<feed xmlns='http://www.w3.org/2005/Atom'>
<title>pkgsrc/security/openssh, branch pkgsrc_2008Q2</title>
<subtitle>[no description]</subtitle>
<id>https://git.osdyson.ru/mirror/pkgsrc/atom?h=pkgsrc_2008Q2</id>
<link rel='self' href='https://git.osdyson.ru/mirror/pkgsrc/atom?h=pkgsrc_2008Q2'/>
<link rel='alternate' type='text/html' href='https://git.osdyson.ru/mirror/pkgsrc/'/>
<updated>2008-07-25T09:21:40Z</updated>
<entry>
<title>pullup ticket #2459 requested by tnn</title>
<updated>2008-07-25T09:21:40Z</updated>
<author>
<name>rtr</name>
<email>rtr</email>
</author>
<published>2008-07-25T09:21:40Z</published>
<link rel='alternate' type='text/html' href='https://git.osdyson.ru/mirror/pkgsrc/commit/?id=1ccd1c9555ffb42273a78f0c231a3c0e850056e7'/>
<id>urn:sha1:1ccd1c9555ffb42273a78f0c231a3c0e850056e7</id>
<content type='text'>
openssh: patch for X11 forwarding issue on HP-UX

revisions pulled up:
pkgsrc/security/openssh/Makefile		1.189
pkgsrc/security/openssh/distinfo		1.70
pkgsrc/security/openssh/patches/patch-at	1.7

   Module Name:	pkgsrc
   Committed By:	tnn
   Date:		Thu Jul 24 16:25:47 UTC 2008

   Modified Files:
   	pkgsrc/security/openssh: Makefile distinfo
   Added Files:
   	pkgsrc/security/openssh/patches: patch-at

