author | taca <taca@pkgsrc.org> | 2009-05-21 03:22:29 +0000 |
---|---|---|
committer | taca <taca@pkgsrc.org> | 2009-05-21 03:22:29 +0000 |
commit | 3dd52fd75030bb2b160179c5e6d857339fe691ac (patch) | |
tree | 1a6dc6584d8ea6df92029ba54dfad8285a269f37 /security/openssh | |
parent | d7e3ddb1e5ce42b05b28883605875c01527ef850 (diff) | |
download | pkgsrc-3dd52fd75030bb2b160179c5e6d857339fe691ac.tar.gz |
Update openssh package to 5.2.1(5.2p1).
Changes since OpenSSH 5.1
=========================
Security:
* This release changes the default cipher order to prefer the AES CTR
modes and the revised "arcfour256" mode to CBC mode ciphers that are
susceptible to CPNI-957037 "Plaintext Recovery Attack Against SSH".
* This release also adds countermeasures to mitigate CPNI-957037-style
attacks against the SSH protocol's use of CBC-mode ciphers. Upon
detection of an invalid packet length or Message Authentication
Code, ssh/sshd will continue reading up to the maximum supported
packet length rather than immediately terminating the connection.
This eliminates most of the known differences in behaviour that
leaked information about the plaintext of injected data which formed
the basis of this attack. We believe that these attacks are rendered
infeasible by these changes.
New features:
* Added a -y option to ssh(1) to force logging to syslog rather than
stderr, which is useful when running daemonised (ssh -f)
* The sshd_config(5) ForceCommand directive now accepts commandline
arguments for the internal-sftp server.
* The ssh(1) ~C escape commandline now supports runtime creation of
dynamic (-D) port forwards.
* Support the SOCKS4A protocol in ssh(1) dynamic (-D) forwards.
(bz#1482)
* Support remote port forwarding with a listen port of '0'. This
informs the server that it should dynamically allocate a listen
port and report it back to the client. (bz#1003)
* sshd(8) now supports setting PermitEmptyPasswords and
AllowAgentForwarding in Match blocks
Bug and documentation fixes
* Repair a ssh(1) crash introduced in openssh-5.1 when the client is
sent a zero-length banner (bz#1496)
* Due to interoperability problems with certain
broken SSH implementations, the eow@openssh.com and
no-more-sessions@openssh.com protocol extensions are now only sent
to peers that identify themselves as OpenSSH.
* Make ssh(1) send the correct channel number for
SSH2_MSG_CHANNEL_SUCCESS and SSH2_MSG_CHANNEL_FAILURE messages to
avoid triggering 'Non-public channel' error messages on sshd(8) in
openssh-5.1.
* Avoid printing 'Non-public channel' warnings in sshd(8), since the
ssh(1) has sent incorrect channel numbers since ~2004 (this reverts
a behaviour introduced in openssh-5.1).
* Avoid double-free in ssh(1) ~C escape -L handler (bz#1539)
* Correct fail-on-error behaviour in sftp(1) batchmode for remote
stat operations. (bz#1541)
* Disable nonfunctional ssh(1) ~C escape handler in multiplex slave
connections. (bz#1543)
* Avoid hang in ssh(1) when attempting to connect to a server that
has MaxSessions=0 set.
* Multiple fixes to sshd(8) configuration test (-T) mode
* Several core and portable OpenSSH bugs fixed: 1380, 1412, 1418,
1419, 1421, 1490, 1491, 1492, 1514, 1515, 1518, 1520, 1538, 1540
* Many manual page improvements.
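How the cipher-order change in the Security notes plays out at negotiation time, as an added example that is not part of this commit or of OpenSSH: SSH selects the first cipher on the client's list that the server also accepts (RFC 4253, section 7.1), so a CBC-first client list still lands on CBC unless the server stops offering it. The two cipher lists are constructed samples, and `parse_ciphers`, `audit`, `negotiate` and `without_cbc` are hypothetical helper names.

```python
import re

# Constructed sample input (not taken from the commit): cipher lists in the
# "ciphers a,b,c" form that `sshd -T` prints and that sshd_config accepts.
CBC_FIRST = ("ciphers aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,"
             "aes128-ctr,aes192-ctr,aes256-ctr")
CTR_FIRST = """
# comment lines and unrelated keywords are skipped
port 22
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
"""


def parse_ciphers(text):
    """Return the cipher preference list from config-style text.

    The keyword is matched case-insensitively and the first occurrence wins,
    which is how sshd_config(5) treats repeated keywords.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2 and parts[0].lower() == "ciphers":
            return [c.strip() for c in parts[1].split(",") if c.strip()]
    return []


def is_cbc(name):
    """True for CBC-mode cipher names such as aes128-cbc or 3des-cbc."""
    return "-cbc" in name


def audit(ciphers):
    """Report CBC exposure in one preference list."""
    ctr_positions = [i for i, c in enumerate(ciphers) if c.endswith("-ctr")]
    first_ctr = ctr_positions[0] if ctr_positions else len(ciphers)
    return {
        # Every CBC cipher the list would accept at all.
        "cbc_offered": [c for c in ciphers if is_cbc(c)],
        # CBC ciphers ranked above the first CTR cipher (all of them if
        # the list has no CTR cipher).
        "cbc_ahead_of_ctr": [c for c in ciphers[:first_ctr] if is_cbc(c)],
        "ctr_offered": bool(ctr_positions),
    }


def negotiate(client, server):
    """First cipher on the client's list that the server also accepts."""
    accepted = set(server)
    for cipher in client:
        if cipher in accepted:
            return cipher
    return None  # no common cipher: the connection attempt fails


def without_cbc(ciphers):
    """The same preference list with every CBC-mode cipher removed."""
    return [c for c in ciphers if not is_cbc(c)]


if __name__ == "__main__":
    old_style = parse_ciphers(CBC_FIRST)
    new_style = parse_ciphers(CTR_FIRST)
    for label, lst in (("CBC-first", old_style), ("CTR-first", new_style)):
        print(label, audit(lst))
    # A CBC-first client against a server that still accepts CBC.
    print("old client, new server:", negotiate(old_style, new_style))
    # The same client once the server no longer offers CBC.
    print("old client, CBC-free server:",
          negotiate(old_style, without_cbc(new_style)))
```

The reordered default only changes what a client prefers; peers with a CBC-first list are moved off CBC only when the other side removes the CBC entries from its `Ciphers` list.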
Diffstat (limited to 'security/openssh')
-rw-r--r-- | security/openssh/Makefile | 8 |
-rw-r--r-- | security/openssh/distinfo | 46 |
-rw-r--r-- | security/openssh/options.mk | 4 |
-rw-r--r-- | security/openssh/patches/patch-aa | 18 |
-rw-r--r-- | security/openssh/patches/patch-ab | 16 |
-rw-r--r-- | security/openssh/patches/patch-ad | 16 |
-rw-r--r-- | security/openssh/patches/patch-ag | 8 |
-rw-r--r-- | security/openssh/patches/patch-ah | 10 |
-rw-r--r-- | security/openssh/patches/patch-aj | 10 |
-rw-r--r-- | security/openssh/patches/patch-ak | 10 |
-rw-r--r-- | security/openssh/patches/patch-al | 8 |
-rw-r--r-- | security/openssh/patches/patch-am | 6 |
-rw-r--r-- | security/openssh/patches/patch-an | 10 |
-rw-r--r-- | security/openssh/patches/patch-ao | 16 |
-rw-r--r-- | security/openssh/patches/patch-ap | 6 |
-rw-r--r-- | security/openssh/patches/patch-aq | 10 |
-rw-r--r-- | security/openssh/patches/patch-ar | 6 |
-rw-r--r-- | security/openssh/patches/patch-av | 18 |
-rw-r--r-- | security/openssh/patches/patch-aw | 6 |
19 files changed, 116 insertions, 116 deletions
diff --git a/security/openssh/Makefile b/security/openssh/Makefile index f496b58b631..986c4ac3c34 100644 --- a/security/openssh/Makefile +++ b/security/openssh/Makefile @@ -1,7 +1,7 @@ -# $NetBSD: Makefile,v 1.191 2009/05/01 14:27:34 zafer Exp $ +# $NetBSD: Makefile,v 1.192 2009/05/21 03:22:29 taca Exp $ -DISTNAME= openssh-5.1p1 -PKGNAME= openssh-5.1.1 +DISTNAME= openssh-5.2p1 +PKGNAME= openssh-5.2.1 SVR4_PKGNAME= ossh CATEGORIES= security MASTER_SITES= ftp://ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/ \ @@ -14,7 +14,7 @@ MASTER_SITES= ftp://ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/ \ ftp://mirror.pacific.net.au/OpenBSD/OpenSSH/portable/ # Don't delete the last entry -- it's there if the pkgsrc version is not # up-to-date and the mirrors already removed the old distfile. -DIST_SUBDIR= ${PKGBASE}-5.1.1-20080916 +DIST_SUBDIR= ${PKGBASE}-5.2.1-20090521 MAINTAINER= pkgsrc-users@NetBSD.org HOMEPAGE= http://www.openssh.com/ diff --git a/security/openssh/distinfo b/security/openssh/distinfo index 6f39c5826d3..72ed3233e3e 100644 --- a/security/openssh/distinfo +++ b/security/openssh/distinfo 
@@ -1,29 +1,29 @@ -$NetBSD: distinfo,v 1.71 2008/09/16 12:53:08 taca Exp $ +$NetBSD: distinfo,v 1.72 2009/05/21 03:22:29 taca Exp $ -SHA1 (openssh-5.1.1-20080916/openssh-5.1p1-hpn13v5.diff.gz) = c2911f04f8d46a28afa9f9cbb7ec226cb2c893d1 -RMD160 (openssh-5.1.1-20080916/openssh-5.1p1-hpn13v5.diff.gz) = 6466cd0825e80366adc1978069e3c61255e0bde7 -Size (openssh-5.1.1-20080916/openssh-5.1p1-hpn13v5.diff.gz) = 23017 bytes -SHA1 (openssh-5.1.1-20080916/openssh-5.1p1.tar.gz) = 877ea5b283060fe0160e376ea645e8e168047ff5 -RMD160 (openssh-5.1.1-20080916/openssh-5.1p1.tar.gz) = 24293ad89633cfd4791f08eb3442becb7e5788ca -Size (openssh-5.1.1-20080916/openssh-5.1p1.tar.gz) = 1040041 bytes -SHA1 (patch-aa) = 8b7a16e9a63cfff3b73d70b9cebb6627b96396e0 -SHA1 (patch-ab) = a105c238c8dc774ed6992791b131da56824869e9 +SHA1 (openssh-5.2.1-20090521/openssh-5.2p1-hpn13v6.diff.gz) = 9683d5feb3f7e302ef836901af5366df6c425815 +RMD160 (openssh-5.2.1-20090521/openssh-5.2p1-hpn13v6.diff.gz) = d647d3b0547e4d698c616f5ed6643b3ddbcced95 +Size (openssh-5.2.1-20090521/openssh-5.2p1-hpn13v6.diff.gz) = 33540 bytes +SHA1 (openssh-5.2.1-20090521/openssh-5.2p1.tar.gz) = 8273a0237db98179fbdc412207ff8eb14ff3d6de +RMD160 (openssh-5.2.1-20090521/openssh-5.2p1.tar.gz) = 7c53f342034b16e9faa9f5a09ef46390420722eb +Size (openssh-5.2.1-20090521/openssh-5.2p1.tar.gz) = 1016612 bytes +SHA1 (patch-aa) = 38546f8fd8bf6021d43cdf076ab723ad39a5f78e +SHA1 (patch-ab) = 00e7e50a35e8b3bcfa53b239b520a12498c8dca0 SHA1 (patch-ac) = ba97b23c6527311256b335c58175da9e9a3616e4 -SHA1 (patch-ad) = 7921e029b56c0e4769a7ada03dff3eb2e275db7d +SHA1 (patch-ad) = 254e11c5f56a72bf0b30bb8860e45156b3a0adf2 SHA1 (patch-ae) = 9585221f9e49b4ebea31c374066d70e11aa804a1 SHA1 (patch-af) = ca3224af0b648803404776a8c12ed678db4f8ff6 -SHA1 (patch-ag) = eeaa6e09f743405af074009ffe80678a5179ed08 -SHA1 (patch-ah) = bc0d7c2903ecf264e62b53f3864812af5f2f04ce +SHA1 (patch-ag) = b5cb0400d3cda9cb6d60dc729e54b1ffc34ec9e2 +SHA1 (patch-ah) = fa5175734678e95d05dcdcebadeb79df3ecef760 
SHA1 (patch-ai) = becad6262e5daeef2a6db14097a8971c40088403 -SHA1 (patch-aj) = 4f477f40d1d891dcda9083cec5521e80410ebd54 -SHA1 (patch-ak) = 3720afb4e95356d5310762cda881820d524dcffc -SHA1 (patch-al) = d312a068047a375e52180026554bab745efdcdb7 -SHA1 (patch-am) = 4e2278b20e87e530e1819efde976d4414e160e38 -SHA1 (patch-an) = 2f955b8891bedd79986490d282eb09acd4910250 -SHA1 (patch-ao) = a7c5a1832cb2a4584c77577fb125f84a1e9a9deb -SHA1 (patch-ap) = 3029b847ce83305e8103276e27c75e0338e1fc08 -SHA1 (patch-aq) = a619b57361b04d5ab3d41375c18f7b99d71c8b34 -SHA1 (patch-ar) = fce4dc1011a124f02b8e14980cda1d633b36aa7d +SHA1 (patch-aj) = 5c89b4a7da59f05c50c16083aa6dd6e465cd0305 +SHA1 (patch-ak) = 550eae0b47dc220dac2439f57b39b7e4319057c5 +SHA1 (patch-al) = a3906a9b6a9a15b948b8bab3a85454f2515400bd +SHA1 (patch-am) = 4893a8a059d611d35c1fb9ff03b598c590e0355e +SHA1 (patch-an) = 5b41d9493028dd4dce4a73ea78e43f3a073108e5 +SHA1 (patch-ao) = 6b64be9b230ddb634b9b5fdab22c4944ae605153 +SHA1 (patch-ap) = 041059e25d2331aace0eaa5a6c3032afb3d565b4 +SHA1 (patch-aq) = 1a7d8a4c5e70a0c6211247ba583534ed8ce317d0 +SHA1 (patch-ar) = a1099e0175a2b14f3b19db04261891179b1e3299 SHA1 (patch-au) = 6cfdfc531e2267017a15e66ea48c7ecfa2a3926f -SHA1 (patch-av) = 00f54c3fae7318b278b16bd0b01881a90bd31365 -SHA1 (patch-aw) = 2a88b7563c6f52163c6c5f716e437ecaea613a30 +SHA1 (patch-av) = 06126d8f83398aa9df8a56792ad55bc769dd2550 +SHA1 (patch-aw) = 532f2aebcb93cae5e0dd26a5faa1593a7d3a3c51 diff --git a/security/openssh/options.mk b/security/openssh/options.mk index 25b1ea42821..f5b05a73da8 100644 --- a/security/openssh/options.mk +++ b/security/openssh/options.mk @@ -1,4 +1,4 @@ -# $NetBSD: options.mk,v 1.16 2008/09/16 12:53:08 taca Exp $ +# $NetBSD: options.mk,v 1.17 2009/05/21 03:22:29 taca Exp $ .include "../../mk/bsd.prefs.mk" 
@@ -17,7 +17,7 @@ CONFIGURE_ARGS+= --with-kerberos5=${KRB5BASE:Q} .endif .if !empty(PKG_OPTIONS:Mhpn-patch) -PATCHFILES= openssh-5.1p1-hpn13v5.diff.gz +PATCHFILES= openssh-5.2p1-hpn13v6.diff.gz PATCH_SITES= http://www.psc.edu/networking/projects/hpn-ssh/ PATCH_DIST_STRIP= -p1 .endif diff --git a/security/openssh/patches/patch-aa b/security/openssh/patches/patch-aa index 20e523159f8..2efc262c042 100644 --- a/security/openssh/patches/patch-aa +++ b/security/openssh/patches/patch-aa @@ -1,8 +1,8 @@ -$NetBSD: patch-aa,v 1.43 2006/11/08 01:49:22 taca Exp $ +$NetBSD: patch-aa,v 1.44 2009/05/21 03:22:29 taca Exp $ ---- configure.orig 2006-11-07 22:07:18.000000000 +0900 +--- configure.orig 2009-02-23 09:18:14.000000000 +0900 +++ configure -@@ -5835,6 +5835,9 @@ if test "${with_rpath+set}" = set; then +@@ -5666,6 +5666,9 @@ if test "${with_rpath+set}" = set; then fi @@ -12,7 +12,7 @@ $NetBSD: patch-aa,v 1.43 2006/11/08 01:49:22 taca Exp $ # Allow user to specify flags # Check whether --with-cflags was given. -@@ -5976,6 +5979,7 @@ for ac_header in \ +@@ -5812,6 +5815,7 @@ for ac_header in \ maillock.h \ ndir.h \ net/if_tun.h \ @@ -20,7 +20,7 @@ $NetBSD: patch-aa,v 1.43 2006/11/08 01:49:22 taca Exp $ netdb.h \ netgroup.h \ pam/pam_appl.h \ -@@ -7919,6 +7923,36 @@ _ACEOF +@@ -7521,6 +7525,36 @@ _ACEOF ;; esac ;; @@ -57,7 +57,7 @@ $NetBSD: patch-aa,v 1.43 2006/11/08 01:49:22 taca Exp $ *-*-irix5*) PATH="$PATH:/usr/etc" -@@ -8524,7 +8558,7 @@ cat >>confdefs.h <<\_ACEOF +@@ -8082,7 +8116,7 @@ cat >>confdefs.h <<\_ACEOF _ACEOF ;; @@ -66,7 +66,7 @@ $NetBSD: patch-aa,v 1.43 2006/11/08 01:49:22 taca Exp $ check_for_libcrypt_later=1 cat >>confdefs.h <<\_ACEOF -@@ -32058,14 +32092,21 @@ fi +@@ -29187,14 +29221,21 @@ fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext if test -z "$conf_utmpx_location"; then if test x"$system_utmpx_path" = x"no" ; then 
@@ -92,7 +92,7 @@ $NetBSD: patch-aa,v 1.43 2006/11/08 01:49:22 taca Exp $ #define CONF_UTMPX_FILE "$conf_utmpx_location" _ACEOF -@@ -32146,14 +32187,20 @@ fi +@@ -29258,14 +29299,20 @@ fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext if test -z "$conf_wtmpx_location"; then if test x"$system_wtmpx_path" = x"no" ; then @@ -118,7 +118,7 @@ $NetBSD: patch-aa,v 1.43 2006/11/08 01:49:22 taca Exp $ #define CONF_WTMPX_FILE "$conf_wtmpx_location" _ACEOF -@@ -33386,7 +33433,7 @@ echo "OpenSSH has been configured with t +@@ -30518,7 +30565,7 @@ echo "OpenSSH has been configured with t echo " User binaries: $B" echo " System binaries: $C" echo " Configuration files: $D" diff --git a/security/openssh/patches/patch-ab b/security/openssh/patches/patch-ab index 102af7061a3..45f6cd22c7d 100644 --- a/security/openssh/patches/patch-ab +++ b/security/openssh/patches/patch-ab @@ -1,8 +1,8 @@ -$NetBSD: patch-ab,v 1.25 2006/11/08 01:49:22 taca Exp $ +$NetBSD: patch-ab,v 1.26 2009/05/21 03:22:29 taca Exp $ ---- configure.ac.orig 2006-10-07 08:07:21.000000000 +0900 +--- configure.ac.orig 2009-02-16 13:37:03.000000000 +0900 +++ configure.ac -@@ -127,6 +127,9 @@ AC_ARG_WITH(rpath, +@@ -191,6 +191,9 @@ AC_ARG_WITH(rpath, ] ) @@ -12,7 +12,7 @@ $NetBSD: patch-ab,v 1.25 2006/11/08 01:49:22 taca Exp $ # Allow user to specify flags AC_ARG_WITH(cflags, [ --with-cflags Specify additional flags to pass to compiler], -@@ -194,6 +197,7 @@ AC_CHECK_HEADERS( \ +@@ -258,6 +261,7 @@ AC_CHECK_HEADERS( \ maillock.h \ ndir.h \ net/if_tun.h \ @@ -20,7 +20,7 @@ $NetBSD: patch-ab,v 1.25 2006/11/08 01:49:22 taca Exp $ netdb.h \ netgroup.h \ pam/pam_appl.h \ -@@ -454,6 +458,15 @@ main() { if (NSVersionOfRunTimeLibrary(" +@@ -531,6 +535,15 @@ main() { if (NSVersionOfRunTimeLibrary(" ;; esac ;; 
@@ -36,7 +36,7 @@ $NetBSD: patch-ab,v 1.25 2006/11/08 01:49:22 taca Exp $ *-*-irix5*) PATH="$PATH:/usr/etc" AC_DEFINE(BROKEN_INET_NTOA, 1, -@@ -3876,9 +3889,17 @@ AC_TRY_COMPILE([ +@@ -4063,9 +4076,17 @@ AC_TRY_COMPILE([ ) if test -z "$conf_utmpx_location"; then if test x"$system_utmpx_path" = x"no" ; then @@ -56,7 +56,7 @@ $NetBSD: patch-ab,v 1.25 2006/11/08 01:49:22 taca Exp $ AC_DEFINE_UNQUOTED(CONF_UTMPX_FILE, "$conf_utmpx_location", [Define if you want to specify the path to your utmpx file]) fi -@@ -3902,9 +3923,17 @@ AC_TRY_COMPILE([ +@@ -4089,9 +4110,17 @@ AC_TRY_COMPILE([ ) if test -z "$conf_wtmpx_location"; then if test x"$system_wtmpx_path" = x"no" ; then @@ -76,7 +76,7 @@ $NetBSD: patch-ab,v 1.25 2006/11/08 01:49:22 taca Exp $ AC_DEFINE_UNQUOTED(CONF_WTMPX_FILE, "$conf_wtmpx_location", [Define if you want to specify the path to your wtmpx file]) fi -@@ -3944,7 +3973,7 @@ echo "OpenSSH has been configured with t +@@ -4138,7 +4167,7 @@ echo "OpenSSH has been configured with t echo " User binaries: $B" echo " System binaries: $C" echo " Configuration files: $D" diff --git a/security/openssh/patches/patch-ad b/security/openssh/patches/patch-ad index 12ae915a4e4..0e40539f65d 100644 --- a/security/openssh/patches/patch-ad +++ b/security/openssh/patches/patch-ad @@ -1,8 +1,8 @@ -$NetBSD: patch-ad,v 1.12 2006/10/31 03:31:20 taca Exp $ +$NetBSD: patch-ad,v 1.13 2009/05/21 03:22:29 taca Exp $ ---- loginrec.c.orig 2006-09-07 21:57:54.000000000 +0900 +--- loginrec.c.orig 2009-02-12 11:12:22.000000000 +0900 +++ loginrec.c -@@ -430,8 +430,8 @@ login_set_addr(struct logininfo *li, con +@@ -431,8 +431,8 @@ login_set_addr(struct logininfo *li, con int login_write(struct logininfo *li) { 
@@ -13,7 +13,7 @@ $NetBSD: patch-ad,v 1.12 2006/10/31 03:31:20 taca Exp $ logit("Attempt to write login records by non-root user (aborting)"); return (1); } -@@ -439,7 +439,7 @@ login_write(struct logininfo *li) +@@ -440,7 +440,7 @@ login_write(struct logininfo *li) /* set the timestamp */ login_set_current_time(li); @@ -22,7 +22,7 @@ $NetBSD: patch-ad,v 1.12 2006/10/31 03:31:20 taca Exp $ syslogin_write_entry(li); #endif #ifdef USE_LASTLOG -@@ -619,7 +619,7 @@ line_abbrevname(char *dst, const char *s +@@ -620,7 +620,7 @@ line_abbrevname(char *dst, const char *s ** into account. **/ @@ -31,7 +31,7 @@ $NetBSD: patch-ad,v 1.12 2006/10/31 03:31:20 taca Exp $ /* build the utmp structure */ void -@@ -756,10 +756,6 @@ construct_utmpx(struct logininfo *li, st +@@ -757,10 +757,6 @@ construct_utmpx(struct logininfo *li, st set_utmpx_time(li, utx); utx->ut_pid = li->pid; @@ -42,7 +42,7 @@ $NetBSD: patch-ad,v 1.12 2006/10/31 03:31:20 taca Exp $ if (li->type == LTYPE_LOGOUT) return; -@@ -768,6 +764,8 @@ construct_utmpx(struct logininfo *li, st +@@ -769,6 +765,8 @@ construct_utmpx(struct logininfo *li, st * for logouts. */ @@ -51,7 +51,7 @@ $NetBSD: patch-ad,v 1.12 2006/10/31 03:31:20 taca Exp $ # ifdef HAVE_HOST_IN_UTMPX strncpy(utx->ut_host, li->hostname, MIN_SIZEOF(utx->ut_host, li->hostname)); -@@ -1397,7 +1395,7 @@ wtmpx_get_entry(struct logininfo *li) +@@ -1398,7 +1396,7 @@ wtmpx_get_entry(struct logininfo *li) ** Low-level libutil login() functions **/ diff --git a/security/openssh/patches/patch-ag b/security/openssh/patches/patch-ag index 60451e45489..63f28b8fe7d 100644 --- a/security/openssh/patches/patch-ag +++ b/security/openssh/patches/patch-ag 
@@ -1,8 +1,8 @@ -$NetBSD: patch-ag,v 1.10 2008/09/16 12:53:08 taca Exp $ +$NetBSD: patch-ag,v 1.11 2009/05/21 03:22:29 taca Exp $ ---- config.h.in.orig 2008-07-21 17:30:49.000000000 +0900 +--- config.h.in.orig 2009-02-23 09:18:12.000000000 +0900 +++ config.h.in -@@ -506,6 +506,9 @@ +@@ -509,6 +509,9 @@ /* define if you have int64_t data type */ #undef HAVE_INT64_T @@ -12,7 +12,7 @@ $NetBSD: patch-ag,v 1.10 2008/09/16 12:53:08 taca Exp $ /* Define to 1 if you have the <inttypes.h> header file. */ #undef HAVE_INTTYPES_H -@@ -623,6 +626,9 @@ +@@ -626,6 +629,9 @@ /* Define to 1 if you have the <net/if_tun.h> header file. */ #undef HAVE_NET_IF_TUN_H diff --git a/security/openssh/patches/patch-ah b/security/openssh/patches/patch-ah index 0899809e42a..abdd6769d4e 100644 --- a/security/openssh/patches/patch-ah +++ b/security/openssh/patches/patch-ah @@ -1,8 +1,8 @@ -$NetBSD: patch-ah,v 1.24 2006/10/31 03:31:20 taca Exp $ +$NetBSD: patch-ah,v 1.25 2009/05/21 03:22:29 taca Exp $ ---- Makefile.in.orig 2006-09-12 20:54:10.000000000 +0900 +--- Makefile.in.orig 2008-11-05 14:20:46.000000000 +0900 +++ Makefile.in -@@ -21,7 +21,7 @@ top_srcdir=@top_srcdir@ +@@ -22,7 +22,7 @@ top_srcdir=@top_srcdir@ DESTDIR= VPATH=@srcdir@ SSH_PROGRAM=@bindir@/ssh @@ -11,7 +11,7 @@ $NetBSD: patch-ah,v 1.24 2006/10/31 03:31:20 taca Exp $ SFTP_SERVER=$(libexecdir)/sftp-server SSH_KEYSIGN=$(libexecdir)/ssh-keysign RAND_HELPER=$(libexecdir)/ssh-rand-helper -@@ -234,7 +234,7 @@ distprep: catman-do +@@ -233,7 +233,7 @@ distprep: catman-do (cd scard && $(MAKE) -f Makefile.in distprep) install: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config @@ -20,7 +20,7 @@ $NetBSD: patch-ah,v 1.24 2006/10/31 03:31:20 taca Exp $ install-nosysconf: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files check-config: -@@ -243,7 +243,7 @@ check-config: +@@ -242,7 +242,7 @@ check-config: scard-install: (cd scard && $(MAKE) DESTDIR=$(DESTDIR) install) 
diff --git a/security/openssh/patches/patch-aj b/security/openssh/patches/patch-aj index e403be88acf..d9d31a4e589 100644 --- a/security/openssh/patches/patch-aj +++ b/security/openssh/patches/patch-aj @@ -1,8 +1,8 @@ -$NetBSD: patch-aj,v 1.7 2006/10/31 03:31:20 taca Exp $ +$NetBSD: patch-aj,v 1.8 2009/05/21 03:22:29 taca Exp $ ---- auth-rhosts.c.orig 2006-08-05 11:39:39.000000000 +0900 +--- auth-rhosts.c.orig 2008-06-14 08:01:25.000000000 +0900 +++ auth-rhosts.c -@@ -212,7 +212,7 @@ auth_rhosts2_raw(struct passwd *pw, cons +@@ -230,7 +230,7 @@ auth_rhosts2_raw(struct passwd *pw, cons return 0; /* If not logging in as superuser, try /etc/hosts.equiv and shosts.equiv. */ @@ -11,7 +11,7 @@ $NetBSD: patch-aj,v 1.7 2006/10/31 03:31:20 taca Exp $ if (check_rhosts_file(_PATH_RHOSTS_EQUIV, hostname, ipaddr, client_user, pw->pw_name)) { auth_debug_add("Accepted for %.100s [%.100s] by /etc/hosts.equiv.", -@@ -238,7 +238,7 @@ auth_rhosts2_raw(struct passwd *pw, cons +@@ -256,7 +256,7 @@ auth_rhosts2_raw(struct passwd *pw, cons return 0; } if (options.strict_modes && @@ -20,7 +20,7 @@ $NetBSD: patch-aj,v 1.7 2006/10/31 03:31:20 taca Exp $ (st.st_mode & 022) != 0)) { logit("Rhosts authentication refused for %.100s: " "bad ownership or modes for home directory.", pw->pw_name); -@@ -265,7 +265,7 @@ auth_rhosts2_raw(struct passwd *pw, cons +@@ -283,7 +283,7 @@ auth_rhosts2_raw(struct passwd *pw, cons * allowing access to their account by anyone. */ if (options.strict_modes && diff --git a/security/openssh/patches/patch-ak b/security/openssh/patches/patch-ak index 8f219befee9..a4c009b6204 100644 --- a/security/openssh/patches/patch-ak +++ b/security/openssh/patches/patch-ak 
@@ -1,8 +1,8 @@ -$NetBSD: patch-ak,v 1.8 2006/10/31 03:31:20 taca Exp $ +$NetBSD: patch-ak,v 1.9 2009/05/21 03:22:29 taca Exp $ ---- auth.c.orig 2006-09-07 09:36:43.000000000 +0900 +--- auth.c.orig 2008-11-05 14:12:54.000000000 +0900 +++ auth.c -@@ -377,7 +377,7 @@ check_key_in_hostfiles(struct passwd *pw +@@ -378,7 +378,7 @@ check_key_in_hostfiles(struct passwd *pw user_hostfile = tilde_expand_filename(userfile, pw->pw_uid); if (options.strict_modes && (stat(user_hostfile, &st) == 0) && @@ -11,7 +11,7 @@ $NetBSD: patch-ak,v 1.8 2006/10/31 03:31:20 taca Exp $ (st.st_mode & 022) != 0)) { logit("Authentication refused for %.100s: " "bad owner or modes for %.200s", -@@ -430,7 +430,7 @@ secure_filename(FILE *f, const char *fil +@@ -431,7 +431,7 @@ secure_filename(FILE *f, const char *fil /* check the open file to avoid races */ if (fstat(fileno(f), &st) < 0 || @@ -20,7 +20,7 @@ $NetBSD: patch-ak,v 1.8 2006/10/31 03:31:20 taca Exp $ (st.st_mode & 022) != 0) { snprintf(err, errlen, "bad ownership or modes for file %s", buf); -@@ -447,7 +447,7 @@ secure_filename(FILE *f, const char *fil +@@ -448,7 +448,7 @@ secure_filename(FILE *f, const char *fil debug3("secure_filename: checking '%s'", buf); if (stat(buf, &st) < 0 || diff --git a/security/openssh/patches/patch-al b/security/openssh/patches/patch-al index 3e8b49202b2..67fa78f21c0 100644 --- a/security/openssh/patches/patch-al +++ b/security/openssh/patches/patch-al @@ -1,8 +1,8 @@ -$NetBSD: patch-al,v 1.7 2006/10/31 03:31:20 taca Exp $ +$NetBSD: patch-al,v 1.8 2009/05/21 03:22:29 taca Exp $ ---- auth1.c.orig 2006-09-01 14:38:36.000000000 +0900 +--- auth1.c.orig 2008-07-09 19:54:05.000000000 +0900 +++ auth1.c -@@ -325,7 +325,7 @@ do_authloop(Authctxt *authctxt) +@@ -328,7 +328,7 @@ do_authloop(Authctxt *authctxt) } #else /* Special handling for root */ 
@@ -11,7 +11,7 @@ $NetBSD: patch-al,v 1.7 2006/10/31 03:31:20 taca Exp $ !auth_root_allowed(meth->name)) { authenticated = 0; # ifdef SSH_AUDIT_EVENTS -@@ -423,8 +423,8 @@ do_authentication(Authctxt *authctxt) +@@ -426,8 +426,8 @@ do_authentication(Authctxt *authctxt) * If we are not running as root, the user must have the same uid as * the server. */ diff --git a/security/openssh/patches/patch-am b/security/openssh/patches/patch-am index 6b4cf1f9a92..9a45a833bb9 100644 --- a/security/openssh/patches/patch-am +++ b/security/openssh/patches/patch-am @@ -1,8 +1,8 @@ -$NetBSD: patch-am,v 1.7 2006/10/31 03:31:20 taca Exp $ +$NetBSD: patch-am,v 1.8 2009/05/21 03:22:29 taca Exp $ ---- auth2.c.orig 2006-08-05 11:39:39.000000000 +0900 +--- auth2.c.orig 2008-11-05 14:20:46.000000000 +0900 +++ auth2.c -@@ -223,7 +223,7 @@ userauth_finish(Authctxt *authctxt, int +@@ -298,7 +298,7 @@ userauth_finish(Authctxt *authctxt, int authctxt->user); /* Special handling for root */ diff --git a/security/openssh/patches/patch-an b/security/openssh/patches/patch-an index dac9e7edfe6..d837aea414e 100644 --- a/security/openssh/patches/patch-an +++ b/security/openssh/patches/patch-an @@ -1,8 +1,8 @@ -$NetBSD: patch-an,v 1.9 2007/03/18 12:38:45 taca Exp $ +$NetBSD: patch-an,v 1.10 2009/05/21 03:22:29 taca Exp $ ---- scp.c.orig 2007-03-18 16:27:26.000000000 +0900 +--- scp.c.orig 2008-11-03 17:23:45.000000000 +0900 +++ scp.c -@@ -377,7 +377,11 @@ main(int argc, char **argv) +@@ -390,7 +390,11 @@ main(int argc, char **argv) argc -= optind; argv += optind; @@ -14,7 +14,7 @@ $NetBSD: patch-an,v 1.9 2007/03/18 12:38:45 taca Exp $ fatal("unknown user %u", (u_int) userid); if (!isatty(STDOUT_FILENO)) -@@ -724,8 +728,10 @@ rsource(char *name, struct stat *statp) +@@ -782,8 +786,10 @@ rsource(char *name, struct stat *statp) return; } while ((dp = readdir(dirp)) != NULL) { 
@@ -25,7 +25,7 @@ $NetBSD: patch-an,v 1.9 2007/03/18 12:38:45 taca Exp $ if (!strcmp(dp->d_name, ".") || !strcmp(dp->d_name, "..")) continue; if (strlen(name) + 1 + strlen(dp->d_name) >= sizeof(path) - 1) { -@@ -1175,7 +1181,9 @@ okname(char *cp0) +@@ -1233,7 +1239,9 @@ okname(char *cp0) case '\'': case '"': case '`': diff --git a/security/openssh/patches/patch-ao b/security/openssh/patches/patch-ao index 6823d1e0080..2d3931130a0 100644 --- a/security/openssh/patches/patch-ao +++ b/security/openssh/patches/patch-ao @@ -1,12 +1,12 @@ -$NetBSD: patch-ao,v 1.12 2008/04/27 00:34:27 tnn Exp $ +$NetBSD: patch-ao,v 1.13 2009/05/21 03:22:29 taca Exp $ One more replacing 0 with ROOTUID is handled by using SUBST framework because patch can't handle it when hpn-patch option is enabled. So, don't simply update this file with mkpatch command. ---- session.c.orig 2008-03-27 01:03:05.000000000 +0100 +--- session.c.orig 2009-01-28 14:29:49.000000000 +0900 +++ session.c -@@ -955,7 +955,7 @@ read_etc_default_login(char ***env, u_in +@@ -1068,7 +1068,7 @@ read_etc_default_login(char ***env, u_in if (tmpenv == NULL) return; @@ -15,7 +15,7 @@ So, don't simply update this file with mkpatch command. var = child_get_env(tmpenv, "SUPATH"); else var = child_get_env(tmpenv, "PATH"); -@@ -1064,7 +1064,7 @@ do_setup_env(Session *s, const char *she +@@ -1177,7 +1177,7 @@ do_setup_env(Session *s, const char *she # endif /* HAVE_ETC_DEFAULT_LOGIN */ if (path == NULL || *path == '\0') { child_set_env(&env, &envsize, "PATH", @@ -24,7 +24,7 @@ So, don't simply update this file with mkpatch command. SUPERUSER_PATH : _PATH_STDPATH); } # endif /* HAVE_CYGWIN */ -@@ -1178,6 +1178,18 @@ do_setup_env(Session *s, const char *she +@@ -1291,6 +1291,18 @@ do_setup_env(Session *s, const char *she strcmp(pw->pw_dir, "/") ? pw->pw_dir : ""); read_environment_file(&env, &envsize, buf); } 
@@ -43,7 +43,7 @@ So, don't simply update this file with mkpatch command. if (debug_flag) { /* dump the environment */ fprintf(stderr, "Environment:\n"); -@@ -1351,9 +1363,9 @@ do_setusercontext(struct passwd *pw) +@@ -1464,9 +1476,9 @@ do_setusercontext(struct passwd *pw) (void)ssh_selinux_enabled(); #endif @@ -55,7 +55,7 @@ So, don't simply update this file with mkpatch command. { #ifdef HAVE_SETPCRED -@@ -1387,11 +1399,13 @@ do_setusercontext(struct passwd *pw) +@@ -1500,11 +1512,13 @@ do_setusercontext(struct passwd *pw) perror("setgid"); exit(1); } @@ -69,7 +69,7 @@ So, don't simply update this file with mkpatch command. endgrent(); # ifdef USE_PAM /* -@@ -2175,7 +2189,7 @@ session_pty_cleanup2(Session *s) +@@ -2328,7 +2342,7 @@ session_pty_cleanup2(Session *s) record_logout(s->pid, s->tty, s->pw->pw_name); /* Release the pseudo-tty. */ diff --git a/security/openssh/patches/patch-ap b/security/openssh/patches/patch-ap index 3b982f750a3..70377e9c4a1 100644 --- a/security/openssh/patches/patch-ap +++ b/security/openssh/patches/patch-ap @@ -1,8 +1,8 @@ -$NetBSD: patch-ap,v 1.9 2008/04/27 00:34:27 tnn Exp $ +$NetBSD: patch-ap,v 1.10 2009/05/21 03:22:29 taca Exp $ ---- ssh.c.orig 2008-02-28 09:13:52.000000000 +0100 +--- ssh.c.orig 2009-02-14 14:28:21.000000000 +0900 +++ ssh.c -@@ -693,7 +693,7 @@ main(int ac, char **av) +@@ -702,7 +702,7 @@ main(int ac, char **av) if (ssh_connect(host, &hostaddr, options.port, options.address_family, options.connection_attempts, &timeout_ms, options.tcp_keep_alive, diff --git a/security/openssh/patches/patch-aq b/security/openssh/patches/patch-aq index 2501dc65c6e..ed29d3f1d2a 100644 --- a/security/openssh/patches/patch-aq +++ b/security/openssh/patches/patch-aq 
@@ -1,17 +1,17 @@ -$NetBSD: patch-aq,v 1.6 2006/10/31 03:31:20 taca Exp $ +$NetBSD: patch-aq,v 1.7 2009/05/21 03:22:29 taca Exp $ ---- sshpty.c.orig 2006-08-05 11:39:41.000000000 +0900 +--- sshpty.c.orig 2009-02-12 10:19:21.000000000 +0900 +++ sshpty.c -@@ -78,7 +78,7 @@ pty_allocate(int *ptyfd, int *ttyfd, cha - void +@@ -86,7 +86,7 @@ void pty_release(const char *tty) { + #ifndef __APPLE_PRIVPTY__ - if (chown(tty, (uid_t) 0, (gid_t) 0) < 0) + if (chown(tty, (uid_t) ROOTUID, (gid_t) ROOTGID) < 0) error("chown %.100s 0 0 failed: %.100s", tty, strerror(errno)); if (chmod(tty, (mode_t) 0666) < 0) error("chmod %.100s 0666 failed: %.100s", tty, strerror(errno)); -@@ -224,7 +224,7 @@ pty_setowner(struct passwd *pw, const ch +@@ -233,7 +233,7 @@ pty_setowner(struct passwd *pw, const ch if (st.st_uid != pw->pw_uid || st.st_gid != gid) { if (chown(tty, pw->pw_uid, gid) < 0) { if (errno == EROFS && diff --git a/security/openssh/patches/patch-ar b/security/openssh/patches/patch-ar index b60e7466dae..3c6d715a04f 100644 --- a/security/openssh/patches/patch-ar +++ b/security/openssh/patches/patch-ar @@ -1,6 +1,6 @@ -$NetBSD: patch-ar,v 1.7 2006/10/31 03:31:20 taca Exp $ +$NetBSD: patch-ar,v 1.8 2009/05/21 03:22:29 taca Exp $ ---- uidswap.c.orig 2006-08-05 11:39:41.000000000 +0900 +--- uidswap.c.orig 2009-01-21 14:04:24.000000000 +0900 +++ uidswap.c @@ -66,13 +66,13 @@ temporarily_use_uid(struct passwd *pw) (u_int)pw->pw_uid, (u_int)pw->pw_gid, @@ -64,7 +64,7 @@ $NetBSD: patch-ar,v 1.7 2006/10/31 03:31:20 taca Exp $ #if defined(HAVE_SETRESGID) && !defined(BROKEN_SETRESGID) if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) < 0) fatal("setresgid %u: %.100s", (u_int)pw->pw_gid, strerror(errno)); -@@ -268,6 +278,7 @@ permanently_set_uid(struct passwd *pw) +@@ -278,6 +288,7 @@ permanently_set_uid(struct passwd *pw) (setuid(old_uid) != -1 || seteuid(old_uid) != -1)) fatal("%s: was able to restore old [e]uid", __func__); #endif 
diff --git a/security/openssh/patches/patch-av b/security/openssh/patches/patch-av index b029a71e43f..3e06c1b1ccd 100644 --- a/security/openssh/patches/patch-av +++ b/security/openssh/patches/patch-av @@ -1,8 +1,8 @@ -$NetBSD: patch-av,v 1.6 2006/11/21 17:43:56 tv Exp $ +$NetBSD: patch-av,v 1.7 2009/05/21 03:22:29 taca Exp $ ---- sshd.c.orig 2006-10-29 17:01:29.000000000 +0900 +--- sshd.c.orig 2009-01-28 14:31:23.000000000 +0900 +++ sshd.c -@@ -232,7 +232,11 @@ int *startup_pipes = NULL; +@@ -234,7 +234,11 @@ int *startup_pipes = NULL; int startup_pipe; /* in child */ /* variables used for privilege separation */ @@ -14,7 +14,7 @@ $NetBSD: patch-av,v 1.6 2006/11/21 17:43:56 tv Exp $ struct monitor *pmonitor = NULL; /* global authentication context */ -@@ -608,10 +612,15 @@ privsep_preauth_child(void) +@@ -604,10 +608,15 @@ privsep_preauth_child(void) /* XXX not ready, too heavy after chroot */ do_setusercontext(privsep_pw); #else @@ -30,7 +30,7 @@ $NetBSD: patch-av,v 1.6 2006/11/21 17:43:56 tv Exp $ #endif } -@@ -651,7 +660,7 @@ privsep_preauth(Authctxt *authctxt) +@@ -647,7 +656,7 @@ privsep_preauth(Authctxt *authctxt) close(pmonitor->m_sendfd); /* Demote the child */ @@ -39,7 +39,7 @@ $NetBSD: patch-av,v 1.6 2006/11/21 17:43:56 tv Exp $ privsep_preauth_child(); setproctitle("%s", "[net]"); } -@@ -664,7 +673,7 @@ privsep_postauth(Authctxt *authctxt) +@@ -662,7 +671,7 @@ privsep_postauth(Authctxt *authctxt) #ifdef DISABLE_FD_PASSING if (1) { #else @@ -48,7 +48,7 @@ $NetBSD: patch-av,v 1.6 2006/11/21 17:43:56 tv Exp $ #endif /* File descriptor passing is broken or root login */ use_privsep = 0; -@@ -1256,8 +1265,10 @@ main(int ac, char **av) +@@ -1272,8 +1281,10 @@ main(int ac, char **av) av = saved_argv; #endif 
@@ -60,7 +60,7 @@ $NetBSD: patch-av,v 1.6 2006/11/21 17:43:56 tv Exp $ /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ sanitise_stdfd(); -@@ -1519,7 +1530,7 @@ main(int ac, char **av) +@@ -1577,7 +1588,7 @@ main(int ac, char **av) (st.st_uid != getuid () || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)) #else @@ -69,7 +69,7 @@ $NetBSD: patch-av,v 1.6 2006/11/21 17:43:56 tv Exp $ #endif fatal("%s must be owned by root and not group or " "world-writable.", _PATH_PRIVSEP_CHROOT_DIR); -@@ -1536,8 +1547,10 @@ main(int ac, char **av) +@@ -1601,8 +1612,10 @@ main(int ac, char **av) * to create a file, and we can't control the code in every * module which might be used). */ diff --git a/security/openssh/patches/patch-aw b/security/openssh/patches/patch-aw index 3af175388fb..c61742928c9 100644 --- a/security/openssh/patches/patch-aw +++ b/security/openssh/patches/patch-aw @@ -1,8 +1,8 @@ -$NetBSD: patch-aw,v 1.2 2006/10/31 03:31:20 taca Exp $ +$NetBSD: patch-aw,v 1.3 2009/05/21 03:22:29 taca Exp $ ---- openbsd-compat/port-tun.c.orig 2006-09-02 14:32:40.000000000 +0900 +--- openbsd-compat/port-tun.c.orig 2008-05-19 14:28:36.000000000 +0900 +++ openbsd-compat/port-tun.c -@@ -109,6 +109,10 @@ sys_tun_open(int tun, int mode) +@@ -110,6 +110,10 @@ sys_tun_open(int tun, int mode) #include <sys/socket.h> #include <net/if.h> |
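Review bot: In the patch-aq hunk for sshpty.c pty_release(), the chown() call now passes ROOTUID and ROOTGID, but the error() text on the following line still hardcodes "chown %.100s 0 0 failed". On a platform where ROOTUID or ROOTGID is not 0 the log will misreport the ids that were attempted. Suggest formatting the actual values into the message, for example with two %u conversions fed by (u_int)ROOTUID and (u_int)ROOTGID.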
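Review bot: The patch-ao header states that one more 0-to-ROOTUID replacement in session.c is done through the SUBST framework because patch cannot handle it when the hpn-patch option is enabled, yet the two Makefile hunks in this commit touch only DISTNAME/PKGNAME and DIST_SUBDIR. The session.c hunk offsets moved by more than a hundred lines in this update (for example 955 to 1068) and options.mk switches the hpn patch from hpn13v5 to hpn13v6, so please confirm the SUBST pattern still matches the 5.2p1 source both with and without hpn-patch. If it no longer matches, a literal 0 uid comparison is left behind with no build failure to flag it.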
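Review bot: The options.mk hunk bumps PATCHFILES from openssh-5.1p1-hpn13v5.diff.gz to openssh-5.2p1-hpn13v6.diff.gz, and distinfo records the new patch at 33540 bytes against 23017 bytes before, but the commit message lists only the upstream OpenSSH 5.2 changes. This is third-party code fetched from an http:// PATCH_SITES URL and applied with -p1 to ssh and sshd whenever the hpn-patch option is on, so the log should say that the HPN patch was updated as well and to which version.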