kpriv/freebsd-ports
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

- Update to 8.4p1 (skipped 8.3)

Browse source 
- https://www.openssh.com/txt/release-8.3
 - https://www.openssh.com/txt/release-8.4

PR:		239807, 250319
Sponsored by:	Dell EMC
This commit is contained in:
Bryan Drewery 2020-11-16 19:39:34 +00:00
parent 4c20854241
commit b773b7cade
Notes: svn2git 2021-03-31 03:12:20 +00:00 
svn path=/head/; revision=555512
4 changed files with 52 additions and 52 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
security/openssh-portable/Makefile
View file

@ -2,8 +2,8 @@
# $FreeBSD$ # $FreeBSD$
PORTNAME= openssh PORTNAME= openssh
DISTVERSION= 8.2p1 DISTVERSION= 8.4p1
PORTREVISION= 2 PORTREVISION= 0
PORTEPOCH= 1 PORTEPOCH= 1
CATEGORIES= security CATEGORIES= security
MASTER_SITES= OPENBSD/OpenSSH/portable MASTER_SITES= OPENBSD/OpenSSH/portable
@ -99,12 +99,12 @@ EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-gss-glue
. endif . endif
# - See https://sources.debian.org/data/main/o/openssh/ for which subdir to # - See https://sources.debian.org/data/main/o/openssh/ for which subdir to
# pull from. # pull from.
GSSAPI_DEBIAN_SUBDIR= ${DISTVERSION}-4 GSSAPI_DEBIAN_SUBDIR= ${DISTVERSION}-2
# - Debian does not use a versioned filename so we trick fetch to make one for # - Debian does not use a versioned filename so we trick fetch to make one for
# us with the ?<anything>=/ trick. # us with the ?<anything>=/ trick.
PATCH_SITES+= https://sources.debian.org/data/main/o/openssh/1:${GSSAPI_DEBIAN_SUBDIR}/debian/patches/gssapi.patch?dummy=/:gsskex PATCH_SITES+= https://sources.debian.org/data/main/o/openssh/1:${GSSAPI_DEBIAN_SUBDIR}/debian/patches/gssapi.patch?dummy=/:gsskex
# Bump this when updating the patch location # Bump this when updating the patch location
GSSAPI_UPDATE_DATE= 20190719 GSSAPI_UPDATE_DATE= 20200607
PATCHFILES+= openssh-${DISTVERSION}-gsskex-all-20141021-debian-rh-${GSSAPI_UPDATE_DATE}.patch:-p1:gsskex PATCHFILES+= openssh-${DISTVERSION}-gsskex-all-20141021-debian-rh-${GSSAPI_UPDATE_DATE}.patch:-p1:gsskex
.endif .endif
@ -206,10 +206,11 @@ post-install:
test: build test: build
cd ${WRKSRC} && ${SETENV} -i \ cd ${WRKSRC} && ${SETENV} -i \
OBJ=${WRKDIR} ${MAKE_ENV} \ OBJ=${WRKDIR} ${MAKE_ENV:NHOME=*} \
TEST_SHELL=${SH} \ TEST_SHELL=${SH} \
SUDO="${SUDO}" \ SUDO="${SUDO}" \
LOGNAME="${LOGNAME}" \ LOGNAME="${LOGNAME}" \
HOME="${HOME}" \
TEST_SSH_TRACE=yes \ TEST_SSH_TRACE=yes \
PATH=${WRKSRC}:${PREFIX}/bin:${PREFIX}/sbin:${PATH} \ PATH=${WRKSRC}:${PREFIX}/bin:${PREFIX}/sbin:${PATH} \
${MAKE_CMD} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS} tests ${MAKE_CMD} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS} tests

10
security/openssh-portable/distinfo
View file

@ -1,5 +1,5 @@
TIMESTAMP = 1584982081 TIMESTAMP = 1605552780
SHA256 (openssh-8.2p1.tar.gz) = 43925151e6cf6cee1450190c0e9af4dc36b41c12737619edff8bcebdff64e671 SHA256 (openssh-8.4p1.tar.gz) = 5a01d22e407eb1c05ba8a8f7c654d388a13e9f226e4ed33bd38748dafa1d2b24
SIZE (openssh-8.2p1.tar.gz) = 1701197 SIZE (openssh-8.4p1.tar.gz) = 1742201
SHA256 (openssh-8.2p1-gsskex-all-20141021-debian-rh-20190719.patch) = b035f62000190a2c77257db76b3751acf0e018dc20d55e07a8c3c9702de04989 SHA256 (openssh-8.4p1-gsskex-all-20141021-debian-rh-20200607.patch) = 15139c42894dd0ebd182608ecd7151a9eef6158aed30c676e7685e8407c6d1cb
SIZE (openssh-8.2p1-gsskex-all-20141021-debian-rh-20190719.patch) = 125954 SIZE (openssh-8.4p1-gsskex-all-20141021-debian-rh-20200607.patch) = 126748

