Commit graph

309 commits

Author SHA1 Message Date
jperkin
becd113253 PKGREVISION bumps for the security/openssl 1.0.1d update. 2013-02-06 23:20:50 +00:00
jperkin
a2f14df810 Switch HPN patch site to the one FreeBSD uses, upstream have hidden it
behind a session-based page.
2013-01-11 12:41:16 +00:00
obache
64deda1dc9 recursive bump from cyrus-sasl libsasl2 shlib major bump. 2012-12-16 01:51:57 +00:00
asau
1a433eae91 Drop superfluous PKG_DESTDIR_SUPPORT, "user-destdir" is default these days. 2012-10-23 18:16:19 +00:00
wiz
8b5d49eb78 Bump all packages that use perl, or depend on a p5-* package, or
are called p5-*.

I hope that's all of them.
2012-10-03 21:53:53 +00:00
fhajny
2b5463c3bf Add back hashes for HPN, dropped in the last commit 2012-07-20 14:17:23 +00:00
imil
fb7c5aa408 Added support for OpenSSH-lpk
The OpenSSH LDAP Public Key patch provides an easy way of centralizing strong
user authentication by using an LDAP server for retrieving public keys instead
of ~/.ssh/authorized_keys.
2012-05-31 11:58:37 +00:00
manu
5a21fb4f27 Re-enable PAM support, as it works fine provided one does not mix multiple
versions of libcrypto in sshd. This can happen if OpenSSH is linked with
pkgsrc's OpenSSL and if using nss_ldap, which pulls base-system OpenSSL
through kerberos libraries. One needs to disable the krb5 of nss_ldap
in order to fix that.
2012-01-09 05:25:36 +00:00
shattered
85acbea9cf PR/38394 -- disable KAFS detection for mit-krb5 2011-09-01 19:24:01 +00:00
taca
eb19e34f91 I forgot to update distinfo about latest patch file addition
(patch-atomicio.c).  Noted by wiz@ via private mail.

Bump PKGREVISION.
2011-08-18 09:22:01 +00:00
taca
785f909b45 Add a patch to avoid SSP side effect as NetBSD current.
Bump PKGREVISION.
2011-08-10 15:21:02 +00:00
taca
580e7ecb84 Don't always try to create ecdsa key which depends on OpenSSL's version.
Bump PKGREVISION.
2011-05-17 03:26:52 +00:00
taca
d159b739ef Maintenance of openssh pacakge:
1. Add support for check and create ECDSA host key for SSH protocol
   version 2.

2. Disable use of strnvis(3) on NetBSD.  NetBSD current after 2011/03/12
   has strnvis(3), but it has different argument from OpenBSD (and other
   system).

Bump PKGREVISION.
2011-05-16 05:06:48 +00:00
taca
b834a6808d Update openssh package to 5.8.2 (5.8p2).
20110403
 - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
   [contrib/suse/openssh.spec] Prepare for 5.8p2 release.
 - (djm) [version.h] crank version
 - Release 5.8p2

20110329
 - (djm) [entropy.c] closefrom() before running ssh-rand-helper; leftover fds
   noticed by tmraz AT redhat.com

20110221
 - (dtucker) [contrib/cygwin/ssh-host-config] From Corinna: revamp of the
   Cygwin-specific service installer script ssh-host-config.  The actual
   functionality is the same, the revisited version is just more
   exact when it comes to check for problems which disallow to run
   certain aspects of the script.  So, part of this script and the also
   rearranged service helper script library "csih" is to check if all
   the tools required to run the script are available on the system.
   The new script also is more thorough to inform the user why the
   script failed.  Patch from vinschen at redhat com.

20110206
 - (dtucker) [openbsd-compat/port-linux.c] Bug #1851: fix syntax error in
   selinux code.  Patch from Leonardo Chiquitto
 - (dtucker) [contrib/cygwin/ssh-{host,user}-config]  Add ECDSA key
   generation and simplify.  Patch from Corinna Vinschen.
2011-05-15 04:17:15 +00:00
taca
6c6083c7f1 Update openssh package to 5.8.1 (5.8p1).
For changes from 5.5 to 5.7, please refer http://openssh.com/txt/release-5.7
and http://openssh.com/txt/release-5.6 in detail.

