author | jperkin <jperkin@pkgsrc.org> | 2016-01-18 12:53:25 +0000 |
---|---|---|
committer | jperkin <jperkin@pkgsrc.org> | 2016-01-18 12:53:25 +0000 |
commit | 7eb9d54e5a1664a8fa9273230f4e508c2069d404 (patch) | |
tree | 1083eeee9bebb2770044ba766719893bc1cadc3e /security/openssh | |
parent | 5a4119483e1b330a35b68d71b6c1a372059705ab (diff) | |
download | pkgsrc-7eb9d54e5a1664a8fa9273230f4e508c2069d404.tar.gz |
Explicitly disable roaming, as per CVE-2016-0777 and CVE-2016-0778.
Fix patch dates and offsets while here. Bump PKGREVISION.
Diffstat (limited to 'security/openssh')
29 files changed, 139 insertions, 102 deletions
diff --git a/security/openssh/Makefile b/security/openssh/Makefile index f9e5e282fbb..4e552216a70 100644 --- a/security/openssh/Makefile +++ b/security/openssh/Makefile @@ -1,8 +1,8 @@ -# $NetBSD: Makefile,v 1.238 2015/11/11 11:40:06 sevan Exp $ +# $NetBSD: Makefile,v 1.239 2016/01/18 12:53:25 jperkin Exp $ DISTNAME= openssh-7.1p1 PKGNAME= ${DISTNAME:S/p1/.1/} -PKGREVISION= 1 +PKGREVISION= 2 CATEGORIES= security MASTER_SITES= ${MASTER_SITE_OPENBSD:=OpenSSH/portable/} diff --git a/security/openssh/distinfo b/security/openssh/distinfo index d03b5cf5c52..53aa1824119 100644 --- a/security/openssh/distinfo +++ b/security/openssh/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.97 2015/08/22 05:17:22 taca Exp $ +$NetBSD: distinfo,v 1.98 2016/01/18 12:53:25 jperkin Exp $ SHA1 (openssh-7.1p1-hpn-20150822.diff.bz2) = 444a2fbd80d57ff93b53ade84ec162e2a2f3aa67 RMD160 (openssh-7.1p1-hpn-20150822.diff.bz2) = 87fb6887d9ccb4b305ff3c25fd5f67847d9996d1 
@@ -6,29 +6,30 @@ Size (openssh-7.1p1-hpn-20150822.diff.bz2) = 12173 bytes SHA1 (openssh-7.1p1.tar.gz) = ed22af19f962262c493fcc6ed8c8826b2761d9b6 RMD160 (openssh-7.1p1.tar.gz) = 2c97ea10099fa8658156c0351d60d715655b9b07 Size (openssh-7.1p1.tar.gz) = 1493170 bytes -SHA1 (patch-Makefile.in) = 2bf52a85ecdebac3aa299b25ecb561218a3316a2 -SHA1 (patch-auth-passwd.c) = 32da596dd9b255ffdd8168e6ea6f62596304b116 -SHA1 (patch-auth-rhosts.c) = 5752c384f1fd81ed6ef21707fa2b9743a3891987 -SHA1 (patch-auth.c) = 80f1c5ad8ea01a3c9dedce4eef1b625640958450 -SHA1 (patch-auth1.c) = 0bb4bc35e2ca2cd03c5596dadcd2ffb4329091a7 -SHA1 (patch-auth2.c) = 8a939381f72968d74a7df508a072dfb10f400284 -SHA1 (patch-channels.c) = 9ad160fd1c2c7fabbea3d49dacb36036d13adfaa -SHA1 (patch-clientloop.c) = 11d44815ec39030ae20cb75727acff8c8e91144e -SHA1 (patch-config.h.in) = 5df3b952565c054f39110b66012005087bba7219 -SHA1 (patch-configure.ac) = 8df3e2793a9bbd9179c69286f5cfea763bac3eea -SHA1 (patch-defines.h) = ecb225b4319347d0bcc6a271c81b7042f4c18b02 -SHA1 (patch-includes.h) = f3d502dc30e680889ed1c7cf4fa6ad8282e6cd4d -SHA1 (patch-loginrec.c) = b06a236e9faf871e9eb102c52dd0f583bf096373 -SHA1 (patch-openbsd-compat_bsd-openpty.c) = 9ccde56bfcfe1791b367f933e51b25137acce960 -SHA1 (patch-openbsd-compat_openbsd-compat.h) = da33ee063f0a45c3a5f165ee5ae96c3168890ef9 -SHA1 (patch-openbsd-compat_port-tun.c) = 5a8c8a7d2381a4b9530593754afe0ae0dbe2c8f5 -SHA1 (patch-platform.c) = 92d563030a6c7f8b1924b988e9a2565edfd8c3d6 -SHA1 (patch-sandbox-darwin.c) = a9255b1e8d52759506b61394de11050ea7ea25bb -SHA1 (patch-scp.c) = 0f11569d52ff813f42dd41fe315beab2af650dd0 -SHA1 (patch-session.c) = 4e07cc45bc020d720f32788d7344d0213891969e -SHA1 (patch-sftp-common.c) = 72146d410f78b5e4e5efae51ca05b22039d64545 -SHA1 (patch-ssh.c) = 25645adeaa67e04a98b75d04d1f016704aa84bca -SHA1 (patch-sshd.8) = 50154729a94aeaef17213d92979967b12d9c4e15 -SHA1 (patch-sshd.c) = d381db6d05067d0f28be8268847df97a0c8e9ba4 -SHA1 (patch-sshpty.c) = 
f87451e49e39fe137c8876fae52110dc2569958a -SHA1 (patch-uidswap.c) = 875be63bb6d1a7dd8c3d1c008c85aa4bf37dfdc2 +SHA1 (patch-Makefile.in) = 98960119bda68a663214c8880484552f1207bcfc +SHA1 (patch-auth-passwd.c) = 92c487cc3c092efb56f8b4ac4ca08ccd67803a83 +SHA1 (patch-auth-rhosts.c) = a5e6131e63b83a7e8a06cd80f22def449d6bc2c4 +SHA1 (patch-auth.c) = cd13f8b31b45d668c5e09eca098b17ec8a7c1039 +SHA1 (patch-auth1.c) = cdac14ffa4008e62926526e66316b0a553435374 +SHA1 (patch-auth2.c) = efc1eb6d28cb6ec2bd87723943f3e36c612d93aa +SHA1 (patch-channels.c) = edcce67664bbbc30a8d10ed2fe58dcece944726c +SHA1 (patch-clientloop.c) = a99fa9ff36e0068c059ee9daa392d06c01d1761c +SHA1 (patch-config.h.in) = 7406f10b568d2b8237ee575922ce712658d90d59 +SHA1 (patch-configure.ac) = d7ba54f34e03fd204eb1a9804fcae7fd16e285e2 +SHA1 (patch-defines.h) = bd8687a9a2857f3b8d15ae94095f27f9344003c4 +SHA1 (patch-includes.h) = c4a7622af6fbcd098d18d257724dca6aaeea4fda +SHA1 (patch-loginrec.c) = 28082deb14258fe63cbecad8ac96afc016de439c +SHA1 (patch-openbsd-compat_bsd-openpty.c) = eaac72830e36e307c19a7b679e6018ece9aebaac +SHA1 (patch-openbsd-compat_openbsd-compat.h) = bedbede16ab2fe918419c994ba15a20167b411b4 +SHA1 (patch-openbsd-compat_port-tun.c) = 690dfb1f945d186dd3de5bea70ed8fab86e590ee +SHA1 (patch-platform.c) = f8f211dbc5e596c0f82eb86324d18a84c6151ec5 +SHA1 (patch-readconf.c) = e1663d4d9a7ca8de8f87ba42d7b764923cdcc5db +SHA1 (patch-sandbox-darwin.c) = c9a1fe2e4dbf98e929d983b4206a244e0e354b75 +SHA1 (patch-scp.c) = 9c2317b0f796641903a826db355ba06595a26ea1 +SHA1 (patch-session.c) = 2aa1d95a35b52519c4921494855f861dc1380f3b +SHA1 (patch-sftp-common.c) = 6819aa040c8f1caa30a704cf6f0588e498df8778 +SHA1 (patch-ssh.c) = 00897c09b7d3037713c579cbc41301623d4c2ebf +SHA1 (patch-sshd.8) = 5bf48cd27cef8e8810b9dc7115f5180102a345d1 +SHA1 (patch-sshd.c) = 85a9f50c8b1bdcc44156e2b457a583ccdbc5821b +SHA1 (patch-sshpty.c) = cb691d4fbde808927f2fbcc12b87ad983cf21938 +SHA1 (patch-uidswap.c) = 68c4f5ffab7f4c5c9c00b7443a74b2da52809b7e 
diff --git a/security/openssh/patches/patch-Makefile.in b/security/openssh/patches/patch-Makefile.in index d5454a3ec22..f04cf0d7a9e 100644 --- a/security/openssh/patches/patch-Makefile.in +++ b/security/openssh/patches/patch-Makefile.in @@ -1,8 +1,8 @@ -$NetBSD: patch-Makefile.in,v 1.4 2015/07/09 16:14:23 taca Exp $ +$NetBSD: patch-Makefile.in,v 1.5 2016/01/18 12:53:26 jperkin Exp $ Removed install-sysconf as we handle that phase through post-install ---- Makefile.in.orig 2015-07-01 02:35:31.000000000 +0000 +--- Makefile.in.orig 2015-08-21 04:49:03.000000000 +0000 +++ Makefile.in @@ -2,5 +2,5 @@ diff --git a/security/openssh/patches/patch-auth-passwd.c b/security/openssh/patches/patch-auth-passwd.c index fe60caca0ab..4cc6a057996 100644 --- a/security/openssh/patches/patch-auth-passwd.c +++ b/security/openssh/patches/patch-auth-passwd.c @@ -1,8 +1,8 @@ -$NetBSD: patch-auth-passwd.c,v 1.2 2015/07/09 16:14:23 taca Exp $ +$NetBSD: patch-auth-passwd.c,v 1.3 2016/01/18 12:53:26 jperkin Exp $ Replace uid 0 with ROOTUID macro ---- auth-passwd.c.orig 2015-07-01 02:35:31.000000000 +0000 +--- auth-passwd.c.orig 2015-08-21 04:49:03.000000000 +0000 +++ auth-passwd.c @@ -88,7 +88,7 @@ auth_password(Authctxt *authctxt, const #endif diff --git a/security/openssh/patches/patch-auth-rhosts.c b/security/openssh/patches/patch-auth-rhosts.c index 013c4c76ffe..fef060635c4 100644 --- a/security/openssh/patches/patch-auth-rhosts.c +++ b/security/openssh/patches/patch-auth-rhosts.c @@ -1,8 +1,8 @@ -$NetBSD: patch-auth-rhosts.c,v 1.2 2015/07/09 16:14:23 taca Exp $ +$NetBSD: patch-auth-rhosts.c,v 1.3 2016/01/18 12:53:26 jperkin Exp $ Replace uid 0 with ROOTUID macro ---- auth-rhosts.c.orig 2015-07-01 02:35:31.000000000 +0000 +--- auth-rhosts.c.orig 2015-08-21 04:49:03.000000000 +0000 +++ auth-rhosts.c @@ -242,7 +242,7 @@ auth_rhosts2_raw(struct passwd *pw, cons * If not logging in as superuser, try /etc/hosts.equiv and 
diff --git a/security/openssh/patches/patch-auth.c b/security/openssh/patches/patch-auth.c index a5c6701f74a..80ad49e22ae 100644 --- a/security/openssh/patches/patch-auth.c +++ b/security/openssh/patches/patch-auth.c @@ -1,13 +1,13 @@ -$NetBSD: patch-auth.c,v 1.3 2015/07/09 16:14:23 taca Exp $ +$NetBSD: patch-auth.c,v 1.4 2016/01/18 12:53:26 jperkin Exp $ * Replace uid 0 with ROOTUID macro. * Use login_getpwclass() instead of login_getclass() so that the root vs. default login class distinction is made correctly, from FrrrBSD's ports. ---- auth.c.orig 2015-07-01 02:35:31.000000000 +0000 +--- auth.c.orig 2015-08-21 04:49:03.000000000 +0000 +++ auth.c -@@ -422,7 +422,7 @@ check_key_in_hostfiles(struct passwd *pw +@@ -424,7 +424,7 @@ check_key_in_hostfiles(struct passwd *pw user_hostfile = tilde_expand_filename(userfile, pw->pw_uid); if (options.strict_modes && (stat(user_hostfile, &st) == 0) && @@ -16,7 +16,7 @@ $NetBSD: patch-auth.c,v 1.3 2015/07/09 16:14:23 taca Exp $ (st.st_mode & 022) != 0)) { logit("Authentication refused for %.100s: " "bad owner or modes for %.200s", -@@ -651,7 +651,7 @@ getpwnamallow(const char *user) +@@ -653,7 +653,7 @@ getpwnamallow(const char *user) if (!allowed_user(pw)) return (NULL); #ifdef HAVE_LOGIN_CAP diff --git a/security/openssh/patches/patch-auth1.c b/security/openssh/patches/patch-auth1.c index c628f078c52..011c4bb54db 100644 --- a/security/openssh/patches/patch-auth1.c +++ b/security/openssh/patches/patch-auth1.c @@ -1,8 +1,8 @@ -$NetBSD: patch-auth1.c,v 1.3 2015/07/09 16:14:23 taca Exp $ +$NetBSD: patch-auth1.c,v 1.4 2016/01/18 12:53:26 jperkin Exp $ Replace uid 0 with ROOTUID macro ---- auth1.c.orig 2015-07-01 02:35:31.000000000 +0000 +--- auth1.c.orig 2015-08-21 04:49:03.000000000 +0000 +++ auth1.c @@ -322,7 +322,7 @@ do_authloop(Authctxt *authctxt) diff --git a/security/openssh/patches/patch-auth2.c b/security/openssh/patches/patch-auth2.c index e43029ad95e..f9b6acf2e02 100644 --- a/security/openssh/patches/patch-auth2.c 
+++ b/security/openssh/patches/patch-auth2.c @@ -1,8 +1,8 @@ -$NetBSD: patch-auth2.c,v 1.5 2015/08/14 08:57:00 jperkin Exp $ +$NetBSD: patch-auth2.c,v 1.6 2016/01/18 12:53:26 jperkin Exp $ Replace uid 0 with ROOTUID macro ---- auth2.c.orig 2015-07-01 02:35:31.000000000 +0000 +--- auth2.c.orig 2015-08-21 04:49:03.000000000 +0000 +++ auth2.c @@ -302,7 +302,7 @@ userauth_finish(Authctxt *authctxt, int fatal("INTERNAL ERROR: authenticated and postponed"); diff --git a/security/openssh/patches/patch-channels.c b/security/openssh/patches/patch-channels.c index eae778d49da..1c13d603a92 100644 --- a/security/openssh/patches/patch-channels.c +++ b/security/openssh/patches/patch-channels.c @@ -1,10 +1,10 @@ -$NetBSD: patch-channels.c,v 1.2 2015/07/09 16:14:23 taca Exp $ +$NetBSD: patch-channels.c,v 1.3 2016/01/18 12:53:26 jperkin Exp $ Fix X11 forwarding under Mac OS X Yosemite. Patch taken from MacPorts. https://trac.macports.org/browser/trunk/dports/net/openssh/files/launchd.patch?rev=121205 ---- channels.c.orig 2015-07-01 02:35:31.000000000 +0000 +--- channels.c.orig 2015-08-21 04:49:03.000000000 +0000 +++ channels.c @@ -4037,15 +4037,35 @@ x11_connect_display(void) * connection to the real X server. diff --git a/security/openssh/patches/patch-clientloop.c b/security/openssh/patches/patch-clientloop.c index 36682d34d70..a0937955e63 100644 --- a/security/openssh/patches/patch-clientloop.c +++ b/security/openssh/patches/patch-clientloop.c 
@@ -1,12 +1,12 @@ -$NetBSD: patch-clientloop.c,v 1.2 2015/07/09 16:14:23 taca Exp $ +$NetBSD: patch-clientloop.c,v 1.3 2016/01/18 12:53:26 jperkin Exp $ Fix X11 forwarding under Mac OS X Yosemite. Patch taken from MacPorts. https://trac.macports.org/browser/trunk/dports/net/openssh/files/launchd.patch?rev=121205 ---- clientloop.c.orig 2015-07-01 02:35:31.000000000 +0000 +--- clientloop.c.orig 2015-08-21 04:49:03.000000000 +0000 +++ clientloop.c -@@ -314,6 +314,10 @@ client_x11_get_proto(const char *display +@@ -315,6 +315,10 @@ client_x11_get_proto(const char *display struct stat st; u_int now, x11_timeout_real; @@ -17,7 +17,7 @@ https://trac.macports.org/browser/trunk/dports/net/openssh/files/launchd.patch?r xauthdir = xauthfile = NULL; *_proto = proto; *_data = data; -@@ -329,6 +333,33 @@ client_x11_get_proto(const char *display +@@ -330,6 +334,33 @@ client_x11_get_proto(const char *display debug("x11_get_proto: DISPLAY not set"); return; } @@ -51,7 +51,7 @@ https://trac.macports.org/browser/trunk/dports/net/openssh/files/launchd.patch?r /* * Handle FamilyLocal case where $DISPLAY does * not match an authorization entry. For this we -@@ -420,6 +451,9 @@ client_x11_get_proto(const char *display +@@ -421,6 +452,9 @@ client_x11_get_proto(const char *display if (!got_data) { u_int32_t rnd = 0; diff --git a/security/openssh/patches/patch-config.h.in b/security/openssh/patches/patch-config.h.in index 00b9b0272de..4253ab9c3de 100644 --- a/security/openssh/patches/patch-config.h.in +++ b/security/openssh/patches/patch-config.h.in @@ -1,9 +1,9 @@ -$NetBSD: patch-config.h.in,v 1.4 2015/07/09 16:14:23 taca Exp $ +$NetBSD: patch-config.h.in,v 1.5 2016/01/18 12:53:26 jperkin Exp $ * Added Interix and define new path to if_tun.h. * Revive tcp_wrappers support. ---- config.h.in.orig 2015-07-01 02:41:59.000000000 +0000 +--- config.h.in.orig 2015-08-21 05:09:20.000000000 +0000 +++ config.h.in @@ -640,6 +640,9 @@ /* define if you have int64_t data type */ 
diff --git a/security/openssh/patches/patch-configure.ac b/security/openssh/patches/patch-configure.ac index b3bc0dc114a..790ef5ad5fe 100644 --- a/security/openssh/patches/patch-configure.ac +++ b/security/openssh/patches/patch-configure.ac @@ -1,9 +1,9 @@ -$NetBSD: patch-configure.ac,v 1.4 2015/07/09 16:14:23 taca Exp $ +$NetBSD: patch-configure.ac,v 1.5 2016/01/18 12:53:26 jperkin Exp $ * Various fixes regarding portability * Revive tcp_wrappers support. ---- configure.ac.orig 2015-07-01 02:35:31.000000000 +0000 +--- configure.ac.orig 2015-08-21 04:49:03.000000000 +0000 +++ configure.ac @@ -316,6 +316,9 @@ AC_ARG_WITH([rpath], ] @@ -102,7 +102,7 @@ $NetBSD: patch-configure.ac,v 1.4 2015/07/09 16:14:23 taca Exp $ # Check whether user wants to use ldns LDNS_MSG="no" AC_ARG_WITH(ldns, -@@ -4791,9 +4860,17 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +@@ -4816,9 +4885,17 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ ]) if test -z "$conf_wtmpx_location"; then if test x"$system_wtmpx_path" = x"no" ; then @@ -122,7 +122,7 @@ $NetBSD: patch-configure.ac,v 1.4 2015/07/09 16:14:23 taca Exp $ AC_DEFINE_UNQUOTED([CONF_WTMPX_FILE], ["$conf_wtmpx_location"], [Define if you want to specify the path to your wtmpx file]) fi -@@ -4880,7 +4957,7 @@ echo "OpenSSH has been configured with t +@@ -4905,7 +4982,7 @@ echo "OpenSSH has been configured with t echo " User binaries: $B" echo " System binaries: $C" echo " Configuration files: $D" @@ -131,7 +131,7 @@ $NetBSD: patch-configure.ac,v 1.4 2015/07/09 16:14:23 taca Exp $ echo " Manual pages: $F" echo " PID file: $G" echo " Privilege separation chroot path: $H" -@@ -4904,6 +4981,7 @@ echo " KerberosV support +@@ -4929,6 +5006,7 @@ echo " KerberosV support echo " SELinux support: $SELINUX_MSG" echo " Smartcard support: $SCARD_MSG" echo " S/KEY support: $SKEY_MSG" diff --git a/security/openssh/patches/patch-defines.h b/security/openssh/patches/patch-defines.h index d3ebabd7d55..63788b31baf 100644 --- a/security/openssh/patches/patch-defines.h 
+++ b/security/openssh/patches/patch-defines.h @@ -1,8 +1,8 @@ -$NetBSD: patch-defines.h,v 1.3 2015/07/09 16:14:23 taca Exp $ +$NetBSD: patch-defines.h,v 1.4 2016/01/18 12:53:26 jperkin Exp $ Define ROOTUID, UTMPX_FILE and WTMPX_FILE ---- defines.h.orig 2015-07-01 02:35:31.000000000 +0000 +--- defines.h.orig 2015-08-21 04:49:03.000000000 +0000 +++ defines.h @@ -30,6 +30,15 @@ diff --git a/security/openssh/patches/patch-includes.h b/security/openssh/patches/patch-includes.h index f62ce342d4a..5e54a9dcd86 100644 --- a/security/openssh/patches/patch-includes.h +++ b/security/openssh/patches/patch-includes.h @@ -1,8 +1,8 @@ -$NetBSD: patch-includes.h,v 1.3 2015/07/09 16:14:23 taca Exp $ +$NetBSD: patch-includes.h,v 1.4 2016/01/18 12:53:26 jperkin Exp $ Interix support ---- includes.h.orig 2015-07-01 02:35:31.000000000 +0000 +--- includes.h.orig 2015-08-21 04:49:03.000000000 +0000 +++ includes.h @@ -127,6 +127,10 @@ #ifdef HAVE_READPASSPHRASE_H diff --git a/security/openssh/patches/patch-loginrec.c b/security/openssh/patches/patch-loginrec.c index 7394d49310d..fa56d5a158f 100644 --- a/security/openssh/patches/patch-loginrec.c +++ b/security/openssh/patches/patch-loginrec.c @@ -1,8 +1,8 @@ -$NetBSD: patch-loginrec.c,v 1.4 2015/08/14 08:57:00 jperkin Exp $ +$NetBSD: patch-loginrec.c,v 1.5 2016/01/18 12:53:26 jperkin Exp $ Interix support and related fixes. Fix build on FreeBSD. ---- loginrec.c.orig 2015-07-01 02:35:31.000000000 +0000 +--- loginrec.c.orig 2015-08-21 04:49:03.000000000 +0000 +++ loginrec.c @@ -432,8 +432,8 @@ login_set_addr(struct logininfo *li, con int diff --git a/security/openssh/patches/patch-openbsd-compat_bsd-openpty.c b/security/openssh/patches/patch-openbsd-compat_bsd-openpty.c index e7438d52856..05c46daa46a 100644 --- a/security/openssh/patches/patch-openbsd-compat_bsd-openpty.c +++ b/security/openssh/patches/patch-openbsd-compat_bsd-openpty.c 
@@ -1,8 +1,8 @@ -$NetBSD: patch-openbsd-compat_bsd-openpty.c,v 1.2 2015/08/14 08:57:00 jperkin Exp $ +$NetBSD: patch-openbsd-compat_bsd-openpty.c,v 1.3 2016/01/18 12:53:26 jperkin Exp $ Interix support ---- openbsd-compat/bsd-openpty.c.orig 2015-07-01 02:35:31.000000000 +0000 +--- openbsd-compat/bsd-openpty.c.orig 2015-08-21 04:49:03.000000000 +0000 +++ openbsd-compat/bsd-openpty.c @@ -121,15 +121,17 @@ openpty(int *amaster, int *aslave, char return (-1); diff --git a/security/openssh/patches/patch-openbsd-compat_openbsd-compat.h b/security/openssh/patches/patch-openbsd-compat_openbsd-compat.h index 01c22af816b..771757f15f0 100644 --- a/security/openssh/patches/patch-openbsd-compat_openbsd-compat.h +++ b/security/openssh/patches/patch-openbsd-compat_openbsd-compat.h @@ -1,10 +1,10 @@ -$NetBSD: patch-openbsd-compat_openbsd-compat.h,v 1.3 2015/07/09 16:14:23 taca Exp $ +$NetBSD: patch-openbsd-compat_openbsd-compat.h,v 1.4 2016/01/18 12:53:26 jperkin Exp $ strtoll() declaration ---- openbsd-compat/openbsd-compat.h.orig 2015-07-01 02:35:31.000000000 +0000 +--- openbsd-compat/openbsd-compat.h.orig 2015-08-21 04:49:03.000000000 +0000 +++ openbsd-compat/openbsd-compat.h -@@ -91,6 +91,10 @@ size_t strlcat(char *dst, const char *sr +@@ -99,6 +99,10 @@ size_t strlcat(char *dst, const char *sr int setenv(register const char *name, register const char *value, int rewrite); #endif diff --git a/security/openssh/patches/patch-openbsd-compat_port-tun.c b/security/openssh/patches/patch-openbsd-compat_port-tun.c index 24deaf09af3..7114086073f 100644 --- a/security/openssh/patches/patch-openbsd-compat_port-tun.c +++ b/security/openssh/patches/patch-openbsd-compat_port-tun.c 
@@ -1,8 +1,8 @@ -$NetBSD: patch-openbsd-compat_port-tun.c,v 1.2 2015/07/09 16:14:23 taca Exp $ +$NetBSD: patch-openbsd-compat_port-tun.c,v 1.3 2016/01/18 12:53:26 jperkin Exp $ if_tun.h can be found in net/tun ---- openbsd-compat/port-tun.c.orig 2015-07-01 02:35:31.000000000 +0000 +--- openbsd-compat/port-tun.c.orig 2015-08-21 04:49:03.000000000 +0000 +++ openbsd-compat/port-tun.c @@ -111,6 +111,10 @@ sys_tun_open(int tun, int mode) #include <sys/socket.h> diff --git a/security/openssh/patches/patch-platform.c b/security/openssh/patches/patch-platform.c index 34c1469ece1..fe837c1b5a8 100644 --- a/security/openssh/patches/patch-platform.c +++ b/security/openssh/patches/patch-platform.c @@ -1,8 +1,8 @@ -$NetBSD: patch-platform.c,v 1.4 2015/07/09 16:14:23 taca Exp $ +$NetBSD: patch-platform.c,v 1.5 2016/01/18 12:53:26 jperkin Exp $ Interix support ---- platform.c.orig 2015-07-01 02:35:31.000000000 +0000 +--- platform.c.orig 2015-08-21 04:49:03.000000000 +0000 +++ platform.c @@ -90,7 +90,9 @@ platform_privileged_uidswap(void) /* uid 0 is not special on Cygwin so always try */ diff --git a/security/openssh/patches/patch-readconf.c b/security/openssh/patches/patch-readconf.c new file mode 100644 index 00000000000..79e5a01cbdf --- /dev/null +++ b/security/openssh/patches/patch-readconf.c 
@@ -0,0 +1,25 @@
+$NetBSD: patch-readconf.c,v 1.1 2016/01/18 12:53:26 jperkin Exp $
+
+Disable roaming.
+
+--- readconf.c.orig 2015-08-21 04:49:03.000000000 +0000
++++ readconf.c
+@@ -1660,7 +1660,7 @@ initialize_options(Options * options)
+ options->tun_remote = -1;
+ options->local_command = NULL;
+ options->permit_local_command = -1;
+- options->use_roaming = -1;
++ options->use_roaming = 0;
+ options->visual_host_key = -1;
+ options->ip_qos_interactive = -1;
+ options->ip_qos_bulk = -1;
+@@ -1833,8 +1833,7 @@ fill_default_options(Options * options)
+ options->tun_remote = SSH_TUNID_ANY;
+ if (options->permit_local_command == -1)
+ options->permit_local_command = 0;
+- if (options->use_roaming == -1)
+- options->use_roaming = 1;
++ options->use_roaming = 0;
+ if (options->visual_host_key == -1)
+ options->visual_host_key = 0;
+ if (options->ip_qos_interactive == -1)
diff --git a/security/openssh/patches/patch-sandbox-darwin.c b/security/openssh/patches/patch-sandbox-darwin.c
index c19da070152..b6624a068e2 100644
--- a/security/openssh/patches/patch-sandbox-darwin.c
+++ b/security/openssh/patches/patch-sandbox-darwin.c
@@ -1,8 +1,8 @@
-$NetBSD: patch-sandbox-darwin.c,v 1.1 2015/08/14 08:57:00 jperkin Exp $
+$NetBSD: patch-sandbox-darwin.c,v 1.2 2016/01/18 12:53:26 jperkin Exp $
 Support sandbox on newer OSX, from MacPorts.
---- sandbox-darwin.c.orig 2015-07-01 02:35:31.000000000 +0000
+--- sandbox-darwin.c.orig 2015-08-21 04:49:03.000000000 +0000
 +++ sandbox-darwin.c
 @@ -62,8 +62,16 @@ ssh_sandbox_child(struct ssh_sandbox *bo
 struct rlimit rl_zero;
diff --git a/security/openssh/patches/patch-scp.c b/security/openssh/patches/patch-scp.c
index 0f324b3afe2..415ddfbc2bf 100644
--- a/security/openssh/patches/patch-scp.c
+++ b/security/openssh/patches/patch-scp.c
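Review bot: The description line in the new patch-readconf.c is only `Disable roaming.`, and patch-ssh.c gains the equally bare `Disable roaming`, so neither patch file says that it is the mitigation for CVE-2016-0777 and CVE-2016-0778; someone regenerating patches on the next OpenSSH update has nothing in the file telling them these hunks must not be dropped unless upstream carries the same fix. I would write `Disable roaming unconditionally, as per CVE-2016-0777 and CVE-2016-0778.` in both. The same comment should say that the now-unguarded `options->use_roaming = 0;` in fill_default_options() is intentional, since it appears to override any value set during option parsing; the parsing code is not in the hunk, so that reading is inferred. Both initialize_options() and fill_default_options() start and end outside the lines shown.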
@@ -1,8 +1,8 @@ -$NetBSD: patch-scp.c,v 1.3 2015/07/09 16:14:23 taca Exp $ +$NetBSD: patch-scp.c,v 1.4 2016/01/18 12:53:26 jperkin Exp $ Interix support ---- scp.c.orig 2015-07-01 02:35:31.000000000 +0000 +--- scp.c.orig 2015-08-21 04:49:03.000000000 +0000 +++ scp.c @@ -478,7 +478,11 @@ main(int argc, char **argv) argc -= optind; diff --git a/security/openssh/patches/patch-session.c b/security/openssh/patches/patch-session.c index 5f71356d0de..6a4285cd789 100644 --- a/security/openssh/patches/patch-session.c +++ b/security/openssh/patches/patch-session.c @@ -1,8 +1,8 @@ -$NetBSD: patch-session.c,v 1.4 2015/07/09 16:14:23 taca Exp $ +$NetBSD: patch-session.c,v 1.5 2016/01/18 12:53:26 jperkin Exp $ Interix support ---- session.c.orig 2015-07-01 02:35:31.000000000 +0000 +--- session.c.orig 2015-08-21 04:49:03.000000000 +0000 +++ session.c @@ -1093,7 +1093,7 @@ read_etc_default_login(char ***env, u_in if (tmpenv == NULL) diff --git a/security/openssh/patches/patch-sftp-common.c b/security/openssh/patches/patch-sftp-common.c index c12b4fcf627..4bf2960569c 100644 --- a/security/openssh/patches/patch-sftp-common.c +++ b/security/openssh/patches/patch-sftp-common.c @@ -1,8 +1,8 @@ -$NetBSD: patch-sftp-common.c,v 1.3 2015/08/14 08:57:00 jperkin Exp $ +$NetBSD: patch-sftp-common.c,v 1.4 2016/01/18 12:53:26 jperkin Exp $ Include <unistd.h> for strmode(3). ---- sftp-common.c.orig 2015-07-01 02:35:31.000000000 +0000 +--- sftp-common.c.orig 2015-08-21 04:49:03.000000000 +0000 +++ sftp-common.c @@ -37,6 +37,9 @@ #include <string.h> diff --git a/security/openssh/patches/patch-ssh.c b/security/openssh/patches/patch-ssh.c index 89fd92dcf45..32c1235f15b 100644 --- a/security/openssh/patches/patch-ssh.c +++ b/security/openssh/patches/patch-ssh.c 
@@ -1,10 +1,11 @@ -$NetBSD: patch-ssh.c,v 1.4 2015/07/09 16:14:23 taca Exp $ +$NetBSD: patch-ssh.c,v 1.5 2016/01/18 12:53:26 jperkin Exp $ Interix support +Disable roaming ---- ssh.c.orig 2015-07-01 02:35:31.000000000 +0000 +--- ssh.c.orig 2015-08-21 04:49:03.000000000 +0000 +++ ssh.c -@@ -1083,7 +1083,7 @@ main(int ac, char **av) +@@ -1084,7 +1084,7 @@ main(int ac, char **av) "disabling"); options.update_hostkeys = 0; } @@ -13,3 +14,13 @@ Interix support if (original_effective_uid != 0) options.use_privileged_port = 0; #endif +@@ -1932,9 +1932,6 @@ ssh_session2(void) + fork_postauth(); + } + +- if (options.use_roaming) +- request_roaming(); +- + return client_loop(tty_flag, tty_flag ? + options.escape_char : SSH_ESCAPECHAR_NONE, id); + } diff --git a/security/openssh/patches/patch-sshd.8 b/security/openssh/patches/patch-sshd.8 index 16cf513e203..085accf98c3 100644 --- a/security/openssh/patches/patch-sshd.8 +++ b/security/openssh/patches/patch-sshd.8 @@ -1,10 +1,10 @@ -$NetBSD: patch-sshd.8,v 1.1 2015/07/09 16:14:23 taca Exp $ +$NetBSD: patch-sshd.8,v 1.2 2016/01/18 12:53:26 jperkin Exp $ * Revive tcp_wrappers support. ---- sshd.8.orig 2015-07-01 02:35:31.000000000 +0000 +--- sshd.8.orig 2015-08-21 04:49:03.000000000 +0000 +++ sshd.8 -@@ -853,6 +853,12 @@ the user's home directory becomes access +@@ -850,6 +850,12 @@ the user's home directory becomes access This file should be writable only by the user, and need not be readable by anyone else. .Pp @@ -17,7 +17,7 @@ $NetBSD: patch-sshd.8,v 1.1 2015/07/09 16:14:23 taca Exp $ .It Pa /etc/hosts.equiv This file is for host-based authentication (see .Xr ssh 1 ) . -@@ -956,6 +962,7 @@ The content of this file is not sensitiv +@@ -953,6 +959,7 @@ The content of this file is not sensitiv .Xr ssh-keygen 1 , .Xr ssh-keyscan 1 , .Xr chroot 2 , diff --git a/security/openssh/patches/patch-sshd.c b/security/openssh/patches/patch-sshd.c index 24a67203e2f..36b0419e342 100644 --- a/security/openssh/patches/patch-sshd.c 
+++ b/security/openssh/patches/patch-sshd.c @@ -1,11 +1,11 @@ -$NetBSD: patch-sshd.c,v 1.5 2015/08/14 08:57:00 jperkin Exp $ +$NetBSD: patch-sshd.c,v 1.6 2016/01/18 12:53:26 jperkin Exp $ * Interix support * Revive tcp_wrappers support. ---- sshd.c.orig 2015-07-01 02:35:31.000000000 +0000 +--- sshd.c.orig 2015-08-21 04:49:03.000000000 +0000 +++ sshd.c -@@ -125,6 +125,13 @@ +@@ -126,6 +126,13 @@ #include "version.h" #include "ssherr.h" @@ -19,7 +19,7 @@ $NetBSD: patch-sshd.c,v 1.5 2015/08/14 08:57:00 jperkin Exp $ #ifndef O_NOCTTY #define O_NOCTTY 0 #endif -@@ -236,7 +243,11 @@ int *startup_pipes = NULL; +@@ -237,7 +244,11 @@ int *startup_pipes = NULL; int startup_pipe; /* in child */ /* variables used for privilege separation */ @@ -31,7 +31,7 @@ $NetBSD: patch-sshd.c,v 1.5 2015/08/14 08:57:00 jperkin Exp $ struct monitor *pmonitor = NULL; int privsep_is_preauth = 1; -@@ -643,10 +654,15 @@ privsep_preauth_child(void) +@@ -644,10 +655,15 @@ privsep_preauth_child(void) /* XXX not ready, too heavy after chroot */ do_setusercontext(privsep_pw); #else @@ -47,7 +47,7 @@ $NetBSD: patch-sshd.c,v 1.5 2015/08/14 08:57:00 jperkin Exp $ #endif } -@@ -714,11 +730,18 @@ privsep_preauth(Authctxt *authctxt) +@@ -715,11 +731,18 @@ privsep_preauth(Authctxt *authctxt) set_log_handler(mm_log_handler, pmonitor); /* Demote the child */ @@ -67,7 +67,7 @@ $NetBSD: patch-sshd.c,v 1.5 2015/08/14 08:57:00 jperkin Exp $ return 0; } -@@ -732,7 +755,7 @@ privsep_postauth(Authctxt *authctxt) +@@ -733,7 +756,7 @@ privsep_postauth(Authctxt *authctxt) #ifdef DISABLE_FD_PASSING if (1) { #else @@ -76,7 +76,7 @@ $NetBSD: patch-sshd.c,v 1.5 2015/08/14 08:57:00 jperkin Exp $ #endif /* File descriptor passing is broken or root login */ use_privsep = 0; -@@ -1485,8 +1508,10 @@ main(int ac, char **av) +@@ -1489,8 +1512,10 @@ main(int ac, char **av) av = saved_argv; #endif 
@@ -88,7 +88,7 @@ $NetBSD: patch-sshd.c,v 1.5 2015/08/14 08:57:00 jperkin Exp $ /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ sanitise_stdfd(); -@@ -1915,7 +1940,7 @@ main(int ac, char **av) +@@ -1919,7 +1944,7 @@ main(int ac, char **av) (st.st_uid != getuid () || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)) #else @@ -97,7 +97,7 @@ $NetBSD: patch-sshd.c,v 1.5 2015/08/14 08:57:00 jperkin Exp $ #endif fatal("%s must be owned by root and not group or " "world-writable.", _PATH_PRIVSEP_CHROOT_DIR); -@@ -1938,8 +1963,10 @@ main(int ac, char **av) +@@ -1942,8 +1967,10 @@ main(int ac, char **av) * to create a file, and we can't control the code in every * module which might be used). */ @@ -108,7 +108,7 @@ $NetBSD: patch-sshd.c,v 1.5 2015/08/14 08:57:00 jperkin Exp $ if (rexec_flag) { rexec_argv = xcalloc(rexec_argc + 2, sizeof(char *)); -@@ -2135,6 +2162,25 @@ main(int ac, char **av) +@@ -2139,6 +2166,25 @@ main(int ac, char **av) audit_connection_from(remote_ip, remote_port); #endif diff --git a/security/openssh/patches/patch-sshpty.c b/security/openssh/patches/patch-sshpty.c index 256971bde6a..c96ba181fe2 100644 --- a/security/openssh/patches/patch-sshpty.c +++ b/security/openssh/patches/patch-sshpty.c @@ -1,8 +1,8 @@ -$NetBSD: patch-sshpty.c,v 1.2 2015/07/09 16:14:23 taca Exp $ +$NetBSD: patch-sshpty.c,v 1.3 2016/01/18 12:53:26 jperkin Exp $ Replace uid 0 with ROOTUID macro ---- sshpty.c.orig 2015-07-01 02:35:31.000000000 +0000 +--- sshpty.c.orig 2015-08-21 04:49:03.000000000 +0000 +++ sshpty.c @@ -86,7 +86,7 @@ void pty_release(const char *tty) diff --git a/security/openssh/patches/patch-uidswap.c b/security/openssh/patches/patch-uidswap.c index bb46fb9e080..3b623b8b8ee 100644 --- a/security/openssh/patches/patch-uidswap.c +++ b/security/openssh/patches/patch-uidswap.c 
@@ -1,8 +1,8 @@ -$NetBSD: patch-uidswap.c,v 1.4 2015/08/14 08:57:00 jperkin Exp $ +$NetBSD: patch-uidswap.c,v 1.5 2016/01/18 12:53:26 jperkin Exp $ Interix support ---- uidswap.c.orig 2015-07-01 02:35:31.000000000 +0000 +--- uidswap.c.orig 2015-08-21 04:49:03.000000000 +0000 +++ uidswap.c @@ -67,13 +67,13 @@ temporarily_use_uid(struct passwd *pw) (u_int)pw->pw_uid, (u_int)pw->pw_gid, |