From patchwork Sun Aug 27 10:17:39 2023
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 7120
From: Adolf Belka
To: development@lists.ipfire.org
Subject: [PATCH] openssh: Update to version 9.4p1
Date: Sun, 27 Aug 2023 12:17:39 +0200
Message-ID: <20230827101745.6483-5-adolf.belka@ipfire.org>
In-Reply-To: <20230827101745.6483-1-adolf.belka@ipfire.org>
References: <20230827101745.6483-1-adolf.belka@ipfire.org>
List-Id: IPFire development talk

- Update from version 9.3p2 to 9.4p1
- Update of rootfile not required.
- The openssh check for zlib version incorrectly identifies version 1.3
  as being older than the buggy zlib version. This bug was found on the
  openssh github pull request page but merged after openssh-9.4p1 was
  issued. Patch implemented to fix zlib version identification. This and
  the autoconf line can be removed when the next version of openssh is
  released.
- Changelog

9.4p1

This release fixes a number of bugs and adds some small features.

Potentially incompatible changes

* This release removes support for older versions of libcrypto. OpenSSH
  now requires LibreSSL >= 3.1.0 or OpenSSL >= 1.1.1. Note that these
  versions are already deprecated by their upstream vendors.
* ssh-agent(1): PKCS#11 modules must now be specified by their full
  paths. Previously dlopen(3) could search for them in system library
  directories.

New features

* ssh(1): allow forwarding Unix Domain sockets via ssh -W.
* ssh(1): add support for configuration tags to ssh(1). This adds a
  ssh_config(5) "Tag" directive and corresponding "Match tag" predicate
  that may be used to select blocks of configuration similar to the
  pf.conf(5) keywords of the same name.
* ssh(1): add a "match localnetwork" predicate.
  This allows matching on the addresses of available network interfaces
  and may be used to vary the effective client configuration based on
  network location.
* ssh(1), sshd(8), ssh-keygen(1): infrastructure support for KRL
  extensions. This defines wire formats for optional KRL extensions and
  implements parsing of the new submessages. No actual extensions are
  supported at this point.
* sshd(8): AuthorizedPrincipalsCommand and AuthorizedKeysCommand now
  accept two additional %-expansion sequences: %D which expands to the
  routing domain of the connected session and %C which expands to the
  addresses and port numbers for the source and destination of the
  connection.
* ssh-keygen(1): increase the default work factor (rounds) for the
  bcrypt KDF used to derive symmetric encryption keys for passphrase
  protected key files by 50%.

Bugfixes

* ssh-agent(1): improve isolation between loaded PKCS#11 modules by
  running separate ssh-pkcs11-helpers for each loaded provider.
* ssh(1): make -f (fork after authentication) work correctly with
  multiplexed connections, including ControlPersist. bz3589
* ssh(1): make ConnectTimeout apply to multiplexing sockets and not
  just to network connections.
* ssh-agent(1), ssh(1): improve defences against invalid PKCS#11
  modules being loaded by checking that the requested module contains
  the required symbol before loading it.
* sshd(8): fix AuthorizedPrincipalsCommand when AuthorizedKeysCommand
  appears before it in sshd_config. Since OpenSSH 8.7 the
  AuthorizedPrincipalsCommand directive was incorrectly ignored in this
  situation. bz3574
* sshd(8), ssh(1), ssh-keygen(1): remove vestigial support for KRL
  signatures. When the KRL format was originally defined, it included
  support for signing of KRL objects. However, the code to sign KRLs
  and verify KRL signatures was never completed in OpenSSH. This release
  removes the partially-implemented code to verify KRLs. All OpenSSH
  tools now ignore KRL_SECTION_SIGNATURE sections in KRL files.
* All: fix a number of memory leaks and unreachable/harmless integer
  overflows.
* ssh-agent(1), ssh(1): don't truncate strings logged from PKCS#11
  modules; GHPR406
* sshd(8), ssh(1): better validate CASignatureAlgorithms in ssh_config
  and sshd_config. Previously this directive would accept certificate
  algorithm names, but these were unusable in practice as OpenSSH does
  not support CA chains. bz3577
* ssh(1): make `ssh -Q CASignatureAlgorithms` only list signature
  algorithms that are valid for CA signing. Previous behaviour was to
  list all signing algorithms, including certificate algorithms.
* ssh-keyscan(1): gracefully handle systems where rlimits or the
  maximum number of open files is larger than INT_MAX; bz3581
* ssh-keygen(1): fix "no comment" not showing when running
  `ssh-keygen -l` on multiple keys where one has a comment and other
  following keys do not. bz3580
* scp(1), sftp(1): adjust ftruncate() logic to handle servers that
  reorder requests. Previously, if the server reordered requests then
  the resultant file would be erroneously truncated.
* ssh(1): don't incorrectly disable hostname canonicalization when
  CanonicalizeHostname=yes and ProxyJump was explicitly set to "none".
  bz3567
* scp(1): when copying local->remote, check that the source file exists
  before opening an SFTP connection to the server. Based on GHPR#370

Signed-off-by: Adolf Belka
---
 lfs/openssh                                   |  6 +++--
 ...ion_check_for_1.3_and_future_version.patch | 25 +++++++++++++++++++
 2 files changed, 29 insertions(+), 2 deletions(-)
 create mode 100644 src/patches/openssh-9.4p1_Fix_zlib_version_check_for_1.3_and_future_version.patch

diff --git a/lfs/openssh b/lfs/openssh index 83c94ffdc..d5d67dd0e 100644 --- a/lfs/openssh +++ b/lfs/openssh @@ -24,7 +24,7 @@ include Config -VER = 9.3p2 +VER = 9.4p1 THISAPP = openssh-$(VER) DL_FILE = $(THISAPP).tar.gz
@@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 38f8d4ada263112b318fafccabf0a33a004d8290a867434004eb3d37127c9bdabe6e0225fca9d6d68fb54338fec81dcc9313ca7c91d3a033311db44174dc9f6f +$(DL_FILE)_BLAKE2 = d13d758129cce947d3f12edb6e88406aad10de6887b19ffa3ebd8e382b742a05f2a692a8824aec99939f6c7e13fbccc3bb14e5ee112f9a9255d4882eb87dcf53 install : $(TARGET) @@ -70,6 +70,8 @@ $(subst %,%_BLAKE2,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssh-9.4p1_Fix_zlib_version_check_for_1.3_and_future_version.patch + cd $(DIR_APP) && autoconf cd $(DIR_APP) && sed -i "s/lkrb5 -ldes/lkrb5/" configure cd $(DIR_APP) && ./configure \ --prefix=/usr \ diff --git a/src/patches/openssh-9.4p1_Fix_zlib_version_check_for_1.3_and_future_version.patch b/src/patches/openssh-9.4p1_Fix_zlib_version_check_for_1.3_and_future_version.patch new file mode 100644 index 000000000..ef3ff4dca --- /dev/null +++ b/src/patches/openssh-9.4p1_Fix_zlib_version_check_for_1.3_and_future_version.patch @@ -0,0 +1,25 @@ +From cb4ed12ffc332d1f72d054ed92655b5f1c38f621 Mon Sep 17 00:00:00 2001 +From: Darren Tucker +Date: Sat, 19 Aug 2023 07:39:08 +1000 +Subject: [PATCH] Fix zlib version check for 1.3 and future version. + +bz#3604. +--- + configure.ac | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/configure.ac b/configure.ac +index 07893e87065..e3128dfcbb4 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1464,7 +1464,7 @@ else + [[ + int a=0, b=0, c=0, d=0, n, v; + n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d); +- if (n != 3 && n != 4) ++ if (n < 1) + exit(1); + v = a*1000000 + b*10000 + c*100 + d; + fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v); + +
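Review bot: the `$(DL_FILE)_BLAKE2` hunk swaps the pin for the 9.4p1 tarball, but neither the hunk nor the commit message says how the new digest was obtained, and a checksum alone only guarantees that later builds fetch the same bytes the submitter happened to download. Please state in the commit message that the tarball was checked against the detached signature OpenSSH publishes for each portable release before the BLAKE2 digest was taken, so a reviewer can tell a vetted pin from a pin of whatever the mirror served.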
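Review bot: the two recipe lines added in the `$(TARGET)` hunk are described in the commit message as temporary, but nothing in lfs/openssh records that, so add a comment above `cd $(DIR_APP) && patch -Np1 < ...` along the lines of `# Fix zlib 1.3 version check, drop together with the autoconf line at the next openssh release` to stop them being carried forward. Also note that `cd $(DIR_APP) && autoconf` regenerates the whole `configure` script from `configure.ac` with whatever autoconf the build host provides rather than the version upstream used for the 9.4p1 tarball; the regenerated script should be diffed against the shipped one for changes beyond the zlib hunk before merging. The ordering is right as submitted: the existing `sed -i "s/lkrb5 -ldes/lkrb5/" configure` runs after the regeneration, so it still edits the new file.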
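Review bot: in the configure.ac hunk of the new patch file the relaxed `if (n < 1)` gate only works because `a`, `b`, `c` and `d` are zero-initialised before `sscanf`, so a two-component "1.3" folds to `v = 1030000` and sorts above "1.2.13" (1021300), which is the intended fix for bz#3604; a future "1.3.1" or "2.0" is handled the same way. The comparison of `v` against the known-buggy zlib range sits outside the seven visible context lines, so confirm against the full configure.ac that nothing after `fprintf` still assumes three components. The inner hunk itself is complete (seven lines of old and new context, matching the `@@ -1464,7 +1464,7 @@` header), and the two trailing `+` lines are the blank lines at the end of the patch file.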
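To make the zlib 1.3 failure described in the commit message concrete, here is an added example (not OpenSSH's configure.ac probe and not part of the IPFire patch) that reproduces the probe's parsing in a stand-alone function and runs both the old `n != 3 && n != 4` gate and the new `n < 1` gate over a few constructed version strings. The `enum check_mode` and function names are my own; the `sscanf` format and the `a*1000000 + b*10000 + c*100 + d` weighting are the ones in the hunk.

```c
#include <stdio.h>

/* Which gate from configure.ac to apply after sscanf(); names are assumed. */
enum check_mode { CHECK_OLD, CHECK_NEW };

/*
 * Reproduce the configure.ac probe: parse up to four dotted integers
 * from a zlib version string and fold them into one comparable weight,
 * a*1000000 + b*10000 + c*100 + d (the formula in the hunk).
 * Returns -1 when the selected gate rejects the string, which is what
 * makes configure's test program exit(1) and report zlib as unusable.
 * Components that sscanf does not fill keep their initial 0, which is
 * why a two-component "1.3" still orders correctly under the new gate.
 */
int zlib_version_value(const char *version, enum check_mode mode)
{
    int a = 0, b = 0, c = 0, d = 0, n;

    n = sscanf(version, "%d.%d.%d.%d", &a, &b, &c, &d);

    if (mode == CHECK_OLD) {
        /* pre-fix gate: only "x.y.z" and "x.y.z.w" pass, so "1.3" (n == 2) fails */
        if (n != 3 && n != 4)
            return -1;
    } else {
        /* post-fix gate (bz#3604): any string with a leading integer passes */
        if (n < 1)
            return -1;
    }
    return a * 1000000 + b * 10000 + c * 100 + d;
}

/* True when the probe would accept the string under the given gate. */
int zlib_version_accepted(const char *version, enum check_mode mode)
{
    return zlib_version_value(version, mode) >= 0;
}

int main(void)
{
    /* constructed sample inputs; "1.3" is the release that tripped the old gate */
    const char *samples[] = { "1.2.13", "1.2.1.2", "1.3", "1.3.1", "zlib" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        printf("%-8s old gate: %8d  new gate: %8d\n", samples[i],
               zlib_version_value(samples[i], CHECK_OLD),
               zlib_version_value(samples[i], CHECK_NEW));
    }
    return 0;
}
```

Running it shows "1.3" rejected (-1) by the old gate and encoded as 1030000 by the new one, above 1.2.13's 1021300, while a non-numeric string is still rejected by both gates.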