git: 273cf7f3b32b - stable/12 - ssh: update to OpenSSH v8.8p1
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 14 Feb 2022 20:29:06 UTC
The branch stable/12 has been updated by emaste:
URL: https://cgit.FreeBSD.org/src/commit/?id=273cf7f3b32b124c2b85d6ab30c3bfaa0bd7f2b9
commit 273cf7f3b32b124c2b85d6ab30c3bfaa0bd7f2b9
Author: Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2021-12-19 16:02:02 +0000
Commit: Ed Maste <emaste@FreeBSD.org>
CommitDate: 2022-02-14 20:26:46 +0000
ssh: update to OpenSSH v8.8p1
OpenSSH v8.8p1 was motivated primarily by a security update and
deprecation of RSA/SHA1 signatures. It also has a few minor bug fixes.
The security update was already applied to FreeBSD as an independent
change, and the RSA/SHA1 deprecation is excluded from this commit but
will immediately follow.
MFC after: 1 month
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
(cherry picked from commit e9e8876a4d6afc1ad5315faaa191b25121a813d7)
(cherry picked from commit 2ffb13149c8e46cb7d7e891b237255615906dc60)
(cherry picked from commit f40841ea9e70c8605dad4e8693fd6a8689b5e324)
---
crypto/openssh/.github/setup_ci.sh | 6 +-
crypto/openssh/.github/workflows/c-cpp.yml | 7 +-
crypto/openssh/ChangeLog | 1162 +++++++++-----------
crypto/openssh/README | 2 +-
crypto/openssh/auth-pam.c | 1 +
crypto/openssh/channels.c | 8 +-
crypto/openssh/clientloop.c | 5 +-
crypto/openssh/compat.c | 3 +-
crypto/openssh/config.h | 6 +
crypto/openssh/configure.ac | 10 +-
crypto/openssh/contrib/redhat/openssh.spec | 2 +-
crypto/openssh/contrib/redhat/sshd.init.old | 155 ---
crypto/openssh/contrib/redhat/sshd.pam.old | 8 -
crypto/openssh/contrib/suse/openssh.spec | 2 +-
crypto/openssh/log.c | 11 +-
crypto/openssh/openbsd-compat/bsd-pselect.c | 2 +-
crypto/openssh/opensshd.init.in | 22 +-
crypto/openssh/platform-tracing.c | 11 +
crypto/openssh/readconf.c | 58 +-
crypto/openssh/readconf.h | 3 +-
crypto/openssh/regress/Makefile | 3 +-
crypto/openssh/regress/agent-getpeereid.sh | 12 +-
crypto/openssh/regress/exit-status-signal.sh | 24 +
crypto/openssh/regress/hostkey-rotate.sh | 19 +
crypto/openssh/regress/keys-command.sh | 4 +-
crypto/openssh/regress/putty-ciphers.sh | 12 +-
crypto/openssh/regress/putty-kex.sh | 12 +-
crypto/openssh/regress/putty-transfer.sh | 12 +-
crypto/openssh/regress/sftp-chroot.sh | 9 +-
crypto/openssh/regress/sshfp-connect.sh | 14 +-
crypto/openssh/regress/test-exec.sh | 10 +-
crypto/openssh/scp.1 | 42 +-
crypto/openssh/scp.c | 40 +-
crypto/openssh/servconf.c | 7 +-
crypto/openssh/sftp-client.c | 3 +-
crypto/openssh/sftp-realpath.c | 3 +-
crypto/openssh/sftp.c | 25 +-
crypto/openssh/ssh-keygen.c | 5 +-
crypto/openssh/ssh.1 | 17 +-
crypto/openssh/ssh.c | 12 +-
crypto/openssh/ssh_config | 2 +-
crypto/openssh/ssh_config.5 | 25 +-
crypto/openssh/ssh_namespace.h | 1 +
crypto/openssh/sshd.8 | 11 +-
crypto/openssh/sshd_config | 2 +-
crypto/openssh/sshd_config.5 | 12 +-
crypto/openssh/version.h | 6 +-
.../tools/nanobsd/rescue/Files/etc/ssh/ssh_config | 2 +-
.../tools/nanobsd/rescue/Files/etc/ssh/sshd_config | 2 +-
49 files changed, 854 insertions(+), 978 deletions(-)
diff --git a/crypto/openssh/.github/setup_ci.sh b/crypto/openssh/.github/setup_ci.sh
index 70a444e4eff4..107c049c4175 100755
--- a/crypto/openssh/.github/setup_ci.sh
+++ b/crypto/openssh/.github/setup_ci.sh
@@ -11,6 +11,7 @@ TARGETS=$@
PACKAGES=""
INSTALL_FIDO_PPA="no"
+export DEBIAN_FRONTEND=noninteractive
#echo "Setting up for '$TARGETS'"
@@ -54,6 +55,7 @@ for TARGET in $TARGETS; do
openssl-*)
INSTALL_OPENSSL=$(echo ${TARGET} | cut -f2 -d-)
case ${INSTALL_OPENSSL} in
+ 1.1.1_stable) INSTALL_OPENSSL="OpenSSL_1_1_1-stable" ;;
1.*) INSTALL_OPENSSL="OpenSSL_$(echo ${INSTALL_OPENSSL} | tr . _)" ;;
