98e929d983b4206a244e0e354b75
SHA1 (patch-scp.c) = 9c2317b0f796641903a826db355ba06595a26ea1
-SHA1 (patch-session.c) = 850cef27299cf8af6a19987d5e070bf501cd57fb
+SHA1 (patch-session.c) = c67d649dc66a65ff39d701135a2f2dab6ba2fb93
SHA1 (patch-sftp-common.c) = 6819aa040c8f1caa30a704cf6f0588e498df8778
SHA1 (patch-ssh.c) = 6877d8205d999906c14240d4d112b084609927ca
SHA1 (patch-sshd.8) = 5bf48cd27cef8e8810b9dc7115f5180102a345d1
-SHA1 (patch-sshd.c) = cd23ce269bfb48b0caa901e62fc01d35ef0618ac
+SHA1 (patch-sshd.c) = a1ccf7e54275629965d80d9cf7cd8669d9f1f4cf
SHA1 (patch-sshpty.c) = cb691d4fbde808927f2fbcc12b87ad983cf21938
SHA1 (patch-uidswap.c) = 68c4f5ffab7f4c5c9c00b7443a74b2da52809b7e
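Review bot: the three new digests for openssh-7.4p1.tar.gz at the top of this hunk are what every later build of the package trusts, and nothing in the log message says how they were obtained. A line stating that the tarball was checked against the upstream release signature or announcement before the digests were regenerated would make this security update auditable.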
diff -r f8457c4ce149 -r d391ac355d2a security/openssh/options.mk
--- a/security/openssh/options.mk Mon Jan 02 14:41:31 2017 +0000
+++ b/security/openssh/options.mk Sun Jan 08 11:05:07 2017 +0000
@@ -1,9 +1,9 @@
-# $NetBSD: options.mk,v 1.33 2016/07/10 10:41:38 rillig Exp $
+# $NetBSD: options.mk,v 1.33.4.1 2017/01/08 11:05:07 bsiegert Exp $
.include "../../mk/bsd.prefs.mk"
PKG_OPTIONS_VAR= PKG_OPTIONS.openssh
-PKG_SUPPORTED_OPTIONS= hpn-patch kerberos openssl pam
+PKG_SUPPORTED_OPTIONS= kerberos openssl pam
PKG_SUGGESTED_OPTIONS= openssl
.include "../../mk/bsd.options.mk"
@@ -23,11 +23,11 @@
. endif
.endif
-.if !empty(PKG_OPTIONS:Mhpn-patch)
-PATCHFILES= openssh-7.1p1-hpn-20150822.diff.bz2
-PATCH_SITES= ftp://ftp.NetBSD.org/pub/NetBSD/misc/openssh/
-PATCH_DIST_STRIP= -p1
-.endif
+#.if !empty(PKG_OPTIONS:Mhpn-patch)
+#PATCHFILES= openssh-7.1p1-hpn-20150822.diff.bz2
+#PATCH_SITES= ftp://ftp.NetBSD.org/pub/NetBSD/misc/openssh/
+#PATCH_DIST_STRIP= -p1
+#.endif
PLIST_VARS+= pam
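Review bot: the hpn-patch block at the end of this hunk is commented out rather than deleted, and the file gives no reason. Since `hpn-patch` is also dropped from PKG_SUPPORTED_OPTIONS in the previous hunk, either remove the five lines or add a comment saying why the option is disabled (the referenced patch file is named for 7.1p1), so that the dead lines, including the plain `ftp://` PATCH_SITES URL, are not re-enabled later without review. Users who had the option set lose it with this update, which deserves a sentence in the log message.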
diff -r f8457c4ce149 -r d391ac355d2a security/openssh/patches/patch-auth1.c
--- a/security/openssh/patches/patch-auth1.c Mon Jan 02 14:41:31 2017 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,26 +0,0 @@
-$NetBSD: patch-auth1.c,v 1.4 2016/01/18 12:53:26 jperkin Exp $
-
-Replace uid 0 with ROOTUID macro
-
---- auth1.c.orig 2015-08-21 04:49:03.000000000 +0000
-+++ auth1.c
-@@ -322,7 +322,7 @@ do_authloop(Authctxt *authctxt)
-
- #ifndef HAVE_CYGWIN
- /* Special handling for root */
-- if (authenticated && authctxt->pw->pw_uid == 0 &&
-+ if (authenticated && authctxt->pw->pw_uid == ROOTUID &&
- !auth_root_allowed(meth->name)) {
- authenticated = 0;
- # ifdef SSH_AUDIT_EVENTS
-@@ -423,8 +423,8 @@ do_authentication(Authctxt *authctxt)
- * If we are not running as root, the user must have the same uid as
- * the server.
- */
--#ifndef HAVE_CYGWIN
-- if (!use_privsep && getuid() != 0 && authctxt->pw &&
-+#if !defined(HAVE_CYGWIN) && !defined(HAVE_INTERIX)
-+ if (!use_privsep && getuid() != ROOTUID && authctxt->pw &&
- authctxt->pw->pw_uid != getuid())
- packet_disconnect("Cannot change user when server not running as root.");
- #endif
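Review bot: the log message does not say why this patch can be dropped. The removed lines carried the ROOTUID substitution and the HAVE_INTERIX guard for do_authloop() and do_authentication() in auth1.c; if the reason is that 7.4 removes server support for SSH v.1, as the quoted release notes state, and auth1.c is gone upstream, a one-line note to that effect would let a reader confirm that no remaining root check lost its ROOTUID or Interix handling.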
diff -r f8457c4ce149 -r d391ac355d2a security/openssh/patches/patch-clientloop.c
--- a/security/openssh/patches/patch-clientloop.c Mon Jan 02 14:41:31 2017 +0000
+++ b/security/openssh/patches/patch-clientloop.c Sun Jan 08 11:05:07 2017 +0000
@@ -1,12 +1,12 @@
-$NetBSD: patch-clientloop.c,v 1.4 2016/03/15 20:54:07 bsiegert Exp $
+$NetBSD: patch-clientloop.c,v 1.4.8.1 2017/01/08 11:05:07 bsiegert Exp $
Fix X11 forwarding under Mac OS X Yosemite. Patch taken from MacPorts.
https://trac.macports.org/browser/trunk/dports/net/openssh/files/launchd.patch?rev=121205
---- clientloop.c.orig 2016-03-09 18:04:48.000000000 +0000
+--- clientloop.c.orig 2016-12-19 04:59:41.000000000 +0000
+++ clientloop.c
-@@ -313,6 +313,10 @@ client_x11_get_proto(const char *display
+@@ -315,6 +315,10 @@ client_x11_get_proto(const char *display
struct stat st;
u_int now, x11_timeout_real;
@@ -17,7 +17,7 @@
*_proto = proto;
*_data = data;
proto[0] = data[0] = xauthfile[0] = xauthdir[0] = '\0';
-@@ -329,6 +333,33 @@ client_x11_get_proto(const char *display
+@@ -331,6 +335,33 @@ client_x11_get_proto(const char *display
}
if (xauth_path != NULL) {
@@ -51,9 +51,9 @@
/*
* Handle FamilyLocal case where $DISPLAY does
* not match an authorization entry. For this we
-@@ -438,6 +469,9 @@ client_x11_get_proto(const char *display
- if (!got_data) {
- u_int32_t rnd = 0;
+@@ -441,6 +472,9 @@ client_x11_get_proto(const char *display
+ u_int8_t rnd[16];
+ u_int i;
+#if __APPLE__
+ if (!is_path_to_socket)
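Review bot: in the last inner hunk the guard is written `#if __APPLE__`; prefer `#ifdef __APPLE__` or `#if defined(__APPLE__)` so that builds with -Wundef stay quiet on other platforms. The upstream context in front of it also changed from `u_int32_t rnd = 0;` to `u_int8_t rnd[16];`, so the added `if (!is_path_to_socket)` now guards different code; the guarded statements are not visible in this diff and should be rechecked against the 7.4p1 source rather than trusted on the strength of the re-based offsets.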
diff -r f8457c4ce149 -r d391ac355d2a security/openssh/patches/patch-openbsd-compat_bsd-openpty.c
--- a/security/openssh/patches/patch-openbsd-compat_bsd-openpty.c Mon Jan 02 14:41:31 2017 +0000
+++ b/security/openssh/patches/patch-openbsd-compat_bsd-openpty.c Sun Jan 08 11:05:07 2017 +0000
@@ -1,25 +1,21 @@
-$NetBSD: patch-openbsd-compat_bsd-openpty.c,v 1.3 2016/01/18 12:53:26 jperkin Exp $
+$NetBSD: patch-openbsd-compat_bsd-openpty.c,v 1.3.8.1 2017/01/08 11:05:07 bsiegert Exp $
Interix support
---- openbsd-compat/bsd-openpty.c.orig 2015-08-21 04:49:03.000000000 +0000
+--- openbsd-compat/bsd-openpty.c.orig 2016-12-19 04:59:41.000000000 +0000
+++ openbsd-compat/bsd-openpty.c
-@@ -121,15 +121,17 @@ openpty(int *amaster, int *aslave, char
+@@ -121,6 +121,7 @@ openpty(int *amaster, int *aslave, char
return (-1);
}
+#if !defined(HAVE_INTERIX)
/*
- * Try to push the appropriate streams modules, as described
+ * Try to push the appropriate streams modules, as described
* in Solaris pts(7).
- */
- ioctl(*aslave, I_PUSH, "ptem");
- ioctl(*aslave, I_PUSH, "ldterm");
--# ifndef __hpux
-+ # ifndef __hpux
+@@ -130,6 +131,7 @@ openpty(int *amaster, int *aslave, char
+ # ifndef __hpux
ioctl(*aslave, I_PUSH, "ttcompat");
--# endif /* __hpux */
-+ # endif /* __hpux */
+ # endif /* __hpux */
+#endif /* !HAVE_INTERIX */
return (0);
diff -r f8457c4ce149 -r d391ac355d2a security/openssh/patches/patch-session.c
--- a/security/openssh/patches/patch-session.c Mon Jan 02 14:41:31 2017 +0000
+++ b/security/openssh/patches/patch-session.c Sun Jan 08 11:05:07 2017 +0000
@@ -1,10 +1,10 @@
-$NetBSD: patch-session.c,v 1.7 2016/09/18 17:30:11 taca Exp $
+$NetBSD: patch-session.c,v 1.7.4.1 2017/01/08 11:05:07 bsiegert Exp $
* Interix support.
---- session.c.orig 2016-07-27 22:54:27.000000000 +0000
+--- session.c.orig 2016-12-19 04:59:41.000000000 +0000
+++ session.c
-@@ -1120,7 +1120,7 @@ read_etc_default_login(char ***env, u_in
+@@ -934,7 +934,7 @@ read_etc_default_login(char ***env, u_in
if (tmpenv == NULL)
return;
@@ -13,16 +13,16 @@
var = child_get_env(tmpenv, "SUPATH");
else
var = child_get_env(tmpenv, "PATH");
-@@ -1230,7 +1230,7 @@ do_setup_env(Session *s, const char *she
+@@ -1042,7 +1042,7 @@ do_setup_env(Session *s, const char *she
# endif /* HAVE_ETC_DEFAULT_LOGIN */
- if (path == NULL || *path == '\0') {
- child_set_env(&env, &envsize, "PATH",
-- s->pw->pw_uid == 0 ?
-+ s->pw->pw_uid == ROOTUID ?
- SUPERUSER_PATH : _PATH_STDPATH);
- }
+ if (path == NULL || *path == '\0') {
+ child_set_env(&env, &envsize, "PATH",
+- s->pw->pw_uid == 0 ? SUPERUSER_PATH : _PATH_STDPATH);
++ s->pw->pw_uid == ROOTUID ? SUPERUSER_PATH : _PATH_STDPATH);
+ }
# endif /* HAVE_CYGWIN */
-@@ -1346,6 +1346,18 @@ do_setup_env(Session *s, const char *she
+ #endif /* HAVE_LOGIN_CAP */
+@@ -1154,6 +1154,18 @@ do_setup_env(Session *s, const char *she
strcmp(pw->pw_dir, "/") ? pw->pw_dir : "");
read_environment_file(&env, &envsize, buf);
}
@@ -41,7 +41,7 @@
if (debug_flag) {
/* dump the environment */
fprintf(stderr, "Environment:\n");
-@@ -1537,11 +1549,13 @@ do_setusercontext(struct passwd *pw)
+@@ -1345,11 +1357,13 @@ do_setusercontext(struct passwd *pw)
perror("setgid");
exit(1);
}
@@ -55,7 +55,7 @@
endgrent();
#endif
-@@ -2388,7 +2402,7 @@ session_pty_cleanup2(Session *s)
+@@ -2148,7 +2162,7 @@ session_pty_cleanup2(Session *s)
record_logout(s->pid, s->tty, s->pw->pw_name);
/* Release the pseudo-tty. */
diff -r f8457c4ce149 -r d391ac355d2a security/openssh/patches/patch-sshd.c
--- a/security/openssh/patches/patch-sshd.c Mon Jan 02 14:41:31 2017 +0000
+++ b/security/openssh/patches/patch-sshd.c Sun Jan 08 11:05:07 2017 +0000
@@ -1,11 +1,11 @@
-$NetBSD: patch-sshd.c,v 1.7 2016/03/15 20:54:07 bsiegert Exp $
+$NetBSD: patch-sshd.c,v 1.7.8.1 2017/01/08 11:05:07 bsiegert Exp $
* Interix support
* Revive tcp_wrappers support.
---- sshd.c.orig 2016-03-09 18:04:48.000000000 +0000
+--- sshd.c.orig 2016-12-19 04:59:41.000000000 +0000
+++ sshd.c
-@@ -125,6 +125,13 @@
+@@ -123,6 +123,13 @@
#include "version.h"
#include "ssherr.h"
@@ -16,10 +16,10 @@
+int deny_severity;
+#endif /* LIBWRAP */
+
- #ifndef O_NOCTTY
- #define O_NOCTTY 0
- #endif
-@@ -236,7 +243,11 @@ int *startup_pipes = NULL;
+ /* Re-exec fds */
+ #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
+ #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
+@@ -220,7 +227,11 @@ int *startup_pipes = NULL;
int startup_pipe; /* in child */
/* variables used for privilege separation */
@@ -31,7 +31,7 @@
struct monitor *pmonitor = NULL;
int privsep_is_preauth = 1;
-@@ -632,7 +643,7 @@ privsep_preauth_child(void)
+@@ -541,7 +552,7 @@ privsep_preauth_child(void)
demote_sensitive_data();
/* Demote the child */
@@ -40,7 +40,7 @@
/* Change our root directory */