diff options
author | tnn <tnn@pkgsrc.org> | 2008-04-27 00:34:27 +0000 |
---|---|---|
committer | tnn <tnn@pkgsrc.org> | 2008-04-27 00:34:27 +0000 |
commit | 8a00f770a529f0756bd330dbfc9f0068789fc314 (patch) | |
tree | c512b2a72f54af9d20896fda3ddc93c5c2b240b5 /security/openssh | |
parent | de47e1f2f1340ee6ae2990740d9df1b5ce510229 (diff) | |
download | pkgsrc-8a00f770a529f0756bd330dbfc9f0068789fc314.tar.gz |
Update to OpenSSH 5.0p1.
Changes since 4.7:
- fix two security issues
- chroot support for sshd(8)
- sftp server internalized in sshd(8)
- assorted bug fixes
Diffstat (limited to 'security/openssh')
-rw-r--r-- | security/openssh/Makefile | 18 | ||||
-rw-r--r-- | security/openssh/distinfo | 20 | ||||
-rw-r--r-- | security/openssh/options.mk | 4 | ||||
-rw-r--r-- | security/openssh/patches/patch-ao | 36 | ||||
-rw-r--r-- | security/openssh/patches/patch-ap | 10 | ||||
-rw-r--r-- | security/openssh/patches/patch-ax | 24 |
6 files changed, 47 insertions, 65 deletions
diff --git a/security/openssh/Makefile b/security/openssh/Makefile index 1409e032c2f..30391e48479 100644 --- a/security/openssh/Makefile +++ b/security/openssh/Makefile @@ -1,8 +1,7 @@ -# $NetBSD: Makefile,v 1.187 2008/04/03 07:59:08 tonnerre Exp $ +# $NetBSD: Makefile,v 1.188 2008/04/27 00:34:27 tnn Exp $ -DISTNAME= openssh-4.7p1 -PKGNAME= openssh-4.7.1 -PKGREVISION= 3 +DISTNAME= openssh-5.0p1 +PKGNAME= openssh-5.0.1 SVR4_PKGNAME= ossh CATEGORIES= security MASTER_SITES= ftp://ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/ \ @@ -12,7 +11,7 @@ MASTER_SITES= ftp://ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/ \ ftp://ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/old/ # Don't delete the last entry -- it's there if the pkgsrc version is not # up-to-date and the mirrors already removed the old distfile. -DIST_SUBDIR= ${PKGBASE}-4.7.1-20070919 +DIST_SUBDIR= ${PKGBASE}-5.0.1-20080427 MAINTAINER= pkgsrc-users@NetBSD.org HOMEPAGE= http://www.openssh.com/ @@ -24,6 +23,8 @@ CONFLICTS+= ssh2-[0-9]* ssh2-nox11-[0-9]* CONFLICTS+= openssh+gssapi-[0-9]* CONFLICTS+= lsh>2.0 +PKG_DESTDIR_SUPPORT= user-destdir + USE_TOOLS+= perl CRYPTO= yes @@ -161,12 +162,13 @@ SUBST_MESSAGE.patch= More patch a file. .include "../../security/tcp_wrappers/buildlink3.mk" post-install: - ${INSTALL_DATA_DIR} ${EGDIR} + ${INSTALL_DATA_DIR} ${DESTDIR}${EGDIR} cd ${WRKSRC}; for file in ${CONFS}; do \ - ${INSTALL_DATA} $${file}.out ${EGDIR}/$${file}; \ + ${INSTALL_DATA} $${file}.out ${DESTDIR}${EGDIR}/$${file}; \ done .if !empty(PKG_OPTIONS:Mpam) && ${OPSYS} == "Linux" - ${INSTALL_DATA} ${WRKSRC}/contrib/sshd.pam.generic ${EGDIR}/sshd.pam + ${INSTALL_DATA} ${WRKSRC}/contrib/sshd.pam.generic \ + ${DESTDIR}${EGDIR}/sshd.pam .endif .include "../../mk/bsd.pkg.mk" diff --git