3.*) INSTALL_OPENSSL="openssl-${INSTALL_OPENSSL}" ;;
esac
@@ -78,8 +80,8 @@ done
if [ "yes" = "$INSTALL_FIDO_PPA" ]; then
sudo apt update -qq
- sudo apt install software-properties-common
- sudo apt-add-repository ppa:yubico/stable
+ sudo apt install -qy software-properties-common
+ sudo apt-add-repository -y ppa:yubico/stable
fi
if [ "x" != "x$PACKAGES" ]; then
diff --git a/crypto/openssh/.github/workflows/c-cpp.yml b/crypto/openssh/.github/workflows/c-cpp.yml
index 289b18b7f621..152ddaa4fba6 100644
--- a/crypto/openssh/.github/workflows/c-cpp.yml
+++ b/crypto/openssh/.github/workflows/c-cpp.yml
@@ -31,7 +31,9 @@ jobs:
- { os: ubuntu-latest, configs: libressl-2.2.9 }
- { os: ubuntu-latest, configs: libressl-2.8.3 }
- { os: ubuntu-latest, configs: libressl-3.0.2 }
- - { os: ubuntu-latest, configs: libressl-3.2.5 }
+ - { os: ubuntu-latest, configs: libressl-3.2.6 }
+ - { os: ubuntu-latest, configs: libressl-3.3.4 }
+ - { os: ubuntu-latest, configs: libressl-3.4.0 }
- { os: ubuntu-latest, configs: openssl-master }
- { os: ubuntu-latest, configs: openssl-noec }
- { os: ubuntu-latest, configs: openssl-1.0.1 }
@@ -40,6 +42,9 @@ jobs:
- { os: ubuntu-latest, configs: openssl-1.1.0h }
- { os: ubuntu-latest, configs: openssl-1.1.1 }
- { os: ubuntu-latest, configs: openssl-1.1.1k }
+ - { os: ubuntu-latest, configs: openssl-3.0.0 }
+ - { os: ubuntu-latest, configs: openssl-1.1.1_stable } # stable branch
+ - { os: ubuntu-latest, configs: openssl-3.0 } # stable branch
- { os: ubuntu-18.04, configs: pam }
- { os: ubuntu-18.04, configs: kerberos5 }
- { os: ubuntu-18.04, configs: libedit }
diff --git a/crypto/openssh/ChangeLog b/crypto/openssh/ChangeLog
index 288e90bbfe51..9e660ec37ef3 100644
--- a/crypto/openssh/ChangeLog
+++ b/crypto/openssh/ChangeLog
@@ -1,3 +1,538 @@
+commit bf944e3794eff5413f2df1ef37cddf96918c6bde
+Author: Damien Miller <djm@mindrot.org>
+Date: Mon Sep 27 00:03:19 2021 +1000
+
+ initgroups needs grp.h
+
+commit 8c5b5655149bd76ea21026d7fe73ab387dbc3bc7
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sun Sep 26 14:01:11 2021 +0000
+
+ upstream: openssh-8.8
+
+ OpenBSD-Commit-ID: 12357794602ac979eb7312a1fb190c453f492ec4
+
+commit f3cbe43e28fe71427d41cfe3a17125b972710455
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sun Sep 26 14:01:03 2021 +0000
+
+ upstream: need initgroups() before setresgid(); reported by anton@,
+
+ ok deraadt@
+
+ OpenBSD-Commit-ID: 6aa003ee658b316960d94078f2a16edbc25087ce
+
+commit 8acaff41f7518be40774c626334157b1b1c5583c
+Author: Damien Miller <djm@mindrot.org>
+Date: Sun Sep 26 22:16:36 2021 +1000
+
+ update version numbers for release
+
+commit d39039ddc0010baa91c70a0fa0753a2699bbf435
+Author: kn@openbsd.org <kn@openbsd.org>
+Date: Sat Sep 25 09:40:33 2021 +0000
+
+ upstream: RSA/SHA-1 is not used by default anymore
+
+ OK dtucker deraadt djm
+
+ OpenBSD-Commit-ID: 055c51a221c3f099dd75c95362f902da1b8678c6
+
+commit 9b2ee74e3aa8c461eb5552a6ebf260449bb06f7e
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Fri Sep 24 11:08:03 2021 +1000
+
+ Move the fgrep replacement to hostkey-rotate.sh.
+
+ The fgrep replacement for buggy greps doesn't work in the sftp-glob test
+ so move it to just where we know it's needed.
+
+commit f7039541570d4b66d76e6f574544db176d8d5c02
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Fri Sep 24 08:04:14 2021 +1000
+
+ Replacement function for buggy fgrep.
+
+ GNU (f)grep <=2.18, as shipped by FreeBSD<=12 and NetBSD<=9 will
+ occasionally fail to find ssh host keys in the hostkey-rotate test.
+ If we have those versions, use awk instead.
+
+commit f6a660e5bf28a01962af87568e118a2d2e79eaa0
+Author: David Manouchehri <david.manouchehri@riseup.net>
+Date: Thu Sep 23 17:03:18 2021 -0400
+
+ Don't prompt for yes/no questions.
