author | nia <nia@pkgsrc.org> | 2019-06-10 13:44:35 +0000 |
---|---|---|
committer | nia <nia@pkgsrc.org> | 2019-06-10 13:44:35 +0000 |
commit | de53a6a34ce589a4330049bc7adbb6d5ec6bb4b4 (patch) | |
tree | 8b9194ef25f8118ab228f23435ed6d92d6964a9f /security | |
parent | c3e4cdb53bf7205422b388ad1787e33a55e871b6 (diff) | |
download | pkgsrc-de53a6a34ce589a4330049bc7adbb6d5ec6bb4b4.tar.gz |
dropbear: Update to 2019.78
Changes:
2019.78 - 27 March 2019
- Fix dbclient regression in 2019.77. After exiting, the terminal would be left
in a bad state. Reported by Ryan Woodsmall
2019.77 - 23 March 2019
- Fix server -R option with ECDSA - only advertise one key size which will be accepted.
Reported by Peter Krefting, 2018.76 regression.
- Fix server regression in 2018.76 where multiple client -R forwards were all forwarded
to the first destination. Reported by Iddo Samet.
- Make failure delay more consistent to avoid revealing valid usernames; set a server password
limit of 100 characters. Problem reported by usd responsible disclosure team
- Change handling of failed authentication to avoid disclosing valid usernames,
CVE-2018-15599.
- Fix dbclient to reliably return the exit code from the remote server.
Reported by W. Mike Petullo
- Fix export of 521-bit ECDSA keys, from Christian Hohnstädt
- Add -o Port=xxx option to work with sshfs, from xcko
- Merged fuzzing code, see FUZZER-NOTES.md
- Add a DROPBEAR_SVR_MULTIUSER=0 compile option to run on
single-user Linux kernels (CONFIG_MULTIUSER disabled). From Patrick Stewart
- Increase allowed username to 100 characters, reported by W. Mike Petullo
- Update config.sub and config.guess, should now work with RISC-V
- Cygwin compile fix from karel-m
- Don't require GNU sed (accidentally in 2018.76), reported by Samuel Hsu
- Fix for IRIX and writev(), reported by Kazuo Kuroi
- Other fixes and cleanups from François Perrad, Andre McCurdy, Konstantin Demin,
Michael Jones, Pawel Rapkiewicz
2018.76 - 27 February 2018
> > > Configuration/compatibility changes
IMPORTANT
Custom configuration is now specified in localoptions.h rather than options.h
Available options and defaults can be seen in default_options.h
To migrate your configuration, compare your customised options.h against the
upstream options.h from your relevant version. Any customised options should
be put in localoptions.h in the build directory.
- "configure --enable-static" should now be used instead of "make STATIC=1"
This will avoid 'hardened build' flags that conflict with static binaries
- Set 'hardened build' flags by default if supported by the compiler.
These can be disabled with configure --disable-harden if needed.
-Wl,-pie
-Wl,-z,now -Wl,-z,relro
-fstack-protector-strong
-D_FORTIFY_SOURCE=2
# spectre v2 mitigation
-mfunction-return=thunk
-mindirect-branch=thunk
Spectre patch from Loganaden Velvindron
- "dropbear -r" option for hostkeys no longer attempts to load the default
hostkey paths as well. If desired these can be specified manually.
Patch from CamVan Nguyen
- group1-sha1 key exchange is disabled in the server by default since
the fixed 1024-bit group may be susceptible to attacks
- twofish ciphers are now disabled in the default configuration
- Default generated ECDSA key size is now 256 (rather than 521)
for better interoperability
- Minimum RSA key length has been increased to 1024 bits
> > > Other features and fixes
- Add runtime -T max_auth_tries option from Kevin Darbyshire-Bryant
- Add 'dbclient -J &fd' to allow dbclient to connect over an existing socket.
See dbclient manpage for a socat example. Patch from Harald Becker
- Add "-c forced_command" option. Patch from Jeremy Kerr
- Restricted group -G option added with patch from stellarpower
- Support server-chosen TCP forwarding ports, patch from houseofkodai
- Allow choosing outgoing address for dbclient with -b [bind_address][:bind_port]
Patch from houseofkodai
- Makefile will now rebuild object files when header files are modified
- Add group14-256 and group16 key exchange options
- curve25519-sha256 also supported without @libssh.org suffix
- Update bundled libtomcrypt to 1.18.1, libtommath to 1.0.1
This fixes building with some recent versions of clang
- Set PAM_RHOST which is needed by modules such as pam_abl
- Improvements to DSS and RSA public key validation, found by OSS-Fuzz.
- Don't exit when an authorized_keys file has malformed entries. Found by OSS-Fuzz
- Fix null-pointer crash with malformed ECDSA or DSS keys. Found by OSS-Fuzz
- Numerous code cleanups and small issues fixed by Francois Perrad
- Test for pkt_sched.h rather than SO_PRIORITY which was problematic with some musl
platforms. Reported by Oliver Schneider and Andrew Bainbridge
- Fix some platform portability problems, from Ben Gardner
- Add EXEEXT filename suffix for building dropbearmulti, from William Foster
- Support --enable-<option> properly for configure, from Stefan Hauser
- configure have_openpty result can be cached, from Eric Bénard
- handle platforms that return close() < -1 on failure, from Marco Wenzel
- Build and configuration cleanups from Michael Witten
- Fix libtomcrypt/libtommath linking order, from Andre McCurdy
- Fix old Linux platforms that have SYS_clock_gettime but not CLOCK_MONOTONIC
- Update curve25519-donna implementation to current version
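The localoptions.h migration described under IMPORTANT above (compare the customised options.h against the upstream options.h of the same version, and move every customised setting into localoptions.h in the build directory) can be mechanised. The POSIX shell script below is an added example, not part of this pkgsrc commit or of dropbear itself: it extracts the `#define` lines from both headers, emits every changed or newly added definition as a localoptions.h line, and lists definitions that the customised copy dropped (commented out or deleted) as review comments rather than guessing how a removed option should be expressed against default_options.h. The function names `defines` and `gen_localoptions` and the option names in the usage comment are constructed for illustration.

```shell
#!/bin/sh
# Added example (not dropbear or pkgsrc code): derive a localoptions.h from a
# customised pre-2018.76 options.h by diffing its #defines against the
# upstream options.h of the same dropbear version.
#
# Usage: sh gen_localoptions.sh upstream/options.h customised/options.h > localoptions.h

# defines FILE: print "NAME<TAB>VALUE" for every `#define NAME VALUE` in FILE.
# A trailing /* comment */ on the define line is stripped; tabs inside the
# value are flattened to spaces so the tab separator stays unambiguous.
defines() {
    awk '
        /^[[:space:]]*#[[:space:]]*define[[:space:]]/ {
            line = $0
            sub(/^[[:space:]]*#[[:space:]]*define[[:space:]]+/, "", line)
            name = line
            sub(/[^A-Za-z0-9_].*$/, "", name)          # identifier up to first non-ident char
            value = substr(line, length(name) + 1)
            sub(/^[[:space:]]+/, "", value)
            gsub(/\t/, " ", value)
            sub(/[[:space:]]*\/\*.*\*\/[[:space:]]*$/, "", value)   # drop trailing comment
            sub(/[[:space:]]+$/, "", value)
            print name "\t" value
        }' "$1" | sort -u
}

# gen_localoptions UPSTREAM CUSTOM: write localoptions.h content to stdout.
gen_localoptions() {
    up=$(mktemp) || return 1
    cu=$(mktemp) || return 1
    defines "$1" > "$up"
    defines "$2" > "$cu"
    printf '/* localoptions.h: settings that differ from upstream %s */\n' "$1"

    # Definitions that are new in, or changed by, the customised copy are
    # emitted verbatim: these are the settings the IMPORTANT note asks for.
    awk -F '\t' -v upf="$up" '
        FILENAME == upf { up[$1] = $2; seen[$1] = 1; next }
        !($1 in seen) || up[$1] != $2 {
            print "#define " $1 ($2 == "" ? "" : " " $2)
        }' "$up" "$cu"

    # Definitions present upstream but missing from the customised copy were
    # disabled by commenting out or deleting them.  How such an option is
    # switched off in the new scheme must be checked against default_options.h,
    # so they are only flagged for review.
    awk -F '\t' -v cuf="$cu" '
        FILENAME == cuf { cu[$1] = 1; next }
        !($1 in cu) {
            print "/* REVIEW: " $1 " was removed in the customised copy (upstream value: " $2 ") */"
        }' "$cu" "$up"

    rm -f "$up" "$cu"
}

if [ "$#" -eq 2 ]; then
    gen_localoptions "$1" "$2"
fi
```

Run it once per package you maintain, inspect the REVIEW lines against default_options.h, and drop the result into the build directory as localoptions.h before `configure`; the generated header is a starting point, not a drop-in replacement for reading the new defaults.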
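The 'hardened build' flags listed above only help if they survive into the installed binaries; a CFLAGS override in the package, `configure --disable-harden`, or an old `make STATIC=1` build can silently drop them. The POSIX shell script below is an added example, not dropbear or pkgsrc code: it reads the text of `readelf -h -l -d -s` for a binary and reports whether it is PIE, has full RELRO (a GNU_RELRO segment plus BIND_NOW), references the stack-protector and FORTIFY_SOURCE runtime symbols, and contains retpoline thunk symbols. The symbol names used for the retpoline check (`__x86_indirect_thunk*`, `__x86_return_thunk`) are an assumption about what GCC emits on x86 for `-mindirect-branch=thunk` and `-mfunction-return=thunk`; they are local symbols, so they disappear after `make strip` and never exist on other architectures, and a "no" there is not proof the flag was missing.

```shell
#!/bin/sh
# Added example (not dropbear or pkgsrc code): check that a built binary
# carries the hardening properties the 2018.76 release notes enable by default.
#
# Usage: sh check_hardening.sh /usr/pkg/sbin/dropbear

# hardening_report: read `readelf -h -l -d -s` output on stdin and print one
# "property=yes|no" line per check.  Kept separate from the readelf call so
# captured output can be fed in for testing.
hardening_report() {
    awk '
        /^[[:space:]]*Type:[[:space:]]+DYN/            { pie = 1 }      # ET_DYN executable (-pie)
        /\(FLAGS_1\)/ && /PIE/                         { pie = 1 }      # DF_1_PIE from newer linkers
        /^[[:space:]]*GNU_RELRO/                       { relro = 1 }    # PT_GNU_RELRO (-z relro)
        /\(BIND_NOW\)/                                 { now = 1 }      # DT_BIND_NOW (-z now)
        /\(FLAGS\)/ && /BIND_NOW/                      { now = 1 }      # DF_BIND_NOW
        /\(FLAGS_1\)/ && /NOW/                         { now = 1 }      # DF_1_NOW
        /__stack_chk_fail/                             { ssp = 1 }      # -fstack-protector*
        /__[a-z_]+_chk[@[:space:]]/ || /__[a-z_]+_chk$/ { fortify = 1 } # __memcpy_chk etc. (_FORTIFY_SOURCE)
        /__x86_indirect_thunk/ || /__x86_return_thunk/ { thunk = 1 }    # assumed GCC retpoline thunk names
        END {
            print "pie=" (pie ? "yes" : "no")
            print "full_relro=" ((relro && now) ? "yes" : "no")
            print "stack_protector=" (ssp ? "yes" : "no")
            print "fortify=" (fortify ? "yes" : "no")
            print "retpoline=" (thunk ? "yes" : "no")
        }'
}

# check_binary FILE: run readelf on FILE and report.
check_binary() {
    readelf -h -l -d -s "$1" | hardening_report
}

if [ "$#" -eq 1 ]; then
    check_binary "$1"
fi
```

Note that FORTIFY only shows up as `__*_chk` symbols when the compiler could actually prove a buffer size at some call site, so "fortify=no" on a small program is inconclusive; "pie=no" or "full_relro=no" on a freshly built dropbear, by contrast, means the hardening flags did not reach the link step.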
Diffstat (limited to 'security')

| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | security/dropbear/Makefile | 8 |
| -rw-r--r-- | security/dropbear/distinfo | 14 |
| -rw-r--r-- | security/dropbear/patches/patch-aa | 34 |
| -rw-r--r-- | security/dropbear/patches/patch-default__options.h (renamed from security/dropbear/patches/patch-ab) | 8 |

4 files changed, 23 insertions, 41 deletions
diff --git a/security/dropbear/Makefile b/security/dropbear/Makefile index 7f93ad49257..b7f92a9e0fa 100644 --- a/security/dropbear/Makefile +++ b/security/dropbear/Makefile @@ -1,12 +1,12 @@ -# $NetBSD: Makefile,v 1.35 2018/07/04 13:40:33 jperkin Exp $ +# $NetBSD: Makefile,v 1.36 2019/06/10 13:44:35 nia Exp $ -DISTNAME= dropbear-2017.75 +DISTNAME= dropbear-2019.78 CATEGORIES= security -MASTER_SITES= http://matt.ucc.asn.au/dropbear/releases/ +MASTER_SITES= https://matt.ucc.asn.au/dropbear/releases/ EXTRACT_SUFX= .tar.bz2 MAINTAINER= snj@NetBSD.org -HOMEPAGE= http://matt.ucc.asn.au/dropbear/dropbear.html +HOMEPAGE= https://matt.ucc.asn.au/dropbear/dropbear.html COMMENT= Small SSH2 server and client, aimed at embedded market LICENSE= modified-bsd diff --git a/security/dropbear/distinfo b/security/dropbear/distinfo index b7c4d977625..2120430bc49 100644 --- a/security/dropbear/distinfo +++ b/security/dropbear/distinfo 
@@ -1,9 +1,9 @@ -$NetBSD: distinfo,v 1.25 2017/11/09 19:00:25 snj Exp $ +$NetBSD: distinfo,v 1.26 2019/06/10 13:44:35 nia Exp $ -SHA1 (dropbear-2017.75.tar.bz2) = c30c64dda9db228592e3a97313078ca71d9d283f -RMD160 (dropbear-2017.75.tar.bz2) = 4ad8fafe8a5dd30066bec27af66a8e98bd6db7ed -SHA512 (dropbear-2017.75.tar.bz2) = 9c2f2a5e718339f83abc0ad7719bda12bfc75e5bcb87a7c0eec0afefc743e5c0a1575d290d5fde152ff2100b0f0e6fd5ef4431f7bbcb5ca9a332d93c20f5a8f4 -Size (dropbear-2017.75.tar.bz2) = 1623392 bytes -SHA1 (patch-aa) = d23b69458c54933a4cafa6146ca2167c80453523 -SHA1 (patch-ab) = 8595e4c65d8aa78c8d34af70619ced02f807e77b +SHA1 (dropbear-2019.78.tar.bz2) = 820ec2b8c869edbcf5ad1138777fc0f54349505c +RMD160 (dropbear-2019.78.tar.bz2) = a6b00e7aa6482b8ca2aa68443306b58be816d80e +SHA512 (dropbear-2019.78.tar.bz2) = f667ba8dae17ea89c118642b566f2c134c71bfd0b8bacea5cf7ec87d75ac79bd7cd1864a8788367a89d30ee35427d389ef6416375adff6e83caae30ff3e0549f +Size (dropbear-2019.78.tar.bz2) = 2708659 bytes +SHA1 (patch-aa) = 2f1ff3a9e3bccab9852d05ee7c0a68484be3f0c3 SHA1 (patch-configure) = 95c82b951d16a5cca92a3d4d7ef67b7eb5f47540 +SHA1 (patch-default__options.h) = ef38d09e20b9d74abdd118901a4fc30459eb0dcb diff --git a/security/dropbear/patches/patch-aa b/security/dropbear/patches/patch-aa index 78c144c6de2..f3eb7390aea 100644 --- a/security/dropbear/patches/patch-aa +++ b/security/dropbear/patches/patch-aa 
@@ -1,32 +1,14 @@ -$NetBSD: patch-aa,v 1.11 2017/05/16 21:54:21 snj Exp $ +$NetBSD: patch-aa,v 1.12 2019/06/10 13:44:35 nia Exp $ use pkgsrc macros to install programs and man pages set up dropbear default key locations correctly ---- Makefile.in.orig 2016-07-21 08:17:09.000000000 -0700 -+++ Makefile.in 2017-05-16 14:04:51.556137923 -0700 -@@ -75,6 +75,7 @@ datarootdir = @datarootdir@ - bindir=@bindir@ - sbindir=@sbindir@ - mandir=@mandir@ -+sysconfdir=@sysconfdir@ - - CC=@CC@ - AR=@AR@ -@@ -98,6 +99,9 @@ ifneq (,$(strip $(foreach prog, $(PROGRA - CFLAGS+= -DDROPBEAR_CLIENT - endif - -+CFLAGS+=-DDSS_PRIV_FILENAME=\"$(sysconfdir)/dropbear/dropbear_dss_host_key\" -+CFLAGS+=-DRSA_PRIV_FILENAME=\"$(sysconfdir)/dropbear/dropbear_rsa_host_key\" -+CFLAGS+=-DECDSA_PRIV_FILENAME=\"$(sysconfdir)/dropbear/dropbear_ecdsa_host_key\" - - # these are exported so that libtomcrypt's makefile will use them - export CC -@@ -127,31 +131,30 @@ strip: $(TARGETS) +--- Makefile.in.orig 2019-06-10 12:46:46.830428737 +0000 ++++ Makefile.in +@@ -154,31 +154,30 @@ strip: $(TARGETS) install: $(addprefix inst_, $(TARGETS)) - insmultidropbear: dropbearmulti + insmultidropbear: dropbearmulti$(EXEEXT) - $(INSTALL) -d $(DESTDIR)$(sbindir) + $(BSD_INSTALL_PROGRAM_DIR) $(DESTDIR)$(sbindir) -rm -f $(DESTDIR)$(sbindir)/dropbear$(EXEEXT) @@ -36,7 +18,7 @@ set up dropbear default key locations correctly + $(BSD_INSTALL_MAN_DIR) $(DESTDIR)$(mandir)/man8 + $(BSD_INSTALL_MAN) $(srcdir)/dropbear.8 $(DESTDIR)$(mandir)/man8/dropbear.8 - insmulti%: dropbearmulti + insmulti%: dropbearmulti$(EXEEXT) - $(INSTALL) -d $(DESTDIR)$(bindir) - -rm -f $(DESTDIR)$(bindir)/$*$(EXEEXT) + $(BSD_INSTALL_PROGRAM_DIR) $(DESTDIR)$(bindir) 
@@ -64,8 +46,8 @@ set up dropbear default key locations correctly - if test -e $*.1; then $(INSTALL) -m 644 $*.1 $(DESTDIR)$(mandir)/man1/$*.1; fi + $(BSD_INSTALL_PROGRAM_DIR) $(DESTDIR)$(bindir) + $(BSD_INSTALL_PROGRAM) $*$(EXEEXT) $(DESTDIR)$(bindir) -+ $(BSD_INSTALL_MAN_DIR) $(DESTDIR)$(mandir)/man1 -+ if test -e $*.1; then $(BSD_INSTALL_MAN) $*.1 $(DESTDIR)$(mandir)/man1/$*.1; fi ++ $(BSD_INSTALL_MAN_DIR) -d $(DESTDIR)$(mandir)/man1 ++ if test -e $*.1; then $(BSD_INSTALL_MAN) -m 644 $*.1 $(DESTDIR)$(mandir)/man1/$*.1; fi inst_dropbearmulti: $(addprefix insmulti, $(PROGRAMS)) diff --git a/security/dropbear/patches/patch-ab b/security/dropbear/patches/patch-default__options.h index 203f7a98723..e844b28f5b2 100644 --- a/security/dropbear/patches/patch-ab +++ b/security/dropbear/patches/patch-default__options.h @@ -1,11 +1,11 @@ -$NetBSD: patch-ab,v 1.9 2017/05/16 21:54:21 snj Exp $ +$NetBSD: patch-default__options.h,v 1.1 2019/06/10 13:44:35 nia Exp $ comment out the path to the dropbear ssh client - this is passed through CFLAGS ---- options.h.orig 2016-07-21 08:17:09.000000000 -0700 -+++ options.h 2017-03-18 00:25:05.000000000 -0700 -@@ -305,7 +305,7 @@ Homedir is prepended unless path begins +--- default_options.h.orig 2019-03-27 14:15:23.000000000 +0000 ++++ default_options.h +@@ -259,7 +259,7 @@ Homedir is prepended unless path begins /* This is used by the scp binary when used as a client binary. If you're * not using the Dropbear client, you'll need to change it */ |
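Review bot: in the distinfo hunk, `SHA1 (patch-configure) = 95c82b951d16a5cca92a3d4d7ef67b7eb5f47540` is carried over unchanged while the tarball moves from 2017.75 to 2019.78, and the quoted release notes say configure gained `--enable-static`, `--disable-harden` and corrected `--enable-<option>` handling in between. Confirm that patch-configure still applies cleanly (without fuzz) to the regenerated configure script, or regenerate it against 2019.78 and update its checksum in the same commit.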
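Review bot: the first patch-aa hunk removes the `sysconfdir=@sysconfdir@` line and the three `CFLAGS+=-DDSS_PRIV_FILENAME=...`, `-DRSA_PRIV_FILENAME=...` and `-DECDSA_PRIV_FILENAME=...` additions, yet the patch description still reads "set up dropbear default key locations correctly" and the only Makefile changes in this commit are DISTNAME, MASTER_SITES and HOMEPAGE. Nothing visible here replaces those defines, so either the host key paths are now set elsewhere (a localoptions.h or CONFIGURE_ARGS, which the description should then say) or the package silently reverts to upstream's default key location; please state which in the patch header, or keep the defines.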
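Review bot: in the second patch-aa hunk, `$(BSD_INSTALL_MAN_DIR) -d $(DESTDIR)$(mandir)/man1` and `$(BSD_INSTALL_MAN) -m 644 $*.1 ...` are inconsistent with the man8 lines a few lines above in the same patch, which call `$(BSD_INSTALL_MAN_DIR) $(DESTDIR)$(mandir)/man8` and `$(BSD_INSTALL_MAN) $(srcdir)/dropbear.8 ...` with no extra flags. The pkgsrc macros already carry the directory flag and the man page mode, so the added `-d` is redundant and the added `-m 644` overrides the mode pkgsrc chose; suggest dropping both so the man1 lines match the man8 lines.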
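Review bot: the renamed patch-default__options.h still edits an upstream header to comment out the scp client path, while the commit message's own IMPORTANT section says custom configuration now belongs in localoptions.h rather than in upstream options files, and the patch header says the value "is passed through CFLAGS" anyway. Consider replacing the patch with a localoptions.h placed in the build directory (or leaving the define entirely to CFLAGS), which removes a patch that has to be regenerated every time upstream renumbers default_options.h. The distinfo side of the rename (SHA1 for patch-ab removed, patch-default__options.h added) is consistent.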