openssh: Update to version 9.3p1

  - Update from version 9.2p1 to 9.3p1
- Update of rootfile not required
- Removal of patch as this was only required for i586 builds which are no longer done in
   IPFire
- Changelog
9.3p1 (2023-03-15)
  This release fixes a number of security bugs.
    Security
	This release contains fixes for a security problem and a memory
	safety problem. The memory safety problem is not believed to be
	exploitable, but we report most network-reachable memory faults as
	security bugs.
	 * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the
	   per-hop destination constraints (ssh-add -h ...) added in OpenSSH
	   8.9, a logic error prevented the constraints from being
	   communicated to the agent. This resulted in the keys being added
	   without constraints. The common cases of non-smartcard keys and
	   keys without destination constraints are unaffected. This problem
	   was reported by Luci Stanescu.
	 * ssh(1): Portable OpenSSH provides an implementation of the
	   getrrsetbyname(3) function if the standard library does not
	   provide it, for use by the VerifyHostKeyDNS feature. A
	   specifically crafted DNS response could cause this function to
	   perform an out-of-bounds read of adjacent stack data, but this
	   condition does not appear to be exploitable beyond denial-of-
	   service to the ssh(1) client.
	   The getrrsetbyname(3) replacement is only included if the system's
	   standard library lacks this function and portable OpenSSH was not
	   compiled with the ldns library (--with-ldns). getrrsetbyname(3) is
	   only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This
	   problem was found by the Coverity static analyzer.
    New features
	 * ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256 when
	   outputting SSHFP fingerprints to allow algorithm selection. bz3493
	 * sshd(8): add a `sshd -G` option that parses and prints the
	   effective configuration without attempting to load private keys
	   and perform other checks. This allows usage of the option before
	   keys have been generated and for configuration evaluation and
	   verification by unprivileged users.
    Bugfixes
	 * scp(1), sftp(1): fix progressmeter corruption on wide displays;
	   bz3534
	 * ssh-add(1), ssh-keygen(1): use RSA/SHA256 when testing usability
	   of private keys as some systems are starting to disable RSA/SHA1
	   in libcrypto.
	 * sftp-server(8): fix a memory leak. GHPR363
	 * ssh(1), sshd(8), ssh-keyscan(1): remove vestigal protocol
	   compatibility code and simplify what's left.
	 * Fix a number of low-impact Coverity static analysis findings.
	   These include several reported via bz2687
	 * ssh_config(5), sshd_config(5): mention that some options are not
	   first-match-wins.
	 * Rework logging for the regression tests. Regression tests will now
	   capture separate logs for each ssh and sshd invocation in a test.
	 * ssh(1): make `ssh -Q CASignatureAlgorithms` work as the manpage
	   says it should; bz3532.
	 * ssh(1): ensure that there is a terminating newline when adding a
	   new entry to known_hosts; bz3529
    Portability
	 * sshd(8): harden Linux seccomp sandbox. Move to an allowlist of
	   mmap(2), madvise(2) and futex(2) flags, removing some concerning
	   kernel attack surface.
	 * sshd(8): improve Linux seccomp-bpf sandbox for older systems;
	   bz3537

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 lfs/openssh                                         |  5 ++---
 ...SH-8.2p1_glibc-2.31_clock_nanosleep_time64.patch | 13 -------------
 2 files changed, 2 insertions(+), 16 deletions(-)
 delete mode 100644 src/patches/OpenSSH-8.2p1_glibc-2.31_clock_nanosleep_time64.patch
  

As always, thank you very much!