   Log Message:
   Add patch from OpenSSH 5.1 that fixes an X11 fwd security issue on
   HP-UX. Bump PKGREVISION.
</content>
</entry>
<entry>
<title>Update to OpenSSH 5.0p1.</title>
<updated>2008-04-27T00:34:27Z</updated>
<author>
<name>tnn</name>
<email>tnn</email>
</author>
<published>2008-04-27T00:34:27Z</published>
<link rel='alternate' type='text/html' href='https://git.osdyson.ru/mirror/pkgsrc/commit/?id=515caaba443e57ca8b760fd93d43f2bc28dba263'/>
<id>urn:sha1:515caaba443e57ca8b760fd93d43f2bc28dba263</id>
<content type='text'>
Changes since 4.7:
- fix two security issues
- chroot support for sshd(8)
- sftp server internalized in sshd(8)
- assorted bug fixes
</content>
</entry>
<entry>
<title>Fix build problem with hpn-patch option enabled.</title>
<updated>2008-04-08T06:36:47Z</updated>
<author>
<name>taca</name>
<email>taca</email>
</author>
<published>2008-04-08T06:36:47Z</published>
<link rel='alternate' type='text/html' href='https://git.osdyson.ru/mirror/pkgsrc/commit/?id=2c10e2d818157fe4fbdf1f390385fcf70cc7ff9b'/>
<id>urn:sha1:2c10e2d818157fe4fbdf1f390385fcf70cc7ff9b</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Fix two vulnerabilities in OpenSSH:</title>
<updated>2008-04-03T07:59:08Z</updated>
<author>
<name>tonnerre</name>
<email>tonnerre</email>
</author>
<published>2008-04-03T07:59:08Z</published>
<link rel='alternate' type='text/html' href='https://git.osdyson.ru/mirror/pkgsrc/commit/?id=973842f843b550f10eba492a5e89278e94ee5e07'/>
<id>urn:sha1:973842f843b550f10eba492a5e89278e94ee5e07</id>
<content type='text'>
 - X11 forwarding information disclosure (CVE-2008-1483)
 - ForceCommand bypass vulnerability
</content>
</entry>
<entry>
<title>Per the process outlined in revbump(1), perform a recursive revbump</title>
<updated>2008-01-18T05:06:18Z</updated>
<author>
<name>tnn</name>
<email>tnn</email>
</author>
<published>2008-01-18T05:06:18Z</published>
<link rel='alternate' type='text/html' href='https://git.osdyson.ru/mirror/pkgsrc/commit/?id=1c8e24b168b5909ecc586bdbb660570b490d92ef'/>
<id>urn:sha1:1c8e24b168b5909ecc586bdbb660570b490d92ef</id>
<content type='text'>
on packages that are affected by the switch from the openssl 0.9.7
branch to the 0.9.8 branch. ok jlam@
</content>
</entry>
<entry>
<title>Remove ftp7.usa.openbsd.org from MASTER_SITES, doesn't resolve.</title>
<updated>2007-11-12T00:06:06Z</updated>
<author>
<name>wiz</name>
<email>wiz</email>
</author>
<published>2007-11-12T00:06:06Z</published>
<link rel='alternate' type='text/html' href='https://git.osdyson.ru/mirror/pkgsrc/commit/?id=3344cae5b05e9e0ecba077477f0f46d5876a0fab'/>
<id>urn:sha1:3344cae5b05e9e0ecba077477f0f46d5876a0fab</id>
<content type='text'>
From Zafer Aydogan in PR 37331.
</content>
</entry>
<entry>
<title>Use DIST_SUBDIR for changed distfiles noted by wiz@ with private mail.</title>
<updated>2007-09-19T13:42:01Z</updated>
<author>
<name>taca</name>
<email>taca</email>
</author>
<published>2007-09-19T13:42:01Z</published>
<link rel='alternate' type='text/html' href='https://git.osdyson.ru/mirror/pkgsrc/commit/?id=5e52fbcf4cbee43fd69c3c4dc5467aad3e8a0ea3'/>
<id>urn:sha1:5e52fbcf4cbee43fd69c3c4dc5467aad3e8a0ea3</id>
<content type='text'>
Bump PKGREVISION.
</content>
</entry>
<entry>
<title>openssh-4.7p1-hpn12v18.diff.gz has been updated without changing the file name.</title>
<updated>2007-09-19T09:08:05Z</updated>
<author>
<name>taca</name>
<email>taca</email>
</author>
<published>2007-09-19T09:08:05Z</published>
<link rel='alternate' type='text/html' href='https://git.osdyson.ru/mirror/pkgsrc/commit/?id=f8368918deca9d1f7e1197ad4b5e7d9cd9e162d4'/>
<id>urn:sha1:f8368918deca9d1f7e1197ad4b5e7d9cd9e162d4</id>
<content type='text'>
It seems that it corrected SSH_HPN definition to "-hpn12v18".
</content>
</entry>
<entry>
<title>Convert packages that test and use USE_INET6 to use the options framework</title>
<updated>2007-09-07T22:12:10Z</updated>
<author>
<name>jlam</name>
<email>jlam</email>
</author>
<published>2007-09-07T22:12:10Z</published>
<link rel='alternate' type='text/html' href='https://git.osdyson.ru/mirror/pkgsrc/commit/?id=2f517bc25c1dfd477877da169af65a161a689211'/>
<id>urn:sha1:2f517bc25c1dfd477877da169af65a161a689211</id>
<content type='text'>
and to support the "inet6" option instead.

Remaining usage of USE_INET6 was solely for the benefit of the scripts
that generate the README.html files.  Replace:

	BUILD_DEFS+=	USE_INET6
with
	BUILD_DEFS+=	IPV6_READY

and teach the README-generation tools to look for that instead.

This nukes USE_INET6 from pkgsrc proper.  We leave a tiny bit of code
to continue to support USE_INET6 for pkgsrc-wip until it has been nuked
from there as well.
</content>
</entry>
<entry>
<title>Update openssh package to 4.7.1 (4.7p1).</title>
<updated>2007-09-07T10:41:11Z</updated>
<author>
<name>taca</name>
<email>taca</email>
</author>
<published>2007-09-07T10:41:11Z</published>
<link rel='alternate' type='text/html' href='https://git.osdyson.ru/mirror/pkgsrc/commit/?id=9d50802825acaf71dc3be2d99be24b9a0ab85a1a'/>
<id>urn:sha1:9d50802825acaf71dc3be2d99be24b9a0ab85a1a</id>
<content type='text'>
Changes since OpenSSH 4.6:
============================

Security bugs resolved in this release:

 * Prevent ssh(1) from using a trusted X11 cookie if creation of an
   untrusted cookie fails; found and fixed by Jan Pechanec.