53
security/openssh-portable/files/extra-patch-hpn
View file

@ -685,12 +685,12 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
int64_t rekey_limit; int64_t rekey_limit;
int rekey_interval; int rekey_interval;
int no_host_authentication_for_localhost; int no_host_authentication_for_localhost;
--- work/openssh/scp.c.orig 2019-12-20 18:52:08.907088000 -0800 --- work/openssh/scp.c.orig 2020-09-27 00:25:01.000000000 -0700
+++ work/openssh-8.1p1/scp.c 2019-12-20 18:51:55.186005000 -0800 +++ work/openssh/scp.c 2020-11-10 10:31:03.060729000 -0800
@@ -1239,7 +1239,7 @@ sink(int argc, char **argv, const char *src) @@ -1246,7 +1246,7 @@ sink(int argc, char **argv, const char *src)
off_t size, statbytes; off_t size, statbytes;
unsigned long long ull; unsigned long long ull;
int setimes, targisdir, wrerrno = 0; int setimes, targisdir, wrerr;
- char ch, *cp, *np, *targ, *why, *vect[1], buf[2048], visbuf[2048]; - char ch, *cp, *np, *targ, *why, *vect[1], buf[2048], visbuf[2048];
+ char ch, *cp, *np, *targ, *why, *vect[1], buf[COPY_BUFLEN], visbuf[COPY_BUFLEN]; + char ch, *cp, *np, *targ, *why, *vect[1], buf[COPY_BUFLEN], visbuf[COPY_BUFLEN];
char **patterns = NULL; char **patterns = NULL;
@ -1079,9 +1079,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
#define SSHBUF_REFS_MAX 0x100000 /* Max child buffers */ #define SSHBUF_REFS_MAX 0x100000 /* Max child buffers */
#define SSHBUF_MAX_BIGNUM (16384 / 8) /* Max bignum *bytes* */ #define SSHBUF_MAX_BIGNUM (16384 / 8) /* Max bignum *bytes* */
#define SSHBUF_MAX_ECPOINT ((528 * 2 / 8) + 1) /* Max EC point *bytes* */ #define SSHBUF_MAX_ECPOINT ((528 * 2 / 8) + 1) /* Max EC point *bytes* */
--- work/openssh/sshconnect.c.orig 2018-10-16 17:01:20.000000000 -0700 --- work/openssh/sshconnect.c.orig 2020-09-27 00:25:01.000000000 -0700
+++ work/openssh/sshconnect.c 2018-11-12 09:04:24.340706000 -0800 +++ work/openssh/sshconnect.c 2020-11-10 21:35:40.945330000 -0800
@@ -355,7 +355,32 @@ check_ifaddrs(const char *ifname, int af, const struct @@ -361,7 +361,32 @@ check_ifaddrs(const char *ifname, int af, const struct
} }
#endif #endif
@ -1114,7 +1114,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
* Creates a socket for use as the ssh connection. * Creates a socket for use as the ssh connection.
*/ */
static int static int
@@ -377,6 +402,11 @@ ssh_create_socket(struct addrinfo *ai) @@ -383,6 +408,11 @@ ssh_create_socket(struct addrinfo *ai)
} }
fcntl(sock, F_SETFD, FD_CLOEXEC); fcntl(sock, F_SETFD, FD_CLOEXEC);
@ -1126,14 +1126,14 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
/* Bind the socket to an alternative local IP address */ /* Bind the socket to an alternative local IP address */
if (options.bind_address == NULL && options.bind_interface == NULL) if (options.bind_address == NULL && options.bind_interface == NULL)
return sock; return sock;
@@ -1280,7 +1310,8 @@ ssh_login(struct ssh *ssh, Sensitive *sensitive, const @@ -1289,7 +1319,8 @@ ssh_login(struct ssh *ssh, Sensitive *sensitive, const
lowercase(host); lowercase(host);
/* Exchange protocol version identification strings with the server. */ /* Exchange protocol version identification strings with the server. */
- if (kex_exchange_identification(ssh, timeout_ms, NULL) != 0) - if ((r = kex_exchange_identification(ssh, timeout_ms, NULL)) != 0)
+ if (kex_exchange_identification(ssh, timeout_ms, NULL, + if ((r = kex_exchange_identification(ssh, timeout_ms, NULL,
+ options.hpn_disabled) != 0) + options.hpn_disabled)) != 0)
cleanup_exit(255); /* error already logged */ sshpkt_fatal(ssh, r, "banner exchange");
/* Put the connection into non-blocking mode. */ /* Put the connection into non-blocking mode. */
