summaryrefslogtreecommitdiff
path: root/security
diff options
context:
space:
mode:
authorseb <seb@pkgsrc.org>2003-01-19 01:26:35 +0000
committerseb <seb@pkgsrc.org>2003-01-19 01:26:35 +0000
commitb95b9f3468d6c6308b3c4e00c49ff67468429aef (patch)
treefdf146398daf6bbe51e8a6f9b820602973302e7f /security
parent8837cdd3dcf26f7f7d7dfc635f5cf21fbda68e08 (diff)
downloadpkgsrc-b95b9f3468d6c6308b3c4e00c49ff67468429aef.tar.gz
Update to version 3.5p1
Also mark this package as conflicting with ssh2 package. Changes: 20021003 - (djm) OpenBSD CVS Sync - markus@cvs.openbsd.org 2002/10/01 20:34:12 [ssh-agent.c] allow root to access the agent, since there is no protection from root. - markus@cvs.openbsd.org 2002/10/01 13:24:50 [version.h] OpenSSH 3.5 - (djm) Bump RPM spec version numbers - (djm) Bug #406 s/msg_send/ssh_msh_send/ for Mac OS X 1.2 20020930 - (djm) Tidy contrib/, add Makefile for GNOME passphrase dialogs, tweak README - (djm) OpenBSD CVS Sync - mickey@cvs.openbsd.org 2002/09/27 10:42:09 [compat.c compat.h sshd.c] add a generic match for a prober, such as sie big brother; idea from stevesk@; markus@ ok - stevesk@cvs.openbsd.org 2002/09/27 15:46:21 [ssh.1] clarify compression level protocol 1 only; ok markus@ deraadt@ 20020927 - (djm) OpenBSD CVS Sync - markus@cvs.openbsd.org 2002/09/25 11:17:16 [sshd_config] sync LoginGraceTime with default - markus@cvs.openbsd.org 2002/09/25 15:19:02 [sshd.c] typo; pilot@monkey.org - markus@cvs.openbsd.org 2002/09/26 11:38:43 [auth1.c auth.h auth-krb4.c monitor.c monitor.h monitor_wrap.c] [monitor_wrap.h] krb4 + privsep; ok dugsong@, deraadt@ 20020925 - (bal) Fix issue where successfull login does not clear failure counts in AIX. Patch by dtucker@zip.com.au ok by djm - (tim) Cray fixes (bug 367) based on patch from Wendy Palm @ cray. This does not include the deattack.c fixes. 20020923 - (djm) OpenBSD CVS Sync - stevesk@cvs.openbsd.org 2002/09/23 20:46:27 [canohost.c] change get_peer_ipaddr() and get_local_ipaddr() to not return NULL for non-sockets; fixes a problem passing NULL to snprintf(). ok markus@ - markus@cvs.openbsd.org 2002/09/23 22:11:05 [monitor.c] only call auth_krb5 if kerberos is enabled; ok deraadt@ - markus@cvs.openbsd.org 2002/09/24 08:46:04 [monitor.c] only call kerberos code for authctxt->valid - todd@cvs.openbsd.org 2002/09/24 20:59:44 [sshd.8] tweak the example $HOME/.ssh/rc script to not show on any cmdline the sensitive data it handles. This fixes bug # 402 as reported by kolya@mit.edu (Nickolai Zeldovich). ok markus@ and stevesk@ 20020923 - (tim) [configure.ac] s/return/exit/ patch by dtucker@zip.com.au 20020922 - (djm) OpenBSD CVS Sync - stevesk@cvs.openbsd.org 2002/09/19 14:53:14 [compat.c] - markus@cvs.openbsd.org 2002/09/19 15:51:23 [ssh-add.c] typo; cd@kalkatraz.de - stevesk@cvs.openbsd.org 2002/09/19 16:03:15 [serverloop.c] log IP address also; ok markus@ - stevesk@cvs.openbsd.org 2002/09/20 18:41:29 [auth.c] log illegal user here for missing privsep case (ssh2). this is executed in the monitor. ok markus@ 20020919 - (djm) OpenBSD CVS Sync - stevesk@cvs.openbsd.org 2002/09/12 19:11:52 [ssh-agent.c] %u for uid print; ok markus@ - stevesk@cvs.openbsd.org 2002/09/12 19:50:36 [session.c ssh.1] add SSH_CONNECTION and deprecate SSH_CLIENT; bug #384. ok markus@ - stevesk@cvs.openbsd.org 2002/09/13 19:23:09 [channels.c sshconnect.c sshd.c] remove use of SO_LINGER, it should not be needed. error check SO_REUSEADDR. fixup comments. ok markus@ - stevesk@cvs.openbsd.org 2002/09/16 19:55:33 [session.c] log when _PATH_NOLOGIN exists; ok markus@ - stevesk@cvs.openbsd.org 2002/09/16 20:12:11 [sshd_config.5] more details on X11Forwarding security issues and threats; ok markus@ - stevesk@cvs.openbsd.org 2002/09/16 22:03:13 [sshd.8] reference moduli(5) in FILES /etc/moduli. - itojun@cvs.openbsd.org 2002/09/17 07:47:02 [channels.c] don't quit while creating X11 listening socket. http://mail-index.netbsd.org/current-users/2002/09/16/0005.html got from portable. markus ok - djm@cvs.openbsd.org 2002/09/19 01:58:18 [ssh.c sshconnect.c] bugzilla.mindrot.org #223 - ProxyCommands don't exit. Patch from dtucker@zip.com.au; ok markus@ 20020912 - (djm) Made GNOME askpass programs return non-zero if cancel button is pressed. - (djm) Added getpeereid() replacement. Properly implemented for systems with SO_PEERCRED support. Faked for systems which lack it. - (djm) Sync sys/tree.h with OpenBSD -current. Rename tree.h and fake-queue.h to sys-tree.h and sys-queue.h - (djm) OpenBSD CVS Sync - markus@cvs.openbsd.org 2002/09/08 20:24:08 [hostfile.h] no comma at end of enumerator list - itojun@cvs.openbsd.org 2002/09/09 06:48:06 [auth1.c auth.h auth-krb5.c monitor.c monitor.h] [monitor_wrap.c monitor_wrap.h] kerberos support for privsep. confirmed to work by lha@stacken.kth.se patch from markus - markus@cvs.openbsd.org 2002/09/09 14:54:15 [channels.c kex.h key.c monitor.c monitor_wrap.c radix.c uuencode.c] signed vs unsigned from -pedantic; ok henning@ - markus@cvs.openbsd.org 2002/09/10 20:24:47 [ssh-agent.c] check the euid of the connecting process with getpeereid(2); ok provos deraadt stevesk - stevesk@cvs.openbsd.org 2002/09/11 17:55:03 [ssh.1] add agent and X11 forwarding warning text from ssh_config.5; ok markus@ - stevesk@cvs.openbsd.org 2002/09/11 18:27:26 [authfd.c authfd.h ssh.c] don't connect to agent to test for presence if we've previously connected; ok markus@ - djm@cvs.openbsd.org 2002/09/11 22:41:50 [sftp.1 sftp-client.c sftp-client.h sftp-common.c sftp-common.h] [sftp-glob.c sftp-glob.h sftp-int.c sftp-server.c] support for short/long listings and globbing in "ls"; ok markus@ - djm@cvs.openbsd.org 2002/09/12 00:13:06 [sftp-int.c] zap unused var introduced in last commit 20020911 - (djm) Sync openbsd-compat with OpenBSD -current 20020910 - (djm) Bug #365: Read /.ssh/environment properly under CygWin. Patch from Mark Bradshaw <bradshaw@staff.crosswalk.com> - (djm) Bug #138: Make protocol 1 blowfish work with old OpenSSL. Patch from Robert Halubek <rob@adso.com.pl> 20020905 - (djm) OpenBSD CVS Sync - stevesk@cvs.openbsd.org 2002/09/04 18:52:42 [servconf.c sshd.8 sshd_config.5] default LoginGraceTime to 2m; 1m may be too short for slow systems. ok markus@ - (djm) Merge openssh-TODO.patch from Redhat (null) beta - (djm) Add gnome-ssh-askpass2.c (gtk2) by merge with patch from Nalin Dahyabhai <nalin@redhat.com> - (djm) Add support for building gtk2 password requestor from Redhat beta 20020903 - (djm) Patch from itojun@ for Darwin OS: test getaddrinfo, reorder libcrypt - (djm) Fix Redhat RPM build dependancy test - (djm) OpenBSD CVS Sync - markus@cvs.openbsd.org 2002/08/12 10:46:35 [ssh-agent.c] make ssh-agent setgid, disallow ptrace. - espie@cvs.openbsd.org 2002/08/21 11:20:59 [sshd.8] `RSA' updated to refer to `public key', where it matters. okay markus@ - stevesk@cvs.openbsd.org 2002/08/21 19:38:06 [servconf.c sshd.8 sshd_config sshd_config.5] change LoginGraceTime default to 1 minute; ok mouring@ markus@ - stevesk@cvs.openbsd.org 2002/08/21 20:10:28 [ssh-agent.c] raise listen backlog; ok markus@ - stevesk@cvs.openbsd.org 2002/08/22 19:27:53 [ssh-agent.c] use common close function; ok markus@ - stevesk@cvs.openbsd.org 2002/08/22 19:38:42 [clientloop.c] format with current EscapeChar; bugzilla #388 from wknox@mitre.org. ok markus@ - stevesk@cvs.openbsd.org 2002/08/22 20:57:19 [ssh-agent.c] shutdown(SHUT_RDWR) not needed before close here; ok markus@ - markus@cvs.openbsd.org 2002/08/22 21:33:58 [auth1.c auth2.c] auth_root_allowed() is handled by the monitor in the privsep case, so skip this for use_privsep, ok stevesk@, fixes bugzilla #387/325 - markus@cvs.openbsd.org 2002/08/22 21:45:41 [session.c] send signal name (not signal number) in "exit-signal" message; noticed by galb@vandyke.com - stevesk@cvs.openbsd.org 2002/08/27 17:13:56 [ssh-rsa.c] RSA_public_decrypt() returns -1 on error so len must be signed; ok markus@ - stevesk@cvs.openbsd.org 2002/08/27 17:18:40 [ssh_config.5] some warning text for ForwardAgent and ForwardX11; ok markus@ - stevesk@cvs.openbsd.org 2002/08/29 15:57:25 [monitor.c session.c sshlogin.c sshlogin.h] pass addrlen with sockaddr *; from Hajimu UMEMOTO <ume@FreeBSD.org> NOTE: there are also p-specific parts to this patch. ok markus@ - stevesk@cvs.openbsd.org 2002/08/29 16:02:54 [ssh.1 ssh.c] deprecate -P as UsePrivilegedPort defaults to no now; ok markus@ - stevesk@cvs.openbsd.org 2002/08/29 16:09:02 [ssh_config.5] more on UsePrivilegedPort and setuid root; ok markus@ - stevesk@cvs.openbsd.org 2002/08/29 19:49:42 [ssh.c] shrink initial privilege bracket for setuid case; ok markus@ - stevesk@cvs.openbsd.org 2002/08/29 22:54:10 [ssh_config.5 sshd_config.5] state XAuthLocation is a full pathname 20020820 - OpenBSD CVS Sync - millert@cvs.openbsd.org 2002/08/02 14:43:15 [monitor.c monitor_mm.c] Change mm_zalloc() sanity checks to be more in line with what we do in calloc() and add a check to monitor_mm.c. OK provos@ and markus@ - marc@cvs.openbsd.org 2002/08/02 16:00:07 [ssh.1 sshd.8] note that .ssh/environment is only read when allowed (PermitUserEnvironment in sshd_config). OK markus@ - markus@cvs.openbsd.org 2002/08/02 21:23:41 [ssh-rsa.c] diff is u_int (2x); ok deraadt/provos - markus@cvs.openbsd.org 2002/08/02 22:20:30 [ssh-rsa.c] replace RSA_verify with our own version and avoid the OpenSSL ASN.1 parser for authentication; ok deraadt/djm - aaron@cvs.openbsd.org 2002/08/08 13:50:23 [sshconnect1.c] Use & to test if bits are set, not &&; markus@ ok. - stevesk@cvs.openbsd.org 2002/08/08 23:54:52 [auth.c] typo in comment - stevesk@cvs.openbsd.org 2002/08/09 17:21:42 [sshd_config.5] use Op for mdoc conformance; from esr@golux.thyrsus.com ok aaron@ - stevesk@cvs.openbsd.org 2002/08/09 17:41:12 [sshd_config.5] proxy vs. fake display - stevesk@cvs.openbsd.org 2002/08/12 17:30:35 [ssh.1 sshd.8 sshd_config.5] more PermitUserEnvironment; ok markus@ - stevesk@cvs.openbsd.org 2002/08/17 23:07:14 [ssh.1] ForwardAgent has defaulted to no for over 2 years; be more clear here. - stevesk@cvs.openbsd.org 2002/08/17 23:55:01 [ssh_config.5] ordered list here - (bal) [defines.h] Some platforms don't have SIZE_T_MAX. So assign it to ULONG_MAX. 20020813 - (tim) [configure.ac] Display OpenSSL header/library version. Patch by dtucker@zip.com.au 20020731 - (bal) OpenBSD CVS Sync - markus@cvs.openbsd.org 2002/07/24 16:11:18 [hostfile.c hostfile.h sshconnect.c] print out all known keys for a host if we get a unknown host key, see discussion at http://marc.theaimsgroup.com/?t=101069210100016&r=1&w=4 the ssharp mitm tool attacks users in a similar way, so i'd like to pointed out again: A MITM attack is always possible if the ssh client prints: The authenticity of host 'bla' can't be established. (protocol version 2 with pubkey authentication allows you to detect MITM attacks) - mouring@cvs.openbsd.org 2002/07/25 01:16:59 [sftp.c] FallBackToRsh does not exist anywhere else. Remove it from here. OK deraadt. - markus@cvs.openbsd.org 2002/07/29 18:57:30 [sshconnect.c] print file:line - markus@cvs.openbsd.org 2002/07/30 17:03:55 [auth-options.c servconf.c servconf.h session.c sshd_config sshd_config.5] add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt 20020730 - (bal) [uidswap.c] SCO compile correction by gert@greenie.muc.de 20020728 - (stevesk) [auth-pam.c] should use PAM_MSG_MEMBER(); from solar - (stevesk) [CREDITS] solar - (stevesk) [ssh-rand-helper.c] RAND_bytes() and SHA1_Final() unsigned char arg. 20020725 - (djm) Remove some cruft from INSTALL - (djm) Latest config.guess and config.sub from ftp://ftp.gnu.org/gnu/config/ 20020723 - (bal) [bsd-cray.c bsd-cray.h] Part 2 of Cray merger. - (bal) sync ID w/ ssh-agent.c - (bal) OpenBSD Sync - markus@cvs.openbsd.org 2002/07/19 15:43:33 [log.c log.h session.c sshd.c] remove fatal cleanups after fork; based on discussions with and code from solar. - stevesk@cvs.openbsd.org 2002/07/19 17:42:40 [ssh.c] display a warning from ssh when XAuthLocation does not exist or xauth returned no authentication data. ok markus@ - stevesk@cvs.openbsd.org 2002/07/21 18:32:20 [auth-options.c] unneeded includes - stevesk@cvs.openbsd.org 2002/07/21 18:34:43 [auth-options.h] remove invalid comment - markus@cvs.openbsd.org 2002/07/22 11:03:06 [session.c] fallback to _PATH_STDPATH on setusercontext+LOGIN_SETPATH errors; - stevesk@cvs.openbsd.org 2002/07/22 17:32:56 [monitor.c] u_int here; ok provos@ - stevesk@cvs.openbsd.org 2002/07/23 16:03:10 [sshd.c] utmp_len is unsigned; display error consistent with other options. ok markus@ - stevesk@cvs.openbsd.org 2002/07/15 17:15:31 [uidswap.c] little more debugging; ok markus@ 20020722 - (bal) AIX tty data limiting patch fix by leigh@solinno.co.uk - (stevesk) [xmmap.c] missing prototype for fatal() - (bal) [configure.ac defines.h loginrec.c sshd.c sshpty.c] Partial sync with Cray (mostly #ifdef renaming). Patch by wendyp@cray.com. - (bal) [configure.ac] Missing ;; from cray patch. - (bal) [monitor_mm.c openbsd-compat/xmmap.h] Move xmmap() defines into it's own header. - (stevesk) [auth-pam.