authortaca <taca@pkgsrc.org>2009-05-21 03:22:29 +0000
committertaca <taca@pkgsrc.org>2009-05-21 03:22:29 +0000
commit3dd52fd75030bb2b160179c5e6d857339fe691ac (patch)
tree1a6dc6584d8ea6df92029ba54dfad8285a269f37 /security
parentd7e3ddb1e5ce42b05b28883605875c01527ef850 (diff)
downloadpkgsrc-3dd52fd75030bb2b160179c5e6d857339fe691ac.tar.gz
Update openssh package to 5.2.1(5.2p1).
Changes since OpenSSH 5.1 ========================= Security: * This release changes the default cipher order to prefer the AES CTR modes and the revised "arcfour256" mode to CBC mode ciphers that are susceptible to CPNI-957037 "Plaintext Recovery Attack Against SSH". * This release also adds countermeasures to mitigate CPNI-957037-style attacks against the SSH protocol's use of CBC-mode ciphers. Upon detection of an invalid packet length or Message Authentication Code, ssh/sshd will continue reading up to the maximum supported packet length rather than immediately terminating the connection. This eliminates most of the known differences in behaviour that leaked information about the plaintext of injected data which formed the basis of this attack. We believe that these attacks are rendered infeasible by these changes. New features: * Added a -y option to ssh(1) to force logging to syslog rather than stderr, which is useful when running daemonised (ssh -f) * The sshd_config(5) ForceCommand directive now accepts commandline arguments for the internal-sftp server. * The ssh(1) ~C escape commandline now support runtime creation of dynamic (-D) port forwards. * Support the SOCKS4A protocol in ssh(1) dynamic (-D) forwards. (bz#1482) * Support remote port forwarding with a listen port of '0'. This informs the server that it should dynamically allocate a listen port and report it back to the client. (bz#1003) * sshd(8) now supports setting PermitEmptyPasswords and AllowAgentForwarding in Match blocks Bug and documentation fixes * Repair a ssh(1) crash introduced in openssh-5.1 when the client is sent a zero-length banner (bz#1496) * Due to interoperability problems with certain broken SSH implementations, the eow@openssh.com and no-more-sessions@openssh.com protocol extensions are now only sent to peers that identify themselves as OpenSSH. 
* Make ssh(1) send the correct channel number for SSH2_MSG_CHANNEL_SUCCESS and SSH2_MSG_CHANNEL_FAILURE messages to avoid triggering 'Non-public channel' error messages on sshd(8) in openssh-5.1. * Avoid printing 'Non-public channel' warnings in sshd(8), since the ssh(1) has sent incorrect channel numbers since ~2004 (this reverts a behaviour introduced in openssh-5.1). * Avoid double-free in ssh(1) ~C escape -L handler (bz#1539) * Correct fail-on-error behaviour in sftp(1) batchmode for remote stat operations. (bz#1541) * Disable nonfunctional ssh(1) ~C escape handler in multiplex slave connections. (bz#1543) * Avoid hang in ssh(1) when attempting to connect to a server that has MaxSessions=0 set. * Multiple fixes to sshd(8) configuration test (-T) mode * Several core and portable OpenSSH bugs fixed: 1380, 1412, 1418, 1419, 1421, 1490, 1491, 1492, 1514, 1515, 1518, 1520, 1538, 1540 * Many manual page improvements.
Diffstat (limited to 'security')
-rw-r--r--security/openssh/Makefile8
-rw-r--r--security/openssh/distinfo46
-rw-r--r--security/openssh/options.mk4
-rw-r--r--security/openssh/patches/patch-aa18
-rw-r--r--security/openssh/patches/patch-ab16
-rw-r--r--security/openssh/patches/patch-ad16
-rw-r--r--security/openssh/patches/patch-ag8
-rw-r--r--security/openssh/patches/patch-ah10
-rw-r--r--security/openssh/patches/patch-aj10
-rw-r--r--security/openssh/patches/patch-ak10
-rw-r--r--security/openssh/patches/patch-al8
-rw-r--r--security/openssh/patches/patch-am6
-rw-r--r--security/openssh/patches/patch-an10
-rw-r--r--security/openssh/patches/patch-ao16
-rw-r--r--security/openssh/patches/patch-ap6
-rw-r--r--security/openssh/patches/patch-aq10
-rw-r--r--security/openssh/patches/patch-ar6
-rw-r--r--security/openssh/patches/patch-av18
-rw-r--r--security/openssh/patches/patch-aw6
19 files changed, 116 insertions, 116 deletions
diff --git a/security/openssh/Makefile b/security/openssh/Makefile
index f496b58b631..986c4ac3c34 100644
--- a/security/openssh/Makefile
+++ b/security/openssh/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.191 2009/05/01 14:27:34 zafer Exp $
+# $NetBSD: Makefile,v 1.192 2009/05/21 03:22:29 taca Exp $
-DISTNAME= openssh-5.1p1
-PKGNAME= openssh-5.1.1
+DISTNAME= openssh-5.2p1
+PKGNAME= openssh-5.2.1
SVR4_PKGNAME= ossh
CATEGORIES= security
MASTER_SITES= ftp://ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/ \
@@ -14,7 +14,7 @@ MASTER_SITES= ftp://ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/ \
ftp://mirror.pacific.net.au/OpenBSD/OpenSSH/portable/
# Don't delete the last entry -- it's there if the pkgsrc version is not
# up-to-date and the mirrors already removed the old distfile.
-DIST_SUBDIR= ${PKGBASE}-5.1.1-20080916
+DIST_SUBDIR= ${PKGBASE}-5.2.1-20090521
MAINTAINER= pkgsrc-users@NetBSD.org
HOMEPAGE= http://www.openssh.com/
diff --git a/security/openssh/distinfo b/security/openssh/distinfo
index 6f39c5826d3..72ed3233e3e 100644
--- a/security/openssh/distinfo
+++ b/security/openssh/distinfo
@@ -1,29 +1,29 @@
-$NetBSD: distinfo,v 1.71 2008/09/16 12:53:08 taca Exp $
+$NetBSD: distinfo,v 1.72 2009/05/21 03:22:29 taca Exp $
-SHA1 (openssh-5.1.1-20080916/openssh-5.1p1-hpn13v5.diff.gz) = c2911f04f8d46a28afa9f9cbb7ec226cb2c893d1
-RMD160 (openssh-5.1.1-20080916/openssh-5.1p1-hpn13v5.diff.gz) = 6466cd0825e80366adc1978069e3c61255e0bde7
-Size (openssh-5.1.1-20080916/openssh-5.1p1-hpn13v5.diff.gz) = 23017 bytes
-SHA1 (openssh-5.1.1-20080916/openssh-5.1p1.tar.gz) = 877ea5b283060fe0160e376ea645e8e168047ff5
-RMD160 (openssh-5.1.1-20080916/openssh-5.1p1.tar.gz) = 24293ad89633cfd4791f08eb3442becb7e5788ca
-Size (openssh-5.1.1-20080916/openssh-5.1p1.tar.gz) = 1040041 bytes
-SHA1 (patch-aa) = 8b7a16e9a63cfff3b73d70b9cebb6627b96396e0
-SHA1 (patch-ab) = a105c238c8dc774ed6992791b131da56824869e9
+SHA1 (openssh-5.2.1-20090521/openssh-5.2p1-hpn13v6.diff.gz) = 9683d5feb3f7e302ef836901af5366df6c425815
+RMD160 (openssh-5.2.1-20090521/openssh-5.2p1-hpn13v6.diff.gz) = d647d3b0547e4d698c616f5ed6643b3ddbcced95
+Size (openssh-5.2.1-20090521/openssh-5.2p1-hpn13v6.diff.gz) = 33540 bytes
+SHA1 (openssh-5.2.1-20090521/openssh-5.2p1.tar.gz) = 8273a0237db98179fbdc412207ff8eb14ff3d6de
+RMD160 (openssh-5.2.1-20090521/openssh-5.2p1.tar.gz) = 7c53f342034b16e9faa9f5a09ef46390420722eb
+Size (openssh-5.2.1-20090521/openssh-5.2p1.tar.gz) = 1016612 bytes
+SHA1 (patch-aa) = 38546f8fd8bf6021d43cdf076ab723ad39a5f78e
+SHA1 (patch-ab) = 00e7e50a35e8b3bcfa53b239b520a12498c8dca0
SHA1 (patch-ac) = ba97b23c6527311256b335c58175da9e9a3616e4
-SHA1 (patch-ad) = 7921e029b56c0e4769a7ada03dff3eb2e275db7d
+SHA1 (patch-ad) = 254e11c5f56a72bf0b30bb8860e45156b3a0adf2
SHA1 (patch-ae) = 9585221f9e49b4ebea31c374066d70e11aa804a1
SHA1 (patch-af) = ca3224af0b648803404776a8c12ed678db4f8ff6
-SHA1 (patch-ag) = eeaa6e09f743405af074009ffe80678a5179ed08
-SHA1 (patch-ah) = bc0d7c2903ecf264e62b53f3864812af5f2f04ce
+SHA1 (patch-ag) = b5cb0400d3cda9cb6d60dc729e54b1ffc34ec9e2
+SHA1 (patch-ah) = fa5175734678e95d05dcdcebadeb79df3ecef760
SHA1 (patch-ai) = becad6262e5daeef2a6db14097a8971c40088403
-SHA1 (patch-aj) = 4f477f40d1d891dcda9083cec5521e80410ebd54
-SHA1 (patch-ak) = 3720afb4e95356d5310762cda881820d524dcffc
-SHA1 (patch-al) = d312a068047a375e52180026554bab745efdcdb7
-SHA1 (patch-am) = 4e2278b20e87e530e1819efde976d4414e160e38
-SHA1 (patch-an) = 2f955b8891bedd79986490d282eb09acd4910250
-SHA1 (patch-ao) = a7c5a1832cb2a4584c77577fb125f84a1e9a9deb
-SHA1 (patch-ap) = 3029b847ce83305e8103276e27c75e0338e1fc08
-SHA1 (patch-aq) = a619b57361b04d5ab3d41375c18f7b99d71c8b34
-SHA1 (patch-ar) = fce4dc1011a124f02b8e14980cda1d633b36aa7d
+SHA1 (patch-aj) = 5c89b4a7da59f05c50c16083aa6dd6e465cd0305
+SHA1 (patch-ak) = 550eae0b47dc220dac2439f57b39b7e4319057c5
+SHA1 (patch-al) = a3906a9b6a9a15b948b8bab3a85454f2515400bd
+SHA1 (patch-am) = 4893a8a059d611d35c1fb9ff03b598c590e0355e
+SHA1 (patch-an) = 5b41d9493028dd4dce4a73ea78e43f3a073108e5
+SHA1 (patch-ao) = 6b64be9b230ddb634b9b5fdab22c4944ae605153
+SHA1 (patch-ap) = 041059e25d2331aace0eaa5a6c3032afb3d565b4
+SHA1 (patch-aq) = 1a7d8a4c5e70a0c6211247ba583534ed8ce317d0
+SHA1 (patch-ar) = a1099e0175a2b14f3b19db04261891179b1e3299
SHA1 (patch-au) = 6cfdfc531e2267017a15e66ea48c7ecfa2a3926f
-SHA1 (patch-av) = 00f54c3fae7318b278b16bd0b01881a90bd31365
-SHA1 (patch-aw) = 2a88b7563c6f52163c6c5f716e437ecaea613a30
+SHA1 (patch-av) = 06126d8f83398aa9df8a56792ad55bc769dd2550
+SHA1 (patch-aw) = 532f2aebcb93cae5e0dd26a5faa1593a7d3a3c51
diff --git a/security/openssh/options.mk b/security/openssh/options.mk
index 25b1ea42821..f5b05a73da8 100644
--- a/security/openssh/options.mk
+++ b/security/openssh/options.mk
@@ -1,4 +1,4 @@
-# $NetBSD: options.mk,v 1.16 2008/09/16 12:53:08 taca Exp $
+# $NetBSD: options.mk,v 1.17 2009/05/21 03:22:29 taca Exp $
.include "../../mk/bsd.prefs.mk"
@@ -17,7 +17,7 @@ CONFIGURE_ARGS+= --with-kerberos5=${KRB5BASE:Q}
.endif
.if !empty(PKG_OPTIONS:Mhpn-patch)
-PATCHFILES= openssh-5.1p1-hpn13v5.diff.gz
+PATCHFILES= openssh-5.2p1-hpn13v6.diff.gz
PATCH_SITES= http://www.psc.edu/networking/projects/hpn-ssh/
PATCH_DIST_STRIP= -p1
.endif
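Review bot: `PATCHFILES` now names `openssh-5.2p1-hpn13v6.diff.gz`, which is fetched from the `http://` PATCH_SITES on the next line, so the SHA1/RMD160 entries added to distinfo are the only integrity check on third-party code applied to ssh and sshd when the hpn-patch option is on. The commit description lists upstream's 5.2 changes but says nothing about what changed between hpn13v5 and hpn13v6, although distinfo shows the patch growing from 23017 to 33540 bytes. I would record in the log, or in a comment above this line, how the new patch was reviewed and where its checksum came from, for example `# hpn13v6: third-party patch fetched over http; the distinfo checksum is its only integrity check`.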
diff --git a/security/openssh/patches/patch-aa b/security/openssh/patches/patch-aa
index 20e523159f8..2efc262c042 100644
--- a/security/openssh/patches/patch-aa
+++ b/security/openssh/patches/patch-aa
@@ -1,8 +1,8 @@
-$NetBSD: patch-aa,v 1.43 2006/11/08 01:49:22 taca Exp $
+$NetBSD: patch-aa,v 1.44 2009/05/21 03:22:29 taca Exp $
---- configure.orig 2006-11-07 22:07:18.000000000 +0900
+--- configure.orig 2009-02-23 09:18:14.000000000 +0900
+++ configure
-@@ -5835,6 +5835,9 @@ if test "${with_rpath+set}" = set; then
+@@ -5666,6 +5666,9 @@ if test "${with_rpath+set}" = set; then
fi
@@ -12,7 +12,7 @@ $NetBSD: patch-aa,v 1.43 2006/11/08 01:49:22 taca Exp $
# Allow user to specify flags
# Check whether --with-cflags was given.
-@@ -5976,6 +5979,7 @@ for ac_header in \
+@@ -5812,6 +5815,7 @@ for ac_header in \
maillock.h \
ndir.h \
net/if_tun.h \
@@ -20,7 +20,7 @@ $NetBSD: patch-aa,v 1.43 2006/11/08 01:49:22 taca Exp $
netdb.h \
netgroup.h \
pam/pam_appl.h \
-@@ -7919,6 +7923,36 @@ _ACEOF
+@@ -7521,6 +7525,36 @@ _ACEOF
;;
esac
;;
@@ -57,7 +57,7 @@ $NetBSD: patch-aa,v 1.43 2006/11/08 01:49:22 taca Exp $
*-*-irix5*)
PATH="$PATH:/usr/etc"
-@@ -8524,7 +8558,7 @@ cat >>confdefs.h <<\_ACEOF
+@@ -8082,7 +8116,7 @@ cat >>confdefs.h <<\_ACEOF
_ACEOF
;;
@@ -66,7 +66,7 @@ $NetBSD: patch-aa,v 1.43 2006/11/08 01:49:22 taca Exp $
check_for_libcrypt_later=1
cat >>confdefs.h <<\_ACEOF
-@@ -32058,14 +32092,21 @@ fi
+@@ -29187,14 +29221,21 @@ fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
if test -z "$conf_utmpx_location"; then
if test x"$system_utmpx_path" = x"no" ; then
@@ -92,7 +92,7 @@ $NetBSD: patch-aa,v 1.43 2006/11/08 01:49:22 taca Exp $
#define CONF_UTMPX_FILE "$conf_utmpx_location"
_ACEOF
-@@ -32146,14 +32187,20 @@ fi
+@@ -29258,14 +29299,20 @@ fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
if test -z "$conf_wtmpx_location"; then
if test x"$system_wtmpx_path" = x"no" ; then
@@ -118,7 +118,7 @@ $NetBSD: patch-aa,v 1.43 2006/11/08 01:49:22 taca Exp $
#define CONF_WTMPX_FILE "$conf_wtmpx_location"
_ACEOF
-@@ -33386,7 +33433,7 @@ echo "OpenSSH has been configured with t
+@@ -30518,7 +30565,7 @@ echo "OpenSSH has been configured with t
echo " User binaries: $B"
echo " System binaries: $C"
echo " Configuration files: $D"
diff --git a/security/openssh/patches/patch-ab b/security/openssh/patches/patch-ab
index 102af7061a3..45f6cd22c7d 100644
--- a/security/openssh/patches/patch-ab
+++ b/security/openssh/patches/patch-ab
@@ -1,8 +1,8 @@
-$NetBSD: patch-ab,v 1.25 2006/11/08 01:49:22 taca Exp $
+$NetBSD: patch-ab,v 1.26 2009/05/21 03:22:29 taca Exp $
---- configure.ac.orig 2006-10-07 08:07:21.000000000 +0900
+--- configure.ac.orig 2009-02-16 13:37:03.000000000 +0900
+++ configure.ac
-@@ -127,6 +127,9 @@ AC_ARG_WITH(rpath,
+@@ -191,6 +191,9 @@ AC_ARG_WITH(rpath,
]
)
@@ -12,7 +12,7 @@ $NetBSD: patch-ab,v 1.25 2006/11/08 01:49:22 taca Exp $
# Allow user to specify flags
AC_ARG_WITH(cflags,
[ --with-cflags Specify additional flags to pass to compiler],
-@@ -194,6 +197,7 @@ AC_CHECK_HEADERS( \
+@@ -258,6 +261,7 @@ AC_CHECK_HEADERS( \
maillock.h \
ndir.h \
net/if_tun.h \
@@ -20,7 +20,7 @@ $NetBSD: patch-ab,v 1.25 2006/11/08 01:49:22 taca Exp $
netdb.h \
netgroup.h \
pam/pam_appl.h \
-@@ -454,6 +458,15 @@ main() { if (NSVersionOfRunTimeLibrary("
+@@ -531,6 +535,15 @@ main() { if (NSVersionOfRunTimeLibrary("
;;
esac
;;
@@ -36,7 +36,7 @@ $NetBSD: patch-ab,v 1.25 2006/11/08 01:49:22 taca Exp $
*-*-irix5*)
PATH="$PATH:/usr/etc"
AC_DEFINE(BROKEN_INET_NTOA, 1,
-@@ -3876,9 +3889,17 @@ AC_TRY_COMPILE([
+@@ -4063,9 +4076,17 @@ AC_TRY_COMPILE([
)
if test -z "$conf_utmpx_location"; then
if test x"$system_utmpx_path" = x"no" ; then
@@ -56,7 +56,7 @@ $NetBSD: patch-ab,v 1.25 2006/11/08 01:49:22 taca Exp $
AC_DEFINE_UNQUOTED(CONF_UTMPX_FILE, "$conf_utmpx_location",
[Define if you want to specify the path to your utmpx file])
fi
-@@ -3902,9 +3923,17 @@ AC_TRY_COMPILE([
+@@ -4089,9 +4110,17 @@ AC_TRY_COMPILE([
)
if test -z "$conf_wtmpx_location"; then
if test x"$system_wtmpx_path" = x"no" ; then
@@ -76,7 +76,7 @@ $NetBSD: patch-ab,v 1.25 2006/11/08 01:49:22 taca Exp $
AC_DEFINE_UNQUOTED(CONF_WTMPX_FILE, "$conf_wtmpx_location",
[Define if you want to specify the path to your wtmpx file])
fi
-@@ -3944,7 +3973,7 @@ echo "OpenSSH has been configured with t
+@@ -4138,7 +4167,7 @@ echo "OpenSSH has been configured with t
echo " User binaries: $B"
echo " System binaries: $C"
echo " Configuration files: $D"
diff --git a/security/openssh/patches/patch-ad b/security/openssh/patches/patch-ad
index 12ae915a4e4..0e40539f65d 100644
--- a/security/openssh/patches/patch-ad
+++ b/security/openssh/patches/patch-ad
@@ -1,8 +1,8 @@
-$NetBSD: patch-ad,v 1.12 2006/10/31 03:31:20 taca Exp $
+$NetBSD: patch-ad,v 1.13 2009/05/21 03:22:29 taca Exp $
---- loginrec.c.orig 2006-09-07 21:57:54.000000000 +0900
+--- loginrec.c.orig 2009-02-12 11:12:22.000000000 +0900
+++ loginrec.c
-@@ -430,8 +430,8 @@ login_set_addr(struct logininfo *li, con
+@@ -431,8 +431,8 @@ login_set_addr(struct logininfo *li, con
int
login_write(struct logininfo *li)
{
@@ -13,7 +13,7 @@ $NetBSD: patch-ad,v 1.12 2006/10/31 03:31:20 taca Exp $
logit("Attempt to write login records by non-root user (aborting)");
return (1);
}
-@@ -439,7 +439,7 @@ login_write(struct logininfo *li)
+@@ -440,7 +440,7 @@ login_write(struct logininfo *li)
/* set the timestamp */
login_set_current_time(li);
@@ -22,7 +22,7 @@ $NetBSD: patch-ad,v 1.12 2006/10/31 03:31:20 taca Exp $
syslogin_write_entry(li);
#endif
#ifdef USE_LASTLOG
-@@ -619,7 +619,7 @@ line_abbrevname(char *dst, const char *s
+@@ -620,7 +620,7 @@ line_abbrevname(char *dst, const char *s
** into account.
**/
@@ -31,7 +31,7 @@ $NetBSD: patch-ad,v 1.12 2006/10/31 03:31:20 taca Exp $
/* build the utmp structure */
void
-@@ -756,10 +756,6 @@ construct_utmpx(struct logininfo *li, st
+@@ -757,10 +757,6 @@ construct_utmpx(struct logininfo *li, st
set_utmpx_time(li, utx);
utx->ut_pid = li->pid;
@@ -42,7 +42,7 @@ $NetBSD: patch-ad,v 1.12 2006/10/31 03:31:20 taca Exp $
if (li->type == LTYPE_LOGOUT)
return;
-@@ -768,6 +764,8 @@ construct_utmpx(struct logininfo *li, st
+@@ -769,6 +765,8 @@ construct_utmpx(struct logininfo *li, st
* for logouts.
*/
@@ -51,7 +51,7 @@ $NetBSD: patch-ad,v 1.12 2006/10/31 03:31:20 taca Exp $
# ifdef HAVE_HOST_IN_UTMPX
strncpy(utx->ut_host, li->hostname,
MIN_SIZEOF(utx->ut_host, li->hostname));
-@@ -1397,7 +1395,7 @@ wtmpx_get_entry(struct logininfo *li)
+@@ -1398,7 +1396,7 @@ wtmpx_get_entry(struct logininfo *li)
** Low-level libutil login() functions
**/
diff --git a/security/openssh/patches/patch-ag b/security/openssh/patches/patch-ag
index 60451e45489..63f28b8fe7d 100644
--- a/security/openssh/patches/patch-ag
+++ b/security/openssh/patches/patch-ag
@@ -1,8 +1,8 @@
-$NetBSD: patch-ag,v 1.10 2008/09/16 12:53:08 taca Exp $
+$NetBSD: patch-ag,v 1.11 2009/05/21 03:22:29 taca Exp $
---- config.h.in.orig 2008-07-21 17:30:49.000000000 +0900
+--- config.h.in.orig 2009-02-23 09:18:12.000000000 +0900
+++ config.h.in
-@@ -506,6 +506,9 @@
+@@ -509,6 +509,9 @@
/* define if you have int64_t data type */
#undef HAVE_INT64_T
@@ -12,7 +12,7 @@ $NetBSD: patch-ag,v 1.10 2008/09/16 12:53:08 taca Exp $
/* Define to 1 if you have the <inttypes.h> header file. */
#undef HAVE_INTTYPES_H
-@@ -623,6 +626,9 @@
+@@ -626,6 +629,9 @@
/* Define to 1 if you have the <net/if_tun.h> header file. */
#undef HAVE_NET_IF_TUN_H
diff --git a/security/openssh/patches/patch-ah b/security/openssh/patches/patch-ah
index 0899809e42a..abdd6769d4e 100644
--- a/security/openssh/patches/patch-ah
+++ b/security/openssh/patches/patch-ah
@@ -1,8 +1,8 @@
-$NetBSD: patch-ah,v 1.24 2006/10/31 03:31:20 taca Exp $
+$NetBSD: patch-ah,v 1.25 2009/05/21 03:22:29 taca Exp $
---- Makefile.in.orig 2006-09-12 20:54:10.000000000 +0900
+--- Makefile.in.orig 2008-11-05 14:20:46.000000000 +0900
+++ Makefile.in
-@@ -21,7 +21,7 @@ top_srcdir=@top_srcdir@
+@@ -22,7 +22,7 @@ top_srcdir=@top_srcdir@
DESTDIR=
VPATH=@srcdir@
SSH_PROGRAM=@bindir@/ssh
@@ -11,7 +11,7 @@ $NetBSD: patch-ah,v 1.24 2006/10/31 03:31:20 taca Exp $
SFTP_SERVER=$(libexecdir)/sftp-server
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
RAND_HELPER=$(libexecdir)/ssh-rand-helper
-@@ -234,7 +234,7 @@ distprep: catman-do
+@@ -233,7 +233,7 @@ distprep: catman-do
(cd scard && $(MAKE) -f Makefile.in distprep)
install: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
@@ -20,7 +20,7 @@ $NetBSD: patch-ah,v 1.24 2006/10/31 03:31:20 taca Exp $
install-nosysconf: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files
check-config:
-@@ -243,7 +243,7 @@ check-config:
+@@ -242,7 +242,7 @@ check-config:
scard-install:
(cd scard && $(MAKE) DESTDIR=$(DESTDIR) install)
diff --git a/security/openssh/patches/patch-aj b/security/openssh/patches/patch-aj
index e403be88acf..d9d31a4e589 100644
--- a/security/openssh/patches/patch-aj
+++ b/security/openssh/patches/patch-aj
@@ -1,8 +1,8 @@
-$NetBSD: patch-aj,v 1.7 2006/10/31 03:31:20 taca Exp $
+$NetBSD: patch-aj,v 1.8 2009/05/21 03:22:29 taca Exp $
---- auth-rhosts.c.orig 2006-08-05 11:39:39.000000000 +0900
+--- auth-rhosts.c.orig 2008-06-14 08:01:25.000000000 +0900
+++ auth-rhosts.c
-@@ -212,7 +212,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
+@@ -230,7 +230,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
return 0;
/* If not logging in as superuser, try /etc/hosts.equiv and shosts.equiv. */
@@ -11,7 +11,7 @@ $NetBSD: patch-aj,v 1.7 2006/10/31 03:31:20 taca Exp $
if (check_rhosts_file(_PATH_RHOSTS_EQUIV, hostname, ipaddr,
client_user, pw->pw_name)) {
auth_debug_add("Accepted for %.100s [%.100s] by /etc/hosts.equiv.",
-@@ -238,7 +238,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
+@@ -256,7 +256,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
return 0;
}
if (options.strict_modes &&
@@ -20,7 +20,7 @@ $NetBSD: patch-aj,v 1.7 2006/10/31 03:31:20 taca Exp $
(st.st_mode & 022) != 0)) {
logit("Rhosts authentication refused for %.100s: "
"bad ownership or modes for home directory.", pw->pw_name);
-@@ -265,7 +265,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
+@@ -283,7 +283,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
* allowing access to their account by anyone.
*/
if (options.strict_modes &&
diff --git a/security/openssh/patches/patch-ak b/security/openssh/patches/patch-ak
index 8f219befee9..a4c009b6204 100644
--- a/security/openssh/patches/patch-ak
+++ b/security/openssh/patches/patch-ak
@@ -1,8 +1,8 @@
-$NetBSD: patch-ak,v 1.8 2006/10/31 03:31:20 taca Exp $
+$NetBSD: patch-ak,v 1.9 2009/05/21 03:22:29 taca Exp $
---- auth.c.orig 2006-09-07 09:36:43.000000000 +0900
+--- auth.c.orig 2008-11-05 14:12:54.000000000 +0900
+++ auth.c
-@@ -377,7 +377,7 @@ check_key_in_hostfiles(struct passwd *pw
+@@ -378,7 +378,7 @@ check_key_in_hostfiles(struct passwd *pw
user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
if (options.strict_modes &&
(stat(user_hostfile, &st) == 0) &&
@@ -11,7 +11,7 @@ $NetBSD: patch-ak,v 1.8 2006/10/31 03:31:20 taca Exp $
(st.st_mode & 022) != 0)) {
logit("Authentication refused for %.100s: "
"bad owner or modes for %.200s",
-@@ -430,7 +430,7 @@ secure_filename(FILE *f, const char *fil
+@@ -431,7 +431,7 @@ secure_filename(FILE *f, const char *fil
/* check the open file to avoid races */
if (fstat(fileno(f), &st) < 0 ||
@@ -20,7 +20,7 @@ $NetBSD: patch-ak,v 1.8 2006/10/31 03:31:20 taca Exp $
(st.st_mode & 022) != 0) {
snprintf(err, errlen, "bad ownership or modes for file %s",
buf);
-@@ -447,7 +447,7 @@ secure_filename(FILE *f, const char *fil
+@@ -448,7 +448,7 @@ secure_filename(FILE *f, const char *fil
debug3("secure_filename: checking '%s'", buf);
if (stat(buf, &st) < 0 ||
diff --git a/security/openssh/patches/patch-al b/security/openssh/patches/patch-al
index 3e8b49202b2..67fa78f21c0 100644
--- a/security/openssh/patches/patch-al
+++ b/security/openssh/patches/patch-al
@@ -1,8 +1,8 @@
-$NetBSD: patch-al,v 1.7 2006/10/31 03:31:20 taca Exp $
+$NetBSD: patch-al,v 1.8 2009/05/21 03:22:29 taca Exp $
---- auth1.c.orig 2006-09-01 14:38:36.000000000 +0900
+--- auth1.c.orig 2008-07-09 19:54:05.000000000 +0900
+++ auth1.c
-@@ -325,7 +325,7 @@ do_authloop(Authctxt *authctxt)
+@@ -328,7 +328,7 @@ do_authloop(Authctxt *authctxt)
}
#else
/* Special handling for root */
@@ -11,7 +11,7 @@ $NetBSD: patch-al,v 1.7 2006/10/31 03:31:20 taca Exp $
!auth_root_allowed(meth->name)) {
authenticated = 0;
# ifdef SSH_AUDIT_EVENTS
-@@ -423,8 +423,8 @@ do_authentication(Authctxt *authctxt)
+@@ -426,8 +426,8 @@ do_authentication(Authctxt *authctxt)
* If we are not running as root, the user must have the same uid as
* the server.
*/
diff --git a/security/openssh/patches/patch-am b/security/openssh/patches/patch-am
index 6b4cf1f9a92..9a45a833bb9 100644
--- a/security/openssh/patches/patch-am
+++ b/security/openssh/patches/patch-am
@@ -1,8 +1,8 @@
-$NetBSD: patch-am,v 1.7 2006/10/31 03:31:20 taca Exp $
+$NetBSD: patch-am,v 1.8 2009/05/21 03:22:29 taca Exp $
---- auth2.c.orig 2006-08-05 11:39:39.000000000 +0900
+--- auth2.c.orig 2008-11-05 14:20:46.000000000 +0900
+++ auth2.c
-@@ -223,7 +223,7 @@ userauth_finish(Authctxt *authctxt, int
+@@ -298,7 +298,7 @@ userauth_finish(Authctxt *authctxt, int
authctxt->user);
/* Special handling for root */
diff --git a/security/openssh/patches/patch-an b/security/openssh/patches/patch-an
index dac9e7edfe6..d837aea414e 100644
--- a/security/openssh/patches/patch-an
+++ b/security/openssh/patches/patch-an
@@ -1,8 +1,8 @@
-$NetBSD: patch-an,v 1.9 2007/03/18 12:38:45 taca Exp $
+$NetBSD: patch-an,v 1.10 2009/05/21 03:22:29 taca Exp $
---- scp.c.orig 2007-03-18 16:27:26.000000000 +0900
+--- scp.c.orig 2008-11-03 17:23:45.000000000 +0900
+++ scp.c
-@@ -377,7 +377,11 @@ main(int argc, char **argv)
+@@ -390,7 +390,11 @@ main(int argc, char **argv)
argc -= optind;
argv += optind;
@@ -14,7 +14,7 @@ $NetBSD: patch-an,v 1.9 2007/03/18 12:38:45 taca Exp $
fatal("unknown user %u", (u_int) userid);
if (!isatty(STDOUT_FILENO))
-@@ -724,8 +728,10 @@ rsource(char *name, struct stat *statp)
+@@ -782,8 +786,10 @@ rsource(char *name, struct stat *statp)
return;
}
while ((dp = readdir(dirp)) != NULL) {
@@ -25,7 +25,7 @@ $NetBSD: patch-an,v 1.9 2007/03/18 12:38:45 taca Exp $
if (!strcmp(dp->d_name, ".") || !strcmp(dp->d_name, ".."))
continue;
if (strlen(name) + 1 + strlen(dp->d_name) >= sizeof(path) - 1) {
-@@ -1175,7 +1181,9 @@ okname(char *cp0)
+@@ -1233,7 +1239,9 @@ okname(char *cp0)
case '\'':
case '"':
case '`':
diff --git a/security/openssh/patches/patch-ao b/security/openssh/patches/patch-ao
index 6823d1e0080..2d3931130a0 100644
--- a/security/openssh/patches/patch-ao
+++ b/security/openssh/patches/patch-ao
@@ -1,12 +1,12 @@
-$NetBSD: patch-ao,v 1.12 2008/04/27 00:34:27 tnn Exp $
+$NetBSD: patch-ao,v 1.13 2009/05/21 03:22:29 taca Exp $
One more replacing 0 with ROOTUID is handled by using SUBST framework
because patch can't handle it when hpn-patch option is enabled.
So, don't simply update this file with mkpatch command.
---- session.c.orig 2008-03-27 01:03:05.000000000 +0100
+--- session.c.orig 2009-01-28 14:29:49.000000000 +0900
+++ session.c
-@@ -955,7 +955,7 @@ read_etc_default_login(char ***env, u_in
+@@ -1068,7 +1068,7 @@ read_etc_default_login(char ***env, u_in
if (tmpenv == NULL)
return;
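Review bot: The header comment of this patch says one `0` to `ROOTUID` replacement in session.c is done through the SUBST framework rather than here, and that rule does not appear to be touched by this commit, since the Makefile hunks change only the version strings. session.c moves to 5.2p1 (the hunk offsets shift by more than 100 lines) and the HPN patch moves from hpn13v5 to hpn13v6. The substitution should therefore be re-checked against the new text with and without hpn-patch, because a rule that no longer matches would presumably be a silent no-op, leaving one root check comparing against literal 0. I would extend the comment to say what the rule targets, for example `SUBST in Makefile rewrites <expression> in <function>; re-verify the match on every update` (placeholders to be filled from the Makefile, which is not shown here).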
@@ -15,7 +15,7 @@ So, don't simply update this file with mkpatch command.
var = child_get_env(tmpenv, "SUPATH");
else
var = child_get_env(tmpenv, "PATH");
-@@ -1064,7 +1064,7 @@ do_setup_env(Session *s, const char *she
+@@ -1177,7 +1177,7 @@ do_setup_env(Session *s, const char *she
# endif /* HAVE_ETC_DEFAULT_LOGIN */
if (path == NULL || *path == '\0') {
child_set_env(&env, &envsize, "PATH",
@@ -24,7 +24,7 @@ So, don't simply update this file with mkpatch command.
SUPERUSER_PATH : _PATH_STDPATH);
}
# endif /* HAVE_CYGWIN */
-@@ -1178,6 +1178,18 @@ do_setup_env(Session *s, const char *she
+@@ -1291,6 +1291,18 @@ do_setup_env(Session *s, const char *she
strcmp(pw->pw_dir, "/") ? pw->pw_dir : "");
read_environment_file(&env, &envsize, buf);
}
@@ -43,7 +43,7 @@ So, don't simply update this file with mkpatch command.
if (debug_flag) {
/* dump the environment */
fprintf(stderr, "Environment:\n");
-@@ -1351,9 +1363,9 @@ do_setusercontext(struct passwd *pw)
+@@ -1464,9 +1476,9 @@ do_setusercontext(struct passwd *pw)
(void)ssh_selinux_enabled();
#endif
@@ -55,7 +55,7 @@ So, don't simply update this file with mkpatch command.
{
#ifdef HAVE_SETPCRED
-@@ -1387,11 +1399,13 @@ do_setusercontext(struct passwd *pw)
+@@ -1500,11 +1512,13 @@ do_setusercontext(struct passwd *pw)
perror("setgid");
exit(1);
}
@@ -69,7 +69,7 @@ So, don't simply update this file with mkpatch command.
endgrent();
# ifdef USE_PAM
/*
-@@ -2175,7 +2189,7 @@ session_pty_cleanup2(Session *s)
+@@ -2328,7 +2342,7 @@ session_pty_cleanup2(Session *s)
record_logout(s->pid, s->tty, s->pw->pw_name);
/* Release the pseudo-tty. */
diff --git a/security/openssh/patches/patch-ap b/security/openssh/patches/patch-ap
index 3b982f750a3..70377e9c4a1 100644
--- a/security/openssh/patches/patch-ap
+++ b/security/openssh/patches/patch-ap
@@ -1,8 +1,8 @@
-$NetBSD: patch-ap,v 1.9 2008/04/27 00:34:27 tnn Exp $
+$NetBSD: patch-ap,v 1.10 2009/05/21 03:22:29 taca Exp $
---- ssh.c.orig 2008-02-28 09:13:52.000000000 +0100
+--- ssh.c.orig 2009-02-14 14:28:21.000000000 +0900
+++ ssh.c
-@@ -693,7 +693,7 @@ main(int ac, char **av)
+@@ -702,7 +702,7 @@ main(int ac, char **av)
if (ssh_connect(host, &hostaddr, options.port,
options.address_family, options.connection_attempts, &timeout_ms,
options.tcp_keep_alive,
diff --git a/security/openssh/patches/patch-aq b/security/openssh/patches/patch-aq
index 2501dc65c6e..ed29d3f1d2a 100644
--- a/security/openssh/patches/patch-aq
+++ b/security/openssh/patches/patch-aq
@@ -1,17 +1,17 @@
-$NetBSD: patch-aq,v 1.6 2006/10/31 03:31:20 taca Exp $
+$NetBSD: patch-aq,v 1.7 2009/05/21 03:22:29 taca Exp $
---- sshpty.c.orig 2006-08-05 11:39:41.000000000 +0900
+--- sshpty.c.orig 2009-02-12 10:19:21.000000000 +0900
+++ sshpty.c
-@@ -78,7 +78,7 @@ pty_allocate(int *ptyfd, int *ttyfd, cha
- void
+@@ -86,7 +86,7 @@ void
pty_release(const char *tty)
{
+ #ifndef __APPLE_PRIVPTY__
- if (chown(tty, (uid_t) 0, (gid_t) 0) < 0)
+ if (chown(tty, (uid_t) ROOTUID, (gid_t) ROOTGID) < 0)
error("chown %.100s 0 0 failed: %.100s", tty, strerror(errno));
if (chmod(tty, (mode_t) 0666) < 0)
error("chmod %.100s 0666 failed: %.100s", tty, strerror(errno));
-@@ -224,7 +224,7 @@ pty_setowner(struct passwd *pw, const ch
+@@ -233,7 +233,7 @@ pty_setowner(struct passwd *pw, const ch
if (st.st_uid != pw->pw_uid || st.st_gid != gid) {
if (chown(tty, pw->pw_uid, gid) < 0) {
if (errno == EROFS &&
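Review bot: In pty_release the message `error("chown %.100s 0 0 failed: %.100s", ...)` still hard-codes `0 0`, although the patched call now passes `ROOTUID` and `ROOTGID`, so on a platform where those are not 0 the log reports ids that were never used. The patch could change that line as well, e.g. `error("chown %.100s %u %u failed: %.100s", tty, (u_int)ROOTUID, (u_int)ROOTGID, strerror(errno));`, assuming both macros expand to integer ids. The second inner hunk (pty_setowner) continues outside what is visible here.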
diff --git a/security/openssh/patches/patch-ar b/security/openssh/patches/patch-ar
index b60e7466dae..3c6d715a04f 100644
--- a/security/openssh/patches/patch-ar
+++ b/security/openssh/patches/patch-ar
@@ -1,6 +1,6 @@
-$NetBSD: patch-ar,v 1.7 2006/10/31 03:31:20 taca Exp $
+$NetBSD: patch-ar,v 1.8 2009/05/21 03:22:29 taca Exp $
---- uidswap.c.orig 2006-08-05 11:39:41.000000000 +0900
+--- uidswap.c.orig 2009-01-21 14:04:24.000000000 +0900
+++ uidswap.c
@@ -66,13 +66,13 @@ temporarily_use_uid(struct passwd *pw)
(u_int)pw->pw_uid, (u_int)pw->pw_gid,
@@ -64,7 +64,7 @@ $NetBSD: patch-ar,v 1.7 2006/10/31 03:31:20 taca Exp $
#if defined(HAVE_SETRESGID) && !defined(BROKEN_SETRESGID)
if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) < 0)
fatal("setresgid %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
-@@ -268,6 +278,7 @@ permanently_set_uid(struct passwd *pw)
+@@ -278,6 +288,7 @@ permanently_set_uid(struct passwd *pw)
(setuid(old_uid) != -1 || seteuid(old_uid) != -1))
fatal("%s: was able to restore old [e]uid", __func__);
#endif
diff --git a/security/openssh/patches/patch-av b/security/openssh/patches/patch-av
index b029a71e43f..3e06c1b1ccd 100644
--- a/security/openssh/patches/patch-av
+++ b/security/openssh/patches/patch-av
@@ -1,8 +1,8 @@
-$NetBSD: patch-av,v 1.6 2006/11/21 17:43:56 tv Exp $
+$NetBSD: patch-av,v 1.7 2009/05/21 03:22:29 taca Exp $
---- sshd.c.orig 2006-10-29 17:01:29.000000000 +0900
+--- sshd.c.orig 2009-01-28 14:31:23.000000000 +0900
+++ sshd.c
-@@ -232,7 +232,11 @@ int *startup_pipes = NULL;
+@@ -234,7 +234,11 @@ int *startup_pipes = NULL;
int startup_pipe; /* in child */
/* variables used for privilege separation */
@@ -14,7 +14,7 @@ $NetBSD: patch-av,v 1.6 2006/11/21 17:43:56 tv Exp $
struct monitor *pmonitor = NULL;
/* global authentication context */
-@@ -608,10 +612,15 @@ privsep_preauth_child(void)
+@@ -604,10 +608,15 @@ privsep_preauth_child(void)
/* XXX not ready, too heavy after chroot */
do_setusercontext(privsep_pw);
#else
@@ -30,7 +30,7 @@ $NetBSD: patch-av,v 1.6 2006/11/21 17:43:56 tv Exp $
#endif
}
-@@ -651,7 +660,7 @@ privsep_preauth(Authctxt *authctxt)
+@@ -647,7 +656,7 @@ privsep_preauth(Authctxt *authctxt)
close(pmonitor->m_sendfd);
/* Demote the child */
@@ -39,7 +39,7 @@ $NetBSD: patch-av,v 1.6 2006/11/21 17:43:56 tv Exp $
privsep_preauth_child();
setproctitle("%s", "[net]");
}
-@@ -664,7 +673,7 @@ privsep_postauth(Authctxt *authctxt)
+@@ -662,7 +671,7 @@ privsep_postauth(Authctxt *authctxt)
#ifdef DISABLE_FD_PASSING
if (1) {
#else
@@ -48,7 +48,7 @@ $NetBSD: patch-av,v 1.6 2006/11/21 17:43:56 tv Exp $
#endif
/* File descriptor passing is broken or root login */
use_privsep = 0;
-@@ -1256,8 +1265,10 @@ main(int ac, char **av)
+@@ -1272,8 +1281,10 @@ main(int ac, char **av)
av = saved_argv;
#endif
@@ -60,7 +60,7 @@ $NetBSD: patch-av,v 1.6 2006/11/21 17:43:56 tv Exp $
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
sanitise_stdfd();
-@@ -1519,7 +1530,7 @@ main(int ac, char **av)
+@@ -1577,7 +1588,7 @@ main(int ac, char **av)
(st.st_uid != getuid () ||
(st.st_mode & (S_IWGRP|S_IWOTH)) != 0))
#else
@@ -69,7 +69,7 @@ $NetBSD: patch-av,v 1.6 2006/11/21 17:43:56 tv Exp $
#endif
fatal("%s must be owned by root and not group or "
"world-writable.", _PATH_PRIVSEP_CHROOT_DIR);
-@@ -1536,8 +1547,10 @@ main(int ac, char **av)
+@@ -1601,8 +1612,10 @@ main(int ac, char **av)
* to create a file, and we can't control the code in every
* module which might be used).
*/
diff --git a/security/openssh/patches/patch-aw b/security/openssh/patches/patch-aw
index 3af175388fb..c61742928c9 100644
--- a/security/openssh/patches/patch-aw
+++ b/security/openssh/patches/patch-aw
@@ -1,8 +1,8 @@
-$NetBSD: patch-aw,v 1.2 2006/10/31 03:31:20 taca Exp $
+$NetBSD: patch-aw,v 1.3 2009/05/21 03:22:29 taca Exp $
---- openbsd-compat/port-tun.c.orig 2006-09-02 14:32:40.000000000 +0900
+--- openbsd-compat/port-tun.c.orig 2008-05-19 14:28:36.000000000 +0900
+++ openbsd-compat/port-tun.c
-@@ -109,6 +109,10 @@ sys_tun_open(int tun, int mode)
+@@ -110,6 +110,10 @@ sys_tun_open(int tun, int mode)
#include <sys/socket.h>
#include <net/if.h>