git: 2cd20d9bc807 - stable/13 - ssh: Update to OpenSSH 9.6p1
Date: Mon, 08 Jan 2024 14:04:26 UTC
The branch stable/13 has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=2cd20d9bc80743d6562cb6165dc07b8391dddc27 commit 2cd20d9bc80743d6562cb6165dc07b8391dddc27 Author: Ed Maste <emaste@FreeBSD.org> AuthorDate: 2024-01-05 03:16:30 +0000 Commit: Ed Maste <emaste@FreeBSD.org> CommitDate: 2024-01-08 13:57:12 +0000 ssh: Update to OpenSSH 9.6p1 From the release notes, > This release contains a number of security fixes, some small features > and bugfixes. The most significant change in 9.6p1 is a set of fixes for a newly- discovered weakness in the SSH transport protocol. The fix was already merged into FreeBSD and released as FreeBSD-SA-23:19.openssh. Full release notes at https://www.openssh.com/txt/release-9.6 Relnotes: Yes Sponsored by: The FreeBSD Foundation (cherry picked from commit 069ac18495ad8fde2748bc94b0f80a50250bb01d) (cherry picked from commit a25789646d7130f5be166cac63d5c8b2b07c4706) --- crypto/openssh/.depend | 3 +- crypto/openssh/.github/configs | 14 +- crypto/openssh/.github/setup_ci.sh | 53 +- crypto/openssh/.github/workflows/c-cpp.yml | 15 +- crypto/openssh/.github/workflows/selfhosted.yml | 21 +- crypto/openssh/ChangeLog | 12792 +++++++++++----------- crypto/openssh/Makefile.in | 14 +- crypto/openssh/PROTOCOL | 21 +- crypto/openssh/PROTOCOL.agent | 33 +- crypto/openssh/README | 2 +- crypto/openssh/auth2.c | 8 +- crypto/openssh/authfd.c | 40 +- crypto/openssh/authfd.h | 5 +- crypto/openssh/channels.c | 36 +- crypto/openssh/channels.h | 4 +- crypto/openssh/cipher.c | 23 +- crypto/openssh/cipher.h | 3 +- crypto/openssh/clientloop.c | 34 +- crypto/openssh/config.h | 9 + crypto/openssh/configure.ac | 49 +- crypto/openssh/contrib/redhat/openssh.spec | 34 +- crypto/openssh/contrib/suse/openssh.spec | 2 +- crypto/openssh/kex.c | 235 +- crypto/openssh/kex.h | 7 +- crypto/openssh/log.c | 6 +- crypto/openssh/m4/openssh.m4 | 116 +- crypto/openssh/misc.c | 41 +- crypto/openssh/misc.h | 3 +- crypto/openssh/moduli | 898 +- 
crypto/openssh/monitor_wrap.c | 4 +- crypto/openssh/mux.c | 4 +- crypto/openssh/openbsd-compat/port-solaris.c | 24 +- crypto/openssh/readconf.c | 57 +- crypto/openssh/readconf.h | 7 +- crypto/openssh/regress/Makefile | 10 +- crypto/openssh/regress/agent-pkcs11-cert.sh | 92 + crypto/openssh/regress/agent-pkcs11-restrict.sh | 193 + crypto/openssh/regress/agent-pkcs11.sh | 82 +- crypto/openssh/regress/conch-ciphers.sh | 11 +- crypto/openssh/regress/dropbear-ciphers.sh | 33 + crypto/openssh/regress/dropbear-kex.sh | 31 + crypto/openssh/regress/forcecommand.sh | 56 +- crypto/openssh/regress/sshsig.sh | 72 +- crypto/openssh/regress/test-exec.sh | 169 +- crypto/openssh/regress/unittests/Makefile | 3 +- crypto/openssh/regress/unittests/Makefile.inc | 4 +- crypto/openssh/scp.c | 12 +- crypto/openssh/servconf.c | 40 +- crypto/openssh/sftp-client.c | 4 +- crypto/openssh/ssh-add.1 | 14 +- crypto/openssh/ssh-add.c | 92 +- crypto/openssh/ssh-agent.c | 241 +- crypto/openssh/ssh-pkcs11-client.c | 56 +- crypto/openssh/ssh-pkcs11.h | 5 +- crypto/openssh/ssh.1 | 7 +- crypto/openssh/ssh.c | 26 +- crypto/openssh/ssh2.h | 3 +- crypto/openssh/ssh_config.5 | 83 +- crypto/openssh/ssh_namespace.h | 7 +- crypto/openssh/sshconnect.c | 10 +- crypto/openssh/sshconnect.h | 6 +- crypto/openssh/sshconnect2.c | 63 +- crypto/openssh/sshd.c | 4 +- crypto/openssh/sshd_config | 2 +- crypto/openssh/sshd_config.5 | 2 +- crypto/openssh/sshkey.c | 40 +- crypto/openssh/sshsig.c | 7 +- crypto/openssh/version.h | 6 +- secure/usr.bin/ssh-agent/Makefile | 2 +- 69 files changed, 8731 insertions(+), 7374 deletions(-) diff --git a/crypto/openssh/.depend b/crypto/openssh/.depend index 259bf3b2f136..4897698ab74a 100644 --- a/crypto/openssh/.depend +++ b/crypto/openssh/.depend 
@@ -28,7 +28,8 @@ auth2-passwd.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd- auth2-pubkey.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h ssh.h ssh2.h packet.h openbsd-compat/sys-queue.h dispatch.h kex.h mac.h crypto_api.h sshbuf.h log.h ssherr.h misc.h servconf.h compat.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h auth2-pubkey.o: pathnames.h uidswap.h auth-options.h canohost.h monitor_wrap.h authfile.h match.h channels.h session.h sk-api.h auth2-pubkeyfile.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h 
openbsd-compat/bsd-nextstep.h entropy.h ssh.h log.h ssherr.h misc.h sshkey.h digest.h hostfile.h auth.h auth-pam.h audit.h loginrec.h auth-options.h authfile.h match.h -auth2.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h atomicio.h xmalloc.h ssh2.h packet.h openbsd-compat/sys-queue.h dispatch.h log.h ssherr.h sshbuf.h misc.h servconf.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h pathnames.h monitor_wrap.h digest.h +auth2.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h atomicio.h xmalloc.h ssh2.h packet.h 
openbsd-compat/sys-queue.h dispatch.h log.h ssherr.h sshbuf.h misc.h servconf.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h pathnames.h monitor_wrap.h digest.h kex .h +auth2.o: mac.h crypto_api.h authfd.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h ssh.h sshbuf.h sshkey.h authfd.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h log.h ssherr.h atomicio.h misc.h authfile.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h 
rijndael.h ssh.h log.h ssherr.h authfile.h misc.h atomicio.h sshkey.h sshbuf.h krl.h bitmap.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h bitmap.h
diff --git a/crypto/openssh/.github/configs b/crypto/openssh/.github/configs
index c7d6a55ab962..df82faf5046b 100755
--- a/crypto/openssh/.github/configs
+++ b/crypto/openssh/.github/configs
@@ -108,9 +108,19 @@ case "$config" in
 SKIP_LTESTS=sftp-chroot
 ;;
 gcc-11-Werror)
- CC="gcc"
+ CC="gcc-11"
+ # -Wnoformat-truncation in gcc 7.3.1 20180130 fails on fmt_scaled
+ # -Wunused-result ignores (void) so is not useful. See
+ # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66425
+ CFLAGS="-O2 -Wno-format-truncation -Wimplicit-fallthrough=4 -Wno-unused-parameter -Wno-unused-result"
+ CONFIGFLAGS="--with-pam --with-Werror"
+ ;;
+ gcc-12-Werror)
+ CC="gcc-12"
 # -Wnoformat-truncation in gcc 7.3.1 20180130 fails on fmt_scaled
- CFLAGS="-Wall -Wextra -O2 -Wno-format-truncation -Wimplicit-fallthrough=4 -Wno-unused-parameter"
+ # -Wunused-result ignores (void) so is not useful. See
+ # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66425
+ CFLAGS="-O2 -Wno-format-truncation -Wimplicit-fallthrough=4 -Wno-unused-parameter -Wno-unused-result"
 CONFIGFLAGS="--with-pam --with-Werror"
 ;;
 clang*|gcc*)
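Review bot: Both new CFLAGS lines, in the gcc-11-Werror case and the added gcc-12-Werror case, drop the `-Wall -Wextra` that the replaced CFLAGS line carried, so under `--with-Werror` only the warnings configure turns on by itself become fatal in these CI jobs. The `-Wno-unused-parameter` that stays behind appears to only matter when `-Wextra` is in effect, which suggests the drop may be accidental rather than intended. If the broader warning set was meant to survive, restore it as `CFLAGS="-Wall -Wextra -O2 -Wno-format-truncation -Wimplicit-fallthrough=4 -Wno-unused-parameter -Wno-unused-result"` in both cases. The `case "$config" in` statement starts before the hunk and continues after it.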
diff --git a/crypto/openssh/.github/setup_ci.sh b/crypto/openssh/.github/setup_ci.sh index 010a333a6642..d0ba7b4724e9 100755 --- a/crypto/openssh/.github/setup_ci.sh +++ b/crypto/openssh/.github/setup_ci.sh @@ -18,8 +18,7 @@ case "$host" in ;; *-darwin*) PACKAGER=brew - brew install automake - exit 0 + PACKAGES="automake" ;; *) PACKAGER=apt @@ -30,20 +29,30 @@ TARGETS=$@ INSTALL_FIDO_PPA="no" export DEBIAN_FRONTEND=noninteractive -#echo "Setting up for '$TARGETS'" - -set -ex +set -e if [ -x "`which lsb_release 2>&1`" ]; then lsb_release -a fi -# Ubuntu 22.04 defaults to private home dirs which prevent the -# agent-getpeerid test from running ssh-add as nobody. See -# https://github.com/actions/runner-images/issues/6106 -if [ ! -z "$SUDO" ] && ! "$SUDO" -u nobody test -x ~; then - echo ~ is not executable by nobody, adding perms. - chmod go+x ~ +if [ ! -z "$SUDO" ]; then + # Ubuntu 22.04 defaults to private home dirs which prevent the + # agent-getpeerid test from running ssh-add as nobody. See + # https://github.com/actions/runner-images/issues/6106 + if ! "$SUDO" -u nobody test -x ~; then + echo ~ is not executable by nobody, adding perms. + chmod go+x ~ + fi + # Some of the Mac OS X runners don't have a nopasswd sudo rule. Regular + # sudo still works, but sudo -u doesn't. Restore the sudo rule. + if ! "$SUDO" grep -E 'runner.*NOPASSWD' /etc/passwd >/dev/null; then + echo "Restoring runner nopasswd rule to sudoers." + echo 'runner ALL=(ALL) NOPASSWD: ALL' |$SUDO tee -a /etc/sudoers + fi + if ! "$SUDO" -u nobody -S test -x ~ </dev/null; then + echo "Still can't sudo to nobody." + exit 1 + fi fi if [ "${TARGETS}" = "kitchensink" ]; then @@ -57,6 +66,7 @@ for flag in $CONFIGFLAGS; do esac done +echo "Setting up for '$TARGETS'" for TARGET in $TARGETS; do case $TARGET in default|without-openssl|without-zlib|c89) 
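Review bot: In the `@@ -30,20 +29,30 @@` hunk the check `"$SUDO" grep -E 'runner.*NOPASSWD' /etc/passwd` looks for the sudoers rule in the wrong file: the rule the next line writes lives in `/etc/sudoers`, so the grep never matches and `runner ALL=(ALL) NOPASSWD: ALL` is appended again on every run. The test should read the file that is written, `if ! "$SUDO" grep -E 'runner.*NOPASSWD' /etc/sudoers >/dev/null; then`. Appending to `/etc/sudoers` with `tee -a` also skips the syntax validation that `visudo` performs; dropping the rule into its own file under `/etc/sudoers.d/` or following the append with `"$SUDO" visudo -c` would keep a malformed line from breaking sudo for the rest of the job. The following `sudo -S ... </dev/null` probe does catch the failure mode, but only after the file has already been modified.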
@@ -87,7 +97,9 @@ for TARGET in $TARGETS; do esac ;; *pam) - PACKAGES="$PACKAGES libpam0g-dev" + case "$PACKAGER" in + apt) PACKAGES="$PACKAGES libpam0g-dev" ;; + esac ;; sk) INSTALL_FIDO_PPA="yes" @@ -116,7 +128,7 @@ for TARGET in $TARGETS; do 1.*) INSTALL_OPENSSL="OpenSSL_$(echo ${INSTALL_OPENSSL} | tr . _)" ;; 3.*) INSTALL_OPENSSL="openssl-${INSTALL_OPENSSL}" ;; esac - PACKAGES="${PACKAGES} putty-tools" + PACKAGES="${PACKAGES} putty-tools dropbear-bin" ;; libressl-*) INSTALL_LIBRESSL=$(echo ${TARGET} | cut -f2 -d-) @@ -124,7 +136,7 @@ for TARGET in $TARGETS; do master) ;; *) INSTALL_LIBRESSL="$(echo ${TARGET} | cut -f2 -d-)" ;; esac - PACKAGES="${PACKAGES} putty-tools" + PACKAGES="${PACKAGES} putty-tools dropbear-bin" ;; boringssl) INSTALL_BORINGSSL=1 @@ -156,6 +168,13 @@ while [ ! -z "$PACKAGES" ] && [ "$tries" -gt "0" ]; do PACKAGES="" fi ;; + brew) + if [ ! -z "PACKAGES" ]; then + if brew install $PACKAGES; then + PACKAGES="" + fi + fi + ;; setup) if /cygdrive/c/setup.exe -q -P `echo "$PACKAGES" | tr ' ' ,`; then PACKAGES="" @@ -176,7 +195,7 @@ if [ "${INSTALL_HARDENED_MALLOC}" = "yes" ]; then (cd ${HOME} && git clone https://github.com/GrapheneOS/hardened_malloc.git && cd ${HOME}/hardened_malloc && - make -j2 && sudo cp out/libhardened_malloc.so /usr/lib/) + make && sudo cp out/libhardened_malloc.so /usr/lib/) fi if [ ! -z "${INSTALL_OPENSSL}" ]; then @@ -197,14 +216,14 @@ if [ ! -z "${INSTALL_LIBRESSL}" ]; then git checkout ${INSTALL_LIBRESSL} && sh update.sh && sh autogen.sh && ./configure --prefix=/opt/libressl && - make -j2 && sudo make install) + make && sudo make install) else LIBRESSL_URLBASE=https://cdn.openbsd.org/pub/OpenBSD/LibreSSL (cd ${HOME} && wget ${LIBRESSL_URLBASE}/libressl-${INSTALL_LIBRESSL}.tar.gz && tar xfz libressl-${INSTALL_LIBRESSL}.tar.gz && cd libressl-${INSTALL_LIBRESSL} && - ./configure --prefix=/opt/libressl && make -j2 && sudo make install) + ./configure --prefix=/opt/libressl && make && sudo make install) fi fi 
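Review bot: In the `brew)` case added by the `@@ -156,6 +168,13 @@` hunk, `if [ ! -z "PACKAGES" ]; then` tests the literal string `PACKAGES` rather than the variable, so the condition is always true. The enclosing `while [ ! -z "$PACKAGES" ] && ...` loop already guarantees the variable is non-empty at this point, so the mistake is harmless today, but the test as written is dead and will mislead whoever next copies it. Either drop the inner test or write it as `if [ ! -z "$PACKAGES" ]; then`, matching the loop header. The `case "$PACKAGER" in` that this arm belongs to begins and ends outside the hunk.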
diff --git a/crypto/openssh/.github/workflows/c-cpp.yml b/crypto/openssh/.github/workflows/c-cpp.yml
index be0c97f84cfd..8f624d21016c 100644
--- a/crypto/openssh/.github/workflows/c-cpp.yml
+++ b/crypto/openssh/.github/workflows/c-cpp.yml
@@ -47,7 +47,8 @@ jobs:
 - { target: ubuntu-20.04, config: gcc-7 }
 - { target: ubuntu-20.04, config: gcc-8 }
 - { target: ubuntu-20.04, config: gcc-10 }
- - { target: ubuntu-20.04, config: gcc-11-Werror }
+ - { target: ubuntu-22.04, config: gcc-11-Werror }
+ - { target: ubuntu-22.04, config: gcc-12-Werror }
 - { target: ubuntu-20.04, config: pam }
 - { target: ubuntu-20.04, config: kitchensink }
 - { target: ubuntu-22.04, config: hardenedmalloc }
@@ -61,18 +62,20 @@ jobs:
 - { target: ubuntu-latest, config: libressl-3.5.3 }
 - { target: ubuntu-latest, config: libressl-3.6.1 }
 - { target: ubuntu-latest, config: libressl-3.7.2 }
+ - { target: ubuntu-latest, config: libressl-3.8.2 }
 - { target: ubuntu-latest, config: openssl-master }
 - { target: ubuntu-latest, config: openssl-noec }
 - { target: ubuntu-latest, config: openssl-1.1.1 }
- - { target: ubuntu-latest, config: openssl-1.1.1k }
- - { target: ubuntu-latest, config: openssl-1.1.1n }
- - { target: ubuntu-latest, config: openssl-1.1.1q }
 - { target: ubuntu-latest, config: openssl-1.1.1t }
+ - { target: ubuntu-latest, config: openssl-1.1.1w }
 - { target: ubuntu-latest, config: openssl-3.0.0 }
- - { target: ubuntu-latest, config: openssl-3.0.7 }
+ - { target: ubuntu-latest, config: openssl-3.0.12 }
 - { target: ubuntu-latest, config: openssl-3.1.0 }
+ - { target: ubuntu-latest, config: openssl-3.1.4 }
+ - { target: ubuntu-latest, config: openssl-3.2.0 }
 - { target: ubuntu-latest, config: openssl-1.1.1_stable }
 - { target: ubuntu-latest, config: openssl-3.0 } # stable branch
+ - { target: ubuntu-latest, config: openssl-3.2 } # stable branch
 - { target: ubuntu-latest, config: zlib-develop }
 - { target: ubuntu-22.04, config: pam }
 - { target: ubuntu-22.04, config: krb5 }
@@ -108,7 +111,7 @@ jobs:
 - name: make clean
 run: make clean
 - name: make
- run: make -j2
+ run: make
 - name: make tests
 run: sh ./.github/run_test.sh ${{ matrix.config }}
 env:
diff --git a/crypto/openssh/.github/workflows/selfhosted.yml b/crypto/openssh/.github/workflows/selfhosted.yml
index de0a4125bf08..be0b4ffec580 100644
--- a/crypto/openssh/.github/workflows/selfhosted.yml
+++ b/crypto/openssh/.github/workflows/selfhosted.yml
@@ -31,6 +31,7 @@ jobs:
 - fbsd10
 - fbsd12
 - fbsd13
+ - fbsd14
 - minix3
 - nbsd3
 - nbsd4
@@ -38,22 +39,27 @@ jobs:
 - nbsd9
 - obsd51
 - obsd67
- - obsd69
- - obsd70
 - obsd72
 - obsd73
+ - obsd74
 - obsdsnap
 - obsdsnap-i386
 - openindiana
- - sol10
- - sol11
+ - ubuntu-2204
 config:
 - default
 host:
 - libvirt
 include:
+ # Long-running/slow tests have access to high priority runners.
+ - { target: aix51, config: default, host: libvirt-hipri }
+ - { target: openindiana, config: pam, host: libvirt-hipri }
+ - { target: sol10, config: default, host: libvirt-hipri }
+ - { target: sol10, config: pam, host: libvirt-hipri }
+ - { target: sol11, config: default, host: libvirt-hipri }
+ - { target: sol11, config: pam-krb5, host: libvirt-hipri }
+ - { target: sol11, config: sol64, host: libvirt-hipri }
 # Then we include extra libvirt test configs.
- - { target: aix51, config: default, host: libvirt }
 - { target: centos7, config: pam, host: libvirt }
 - { target: debian-i386, config: pam, host: libvirt }
 - { target: dfly30, config: without-openssl, host: libvirt}
@@ -64,12 +70,9 @@ jobs:
 - { target: fbsd10, config: pam, host: libvirt }
 - { target: fbsd12, config: pam, host: libvirt }
 - { target: fbsd13, config: pam, host: libvirt }
+ - { target: fbsd14, config: pam, host: libvirt }
 - { target: nbsd8, config: pam, host: libvirt }
 - { target: nbsd9, config: pam, host: libvirt }
- - { target: openindiana, config: pam, host: libvirt }
- - { target: sol10, config: pam, host: libvirt }
- - { target: sol11, config: pam-krb5, host: libvirt }
- - { target: sol11, config: sol64, host: libvirt }
 # VMs with persistent disks that have their own runner.
 - { target: win10, config: default, host: win10 }
 - { target: win10, config: cygwin-release, host: win10 }
diff --git a/crypto/openssh/ChangeLog b/crypto/openssh/ChangeLog
index 61725d3a136b..981b7ecd94b6 100644
--- a/crypto/openssh/ChangeLog
+++ b/crypto/openssh/ChangeLog
@@ -1,9557 +1,9505 @@ -commit 80a2f64b8c1d27383cc83d182b73920d1e6a91f1 +commit 8241b9c0529228b4b86d88b1a6076fb9f97e4a99 Author: Damien Miller <djm@mindrot.org> -Date: Wed Oct 4 15:34:10 2023 +1100 +Date: Tue Dec 19 01:59:50 2023 +1100 - crank version numbers + crank versions -commit f65f187b105d9b5c12fd750a211397d08c17c6d4 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Oct 4 04:04:09 2023 +0000 +commit 2f2c65cb5f1518a9c556d3e8efa27ea0ca305c6b +Author: Damien Miller <djm@mindrot.org> +Date: Tue Dec 19 01:59:06 2023 +1100 - upstream: openssh-9.5 - - OpenBSD-Commit-ID: 5e0af680480bd3b6f5560cf840ad032d48fd6b16 + depend -commit ffe27e54a4bb18d5d3bbd3f4cc93a41b8d94dfd2 +commit e48cdee8e19059203b1aeeabec2350b8375fa61f Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Oct 4 04:03:50 2023 +0000 +Date: Mon Dec 18 14:50:08 2023 +0000 - upstream: add some cautionary text about % token expansion and - - shell metacharacters; based on report from vinci AT protonmail.ch + upstream: regress test for agent PKCS#11-backed certificates - OpenBSD-Commit-ID: aa1450a54fcee2f153ef70368d90edb1e7019113 + OpenBSD-Regress-ID: 38f681777cb944a8cc3bf9d0ad62959a16764df9 -commit 60ec3d54fd1ebfe2dda75893fa1e870b8dffbb0d +commit 2f512f862df1d5f456f82a0334c9e8cc7208a2a1 Author: djm@openbsd.org <djm@openbsd.org> -Date: Tue Oct 3 23:56:10 2023 +0000 +Date: Mon Dec 18 14:49:39 2023 +0000 - upstream: fix link to agent draft; spotted by Jann Horn + upstream: regress test for constrained PKCS#11 keys - OpenBSD-Commit-ID: ff5bda21a83ec013db683e282256a85201d2dc4b + OpenBSD-Regress-ID: b2f26ae95d609d12257b43aef7cd7714c82618ff -commit 12e2d4b13f6f63ce2de13cbfcc9e4d0d4b4ab231 -Author: Damien Miller <djm@mindrot.org> -Date: Wed Oct 4 10:54:04 2023 +1100 +commit cdddd66412ca5920ed4d3ebbfa6ace12dbd9b82f +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Dec 18 14:48:44 2023 +0000 - use portable provider allowlist path in manpage + upstream: openssh-9.6 - spotted by Jann Horn + OpenBSD-Commit-ID: 
21759837cf0e0092d9a2079f8fb562071c11016b -commit 6c2c6ffde75df95fd838039850d3dd3d84956d87 -Author: deraadt@openbsd.org <deraadt@openbsd.org> -Date: Tue Sep 19 20:37:07 2023 +0000 +commit 6d51feab157cedf1e7ef5b3f8781ca8ff9c4ab1b +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Dec 18 14:48:08 2023 +0000 - upstream: typo; from Jim Spath + upstream: ssh-agent: record failed session-bind attempts - OpenBSD-Commit-ID: 2f5fba917b5d4fcf93d9e0b0756c7f63189e228e + Record failed attempts to session-bind a connection and refuse signing + operations on that connection henceforth. + + Prevents a future situation where we add a new hostkey type that is not + recognised by an older ssh-agent, that consequently causes session-bind + to fail (this situation is only likely to arise when people mix ssh(1) + and ssh-agent(1) of different versions on the same host). Previously, + after such a failure the agent socket would be considered unbound and + not subject to restriction. + + Spotted by Jann Horn + + OpenBSD-Commit-ID: b0fdd023e920aa4831413f640de4c5307b53552e -commit b6b49130a0089b297245ee39e769231d7c763014 +commit 7ef3787c84b6b524501211b11a26c742f829af1a Author: djm@openbsd.org <djm@openbsd.org> -Date: Sun Sep 10 23:12:32 2023 +0000 +Date: Mon Dec 18 14:47:44 2023 +0000 - upstream: rename remote_glob() -> sftp_glob() to match other API + upstream: ban user/hostnames with most shell metacharacters - OpenBSD-Commit-ID: d9dfb3708d824ec02970a84d96cf5937e0887229 + This makes ssh(1) refuse user or host names provided on the + commandline that contain most shell metacharacters. + + Some programs that invoke ssh(1) using untrusted data do not filter + metacharacters in arguments they supply. This could create + interactions with user-specified ProxyCommand and other directives + that allow shell injection attacks to occur. 
+ + It's a mistake to invoke ssh(1) with arbitrary untrusted arguments, + but getting this stuff right can be tricky, so this should prevent + most obvious ways of creating risky situations. It however is not + and cannot be perfect: ssh(1) has no practical way of interpreting + what shell quoting rules are in use and how they interact with the + user's specified ProxyCommand. + + To allow configurations that use strange user or hostnames to + continue to work, this strictness is applied only to names coming + from the commandline. Names specified using User or Hostname + directives in ssh_config(5) are not affected. + + feedback/ok millert@ markus@ dtucker@ deraadt@ + + OpenBSD-Commit-ID: 3b487348b5964f3e77b6b4d3da4c3b439e94b2d9 -commit 21b79af6c8d2357c822c84cef3fbdb8001ed263b +commit 0cb50eefdd29f0fec31d0e71cc4b004a5f704e67 Author: djm@openbsd.org <djm@openbsd.org> -Date: Sun Sep 10 03:51:55 2023 +0000 +Date: Mon Dec 18 14:47:20 2023 +0000 - upstream: typo in comment + upstream: stricter handling of channel window limits - OpenBSD-Commit-ID: 69285e0ce962a7c6b0ab5f17a293c60a0a360a18 - -commit 41232d25532b4d2ef6c5db62efc0cf50a79d26ca -Author: Darren Tucker <dtucker@dtucker.net> -Date: Sun Sep 10 15:45:38 2023 +1000 - - Use zero-call-used-regs=used with Apple compilers. + This makes ssh/sshd more strict in handling non-compliant peers that + send more data than the advertised channel window allows. Previously + the additional data would be silently discarded. This change will + cause ssh/sshd to terminate the connection if the channel window is + exceeded by more than a small grace allowance. - Apple's versions of clang have version numbers that do not match the - corresponding upstream clang versions. Unfortunately, they do still - have the clang-15 zero-call-used-regs=all bug, so for now use the value - that doesn't result in segfaults. We could allowlist future versions - that are known to work. bz#3584 (and probably also our github CI - failures). 
+ ok markus@ + + OpenBSD-Commit-ID: 811e21b41831eba3dd7f67b3d409a438f20d3037 -commit 90ccc5918ea505bf156c31148b6b59a1bf5d6dc6 +commit 4448a2938abc76e6bd33ba09b2ec17a216dfb491 Author: djm@openbsd.org <djm@openbsd.org> -Date: Sun Sep 10 03:25:53 2023 +0000 +Date: Mon Dec 18 14:46:56 2023 +0000 - upstream: randomise keystroke obfuscation intervals and average + upstream: Make it possible to load certs from PKCS#11 tokens - interval rate. ok dtucker@ + Adds a protocol extension to allow grafting certificates supplied by + ssh-add to keys loaded from PKCS#11 tokens in the agent. - OpenBSD-Commit-ID: 05f61d051ab418fcfc4857ff306e420037502382 + feedback/ok markus@ + + OpenBSD-Commit-ID: bb5433cd28ede2bc910996eb3c0b53e20f86037f -commit bd1b9e52f5fa94d87223c90905c5fdc1a7c32aa6 +commit 881d9c6af9da4257c69c327c4e2f1508b2fa754b Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Sep 8 06:34:24 2023 +0000 +Date: Mon Dec 18 14:46:12 2023 +0000 - upstream: fix sizeof(*ptr) instead sizeof(ptr) in realloc (pointer here + upstream: apply destination constraints to all p11 keys - is char**, so harmless); spotted in CID 416964 + Previously applied only to the first key returned from each token. - OpenBSD-Commit-ID: c61caa4a5a667ee20bb1042098861e6c72c69002 + ok markus@ + + OpenBSD-Commit-ID: 36df3afb8eb94eec6b2541f063d0d164ef8b488d -commit c4f966482983e18601eec70a1563115de836616f +commit a7ed931caeb68947d30af8a795f4108b6efad761 Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Sep 8 06:10:57 2023 +0000 +Date: Mon Dec 18 14:45:49 2023 +0000 - upstream: regress test recursive remote-remote directories copies where + upstream: add "ext-info-in-auth@openssh.com" extension - the directory contains a symlink to another directory. + This adds another transport protocol extension to allow a sshd to send + SSH2_MSG_EXT_INFO during user authentication, after the server has + learned the username that is being logged in to. 
- also remove errant `set -x` that snuck in at some point + This lets sshd to update the acceptable signature algoritms for public + key authentication, and allows these to be varied via sshd_config(5) + "Match" directives, which are evaluated after the server learns the + username being authenticated. - OpenBSD-Regress-ID: 1c94a48bdbd633ef2285954ee257725cd7bc456f + Full details in the PROTOCOL file + + OpenBSD-Commit-ID: 1de7da7f2b6c32a46043d75fcd49b0cbb7db7779 -commit 5e1dfe5014ebc194641678303e22ab3bba15f4e5 +commit 1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5 Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Sep 8 06:10:02 2023 +0000 +Date: Mon Dec 18 14:45:17 2023 +0000 - upstream: fix recursive remote-remote copies of directories that + upstream: implement "strict key exchange" in ssh and sshd - contain symlinks to other directories (similar to bz3611) + This adds a protocol extension to improve the integrity of the SSH + transport protocol, particular in and around the initial key exchange + (KEX) phase. - OpenBSD-Commit-ID: 7e19d2ae09b4f941bf8eecc3955c9120171da37f + Full details of the extension are in the PROTOCOL file. + + with markus@ + + OpenBSD-Commit-ID: 2a66ac962f0a630d7945fee54004ed9e9c439f14 -commit 7c0ce2bf98b303b6ad91493ee3247d96c18ba1f6 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Sep 8 05:50:57 2023 +0000 +commit 59d691b886c79e70b1d1c4ab744e81fd176222fd +Author: Damien Miller <djm@mindrot.org> +Date: Mon Dec 18 14:49:11 2023 +1100 - upstream: regress test for recursive copies of directories containing + better detection of broken -fzero-call-used-regs - symlinks to other directories. bz3611, ok dtucker@ + Use OSSH_CHECK_CFLAG_LINK() for detection of these flags and extend + test program to exercise varargs, which seems to catch more stuff. 
- OpenBSD-Regress-ID: eaa4c29cc5cddff4e72a16bcce14aeb1ecfc94b9 + ok dtucker@ -commit 2de990142a83bf60ef694378b8598706bc654b08 +commit aa7b21708511a6d4aed3839fc9f6e82e849dd4a1 Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Sep 8 05:56:13 2023 +0000 +Date: Wed Dec 13 03:28:19 2023 +0000 - upstream: the sftp code was one of my first contributions to + upstream: when invoking KnownHostsCommand to determine the order of - OpenSSH and it shows - the function names are terrible. + host key algorithms to request, ensure that the hostname passed to the + command is decorated with the port number for ports other than 22. - Rename do_blah() to sftp_blah() to make them less so. + This matches the behaviour of KnownHostsCommand when invoked to look + up the actual host key. - Completely mechanical except for sftp_stat() and sftp_lstat() which - change from returning a pointer to a static variable (error-prone) to - taking a pointer to a caller-provided receiver. + bz3643, ok dtucker@ - OpenBSD-Commit-ID: eb54d6a72d0bbba4d623e2175cf5cc4c75dc2ba4 + OpenBSD-Commit-ID: 5cfabc0b7c6c7ab473666df314f377b1f15420b1 -commit 249d8bd0472b53e3a2a0e138b4c030a31e83346a -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Sep 8 05:50:12 2023 +0000 +commit 4086bd6652c0badccc020218a62190a7798fb72c +Author: markus@openbsd.org <markus@openbsd.org> +Date: Fri Dec 8 09:18:39 2023 +0000 - upstream: fix scp in SFTP mode recursive upload and download of - - directories that contain symlinks to other directories. In scp mode, the - links would be followed, but in SFTP mode they were not. 
bz3611, ok dtucker@ + upstream: prevent leak in sshsig_match_principals; ok djm@ - OpenBSD-Commit-ID: 9760fda668eaa94a992250d7670dfbc62a45197c + OpenBSD-Commit-ID: 594f61ad4819ff5c72dfe99ba666a17f0e1030ae -commit 0e1f4401c466fa4fdaea81b6dadc8dd1fc4cf0af +commit 19d3ee2f3adf7d9a606ff015c1e153744702c4c9 Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Sep 6 23:36:09 2023 +0000 +Date: Wed Dec 6 21:06:48 2023 +0000 - upstream: regression test for override of subsystem in match blocks + upstream: short circuit debug log processing early if we're not going - OpenBSD-Regress-ID: 5f8135da3bfda71067084c048d717b0e8793e87c + to log anything. From Kobe Housen + + OpenBSD-Commit-ID: 2bcddd695872a1bef137cfff7823044dcded90ea -commit 8a1450c62035e834d8a79a5d0d1c904236f9dcfe -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Sep 6 23:35:35 2023 +0000 +commit 947affad4831df015c498c00c6351ea6f13895d5 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Mon Nov 27 09:37:28 2023 +1100 - upstream: allow override of Sybsystem directives in sshd Match - - blocks + Add tests for OpenSSL 3.2.0 and 3.2 stable branch. + +commit 747dce36206675ca6b885010a835733df469351b +Author: Darren Tucker <dtucker@dtucker.net> +Date: Sat Nov 25 09:03:38 2023 +1100 + + Use non-zero arg in compiler test program. - OpenBSD-Commit-ID: 3911d18a826a2d2fe7e4519075cf3e57af439722 + Now that we're running the test program, passing zero to the test function + can cause divide-by-zero exceptions which might show up in logs. -commit 6e52826e2a74d077147a82ead8d4fbd5b54f4e3b -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Sep 6 23:26:37 2023 +0000 +commit 3d44a5c56585d1c351dbc006240a591b6da502b1 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Fri Nov 24 00:31:30 2023 +0000 - upstream: allocate the subsystems array as necessary and remove the + upstream: Plug mem leak of msg when processing a quit message. - fixed limit of subsystems. 
Saves a few kb of memory in the server and makes - it more like the other options. + Coverity CID#427852, ok djm@ - OpenBSD-Commit-ID: e683dfca6bdcbc3cc339bb6c6517c0c4736a547f + OpenBSD-Commit-ID: bf85362addbe2134c3d8c4b80f16601fbff823b7 -commit e19069c9fac4c111d6496b19c7f7db43b4f07b4f -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Sep 6 23:23:53 2023 +0000 +commit 1d7f9b6e297877bd00973e6dc5c0642dbefc3b5f +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Thu Nov 23 03:37:05 2023 +0000 - upstream: preserve quoting of Subsystem commands and arguments. + upstream: Include existing mux path in debug message. - This may change behaviour of exotic configurations, but the most common - subsystem configuration (sftp-server) is unlikely to be affected. + OpenBSD-Commit-ID: 1c3641be10c2f4fbad2a1b088a441d072e18bf16 + +commit f29934066bd0e561a2e516b7e584fb92d2eedee0 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Thu Nov 23 19:41:27 2023 +1100 + + Add an Ubuntu 22.04 test VM. - OpenBSD-Commit-ID: 8ffa296aeca981de5b0945242ce75aa6dee479bf + This is the same version as Github's runners so most of the testing on + it is over there, but having a local VM makes debugging much easier. -commit 52dfe3c72d98503d8b7c6f64fc7e19d685636c0b -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Sep 6 23:21:36 2023 +0000 +commit a93284a780cd3972afe5f89086b75d564ba157f3 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Thu Nov 23 19:36:22 2023 +1100 - upstream: downgrade duplicate Subsystem directives from being a + Add gcc-12 -Werror test on Ubuntu 22.04. - fatal error to being a debug message to match behaviour with just about all - other directives. + Explictly specify gcc-11 on Ubuntu 22.04 (it's the system compiler). + +commit 670f5a647e98b6fd95ad64f789f87ee3274b481b +Author: Darren Tucker <dtucker@dtucker.net> +Date: Thu Nov 23 19:34:57 2023 +1100 + + Check return value from write to prevent warning. - OpenBSD-Commit-ID: fc90ed2cc0c18d4eb8e33d2c5e98d25f282588ce + ... 
and since we're testing for flags with -Werror, this caused + configure to mis-detect compiler flags. -commit 1ee0a16e07b6f0847ff463d7b5221c4bf1876e25 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Sep 6 23:18:15 2023 +0000 +commit cea007d691cfedfa07a5b8599f97ce0511f53fc9 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Wed Nov 22 21:18:55 2023 +1100 - upstream: handle cr+lf (instead of just cr) in sshsig signature + Run compiler test program when compiling natively. - files + ok djm@ + +commit ee0d305828f13536c0a416bbf9c3e81039d9ea55 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Wed Nov 22 21:18:07 2023 +1100 + + Factor out compiler test program into a macro. - OpenBSD-Commit-ID: 647460a212b916540016d066568816507375fd7f + ok djm@ -commit e1c284d60a928bcdd60bc575c6f9604663502770 -Author: job@openbsd.org <job@openbsd.org> -Date: Mon Sep 4 10:29:58 2023 +0000 +commit de304c76316b029df460673725a9104224b9959b +Author: Darren Tucker <dtucker@dtucker.net> +Date: Wed Nov 22 08:55:36 2023 +1100 - upstream: Generate Ed25519 keys when invoked without arguments + Add fbsd14 VM to test pool. + +commit 99a2df5e1994cdcb44ba2187b5f34d0e9190be91 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Tue Nov 21 16:19:29 2023 +1100 + + Expand -fzero-call-used-regs test to cover gcc 11. - Ed25519 public keys are very convenient due to their small size. - OpenSSH has supported Ed25519 since version 6.5 (January 2014). + It turns out that gcc also has some problems with -fzero-call-used-regs, + at least v11 on mips. Previously the test in OSSH_CHECK_CFLAG_COMPILE + was sufficient to catch it with "=all", but not sufficient for "=used". + Expand the testcase and include it in the other tests for good measure. + See bz#3629. ok djm@. + +commit ff220d4010717f7bfbbc02a2400666fb9d24f250 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Tue Nov 21 14:04:34 2023 +1100 + + Stop using -fzero-call-used-regs=all - OK djm@ markus@ sthen@ deraadt@ + ... 
since it seems to be problematic with several different versions of + clang. Only use -fzero-call-used-regs=used which is less + problematic, except with Apple's clang where we don't use it at all. + bz#3629, ok djm@ + +commit 2a19e02f36b16f0f6cc915f7d1e60ead5e36303b +Author: Darren Tucker <dtucker@dtucker.net> +Date: Tue Nov 21 14:02:18 2023 +1100 + + Allow for vendor prefix on clang version numbers. - OpenBSD-Commit-ID: f498beaad19c8cdcc357381a60df4a9c69858b3f + Correctly detects the version of OpenBSD's native clang, as well as + Apple's. Spotted tb@, ok djm@. -commit 694150ad92765574ff82a18f4e86322bd3231e68 +commit c52db0114826d73eff6cdbf205e9c1fa4f7ca6c6 Author: djm@openbsd.org <djm@openbsd.org> -Date: Mon Sep 4 00:08:14 2023 +0000 +Date: Mon Nov 20 02:50:00 2023 +0000 - upstream: trigger keystroke timing obfucation only if the channels - - layer enqueud some data in the last poll() cycle; this avoids triggering the - obfuscatior for non-channels data like ClientAlive probes and also fixes a - related problem were the obfucations would be triggered on fully quiescent - connections. + upstream: set errno=EAFNOSUPPORT when filtering addresses that don't - Based on / tested by naddy@ + match AddressFamily; yields slightly better error message if no address + matches. bz#3526 - OpenBSD-Commit-ID: d98f32dc62d7663ff4660e4556e184032a0db123 + OpenBSD-Commit-ID: 29cea900ddd8b04a4d1968da5c4a893be2ebd9e6 -commit b5fd97896b59a3a46245cf438cc8b16c795d9f74 +commit 26f3f3bbc69196d908cad6558c8c7dc5beb8d74a Author: djm@openbsd.org <djm@openbsd.org> -Date: Mon Sep 4 00:04:02 2023 +0000 +Date: Wed Nov 15 23:03:38 2023 +0000 - upstream: avoid bogus "obfuscate_keystroke_timing: stopping ..." + upstream: when connecting via socket (the default case), filter - debug messages when keystroke timing obfuscation was never started; spotted - by naddy@ + addresses by AddressFamily if one was specified. 
Fixes the case where, if + CanonicalizeHostname is enabled, ssh may ignore AddressFamily. bz5326; ok + dtucker - OpenBSD-Commit-ID: 5c270d35f7d2974db5c1646e9c64188f9393be31 + OpenBSD-Commit-ID: 6c7d7751f6cd055126b2b268a7b64dcafa447439 -commit ccf7d913db34e49b7a6db1b8331bd402004c840d +commit 050c335c8da43741ed0df2570ebfbd5d1dfd0a31 Author: djm@openbsd.org <djm@openbsd.org> -Date: Mon Sep 4 00:01:46 2023 +0000 +Date: Wed Nov 15 22:51:49 2023 +0000 - upstream: make channel_output_poll() return a flag indicating + upstream: when deciding whether to enable keystroke timing - whether channel data was enqueued. Will be used to improve keystroke timing - obfuscation. Problem spotted by / tested by naddy@ + obfuscation, only consider enabling it when a channel with a tty is open. - OpenBSD-Commit-ID: f9776c7b0065ba7c3bbe50431fd3b629f44314d0 + Avoids turning on the obfucation when X11 forwarding only is in use, + which slows it right down. Reported by Roger Marsh + + OpenBSD-Commit-ID: c292f738db410f729190f92de100c39ec931a4f1 -commit 43254b326ac6e2131dbd750f9464dc62c14bd5a7 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Sun Sep 3 23:59:32 2023 +0000 +commit 676377ce67807a24e08a54cd60ec832946cc6cae +Author: tobhe@openbsd.org <tobhe@openbsd.org> +Date: Mon Nov 13 09:18:19 2023 +0000 - upstream: set interactive mode for ControlPersist sessions if they + upstream: Make sure sftp_get_limits() only returns 0 if 'limits' - originally requested a tty; enables keystroke timing obfuscation for most - ControlPersist sessions. Spotted by naddy@ + was initialized. This fixes a potential uninitialized use of 'limits' in + sftp_init() if sftp_get_limits() returned early because of an unexpected + message type. 
- OpenBSD-Commit-ID: 72783a26254202e2f3f41a2818a19956fe49a772 + ok djm@ + + OpenBSD-Commit-ID: 1c177d7c3becc1d71bc8763eecf61873a1d3884c -commit ff3eda68ceb2e2bb8f48e3faceb96076c3e85c20 +commit 64e0600f23c6dec36c3875392ac95b8a9100c2d6 Author: Darren Tucker <dtucker@dtucker.net> -Date: Thu Aug 31 23:02:35 2023 +1000 +Date: Mon Nov 13 20:03:31 2023 +1100 - Set LLONG_MAX for C89 test. + Test current releases of LibreSSL and OpenSSL. - If we don't have LLONG_MAX, configure will figure out that it can get it - by setting -std=gnu99, at which point we won't be testing C89 any more. - To avoid this, feed it in via CFLAGS. + Retire some of the older releases. -commit f98031773db361424d59e3301aa92aacf423d920 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Tue Aug 29 02:50:10 2023 +0000 +commit c8ed7cc545879ac15f6ce428be4b29c35598bb2a +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Wed Nov 1 02:08:38 2023 +0000 - upstream: make PerSourceMaxStartups first-match-wins; ok dtucker@ + upstream: Specify ssh binary to use - OpenBSD-Commit-ID: dac0c24cb709e3c595b8b4f422a0355dc5a3b4e7 + ... instead of relying on installed one. Fixes test failures in -portable + when running tests prior to installation. + + OpenBSD-Regress-ID: b6d6ba71c23209c616efc805a60d9a445d53a685 -commit cfa66857db90cd908de131e0041a50ffc17c7df8 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Mon Aug 28 09:52:09 2023 +0000 +commit e9fc2c48121cada1b4dcc5dadea5d447fe0093c3 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Wed Nov 1 13:11:31 2023 +1100 - upstream: descriptive text shouldn't be under .Cm + Put long-running test targets on hipri runners. - OpenBSD-Commit-ID: b1afaeb456a52bc8a58f4f9f8b2f9fa8f6bf651b + Some of the selfhosted test targets take a long time to run for various + reasons, so label them for "libvirt-hipri" runners so that they can + start immediately. This should reduce the time to complete all tests. 
-commit 01dbf3d46651b7d6ddf5e45d233839bbfffaeaec +commit 7ddf27668f0e21233f08c0ab2fe9ee3fdd6ab1e2 Author: djm@openbsd.org <djm@openbsd.org> -Date: Mon Aug 28 09:48:11 2023 +0000 +Date: Wed Nov 1 00:29:46 2023 +0000 - upstream: limit artificial login delay to a reasonable maximum (5s) + upstream: add some tests of forced commands overriding Subsystem - and don't delay at all for the "none" authentication mechanism. Patch by - Dmitry Belyavskiy in bz3602 with polish/ok dtucker@ + directives - OpenBSD-Commit-ID: 85b364676dd84cf1de0e98fc2fbdcb1a844ce515 + OpenBSD-Regress-ID: eb48610282f6371672bdf2a8b5d2aa33cfbd322b -commit 528da5b9d7c5da01ed7a73ff21c722e1b5326006 -Author: jmc@openbsd.org <jmc@openbsd.org> -Date: Mon Aug 28 05:32:28 2023 +0000 +commit fb06f9b5a065dfbbef5916fc4accc03c0bf026dd *** 20737 LINES SKIPPED ***