Reviewed-by: Peter Müller <peter.mueller@ipfire.org>

> - Update from version 9.2p1 to 9.3p1
> - Update of rootfile not required
> - Removal of patch as this was only required for i586 builds which are no longer done in
>    IPFire
> - Changelog
> 9.3p1 (2023-03-15)
>   This release fixes a number of security bugs.
>     Security
> 	This release contains fixes for a security problem and a memory
> 	safety problem. The memory safety problem is not believed to be
> 	exploitable, but we report most network-reachable memory faults as
> 	security bugs.
> 	 * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the
> 	   per-hop destination constraints (ssh-add -h ...) added in OpenSSH
> 	   8.9, a logic error prevented the constraints from being
> 	   communicated to the agent. This resulted in the keys being added
> 	   without constraints. The common cases of non-smartcard keys and
> 	   keys without destination constraints are unaffected. This problem
> 	   was reported by Luci Stanescu.
> 	 * ssh(1): Portable OpenSSH provides an implementation of the
> 	   getrrsetbyname(3) function if the standard library does not
> 	   provide it, for use by the VerifyHostKeyDNS feature. A
> 	   specifically crafted DNS response could cause this function to
> 	   perform an out-of-bounds read of adjacent stack data, but this
> 	   condition does not appear to be exploitable beyond denial-of-
> 	   service to the ssh(1) client.
> 	   The getrrsetbyname(3) replacement is only included if the system's
> 	   standard library lacks this function and portable OpenSSH was not
> 	   compiled with the ldns library (--with-ldns). getrrsetbyname(3) is
> 	   only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This
> 	   problem was found by the Coverity static analyzer.
>     New features
> 	 * ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256 when
> 	   outputting SSHFP fingerprints to allow algorithm selection. bz3493
> 	 * sshd(8): add a `sshd -G` option that parses and prints the
> 	   effective configuration without attempting to load private keys
> 	   and perform other checks. This allows usage of the option before
> 	   keys have been generated and for configuration evaluation and
> 	   verification by unprivileged users.
>     Bugfixes
> 	 * scp(1), sftp(1): fix progressmeter corruption on wide displays;
> 	   bz3534
> 	 * ssh-add(1), ssh-keygen(1): use RSA/SHA256 when testing usability
> 	   of private keys as some systems are starting to disable RSA/SHA1
> 	   in libcrypto.
> 	 * sftp-server(8): fix a memory leak. GHPR363
> 	 * ssh(1), sshd(8), ssh-keyscan(1): remove vestigal protocol
> 	   compatibility code and simplify what's left.
> 	 * Fix a number of low-impact Coverity static analysis findings.
> 	   These include several reported via bz2687
> 	 * ssh_config(5), sshd_config(5): mention that some options are not
> 	   first-match-wins.
> 	 * Rework logging for the regression tests. Regression tests will now
> 	   capture separate logs for each ssh and sshd invocation in a test.
> 	 * ssh(1): make `ssh -Q CASignatureAlgorithms` work as the manpage
> 	   says it should; bz3532.
> 	 * ssh(1): ensure that there is a terminating newline when adding a
> 	   new entry to known_hosts; bz3529
>     Portability
> 	 * sshd(8): harden Linux seccomp sandbox. Move to an allowlist of
> 	   mmap(2), madvise(2) and futex(2) flags, removing some concerning
> 	   kernel attack surface.
> 	 * sshd(8): improve Linux seccomp-bpf sandbox for older systems;
> 	   bz3537
> 
> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
> ---
>  lfs/openssh                                         |  5 ++---
>  ...SH-8.2p1_glibc-2.31_clock_nanosleep_time64.patch | 13 -------------
>  2 files changed, 2 insertions(+), 16 deletions(-)
>  delete mode 100644 src/patches/OpenSSH-8.2p1_glibc-2.31_clock_nanosleep_time64.patch
> 
> diff --git a/lfs/openssh b/lfs/openssh
> index 89f486a79..5a18edd70 100644
> --- a/lfs/openssh
> +++ b/lfs/openssh
> @@ -24,7 +24,7 @@
>  
>  include Config
>  
> -VER        = 9.2p1
> +VER        = 9.3p1
>  
>  THISAPP    = openssh-$(VER)
>  DL_FILE    = $(THISAPP).tar.gz
> @@ -40,7 +40,7 @@ objects = $(DL_FILE)
>  
>  $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>  
> -$(DL_FILE)_BLAKE2 = 8d0b5e43cb42cba105a1fe303c447a2b85151cb33ec7ed47747d75c5a61d0f07f0ee4b1020b79c13eb8de4b451c5a844a8afc7ebbbea7ffeceafc3bf59cb8d21
> +$(DL_FILE)_BLAKE2 = 45578edf98bba3d23c7cefe60d8a7d3079e7c6676459f7422ace7a2461ab96943fbcadb478633a80f40bc098f2435722850b563714adb78b14922be53cb5753d
>  
>  install : $(TARGET)
>  
> @@ -71,7 +71,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>  	@$(PREBUILD)
>  	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
>  	cd $(DIR_APP) && sed -i "s/lkrb5 -ldes/lkrb5/" configure
> -	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/OpenSSH-8.2p1_glibc-2.31_clock_nanosleep_time64.patch
>  	cd $(DIR_APP) && ./configure \
>  		--prefix=/usr \
>  		--sysconfdir=/etc/ssh \
> diff --git a/src/patches/OpenSSH-8.2p1_glibc-2.31_clock_nanosleep_time64.patch b/src/patches/OpenSSH-8.2p1_glibc-2.31_clock_nanosleep_time64.patch
> deleted file mode 100644
> index 5199872d9..000000000
> --- a/src/patches/OpenSSH-8.2p1_glibc-2.31_clock_nanosleep_time64.patch
> +++ /dev/null
> @@ -1,13 +0,0 @@
> -diff -Naur openssh-8.2p1.org/sandbox-seccomp-filter.c openssh-8.2p1/sandbox-seccomp-filter.c
> ---- openssh-8.2p1.org/sandbox-seccomp-filter.c	2020-04-10 18:14:56.152309584 +0200
> -+++ openssh-8.2p1/sandbox-seccomp-filter.c	2020-04-10 21:05:45.827921765 +0200
> -@@ -253,6 +253,9 @@
> - #endif
> - #ifdef __NR_clock_nanosleep_time64
> - 	SC_ALLOW(__NR_clock_nanosleep_time64),
> -+#else
> -+	/* on i586 glibc call syscall 407 which is not defined */
> -+	SC_ALLOW(407),
> - #endif
> - #ifdef __NR_clock_gettime64
> - 	SC_ALLOW(__NR_clock_gettime64),