summaryrefslogtreecommitdiff
path: root/security/openssh
diff options
context:
space:
mode:
authortnn <tnn@pkgsrc.org>2008-04-27 00:34:27 +0000
committertnn <tnn@pkgsrc.org>2008-04-27 00:34:27 +0000
commit8a00f770a529f0756bd330dbfc9f0068789fc314 (patch)
treec512b2a72f54af9d20896fda3ddc93c5c2b240b5 /security/openssh
parentde47e1f2f1340ee6ae2990740d9df1b5ce510229 (diff)
downloadpkgsrc-8a00f770a529f0756bd330dbfc9f0068789fc314.tar.gz
Update to OpenSSH 5.0p1.
Changes since 4.7: - fix two security issues - chroot support for sshd(8) - sftp server internalized in sshd(8) - assorted bug fixes
Diffstat (limited to 'security/openssh')
-rw-r--r--security/openssh/Makefile18
-rw-r--r--security/openssh/distinfo20
-rw-r--r--security/openssh/options.mk4
-rw-r--r--security/openssh/patches/patch-ao36
-rw-r--r--security/openssh/patches/patch-ap10
-rw-r--r--security/openssh/patches/patch-ax24
6 files changed, 47 insertions, 65 deletions
diff --git a/security/openssh/Makefile b/security/openssh/Makefile
index 1409e032c2f..30391e48479 100644
--- a/security/openssh/Makefile
+++ b/security/openssh/Makefile
@@ -1,8 +1,7 @@
-# $NetBSD: Makefile,v 1.187 2008/04/03 07:59:08 tonnerre Exp $
+# $NetBSD: Makefile,v 1.188 2008/04/27 00:34:27 tnn Exp $
-DISTNAME= openssh-4.7p1
-PKGNAME= openssh-4.7.1
-PKGREVISION= 3
+DISTNAME= openssh-5.0p1
+PKGNAME= openssh-5.0.1
SVR4_PKGNAME= ossh
CATEGORIES= security
MASTER_SITES= ftp://ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/ \
@@ -12,7 +11,7 @@ MASTER_SITES= ftp://ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/ \
ftp://ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/old/
# Don't delete the last entry -- it's there if the pkgsrc version is not
# up-to-date and the mirrors already removed the old distfile.
-DIST_SUBDIR= ${PKGBASE}-4.7.1-20070919
+DIST_SUBDIR= ${PKGBASE}-5.0.1-20080427
MAINTAINER= pkgsrc-users@NetBSD.org
HOMEPAGE= http://www.openssh.com/
@@ -24,6 +23,8 @@ CONFLICTS+= ssh2-[0-9]* ssh2-nox11-[0-9]*
CONFLICTS+= openssh+gssapi-[0-9]*
CONFLICTS+= lsh>2.0
+PKG_DESTDIR_SUPPORT= user-destdir
+
USE_TOOLS+= perl
CRYPTO= yes
@@ -161,12 +162,13 @@ SUBST_MESSAGE.patch= More patch a file.
