pkgsrc-Changes archive


CVS commit: pkgsrc/security/dropbear



Module Name:    pkgsrc
Committed By:   wiz
Date:           Thu Apr  4 12:13:28 UTC 2024

Modified Files:
        pkgsrc/security/dropbear: Makefile distinfo
Added Files:
        pkgsrc/security/dropbear/patches: patch-src_default__options.h
Removed Files:
        pkgsrc/security/dropbear/patches: patch-cli-session.c
            patch-common-algo.c patch-common-kex.c patch-default__options.h
            patch-kex.h patch-process-packet.c patch-ssh.h patch-svr-session.c

Log Message:
dropbear: update to 2024.84.

2024.84 - 4 April 2024

Features and Changes:
  Note >> for compatibility/configuration changes

- >> Only use /etc/shadow when a user has :x: as the crypt in /etc/passwd.
  This is the documented behaviour of passwd(5) so should be consistent with
  other programs. Thanks to Paulo Cabral for the report.
  Note that any users without x as the crypt will not be able
  to log in with /etc/shadow, in cases where the existing configuration
  differs.

- Support -o StrictHostKeyChecking, patch from Sergey Ponomarev

- Support -o BatchMode, from Sergey Ponomarev and Hans Harder

- Support various other -o options compatible with OpenSSH, from
  Sergey Ponomarev. Includes -o PasswordAuthentication

- Add dbclient config file support, ~/.ssh/dropbear_config
  Thanks to tjkolev
  Disabled by default, set #define DROPBEAR_USE_SSH_CONFIG 1

- Add support for unix socket forwarding (destination) on
  the server, thanks to WangYi for the implementation

- Add option to bind to interface, from Diederik De Coninck

- Ignore unsupported arguments in dropbearkey, allow running
  binary as 'ssh-key'. From Sergey Ponomarev

- Save a public key file on generation with dropbearkey.
  -C can be used for a comment, and choose a default key
  type (ed25519 first preference).
  Thanks to Sergey Ponomarev

- Allow inetd to run in non-syslog modes. Thanks to Laurent Bercot
  for the report

- Allow user's own gid in PTY permissions, lets Dropbear work as non-root
  even if /dev/pts isn't mounted with gid=5

- src/distrooptions.h can now be used as another config file.
  This can be used by distributions for customisations (separate
  to the build directory's localoptions.h)

Fixes:

- "dbclient host >> output" would previously overwrite "output", instead of
  appending. Thanks for the report from eSotoIoT

- Add "Strict KEX" support. This mitigates a SSH protocol flaw which lets
  a MITM attacker silently remove packets immediately after the
  first key exchange. At present the flaw does not seem to reduce Dropbear's
  security (the only packet affected would be a server-sig-algs extension,
  which is used for compatibility not security).
  For Dropbear, chacha20-poly1305 is the only affected cipher.
  Both sides of the connection must support Strict KEX for it to be used.

  The protocol flaw is tracked as CVE-2023-48795, details
  at https://terrapin-attack.com . Thanks to the researchers Fabian Bäumer,
  Marcus Brinkmann, and Jörg Schwenk. Thanks to OpenSSH for specifying
  strict KEX mode.

- Fix blocking while closing forwarded TCP sessions. Noticeable
  when many connections are being forwarded. Reported and
  tested by GektorUA. Github #230

- Don't offer RSA (then fail) if there is no RSA key. Regression in 2020.79
  Github #219

- Fix missing response to remote TCP requests when it is disabled.
  Patch from Justin Chen. Github #254

- Fix building with DROPBEAR_RSA disabled

- /proc/timer_list is no longer used for entropy, it was a bottleneck.
  Thanks to Aleksei Plotnikov for the report.

- Don't unconditionally enable DROPBEAR_DSS

- Make banner reading failure non-fatal

- Fix DROPBEAR_SVR_MULTIUSER. This appears to have been broken since when it
  was added in 2019. If you're using this let me know (it might be removed
  if I don't hear otherwise). Thanks to davidatrsp

- Fix Y2038 issues

Infrastructure:

- Move source files to src/ subdirectory. Thanks to tjkolev

- Remove more files with "make distclean"

- Add tests for disabled options
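
The "Strict KEX" entry above says the mitigation only applies when both sides support it and that, for Dropbear, chacha20-poly1305 is the only affected cipher. The following added example (not part of the commit mail or of Dropbear) applies the RFC 4253 name-list negotiation rule to a pair of KEXINIT lists and reports whether a session would still be exposed to CVE-2023-48795. The strict-KEX marker names kex-strict-c-v00@openssh.com and kex-strict-s-v00@openssh.com are taken from the OpenSSH PROTOCOL document, not from this page, and the sample name-lists are constructed.

```python
"""Check whether a negotiated SSH session has Strict KEX in effect and whether
the Terrapin weakness (CVE-2023-48795) still applies to the chosen cipher.

Assumptions (not from the commit mail): the marker names below come from the
OpenSSH PROTOCOL document; the sample KEXINIT name-lists are constructed."""

STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"   # advertised by clients
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"   # advertised by servers
# Per the 2024.84 release notes, chacha20-poly1305 is the only Dropbear cipher
# affected by the flaw.
AFFECTED_CIPHERS = {"chacha20-poly1305@openssh.com"}


def negotiate(client_list: str, server_list: str):
    """RFC 4253 section 7.1: first client preference that the server also offers."""
    server = set(server_list.split(","))
    for name in client_list.split(","):
        if name in server:
            return name
    return None


def strict_kex_in_effect(client_kex: str, server_kex: str) -> bool:
    """Strict KEX is used only when both sides advertise their own marker."""
    return (STRICT_KEX_CLIENT in client_kex.split(",")
            and STRICT_KEX_SERVER in server_kex.split(","))


def terrapin_exposed(client_kex, server_kex, client_ciphers, server_ciphers) -> bool:
    """True when an affected cipher is negotiated and Strict KEX is absent."""
    cipher = negotiate(client_ciphers, server_ciphers)
    return cipher in AFFECTED_CIPHERS and not strict_kex_in_effect(client_kex, server_kex)


# Constructed sample name-lists (not captured from a real session).
CLIENT_KEX = "curve25519-sha256,ecdh-sha2-nistp256,kex-strict-c-v00@openssh.com"
OLD_SERVER_KEX = "curve25519-sha256,ecdh-sha2-nistp256"            # no Strict KEX
NEW_SERVER_KEX = "curve25519-sha256,kex-strict-s-v00@openssh.com"  # Strict KEX offered
CLIENT_CIPHERS = "chacha20-poly1305@openssh.com,aes256-ctr"
SERVER_CIPHERS = "aes256-ctr,chacha20-poly1305@openssh.com"

if __name__ == "__main__":
    for label, kex in (("old server", OLD_SERVER_KEX), ("new server", NEW_SERVER_KEX)):
        exposed = terrapin_exposed(CLIENT_KEX, kex, CLIENT_CIPHERS, SERVER_CIPHERS)
        print(f"{label}: cipher={negotiate(CLIENT_CIPHERS, SERVER_CIPHERS)} exposed={exposed}")
```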


To generate a diff of this commit:
cvs rdiff -u -r1.39 -r1.40 pkgsrc/security/dropbear/Makefile
cvs rdiff -u -r1.30 -r1.31 pkgsrc/security/dropbear/distinfo
cvs rdiff -u -r1.1 -r0 pkgsrc/security/dropbear/patches/patch-cli-session.c \
    pkgsrc/security/dropbear/patches/patch-common-algo.c \
    pkgsrc/security/dropbear/patches/patch-common-kex.c \
    pkgsrc/security/dropbear/patches/patch-default__options.h \
    pkgsrc/security/dropbear/patches/patch-kex.h \
    pkgsrc/security/dropbear/patches/patch-process-packet.c \
    pkgsrc/security/dropbear/patches/patch-ssh.h \
    pkgsrc/security/dropbear/patches/patch-svr-session.c
cvs rdiff -u -r0 -r1.1 \
    pkgsrc/security/dropbear/patches/patch-src_default__options.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/security/dropbear/Makefile
diff -u pkgsrc/security/dropbear/Makefile:1.39 pkgsrc/security/dropbear/Makefile:1.40
--- pkgsrc/security/dropbear/Makefile:1.39      Wed Dec 20 17:09:35 2023
+++ pkgsrc/security/dropbear/Makefile   Thu Apr  4 12:13:27 2024
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.39 2023/12/20 17:09:35 wiz Exp $
+# $NetBSD: Makefile,v 1.40 2024/04/04 12:13:27 wiz Exp $
 
-DISTNAME=      dropbear-2022.83
-PKGREVISION=   1
+DISTNAME=      dropbear-2024.84
 CATEGORIES=    security
 MASTER_SITES=  https://matt.ucc.asn.au/dropbear/releases/
 EXTRACT_SUFX=  .tar.bz2
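Review bot: dropping PKGREVISION=1 together with the DISTNAME bump is the expected reset when the distribution version changes; since the release notes mark the /etc/shadow ":x:" handling with ">>" as a compatibility change, it would help pkgsrc users to call that out in the commit log, as accounts whose passwd crypt field is not "x" will no longer be looked up in /etc/shadow.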
@@ -36,7 +35,7 @@ OWN_DIRS+=            ${PKG_SYSCONFDIR}/dropbear
 SUBST_CLASSES+=                config
 SUBST_MESSAGE.config=  Fixing path to config directory.
 SUBST_STAGE.config=    post-build
-SUBST_FILES.config=    dropbear.8 dropbearkey.1
+SUBST_FILES.config=    manpages/dropbear.8 manpages/dropbearkey.1
 SUBST_SED.config=      -e "s,/etc/dropbear/,"${PKG_SYSCONFDIR:Q}"/dropbear/,g"
 
 # needed by dbscp
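Review bot: SUBST_FILES.config now points at manpages/dropbear.8 and manpages/dropbearkey.1, but the log message only mentions the src/ move; a short note that upstream also relocated the man pages would explain why the substitution paths changed and make it easier to confirm the sed still matches anything.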

Index: pkgsrc/security/dropbear/distinfo
diff -u pkgsrc/security/dropbear/distinfo:1.30 pkgsrc/security/dropbear/distinfo:1.31
--- pkgsrc/security/dropbear/distinfo:1.30      Wed Dec 20 17:09:35 2023
+++ pkgsrc/security/dropbear/distinfo   Thu Apr  4 12:13:27 2024
@@ -1,14 +1,7 @@
-$NetBSD: distinfo,v 1.30 2023/12/20 17:09:35 wiz Exp $
+$NetBSD: distinfo,v 1.31 2024/04/04 12:13:27 wiz Exp $
 
-BLAKE2s (dropbear-2022.83.tar.bz2) = 71657e1f82711df54fc15b4aedf48e4bc6f3b79dc67e1016aec6711863e09fb1
-SHA512 (dropbear-2022.83.tar.bz2) = c63afa615d64b0c8c5e739c758eb8ae277ecc36a4223b766bf562702de69910904cbc3ea98d22989df478ae419e1f81057fe1ee09616c80cb859f58f44175422
-Size (dropbear-2022.83.tar.bz2) = 2322904 bytes
-SHA1 (patch-cli-session.c) = c994f83283c38ae966a32cb97432305d2ae61ec5
-SHA1 (patch-common-algo.c) = aca565c1bb2329466fa3e06c4602ae7750744099
-SHA1 (patch-common-kex.c) = dfa5fdec1e62913db6475ba656f92cd4df46be78
+BLAKE2s (dropbear-2024.84.tar.bz2) = 150b9d697a571dfc42fbd76430cb7324c3eed3e462871731606b9541296eb165
+SHA512 (dropbear-2024.84.tar.bz2) = 254daea819c5aeaa65bb43449386fb964f4aa13e3b3037fe11064120205c6e265925e7ef2d84f7ebe66c6a00cf0a22e6010314c065ed49a3815f47137b7aca44
+Size (dropbear-2024.84.tar.bz2) = 2306278 bytes
 SHA1 (patch-configure) = b17f647043b212adda53aad7fb8dc7e639be9494
-SHA1 (patch-default__options.h) = ef38d09e20b9d74abdd118901a4fc30459eb0dcb
-SHA1 (patch-kex.h) = 5a59be28ca209d8da26554fdeb2fdb5b84ddaf7c
-SHA1 (patch-process-packet.c) = 5f9a2c7e150786cb1cf974ffe3a294891e3b3e3e
-SHA1 (patch-ssh.h) = 9e830d59e26d5411713629fb4e716265eee85efe
-SHA1 (patch-svr-session.c) = 8cefae13d159e48b0834885167dfde79cd36e216
+SHA1 (patch-src_default__options.h) = af60ea91516639e055266b3dd74f100aa6100f0d
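Review bot: the checksum removals and the single addition line up with the Removed Files and Added Files lists, and Size, BLAKE2s and SHA512 are all refreshed for the new tarball; the log does not say why the seven old patches are no longer needed, though the "Strict KEX" entry in the release notes suggests they were a backport of that fix, so stating that would make the drop easier to audit.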

Added files:

Index: pkgsrc/security/dropbear/patches/patch-src_default__options.h
diff -u /dev/null pkgsrc/security/dropbear/patches/patch-src_default__options.h:1.1
--- /dev/null   Thu Apr  4 12:13:28 2024
+++ pkgsrc/security/dropbear/patches/patch-src_default__options.h       Thu Apr  4 12:13:28 2024
@@ -0,0 +1,16 @@
+$NetBSD: patch-src_default__options.h,v 1.1 2024/04/04 12:13:28 wiz Exp $
+
+comment out the path to the dropbear ssh client
+- this is passed through CFLAGS
+
+--- src/default_options.h.orig 2024-04-04 14:30:00.000000000 +0000
++++ src/default_options.h
+@@ -324,7 +324,7 @@ group1 in Dropbear server too */
+ 
+ /* This is used by the scp binary when used as a client binary. If you're
+  * not using the Dropbear client, you'll need to change it */
+-#define DROPBEAR_PATH_SSH_PROGRAM "/usr/bin/dbclient"
++/*#define DROPBEAR_PATH_SSH_PROGRAM "/usr/bin/dbclient"*/
+ 
+ /* Whether to log commands executed by a client. This only logs the
+  * (single) command sent to the server, not what a user did in a
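Review bot: the patch header says DROPBEAR_PATH_SSH_PROGRAM is passed through CFLAGS, but the corresponding Makefile line is not in this diff (only the "# needed by dbscp" context hints at it); naming the Makefile variable in the header would make the dependency explicit. Since 2024.84 adds src/distrooptions.h as a distribution-side config hook, setting the define there may avoid carrying a source patch that has to be regenerated on every release.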