+
+commit 7ed1a3117c09f8c3f1add35aad77d3ebe1b85b4d
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Sep 20 06:53:56 2021 +0000
+
+ upstream: fix missing -s in SYNOPSYS and usage() as well as a
+
+ capitalisation mistake; spotted by jmc@
+
+ OpenBSD-Commit-ID: 0ed8ee085c7503c60578941d8b45f3a61d4c9710
+
+commit 8c07170135dde82a26886b600a8bf6fb290b633d
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Mon Sep 20 04:02:13 2021 +0000
+
+ upstream: Fix "Allocated port" debug message
+
+ for unix domain sockets. From peder.stray at gmail.com via github PR#272,
+ ok deraadt@
+
+ OpenBSD-Commit-ID: 8d5ef3fbdcdd29ebb0792b5022a4942db03f017e
+
+commit 277d3c6adfb128b4129db08e3d65195d94b55fe7
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Sep 20 01:55:42 2021 +0000
+
+ upstream: Switch scp back to use the old protocol by default, ahead of
+
+ release. We'll wait a little longer for people to pick up sftp-server(8) that
+ supports the extension that scp needs for ~user paths to continue working in
+ SFTP protocol mode. Discussed with deraadt@
+
+ OpenBSD-Commit-ID: f281f603a705fba317ff076e7b11bcf2df941871
+
+commit ace19b34cc15bea3482be90450c1ed0cd0dd0669
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sat Sep 18 02:03:25 2021 +0000
+
+ upstream: better error message for ~user failures when the
+
+ sftp-server lacks the expand-path extension; ok deraadt@
+
+ OpenBSD-Commit-ID: 9c1d965d389411f7e86f0a445158bf09b8f9e4bc
+
+commit 6b1238ba971ee722a310d95037b498ede5539c03
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Thu Sep 16 15:22:22 2021 +0000
+
+ upstream: make some more scp-in-SFTP mode better match Unix idioms
+
+ suggested by deraadt@
+
+ OpenBSD-Commit-ID: 0f2439404ed4cf0b0be8bf49a1ee734836e1ac87
+
+commit e694f8ac4409931e67d08ac44ed251b20b10a957
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Thu Sep 16 15:11:19 2021 +0000
+
+ upstream: allow log_stderr==2 to prefix log messages with argv[0]
+
+ use this to make scp's SFTP mode error messages more scp-like
+
+ prompted by and ok deraadt@
+
+ OpenBSD-Commit-ID: 0e821dbde423fc2280e47414bdc22aaa5b4e0733
+
+commit 8a7a06ee505cb833e613f74a07392e9296286c30
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Fri Sep 17 13:03:31 2021 +1000
+
+ Test against LibreSSL 3.2.6, 3.3.4, 3.4.0.
+
+commit c25c84074a47f700dd6534995b4af4b456927150
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Thu Sep 16 05:36:03 2021 +0000
+
+ upstream: missing space character in ssh -G output broke the
+
+ t-sshcfgparse regression test; spotted by anton@
+
+ OpenBSD-Commit-ID: bcc36fae2f233caac4baa8e58482da4aa350eed0
+
+commit a4bee1934bf5e5575fea486628f4123d6a29dff8
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Wed Sep 15 06:56:01 2021 +0000
+
+ upstream: allow CanonicalizePermittedCNAMEs=none in ssh_config; ok
+
+ markus@
+
+ OpenBSD-Commit-ID: 668a82ba8e56d731b26ffc5703213bfe071df623
+
+commit d0fffc88c8fe90c1815c6f4097bc8cbcabc0f3dd
+Author: mbuhl@openbsd.org <mbuhl@openbsd.org>
+Date: Tue Sep 14 11:04:21 2021 +0000
+
+ upstream: put back the mux_ctx memleak fix for SSH_CHANNEL_MUX_CLIENT
+
+ OK mfriedl@
+
+ OpenBSD-Commit-ID: 1aba1da828956cacaadb81a637338734697d9798
+
+commit 19b3d846f06697c85957ab79a63454f57f8e22d6
+Author: schwarze@openbsd.org <schwarze@openbsd.org>
+Date: Sat Sep 11 09:05:50 2021 +0000
+
+ upstream: Do not ignore SIGINT while waiting for input if editline(3)
+
+ is not used. Instead, in non-interactive mode, exit sftp(1), like for other
+ serious errors. As pointed out by dtucker@, when compiled without editline(3)
+ support in portable OpenSSH, the el == NULL branch is also used for
+ interactive mode. In that case, discard the input line and provide a fresh
+ prompt to the user just like in the case where editline(3) is used. OK djm@
+
+ OpenBSD-Commit-ID: 7d06f4d3ebba62115527fafacf38370d09dfb393
+
+commit ba61123eef9c6356d438c90c1199a57a0d7bcb0a
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sat Sep 11 00:40:24 2021 +0000
+
+ upstream: when using SFTP protocol, continue transferring files after a
+
+ transfer error occurs. This matches original scp/rcp behaviour. ok dtucker@
+
+ OpenBSD-Commit-ID: dfe4558d71dd09707e9b5d6e7d2e53b793da69fa
+
+commit b0ec59a708b493c6f3940336b1a537bcb64dd2a7
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Fri Sep 10 11:38:38 2021 +0000
+
+ upstream: Document that non-interactive commands are run via the user's
+
+ shell using the -c flag. ok jmc@
+