[ch] session.c] pam_getenvlist() must be freed by the caller; add free_pam_environment() and use it. - (stevesk) [auth-pam.c] typo in comment 20020721 - (stevesk) [auth-pam.c] merge cosmetic changes from solar's openssh-3.4p1-owl-password-changing.diff - (stevesk) [auth-pam.c] merge rest of solar's PAM patch; PAM_NEW_AUTHTOK_REQD remains in #if 0 for now. - (stevesk) [auth-pam.c] cast to avoid initialization type mismatch warning on pam_conv struct conversation function. - (stevesk) [auth-pam.h] license - (stevesk) [auth-pam.h] unneeded include - (stevesk) [auth-pam.[ch] ssh.h] move SSHD_PAM_SERVICE to auth-pam.h 20020720 - (stevesk) [ssh-keygen.c] bug #231: always init/seed_rng(). 20020719 - (tim) [contrib/solaris/buildpkg.sh] create privsep user/group if needed. Patch by dtucker@zip.com.au - (tim) [configure.ac] test for libxnet on HP. Patch by dtucker@zip.com.au 20020718 - (tim) [defines.h] Bug 313 patch by dirk.meyer@dinoex.sub.org - (tim) [monitor_mm.c] add missing declaration for xmmap(). Reported by ayamura@ayamura.org - (tim) [configure.ac] Bug 267 rework int64_t test. - (tim) [includes.h] Bug 267 add stdint.h 20020717 - (bal) aixbff package updated by dtucker@zip.com.au - (tim) [configure.ac] change how we do paths in AC_PATH_PROGS tests for autoconf 2.53. Based on a patch by jrj@purdue.edu 20020716 - (tim) [contrib/solaris/opensshd.in] Only kill sshd if .pid file found 20020715 - (bal) OpenBSD CVS Sync - itojun@cvs.openbsd.org 2002/07/12 13:29:09 [sshconnect.c] print connect failure during debugging mode. - markus@cvs.openbsd.org 2002/07/12 15:50:17 [cipher.c] EVP_CIPH_CUSTOM_IV for our own rijndael - (bal) Remove unused tty defined in do_setusercontext() pointed out by dtucker@zip.com.au plus a a more KNF since I am near it. - (bal) Privsep user creation support in Solaris buildpkg.sh by dtucker@zip.com.au 20020714 - (tim) [Makefile.in] replace "id sshd" with "sshd -t" - (bal/tim) [acconfig.h configure.ac monitor_mm.c servconf.c openbsd-compat/Makefile.in] support compression on platforms that have no/broken MAP_ANON. Moved code to openbsd-compat/xmmap.c Based on patch from nalin@redhat.com of code extracted from Owl's package - (tim) [ssh_prng_cmds.in] Bug 323 arp -n flag doesn't exist under Solaris. report by chris@by-design.net - (tim) [loginrec.c] Bug 347: Fix typo (WTMPX_FILE) report by rodney@bond.net - (tim) [loginrec.c] Bug 348: add missing found = 1; to wtmpx_islogin() report by rodney@bond.net 20020712 - (tim) [Makefile.in] quiet down install-files: and check-user: - (tim) [configure.ac] remove unused filepriv line 20020710 - (tim) [contrib/cygwin/ssh-host-config] explicitely sets the permissions on /var/empty to 755 Patch by vinschen@redhat.com - (bal) OpenBSD CVS Sync - itojun@cvs.openbsd.org 2002/07/09 11:56:50 [sshconnect.c] silently try next address on connect(2). markus ok - itojun@cvs.openbsd.org 2002/07/09 11:56:27 [canohost.c] suppress log on reverse lookup failiure, as there's no real value in doing so. markus ok - itojun@cvs.openbsd.org 2002/07/09 12:04:02 [sshconnect.c] ed static function (less warnings) - stevesk@cvs.openbsd.org 2002/07/09 17:46:25 [sshd_config.5] clarify no preference ordering in protocol list; ok markus@ - itojun@cvs.openbsd.org 2002/07/10 10:28:15 [sshconnect.c] bark if all connection attempt fails. - deraadt@cvs.openbsd.org 2002/07/10 17:53:54 [rijndael.c] use right sizeof in memcpy; markus ok 20020709 - (bal) NO_IPPORT_RESERVED_CONCEPT used instead of CYGWIN so other platforms lacking that concept can share it. Patch by vinschen@redhat.com 20020708 - (tim) [openssh/contrib/solaris/buildpkg.sh] add PKG_INSTALL_ROOT to work in a jumpstart environment. patch by kbrint@rufus.net - (tim) [Makefile.in] workaround for broken pakadd on some systems. - (tim) [configure.ac] fix libc89 utimes test. Mention default path for --with-privsep-path= 20020707 - (tim) [Makefile.in] use umask instead of chmod on $(PRIVSEP_PATH) - (tim) [acconfig.h configure.ac sshd.c] s/BROKEN_FD_PASSING/DISABLE_FD_PASSING/ - (tim) [contrib/cygwin/ssh-host-config] sshd account creation fixes patch from vinschen@redhat.com - (bal) [realpath.c] Updated with OpenBSD tree. - (bal) OpenBSD CVS Sync - deraadt@cvs.openbsd.org 2002/07/04 04:15:33 [key.c monitor_wrap.c sftp-glob.c ssh-dss.c ssh-rsa.c] patch memory leaks; grendel@zeitbombe.org - deraadt@cvs.openbsd.org 2002/07/04 08:12:15 [channels.c packet.c] blah blah minor nothing as i read and re-read and re-read... - markus@cvs.openbsd.org 2002/07/04 10:41:47 [key.c monitor_wrap.c ssh-dss.c ssh-rsa.c] don't allocate, copy, and discard if there is not interested in the data; ok deraadt@ - deraadt@cvs.openbsd.org 2002/07/06 01:00:49 [log.c] KNF - deraadt@cvs.openbsd.org 2002/07/06 01:01:26 [ssh-keyscan.c] KNF, realloc fix, and clean usage - stevesk@cvs.openbsd.org 2002/07/06 17:47:58 [ssh-keyscan.c] unused variable - (bal) Minor KNF on ssh-keyscan.c 20020705 - (tim) [configure.ac] AIX 4.2.1 has authenticate() in libs. Reported by Darren Tucker <dtucker@zip.com.au> - (tim) [contrib/cygwin/ssh-host-config] double slash corrction from vinschen@redhat.com 20020704 - (bal) Limit data to TTY for AIX only (Newer versions can't handle the faster data rate) Bug #124 - (bal) glob.c defines TILDE and AIX also defines it. #undef it first. bug #265 - (bal) One too many nulls in ports-aix.c 20020703 - (bal) Updated contrib/cygwin/ patch by vinschen@redhat.com - (bal) minor correction to utimes() replacement. Patch by onoe@sm.sony.co.jp - OpenBSD CVS Sync - markus@cvs.openbsd.org 2002/06/27 08:49:44 [dh.c ssh-keyscan.c sshconnect.c] more checks for NULL pointers; from grendel@zeitbombe.org; ok deraadt@ - deraadt@cvs.openbsd.org 2002/06/27 09:08:00 [monitor.c] improve mm_zalloc check; markus ok - deraadt@cvs.openbsd.org 2002/06/27 10:35:47 [auth2-none.c monitor.c sftp-client.c] use xfree() - stevesk@cvs.openbsd.org 2002/06/27 19:49:08 [ssh-keyscan.c] use convtime(); ok markus@ - millert@cvs.openbsd.org 2002/06/28 01:49:31 [monitor_mm.c] tree(3) wants an int return value for its compare functions and the difference between two pointers is not an int. Just do the safest thing and store the result in a long and then return 0, -1, or 1 based on that result. - deraadt@cvs.openbsd.org 2002/06/28 01:50:37 [monitor_wrap.c] use ssize_t - deraadt@cvs.openbsd.org 2002/06/28 10:08:25 [sshd.c] range check -u option at invocation - deraadt@cvs.openbsd.org 2002/06/28 23:05:06 [sshd.c] gidset[2] -> gidset[1]; markus ok - deraadt@cvs.openbsd.org 2002/06/30 21:54:16 [auth2.c session.c sshd.c] lint asks that we use names that do not overlap - deraadt@cvs.openbsd.org 2002/06/30 21:59:45 [auth-bsdauth.c auth-skey.c auth2-chall.c clientloop.c key.c monitor_wrap.c monitor_wrap.h scard.h session.h sftp-glob.c ssh.c sshconnect2.c sshd.c] minor KNF - deraadt@cvs.openbsd.org 2002/07/01 16:15:25 [msg.c] %u - markus@cvs.openbsd.org 2002/07/01 19:48:46 [sshconnect2.c] for compression=yes, we fallback to no-compression if the server does not support compression, vice versa for compression=no. ok mouring@ - markus@cvs.openbsd.org 2002/07/03 09:55:38 [ssh-keysign.c] use RSA_blinding_on() for rsa hostkeys (suggested by Bill Sommerfeld) in order to avoid a possible Kocher timing attack pointed out by Charles Hannum; ok provos@ - markus@cvs.openbsd.org 2002/07/03 14:21:05 [ssh-keysign.8 ssh-keysign.c ssh.c ssh_config] re-enable ssh-keysign's sbit, but make ssh-keysign read /etc/ssh/ssh_config and exit if HostbasedAuthentication is disabled globally. based on discussions with deraadt, itojun and sommerfeld; ok itojun@ - (bal) Failed password attempts don't increment counter on AIX. Bug #145 - (bal) Missed Makefile.in change. keysign needs readconf.o - (bal) Clean up aix_usrinfo(). Ignore TTY= period I guess. 