pkgsrc-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[pkgsrc/trunk]: pkgsrc/security/dropbear dropbear: Update to 2019.78



details:   https://anonhg.NetBSD.org/pkgsrc/rev/81e6eae5fde5
branches:  trunk
changeset: 396811:81e6eae5fde5
user:      nia <nia%pkgsrc.org@localhost>
date:      Mon Jun 10 13:44:35 2019 +0000

description:
dropbear: Update to 2019.78

Changes:

2019.78 - 27 March 2019

- Fix dbclient regression in 2019.77. After exiting the terminal would be left
  in a bad state. Reported by Ryan Woodsmall

2019.77 - 23 March 2019

- Fix server -R option with ECDSA - only advertise one key size which will be accepted.
  Reported by Peter Krefting, 2018.76 regression.

- Fix server regression in 2018.76 where multiple client -R forwards were all forwarded
  to the first destination. Reported by Iddo Samet.

- Make failure delay more consistent to avoid revealing valid usernames, set server password
  limit of 100 characters. Problem reported by usd responsible disclosure team

- Change handling of failed authentication to avoid disclosing valid usernames,
  CVE-2018-15599.

- Fix dbclient to reliably return the exit code from the remote server.
  Reported by W. Mike Petullo

- Fix export of 521-bit ECDSA keys, from Christian Hohnst??dt

- Add -o Port=xxx option to work with sshfs, from xcko

- Merged fuzzing code, see FUZZER-NOTES.md

- Add a DROPBEAR_SVR_MULTIUSER=0 compile option to run on
  single-user Linux kernels (CONFIG_MULTIUSER disabled). From Patrick Stewart

- Increase allowed username to 100 characters, reported by W. Mike Petullo

- Update config.sub and config.guess, should now work with RISC-V

- Cygwin compile fix from karel-m

- Don't require GNU sed (accidentally in 2018.76), reported by Samuel Hsu

- Fix for IRIX and writev(), reported by Kazuo Kuroi

- Other fixes and cleanups from Fran??ois Perrad, Andre McCurdy, Konstantin Demin,
  Michael Jones, Pawel Rapkiewicz


2018.76 - 27 February 2018

> > > Configuration/compatibility changes
  IMPORTANT
  Custom configuration is now specified in localoptions.h rather than options.h
  Available options and defaults can be seen in default_options.h

  To migrate your configuration, compare your customised options.h against the
  upstream options.h from your relevant version. Any customised options should
  be put in localoptions.h in the build directory.

- "configure --enable-static" should now be used instead of "make STATIC=1"
  This will avoid 'hardened build' flags that conflict with static binaries

- Set 'hardened build' flags by default if supported by the compiler.
  These can be disabled with configure --disable-harden if needed.
  -Wl,-pie
  -Wl,-z,now -Wl,-z,relro
  -fstack-protector-strong
  -D_FORTIFY_SOURCE=2
  # spectre v2 mitigation
  -mfunction-return=thunk
  -mindirect-branch=thunk

  Spectre patch from Loganaden Velvindron

- "dropbear -r" option for hostkeys no longer attempts to load the default
  hostkey paths as well. If desired these can be specified manually.
  Patch from CamVan Nguyen

- group1-sha1 key exchange is disabled in the server by default since
  the fixed 1024-bit group may be susceptible to attacks

- twofish ciphers are now disabled in the default configuration

- Default generated ECDSA key size is now 256 (rather than 521)
  for better interoperability

- Minimum RSA key length has been increased to 1024 bits

> > > Other features and fixes

- Add runtime -T max_auth_tries option from Kevin Darbyshire-Bryant

- Add 'dbclient -J &fd' to allow dbclient to connect over an existing socket.
  See dbclient manpage for a socat example. Patch from Harald Becker

- Add "-c forced_command" option. Patch from Jeremy Kerr

- Restricted group -G option added with patch from stellarpower

- Support server-chosen TCP forwarding ports, patch from houseofkodai

- Allow choosing outgoing address for dbclient with -b [bind_address][:bind_port]
  Patch from houseofkodai

- Makefile will now rebuild object files when header files are modified

- Add group14-256 and group16 key exchange options

- curve25519-sha256 also supported without @libssh.org suffix

- Update bundled libtomcrypt to 1.18.1, libtommath to 1.0.1
  This fixes building with some recent versions of clang

- Set PAM_RHOST which is needed by modules such as pam_abl

- Improvements to DSS and RSA public key validation, found by OSS-Fuzz.