+ OpenBSD-Commit-ID: 4f0d912077732eead10423afd1acf4fc0ceec477
+
+commit 66a658b5d9e009ea11f8a0ca6e69c7feb2d851ea
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Fri Sep 10 10:26:02 2021 +0000
+
+ upstream: Document behaviour of arguments following non-interactive
+
+ commands. Prompted by github PR#139 from EvanTheB, feedback & ok djm@ jmc@
+
+ OpenBSD-Commit-ID: fc758d1fe0471dfab4304fcad6cd4ecc3d79162a
+
+commit 1d47e28e407d1f95fdf8f799be23f48dcfa5206b
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Fri Sep 10 07:11:11 2021 +0000
+
+ upstream: Clarify which file's attributes -p preserves, and that
+
+ it's specifically the file mode bits. bz#3340 from calestyo at scientia.net,
+ ok djm@ jmc@
+
+ OpenBSD-Commit-ID: f09e6098ed1c4be00c730873049825f8ee7cb884
+
+commit b344db7a413478e4c21e4cadba4a970ad3e6128a
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Sep 10 05:46:09 2021 +0000
+
+ upstream: openssh-7.4 was incorrectly listed twice; spotted by
+
+ Dmitry Belyavskiy, ok dtucker@
+
+ OpenBSD-Commit-ID: 4b823ae448f6e899927ce7b04225ac9e489f58ef
+
+commit 9136d6239ad7a4a293e0418a49b69e70c76d58b8
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date: Thu Sep 9 06:17:39 2021 +0000
+
+ upstream: - move CAVEATS to its correct order - use the term
+
+ "legacy" protocol rather than "original", as the latter made the text
+ misleading - uppercase SCP
+
+ ok djm
+
+ OpenBSD-Commit-ID: 8479255746d5fa76a358ee59e7340fecf4245ff0
+
+commit 2d678c5e3bdc2f5c99f7af5122e9d054925d560d
+Author: David Carlier <devnexen@gmail.com>
+Date: Wed Sep 8 19:49:54 2021 +0100
+
+ Disable tracing on FreeBSD using procctl.
+
+ Placed at the start of platform_disable_tracing() to prevent declaration
+ after code errors from strict C89 compilers (in the unlikely event that
+ more than one method is enabled).
+
+commit 73050fa38fb36ae3326d768b574806352b97002d
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Wed Sep 8 23:31:39 2021 +0000
+
+ upstream: Use the SFTP protocol by default. The original scp/rcp
+
+ protocol remains available via the -O flag.
+
+ Note that ~user/ prefixed paths in SFTP mode require a protocol extension
+ that was first shipped in OpenSSH 8.7.
+
+ ok deraadt, after baking in snaps for a while without incident
+
+ OpenBSD-Commit-ID: 23588976e28c281ff5988da0848cb821fec9213c
+
+commit c4565e69ffa2485cff715aa842ea7a350296bfb6
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Wed Sep 8 21:09:49 2021 +1000
+
+ Really fix test on OpenSSL 1.1.1 stable.
+
+commit 79f1bb5f56cef3ae9276207316345b8309248478
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Wed Sep 8 18:51:39 2021 +1000
+
+ Correct OpenSSL 1.1.1 stable identifier.
+
+commit b6255593ed5ccbe5e7d3d4b26b2ad31ad4afc232
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Wed Sep 8 18:39:44 2021 +1000
+
+ Increment nfds when coming from startup_pipe.
+
+ If we have to increase nfds because startup_pipe[0] is above any of the
+ descriptors passed in the fd_sets, we also need to add 1 to nfds since
+ select takes highest FD number plus one. bz#3345 from yaroslav.kuzmin
+ at vmssoftware.com.
+
+commit a3e92a6794817df6012ac8546aea19652cc91b61
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Wed Sep 8 13:45:10 2021 +1000
+
+ Tests for OpenSSL 3.0.0 release & 1.1.1 branch.
+
+commit 4afe431da98ec1cf6a2933fe5658f4fd68dee9e2
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Wed Sep 8 03:23:44 2021 +0000
+
+ upstream: correct my mistake in previous fix; spotted by halex
+
+ OpenBSD-Commit-ID: 3cc62d92e3f70006bf02468fc146bfc36fffa183
+
+commit ca0e455b9331213ff9505a21b94c38e34faa2bba
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Sep 7 06:03:51 2021 +0000
+
+ upstream: avoid NULL deref in -Y find-principals. Report and fix
+
+ from Carlo Marcelo Arenas Belón
+ MIME-Version: 1.0
+ Content-Type: text/plain; charset=UTF-8
+ Content-Transfer-Encoding: 8bit
+
+ OpenBSD-Commit-ID: 6238486f8ecc888d6ccafcd9ad99e621bb41f1e0
+
+commit 37616807f150fb46610bbd5031c31af4857ad1e9
+Author: millert@openbsd.org <millert@openbsd.org>
+Date: Mon Sep 6 00:36:01 2021 +0000
+
+ upstream: revision 1.381 neglected to remove
+
+ sChallengeResponseAuthentication from the enum. Noticed by
+ christos@zoulas.com. OK dtucker@
+
+ OpenBSD-Commit-ID: b533283a4dd6d04a867da411a4c7a8fbc90e34ff
+
+commit 7acb3578cdfec0b3d34501408071f7a96c1684ea
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Sun Sep 5 20:45:42 2021 +1000
+
+ Correct version_num for OpenSSL dev branch.
