author | Bryan Drewery <bdrewery@FreeBSD.org> | 2018-04-05 18:20:50 +0000 |
---|---|---|
committer | Bryan Drewery <bdrewery@FreeBSD.org> | 2018-04-05 18:20:50 +0000 |
commit | 804e4b49f3c7657b80a9585205f0cae8565897a7 (patch) | |
tree | a0dbf7e5881e386a4d2264b118005c59bd1cd469 /security | |
parent | 6b53aeb15f80bda7a098a0eee3f44cba73eb7943 (diff) | |
download | ports-804e4b49f3c7657b80a9585205f0cae8565897a7.tar.gz ports-804e4b49f3c7657b80a9585205f0cae8565897a7.zip |
Update to 7.7p1
- Update x509 patch to 11.3
- Remove SCTP option as it has not had a patch available since 7.2.
Changes: https://www.openssh.com/txt/release-7.7
Notable changes:
* ssh(1)/sshd(8): Drop compatibility support for some very old SSH
implementations, including ssh.com <=2.* and OpenSSH <= 3.*. These
versions were all released in or before 2001 and predate the final
SSH RFCs. The support in question isn't necessary for RFC-compliant
SSH implementations.
Notes
Notes:
svn path=/head/; revision=466577
Diffstat (limited to 'security')
-rw-r--r-- | security/openssh-portable/Makefile | 23 | ||||
-rw-r--r-- | security/openssh-portable/distinfo | 12 | ||||
-rw-r--r-- | security/openssh-portable/files/extra-patch-hpn-compat | 4 | ||||
-rw-r--r-- | security/openssh-portable/files/extra-patch-tcpwrappers | 15 | ||||
-rw-r--r-- | security/openssh-portable/files/extra-patch-x509-glue | 210 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-session.c | 20 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-upstream-servconf.c | 44 |
7 files changed, 141 insertions, 187 deletions
diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile index 53cf89817772..5ce3cc692f59 100644 --- a/security/openssh-portable/Makefile +++ b/security/openssh-portable/Makefile @@ -2,8 +2,8 @@ # $FreeBSD$ PORTNAME= openssh -DISTVERSION= 7.6p1 -PORTREVISION= 3 +DISTVERSION= 7.7p1 +PORTREVISION= 0 PORTEPOCH= 1 CATEGORIES= security ipv6 MASTER_SITES= OPENBSD/OpenSSH/portable @@ -31,7 +31,7 @@ BROKEN_SSL_REASON_openssl-devel= error: OpenSSL >= 1.1.0 is not yet supported OPTIONS_DEFINE= PAM TCP_WRAPPERS LIBEDIT BSM \ HPN X509 KERB_GSSAPI \ - SCTP LDNS NONECIPHER + LDNS NONECIPHER OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS LDNS OPTIONS_RADIO= KERBEROS OPTIONS_RADIO_KERBEROS= MIT HEIMDAL HEIMDAL_BASE @@ -41,7 +41,6 @@ KERB_GSSAPI_DESC= Kerberos/GSSAPI patch (req: GSSAPI) HPN_DESC= HPN-SSH patch LDNS_DESC= SSHFP/LDNS support X509_DESC= x509 certificate patch -SCTP_DESC= SCTP support HEIMDAL_DESC= Heimdal Kerberos (security/heimdal) HEIMDAL_BASE_DESC= Heimdal Kerberos (base) MIT_DESC= MIT Kerberos (security/krb5) @@ -62,17 +61,10 @@ HPN_CONFIGURE_WITH= hpn NONECIPHER_CONFIGURE_WITH= nonecipher # See http://www.roumenpetrov.info/openssh/ -X509_VERSION= 11.0 +X509_VERSION= 11.3 X509_PATCH_SITES= http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509 X509_EXTRA_PATCHES+= ${FILESDIR}/extra-patch-x509-glue -X509_PATCHFILES= ${PORTNAME}-7.6p1+x509-${X509_VERSION}.diff.gz:-p1:x509 - -# See https://bugzilla.mindrot.org/show_bug.cgi?id=2016 -# and https://bugzilla.mindrot.org/show_bug.cgi?id=1604 -#SCTP_PATCHFILES= ${PORTNAME}-7.2_p1-sctp.patch.gz:-p1 -SCTP_BROKEN= Does not apply to 7.6+ -SCTP_CONFIGURE_WITH= sctp -SCTP_EXTRA_PATCHES+= ${FILESDIR}/extra-patch-sctp:-p1 +X509_PATCHFILES= ${PORTNAME}-7.7p1+x509-${X509_VERSION}.diff.gz:-p1:x509 MIT_LIB_DEPENDS= libkrb5.so.3:security/krb5 HEIMDAL_LIB_DEPENDS= libkrb5.so.26:security/heimdal 
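Review bot: The new `X509_PATCHFILES` line in the `@@ -62,17 +61,10 @@` hunk hard-codes `7.7p1` a second time, although the same line already interpolates `${PORTNAME}` and `${X509_VERSION}` and `DISTVERSION` is set to `7.7p1` in the first hunk of this file; this is the value that had to be edited by hand for the 7.6p1 bump as well. `X509_PATCHFILES=	${PORTNAME}-${DISTVERSION}+x509-${X509_VERSION}.diff.gz:-p1:x509` would keep the distfile name in lockstep with the version as long as upstream keeps naming the patch after the OpenSSH release. Since `X509_PATCH_SITES` fetches over plain `http://`, the SHA256 line in distinfo is the only integrity check on that patch, so it has to be regenerated with every `X509_VERSION` bump, as this commit does.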
@@ -136,10 +128,6 @@ EXTRA_PATCHES+= ${FILESDIR}/extra-patch-version-addendum BROKEN= X509 patch and HPN patch do not apply cleanly together . endif -. if ${PORT_OPTIONS:MSCTP} -BROKEN= X509 patch and SCTP patch do not apply cleanly together -. endif - . if ${PORT_OPTIONS:MKERB_GSSAPI} BROKEN= X509 patch incompatible with KERB_GSSAPI patch . endif @@ -222,6 +210,7 @@ test: build TEST_SHELL=${SH} \ SUDO="${SUDO}" \ LOGNAME="${LOGNAME}" \ + TEST_SSH_TRACE=yes \ PATH=${WRKSRC}:${PREFIX}/bin:${PREFIX}/sbin:${PATH} \ ${MAKE_CMD} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS} tests diff --git a/security/openssh-portable/distinfo b/security/openssh-portable/distinfo index 22bf6d8421e7..8ab91f2b30d1 100644 --- a/security/openssh-portable/distinfo +++ b/security/openssh-portable/distinfo @@ -1,7 +1,5 @@ -TIMESTAMP = 1507833573 -SHA256 (openssh-7.6p1.tar.gz) = a323caeeddfe145baaa0db16e98d784b1fbc7dd436a6bf1f479dfd5cd1d21723 -SIZE (openssh-7.6p1.tar.gz) = 1489788 -SHA256 (openssh-7.2_p1-sctp.patch.gz) = fb67e3e23f39fabf44ef198e3e19527417c75c9352747547448512032365dbfc -SIZE (openssh-7.2_p1-sctp.patch.gz) = 8501 -SHA256 (openssh-7.6p1+x509-11.0.diff.gz) = bc4175ed8efce14579f10e242b25a23c959b1ff0e63b7c15493503eb654a960e -SIZE (openssh-7.6p1+x509-11.0.diff.gz) = 440219 +TIMESTAMP = 1522788732 +SHA256 (openssh-7.7p1.tar.gz) = d73be7e684e99efcd024be15a30bffcbe41b012b2f7b3c9084aed621775e6b8f +SIZE (openssh-7.7p1.tar.gz) = 1536900 +SHA256 (openssh-7.7p1+x509-11.3.diff.gz) = 57be0d0028863f1f690b8b4ccae7583c0f8dd8ed2c688a912b25832bf7f9b185 +SIZE (openssh-7.7p1+x509-11.3.diff.gz) = 488467 diff --git a/security/openssh-portable/files/extra-patch-hpn-compat b/security/openssh-portable/files/extra-patch-hpn-compat index 97644213a647..a036a09c938c 100644 --- a/security/openssh-portable/files/extra-patch-hpn-compat +++ b/security/openssh-portable/files/extra-patch-hpn-compat 
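Review bot: The `TEST_SSH_TRACE=yes` added to the test target's environment in the `@@ -222,6 +210,7 @@` hunk is not mentioned in the commit message and carries no comment, so a later maintainer cannot tell whether the 7.7p1 regress suite needs it or whether it is a debugging aid left in place. A one-line comment above the `test:` target would settle that, e.g. `# TEST_SSH_TRACE=yes makes the upstream regress suite log each test step (presumably via trace() in regress/test-exec.sh; confirm)`. The `test:` target itself begins before this hunk.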
@@ -33,10 +33,10 @@ r294563 was incomplete; re-add the client-side options as well. }; --- servconf.c.orig 2017-10-02 12:34:26.000000000 -0700 +++ servconf.c 2017-10-12 12:20:19.089884000 -0700 -@@ -566,6 +566,10 @@ static struct { - { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL }, +@@ -618,6 +618,10 @@ static struct { { "disableforwarding", sDisableForwarding, SSHCFG_ALL }, { "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL }, + { "rdomain", sRDomain, SSHCFG_ALL }, + { "noneenabled", sUnsupported, SSHCFG_ALL }, + { "hpndisabled", sDeprecated, SSHCFG_ALL }, + { "hpnbuffersize", sDeprecated, SSHCFG_ALL }, diff --git a/security/openssh-portable/files/extra-patch-tcpwrappers b/security/openssh-portable/files/extra-patch-tcpwrappers index 14a0452bdefa..ad552ca607d1 100644 --- a/security/openssh-portable/files/extra-patch-tcpwrappers +++ b/security/openssh-portable/files/extra-patch-tcpwrappers @@ -35,15 +35,15 @@ index 289e13d..e6a900b 100644 .Xr sshd_config 5 , diff --git sshd.c sshd.c index 0ade557..045f149 100644 ---- sshd.c -+++ sshd.c +--- sshd.c.orig 2018-04-04 15:34:54.865684000 -0700 ++++ sshd.c 2018-04-04 15:40:20.964130000 -0700 @@ -1,4 +1,4 @@ --/* $OpenBSD: sshd.c,v 1.421 2014/03/26 19:58:37 tedu Exp $ */ +-/* $OpenBSD: sshd.c,v 1.506 2018/03/03 03:15:51 djm Exp $ */ +/* $OpenBSD: sshd.c,v 1.422 2014/03/27 23:01:27 markus Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland -@@ -123,6 +123,13 @@ +@@ -131,6 +131,13 @@ #include "version.h" #include "ssherr.h" 
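Review bot: The servconf.c hunk inside extra-patch-hpn-compat is rebased to new offsets (`@@ -618,6 +618,10 @@`) and new context (`{ "rdomain", sRDomain, SSHCFG_ALL },`), but its nested `--- servconf.c.orig 2017-10-02 12:34:26.000000000 -0700` / `+++ servconf.c 2017-10-12 12:20:19.089884000 -0700` header lines keep the 7.6p1-era timestamps, so the header no longer indicates which tree the hunk was regenerated against. The extra-patch-tcpwrappers hunk on the same line does refresh its header to `--- sshd.c.orig 2018-04-04 15:34:54.865684000 -0700`, so the two files are now inconsistent; regenerating the hpn-compat header from the 7.7p1 tree would make them match. As far as applying the hunk goes this is cosmetic, since the timestamps are not what patch(1) matches on.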
@@ -57,10 +57,11 @@ index 0ade557..045f149 100644 /* Re-exec fds */ #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) -@@ -1971,6 +1978,24 @@ main(int ac, char **av) - #ifdef SSH_AUDIT_EVENTS - audit_connection_from(remote_ip, remote_port); +@@ -2072,6 +2079,25 @@ main(int ac, char **av) #endif + + rdomain = ssh_packet_rdomain_in(ssh); ++ +#ifdef LIBWRAP + allow_severity = options.log_facility|LOG_INFO; + deny_severity = options.log_facility|LOG_WARNING; diff --git a/security/openssh-portable/files/extra-patch-x509-glue b/security/openssh-portable/files/extra-patch-x509-glue index c7057ec24704..5ff2eefcbf4d 100644 --- a/security/openssh-portable/files/extra-patch-x509-glue +++ b/security/openssh-portable/files/extra-patch-x509-glue @@ -1,6 +1,6 @@ --- session.c.orig 2017-10-12 11:52:52.953370000 -0700 +++ session.c 2017-10-12 11:53:40.793055000 -0700 -@@ -1045,36 +1045,6 @@ do_setup_env(struct ssh *ssh, Session *s, const char * +@@ -1062,36 +1062,6 @@ do_setup_env(struct ssh *ssh, Session *s, const char * if (getenv("TZ")) child_set_env(&env, &envsize, "TZ", getenv("TZ")); 
@@ -34,114 +34,124 @@ -} -#endif - - /* Set custom environment options from RSA authentication. */ - while (custom_environment) { - struct envstring *ce = custom_environment; + /* Set custom environment options from pubkey authentication. */ + if (options.permit_user_env) { + for (n = 0 ; n < auth_opts->nenv; n++) { --- sshd_config.5.orig 2017-10-12 11:51:06.638814000 -0700 +++ sshd_config.5 2017-10-12 11:51:33.780459000 -0700 -@@ -1641,52 +1641,7 @@ is set to +@@ -1682,7 +1682,57 @@ is set to then the pre-authentication unprivileged process is subject to additional restrictions. The default is -.Cm sandbox . --.It Cm VACertificateFile --File with X.509 certificates in PEM format concatenated together. --In use when --.Cm VAType --is set to --.Cm ocspspec . --The default value is --.Sq --.. --(empty). --Certificates from that file explicitly trust --.Sq "OCSP Responder" --public key. --They are used as trusted certificates in addition to certificates from --.Cm CACertificateFile --and --.Cm CACertificatePath --to verify responder certificate. --.It Cm VAType --Specifies whether --.Sq "Online Certificate Status Protocol" --(OCSP) is used to validate X.509 certificates. --Accepted values are case insensitive: --.Bl -tag -offset indent -compact --.It none --do not use OCSP to validate certificates; --.It ocspcert --validate only certificates that specify --.Sq "OCSP Service Locator" --URL; --.It ocspspec --use specified in the configuration --.Sq "OCSP Responder" --to validate all certificates. --.El --The default is --.Cm none . --.It Cm VAOCSPResponderURL --.Sq "Access Location" --/ --.Sq "OCSP Service Locator" --URL of the OCSP provider. In use when --.Cm VAType --is set to --.Cm ocspspec . +.Cm no . - .It Cm VersionAddendum - Optionally specifies additional text to append to the SSH protocol banner - sent by the server upon connection. -@@ -1737,6 +1692,51 @@ the wildcard address. 
- By default, - sshd binds the forwarding server to the loopback address and sets the - hostname part of the -+.It Cm VACertificateFile -+File with X.509 certificates in PEM format concatenated together. -+In use when -+.Cm VAType -+is set to -+.Cm ocspspec . -+The default value is -+.Sq -+.. -+(empty). -+Certificates from that file explicitly trust -+.Sq "OCSP Responder" -+public key. -+They are used as trusted certificates in addition to certificates from -+.Cm CACertificateFile -+and -+.Cm CACertificatePath -+to verify responder certificate. -+.It Cm VAType -+Specifies whether -+.Sq "Online Certificate Status Protocol" -+(OCSP) is used to validate X.509 certificates. -+Accepted values are case insensitive: -+.Bl -tag -offset indent -compact -+.It none -+do not use OCSP to validate certificates; -+.It ocspcert -+validate only certificates that specify -+.Sq "OCSP Service Locator" -+URL; -+.It ocspspec -+use specified in the configuration -+.Sq "OCSP Responder" -+to validate all certificates. -+.El ++.It Cm VersionAddendum ++Optionally specifies additional text to append to the SSH protocol banner ++sent by the server upon connection. +The default is +.Cm none . -+.It Cm VAOCSPResponderURL -+.Sq "Access Location" -+/ -+.Sq "OCSP Service Locator" -+URL of the OCSP provider. In use when -+.Cm VAType -+is set to -+.Cm ocspspec . ++.It Cm X11DisplayOffset ++Specifies the first display number available for ++.Xr sshd 8 Ns 's ++X11 forwarding. ++This prevents sshd from interfering with real X11 servers. ++The default is 10. ++.It Cm X11Forwarding ++Specifies whether X11 forwarding is permitted. ++The argument must be ++.Cm yes ++or ++.Cm no . ++The default is ++.Cm no . ++.Pp ++When X11 forwarding is enabled, there may be additional exposure to ++the server and to client displays if the ++.Xr sshd 8 ++proxy display is configured to listen on the wildcard address (see ++.Cm X11UseLocalhost ) , ++though this is not the default. 
++Additionally, the authentication spoofing and authentication data ++verification and substitution occur on the client side. ++The security risk of using X11 forwarding is that the client's X11 ++display server may be exposed to attack when the SSH client requests ++forwarding (see the warnings for ++.Cm ForwardX11 ++in ++.Xr ssh_config 5 ) . ++A system administrator may have a stance in which they want to ++protect clients that may expose themselves to attack by unwittingly ++requesting X11 forwarding, which can warrant a ++.Cm no ++setting. ++.Pp ++Note that disabling X11 forwarding does not prevent users from ++forwarding X11 traffic, as users can always install their own forwarders. ++.It Cm X11UseLocalhost ++Specifies whether ++.Xr sshd 8 ++should bind the X11 forwarding server to the loopback address or to ++the wildcard address. ++By default, ++sshd binds the forwarding server to the loopback address and sets the ++hostname part of the + .It Cm VACertificateFile + File with X.509 certificates in PEM format concatenated together. + In use when +@@ -1735,56 +1785,6 @@ URL of the OCSP provider. In use when + .Cm VAType + is set to + .Cm ocspspec . +-.It Cm VersionAddendum +-Optionally specifies additional text to append to the SSH protocol banner +-sent by the server upon connection. +-The default is +-.Cm none . +-.It Cm X11DisplayOffset +-Specifies the first display number available for +-.Xr sshd 8 Ns 's +-X11 forwarding. +-This prevents sshd from interfering with real X11 servers. +-The default is 10. +-.It Cm X11Forwarding +-Specifies whether X11 forwarding is permitted. +-The argument must be +-.Cm yes +-or +-.Cm no . +-The default is +-.Cm no . +-.Pp +-When X11 forwarding is enabled, there may be additional exposure to +-the server and to client displays if the +-.Xr sshd 8 +-proxy display is configured to listen on the wildcard address (see +-.Cm X11UseLocalhost ) , +-though this is not the default. 
+-Additionally, the authentication spoofing and authentication data +-verification and substitution occur on the client side. +-The security risk of using X11 forwarding is that the client's X11 +-display server may be exposed to attack when the SSH client requests +-forwarding (see the warnings for +-.Cm ForwardX11 +-in +-.Xr ssh_config 5 ) . +-A system administrator may have a stance in which they want to +-protect clients that may expose themselves to attack by unwittingly +-requesting X11 forwarding, which can warrant a +-.Cm no +-setting. +-.Pp +-Note that disabling X11 forwarding does not prevent users from +-forwarding X11 traffic, as users can always install their own forwarders. +-.It Cm X11UseLocalhost +-Specifies whether +-.Xr sshd 8 +-should bind the X11 forwarding server to the loopback address or to +-the wildcard address. +-By default, +-sshd binds the forwarding server to the loopback address and sets the +-hostname part of the .Ev DISPLAY environment variable to .Cm localhost . diff --git a/security/openssh-portable/files/patch-session.c b/security/openssh-portable/files/patch-session.c index cb99bbc1bfee..cf6a50c65c0d 100644 --- a/security/openssh-portable/files/patch-session.c +++ b/security/openssh-portable/files/patch-session.c @@ -10,9 +10,9 @@ Reviewed by: ache Sponsored by: DARPA, NAI Labs ---- session.c 2013-03-14 19:22:37 UTC -+++ session.c -@@ -985,6 +985,9 @@ do_setup_env(Session *s, const char *she +--- session.c.orig 2018-04-01 22:38:28.000000000 -0700 ++++ session.c 2018-04-03 13:56:49.599400000 -0700 +@@ -982,6 +982,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char * struct passwd *pw = s->pw; #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN) char *path = NULL; @@ -22,7 +22,7 @@ Sponsored by: DARPA, NAI Labs #endif /* Initialize the environment. */ -@@ -1006,6 +1009,9 @@ do_setup_env(Session *s, const char *she +@@ -1003,6 +1006,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char * } #endif 
@@ -32,7 +32,7 @@ Sponsored by: DARPA, NAI Labs #ifdef GSSAPI /* Allow any GSSAPI methods that we've used to alter * the childs environment as they see fit -@@ -1023,11 +1029,21 @@ do_setup_env(Session *s, const char *she +@@ -1020,11 +1026,21 @@ do_setup_env(struct ssh *ssh, Session *s, const char * child_set_env(&env, &envsize, "LOGIN", pw->pw_name); #endif child_set_env(&env, &envsize, "HOME", pw->pw_dir); @@ -58,7 +58,7 @@ Sponsored by: DARPA, NAI Labs #else /* HAVE_LOGIN_CAP */ # ifndef HAVE_CYGWIN /* -@@ -1047,15 +1063,9 @@ do_setup_env(Session *s, const char *she +@@ -1044,15 +1060,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char * # endif /* HAVE_CYGWIN */ #endif /* HAVE_LOGIN_CAP */ @@ -71,10 +71,10 @@ Sponsored by: DARPA, NAI Labs - if (getenv("TZ")) - child_set_env(&env, &envsize, "TZ", getenv("TZ")); - - /* Set custom environment options from RSA authentication. */ - while (custom_environment) { - struct envstring *ce = custom_environment; -@@ -1334,7 +1344,7 @@ do_setusercontext(struct passwd *pw) + /* Set custom environment options from pubkey authentication. */ + if (options.permit_user_env) { + for (n = 0 ; n < auth_opts->nenv; n++) { +@@ -1331,7 +1341,7 @@ do_setusercontext(struct passwd *pw) if (platform_privileged_uidswap()) { #ifdef HAVE_LOGIN_CAP if (setusercontext(lc, pw, pw->pw_uid, diff --git a/security/openssh-portable/files/patch-upstream-servconf.c b/security/openssh-portable/files/patch-upstream-servconf.c deleted file mode 100644 index 2937550161a9..000000000000 --- a/security/openssh-portable/files/patch-upstream-servconf.c +++ /dev/null 
@@ -1,44 +0,0 @@ -commit 7c9613fac3371cf65fb07739212cdd1ebf6575da -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Oct 4 18:49:30 2017 +0000 - - upstream commit - - fix (another) problem in PermitOpen introduced during the - channels.c refactor: the third and subsequent arguments to PermitOpen were - being silently ignored; ok markus@ - - Upstream-ID: 067c89f1f53cbc381628012ba776d6861e6782fd - -diff --git servconf.c servconf.c -index 2c321a4a..95686295 100644 ---- servconf.c -+++ servconf.c -@@ -1,5 +1,5 @@ - --/* $OpenBSD: servconf.c,v 1.312 2017/10/02 19:33:20 djm Exp $ */ -+/* $OpenBSD: servconf.c,v 1.313 2017/10/04 18:49:30 djm Exp $ */ - /* - * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland - * All rights reserved -@@ -1663,9 +1663,9 @@ process_server_config_line(ServerOptions *options, char *line, - if (!arg || *arg == '\0') - fatal("%s line %d: missing PermitOpen specification", - filename, linenum); -- i = options->num_permitted_opens; /* modified later */ -+ value = options->num_permitted_opens; /* modified later */ - if (strcmp(arg, "any") == 0 || strcmp(arg, "none") == 0) { -- if (*activep && i == 0) { -+ if (*activep && value == 0) { - options->num_permitted_opens = 1; - options->permitted_opens = xcalloc(1, - sizeof(*options->permitted_opens)); -@@ -1683,7 +1683,7 @@ process_server_config_line(ServerOptions *options, char *line, - if (arg == NULL || ((port = permitopen_port(arg)) < 0)) - fatal("%s line %d: bad port number in " - "PermitOpen", filename, linenum); -- if (*activep && i == 0) { -+ if (*activep && value == 0) { - options->permitted_opens = xrecallocarray( - options->permitted_opens, - options->num_permitted_opens, |