20020702 - (djm) Use PAM_MSG_MEMBER for PAM_TEXT_INFO messages, use xmalloc & friends consistently. Spotted by Solar Designer <solar@openwall.com> 20020629 - (bal) fix to auth2-pam.c to swap fatal() arguments, A bit of style clean up while I'm near it. 20020628 - (stevesk) [sshd_config] PAMAuthenticationViaKbdInt no; commented options should contain default value. from solar. - (bal) Cygwin uid0 fix by vinschen@redhat.com - (bal) s/config.h/includes.h/ in openbsd-compat/ for *.c. Otherwise wise have issues of our fixes not propogating right (ie bcopy instead of memmove). OK tim - (bal) FreeBSD needs <sys/types.h> to detect if mmap() is supported. Bug #303 20020627 - OpenBSD CVS Sync - deraadt@cvs.openbsd.org 2002/06/26 14:49:36 [monitor.c] correct %u - deraadt@cvs.openbsd.org 2002/06/26 14:50:04 [monitor_fdpass.c] use ssize_t for recvmsg() and sendmsg() return - markus@cvs.openbsd.org 2002/06/26 14:51:33 [ssh-add.c] fix exit code for -X/-x - deraadt@cvs.openbsd.org 2002/06/26 15:00:32 [monitor_wrap.c] more %u - markus@cvs.openbsd.org 2002/06/26 22:27:32 [ssh-keysign.c] bug #304, xfree(data) called to early; openssh@sigint.cs.purdue.edu
Diffstat (limited to 'security')
-rw-r--r--security/openssh/Makefile8
-rw-r--r--security/openssh/distinfo10
-rw-r--r--security/openssh/patches/patch-aa154
-rw-r--r--security/openssh/patches/patch-ab58
4 files changed, 19 insertions, 211 deletions
diff --git a/security/openssh/Makefile b/security/openssh/Makefile
index bacd45d0440..694ca6b0e7f 100644
--- a/security/openssh/Makefile
+++ b/security/openssh/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.91 2002/09/19 09:04:22 jlam Exp $
+# $NetBSD: Makefile,v 1.92 2003/01/19 01:26:35 seb Exp $
-DISTNAME= openssh-3.4p1
-PKGNAME= openssh-3.4.0.1
+DISTNAME= openssh-3.5p1
+PKGNAME= openssh-3.5.0.1
SVR4_PKGNAME= ossh
CATEGORIES= security
#MASTER_SITES= ftp://gd.tuwien.ac.at/opsys/OpenBSD/OpenSSH/portable/ \
@@ -15,7 +15,7 @@ HOMEPAGE= http://www.openssh.com/
COMMENT= Open Source Secure shell client and server (remote login program)
CONFLICTS= sftp-[0-9]*
-CONFLICTS+= ssh-[0-9]* ssh6-[0-9]*
+CONFLICTS+= ssh-[0-9]* ssh6-[0-9]* ssh2-[0-9]*
USE_PERL5= build
diff --git a/security/openssh/distinfo b/security/openssh/distinfo
index a81a0dedd2b..08f7fa32f00 100644
--- a/security/openssh/distinfo
+++ b/security/openssh/distinfo
@@ -1,7 +1,7 @@
-$NetBSD: distinfo,v 1.22 2002/09/09 20:16:22 jlam Exp $
+$NetBSD: distinfo,v 1.23 2003/01/19 01:26:36 seb Exp $
-SHA1 (openssh-3.4p1.tar.gz) = 8841326bf79b2c8a88d7a6e371739ec21cee73bc
-Size (openssh-3.4p1.tar.gz) = 837668 bytes
-SHA1 (patch-aa) = 6ef5aad9f5db134be3b6c2fa34a3e5ab158b7a58
-SHA1 (patch-ab) = a8021e0af1bbc2ea2e74ca117f1210fbd2837699
+SHA1 (openssh-3.5p1.tar.gz) = 44025609bc882933ae8626dd012fd866f07af935
+Size (openssh-3.5p1.tar.gz) = 851486 bytes
+SHA1 (patch-aa) = 63aa7c0acb4c568545b684cd9838410a82659bac
+SHA1 (patch-ab) = 1069fe256b7925fcf404781ef14e5c492f52c21e
SHA1 (patch-ah) = 9913c868bde5d318915b1dee2c05dcf454a0f506
diff --git a/security/openssh/patches/patch-aa b/security/openssh/patches/patch-aa
index 15b80194482..4445f258df2 100644
--- a/security/openssh/patches/patch-aa
+++ b/security/openssh/patches/patch-aa
@@ -1,75 +1,8 @@
-$NetBSD: patch-aa,v 1.26 2002/09/09 20:16:25 jlam Exp $
+$NetBSD: patch-aa,v 1.27 2003/01/19 01:26:38 seb Exp $
---- configure.orig Wed Jun 26 07:08:18 2002
+--- configure.orig Sun Jan 19 00:38:52 2003
+++ configure
-@@ -3683,10 +3683,49 @@ _ACEOF
-
- ;;
- *-*-darwin*)
-+ echo "$as_me:$LINENO: checking if we have working getaddrinfo" >&5
-+echo $ECHO_N "checking if we have working getaddrinfo... $ECHO_C" >&6
-+ if test "$cross_compiling" = yes; then
-+ echo "$as_me:$LINENO: result: assume it is working" >&5
-+echo "${ECHO_T}assume it is working" >&6
-+else
-+ cat >conftest.$ac_ext <<_ACEOF
-+#line $LINENO "configure"
-+#include "confdefs.h"
-+#include <mach-o/dyld.h>
-+main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
-+ exit(0);
-+ else
-+ exit(1);
-+}
-+_ACEOF
-+rm -f conftest$ac_exeext
-+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-+ (eval $ac_link) 2>&5
-+ ac_status=$?
