git: a25789646d71 - stable/14 - ssh: Update to OpenSSH 9.6p1
Date: Mon, 08 Jan 2024 13:56:18 UTC
The branch stable/14 has been updated by emaste:
URL: https://cgit.FreeBSD.org/src/commit/?id=a25789646d7130f5be166cac63d5c8b2b07c4706
commit a25789646d7130f5be166cac63d5c8b2b07c4706
Author: Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2024-01-05 03:16:30 +0000
Commit: Ed Maste <emaste@FreeBSD.org>
CommitDate: 2024-01-07 19:31:11 +0000
ssh: Update to OpenSSH 9.6p1
From the release notes,
> This release contains a number of security fixes, some small features
> and bugfixes.
The most significant change in 9.6p1 is a set of fixes for a newly-
discovered weakness in the SSH transport protocol. The fix was already
merged into FreeBSD and released as FreeBSD-SA-23:19.openssh.
Full release notes at https://www.openssh.com/txt/release-9.6
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 069ac18495ad8fde2748bc94b0f80a50250bb01d)
---
crypto/openssh/.depend | 3 +-
crypto/openssh/.github/configs | 14 +-
crypto/openssh/.github/setup_ci.sh | 53 +-
crypto/openssh/.github/workflows/c-cpp.yml | 15 +-
crypto/openssh/.github/workflows/selfhosted.yml | 21 +-
crypto/openssh/ChangeLog | 12792 +++++++++++-----------
crypto/openssh/Makefile.in | 14 +-
crypto/openssh/PROTOCOL | 23 +-
crypto/openssh/PROTOCOL.agent | 33 +-
crypto/openssh/README | 2 +-
crypto/openssh/auth2.c | 8 +-
crypto/openssh/authfd.c | 40 +-
crypto/openssh/authfd.h | 5 +-
crypto/openssh/channels.c | 36 +-
crypto/openssh/channels.h | 4 +-
crypto/openssh/cipher.c | 23 +-
crypto/openssh/cipher.h | 3 +-
crypto/openssh/clientloop.c | 34 +-
crypto/openssh/config.h | 9 +
crypto/openssh/configure.ac | 49 +-
crypto/openssh/contrib/redhat/openssh.spec | 34 +-
crypto/openssh/contrib/suse/openssh.spec | 2 +-
crypto/openssh/kex.c | 235 +-
crypto/openssh/kex.h | 7 +-
crypto/openssh/log.c | 6 +-
crypto/openssh/m4/openssh.m4 | 116 +-
crypto/openssh/misc.c | 41 +-
crypto/openssh/misc.h | 3 +-
crypto/openssh/moduli | 898 +-
crypto/openssh/monitor_wrap.c | 4 +-
crypto/openssh/mux.c | 4 +-
crypto/openssh/openbsd-compat/port-solaris.c | 24 +-
crypto/openssh/readconf.c | 57 +-
crypto/openssh/readconf.h | 7 +-
crypto/openssh/regress/Makefile | 10 +-
crypto/openssh/regress/agent-pkcs11-cert.sh | 92 +
crypto/openssh/regress/agent-pkcs11-restrict.sh | 193 +
crypto/openssh/regress/agent-pkcs11.sh | 82 +-
crypto/openssh/regress/conch-ciphers.sh | 11 +-
crypto/openssh/regress/dropbear-ciphers.sh | 33 +
crypto/openssh/regress/dropbear-kex.sh | 31 +
crypto/openssh/regress/forcecommand.sh | 56 +-
crypto/openssh/regress/sshsig.sh | 72 +-
crypto/openssh/regress/test-exec.sh | 169 +-
crypto/openssh/regress/unittests/Makefile | 3 +-
crypto/openssh/regress/unittests/Makefile.inc | 4 +-
crypto/openssh/scp.c | 12 +-
crypto/openssh/servconf.c | 40 +-
crypto/openssh/sftp-client.c | 4 +-
crypto/openssh/ssh-add.1 | 14 +-
crypto/openssh/ssh-add.c | 92 +-
crypto/openssh/ssh-agent.c | 241 +-
crypto/openssh/ssh-pkcs11-client.c | 56 +-
crypto/openssh/ssh-pkcs11.h | 5 +-
crypto/openssh/ssh.1 | 7 +-
crypto/openssh/ssh.c | 26 +-
crypto/openssh/ssh2.h | 3 +-
crypto/openssh/ssh_config.5 | 83 +-
crypto/openssh/ssh_namespace.h | 7 +-
crypto/openssh/sshconnect.c | 10 +-
crypto/openssh/sshconnect.h | 6 +-
crypto/openssh/sshconnect2.c | 63 +-
crypto/openssh/sshd.c | 4 +-
crypto/openssh/sshd_config | 2 +-
crypto/openssh/sshd_config.5 | 2 +-
crypto/openssh/sshkey.c | 40 +-
crypto/openssh/sshsig.c | 7 +-
crypto/openssh/version.h | 6 +-
secure/usr.bin/ssh-agent/Makefile | 2 +-
69 files changed, 8732 insertions(+), 7375 deletions(-)
diff --git a/crypto/openssh/.depend b/crypto/openssh/.depend
index 259bf3b2f136..4897698ab74a 100644
--- a/crypto/openssh/.depend
+++ b/crypto/openssh/.depend
@@ -28,7 +28,8 @@ auth2-passwd.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-
auth2-pubkey.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h ssh.h ssh2.h packet.h openbsd-compat/sys-queue.h dispatch.h kex.h mac.h crypto_api.h sshbuf.h log.h ssherr.h misc.h servconf.h compat.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h
auth2-pubkey.o: pathnames.h uidswap.h auth-options.h canohost.h monitor_wrap.h authfile.h match.h channels.h session.h sk-api.h
auth2-pubkeyfile.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ssh.h log.h ssherr.h misc.h sshkey.h digest.h hostfile.h auth.h auth-pam.h audit.h loginrec.h auth-options.h authfile.h match.h
-auth2.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h atomicio.h xmalloc.h ssh2.h packet.h openbsd-compat/sys-queue.h dispatch.h log.h ssherr.h sshbuf.h misc.h servconf.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h pathnames.h monitor_wrap.h digest.h
+auth2.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h atomicio.h xmalloc.h ssh2.h packet.h openbsd-compat/sys-queue.h dispatch.h log.h ssherr.h sshbuf.h misc.h servconf.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h pathnames.h monitor_wrap.h digest.h kex
.h
+auth2.o: mac.h crypto_api.h
authfd.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h ssh.h sshbuf.h sshkey.h authfd.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h log.h ssherr.h atomicio.h misc.h
authfile.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h ssh.h log.h ssherr.h authfile.h misc.h atomicio.h sshkey.h sshbuf.h krl.h
bitmap.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h bitmap.h
diff --git a/crypto/openssh/.github/configs b/crypto/openssh/.github/configs
index c7d6a55ab962..df82faf5046b 100755
--- a/crypto/openssh/.github/configs
+++ b/crypto/openssh/.github/configs
@@ -108,9 +108,19 @@ case "$config" in
SKIP_LTESTS=sftp-chroot
;;
gcc-11-Werror)
- CC="gcc"
+ CC="gcc-11"
+ # -Wnoformat-truncation in gcc 7.3.1 20180130 fails on fmt_scaled
+ # -Wunused-result ignores (void) so is not useful. See
+ # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66425
+ CFLAGS="-O2 -Wno-format-truncation -Wimplicit-fallthrough=4 -Wno-unused-parameter -Wno-unused-result"
+ CONFIGFLAGS="--with-pam --with-Werror"
+ ;;
+ gcc-12-Werror)
+ CC="gcc-12"
# -Wnoformat-truncation in gcc 7.3.1 20180130 fails on fmt_scaled
- CFLAGS="-Wall -Wextra -O2 -Wno-format-truncation -Wimplicit-fallthrough=4 -Wno-unused-parameter"
+ # -Wunused-result ignores (void) so is not useful. See
+ # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66425
+ CFLAGS="-O2 -Wno-format-truncation -Wimplicit-fallthrough=4 -Wno-unused-parameter -Wno-unused-result"
CONFIGFLAGS="--with-pam --with-Werror"
;;
clang*|gcc*)
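Review bot: In both the gcc-11-Werror and gcc-12-Werror cases the new CFLAGS drops `-Wall -Wextra`, so what `--with-Werror` enforces now depends on whatever warning flags configure adds by itself. If that is intended, say so in the comment; otherwise keep `-Wall -Wextra` in CFLAGS. The comment also writes `-Wnoformat-truncation` where the flag actually passed is `-Wno-format-truncation`, and since the two cases differ only in CC, the shared comment and flags could be set once.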
diff --git a/crypto/openssh/.github/setup_ci.sh b/crypto/openssh/.github/setup_ci.sh
index 010a333a6642..d0ba7b4724e9 100755
--- a/crypto/openssh/.github/setup_ci.sh
+++ b/crypto/openssh/.github/setup_ci.sh
@@ -18,8 +18,7 @@ case "$host" in
;;
*-darwin*)
PACKAGER=brew
- brew install automake
- exit 0
+ PACKAGES="automake"
;;
*)
PACKAGER=apt
@@ -30,20 +29,30 @@ TARGETS=$@
INSTALL_FIDO_PPA="no"
export DEBIAN_FRONTEND=noninteractive
-#echo "Setting up for '$TARGETS'"
-
-set -ex
+set -e
if [ -x "`which lsb_release 2>&1`" ]; then
lsb_release -a
fi
-# Ubuntu 22.04 defaults to private home dirs which prevent the
-# agent-getpeerid test from running ssh-add as nobody. See
-# https://github.com/actions/runner-images/issues/6106
-if [ ! -z "$SUDO" ] && ! "$SUDO" -u nobody test -x ~; then
- echo ~ is not executable by nobody, adding perms.
- chmod go+x ~
+if [ ! -z "$SUDO" ]; then
+ # Ubuntu 22.04 defaults to private home dirs which prevent the
+ # agent-getpeerid test from running ssh-add as nobody. See
+ # https://github.com/actions/runner-images/issues/6106
+ if ! "$SUDO" -u nobody test -x ~; then
+ echo ~ is not executable by nobody, adding perms.
+ chmod go+x ~
+ fi
+ # Some of the Mac OS X runners don't have a nopasswd sudo rule. Regular
+ # sudo still works, but sudo -u doesn't. Restore the sudo rule.
+ if ! "$SUDO" grep -E 'runner.*NOPASSWD' /etc/passwd >/dev/null; then
+ echo "Restoring runner nopasswd rule to sudoers."
+ echo 'runner ALL=(ALL) NOPASSWD: ALL' |$SUDO tee -a /etc/sudoers
+ fi
+ if ! "$SUDO" -u nobody -S test -x ~ </dev/null; then
+ echo "Still can't sudo to nobody."
+ exit 1
+ fi
fi
if [ "${TARGETS}" = "kitchensink" ]; then
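Review bot: The NOPASSWD check greps `/etc/passwd` rather than `/etc/sudoers`, so `grep -E 'runner.*NOPASSWD' /etc/passwd` will not normally match and `runner ALL=(ALL) NOPASSWD: ALL` gets appended to /etc/sudoers on every run where $SUDO is set, not only on the Mac OS X runners the comment describes. Point the grep at /etc/sudoers and limit the block to the darwin case. Appending with `tee -a` straight into the live sudoers file also skips any syntax check; validating the result with `visudo -c` would be safer. Separately, going from `set -ex` to `set -e` removes the command trace from the CI log, which deserves a mention if it is intentional.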
@@ -57,6 +66,7 @@ for flag in $CONFIGFLAGS; do
esac
done
+echo "Setting up for '$TARGETS'"
for TARGET in $TARGETS; do
case $TARGET in
default|without-openssl|without-zlib|c89)
@@ -87,7 +97,9 @@ for TARGET in $TARGETS; do
esac
;;
*pam)
- PACKAGES="$PACKAGES libpam0g-dev"
+ case "$PACKAGER" in
+ apt) PACKAGES="$PACKAGES libpam0g-dev" ;;
+ esac
;;
sk)
INSTALL_FIDO_PPA="yes"
@@ -116,7 +128,7 @@ for TARGET in $TARGETS; do
1.*) INSTALL_OPENSSL="OpenSSL_$(echo ${INSTALL_OPENSSL} | tr . _)" ;;
3.*) INSTALL_OPENSSL="openssl-${INSTALL_OPENSSL}" ;;
esac
- PACKAGES="${PACKAGES} putty-tools"
+ PACKAGES="${PACKAGES} putty-tools dropbear-bin"
;;
libressl-*)
INSTALL_LIBRESSL=$(echo ${TARGET} | cut -f2 -d-)
@@ -124,7 +136,7 @@ for TARGET in $TARGETS; do
master) ;;
*) INSTALL_LIBRESSL="$(echo ${TARGET} | cut -f2 -d-)" ;;
esac
- PACKAGES="${PACKAGES} putty-tools"
+ PACKAGES="${PACKAGES} putty-tools dropbear-bin"
;;
boringssl)
INSTALL_BORINGSSL=1
@@ -156,6 +168,13 @@ while [ ! -z "$PACKAGES" ] && [ "$tries" -gt "0" ]; do
PACKAGES=""
fi
;;
+ brew)
+ if [ ! -z "PACKAGES" ]; then
+ if brew install $PACKAGES; then
+ PACKAGES=""
+ fi
+ fi
+ ;;
setup)
if /cygdrive/c/setup.exe -q -P `echo "$PACKAGES" | tr ' ' ,`; then
PACKAGES=""
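Review bot: In the new brew case, `[ ! -z "PACKAGES" ]` tests the literal string PACKAGES, which is never empty, so the guard is always true; it should read `"$PACKAGES"`. The enclosing `while [ ! -z "$PACKAGES" ]` already excludes the empty case, so the inner test could simply be dropped.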
@@ -176,7 +195,7 @@ if [ "${INSTALL_HARDENED_MALLOC}" = "yes" ]; then
(cd ${HOME} &&
git clone https://github.com/GrapheneOS/hardened_malloc.git &&
cd ${HOME}/hardened_malloc &&
- make -j2 && sudo cp out/libhardened_malloc.so /usr/lib/)
+ make && sudo cp out/libhardened_malloc.so /usr/lib/)
fi
if [ ! -z "${INSTALL_OPENSSL}" ]; then
@@ -197,14 +216,14 @@ if [ ! -z "${INSTALL_LIBRESSL}" ]; then
git checkout ${INSTALL_LIBRESSL} &&
sh update.sh && sh autogen.sh &&
./configure --prefix=/opt/libressl &&
- make -j2 && sudo make install)
+ make && sudo make install)
else
LIBRESSL_URLBASE=https://cdn.openbsd.org/pub/OpenBSD/LibreSSL
(cd ${HOME} &&
wget ${LIBRESSL_URLBASE}/libressl-${INSTALL_LIBRESSL}.tar.gz &&
tar xfz libressl-${INSTALL_LIBRESSL}.tar.gz &&
cd libressl-${INSTALL_LIBRESSL} &&
- ./configure --prefix=/opt/libressl && make -j2 && sudo make install)
+ ./configure --prefix=/opt/libressl && make && sudo make install)
fi
fi
diff --git a/crypto/openssh/.github/workflows/c-cpp.yml b/crypto/openssh/.github/workflows/c-cpp.yml
index be0c97f84cfd..8f624d21016c 100644
--- a/crypto/openssh/.github/workflows/c-cpp.yml
+++ b/crypto/openssh/.github/workflows/c-cpp.yml
@@ -47,7 +47,8 @@ jobs:
- { target: ubuntu-20.04, config: gcc-7 }
- { target: ubuntu-20.04, config: gcc-8 }
- { target: ubuntu-20.04, config: gcc-10 }
- - { target: ubuntu-20.04, config: gcc-11-Werror }
+ - { target: ubuntu-22.04, config: gcc-11-Werror }
+ - { target: ubuntu-22.04, config: gcc-12-Werror }
- { target: ubuntu-20.04, config: pam }
- { target: ubuntu-20.04, config: kitchensink }
- { target: ubuntu-22.04, config: hardenedmalloc }
@@ -61,18 +62,20 @@ jobs:
- { target: ubuntu-latest, config: libressl-3.5.3 }
- { target: ubuntu-latest, config: libressl-3.6.1 }
- { target: ubuntu-latest, config: libressl-3.7.2 }
+ - { target: ubuntu-latest, config: libressl-3.8.2 }
- { target: ubuntu-latest, config: openssl-master }
- { target: ubuntu-latest, config: openssl-noec }
- { target: ubuntu-latest, config: openssl-1.1.1 }
- - { target: ubuntu-latest, config: openssl-1.1.1k }
- - { target: ubuntu-latest, config: openssl-1.1.1n }
- - { target: ubuntu-latest, config: openssl-1.1.1q }
- { target: ubuntu-latest, config: openssl-1.1.1t }
+ - { target: ubuntu-latest, config: openssl-1.1.1w }
- { target: ubuntu-latest, config: openssl-3.0.0 }
- - { target: ubuntu-latest, config: openssl-3.0.7 }
+ - { target: ubuntu-latest, config: openssl-3.0.12 }
- { target: ubuntu-latest, config: openssl-3.1.0 }
+ - { target: ubuntu-latest, config: openssl-3.1.4 }
+ - { target: ubuntu-latest, config: openssl-3.2.0 }
- { target: ubuntu-latest, config: openssl-1.1.1_stable }
- { target: ubuntu-latest, config: openssl-3.0 } # stable branch
+ - { target: ubuntu-latest, config: openssl-3.2 } # stable branch
- { target: ubuntu-latest, config: zlib-develop }
- { target: ubuntu-22.04, config: pam }
- { target: ubuntu-22.04, config: krb5 }
@@ -108,7 +111,7 @@ jobs:
- name: make clean
run: make clean
- name: make
- run: make -j2
+ run: make
- name: make tests
run: sh ./.github/run_test.sh ${{ matrix.config }}
env:
diff --git a/crypto/openssh/.github/workflows/selfhosted.yml b/crypto/openssh/.github/workflows/selfhosted.yml
index de0a4125bf08..be0b4ffec580 100644
--- a/crypto/openssh/.github/workflows/selfhosted.yml
+++ b/crypto/openssh/.github/workflows/selfhosted.yml
@@ -31,6 +31,7 @@ jobs:
- fbsd10
- fbsd12
- fbsd13
+ - fbsd14
- minix3
- nbsd3
- nbsd4
@@ -38,22 +39,27 @@ jobs:
- nbsd9
- obsd51
- obsd67
- - obsd69
- - obsd70
- obsd72
- obsd73
+ - obsd74
- obsdsnap
- obsdsnap-i386
- openindiana
- - sol10
- - sol11
+ - ubuntu-2204
config:
- default
host:
- libvirt
include:
+ # Long-running/slow tests have access to high priority runners.
+ - { target: aix51, config: default, host: libvirt-hipri }
+ - { target: openindiana, config: pam, host: libvirt-hipri }
+ - { target: sol10, config: default, host: libvirt-hipri }
+ - { target: sol10, config: pam, host: libvirt-hipri }
+ - { target: sol11, config: default, host: libvirt-hipri }
+ - { target: sol11, config: pam-krb5, host: libvirt-hipri }
+ - { target: sol11, config: sol64, host: libvirt-hipri }
# Then we include extra libvirt test configs.
- - { target: aix51, config: default, host: libvirt }
- { target: centos7, config: pam, host: libvirt }
- { target: debian-i386, config: pam, host: libvirt }
- { target: dfly30, config: without-openssl, host: libvirt}
@@ -64,12 +70,9 @@ jobs:
- { target: fbsd10, config: pam, host: libvirt }
- { target: fbsd12, config: pam, host: libvirt }
- { target: fbsd13, config: pam, host: libvirt }
+ - { target: fbsd14, config: pam, host: libvirt }
- { target: nbsd8, config: pam, host: libvirt }
- { target: nbsd9, config: pam, host: libvirt }
- - { target: openindiana, config: pam, host: libvirt }
- - { target: sol10, config: pam, host: libvirt }
- - { target: sol11, config: pam-krb5, host: libvirt }
- - { target: sol11, config: sol64, host: libvirt }
# VMs with persistent disks that have their own runner.
- { target: win10, config: default, host: win10 }
- { target: win10, config: cygwin-release, host: win10 }
diff --git a/crypto/openssh/ChangeLog b/crypto/openssh/ChangeLog
index 61725d3a136b..981b7ecd94b6 100644
--- a/crypto/openssh/ChangeLog
+++ b/crypto/openssh/ChangeLog
@@ -1,9557 +1,9505 @@
-commit 80a2f64b8c1d27383cc83d182b73920d1e6a91f1
+commit 8241b9c0529228b4b86d88b1a6076fb9f97e4a99
Author: Damien Miller <djm@mindrot.org>
-Date: Wed Oct 4 15:34:10 2023 +1100
+Date: Tue Dec 19 01:59:50 2023 +1100
- crank version numbers
+ crank versions
-commit f65f187b105d9b5c12fd750a211397d08c17c6d4
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Wed Oct 4 04:04:09 2023 +0000
+commit 2f2c65cb5f1518a9c556d3e8efa27ea0ca305c6b
+Author: Damien Miller <djm@mindrot.org>
+Date: Tue Dec 19 01:59:06 2023 +1100
- upstream: openssh-9.5
-
- OpenBSD-Commit-ID: 5e0af680480bd3b6f5560cf840ad032d48fd6b16
+ depend
-commit ffe27e54a4bb18d5d3bbd3f4cc93a41b8d94dfd2
+commit e48cdee8e19059203b1aeeabec2350b8375fa61f
Author: djm@openbsd.org <djm@openbsd.org>
-Date: Wed Oct 4 04:03:50 2023 +0000
+Date: Mon Dec 18 14:50:08 2023 +0000
- upstream: add some cautionary text about % token expansion and
-
- shell metacharacters; based on report from vinci AT protonmail.ch
+ upstream: regress test for agent PKCS#11-backed certificates
- OpenBSD-Commit-ID: aa1450a54fcee2f153ef70368d90edb1e7019113
+ OpenBSD-Regress-ID: 38f681777cb944a8cc3bf9d0ad62959a16764df9
-commit 60ec3d54fd1ebfe2dda75893fa1e870b8dffbb0d
+commit 2f512f862df1d5f456f82a0334c9e8cc7208a2a1
Author: djm@openbsd.org <djm@openbsd.org>
-Date: Tue Oct 3 23:56:10 2023 +0000
+Date: Mon Dec 18 14:49:39 2023 +0000
- upstream: fix link to agent draft; spotted by Jann Horn
+ upstream: regress test for constrained PKCS#11 keys
- OpenBSD-Commit-ID: ff5bda21a83ec013db683e282256a85201d2dc4b
+ OpenBSD-Regress-ID: b2f26ae95d609d12257b43aef7cd7714c82618ff
-commit 12e2d4b13f6f63ce2de13cbfcc9e4d0d4b4ab231
-Author: Damien Miller <djm@mindrot.org>
-Date: Wed Oct 4 10:54:04 2023 +1100
+commit cdddd66412ca5920ed4d3ebbfa6ace12dbd9b82f
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Dec 18 14:48:44 2023 +0000
- use portable provider allowlist path in manpage
+ upstream: openssh-9.6
- spotted by Jann Horn
+ OpenBSD-Commit-ID: 21759837cf0e0092d9a2079f8fb562071c11016b
-commit 6c2c6ffde75df95fd838039850d3dd3d84956d87
-Author: deraadt@openbsd.org <deraadt@openbsd.org>
-Date: Tue Sep 19 20:37:07 2023 +0000
+commit 6d51feab157cedf1e7ef5b3f8781ca8ff9c4ab1b
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Dec 18 14:48:08 2023 +0000
- upstream: typo; from Jim Spath
+ upstream: ssh-agent: record failed session-bind attempts
- OpenBSD-Commit-ID: 2f5fba917b5d4fcf93d9e0b0756c7f63189e228e
+ Record failed attempts to session-bind a connection and refuse signing
+ operations on that connection henceforth.
+
+ Prevents a future situation where we add a new hostkey type that is not
+ recognised by an older ssh-agent, that consequently causes session-bind
+ to fail (this situation is only likely to arise when people mix ssh(1)
+ and ssh-agent(1) of different versions on the same host). Previously,
+ after such a failure the agent socket would be considered unbound and
+ not subject to restriction.
+
+ Spotted by Jann Horn
+
+ OpenBSD-Commit-ID: b0fdd023e920aa4831413f640de4c5307b53552e
-commit b6b49130a0089b297245ee39e769231d7c763014
+commit 7ef3787c84b6b524501211b11a26c742f829af1a
Author: djm@openbsd.org <djm@openbsd.org>
-Date: Sun Sep 10 23:12:32 2023 +0000
+Date: Mon Dec 18 14:47:44 2023 +0000
- upstream: rename remote_glob() -> sftp_glob() to match other API
+ upstream: ban user/hostnames with most shell metacharacters
- OpenBSD-Commit-ID: d9dfb3708d824ec02970a84d96cf5937e0887229
+ This makes ssh(1) refuse user or host names provided on the
+ commandline that contain most shell metacharacters.
+
+ Some programs that invoke ssh(1) using untrusted data do not filter
+ metacharacters in arguments they supply. This could create
+ interactions with user-specified ProxyCommand and other directives
+ that allow shell injection attacks to occur.
+
+ It's a mistake to invoke ssh(1) with arbitrary untrusted arguments,
+ but getting this stuff right can be tricky, so this should prevent
+ most obvious ways of creating risky situations. It however is not
+ and cannot be perfect: ssh(1) has no practical way of interpreting
+ what shell quoting rules are in use and how they interact with the
+ user's specified ProxyCommand.
+
+ To allow configurations that use strange user or hostnames to
+ continue to work, this strictness is applied only to names coming
+ from the commandline. Names specified using User or Hostname
+ directives in ssh_config(5) are not affected.
+
+ feedback/ok millert@ markus@ dtucker@ deraadt@
+
+ OpenBSD-Commit-ID: 3b487348b5964f3e77b6b4d3da4c3b439e94b2d9
-commit 21b79af6c8d2357c822c84cef3fbdb8001ed263b
+commit 0cb50eefdd29f0fec31d0e71cc4b004a5f704e67
Author: djm@openbsd.org <djm@openbsd.org>
-Date: Sun Sep 10 03:51:55 2023 +0000
+Date: Mon Dec 18 14:47:20 2023 +0000
- upstream: typo in comment
+ upstream: stricter handling of channel window limits
- OpenBSD-Commit-ID: 69285e0ce962a7c6b0ab5f17a293c60a0a360a18
-
-commit 41232d25532b4d2ef6c5db62efc0cf50a79d26ca
-Author: Darren Tucker <dtucker@dtucker.net>
-Date: Sun Sep 10 15:45:38 2023 +1000
-
- Use zero-call-used-regs=used with Apple compilers.
+ This makes ssh/sshd more strict in handling non-compliant peers that
+ send more data than the advertised channel window allows. Previously
+ the additional data would be silently discarded. This change will
+ cause ssh/sshd to terminate the connection if the channel window is
+ exceeded by more than a small grace allowance.
- Apple's versions of clang have version numbers that do not match the
- corresponding upstream clang versions. Unfortunately, they do still
- have the clang-15 zero-call-used-regs=all bug, so for now use the value
- that doesn't result in segfaults. We could allowlist future versions
- that are known to work. bz#3584 (and probably also our github CI
- failures).
+ ok markus@
+
+ OpenBSD-Commit-ID: 811e21b41831eba3dd7f67b3d409a438f20d3037
-commit 90ccc5918ea505bf156c31148b6b59a1bf5d6dc6
+commit 4448a2938abc76e6bd33ba09b2ec17a216dfb491
Author: djm@openbsd.org <djm@openbsd.org>
-Date: Sun Sep 10 03:25:53 2023 +0000
+Date: Mon Dec 18 14:46:56 2023 +0000
- upstream: randomise keystroke obfuscation intervals and average
+ upstream: Make it possible to load certs from PKCS#11 tokens
- interval rate. ok dtucker@
+ Adds a protocol extension to allow grafting certificates supplied by
+ ssh-add to keys loaded from PKCS#11 tokens in the agent.
- OpenBSD-Commit-ID: 05f61d051ab418fcfc4857ff306e420037502382
+ feedback/ok markus@
+
+ OpenBSD-Commit-ID: bb5433cd28ede2bc910996eb3c0b53e20f86037f
-commit bd1b9e52f5fa94d87223c90905c5fdc1a7c32aa6
+commit 881d9c6af9da4257c69c327c4e2f1508b2fa754b
Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Sep 8 06:34:24 2023 +0000
+Date: Mon Dec 18 14:46:12 2023 +0000
- upstream: fix sizeof(*ptr) instead sizeof(ptr) in realloc (pointer here
+ upstream: apply destination constraints to all p11 keys
- is char**, so harmless); spotted in CID 416964
+ Previously applied only to the first key returned from each token.
- OpenBSD-Commit-ID: c61caa4a5a667ee20bb1042098861e6c72c69002
+ ok markus@
+
+ OpenBSD-Commit-ID: 36df3afb8eb94eec6b2541f063d0d164ef8b488d
-commit c4f966482983e18601eec70a1563115de836616f
+commit a7ed931caeb68947d30af8a795f4108b6efad761
Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Sep 8 06:10:57 2023 +0000
+Date: Mon Dec 18 14:45:49 2023 +0000
- upstream: regress test recursive remote-remote directories copies where
+ upstream: add "ext-info-in-auth@openssh.com" extension
- the directory contains a symlink to another directory.
+ This adds another transport protocol extension to allow a sshd to send
+ SSH2_MSG_EXT_INFO during user authentication, after the server has
+ learned the username that is being logged in to.
- also remove errant `set -x` that snuck in at some point
+ This lets sshd to update the acceptable signature algoritms for public
+ key authentication, and allows these to be varied via sshd_config(5)
+ "Match" directives, which are evaluated after the server learns the
+ username being authenticated.
- OpenBSD-Regress-ID: 1c94a48bdbd633ef2285954ee257725cd7bc456f
+ Full details in the PROTOCOL file
+
+ OpenBSD-Commit-ID: 1de7da7f2b6c32a46043d75fcd49b0cbb7db7779
-commit 5e1dfe5014ebc194641678303e22ab3bba15f4e5
+commit 1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5
Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Sep 8 06:10:02 2023 +0000
+Date: Mon Dec 18 14:45:17 2023 +0000
- upstream: fix recursive remote-remote copies of directories that
+ upstream: implement "strict key exchange" in ssh and sshd
- contain symlinks to other directories (similar to bz3611)
+ This adds a protocol extension to improve the integrity of the SSH
+ transport protocol, particular in and around the initial key exchange
+ (KEX) phase.
- OpenBSD-Commit-ID: 7e19d2ae09b4f941bf8eecc3955c9120171da37f
+ Full details of the extension are in the PROTOCOL file.
+
+ with markus@
+
+ OpenBSD-Commit-ID: 2a66ac962f0a630d7945fee54004ed9e9c439f14
-commit 7c0ce2bf98b303b6ad91493ee3247d96c18ba1f6
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Sep 8 05:50:57 2023 +0000
+commit 59d691b886c79e70b1d1c4ab744e81fd176222fd
+Author: Damien Miller <djm@mindrot.org>
+Date: Mon Dec 18 14:49:11 2023 +1100
- upstream: regress test for recursive copies of directories containing
+ better detection of broken -fzero-call-used-regs
- symlinks to other directories. bz3611, ok dtucker@
+ Use OSSH_CHECK_CFLAG_LINK() for detection of these flags and extend
+ test program to exercise varargs, which seems to catch more stuff.
- OpenBSD-Regress-ID: eaa4c29cc5cddff4e72a16bcce14aeb1ecfc94b9
+ ok dtucker@
-commit 2de990142a83bf60ef694378b8598706bc654b08
+commit aa7b21708511a6d4aed3839fc9f6e82e849dd4a1
Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Sep 8 05:56:13 2023 +0000
+Date: Wed Dec 13 03:28:19 2023 +0000
- upstream: the sftp code was one of my first contributions to
+ upstream: when invoking KnownHostsCommand to determine the order of
- OpenSSH and it shows - the function names are terrible.
+ host key algorithms to request, ensure that the hostname passed to the
+ command is decorated with the port number for ports other than 22.
- Rename do_blah() to sftp_blah() to make them less so.
+ This matches the behaviour of KnownHostsCommand when invoked to look
+ up the actual host key.
- Completely mechanical except for sftp_stat() and sftp_lstat() which
- change from returning a pointer to a static variable (error-prone) to
- taking a pointer to a caller-provided receiver.
+ bz3643, ok dtucker@
- OpenBSD-Commit-ID: eb54d6a72d0bbba4d623e2175cf5cc4c75dc2ba4
+ OpenBSD-Commit-ID: 5cfabc0b7c6c7ab473666df314f377b1f15420b1
-commit 249d8bd0472b53e3a2a0e138b4c030a31e83346a
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Sep 8 05:50:12 2023 +0000
+commit 4086bd6652c0badccc020218a62190a7798fb72c
+Author: markus@openbsd.org <markus@openbsd.org>
+Date: Fri Dec 8 09:18:39 2023 +0000
- upstream: fix scp in SFTP mode recursive upload and download of
-
- directories that contain symlinks to other directories. In scp mode, the
- links would be followed, but in SFTP mode they were not. bz3611, ok dtucker@
+ upstream: prevent leak in sshsig_match_principals; ok djm@
- OpenBSD-Commit-ID: 9760fda668eaa94a992250d7670dfbc62a45197c
+ OpenBSD-Commit-ID: 594f61ad4819ff5c72dfe99ba666a17f0e1030ae
-commit 0e1f4401c466fa4fdaea81b6dadc8dd1fc4cf0af
+commit 19d3ee2f3adf7d9a606ff015c1e153744702c4c9
Author: djm@openbsd.org <djm@openbsd.org>
-Date: Wed Sep 6 23:36:09 2023 +0000
+Date: Wed Dec 6 21:06:48 2023 +0000
- upstream: regression test for override of subsystem in match blocks
+ upstream: short circuit debug log processing early if we're not going
- OpenBSD-Regress-ID: 5f8135da3bfda71067084c048d717b0e8793e87c
+ to log anything. From Kobe Housen
+
+ OpenBSD-Commit-ID: 2bcddd695872a1bef137cfff7823044dcded90ea
-commit 8a1450c62035e834d8a79a5d0d1c904236f9dcfe
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Wed Sep 6 23:35:35 2023 +0000
+commit 947affad4831df015c498c00c6351ea6f13895d5
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Mon Nov 27 09:37:28 2023 +1100
- upstream: allow override of Sybsystem directives in sshd Match
-
- blocks
+ Add tests for OpenSSL 3.2.0 and 3.2 stable branch.
+
+commit 747dce36206675ca6b885010a835733df469351b
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Sat Nov 25 09:03:38 2023 +1100
+
+ Use non-zero arg in compiler test program.
- OpenBSD-Commit-ID: 3911d18a826a2d2fe7e4519075cf3e57af439722
+ Now that we're running the test program, passing zero to the test function
+ can cause divide-by-zero exceptions which might show up in logs.
-commit 6e52826e2a74d077147a82ead8d4fbd5b54f4e3b
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Wed Sep 6 23:26:37 2023 +0000
+commit 3d44a5c56585d1c351dbc006240a591b6da502b1
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Fri Nov 24 00:31:30 2023 +0000
- upstream: allocate the subsystems array as necessary and remove the
+ upstream: Plug mem leak of msg when processing a quit message.
- fixed limit of subsystems. Saves a few kb of memory in the server and makes
- it more like the other options.
+ Coverity CID#427852, ok djm@
- OpenBSD-Commit-ID: e683dfca6bdcbc3cc339bb6c6517c0c4736a547f
+ OpenBSD-Commit-ID: bf85362addbe2134c3d8c4b80f16601fbff823b7
-commit e19069c9fac4c111d6496b19c7f7db43b4f07b4f
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Wed Sep 6 23:23:53 2023 +0000
+commit 1d7f9b6e297877bd00973e6dc5c0642dbefc3b5f
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Thu Nov 23 03:37:05 2023 +0000
- upstream: preserve quoting of Subsystem commands and arguments.
+ upstream: Include existing mux path in debug message.
- This may change behaviour of exotic configurations, but the most common
- subsystem configuration (sftp-server) is unlikely to be affected.
+ OpenBSD-Commit-ID: 1c3641be10c2f4fbad2a1b088a441d072e18bf16
+
+commit f29934066bd0e561a2e516b7e584fb92d2eedee0
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Thu Nov 23 19:41:27 2023 +1100
+
+ Add an Ubuntu 22.04 test VM.
- OpenBSD-Commit-ID: 8ffa296aeca981de5b0945242ce75aa6dee479bf
+ This is the same version as Github's runners so most of the testing on
+ it is over there, but having a local VM makes debugging much easier.
-commit 52dfe3c72d98503d8b7c6f64fc7e19d685636c0b
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Wed Sep 6 23:21:36 2023 +0000
+commit a93284a780cd3972afe5f89086b75d564ba157f3
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Thu Nov 23 19:36:22 2023 +1100
- upstream: downgrade duplicate Subsystem directives from being a
+ Add gcc-12 -Werror test on Ubuntu 22.04.
- fatal error to being a debug message to match behaviour with just about all
- other directives.
+ Explictly specify gcc-11 on Ubuntu 22.04 (it's the system compiler).
+
+commit 670f5a647e98b6fd95ad64f789f87ee3274b481b
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Thu Nov 23 19:34:57 2023 +1100
+
+ Check return value from write to prevent warning.
- OpenBSD-Commit-ID: fc90ed2cc0c18d4eb8e33d2c5e98d25f282588ce
+ ... and since we're testing for flags with -Werror, this caused
+ configure to mis-detect compiler flags.
-commit 1ee0a16e07b6f0847ff463d7b5221c4bf1876e25
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Wed Sep 6 23:18:15 2023 +0000
+commit cea007d691cfedfa07a5b8599f97ce0511f53fc9
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Wed Nov 22 21:18:55 2023 +1100
- upstream: handle cr+lf (instead of just cr) in sshsig signature
+ Run compiler test program when compiling natively.
- files
+ ok djm@
+
+commit ee0d305828f13536c0a416bbf9c3e81039d9ea55
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Wed Nov 22 21:18:07 2023 +1100
+
+ Factor out compiler test program into a macro.
- OpenBSD-Commit-ID: 647460a212b916540016d066568816507375fd7f
+ ok djm@
-commit e1c284d60a928bcdd60bc575c6f9604663502770
-Author: job@openbsd.org <job@openbsd.org>
-Date: Mon Sep 4 10:29:58 2023 +0000
+commit de304c76316b029df460673725a9104224b9959b
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Wed Nov 22 08:55:36 2023 +1100
- upstream: Generate Ed25519 keys when invoked without arguments
+ Add fbsd14 VM to test pool.
+
+commit 99a2df5e1994cdcb44ba2187b5f34d0e9190be91
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Tue Nov 21 16:19:29 2023 +1100
+
+ Expand -fzero-call-used-regs test to cover gcc 11.
- Ed25519 public keys are very convenient due to their small size.
- OpenSSH has supported Ed25519 since version 6.5 (January 2014).
+ It turns out that gcc also has some problems with -fzero-call-used-regs,
+ at least v11 on mips. Previously the test in OSSH_CHECK_CFLAG_COMPILE
+ was sufficient to catch it with "=all", but not sufficient for "=used".
+ Expand the testcase and include it in the other tests for good measure.
+ See bz#3629. ok djm@.
+
+commit ff220d4010717f7bfbbc02a2400666fb9d24f250
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Tue Nov 21 14:04:34 2023 +1100
+
+ Stop using -fzero-call-used-regs=all
- OK djm@ markus@ sthen@ deraadt@
+ ... since it seems to be problematic with several different versions of
+ clang. Only use -fzero-call-used-regs=used which is less
+ problematic, except with Apple's clang where we don't use it at all.
+ bz#3629, ok djm@
+
+commit 2a19e02f36b16f0f6cc915f7d1e60ead5e36303b
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Tue Nov 21 14:02:18 2023 +1100
+
+ Allow for vendor prefix on clang version numbers.
- OpenBSD-Commit-ID: f498beaad19c8cdcc357381a60df4a9c69858b3f
+ Correctly detects the version of OpenBSD's native clang, as well as
+ Apple's. Spotted tb@, ok djm@.
-commit 694150ad92765574ff82a18f4e86322bd3231e68
+commit c52db0114826d73eff6cdbf205e9c1fa4f7ca6c6
Author: djm@openbsd.org <djm@openbsd.org>
-Date: Mon Sep 4 00:08:14 2023 +0000
+Date: Mon Nov 20 02:50:00 2023 +0000
- upstream: trigger keystroke timing obfucation only if the channels
-
- layer enqueud some data in the last poll() cycle; this avoids triggering the
- obfuscatior for non-channels data like ClientAlive probes and also fixes a
- related problem were the obfucations would be triggered on fully quiescent
- connections.
+ upstream: set errno=EAFNOSUPPORT when filtering addresses that don't
- Based on / tested by naddy@
+ match AddressFamily; yields slightly better error message if no address
+ matches. bz#3526
- OpenBSD-Commit-ID: d98f32dc62d7663ff4660e4556e184032a0db123
+ OpenBSD-Commit-ID: 29cea900ddd8b04a4d1968da5c4a893be2ebd9e6
-commit b5fd97896b59a3a46245cf438cc8b16c795d9f74
+commit 26f3f3bbc69196d908cad6558c8c7dc5beb8d74a
Author: djm@openbsd.org <djm@openbsd.org>
-Date: Mon Sep 4 00:04:02 2023 +0000
+Date: Wed Nov 15 23:03:38 2023 +0000
- upstream: avoid bogus "obfuscate_keystroke_timing: stopping ..."
+ upstream: when connecting via socket (the default case), filter
- debug messages when keystroke timing obfuscation was never started; spotted
- by naddy@
+ addresses by AddressFamily if one was specified. Fixes the case where, if
+ CanonicalizeHostname is enabled, ssh may ignore AddressFamily. bz5326; ok
+ dtucker
- OpenBSD-Commit-ID: 5c270d35f7d2974db5c1646e9c64188f9393be31
+ OpenBSD-Commit-ID: 6c7d7751f6cd055126b2b268a7b64dcafa447439
-commit ccf7d913db34e49b7a6db1b8331bd402004c840d
+commit 050c335c8da43741ed0df2570ebfbd5d1dfd0a31
Author: djm@openbsd.org <djm@openbsd.org>
-Date: Mon Sep 4 00:01:46 2023 +0000
+Date: Wed Nov 15 22:51:49 2023 +0000
- upstream: make channel_output_poll() return a flag indicating
+ upstream: when deciding whether to enable keystroke timing
- whether channel data was enqueued. Will be used to improve keystroke timing
- obfuscation. Problem spotted by / tested by naddy@
+ obfuscation, only consider enabling it when a channel with a tty is open.
- OpenBSD-Commit-ID: f9776c7b0065ba7c3bbe50431fd3b629f44314d0
+ Avoids turning on the obfucation when X11 forwarding only is in use,
+ which slows it right down. Reported by Roger Marsh
+
+ OpenBSD-Commit-ID: c292f738db410f729190f92de100c39ec931a4f1
-commit 43254b326ac6e2131dbd750f9464dc62c14bd5a7
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Sun Sep 3 23:59:32 2023 +0000
+commit 676377ce67807a24e08a54cd60ec832946cc6cae
+Author: tobhe@openbsd.org <tobhe@openbsd.org>
+Date: Mon Nov 13 09:18:19 2023 +0000
- upstream: set interactive mode for ControlPersist sessions if they
+ upstream: Make sure sftp_get_limits() only returns 0 if 'limits'
- originally requested a tty; enables keystroke timing obfuscation for most
- ControlPersist sessions. Spotted by naddy@
+ was initialized. This fixes a potential uninitialized use of 'limits' in
+ sftp_init() if sftp_get_limits() returned early because of an unexpected
+ message type.
- OpenBSD-Commit-ID: 72783a26254202e2f3f41a2818a19956fe49a772
+ ok djm@
+
+ OpenBSD-Commit-ID: 1c177d7c3becc1d71bc8763eecf61873a1d3884c
-commit ff3eda68ceb2e2bb8f48e3faceb96076c3e85c20
+commit 64e0600f23c6dec36c3875392ac95b8a9100c2d6
Author: Darren Tucker <dtucker@dtucker.net>
-Date: Thu Aug 31 23:02:35 2023 +1000
+Date: Mon Nov 13 20:03:31 2023 +1100
- Set LLONG_MAX for C89 test.
+ Test current releases of LibreSSL and OpenSSL.
- If we don't have LLONG_MAX, configure will figure out that it can get it
- by setting -std=gnu99, at which point we won't be testing C89 any more.
- To avoid this, feed it in via CFLAGS.
+ Retire some of the older releases.
-commit f98031773db361424d59e3301aa92aacf423d920
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Tue Aug 29 02:50:10 2023 +0000
+commit c8ed7cc545879ac15f6ce428be4b29c35598bb2a
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Wed Nov 1 02:08:38 2023 +0000
- upstream: make PerSourceMaxStartups first-match-wins; ok dtucker@
+ upstream: Specify ssh binary to use
- OpenBSD-Commit-ID: dac0c24cb709e3c595b8b4f422a0355dc5a3b4e7
+ ... instead of relying on installed one. Fixes test failures in -portable
+ when running tests prior to installation.
+
+ OpenBSD-Regress-ID: b6d6ba71c23209c616efc805a60d9a445d53a685
-commit cfa66857db90cd908de131e0041a50ffc17c7df8
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Mon Aug 28 09:52:09 2023 +0000
+commit e9fc2c48121cada1b4dcc5dadea5d447fe0093c3
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Wed Nov 1 13:11:31 2023 +1100
- upstream: descriptive text shouldn't be under .Cm
+ Put long-running test targets on hipri runners.
- OpenBSD-Commit-ID: b1afaeb456a52bc8a58f4f9f8b2f9fa8f6bf651b
+ Some of the selfhosted test targets take a long time to run for various
+ reasons, so label them for "libvirt-hipri" runners so that they can
+ start immediately. This should reduce the time to complete all tests.
-commit 01dbf3d46651b7d6ddf5e45d233839bbfffaeaec
+commit 7ddf27668f0e21233f08c0ab2fe9ee3fdd6ab1e2
Author: djm@openbsd.org <djm@openbsd.org>
-Date: Mon Aug 28 09:48:11 2023 +0000
+Date: Wed Nov 1 00:29:46 2023 +0000
- upstream: limit artificial login delay to a reasonable maximum (5s)
+ upstream: add some tests of forced commands overriding Subsystem
- and don't delay at all for the "none" authentication mechanism. Patch by
- Dmitry Belyavskiy in bz3602 with polish/ok dtucker@
+ directives
- OpenBSD-Commit-ID: 85b364676dd84cf1de0e98fc2fbdcb1a844ce515
+ OpenBSD-Regress-ID: eb48610282f6371672bdf2a8b5d2aa33cfbd322b
-commit 528da5b9d7c5da01ed7a73ff21c722e1b5326006
-Author: jmc@openbsd.org <jmc@openbsd.org>
-Date: Mon Aug 28 05:32:28 2023 +0000
+commit fb06f9b5a065dfbbef5916fc4accc03c0bf026dd
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
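Review bot: The bug reference in the added entry for commit 26f3f3bbc691 reads "bz5326", while the added entry for the later commit c52db0114826, which covers the same AddressFamily address filtering, cites "bz#3526". The two numbers do not agree, so one of them is probably a typo in the upstream commit message. As this ChangeLog is vendor text brought in with the 9.6p1 update, keep it unchanged here and report the mismatch upstream instead of correcting the local copy. The same applies to the spelling slips carried in the added lines ("Explictly", "obfucation").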
*** 20745 LINES SKIPPED ***