git: 6c74a768ede7 - main - security/openssh-portable: Revert commit

From: Bernard Spil <brnrd_at_FreeBSD.org>
Date: Mon, 01 Jul 2024 11:05:35 UTC
The branch main has been updated by brnrd:

URL: https://cgit.FreeBSD.org/ports/commit/?id=6c74a768ede70109e336be37bf3fe2ae655cd2b6

commit 6c74a768ede70109e336be37bf3fe2ae655cd2b6
Author:     Bernard Spil <brnrd@FreeBSD.org>
AuthorDate: 2024-07-01 11:03:32 +0000
Commit:     Bernard Spil <brnrd@FreeBSD.org>
CommitDate: 2024-07-01 11:03:32 +0000

    security/openssh-portable: Revert commit
    
     * Revert changes other than the PORTREVISION bump
     * See PR 280068
---
 security/openssh-portable/Makefile                 | 11 ++-----
 .../openssh-portable/files/patch-CVE-2024-6387     | 36 ----------------------
 2 files changed, 3 insertions(+), 44 deletions(-)

diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile
index 65f88b3e3f82..5cf4aa38d3e3 100644
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@@ -23,6 +23,7 @@ GNU_CONFIGURE=		yes
 GNU_CONFIGURE_MANPREFIX=	${PREFIX}/share
 CONFIGURE_ARGS=		--prefix=${PREFIX} \
 			--without-zlib-version-check \
+			--with-ssl-engine \
 			--with-mantype=man
 
 ETCOLD=			${PREFIX}/etc
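Review bot: `--with-ssl-engine` returns to the unconditional CONFIGURE_ARGS list here, but nothing in the Makefile records that the port can no longer be built without OpenSSL through its options, now that OPENSSL is dropped from OPTIONS_DEFINE and OPTIONS_DEFAULT in the next hunk. A short comment above the assignment, such as `# OpenSSL is required; engine support is always enabled (no OPENSSL option)`, would save the next maintainer from re-deriving that from history. The same commit also deletes files/patch-CVE-2024-6387 while keeping the PORTREVISION bump, and the message only points to PR 280068. The log should say which remaining change carries the sshsigdie() fix, so that a rebuilt package is not assumed patched on the strength of the revision number alone.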
@@ -41,8 +42,8 @@ gssapi_PKGNAMESUFFIX=		-portable-gssapi
 
 OPTIONS_DEFINE=		DOCS PAM TCP_WRAPPERS LIBEDIT BSM \
 			HPN KERB_GSSAPI \
-			LDNS NONECIPHER XMSS FIDO_U2F BLACKLISTD OPENSSL
-OPTIONS_DEFAULT=	LIBEDIT PAM TCP_WRAPPERS LDNS FIDO_U2F OPENSSL
+			LDNS NONECIPHER XMSS FIDO_U2F BLACKLISTD
+OPTIONS_DEFAULT=	LIBEDIT PAM TCP_WRAPPERS LDNS FIDO_U2F
 .if ${FLAVOR:U} == hpn
 OPTIONS_DEFAULT+=	HPN NONECIPHER
 .endif
@@ -63,7 +64,6 @@ NONECIPHER_DESC=	NONE Cipher support
 XMSS_DESC=		XMSS key support (experimental)
 FIDO_U2F_DESC=		FIDO/U2F support (security/libfido2)
 BLACKLISTD_DESC=	FreeBSD blacklistd(8) support
-OPENSSL_DESC=		Use of OpenSSL; when disabled use only limited internal crypto **EXPERIMENTAL**
 
 OPTIONS_SUB=		yes
 
@@ -94,9 +94,6 @@ FIDO_U2F_CONFIGURE_OFF=	--disable-security-key
 
 BLACKLISTD_EXTRA_PATCHES=	${FILESDIR}/extra-patch-blacklistd
 
-OPENSSL_CONFIGURE_ON=	--with-ssl-engine
-OPENSSL_CONFIGURE_OFF=	--without-openssl
-
 ETCDIR?=		${PREFIX}/etc/ssh
 
 .include <bsd.port.pre.mk>
@@ -212,8 +209,6 @@ post-patch:
 	    ${WRKSRC}/sshd_config.5
 	@${ECHO_CMD} '#define SSH_VERSION_FREEBSD_PORT	"${VERSION_ADDENDUM_DEFAULT}"' >> \
 		${WRKSRC}/version.h
-	@${REINPLACE_CMD} \
-	    -e 's|BLACKLIST_BAD_USER|BLACKLIST_AUTH_FAIL|' ${WRKSRC}/auth.c
 
 post-configure-XMSS-on:
 	@${ECHO_CMD} "#define WITH_XMSS 1" >> ${WRKSRC}/config.h
diff --git a/security/openssh-portable/files/patch-CVE-2024-6387 b/security/openssh-portable/files/patch-CVE-2024-6387
deleted file mode 100644
index 65d0fe4323a4..000000000000
--- a/security/openssh-portable/files/patch-CVE-2024-6387
+++ /dev/null
@@ -1,36 +0,0 @@
-From 8f80def8aa085385dc4fe4668f0e29d3a0dc8510 Mon Sep 17 00:00:00 2001
-From: Philip Paeps <philip@FreeBSD.org>
-Date: Mon, 1 Jul 2024 16:20:01 +0800
-Subject: openssh: Fix pre-authentication remote code execution in sshd.
-
-Reported by:	Qualys Threat Research Unit (TRU)
-Approved by:	so
-Security:	FreeBSD-SA-24:04.openssh
-Security:	CVE-2024-6387
-
-(cherry picked from commit 2abea9df01655633aabbb9bf3204c90722001202)
-(cherry picked from commit 620a6a54bb7bb6e1c5607092b6ec49e353e0925f)
----
- crypto/openssh/log.c     | 2 ++
- crypto/openssh/version.h | 2 +-
- 2 files changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/crypto/openssh/log.c b/crypto/openssh/log.c
-index 9fc1a2e2eaf6..436c75630181 100644
---- log.c.orig
-+++ log.c
-@@ -451,12 +451,14 @@ void
- sshsigdie(const char *file, const char *func, int line, int showfunc,
-     LogLevel level, const char *suffix, const char *fmt, ...)
- {
-+#if 0
- 	va_list args;
- 
- 	va_start(args, fmt);
- 	sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
- 	    suffix, fmt, args);
- 	va_end(args);
-+#endif
- 	_exit(1);
- }
-