author | taca <taca@pkgsrc.org> | 2008-09-16 12:53:08 +0000 |
---|---|---|
committer | taca <taca@pkgsrc.org> | 2008-09-16 12:53:08 +0000 |
commit | 847296952ef9a1b4ce3bf9ad00af2f37c029e25b (patch) | |
tree | 1eeff042b564017126523aec8e4b30c46bb85ef6 /security/openssh | |
parent | e04b0abdc979370542a7de40b1a015b2dd9707fd (diff) | |
download | pkgsrc-847296952ef9a1b4ce3bf9ad00af2f37c029e25b.tar.gz |
Update openssh package to 5.1.1 (5.1p1)
Changes from OpenSSH 5.0 are too numerous to list here; please refer to the
release notes: http://www.openssh.com/txt/release-5.1.
I quote only the Security section from the release notes.
Security:
* sshd(8): Avoid X11 man-in-the-middle attack on HP/UX (and possibly
other platforms) when X11UseLocalhost=no
When attempting to bind(2) to a port that has previously been bound
with SO_REUSEADDR set, most operating systems check that either the
effective user-id matches the previous bind (common on BSD-derived
systems) or that the bind addresses do not overlap (Linux and
Solaris).
Some operating systems, such as HP/UX, do not perform these checks
and are vulnerable to an X11 man-in-the-middle attack when the
sshd_config(5) option X11UseLocalhost has been set to "no" - an
attacker may establish a more-specific bind, which will be used in
preference to sshd's wildcard listener.
Modern BSD operating systems, Linux, OS X and Solaris implement the
above checks and are not vulnerable to this attack, nor are systems
where the X11UseLocalhost has been left at the default value of
"yes".
Portable OpenSSH 5.1 avoids this problem for all operating systems
by not setting SO_REUSEADDR when X11UseLocalhost is set to no.
This vulnerability was reported by sway2004009 AT hotmail.com.
Diffstat (limited to 'security/openssh')
-rw-r--r-- | security/openssh/Makefile | 9 | ||||
-rw-r--r-- | security/openssh/PLIST | 3 | ||||
-rw-r--r-- | security/openssh/distinfo | 21 | ||||
-rw-r--r-- | security/openssh/options.mk | 4 | ||||
-rw-r--r-- | security/openssh/patches/patch-ac | 17 | ||||
-rw-r--r-- | security/openssh/patches/patch-ag | 16 | ||||
-rw-r--r-- | security/openssh/patches/patch-as | 20 | ||||
-rw-r--r-- | security/openssh/patches/patch-at | 38 | ||||
-rw-r--r-- | security/openssh/patches/patch-ax | 10 |
9 files changed, 28 insertions, 110 deletions
diff --git a/security/openssh/Makefile b/security/openssh/Makefile
index 189243b0782..ab846109db8 100644
--- a/security/openssh/Makefile
+++ b/security/openssh/Makefile
@@ -1,8 +1,7 @@
-# $NetBSD: Makefile,v 1.189 2008/07/24 16:25:47 tnn Exp $
+# $NetBSD: Makefile,v 1.190 2008/09/16 12:53:08 taca Exp $
-DISTNAME= openssh-5.0p1
-PKGNAME= openssh-5.0.1
-PKGREVISION= 1
+DISTNAME= openssh-5.1p1
+PKGNAME= openssh-5.1.1
 SVR4_PKGNAME= ossh
 CATEGORIES= security
 MASTER_SITES= ftp://ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/ \
@@ -12,7 +11,7 @@ MASTER_SITES= ftp://ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/ \
