[PATCH] openssh: Update to version 9.4p1

27 Aug 2023

- Update from version 9.3p2 to 9.4p1
- Update of rootfile not required.
- The openssh check for zlib version incorrectly identifies version 1.3 as being older
   than the buggy zlib version. This bug was found on the oipenssh github pull request page
   but merged after openssh-9.4p1 was issued. Patch implemented to fix zlib version
   identification. This and the autoconf line can be removed when the next version of
   openssh is released.
- Changelog
    9.4p1
    This release fixes a number of bugs and adds some small features.
    Potentially incompatible changes
    	 * This release removes support for older versions of libcrypto.
    	   OpenSSH now requires LibreSSL >= 3.1.0 or OpenSSL >= 1.1.1.
    	   Note that these versions are already deprecated by their upstream
    	   vendors.
    	 * ssh-agent(1): PKCS#11 modules must now be specified by their full
    	   paths. Previously dlopen(3) could search for them in system
    	   library directories.
    New features
    	 * ssh(1): allow forwarding Unix Domain sockets via ssh -W.
    	 * ssh(1): add support for configuration tags to ssh(1).
    	   This adds a ssh_config(5) "Tag" directive and corresponding
    	   "Match tag" predicate that may be used to select blocks of
    	   configuration similar to the pf.conf(5) keywords of the same
    	   name.
    	 * ssh(1): add a "match localnetwork" predicate. This allows matching
    	   on the addresses of available network interfaces and may be used to
    	   vary the effective client configuration based on network location.
    	 * ssh(1), sshd(8), ssh-keygen(1): infrastructure support for KRL
    	   extensions.  This defines wire formats for optional KRL extensions
    	   and implements parsing of the new submessages. No actual extensions
    	   are supported at this point.
    	 * sshd(8): AuthorizedPrincipalsCommand and AuthorizedKeysCommand now
    	   accept two additional %-expansion sequences: %D which expands to
    	   the routing domain of the connected session and %C which expands
    	   to the addresses and port numbers for the source and destination
    	   of the connection.
    	 * ssh-keygen(1): increase the default work factor (rounds) for the
    	   bcrypt KDF used to derive symmetric encryption keys for passphrase
    	   protected key files by 50%.
    Bugfixes
    	 * ssh-agent(1): improve isolation between loaded PKCS#11 modules
    	   by running separate ssh-pkcs11-helpers for each loaded provider.
    	 * ssh(1): make -f (fork after authentication) work correctly with
    	   multiplexed connections, including ControlPersist. bz3589 bz3589
    	 * ssh(1): make ConnectTimeout apply to multiplexing sockets and not
    	   just to network connections.
    	 * ssh-agent(1), ssh(1): improve defences against invalid PKCS#11
    	   modules being loaded by checking that the requested module
    	   contains the required symbol before loading it.
    	 * sshd(8): fix AuthorizedPrincipalsCommand when AuthorizedKeysCommand
    	   appears before it in sshd_config. Since OpenSSH 8.7 the
    	   AuthorizedPrincipalsCommand directive was incorrectly ignored in
    	   this situation. bz3574
    	 * sshd(8), ssh(1), ssh-keygen(1): remove vestigal support for KRL
    	   signatures When the KRL format was originally defined, it included
    	   support for signing of KRL objects. However, the code to sign KRLs
    	   and verify KRL signatues was never completed in OpenSSH. This
    	   release removes the partially-implemented code to verify KRLs.
    	   All OpenSSH tools now ignore KRL_SECTION_SIGNATURE sections in
    	   KRL files.
    	 * All: fix a number of memory leaks and unreachable/harmless integer
    	   overflows.
    	 * ssh-agent(1), ssh(1): don't truncate strings logged from PKCS#11
    	   modules; GHPR406
    	 * sshd(8), ssh(1): better validate CASignatureAlgorithms in
    	   ssh_config and sshd_config. Previously this directive would accept
    	   certificate algorithm names, but these were unusable in practice as
    	   OpenSSH does not support CA chains. bz3577
    	 * ssh(1): make `ssh -Q CASignatureAlgorithms` only list signature
    	   algorithms that are valid for CA signing. Previous behaviour was
    	   to list all signing algorithms, including certificate algorithms.
    	 * ssh-keyscan(1): gracefully handle systems where rlimits or the
    	   maximum number of open files is larger than INT_MAX; bz3581
    	 * ssh-keygen(1): fix "no comment" not showing on when running
    	   `ssh-keygen -l` on multiple keys where one has a comment and other
    	   following keys do not. bz3580
    	 * scp(1), sftp(1): adjust ftruncate() logic to handle servers that
    	   reorder requests. Previously, if the server reordered requests then
    	   the resultant file would be erroneously truncated.
    	 * ssh(1): don't incorrectly disable hostname canonicalization when
    	   CanonicalizeHostname=yes and ProxyJump was expicitly set to
    	   "none". bz3567
    	 * scp(1): when copying local->remote, check that the source file
    	   exists before opening an SFTP connection to the server. Based on
    	   GHPR#370
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
---
 lfs/openssh                                   |  6 +++--
 ...ion_check_for_1.3_and_future_version.patch | 25 +++++++++++++++++++
 2 files changed, 29 insertions(+), 2 deletions(-)
 create mode 100644 src/patches/openssh-9.4p1_Fix_zlib_version_check_for_1.3_and_future_version.patch

