Commit graph

32 commits

Author SHA1 Message Date
nia
3df0f20e22 security: Replace RMD160 checksums with BLAKE2s checksums
All checksums have been double-checked against existing RMD160 and
SHA512 hashes

Unfetchable distfiles (fetched conditionally?):
./security/cyrus-sasl/distinfo cyrus-sasl-dedad73e5e7a75d01a5f3d5a6702ab8ccd2ff40d.patch.v2
2021-10-26 11:16:56 +00:00
nia
fa4b2904a6 security: Remove SHA1 hashes for distfiles 2021-10-07 14:53:40 +00:00
rillig
9637f7852e all: migrate homepages from http to https
pkglint -r --network --only "migrate"

As a side-effect of migrating the homepages, pkglint also fixed a few
indentations in unrelated lines. These and the new homepages have been
checked manually.
2020-01-26 17:30:40 +00:00
jperkin
cbaf4dda0f Requires termcap. 2017-05-10 10:45:26 +00:00
agc
30b55df38e Convert all occurrences (353 by my count) of
MASTER_SITES= 	site1 \
			site2

style continuation lines to be simple repeated

	MASTER_SITES+= site1
	MASTER_SITES+= site2

lines. As previewed on tech-pkg. With thanks to rillig for fixing pkglint
accordingly.
2017-01-19 18:52:01 +00:00
agc
5293710fb4 Add SHA512 digests for distfiles for security category
Problems found locating distfiles:
	Package f-prot-antivirus6-fs-bin: missing distfile fp-NetBSD.x86.32-fs-6.2.3.tar.gz
	Package f-prot-antivirus6-ws-bin: missing distfile fp-NetBSD.x86.32-ws-6.2.3.tar.gz
	Package libidea: missing distfile libidea-0.8.2b.tar.gz
	Package openssh: missing distfile openssh-7.1p1-hpn-20150822.diff.bz2
	Package uvscan: missing distfile vlp4510e.tar.Z

Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden).  All existing
SHA1 digests retained for now as an audit trail.
2015-11-04 01:17:40 +00:00
joerg
992861375f Fix inline use. 2013-03-03 01:09:34 +00:00
asau
1a433eae91 Drop superfluous PKG_DESTDIR_SUPPORT, "user-destdir" is default these days. 2012-10-23 18:16:19 +00:00
drochner
6fb5de7923 -explicitely disable kerberos support to avoid PLIST fluctuations
(seen in bulk build)
-fix obvious typo in asm code (fixes i386 build)
-don't install nettle library to avoid conflict with pkgsrc/nettle
bump PKGREV
2011-12-16 12:54:41 +00:00
asau
00708ce7e3 Recursive revision bump for GMP update. 2010-03-24 19:43:21 +00:00
obache
66a3fea37a Updte lsh to 2.0.4.
While here,
 * set LICENSE=gnu-gpl-v2
 * marked as user-destdir installation ready
 * switch to use system argp
 * add missing zlib buildlink

News for the 2.0.4 release

	Fixed x11 forwarding bug in the lsh client.

News for the 2.0.3 release

	At startup, lshd now tries to close any spurious open file
	descriptors. New test case for lshd fd leakage.

	lshd --daemonic --no-syslog now sets up a proper daemonic
	environment, except that log messages are still sent to
	stderr. Improved testing of this feature.
2010-03-13 04:40:12 +00:00
joerg
f0bbd1517d Remove @dirrm entries from PLISTs 2009-06-14 18:13:25 +00:00
dholland
c6ff9df47b This installs a bash script. Handle it properly.
PKGREVISION++
2008-08-17 05:32:12 +00:00
wiz
47036fe032 Upgrade lsh to version 2 (from lsh2) and remove lsh2.
No disagreement on pkgsrc-users.
2007-04-01 21:26:48 +00:00
drochner
da45d43410 pull in some patches from lsh2 to make it compile with gcc4 2007-02-22 17:38:33 +00:00
rillig
c4ac32f5b8 This package has info files. 2007-02-15 21:23:55 +00:00
jlam
7d619eb1fe Support checking passwords using either Kerberos or PAM via PKG_OPTIONS.
This fixes the PLIST on systems that have PAM natively.  Bump the
PKGREVISION to 5.
2006-06-16 18:43:18 +00:00
salo
12e8fb90e2 Backport fix for CVE-2006-0353 from lsh2:
"unix_random.c in lshd for lsh 2.0.1 leaks file descriptors related
 to the randomness generator, which allows local users to cause a denial
 of service by truncating the seed file, which prevents the server from
 starting, or obtain sensitive seed information that could be used to
 crack keys."