+
+commit 65bb01111320dfd0d25e21e1fd4d3f2b77532669
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Sun Sep 5 19:37:39 2021 +1000
+
+ Test against OpenSSL 3 branch as well as dev.
+
+ Now that OpenSSL development has moved to 3.1, test against the most
+ recent version of the openssl-3.0 branch too.
+
+commit 864ed0d5e04a503b97202c776b7cf3f163f3eeaa
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Sun Sep 5 19:33:22 2021 +1000
+
+ OpenSSL development is now 3.1.*
+
+commit a60209a586a928f92ab323bf23bd07f57093342e
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Fri Sep 3 07:43:23 2021 +0000
+
+ upstream: Use .Cm instead of .Dq in StrictHostKeyChecking list for
+
+ consistency. Patch from scop via github PR#257, ok jmc@
+
+ OpenBSD-Commit-ID: 3652a91564570779431802c31224fb4a9cf39872
+
+commit 8d1d9eb6de37331e872700e9e399a3190cca1242
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Fri Sep 3 07:27:03 2021 +0000
+
+ upstream: Mention using ssh -i for specifying the public key file
+
+ in the case where the private key is loaded into ssh-agent but is not present
+ locally. Based on patch from rafork via github PR#215, ok jmc@
+
+ OpenBSD-Commit-ID: 2282e83b0ff78d2efbe705883b67240745fa5bb2
+
+commit eb4362e5e3aa7ac26138b11e44d8c191910aff64
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Fri Sep 3 05:25:50 2021 +0000
+
+ upstream: Refer to KEX "algorithms" instead of "methods" to match
+
+ other references and improve consistency. Patch from scop via github PR#241,
+ ok djm@
+
+ OpenBSD-Commit-ID: 840bc94ff6861b28d8603c8e8c16499bfb65e32c
+
+commit b3318946ce5725da43c4bf7eeea1b73129c47d2a
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Fri Sep 3 05:12:25 2021 +0000
+
+ upstream: Remove redundant attrib_clear in upload_dir_internal.
+
+ The subsequent call to stat_to_attrib clears the struct as its first step
+ anyway. From pmeinhardt via github PR#220, ok djm@
+
+ OpenBSD-Commit-ID: f5234fc6d7425b607e179acb3383f21716f3029e
+
+commit 7cc3fe28896e653956a6a2eed0a25d551b83a029
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Fri Sep 3 04:11:13 2021 +0000
+
+ upstream: Add test for client termination status on signal.
+
+ Based on patch from Alexxz via github PR#235 with some tweaks, to
+ match patch in bz#3281.
+
+ OpenBSD-Regress-ID: d87c7446fb8b5f8b45894fbbd6875df326e729e2
+
+commit 5428b0d239f6b516c81d1dd15aa9fe9e60af75d4
+Author: deraadt@openbsd.org <deraadt@openbsd.org>
+Date: Thu Sep 2 21:03:54 2021 +0000
+
+ upstream: sys/param.h is not needed for any visible reason
+
+ OpenBSD-Commit-ID: 8bdea2d0c75692e4c5777670ac039d4b01c1f368
+
+commit 1ff38f34b4c4545eb28106629cafa1e0496bc726
+Author: Shchelkunov Artem <a.shchelkunov@ideco.ru>
+Date: Wed Aug 11 18:07:58 2021 +0500
+
+ Fix memory leak in error path.
+
+ *info is allocated via xstrdup but was leaked in the PAM_AUTH_ERR path.
+ From github PR#266.
+
+commit cb37e2f0c0ca4fef844ed7edc5d0e3b7d0e83f6a
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Wed Sep 1 03:16:06 2021 +0000
+
+ upstream: Fix ssh-rsa fallback for old PuTTY interop tests.
+
+ OpenBSD-Regress-ID: a19ac929da604843a5b5f0f48d2c0eb6e0773d37
+
+commit 8b02ef0f28dc24cda8cbcd8b7eb02bda8f8bbe59
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Wed Sep 1 00:50:27 2021 +0000
+
+ upstream: Add a function to skip remaining tests.
+
+ Many tests skip tests for various reasons but not in a consistent way and
+ don't always clean up, so add that and switch the tests that do that over.
+
+ OpenBSD-Regress-ID: 72d2ec90a3ee8849486956a808811734281af735
+
+commit d486845c07324c04240f1674ac513985bd356f66
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Tue Aug 31 07:13:59 2021 +0000
+
+ upstream: Specify path to PuTTY keys.
+
+ Portable needs this and it makes no difference on OpenBSD, so resync
+ them. (Id sync only, Portable already had this.)