Changes since OpenSSH 5.7
=========================

Security:

 * Fix vulnerability in legacy certificate signing introduced in
   OpenSSH-5.6 and found by Mateusz Kocielski.

   Legacy certificates signed by OpenSSH 5.6 or 5.7 included data from
   the stack in place of a random nonce field. The contents of the stack
   do not appear to contain private data at this point, but this cannot
   be stated with certainty for all platform, library and compiler
   combinations. In particular, there exists a risk that some bytes from
   the privileged CA key may be accidentally included.

   A full advisory for this issue is available at:
   http://www.openssh.com/txt/legacy-cert.adv

Portable OpenSSH Bugfixes:

 * Fix compilation failure when enableing SELinux support.

 * Do not attempt to call SELinux functions when SELinux is disabled.
   bz#1851
2011-02-16 17:45:08 +00:00
obache
93c1382df3 Fixes build on SUA.
* header file location of libbind is differ than SFU.
* treat all Interxi as same, not only interix3.
2011-02-06 11:31:18 +00:00
taca
b90020b8ef Add hpn-patch for OpenSSH 5.5p1.
No PKGREVISION bump since this option never worked
with OpenSSH 5.5p1 before.
2010-06-15 03:11:52 +00:00
martti
4e27aff6a3 Updated security/openssh to 5.5.1
Lots of changes, including

 * After a transition period of about 10 years, this release disables
   SSH protocol 1 by default. Clients and servers that need to use the
   legacy protocol must explicitly enable it in ssh_config / sshd_config
   or on the command-line.

 * Remove the libsectok/OpenSC-based smartcard code and add support for
   PKCS#11 tokens. This support is automatically enabled on all
   platforms that support dlopen(3) and was inspired by patches written
   by Alon Bar-Lev. Details in the ssh(1) and ssh-add(1) manpages.

 * Add support for certificate authentication of users and hosts using a
   new, minimal OpenSSH certificate format (not X.509). Certificates
   contain a public key, identity information and some validity
   constraints and are signed with a standard SSH public key using
   ssh-keygen(1). CA keys may be marked as trusted in authorized_keys
   or via a TrustedUserCAKeys option in sshd_config(5) (for user
   authentication), or in known_hosts (for host authentication).

   Documentation for certificate support may be found in ssh-keygen(1),
   sshd(8) and ssh(1) and a description of the protocol extensions in
   PROTOCOL.certkeys.

 * Added a 'netcat mode' to ssh(1): "ssh -W host:port ..." This connects
   stdio on the client to a single port forward on the server. This
   allows, for example, using ssh as a ProxyCommand to route connections
   via intermediate servers. bz#1618
2010-06-11 20:41:41 +00:00
zafer
0c1c4ea190 remove pacnet mirror. service down. 2010-04-17 10:39:33 +00:00
martti
adc840d965 Regenerated some of the patches. 2010-02-19 10:17:33 +00:00
taca
167d1cdd3b Add checksum for hpn-patch. 2010-02-18 16:27:58 +00:00
martti
cd59ee0c20 Updated OpenSSH to 5.3.1 (pkg/42635 by Fredrik Pettai)
This is a bugfix release, no new features have been added.

Changes since OpenSSH 5.2
=========================

General Bugfixes:

 * Do not limit home directory paths to 256 characters. bz#1615

 * Several minor documentation and correctness fixes.

Portable OpenSSH Bugfixes:

 * This release removes for support for very old versions of Cygwin and
   for Windows 95/98/ME

 * Move the deletion of PAM credentials on logout to after the session
   close. bz#1534

 * Make PrintLastLog work on AIX. bz#1595

 * Avoid compile errors on FreeBSD from conflicts in glob.h. bz#1634

 * Delay dropping of root privileges on AIX so chroot and pam_open_session
   work correctly. bz#1249 and bz#1567

 * Increase client IO buffer on Cygwin to 64K, realising a significant
   performance improvement.

 * Roll back bz#1241 (better handling for expired passwords on Tru64).
   The change broke password logins on some configurations.

