summaryrefslogtreecommitdiff
path: root/security
diff options
context:
space:
mode:
authortaca <taca@pkgsrc.org>2016-09-18 17:30:10 +0000
committertaca <taca@pkgsrc.org>2016-09-18 17:30:10 +0000
commitf5e7167f10b27081d03506f7eb695981546bee24 (patch)
tree12ed62d4147c654c50be4294763e930acc58a5bd /security
parent2a7e70b6d055688a7fcac5058fc2f574225de727 (diff)
downloadpkgsrc-f5e7167f10b27081d03506f7eb695981546bee24.tar.gz
Update openssh to 7.3.1 (OpenSSH 7.3p1).
OpenSSH 7.3p1 is primarily a bugfix release and here is summary. Changes since OpenSSH 7.2 ========================= Security -------- * sshd(8): Mitigate a potential denial-of-service attack against the system's crypt(3) function via sshd(8). An attacker could send very long passwords that would cause excessive CPU use in crypt(3). sshd(8) now refuses to accept password authentication requests of length greater than 1024 characters. Independently reported by Tomas Kuthan (Oracle), Andres Rojas and Javier Nieto. * sshd(8): Mitigate timing differences in password authentication that could be used to discern valid from invalid account names when long passwords were sent and particular password hashing algorithms are in use on the server. CVE-2016-6210, reported by EddieEzra.Harari at verint.com * ssh(1), sshd(8): Fix observable timing weakness in the CBC padding oracle countermeasures. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. Note that CBC ciphers are disabled by default and only included for legacy compatibility. * ssh(1), sshd(8): Improve operation ordering of MAC verification for Encrypt-then-MAC (EtM) mode transport MAC algorithms to verify the MAC before decrypting any ciphertext. This removes the possibility of timing differences leaking facts about the plaintext, though no such leakage has been observed. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. * sshd(8): (portable only) Ignore PAM environment vars when UseLogin=yes. If PAM is configured to read user-specified environment variables and UseLogin=yes in sshd_config, then a hostile local user may attack /bin/login via LD_PRELOAD or similar environment variables set via PAM. CVE-2015-8325, found by Shayan Sadigh. New Features ------------ * ssh(1): Add a ProxyJump option and corresponding -J command-line flag to allow simplified indirection through a one or more SSH bastions or "jump hosts". * ssh(1): Add an IdentityAgent option to allow specifying specific agent sockets instead of accepting one from the environment. * ssh(1): Allow ExitOnForwardFailure and ClearAllForwardings to be optionally overridden when using ssh -W. bz#2577 * ssh(1), sshd(8): Implement support for the IUTF8 terminal mode as per draft-sgtatham-secsh-iutf8-00. * ssh(1), sshd(8): Add support for additional fixed Diffie-Hellman 2K, 4K and 8K groups from draft-ietf-curdle-ssh-kex-sha2-03. * ssh-keygen(1), ssh(1), sshd(8): support SHA256 and SHA512 RSA signatures in certificates; * ssh(1): Add an Include directive for ssh_config(5) files. * ssh(1): Permit UTF-8 characters in pre-authentication banners sent from the server. bz#2058 Bugfixes -------- * ssh(1), sshd(8): Reduce the syslog level of some relatively common protocol events from LOG_CRIT. bz#2585 * sshd(8): Refuse AuthenticationMethods="" in configurations and accept AuthenticationMethods=any for the default behaviour of not requiring multiple authentication. bz#2398 * sshd(8): Remove obsolete and misleading "POSSIBLE BREAK-IN ATTEMPT!" message when forward and reverse DNS don't match. bz#2585 * ssh(1): Close ControlPersist