.include "../../security/tcp_wrappers/buildlink3.mk"
post-install:
- ${INSTALL_DATA_DIR} ${EGDIR}
+ ${INSTALL_DATA_DIR} ${DESTDIR}${EGDIR}
cd ${WRKSRC}; for file in ${CONFS}; do \
- ${INSTALL_DATA} $${file}.out ${EGDIR}/$${file}; \
+ ${INSTALL_DATA} $${file}.out ${DESTDIR}${EGDIR}/$${file}; \
done
.if !empty(PKG_OPTIONS:Mpam) && ${OPSYS} == "Linux"
- ${INSTALL_DATA} ${WRKSRC}/contrib/sshd.pam.generic ${EGDIR}/sshd.pam
+ ${INSTALL_DATA} ${WRKSRC}/contrib/sshd.pam.generic \
+ ${DESTDIR}${EGDIR}/sshd.pam
.endif
.include "../../mk/bsd.pkg.mk"
diff --git a/security/openssh/distinfo b/security/openssh/distinfo
index 6ee29f80b25..e2934e64117 100644
--- a/security/openssh/distinfo
+++ b/security/openssh/distinfo
@@ -1,11 +1,11 @@
-$NetBSD: distinfo,v 1.68 2008/04/08 06:36:47 taca Exp $
+$NetBSD: distinfo,v 1.69 2008/04/27 00:34:27 tnn Exp $
-SHA1 (openssh-4.7.1-20070919/openssh-4.7p1-hpn12v18.diff.gz) = 8ab61d12b5bcf70d0ffe9cb1d157136d20ebb22c
-RMD160 (openssh-4.7.1-20070919/openssh-4.7p1-hpn12v18.diff.gz) = 7b35eb1a3f6f3b703ac7f155f620bff63a900a0e
-Size (openssh-4.7.1-20070919/openssh-4.7p1-hpn12v18.diff.gz) = 16094 bytes
-SHA1 (openssh-4.7.1-20070919/openssh-4.7p1.tar.gz) = 58357db9e64ba6382bef3d73d1d386fcdc0508f4
-RMD160 (openssh-4.7.1-20070919/openssh-4.7p1.tar.gz) = b828e79d3d1a931cb77651ec7d7276cf3ba22d90
-Size (openssh-4.7.1-20070919/openssh-4.7p1.tar.gz) = 991119 bytes
+SHA1 (openssh-5.0.1-20080427/openssh-5.0p1-hpn13v3.diff.gz) = 688265249dfaa449283ddfae2f81a9b6e3507f86
+RMD160 (openssh-5.0.1-20080427/openssh-5.0p1-hpn13v3.diff.gz) = d4baca41f6212036b513173835de6e1081d49ac8
+Size (openssh-5.0.1-20080427/openssh-5.0p1-hpn13v3.diff.gz) = 24060 bytes
+SHA1 (openssh-5.0.1-20080427/openssh-5.0p1.tar.gz) = 121cea3a730c0b0353334b6f46f438de30ab4928
+RMD160 (openssh-5.0.1-20080427/openssh-5.0p1.tar.gz) = b813234014e339fe2d9d10a5adad9f8e065918fc
+Size (openssh-5.0.1-20080427/openssh-5.0p1.tar.gz) = 1011556 bytes
SHA1 (patch-aa) = 8b7a16e9a63cfff3b73d70b9cebb6627b96396e0
SHA1 (patch-ab) = a105c238c8dc774ed6992791b131da56824869e9
SHA1 (patch-ac) = dfb054ef02fbb5d206f6adaf82944f16da20eaf9
@@ -20,12 +20,12 @@ SHA1 (patch-ak) = 3720afb4e95356d5310762cda881820d524dcffc
SHA1 (patch-al) = d312a068047a375e52180026554bab745efdcdb7
SHA1 (patch-am) = 4e2278b20e87e530e1819efde976d4414e160e38
SHA1 (patch-an) = 2f955b8891bedd79986490d282eb09acd4910250
-SHA1 (patch-ao) = f2188b57baff4c88a793eee37dad69ffc523f7e5
-SHA1 (patch-ap) = 2c0c092637661328046b71292a7412d09e92bb2a
+SHA1 (patch-ao) = a7c5a1832cb2a4584c77577fb125f84a1e9a9deb
+SHA1 (patch-ap) = 3029b847ce83305e8103276e27c75e0338e1fc08
SHA1 (patch-aq) = a619b57361b04d5ab3d41375c18f7b99d71c8b34
SHA1 (patch-ar) = fce4dc1011a124f02b8e14980cda1d633b36aa7d
SHA1 (patch-as) = 19660f5983931ea3b053e6f4289cf6fae2ce50f3
SHA1 (patch-au) = 6cfdfc531e2267017a15e66ea48c7ecfa2a3926f
SHA1 (patch-av) = 00f54c3fae7318b278b16bd0b01881a90bd31365
SHA1 (patch-aw) = 2a88b7563c6f52163c6c5f716e437ecaea613a30
-SHA1 (patch-ax) = 1ddf59636b6f3b544850f787ca63287fd93cae88
+SHA1 (patch-ax) = 8b876f4ba5b020dbd41f1166fc0b169444874d5a
diff --git a/security/openssh/options.mk b/security/openssh/options.mk
index c3aa485d162..86785c5004f 100644
