[Midnightbsd-cvs] mports [15686] trunk/security/openssh-portable/files: 6.4p1
laffer1 at midnightbsd.org
laffer1 at midnightbsd.org
Thu Dec 19 21:52:33 EST 2013
Revision: 15686
http://svnweb.midnightbsd.org/mports/?rev=15686
Author: laffer1
Date: 2013-12-19 21:52:32 -0500 (Thu, 19 Dec 2013)
Log Message:
-----------
6.4p1
Modified Paths:
--------------
trunk/security/openssh-portable/Makefile
trunk/security/openssh-portable/distinfo
trunk/security/openssh-portable/files/patch-readconf.c
trunk/security/openssh-portable/files/patch-servconf.c
trunk/security/openssh-portable/files/patch-session.c
trunk/security/openssh-portable/files/patch-ssh-agent.c
trunk/security/openssh-portable/files/patch-sshd_config
trunk/security/openssh-portable/files/patch-sshd_config.5
Added Paths:
-----------
trunk/security/openssh-portable/files/extra-patch-hpn-build-options
trunk/security/openssh-portable/files/extra-patch-hpn-no-hpn
trunk/security/openssh-portable/files/extra-patch-ldns
Property Changed:
----------------
trunk/security/openssh-portable/distinfo
Modified: trunk/security/openssh-portable/Makefile
===================================================================
--- trunk/security/openssh-portable/Makefile 2013-12-20 02:25:13 UTC (rev 15685)
+++ trunk/security/openssh-portable/Makefile 2013-12-20 02:52:32 UTC (rev 15686)
@@ -1,7 +1,7 @@
# $MidnightBSD$
PORTNAME= openssh
-DISTVERSION= 6.2p2
+DISTVERSION= 6.4p1
PORTEPOCH= 1
CATEGORIES= security ipv6
MASTER_SITES= ${MASTER_SITE_OPENBSD}
Modified: trunk/security/openssh-portable/distinfo
===================================================================
--- trunk/security/openssh-portable/distinfo 2013-12-20 02:25:13 UTC (rev 15685)
+++ trunk/security/openssh-portable/distinfo 2013-12-20 02:52:32 UTC (rev 15686)
@@ -1,14 +1,14 @@
-SHA256 (openssh-6.2p2.tar.gz) = 7f29b9d2ad672ae0f9e1dcbff871fc5c2e60a194e90c766432e32161b842313b
-SIZE (openssh-6.2p2.tar.gz) = 1182922
-SHA256 (openssh-6.2p1-hpn13v14.diff.gz) = 586d1c74aa4c79b9c11b206eebb316c9a9d68a7a4031b5b3b2139f464f2dc03b
-SIZE (openssh-6.2p1-hpn13v14.diff.gz) = 13984
-SHA256 (openssh-6.2p1-CTR-threaded-v14.diff.gz) = 4d2fefd8a415c76d761ffe3a8fda7dfbbd62a118bc1e8799483e9bb8e575a2a9
-SIZE (openssh-6.2p1-CTR-threaded-v14.diff.gz) = 4908
-SHA256 (openssh-6.2p1+x509-7.4.1.diff.gz) = cdfa0ac38184062de7e0af36eeda7713095fbcffffb598d785047f6f47e48eae
-SIZE (openssh-6.2p1+x509-7.4.1.diff.gz) = 215496
-SHA256 (openssh-6.2p2-gsskex-all-20110125.patch.gz) = 1c54be66bfedb90b4909f0dda11dde09b10db6dca5a1c565c4c3efaed2036b2d
-SIZE (openssh-6.2p2-gsskex-all-20110125.patch.gz) = 24309
-SHA256 (openssh-lpk-6.2p1.patch.gz) = 96c7a5435f3fd7d83875ee06c4a3c83ee6172c7d9de31b9ffdeb18118f285a24
-SIZE (openssh-lpk-6.2p1.patch.gz) = 17881
-SHA256 (openssh-sctp-2163.patch.gz) = 86ac3a59119c9c26193334d8ba7c3be9f143209080e4f8a2a00577c24c0c9e03
-SIZE (openssh-sctp-2163.patch.gz) = 6764
+SHA256 (openssh-6.4p1.tar.gz) = 5530f616513b14aea3662c4c373bafd6a97a269938674c006377e381f68975d2
+SIZE (openssh-6.4p1.tar.gz) = 1201402
+SHA256 (openssh-6.3p1-hpnssh14v2.diff.gz) = 23ae9307b58629ccf76a8ed5d9cf7215a45d6b7533d6b17eef17279fb9c48dca
+SIZE (openssh-6.3p1-hpnssh14v2.diff.gz) = 24450
+SHA256 (openssh-6.3p1+x509-7.6.diff.gz) = d9e5f37c1a7750c19895f71d9b54e35afb6e7a45511b828e9da51252d0946460
+SIZE (openssh-6.3p1+x509-7.6.diff.gz) = 219962
+SHA256 (openssh-6.4-x509-glue.patch) = 8a199b3e6fe031775531c82e7a2d18fe468c1193c9d90ba17554ba9de2834876
+SIZE (openssh-6.4-x509-glue.patch) = 1219
+SHA256 (openssh-6.3p1-gsskex-all-20110125.patch.gz) = 9dac542ed23f1ee330ddb03a34825f04abea726d227e9433f970e9a24325d767
+SIZE (openssh-6.3p1-gsskex-all-20110125.patch.gz) = 23486
+SHA256 (openssh-lpk-6.3p1.patch.gz) = d2a8b7da7acebac2afc4d0a3dffe8fca2e49900cf733af2e7012f2449b3668e1
+SIZE (openssh-lpk-6.3p1.patch.gz) = 17815
+SHA256 (openssh-sctp-2329.patch.gz) = 1c460d6173c87313691ca279ac120959c3693a0570657514f1dcadcff5f405cb
+SIZE (openssh-sctp-2329.patch.gz) = 8706
Property changes on: trunk/security/openssh-portable/distinfo
___________________________________________________________________
Deleted: cvs2svn:cvs-rev
## -1 +0,0 ##
-1.11
\ No newline at end of property
Added: trunk/security/openssh-portable/files/extra-patch-hpn-build-options
===================================================================
--- trunk/security/openssh-portable/files/extra-patch-hpn-build-options (rev 0)
+++ trunk/security/openssh-portable/files/extra-patch-hpn-build-options 2013-12-20 02:52:32 UTC (rev 15686)
@@ -0,0 +1,142 @@
+--- sshconnect2.c.orig 2013-10-11 08:52:17.836129741 -0500
++++ sshconnect2.c 2013-10-11 08:53:05.776132295 -0500
+@@ -451,6 +451,7 @@ ssh_userauth2(const char *local_user, co
+ }
+ }
+
++#ifdef AES_THREADED
+ /* if we are using aes-ctr there can be issues in either a fork or sandbox
+ * so the initial aes-ctr is defined to point to the original single process
+ * evp. After authentication we'll be past the fork and the sandboxed privsep
+@@ -466,6 +467,7 @@ ssh_userauth2(const char *local_user, co
+ cipher_reset_multithreaded();
+ packet_request_rekeying();
+ }
++#endif
+
+ debug("Authentication succeeded (%s).", authctxt.method->name);
+ }
+--- sshd.c.orig 2013-10-11 08:52:17.848126748 -0500
++++ sshd.c 2013-10-11 08:53:25.929132033 -0500
+@@ -2186,6 +2186,7 @@ main(int ac, char **av)
+
+ /* Start session. */
+
++#ifdef AES_THREADED
+ /* if we are using aes-ctr there can be issues in either a fork or sandbox
+ * so the initial aes-ctr is defined to point ot the original single process
+ * evp. After authentication we'll be past the fork and the sandboxed privsep
+@@ -2201,6 +2202,7 @@ main(int ac, char **av)
+ cipher_reset_multithreaded();
+ packet_request_rekeying();
+ }
++#endif
+
+ do_authenticated(authctxt);
+
+--- readconf.c.orig 2013-10-11 09:24:10.812126846 -0500
++++ readconf.c 2013-10-11 09:19:12.295135966 -0500
+@@ -251,12 +251,16 @@ static struct {
+ { "kexalgorithms", oKexAlgorithms },
+ { "ipqos", oIPQoS },
+ { "requesttty", oRequestTTY },
++#ifdef NONECIPHER
+ { "noneenabled", oNoneEnabled },
+ { "noneswitch", oNoneSwitch },
++#endif
++#ifdef HPN
+ { "tcprcvbufpoll", oTcpRcvBufPoll },
+ { "tcprcvbuf", oTcpRcvBuf },
+ { "hpndisabled", oHPNDisabled },
+ { "hpnbuffersize", oHPNBufferSize },
++#endif
+ { "ignoreunknown", oIgnoreUnknown },
+
+ { NULL, oBadOption }
+@@ -1417,12 +1421,20 @@ fill_default_options(Options * options)
+ options->server_alive_interval = 0;
+ if (options->server_alive_count_max == -1)
+ options->server_alive_count_max = 3;
++#ifdef NONECIPHER
+ if (options->none_switch == -1)
++#endif
+ options->none_switch = 0;
++#ifdef NONECIPHER
+ if (options->none_enabled == -1)
++#endif
+ options->none_enabled = 0;
++#ifdef HPN
+ if (options->hpn_disabled == -1)
+ options->hpn_disabled = 0;
++#else
++ options->hpn_disabled = 1;
++#endif
+ if (options->hpn_buffer_size > -1)
+ {
+ /* if a user tries to set the size to 0 set it to 1KB */
+--- servconf.c.orig 2013-10-11 09:24:44.734138483 -0500
++++ servconf.c 2013-10-11 09:25:50.777137928 -0500
+@@ -305,10 +305,16 @@ fill_default_server_options(ServerOption
+ options->permit_tun = SSH_TUNMODE_NO;
+ if (options->zero_knowledge_password_authentication == -1)
+ options->zero_knowledge_password_authentication = 0;
++#ifdef NONECIPHER
+ if (options->none_enabled == -1)
++#endif
+ options->none_enabled = 0;
++#ifdef HPN
+ if (options->hpn_disabled == -1)
+ options->hpn_disabled = 0;
++#else
++ options->hpn_disabled = 1;
++#endif
+
+ if (options->hpn_buffer_size == -1) {
+ /* option not explicitly set. Now we have to figure out */
+--- configure.ac.orig 2013-10-12 17:17:41.525139481 -0500
++++ configure.ac 2013-10-12 17:18:35.610130039 -0500
+@@ -3968,6 +3968,34 @@
+ ]
+ ) # maildir
+
++#check whether user wants HPN support
++HPN_MSG="no"
++AC_ARG_WITH(hpn,
++ [ --with-hpn Enable HPN support],
++ [ if test "x$withval" != "xno" ; then
++ AC_DEFINE(HPN,1,[Define if you want HPN support.])
++ HPN_MSG="yes"
++ fi ]
++)
++#check whether user wants NONECIPHER support
++NONECIPHER_MSG="no"
++AC_ARG_WITH(nonecipher,
++ [ --with-nonecipher Enable NONECIPHER support],
++ [ if test "x$withval" != "xno" ; then
++ AC_DEFINE(NONECIPHER,1,[Define if you want NONECIPHER support.])
++ NONECIPHER_MSG="yes"
++ fi ]
++)
++#check whether user wants AES_THREADED support
++AES_THREADED_MSG="no"
++AC_ARG_WITH(aes-threaded,
++ [ --with-aes-threaded Enable AES_THREADED support],
++ [ if test "x$withval" != "xno" ; then
++ AC_DEFINE(AES_THREADED,1,[Define if you want AES_THREADED support.])
++ AES_THREADED_MSG="yes"
++ fi ]
++)
++
+ if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; then
+ AC_MSG_WARN([cross compiling: Disabling /dev/ptmx test])
+ disable_ptmx_check=yes
+@@ -4636,6 +4664,9 @@
+ echo " BSD Auth support: $BSD_AUTH_MSG"
+ echo " Random number source: $RAND_MSG"
+ echo " Privsep sandbox style: $SANDBOX_STYLE"
++echo " HPN support: $HPN_MSG"
++echo " NONECIPHER support: $NONECIPHER_MSG"
++echo " AES_THREADED support: $AES_THREADED_MSG"
+
+ echo ""
+
Added: trunk/security/openssh-portable/files/extra-patch-hpn-no-hpn
===================================================================
--- trunk/security/openssh-portable/files/extra-patch-hpn-no-hpn (rev 0)
+++ trunk/security/openssh-portable/files/extra-patch-hpn-no-hpn 2013-12-20 02:52:32 UTC (rev 15686)
@@ -0,0 +1,32 @@
+--- sshd_config.orig 2013-10-12 06:40:05.766128740 -0500
++++ sshd_config 2013-10-12 06:40:06.646129924 -0500
+@@ -125,20 +125,6 @@
+ # override default of no subsystems
+ Subsystem sftp /usr/libexec/sftp-server
+
+-# the following are HPN related configuration options
+-# tcp receive buffer polling. disable in non autotuning kernels
+-#TcpRcvBufPoll yes
+-
+-# disable hpn performance boosts
+-#HPNDisabled no
+-
+-# buffer size for hpn to non-hpn connections
+-#HPNBufferSize 2048
+-
+-
+-# allow the use of the none cipher
+-#NoneEnabled no
+-
+ # Example of overriding settings on a per-user basis
+ #Match User anoncvs
+ # X11Forwarding no
+--- version.h.orig 2013-10-12 06:42:19.578133368 -0500
++++ version.h 2013-10-12 06:42:28.581136160 -0500
+@@ -3,5 +3,4 @@
+ #define SSH_VERSION "OpenSSH_6.3"
+
+ #define SSH_PORTABLE "p1"
+-#define SSH_HPN "-hpn14v2"
+-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
++#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
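Review bot: The version.h context line `#define SSH_VERSION "OpenSSH_6.3"` is stale for a port that now fetches openssh-6.4p1 (distinfo above), so this hunk only applies through patch(1) fuzz against the 6.4 source unless the hpnssh14v2 diff rewrites that line first; refresh the context to `#define SSH_VERSION "OpenSSH_6.4"` so a future mismatch fails loudly instead of applying with fuzz. Dropping `SSH_HPN` from `SSH_RELEASE` is the right thing when HPN is off, since the banner is sent to every peer and would otherwise advertise a patch set the binary does not contain.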
Added: trunk/security/openssh-portable/files/extra-patch-ldns
===================================================================
--- trunk/security/openssh-portable/files/extra-patch-ldns (rev 0)
+++ trunk/security/openssh-portable/files/extra-patch-ldns 2013-12-20 02:52:32 UTC (rev 15686)
@@ -0,0 +1,51 @@
+r255461 | des | 2013-09-10 17:30:22 -0500 (Tue, 10 Sep 2013) | 7 lines
+Changed paths:
+ M /head/crypto/openssh/readconf.c
+ M /head/crypto/openssh/ssh_config
+ M /head/crypto/openssh/ssh_config.5
+
+Change the default value of VerifyHostKeyDNS to "yes" if compiled with
+LDNS. With that setting, OpenSSH will silently accept host keys that
+match verified SSHFP records. If an SSHFP record exists but could not
+be verified, OpenSSH will print a message and prompt the user as usual.
+
+--- readconf.c 2013-10-03 08:15:03.496131082 -0500
++++ readconf.c 2013-10-03 08:15:22.716134315 -0500
+@@ -1414,8 +1414,14 @@ fill_default_options(Options * options)
+ options->rekey_limit = 0;
+ if (options->rekey_interval == -1)
+ options->rekey_interval = 0;
++#if HAVE_LDNS
++ if (options->verify_host_key_dns == -1)
++ /* automatically trust a verified SSHFP record */
++ options->verify_host_key_dns = 1;
++#else
+ if (options->verify_host_key_dns == -1)
+ options->verify_host_key_dns = 0;
++#endif
+ if (options->server_alive_interval == -1)
+ options->server_alive_interval = 0;
+ if (options->server_alive_count_max == -1)
+--- ssh_config 2013-10-03 08:15:03.537131330 -0500
++++ ssh_config 2013-10-03 08:15:22.755131175 -0500
+@@ -44,5 +44,6 @@
+ # TunnelDevice any:any
+ # PermitLocalCommand no
+ # VisualHostKey no
++# VerifyHostKeyDNS yes
+ # ProxyCommand ssh -q -W %h:%p gateway.example.com
+ # RekeyLimit 1G 1h
+--- ssh_config.5 2013-10-03 08:15:03.621130815 -0500
++++ ssh_config.5 2013-10-03 08:15:22.851132133 -0500
+@@ -1246,7 +1246,10 @@ The argument must be
+ or
+ .Dq ask .
+ The default is
+-.Dq no .
++.Dq yes
++if compiled with LDNS and
++.Dq no
++otherwise.
+ Note that this option applies to protocol version 2 only.
+ .Pp
+ See also VERIFYING HOST KEYS in
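Review bot: The comment `/* automatically trust a verified SSHFP record */` should say what "verified" means here, because with `verify_host_key_dns = 1` a matching record suppresses the host-key prompt entirely. In portable OpenSSH the record is presumably only flagged validated when the resolver's answer carries the AD bit, so the trust now rests on the path to the configured resolver and on that resolver doing DNSSEC validation; a spoofable stub resolver would turn this into silent acceptance of an attacker's key — confirm against the ldns getrrsetbyname shim before shipping this default. Suggested comment: `/* With LDNS, an SSHFP record the resolver marks DNSSEC-validated is accepted without prompting; this trusts the resolver path, so "ask" is the safer default on hosts without a local validating resolver. */`. Also prefer `#ifdef HAVE_LDNS` over `#if HAVE_LDNS` to match the file's other guards (e.g. `#ifndef NO_IPPORT_RESERVED_CONCEPT`) and avoid a -Wundef warning when the macro is unset. fill_default_options starts and ends outside the hunk.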
Modified: trunk/security/openssh-portable/files/patch-readconf.c
===================================================================
--- trunk/security/openssh-portable/files/patch-readconf.c 2013-12-20 02:25:13 UTC (rev 15685)
+++ trunk/security/openssh-portable/files/patch-readconf.c 2013-12-20 02:52:32 UTC (rev 15686)
@@ -1,3 +1,5 @@
+base defaults
+
r99048 | des | 2002-06-29 05:51:56 -0500 (Sat, 29 Jun 2002) | 4 lines
Changed paths:
M /head/crypto/openssh/myproposal.h
@@ -17,20 +19,9 @@
Submitted by: delphij@
---- readconf.c.orig 2010-08-03 00:04:46.000000000 -0600
-+++ readconf.c 2010-09-14 16:14:12.000000000 -0600
-@@ -1169,7 +1169,7 @@
- if (options->batch_mode == -1)
- options->batch_mode = 0;
- if (options->check_host_ip == -1)
-- options->check_host_ip = 1;
-+ options->check_host_ip = 0;
- if (options->strict_host_key_checking == -1)
- options->strict_host_key_checking = 2; /* 2 is default */
- if (options->compression == -1)
---- readconf.c (revision 181917)
-+++ readconf.c (revision 181918)
-@@ -18,6 +18,7 @@
+--- readconf.c.orig 2013-10-03 06:56:21.649139613 -0500
++++ readconf.c 2013-10-03 06:56:50.961467272 -0500
+@@ -17,6 +17,7 @@
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>
@@ -37,8 +28,8 @@
+#include <sys/sysctl.h>
#include <netinet/in.h>
-
-@@ -245,7 +246,19 @@
+ #include <netinet/in_systm.h>
+@@ -265,7 +266,19 @@ add_local_forward(Options *options, cons
Forward *fwd;
#ifndef NO_IPPORT_RESERVED_CONCEPT
extern uid_t original_real_uid;
@@ -58,4 +49,13 @@
+ if (newfwd->listen_port < ipport_reserved && original_real_uid != 0)
fatal("Privileged ports can only be forwarded by root.");
#endif
- if (options->num_local_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
+ options->local_forwards = xrealloc(options->local_forwards,
+@@ -1281,7 +1294,7 @@ fill_default_options(Options * options)
+ if (options->batch_mode == -1)
+ options->batch_mode = 0;
+ if (options->check_host_ip == -1)
+- options->check_host_ip = 1;
++ options->check_host_ip = 0;
+ if (options->strict_host_key_checking == -1)
+ options->strict_host_key_checking = 2; /* 2 is default */
+ if (options->compression == -1)
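Review bot: The new `base defaults` header at the top of this patch file does not say why the port flips `check_host_ip` from upstream's 1 to 0; CheckHostIP is the known_hosts IP cross-check that ssh_config(5) describes as helping detect a host key change due to DNS spoofing, so disabling it by default is a security trade-off that should be stated where the patch is maintained rather than left as a bare diff. Suggested header text: `base defaults: CheckHostIP defaults to no (upstream: yes); this drops the known_hosts IP cross-check described in ssh_config(5), which helps detect DNS spoofing.` — the motivation itself is not visible here, so add whichever rationale applies. The fill_default_options body continues outside the hunk.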
Modified: trunk/security/openssh-portable/files/patch-servconf.c
===================================================================
--- trunk/security/openssh-portable/files/patch-servconf.c 2013-12-20 02:25:13 UTC (rev 15685)
+++ trunk/security/openssh-portable/files/patch-servconf.c 2013-12-20 02:52:32 UTC (rev 15686)
@@ -39,12 +39,3 @@
if (options->kbd_interactive_authentication == -1)
options->kbd_interactive_authentication = 0;
if (options->challenge_response_authentication == -1)
-@@ -335,7 +339,7 @@
- options->version_addendum = xstrdup("");
- /* Turn privilege separation on by default */
- if (use_privsep == -1)
-- use_privsep = PRIVSEP_NOSANDBOX;
-+ use_privsep = PRIVSEP_ON;
-
- #ifndef HAVE_MMAP
- if (use_privsep && options->compression == 1) {
Modified: trunk/security/openssh-portable/files/patch-session.c
===================================================================
--- trunk/security/openssh-portable/files/patch-session.c 2013-12-20 02:25:13 UTC (rev 15685)
+++ trunk/security/openssh-portable/files/patch-session.c 2013-12-20 02:52:32 UTC (rev 15686)
@@ -41,8 +41,8 @@
+ LOGIN_SETENV|LOGIN_SETPATH);
+ copy_environment(environ, &env, &envsize);
+ for (var = environ; *var != NULL; ++var)
-+ xfree(*var);
-+ xfree(environ);
++ free(*var);
++ free(environ);
+ environ = senv;
#else /* HAVE_LOGIN_CAP */
# ifndef HAVE_CYGWIN
Modified: trunk/security/openssh-portable/files/patch-ssh-agent.c
===================================================================
--- trunk/security/openssh-portable/files/patch-ssh-agent.c 2013-12-20 02:25:13 UTC (rev 15685)
+++ trunk/security/openssh-portable/files/patch-ssh-agent.c 2013-12-20 02:52:32 UTC (rev 15686)
@@ -90,13 +90,3 @@
default:
usage();
}
-@@ -1348,8 +1376,7 @@
- if (ac > 0)
- parent_alive_interval = 10;
- idtab_init();
-- if (!d_flag)
-- signal(SIGINT, SIG_IGN);
-+ signal(SIGINT, d_flag ? cleanup_handler : SIG_IGN);
- signal(SIGPIPE, SIG_IGN);
- signal(SIGHUP, cleanup_handler);
- signal(SIGTERM, cleanup_handler);
Modified: trunk/security/openssh-portable/files/patch-sshd_config
===================================================================
--- trunk/security/openssh-portable/files/patch-sshd_config 2013-12-20 02:25:13 UTC (rev 15685)
+++ trunk/security/openssh-portable/files/patch-sshd_config 2013-12-20 02:52:32 UTC (rev 15686)
@@ -72,7 +72,7 @@
#TCPKeepAlive yes
#UseLogin no
-UsePrivilegeSeparation sandbox # Default for new installations.
-+#UsePrivilegeSeparation sandbox
++#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
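Review bot: Changing the sample line from `#UsePrivilegeSeparation sandbox` to `#UsePrivilegeSeparation yes` — together with this commit dropping the patch-servconf.c hunk that set the compiled default to `PRIVSEP_ON` — means new installations now run the pre-auth privsep child without the sandbox that the 6.2p2 port enabled by default, and the log message ("6.4p1") gives no reason. If the rlimit sandbox is known to break on MidnightBSD or with the HPN threaded-AES code (the hpn-build-options patch's comments hint at sandbox issues), say so in the patch header; otherwise keep `#UsePrivilegeSeparation sandbox` and the `PRIVSEP_ON` default so the behaviour documented in the old sshd_config.5 patch is preserved. Since the line is commented out either way, the compiled-in default is what actually applies — so the servconf.c change is the one that matters, and the two should be decided together.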
Modified: trunk/security/openssh-portable/files/patch-sshd_config.5
===================================================================
--- trunk/security/openssh-portable/files/patch-sshd_config.5 2013-12-20 02:25:13 UTC (rev 15685)
+++ trunk/security/openssh-portable/files/patch-sshd_config.5 2013-12-20 02:52:32 UTC (rev 15686)
@@ -79,15 +79,6 @@
.It Cm UsePrivilegeSeparation
Specifies whether
.Xr sshd 8
-@@ -1157,7 +1183,7 @@
- The goal of privilege separation is to prevent privilege
- escalation by containing any corruption within the unprivileged processes.
- The default is
--.Dq yes .
-+.Dq sandbox .
- If
- .Cm UsePrivilegeSeparation
- is set to
@@ -1182,7 +1208,7 @@
or
.Dq no .