- Don't exit when an authorized_keys file has malformed entries. Found by OSS-Fuzz

- Fix null-pointer crash with malformed ECDSA or DSS keys. Found by OSS-Fuzz

- Numerous code cleanups and small issues fixed by Francois Perrad

- Test for pkt_sched.h rather than SO_PRIORITY which was problematic with some musl
  platforms. Reported by Oliver Schneider and Andrew Bainbridge

- Fix some platform portability problems, from Ben Gardner

- Add EXEEXT filename suffix for building dropbearmulti, from William Foster

- Support --enable-<option> properly for configure, from Stefan Hauser

- configure have_openpty result can be cached, from Eric B??nard

- handle platforms that return close() < -1 on failure, from Marco Wenzel

- Build and configuration cleanups from Michael Witten

- Fix libtomcrypt/libtommath linking order, from Andre McCurdy

- Fix old Linux platforms that have SYS_clock_gettime but not CLOCK_MONOTONIC

- Update curve25519-donna implementation to current version

diffstat:

 security/dropbear/Makefile                         |   8 ++--
 security/dropbear/distinfo                         |  14 ++++----
 security/dropbear/patches/patch-aa                 |  34 +++++----------------
 security/dropbear/patches/patch-ab                 |  16 ----------
 security/dropbear/patches/patch-default__options.h |  16 ++++++++++
 5 files changed, 35 insertions(+), 53 deletions(-)

diffs (141 lines):

diff -r c2b832a1f607 -r 81e6eae5fde5 security/dropbear/Makefile
--- a/security/dropbear/Makefile        Mon Jun 10 13:33:02 2019 +0000
+++ b/security/dropbear/Makefile        Mon Jun 10 13:44:35 2019 +0000
@@ -1,12 +1,12 @@
-# $NetBSD: Makefile,v 1.35 2018/07/04 13:40:33 jperkin Exp $
+# $NetBSD: Makefile,v 1.36 2019/06/10 13:44:35 nia Exp $
 
-DISTNAME=      dropbear-2017.75
+DISTNAME=      dropbear-2019.78
 CATEGORIES=    security
-MASTER_SITES=  http://matt.ucc.asn.au/dropbear/releases/
+MASTER_SITES=  https://matt.ucc.asn.au/dropbear/releases/
 EXTRACT_SUFX=  .tar.bz2
 
 MAINTAINER=    snj%NetBSD.org@localhost
-HOMEPAGE=      http://matt.ucc.asn.au/dropbear/dropbear.html
+HOMEPAGE=      https://matt.ucc.asn.au/dropbear/dropbear.html
 COMMENT=       Small SSH2 server and client, aimed at embedded market
 LICENSE=       modified-bsd
 
diff -r c2b832a1f607 -r 81e6eae5fde5 security/dropbear/distinfo
--- a/security/dropbear/distinfo        Mon Jun 10 13:33:02 2019 +0000
+++ b/security/dropbear/distinfo        Mon Jun 10 13:44:35 2019 +0000
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.25 2017/11/09 19:00:25 snj Exp $
+$NetBSD: distinfo,v 1.26 2019/06/10 13:44:35 nia Exp $
 