-+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
-+ (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-+ (eval $ac_try) 2>&5
-+ ac_status=$?
-+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
-+ (exit $ac_status); }; }; then
-+ echo "$as_me:$LINENO: result: working" >&5
-+echo "${ECHO_T}working" >&6
-+else
-+ echo "$as_me: program exited with status $ac_status" >&5
-+echo "$as_me: failed program was:" >&5
-+cat conftest.$ac_ext >&5
-+( exit $ac_status )
-+echo "$as_me:$LINENO: result: buggy" >&5
-+echo "${ECHO_T}buggy" >&6
- cat >>confdefs.h <<\_ACEOF
- #define BROKEN_GETADDRINFO 1
- _ACEOF
-
-+fi
-+rm -f core core.* *.core conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
-+fi
- ;;
- *-*-hpux10.26)
- if test -z "$GCC"; then
-@@ -3920,6 +3959,7 @@ _ACEOF
- SONY=1
- ;;
- *-*-netbsd*)
-+ check_for_libcrypt_before=1
- need_dash_r=1
- ;;
- *-*-freebsd*)
-@@ -3950,8 +3990,6 @@ _ACEOF
- CFLAGS="$CFLAGS"
- ;;
- *-*-solaris*)
-- CPPFLAGS="$CPPFLAGS -I/usr/local/include"
-- LDFLAGS="$LDFLAGS -L/usr/local/lib -R/usr/local/lib"
- need_dash_r=1
- cat >>confdefs.h <<\_ACEOF
- #define PAM_SUN_CODEBASE 1
-@@ -4406,6 +4444,9 @@ _ACEOF
+@@ -4697,6 +4697,9 @@ _ACEOF
;;
esac
@@ -79,7 +12,7 @@ $NetBSD: patch-aa,v 1.26 2002/09/09 20:16:25 jlam Exp $
# Allow user to specify flags
# Check whether --with-cflags or --without-cflags was given.
-@@ -6319,6 +6360,10 @@ echo $ECHO_N "checking for libwrap... $E
+@@ -6616,6 +6619,10 @@ echo $ECHO_N "checking for libwrap... $E
#line $LINENO "configure"
#include "confdefs.h"
@@ -90,84 +23,7 @@ $NetBSD: patch-aa,v 1.26 2002/09/09 20:16:25 jlam Exp $
#include <tcpd.h>
int deny_severity = 0, allow_severity = 0;
-@@ -8090,6 +8135,76 @@ fi
- rm -f conftest.$ac_objext conftest.$ac_ext
- fi
-
-+# Some systems want crypt() from libcrypt, *not* the version in OpenSSL,
-+# because the system crypt() is more featureful.
-+if test "x$check_for_libcrypt_before" = "x1"; then
-+
-+echo "$as_me:$LINENO: checking for crypt in -lcrypt" >&5
-+echo $ECHO_N "checking for crypt in -lcrypt... $ECHO_C" >&6
-+if test "${ac_cv_lib_crypt_crypt+set}" = set; then
-+ echo $ECHO_N "(cached) $ECHO_C" >&6
-+else
-+ ac_check_lib_save_LIBS=$LIBS
-+LIBS="-lcrypt $LIBS"
-+cat >conftest.$ac_ext <<_ACEOF
-+#line $LINENO "configure"
-+#include "confdefs.h"
-+
-+/* Override any gcc2 internal prototype to avoid an error. */
-+#ifdef __cplusplus
-+extern "C"
-+#endif
-+/* We use char because int might match the return type of a gcc2
-+ builtin and then its argument prototype would still apply. */
-+char crypt ();
-+#ifdef F77_DUMMY_MAIN
-+# ifdef __cplusplus
-+ extern "C"
-+# endif
-+ int F77_DUMMY_MAIN() { return 1; }
-+#endif
-+int
-+main ()
-+{
-+crypt ();
-+ ;
-+ return 0;
-+}
-+_ACEOF
-+rm -f conftest.$ac_objext conftest$ac_exeext
-+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-+ (eval $ac_link) 2>&5
-+ ac_status=$?
-+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
-+ (exit $ac_status); } &&
-+ { ac_try='test -s conftest$ac_exeext'
-+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-+ (eval $ac_try) 2>&5
-+ ac_status=$?
