authortaca <taca@pkgsrc.org>2008-09-16 12:53:08 +0000
committertaca <taca@pkgsrc.org>2008-09-16 12:53:08 +0000
commit847296952ef9a1b4ce3bf9ad00af2f37c029e25b (patch)
tree1eeff042b564017126523aec8e4b30c46bb85ef6 /security
parente04b0abdc979370542a7de40b1a015b2dd9707fd (diff)
Update openssh package to 5.1.1 (5.1p1)
The changes since OpenSSH 5.0 are too many to list here; please refer to the release notes: http://www.openssh.com/txt/release-5.1. I quote only the Security section from the release notes. Security: * sshd(8): Avoid X11 man-in-the-middle attack on HP/UX (and possibly other platforms) when X11UseLocalhost=no When attempting to bind(2) to a port that has previously been bound with SO_REUSEADDR set, most operating systems check that either the effective user-id matches the previous bind (common on BSD-derived systems) or that the bind addresses do not overlap (Linux and Solaris). Some operating systems, such as HP/UX, do not perform these checks and are vulnerable to an X11 man-in-the-middle attack when the sshd_config(5) option X11UseLocalhost has been set to "no" - an attacker may establish a more-specific bind, which will be used in preference to sshd's wildcard listener. Modern BSD operating systems, Linux, OS X and Solaris implement the above checks and are not vulnerable to this attack, nor are systems where the X11UseLocalhost has been left at the default value of "yes". Portable OpenSSH 5.1 avoids this problem for all operating systems by not setting SO_REUSEADDR when X11UseLocalhost is set to no. This vulnerability was reported by sway2004009 AT hotmail.com.
Diffstat (limited to 'security')
-rw-r--r--security/openssh/Makefile9
-rw-r--r--security/openssh/PLIST3
-rw-r--r--security/openssh/distinfo21
-rw-r--r--security/openssh/options.mk4
-rw-r--r--security/openssh/patches/patch-ac17
-rw-r--r--security/openssh/patches/patch-ag16
-rw-r--r--security/openssh/patches/patch-as20
-rw-r--r--security/openssh/patches/patch-at38
-rw-r--r--security/openssh/patches/patch-ax10
9 files changed, 28 insertions, 110 deletions
diff --git a/security/openssh/Makefile b/security/openssh/Makefile
index 189243b0782..ab846109db8 100644
--- a/security/openssh/Makefile
+++ b/security/openssh/Makefile
@@ -1,8 +1,7 @@
-# $NetBSD: Makefile,v 1.189 2008/07/24 16:25:47 tnn Exp $
+# $NetBSD: Makefile,v 1.190 2008/09/16 12:53:08 taca Exp $
-DISTNAME= openssh-5.0p1
-PKGNAME= openssh-5.0.1
-PKGREVISION= 1
+DISTNAME= openssh-5.1p1
+PKGNAME= openssh-5.1.1
SVR4_PKGNAME= ossh
CATEGORIES= security
MASTER_SITES= ftp://ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/ \
@@ -12,7 +11,7 @@ MASTER_SITES= ftp://ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/ \
ftp://ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/old/
# Don't delete the last entry -- it's there if the pkgsrc version is not
# up-to-date and the mirrors already removed the old distfile.
-DIST_SUBDIR= ${PKGBASE}-5.0.1-20080427
+DIST_SUBDIR= ${PKGBASE}-5.1.1-20080916
MAINTAINER= pkgsrc-users@NetBSD.org
HOMEPAGE= http://www.openssh.com/
diff --git a/security/openssh/PLIST b/security/openssh/PLIST
index 67b676b309a..90d752b64cb 100644
--- a/security/openssh/PLIST
+++ b/security/openssh/PLIST
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.11 2005/07/28 16:31:13 reed Exp $
+@comment $NetBSD: PLIST,v 1.12 2008/09/16 12:53:08 taca Exp $
bin/scp
bin/sftp
bin/slogin
@@ -17,6 +17,7 @@ man/man1/ssh-agent.1
man/man1/ssh-keygen.1
man/man1/ssh-keyscan.1
man/man1/ssh.1
+man/man5/moduli.5
man/man5/ssh_config.5
man/man5/sshd_config.5
man/man8/sftp-server.8
diff --git a/security/openssh/distinfo b/security/openssh/distinfo
index 05f12a29452..6f39c5826d3 100644
--- a/security/openssh/distinfo
+++ b/security/openssh/distinfo
@@ -1,18 +1,18 @@
-$NetBSD: distinfo,v 1.70 2008/07/24 16:25:47 tnn Exp $
+$NetBSD: distinfo,v 1.71 2008/09/16 12:53:08 taca Exp $
-SHA1 (openssh-5.0.1-20080427/openssh-5.0p1-hpn13v3.diff.gz) = 688265249dfaa449283ddfae2f81a9b6e3507f86
-RMD160 (openssh-5.0.1-20080427/openssh-5.0p1-hpn13v3.diff.gz) = d4baca41f6212036b513173835de6e1081d49ac8
-Size (openssh-5.0.1-20080427/openssh-5.0p1-hpn13v3.diff.gz) = 24060 bytes
-SHA1 (openssh-5.0.1-20080427/openssh-5.0p1.tar.gz) = 121cea3a730c0b0353334b6f46f438de30ab4928
-RMD160 (openssh-5.0.1-20080427/openssh-5.0p1.tar.gz) = b813234014e339fe2d9d10a5adad9f8e065918fc
-Size (openssh-5.0.1-20080427/openssh-5.0p1.tar.gz) = 1011556 bytes
+SHA1 (openssh-5.1.1-20080916/openssh-5.1p1-hpn13v5.diff.gz) = c2911f04f8d46a28afa9f9cbb7ec226cb2c893d1
+RMD160 (openssh-5.1.1-20080916/openssh-5.1p1-hpn13v5.diff.gz) = 6466cd0825e80366adc1978069e3c61255e0bde7
+Size (openssh-5.1.1-20080916/openssh-5.1p1-hpn13v5.diff.gz) = 23017 bytes
+SHA1 (openssh-5.1.1-20080916/openssh-5.1p1.tar.gz) = 877ea5b283060fe0160e376ea645e8e168047ff5
+RMD160 (openssh-5.1.1-20080916/openssh-5.1p1.tar.gz) = 24293ad89633cfd4791f08eb3442becb7e5788ca
+Size (openssh-5.1.1-20080916/openssh-5.1p1.tar.gz) = 1040041 bytes
SHA1 (patch-aa) = 8b7a16e9a63cfff3b73d70b9cebb6627b96396e0
SHA1 (patch-ab) = a105c238c8dc774ed6992791b131da56824869e9
-SHA1 (patch-ac) = dfb054ef02fbb5d206f6adaf82944f16da20eaf9
+SHA1 (patch-ac) = ba97b23c6527311256b335c58175da9e9a3616e4
SHA1 (patch-ad) = 7921e029b56c0e4769a7ada03dff3eb2e275db7d
SHA1 (patch-ae) = 9585221f9e49b4ebea31c374066d70e11aa804a1
SHA1 (patch-af) = ca3224af0b648803404776a8c12ed678db4f8ff6
-SHA1 (patch-ag) = b6f92a5394a3442fcc0c2a2ee204c10df5a4aea5
+SHA1 (patch-ag) = eeaa6e09f743405af074009ffe80678a5179ed08
SHA1 (patch-ah) = bc0d7c2903ecf264e62b53f3864812af5f2f04ce
SHA1 (patch-ai) = becad6262e5daeef2a6db14097a8971c40088403
SHA1 (patch-aj) = 4f477f40d1d891dcda9083cec5521e80410ebd54
@@ -24,9 +24,6 @@ SHA1 (patch-ao) = a7c5a1832cb2a4584c77577fb125f84a1e9a9deb
SHA1 (patch-ap) = 3029b847ce83305e8103276e27c75e0338e1fc08
SHA1 (patch-aq) = a619b57361b04d5ab3d41375c18f7b99d71c8b34
SHA1 (patch-ar) = fce4dc1011a124f02b8e14980cda1d633b36aa7d
-SHA1 (patch-as) = 19660f5983931ea3b053e6f4289cf6fae2ce50f3
-SHA1 (patch-at) = 7e7220e024d59d5462157b1d16dd90f23ab697f3
SHA1 (patch-au) = 6cfdfc531e2267017a15e66ea48c7ecfa2a3926f
SHA1 (patch-av) = 00f54c3fae7318b278b16bd0b01881a90bd31365
SHA1 (patch-aw) = 2a88b7563c6f52163c6c5f716e437ecaea613a30
-SHA1 (patch-ax) = 8b876f4ba5b020dbd41f1166fc0b169444874d5a
diff --git a/security/openssh/options.mk b/security/openssh/options.mk
index 86785c5004f..25b1ea42821 100644
--- a/security/openssh/options.mk
+++ b/security/openssh/options.mk
@@ -1,4 +1,4 @@
-# $NetBSD: options.mk,v 1.15 2008/04/27 00:34:27 tnn Exp $
+# $NetBSD: options.mk,v 1.16 2008/09/16 12:53:08 taca Exp $
.include "../../mk/bsd.prefs.mk"
@@ -17,7 +17,7 @@ CONFIGURE_ARGS+= --with-kerberos5=${KRB5BASE:Q}
.endif
.if !empty(PKG_OPTIONS:Mhpn-patch)
-PATCHFILES= openssh-5.0p1-hpn13v3.diff.gz
+PATCHFILES= openssh-5.1p1-hpn13v5.diff.gz
PATCH_SITES= http://www.psc.edu/networking/projects/hpn-ssh/
PATCH_DIST_STRIP= -p1
.endif
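Review bot: The bumped `PATCHFILES` entry is a third-party patch fetched over plain `http://` from `PATCH_SITES`, so the SHA1/RMD160 lines that distinfo records for `openssh-5.1p1-hpn13v5.diff.gz` are the only thing tying the build to the file the committer actually reviewed. A comment above the assignment would make that dependency explicit, for example `# third-party patch fetched over http; integrity rests on the distinfo digests`. This commit also deletes patch-at, the local channels.c change that skipped `channel_set_reuseaddr()` when `x11_use_localhost` is off, in favour of the upstream 5.1p1 code. If the HPN diff touches channels.c (not visible here), a build with the `hpn-patch` option should confirm it applies without fuzz and leaves that conditional in place.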
diff --git a/security/openssh/patches/patch-ac b/security/openssh/patches/patch-ac
index d1859243214..e68b350f72c 100644
--- a/security/openssh/patches/patch-ac
+++ b/security/openssh/patches/patch-ac
@@ -1,6 +1,6 @@
-$NetBSD: patch-ac,v 1.16 2006/10/31 03:31:20 taca Exp $
+$NetBSD: patch-ac,v 1.17 2008/09/16 12:53:08 taca Exp $
---- defines.h.orig 2006-09-21 22:13:30.000000000 +0900
+--- defines.h.orig 2008-07-04 22:10:49.000000000 +0900
+++ defines.h
@@ -30,6 +30,15 @@
@@ -18,18 +18,7 @@ $NetBSD: patch-ac,v 1.16 2006/10/31 03:31:20 taca Exp $
#if defined(HAVE_DECL_SHUT_RD) && HAVE_DECL_SHUT_RD == 0
enum
{
-@@ -437,10 +446,6 @@ struct winsize {
- # define __attribute__(x)
- #endif /* !defined(__GNUC__) || (__GNUC__ < 2) */
-
--#ifndef __dead
--# define __dead __attribute__((noreturn))
--#endif
--
- #if !defined(HAVE_ATTRIBUTE__SENTINEL__) && !defined(__sentinel__)
- # define __sentinel__
- #endif
-@@ -643,6 +648,24 @@ struct winsize {
+@@ -645,6 +654,24 @@ struct winsize {
# endif
# endif
#endif
diff --git a/security/openssh/patches/patch-ag b/security/openssh/patches/patch-ag
index b647b6f6dcf..60451e45489 100644
--- a/security/openssh/patches/patch-ag
+++ b/security/openssh/patches/patch-ag
@@ -1,18 +1,18 @@
-$NetBSD: patch-ag,v 1.9 2006/10/31 03:31:20 taca Exp $
+$NetBSD: patch-ag,v 1.10 2008/09/16 12:53:08 taca Exp $
---- config.h.in.orig 2006-09-26 20:03:33.000000000 +0900
+--- config.h.in.orig 2008-07-21 17:30:49.000000000 +0900
+++ config.h.in
-@@ -32,6 +32,9 @@
- */
- #undef BROKEN_ONE_BYTE_DIRENT_D_NAME
+@@ -506,6 +506,9 @@
+ /* define if you have int64_t data type */
+ #undef HAVE_INT64_T
+/* Define if you are on Interix */
+#undef HAVE_INTERIX
+
- /* Define if you have a broken realpath. */
- #undef BROKEN_REALPATH
+ /* Define to 1 if you have the <inttypes.h> header file. */
+ #undef HAVE_INTTYPES_H
-@@ -573,6 +576,9 @@
+@@ -623,6 +626,9 @@
/* Define to 1 if you have the <net/if_tun.h> header file. */
#undef HAVE_NET_IF_TUN_H
diff --git a/security/openssh/patches/patch-as b/security/openssh/patches/patch-as
deleted file mode 100644
index aaa954ff6cb..00000000000
--- a/security/openssh/patches/patch-as
+++ /dev/null
@@ -1,20 +0,0 @@
-$NetBSD: patch-as,v 1.5 2006/10/31 03:31:20 taca Exp $
-
---- log.h.orig 2006-08-18 23:32:21.000000000 +0900
-+++ log.h
-@@ -51,7 +51,7 @@ void log_init(char *, LogLevel, Sysl
- SyslogFacility log_facility_number(char *);
- LogLevel log_level_number(char *);
-
--void fatal(const char *, ...) __dead __attribute__((format(printf, 1, 2)));
-+void fatal(const char *, ...) __attribute__((noreturn)) __attribute__((format(printf, 1, 2)));
- void error(const char *, ...) __attribute__((format(printf, 1, 2)));
- void sigdie(const char *, ...) __attribute__((format(printf, 1, 2)));
- void logit(const char *, ...) __attribute__((format(printf, 1, 2)));
-@@ -61,5 +61,5 @@ void debug2(const char *, ...) __att
- void debug3(const char *, ...) __attribute__((format(printf, 1, 2)));
-
- void do_log(LogLevel, const char *, va_list);
--void cleanup_exit(int) __dead;
-+void cleanup_exit(int) __attribute__((noreturn));
- #endif
diff --git a/security/openssh/patches/patch-at b/security/openssh/patches/patch-at
deleted file mode 100644
index b1a501ccca0..00000000000
--- a/security/openssh/patches/patch-at
+++ /dev/null
@@ -1,38 +0,0 @@
-$NetBSD: patch-at,v 1.7 2008/07/24 16:25:47 tnn Exp $
-
-Index: channels.c
-===================================================================
-RCS file: /cvs/openssh/channels.c,v
-retrieving revision 1.262
-retrieving revision 1.263
-diff -u -p -u -r1.262 -r1.263
---- channels.c 10 Jun 2008 13:01:51 -0000 1.262
-+++ channels.c 11 Jun 2008 20:05:12 -0000 1.263
-@@ -3018,7 +3018,8 @@ x11_create_display_inet(int x11_display_
- error("setsockopt IPV6_V6ONLY: %.100s", strerror(errno));
- }
- #endif
-- channel_set_reuseaddr(sock);
-+ if (x11_use_localhost)
-+ channel_set_reuseaddr(sock);
- if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
- debug2("bind port %d: %.100s", port, strerror(errno));
- close(sock);
-@@ -3030,17 +3031,8 @@ x11_create_display_inet(int x11_display_
- break;
- }
- socks[num_socks++] = sock;
--#ifndef DONT_TRY_OTHER_AF
- if (num_socks == NUM_SOCKS)
- break;
--#else
-- if (x11_use_localhost) {
-- if (num_socks == NUM_SOCKS)
-- break;
-- } else {
-- break;
-- }
--#endif
- }
- freeaddrinfo(aitop);
- if (num_socks > 0)
diff --git a/security/openssh/patches/patch-ax b/security/openssh/patches/patch-ax
deleted file mode 100644
index 6965d5865b1..00000000000
--- a/security/openssh/patches/patch-ax
+++ /dev/null
@@ -1,10 +0,0 @@
-$NetBSD: patch-ax,v 1.6 2008/04/27 00:34:27 tnn Exp $
-
---- sftp.h.orig 2008-02-10 12:40:12.000000000 +0100
-+++ sftp.h
-@@ -94,4 +94,4 @@
- struct passwd;
-
- int sftp_server_main(int, char **, struct passwd *);
--void sftp_server_cleanup_exit(int) __dead;
-+void sftp_server_cleanup_exit(int) __attribute__((noreturn));