authorsalo <salo@pkgsrc.org>2006-02-12 00:13:55 +0000
committersalo <salo@pkgsrc.org>2006-02-12 00:13:55 +0000
commit711b5325d2d025591dc1ce34f49eedcf5b2f593a (patch)
tree182bd6eda1a2ab1f730b408bbc0993bb778f9778 /security
parentd9f528e7fb2544c8776b57d6a55321f27d301104 (diff)
Update to version 3.4p1
From Jason White via PR pkg/32780 Changes: Security bugs resolved in this release: * CVE-2006-0225: scp (as does rcp, on which it is based) invoked a subshell to perform local to local, and remote to remote copy operations. This subshell exposed filenames to shell expansion twice; allowing a local attacker to create filenames containing shell metacharacters that, if matched by a wildcard, could lead to execution of attacker-specified commands with the privilege of the user running scp (Bugzilla #1094) This is primarily a bug-fix release, only one new feature has been added: * Add support for tunneling arbitrary network packets over a connection between an OpenSSH client and server via tun(4) virtual network interfaces. This allows the use of OpenSSH (4.3+) to create a true VPN between the client and server providing real network connectivity at layer 2 or 3. This feature is experimental and is currently supported on OpenBSD, Linux, NetBSD (IPv4 only) and FreeBSD. Other operating systems with tun/tap interface capability may be added in future portable OpenSSH releases. Please refer to the README.tun file in the source distribution for further details and usage examples. Some of the other bugs resolved and internal improvements are: * Reduce default key length for new DSA keys generated by ssh-keygen back to 1024 bits. DSA is not specified for longer lengths and does not fully benefit from simply making keys longer. As per FIPS 186-2 Change Notice 1, ssh-keygen will refuse to generate a new DSA key smaller or larger than 1024 bits * Fixed X forwarding failing to start when the X11 client is executed in background at the time of session exit (Bugzilla #1086) * Change ssh-keygen to generate a protocol 2 RSA key when invoked without arguments (Bugzilla #1064) * Fix timing variance for valid vs. 
invalid accounts when attempting Kerberos authentication (Bugzilla #975) * Ensure that ssh always returns code 255 on internal error (Bugzilla #1137) * Cleanup wtmp files on SIGTERM when not using privsep (Bugzilla #1029) * Set SO_REUSEADDR on X11 listeners to avoid problems caused by lingering sockets from previous session (X11 applications can sometimes not connect to 127.0.0.1:60xx) (Bugzilla #1076) * Ensure that fds 0, 1 and 2 are always attached in all programs, by duping /dev/null to them if necessary. * Xauth list invocation had bogus "." argument (Bugzilla #1082) * Remove internal assumptions on key exchange hash algorithm and output length, preparing OpenSSH for KEX methods with alternate hashes. * Ignore junk sent by a server before it sends the "SSH-" banner (Bugzilla #1067) * The manpages have been significantly improved and rearranged, in addition to other specific manpage fixes: #1037 - Man page entries for -L and -R should mention -g. #1077 - Descriptions for "ssh -D" and DynamicForward should mention they can specify "bind_address" optionally. #1088 - Incorrect descriptions in ssh_config man page for ControlMaster=no. #1121 - Several corrections for ssh_agent manpages * Lots of cleanups, including fixes to memory leaks on error paths (Bugzilla #1109, #1110, #1111 and more) and possible crashes (#1092) * Portable OpenSSH-specific fixes: - Pass random seed during re-exec for each connection: speeds up processing of new connections on platforms using the OpenSSH's builtin entropy collector (ssh-rand-helper) - PAM fixes and improvements: #1045 - Missing option for ignoring the /etc/nologin file #1087 - Show PAM password expiry message from LDAP on login #1028 - Forward final non-query conversations to client #1126 - Prevent user from being forced to change an expired password repeatedly on AIX in some PAM configurations. #1045 - Do not check /etc/nologin when PAM is enabled, instead allow PAM to handle it. 
Note that on platforms using PAM, the pam_nologin module should be used in sshd's session stack in order to maintain past behaviour - Portability-related fixes: #989 - Fix multiplexing regress test on Solaris #1097 - Cross-compile fixes. #1096 - ssh-keygen broken on HPUX. #1098 - $MAIL being set incorrectly for HPUX server login. #1104 - Compile error on Tru64 Unix 4.0f #1106 - Updated .spec file and startup for SuSE. #1122 - Use _GNU_SOURCE define in favor of __USE_GNU, fixing compilation problems on glibc 2.4
Diffstat (limited to 'security')
-rw-r--r--security/openssh/Makefile6
-rw-r--r--security/openssh/distinfo36
-rw-r--r--security/openssh/options.mk4
-rw-r--r--security/openssh/patches/patch-aa42
-rw-r--r--security/openssh/patches/patch-ab26
-rw-r--r--security/openssh/patches/patch-ac10
-rw-r--r--security/openssh/patches/patch-ae8
-rw-r--r--security/openssh/patches/patch-ag12
-rw-r--r--security/openssh/patches/patch-am8
-rw-r--r--security/openssh/patches/patch-an12
-rw-r--r--security/openssh/patches/patch-ao20
-rw-r--r--security/openssh/patches/patch-ap8
-rw-r--r--security/openssh/patches/patch-at8
-rw-r--r--security/openssh/patches/patch-av24
14 files changed, 115 insertions, 109 deletions
diff --git a/security/openssh/Makefile b/security/openssh/Makefile
index 216e9e7e151..e1f71e7ac4b 100644
--- a/security/openssh/Makefile
+++ b/security/openssh/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.163 2005/12/29 06:22:10 jlam Exp $
+# $NetBSD: Makefile,v 1.164 2006/02/12 00:13:55 salo Exp $
-DISTNAME= openssh-4.2p1
-PKGNAME= openssh-4.2.1
+DISTNAME= openssh-4.3p1
+PKGNAME= openssh-4.3.1
SVR4_PKGNAME= ossh
CATEGORIES= security
MASTER_SITES= ftp://ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/ \
diff --git a/security/openssh/distinfo b/security/openssh/distinfo
index bac8cf05128..d9a437bda41 100644
--- a/security/openssh/distinfo
+++ b/security/openssh/distinfo
@@ -1,30 +1,30 @@
-$NetBSD: distinfo,v 1.50 2005/11/07 19:50:20 tv Exp $
+$NetBSD: distinfo,v 1.51 2006/02/12 00:13:55 salo Exp $
-SHA1 (openssh-4.2p1.tar.gz) = 5e7231cfa8ec673ea856ce291b78fac8b380eb78
-RMD160 (openssh-4.2p1.tar.gz) = e1f45333e66d0afceb9934ab73401b4ca06f03a6
-Size (openssh-4.2p1.tar.gz) = 914165 bytes
-SHA1 (openssh-4.2p1-hpn11.diff) = 7a8af1ce909bfee6ac9d498834a503fdae928b88
-RMD160 (openssh-4.2p1-hpn11.diff) = c3cd4cbb53094fb1f248a780c3e5a05af2585f88
-Size (openssh-4.2p1-hpn11.diff) = 14765 bytes
-SHA1 (patch-aa) = cbe1d379a9ee8c9d907c132dcc4f090c3056b307
-SHA1 (patch-ab) = 9fa222f3ec2be4dc7d2090d5ea9e1812544659f3
-SHA1 (patch-ac) = 8df0d13db445e2c0ca4fce5d095cc2b948b1471d
+SHA1 (openssh-4.3p1.tar.gz) = b1f379127829e7e820955b2825130edd1601ba59
+RMD160 (openssh-4.3p1.tar.gz) = c1d69873ecc453b40d825a2f1b3a0909da815f5e
+Size (openssh-4.3p1.tar.gz) = 940777 bytes
+SHA1 (openssh-4.3p1-hpn11.diff) = 22f2c99d314abc400bd1731d9c35b0540cbf2eae
+RMD160 (openssh-4.3p1-hpn11.diff) = c3b807437fd9f40f2ab73c52586de194b84cce6e
+Size (openssh-4.3p1-hpn11.diff) = 11024 bytes
+SHA1 (patch-aa) = 213f5f5a3c7ae0bceafac1b169063fc71806dc7c
+SHA1 (patch-ab) = 6c71ad1a39a1d6f7e48fc244993a4189c2cd9ef7
+SHA1 (patch-ac) = 8c625fdaca4d73c27e4e68b5bb3aa54327eb61ff
SHA1 (patch-ad) = 23f73b7ce008c6ccd431d3d80692e59fcf33aa14
-SHA1 (patch-ae) = 21b58d72f4dbf9affed65857518c26ab9277a0f8
+SHA1 (patch-ae) = 0ea1559a47f536fe7bf758f78a2cae672285875f
SHA1 (patch-af) = abb711b840d58b499de961b72df7550b9298134a
-SHA1 (patch-ag) = e60b35b5d6f7db2bd30ef24f503463145689f1ea
+SHA1 (patch-ag) = b8b454c107e4e35473265489445e8918113d8ea8
SHA1 (patch-ah) = 5435b5d55c3a728f05243bbaade94bf6c3b7a6ef
SHA1 (patch-ai) = f4ac9340c106c30434cd017bc91a06c9bc83258c
SHA1 (patch-aj) = 44f2b11949a4dea6a8760b8397db5360b64bf01f
SHA1 (patch-ak) = 99f789676e606d4a51effc2abc02a50776f4e781
SHA1 (patch-al) = 2843c7c6e8b3d93a03b2d66d71c894a9e302f987
-SHA1 (patch-am) = c99132cf25317053dcd6fb50ac19d35b12b0b46b
-SHA1 (patch-an) = f32b94365452f8446f0c8872fa244cf1da387570
-SHA1 (patch-ao) = c08515b05456bb2840c2d5ce28622d2f47f12057
-SHA1 (patch-ap) = c9101ae26b01a6b0cb9c9f5b7ddea77f3cf0c4b3
+SHA1 (patch-am) = 19f8c2f251354995d5efc041023dca0290caf171
+SHA1 (patch-an) = 6242250d2393b2ac4041f117fe4539a29e1cadeb
+SHA1 (patch-ao) = 9721181847cc8cab0458d84a45e0384da9d34679
+SHA1 (patch-ap) = 05f53408ea224ddd6934ae64ec7698f604ecf8cd
SHA1 (patch-aq) = 3786a41a974d6583f379350068a762a725b8334d
SHA1 (patch-ar) = fe7d5b715ac51bece44d6f3ba9c3c6245d27d00d
SHA1 (patch-as) = 6af976b7c018c1a9b0841617edbffdb8b977a2d6
-SHA1 (patch-at) = 2468567cc0e91ea375f43c9ebae57644f50a5f27
+SHA1 (patch-at) = ffbcb38cf8578f05319b2af9cfcdb5ada2a57e78
SHA1 (patch-au) = 052b0b6d8869ad09144e4fc9e1b3c5e03c669c44
-SHA1 (patch-av) = e4116ca18ca2f182761270ae8022987b1553c6b7
+SHA1 (patch-av) = 5543fcf94eaad26e27043c1527921e23ecfefc77
diff --git a/security/openssh/options.mk b/security/openssh/options.mk
index 408105a4aa1..8c887c41e68 100644
--- a/security/openssh/options.mk
+++ b/security/openssh/options.mk
@@ -1,4 +1,4 @@
-# $NetBSD: options.mk,v 1.7 2005/12/05 23:55:18 rillig Exp $
+# $NetBSD: options.mk,v 1.8 2006/02/12 00:13:55 salo Exp $
.include "../../mk/bsd.prefs.mk"
@@ -17,7 +17,7 @@ CONFIGURE_ARGS+= --with-kerberos5=${KRB5BASE:Q}
.endif
.if !empty(PKG_OPTIONS:Mhpn-patch)
-PATCHFILES= openssh-4.2p1-hpn11.diff
+PATCHFILES= openssh-4.3p1-hpn11.diff
PATCH_SITES= http://www.psc.edu/networking/projects/hpn-ssh/
PATCH_DIST_STRIP= -p1
.endif
diff --git a/security/openssh/patches/patch-aa b/security/openssh/patches/patch-aa
index ae36aa2db9f..06382a4b831 100644
--- a/security/openssh/patches/patch-aa
+++ b/security/openssh/patches/patch-aa
@@ -1,8 +1,8 @@
-$NetBSD: patch-aa,v 1.40 2005/11/04 15:27:34 tv Exp $
+$NetBSD: patch-aa,v 1.41 2006/02/12 00:13:55 salo Exp $
---- configure.orig 2005-09-01 05:15:24.000000000 -0400
-+++ configure
-@@ -5481,6 +5481,36 @@ _ACEOF
+--- configure.orig 2006-02-01 05:33:51.000000000 -0600
++++ configure 2006-02-08 22:02:30.000000000 -0600
+@@ -5417,6 +5417,36 @@
;;
esac
;;
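Review bot: The regenerated header now carries a timestamp on the new-file line (`+++ configure 2006-02-08 22:02:30.000000000 -0600`) where the previous revision had a bare `+++ configure`, and the inner hunk headers lose their trailing context (`@@ -5417,6 +5417,36 @@` instead of `@@ -5481,6 +5481,36 @@ _ACEOF`). The headers of patch-ab, -ac, -ae, -ag, -am, -an, -ao, -ap, -at and -av in this commit show the same pattern. The timestamp differs on every regeneration, so the patch file, and presumably its `SHA1 (patch-aa)` entry in distinfo, changes even when the patched code does not, which makes it harder to tell from distinfo which local patches really changed in a security update. Keeping the line as `+++ configure` would avoid that churn.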
@@ -38,17 +38,17 @@ $NetBSD: patch-aa,v 1.40 2005/11/04 15:27:34 tv Exp $
+ ;;
*-*-irix5*)
PATH="$PATH:/usr/etc"
- cat >>confdefs.h <<\_ACEOF
-@@ -5706,7 +5736,7 @@ _ACEOF
- need_dash_r=1
- fi
+
+@@ -6233,7 +6263,7 @@
+ _ACEOF
+
;;
-*-*-freebsd*)
+*-*-freebsd*|*-*-dragonfly*)
check_for_libcrypt_later=1
- ;;
- *-*-bsdi*)
-@@ -6554,6 +6584,9 @@ _ACEOF
+
+ cat >>confdefs.h <<\_ACEOF
+@@ -7269,6 +7299,9 @@
;;
esac
@@ -58,7 +58,7 @@ $NetBSD: patch-aa,v 1.40 2005/11/04 15:27:34 tv Exp $
# Allow user to specify flags
# Check whether --with-cflags or --without-cflags was given.
-@@ -25360,12 +25393,19 @@ fi
+@@ -26694,14 +26727,21 @@
rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
if test -z "$conf_utmpx_location"; then
if test x"$system_utmpx_path" = x"no" ; then
@@ -72,16 +72,19 @@ $NetBSD: patch-aa,v 1.40 2005/11/04 15:27:34 tv Exp $
+ cat >>confdefs.h <<\_ACEOF
#define DISABLE_UTMPX 1
_ACEOF
--
+ fi
+
fi
-else
+-
+-cat >>confdefs.h <<_ACEOF
+fi
+if test -n "$conf_utmpx_location"; then
- cat >>confdefs.h <<_ACEOF
++ cat >>confdefs.h <<_ACEOF
#define CONF_UTMPX_FILE "$conf_utmpx_location"
_ACEOF
-@@ -25434,12 +25474,20 @@ fi
+
+@@ -26769,14 +26809,20 @@
rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
if test -z "$conf_wtmpx_location"; then
if test x"$system_wtmpx_path" = x"no" ; then
@@ -95,16 +98,19 @@ $NetBSD: patch-aa,v 1.40 2005/11/04 15:27:34 tv Exp $
+ cat >>confdefs.h <<\_ACEOF
#define DISABLE_WTMPX 1
_ACEOF
+-
+ fi
-
fi
-else
+-
+-cat >>confdefs.h <<_ACEOF
+fi
+if test -n "$conf_wtmpx_location"; then
- cat >>confdefs.h <<_ACEOF
++ cat >>confdefs.h <<_ACEOF
#define CONF_WTMPX_FILE "$conf_wtmpx_location"
_ACEOF
-@@ -26665,7 +26713,7 @@ echo "OpenSSH has been configured with t
+
+@@ -28002,7 +28048,7 @@
echo " User binaries: $B"
echo " System binaries: $C"
echo " Configuration files: $D"
diff --git a/security/openssh/patches/patch-ab b/security/openssh/patches/patch-ab
index 7ccf35c635b..6820ed2f6b0 100644
--- a/security/openssh/patches/patch-ab
+++ b/security/openssh/patches/patch-ab
@@ -1,8 +1,8 @@
-$NetBSD: patch-ab,v 1.22 2005/11/04 15:27:34 tv Exp $
+$NetBSD: patch-ab,v 1.23 2006/02/12 00:13:55 salo Exp $
---- configure.ac.orig 2005-08-31 12:59:49.000000000 -0400
-+++ configure.ac
-@@ -305,6 +305,15 @@ main() { if (NSVersionOfRunTimeLibrary("
+--- configure.ac.orig 2006-01-29 07:22:39.000000000 -0600
++++ configure.ac 2006-02-08 20:55:34.000000000 -0600
+@@ -277,6 +277,15 @@
;;
esac
;;
@@ -17,8 +17,8 @@ $NetBSD: patch-ab,v 1.22 2005/11/04 15:27:34 tv Exp $
+ ;;
*-*-irix5*)
PATH="$PATH:/usr/etc"
- AC_DEFINE(BROKEN_INET_NTOA)
-@@ -572,6 +581,9 @@ mips-sony-bsd|mips-sony-newsos4)
+ AC_DEFINE(BROKEN_INET_NTOA, 1,
+@@ -597,6 +606,9 @@
;;
esac
@@ -28,7 +28,7 @@ $NetBSD: patch-ab,v 1.22 2005/11/04 15:27:34 tv Exp $
# Allow user to specify flags
AC_ARG_WITH(cflags,
[ --with-cflags Specify additional flags to pass to compiler],
-@@ -3358,9 +3370,17 @@ AC_TRY_COMPILE([
+@@ -3668,9 +3680,17 @@
)
if test -z "$conf_utmpx_location"; then
if test x"$system_utmpx_path" = x"no" ; then
@@ -45,10 +45,10 @@ $NetBSD: patch-ab,v 1.22 2005/11/04 15:27:34 tv Exp $
-else
+fi
+if test -n "$conf_utmpx_location"; then
- AC_DEFINE_UNQUOTED(CONF_UTMPX_FILE, "$conf_utmpx_location")
+ AC_DEFINE_UNQUOTED(CONF_UTMPX_FILE, "$conf_utmpx_location",
+ [Define if you want to specify the path to your utmpx file])
fi
-
-@@ -3383,9 +3403,17 @@ AC_TRY_COMPILE([
+@@ -3694,9 +3714,17 @@
)
if test -z "$conf_wtmpx_location"; then
if test x"$system_wtmpx_path" = x"no" ; then
@@ -65,10 +65,10 @@ $NetBSD: patch-ab,v 1.22 2005/11/04 15:27:34 tv Exp $
-else
+fi
+if test -n "$conf_wtmpx_location"; then
- AC_DEFINE_UNQUOTED(CONF_WTMPX_FILE, "$conf_wtmpx_location")
+ AC_DEFINE_UNQUOTED(CONF_WTMPX_FILE, "$conf_wtmpx_location",
+ [Define if you want to specify the path to your wtmpx file])
fi
-
-@@ -3431,7 +3459,7 @@ echo "OpenSSH has been configured with t
+@@ -3743,7 +3771,7 @@
echo " User binaries: $B"
echo " System binaries: $C"
echo " Configuration files: $D"
diff --git a/security/openssh/patches/patch-ac b/security/openssh/patches/patch-ac
index 5467b632cc3..946429ead91 100644
--- a/security/openssh/patches/patch-ac
+++ b/security/openssh/patches/patch-ac
@@ -1,7 +1,7 @@
-$NetBSD: patch-ac,v 1.14 2005/11/04 15:45:03 tv Exp $
+$NetBSD: patch-ac,v 1.15 2006/02/12 00:13:55 salo Exp $
---- defines.h.orig 2005-08-31 12:59:49.000000000 -0400
-+++ defines.h
+--- defines.h.orig 2005-12-17 05:04:09.000000000 -0600
++++ defines.h 2006-02-08 20:58:45.000000000 -0600
@@ -30,6 +30,15 @@
/* Constants */
@@ -18,7 +18,7 @@ $NetBSD: patch-ac,v 1.14 2005/11/04 15:45:03 tv Exp $
#ifndef SHUT_RDWR
enum
{
-@@ -442,10 +451,6 @@ struct winsize {
+@@ -442,10 +451,6 @@
# define __attribute__(x)
#endif /* !defined(__GNUC__) || (__GNUC__ < 2) */
@@ -29,7 +29,7 @@ $NetBSD: patch-ac,v 1.14 2005/11/04 15:45:03 tv Exp $
#if !defined(HAVE_ATTRIBUTE__SENTINEL__) && !defined(__sentinel__)
# define __sentinel__
#endif
-@@ -635,6 +640,24 @@ struct winsize {
+@@ -639,6 +644,24 @@
# endif
# endif
#endif
diff --git a/security/openssh/patches/patch-ae b/security/openssh/patches/patch-ae
index 4191bc0648a..e77ef625ee5 100644
--- a/security/openssh/patches/patch-ae
+++ b/security/openssh/patches/patch-ae
@@ -1,8 +1,8 @@
-$NetBSD: patch-ae,v 1.10 2005/09/21 18:07:09 reed Exp $
+$NetBSD: patch-ae,v 1.11 2006/02/12 00:13:55 salo Exp $
---- includes.h.orig 2005-08-26 15:15:20.000000000 -0500
-+++ includes.h
-@@ -164,6 +164,10 @@
+--- includes.h.orig 2006-01-02 06:40:10.000000000 -0600
++++ includes.h 2006-02-08 21:01:39.000000000 -0600
+@@ -165,6 +165,10 @@
#ifdef HAVE_READPASSPHRASE_H
# include <readpassphrase.h>
#endif
diff --git a/security/openssh/patches/patch-ag b/security/openssh/patches/patch-ag
index abcae6f796a..ea563bd5898 100644
--- a/security/openssh/patches/patch-ag
+++ b/security/openssh/patches/patch-ag
@@ -1,10 +1,10 @@
-$NetBSD: patch-ag,v 1.7 2005/09/21 18:07:09 reed Exp $
+$NetBSD: patch-ag,v 1.8 2006/02/12 00:13:55 salo Exp $
---- config.h.in.orig 2005-09-01 04:15:22.000000000 -0500
-+++ config.h.in
-@@ -113,6 +113,9 @@
- /* Define if you are on Cygwin */
- #undef HAVE_CYGWIN
+--- config.h.in.orig 2006-02-01 05:33:49.000000000 -0600
++++ config.h.in 2006-02-08 21:02:59.000000000 -0600
+@@ -32,6 +32,9 @@
+ */
+ #undef BROKEN_ONE_BYTE_DIRENT_D_NAME
+/* Define if you are on Interix */
+#undef HAVE_INTERIX
diff --git a/security/openssh/patches/patch-am b/security/openssh/patches/patch-am
index c12784293db..417c7d6bade 100644
--- a/security/openssh/patches/patch-am
+++ b/security/openssh/patches/patch-am
@@ -1,8 +1,8 @@
-$NetBSD: patch-am,v 1.5 2005/09/21 18:07:09 reed Exp $
+$NetBSD: patch-am,v 1.6 2006/02/12 00:13:55 salo Exp $
---- auth2.c.orig 2005-07-17 02:26:44.000000000 -0500
-+++ auth2.c
-@@ -216,7 +216,7 @@
+--- auth2.c.orig 2005-09-23 21:43:51.000000000 -0500
++++ auth2.c 2006-02-08 21:05:04.000000000 -0600
+@@ -212,7 +212,7 @@
authctxt->user);
/* Special handling for root */
diff --git a/security/openssh/patches/patch-an b/security/openssh/patches/patch-an
index 2f025fe9c8e..318b2827609 100644
--- a/security/openssh/patches/patch-an
+++ b/security/openssh/patches/patch-an
@@ -1,8 +1,8 @@
-$NetBSD: patch-an,v 1.6 2005/09/21 18:07:09 reed Exp $
+$NetBSD: patch-an,v 1.7 2006/02/12 00:13:55 salo Exp $
---- scp.c.orig 2005-08-02 02:07:08.000000000 -0500
-+++ scp.c
-@@ -298,7 +298,11 @@
+--- scp.c.orig 2006-01-31 05:11:38.000000000 -0600
++++ scp.c 2006-02-08 21:06:37.000000000 -0600
+@@ -345,7 +345,11 @@
argc -= optind;
argv += optind;
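Review bot: patch-an goes straight from the `$NetBSD` tag to `--- scp.c.orig` with no description of what the local change does. One of its hunks (`@@ -1145,7 +1151,9 @@`, further down) adds two lines inside the switch whose visible cases are the quote and backquote characters, which looks like scp's filename character check. This update is the release that fixes CVE-2006-0225 in scp's filename handling, so a line under the tag such as `Local change: <what is altered in the name check, and on which platform>` would let a reader confirm the patch does not widen the set of accepted characters. patch-at, which adds four lines at the privilege-separation default in servconf.c, is in the same position. The added lines themselves are outside the visible hunks, so this note concerns only the missing description.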
@@ -14,7 +14,7 @@ $NetBSD: patch-an,v 1.6 2005/09/21 18:07:09 reed Exp $
fatal("unknown user %u", (u_int) userid);
if (!isatty(STDERR_FILENO))
-@@ -643,8 +647,10 @@
+@@ -695,8 +699,10 @@
return;
}
while ((dp = readdir(dirp)) != NULL) {
@@ -25,7 +25,7 @@ $NetBSD: patch-an,v 1.6 2005/09/21 18:07:09 reed Exp $
if (!strcmp(dp->d_name, ".") || !strcmp(dp->d_name, ".."))
continue;
if (strlen(name) + 1 + strlen(dp->d_name) >= sizeof(path) - 1) {
-@@ -1093,7 +1099,9 @@
+@@ -1145,7 +1151,9 @@
case '\'':
case '"':
case '`':
diff --git a/security/openssh/patches/patch-ao b/security/openssh/patches/patch-ao
index 5b4f22de5d4..010b7f61f1c 100644
--- a/security/openssh/patches/patch-ao
+++ b/security/openssh/patches/patch-ao
@@ -1,8 +1,8 @@
-$NetBSD: patch-ao,v 1.7 2005/09/21 18:07:09 reed Exp $
+$NetBSD: patch-ao,v 1.8 2006/02/12 00:13:55 salo Exp $
---- session.c.orig 2005-08-31 11:59:49.000000000 -0500
-+++ session.c
-@@ -331,7 +331,7 @@
+--- session.c.orig 2005-12-23 21:59:12.000000000 -0600
++++ session.c 2006-02-08 21:07:01.000000000 -0600
+@@ -322,7 +322,7 @@
break;
}
debug("Received TCP/IP port forwarding request.");
@@ -11,7 +11,7 @@ $NetBSD: patch-ao,v 1.7 2005/09/21 18:07:09 reed Exp $
success = 1;
break;
-@@ -930,7 +930,7 @@
+@@ -921,7 +921,7 @@
if (tmpenv == NULL)
return;
@@ -20,7 +20,7 @@ $NetBSD: patch-ao,v 1.7 2005/09/21 18:07:09 reed Exp $
var = child_get_env(tmpenv, "SUPATH");
else
var = child_get_env(tmpenv, "PATH");
-@@ -1036,7 +1036,7 @@
+@@ -1027,7 +1027,7 @@
# endif /* HAVE_ETC_DEFAULT_LOGIN */
if (path == NULL || *path == '\0') {
child_set_env(&env, &envsize, "PATH",
@@ -29,7 +29,7 @@ $NetBSD: patch-ao,v 1.7 2005/09/21 18:07:09 reed Exp $
SUPERUSER_PATH : _PATH_STDPATH);
}
# endif /* HAVE_CYGWIN */
-@@ -1150,6 +1150,18 @@
+@@ -1141,6 +1141,18 @@
strcmp(pw->pw_dir, "/") ? pw->pw_dir : "");
read_environment_file(&env, &envsize, buf);
}
@@ -48,7 +48,7 @@ $NetBSD: patch-ao,v 1.7 2005/09/21 18:07:09 reed Exp $
if (debug_flag) {
/* dump the environment */
fprintf(stderr, "Environment:\n");
-@@ -1260,9 +1272,9 @@
+@@ -1251,9 +1263,9 @@
void
do_setusercontext(struct passwd *pw)
{
@@ -60,7 +60,7 @@ $NetBSD: patch-ao,v 1.7 2005/09/21 18:07:09 reed Exp $
{
#ifdef HAVE_SETPCRED
-@@ -1304,11 +1316,13 @@
+@@ -1295,11 +1307,13 @@
perror("setgid");
exit(1);
}
@@ -74,7 +74,7 @@ $NetBSD: patch-ao,v 1.7 2005/09/21 18:07:09 reed Exp $
endgrent();
#ifdef GSSAPI
if (options.gss_authentication) {
-@@ -2052,7 +2066,7 @@
+@@ -2045,7 +2059,7 @@
record_logout(s->pid, s->tty, s->pw->pw_name);
/* Release the pseudo-tty. */
diff --git a/security/openssh/patches/patch-ap b/security/openssh/patches/patch-ap
index 5fdfdb82a66..b531a18d2cb 100644
--- a/security/openssh/patches/patch-ap
+++ b/security/openssh/patches/patch-ap
@@ -1,8 +1,8 @@
-$NetBSD: patch-ap,v 1.6 2005/09/21 18:07:09 reed Exp $
+$NetBSD: patch-ap,v 1.7 2006/02/12 00:13:55 salo Exp $
---- ssh.c.orig 2005-08-12 07:10:56.000000000 -0500
-+++ ssh.c
-@@ -636,7 +636,7 @@
+--- ssh.c.orig 2005-12-30 23:33:37.000000000 -0600
++++ ssh.c 2006-02-08 21:07:24.000000000 -0600
+@@ -648,7 +648,7 @@
/* Open a connection to the remote host. */
if (ssh_connect(host, &hostaddr, options.port,
options.address_family, options.connection_attempts,
diff --git a/security/openssh/patches/patch-at b/security/openssh/patches/patch-at
index cc31c3f04b1..c3065ac48ce 100644
--- a/security/openssh/patches/patch-at
+++ b/security/openssh/patches/patch-at
@@ -1,8 +1,8 @@
-$NetBSD: patch-at,v 1.2 2005/09/21 18:07:09 reed Exp $
+$NetBSD: patch-at,v 1.3 2006/02/12 00:13:55 salo Exp $
---- servconf.c.orig 2005-08-12 07:11:37.000000000 -0500
-+++ servconf.c
-@@ -232,7 +232,11 @@
+--- servconf.c.orig 2005-12-13 02:33:20.000000000 -0600
++++ servconf.c 2006-02-08 21:07:59.000000000 -0600
+@@ -235,7 +235,11 @@
/* Turn privilege separation on by default */
if (use_privsep == -1)
diff --git a/security/openssh/patches/patch-av b/security/openssh/patches/patch-av
index 2ee1bf87622..6c1e379d1f0 100644
--- a/security/openssh/patches/patch-av
+++ b/security/openssh/patches/patch-av
@@ -1,8 +1,8 @@
-$NetBSD: patch-av,v 1.3 2005/11/07 19:50:20 tv Exp $
+$NetBSD: patch-av,v 1.4 2006/02/12 00:13:55 salo Exp $
---- sshd.c.orig 2005-07-26 07:54:56.000000000 -0400
-+++ sshd.c
-@@ -574,10 +574,15 @@ privsep_preauth_child(void)
+--- sshd.c.orig 2005-12-23 21:59:12.000000000 -0600
++++ sshd.c 2006-02-08 21:08:46.000000000 -0600
+@@ -574,10 +574,15 @@
/* XXX not ready, too heavy after chroot */
do_setusercontext(pw);
#else
@@ -18,7 +18,7 @@ $NetBSD: patch-av,v 1.3 2005/11/07 19:50:20 tv Exp $
#endif
}
-@@ -617,7 +622,7 @@ privsep_preauth(Authctxt *authctxt)
+@@ -617,7 +622,7 @@
close(pmonitor->m_sendfd);
/* Demote the child */
@@ -27,7 +27,7 @@ $NetBSD: patch-av,v 1.3 2005/11/07 19:50:20 tv Exp $
privsep_preauth_child();
setproctitle("%s", "[net]");
}
-@@ -630,7 +635,7 @@ privsep_postauth(Authctxt *authctxt)
+@@ -630,7 +635,7 @@
#ifdef DISABLE_FD_PASSING
if (1) {
#else
@@ -35,8 +35,8 @@ $NetBSD: patch-av,v 1.3 2005/11/07 19:50:20 tv Exp $
+ if (authctxt->pw->pw_uid == ROOTUID || options.use_login) {
#endif
/* File descriptor passing is broken or root login */
- monitor_apply_keystate(pmonitor);
-@@ -911,8 +916,10 @@ main(int ac, char **av)
+ use_privsep = 0;
+@@ -914,8 +919,10 @@
av = saved_argv;
#endif
@@ -46,9 +46,9 @@ $NetBSD: patch-av,v 1.3 2005/11/07 19:50:20 tv Exp $
debug("setgroups(): %.200s", strerror(errno));
+#endif
- /* Initialize configuration options to their default values. */
- initialize_server_options(&options);
-@@ -1168,7 +1175,7 @@ main(int ac, char **av)
+ /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
+ sanitise_stdfd();
+@@ -1174,7 +1181,7 @@
(st.st_uid != getuid () ||
(st.st_mode & (S_IWGRP|S_IWOTH)) != 0))
#else
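Review bot: The `+#endif` that the inner patch places right after `debug("setgroups(): %.200s", strerror(errno));` means the supplementary-group reset in sshd's main() is compiled only under some condition. The opening `#if` is outside this hunk, so the condition is not visible here; it is presumably the HAVE_INTERIX define that patch-ag adds. Where the call is compiled out, sshd keeps whatever supplementary groups it was started with, and nothing in the visible lines records that. A comment at the conditional would make the trade-off explicit, for example `/* <platform>: setgroups() unavailable, supplementary groups are NOT cleared here */`.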
@@ -57,7 +57,7 @@ $NetBSD: patch-av,v 1.3 2005/11/07 19:50:20 tv Exp $
#endif
fatal("%s must be owned by root and not group or "
"world-writable.", _PATH_PRIVSEP_CHROOT_DIR);
-@@ -1185,8 +1192,10 @@ main(int ac, char **av)
+@@ -1191,8 +1198,10 @@
* to create a file, and we can't control the code in every
* module which might be used).
*/