From 9d50802825acaf71dc3be2d99be24b9a0ab85a1a Mon Sep 17 00:00:00 2001 
From: taca Date: Fri, 7 Sep 2007 10:41:11 +0000 Subject: Update openssh package to 4.7.1 (4.7p1). Changes since OpenSSH 4.6: ============================ Security bugs resolved in this release: * Prevent ssh(1) from using a trusted X11 cookie if creation of an untrusted cookie fails; found and fixed by Jan Pechanec. Other changes, new functionality and fixes in this release: * sshd(8) in new installations defaults to SSH Protocol 2 only. Existing installations are unchanged. * The SSH channel window size has been increased, and both ssh(1) sshd(8) now send window updates more aggressively. These improves performance on high-BDP (Bandwidth Delay Product) networks. * ssh(1) and sshd(8) now preserve MAC contexts between packets, which saves 2 hash calls per packet and results in 12-16% speedup for arcfour256/hmac-md5. * A new MAC algorithm has been added, UMAC-64 (RFC4418) as "umac-64@openssh.com". UMAC-64 has been measured to be approximately 20% faster than HMAC-MD5. * A -K flag was added to ssh(1) to set GSSAPIAuthentication=Yes * Failure to establish a ssh(1) TunnelForward is now treated as a fatal error when the ExitOnForwardFailure option is set. * ssh(1) returns a sensible exit status if the control master goes away without passing the full exit status. (bz #1261) * The following bugs have been fixed in this release: - When using a ProxyCommand in ssh(1), set the outgoing hostname with gethostname(2), allowing hostbased authentication to work (bz #616) - Make scp(1) skip FIFOs rather than hanging (bz #856) - Encode non-printing characters in scp(1) filenames. 
these could cause copies to be aborted with a "protocol error" (bz #891) - Handle SIGINT in sshd(8) privilege separation child process to ensure that wtmp and lastlog records are correctly updated (bz #1196) - Report GSSAPI mechanism in errors, for libraries that support multiple mechanisms (bz #1220) - Improve documentation for ssh-add(1)'s -d option (bz #1224) - Rearrange and tidy GSSAPI code, removing server-only code being linked into the client. (bz #1225) - Delay execution of ssh(1)'s LocalCommand until after all forwardings have been established. (bz #1232) - In scp(1), do not truncate non-regular files (bz #1236) - Improve exit message from ControlMaster clients. (bz #1262) - Prevent sftp-server(8) from reading until it runs out of buffer space, whereupon it would exit with a fatal error. (bz #1286) * Portable OpenSSH bugs fixed: - Fix multiple inclusion of paths.h on AIX 5.1 systems. (bz #1243) - Implement getpeereid for Solaris using getpeerucred. Solaris systems will now refuse ssh-agent(1) and ssh(1) ControlMaster clients from different, non-root users (bz #1287) - Fix compilation warnings by including string.h if found. (bz #1294) - Remove redefinition of _res in getrrsetbyname.c for platforms that already define it. (bz #1299) - Fix spurious "chan_read_failed for istate 3" errors from sshd(8), a side-effect of the "hang on exit" fix introduced in 4.6p1. (bz #1306) - pam_end() was not being called if authentication failed (bz #1322) - Fix SELinux support when SELinux is in permissive mode. Previously sshd(8) was treating SELinux errors as always fatal. (bz #1325) - Ensure that pam_setcred(..., PAM_ESTABLISH_CRED) is called before pam_setcred(..., PAM_REINITIALIZE_CRED), fixing pam_dhkeys. (bz #1339) - Fix privilege separation on QNX - pre-auth only, this platform does not support file descriptor passing needed for post-auth privilege separation.
(bz #1343) --- security/openssh/Makefile | 7 +++---- security/openssh/distinfo | 16 +++++++--------- security/openssh/options.mk | 4 ++-- security/openssh/patches/patch-ax | 21 --------------------- security/openssh/patches/patch-ba | 25 ------------------------- 5 files changed, 12 insertions(+), 61 deletions(-) delete mode 100644 security/openssh/patches/patch-ax delete mode 100644 security/openssh/patches/patch-ba (limited to 'security/openssh') diff --git a/security/openssh/Makefile b/security/openssh/Makefile index 4ba76e96dec..48724a8b728 100644 --- a/security/openssh/Makefile +++ b/security/openssh/Makefile @@ -1,8 +1,7 @@ -# $NetBSD: Makefile,v 1.181 2007/07/31 02:29:38 taca Exp $ +# $NetBSD: Makefile,v 1.182 2007/09/07 10:41:11 taca Exp $ -DISTNAME= openssh-4.6p1 -PKGNAME= openssh-4.6.1 -PKGREVISION= 1 +DISTNAME= openssh-4.7p1 +PKGNAME= openssh-4.7.1 SVR4_PKGNAME= ossh CATEGORIES= security MASTER_SITES= ftp://ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/ \ diff --git a/security/openssh/distinfo b/security/openssh/distinfo index 495b6d9492b..d3101250ef7 100644 --- a/security/openssh/distinfo +++ b/security/openssh/distinfo 
