Unregister the KEXINIT handler after message has been
received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause
allocation of up to 128MB -- until the connection is closed. Reported by
shilei-c at 360.cn
Security: CVE-2016-8858
- X509: Unbreak and update to 9.0
- SCTP: Mark BROKEN
- KERB_GSSAPI: Unbreak and update from Debian's patch
Release notes: http://www.openssh.com/txt/release-7.3
There's no reason to regenerate these for the sake of having 'UTC' in the patch
and it also considers patches with comments to be invalid.
WARN: /root/svn/ports/security/openssh-portable/files/patch-auth.c: patch was not generated using ``make makepatch''. It is recommended to use ``make makepatch'' when you need to [re-]generate a patch to ensure proper patch format.
WARN: /root/svn/ports/security/openssh-portable/files/patch-auth2.c: patch was not generated using ``make makepatch''. It is recommended to use ``make makepatch'' when you need to [re-]generate a patch to ensure proper patch format.
WARN: /root/svn/ports/security/openssh-portable/files/patch-readconf.c: patch was not generated using ``make makepatch''. It is recommended to use ``make makepatch'' when you need to [re-]generate a patch to ensure proper patch format.
WARN: /root/svn/ports/security/openssh-portable/files/patch-regress__test-exec.sh: patch was not generated using ``make makepatch''. It is recommended to use ``make makepatch'' when you need to [re-]generate a patch to ensure proper patch format.
WARN: /root/svn/ports/security/openssh-portable/files/patch-servconf.c: patch was not generated using ``make makepatch''. It is recommended to use ``make makepatch'' when you need to [re-]generate a patch to ensure proper patch format.
WARN: /root/svn/ports/security/openssh-portable/files/patch-session.c: patch was not generated using ``make makepatch''. It is recommended to use ``make makepatch'' when you need to [re-]generate a patch to ensure proper patch format.
WARN: /root/svn/ports/security/openssh-portable/files/patch-ssh-agent.1: patch was not generated using ``make makepatch''. It is recommended to use ``make makepatch'' when you need to [re-]generate a patch to ensure proper patch format.
WARN: /root/svn/ports/security/openssh-portable/files/patch-ssh-agent.c: patch was not generated using ``make makepatch''. It is recommended to use ``make makepatch'' when you need to [re-]generate a patch to ensure proper patch format.
WARN: /root/svn/ports/security/openssh-portable/files/patch-ssh.c: patch was not generated using ``make makepatch''. It is recommended to use ``make makepatch'' when you need to [re-]generate a patch to ensure proper patch format.
WARN: /root/svn/ports/security/openssh-portable/files/patch-ssh_config: patch was not generated using ``make makepatch''. It is recommended to use ``make makepatch'' when you need to [re-]generate a patch to ensure proper patch format.
WARN: /root/svn/ports/security/openssh-portable/files/patch-ssh_config.5: patch was not generated using ``make makepatch''. It is recommended to use ``make makepatch'' when you need to [re-]generate a patch to ensure proper patch format.
WARN: /root/svn/ports/security/openssh-portable/files/patch-sshconnect.c: patch was not generated using ``make makepatch''. It is recommended to use ``make makepatch'' when you need to [re-]generate a patch to ensure proper patch format.
WARN: /root/svn/ports/security/openssh-portable/files/patch-sshd.8: patch was not generated using ``make makepatch''. It is recommended to use ``make makepatch'' when you need to [re-]generate a patch to ensure proper patch format.
WARN: /root/svn/ports/security/openssh-portable/files/patch-sshd.c: patch was not generated using ``make makepatch''. It is recommended to use ``make makepatch'' when you need to [re-]generate a patch to ensure proper patch format.
WARN: /root/svn/ports/security/openssh-portable/files/patch-sshd_config: patch was not generated using ``make makepatch''. It is recommended to use ``make makepatch'' when you need to [re-]generate a patch to ensure proper patch format.