+
+ OpenBSD-Regress-ID: 33f6f66744455886d148527af8368811e4264162
+
+commit d22b299115e27606e846b23490746f69fdd4fb38
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Tue Aug 31 06:13:23 2021 +0000
+
+ upstream: Better compat tests with old PuTTY.
+
+ When running PuTTY interop tests and using a PuTTY version older than
+ 0.76, re-enable the ssh-rsa host key algorithm (the 256 and 512 variants
+ of RSA were added some time between 0.73 and 0.76).
+
+ OpenBSD-Regress-ID: e6138d6987aa705fa1e4f216db0bb386e1ff38e1
+
+commit 87ad70d605c3e39c9b8aa275db27120d7cc09b77
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Tue Aug 31 17:04:50 2021 +1000
+
+ Resync PuTTY interop tests.
+
+ Resync behaviour when REGRESS_INTEROP_PUTTY is not set with OpenBSD.
+
+commit e47b82a7bf51021afac218bf59a3be121827653d
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Tue Aug 31 01:25:27 2021 +0000
+
+ upstream: Specify hostkeyalgorithms in SSHFP test.
+
+ Specify host key algorithms in sshd's default set for the SSHFP test,
+ from djm@. Make the reason for when the test is skipped a bit clearer.
+
+ OpenBSD-Regress-ID: 4f923dfc761480d5411de17ea6f0b30de3e32cea
+
+commit 7db3e0a9e8477c018757b59ee955f7372c0b55fb
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Aug 30 01:15:45 2021 +0000
+
+ upstream: adapt to RSA/SHA1 deprectation
+
+ OpenBSD-Regress-ID: 952397c39a22722880e4de9d1c50bb1a14f907bb
+
+commit 2344750250247111a6c3c6a4fe84ed583a61cc11
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sun Aug 29 23:53:10 2021 +0000
+
+ upstream: After years of forewarning, disable the RSA/SHA-1
+
+ signature algorithm by default. It is feasible to create colliding SHA1
+ hashes, so we need to deprecate its use.
+
+ RSA/SHA-256/512 remains available and will be transparently selected
+ instead of RSA/SHA1 for most SSH servers released in the last five+
+ years. There is no need to regenerate RSA keys.
+
+ The use of RSA/SHA1 can be re-enabled by adding "ssh-rsa" to the
+ PubkeyAcceptedAlgorithms directives on the client and server.
+
+ ok dtucker deraadt
+
+ OpenBSD-Commit-ID: 189bcc4789c7254e09e23734bdd5def8354ff1d5
+
+commit 56c4455d3b54b7d481c77c82115c830b9c8ce328
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sun Aug 29 23:44:07 2021 +0000
+
+ upstream: wrap at 80 columns
+
+ OpenBSD-Commit-ID: 47ca2286d6b52a9747f34da16d742879e1a37bf0
+
+commit 95401eea8503943449f712e5f3de52fc0bc612c5
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Fri Aug 20 18:14:13 2021 +1000
+
+ Replace shell function with ssh-keygen -A.
+
+ Prevents the init script in the SysV package from trying (and failing)
+ to generate unsupported key types. Remove now-unused COMMENT_OUT_ECC.
+ ok tim@
+
+commit d83ec9ed995a76ed1d5c65cf10b447222ec86131
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Fri Aug 20 15:39:05 2021 +1000
+
+ Remove obsolete Redhat PAM config and init script.
+
commit e1a596186c81e65a34ce13076449712d3bf97eb4
Author: Damien Miller <djm@mindrot.org>
Date: Fri Aug 20 14:03:49 2021 +1000
@@ -13074,630 +13609,3 @@ Date: Fri Sep 27 15:26:22 2019 +1000
Since we've added larger fallback groups to dh.c this test will pass
even if there is no moduli file installed on the system.
-
-commit c1e0a32fa852de6d1c82ece4f76add0ab0ca0eae
-Author: Darren Tucker <dtucker@dtucker.net>
-Date: Tue Sep 24 21:17:20 2019 +1000
-
- Add more ToS bits, currently only used by netcat.
-
-commit 5a273a33ca1410351cb484af7db7c13e8b4e8e4e
-Author: Darren Tucker <dtucker@dtucker.net>
-Date: Thu Sep 19 15:41:23 2019 +1000
-
- Privsep is now required.
-
-commit 8aa2aa3cd4d27d14e74b247c773696349472ef20
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Mon Sep 16 03:23:02 2019 +0000
-
- upstream: Allow testing signature syntax and validity without verifying
-
- that a signature came from a trusted signer. To discourage accidental or
- unintentional use, this is invoked by the deliberately ugly option name
- "check-novalidate"
-
- from Sebastian Kinne
-
- OpenBSD-Commit-ID: cea42c36ab7d6b70890e2d8635c1b5b943adcc0b
-
-commit 7047d5afe3103f0f07966c05b810682d92add359
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Sep 13 04:52:34 2019 +0000
-
- upstream: clarify that IdentitiesOnly also applies to the default
-
- ~/.ssh/id_* keys; bz#3062
-
- OpenBSD-Commit-ID: 604be570e04646f0f4a17026f8b2aada6a585dfa
-
-commit b36ee3fcb2f1601693b1b7fd60dd6bd96006ea75
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Fri Sep 13 04:36:43 2019 +0000
-
- upstream: Plug mem leaks on error paths, based in part on github
-
- pr#120 from David Carlier. ok djm@.