--- sshconnect2.c.orig 2020-02-13 16:40:54.000000000 -0800 --- sshconnect2.c.orig 2020-02-13 16:40:54.000000000 -0800
@ -1204,9 +1204,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
debug("Authentication succeeded (%s).", authctxt.method->name); debug("Authentication succeeded (%s).", authctxt.method->name);
} }
--- work/openssh-7.7p1/sshd.c.orig 2018-04-01 22:38:28.000000000 -0700 --- work/openssh/sshd.c.orig 2020-11-10 21:36:31.340159000 -0800
+++ work/openssh-7.7p1/sshd.c 2018-06-27 17:13:03.176633000 -0700 +++ work/openssh/sshd.c 2020-11-10 21:37:10.097038000 -0800
@@ -957,6 +957,10 @@ listen_on_addrs(struct listenaddr *la) @@ -1065,6 +1065,10 @@ listen_on_addrs(struct listenaddr *la)
int ret, listen_sock; int ret, listen_sock;
struct addrinfo *ai; struct addrinfo *ai;
char ntop[NI_MAXHOST], strport[NI_MAXSERV]; char ntop[NI_MAXHOST], strport[NI_MAXSERV];
@ -1217,7 +1217,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
for (ai = la->addrs; ai; ai = ai->ai_next) { for (ai = la->addrs; ai; ai = ai->ai_next) {
if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
@@ -1002,6 +1006,13 @@ listen_on_addrs(struct listenaddr *la) @@ -1110,6 +1114,13 @@ listen_on_addrs(struct listenaddr *la)
debug("Bind to port %s on %s.", strport, ntop); debug("Bind to port %s on %s.", strport, ntop);
@ -1229,9 +1229,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+#endif +#endif
+ +
/* Bind the socket to the desired port. */ /* Bind the socket to the desired port. */
if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) { if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
error("Bind to port %s on %s failed: %.200s.", error("Bind to port %s on %s failed: %.200s.",
@@ -1645,6 +1656,15 @@ main(int ac, char **av) @@ -1753,6 +1764,15 @@ main(int ac, char **av)
/* Fill in default values for those options not explicitly set. */ /* Fill in default values for those options not explicitly set. */
fill_default_server_options(&options); fill_default_server_options(&options);
@ -1247,7 +1247,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
/* challenge-response is implemented via keyboard interactive */ /* challenge-response is implemented via keyboard interactive */
if (options.challenge_response_authentication) if (options.challenge_response_authentication)
options.kbd_interactive_authentication = 1; options.kbd_interactive_authentication = 1;
@@ -2090,6 +2110,11 @@ main(int ac, char **av) @@ -2220,6 +2240,11 @@ main(int ac, char **av)
rdomain == NULL ? "" : "\""); rdomain == NULL ? "" : "\"");
free(laddr); free(laddr);
@ -1259,17 +1259,16 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
/* /*
* We don't want to listen forever unless the other side * We don't want to listen forever unless the other side
* successfully authenticates itself. So we set up an alarm which is * successfully authenticates itself. So we set up an alarm which is
@@ -2102,7 +2127,8 @@ main(int ac, char **av) @@ -2233,7 +2258,7 @@ main(int ac, char **av)
if (!debug_flag)
alarm(options.login_grace_time); alarm(options.login_grace_time);
- if (kex_exchange_identification(ssh, -1, options.version_addendum) != 0) if ((r = kex_exchange_identification(ssh, -1,
+ if (kex_exchange_identification(ssh, -1, options.version_addendum, - options.version_addendum)) != 0)
+ options.hpn_disabled) != 0) + options.version_addendum, options.hpn_disabled)) != 0)
cleanup_exit(255); /* error already logged */ sshpkt_fatal(ssh, r, "banner exchange");
ssh_packet_set_nonblocking(ssh); ssh_packet_set_nonblocking(ssh);
@@ -2264,6 +2290,11 @@ do_ssh2_kex(struct ssh *ssh) @@ -2397,6 +2422,11 @@ do_ssh2_kex(struct ssh *ssh)
char *myproposal[PROPOSAL_MAX] = { KEX_SERVER }; char *myproposal[PROPOSAL_MAX] = { KEX_SERVER };
struct kex *kex; struct kex *kex;
int r; int r;