--- a/security/openssh/options.mk
+++ b/security/openssh/options.mk
@@ -1,4 +1,4 @@
-# $NetBSD: options.mk,v 1.14 2007/09/07 10:41:12 taca Exp $
+# $NetBSD: options.mk,v 1.15 2008/04/27 00:34:27 tnn Exp $
.include "../../mk/bsd.prefs.mk"
@@ -17,7 +17,7 @@ CONFIGURE_ARGS+= --with-kerberos5=${KRB5BASE:Q}
.endif
.if !empty(PKG_OPTIONS:Mhpn-patch)
-PATCHFILES= openssh-4.7p1-hpn12v18.diff.gz
+PATCHFILES= openssh-5.0p1-hpn13v3.diff.gz
PATCH_SITES= http://www.psc.edu/networking/projects/hpn-ssh/
PATCH_DIST_STRIP= -p1
.endif
diff --git a/security/openssh/patches/patch-ao b/security/openssh/patches/patch-ao
index 6b726840be7..6823d1e0080 100644
--- a/security/openssh/patches/patch-ao
+++ b/security/openssh/patches/patch-ao
@@ -1,12 +1,12 @@
-$NetBSD: patch-ao,v 1.11 2008/04/08 06:36:47 taca Exp $
+$NetBSD: patch-ao,v 1.12 2008/04/27 00:34:27 tnn Exp $
One more replacing 0 with ROOTUID is handled by using SUBST framework
because patch can't handle it when hpn-patch option is enabled.
So, don't simply update this file with mkpatch command.
---- session.c.orig 2007-08-16 13:28:04.000000000 +0000
+--- session.c.orig 2008-03-27 01:03:05.000000000 +0100
+++ session.c
-@@ -954,7 +954,7 @@ read_etc_default_login(char ***env, u_in
+@@ -955,7 +955,7 @@ read_etc_default_login(char ***env, u_in
if (tmpenv == NULL)
return;
@@ -15,7 +15,7 @@ So, don't simply update this file with mkpatch command.
var = child_get_env(tmpenv, "SUPATH");
else
var = child_get_env(tmpenv, "PATH");
-@@ -1063,7 +1063,7 @@ do_setup_env(Session *s, const char *she
+@@ -1064,7 +1064,7 @@ do_setup_env(Session *s, const char *she
# endif /* HAVE_ETC_DEFAULT_LOGIN */
if (path == NULL || *path == '\0') {
child_set_env(&env, &envsize, "PATH",
@@ -24,7 +24,7 @@ So, don't simply update this file with mkpatch command.
SUPERUSER_PATH : _PATH_STDPATH);
}
# endif /* HAVE_CYGWIN */
-@@ -1177,6 +1177,18 @@ do_setup_env(Session *s, const char *she
+@@ -1178,6 +1178,18 @@ do_setup_env(Session *s, const char *she
strcmp(pw->pw_dir, "/") ? pw->pw_dir : "");
read_environment_file(&env, &envsize, buf);
}
@@ -43,22 +43,10 @@ So, don't simply update this file with mkpatch command.
if (debug_flag) {
/* dump the environment */
fprintf(stderr, "Environment:\n");
-@@ -1201,8 +1213,9 @@ do_rc_files(Session *s, const char *shel
- do_xauth =
- s->display != NULL && s->auth_proto != NULL && s->auth_data != NULL;
+@@ -1351,9 +1363,9 @@ do_setusercontext(struct passwd *pw)
+ (void)ssh_selinux_enabled();
+ #endif
-- /* ignore _PATH_SSH_USER_RC for subsystems */
-- if (!s->is_subsystem && (stat(_PATH_SSH_USER_RC, &st) >= 0)) {
-+ /* ignore _PATH_SSH_USER_RC for subsystems and admin forced commands */
-+ if (!s->is_subsystem && options.adm_forced_command == NULL &&
-+ (stat(_PATH_SSH_USER_RC, &st) >= 0)) {
- snprintf(cmd, sizeof cmd, "%s -c '%s %s'",
- shell, _PATH_BSHELL, _PATH_SSH_USER_RC);
- if (debug_flag)
-@@ -1287,9 +1300,9 @@ do_nologin(struct passwd *pw)
- void
- do_setusercontext(struct passwd *pw)
- {
-#ifndef HAVE_CYGWIN
+#if !defined(HAVE_CYGWIN) && !defined(HAVE_INTERIX)
if (getuid() == 0 || geteuid() == 0)
@@ -67,7 +55,7 @@ So, don't simply update this file with mkpatch command.
