head	1.7;
access;
symbols
	pkgsrc-2013Q2:1.7.0.14
	pkgsrc-2013Q2-base:1.7
	pkgsrc-2012Q4:1.7.0.12
	pkgsrc-2012Q4-base:1.7
	pkgsrc-2011Q4:1.7.0.10
	pkgsrc-2011Q4-base:1.7
	pkgsrc-2011Q2:1.7.0.8
	pkgsrc-2011Q2-base:1.7
	pkgsrc-2009Q4:1.7.0.6
	pkgsrc-2009Q4-base:1.7
	pkgsrc-2008Q4:1.7.0.4
	pkgsrc-2008Q4-base:1.7
	pkgsrc-2008Q3:1.7.0.2
	pkgsrc-2008Q3-base:1.7
	cube-native-xorg:1.6.0.6
	cube-native-xorg-base:1.6
	pkgsrc-2008Q2:1.6.0.4
	pkgsrc-2008Q2-base:1.6
	cwrapper:1.6.0.2
	pkgsrc-2008Q1:1.5.0.2
	pkgsrc-2008Q1-base:1.5
	pkgsrc-2007Q4:1.4.0.4
	pkgsrc-2007Q4-base:1.4
	pkgsrc-2007Q3:1.4.0.2
	pkgsrc-2007Q3-base:1.4
	pkgsrc-2007Q2:1.3.0.4
	pkgsrc-2007Q2-base:1.3
	pkgsrc-2007Q1:1.3.0.2
	pkgsrc-2007Q1-base:1.3
	pkgsrc-2006Q4:1.2.0.2
	pkgsrc-2006Q4-base:1.2
	pkgsrc-2006Q3:1.1.0.2
	pkgsrc-2006Q3-base:1.1;
locks; strict;
comment	@# @;


1.7
date	2008.09.16.12.53.08;	author taca;	state dead;
branches;
next	1.6;

1.6
date	2008.04.27.00.34.27;	author tnn;	state Exp;
branches;
next	1.5;

1.5
date	2008.04.03.07.59.08;	author tonnerre;	state Exp;
branches;
next	1.4;

1.4
date	2007.09.07.10.41.12;	author taca;	state dead;
branches;
next	1.3;

1.3
date	2007.03.16.05.46.07;	author cjs;	state Exp;
branches;
next	1.2;

1.2
date	2006.10.31.03.31.20;	author taca;	state dead;
branches;
next	1.1;

1.1
date	2006.09.27.16.10.59;	author taca;	state Exp;
branches
	1.1.2.1;
next	;

1.1.2.1
date	2006.11.10.11.50.26;	author salo;	state dead;
branches;
next	;


desc
@@


1.7
log
@Update openssh package to 5.1.1 (5.1p1)

Changes from OpenSSH 5.0 are too many to write here; please refer to its
release note: http://www.openssh.com/txt/release-5.1.
I quote only the Security section from the release note.

Security:

 * sshd(8): Avoid X11 man-in-the-middle attack on HP/UX (and possibly
   other platforms) when X11UseLocalhost=no

   When attempting to bind(2) to a port that has previously been bound
   with SO_REUSEADDR set, most operating systems check that either the
   effective user-id matches the previous bind (common on BSD-derived
   systems) or that the bind addresses do not overlap (Linux and
   Solaris).

   Some operating systems, such as HP/UX, do not perform these checks
   and are vulnerable to an X11 man-in-the-middle attack when the
   sshd_config(5) option X11UseLocalhost has been set to "no" - an
   attacker may establish a more-specific bind, which will be used in
   preference to sshd's wildcard listener.

   Modern BSD operating systems, Linux, OS X and Solaris implement the
   above checks and are not vulnerable to this attack, nor are systems
   where the X11UseLocalhost has been left at the default value of
   "yes".

   Portable OpenSSH 5.1 avoids this problem for all operating systems
   by not setting SO_REUSEADDR when X11UseLocalhost is set to no.

   This vulnerability was reported by sway2004009 AT hotmail.com.
@
text
@$NetBSD: patch-ax,v 1.6 2008/04/27 00:34:27 tnn Exp $

--- sftp.h.orig	2008-02-10 12:40:12.000000000 +0100
+++ sftp.h
@@@@ -94,4 +94,4 @@@@
 struct passwd;
 
 int	sftp_server_main(int, char **, struct passwd *);
-void	sftp_server_cleanup_exit(int) __dead;
+void	sftp_server_cleanup_exit(int) __attribute__((noreturn));
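Review bot: the hunk carries no explanatory comment above the `---` line, unlike earlier revisions of this patch file (the CVE-2008-1483 and bugzilla #1299 versions each state their reason first); add a line saying why `__dead` is replaced by `__attribute__((noreturn))` so the patch can be re-evaluated at the next OpenSSH update.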
@


1.6
log
@Update to OpenSSH 5.0p1.
Changes since 4.7:
- fix two security issues
- chroot support for sshd(8)
- sftp server internalized in sshd(8)
- assorted bug fixes
@
text
@d1 1
a1 1
$NetBSD$
@


1.5
log
@Fix two vulnerabilities in OpenSSH:
 - X11 forwarding information disclosure (CVE-2008-1483)
 - ForceCommand bypass vulnerability
@
text
@d3 4
a6 9
Don't deadlock on exit with multiple X forwarded channels.
Don't use X11 port which can't be bound on all IP families.
Fixes CVE-2008-1483.

--- channels.c.orig	2007-06-25 09:04:47.000000000 +0000
+++ channels.c
@@@@ -2905,9 +2905,6 @@@@ x11_create_display_inet(int x11_display_
 				debug2("bind port %d: %.100s", port, strerror(errno));
 				close(sock);
d8 3
a10 6
-				if (ai->ai_next)
-					continue;
-
 				for (n = 0; n < num_socks; n++) {
 					close(socks[n]);
 				}
@


1.4
log
@Update openssh package to 4.7.1 (4.7p1).


Changes since OpenSSH 4.6:
============================

Security bugs resolved in this release:

 * Prevent ssh(1) from using a trusted X11 cookie if creation of an
   untrusted cookie fails; found and fixed by Jan Pechanec.

Other changes, new functionality and fixes in this release:

 * sshd(8) in new installations defaults to SSH Protocol 2 only.
   Existing installations are unchanged.

 * The SSH channel window size has been increased, and both ssh(1) and
   sshd(8) now send window updates more aggressively. This improves
   performance on high-BDP (Bandwidth Delay Product) networks.

 * ssh(1) and sshd(8) now preserve MAC contexts between packets, which
   saves 2 hash calls per packet and results in 12-16% speedup for
   arcfour256/hmac-md5.

 * A new MAC algorithm has been added, UMAC-64 (RFC4418) as
   "umac-64@@openssh.com". UMAC-64 has been measured to be
   approximately 20% faster than HMAC-MD5.

 * A -K flag was added to ssh(1) to set GSSAPIAuthentication=Yes

 * Failure to establish a ssh(1) TunnelForward is now treated as a
   fatal error when the ExitOnForwardFailure option is set.

 * ssh(1) returns a sensible exit status if the control master goes
   away without passing the full exit status. (bz #1261)

 * The following bugs have been fixed in this release:

   - When using a ProxyCommand in ssh(1), set the outgoing hostname with
     gethostname(2), allowing hostbased authentication to work (bz #616)
   - Make scp(1) skip FIFOs rather than hanging (bz #856)
   - Encode non-printing characters in scp(1) filenames; these could
     cause copies to be aborted with a "protocol error"
     (bz #891)
   - Handle SIGINT in sshd(8) privilege separation child process to
     ensure that wtmp and lastlog records are correctly updated
     (bz #1196)
   - Report GSSAPI mechanism in errors, for libraries that support
     multiple mechanisms (bz #1220)
   - Improve documentation for ssh-add(1)'s -d option (bz #1224)
   - Rearrange and tidy GSSAPI code, removing server-only code being
     linked into the client. (bz #1225)
   - Delay execution of ssh(1)'s LocalCommand until after all forwardings
     have been established. (bz #1232)
   - In scp(1), do not truncate non-regular files (bz #1236)
   - Improve exit message from ControlMaster clients. (bz #1262)
   - Prevent sftp-server(8) from reading until it runs out of buffer
     space, whereupon it would exit with a fatal error. (bz #1286)

 * Portable OpenSSH bugs fixed:

   - Fix multiple inclusion of paths.h on AIX 5.1 systems. (bz #1243)
   - Implement getpeereid for Solaris using getpeerucred. Solaris
     systems will now refuse ssh-agent(1) and ssh(1) ControlMaster
     clients from different, non-root users (bz #1287)
   - Fix compilation warnings by including string.h if found. (bz #1294)
   - Remove redefinition of _res in getrrsetbyname.c for platforms that
     already define it. (bz #1299)
   - Fix spurious "chan_read_failed for istate 3" errors from sshd(8),
     a side-effect of the "hang on exit" fix introduced in 4.6p1.
     (bz #1306)
   - pam_end() was not being called if authentication failed (bz #1322)
   - Fix SELinux support when SELinux is in permissive mode. Previously
     sshd(8) was treating SELinux errors as always fatal. (bz #1325)
   - Ensure that pam_setcred(..., PAM_ESTABLISH_CRED) is called before
     pam_setcred(..., PAM_REINITIALIZE_CRED), fixing pam_dhkeys.
     (bz #1339)
   - Fix privilege separation on QNX - pre-auth only, this platform does
     not support file descriptor passing needed for post-auth privilege
     separation. (bz #1343)
@
text
@d1 1
a1 1
$NetBSD: patch-ax,v 1.3 2007/03/16 05:46:07 cjs Exp $
d3 3
a5 1
# http://bugzilla.mindrot.org/show_bug.cgi?id=1299
d7 5
a11 5
--- openbsd-compat/getrrsetbyname.c.orig	2006-09-02 14:32:40.000000000 +0900
+++ openbsd-compat/getrrsetbyname.c	2007-03-16 14:07:32.000000000 +0900
@@@@ -67,14 +67,6 @@@@
 #endif
 #define _THREAD_PRIVATE(a,b,c) (c)
d13 2
a14 5
-/* to avoid conflicts where a platform already has _res */
-#ifdef _res
-# undef _res
-#endif
-#define _res	_compat_res
d16 3
a18 5
-struct __res_state _res;
-
 /* Necessary functions and macros */
 
 /*
@


1.3
log
@Bring in patch suggested in http://bugzilla.mindrot.org/show_bug.cgi?id=1299 .
This fixes the issue that, when "options edns0" is turned on (usually in
/etc/resolv.conf), ssh doesn't see it, and thus fails to request a DNSSEC
response, which in turn leads to SSHFP records being considered insecure.
@
text
@d1 1
a1 1
$NetBSD$
@


1.2
log
@Update openssh package to 4.4.1 (openssh-4.4p1).

- A few pkglint warning clean-ups.
- Major changes are here.  For complete changes,
  see http://www.openssh.com/txt/release-4.4.

Changes since OpenSSH 4.3:
============================

Security bugs resolved in this release:

 * Fix a pre-authentication denial of service found by Tavis Ormandy,
   that would cause sshd(8) to spin until the login grace time
   expired.

 * Fix an unsafe signal handler reported by Mark Dowd. The signal
   handler was vulnerable to a race condition that could be exploited
   to perform a pre-authentication denial of service. On portable
   OpenSSH, this vulnerability could theoretically lead to
   pre-authentication remote code execution if GSSAPI authentication
   is enabled, but the likelihood of successful exploitation appears
   remote.

 * On portable OpenSSH, fix a GSSAPI authentication abort that could
   be used to determine the validity of usernames on some platforms.

This release includes the following new functionality and fixes:

 * Implemented conditional configuration in sshd_config(5) using the
   "Match" directive. This allows some configuration options to be
   selectively overridden if specific criteria (based on user, group,
   hostname and/or address) are met. So far a useful subset of post-
   authentication options are supported and more are expected to be
   added in future releases.

 * Add support for Diffie-Hellman group exchange key agreement with a
   final hash of SHA256.

 * Added a "ForceCommand" directive to sshd_config(5). Similar to the
   command="..." option accepted in ~/.ssh/authorized_keys, this forces
   the execution of the specified command regardless of what the user
   requested. This is very useful in conjunction with the new "Match"
   option.

 * Add a "PermitOpen" directive to sshd_config(5). This mirrors the
   permitopen="..." authorized_keys option, allowing fine-grained
   control over the port-forwardings that a user is allowed to
   establish.

 * Add optional logging of transactions to sftp-server(8).

 * ssh(1) will now record port numbers for hosts stored in
   ~/.ssh/authorized_keys when a non-standard port has been requested.

 * Add an "ExitOnForwardFailure" option to cause ssh(1) to exit (with
   a non-zero exit code) when requested port forwardings could not be
   established.

 * Extend sshd_config(5) "SubSystem" declarations to allow the
   specification of command-line arguments.

 * Replacement of all integer overflow susceptible invocations of
   malloc(3) and realloc(3) with overflow-checking equivalents.

 * Many manpage fixes and improvements

 * New portable OpenSSH-specific features:

   - Add optional support for SELinux, controlled using the
     --with-selinux configure option (experimental)

   - Add optional support for Solaris process contracts, enabled
     using the --with-solaris-contracts configure option (experimental)
     This option will also include SMF metadata in Solaris packages
     built using the "make package" target

   - Add optional support for OpenSSL hardware accelerators (engines),
     enabled using the --with-ssl-engine configure option.
@
text
@d1 1
a1 1
$NetBSD: patch-ax,v 1.1 2006/09/27 16:10:59 taca Exp $
d3 1
a3 1
Secunia Advisory SA22091
d5 15
a19 47
--- deattack.c.orig	Mon Sep 22 20:04:23 2003
+++ deattack.c
@@@@ -27,6 +27,24 @@@@ RCSID("$OpenBSD: deattack.c,v 1.19 2003/
 #include "xmalloc.h"
 #include "deattack.h"
 
+/*
+ * CRC attack detection has a worst-case behaviour that is O(N^3) over
+ * the number of identical blocks in a packet. This behaviour can be 
+ * exploited to create a limited denial of service attack. 
+ * 
+ * However, because we are dealing with encrypted data, identical
+ * blocks should only occur every 2^35 maximally-sized packets or so. 
+ * Consequently, we can detect this DoS by looking for identical blocks
+ * in a packet.
+ *
+ * The parameter below determines how many identical blocks we will
+ * accept in a single packet, trading off between attack detection and
+ * likelihood of terminating a legitimate connection. A value of 32 
+ * corresponds to an average of 2^40 messages before an attack is
+ * misdetected
+ */
+#define MAX_IDENTICAL	32
+
 /* SSH Constants */
 #define SSH_MAXBLOCKS	(32 * 1024)
 #define SSH_BLOCKSIZE	(8)
@@@@ -56,17 +74,12 @@@@ crc_update(u_int32_t *a, u_int32_t b)
 
 /* detect if a block is used in a particular pattern */
 static int
-check_crc(u_char *S, u_char *buf, u_int32_t len,
-	  u_char *IV)
+check_crc(u_char *S, u_char *buf, u_int32_t len)
 {
 	u_int32_t crc;
 	u_char *c;
 
 	crc = 0;
-	if (IV && !CMP(S, IV)) {
-		crc_update(&crc, 1);
-		crc_update(&crc, 0);
-	}
 	for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) {
 		if (!CMP(S, c)) {
 			crc_update(&crc, 1);
@@@@ -82,12 +95,12 @@@@ check_crc(u_char *S, u_char *buf, u_int3
d21 1
a21 55
 /* Detect a crc32 compensation attack on a packet */
 int
-detect_attack(u_char *buf, u_int32_t len, u_char *IV)
+detect_attack(u_char *buf, u_int32_t len)
 {
 	static u_int16_t *h = (u_int16_t *) NULL;
 	static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
 	u_int32_t i, j;
-	u_int32_t l;
+	u_int32_t l, same;
 	u_char *c;
 	u_char *d;
 
@@@@ -111,15 +124,9 @@@@ detect_attack(u_char *buf, u_int32_t len
 
 	if (len <= HASH_MINBLOCKS) {
 		for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) {
-			if (IV && (!CMP(c, IV))) {
-				if ((check_crc(c, buf, len, IV)))
-					return (DEATTACK_DETECTED);
-				else
-					break;
-			}
 			for (d = buf; d < c; d += SSH_BLOCKSIZE) {
 				if (!CMP(c, d)) {
-					if ((check_crc(c, buf, len, IV)))
+					if ((check_crc(c, buf, len)))
 						return (DEATTACK_DETECTED);
 					else
 						break;
@@@@ -130,21 +137,11 @@@@ detect_attack(u_char *buf, u_int32_t len
 	}
 	memset(h, HASH_UNUSEDCHAR, n * HASH_ENTRYSIZE);
 
-	if (IV)
-		h[HASH(IV) & (n - 1)] = HASH_IV;
-
-	for (c = buf, j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) {
+	for (c = buf, same = j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) {
 		for (i = HASH(c) & (n - 1); h[i] != HASH_UNUSED;
 		    i = (i + 1) & (n - 1)) {
-			if (h[i] == HASH_IV) {
-				if (!CMP(c, IV)) {
-					if (check_crc(c, buf, len, IV))
-						return (DEATTACK_DETECTED);
-					else
-						break;
-				}
-			} else if (!CMP(c, buf + h[i] * SSH_BLOCKSIZE)) {
-				if (check_crc(c, buf, len, IV))
+			if (!CMP(c, buf + h[i] * SSH_BLOCKSIZE)) {
+				if (check_crc(c, buf, len))
 					return (DEATTACK_DETECTED);
 				else
 					break;
@


1.1
log
@Add patches to fix the problem reported by Secunia Advisory SA22091 (also
CVE-2006-4924); "OpenSSH Identical Blocks Denial of Service Vulnerability"
referring to OpenBSD's CVS repository.

Bump PKGREVISION.
@
text
@d1 1
a1 1
$NetBSD$
@


1.1.2.1
log
@Pullup ticket 1909 - requested by taca
security update for openssh

Revisions pulled up:
- pkgsrc/security/openssh/Makefile		1.172, 1.173, 1.174
- pkgsrc/security/openssh/distinfo		1.55, 1.56, 1.57
- pkgsrc/security/openssh/hacks.mk		1.2
- pkgsrc/security/openssh/options.mk		1.9, 1.10
- pkgsrc/security/openssh/patches/patch-aa	1.42, 1.43
- pkgsrc/security/openssh/patches/patch-ab	1.24, 1.25
- pkgsrc/security/openssh/patches/patch-ac	1.16
- pkgsrc/security/openssh/patches/patch-ad	1.12
- pkgsrc/security/openssh/patches/patch-ae	1.12
- pkgsrc/security/openssh/patches/patch-af	1.10
- pkgsrc/security/openssh/patches/patch-ag	1.9
- pkgsrc/security/openssh/patches/patch-ah	1.24
- pkgsrc/security/openssh/patches/patch-ai	1.10
- pkgsrc/security/openssh/patches/patch-aj	1.7
- pkgsrc/security/openssh/patches/patch-ak	1.8
- pkgsrc/security/openssh/patches/patch-al	1.7
- pkgsrc/security/openssh/patches/patch-am	1.7
- pkgsrc/security/openssh/patches/patch-an	1.8
- pkgsrc/security/openssh/patches/patch-ao	1.9
- pkgsrc/security/openssh/patches/patch-ap	1.8
- pkgsrc/security/openssh/patches/patch-aq	1.6
- pkgsrc/security/openssh/patches/patch-ar	1.7
- pkgsrc/security/openssh/patches/patch-as	1.5
- pkgsrc/security/openssh/patches/patch-at	removed
- pkgsrc/security/openssh/patches/patch-au	1.3
- pkgsrc/security/openssh/patches/patch-av	1.5
- pkgsrc/security/openssh/patches/patch-aw	1.2
- pkgsrc/security/openssh/patches/patch-ax	removed
- pkgsrc/security/openssh/patches/patch-ay	removed
- pkgsrc/security/openssh/patches/patch-az	removed

   Module Name:		pkgsrc
   Committed By:	taca
   Date:		Tue Oct 31 03:31:20 UTC 2006

   Modified Files:
   	pkgsrc/security/openssh: Makefile distinfo hacks.mk options.mk
   	pkgsrc/security/openssh/patches: patch-aa patch-ab patch-ac patch-ad
   	    patch-ae patch-af patch-ag patch-ah patch-ai patch-aj patch-ak
   	    patch-al patch-am patch-an patch-ao patch-ap patch-aq patch-ar
   	    patch-as patch-au patch-av patch-aw
   Removed Files:
   	pkgsrc/security/openssh/patches: patch-at patch-ax patch-ay patch-az

   Log Message:
   Update openssh package to 4.4.1 (openssh-4.4p1).

   - A few pkglint warning clean-ups.
   - Major changes are here.  For complete changes,
     see http://www.openssh.com/txt/release-4.4.

   Changes since OpenSSH 4.3:
   ============================

   Security bugs resolved in this release:

    * Fix a pre-authentication denial of service found by Tavis Ormandy,
      that would cause sshd(8) to spin until the login grace time
      expired.

    * Fix an unsafe signal handler reported by Mark Dowd. The signal
      handler was vulnerable to a race condition that could be exploited
      to perform a pre-authentication denial of service. On portable
      OpenSSH, this vulnerability could theoretically lead to
      pre-authentication remote code execution if GSSAPI authentication
      is enabled, but the likelihood of successful exploitation appears
      remote.

    * On portable OpenSSH, fix a GSSAPI authentication abort that could
      be used to determine the validity of usernames on some platforms.

   This release includes the following new functionality and fixes:

    * Implemented conditional configuration in sshd_config(5) using the
      "Match" directive. This allows some configuration options to be
      selectively overridden if specific criteria (based on user, group,
      hostname and/or address) are met. So far a useful subset of post-
      authentication options are supported and more are expected to be
      added in future releases.

    * Add support for Diffie-Hellman group exchange key agreement with a
      final hash of SHA256.

    * Added a "ForceCommand" directive to sshd_config(5). Similar to the
      command="..." option accepted in ~/.ssh/authorized_keys, this forces
      the execution of the specified command regardless of what the user
      requested. This is very useful in conjunction with the new "Match"
      option.

    * Add a "PermitOpen" directive to sshd_config(5). This mirrors the
      permitopen="..." authorized_keys option, allowing fine-grained
      control over the port-forwardings that a user is allowed to
      establish.

    * Add optional logging of transactions to sftp-server(8).

    * ssh(1) will now record port numbers for hosts stored in
      ~/.ssh/authorized_keys when a non-standard port has been requested.

    * Add an "ExitOnForwardFailure" option to cause ssh(1) to exit (with
      a non-zero exit code) when requested port forwardings could not be
      established.

    * Extend sshd_config(5) "SubSystem" declarations to allow the
      specification of command-line arguments.

    * Replacement of all integer overflow susceptible invocations of
      malloc(3) and realloc(3) with overflow-checking equivalents.

    * Many manpage fixes and improvements

    * New portable OpenSSH-specific features:

      - Add optional support for SELinux, controlled using the
        --with-selinux configure option (experimental)

      - Add optional support for Solaris process contracts, enabled
        using the --with-solaris-contracts configure option (experimental)
        This option will also include SMF metadata in Solaris packages
        built using the "make package" target

      - Add optional support for OpenSSL hardware accelerators (engines),
        enabled using the --with-ssl-engine configure option.
---
   Module Name:		pkgsrc
   Committed By:	taca
   Date:		Tue Nov  7 07:08:26 UTC 2006

   Modified Files:
   	pkgsrc/security/openssh: Makefile distinfo options.mk

   Log Message:
   Update hpn-patch to hpn12v13 since old one has gone.

   Bump PKGREVISION.
---
   Module Name:		pkgsrc
   Committed By:	taca
   Date:		Wed Nov  8 01:49:22 UTC 2006

   Modified Files:
   	pkgsrc/security/openssh: Makefile distinfo
   	pkgsrc/security/openssh/patches: patch-aa patch-ab

   Log Message:
   Update openssh package to 4.5.1 (openssh-4.5p1).

   Changes:

   Security bugs resolved in this release:

    * Fix a bug in the sshd privilege separation monitor that weakened its
      verification of successful authentication. This bug is not known to
      be exploitable in the absence of additional vulnerabilities.

   This release includes the following non-security fixes:

    * Several compilation fixes for portable OpenSSH

    * Fixes to Solaris SMF/process contract support (bugzilla #1255)
@
text
@d1 1
a1 1
$NetBSD: patch-ax,v 1.1 2006/09/27 16:10:59 taca Exp $
@