background process stderr except in debug mode or when logging to syslog. bz#1988 * misc: Make PROTOCOL description for direct-streamlocal@openssh.com channel open messages match deployed code. bz#2529 * ssh(1): Deduplicate LocalForward and RemoteForward entries to fix failures when both ExitOnForwardFailure and hostname canonicalisation are enabled. bz#2562 * sshd(8): Remove fallback from moduli to obsolete "primes" file that was deprecated in 2001. bz#2559. * sshd_config(5): Correct description of UseDNS: it affects ssh hostname processing for authorized_keys, not known_hosts; bz#2554 * ssh(1): Fix authentication using lone certificate keys in an agent without corresponding private keys on the filesystem. bz#2550 * sshd(8): Send ClientAliveInterval pings when a time-based RekeyLimit is set; previously keepalive packets were not being sent. bz#2252
Diffstat (limited to 'security')
-rw-r--r--security/openssh/Makefile7
-rw-r--r--security/openssh/distinfo14
-rw-r--r--security/openssh/patches/patch-auth-passwd.c10
-rw-r--r--security/openssh/patches/patch-session.c24
4 files changed, 22 insertions, 33 deletions
diff --git a/security/openssh/Makefile b/security/openssh/Makefile
index 4a598466de4..119a1c9b55c 100644
--- a/security/openssh/Makefile
+++ b/security/openssh/Makefile
@@ -1,8 +1,7 @@
-# $NetBSD: Makefile,v 1.248 2016/07/10 10:41:38 rillig Exp $
+# $NetBSD: Makefile,v 1.249 2016/09/18 17:30:10 taca Exp $
-DISTNAME= openssh-7.2p2
-PKGNAME= ${DISTNAME:S/p2/.2/}
-PKGREVISION= 3
+DISTNAME= openssh-7.3p1
+PKGNAME= ${DISTNAME:S/p1/.1/}
CATEGORIES= security
MASTER_SITES= ${MASTER_SITE_OPENBSD:=OpenSSH/portable/}
diff --git a/security/openssh/distinfo b/security/openssh/distinfo
index 7aec83df872..f776fb466d5 100644
--- a/security/openssh/distinfo
+++ b/security/openssh/distinfo
@@ -1,11 +1,11 @@
-$NetBSD: distinfo,v 1.101 2016/06/06 08:55:35 taca Exp $
+$NetBSD: distinfo,v 1.102 2016/09/18 17:30:10 taca Exp $
-SHA1 (openssh-7.2p2.tar.gz) = 70e35d7d6386fe08abbd823b3a12a3ca44ac6d38
-RMD160 (openssh-7.2p2.tar.gz) = d18d73719ceeefa5116b5b741124f3604d7ddb99
-SHA512 (openssh-7.2p2.tar.gz) = 44f62b3a7bc50a0735d496a5aedeefb71550d8c10ad8f22b94e29fcc8084842db96e8c4ca41fced17af69e1aab09ed1182a12ad8650d9a46fd8743a0344df95b
-Size (openssh-7.2p2.tar.gz) = 1499808 bytes
+SHA1 (openssh-7.3p1.tar.gz) = bfade84283fcba885e2084343ab19a08c7d123a5
+RMD160 (openssh-7.3p1.tar.gz) = 823fc1e16c5d27a2361ed0b22f5ee24be11d2c13
+SHA512 (openssh-7.3p1.tar.gz) = 7ba2d6140f38bd359ebf32ef17626e0ae1c00c3a38c01877b7c6b0317d030f10a8f82a0a51fc3b6273619de9ed73e24b8cf107b1e968f927053a3bedf97ff801
+Size (openssh-7.3p1.tar.gz) = 1522617 bytes
SHA1 (patch-Makefile.in) = 98960119bda68a663214c8880484552f1207bcfc
-SHA1 (patch-auth-passwd.c) = 92c487cc3c092efb56f8b4ac4ca08ccd67803a83
+SHA1 (patch-auth-passwd.c) = 5205ca4d15dbcd3f4c574f0a2fb7713ae69af5f7
SHA1 (patch-auth-rhosts.c) = a5e6131e63b83a7e8a06cd80f22def449d6bc2c4
SHA1 (patch-auth.c) = cd13f8b31b45d668c5e09eca098b17ec8a7c1039
SHA1 (patch-auth1.c) = cdac14ffa4008e62926526e66316b0a553435374
@@ -23,7 +23,7 @@ SHA1 (patch-openbsd-compat_port-tun.c) = 690dfb1f945d186dd3de5bea70ed8fab86e590e
SHA1 (patch-platform.c) = f8f211dbc5e596c0f82eb86324d18a84c6151ec5
SHA1 (patch-sandbox-darwin.c) = c9a1fe2e4dbf98e929d983b4206a244e0e354b75
SHA1 (patch-scp.c) = 9c2317b0f796641903a826db355ba06595a26ea1
-SHA1 (patch-session.c) = 2a7276382278f70ac1d8f51f273e8ffa2c0c59d2
+SHA1 (patch-session.c) = 850cef27299cf8af6a19987d5e070bf501cd57fb
SHA1 (patch-sftp-common.c) = 6819aa040c8f1caa30a704cf6f0588e498df8778