-
- OpenBSD-Commit-ID: c57adeb1022a8148fc86e5a88837b3b156dbdb7e
-
-commit 2aefdf1aef906cf7548a2e5927d35aacb55948d4
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Sep 13 04:31:19 2019 +0000
-
- upstream: whitespace
-
- OpenBSD-Commit-ID: 57a71dd5f4cae8d61e0ac631a862589fb2bfd700
-
-commit fbe24b142915331ceb2a3a76be3dc5b6d204fddf
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Sep 13 04:27:35 2019 +0000
-
- upstream: allow %n to be expanded in ProxyCommand strings
-
- From Zachary Harmany via github.com/openssh/openssh-portable/pull/118
- ok dtucker@
-
- OpenBSD-Commit-ID: 7eebf1b7695f50c66d42053d352a4db9e8fb84b6
-
-commit 2ce1d11600e13bee0667d6b717ffcc18a057b821
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Sep 13 04:07:42 2019 +0000
-
- upstream: clarify that ConnectTimeout applies both to the TCP
-
- connection and to the protocol handshake/KEX. From Jean-Charles Longuet via
- Github PR140
-
- OpenBSD-Commit-ID: ce1766abc6da080f0d88c09c2c5585a32b2256bf
-
-commit df780114278f406ef7cb2278802a2660092fff09
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Mon Sep 9 02:31:19 2019 +0000
-
- upstream: Fix potential truncation warning. ok deraadt.
-
- OpenBSD-Commit-ID: d87b7e3a94ec935e8194e7fce41815e22804c3ff
-
-commit ec0e6243660bf2df30c620a6a0d83eded376c9c6
-Author: Damien Miller <djm@mindrot.org>
-Date: Fri Sep 13 13:14:39 2019 +1000
-
- memleak of buffer in sshpam_query
-
- coverity report via Ed Maste; ok dtucker@
-
-commit c17e4638e5592688264fc0349f61bfc7b4425aa5
-Author: Damien Miller <djm@mindrot.org>
-Date: Fri Sep 13 13:12:42 2019 +1000
-
- explicitly test set[ug]id() return values
-
- Legacy !_POSIX_SAVED_IDS path only; coverity report via Ed Maste
- ok dtucker@
-
-commit 91a2135f32acdd6378476c5bae475a6e7811a6a2
-Author: naddy@openbsd.org <naddy@openbsd.org>
-Date: Fri Sep 6 14:45:34 2019 +0000
-
- upstream: Allow prepending a list of algorithms to the default set
-
- by starting the list with the '^' character, e.g.
-
- HostKeyAlgorithms ^ssh-ed25519
- Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com
-
- ok djm@ dtucker@
-
- OpenBSD-Commit-ID: 1e1996fac0dc8a4b0d0ff58395135848287f6f97
-
-commit c8bdd2db77ac2369d5cdee237656f266c8f41552
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Sep 6 07:53:40 2019 +0000
-
- upstream: key conversion should fail for !openssl builds, not fall
-
- through to the key generation code
-
- OpenBSD-Commit-ID: b957436adc43c4941e61d61958a193a708bc83c9
-
-commit 823f6c37eb2d8191d45539f7b6fa877a4cb4ed3d
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Sep 6 06:08:11 2019 +0000
-
- upstream: typo in previous
-
- OpenBSD-Commit-ID: 7c3b94110864771a6b80a0d8acaca34037c3c96e
-
-commit 6a710d3e06fd375e2c2ae02546b9541c488a2cdb
-Author: Damien Miller <djm@mindrot.org>
-Date: Sun Sep 8 14:48:11 2019 +1000
-
- needs time.h for --without-openssl
-
-commit f61f29afda6c71eda26effa54d3c2e5306fd0833
-Author: Damien Miller <djm@mindrot.org>
-Date: Sat Sep 7 19:25:00 2019 +1000
-
- make unittests pass for no-openssl case
-
-commit 105e1c9218940eb53473f55a9177652d889ddbad
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Sep 6 05:59:41 2019 +0000
-
- upstream: avoid compiling certain files that deeply depend on
-
- libcrypto when WITH_OPENSSL isn't set
-
- OpenBSD-Commit-ID: 569f08445c27124ec7c7f6c0268d844ec56ac061
-
-commit 670104b923dd97b1c06c0659aef7c3e52af571b2
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Sep 6 05:23:55 2019 +0000
-
- upstream: fixes for !WITH_OPENSSL compilation; ok dtucker@
-
- OpenBSD-Commit-ID: 7fd68eaa9e0f7482b5d4c7e8d740aed4770a839f
-
-commit be02d7cbde3d211ec2ed2320a1f7d86b2339d758
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Sep 6 04:53:27 2019 +0000
-
- upstream: lots of things were relying on libcrypto headers to
-
- transitively include various system headers (mostly stdlib.h); include them
- explicitly
-
- OpenBSD-Commit-ID: 5b522f4f2d844f78bf1cc4f3f4cc392e177b2080
-
-commit d05aaaaadcad592abfaa44540928e0c61ef72ebb
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Sep 6 03:30:42 2019 +0000
-
- upstream: remove leakmalloc reference; we used this early when
-
- refactoring but not since
-
- OpenBSD-Commit-ID: bb28ebda8f7c490b87b37954044a6cdd43a7eb2c
-
-commit 1268f0bcd8fc844ac6c27167888443c8350005eb
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Fri Sep 6 04:24:06 2019 +0000
-
- upstream: Check for RSA support before using it for the user key,
-
- otherwise use ed25519 which is supported when built without OpenSSL.
