From patchwork Tue Mar 12 08:55:14 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adolf Belka X-Patchwork-Id: 7602 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384 client-signature ECDSA (secp384r1) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4Tv6t573TPz3wdY for ; Tue, 12 Mar 2024 08:55:25 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384 client-signature ECDSA (secp384r1) client-digest SHA384) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4Tv6t33MWlz1R3; Tue, 12 Mar 2024 08:55:23 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4Tv6t31cn8z2yys; Tue, 12 Mar 2024 08:55:23 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384 client-signature ECDSA (secp384r1) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4Tv6t02Tyqz2xD9 for ; Tue, 12 Mar 2024 08:55:20 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4Tv6sz0rXKz12c; Tue, 12 Mar 2024 08:55:18 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1710233719; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=dJ8SxA5PPHPTbH8WVYYsr1Ws9PWMYVylWaeUhQLzZYE=; b=mNmsIrrVAIAe7PQ2A8WXcyTmK4K+5bSgZhhzf9C8Kd91Ub+CgF6EwM4MzjulNipdAJ2kvk Fpdz3Lw2kSQXQ5AA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1710233719; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=dJ8SxA5PPHPTbH8WVYYsr1Ws9PWMYVylWaeUhQLzZYE=; b=QRIhH7y/gjoJIkK37jQhlUEi3rdqlWs2FT3nSNGvU6B7Xy7En2INSomD46euuJNPG9Ed2x LA51b1mhbi+wCf0zxwf2eSqs8XiSFsV1V1Axc+7Xt8CBqh2PKlQ1h4x55M6zjAeCYDIael VnVCfkmbS/6+/PWyTc0R7NKkbatPArN2iYq4Klsq+mtttE8mHaCZ7Nlfhe+TDme68lM67o ISVcjMihFF4l9oemgevAAUMfalgjcipzm5GH8cT3PxQbid2o1VuBo5FQ+dQmQMP3Yh33aS KdEUzm8/NmjdLXjKNCKzH30egmcCdh9F9Dt3XjLTLwak3lWPKXWNHcYWSZt9Nw== From: Adolf Belka To: development@lists.ipfire.org Subject: [PATCH] openssh: Update to version 9.7p1 Date: Tue, 12 Mar 2024 09:55:14 +0100 Message-ID: <20240312085514.87310-1-adolf.belka@ipfire.org> MIME-Version: 1.0 Message-ID-Hash: ZQLWYZX5AWMWBJTEUUSY7GSUIHIKHIWU X-Message-ID-Hash: ZQLWYZX5AWMWBJTEUUSY7GSUIHIKHIWU X-MailFrom: adolf.belka@ipfire.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.8 Precedence: list List-Id: IPFire development talk Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: - Update from version 9.6p1 to 9.7p1 - Update of rootfile not required - Changelog 9.7p1 Future deprecation notice OpenSSH plans to remove support for the DSA signature algorithm in early 2025 and compile-time disable it later this year. DSA, as specified in the SSHv2 protocol, is inherently weak - being limited to a 160 bit private key and use of the SHA1 digest. Its estimated security level is only 80 bits symmetric equivalent. OpenSSH has disabled DSA keys by default since 2015 but has retained run-time optional support for them. DSA was the only mandatory-to- implement algorithm in the SSHv2 RFCs[3], mostly because alternative algorithms were encumbered by patents when the SSHv2 protocol was specified. This has not been the case for decades at this point and better algorithms are well supported by all actively-maintained SSH implementations. We do not consider the costs of maintaining DSA in OpenSSH to be justified and hope that removing it from OpenSSH can accelerate its wider deprecation in supporting cryptography libraries. This release makes DSA support in OpenSSH compile-time optional, defaulting to on. We intend the next release to change the default to disable DSA at compile time. The first OpenSSH release of 2025 will remove DSA support entirely. This release contains mostly bugfixes. New features * ssh(1), sshd(8): add a "global" ChannelTimeout type that watches all open channels and will close all open channels if there is no traffic on any of them for the specified interval. This is in addition to the existing per-channel timeouts added recently. This supports situations like having both session and x11 forwarding channels open where one may be idle for an extended period but the other is actively used. The global timeout could close both channels when both have been idle for too long. * All: make DSA key support compile-time optional, defaulting to on. Bugfixes * sshd(8): don't append an unnecessary space to the end of subsystem arguments (bz3667) * ssh(1): fix the multiplexing "channel proxy" mode, broken when keystroke timing obfuscation was added. (GHPR#463) * ssh(1), sshd(8): fix spurious configuration parsing errors when options that accept array arguments are overridden (bz3657). * ssh-agent(1): fix potential spin in signal handler (bz3670) * Many fixes to manual pages and other documentation, including GHPR#462, GHPR#454, GHPR#442 and GHPR#441. * Greatly improve interop testing against PuTTY. Portability * Improve the error message when the autoconf OpenSSL header check fails (bz#3668) * Improve detection of broken toolchain -fzero-call-used-regs support (bz3645). * Fix regress/misc/fuzz-harness fuzzers and make them compile without warnings when using clang16 Signed-off-by: Adolf Belka --- lfs/openssh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lfs/openssh b/lfs/openssh index 3833f2ca7..315b1a70b 100644 --- a/lfs/openssh +++ b/lfs/openssh @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2023 IPFire Team # +# Copyright (C) 2007-2024 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@ include Config -VER = 9.6p1 +VER = 9.7p1 THISAPP = openssh-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = dd7f6747fe89f7b386be4faaf7fc43398a9bf439e45608ae61c2126cf8743c64ef7b5af45c75e9007b0bda525f8809261ca0f2fc47ce60177ba769a5324719dd +$(DL_FILE)_BLAKE2 = 520859fcbdf678808fc8515b64585ab9a90a8055fa869df6fbba3083cb7f73ddb81ed9ea981e131520736a8aed838f85ae68ca63406a410df61039913c5cb48b install : $(TARGET)