 * Accept ENOSYS as a fallback error when attempting atomic
   rename(). bz#1535

 * Fix passing of variables to recursive make(1) invocations on Solaris.
   bz#1505

 * Skip the tcgetattr call on the pty master on Solaris, since it never
   succeeds and can hang if large amounts of data is sent to the slave
   (eg a copy-paste). bz#1528

 * Fix detection of krb5-config. bz#1639

 * Fix test for server-assigned remote forwarding port for non-root users.
   bz#1578

 * Fix detection of libresolv on OSX 10.6.
2010-02-18 08:04:35 +00:00
wiz
579796a3e5 Recursive PKGREVISION bump for jpeg update to 8. 2010-01-17 12:02:03 +00:00
zafer
138f1611ac update master_sites. remove openbsd.uni-erlangen. out of service since 8/18/09 2009-09-06 22:36:33 +00:00
joerg
f0bbd1517d Remove @dirrm entries from PLISTs 2009-06-14 18:13:25 +00:00
taca
a57fbf5e7a Update openssh package to 5.2.1(5.2p1).
Changes since OpenSSH 5.1
=========================

Security:

 * This release changes the default cipher order to prefer the AES CTR
   modes and the revised "arcfour256" mode to CBC mode ciphers that are
   susceptible to CPNI-957037 "Plaintext Recovery Attack Against SSH".

 * This release also adds countermeasures to mitigate CPNI-957037-style
   attacks against the SSH protocol's use of CBC-mode ciphers. Upon
   detection of an invalid packet length or Message Authentication
   Code, ssh/sshd will continue reading up to the maximum supported
   packet length rather than immediately terminating the connection.
   This eliminates most of the known differences in behaviour that
   leaked information about the plaintext of injected data which formed
   the basis of this attack. We believe that these attacks are rendered
   infeasible by these changes.

New features:

 * Added a -y option to ssh(1) to force logging to syslog rather than
   stderr, which is useful when running daemonised (ssh -f)

 * The sshd_config(5) ForceCommand directive now accepts commandline
   arguments for the internal-sftp server.

 * The ssh(1) ~C escape commandline now support runtime creation of
   dynamic (-D) port forwards.

 * Support the SOCKS4A protocol in ssh(1) dynamic (-D) forwards.
   (bz#1482)

 * Support remote port forwarding with a listen port of '0'. This
   informs the server that it should dynamically allocate a listen
   port and report it back to the client. (bz#1003)

 * sshd(8) now supports setting PermitEmptyPasswords and
   AllowAgentForwarding in Match blocks

Bug and documentation fixes

 * Repair a ssh(1) crash introduced in openssh-5.1 when the client is
   sent a zero-length banner (bz#1496)

 * Due to interoperability problems with certain
   broken SSH implementations, the eow@openssh.com and
   no-more-sessions@openssh.com protocol extensions are now only sent
   to peers that identify themselves as OpenSSH.

 * Make ssh(1) send the correct channel number for
   SSH2_MSG_CHANNEL_SUCCESS and SSH2_MSG_CHANNEL_FAILURE messages to
   avoid triggering 'Non-public channel' error messages on sshd(8) in
   openssh-5.1.

 * Avoid printing 'Non-public channel' warnings in sshd(8), since the
   ssh(1) has sent incorrect channel numbers since ~2004 (this reverts
   a behaviour introduced in openssh-5.1).

 * Avoid double-free in ssh(1) ~C escape -L handler (bz#1539)

 * Correct fail-on-error behaviour in sftp(1) batchmode for remote
   stat operations. (bz#1541)

 * Disable nonfunctional ssh(1) ~C escape handler in multiplex slave
   connections. (bz#1543)

 * Avoid hang in ssh(1) when attempting to connect to a server that
   has MaxSessions=0 set.

 * Multiple fixes to sshd(8) configuration test (-T) mode

 * Several core and portable OpenSSH bugs fixed: 1380, 1412, 1418,
   1419, 1421, 1490, 1491, 1492, 1514, 1515, 1518, 1520, 1538, 1540

 * Many manual page improvements.
2009-05-21 03:22:29 +00:00
zafer
d1cf32c54e update mirrors and add a few more from the mirror list. 2009-05-01 14:27:34 +00:00
taca
847296952e Update openssh package to 5.1.1 (5.1p1)
Changes from OpenSSH 5.0 is huge to write here, please refer its
release note: http://www.openssh.com/txt/release-5.1.
I quote only Security section from the release note.