-
- OpenBSD-Regress-ID: 3d23ddfe83c5062f00ac845d463f19a2ec78c0f7
-
-commit fd7a2dec652b9efc8e97f03f118f935dce732c60
-Author: Darren Tucker <dtucker@dtucker.net>
-Date: Fri Sep 6 14:07:10 2019 +1000
-
- Provide explicit path to configure-check.
-
- On some platforms (at least OpenBSD) make won't search VPATH for target
- files, so building out-of-tree will fail at configure-check. Provide
- explicit path. ok djm@
-
-commit 00865c29690003b4523cc09a0e104724b9f911a4
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Sep 6 01:58:50 2019 +0000
-
- upstream: better error code for bad arguments; inspired by
-
- OpenBSD-Commit-ID: dfc263b6041de7f0ed921a1de0b81ddebfab1e0a
-
-commit afdf27f5aceb4973b9f5308f4310c6e3fd8db1fb
-Author: Damien Miller <djm@mindrot.org>
-Date: Thu Sep 5 21:38:40 2019 +1000
-
- revert config.h/config.h.in freshness checks
-
- turns out autoreconf and configure don't touch some files if their content
- doesn't change, so the mtime can't be relied upon in a makefile rule
-
-commit a97609e850c57bd2cc2fe7e175fc35cb865bc834
-Author: Damien Miller <djm@mindrot.org>
-Date: Thu Sep 5 20:54:39 2019 +1000
-
- extend autoconf freshness test
-
- make it cover config.h.in and config.h separately
-
-commit 182297c10edb21c4856c6a38326fd04d81de41a5
-Author: Damien Miller <djm@mindrot.org>
-Date: Thu Sep 5 20:34:54 2019 +1000
-
- check that configure/config.h is up to date
-
- Ensure they are newer than the configure.ac / aclocal.m4 source
-
-commit 7d6034bd020248e9fc0f8c39c71c858debd0d0c1
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Thu Sep 5 10:05:51 2019 +0000
-
- upstream: if a PKCS#11 token returns no keys then try to login and
-
- refetch them. Based on patch from Jakub Jelen; bz#2430 ok markus@
-
- OpenBSD-Commit-ID: ab53bd6ddd54dd09e54a8bfbed1a984496f08b43
-
-commit 76f09bd95917862101b740afb19f4db5ccc752bf
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Thu Sep 5 09:35:19 2019 +0000
-
- upstream: sprinkle in some explicit errors here, otherwise the
-
- percolate all the way up to dispatch_run_fatal() and lose all meaninful
- context
-
- to help with bz#3063; ok dtucker@
-
- OpenBSD-Commit-ID: 5b2da83bb1c4a3471444b7910b2120ae36438a0a
-
-commit 0ea332497b2b2fc3995f72f6bafe9d664c0195b3
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Thu Sep 5 09:25:13 2019 +0000
-
- upstream: only send ext_info for KEX_INITIAL; bz#2929 ok dtucker
-
- OpenBSD-Commit-ID: 00f5c6062f6863769f5447c6346f78c05d2e4a63
-
-commit f23d91f9fa7f6f42e70404e000fac88aebfe3076
-Author: jmc@openbsd.org <jmc@openbsd.org>
-Date: Thu Sep 5 05:47:23 2019 +0000
-
- upstream: macro fix; ok djm
-
- OpenBSD-Commit-ID: e891dd6c7996114cb32f0924cb7898ab55efde6e
-
-commit 8b57337c1c1506df2bb9f039d0628a6de618566b
-Author: Damien Miller <djm@mindrot.org>
-Date: Thu Sep 5 15:46:39 2019 +1000
-
- update fuzzing makefile to more recent clang
-
-commit ae631ad77daf8fd39723d15a687cd4b1482cbae8
-Author: Damien Miller <djm@mindrot.org>
-Date: Thu Sep 5 15:45:32 2019 +1000
-
- fuzzer for sshsig allowed_signers option parsing
-
-commit 69159afe24120c97e5ebaf81016c85968afb903e
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Thu Sep 5 05:42:59 2019 +0000
-
- upstream: memleak on error path; found by libfuzzer
-
- OpenBSD-Commit-ID: 34d44cb0fb5bdb5fcbc6b02b804e71b20a7a5fc7
-
-commit bab6feb01f9924758ca7129dba708298a53dde5f
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Thu Sep 5 04:55:32 2019 +0000
-
- upstream: expose allowed_signers options parsing code in header for
-
- fuzzing
-
*** 1946 LINES SKIPPED ***