-SHA1 (dropbear-2017.75.tar.bz2) = c30c64dda9db228592e3a97313078ca71d9d283f
-RMD160 (dropbear-2017.75.tar.bz2) = 4ad8fafe8a5dd30066bec27af66a8e98bd6db7ed
-SHA512 (dropbear-2017.75.tar.bz2) = 9c2f2a5e718339f83abc0ad7719bda12bfc75e5bcb87a7c0eec0afefc743e5c0a1575d290d5fde152ff2100b0f0e6fd5ef4431f7bbcb5ca9a332d93c20f5a8f4
-Size (dropbear-2017.75.tar.bz2) = 1623392 bytes
-SHA1 (patch-aa) = d23b69458c54933a4cafa6146ca2167c80453523
-SHA1 (patch-ab) = 8595e4c65d8aa78c8d34af70619ced02f807e77b
+SHA1 (dropbear-2019.78.tar.bz2) = 820ec2b8c869edbcf5ad1138777fc0f54349505c
+RMD160 (dropbear-2019.78.tar.bz2) = a6b00e7aa6482b8ca2aa68443306b58be816d80e
+SHA512 (dropbear-2019.78.tar.bz2) = f667ba8dae17ea89c118642b566f2c134c71bfd0b8bacea5cf7ec87d75ac79bd7cd1864a8788367a89d30ee35427d389ef6416375adff6e83caae30ff3e0549f
+Size (dropbear-2019.78.tar.bz2) = 2708659 bytes
+SHA1 (patch-aa) = 2f1ff3a9e3bccab9852d05ee7c0a68484be3f0c3
 SHA1 (patch-configure) = 95c82b951d16a5cca92a3d4d7ef67b7eb5f47540
+SHA1 (patch-default__options.h) = ef38d09e20b9d74abdd118901a4fc30459eb0dcb
diff -r c2b832a1f607 -r 81e6eae5fde5 security/dropbear/patches/patch-aa
--- a/security/dropbear/patches/patch-aa        Mon Jun 10 13:33:02 2019 +0000
+++ b/security/dropbear/patches/patch-aa        Mon Jun 10 13:44:35 2019 +0000
@@ -1,32 +1,14 @@
-$NetBSD: patch-aa,v 1.11 2017/05/16 21:54:21 snj Exp $
+$NetBSD: patch-aa,v 1.12 2019/06/10 13:44:35 nia Exp $
 
 use pkgsrc macros to install programs and man pages
 set up dropbear default key locations correctly
 
---- Makefile.in.orig   2016-07-21 08:17:09.000000000 -0700
-+++ Makefile.in        2017-05-16 14:04:51.556137923 -0700
-@@ -75,6 +75,7 @@ datarootdir = @datarootdir@
- bindir=@bindir@
- sbindir=@sbindir@
- mandir=@mandir@
-+sysconfdir=@sysconfdir@
- 
- CC=@CC@
- AR=@AR@
-@@ -98,6 +99,9 @@ ifneq (,$(strip $(foreach prog, $(PROGRA
-       CFLAGS+= -DDROPBEAR_CLIENT
- endif
- 
-+CFLAGS+=-DDSS_PRIV_FILENAME=\"$(sysconfdir)/dropbear/dropbear_dss_host_key\"
-+CFLAGS+=-DRSA_PRIV_FILENAME=\"$(sysconfdir)/dropbear/dropbear_rsa_host_key\"
-+CFLAGS+=-DECDSA_PRIV_FILENAME=\"$(sysconfdir)/dropbear/dropbear_ecdsa_host_key\"
- 
- # these are exported so that libtomcrypt's makefile will use them
- export CC
-@@ -127,31 +131,30 @@ strip: $(TARGETS)
+--- Makefile.in.orig   2019-06-10 12:46:46.830428737 +0000
++++ Makefile.in
+@@ -154,31 +154,30 @@ strip: $(TARGETS)
  install: $(addprefix inst_, $(TARGETS))
  
- insmultidropbear: dropbearmulti
+ insmultidropbear: dropbearmulti$(EXEEXT)
 -      $(INSTALL) -d $(DESTDIR)$(sbindir)
 +      $(BSD_INSTALL_PROGRAM_DIR) $(DESTDIR)$(sbindir)
        -rm -f $(DESTDIR)$(sbindir)/dropbear$(EXEEXT)
@@ -36,7 +18,7 @@
 +      $(BSD_INSTALL_MAN_DIR) $(DESTDIR)$(mandir)/man8
 +      $(BSD_INSTALL_MAN) $(srcdir)/dropbear.8  $(DESTDIR)$(mandir)/man8/dropbear.8
  