30
security/openssh-portable/files/patch-ssh-agent.c
View file

@ -8,11 +8,11 @@ r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines
Add a -x option that causes ssh-agent(1) to exit when all clients have Add a -x option that causes ssh-agent(1) to exit when all clients have
disconnected. disconnected.
--- ssh-agent.c.orig 2020-02-13 16:40:54.000000000 -0800 --- ssh-agent.c.orig 2020-09-27 00:25:01.000000000 -0700
+++ ssh-agent.c 2020-03-21 17:04:44.305866000 -0700 +++ ssh-agent.c 2020-11-09 09:07:10.924940000 -0800
@@ -167,15 +167,34 @@ static long lifetime = 0; @@ -171,15 +171,34 @@ static int fingerprint_hash = SSH_FP_HASH_DEFAULT;
/* Refuse signing of non-SSH messages for web-origin FIDO keys */
static int fingerprint_hash = SSH_FP_HASH_DEFAULT; static int restrict_websafe = 1;
+/* +/*
+ * Client connection count; incremented in new_socket() and decremented in + * Client connection count; incremented in new_socket() and decremented in
@ -45,7 +45,7 @@ disconnected.
} }
static void static void
@@ -875,6 +894,10 @@ new_socket(sock_type type, int fd) @@ -961,6 +980,10 @@ new_socket(sock_type type, int fd)
{ {
u_int i, old_alloc, new_alloc; u_int i, old_alloc, new_alloc;
@ -56,16 +56,16 @@ disconnected.
set_nonblock(fd); set_nonblock(fd);
if (fd > max_fd) if (fd > max_fd)
@@ -1170,7 +1193,7 @@ static void @@ -1261,7 +1284,7 @@ static void
usage(void) usage(void)
{ {
fprintf(stderr, fprintf(stderr,
- "usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n" - "usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n"
+ "usage: ssh-agent [-c | -s] [-Ddx] [-a bind_address] [-E fingerprint_hash]\n" + "usage: ssh-agent [-c | -s] [-Ddx] [-a bind_address] [-E fingerprint_hash]\n"
" [-P provider_whitelist] [-t life] [command [arg ...]]\n" " [-P allowed_providers] [-t life]\n"
" ssh-agent [-c | -s] -k\n"); " ssh-agent [-a bind_address] [-E fingerprint_hash] [-P allowed_providers]\n"
exit(1); " [-t life] command [arg ...]\n"
@@ -1202,6 +1225,7 @@ main(int ac, char **av) @@ -1295,6 +1318,7 @@ main(int ac, char **av)
/* drop */ /* drop */
setegid(getgid()); setegid(getgid());
setgid(getgid()); setgid(getgid());
@ -73,16 +73,16 @@ disconnected.
platform_disable_tracing(0); /* strict=no */ platform_disable_tracing(0); /* strict=no */
@@ -1213,7 +1237,7 @@ main(int ac, char **av) @@ -1306,7 +1330,7 @@ main(int ac, char **av)
__progname = ssh_get_progname(av[0]); __progname = ssh_get_progname(av[0]);
seed_rng(); seed_rng();
- while ((ch = getopt(ac, av, "cDdksE:a:P:t:")) != -1) { - while ((ch = getopt(ac, av, "cDdksE:a:O:P:t:")) != -1) {
+ while ((ch = getopt(ac, av, "cDdksE:a:P:t:x")) != -1) { + while ((ch = getopt(ac, av, "cDdksE:a:O:P:t:x")) != -1) {
switch (ch) { switch (ch) {
case 'E': case 'E':
fingerprint_hash = ssh_digest_alg_by_name(optarg); fingerprint_hash = ssh_digest_alg_by_name(optarg);
@@ -1256,6 +1280,9 @@ main(int ac, char **av) @@ -1355,6 +1379,9 @@ main(int ac, char **av)
fprintf(stderr, "Invalid lifetime\n"); fprintf(stderr, "Invalid lifetime\n");
usage(); usage();
} }