Other changes, new functionality and fixes in this release:

 * sshd(8) in new installations defaults to SSH Protocol 2 only.
   Existing installations are unchanged.

 * The SSH channel window size has been increased, and both ssh(1) and
   sshd(8) now send window updates more aggressively. These improve
   performance on high-BDP (Bandwidth Delay Product) networks.

 * ssh(1) and sshd(8) now preserve MAC contexts between packets, which
   saves 2 hash calls per packet and results in 12-16% speedup for
   arcfour256/hmac-md5.

 * A new MAC algorithm has been added, UMAC-64 (RFC4418) as
   "umac-64@openssh.com". UMAC-64 has been measured to be
   approximately 20% faster than HMAC-MD5.

 * A -K flag was added to ssh(1) to set GSSAPIAuthentication=Yes

 * Failure to establish a ssh(1) TunnelForward is now treated as a
   fatal error when the ExitOnForwardFailure option is set.

 * ssh(1) returns a sensible exit status if the control master goes
   away without passing the full exit status. (bz #1261)

 * The following bugs have been fixed in this release:

   - When using a ProxyCommand in ssh(1), set the outgoing hostname with
     gethostname(2), allowing hostbased authentication to work (bz #616)
   - Make scp(1) skip FIFOs rather than hanging (bz #856)
   - Encode non-printing characters in scp(1) filenames.
     These could cause copies to be aborted with a "protocol error"
     (bz #891)
   - Handle SIGINT in sshd(8) privilege separation child process to
     ensure that wtmp and lastlog records are correctly updated
     (bz #1196)
   - Report GSSAPI mechanism in errors, for libraries that support
     multiple mechanisms (bz #1220)
   - Improve documentation for ssh-add(1)'s -d option (bz #1224)
   - Rearrange and tidy GSSAPI code, removing server-only code being
     linked into the client. (bz #1225)
   - Delay execution of ssh(1)'s LocalCommand until after all forwardings
     have been established. (bz #1232)
   - In scp(1), do not truncate non-regular files (bz #1236)
   - Improve exit message from ControlMaster clients. (bz #1262)
   - Prevent sftp-server(8) from reading until it runs out of buffer
     space, whereupon it would exit with a fatal error. (bz #1286)

 * Portable OpenSSH bugs fixed:

   - Fix multiple inclusion of paths.h on AIX 5.1 systems. (bz #1243)
   - Implement getpeereid for Solaris using getpeerucred. Solaris
     systems will now refuse ssh-agent(1) and ssh(1) ControlMaster
     clients from different, non-root users (bz #1287)
   - Fix compilation warnings by including string.h if found. (bz #1294)
   - Remove redefinition of _res in getrrsetbyname.c for platforms that
     already define it. (bz #1299)
   - Fix spurious "chan_read_failed for istate 3" errors from sshd(8),
     a side-effect of the "hang on exit" fix introduced in 4.6p1.
     (bz #1306)
   - pam_end() was not being called if authentication failed (bz #1322)
   - Fix SELinux support when SELinux is in permissive mode. Previously
     sshd(8) was treating SELinux errors as always fatal. (bz #1325)
   - Ensure that pam_setcred(..., PAM_ESTABLISH_CRED) is called before
     pam_setcred(..., PAM_REINITIALIZE_CRED), fixing pam_dhkeys.
     (bz #1339)
   - Fix privilege separation on QNX - pre-auth only, this platform does
     not support file descriptor passing needed for post-auth privilege
     separation. (bz #1343)
</content>
</entry>
</feed>