WARN: /root/svn/ports/security/openssh-portable/files/patch-sshd_config.5: patch was not generated using ``make makepatch''. It is recommended to use ``make makepatch'' when you need to [re-]generate a patch to ensure proper patch format.
longer supported by default since 7.0. [1]
I do plan to make this configurable based on PR 202169 [2] soon.
PR: 202792 [1]
PR: 202169 [2]
Submitted by: chrysalis@chrysalisnet.org [1]
Patches must not be changed by the vcs, this includes the
svn:keyword expansion. Set fbsd:nokeywords to a couple of patches.
With hat: portmgr
Sponsored by: Absolight
This was due to the patch not being needed in the snapshot version
which I based the 6.9 update off of. The default is changed in
the upcoming 7.0 release
upstream; it was fixed upstream comprehensively a few weeks ago in
77199d6ec8986d470487e66f8ea8f4cf43d2e20c.
PR: 200241
Patch by: Hanno Böck <hanno@hboeck.de>
Obtained from: http://www.openwall.com/lists/oss-security/2015/05/16/3
- Replace ${MASTER_SITE_FOO} with FOO.
- Merge MASTER_SITE_SUBDIR into MASTER_SITES when possible. (This means 99.9%
of the time.)
- Remove occurrences of MASTER_SITE_LOCAL when no subdirectory was present and
no hint of what it should be was present.
- Fix some logic.
- And generally, make things more simple and easy to understand.
While there, add magic values to the FESTIVAL, GENTOO, GIMP, GNUPG, QT and
SAMBA macros.
Also, replace some EXTRACT_SUFX occurences with USES=tar:*.
Checked by: make fetch-urlall-list
With hat: portmgr
Sponsored by: Absolight
when the NONECIPHER option is selected but not the HPN option. The server
banner was improperly sending a NULL byte after the newline causing confusion
on the client. This was an error in my own modifications to the HPN patch
in r383231.
This may have occurred with stale builds as well, such as running
'make configure' then 'portsnap update' and then 'make build'.
Pointyhat to: bdrewery
Reported by: many
PR: 199352
1. There's no need to patch the xauth(1) location as the OpenSSH build already
does so based on the --with-xauth path provided. It also updates manpages.
2. Don't modify manpage for shosts location as it was wrong. The proper
LOCALBASE path is now used due to OpenSSH's build already handling it
properly.
3. Remove confusing UsePrivilegeSeparation change in sshd_config. The default
upstream is to have it disabled by default. The sshd_config line is in
upstream to enable it by default in new installations. We always enable
it though. So remove the sshd_config change which makes it look like
we don't use it; it was not a needed difference with upstream.
From discussion with: TJ <tj@mrsk.me>
- Fix 'make test'
- HPN:
- NONECIPHER is no longer default. This is not default in base and should not
be default here as it introduces security holes.
- HPN: I've audited the patch and included it in the port directory for
transparency. I identified several bugs and submitted them to the new
upstream: https://github.com/rapier1/openssh-portable/pull/2
- HPN: The entire patch is now ifdef'd to ensure various bits are properly
removed depending on the OPTIONS selected.
- AES_THREADED is removed. It has questionable benefit on modern HW and is not
stable.
- The "enhanced logging" was removed from the patch as it is too
intrusive and difficult to maintain in the port.
- The progress meter "peak throughput" patch was removed.
- Fixed HPN version showing in client/server version string when HPN
was disabled in the config.
- KERB_GSSAPI is currently BROKEN as it does not apply.
- Update X509 to 8.3
Changelog: http://www.openssh.com/txt/release-6.8
TCP_WRAPPERS: /usr/include/tcpd.h is always installed by the base system.
It is only libwrap.so that is conditional on WITH_TCP_WRAPPERS.
PAM: /usr/include/security/pam_modules.h is always installed.
This fixes FreshPorts claiming this port is ignored.
The port now uses VersionAddendum in the sshd_config to allow overriding
this value. Using "none" allows disabling the default of the port
version string. The default is kept to show the port version string to
remain close to the base version.
Support for the client VersionAddendum may be added soon as well to better
match base and not give surprises when switching from base to the port.
PR: 193127
Requested by: many, including myself when this was broken years ago.
