CVS commit: pkgsrc/security/openssh

To: pkgsrc-changes%NetBSD.org@localhost
Subject: CVS commit: pkgsrc/security/openssh
From: "Thomas Klausner" <wiz%netbsd.org@localhost>
Date: Thu, 16 Mar 2023 07:22:08 +0000

Module Name:    pkgsrc
Committed By:   wiz
Date:           Thu Mar 16 07:22:08 UTC 2023

Modified Files:
        pkgsrc/security/openssh: Makefile distinfo

Log Message:
openssh: update to 9.3p1.

Changes since OpenSSH 9.2
=========================

This release fixes a number of security bugs.

Security
========

This release contains fixes for a security problem and a memory
safety problem. The memory safety problem is not believed to be
exploitable, but we report most network-reachable memory faults as
security bugs.

 * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the
   per-hop desination constraints (ssh-add -h ...) added in OpenSSH
   8.9, a logic error prevented the constraints from being
   communicated to the agent. This resulted in the keys being added
   without constraints. The common cases of non-smartcard keys and
   keys without destination constraints are unaffected. This problem
   was reported by Luci Stanescu.

 * ssh(1): Portable OpenSSH provides an implementation of the
   getrrsetbyname(3) function if the standard library does not
   provide it, for use by the VerifyHostKeyDNS feature. A
   specifically crafted DNS response could cause this function to
   perform an out-of-bounds read of adjacent stack data, but this
   condition does not appear to be exploitable beyond denial-of-
   service to the ssh(1) client.

   The getrrsetbyname(3) replacement is only included if the system's
   standard library lacks this function and portable OpenSSH was not
   compiled with the ldns library (--with-ldns). getrrsetbyname(3) is
   only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This
   problem was found by the Coverity static analyzer.

New features
------------

 * ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256 when
   outputting SSHFP fingerprints to allow algorithm selection. bz3493

 * sshd(8): add a `sshd -G` option that parses and prints the
   effective configuration without attempting to load private keys
   and perform other checks. This allows usage of the option before
   keys have been generated and for configuration evaluation and
   verification by unprivileged users.

Bugfixes
--------

 * scp(1), sftp(1): fix progressmeter corruption on wide displays;
   bz3534

 * ssh-add(1), ssh-keygen(1): use RSA/SHA256 when testing usability
   of private keys as some systems are starting to disable RSA/SHA1
   in libcrypto.

 * sftp-server(8): fix a memory leak. GHPR363

 * ssh(1), sshd(8), ssh-keyscan(1): remove vestigal protocol
   compatibility code and simplify what's left.

 * Fix a number of low-impact Coverity static analysis findings.
   These include several reported via bz2687

 * ssh_config(5), sshd_config(5): mention that some options are not
   first-match-wins.

 * Rework logging for the regression tests. Regression tests will now
   capture separate logs for each ssh and sshd invocation in a test.

 * ssh(1): make `ssh -Q CASignatureAlgorithms` work as the manpage
   says it should; bz3532.

 * ssh(1): ensure that there is a terminating newline when adding a
   new entry to known_hosts; bz3529

Portability
-----------

 * sshd(8): harden Linux seccomp sandbox. Move to an allowlist of
   mmap(2), madvise(2) and futex(2) flags, removing some concerning
   kernel attack surface.

 * sshd(8): improve Linux seccomp-bpf sandbox for older systems;
   bz3537


To generate a diff of this commit:
cvs rdiff -u -r1.275 -r1.276 pkgsrc/security/openssh/Makefile
cvs rdiff -u -r1.117 -r1.118 pkgsrc/security/openssh/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/security/openssh/Makefile
diff -u pkgsrc/security/openssh/Makefile:1.275 pkgsrc/security/openssh/Makefile:1.276
--- pkgsrc/security/openssh/Makefile:1.275      Thu Feb  2 13:31:12 2023
+++ pkgsrc/security/openssh/Makefile    Thu Mar 16 07:22:08 2023
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.275 2023/02/02 13:31:12 wiz Exp $
+# $NetBSD: Makefile,v 1.276 2023/03/16 07:22:08 wiz Exp $
 
-DISTNAME=              openssh-9.2p1
+DISTNAME=              openssh-9.3p1
 CATEGORIES=            security
 MASTER_SITES=          ${MASTER_SITE_OPENBSD:=OpenSSH/portable/}
 

Index: pkgsrc/security/openssh/distinfo
diff -u pkgsrc/security/openssh/distinfo:1.117 pkgsrc/security/openssh/distinfo:1.118
--- pkgsrc/security/openssh/distinfo:1.117      Thu Feb  2 13:31:12 2023
+++ pkgsrc/security/openssh/distinfo    Thu Mar 16 07:22:08 2023
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.117 2023/02/02 13:31:12 wiz Exp $
+$NetBSD: distinfo,v 1.118 2023/03/16 07:22:08 wiz Exp $
 
-BLAKE2s (openssh-9.2p1.tar.gz) = 3405455825bc23f1f76375e259704e189f5fd697d3745d5ce68fc3a26581e4cc
-SHA512 (openssh-9.2p1.tar.gz) = c4b79ef3a05b96bfc477ffb31f734635bffd5be213ab58e043111c3232dbe999ff24665fa1069518237cffa5126ded0dda8984e1b8f098f4f09b8c1dae20e604
-Size (openssh-9.2p1.tar.gz) = 1852380 bytes
+BLAKE2s (openssh-9.3p1.tar.gz) = 0581602f5c84803020324cd89aabddefaa8a911a5685e7b666c510c95fcb8e27
+SHA512 (openssh-9.3p1.tar.gz) = 087ff6fe5f6caab4c6c3001d906399e02beffad7277280f11187420c2939fd4befdcb14643862a657ce4cad2f115b82a0a1a2c99df6ee54dcd76b53647637c19
+Size (openssh-9.3p1.tar.gz) = 1856839 bytes
 SHA1 (patch-Makefile.in) = 70d6ca9c803b6193d0e340cb0518936a00e57492
 SHA1 (patch-clientloop.c) = 4e88fbd14db33f003eb93c30c682a017e102196e
 SHA1 (patch-config.h.in) = 7d1050743da7264763254b57938775c546c3baa5

Prev by Date: CVS commit: pkgsrc/doc
Next by Date: CVS commit: pkgsrc/doc
Previous by Thread: CVS commit: pkgsrc/doc
Next by Thread: CVS commit: pkgsrc/doc
Indexes:

Home | Main Index | Thread Index | Old Index