diff --git a/lfs/openssh b/lfs/openssh
index 83c94ffdc..d5d67dd0e 100644
--- a/lfs/openssh
+++ b/lfs/openssh
@@ -24,7 +24,7 @@
include Config
-VER        = 9.3p2
+VER        = 9.4p1
THISAPP    = openssh-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = 38f8d4ada263112b318fafccabf0a33a004d8290a867434004eb3d37127c9bdabe6e0225fca9d6d68fb54338fec81dcc9313ca7c91d3a033311db44174dc9f6f
+$(DL_FILE)_BLAKE2 = d13d758129cce947d3f12edb6e88406aad10de6887b19ffa3ebd8e382b742a05f2a692a8824aec99939f6c7e13fbccc3bb14e5ee112f9a9255d4882eb87dcf53
install : $(TARGET)
@@ -70,6 +70,8 @@ $(subst %,%_BLAKE2,$(objects)) :
 $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
    @$(PREBUILD)
    @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
+	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssh-9.4p1_Fix_zlib_version_check_for_1.3_and_future_version.patch
+	cd $(DIR_APP) && autoconf
    cd $(DIR_APP) && sed -i "s/lkrb5 -ldes/lkrb5/" configure
    cd $(DIR_APP) && ./configure \
    	--prefix=/usr \
diff --git a/src/patches/openssh-9.4p1_Fix_zlib_version_check_for_1.3_and_future_version.patch b/src/patches/openssh-9.4p1_Fix_zlib_version_check_for_1.3_and_future_version.patch
new file mode 100644
index 000000000..ef3ff4dca
--- /dev/null
+++ b/src/patches/openssh-9.4p1_Fix_zlib_version_check_for_1.3_and_future_version.patch
@@ -0,0 +1,25 @@
+From cb4ed12ffc332d1f72d054ed92655b5f1c38f621 Mon Sep 17 00:00:00 2001
+From: Darren Tucker dtucker@dtucker.net
+Date: Sat, 19 Aug 2023 07:39:08 +1000
+Subject: [PATCH] Fix zlib version check for 1.3 and future version.
+
+bz#3604.
+---
+ configure.ac | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index 07893e87065..e3128dfcbb4 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1464,7 +1464,7 @@ else
+ 	[[
+ 	int a=0, b=0, c=0, d=0, n, v;
+ 	n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d);
+-	if (n != 3 && n != 4)
++	if (n < 1)
+ 		exit(1);
+ 	v = a*1000000 + b*10000 + c*100 + d;
+ 	fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v);
+
+
-- 
2.42.0


    

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

[PATCH] openssh: Update to version 9.4p1