@@ -1,11 +1,11 @@ -$NetBSD: distinfo,v 1.63 2007/07/31 02:29:39 taca Exp $ +$NetBSD: distinfo,v 1.64 2007/09/07 10:41:11 taca Exp $ -SHA1 (openssh-4.6p1-hpn12v16.diff.gz) = a10ed53ad92e2e3106da7050c3b0076a2cd1c0ca -RMD160 (openssh-4.6p1-hpn12v16.diff.gz) = 421e2c189c2e9b378f6ee3944183355f9f18d5e8 -Size (openssh-4.6p1-hpn12v16.diff.gz) = 15944 bytes -SHA1 (openssh-4.6p1.tar.gz) = b2aefeb1861b4688b1777436035239ec32a47da8 -RMD160 (openssh-4.6p1.tar.gz) = 2959ac56c9175275bf82847ec64b2b169aedcb82 -Size (openssh-4.6p1.tar.gz) = 967395 bytes +SHA1 (openssh-4.7p1-hpn12v18.diff.gz) = 6083da9c1d537a2a3bc7f1fa00a99142407a063e +RMD160 (openssh-4.7p1-hpn12v18.diff.gz) = fec2096269a16e05667f931a073fd13f096742b5 +Size (openssh-4.7p1-hpn12v18.diff.gz) = 16094 bytes +SHA1 (openssh-4.7p1.tar.gz) = 58357db9e64ba6382bef3d73d1d386fcdc0508f4 +RMD160 (openssh-4.7p1.tar.gz) = b828e79d3d1a931cb77651ec7d7276cf3ba22d90 +Size (openssh-4.7p1.tar.gz) = 991119 bytes SHA1 (patch-aa) = 8b7a16e9a63cfff3b73d70b9cebb6627b96396e0 SHA1 (patch-ab) = a105c238c8dc774ed6992791b131da56824869e9 SHA1 (patch-ac) = dfb054ef02fbb5d206f6adaf82944f16da20eaf9 @@ -28,5 +28,3 @@ SHA1 (patch-as) = 19660f5983931ea3b053e6f4289cf6fae2ce50f3 SHA1 (patch-au) = 6cfdfc531e2267017a15e66ea48c7ecfa2a3926f SHA1 (patch-av) = 00f54c3fae7318b278b16bd0b01881a90bd31365 SHA1 (patch-aw) = 2a88b7563c6f52163c6c5f716e437ecaea613a30 -SHA1 (patch-ax) = a6708b956341ff373835a6789541c7547b3b85e5 -SHA1 (patch-ba) = 35a4f544b52403bf9b3f0943d3f975fc8f350173 diff --git a/security/openssh/options.mk b/security/openssh/options.mk index 24fffa0b576..c3aa485d162 100644 --- a/security/openssh/options.mk +++ b/security/openssh/options.mk @@ -1,4 +1,4 @@ -# $NetBSD: options.mk,v 1.13 2007/03/18 12:38:45 taca Exp $ +# $NetBSD: options.mk,v 1.14 2007/09/07 10:41:12 taca Exp $ .include "../../mk/bsd.prefs.mk" 
@@ -17,7 +17,7 @@ CONFIGURE_ARGS+= --with-kerberos5=${KRB5BASE:Q} .endif .if !empty(PKG_OPTIONS:Mhpn-patch) -PATCHFILES= openssh-4.6p1-hpn12v16.diff.gz +PATCHFILES= openssh-4.7p1-hpn12v18.diff.gz PATCH_SITES= http://www.psc.edu/networking/projects/hpn-ssh/ PATCH_DIST_STRIP= -p1 .endif diff --git a/security/openssh/patches/patch-ax b/security/openssh/patches/patch-ax deleted file mode 100644 index 0d3cbaafe7a..00000000000 --- a/security/openssh/patches/patch-ax +++ /dev/null @@ -1,21 +0,0 @@ -$NetBSD: patch-ax,v 1.3 2007/03/16 05:46:07 cjs Exp $ - -# http://bugzilla.mindrot.org/show_bug.cgi?id=1299 - ---- openbsd-compat/getrrsetbyname.c.orig 2006-09-02 14:32:40.000000000 +0900 -+++ openbsd-compat/getrrsetbyname.c 2007-03-16 14:07:32.000000000 +0900 -@@ -67,14 +67,6 @@ - #endif - #define _THREAD_PRIVATE(a,b,c) (c) - --/* to avoid conflicts where a platform already has _res */ --#ifdef _res --# undef _res --#endif --#define _res _compat_res -- --struct __res_state _res; -- - /* Necessary functions and macros */ - - /* diff --git a/security/openssh/patches/patch-ba b/security/openssh/patches/patch-ba deleted file mode 100644 index cec0025355e..00000000000 --- a/security/openssh/patches/patch-ba +++ /dev/null 
@@ -1,25 +0,0 @@
-$NetBSD: patch-ba,v 1.1 2007/07/31 02:29:39 taca Exp $
-
-# https://bugzilla.mindrot.org/show_bug.cgi?id=1306
-
---- channels.c.orig 2007-07-31 09:48:58.000000000 +0900
-+++ channels.c
-@@ -1471,14 +1471,13 @@ static int
- channel_handle_rfd(Channel *c, fd_set *readset, fd_set *writeset)
- {
- char buf[CHAN_RBUF];
-- int len;
-+ int len, force;
-
-- if (c->rfd != -1 &&
-- (c->detach_close || FD_ISSET(c->rfd, readset))) {
-+ force = c->isatty && c->detach_close && c->istate != CHAN_INPUT_CLOSED;
-+ if (c->rfd != -1 && (force || FD_ISSET(c->rfd, readset))) {
- errno = 0;
- len = read(c->rfd, buf, sizeof(buf));
-- if (len < 0 && (errno == EINTR ||
-- (errno == EAGAIN && !(c->isatty && c->detach_close))))
-+ if (len < 0 && (errno == EINTR || (errno == EAGAIN && !force)))
- return 1;
- #ifndef PTY_ZEROREAD
- if (len <= 0) {
-- cgit v1.2.3