- Update from version 9.2p1 to 9.3p1 - Update of rootfile not required - Removal of patch as this was only required for i586 builds which are no longer done in IPFire - Changelog 9.3p1 (2023-03-15) This release fixes a number of security bugs. Security This release contains fixes for a security problem and a memory safety problem. The memory safety problem is not believed to be exploitable, but we report most network-reachable memory faults as security bugs. * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the per-hop destination constraints (ssh-add -h ...) added in OpenSSH 8.9, a logic error prevented the constraints from being communicated to the agent. This resulted in the keys being added without constraints. The common cases of non-smartcard keys and keys without destination constraints are unaffected. This problem was reported by Luci Stanescu. * ssh(1): Portable OpenSSH provides an implementation of the getrrsetbyname(3) function if the standard library does not provide it, for use by the VerifyHostKeyDNS feature. A specifically crafted DNS response could cause this function to perform an out-of-bounds read of adjacent stack data, but this condition does not appear to be exploitable beyond denial-of- service to the ssh(1) client. The getrrsetbyname(3) replacement is only included if the system's standard library lacks this function and portable OpenSSH was not compiled with the ldns library (--with-ldns). getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This problem was found by the Coverity static analyzer. New features * ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256 when outputting SSHFP fingerprints to allow algorithm selection. bz3493 * sshd(8): add a `sshd -G` option that parses and prints the effective configuration without attempting to load private keys and perform other checks. This allows usage of the option before keys have been generated and for configuration evaluation and verification by unprivileged users. Bugfixes * scp(1), sftp(1): fix progressmeter corruption on wide displays; bz3534 * ssh-add(1), ssh-keygen(1): use RSA/SHA256 when testing usability of private keys as some systems are starting to disable RSA/SHA1 in libcrypto. * sftp-server(8): fix a memory leak. GHPR363 * ssh(1), sshd(8), ssh-keyscan(1): remove vestigal protocol compatibility code and simplify what's left. * Fix a number of low-impact Coverity static analysis findings. These include several reported via bz2687 * ssh_config(5), sshd_config(5): mention that some options are not first-match-wins. * Rework logging for the regression tests. Regression tests will now capture separate logs for each ssh and sshd invocation in a test. * ssh(1): make `ssh -Q CASignatureAlgorithms` work as the manpage says it should; bz3532. * ssh(1): ensure that there is a terminating newline when adding a new entry to known_hosts; bz3529 Portability * sshd(8): harden Linux seccomp sandbox. Move to an allowlist of mmap(2), madvise(2) and futex(2) flags, removing some concerning kernel attack surface. * sshd(8): improve Linux seccomp-bpf sandbox for older systems; bz3537
Signed-off-by: Adolf Belka adolf.belka@ipfire.org --- lfs/openssh | 5 ++--- ...SH-8.2p1_glibc-2.31_clock_nanosleep_time64.patch | 13 ------------- 2 files changed, 2 insertions(+), 16 deletions(-) delete mode 100644 src/patches/OpenSSH-8.2p1_glibc-2.31_clock_nanosleep_time64.patch
diff --git a/lfs/openssh b/lfs/openssh index 89f486a79..5a18edd70 100644 --- a/lfs/openssh +++ b/lfs/openssh @@ -24,7 +24,7 @@
include Config
-VER = 9.2p1 +VER = 9.3p1
THISAPP = openssh-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = 8d0b5e43cb42cba105a1fe303c447a2b85151cb33ec7ed47747d75c5a61d0f07f0ee4b1020b79c13eb8de4b451c5a844a8afc7ebbbea7ffeceafc3bf59cb8d21 +$(DL_FILE)_BLAKE2 = 45578edf98bba3d23c7cefe60d8a7d3079e7c6676459f7422ace7a2461ab96943fbcadb478633a80f40bc098f2435722850b563714adb78b14922be53cb5753d
install : $(TARGET)
@@ -71,7 +71,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) cd $(DIR_APP) && sed -i "s/lkrb5 -ldes/lkrb5/" configure - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/OpenSSH-8.2p1_glibc-2.31_clock_nanosleep_time64.patch cd $(DIR_APP) && ./configure \ --prefix=/usr \ --sysconfdir=/etc/ssh \ diff --git a/src/patches/OpenSSH-8.2p1_glibc-2.31_clock_nanosleep_time64.patch b/src/patches/OpenSSH-8.2p1_glibc-2.31_clock_nanosleep_time64.patch deleted file mode 100644 index 5199872d9..000000000 --- a/src/patches/OpenSSH-8.2p1_glibc-2.31_clock_nanosleep_time64.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff -Naur openssh-8.2p1.org/sandbox-seccomp-filter.c openssh-8.2p1/sandbox-seccomp-filter.c ---- openssh-8.2p1.org/sandbox-seccomp-filter.c 2020-04-10 18:14:56.152309584 +0200 -+++ openssh-8.2p1/sandbox-seccomp-filter.c 2020-04-10 21:05:45.827921765 +0200 -@@ -253,6 +253,9 @@ - #endif - #ifdef __NR_clock_nanosleep_time64 - SC_ALLOW(__NR_clock_nanosleep_time64), -+#else -+ /* on i586 glibc call syscall 407 which is not defined */ -+ SC_ALLOW(407), - #endif - #ifdef __NR_clock_gettime64 - SC_ALLOW(__NR_clock_gettime64),