All checksums have been double-checked against existing RMD160 and
SHA512 hashes
Unfetchable distfiles (fetched conditionally?):
./security/cyrus-sasl/distinfo cyrus-sasl-dedad73e5e7a75d01a5f3d5a6702ab8ccd2ff40d.patch.v2
version 0.9.6 (released 2021-08-26)
* CVE-2021-3634: Fix possible heap-buffer overflow when rekeying with
different key exchange mechanism
* Fix several memory leaks on error paths
* Reset pending_call_state on disconnect
* Fix handshake bug with AEAD ciphers and no HMAC overlap
* Use OPENSSL_CRYPTO_LIBRARIES in CMake
* Ignore request success and failure message if they are not expected
* Support more identity files in configuration
* Avoid setting compiler flags directly in CMake
* Support build directories with special characters
* Include stdlib.h to avoid crash in Windows
* Fix sftp_new_channel constructs an invalid object
* Fix Ninja multiple rules error
* Several tests fixes
version 0.9.5 (released 2020-XX-XX)
* CVE-2020-16135: Avoid null pointer dereference in sftpserver (T232)
* Improve handling of library initialization (T222)
* Fix parsing of subsecond times in SFTP (T219)
* Make the documentation reproducible
* Remove deprecated API usage in OpenSSL
* Fix regression of ssh_channel_poll_timeout() returning SSH_AGAIN
* Define version in one place (T226)
* Prevent invalid free when using different C runtimes than OpenSSL (T229)
* Compatibility improvements to testsuite
version 0.9.4 (released 2020-04-09)
* Fixed CVE-2020-1730 - Possible DoS in client and server when handling
AES-CTR keys with OpenSSL
* Added diffie-hellman-group14-sha256
* Fixed serveral possible memory leaks
pkglint -r --network --only "migrate"
As a side-effect of migrating the homepages, pkglint also fixed a few
indentations in unrelated lines. These and the new homepages have been
checked manually.
version 0.9.3 (released 2019-12-10)
* Fixed CVE-2019-14889 - SCP: Unsanitized location leads to command execution
* SSH-01-003 Client: Missing NULL check leads to crash in erroneous state
* SSH-01-006 General: Various unchecked Null-derefs cause DOS
* SSH-01-007 PKI Gcrypt: Potential UAF/double free with RSA pubkeys
* SSH-01-010 SSH: Deprecated hash function in fingerprinting
* SSH-01-013 Conf-Parsing: Recursive wildcards in hostnames lead to DOS
* SSH-01-014 Conf-Parsing: Integer underflow leads to OOB array access
* SSH-01-001 State Machine: Initial machine states should be set explicitly
* SSH-01-002 Kex: Differently bound macros used to iterate same array
* SSH-01-005 Code-Quality: Integer sign confusion during assignments
* SSH-01-008 SCP: Protocol Injection via unescaped File Names
* SSH-01-009 SSH: Update documentation which RFCs are implemented
* SSH-01-012 PKI: Information leak via uninitialized stack buffer
version 0.9.1 (released 2019-10-25)
* Added support for Ed25519 via OpenSSL
* Added support for X25519 via OpenSSL
* Added support for localuser in Match keyword
* Fixed Match keyword to be case sensitive
* Fixed compilation with LibreSSL
* Fixed error report of channel open (T75)
* Fixed sftp documentation (T137)
* Fixed known_hosts parsing (T156)
* Fixed build issue with MinGW (T157)
* Fixed build with gcc 9 (T164)
* Fixed deprecation issues (T165)
* Fixed known_hosts directory creation (T166)
ChangeLog
Added support for AES-GCM
Added improved rekeying support
Added performance improvements
Disabled blowfish support by default
Fixed several ssh config parsing issues
Added support for DH Group Exchange KEX
Added support for Encrypt-then-MAC mode
Added support for parsing server side configuration file
Added support for ECDSA/Ed25519 certificates
Added FIPS 140-2 compatibility
Improved known_hosts parsing
Improved documentation
Improved OpenSSL API usage for KEX, DH, KDF and signatures
version 0.8.7 (released 2019-02-25)
* Fixed handling extension flags in the server implementation
* Fixed exporting ed25519 private keys
* Fixed corner cases for rsa-sha2 signatures
* Fixed some issues with connector
version 0.8.6 (released 2018-12-24)
* Fixed compilation issues with different OpenSSL versions
* Fixed StrictHostKeyChecking in new knownhosts API
* Fixed ssh_send_keepalive() with packet filter
* Fixed possible crash with knownhosts options
* Fixed issus with rekeying
* Fixed strong ECDSA keys
* Fixed some issues with rsa-sha2 extentions
* Fixed access violation in ssh_init() (static linking)
* Fixed ssh_channel_close() handling
version 0.8.5:
* Added support to get known_hosts locations with ssh_options_get()
* Fixed preferred algorithm for known hosts negotiations
* Fixed KEX with some server implementations (e.g. Cisco)
* Fixed issues with MSVC
* Fixed keyboard-interactive auth in server mode
(regression from CVE-2018-10933)
* Fixed gssapi auth in server mode (regression from CVE-2018-10933)
* Fixed socket fd handling with proxy command
* Fixed a memory leak with OpenSSL
version 0.8.4:
* Fixed CVE-2018-10933
* Fixed building without globbing support
* Fixed possible memory leaks
* Avoid SIGPIPE on sockets
version 0.8.3:
* Added support for rsa-sha2
* Added support to parse private keys in openssh container format
(other than ed25519)
* Added support for diffie-hellman-group18-sha512 and
diffie-hellman-group16-sha512
* Added ssh_get_fingerprint_hash()
* Added ssh_pki_export_privkey_base64()
* Added support for Match keyword in config file