Security:

 * sshd(8): Avoid X11 man-in-the-middle attack on HP/UX (and possibly
   other platforms) when X11UseLocalhost=no

   When attempting to bind(2) to a port that has previously been bound
   with SO_REUSEADDR set, most operating systems check that either the
   effective user-id matches the previous bind (common on BSD-derived
   systems) or that the bind addresses do not overlap (Linux and
   Solaris).

   Some operating systems, such as HP/UX, do not perform these checks
   and are vulnerable to an X11 man-in-the-middle attack when the
   sshd_config(5) option X11UseLocalhost has been set to "no" - an
   attacker may establish a more-specific bind, which will be used in
   preference to sshd's wildcard listener.

   Modern BSD operating systems, Linux, OS X and Solaris implement the
   above checks and are not vulnerable to this attack, nor are systems
   where the X11UseLocalhost has been left at the default value of
   "yes".

   Portable OpenSSH 5.1 avoids this problem for all operating systems
   by not setting SO_REUSEADDR when X11UseLocalhost is set to no.

   This vulnerability was reported by sway2004009 AT hotmail.com.
2008-09-16 12:53:08 +00:00
tnn
53324c97e5 Add patch from OpenSSH 5.1 that fixes an X11 fwd security issue on HP-UX.
Bump PKGREVISION.
2008-07-24 16:25:47 +00:00
tnn
351ceffa01 Update to OpenSSH 5.0p1.
Changes since 4.7:
- fix two security issues
- chroot support for sshd(8)
- sftp server internalized in sshd(8)
- assorted bug fixes
2008-04-27 00:34:27 +00:00
taca
87c3f03083 Fix build problem with hpn-patch option enabled. 2008-04-08 06:36:47 +00:00
tonnerre
2442cc7499 Fix two vulnerabilities in OpenSSH:
- X11 forwarding information disclosure (CVE-2008-1483)
 - ForceCommand bypass vulnerability
2008-04-03 07:59:08 +00:00
tnn
ad6ceadd25 Per the process outlined in revbump(1), perform a recursive revbump
on packages that are affected by the switch from the openssl 0.9.7
branch to the 0.9.8 branch. ok jlam@
2008-01-18 05:06:18 +00:00
wiz
499dbfee47 Remove ftp7.usa.openbsd.org from MASTER_SITES, doesn't resolve.
From Zafer Aydogan in PR 37331.
2007-11-12 00:06:06 +00:00
taca
1ee28b58ab Use DIST_SUBDIR for changed distfiles noted by wiz@ with private mail.
Bump PKGREVISION.
2007-09-19 13:42:01 +00:00
taca
05fb160b50 openssh-4.7p1-hpn12v18.diff.gz has updated without change file name.
It seems that it corrected SSH_HPN definition to "-hpn12v18".
2007-09-19 09:08:05 +00:00
jlam
07dd3147c6 Convert packages that test and use USE_INET6 to use the options framework
and to support the "inet6" option instead.

Remaining usage of USE_INET6 was solely for the benefit of the scripts
that generate the README.html files.  Replace:

	BUILD_DEFS+=	USE_INET6
with
	BUILD_DEFS+=	IPV6_READY

and teach the README-generation tools to look for that instead.

This nukes USE_INET6 from pkgsrc proper.  We leave a tiny bit of code
to continue to support USE_INET6 for pkgsrc-wip until it has been nuked
from there as well.
2007-09-07 22:12:10 +00:00
taca
67217a21ce Update openssh package to 4.7.1 (4.7p1).
Changes since OpenSSH 4.6:
============================

Security bugs resolved in this release:

 * Prevent ssh(1) from using a trusted X11 cookie if creation of an
   untrusted cookie fails; found and fixed by Jan Pechanec.

Other changes, new functionality and fixes in this release:

 * sshd(8) in new installations defaults to SSH Protocol 2 only.
   Existing installations are unchanged.