 ftp://ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/old/
 # Don't delete the last entry -- it's there if the pkgsrc version is not
 # up-to-date and the mirrors already removed the old distfile.
-DIST_SUBDIR= ${PKGBASE}-5.0.1-20080427
+DIST_SUBDIR= ${PKGBASE}-5.1.1-20080916
 MAINTAINER= pkgsrc-users@NetBSD.org
 HOMEPAGE= http://www.openssh.com/
diff --git a/security/openssh/PLIST b/security/openssh/PLIST
index 67b676b309a..90d752b64cb 100644
--- a/security/openssh/PLIST
+++ b/security/openssh/PLIST
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.11 2005/07/28 16:31:13 reed Exp $
+@comment $NetBSD: PLIST,v 1.12 2008/09/16 12:53:08 taca Exp $
 bin/scp
 bin/sftp
 bin/slogin
@@ -17,6 +17,7 @@ man/man1/ssh-agent.1
 man/man1/ssh-keygen.1
 man/man1/ssh-keyscan.1
 man/man1/ssh.1
+man/man5/moduli.5
 man/man5/ssh_config.5
 man/man5/sshd_config.5
 man/man8/sftp-server.8
diff --git a/security/openssh/distinfo b/security/openssh/distinfo
index 05f12a29452..6f39c5826d3 100644
--- a/security/openssh/distinfo
+++ b/security/openssh/distinfo
@@ -1,18 +1,18 @@
-$NetBSD: distinfo,v 1.70 2008/07/24 16:25:47 tnn Exp $
+$NetBSD: distinfo,v 1.71 2008/09/16 12:53:08 taca Exp $
-SHA1 (openssh-5.0.1-20080427/openssh-5.0p1-hpn13v3.diff.gz) = 688265249dfaa449283ddfae2f81a9b6e3507f86
-RMD160 (openssh-5.0.1-20080427/openssh-5.0p1-hpn13v3.diff.gz) = d4baca41f6212036b513173835de6e1081d49ac8
-Size (openssh-5.0.1-20080427/openssh-5.0p1-hpn13v3.diff.gz) = 24060 bytes
-SHA1 (openssh-5.0.1-20080427/openssh-5.0p1.tar.gz) = 121cea3a730c0b0353334b6f46f438de30ab4928
-RMD160 (openssh-5.0.1-20080427/openssh-5.0p1.tar.gz) = b813234014e339fe2d9d10a5adad9f8e065918fc
-Size (openssh-5.0.1-20080427/openssh-5.0p1.tar.gz) = 1011556 bytes
+SHA1 (openssh-5.1.1-20080916/openssh-5.1p1-hpn13v5.diff.gz) = c2911f04f8d46a28afa9f9cbb7ec226cb2c893d1
+RMD160 (openssh-5.1.1-20080916/openssh-5.1p1-hpn13v5.diff.gz) = 6466cd0825e80366adc1978069e3c61255e0bde7
+Size (openssh-5.1.1-20080916/openssh-5.1p1-hpn13v5.diff.gz) = 23017 bytes
+SHA1 (openssh-5.1.1-20080916/openssh-5.1p1.tar.gz) = 877ea5b283060fe0160e376ea645e8e168047ff5
+RMD160 (openssh-5.1.1-20080916/openssh-5.1p1.tar.gz) = 24293ad89633cfd4791f08eb3442becb7e5788ca
+Size (openssh-5.1.1-20080916/openssh-5.1p1.tar.gz) = 1040041 bytes
 SHA1 (patch-aa) = 8b7a16e9a63cfff3b73d70b9cebb6627b96396e0
 SHA1 (patch-ab) = a105c238c8dc774ed6992791b131da56824869e9
-SHA1 (patch-ac) = dfb054ef02fbb5d206f6adaf82944f16da20eaf9
+SHA1 (patch-ac) = ba97b23c6527311256b335c58175da9e9a3616e4
 SHA1 (patch-ad) = 7921e029b56c0e4769a7ada03dff3eb2e275db7d
 SHA1 (patch-ae) = 9585221f9e49b4ebea31c374066d70e11aa804a1
 SHA1 (patch-af) = ca3224af0b648803404776a8c12ed678db4f8ff6
-SHA1 (patch-ag) = b6f92a5394a3442fcc0c2a2ee204c10df5a4aea5
+SHA1 (patch-ag) = eeaa6e09f743405af074009ffe80678a5179ed08
 SHA1 (patch-ah) = bc0d7c2903ecf264e62b53f3864812af5f2f04ce
 SHA1 (patch-ai) = becad6262e5daeef2a6db14097a8971c40088403
 SHA1 (patch-aj) = 4f477f40d1d891dcda9083cec5521e80410ebd54
@@ -24,9 +24,6 @@ SHA1 (patch-ao) = a7c5a1832cb2a4584c77577fb125f84a1e9a9deb