* Improved performance and reduced memory footprint for sftp
* Fixed ecdsa publickey auth
* Fixed reading a closed channel
* Added support to announce posix-rename@openssh.com and
hardlink@openssh.com in the sftp server
version 0.8.2:
* Added sha256 fingerprints for pubkeys
* Improved compiler flag detection
* Fixed race condition in reading sftp messages
* Fixed doxygen generation and added modern style
* Fixed library initialization on Windows
* Fixed __bounded__ attribute detection
* Fixed a bug in the options parser
* Fixed documentation for new knwon_hosts API
version 0.8.1:
* Fixed version number in the header
* Fixed version number in pkg-config and cmake config
* Fixed library initialization
* Fixed attribute detection
version 0.8.0:
* Removed support for deprecated SSHv1 protocol
* Added new connector API for clients
* Added new known_hosts parsing API
* Added support for OpenSSL 1.1
* Added support for chacha20-poly1305 cipher
* Added crypto backend for mbedtls crypto library
* Added ECDSA support with gcrypt backend
* Added advanced client and server testing using cwrap.org
* Added support for curve25519-sha256 alias
* Added support for global known_hosts file
* Added support for symbol versioning
* Improved ssh_config parsing
* Improved threading support
version 0.7.6 (released 2018-10-16)
* Fixed CVE-2018-10933
* Added support for OpenSSL 1.1
* Added SHA256 support for ssh_get_publickey_hash()
* Fixed config parsing
* Fixed random memory corruption when importing pubkeys
version 0.7.5 (released 2017-04-13)
* Fixed a memory allocation issue with buffers
* Fixed PKI on Windows
* Fixed some SSHv1 functions
* Fixed config hostname expansion
version 0.7.4 (released 2017-02-03)
* Added id_ed25519 to the default identity list
* Fixed sftp EOF packet handling
* Fixed ssh_send_banner() to confirm with RFC 4253
* Fixed some memory leaks
Problems found locating distfiles:
Package f-prot-antivirus6-fs-bin: missing distfile fp-NetBSD.x86.32-fs-6.2.3.tar.gz
Package f-prot-antivirus6-ws-bin: missing distfile fp-NetBSD.x86.32-ws-6.2.3.tar.gz
Package libidea: missing distfile libidea-0.8.2b.tar.gz
Package openssh: missing distfile openssh-7.1p1-hpn-20150822.diff.bz2
Package uvscan: missing distfile vlp4510e.tar.Z
Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden). All existing
SHA1 digests retained for now as an audit trail.
(We need to keep the old numbering syntax to make versions compare
correctly.)
There are only two consumers in pkgsrc; one of them (remmina and
remmina-plugins) actually needed library version 0.4 or later, and
didn't build the ssh/sftp/nx plugins without. Hydra is also supposed
to build with 0.4.x and later.)
Upstream changelogs:
0.5.4:
CVE-2013-0176 - NULL dereference leads to denial of service
Fixed several NULL pointer dereferences in SSHv1.
Fixed a free crash bug in options parsing.
and for completeness 0.5.3:
This is an important SECURITY and maintenance release in
order to address CVE-2012-4559, CVE-2012-4560, CVE-2012-4561
and CVE-2012-4562.
CVE-2012-4559 - Fix multiple double free() flaws
CVE-2012-4560 - Fix multiple buffer overflow flaws
CVE-2012-4561 - Fix multiple invalid free() flaws
CVE-2012-4562 - Fix multiple improper overflow checks
(...)
Suggested by Noud de Brouwer in wip/libssh and PR pkg/47518, but needed
some changes to PLIST as well as to make "pkg_admin audit" and updates
compare correctly.
(We need to keep the old numbering syntax to make versions compare
correctly.)
There are only two consumers in pkgsrc; one of them (remmina and
remmina-plugins) actually needed library version 0.4 or later, and
didn't build the ssh/sftp/nx plugins without. Hydra is also supposed
to build with 0.4.x and later.)
Upstream changelogs:
0.5.4:
CVE-2013-0176 - NULL dereference leads to denial of service
Fixed several NULL pointer dereferences in SSHv1.
Fixed a free crash bug in options parsing.
and for completeness 0.5.3:
This is an important SECURITY and maintenance release in
order to address CVE-2012-4559, CVE-2012-4560, CVE-2012-4561
and CVE-2012-4562.
CVE-2012-4559 - Fix multiple double free() flaws
CVE-2012-4560 - Fix multiple buffer overflow flaws
CVE-2012-4561 - Fix multiple invalid free() flaws
CVE-2012-4562 - Fix multiple improper overflow checks
(...)
(We need to keep the old numbering syntax to make versions compare
correctly.)
There are only two consumers in pkgsrc; one of them (remmina and
remmina-plugins) actually needed library version 0.4 or later, and
didn't build the ssh/sftp/nx plugins without. Hydra is also supposed
to build with 0.4.x and later.)
Upstream changelogs:
0.5.4:
CVE-2013-0176 - NULL dereference leads to denial of service
Fixed several NULL pointer dereferences in SSHv1.
Fixed a free crash bug in options parsing.
and for completeness 0.5.3:
This is an important SECURITY and maintenance release in
order to address CVE-2012-4559, CVE-2012-4560, CVE-2012-4561
and CVE-2012-4562.
CVE-2012-4559 - Fix multiple double free() flaws
CVE-2012-4560 - Fix multiple buffer overflow flaws
CVE-2012-4561 - Fix multiple invalid free() flaws
CVE-2012-4562 - Fix multiple improper overflow checks
(...)
Suggested by Noud de Brouwer in wip/libssh and PR pkg/47518, but needed
some changes to PLIST as well as to make "pkg_admin audit" and updates
compare correctly.
