pkgsrc-Changes archive
CVS commit: pkgsrc/net/sslh
Module Name: pkgsrc
Committed By: wiz
Date: Sun Jun 15 14:46:20 UTC 2025
Modified Files:
pkgsrc/net/sslh: Makefile PLIST distinfo
pkgsrc/net/sslh/patches: patch-echosrv.c
Removed Files:
pkgsrc/net/sslh/patches: patch-common.c patch-common.h
patch-sslh-select.c
Log Message:
sslh: update to 2.2.4.
v2.2.4:
Fix CVE-2025-46806 for "Misaligned Memory Accesses in `is_openvpn_protocol()`"
Fix CVE-2025-46807 for "File Descriptor Exhaustion in sslh-select and sslh-ev"
Fix potential parsing of undefined data in syslog
probe (no CVE assigned)
Thanks to Matthias Gerstner of the SUSE security
team for the security review that found these
defects!
v2.2.3:
Reverse older commit: version.h cannot be included
without breaking the build (everything recompiles
every time) and the release archive creation (which
relies on git tags).
v2.2.2:
Fix potential vulnerability similar to CVE-2020-28935
v2.2.1:
Added a boolean setting "is_unix" for listen and
protocol entries. This will use the 'host' setting
as a path name to a socket file, and connections
(listening or connecting) will be performed on Unix
socket instead of Internet sockets.
Support HAProxy's proxyprotocol on the backend
server side.
Lots of documentation about a new, simpler way to
perform transparent proxying.
New "verbose" option that overrides all other
verbose settings.
v2.1.3:
Fix Landlock access to /etc/hosts.deny and
/etc/hosts.allow.
v2.1.2:
Fix inetd mode.
v2.1.1:
Various minor fixes.
v2.1.0:
Support for the Landlock LSM. After initial setup,
sslh gives up all local file access rights.
Reintroduced --ssl as an alias to --tls.
Introduce autoconf to adapt to landlock presence.
Close connexion without error message if remote
client forcefully closes connexion, for Windows.
v2.0.1:
Fix resolve_on_forward setting, which would crash
sslh reliably.
v2.0.0:
v2.0:
New sslh-ev: this is functionally equivalent to
sslh-select (mono-process, only forks for specified
protocols), but based on libev, which should make it
scalable to large numbers of connections.
New log system: instead of --verbose with arbitrary
levels, there are now several message classes. Each
message class can be set to go to stderr, syslog, or
both. Classes are documented in example.cfg.
UDP connections are now managed in a hash to avoid
linear searches. The downside is that the number of
UDP connections is a hard limit, configurable with
the 'udp_max_connections', which defaults to 1024.
Timeouts are managed with lists.
inetd merges stderr output to what is sent to the
client, which is a security issue as it might give
information to an attacker. When inetd is activated,
stderr is forcibly closed.
New protocol-level option `resolve_on_forward`,
requests that target names are resolved at each
connection instead of at startup. Useful for dynamic
DNS situations. (Paul Schroeder/milkpirate)
New probe for MSRDP (akappner).
To generate a diff of this commit:
cvs rdiff -u -r1.18 -r1.19 pkgsrc/net/sslh/Makefile
cvs rdiff -u -r1.6 -r1.7 pkgsrc/net/sslh/PLIST
cvs rdiff -u -r1.14 -r1.15 pkgsrc/net/sslh/distinfo
cvs rdiff -u -r1.3 -r0 pkgsrc/net/sslh/patches/patch-common.c \
pkgsrc/net/sslh/patches/patch-common.h
cvs rdiff -u -r1.3 -r1.4 pkgsrc/net/sslh/patches/patch-echosrv.c
cvs rdiff -u -r1.2 -r0 pkgsrc/net/sslh/patches/patch-sslh-select.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/net/sslh/Makefile
diff -u pkgsrc/net/sslh/Makefile:1.18 pkgsrc/net/sslh/Makefile:1.19
--- pkgsrc/net/sslh/Makefile:1.18 Wed Aug 2 16:17:18 2023
+++ pkgsrc/net/sslh/Makefile Sun Jun 15 14:46:20 2025
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.18 2023/08/02 16:17:18 nia Exp $
+# $NetBSD: Makefile,v 1.19 2025/06/15 14:46:20 wiz Exp $
-DISTNAME= sslh-1.22c
+DISTNAME= sslh-2.2.4
CATEGORIES= net
MASTER_SITES= ${MASTER_SITE_GITHUB:=yrutschle/}
GITHUB_TAG= v${PKGVERSION_NOREV}
@@ -10,9 +10,7 @@ HOMEPAGE= https://www.rutschle.net/tech/
COMMENT= Multiplex ssl, ssh, and other connections on the same port
LICENSE= gnu-gpl-v2
-# version.h created too late
-MAKE_JOBS_SAFE= no
-
+GNU_CONFIGURE= yes
USE_TOOLS+= gmake gzip pod2man
# error: 'for' loop initial declarations are only allowed in C99 mode
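Review bot: Dropping `MAKE_JOBS_SAFE= no` re-enables parallel builds, but nothing in the log message says the "version.h created too late" ordering problem is gone, and the v2.2.3 entry still describes version.h as something that breaks the upstream build. Please confirm that a build with MAKE_JOBS greater than 1 succeeds on 2.2.4 and record that in the commit message, or keep the setting. The switch to `GNU_CONFIGURE= yes` is consistent with the autoconf introduction listed under v2.1.0.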
@@ -41,6 +39,7 @@ do-install:
${INSTALL_DATA} ${WRKSRC}/ChangeLog ${DESTDIR}${PREFIX}/${DOCDIR}
.include "../../devel/libconfig/buildlink3.mk"
+.include "../../devel/libev/buildlink3.mk"
.include "../../devel/libgetopt/buildlink3.mk"
.include "../../devel/pcre2/buildlink3.mk"
.include "../../security/tcp_wrappers/buildlink3.mk"
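Review bot: The new `devel/libev` buildlink adds a dependency that the installed package does not appear to use: the PLIST hunks in this commit still list only `sbin/sslh` and `sbin/sslh-select` and add no `sbin/sslh-ev`, which the log message names as the libev-based binary. Either install sslh-ev in `do-install` and add it to the PLIST, or drop the libev include if the build does not need it.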
Index: pkgsrc/net/sslh/PLIST
diff -u pkgsrc/net/sslh/PLIST:1.6 pkgsrc/net/sslh/PLIST:1.7
--- pkgsrc/net/sslh/PLIST:1.6 Sun Jun 13 12:04:21 2021
+++ pkgsrc/net/sslh/PLIST Sun Jun 15 14:46:20 2025
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.6 2021/06/13 12:04:21 rhialto Exp $
+@comment $NetBSD: PLIST,v 1.7 2025/06/15 14:46:20 wiz Exp $
man/man8/sslh.8
sbin/sslh
sbin/sslh-select
@@ -6,9 +6,11 @@ share/doc/sslh/ChangeLog
share/doc/sslh/README.md
share/examples/sslh/basic.cfg
share/examples/sslh/example.cfg
+share/examples/sslh/scripts/etc-init.d-sslh-debian-modified.sslh
share/examples/sslh/scripts/etc.init.d.sslh
share/examples/sslh/scripts/etc.rc.d.init.d.sslh.centos
share/examples/sslh/scripts/etc.sysconfig.sslh
share/examples/sslh/scripts/fail2ban/jail.conf
share/examples/sslh/scripts/fail2ban/sslh-ssh.conf
-share/examples/sslh/scripts/systemd.sslh.service
+share/examples/sslh/scripts/systemd.sslh-select@.service
+share/examples/sslh/scripts/systemd.sslh@.service
Index: pkgsrc/net/sslh/distinfo
diff -u pkgsrc/net/sslh/distinfo:1.14 pkgsrc/net/sslh/distinfo:1.15
--- pkgsrc/net/sslh/distinfo:1.14 Sat Jan 1 16:47:20 2022
+++ pkgsrc/net/sslh/distinfo Sun Jun 15 14:46:20 2025
@@ -1,9 +1,6 @@
-$NetBSD: distinfo,v 1.14 2022/01/01 16:47:20 rhialto Exp $
+$NetBSD: distinfo,v 1.15 2025/06/15 14:46:20 wiz Exp $
-BLAKE2s (sslh-1.22c.tar.gz) = 81e3a9d77b7c0030e4cf8edf3344f3e4fd06736952939aa66c55b0d6aa0176e2
-SHA512 (sslh-1.22c.tar.gz) = f13560fbe74b5b08e9b360985d6afd27f2c7e157d220919162e354f3711b90f43bb81f9bda341fb21fef2651acd488f52e9a04dc2da28861540f579e7ca798c4
-Size (sslh-1.22c.tar.gz) = 146954 bytes
-SHA1 (patch-common.c) = e5aa0cc38e9c62a765400b08ed700e9d2f08f2db
-SHA1 (patch-common.h) = d89c6ce3f9a4f2b4b4c734adcafd0eed6abca84e
+BLAKE2s (sslh-2.2.4.tar.gz) = cd3b79f8d3e627b210519fb35c84d8af8c45db7d89e3068ac213291b53fde5cd
+SHA512 (sslh-2.2.4.tar.gz) = e017cd86fb2f97b90f2d2ffc81684c545fa19eb973456f07f04ec6ec5af1eb39b8f3355a520bd3cd7f202a0626cc0b9462f637c0d7d1ddd78318a4a2236643db
+Size (sslh-2.2.4.tar.gz) = 514918 bytes
SHA1 (patch-echosrv.c) = 96832c2391ff63cd96efa8e65270be6845f4a306
-SHA1 (patch-sslh-select.c) = ea07bf85d6ccdcd3815d49bb0131439573152502
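Review bot: The SHA1 entries for patch-common.c, patch-common.h and patch-sslh-select.c are removed in this hunk, yet the log message only reproduces the upstream changelog and never says why these local patches are no longer needed. Add a line to the commit message stating whether upstream merged them or the patched code went away, so the removal can be audited later.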
Index: pkgsrc/net/sslh/patches/patch-echosrv.c
diff -u pkgsrc/net/sslh/patches/patch-echosrv.c:1.3 pkgsrc/net/sslh/patches/patch-echosrv.c:1.4
--- pkgsrc/net/sslh/patches/patch-echosrv.c:1.3 Sat Jan 1 16:47:21 2022
+++ pkgsrc/net/sslh/patches/patch-echosrv.c Sun Jun 15 14:46:20 2025
@@ -1,4 +1,4 @@
-$NetBSD: patch-echosrv.c,v 1.2 2014/11/28 10:45:28 bsiegert Exp
+$NetBSD: patch-echosrv.c,v 1.4 2025/06/15 14:46:20 wiz Exp $
Provide allow_severity and deny_severity for libwrap.
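Review bot: There is no indication that the body of patch-echosrv.c was re-checked against the 2.2.4 sources: only its `$NetBSD$` line changes here, and the distinfo SHA1 for it is carried over as unchanged context. Please confirm that it still applies without fuzz and that echosrv.c still needs `allow_severity` and `deny_severity` defined for libwrap. Repairing the old tag, which lacked its closing `$`, is a good cleanup.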