{
#ifdef HAVE_SETPCRED
-@@ -1331,11 +1344,13 @@ do_setusercontext(struct passwd *pw)
+@@ -1387,11 +1399,13 @@ do_setusercontext(struct passwd *pw)
perror("setgid");
exit(1);
}
@@ -79,9 +67,9 @@ So, don't simply update this file with mkpatch command.
}
+# endif /* !HAVE_INTERIX */
endgrent();
- #ifdef GSSAPI
- if (options.gss_authentication) {
-@@ -2086,7 +2101,7 @@ session_pty_cleanup2(Session *s)
+ # ifdef USE_PAM
+ /*
+@@ -2175,7 +2189,7 @@ session_pty_cleanup2(Session *s)
record_logout(s->pid, s->tty, s->pw->pw_name);
/* Release the pseudo-tty. */
diff --git a/security/openssh/patches/patch-ap b/security/openssh/patches/patch-ap
index 8155f7cb536..3b982f750a3 100644
--- a/security/openssh/patches/patch-ap
+++ b/security/openssh/patches/patch-ap
@@ -1,11 +1,11 @@
-$NetBSD: patch-ap,v 1.8 2006/10/31 03:31:20 taca Exp $
+$NetBSD: patch-ap,v 1.9 2008/04/27 00:34:27 tnn Exp $
---- ssh.c.orig 2006-10-29 12:02:30.000000000 +0900
+--- ssh.c.orig 2008-02-28 09:13:52.000000000 +0100
+++ ssh.c
-@@ -684,7 +684,7 @@ main(int ac, char **av)
- /* Open a connection to the remote host. */
+@@ -693,7 +693,7 @@ main(int ac, char **av)
if (ssh_connect(host, &hostaddr, options.port,
- options.address_family, options.connection_attempts,
+ options.address_family, options.connection_attempts, &timeout_ms,
+ options.tcp_keep_alive,
-#ifdef HAVE_CYGWIN
+#if defined(HAVE_CYGWIN) || defined(HAVE_INTERIX)
options.use_privileged_port,
diff --git a/security/openssh/patches/patch-ax b/security/openssh/patches/patch-ax
index 581b9f1afab..6965d5865b1 100644
--- a/security/openssh/patches/patch-ax
+++ b/security/openssh/patches/patch-ax
@@ -1,18 +1,10 @@
-$NetBSD: patch-ax,v 1.5 2008/04/03 07:59:08 tonnerre Exp $
+$NetBSD: patch-ax,v 1.6 2008/04/27 00:34:27 tnn Exp $
-Don't deadlock on exit with multiple X forwarded channels.
-Don't use X11 port which can't be bound on all IP families.
-Fixes CVE-2008-1483.
-
---- channels.c.orig 2007-06-25 09:04:47.000000000 +0000
-+++ channels.c
-@@ -2905,9 +2905,6 @@ x11_create_display_inet(int x11_display_
- debug2("bind port %d: %.100s", port, strerror(errno));
- close(sock);
+--- sftp.h.orig 2008-02-10 12:40:12.000000000 +0100
++++ sftp.h
+@@ -94,4 +94,4 @@
+ struct passwd;
-- if (ai->ai_next)
-- continue;
--
- for (n = 0; n < num_socks; n++) {
- close(socks[n]);
- }
+ int sftp_server_main(int, char **, struct passwd *);
+-void sftp_server_cleanup_exit(int) __dead;
++void sftp_server_cleanup_exit(int) __attribute__((noreturn));