- insmulti%: dropbearmulti
+ insmulti%: dropbearmulti$(EXEEXT)
 -      $(INSTALL) -d $(DESTDIR)$(bindir)
 -      -rm -f $(DESTDIR)$(bindir)/$*$(EXEEXT) 
 +      $(BSD_INSTALL_PROGRAM_DIR) $(DESTDIR)$(bindir)
@@ -64,8 +46,8 @@
 -      if test -e $*.1; then $(INSTALL) -m 644 $*.1 $(DESTDIR)$(mandir)/man1/$*.1; fi
 +      $(BSD_INSTALL_PROGRAM_DIR) $(DESTDIR)$(bindir)
 +      $(BSD_INSTALL_PROGRAM) $*$(EXEEXT) $(DESTDIR)$(bindir)
-+      $(BSD_INSTALL_MAN_DIR) $(DESTDIR)$(mandir)/man1
-+      if test -e $*.1; then $(BSD_INSTALL_MAN) $*.1 $(DESTDIR)$(mandir)/man1/$*.1; fi
++      $(BSD_INSTALL_MAN_DIR) -d $(DESTDIR)$(mandir)/man1
++      if test -e $*.1; then $(BSD_INSTALL_MAN) -m 644 $*.1 $(DESTDIR)$(mandir)/man1/$*.1; fi
  
  inst_dropbearmulti: $(addprefix insmulti, $(PROGRAMS)) 
  
diff -r c2b832a1f607 -r 81e6eae5fde5 security/dropbear/patches/patch-ab
--- a/security/dropbear/patches/patch-ab        Mon Jun 10 13:33:02 2019 +0000
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,16 +0,0 @@
-$NetBSD: patch-ab,v 1.9 2017/05/16 21:54:21 snj Exp $
-
-comment out the path to the dropbear ssh client
-- this is passed through CFLAGS
-
---- options.h.orig     2016-07-21 08:17:09.000000000 -0700
-+++ options.h  2017-03-18 00:25:05.000000000 -0700
-@@ -305,7 +305,7 @@ Homedir is prepended unless path begins 
- 
- /* This is used by the scp binary when used as a client binary. If you're
-  * not using the Dropbear client, you'll need to change it */
--#define DROPBEAR_PATH_SSH_PROGRAM "/usr/bin/dbclient"
-+/*#define DROPBEAR_PATH_SSH_PROGRAM "/usr/bin/dbclient"*/
- 
- /* Whether to log commands executed by a client. This only logs the 
-  * (single) command sent to the server, not what a user did in a 
diff -r c2b832a1f607 -r 81e6eae5fde5 security/dropbear/patches/patch-default__options.h
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/security/dropbear/patches/patch-default__options.h        Mon Jun 10 13:44:35 2019 +0000
@@ -0,0 +1,16 @@
+$NetBSD: patch-default__options.h,v 1.1 2019/06/10 13:44:35 nia Exp $
+
+comment out the path to the dropbear ssh client
+- this is passed through CFLAGS
+
+--- default_options.h.orig     2019-03-27 14:15:23.000000000 +0000
++++ default_options.h
+@@ -259,7 +259,7 @@ Homedir is prepended unless path begins 
+ 
+ /* This is used by the scp binary when used as a client binary. If you're
+  * not using the Dropbear client, you'll need to change it */
+-#define DROPBEAR_PATH_SSH_PROGRAM "/usr/bin/dbclient"
++/*#define DROPBEAR_PATH_SSH_PROGRAM "/usr/bin/dbclient"*/
+ 
+ /* Whether to log commands executed by a client. This only logs the 
+  * (single) command sent to the server, not what a user did in a 



Home | Main Index | Thread Index | Old Index