 SHA1 (patch-ap) = 3029b847ce83305e8103276e27c75e0338e1fc08
 SHA1 (patch-aq) = a619b57361b04d5ab3d41375c18f7b99d71c8b34
 SHA1 (patch-ar) = fce4dc1011a124f02b8e14980cda1d633b36aa7d
-SHA1 (patch-as) = 19660f5983931ea3b053e6f4289cf6fae2ce50f3
-SHA1 (patch-at) = 7e7220e024d59d5462157b1d16dd90f23ab697f3
 SHA1 (patch-au) = 6cfdfc531e2267017a15e66ea48c7ecfa2a3926f
 SHA1 (patch-av) = 00f54c3fae7318b278b16bd0b01881a90bd31365
 SHA1 (patch-aw) = 2a88b7563c6f52163c6c5f716e437ecaea613a30
-SHA1 (patch-ax) = 8b876f4ba5b020dbd41f1166fc0b169444874d5a
diff --git a/security/openssh/options.mk b/security/openssh/options.mk
index 86785c5004f..25b1ea42821 100644
--- a/security/openssh/options.mk
+++ b/security/openssh/options.mk
@@ -1,4 +1,4 @@
-# $NetBSD: options.mk,v 1.15 2008/04/27 00:34:27 tnn Exp $
+# $NetBSD: options.mk,v 1.16 2008/09/16 12:53:08 taca Exp $
 .include "../../mk/bsd.prefs.mk"
@@ -17,7 +17,7 @@ CONFIGURE_ARGS+= --with-kerberos5=${KRB5BASE:Q}
 .endif
 .if !empty(PKG_OPTIONS:Mhpn-patch)
-PATCHFILES= openssh-5.0p1-hpn13v3.diff.gz
+PATCHFILES= openssh-5.1p1-hpn13v5.diff.gz
 PATCH_SITES= http://www.psc.edu/networking/projects/hpn-ssh/
 PATCH_DIST_STRIP= -p1
 .endif
diff --git a/security/openssh/patches/patch-ac b/security/openssh/patches/patch-ac
index d1859243214..e68b350f72c 100644
--- a/security/openssh/patches/patch-ac
+++ b/security/openssh/patches/patch-ac
@@ -1,6 +1,6 @@
-$NetBSD: patch-ac,v 1.16 2006/10/31 03:31:20 taca Exp $
+$NetBSD: patch-ac,v 1.17 2008/09/16 12:53:08 taca Exp $
---- defines.h.orig 2006-09-21 22:13:30.000000000 +0900
+--- defines.h.orig 2008-07-04 22:10:49.000000000 +0900
 +++ defines.h
 @@ -30,6 +30,15 @@
@@ -18,18 +18,7 @@ $NetBSD: patch-ac,v 1.16 2006/10/31 03:31:20 taca Exp $
 #if defined(HAVE_DECL_SHUT_RD) && HAVE_DECL_SHUT_RD == 0
 enum {
-@@ -437,10 +446,6 @@ struct winsize {
- # define __attribute__(x)
- #endif /* !defined(__GNUC__) || (__GNUC__ < 2) */
-
--#ifndef __dead
--# define __dead __attribute__((noreturn))
--#endif
--
- #if !defined(HAVE_ATTRIBUTE__SENTINEL__) && !defined(__sentinel__)
- # define __sentinel__
- #endif
-@@ -643,6 +648,24 @@ struct winsize {
+@@ -645,6 +654,24 @@ struct winsize {
 # endif
 # endif
 #endif
diff --git a/security/openssh/patches/patch-ag b/security/openssh/patches/patch-ag
index b647b6f6dcf..60451e45489 100644
--- a/security/openssh/patches/patch-ag
+++ b/security/openssh/patches/patch-ag
@@ -1,18 +1,18 @@
-$NetBSD: patch-ag,v 1.9 2006/10/31 03:31:20 taca Exp $
+$NetBSD: patch-ag,v 1.10 2008/09/16 12:53:08 taca Exp $
---- config.h.in.orig 2006-09-26 20:03:33.000000000 +0900
+--- config.h.in.orig 2008-07-21 17:30:49.000000000 +0900
 +++ config.h.in
-@@ -32,6 +32,9 @@
- */
- #undef BROKEN_ONE_BYTE_DIRENT_D_NAME
+@@ -506,6 +506,9 @@
+ /* define if you have int64_t data type */
+ #undef HAVE_INT64_T
 +/* Define if you are on Interix */
 +#undef HAVE_INTERIX
 +
- /* Define if you have a broken realpath. */
- #undef BROKEN_REALPATH
+ /* Define to 1 if you have the <inttypes.h> header file. */
+ #undef HAVE_INTTYPES_H
