author | tron <tron> | 2015-08-24 19:06:40 +0000 |
---|---|---|
committer | tron <tron> | 2015-08-24 19:06:40 +0000 |
commit | 7931208d3a2cee3dd997fbe76abf6550093d10f4 (patch) | |
tree | de68b4957787b5e641e053e2383b764845df6a5a | |
parent | b2e276965af538ed30701f5cf287b1368b376125 (diff) | |
download | pkgsrc-7931208d3a2cee3dd997fbe76abf6550093d10f4.tar.gz |
Pullup ticket #4796 - requested by wiz
security/openssh: security update
Revisions pulled up:
- security/openssh/Makefile patch
- security/openssh/PLIST patch
- security/openssh/distinfo patch
- security/openssh/files/org.openssh.sshd.sb.in patch
- security/openssh/patches/patch-auth2-chall.c patch
- security/openssh/patches/patch-auth2.c patch
- security/openssh/patches/patch-loginrec.c patch
- security/openssh/patches/patch-openbsd-compat_bsd-openpty.c patch
- security/openssh/patches/patch-sandbox-darwin.c patch
- security/openssh/patches/patch-sftp-common.c patch
- security/openssh/patches/patch-sshd.c patch
- security/openssh/patches/patch-uidswap.c patch
---
Module Name: pkgsrc
Committed By: wiz
Date: Fri Aug 21 08:12:09 UTC 2015
Modified Files:
pkgsrc/security/openssh: Makefile distinfo
Removed Files:
pkgsrc/security/openssh/patches: patch-auth2-chall.c
Log Message:
Update to 7.1p1:
Changes since OpenSSH 7.0
=========================
This is a bugfix release.
Security
--------
* sshd(8): OpenSSH 7.0 contained a logic error in PermitRootLogin=
prohibit-password/without-password that could, depending on
compile-time configuration, permit password authentication to
root while preventing other forms of authentication. This problem
was reported by Mantas Mikulenas.
Bugfixes
--------
* ssh(1), sshd(8): add compatibility workarounds for FuTTY
* ssh(1), sshd(8): refine compatibility workarounds for WinSCP
* Fix a number of memory faults (double-free, free of uninitialised
memory, etc) in ssh(1) and ssh-keygen(1). Reported by Mateusz
Kocielski.
-rw-r--r-- | security/openssh/Makefile | 40 | ||||
-rw-r--r-- | security/openssh/PLIST | 3 | ||||
-rw-r--r-- | security/openssh/distinfo | 25 | ||||
-rw-r--r-- | security/openssh/files/org.openssh.sshd.sb.in | 23 | ||||
-rw-r--r-- | security/openssh/patches/patch-auth2-chall.c | 32 | ||||
-rw-r--r-- | security/openssh/patches/patch-auth2.c | 4 | ||||
-rw-r--r-- | security/openssh/patches/patch-loginrec.c | 4 | ||||
-rw-r--r-- | security/openssh/patches/patch-openbsd-compat_bsd-openpty.c | 4 | ||||
-rw-r--r-- | security/openssh/patches/patch-sandbox-darwin.c | 23 | ||||
-rw-r--r-- | security/openssh/patches/patch-sftp-common.c | 4 | ||||
-rw-r--r-- | security/openssh/patches/patch-sshd.c | 29 | ||||
-rw-r--r-- | security/openssh/patches/patch-uidswap.c | 4 |
12 files changed, 118 insertions, 77 deletions
diff --git a/security/openssh/Makefile b/security/openssh/Makefile index 588dea6e30e..af2b8061afc 100644 --- a/security/openssh/Makefile +++ b/security/openssh/Makefile @@ -1,8 +1,7 @@ -# $NetBSD: Makefile,v 1.230.2.2 2015/08/01 08:56:59 tron Exp $ +# $NetBSD: Makefile,v 1.230.2.3 2015/08/24 19:06:40 tron Exp $ -DISTNAME= openssh-6.9p1 -PKGNAME= openssh-6.9.1 -PKGREVISION= 1 +DISTNAME= openssh-7.1p1 +PKGNAME= ${DISTNAME:S/p1/.1/} CATEGORIES= security MASTER_SITES= ${MASTER_SITE_OPENBSD:=OpenSSH/portable/} @@ -33,6 +32,11 @@ INSTALL_TARGET= install-nokeys .include "options.mk" +.if ${OPSYS} == "Darwin" +# fixes: dyld: Symbol not found: _allow_severity +CONFIGURE_ARGS+= --disable-strip +.endif + .if ${OPSYS} == "Interix" # OpenSSH on Interix has some important caveats @@ -114,14 +118,14 @@ CONFIGURE_ARGS+= --disable-utmp --disable-wtmp CONFIGURE_ARGS+= --enable-md5-password .endif -# The ssh-askpass program is in ${X11BASE}/bin or ${X11PREFIX}/bin depending +# The ssh-askpass program is in ${X11BASE}/bin or ${PREFIX}/bin depending # on if it's part of the X11 distribution, or if it's installed from pkgsrc # (security/ssh-askpass). # .if exists(${X11BASE}/bin/ssh-askpass) ASKPASS_PROGRAM= ${X11BASE}/bin/ssh-askpass .else -ASKPASS_PROGRAM= ${X11PREFIX}/bin/ssh-askpass +ASKPASS_PROGRAM= ${PREFIX}/bin/ssh-askpass .endif CONFIGURE_ENV+= ASKPASS_PROGRAM=${ASKPASS_PROGRAM:Q} MAKE_ENV+= ASKPASS_PROGRAM=${ASKPASS_PROGRAM:Q} @@ -130,12 +134,12 @@ MAKE_ENV+= ASKPASS_PROGRAM=${ASKPASS_PROGRAM:Q} .if exists(${X11BASE}/bin/xauth) CONFIGURE_ARGS+= --with-xauth=${X11BASE}/bin/xauth .else -CONFIGURE_ARGS+= --with-xauth=${X11PREFIX}/bin/xauth +CONFIGURE_ARGS+= --with-xauth=${PREFIX}/bin/xauth .endif CONFS= ssh_config sshd_config moduli -PLIST_VARS+= prng +PLIST_VARS+= darwin prng .if exists(/dev/urandom) . if ${OPSYS} == "NetBSD" 
@@ -148,7 +152,14 @@ PLIST.prng= yes .endif EGDIR= ${PREFIX}/share/examples/${PKGBASE} -CONF_FILES= # empty + +# enable privsep patches +.if ${OPSYS} == "Darwin" +CONF_FILES+= ${EGDIR}/org.openssh.sshd.sb ${PKG_SYSCONFDIR}/org.openssh.sshd.sb +CPPFLAGS+= -D__APPLE_SANDBOX_NAMED_EXTERNAL__ +PLIST.darwin= yes +.endif + .for f in ${CONFS} CONF_FILES+= ${EGDIR}/${f} ${PKG_SYSCONFDIR}/${f} .endfor @@ -161,9 +172,9 @@ FILES_SUBST+= SSH_PID_DIR=${SSH_PID_DIR:Q} SUBST_CLASSES+= patch SUBST_STAGE.patch= pre-configure -SUBST_FILES.patch= session.c +SUBST_FILES.patch= session.c sandbox-darwin.c SUBST_SED.patch= -e '/channel_input_port_forward_request/s/0/ROOTUID/' -SUBST_MESSAGE.patch= More patch a file. +SUBST_VARS.patch= PKG_SYSCONFDIR .include "../../devel/zlib/buildlink3.mk" .include "../../security/openssl/buildlink3.mk" @@ -184,6 +195,9 @@ post-configure: ${SED} -e '/HAVE_ECDSA_START/,/HAVE_ECDSA_STOP/d' \ ${FILESDIR}/sshd.sh > ${WRKDIR}/sshd.sh; \ fi + ${SED} -e 's,@VARBASE@,${VARBASE:Q},g' \ + < ${FILESDIR}/org.openssh.sshd.sb.in \ + > ${WRKDIR}/org.openssh.sshd.sb post-install: ${INSTALL_DATA_DIR} ${DESTDIR}${EGDIR} @@ -194,5 +208,9 @@ post-install: ${INSTALL_DATA} ${WRKSRC}/contrib/sshd.pam.generic \ ${DESTDIR}${EGDIR}/sshd.pam .endif +.if ${OPSYS} == "Darwin" + ${INSTALL_DATA} ${WRKDIR}/org.openssh.sshd.sb \ + ${DESTDIR}${EGDIR}/org.openssh.sshd.sb +.endif .include "../../mk/bsd.pkg.mk" diff --git a/security/openssh/PLIST b/security/openssh/PLIST index 6aa5f151cb7..3a6397c3898 100644 --- a/security/openssh/PLIST +++ b/security/openssh/PLIST @@ -1,4 +1,4 @@ -@comment $NetBSD: PLIST,v 1.16 2014/03/29 09:38:11 taca Exp $ +@comment $NetBSD: PLIST,v 1.16.12.1 2015/08/24 19:06:40 tron Exp $ bin/scp bin/sftp bin/slogin 
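Review bot: In the `@@ -148,7 +152,14 @@` hunk the Darwin sandbox profile is registered through `CONF_FILES`, so it is installed as an editable file under `${PKG_SYSCONFDIR}`, yet the only comment is `# enable privsep patches`. patch-sandbox-darwin.c in this commit passes that path to `sandbox_init()` and treats failure as fatal, so the presence and integrity of this file decide whether the pre-auth child is confined, or starts at all. I would say so next to the entry, e.g. `# sshd loads this profile at runtime to sandbox its pre-auth child; keep it root-owned and not group/world-writable`. The `SUBST_FILES.patch` change in the following hunk also runs the existing `ROOTUID` sed expression over sandbox-darwin.c, which looks harmless but is not mentioned anywhere.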
@@ -28,6 +28,7 @@ man/man8/ssh-pkcs11-helper.8
 man/man8/sshd.8
 sbin/sshd
 share/examples/openssh/moduli
+${PLIST.darwin}share/examples/openssh/org.openssh.sshd.sb
 share/examples/openssh/ssh_config
 ${PLIST.prng}share/examples/openssh/ssh_prng_cmds
 ${PLIST.pam}share/examples/openssh/sshd.pam
diff --git a/security/openssh/distinfo b/security/openssh/distinfo
index 9bd1e551878..14a20846a03 100644
--- a/security/openssh/distinfo
+++ b/security/openssh/distinfo
@@ -1,34 +1,31 @@ -$NetBSD: distinfo,v 1.91.2.2 2015/08/01 08:56:59 tron Exp $ +$NetBSD: distinfo,v 1.91.2.3 2015/08/24 19:06:40 tron Exp $ -SHA1 (openssh-6.9p1-hpn-20150709.diff.gz) = a39571c1cdb13382631a1d9cfe89b82fb346c92c -RMD160 (openssh-6.9p1-hpn-20150709.diff.gz) = 8bb077e7ecbc7550386a050209e84d6f4d895788 -Size (openssh-6.9p1-hpn-20150709.diff.gz) = 13370 bytes -SHA1 (openssh-6.9p1.tar.gz) = 86ab57f00d0fd9bf302760f2f6deac1b6e9df265 -RMD160 (openssh-6.9p1.tar.gz) = 4fb2f0a0280db51024bf72b0f5cd3912d25cb59a -Size (openssh-6.9p1.tar.gz) = 1487617 bytes +SHA1 (openssh-7.1p1.tar.gz) = ed22af19f962262c493fcc6ed8c8826b2761d9b6 +RMD160 (openssh-7.1p1.tar.gz) = 2c97ea10099fa8658156c0351d60d715655b9b07 +Size (openssh-7.1p1.tar.gz) = 1493170 bytes SHA1 (patch-Makefile.in) = 2bf52a85ecdebac3aa299b25ecb561218a3316a2 SHA1 (patch-auth-passwd.c) = 32da596dd9b255ffdd8168e6ea6f62596304b116 SHA1 (patch-auth-rhosts.c) = 5752c384f1fd81ed6ef21707fa2b9743a3891987 SHA1 (patch-auth.c) = 80f1c5ad8ea01a3c9dedce4eef1b625640958450 SHA1 (patch-auth1.c) = 0bb4bc35e2ca2cd03c5596dadcd2ffb4329091a7 -SHA1 (patch-auth2-chall.c) = 9edd679fc0a1d128786cea8939e804adb400c3c9 -SHA1 (patch-auth2.c) = 831139b9cdbd9b4d3429ea1aba176daf78be3405 +SHA1 (patch-auth2.c) = 8a939381f72968d74a7df508a072dfb10f400284 SHA1 (patch-channels.c) = 9ad160fd1c2c7fabbea3d49dacb36036d13adfaa SHA1 (patch-clientloop.c) = 11d44815ec39030ae20cb75727acff8c8e91144e SHA1 (patch-config.h.in) = 5df3b952565c054f39110b66012005087bba7219 SHA1 (patch-configure.ac) = 8df3e2793a9bbd9179c69286f5cfea763bac3eea SHA1 (patch-defines.h) = ecb225b4319347d0bcc6a271c81b7042f4c18b02 SHA1 (patch-includes.h) = f3d502dc30e680889ed1c7cf4fa6ad8282e6cd4d -SHA1 (patch-loginrec.c) = 111530a4895c8f88c464c7495cee0dba1952d9ce -SHA1 (patch-openbsd-compat_bsd-openpty.c) = a1318cf691f0ad844a8761a77e3bb32a9e20c695 +SHA1 (patch-loginrec.c) = b06a236e9faf871e9eb102c52dd0f583bf096373 +SHA1 (patch-openbsd-compat_bsd-openpty.c) = 
9ccde56bfcfe1791b367f933e51b25137acce960 SHA1 (patch-openbsd-compat_openbsd-compat.h) = da33ee063f0a45c3a5f165ee5ae96c3168890ef9 SHA1 (patch-openbsd-compat_port-tun.c) = 5a8c8a7d2381a4b9530593754afe0ae0dbe2c8f5 SHA1 (patch-platform.c) = 92d563030a6c7f8b1924b988e9a2565edfd8c3d6 +SHA1 (patch-sandbox-darwin.c) = a9255b1e8d52759506b61394de11050ea7ea25bb SHA1 (patch-scp.c) = 0f11569d52ff813f42dd41fe315beab2af650dd0 SHA1 (patch-session.c) = 4e07cc45bc020d720f32788d7344d0213891969e -SHA1 (patch-sftp-common.c) = 5b36300c6a83ceef2340c2cee3be211eaf39ecdd +SHA1 (patch-sftp-common.c) = 72146d410f78b5e4e5efae51ca05b22039d64545 SHA1 (patch-ssh.c) = 25645adeaa67e04a98b75d04d1f016704aa84bca SHA1 (patch-sshd.8) = 50154729a94aeaef17213d92979967b12d9c4e15 -SHA1 (patch-sshd.c) = f84fd4b4d299f75792f31d8967a1f9f6273ff06b +SHA1 (patch-sshd.c) = d381db6d05067d0f28be8268847df97a0c8e9ba4 SHA1 (patch-sshpty.c) = f87451e49e39fe137c8876fae52110dc2569958a -SHA1 (patch-uidswap.c) = 0b76322d47b9e14bb2828bc143645d38028bdafd +SHA1 (patch-uidswap.c) = 875be63bb6d1a7dd8c3d1c008c85aa4bf37dfdc2 diff --git a/security/openssh/files/org.openssh.sshd.sb.in b/security/openssh/files/org.openssh.sshd.sb.in new file mode 100644 index 00000000000..82609df4fbc --- /dev/null +++ b/security/openssh/files/org.openssh.sshd.sb.in @@ -0,0 +1,23 @@ +;; $NetBSD: org.openssh.sshd.sb.in,v 1.1.2.2 2015/08/24 19:06:40 tron Exp $ +;; +;; Copyright (c) 2008 Apple Inc. All Rights reserved. +;; +;; sshd - profile for privilege separated children +;; +;; WARNING: The sandbox rules in this file currently constitute +;; Apple System Private Interface and are subject to change at any time and +;; without notice. +;; + +(version 1) + +(deny default) + +(allow file-chroot) +(allow file-read-metadata (literal "@VARBASE@")) + +(allow sysctl-read) +(allow mach-per-user-lookup) +(allow mach-lookup + (global-name "com.apple.system.notification_center") + (global-name "com.apple.system.logger")) 
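Review bot: `(allow file-chroot)` is the one rule in this new profile that the package's own sshd changes depend on, and nothing in the file says so. patch-sshd.c in this commit moves `ssh_sandbox_child(box)` ahead of the chroot when `__APPLE_SANDBOX_NAMED_EXTERNAL__` is defined, so under `(deny default)` dropping that rule would presumably make the pre-auth child fail. A comment such as `;; sshd enters this sandbox before chroot()ing the pre-auth child, so file-chroot must stay allowed` would protect it from a well-meant tightening. The unscoped `(allow sysctl-read)` could likewise carry a line on why it is needed.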
diff --git a/security/openssh/patches/patch-auth2-chall.c b/security/openssh/patches/patch-auth2-chall.c index bbf296bdd05..e69de29bb2d 100644 --- a/security/openssh/patches/patch-auth2-chall.c +++ b/security/openssh/patches/patch-auth2-chall.c @@ -1,32 +0,0 @@ -$NetBSD: patch-auth2-chall.c,v 1.1.2.2 2015/08/01 08:56:59 tron Exp $ - -Fix for CVE-2015-5600 from FreeBSD via NetBSD base. - ---- auth2-chall.c.orig 2015-07-01 02:35:31.000000000 +0000 -+++ auth2-chall.c -@@ -83,6 +83,7 @@ struct KbdintAuthctxt - void *ctxt; - KbdintDevice *device; - u_int nreq; -+ u_int devices_done; - }; - - #ifdef USE_PAM -@@ -169,11 +170,15 @@ kbdint_next_device(Authctxt *authctxt, K - if (len == 0) - break; - for (i = 0; devices[i]; i++) { -- if (!auth2_method_allowed(authctxt, -+ if ((kbdintctxt->devices_done & (1 << i)) != 0 || -+ !auth2_method_allowed(authctxt, - "keyboard-interactive", devices[i]->name)) - continue; -- if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0) -+ if (strncmp(kbdintctxt->devices, devices[i]->name, -+ len) == 0) { - kbdintctxt->device = devices[i]; -+ kbdintctxt->devices_done |= 1 << i; -+ } - } - t = kbdintctxt->devices; - kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL; diff --git a/security/openssh/patches/patch-auth2.c b/security/openssh/patches/patch-auth2.c index 5bba2885ef5..07677e7f0d8 100644 --- a/security/openssh/patches/patch-auth2.c +++ b/security/openssh/patches/patch-auth2.c @@ -1,10 +1,10 @@ -$NetBSD: patch-auth2.c,v 1.3.12.1 2015/07/14 22:03:39 tron Exp $ +$NetBSD: patch-auth2.c,v 1.3.12.2 2015/08/24 19:06:40 tron Exp $ Replace uid 0 with ROOTUID macro --- auth2.c.orig 2015-07-01 02:35:31.000000000 +0000 +++ auth2.c -@@ -302,7 +330,7 @@ userauth_finish(Authctxt *authctxt, int +@@ -302,7 +302,7 @@ userauth_finish(Authctxt *authctxt, int fatal("INTERNAL ERROR: authenticated and postponed"); /* Special handling for root */ 
diff --git a/security/openssh/patches/patch-loginrec.c b/security/openssh/patches/patch-loginrec.c index 11bf035bd68..fa0e545b37f 100644 --- a/security/openssh/patches/patch-loginrec.c +++ b/security/openssh/patches/patch-loginrec.c @@ -1,8 +1,8 @@ -$NetBSD: patch-loginrec.c,v 1.3 2015/03/20 22:41:19 rodent Exp $ +$NetBSD: patch-loginrec.c,v 1.3.4.1 2015/08/24 19:06:40 tron Exp $ Interix support and related fixes. Fix build on FreeBSD. ---- loginrec.c.orig 2014-01-17 01:23:24.000000000 +0000 +--- loginrec.c.orig 2015-07-01 02:35:31.000000000 +0000 +++ loginrec.c @@ -432,8 +432,8 @@ login_set_addr(struct logininfo *li, con int diff --git a/security/openssh/patches/patch-openbsd-compat_bsd-openpty.c b/security/openssh/patches/patch-openbsd-compat_bsd-openpty.c index 2d706e37602..b0fe6d03410 100644 --- a/security/openssh/patches/patch-openbsd-compat_bsd-openpty.c +++ b/security/openssh/patches/patch-openbsd-compat_bsd-openpty.c @@ -1,8 +1,8 @@ -$NetBSD: patch-openbsd-compat_bsd-openpty.c,v 1.1 2013/05/01 19:58:26 imil Exp $ +$NetBSD: patch-openbsd-compat_bsd-openpty.c,v 1.1.18.1 2015/08/24 19:06:40 tron Exp $ Interix support ---- openbsd-compat/bsd-openpty.c.orig 2006-08-24 09:52:30.000000000 +0000 +--- openbsd-compat/bsd-openpty.c.orig 2015-07-01 02:35:31.000000000 +0000 +++ openbsd-compat/bsd-openpty.c @@ -121,15 +121,17 @@ openpty(int *amaster, int *aslave, char return (-1); diff --git a/security/openssh/patches/patch-sandbox-darwin.c b/security/openssh/patches/patch-sandbox-darwin.c new file mode 100644 index 00000000000..564de9afbb1 --- /dev/null +++ b/security/openssh/patches/patch-sandbox-darwin.c 
@@ -0,0 +1,23 @@ +$NetBSD: patch-sandbox-darwin.c,v 1.1.2.2 2015/08/24 19:06:40 tron Exp $ + +Support sandbox on newer OSX, from MacPorts. + +--- sandbox-darwin.c.orig 2015-07-01 02:35:31.000000000 +0000 ++++ sandbox-darwin.c +@@ -62,8 +62,16 @@ ssh_sandbox_child(struct ssh_sandbox *bo + struct rlimit rl_zero; + + debug3("%s: starting Darwin sandbox", __func__); ++#ifdef __APPLE_SANDBOX_NAMED_EXTERNAL__ ++#ifndef SANDBOX_NAMED_EXTERNAL ++#define SANDBOX_NAMED_EXTERNAL (0x3) ++#endif ++ if (sandbox_init("@PKG_SYSCONFDIR@/org.openssh.sshd.sb", ++ SANDBOX_NAMED_EXTERNAL, &errmsg) == -1) ++#else + if (sandbox_init(kSBXProfilePureComputation, SANDBOX_NAMED, + &errmsg) == -1) ++#endif + fatal("%s: sandbox_init: %s", __func__, errmsg); + + /* diff --git a/security/openssh/patches/patch-sftp-common.c b/security/openssh/patches/patch-sftp-common.c index 80d7f87e721..696b5f8a38d 100644 --- a/security/openssh/patches/patch-sftp-common.c +++ b/security/openssh/patches/patch-sftp-common.c @@ -1,8 +1,8 @@ -$NetBSD: patch-sftp-common.c,v 1.2 2014/03/29 09:38:11 taca Exp $ +$NetBSD: patch-sftp-common.c,v 1.2.12.1 2015/08/24 19:06:40 tron Exp $ Include <unistd.h> for strmode(3). ---- sftp-common.c.orig 2014-01-09 23:40:45.000000000 +0000 +--- sftp-common.c.orig 2015-07-01 02:35:31.000000000 +0000 +++ sftp-common.c @@ -37,6 +37,9 @@ #include <string.h> diff --git a/security/openssh/patches/patch-sshd.c b/security/openssh/patches/patch-sshd.c index 68110388937..7657c48f380 100644 --- a/security/openssh/patches/patch-sshd.c +++ b/security/openssh/patches/patch-sshd.c @@ -1,4 +1,4 @@ -$NetBSD: patch-sshd.c,v 1.3.12.1 2015/07/14 22:03:39 tron Exp $ +$NetBSD: patch-sshd.c,v 1.3.12.2 2015/08/24 19:06:40 tron Exp $ * Interix support * Revive tcp_wrappers support. 
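Review bot: The fallback `#define SANDBOX_NAMED_EXTERNAL (0x3)` in the sandbox-darwin.c patch hard-codes a flag value for the case where the SDK header does not provide it, with no comment on where the value comes from. The profile shipped in this same commit warns that the interface is private and may change without notice. I would add `/* not exported by every SDK; value comes with the MacPorts patch, re-check on new OS releases */` above the define. The `if (sandbox_init(...) == -1)` header is also split across `#ifdef`/`#else` with the shared `fatal()` after `#endif`; a short comment that both branches end in the same `fatal()`, so a missing or unreadable profile stops the child instead of letting it run unsandboxed, would make that easier to read. `ssh_sandbox_child` continues past the end of the hunk.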
@@ -24,9 +24,9 @@ $NetBSD: patch-sshd.c,v 1.3.12.1 2015/07/14 22:03:39 tron Exp $ /* variables used for privilege separation */ +#ifdef HAVE_INTERIX - int use_privsep = -1; -+#else +int use_privsep = 0; ++#else + int use_privsep = -1; +#endif struct monitor *pmonitor = NULL; int privsep_is_preauth = 1; @@ -47,16 +47,27 @@ $NetBSD: patch-sshd.c,v 1.3.12.1 2015/07/14 22:03:39 tron Exp $ #endif } -@@ -714,7 +730,7 @@ privsep_preauth(Authctxt *authctxt) +@@ -714,11 +730,18 @@ privsep_preauth(Authctxt *authctxt) set_log_handler(mm_log_handler, pmonitor); /* Demote the child */ - if (getuid() == 0 || geteuid() == 0) ++#ifdef __APPLE_SANDBOX_NAMED_EXTERNAL__ ++ /* We need to do this before we chroot() so we can read sshd.sb */ ++ if (box != NULL) ++ ssh_sandbox_child(box); ++#endif + if (getuid() == ROOTUID || geteuid() == ROOTUID) privsep_preauth_child(); setproctitle("%s", "[net]"); ++#ifndef __APPLE_SANDBOX_NAMED_EXTERNAL__ if (box != NULL) -@@ -732,7 +748,7 @@ privsep_postauth(Authctxt *authctxt) + ssh_sandbox_child(box); ++#endif + + return 0; + } +@@ -732,7 +755,7 @@ privsep_postauth(Authctxt *authctxt) #ifdef DISABLE_FD_PASSING if (1) { #else @@ -65,7 +76,7 @@ $NetBSD: patch-sshd.c,v 1.3.12.1 2015/07/14 22:03:39 tron Exp $ #endif /* File descriptor passing is broken or root login */ use_privsep = 0; -@@ -1485,8 +1501,10 @@ main(int ac, char **av) +@@ -1485,8 +1508,10 @@ main(int ac, char **av) av = saved_argv; #endif @@ -77,7 +88,7 @@ $NetBSD: patch-sshd.c,v 1.3.12.1 2015/07/14 22:03:39 tron Exp $ /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ sanitise_stdfd(); -@@ -1915,7 +1933,7 @@ main(int ac, char **av) +@@ -1915,7 +1940,7 @@ main(int ac, char **av) (st.st_uid != getuid () || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)) #else 
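Review bot: In the `@@ -47,16 +47,27 @@` hunk the comment added to `privsep_preauth` says the sandbox is entered before chroot() "so we can read sshd.sb", but the profile this commit installs and loads is `org.openssh.sshd.sb`. Naming the real file makes it greppable, e.g. `/* Enter the sandbox before chroot(): sandbox_init() still has to open org.openssh.sshd.sb */`. With this ordering `ssh_sandbox_child()` also runs before `privsep_preauth_child()`, possibly while the process is still root. Anything else that function does (the part visible in patch-sandbox-darwin.c declares an rlimit struct) would then be in force during the privilege drop, which is worth confirming and stating in the comment. The body of `privsep_preauth` starts outside the hunk.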
@@ -86,7 +97,7 @@ $NetBSD: patch-sshd.c,v 1.3.12.1 2015/07/14 22:03:39 tron Exp $ #endif fatal("%s must be owned by root and not group or " "world-writable.", _PATH_PRIVSEP_CHROOT_DIR); -@@ -1938,8 +1956,10 @@ main(int ac, char **av) +@@ -1938,8 +1963,10 @@ main(int ac, char **av) * to create a file, and we can't control the code in every * module which might be used). */ @@ -97,7 +108,7 @@ $NetBSD: patch-sshd.c,v 1.3.12.1 2015/07/14 22:03:39 tron Exp $ if (rexec_flag) { rexec_argv = xcalloc(rexec_argc + 2, sizeof(char *)); -@@ -2135,6 +2155,25 @@ main(int ac, char **av) +@@ -2135,6 +2162,25 @@ main(int ac, char **av) audit_connection_from(remote_ip, remote_port); #endif diff --git a/security/openssh/patches/patch-uidswap.c b/security/openssh/patches/patch-uidswap.c index d28e7300566..7abdbbdc25e 100644 --- a/security/openssh/patches/patch-uidswap.c +++ b/security/openssh/patches/patch-uidswap.c @@ -1,8 +1,8 @@ -$NetBSD: patch-uidswap.c,v 1.3 2014/03/29 09:38:11 taca Exp $ +$NetBSD: patch-uidswap.c,v 1.3.12.1 2015/08/24 19:06:40 tron Exp $ Interix support ---- uidswap.c.orig 2014-01-18 09:43:50.000000000 +0000 +--- uidswap.c.orig 2015-07-01 02:35:31.000000000 +0000 +++ uidswap.c @@ -67,13 +67,13 @@ temporarily_use_uid(struct passwd *pw) (u_int)pw->pw_uid, (u_int)pw->pw_gid, |