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0353
2006-04-05 23:59:33 +00:00
reed
5d70841b79 Mention what version of lsh this package provides
(so lsh2 and lsh DESCRiptions are different.)

Also uppercase ssh2 to SSH2.

TODO: anyone want to document features or differences between
	these two packages?
2006-03-11 04:41:44 +00:00
jlam
9c8b5ede43 Point MAINTAINER to pkgsrc-users@NetBSD.org in the case where no
developer is officially maintaining the package.

The rationale for changing this from "tech-pkg" to "pkgsrc-users" is
that it implies that any user can try to maintain the package (by
submitting patches to the mailing list).  Since the folks most likely
to care about the package are the folks that want to use it or are
already using it, this would leverage the energy of users who aren't
developers.
2006-03-04 21:28:51 +00:00
joerg
5911def816 Recursive revision bump / recommended bump for gettext ABI change. 2006-02-05 23:08:03 +00:00
reed
7c9b31870e Mention this is version 1 in the COMMENT. 2005-12-27 22:28:33 +00:00
jlam
585534220c Remove USE_GNU_TOOLS and replace with the correct USE_TOOLS definitions:
USE_GNU_TOOLS	-> USE_TOOLS
	awk		-> gawk
	m4		-> gm4
	make		-> gmake
	sed		-> gsed
	yacc		-> bison
2005-05-22 20:07:36 +00:00
drochner
0271a0b85b Move the freshly update lsh-2.0.1 into a separate pkg and leave
security/lsh at 1.4.3.
lsh-2.0.1 has interoperability problems with openssh servers
(always gets "Invalid server signature" errors).
lsh-1.4.3 is not affected by CAN-2003-0826. Add a patch to address
CAN-2005-0814 and bump PKGREVISION.
2005-04-30 12:23:42 +00:00
wiz
a41ad46647 Update to 2.0.1:
News for the 2.0.1 release

	Fixed denial of service bug in lshd.

	Fixed a bug in lsh-make-seed, which could make the program go
	into an infinite loop on read errors.

	lsh now asks for passwords also in quite (-q) mode, as
	described in the manual.

	Control character filtering used to sometimes consider newline
	as a dangerous control character. Now newlines should be
	displayed normally.

	Removed support for the non-standard alias
	"diffie-hellman-group2-sha1". The standardized name is for
	this key exchange method is "diffie-hellman-group14-sha1".

News for the 2.0 release

	Several programs have new default behaviour:

	* lshd enables X11 forwarding by default (lsh still does not).

	* lsh-keygen generates RSA rather than DSA keys by default.

	* lsh-writekey encrypts the private key by default, using
	  aes256-cbc. Unless the --server flag is used.

	Improved the lcp script. It is now installed by default.

	Implemented the client side of "keyboard-interactive" user
	authentication.

	Support keyexchange with
	diffie-hellman-group14-sha1/diffie-hellman-group2-sha1 (the
	standardized name is at the moment not decided).

	Fixes to the utf8 encoder, and in particular interactions
	between utf8 and control character filtering.

News for the 1.5.5 release

	Added SOCKS-style proxying to lsh and lshg. See the new -D
	command line option. Supports both SOCKS-4 and SOCKS-5.

	The lsh client no longer sets its stdio file descriptors into
	non-blocking mode, which should avoid a bunch of problems. As
	a consequence, the --cvs-workaround command line option has
	been deleted.

	In the user lookup code, lshd now ignores the shadow database
	if getspnam returns NULL.

	In the server pty setup code, use the group "system" as a
	fallback if the group "tty" doesn't exist. This is the case on
	AIX. (There are however more problems on AIX, which makes it
	uncertain that lshd will work out of the box).

	Deleted the --ssh1-fallback option for lshd. I hope ssh1 is
	dead by now; if it isn't, you have to run ssh1d and lshd on
	different ports.

	Deleted code for bug-compatibility with ancient versions of
	Datafellow's SSH2. There are zero bug-compatibility hacks in
	this version.