-@@ -573,6 +576,9 @@
+@@ -623,6 +626,9 @@
 /* Define to 1 if you have the <net/if_tun.h> header file. */
 #undef HAVE_NET_IF_TUN_H
diff --git a/security/openssh/patches/patch-as b/security/openssh/patches/patch-as
deleted file mode 100644
index aaa954ff6cb..00000000000
--- a/security/openssh/patches/patch-as
+++ /dev/null
@@ -1,20 +0,0 @@
-$NetBSD: patch-as,v 1.5 2006/10/31 03:31:20 taca Exp $
-
---- log.h.orig 2006-08-18 23:32:21.000000000 +0900
-+++ log.h
-@@ -51,7 +51,7 @@ void log_init(char *, LogLevel, Sysl
- SyslogFacility log_facility_number(char *);
- LogLevel log_level_number(char *);
-
--void fatal(const char *, ...) __dead __attribute__((format(printf, 1, 2)));
-+void fatal(const char *, ...) __attribute__((noreturn)) __attribute__((format(printf, 1, 2)));
- void error(const char *, ...) __attribute__((format(printf, 1, 2)));
- void sigdie(const char *, ...) __attribute__((format(printf, 1, 2)));
- void logit(const char *, ...) __attribute__((format(printf, 1, 2)));
-@@ -61,5 +61,5 @@ void debug2(const char *, ...) __att
- void debug3(const char *, ...) __attribute__((format(printf, 1, 2)));
-
- void do_log(LogLevel, const char *, va_list);
--void cleanup_exit(int) __dead;
-+void cleanup_exit(int) __attribute__((noreturn));
- #endif
diff --git a/security/openssh/patches/patch-at b/security/openssh/patches/patch-at
deleted file mode 100644
index b1a501ccca0..00000000000
--- a/security/openssh/patches/patch-at
+++ /dev/null
@@ -1,38 +0,0 @@
-$NetBSD: patch-at,v 1.7 2008/07/24 16:25:47 tnn Exp $
-
-Index: channels.c
-===================================================================
-RCS file: /cvs/openssh/channels.c,v
-retrieving revision 1.262
-retrieving revision 1.263
-diff -u -p -u -r1.262 -r1.263
---- channels.c 10 Jun 2008 13:01:51 -0000 1.262
-+++ channels.c 11 Jun 2008 20:05:12 -0000 1.263
-@@ -3018,7 +3018,8 @@ x11_create_display_inet(int x11_display_
- error("setsockopt IPV6_V6ONLY: %.100s", strerror(errno));
- }
- #endif
-- channel_set_reuseaddr(sock);
-+ if (x11_use_localhost)
-+ channel_set_reuseaddr(sock);
- if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
- debug2("bind port %d: %.100s", port, strerror(errno));
- close(sock);
-@@ -3030,17 +3031,8 @@ x11_create_display_inet(int x11_display_
- break;
- }
- socks[num_socks++] = sock;
--#ifndef DONT_TRY_OTHER_AF
- if (num_socks == NUM_SOCKS)
- break;
--#else
-- if (x11_use_localhost) {
-- if (num_socks == NUM_SOCKS)
-- break;
-- } else {
-- break;
-- }
--#endif
- }
- freeaddrinfo(aitop);
- if (num_socks > 0)
diff --git a/security/openssh/patches/patch-ax b/security/openssh/patches/patch-ax
deleted file mode 100644
index 6965d5865b1..00000000000
--- a/security/openssh/patches/patch-ax
+++ /dev/null
@@ -1,10 +0,0 @@
-$NetBSD: patch-ax,v 1.6 2008/04/27 00:34:27 tnn Exp $
-
---- sftp.h.orig 2008-02-10 12:40:12.000000000 +0100
-+++ sftp.h
-@@ -94,4 +94,4 @@
- struct passwd;
-
- int sftp_server_main(int, char **, struct passwd *);
--void sftp_server_cleanup_exit(int) __dead;
-+void sftp_server_cleanup_exit(int) __attribute__((noreturn)); |