SHA1 (patch-ssh.c) = 6877d8205d999906c14240d4d112b084609927ca
SHA1 (patch-sshd.8) = 5bf48cd27cef8e8810b9dc7115f5180102a345d1
diff --git a/security/openssh/patches/patch-auth-passwd.c b/security/openssh/patches/patch-auth-passwd.c
index 4cc6a057996..dbdbce7302d 100644
--- a/security/openssh/patches/patch-auth-passwd.c
+++ b/security/openssh/patches/patch-auth-passwd.c
@@ -1,11 +1,11 @@
-$NetBSD: patch-auth-passwd.c,v 1.3 2016/01/18 12:53:26 jperkin Exp $
+$NetBSD: patch-auth-passwd.c,v 1.4 2016/09/18 17:30:11 taca Exp $
Replace uid 0 with ROOTUID macro
---- auth-passwd.c.orig 2015-08-21 04:49:03.000000000 +0000
+--- auth-passwd.c.orig 2016-07-27 22:54:27.000000000 +0000
+++ auth-passwd.c
-@@ -88,7 +88,7 @@ auth_password(Authctxt *authctxt, const
- #endif
+@@ -93,7 +93,7 @@ auth_password(Authctxt *authctxt, const
+ return 0;
#ifndef HAVE_CYGWIN
- if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
@@ -13,7 +13,7 @@ Replace uid 0 with ROOTUID macro
ok = 0;
#endif
if (*password == '\0' && options.permit_empty_passwd == 0)
-@@ -123,7 +123,12 @@ auth_password(Authctxt *authctxt, const
+@@ -128,7 +128,12 @@ auth_password(Authctxt *authctxt, const
authctxt->force_pwchange = 1;
}
#endif
diff --git a/security/openssh/patches/patch-session.c b/security/openssh/patches/patch-session.c
index 16be597f95a..5666fd2151a 100644
--- a/security/openssh/patches/patch-session.c
+++ b/security/openssh/patches/patch-session.c
@@ -1,11 +1,10 @@
-$NetBSD: patch-session.c,v 1.6 2016/06/06 08:55:35 taca Exp $
+$NetBSD: patch-session.c,v 1.7 2016/09/18 17:30:11 taca Exp $
* Interix support.
-* Fix for CVE-2015-8325
---- session.c.orig 2016-03-09 18:04:48.000000000 +0000
+--- session.c.orig 2016-07-27 22:54:27.000000000 +0000
+++ session.c
-@@ -1117,7 +1117,7 @@ read_etc_default_login(char ***env, u_in
+@@ -1120,7 +1120,7 @@ read_etc_default_login(char ***env, u_in
if (tmpenv == NULL)
return;
@@ -14,7 +13,7 @@ $NetBSD: patch-session.c,v 1.6 2016/06/06 08:55:35 taca Exp $
var = child_get_env(tmpenv, "SUPATH");
else
var = child_get_env(tmpenv, "PATH");
-@@ -1226,7 +1226,7 @@ do_setup_env(Session *s, const char *she
+@@ -1230,7 +1230,7 @@ do_setup_env(Session *s, const char *she
# endif /* HAVE_ETC_DEFAULT_LOGIN */
if (path == NULL || *path == '\0') {
child_set_env(&env, &envsize, "PATH",
@@ -23,16 +22,7 @@ $NetBSD: patch-session.c,v 1.6 2016/06/06 08:55:35 taca Exp $
SUPERUSER_PATH : _PATH_STDPATH);
}
# endif /* HAVE_CYGWIN */
-@@ -1317,7 +1317,7 @@ do_setup_env(Session *s, const char *she
- * Pull in any environment variables that may have
- * been set by PAM.
- */
-- if (options.use_pam) {
-+ if (options.use_pam && !options.use_login) {
- char **p;
-
- p = fetch_pam_child_environment();
-@@ -1340,6 +1340,18 @@ do_setup_env(Session *s, const char *she
+@@ -1346,6 +1346,18 @@ do_setup_env(Session *s, const char *she
strcmp(pw->pw_dir, "/") ? pw->pw_dir : "");
read_environment_file(&env, &envsize, buf);
}
@@ -51,7 +41,7 @@ $NetBSD: patch-session.c,v 1.6 2016/06/06 08:55:35 taca Exp $
if (debug_flag) {
/* dump the environment */
fprintf(stderr, "Environment:\n");
-@@ -1531,11 +1543,13 @@ do_setusercontext(struct passwd *pw)
+@@ -1537,11 +1549,13 @@ do_setusercontext(struct passwd *pw)
perror("setgid");
exit(1);
}
@@ -65,7 +55,7 @@ $NetBSD: patch-session.c,v 1.6 2016/06/06 08:55:35 taca Exp $
endgrent();
#endif
-@@ -2381,7 +2395,7 @@ session_pty_cleanup2(Session *s)
+@@ -2388,7 +2402,7 @@ session_pty_cleanup2(Session *s)
record_logout(s->pid, s->tty, s->pw->pw_name);
/* Release the pseudo-tty. */