pkgsrc-Changes archive
CVS commit: pkgsrc/security/dropbear
Module Name: pkgsrc
Committed By: wiz
Date: Thu Apr 4 12:13:28 UTC 2024
Modified Files:
pkgsrc/security/dropbear: Makefile distinfo
Added Files:
pkgsrc/security/dropbear/patches: patch-src_default__options.h
Removed Files:
pkgsrc/security/dropbear/patches: patch-cli-session.c
patch-common-algo.c patch-common-kex.c patch-default__options.h
patch-kex.h patch-process-packet.c patch-ssh.h patch-svr-session.c
Log Message:
dropbear: update to 2024.84.
2024.84 - 4 April 2024
Features and Changes:
Note >> for compatibility/configuration changes
- >> Only use /etc/shadow when a user has :x: as the crypt in /etc/passwd.
This is the documented behaviour of passwd(5) so should be consistent with
other programs. Thanks to Paulo Cabral for the report.
Note that any users without x as the crypt will not be able
to log in with /etc/shadow, in cases where the existing configuration
differs.
- Support -o StrictHostKeyChecking, patch from Sergey Ponomarev
- Support -o BatchMode, from Sergey Ponomarev and Hans Harder
- Support various other -o options compatible with OpenSSH, from
Sergey Ponomarev. Includes -o PasswordAuthentication
- Add dbclient config file support, ~/.ssh/dropbear_config
Thanks to tjkolev
Disabled by default, set #define DROPBEAR_USE_SSH_CONFIG 1
- Add support for unix socket forwarding (destination) on
the server, thanks to WangYi for the implementation
- Add option to bind to interface, from Diederik De Coninck
- Ignore unsupported arguments in dropbearkey, allow running
binary as 'ssh-key'. From Sergey Ponomarev
- Save a public key file on generation with dropbearkey.
-C can be used for a comment, and choose a default key
type (ed25519 first preference).
Thanks to Sergey Ponomarev
- Allow inetd to run in non-syslog modes. Thanks to Laurent Bercot
for the report
- Allow user's own gid in PTY permissions, lets Dropbear work as non-root
even if /dev/pts isn't mounted with gid=5
- src/distrooptions.h can now be used as another config file.
This can be used by distributions for customisations (separate
to the build directory's localoptions.h)
Fixes:
- "dbclient host >> output" would previously overwrite "output", instead of
appending. Thanks for the report from eSotoIoT
- Add "Strict KEX" support. This mitigates a SSH protocol flaw which lets
a MITM attacker silently remove packets immediately after the
first key exchange. At present the flaw does not seem to reduce Dropbear's
security (the only packet affected would be a server-sig-algs extension,
which is used for compatibility not security).
For Dropbear, chacha20-poly1305 is the only affected cipher.
Both sides of the connection must support Strict KEX for it to be used.
The protocol flaw is tracked as CVE-2023-48795, details
at https://terrapin-attack.com . Thanks to the researchers Fabian Bäumer,
Marcus Brinkmann, and Jörg Schwenk. Thanks to OpenSSH for specifying
strict KEX mode.
- Fix blocking while closing forwarded TCP sessions. Noticeable
when many connections are being forwarded. Reported and
tested by GektorUA. Github #230
- Don't offer RSA (then fail) if there is no RSA key. Regression in 2020.79
Github #219
- Fix missing response to remote TCP requests when it is disabled.
Patch from Justin Chen. Github #254
- Fix building with DROPBEAR_RSA disabled
- /proc/timer_list is no longer used for entropy, it was a bottleneck.
Thanks to Aleksei Plotnikov for the report.
- Don't unconditionally enable DROPBEAR_DSS
- Make banner reading failure non-fatal
- Fix DROPBEAR_SVR_MULTIUSER. This appears to have been broken since when it
was added in 2019. If you're using this let me know (it might be removed
if I don't hear otherwise). Thanks to davidatrsp
- Fix Y2038 issues
Infrastructure:
- Move source files to src/ subdirectory. Thanks to tjkolev
- Remove more files with "make distclean"
- Add tests for disabled options
To generate a diff of this commit:
cvs rdiff -u -r1.39 -r1.40 pkgsrc/security/dropbear/Makefile
cvs rdiff -u -r1.30 -r1.31 pkgsrc/security/dropbear/distinfo
cvs rdiff -u -r1.1 -r0 pkgsrc/security/dropbear/patches/patch-cli-session.c \
pkgsrc/security/dropbear/patches/patch-common-algo.c \
pkgsrc/security/dropbear/patches/patch-common-kex.c \
pkgsrc/security/dropbear/patches/patch-default__options.h \
pkgsrc/security/dropbear/patches/patch-kex.h \
pkgsrc/security/dropbear/patches/patch-process-packet.c \
pkgsrc/security/dropbear/patches/patch-ssh.h \
pkgsrc/security/dropbear/patches/patch-svr-session.c
cvs rdiff -u -r0 -r1.1 \
pkgsrc/security/dropbear/patches/patch-src_default__options.h
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/security/dropbear/Makefile
diff -u pkgsrc/security/dropbear/Makefile:1.39 pkgsrc/security/dropbear/Makefile:1.40
--- pkgsrc/security/dropbear/Makefile:1.39 Wed Dec 20 17:09:35 2023
+++ pkgsrc/security/dropbear/Makefile Thu Apr 4 12:13:27 2024
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.39 2023/12/20 17:09:35 wiz Exp $
+# $NetBSD: Makefile,v 1.40 2024/04/04 12:13:27 wiz Exp $
-DISTNAME= dropbear-2022.83
-PKGREVISION= 1
+DISTNAME= dropbear-2024.84
CATEGORIES= security
MASTER_SITES= https://matt.ucc.asn.au/dropbear/releases/
EXTRACT_SUFX= .tar.bz2
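Review bot: the DISTNAME bump to dropbear-2024.84 pulls in the change the log message marks with >>, that /etc/shadow is only used when the crypt field in /etc/passwd is x, and nothing in this hunk surfaces that to someone upgrading the package. Accounts whose /etc/passwd entry holds anything other than x will no longer authenticate against /etc/shadow after the update, so it is worth stating that somewhere package users will see it and not only in the commit log. Dropping PKGREVISION together with the version change is correct.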
@@ -36,7 +35,7 @@ OWN_DIRS+= ${PKG_SYSCONFDIR}/dropbear
SUBST_CLASSES+= config
SUBST_MESSAGE.config= Fixing path to config directory.
SUBST_STAGE.config= post-build
-SUBST_FILES.config= dropbear.8 dropbearkey.1
+SUBST_FILES.config= manpages/dropbear.8 manpages/dropbearkey.1
SUBST_SED.config= -e "s,/etc/dropbear/,"${PKG_SYSCONFDIR:Q}"/dropbear/,g"
# needed by dbscp
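Review bot: the SUBST_FILES.config line now names manpages/dropbear.8 and manpages/dropbearkey.1, and SUBST_SED.config only matches /etc/dropbear/ with its trailing slash, so the rewrite depends on both the new paths and that exact string. Please confirm against the 2024.84 tree that both files exist under manpages/ at the post-build stage, and that no other manpage or slash-less reference to the directory is left pointing at /etc/dropbear when PKG_SYSCONFDIR is set to something else.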
Index: pkgsrc/security/dropbear/distinfo
diff -u pkgsrc/security/dropbear/distinfo:1.30 pkgsrc/security/dropbear/distinfo:1.31
--- pkgsrc/security/dropbear/distinfo:1.30 Wed Dec 20 17:09:35 2023
+++ pkgsrc/security/dropbear/distinfo Thu Apr 4 12:13:27 2024
@@ -1,14 +1,7 @@
-$NetBSD: distinfo,v 1.30 2023/12/20 17:09:35 wiz Exp $
+$NetBSD: distinfo,v 1.31 2024/04/04 12:13:27 wiz Exp $
-BLAKE2s (dropbear-2022.83.tar.bz2) = 71657e1f82711df54fc15b4aedf48e4bc6f3b79dc67e1016aec6711863e09fb1
-SHA512 (dropbear-2022.83.tar.bz2) = c63afa615d64b0c8c5e739c758eb8ae277ecc36a4223b766bf562702de69910904cbc3ea98d22989df478ae419e1f81057fe1ee09616c80cb859f58f44175422
-Size (dropbear-2022.83.tar.bz2) = 2322904 bytes
-SHA1 (patch-cli-session.c) = c994f83283c38ae966a32cb97432305d2ae61ec5
-SHA1 (patch-common-algo.c) = aca565c1bb2329466fa3e06c4602ae7750744099
-SHA1 (patch-common-kex.c) = dfa5fdec1e62913db6475ba656f92cd4df46be78
+BLAKE2s (dropbear-2024.84.tar.bz2) = 150b9d697a571dfc42fbd76430cb7324c3eed3e462871731606b9541296eb165
+SHA512 (dropbear-2024.84.tar.bz2) = 254daea819c5aeaa65bb43449386fb964f4aa13e3b3037fe11064120205c6e265925e7ef2d84f7ebe66c6a00cf0a22e6010314c065ed49a3815f47137b7aca44
+Size (dropbear-2024.84.tar.bz2) = 2306278 bytes
SHA1 (patch-configure) = b17f647043b212adda53aad7fb8dc7e639be9494
-SHA1 (patch-default__options.h) = ef38d09e20b9d74abdd118901a4fc30459eb0dcb
-SHA1 (patch-kex.h) = 5a59be28ca209d8da26554fdeb2fdb5b84ddaf7c
-SHA1 (patch-process-packet.c) = 5f9a2c7e150786cb1cf974ffe3a294891e3b3e3e
-SHA1 (patch-ssh.h) = 9e830d59e26d5411713629fb4e716265eee85efe
-SHA1 (patch-svr-session.c) = 8cefae13d159e48b0834885167dfde79cd36e216
+SHA1 (patch-src_default__options.h) = af60ea91516639e055266b3dd74f100aa6100f0d
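Review bot: the seven patch entries removed here (patch-cli-session.c, patch-common-algo.c, patch-common-kex.c, patch-kex.h, patch-process-packet.c, patch-ssh.h, patch-svr-session.c) go away without the log message saying why. Please add a line stating that each of them is covered by an upstream change in 2024.84, so a later reader can tell that no local fix was lost in the update. The patch-configure entry is kept with an unchanged checksum; confirm that it still applies cleanly to the new release's configure.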
Added files:
Index: pkgsrc/security/dropbear/patches/patch-src_default__options.h
diff -u /dev/null pkgsrc/security/dropbear/patches/patch-src_default__options.h:1.1
--- /dev/null Thu Apr 4 12:13:28 2024
+++ pkgsrc/security/dropbear/patches/patch-src_default__options.h Thu Apr 4 12:13:28 2024
@@ -0,0 +1,16 @@
+$NetBSD: patch-src_default__options.h,v 1.1 2024/04/04 12:13:28 wiz Exp $
+
+comment out the path to the dropbear ssh client
+- this is passed through CFLAGS
+
+--- src/default_options.h.orig 2024-04-04 14:30:00.000000000 +0000
++++ src/default_options.h
+@@ -324,7 +324,7 @@ group1 in Dropbear server too */
+
+ /* This is used by the scp binary when used as a client binary. If you're
+ * not using the Dropbear client, you'll need to change it */
+-#define DROPBEAR_PATH_SSH_PROGRAM "/usr/bin/dbclient"
++/*#define DROPBEAR_PATH_SSH_PROGRAM "/usr/bin/dbclient"*/
+
+ /* Whether to log commands executed by a client. This only logs the
+ * (single) command sent to the server, not what a user did in a
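Review bot: the commented-out #define DROPBEAR_PATH_SSH_PROGRAM leaves the scp binary with no definition at all unless CFLAGS supplies one, and the Makefile hunks shown in this commit do not include that CFLAGS setting. Wrapping the original line in an #ifndef DROPBEAR_PATH_SSH_PROGRAM / #endif guard would keep a working default while still letting CFLAGS override it, and is a form upstream could accept. If the comment-out stays, the patch comment should name the Makefile variable that passes the path, so the dependency is visible from the patch file.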