News for the 1.5.4 release

	Added logging of tcpip-forward requests.

	Includes nettle-1.9, which have had some portability fixes and
	optimizations. In particular, arcfour on x86 should be much
	faster.

	Implemented flow control on the raw ssh connection. Enforce
	limits on the amount of buffered data waiting to be written to
	the socket.

	Moved all destructive string operations to a separate file
	lsh_string.c, which has exclusive rights of accessing string
	internals. Should make the code more robust, as buffer size
	and index calculations elsewhere in the code should hit an
	assert in lsh_string.c before doing damage.

	Some general simplification and cleanup of the code.

News for the 1.5.3 release

	Fixed heap buffer overrun with potential remote root
	compromise. Initial bug report by Bennett Todd.

	Fixed a similar bug in the check for channel number allocation
	failure in the handling of channel_open, and in the
	experimental client SRP code.

	lshd now has an experimental mode similar to telnet, where it
	accepts the 'none' authentication method and automatically
	disables services such as X and TCP forwarding. This can be
	useful in environment where it's required that /bin/login or
	some other program handle authentication and session setup
	(e.g. handle security contexts and so on).

News for the 1.5.2 release

	Encrypted private keys works again.

	New client escape sequence RET ~ ?, which lists all available
	escape sequences. Also fixed the werror functions so that they
	use \r\n to terminate lines when writing to a tty in raw mode.

	Implemented handling of multiple --interface options to lshd.
	As a side effect, The -p option must now be given before
	--interface to have any effect.

	Connecting to machines with multiple IP-adresses is smarter,
	it connects to a few addresses at a time, in parallel.

	Fixed a file descriptor leak in the server tcpip forwarding
	code.

	Lots of portability fixes.

News for the 1.5.1 release

	Incompatible change to key format, to comply with the current
	spki structure draft. You can use the script lsh-upgrade to
	copy and convert the information in the old .lsh/known-hosts
	to the new file .lsh/host-acls. The new code uses libspki.

	Fixed IPv6 bug reported by Simon Kowallik.

	lshd now does the equivalence of ulimit -n unlimited, this is
	inherited by processes started upon client requests. If you
	don't want this, you should use /etc/{profile,login,whatever}
	to set limits for your users. Do note that PAM-based solutions
	will NOT work as PAM is used from a separate process that
	terminates as soon as the authentication is finished (this of
	course goes for environment variables too).

	lsh and and lshg now parses options from LSHFLAGS and
	LSHGFLAGS, these are parsed before and can be overridden by
	the command line.

News for the 1.5 release

	Implemented the server side of X11 forwarding. Try lshd
	--x11-forward. There's one known bug: The server may start
	sending data on the session channel (typically your first
	shell prompt) before it has sent the reply to the client's
	"shell" or "exec" request. lsh will complain about, and ignore
	that data.

	As part of the X11 hacking, the socket code have been
	reorganized.

	Deleted one of the ipv6 configure tests. Now lsh will happily
	build ipv6 support even if ipv6 is not available at run-time
	on the build machine.

	Fixed bug preventing -c none from working.

	Another bug fix, call setsid even in the non-pty case.

	Various bug fixes.
2005-04-28 14:10:04 +00:00
tv
f816d81489 Remove USE_BUILDLINK3 and NO_BUILDLINK; these are no longer used. 2005-04-11 21:44:48 +00:00
agc
d81d19f8e0 Add RMD160 digests. 2005-02-24 12:51:41 +00:00
tv
c487cb967a Libtool fix for PR pkg/26633, and other issues. Update libtool to 1.5.10
in the process.  (More information on tech-pkg.)

Bump PKGREVISION and BUILDLINK_DEPENDS of all packages using libtool and
installing .la files.

Bump PKGREVISION (only) of all packages depending directly on the above
via a buildlink3 include.
2004-10-03 00:12:51 +00:00
snj
16fa6427b0 Convert to buildlink3. 2004-04-25 03:47:44 +00:00
grant
1954268133 USE_GNU_TOOLS should be appended to with += 2004-02-14 22:41:17 +00:00
uebayasi
09dda46dcf USE_GMAKE=yes -> USE_GNU_TOOLS=make 2004-02-14 15:10:27 +00:00
drochner
94d670332b add a pkg for lsh-1.4.3, an alternative ssh2 client/server 2004-01-12 15:55:11 +00:00