git: 778644b31730 - main - security/openssh-portable: Update to 9.9p1

From: Bryan Drewery <bdrewery_at_FreeBSD.org>
Date: Tue, 08 Oct 2024 18:14:50 UTC
The branch main has been updated by bdrewery:

URL: https://cgit.FreeBSD.org/ports/commit/?id=778644b31730434e01eadfbe3a13101ea5cb4156

commit 778644b31730434e01eadfbe3a13101ea5cb4156
Author:     Bryan Drewery <bdrewery@FreeBSD.org>
AuthorDate: 2024-10-08 18:05:43 +0000
Commit:     Bryan Drewery <bdrewery@FreeBSD.org>
CommitDate: 2024-10-08 18:14:10 +0000

    security/openssh-portable: Update to 9.9p1
---
 security/openssh-portable/Makefile                 | 10 ++--
 security/openssh-portable/distinfo                 | 10 ++--
 .../openssh-portable/files/extra-patch-hpn-compat  |  8 +--
 .../openssh-portable/files/patch-FreeBSD-logincap  | 69 ----------------------
 4 files changed, 14 insertions(+), 83 deletions(-)

diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile
index 97ba9e01adf9..69edba17e8cc 100644
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@@ -1,6 +1,6 @@
 PORTNAME=	openssh
-DISTVERSION=	9.8p1
-PORTREVISION=	1
+DISTVERSION=	9.9p1
+PORTREVISION=	0
 PORTEPOCH=	1
 CATEGORIES=	security
 MASTER_SITES=	OPENBSD/OpenSSH/portable
@@ -109,13 +109,13 @@ EXTRA_PATCHES+=	${FILESDIR}/extra-patch-hpn-gss-glue
 .  endif
 # - See https://sources.debian.org/data/main/o/openssh/ for which subdir to
 # pull from.
-GSSAPI_DEBIAN_VERSION=	9.8p1
-GSSAPI_DEBIAN_SUBDIR=	${GSSAPI_DEBIAN_VERSION:U${DISTVERSION}}-3
+GSSAPI_DEBIAN_VERSION=	9.9p1
+GSSAPI_DEBIAN_SUBDIR=	${GSSAPI_DEBIAN_VERSION:U${DISTVERSION}}-1
 # - Debian does not use a versioned filename so we trick fetch to make one for
 # us with the ?<anything>=/ trick.
 PATCH_SITES+=	https://sources.debian.org/data/main/o/openssh/1:${GSSAPI_DEBIAN_SUBDIR}/debian/patches/gssapi.patch?dummy=/:gsskex
 # Bump this when updating the patch location
-GSSAPI_DISTVERSION=	9.8p1
+GSSAPI_DISTVERSION=	9.9p1
 PATCHFILES+=	openssh-${GSSAPI_DISTVERSION:U${DISTVERSION}}-gsskex-all-debian-rh-${GSSAPI_DISTVERSION}.patch:-p1:gsskex
 EXTRA_PATCHES+=	${FILESDIR}/extra-patch-gssapi-kexgssc.c
 EXTRA_PATCHES+=	${FILESDIR}/extra-patch-gssapi-kexgsss.c
diff --git a/security/openssh-portable/distinfo b/security/openssh-portable/distinfo
index 11c1f02429d4..41138b4167db 100644
--- a/security/openssh-portable/distinfo
+++ b/security/openssh-portable/distinfo
@@ -1,5 +1,5 @@
-TIMESTAMP = 1722605239
-SHA256 (openssh-9.8p1.tar.gz) = dd8bd002a379b5d499dfb050dd1fa9af8029e80461f4bb6c523c49973f5a39f3
-SIZE (openssh-9.8p1.tar.gz) = 1910393
-SHA256 (openssh-9.8p1-gsskex-all-debian-rh-9.8p1.patch) = f5b93bf8076aa386afa63e98bb5b39b6e477b8ccb24d2d4b700f6cd685be6f78
-SIZE (openssh-9.8p1-gsskex-all-debian-rh-9.8p1.patch) = 125084
+TIMESTAMP = 1728410939
+SHA256 (openssh-9.9p1.tar.gz) = b343fbcdbff87f15b1986e6e15d6d4fc9a7d36066be6b7fb507087ba8f966c02
+SIZE (openssh-9.9p1.tar.gz) = 1964864
+SHA256 (openssh-9.9p1-gsskex-all-debian-rh-9.9p1.patch) = b8b590024137d54394fd46ebfe32f2b081d0744abdcdcacf6dd30d1c91339864
+SIZE (openssh-9.9p1-gsskex-all-debian-rh-9.9p1.patch) = 125233
diff --git a/security/openssh-portable/files/extra-patch-hpn-compat b/security/openssh-portable/files/extra-patch-hpn-compat
index 2460c27491fa..ab7617663feb 100644
--- a/security/openssh-portable/files/extra-patch-hpn-compat
+++ b/security/openssh-portable/files/extra-patch-hpn-compat
@@ -31,12 +31,12 @@ r294563 was incomplete; re-add the client-side options as well.
  
  	{ NULL, oBadOption }
  };
---- servconf.c.orig	2024-06-30 21:36:28.000000000 -0700
-+++ servconf.c	2024-07-01 13:29:27.091708000 -0700
-@@ -739,6 +739,10 @@ static struct {
- 	{ "channeltimeout", sChannelTimeout, SSHCFG_ALL },
+--- servconf.c.orig	2024-09-19 15:20:48.000000000 -0700
++++ servconf.c	2024-10-07 20:18:18.259726000 -0700
+@@ -746,6 +746,10 @@ static struct {
  	{ "unusedconnectiontimeout", sUnusedConnectionTimeout, SSHCFG_ALL },
  	{ "sshdsessionpath", sSshdSessionPath, SSHCFG_GLOBAL },
+ 	{ "refuseconnection", sRefuseConnection, SSHCFG_ALL },
 +	{ "noneenabled", sUnsupported, SSHCFG_ALL },
 +	{ "hpndisabled", sDeprecated, SSHCFG_ALL },
 +	{ "hpnbuffersize", sDeprecated, SSHCFG_ALL },
diff --git a/security/openssh-portable/files/patch-FreeBSD-logincap b/security/openssh-portable/files/patch-FreeBSD-logincap
deleted file mode 100644
index 78d772e8a024..000000000000
--- a/security/openssh-portable/files/patch-FreeBSD-logincap
+++ /dev/null
@@ -1,69 +0,0 @@
-(pulled from the PR)
-
-commit 27ceebbc2402e4c98203c7eef9696f4bd3d326f8
-Author: Ed Maste <emaste@FreeBSD.org>
-Date:   Tue Aug 31 15:30:50 2021 -0400
-
-    openssh: simplify login class restrictions
-
-    Login class-based restrictions were introduced in 5b400a39b8ad.  The
-    code was adapted for sshd's Capsicum sandbox and received many changes
-    over time, including at least fc3c19a9fcee, bd393de91cc3, and
-    e8c56fba2926.
-
-    During an attempt to upstream the work a much simpler approach was
-    suggested.  Adopt it now in the in-tree OpenSSH to reduce conflicts with
-    future updates.
-
-    Submitted by:   Yuchiro Naito (against OpenSSH-portable on GitHub)
-    Obtained from:  https://github.com/openssh/openssh-portable/pull/262
-    Reviewed by:    allanjude, kevans
-    MFC after:      2 weeks
-    Differential Revision:  https://reviews.freebsd.org/D31760
-
-
---- auth.c
-+++ auth.c
-@@ -566,6 +566,9 @@ getpwnamallow(struct ssh *ssh, const char *user)
- {
- #ifdef HAVE_LOGIN_CAP
- 	extern login_cap_t *lc;
-+#ifdef HAVE_AUTH_HOSTOK
-+	const char *from_host, *from_ip;
-+#endif
- #ifdef BSD_AUTH
- 	auth_session_t *as;
- #endif
-@@ -611,6 +614,21 @@ getpwnamallow(struct ssh *ssh, const char *user)
- 		debug("unable to get login class: %s", user);
- 		return (NULL);
- 	}
-+#ifdef HAVE_AUTH_HOSTOK
-+	from_host = auth_get_canonical_hostname(ssh, options.use_dns);
-+	from_ip = ssh_remote_ipaddr(ssh);
-+	if (!auth_hostok(lc, from_host, from_ip)) {
-+		debug("Denied connection for %.200s from %.200s [%.200s].",
-+		      pw->pw_name, from_host, from_ip);
-+		return (NULL);
-+	}
-+#endif /* HAVE_AUTH_HOSTOK */
-+#ifdef HAVE_AUTH_TIMEOK
-+	if (!auth_timeok(lc, time(NULL))) {
-+		debug("LOGIN %.200s REFUSED (TIME)", pw->pw_name);
-+		return (NULL);
-+	}
-+#endif /* HAVE_AUTH_TIMEOK */
- #ifdef BSD_AUTH
- 	if ((as = auth_open()) == NULL || auth_setpwd(as, pw) != 0 ||
- 	    auth_approval(as, lc, pw->pw_name, "ssh") <= 0) {
---- configure.ac
-+++ configure.ac
-@@ -1784,6 +1784,8 @@ AC_SUBST([PICFLAG])
- 
- dnl    Checks for library functions. Please keep in alphabetical order
- AC_CHECK_FUNCS([ \
-+	auth_hostok \
-+	auth_timeok \
- 	Blowfish_initstate \
- 	Blowfish_expandstate \
- 	Blowfish_expand0state \
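Review bot: Deleting `files/patch-FreeBSD-logincap` removes the port's local `auth_hostok()` and `auth_timeok()` checks in `getpwnamallow()`, together with the `auth_hostok` / `auth_timeok` entries in `AC_CHECK_FUNCS`, and the commit message gives no reason for it. The removed patch's header says it was obtained from openssh-portable pull request 262, so the likely explanation is that 9.9p1 now carries the change upstream, but nothing on this page confirms that. I would add a line to the commit message such as `Drop patch-FreeBSD-logincap: merged upstream in 9.9p1`, if that is the case. It is also worth checking that the 9.9p1 `configure` output defines `HAVE_AUTH_HOSTOK` and `HAVE_AUTH_TIMEOK`. Otherwise login-class host and time restrictions stop being enforced for SSH logins without any build failure to signal it.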