authortaca <taca@pkgsrc.org>2015-07-09 16:14:23 +0000
committertaca <taca@pkgsrc.org>2015-07-09 16:14:23 +0000
commite23b72f165decf47df45ee1271ba753515b2f4e1 (patch)
tree21ab50a1a63df2fbf8f778eecf5c924bb4c75c02
parentdcd8654957d60e358bfebbf425a40a8419bd6bb3 (diff)
downloadpkgsrc-e23b72f165decf47df45ee1271ba753515b2f4e1.tar.gz
Update openssh to 6.9.1 (OpenSSH 6.9p1) which contains security fix.
pkgsrc change: * tcp_wrappers support was removed upstream in release 6.7, but it is added back here, referring to FreeBSD's ports. * hpn-patch is also based on FreeBSD's ports. Security -------- * ssh(1): when forwarding X11 connections with ForwardX11Trusted=no, connections made after ForwardX11Timeout expired could be permitted and no longer subject to XSECURITY restrictions because of an ineffective timeout check in ssh(1) coupled with "fail open" behaviour in the X11 server when clients attempted connections with expired credentials. This problem was reported by Jann Horn. * ssh-agent(1): fix weakness of agent locking (ssh-add -x) to password guessing by implementing an increasing failure delay, storing a salted hash of the password rather than the password itself and using a timing-safe comparison function for verifying unlock attempts. This problem was reported by Ryan Castellucci. For more information, please refer to the release announcements. http://www.openssh.com/txt/release-6.9 http://www.openssh.com/txt/release-6.8 http://www.openssh.com/txt/release-6.7
-rw-r--r--security/openssh/Makefile12
-rw-r--r--security/openssh/distinfo59
-rw-r--r--security/openssh/options.mk4
-rw-r--r--security/openssh/patches/patch-Makefile.in6
-rw-r--r--security/openssh/patches/patch-auth-passwd.c8
-rw-r--r--security/openssh/patches/patch-auth-rhosts.c24
-rw-r--r--security/openssh/patches/patch-auth.c20
-rw-r--r--security/openssh/patches/patch-auth1.c8
-rw-r--r--security/openssh/patches/patch-auth2.c6
-rw-r--r--security/openssh/patches/patch-channels.c8
-rw-r--r--security/openssh/patches/patch-clientloop.c14
-rw-r--r--security/openssh/patches/patch-compat.c16
-rw-r--r--security/openssh/patches/patch-config.h.in21
-rw-r--r--security/openssh/patches/patch-configure103
-rw-r--r--security/openssh/patches/patch-configure.ac88
-rw-r--r--security/openssh/patches/patch-defines.h6
-rw-r--r--security/openssh/patches/patch-includes.h6
-rw-r--r--security/openssh/patches/patch-openbsd-compat_openbsd-compat.h6
-rw-r--r--security/openssh/patches/patch-openbsd-compat_port-tun.c29
-rw-r--r--security/openssh/patches/patch-platform.c6
-rw-r--r--security/openssh/patches/patch-scp.c10
-rw-r--r--security/openssh/patches/patch-session.c14
-rw-r--r--security/openssh/patches/patch-ssh.c12
-rw-r--r--security/openssh/patches/patch-sshconnect.c87
-rw-r--r--security/openssh/patches/patch-sshd.827
-rw-r--r--security/openssh/patches/patch-sshd.c61
-rw-r--r--security/openssh/patches/patch-sshpty.c8
27 files changed, 325 insertions, 344 deletions
diff --git a/security/openssh/Makefile b/security/openssh/Makefile
index 03f7025a193..df2be515d62 100644
--- a/security/openssh/Makefile
+++ b/security/openssh/Makefile
@@ -1,8 +1,7 @@
-# $NetBSD: Makefile,v 1.232 2015/07/04 16:18:39 joerg Exp $
+# $NetBSD: Makefile,v 1.233 2015/07/09 16:14:23 taca Exp $
-DISTNAME= openssh-6.6p1
-PKGNAME= openssh-6.6.1
-PKGREVISION= 7
+DISTNAME= openssh-6.9p1
+PKGNAME= openssh-6.9.1
CATEGORIES= security
MASTER_SITES= ${MASTER_SITE_OPENBSD:=OpenSSH/portable/}
@@ -17,7 +16,7 @@ CONFLICTS+= openssh+gssapi-[0-9]*
CONFLICTS+= lsh>2.0
USE_GCC_RUNTIME= yes
-USE_TOOLS+= perl
+USE_TOOLS+= autoconf perl
CRYPTO= yes
@@ -177,6 +176,9 @@ SUBST_MESSAGE.patch= More patch a file.
#
# type of key "ecdsa" isn't always supported depends on OpenSSL.
#
+pre-configure:
+ cd ${WRKSRC} && autoconf -i
+
post-configure:
if ${EGREP} -q '^\#define[ ]+OPENSSL_HAS_ECC' \
${WRKSRC}/config.h; then \
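Review bot: `autoconf -i` in the new pre-configure target is almost certainly not doing what was intended: in GNU autoconf `-i` is `--initialization`, a modifier for `--trace` that has no effect on a plain regeneration run, so the rule behaves as a bare `autoconf`; if the intent was to ignore timestamps use `-f`, otherwise drop the flag (`cd ${WRKSRC} && autoconf`). Regenerating is the consequence of dropping patch-configure elsewhere in this commit, so the configure script that runs is now produced by the host autoconf rather than the one covered by the tarball checksum; integrity still rests on distinfo's checksum of patch-configure.ac, but the result depends on the autoconf version pkgsrc supplies, which deserves a one-line comment above the target such as `# configure is regenerated from the patched configure.ac (patch-configure was dropped)`. The post-configure rule that follows continues past the end of the hunk.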
diff --git a/security/openssh/distinfo b/security/openssh/distinfo
index 80178a991fe..68bb19673e5 100644
--- a/security/openssh/distinfo
+++ b/security/openssh/distinfo
@@ -1,35 +1,34 @@
-$NetBSD: distinfo,v 1.91 2015/05/16 14:43:02 sevan Exp $
+$NetBSD: distinfo,v 1.92 2015/07/09 16:14:23 taca Exp $
-SHA1 (openssh-6.6p1-hpnssh14v4.diff.gz) = 1cb86c7151ea4c805cfb1197eac13844cd8f2f2c
-RMD160 (openssh-6.6p1-hpnssh14v4.diff.gz) = 292cea7880ff66040d915f2d5957dd27d0835984
-Size (openssh-6.6p1-hpnssh14v4.diff.gz) = 23417 bytes
-SHA1 (openssh-6.6p1.tar.gz) = b850fd1af704942d9b3c2eff7ef6b3a59b6a6b6e
-RMD160 (openssh-6.6p1.tar.gz) = e19ed34e240001898b6665bb4356b868bba5513d
-Size (openssh-6.6p1.tar.gz) = 1282502 bytes
-SHA1 (patch-Makefile.in) = 3b136be23e0dab21894dcc881746cf5a186ff572
-SHA1 (patch-auth-passwd.c) = de9f5487fe1f5848cc702e549bce949fd75d70cd
-SHA1 (patch-auth-rhosts.c) = ab8dd3e375accc5bed3e15b158a85a1b1f9a2e3e
-SHA1 (patch-auth.c) = 950b0380bcbb0fa1681014cfbb41528d09a10a18
-SHA1 (patch-auth1.c) = 7b0481f445bc85cce9d7539b00bf581b9aa09fea
-SHA1 (patch-auth2.c) = 8f4f97516874fc4af5814cbd3a1f59b9ca77b43f
-SHA1 (patch-channels.c) = 88af4136f13f93d73c70caacea0a2ded0601d1cf
-SHA1 (patch-clientloop.c) = 499f34ce4e067f1da8aca257cfa7dd820efa3504
-SHA1 (patch-compat.c) = 9248aace83134287c1f0b78f2b3b61ad5545f5e2
-SHA1 (patch-config.h.in) = 9799f48f204aa213318914f1d6c45e83a8af942f
-SHA1 (patch-configure) = 3015dda57a5626667cf5c15c7c7be25f8844cfc6
-SHA1 (patch-configure.ac) = 996a3bcf133a0832b9d7fa35cc0983562d9fa60a
-SHA1 (patch-defines.h) = 4f4f4c8dc54aa86275192edf230b36737b1c0cf6
-SHA1 (patch-includes.h) = 0a899d3b38ef3de7f5b08fec022696b4e998b54e
+SHA1 (openssh-6.9p1-hpn-20150709.diff.gz) = a39571c1cdb13382631a1d9cfe89b82fb346c92c
+RMD160 (openssh-6.9p1-hpn-20150709.diff.gz) = 8bb077e7ecbc7550386a050209e84d6f4d895788
+Size (openssh-6.9p1-hpn-20150709.diff.gz) = 13370 bytes
+SHA1 (openssh-6.9p1.tar.gz) = 86ab57f00d0fd9bf302760f2f6deac1b6e9df265
+RMD160 (openssh-6.9p1.tar.gz) = 4fb2f0a0280db51024bf72b0f5cd3912d25cb59a
+Size (openssh-6.9p1.tar.gz) = 1487617 bytes
+SHA1 (patch-Makefile.in) = 2bf52a85ecdebac3aa299b25ecb561218a3316a2
+SHA1 (patch-auth-passwd.c) = 32da596dd9b255ffdd8168e6ea6f62596304b116
+SHA1 (patch-auth-rhosts.c) = 5752c384f1fd81ed6ef21707fa2b9743a3891987
+SHA1 (patch-auth.c) = 80f1c5ad8ea01a3c9dedce4eef1b625640958450
+SHA1 (patch-auth1.c) = 0bb4bc35e2ca2cd03c5596dadcd2ffb4329091a7
+SHA1 (patch-auth2.c) = 831139b9cdbd9b4d3429ea1aba176daf78be3405
+SHA1 (patch-channels.c) = 9ad160fd1c2c7fabbea3d49dacb36036d13adfaa
+SHA1 (patch-clientloop.c) = 11d44815ec39030ae20cb75727acff8c8e91144e
+SHA1 (patch-config.h.in) = 5df3b952565c054f39110b66012005087bba7219
+SHA1 (patch-configure.ac) = 8df3e2793a9bbd9179c69286f5cfea763bac3eea
+SHA1 (patch-defines.h) = ecb225b4319347d0bcc6a271c81b7042f4c18b02
+SHA1 (patch-includes.h) = f3d502dc30e680889ed1c7cf4fa6ad8282e6cd4d
SHA1 (patch-loginrec.c) = 111530a4895c8f88c464c7495cee0dba1952d9ce
SHA1 (patch-openbsd-compat_bsd-openpty.c) = a1318cf691f0ad844a8761a77e3bb32a9e20c695
-SHA1 (patch-openbsd-compat_openbsd-compat.h) = 1cafbe8f226c16443d2cfd003166923f33352eb0
-SHA1 (patch-openbsd-compat_port-tun.c) = 8288e2b9336ea1fcc1129d8a2ab5e55816b2ccbf
-SHA1 (patch-platform.c) = c2f85f494f0a38ed9fea93c46c98b20d865610a0
-SHA1 (patch-scp.c) = 97e33843cc1b93babb6c45225c07ac74555e6d54
-SHA1 (patch-session.c) = 55e84175c7294816107c970f002401d1766f7095
+SHA1 (patch-openbsd-compat_openbsd-compat.h) = da33ee063f0a45c3a5f165ee5ae96c3168890ef9
+SHA1 (patch-openbsd-compat_port-tun.c) = 5a8c8a7d2381a4b9530593754afe0ae0dbe2c8f5
+SHA1 (patch-platform.c) = 92d563030a6c7f8b1924b988e9a2565edfd8c3d6
+SHA1 (patch-scp.c) = 0f11569d52ff813f42dd41fe315beab2af650dd0
+SHA1 (patch-session.c) = 4e07cc45bc020d720f32788d7344d0213891969e
SHA1 (patch-sftp-common.c) = 5b36300c6a83ceef2340c2cee3be211eaf39ecdd
-SHA1 (patch-ssh.c) = 8965e0458aabc137fa3b5e53c6573c0f0fba8280
-SHA1 (patch-sshconnect.c) = 7bee56ee50ec26913999296eefa93c0be63a9e75
-SHA1 (patch-sshd.c) = 43b3e4383142303a5d1158f08baee4a27f2f7b13
-SHA1 (patch-sshpty.c) = 9f08f899919d05567998087a060b90800c2c7b11
+SHA1 (patch-ssh.c) = 25645adeaa67e04a98b75d04d1f016704aa84bca
+SHA1 (patch-sshconnect.c) = da39a3ee5e6b4b0d3255bfef95601890afd80709
+SHA1 (patch-sshd.8) = 50154729a94aeaef17213d92979967b12d9c4e15
+SHA1 (patch-sshd.c) = f84fd4b4d299f75792f31d8967a1f9f6273ff06b
+SHA1 (patch-sshpty.c) = f87451e49e39fe137c8876fae52110dc2569958a
SHA1 (patch-uidswap.c) = 0b76322d47b9e14bb2828bc143645d38028bdafd
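Review bot: The new entry `SHA1 (patch-sshconnect.c) = da39a3ee5e6b4b0d3255bfef95601890afd80709` is the well-known SHA-1 of zero-length input, yet the diffstat lists patch-sshconnect.c with 87 changed lines, so the two cannot both be right. Either the committed patch file is empty, in which case the intended sshconnect.c changes are silently never applied, or distinfo was generated before the file was written, in which case pkgsrc's patch checksum verification will refuse to apply patch-sshconnect.c at build time. Please verify the patch is non-empty and regenerate the checksums (`make makepatchsum`) so the recorded hash matches the file that actually ships.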
diff --git a/security/openssh/options.mk b/security/openssh/options.mk
index da7c49cd2e1..7730ec9191d 100644
--- a/security/openssh/options.mk
+++ b/security/openssh/options.mk
@@ -1,4 +1,4 @@
-# $NetBSD: options.mk,v 1.29 2014/03/29 10:30:15 taca Exp $
+# $NetBSD: options.mk,v 1.30 2015/07/09 16:14:23 taca Exp $
.include "../../mk/bsd.prefs.mk"
@@ -16,7 +16,7 @@ CONFIGURE_ENV+= ac_cv_search_k_hasafs=no
.endif
.if !empty(PKG_OPTIONS:Mhpn-patch)
-PATCHFILES= openssh-6.6p1-hpnssh14v4.diff.gz
+PATCHFILES= openssh-6.9p1-hpn-20150709.diff.gz
PATCH_SITES= ftp://ftp.NetBSD.org/pub/NetBSD/misc/openssh/
PATCH_DIST_STRIP= -p1
.endif
diff --git a/security/openssh/patches/patch-Makefile.in b/security/openssh/patches/patch-Makefile.in
index 0ff95c0d838..d5454a3ec22 100644
--- a/security/openssh/patches/patch-Makefile.in
+++ b/security/openssh/patches/patch-Makefile.in
@@ -1,8 +1,8 @@
-$NetBSD: patch-Makefile.in,v 1.3 2014/03/29 09:38:11 taca Exp $
+$NetBSD: patch-Makefile.in,v 1.4 2015/07/09 16:14:23 taca Exp $
Removed install-sysconf as we handle that phase through post-install
---- Makefile.in.orig 2014-02-04 00:12:56.000000000 +0000
+--- Makefile.in.orig 2015-07-01 02:35:31.000000000 +0000
+++ Makefile.in
@@ -2,5 +2,5 @@
@@ -18,7 +18,7 @@ Removed install-sysconf as we handle that phase through post-install
+#ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
SFTP_SERVER=$(libexecdir)/sftp-server
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
-@@ -250,5 +250,5 @@ distprep: catman-do
+@@ -288,5 +288,5 @@ distprep: catman-do
install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
-install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf
diff --git a/security/openssh/patches/patch-auth-passwd.c b/security/openssh/patches/patch-auth-passwd.c
index 653d7020d0a..fe60caca0ab 100644
--- a/security/openssh/patches/patch-auth-passwd.c
+++ b/security/openssh/patches/patch-auth-passwd.c
@@ -1,10 +1,10 @@
-$NetBSD: patch-auth-passwd.c,v 1.1 2013/05/01 19:58:26 imil Exp $
+$NetBSD: patch-auth-passwd.c,v 1.2 2015/07/09 16:14:23 taca Exp $
Replace uid 0 with ROOTUID macro
---- auth-passwd.c.orig 2012-04-25 23:51:28.000000000 +0000
+--- auth-passwd.c.orig 2015-07-01 02:35:31.000000000 +0000
+++ auth-passwd.c
-@@ -87,7 +87,7 @@ auth_password(Authctxt *authctxt, const
+@@ -88,7 +88,7 @@ auth_password(Authctxt *authctxt, const
#endif
#ifndef HAVE_CYGWIN
@@ -13,7 +13,7 @@ Replace uid 0 with ROOTUID macro
ok = 0;
#endif
if (*password == '\0' && options.permit_empty_passwd == 0)
-@@ -122,7 +122,12 @@ auth_password(Authctxt *authctxt, const
+@@ -123,7 +123,12 @@ auth_password(Authctxt *authctxt, const
authctxt->force_pwchange = 1;
}
#endif
diff --git a/security/openssh/patches/patch-auth-rhosts.c b/security/openssh/patches/patch-auth-rhosts.c
index 31c71c2a93c..013c4c76ffe 100644
--- a/security/openssh/patches/patch-auth-rhosts.c
+++ b/security/openssh/patches/patch-auth-rhosts.c
@@ -1,19 +1,19 @@
-$NetBSD: patch-auth-rhosts.c,v 1.1 2013/05/01 19:58:26 imil Exp $
+$NetBSD: patch-auth-rhosts.c,v 1.2 2015/07/09 16:14:23 taca Exp $
Replace uid 0 with ROOTUID macro
---- auth-rhosts.c.orig 2010-03-07 12:05:17.000000000 +0000
+--- auth-rhosts.c.orig 2015-07-01 02:35:31.000000000 +0000
+++ auth-rhosts.c
-@@ -230,7 +230,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
- return 0;
-
- /* If not logging in as superuser, try /etc/hosts.equiv and shosts.equiv. */
-- if (pw->pw_uid != 0) {
-+ if (pw->pw_uid != ROOTUID) {
+@@ -242,7 +242,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
+ * If not logging in as superuser, try /etc/hosts.equiv and
+ * shosts.equiv.
+ */
+- if (pw->pw_uid == 0)
++ if (pw->pw_uid == ROOTUID)
+ debug3("%s: root user, ignoring system hosts files", __func__);
+ else {
if (check_rhosts_file(_PATH_RHOSTS_EQUIV, hostname, ipaddr,
- client_user, pw->pw_name)) {
- auth_debug_add("Accepted for %.100s [%.100s] by /etc/hosts.equiv.",
-@@ -256,7 +256,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
+@@ -271,7 +271,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
return 0;
}
if (options.strict_modes &&
@@ -22,7 +22,7 @@ Replace uid 0 with ROOTUID macro
(st.st_mode & 022) != 0)) {
logit("Rhosts authentication refused for %.100s: "
"bad ownership or modes for home directory.", pw->pw_name);
-@@ -283,7 +283,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
+@@ -298,7 +298,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
* allowing access to their account by anyone.
*/
if (options.strict_modes &&
diff --git a/security/openssh/patches/patch-auth.c b/security/openssh/patches/patch-auth.c
index 5539877c0d6..a5c6701f74a 100644
--- a/security/openssh/patches/patch-auth.c
+++ b/security/openssh/patches/patch-auth.c
@@ -1,10 +1,13 @@
-$NetBSD: patch-auth.c,v 1.2 2013/12/01 06:11:41 taca Exp $
+$NetBSD: patch-auth.c,v 1.3 2015/07/09 16:14:23 taca Exp $
-Replace uid 0 with ROOTUID macro
+* Replace uid 0 with ROOTUID macro.
+* Use login_getpwclass() instead of login_getclass() so that the root
+ vs. default login class distinction is made correctly, from FrrrBSD's
+ ports.
---- auth.c.orig 2013-06-01 21:41:51.000000000 +0000
+--- auth.c.orig 2015-07-01 02:35:31.000000000 +0000
+++ auth.c
-@@ -407,7 +407,7 @@ check_key_in_hostfiles(struct passwd *pw
+@@ -422,7 +422,7 @@ check_key_in_hostfiles(struct passwd *pw
user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
if (options.strict_modes &&
(stat(user_hostfile, &st) == 0) &&
@@ -13,3 +16,12 @@ Replace uid 0 with ROOTUID macro
(st.st_mode & 022) != 0)) {
logit("Authentication refused for %.100s: "
"bad owner or modes for %.200s",
+@@ -651,7 +651,7 @@ getpwnamallow(const char *user)
+ if (!allowed_user(pw))
+ return (NULL);
+ #ifdef HAVE_LOGIN_CAP
+- if ((lc = login_getclass(pw->pw_class)) == NULL) {
++ if ((lc = login_getpwclass(pw)) == NULL) {
+ debug("unable to get login class: %s", user);
+ return (NULL);
+ }
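Review bot: The switch to `login_getpwclass(pw)` in getpwnamallow() fixes the root-vs-default class selection only at the validation step; if session.c's setusercontext path (not part of this diff) still calls `login_getclass(pw->pw_class)`, the class whose resource limits and environment are actually applied at login can differ from the one validated here, and FreeBSD's port, which this change is taken from, patches both places — patch-session.c should carry the same one-line change. Note also that libutil's login_getpwclass() presumably decides "root" versus "default" by `pw_uid == 0` rather than by the ROOTUID macro this patch set substitutes elsewhere, so on a platform where ROOTUID is not 0 the superuser still receives the default class; that may be acceptable, but it belongs in the patch header, e.g. `* login_getpwclass() keys on uid 0, not ROOTUID; superuser gets "default" class where ROOTUID != 0.` getpwnamallow() begins and ends outside the hunk.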
diff --git a/security/openssh/patches/patch-auth1.c b/security/openssh/patches/patch-auth1.c
index 554d8054670..c628f078c52 100644
--- a/security/openssh/patches/patch-auth1.c
+++ b/security/openssh/patches/patch-auth1.c
@@ -1,10 +1,10 @@
-$NetBSD: patch-auth1.c,v 1.2 2013/12/01 06:11:41 taca Exp $
+$NetBSD: patch-auth1.c,v 1.3 2015/07/09 16:14:23 taca Exp $
Replace uid 0 with ROOTUID macro
---- auth1.c.orig 2013-06-01 22:01:24.000000000 +0000
+--- auth1.c.orig 2015-07-01 02:35:31.000000000 +0000
+++ auth1.c
-@@ -319,7 +319,7 @@ do_authloop(Authctxt *authctxt)
+@@ -322,7 +322,7 @@ do_authloop(Authctxt *authctxt)
#ifndef HAVE_CYGWIN
/* Special handling for root */
@@ -13,7 +13,7 @@ Replace uid 0 with ROOTUID macro
!auth_root_allowed(meth->name)) {
authenticated = 0;
# ifdef SSH_AUDIT_EVENTS
-@@ -420,8 +420,8 @@ do_authentication(Authctxt *authctxt)
+@@ -423,8 +423,8 @@ do_authentication(Authctxt *authctxt)
* If we are not running as root, the user must have the same uid as
* the server.
*/
diff --git a/security/openssh/patches/patch-auth2.c b/security/openssh/patches/patch-auth2.c
index 488a3cb493b..f54e65d7f2f 100644
--- a/security/openssh/patches/patch-auth2.c
+++ b/security/openssh/patches/patch-auth2.c
@@ -1,10 +1,10 @@
-$NetBSD: patch-auth2.c,v 1.3 2014/03/29 09:38:11 taca Exp $
+$NetBSD: patch-auth2.c,v 1.4 2015/07/09 16:14:23 taca Exp $
Replace uid 0 with ROOTUID macro
---- auth2.c.orig 2014-02-04 00:12:57.000000000 +0000
+--- auth2.c.orig 2015-07-01 02:35:31.000000000 +0000
+++ auth2.c
-@@ -301,7 +301,7 @@ userauth_finish(Authctxt *authctxt, int
+@@ -302,7 +330,7 @@ userauth_finish(Authctxt *authctxt, int
fatal("INTERNAL ERROR: authenticated and postponed");
/* Special handling for root */
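Review bot: The refreshed hunk header `@@ -302,7 +330,7 @@` records a 28-line offset between the old and new side for what is a one-line substitution, which suggests the patch was regenerated against a tree that already had lines inserted earlier in auth2.c (plausibly the optional hpn patch) rather than against pristine 6.9p1. patch(1) treats the numbers as hints so the build will not break, but the header misdescribes the file it is meant to apply to and will drift again at the next refresh; regenerating against the unpatched source should yield `@@ -302,7 +302,7 @@`. The surrounding userauth_finish() body lies outside the hunk.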
diff --git a/security/openssh/patches/patch-channels.c b/security/openssh/patches/patch-channels.c
index 5e35a13d744..eae778d49da 100644
--- a/security/openssh/patches/patch-channels.c
+++ b/security/openssh/patches/patch-channels.c
@@ -1,12 +1,12 @@
-$NetBSD: patch-channels.c,v 1.1 2015/03/19 20:23:55 tron Exp $
+$NetBSD: patch-channels.c,v 1.2 2015/07/09 16:14:23 taca Exp $
Fix X11 forwarding under Mac OS X Yosemite. Patch taken from MacPorts.
https://trac.macports.org/browser/trunk/dports/net/openssh/files/launchd.patch?rev=121205
---- channels.c.orig 2014-02-26 23:18:33.000000000 +0000
-+++ channels.c 2015-03-19 20:16:04.000000000 +0000
-@@ -3576,15 +3576,35 @@
+--- channels.c.orig 2015-07-01 02:35:31.000000000 +0000
++++ channels.c
+@@ -4037,15 +4037,35 @@ x11_connect_display(void)
* connection to the real X server.
*/
diff --git a/security/openssh/patches/patch-clientloop.c b/security/openssh/patches/patch-clientloop.c
index b212f23f7a5..36682d34d70 100644
--- a/security/openssh/patches/patch-clientloop.c
+++ b/security/openssh/patches/patch-clientloop.c
@@ -1,14 +1,14 @@
-$NetBSD: patch-clientloop.c,v 1.1 2015/03/19 20:23:55 tron Exp $
+$NetBSD: patch-clientloop.c,v 1.2 2015/07/09 16:14:23 taca Exp $
Fix X11 forwarding under Mac OS X Yosemite. Patch taken from MacPorts.
https://trac.macports.org/browser/trunk/dports/net/openssh/files/launchd.patch?rev=121205
---- clientloop.c.orig 2014-02-04 00:20:15.000000000 +0000
-+++ clientloop.c 2015-03-19 20:16:04.000000000 +0000
-@@ -313,6 +313,10 @@
+--- clientloop.c.orig 2015-07-01 02:35:31.000000000 +0000
++++ clientloop.c
+@@ -314,6 +314,10 @@ client_x11_get_proto(const char *display
struct stat st;
- u_int now;
+ u_int now, x11_timeout_real;
+#if __APPLE__
+ int is_path_to_socket = 0;
@@ -17,7 +17,7 @@ https://trac.macports.org/browser/trunk/dports/net/openssh/files/launchd.patch?r
xauthdir = xauthfile = NULL;
*_proto = proto;
*_data = data;
-@@ -328,6 +332,33 @@
+@@ -329,6 +333,33 @@ client_x11_get_proto(const char *display
debug("x11_get_proto: DISPLAY not set");
return;
}
@@ -51,7 +51,7 @@ https://trac.macports.org/browser/trunk/dports/net/openssh/files/launchd.patch?r
/*
* Handle FamilyLocal case where $DISPLAY does
* not match an authorization entry. For this we
-@@ -407,6 +438,9 @@
+@@ -420,6 +451,9 @@ client_x11_get_proto(const char *display
if (!got_data) {
u_int32_t rnd = 0;
diff --git a/security/openssh/patches/patch-compat.c b/security/openssh/patches/patch-compat.c
deleted file mode 100644
index b5e0a4be2a7..00000000000
--- a/security/openssh/patches/patch-compat.c
+++ /dev/null
@@ -1,16 +0,0 @@
-$NetBSD: patch-compat.c,v 1.1 2015/05/16 14:43:02 sevan Exp $
-
-Use the correct buffer when calling strlen
-http://www.openwall.com/lists/oss-security/2015/05/16/3
-
---- compat.c.orig 2015-05-16 13:05:33.000000000 +0000
-+++ compat.c
-@@ -223,7 +223,7 @@ filter_proposal(char *proposal, const ch
- buffer_init(&b);
- tmp = orig_prop = xstrdup(proposal);
- while ((cp = strsep(&tmp, ",")) != NULL) {
-- if (match_pattern_list(cp, filter, strlen(cp), 0) != 1) {
-+ if (match_pattern_list(cp, filter, strlen(filter), 0) != 1) {
- if (buffer_len(&b) > 0)
- buffer_append(&b, ",", 1);
- buffer_append(&b, cp, strlen(cp));
diff --git a/security/openssh/patches/patch-config.h.in b/security/openssh/patches/patch-config.h.in
index 652655ab98a..00b9b0272de 100644
--- a/security/openssh/patches/patch-config.h.in
+++ b/security/openssh/patches/patch-config.h.in
@@ -1,10 +1,11 @@
-$NetBSD: patch-config.h.in,v 1.3 2014/03/29 09:38:11 taca Exp $
+$NetBSD: patch-config.h.in,v 1.4 2015/07/09 16:14:23 taca Exp $
-Added Interix and define new path to if_tun.h
+* Added Interix and define new path to if_tun.h.
+* Revive tcp_wrappers support.
---- config.h.in.orig 2014-03-13 02:18:56.000000000 +0000
+--- config.h.in.orig 2015-07-01 02:41:59.000000000 +0000
+++ config.h.in
-@@ -636,6 +636,9 @@
+@@ -640,6 +640,9 @@
/* define if you have int64_t data type */
#undef HAVE_INT64_T
@@ -14,7 +15,7 @@ Added Interix and define new path to if_tun.h
/* Define to 1 if the system has the type `intmax_t'. */
#undef HAVE_INTMAX_T
-@@ -792,6 +795,9 @@
+@@ -799,6 +802,9 @@
/* Define to 1 if you have the <net/if_tun.h> header file. */
#undef HAVE_NET_IF_TUN_H
@@ -24,3 +25,13 @@ Added Interix and define new path to if_tun.h
/* Define if you are on NeXT */
#undef HAVE_NEXT
+@@ -1394,6 +1400,9 @@
+ /* Define if pututxline updates lastlog too */
+ #undef LASTLOG_WRITE_PUTUTXLINE
+
++/* Define if you want TCP Wrappers support */
++#undef LIBWRAP
++
+ /* Define to whatever link() returns for "not supported" if it doesn't return
+ EOPNOTSUPP. */
+ #undef LINK_OPNOTSUPP_ERRNO
diff --git a/security/openssh/patches/patch-configure b/security/openssh/patches/patch-configure
deleted file mode 100644
index 0cf7e1b321a..00000000000
--- a/security/openssh/patches/patch-configure
+++ /dev/null
@@ -1,103 +0,0 @@
-$NetBSD: patch-configure,v 1.3 2014/03/29 09:38:11 taca Exp $
-
-Various fixes regarding portability
-
---- configure.orig 2014-03-13 02:19:03.000000000 +0000
-+++ configure
-@@ -6500,6 +6500,9 @@ if test "${with_rpath+set}" = set; then
- fi
-
-
-+# pkgsrc handles any rpath settings this package needs
-+need_dash_r=
-+
- # Allow user to specify flags
-
- # Check whether --with-cflags was given.
-@@ -6586,6 +6589,7 @@ for ac_header in \
- maillock.h \
- ndir.h \
- net/if_tun.h \
-+ net/tun/if_tun.h \
- netdb.h \
- netgroup.h \
- pam/pam_appl.h \
-@@ -7369,6 +7373,36 @@ $as_echo "#define HAVE_SECUREWARE 1" >>c
- ;;
- esac
- ;;
-+*-*-interix*)
-+ cat >>confdefs.h <<\_ACEOF
-+#define HAVE_INTERIX 1
-+_ACEOF
-+
-+ cat >>confdefs.h <<\_ACEOF
-+#define DISABLE_FD_PASSING 1
-+_ACEOF
-+
-+ cat >>confdefs.h <<\_ACEOF
-+#define DISABLE_SHADOW 1
-+_ACEOF
-+
-+ cat >>confdefs.h <<\_ACEOF
-+#define IP_TOS_IS_BROKEN 1
-+_ACEOF
-+
-+ cat >>confdefs.h <<\_ACEOF
-+#define MISSING_HOWMANY 1
-+_ACEOF
-+
-+ cat >>confdefs.h <<\_ACEOF
-+#define NO_IPPORT_RESERVED_CONCEPT 1
-+_ACEOF
-+
-+ cat >>confdefs.h <<\_ACEOF
-+#define USE_PIPES 1
-+_ACEOF
-+
-+ ;;
- *-*-irix5*)
- PATH="$PATH:/usr/etc"
-
-@@ -7578,7 +7612,7 @@ $as_echo "#define BROKEN_STRNVIS 1" >>co
- $as_echo "#define BROKEN_READ_COMPARISON 1" >>confdefs.h
-
- ;;
--*-*-freebsd*)
-+*-*-freebsd*|*-*-dragonfly*)
- check_for_libcrypt_later=1
-
- $as_echo "#define LOCKED_PASSWD_PREFIX \"*LOCKED*\"" >>confdefs.h
-@@ -18248,12 +18282,18 @@ fi
- rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
- if test -z "$conf_wtmpx_location"; then
- if test x"$system_wtmpx_path" = x"no" ; then
-- $as_echo "#define DISABLE_WTMPX 1" >>confdefs.h
--
-+ for f in /var/log/wtmpx; do
-+ if test -f $f ; then
-+ conf_wtmpx_location=$f
-+ fi
-+ done
-+ if test -z "$conf_wtmpx_location"; then
-+ $as_echo "#define DISABLE_WTMPX 1" >>confdefs.h
-+ fi
- fi
--else
--
--cat >>confdefs.h <<_ACEOF
-+fi
-+if test -n "$conf_wtmpx_location"; then
-+ cat >>confdefs.h <<_ACEOF
- #define CONF_WTMPX_FILE "$conf_wtmpx_location"
- _ACEOF
-
-@@ -19660,7 +19700,7 @@ echo "OpenSSH has been configured with t
- echo " User binaries: $B"
- echo " System binaries: $C"
- echo " Configuration files: $D"
--echo " Askpass program: $E"
-+echo " Askpass program: ${ASKPASS_PROGRAM}"
- echo " Manual pages: $F"
- echo " PID file: $G"
- echo " Privilege separation chroot path: $H"
diff --git a/security/openssh/patches/patch-configure.ac b/security/openssh/patches/patch-configure.ac
index bbc2e3f7902..b3bc0dc114a 100644
--- a/security/openssh/patches/patch-configure.ac
+++ b/security/openssh/patches/patch-configure.ac
@@ -1,10 +1,11 @@
-$NetBSD: patch-configure.ac,v 1.3 2014/03/29 09:38:11 taca Exp $
+$NetBSD: patch-configure.ac,v 1.4 2015/07/09 16:14:23 taca Exp $
-Various fixes regarding portability
+* Various fixes regarding portability
+* Revive tcp_wrappers support.
---- configure.ac.orig 2014-02-21 17:09:34.000000000 +0000
+--- configure.ac.orig 2015-07-01 02:35:31.000000000 +0000
+++ configure.ac
-@@ -275,6 +275,9 @@ AC_ARG_WITH([rpath],
+@@ -316,6 +316,9 @@ AC_ARG_WITH([rpath],
]
)
@@ -14,7 +15,7 @@ Various fixes regarding portability
# Allow user to specify flags
AC_ARG_WITH([cflags],
[ --with-cflags Specify additional flags to pass to compiler],
-@@ -346,6 +349,7 @@ AC_CHECK_HEADERS([ \
+@@ -387,6 +390,7 @@ AC_CHECK_HEADERS([ \
maillock.h \
ndir.h \
net/if_tun.h \
@@ -22,7 +23,7 @@ Various fixes regarding portability
netdb.h \
netgroup.h \
pam/pam_appl.h \
-@@ -655,6 +659,15 @@ main() { if (NSVersionOfRunTimeLibrary("
+@@ -696,6 +700,15 @@ main() { if (NSVersionOfRunTimeLibrary("
;;
esac
;;
@@ -38,7 +39,70 @@ Various fixes regarding portability
*-*-irix5*)
PATH="$PATH:/usr/etc"
AC_DEFINE([BROKEN_INET_NTOA], [1],
-@@ -4731,9 +4744,17 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+@@ -1424,6 +1437,62 @@ AC_ARG_WITH([skey],
+ ]
+ )
+
++# Check whether user wants TCP wrappers support
++TCPW_MSG="no"
++AC_ARG_WITH([tcp-wrappers],
++ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
++ [
++ if test "x$withval" != "xno" ; then
++ saved_LIBS="$LIBS"
++ saved_LDFLAGS="$LDFLAGS"
++ saved_CPPFLAGS="$CPPFLAGS"
++ if test -n "${withval}" && \
++ test "x${withval}" != "xyes"; then
++ if test -d "${withval}/lib"; then
++ if test -n "${need_dash_r}"; then
++ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
++ else
++ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
++ fi
++ else
++ if test -n "${need_dash_r}"; then
++ LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
++ else
++ LDFLAGS="-L${withval} ${LDFLAGS}"
++ fi
++ fi
++ if test -d "${withval}/include"; then
++ CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
++ else
++ CPPFLAGS="-I${withval} ${CPPFLAGS}"
++ fi
++ fi
++ LIBS="-lwrap $LIBS"
++ AC_MSG_CHECKING([for libwrap])
++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[
++#include <sys/types.h>
++#include <sys/socket.h>
++#include <netinet/in.h>
++#include <tcpd.h>
++int deny_severity = 0, allow_severity = 0;
++ ]], [[
++ hosts_access(0);
++ ]])], [
++ AC_MSG_RESULT([yes])
++ AC_DEFINE([LIBWRAP], [1],
++ [Define if you want
++ TCP Wrappers support])
++ SSHDLIBS="$SSHDLIBS -lwrap"
++ TCPW_MSG="yes"
++ ], [
++ AC_MSG_ERROR([*** libwrap missing])
++
++ ])
++ LIBS="$saved_LIBS"
++ fi
++ ]
++)
++
+ # Check whether user wants to use ldns
+ LDNS_MSG="no"
+ AC_ARG_WITH(ldns,
+@@ -4791,9 +4860,17 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
])
if test -z "$conf_wtmpx_location"; then
if test x"$system_wtmpx_path" = x"no" ; then
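Review bot: In the revived `--with-tcp-wrappers` block, `saved_LDFLAGS` and `saved_CPPFLAGS` are assigned but never restored — only `LIBS="$saved_LIBS"` is — so the `-L`/`-R`/`-I` additions for an explicit PATH leak into the global flags for the rest of configure; that is fine if those paths must reach the final link (the old upstream check behaved the same way), but then the two dead variables should be dropped rather than left suggesting a restore that never happens. The larger point is that this puts libwrap back into sshd (`SSHDLIBS="$SSHDLIBS -lwrap"`) after upstream removed it in 6.7, and hosts_access() is presumably called from the privileged pre-authentication path in patch-sshd.c (not shown here), i.e. third-party parsing of /etc/hosts.allow before any client is authenticated; the pkgsrc option should stay off by default and the patch header should state that trade-off. The probe's `hosts_access(0)` and its local `deny_severity`/`allow_severity` definitions are only for the link test; sshd itself must still define those two symbols or the final link fails, so confirm patch-sshd.c restores them.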
@@ -58,7 +122,7 @@ Various fixes regarding portability
AC_DEFINE_UNQUOTED([CONF_WTMPX_FILE], ["$conf_wtmpx_location"],
[Define if you want to specify the path to your wtmpx file])
fi
-@@ -4820,7 +4841,7 @@ echo "OpenSSH has been configured with t
+@@ -4880,7 +4957,7 @@ echo "OpenSSH has been configured with t
echo " User binaries: $B"
echo " System binaries: $C"
echo " Configuration files: $D"
@@ -67,3 +131,11 @@ Various fixes regarding portability
echo " Manual pages: $F"
echo " PID file: $G"
echo " Privilege separation chroot path: $H"
+@@ -4904,6 +4981,7 @@ echo " KerberosV support
+ echo " SELinux support: $SELINUX_MSG"
+ echo " Smartcard support: $SCARD_MSG"
+ echo " S/KEY support: $SKEY_MSG"
++echo " TCP Wrappers support: $TCPW_MSG"
+ echo " MD5 password support: $MD5_MSG"
+ echo " libedit support: $LIBEDIT_MSG"
+ echo " Solaris process contract support: $SPC_MSG"
diff --git a/security/openssh/patches/patch-defines.h b/security/openssh/patches/patch-defines.h
index 415fbbea741..d3ebabd7d55 100644
--- a/security/openssh/patches/patch-defines.h
+++ b/security/openssh/patches/patch-defines.h
@@ -1,8 +1,8 @@
-$NetBSD: patch-defines.h,v 1.2 2014/03/29 09:38:11 taca Exp $
+$NetBSD: patch-defines.h,v 1.3 2015/07/09 16:14:23 taca Exp $
Define ROOTUID, UTMPX_FILE and WTMPX_FILE
---- defines.h.orig 2014-01-17 13:12:38.000000000 +0000
+--- defines.h.orig 2015-07-01 02:35:31.000000000 +0000
+++ defines.h
@@ -30,6 +30,15 @@
@@ -20,7 +20,7 @@ Define ROOTUID, UTMPX_FILE and WTMPX_FILE
#if defined(HAVE_DECL_SHUT_RD) && HAVE_DECL_SHUT_RD == 0
enum
{
-@@ -708,6 +717,24 @@ struct winsize {
+@@ -721,6 +730,24 @@ struct winsize {
# endif
# endif
#endif
diff --git a/security/openssh/patches/patch-includes.h b/security/openssh/patches/patch-includes.h
index 9f8b3afc4c5..f62ce342d4a 100644
--- a/security/openssh/patches/patch-includes.h
+++ b/security/openssh/patches/patch-includes.h
@@ -1,10 +1,10 @@
-$NetBSD: patch-includes.h,v 1.2 2013/12/01 06:11:41 taca Exp $
+$NetBSD: patch-includes.h,v 1.3 2015/07/09 16:14:23 taca Exp $
Interix support
---- includes.h.orig 2013-03-22 01:51:09.000000000 +0000
+--- includes.h.orig 2015-07-01 02:35:31.000000000 +0000
+++ includes.h
-@@ -126,6 +126,10 @@
+@@ -127,6 +127,10 @@
#ifdef HAVE_READPASSPHRASE_H
# include <readpassphrase.h>
#endif
diff --git a/security/openssh/patches/patch-openbsd-compat_openbsd-compat.h b/security/openssh/patches/patch-openbsd-compat_openbsd-compat.h
index 6fa9688c401..01c22af816b 100644
--- a/security/openssh/patches/patch-openbsd-compat_openbsd-compat.h
+++ b/security/openssh/patches/patch-openbsd-compat_openbsd-compat.h
@@ -1,10 +1,10 @@
-$NetBSD: patch-openbsd-compat_openbsd-compat.h,v 1.2 2014/03/29 09:38:11 taca Exp $
+$NetBSD: patch-openbsd-compat_openbsd-compat.h,v 1.3 2015/07/09 16:14:23 taca Exp $
strtoll() declaration
---- openbsd-compat/openbsd-compat.h.orig 2014-02-04 00:18:23.000000000 +0000
+--- openbsd-compat/openbsd-compat.h.orig 2015-07-01 02:35:31.000000000 +0000
+++ openbsd-compat/openbsd-compat.h
-@@ -84,6 +84,10 @@ size_t strlcat(char *dst, const char *sr
+@@ -91,6 +91,10 @@ size_t strlcat(char *dst, const char *sr
int setenv(register const char *name, register const char *value, int rewrite);
#endif
diff --git a/security/openssh/patches/patch-openbsd-compat_port-tun.c b/security/openssh/patches/patch-openbsd-compat_port-tun.c
index 7945b5815e8..24deaf09af3 100644
--- a/security/openssh/patches/patch-openbsd-compat_port-tun.c
+++ b/security/openssh/patches/patch-openbsd-compat_port-tun.c
@@ -1,10 +1,10 @@
-$NetBSD: patch-openbsd-compat_port-tun.c,v 1.1 2013/05/01 19:58:26 imil Exp $
+$NetBSD: patch-openbsd-compat_port-tun.c,v 1.2 2015/07/09 16:14:23 taca Exp $
if_tun.h can be found in net/tun
---- openbsd-compat/port-tun.c.orig 2010-08-10 02:47:42.000000000 +0000
+--- openbsd-compat/port-tun.c.orig 2015-07-01 02:35:31.000000000 +0000
+++ openbsd-compat/port-tun.c
-@@ -110,6 +110,10 @@ sys_tun_open(int tun, int mode)
+@@ -111,6 +111,10 @@ sys_tun_open(int tun, int mode)
#include <sys/socket.h>
#include <net/if.h>
@@ -15,3 +15,26 @@ if_tun.h can be found in net/tun
#ifdef HAVE_NET_IF_TUN_H
#include <net/if_tun.h>
#endif
+@@ -120,7 +124,10 @@ sys_tun_open(int tun, int mode)
+ {
+ struct ifreq ifr;
+ char name[100];
+- int fd = -1, sock, flag;
++ int fd = -1, sock;
++#if defined(TUNSIFHEAD) && !defined(SSH_TUN_PREPEND_AF)
++ int flag;
++#endif
+ const char *tunbase = "tun";
+
+ if (mode == SSH_TUNMODE_ETHERNET) {
+@@ -154,9 +161,9 @@ sys_tun_open(int tun, int mode)
+ return (-1);
+ }
+
++#if defined(TUNSIFHEAD) && !defined(SSH_TUN_PREPEND_AF)
+ /* Turn on tunnel headers */
+ flag = 1;
+-#if defined(TUNSIFHEAD) && !defined(SSH_TUN_PREPEND_AF)
+ if (mode != SSH_TUNMODE_ETHERNET &&
+ ioctl(fd, TUNSIFHEAD, &flag) == -1) {
+ debug("%s: ioctl(%d, TUNSIFHEAD, 1): %s", __func__, fd,
diff --git a/security/openssh/patches/patch-platform.c b/security/openssh/patches/patch-platform.c
index 78f8921152b..34c1469ece1 100644
--- a/security/openssh/patches/patch-platform.c
+++ b/security/openssh/patches/patch-platform.c
@@ -1,10 +1,10 @@
-$NetBSD: patch-platform.c,v 1.3 2014/03/29 09:38:11 taca Exp $
+$NetBSD: patch-platform.c,v 1.4 2015/07/09 16:14:23 taca Exp $
Interix support
---- platform.c.orig 2014-01-21 01:59:29.000000000 +0000
+--- platform.c.orig 2015-07-01 02:35:31.000000000 +0000
+++ platform.c
-@@ -89,7 +89,9 @@ platform_privileged_uidswap(void)
+@@ -90,7 +90,9 @@ platform_privileged_uidswap(void)
/* uid 0 is not special on Cygwin so always try */
return 1;
#else
diff --git a/security/openssh/patches/patch-scp.c b/security/openssh/patches/patch-scp.c
index 551c3175801..0f324b3afe2 100644
--- a/security/openssh/patches/patch-scp.c
+++ b/security/openssh/patches/patch-scp.c
@@ -1,10 +1,10 @@
-$NetBSD: patch-scp.c,v 1.2 2013/12/01 06:11:41 taca Exp $
+$NetBSD: patch-scp.c,v 1.3 2015/07/09 16:14:23 taca Exp $
Interix support
---- scp.c.orig 2013-07-18 06:11:25.000000000 +0000
+--- scp.c.orig 2015-07-01 02:35:31.000000000 +0000
+++ scp.c
-@@ -477,7 +477,11 @@ main(int argc, char **argv)
+@@ -478,7 +478,11 @@ main(int argc, char **argv)
argc -= optind;
argv += optind;
@@ -16,7 +16,7 @@ Interix support
fatal("unknown user %u", (u_int) userid);
if (!isatty(STDOUT_FILENO))
-@@ -881,8 +885,10 @@ rsource(char *name, struct stat *statp)
+@@ -886,8 +890,10 @@ rsource(char *name, struct stat *statp)
return;
}
while ((dp = readdir(dirp)) != NULL) {
@@ -27,7 +27,7 @@ Interix support
if (!strcmp(dp->d_name, ".") || !strcmp(dp->d_name, ".."))
continue;
if (strlen(name) + 1 + strlen(dp->d_name) >= sizeof(path) - 1) {
-@@ -1292,7 +1298,9 @@ okname(char *cp0)
+@@ -1297,7 +1303,9 @@ okname(char *cp0)
case '\'':
case '"':
case '`':
diff --git a/security/openssh/patches/patch-session.c b/security/openssh/patches/patch-session.c
index 8a89c5635c7..5f71356d0de 100644
--- a/security/openssh/patches/patch-session.c
+++ b/security/openssh/patches/patch-session.c
@@ -1,10 +1,10 @@
-$NetBSD: patch-session.c,v 1.3 2014/03/29 09:38:11 taca Exp $
+$NetBSD: patch-session.c,v 1.4 2015/07/09 16:14:23 taca Exp $
Interix support
---- session.c.orig 2014-03-03 22:35:17.000000000 +0000
+--- session.c.orig 2015-07-01 02:35:31.000000000 +0000
+++ session.c
-@@ -1109,7 +1109,7 @@ read_etc_default_login(char ***env, u_in
+@@ -1093,7 +1093,7 @@ read_etc_default_login(char ***env, u_in
if (tmpenv == NULL)
return;
@@ -13,7 +13,7 @@ Interix support
var = child_get_env(tmpenv, "SUPATH");
else
var = child_get_env(tmpenv, "PATH");
-@@ -1218,7 +1218,7 @@ do_setup_env(Session *s, const char *she
+@@ -1202,7 +1202,7 @@ do_setup_env(Session *s, const char *she
# endif /* HAVE_ETC_DEFAULT_LOGIN */
if (path == NULL || *path == '\0') {
child_set_env(&env, &envsize, "PATH",
@@ -22,7 +22,7 @@ Interix support
SUPERUSER_PATH : _PATH_STDPATH);
}
# endif /* HAVE_CYGWIN */
-@@ -1332,6 +1332,18 @@ do_setup_env(Session *s, const char *she
+@@ -1316,6 +1316,18 @@ do_setup_env(Session *s, const char *she
strcmp(pw->pw_dir, "/") ? pw->pw_dir : "");
read_environment_file(&env, &envsize, buf);
}
@@ -41,7 +41,7 @@ Interix support
if (debug_flag) {
/* dump the environment */
fprintf(stderr, "Environment:\n");
-@@ -1522,11 +1534,13 @@ do_setusercontext(struct passwd *pw)
+@@ -1510,11 +1522,13 @@ do_setusercontext(struct passwd *pw)
perror("setgid");
exit(1);
}
@@ -55,7 +55,7 @@ Interix support
endgrent();
#endif
-@@ -2358,7 +2372,7 @@ session_pty_cleanup2(Session *s)
+@@ -2356,7 +2370,7 @@ session_pty_cleanup2(Session *s)
record_logout(s->pid, s->tty, s->pw->pw_name);
/* Release the pseudo-tty. */
diff --git a/security/openssh/patches/patch-ssh.c b/security/openssh/patches/patch-ssh.c
index 9dc62196d23..89fd92dcf45 100644
--- a/security/openssh/patches/patch-ssh.c
+++ b/security/openssh/patches/patch-ssh.c
@@ -1,13 +1,13 @@
-$NetBSD: patch-ssh.c,v 1.3 2014/03/29 09:38:11 taca Exp $
+$NetBSD: patch-ssh.c,v 1.4 2015/07/09 16:14:23 taca Exp $
Interix support
---- ssh.c.orig 2014-02-26 23:17:13.000000000 +0000
+--- ssh.c.orig 2015-07-01 02:35:31.000000000 +0000
+++ ssh.c
-@@ -943,7 +943,7 @@ main(int ac, char **av)
- strcmp(options.proxy_command, "-") == 0 &&
- options.proxy_use_fdpass)
- fatal("ProxyCommand=- and ProxyUseFDPass are incompatible");
+@@ -1083,7 +1083,7 @@ main(int ac, char **av)
+ "disabling");
+ options.update_hostkeys = 0;
+ }
-#ifndef HAVE_CYGWIN
+#if defined(HAVE_CYGWIN) || defined(HAVE_INTERIX)
if (original_effective_uid != 0)
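Review bot: The carried-over replacement guard `#if defined(HAVE_CYGWIN) || defined(HAVE_INTERIX)` is the logical inverse of the upstream `#ifndef HAVE_CYGWIN` it replaces, so the `if (original_effective_uid != 0)` adjustment that follows now runs only on Cygwin and Interix instead of on every platform except Cygwin. If the intent was to treat Interix like Cygwin, the guard should presumably read `#if !defined(HAVE_CYGWIN) && !defined(HAVE_INTERIX)`; if the inversion is deliberate, the "Interix support" header should say why, since this rebase forwards it unchanged onto the relocated context. The statement the guard protects lies outside the hunk, so the effect on the privileged-port option is inferred from the visible lines.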
diff --git a/security/openssh/patches/patch-sshconnect.c b/security/openssh/patches/patch-sshconnect.c
deleted file mode 100644
index 527ba9bb96d..00000000000
--- a/security/openssh/patches/patch-sshconnect.c
+++ /dev/null
@@ -1,87 +0,0 @@
-$NetBSD: patch-sshconnect.c,v 1.1 2014/10/08 15:50:22 taca Exp $
-
-Fix for CVE-2014-2653 from
-https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742513.
-
---- sshconnect.c.orig 2014-02-06 22:24:34.000000000 +0000
-+++ sshconnect.c
-@@ -1213,6 +1213,51 @@ fail:
- return -1;
- }
-
-+static int
-+check_host_key_sshfp(char *host, struct sockaddr *hostaddr, Key *host_key)
-+{
-+ int rc = -1;
-+ int flags = 0;
-+ Key *raw_key = NULL;
-+
-+ if (!options.verify_host_key_dns)
-+ goto done;
-+
-+ /* XXX certs are not yet supported for DNS; try looking the raw key
-+ * up in the DNS anyway.
-+ */
-+ if (key_is_cert(host_key)) {
-+ debug2("Extracting key from cert for SSHFP lookup");
-+ raw_key = key_from_private(host_key);
-+ if (key_drop_cert(raw_key))
-+ fatal("Couldn't drop certificate");
-+ host_key = raw_key;
-+ }
-+
-+ if (verify_host_key_dns(host, hostaddr, host_key, &flags))
-+ goto done;
-+
-+ if (flags & DNS_VERIFY_FOUND) {
-+
-+ if (options.verify_host_key_dns == 1 &&
-+ flags & DNS_VERIFY_MATCH &&
-+ flags & DNS_VERIFY_SECURE) {
-+ rc = 0;
-+ } else if (flags & DNS_VERIFY_MATCH) {
-+ matching_host_key_dns = 1;
-+ } else {
-+ warn_changed_key(host_key);
-+ error("Update the SSHFP RR in DNS with the new "
-+ "host key to get rid of this message.");
-+ }
-+ }
-+
-+done:
-+ if (raw_key)
-+ key_free(raw_key);
-+ return rc;
-+}
-+
- /* returns 0 if key verifies or -1 if key does NOT verify */
- int
- verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
-@@ -1224,25 +1269,8 @@ verify_host_key(char *host, struct socka
- debug("Server host key: %s %s", key_type(host_key), fp);
- free(fp);
-
-- /* XXX certs are not yet supported for DNS */
-- if (!key_is_cert(host_key) && options.verify_host_key_dns &&
-- verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
-- if (flags & DNS_VERIFY_FOUND) {
--
-- if (options.verify_host_key_dns == 1 &&
-- flags & DNS_VERIFY_MATCH &&
-- flags & DNS_VERIFY_SECURE)
-- return 0;
--
-- if (flags & DNS_VERIFY_MATCH) {
-- matching_host_key_dns = 1;
-- } else {
-- warn_changed_key(host_key);
-- error("Update the SSHFP RR in DNS with the new "
-- "host key to get rid of this message.");
-- }
-- }
-- }
-+ if (check_host_key_sshfp(host, hostaddr, host_key) == 0)
-+ return 0;
-
- return check_host_key(host, hostaddr, options.port, host_key, RDRW,
- options.user_hostfiles, options.num_user_hostfiles,
diff --git a/security/openssh/patches/patch-sshd.8 b/security/openssh/patches/patch-sshd.8
new file mode 100644
index 00000000000..16cf513e203
--- /dev/null
+++ b/security/openssh/patches/patch-sshd.8
@@ -0,0 +1,27 @@
+$NetBSD: patch-sshd.8,v 1.1 2015/07/09 16:14:23 taca Exp $
+
+* Revive tcp_wrappers support.
+
+--- sshd.8.orig 2015-07-01 02:35:31.000000000 +0000
++++ sshd.8
+@@ -853,6 +853,12 @@ the user's home directory becomes access
+ This file should be writable only by the user, and need not be
+ readable by anyone else.
+ .Pp
++.It Pa /etc/hosts.allow
++.It Pa /etc/hosts.deny
++Access controls that should be enforced by tcp-wrappers are defined here.
++Further details are described in
++.Xr hosts_access 5 .
++.Pp
+ .It Pa /etc/hosts.equiv
+ This file is for host-based authentication (see
+ .Xr ssh 1 ) .
+@@ -956,6 +962,7 @@ The content of this file is not sensitiv
+ .Xr ssh-keygen 1 ,
+ .Xr ssh-keyscan 1 ,
+ .Xr chroot 2 ,
++.Xr hosts_access 5 ,
+ .Xr login.conf 5 ,
+ .Xr moduli 5 ,
+ .Xr sshd_config 5 ,
diff --git a/security/openssh/patches/patch-sshd.c b/security/openssh/patches/patch-sshd.c
index fd49eafbe09..872b92dc08e 100644
--- a/security/openssh/patches/patch-sshd.c
+++ b/security/openssh/patches/patch-sshd.c
@@ -1,10 +1,25 @@
-$NetBSD: patch-sshd.c,v 1.3 2014/03/29 09:38:11 taca Exp $
+$NetBSD: patch-sshd.c,v 1.4 2015/07/09 16:14:23 taca Exp $
-Interix support
+* Interix support
+* Revive tcp_wrappers support.
---- sshd.c.orig 2014-02-26 23:20:08.000000000 +0000
+--- sshd.c.orig 2015-07-01 02:35:31.000000000 +0000
+++ sshd.c
-@@ -243,7 +243,11 @@ int *startup_pipes = NULL;
+@@ -125,6 +125,13 @@
+ #include "version.h"
+ #include "ssherr.h"
+
++#ifdef LIBWRAP
++#include <tcpd.h>
++#include <syslog.h>
++int allow_severity;
++int deny_severity;
++#endif /* LIBWRAP */
++
+ #ifndef O_NOCTTY
+ #define O_NOCTTY 0
+ #endif
+@@ -236,7 +243,11 @@ int *startup_pipes = NULL;
int startup_pipe; /* in child */
/* variables used for privilege separation */
@@ -16,7 +31,7 @@ Interix support
struct monitor *pmonitor = NULL;
int privsep_is_preauth = 1;
-@@ -646,10 +650,15 @@ privsep_preauth_child(void)
+@@ -643,10 +654,15 @@ privsep_preauth_child(void)
/* XXX not ready, too heavy after chroot */
do_setusercontext(privsep_pw);
#else
@@ -32,7 +47,7 @@ Interix support
#endif
}
-@@ -711,7 +720,7 @@ privsep_preauth(Authctxt *authctxt)
+@@ -714,7 +730,7 @@ privsep_preauth(Authctxt *authctxt)
set_log_handler(mm_log_handler, pmonitor);
/* Demote the child */
@@ -41,7 +56,7 @@ Interix support
privsep_preauth_child();
setproctitle("%s", "[net]");
if (box != NULL)
-@@ -729,7 +738,7 @@ privsep_postauth(Authctxt *authctxt)
+@@ -732,7 +748,7 @@ privsep_postauth(Authctxt *authctxt)
#ifdef DISABLE_FD_PASSING
if (1) {
#else
@@ -50,7 +65,7 @@ Interix support
#endif
/* File descriptor passing is broken or root login */
use_privsep = 0;
-@@ -1413,8 +1422,10 @@ main(int ac, char **av)
+@@ -1485,8 +1501,10 @@ main(int ac, char **av)
av = saved_argv;
#endif
@@ -62,7 +77,7 @@ Interix support
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
sanitise_stdfd();
-@@ -1815,7 +1826,7 @@ main(int ac, char **av)
+@@ -1915,7 +1933,7 @@ main(int ac, char **av)
(st.st_uid != getuid () ||
(st.st_mode & (S_IWGRP|S_IWOTH)) != 0))
#else
@@ -71,7 +86,7 @@ Interix support
#endif
fatal("%s must be owned by root and not group or "
"world-writable.", _PATH_PRIVSEP_CHROOT_DIR);
-@@ -1838,8 +1849,10 @@ main(int ac, char **av)
+@@ -1938,8 +1956,10 @@ main(int ac, char **av)
* to create a file, and we can't control the code in every
* module which might be used).
*/
@@ -82,3 +97,29 @@ Interix support
if (rexec_flag) {
rexec_argv = xcalloc(rexec_argc + 2, sizeof(char *));
+@@ -2135,6 +2155,25 @@ main(int ac, char **av)
+ audit_connection_from(remote_ip, remote_port);
+ #endif
+
++#ifdef LIBWRAP
++ allow_severity = options.log_facility|LOG_INFO;
++ deny_severity = options.log_facility|LOG_WARNING;
++ /* Check whether logins are denied from this host. */
++ if (packet_connection_is_on_socket()) {
++ struct request_info req;
++
++ request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
++ fromhost(&req);
++
++ if (!hosts_access(&req)) {
++ debug("Connection refused by tcp wrapper");
++ refuse(&req);
++ /* NOTREACHED */
++ fatal("libwrap refuse returns");
++ }
++ }
++#endif /* LIBWRAP */
++
+ /* Log the connection. */
+ laddr = get_local_ipaddr(sock_in);
+ verbose("Connection from %s port %d on %s port %d",
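Review bot: `allow_severity = options.log_facility|LOG_INFO;` and the `deny_severity` line after it OR sshd's internal SyslogFacility enum value into a syslog(3) priority, but if I read servconf.h correctly that enum is not the LOG_* facility encoding syslog expects, so libwrap's messages go to a facility other than the configured SyslogFacility and small enum values can even disturb the priority bits. The practical effect is that the `refuse()` denial, which is the only non-debug record of a blocked host because the preceding `debug("Connection refused by tcp wrapper")` is debug-level, may land in an unexpected facility and be missed by log monitoring. The revived block should translate the enum through the same facility mapping log.c applies before ORing in the level, or carry a small static conversion switch in sshd.c if no such helper is exported. main() continues outside the hunk.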
diff --git a/security/openssh/patches/patch-sshpty.c b/security/openssh/patches/patch-sshpty.c
index d7d9c6efd1b..256971bde6a 100644
--- a/security/openssh/patches/patch-sshpty.c
+++ b/security/openssh/patches/patch-sshpty.c
@@ -1,19 +1,19 @@
-$NetBSD: patch-sshpty.c,v 1.1 2013/05/01 19:58:27 imil Exp $
+$NetBSD: patch-sshpty.c,v 1.2 2015/07/09 16:14:23 taca Exp $
Replace uid 0 with ROOTUID macro
---- sshpty.c.orig 2009-02-12 01:19:21.000000000 +0000
+--- sshpty.c.orig 2015-07-01 02:35:31.000000000 +0000
+++ sshpty.c
@@ -86,7 +86,7 @@ void
pty_release(const char *tty)
{
- #ifndef __APPLE_PRIVPTY__
+ #if !defined(__APPLE_PRIVPTY__) && !defined(HAVE_OPENPTY)
- if (chown(tty, (uid_t) 0, (gid_t) 0) < 0)
+ if (chown(tty, (uid_t) ROOTUID, (gid_t) ROOTGID) < 0)
error("chown %.100s 0 0 failed: %.100s", tty, strerror(errno));
if (chmod(tty, (mode_t) 0666) < 0)
error("chmod %.100s 0666 failed: %.100s", tty, strerror(errno));
-@@ -233,7 +233,7 @@ pty_setowner(struct passwd *pw, const ch
+@@ -215,7 +215,7 @@ pty_setowner(struct passwd *pw, const ch
if (st.st_uid != pw->pw_uid || st.st_gid != gid) {
if (chown(tty, pw->pw_uid, gid) < 0) {
if (errno == EROFS &&