a/security/openssh/distinfo b/security/openssh/distinfo index 6ee29f80b25..e2934e64117 100644 --- a/security/openssh/distinfo +++ b/security/openssh/distinfo @@ -1,11 +1,11 @@ -$NetBSD: distinfo,v 1.68 2008/04/08 06:36:47 taca Exp $ +$NetBSD: distinfo,v 1.69 2008/04/27 00:34:27 tnn Exp $ -SHA1 (openssh-4.7.1-20070919/openssh-4.7p1-hpn12v18.diff.gz) = 8ab61d12b5bcf70d0ffe9cb1d157136d20ebb22c -RMD160 (openssh-4.7.1-20070919/openssh-4.7p1-hpn12v18.diff.gz) = 7b35eb1a3f6f3b703ac7f155f620bff63a900a0e -Size (openssh-4.7.1-20070919/openssh-4.7p1-hpn12v18.diff.gz) = 16094 bytes -SHA1 (openssh-4.7.1-20070919/openssh-4.7p1.tar.gz) = 58357db9e64ba6382bef3d73d1d386fcdc0508f4 -RMD160 (openssh-4.7.1-20070919/openssh-4.7p1.tar.gz) = b828e79d3d1a931cb77651ec7d7276cf3ba22d90 -Size (openssh-4.7.1-20070919/openssh-4.7p1.tar.gz) = 991119 bytes +SHA1 (openssh-5.0.1-20080427/openssh-5.0p1-hpn13v3.diff.gz) = 688265249dfaa449283ddfae2f81a9b6e3507f86 +RMD160 (openssh-5.0.1-20080427/openssh-5.0p1-hpn13v3.diff.gz) = d4baca41f6212036b513173835de6e1081d49ac8 +Size (openssh-5.0.1-20080427/openssh-5.0p1-hpn13v3.diff.gz) = 24060 bytes +SHA1 (openssh-5.0.1-20080427/openssh-5.0p1.tar.gz) = 121cea3a730c0b0353334b6f46f438de30ab4928 +RMD160 (openssh-5.0.1-20080427/openssh-5.0p1.tar.gz) = b813234014e339fe2d9d10a5adad9f8e065918fc +Size (openssh-5.0.1-20080427/openssh-5.0p1.tar.gz) = 1011556 bytes SHA1 (patch-aa) = 8b7a16e9a63cfff3b73d70b9cebb6627b96396e0 SHA1 (patch-ab) = a105c238c8dc774ed6992791b131da56824869e9 SHA1 (patch-ac) = dfb054ef02fbb5d206f6adaf82944f16da20eaf9 @@ -20,12 +20,12 @@ SHA1 (patch-ak) = 3720afb4e95356d5310762cda881820d524dcffc SHA1 (patch-al) = d312a068047a375e52180026554bab745efdcdb7 SHA1 (patch-am) = 4e2278b20e87e530e1819efde976d4414e160e38 SHA1 (patch-an) = 2f955b8891bedd79986490d282eb09acd4910250 -SHA1 (patch-ao) = f2188b57baff4c88a793eee37dad69ffc523f7e5 -SHA1 (patch-ap) = 2c0c092637661328046b71292a7412d09e92bb2a +SHA1 (patch-ao) = a7c5a1832cb2a4584c77577fb125f84a1e9a9deb +SHA1 (patch-ap) = 3029b847ce83305e8103276e27c75e0338e1fc08 SHA1 (patch-aq) = a619b57361b04d5ab3d41375c18f7b99d71c8b34 SHA1 (patch-ar) = fce4dc1011a124f02b8e14980cda1d633b36aa7d SHA1 (patch-as) = 19660f5983931ea3b053e6f4289cf6fae2ce50f3 SHA1 (patch-au) = 6cfdfc531e2267017a15e66ea48c7ecfa2a3926f SHA1 (patch-av) = 00f54c3fae7318b278b16bd0b01881a90bd31365 SHA1 (patch-aw) = 2a88b7563c6f52163c6c5f716e437ecaea613a30 -SHA1 (patch-ax) = 1ddf59636b6f3b544850f787ca63287fd93cae88 +SHA1 (patch-ax) = 8b876f4ba5b020dbd41f1166fc0b169444874d5a diff --git a/security/openssh/options.mk b/security/openssh/options.mk index c3aa485d162..86785c5004f 100644 --- a/security/openssh/options.mk +++ b/security/openssh/options.mk @@ -1,4 +1,4 @@ -# $NetBSD: options.mk,v 1.14 2007/09/07 