 * The SSH channel window size has been increased, and both ssh(1)
   sshd(8) now send window updates more aggressively. These improves
   performance on high-BDP (Bandwidth Delay Product) networks.

 * ssh(1) and sshd(8) now preserve MAC contexts between packets, which
   saves 2 hash calls per packet and results in 12-16% speedup for
   arcfour256/hmac-md5.

 * A new MAC algorithm has been added, UMAC-64 (RFC4418) as
   "umac-64@openssh.com". UMAC-64 has been measured to be
   approximately 20% faster than HMAC-MD5.

 * A -K flag was added to ssh(1) to set GSSAPIAuthentication=Yes

 * Failure to establish a ssh(1) TunnelForward is now treated as a
   fatal error when the ExitOnForwardFailure option is set.

 * ssh(1) returns a sensible exit status if the control master goes
   away without passing the full exit status. (bz #1261)

 * The following bugs have been fixed in this release:

   - When using a ProxyCommand in ssh(1), set the outgoing hostname with
     gethostname(2), allowing hostbased authentication to work (bz #616)
   - Make scp(1) skip FIFOs rather than hanging (bz #856)
   - Encode non-printing characters in scp(1) filenames.
     these could cause copies to be aborted with a "protocol error"
     (bz #891)
   - Handle SIGINT in sshd(8) privilege separation child process to
     ensure that wtmp and lastlog records are correctly updated
     (bz #1196)
   - Report GSSAPI mechanism in errors, for libraries that support
     multiple mechanisms (bz #1220)
   - Improve documentation for ssh-add(1)'s -d option (bz #1224)
   - Rearrange and tidy GSSAPI code, removing server-only code being
     linked into the client. (bz #1225)
   - Delay execution of ssh(1)'s LocalCommand until after all forwadings
     have been established. (bz #1232)
   - In scp(1), do not truncate non-regular files (bz #1236)
   - Improve exit message from ControlMaster clients. (bz #1262)
   - Prevent sftp-server(8) from reading until it runs out of buffer
     space, whereupon it would exit with a fatal error. (bz #1286)

 * Portable OpenSSH bugs fixed:

   - Fix multiple inclusion of paths.h on AIX 5.1 systems. (bz #1243)
   - Implement getpeereid for Solaris using getpeerucred. Solaris
     systems will now refuse ssh-agent(1) and ssh(1) ControlMaster
     clients from different, non-root users (bz #1287)
   - Fix compilation warnings by including string.h if found. (bz #1294)
   - Remove redefinition of _res in getrrsetbyname.c for platforms that
     already define it. (bz #1299)
   - Fix spurious "chan_read_failed for istate 3" errors from sshd(8),
     a side-effect of the "hang on exit" fix introduced in 4.6p1.
     (bz #1306)
   - pam_end() was not being called if authentication failed (bz #1322)
   - Fix SELinux support when SELinux is in permissive mode. Previously
     sshd(8) was treating SELinux errors as always fatal. (bz #1325)
   - Ensure that pam_setcred(..., PAM_ESTABLISH_CRED) is called before
     pam_setcred(..., PAM_REINITIALIZE_CRED), fixing pam_dhkeys.
     (bz #1339)
   - Fix privilege separation on QNX - pre-auth only, this platform does
     not support file descriptior passing needed for post-auth privilege
     separation. (bz #1343)
2007-09-07 10:41:11 +00:00
taca
56cb208f61 Add a patch from https://bugzilla.mindrot.org/show_bug.cgi?id=1306.
Fix nasty "error: channel 0: chan_read_failed for istate 3" message.

Bump PKGREVISION.
2007-07-31 02:29:38 +00:00
jlam
4390d56940 Make it easier to build and install packages "unprivileged", where
the owner of all installed files is a non-root user.  This change
affects most packages that require special users or groups by making
them use the specified unprivileged user and group instead.

(1) Add two new variables PKG_GROUPS_VARS and PKG_USERS_VARS to
    unprivileged.mk.  These two variables are lists of other bmake
    variables that define package-specific users and groups.  Packages
    that have user-settable variables for users and groups, e.g. apache
    and APACHE_{USER,GROUP}, courier-mta and COURIER_{USER,GROUP},
    etc., should list these variables in PKG_USERS_VARS and PKG_GROUPS_VARS
    so that unprivileged.mk can know to set them to ${UNPRIVILEGED_USER}
    and ${UNPRIVILEGED_GROUP}.

