Diffstat (limited to 'security/openssh')
-rw-r--r-- | security/openssh/Makefile | 5 | ||||
-rw-r--r-- | security/openssh/distinfo | 12 | ||||
-rw-r--r-- | security/openssh/patches/patch-sshd.c | 42 |
3 files changed, 29 insertions, 30 deletions
diff --git a/security/openssh/Makefile b/security/openssh/Makefile
index fe04938d06f..85194ed7b44 100644
--- a/security/openssh/Makefile
+++ b/security/openssh/Makefile
@@ -1,8 +1,7 @@
-# $NetBSD: Makefile,v 1.253 2017/07/24 16:33:22 he Exp $
+# $NetBSD: Makefile,v 1.253.4.1 2017/11/25 08:49:32 bsiegert Exp $
-DISTNAME= openssh-7.5p1
+DISTNAME= openssh-7.6p1
 PKGNAME= ${DISTNAME:S/p1/.1/}
-PKGREVISION= 1
 CATEGORIES= security
 MASTER_SITES= ${MASTER_SITE_OPENBSD:=OpenSSH/portable/}
diff --git a/security/openssh/distinfo b/security/openssh/distinfo
index 95acaedf14e..4ad08bbfd97 100644
--- a/security/openssh/distinfo
+++ b/security/openssh/distinfo
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.104 2017/05/31 09:30:21 jperkin Exp $
+$NetBSD: distinfo,v 1.104.6.1 2017/11/25 08:49:32 bsiegert Exp $
-SHA1 (openssh-7.5p1.tar.gz) = 5e8f185d00afb4f4f89801e9b0f8b9cee9d87ebd
-RMD160 (openssh-7.5p1.tar.gz) = c1b176a1fe92495d056edda0c5db54efcfb8764a
-SHA512 (openssh-7.5p1.tar.gz) = 58c542e8a110fb4316a68db94abb663fa1c810becd0638d45281df8aeca62c1f705090437a80e788e6c29121769b72a505feced537d3118c933fde01b5285c81
-Size (openssh-7.5p1.tar.gz) = 1510857 bytes
+SHA1 (openssh-7.6p1.tar.gz) = a6984bc2c72192bed015c8b879b35dd9f5350b3b
+RMD160 (openssh-7.6p1.tar.gz) = 486ae743f51ffbf8197d564aab9ae54f9e2ac9da
+SHA512 (openssh-7.6p1.tar.gz) = de17fdcb8239401f76740c8d689a8761802f6df94e68d953f3c70b9f4f8bdb403617c48c1d01cc8c368d88e9d50aee540bf03d5a36687dfb39dfd28d73029d72
+Size (openssh-7.6p1.tar.gz) = 1489788 bytes
 SHA1 (patch-Makefile.in) = 98960119bda68a663214c8880484552f1207bcfc
 SHA1 (patch-auth-passwd.c) = 5205ca4d15dbcd3f4c574f0a2fb7713ae69af5f7
 SHA1 (patch-auth-rhosts.c) = a5e6131e63b83a7e8a06cd80f22def449d6bc2c4
@@ -25,6 +25,6 @@ SHA1 (patch-session.c) = c67d649dc66a65ff39d701135a2f2dab6ba2fb93 SHA1 (patch-sftp-common.c) = 6819aa040c8f1caa30a704cf6f0588e498df8778 SHA1 (patch-ssh.c) = 6877d8205d999906c14240d4d112b084609927ca SHA1 (patch-sshd.8) = 5bf48cd27cef8e8810b9dc7115f5180102a345d1 -SHA1 (patch-sshd.c) = a1ccf7e54275629965d80d9cf7cd8669d9f1f4cf +SHA1 (patch-sshd.c) = 040ac961247fdd55bd09b85e65b905b63bc24f7d SHA1 (patch-sshpty.c) = cb691d4fbde808927f2fbcc12b87ad983cf21938 SHA1 (patch-uidswap.c) = 68c4f5ffab7f4c5c9c00b7443a74b2da52809b7e diff --git a/security/openssh/patches/patch-sshd.c b/security/openssh/patches/patch-sshd.c index e21d7700b8f..3da0d391364 100644 --- a/security/openssh/patches/patch-sshd.c +++ b/security/openssh/patches/patch-sshd.c @@ -1,11 +1,11 @@ -$NetBSD: patch-sshd.c,v 1.8 2016/12/30 04:43:16 taca Exp $ +$NetBSD: patch-sshd.c,v 1.8.8.1 2017/11/25 08:49:32 bsiegert Exp $ * Interix support * Revive tcp_wrappers support. ---- sshd.c.orig 2016-12-19 04:59:41.000000000 +0000 +--- sshd.c.orig 2017-10-02 19:34:26.000000000 +0000 +++ sshd.c -@@ -123,6 +123,13 @@ +@@ -122,6 +122,13 @@ #include "version.h" #include "ssherr.h" @@ -19,7 +19,7 @@ $NetBSD: patch-sshd.c,v 1.8 2016/12/30 04:43:16 taca Exp $ /* Re-exec fds */ #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) -@@ -220,7 +227,11 @@ int *startup_pipes = NULL; +@@ -219,7 +226,11 @@ int *startup_pipes = NULL; int startup_pipe; /* in child */ /* variables used for privilege separation */ 
@@ -30,17 +30,8 @@ $NetBSD: patch-sshd.c,v 1.8 2016/12/30 04:43:16 taca Exp $ +#endif struct monitor *pmonitor = NULL; int privsep_is_preauth = 1; - -@@ -541,7 +552,7 @@ privsep_preauth_child(void) - demote_sensitive_data(); - - /* Demote the child */ -- if (getuid() == 0 || geteuid() == 0) { -+ if (getuid() == ROOTUID || geteuid() == ROOTUID) { - /* Change our root directory */ - if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1) - fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR, -@@ -552,10 +563,15 @@ privsep_preauth_child(void) + static int privsep_chroot = 1; +@@ -550,10 +561,15 @@ privsep_preauth_child(void) /* Drop our privileges */ debug3("privsep user:group %u:%u", (u_int)privsep_pw->pw_uid, (u_int)privsep_pw->pw_gid); @@ -56,7 +47,7 @@ $NetBSD: patch-sshd.c,v 1.8 2016/12/30 04:43:16 taca Exp $ } } -@@ -619,10 +635,17 @@ privsep_preauth(Authctxt *authctxt) +@@ -617,10 +633,17 @@ privsep_preauth(Authctxt *authctxt) /* Arrange for logging to be sent to the monitor */ set_log_handler(mm_log_handler, pmonitor); @@ -74,7 +65,7 @@ $NetBSD: patch-sshd.c,v 1.8 2016/12/30 04:43:16 taca Exp $ return 0; } -@@ -634,7 +657,7 @@ privsep_postauth(Authctxt *authctxt) +@@ -632,7 +655,7 @@ privsep_postauth(Authctxt *authctxt) #ifdef DISABLE_FD_PASSING if (1) { #else @@ -83,7 +74,7 @@ $NetBSD: patch-sshd.c,v 1.8 2016/12/30 04:43:16 taca Exp $ #endif /* File descriptor passing is broken or root login */ use_privsep = 0; -@@ -1389,8 +1412,10 @@ main(int ac, char **av) +@@ -1393,8 +1416,10 @@ main(int ac, char **av) av = saved_argv; #endif 
@@ -95,7 +86,16 @@ $NetBSD: patch-sshd.c,v 1.8 2016/12/30 04:43:16 taca Exp $ /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ sanitise_stdfd(); -@@ -1766,7 +1791,7 @@ main(int ac, char **av) +@@ -1636,7 +1661,7 @@ main(int ac, char **av) + ); + + /* Store privilege separation user for later use if required. */ +- privsep_chroot = use_privsep && (getuid() == 0 || geteuid() == 0); ++ privsep_chroot = use_privsep && (getuid() == ROOTUID || geteuid() == ROOTUID); + if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) { + if (privsep_chroot || options.kerberos_authentication) + fatal("Privilege separation user %s does not exist", +@@ -1769,7 +1794,7 @@ main(int ac, char **av) (st.st_uid != getuid () || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)) #else @@ -104,7 +104,7 @@ $NetBSD: patch-sshd.c,v 1.8 2016/12/30 04:43:16 taca Exp $ #endif fatal("%s must be owned by root and not group or " "world-writable.", _PATH_PRIVSEP_CHROOT_DIR); -@@ -1789,8 +1814,10 @@ main(int ac, char **av) +@@ -1792,8 +1817,10 @@ main(int ac, char **av) * to create a file, and we can't control the code in every * module which might be used). */ @@ -115,7 +115,7 @@ $NetBSD: patch-sshd.c,v 1.8 2016/12/30 04:43:16 taca Exp $ if (rexec_flag) { rexec_argv = xcalloc(rexec_argc + 2, sizeof(char *)); -@@ -1972,6 +1999,25 @@ main(int ac, char **av) +@@ -1981,6 +2008,25 @@ main(int ac, char **av) audit_connection_from(remote_ip, remote_port); #endif |
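Review bot: The inner hunk added at sshd.c line 1636 lets `ROOTUID` decide `privsep_chroot`, yet ROOTUID's definition is not among the lines shown here and the patch header still reads only "Interix support" and "Revive tcp_wrappers support". With the old `privsep_preauth_child` hunk dropped in the same refresh, this assignment looks like the only place the uid test now lives, so a ROOTUID that differs from the real superuser id would leave `privsep_chroot` at 0 and skip the `fatal()` for a missing privsep user instead of stopping sshd. I would add a header line such as `* main(): privsep_chroot is tested against ROOTUID, which must stay 0 outside Interix.` and confirm that fallback where ROOTUID is defined. main() continues well beyond this hunk, so how `privsep_chroot` is consumed cannot be checked from here.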