10:41:12 taca Exp $ +# $NetBSD: options.mk,v 1.15 2008/04/27 00:34:27 tnn Exp $ .include "../../mk/bsd.prefs.mk" @@ -17,7 +17,7 @@ CONFIGURE_ARGS+= --with-kerberos5=${KRB5BASE:Q} .endif .if !empty(PKG_OPTIONS:Mhpn-patch) -PATCHFILES= openssh-4.7p1-hpn12v18.diff.gz +PATCHFILES= openssh-5.0p1-hpn13v3.diff.gz PATCH_SITES= http://www.psc.edu/networking/projects/hpn-ssh/ PATCH_DIST_STRIP= -p1 .endif diff --git a/security/openssh/patches/patch-ao b/security/openssh/patches/patch-ao index 6b726840be7..6823d1e0080 100644 --- a/security/openssh/patches/patch-ao +++ b/security/openssh/patches/patch-ao @@ -1,12 +1,12 @@ -$NetBSD: patch-ao,v 1.11 2008/04/08 06:36:47 taca Exp $ +$NetBSD: patch-ao,v 1.12 2008/04/27 00:34:27 tnn Exp $ One more replacing 0 with ROOTUID is handled by using SUBST framework because patch can't handle it when hpn-patch option is enabled. So, don't simply update this file with mkpatch command. ---- session.c.orig 2007-08-16 13:28:04.000000000 +0000 +--- session.c.orig 2008-03-27 01:03:05.000000000 +0100 +++ session.c -@@ -954,7 +954,7 @@ read_etc_default_login(char ***env, u_in +@@ -955,7 +955,7 @@ read_etc_default_login(char ***env, u_in if (tmpenv == NULL) return; @@ -15,7 +15,7 @@ So, don't simply update this file with mkpatch command. var = child_get_env(tmpenv, "SUPATH"); else var = child_get_env(tmpenv, "PATH"); -@@ -1063,7 +1063,7 @@ do_setup_env(Session *s, const char *she +@@ -1064,7 +1064,7 @@ do_setup_env(Session *s, const char *she # endif /* HAVE_ETC_DEFAULT_LOGIN */ if (path == NULL || *path == '\0') { child_set_env(&env, &envsize, "PATH", @@ -24,7 +24,7 @@ So, don't simply update this file with mkpatch command. SUPERUSER_PATH : _PATH_STDPATH); } # endif /* HAVE_CYGWIN */ -@@ -1177,6 +1177,18 @@ do_setup_env(Session *s, const char *she +@@ -1178,6 +1178,18 @@ do_setup_env(Session *s, const char *she strcmp(pw->pw_dir, "/") ? pw->pw_dir : ""); read_environment_file(&env, &envsize, buf); } @@ -43,22 +43,10 @@ So, don't simply update this file with mkpatch command. if (debug_flag) { /* dump the environment */ fprintf(stderr, "Environment:\n"); -@@ -1201,8 +1213,9 @@ do_rc_files(Session *s, const char *shel - do_xauth = - s->display != NULL && s->auth_proto != NULL && s->auth_data != NULL; +@@ -1351,9 +1363,9 @@ do_setusercontext(struct passwd *pw) + (void)ssh_selinux_enabled(); + #endif -- /* ignore _PATH_SSH_USER_RC for subsystems */ -- if (!s->is_subsystem && (stat(_PATH_SSH_USER_RC, &st) >= 0)) { -+ /* ignore _PATH_SSH_USER_RC for subsystems and admin forced commands */ -+ if (!s->is_subsystem && options.adm_forced_command == NULL && -+ (stat(_PATH_SSH_USER_RC, &st) >= 0)) { - snprintf(cmd, sizeof cmd, "%s -c '%s %s'", - shell, _PATH_BSHELL, _PATH_SSH_USER_RC); - if (debug_flag) -@@ -1287,9 +1300,9 @@ do_nologin(struct passwd *pw) - void - do_setusercontext(struct passwd *pw) - { -#ifndef HAVE_CYGWIN +#if !defined(HAVE_CYGWIN) && !defined(HAVE_INTERIX) if (getuid() == 0 || geteuid() == 0) @@ -67,7 +55,7 @@ So, don't simply update this file with mkpatch command. { #ifdef HAVE_SETPCRED -@@ -1331,11 +1344,13 @@ do_setusercontext(struct passwd *pw) +@@ -1387,11 +1399,13 @@ do_setusercontext(struct passwd *pw) perror("setgid"); exit(1); } @@ -79,9 +67,9 @@ So, don't simply update this file with mkpatch command. } +# endif /* !HAVE_INTERIX */ endgrent(); - #ifdef GSSAPI - if (options.gss_authentication) { -@@ -2086,7 +2101,7 @@ session_pty_cleanup2(Session *s) + # ifdef USE_PAM + /* +@@ -2175,7 +2189,7 @@ session_pty_cleanup2(Session *s) record_logout(s->pid, s->tty, s->pw->pw_name); /* Release the pseudo-tty. */ diff --git a/security/openssh/patches/patch-ap b/security/openssh/patches/patch-ap index 8155f7cb536..3b982f750a3 100644 --- a/security/openssh/patches/patch-ap +++ b/security/openssh/patches/patch-ap @@ -1,11 +1,11 @@ -$NetBSD: patch-ap,v 1.8 2006/10/31 03:31:20 taca Exp $ +$NetBSD: patch-ap,v 1.9 2008/04/27 00:34:27 tnn Exp $ ---- ssh.c.orig 2006-10-29 12:02:30.000000000 +0900 +--- ssh.c.orig 2008-02-28 09:13:52.000000000 +0100 +++ ssh.c -@@ -684,7 +684,7 @@ main(int ac, char **av) - /* Open a connection to the remote host. */ +@@ -693,7 +693,7 @@ main(int ac, char **av) if (ssh_connect(host, &hostaddr, options.port, - options.address_family, options.connection_attempts, + options.address_family, options.connection_attempts, &timeout_ms, + options.tcp_keep_alive, -#ifdef HAVE_CYGWIN +#if defined(HAVE_CYGWIN) || defined(HAVE_INTERIX) options.use_privileged_port, diff --git a/security/openssh/patches/patch-ax b/security/openssh/patches/patch-ax index 581b9f1afab..6965d5865b1 100644 --- a/security/openssh/patches/patch-ax +++ b/security/openssh/patches/patch-ax @@ -1,18 +1,10 @@ -$NetBSD: patch-ax,v 1.5 2008/04/03 07:59:08 tonnerre Exp $ +$NetBSD: patch-ax,v 1.6 2008/04/27 00:34:27 tnn Exp $ -Don't deadlock on exit with multiple X forwarded channels. -Don't use X11 port which can't be bound on all IP families. -Fixes CVE-2008-1483. - ---- channels.c.orig 2007-06-25 09:04:47.000000000 +0000 -+++ channels.c -@@ -2905,9 +2905,6 @@ x11_create_display_inet(int x11_display_ - debug2("bind port %d: %.100s", port, strerror(errno)); - close(sock); +--- sftp.h.orig 2008-02-10 12:40:12.000000000 +0100 ++++ sftp.h +@@ -94,4 +94,4 @@ + struct passwd; -- if (ai->ai_next) -- continue; -- - for (n = 0; n < num_socks; n++) { - close(socks[n]); - } + int sftp_server_main(int, char **, struct passwd *); +-void sftp_server_cleanup_exit(int) __dead; ++void sftp_server_cleanup_exit(int) __attribute__((noreturn)); |