(2) Modify packages to use PKG_GROUPS_VARS and PKG_USERS_VARS.
2007-07-04 20:54:31 +00:00
taca
93ca72a887 Update openssh pacakge to 4.6.1.
Changes since OpenSSH 4.5:
============================

 * sshd now allows the enabling and disabling of authentication
   methods on a per user, group, host and network basis via the
   Match directive in sshd_config.

 * The following bugs have been fixed in this release:

   - Clear SIGALRM when restarting due to SIGHUP. Prevents stray
     signal from taking down sshd if a connection was pending at
     the time SIGHUP was received
   - sftp returned a zero exit status when upload failed due to write
     errors (bugzilla #1252)
   - fixed an inconsistent check for a terminal when displaying scp
     progress meter (bugzilla #1265)
   - Parsing of time values in Match blocks was incorrectly applied
     to the global configuration (bugzilla #1275)
   - Allow multiple forwarding options to work when specified in a
     PermitOpen directive (bugzilla #1267)
   - Interoperate with ssh.com versions that do not support binding
     remote port forwarding sessions to a hostname (bugzilla #1019)

 * Portable OpenSSH bugs fixed:

   - "hang on exit" when background processes are running at the time
     of exit on a ttyful/login session (bugzilla #52)
   - Fix typos in the ssh-rand-helper(8) man page (bugzilla #1259)
   - Check that some SIG records have been returned in getrrsetbyname
     (bugzilla #1281)
   - Fix contrib/findssl for platforms that lack "which" (bugzilla
     #1237)
   - Work around bug in OpenSSL 0.9.8e that broke aes256-ctr,
     aes192-ctr, arcfour256 (bugzilla #1291)
2007-03-18 12:38:44 +00:00
cjs
40d179625e Bring in patch suggested in http://bugzilla.mindrot.org/show_bug.cgi?id=1299 .
This fixes the issue that, when "options edns0" is turned on (usually in
/etc/resolv.conf), ssh doesn't see it, and thus fails to request a DNSSEC
response, which in turn leads to SSHFP records being considered insecure.
2007-03-16 05:46:06 +00:00
wiz
601583c320 Whitespace cleanup, courtesy of pkglint.
Patch provided by Sergey Svishchev in private mail.
2007-02-22 19:26:05 +00:00
schwarz
dabfb3562f * added a patch to ensure compatibility with IRIX 5 (Changes says it is al-
ready included with that release of OpenSSH, but in fact it is not)
* removed hacks.mk which is no longer necessary with that version of OpenSSH
2007-01-27 22:57:35 +00:00
taca
c1cf735115 Update hpn-patch; openssh-4.4p1-hpn12v13 to openssh-4.5p1-hpn12v14.
Accurate changes are unknown.

Bump PKGREVISION.
2007-01-20 10:03:39 +00:00
tv
569889ebf2 Add explicit IOV_MAX for Interix -- openssh tries to use _XOPEN_IOV_MAX
in an autoarray, but on Interix that is the same as INT_MAX[!].
2006-11-21 17:47:53 +00:00
tv
53c87eaf2f regen for patches 2006-11-21 17:44:53 +00:00
tv
d576320b00 fix variable name in Interix part of patch 2006-11-21 17:43:56 +00:00
taca
c69a611a66 Update openssh package to 4.5.1 (openssh-4.5p1).
Changes:

Security bugs resolved in this release:

 * Fix a bug in the sshd privilege separation monitor that weakened its
   verification of successful authentication. This bug is not known to
   be exploitable in the absence of additional vulnerabilities.

This release includes the following non-security fixes:

 * Several compilation fixes for portable OpenSSH

 * Fixes to Solaris SMF/process contract support (bugzilla #1255)
2006-11-08 01:49:22 +00:00
taca
066403d616 Update hpn-patch to hpn12v13 since old one has gone.
Bump PKGREVISION.
2006-11-07 07:08:26 +00:00