-+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
-+ (exit $ac_status); }; }; then
-+ ac_cv_lib_crypt_crypt=yes
-+else
-+ echo "$as_me: failed program was:" >&5
-+cat conftest.$ac_ext >&5
-+ac_cv_lib_crypt_crypt=no
-+fi
-+rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
-+LIBS=$ac_check_lib_save_LIBS
-+fi
-+echo "$as_me:$LINENO: result: $ac_cv_lib_crypt_crypt" >&5
-+echo "${ECHO_T}$ac_cv_lib_crypt_crypt" >&6
-+if test $ac_cv_lib_crypt_crypt = yes; then
-+ cat >>confdefs.h <<_ACEOF
-+#define HAVE_LIBCRYPT 1
-+_ACEOF
-+
-+ LIBS="-lcrypt $LIBS"
-+
-+fi
-+
-+fi
-+
- # Search for OpenSSL
- saved_CPPFLAGS="$CPPFLAGS"
- saved_LDFLAGS="$LDFLAGS"
-@@ -17497,7 +17612,7 @@ echo "OpenSSH has been configured with t
+@@ -17846,7 +17853,7 @@ echo "OpenSSH has been configured with t
echo " User binaries: $B"
echo " System binaries: $C"
echo " Configuration files: $D"
diff --git a/security/openssh/patches/patch-ab b/security/openssh/patches/patch-ab
index af0c28a8918..cb659caa00f 100644
--- a/security/openssh/patches/patch-ab
+++ b/security/openssh/patches/patch-ab
@@ -1,43 +1,8 @@
-$NetBSD: patch-ab,v 1.13 2002/09/09 20:16:26 jlam Exp $
+$NetBSD: patch-ab,v 1.14 2003/01/19 01:26:40 seb Exp $
---- configure.ac.orig Tue Jun 25 15:35:16 2002
+--- configure.ac.orig Thu Sep 26 00:38:47 2002
+++ configure.ac
-@@ -93,7 +93,16 @@ case "$host" in
- AC_DEFINE(IP_TOS_IS_BROKEN)
- ;;
- *-*-darwin*)
-- AC_DEFINE(BROKEN_GETADDRINFO)
-+ AC_MSG_CHECKING(if we have working getaddrinfo)
-+ AC_TRY_RUN([#include <mach-o/dyld.h>
-+main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
-+ exit(0);
-+ else
-+ exit(1);
-+}], [AC_MSG_RESULT(working)],
-+ [AC_MSG_RESULT(buggy)
-+ AC_DEFINE(BROKEN_GETADDRINFO)],
-+ [AC_MSG_RESULT(assume it is working)])
- ;;
- *-*-hpux10.26)
- if test -z "$GCC"; then
-@@ -167,6 +176,7 @@ mips-sony-bsd|mips-sony-newsos4)
- SONY=1
- ;;
- *-*-netbsd*)
-+ check_for_libcrypt_before=1
- need_dash_r=1
- ;;
- *-*-freebsd*)
-@@ -185,8 +195,6 @@ mips-sony-bsd|mips-sony-newsos4)
- CFLAGS="$CFLAGS"
- ;;
- *-*-solaris*)
-- CPPFLAGS="$CPPFLAGS -I/usr/local/include"
-- LDFLAGS="$LDFLAGS -L/usr/local/lib -R/usr/local/lib"
- need_dash_r=1
- AC_DEFINE(PAM_SUN_CODEBASE)
- AC_DEFINE(LOGIN_NEEDS_UTMPX)
-@@ -312,6 +320,9 @@ mips-sony-bsd|mips-sony-newsos4)
+@@ -341,6 +341,9 @@ mips-sony-bsd|mips-sony-newsos4)
;;
esac
@@ -47,7 +12,7 @@ $NetBSD: patch-ab,v 1.13 2002/09/09 20:16:26 jlam Exp $
# Allow user to specify flags
AC_ARG_WITH(cflags,
[ --with-cflags Specify additional flags to pass to compiler],
-@@ -545,6 +556,10 @@ AC_ARG_WITH(tcp-wrappers,
+@@ -575,6 +578,10 @@ AC_ARG_WITH(tcp-wrappers,
AC_MSG_CHECKING(for libwrap)
AC_TRY_LINK(
[
@@ -58,20 +23,7 @@ $NetBSD: patch-ab,v 1.13 2002/09/09 20:16:26 jlam Exp $
#include <tcpd.h>
int deny_severity = 0, allow_severity = 0;
],
-@@ -723,6 +738,12 @@ if test "x$PAM_MSG" = "xyes" ; then
- )
- fi
-
-+# Some systems want crypt() from libcrypt, *not* the version in OpenSSL,
-+# because the system crypt() is more featureful.
-+if test "x$check_for_libcrypt_before" = "x1"; then
-+ AC_CHECK_LIB(crypt, crypt)
-+fi
-+
- # Search for OpenSSL
- saved_CPPFLAGS="$CPPFLAGS"
- saved_LDFLAGS="$LDFLAGS"
-@@ -2385,7 +2406,7 @@ echo "OpenSSH has been configured with t
+@@ -2449,7 +2456,7 @@ echo "OpenSSH has been configured with t
echo " User binaries: $B"
echo " System binaries: $C"
echo " Configuration files: $D"