16:05 Bryan Drewery (bdrewery) 

security/openssh-portable: Update to 8.6p1

- gssapi is disabled for now.

Changes:
 - https://www.openssh.com/txt/release-8.5
 - https://www.openssh.com/txt/release-8.6

Submitted by:	Yasuhiro Kimura [earlier version][1]
PR:		254389 [1]

    de9fffc

03:41 bdrewery 

- Add pkg-config dependency which avoids some maintainer testing errors
  and also removes a few unneeded library links such as -lcurses.
- libfido2 package is broken with pkg-config and base ssl. Workaround this
  by not using pkg-config for that library for now.
- Add USES=localbase to simplify some options
- Make crypt(3) MD5 password support optional but still on-by-default.  The
  default in FreeBSD changed in 10.0 but that does not mean
- Enable -Werror
- Remove some old baggage from the port build
 o The zlib version check has not been needed for a while.
 o sshd.8 has not had %%PREFIX%% or %$RC_SCRIPT_NAME%% since 2011
   and is not worth more patches/complexity.
 o The strnvis(3) problem noted in r311891 was fixed in OpenSSH 7.4.
 o autoreconf is run so it makes no sense to patch configure for -ldes
 o --with-md5-passwords is not needed as our crypt(3) supports it
   natively.  This is only relevant without PAM.

 

23:15 bdrewery 

- Simplify and refactor login.conf environment handling.

 

21:56 bdrewery 

Fix build without PAM option

 

03:48 bdrewery 

Update to 8.0p1

Changes: https://www.openssh.com/txt/release-8.0

With help from:	Lee Prokowich
Sponsored by:	DellEMC

 

21:55 bdrewery 

- Fix X509 build after r484765 openssl fix
- Fix patch URL for KERB_GSSAPI
- Add FLAVORs for x509 and gssapi since they are distinct types of
  OpenSSH rather than feature flags.

Approved by:	portmgr (implicit)

 

20:21 bdrewery 

Update to 7.9p1.

- Fixes build on 12, head, and openssl-devel.
- GSSAPI and HPN are currently marked BROKEN as I don't want to block
  the main update for anyone.

  http://www.openssh.com/txt/release-7.8
  http://www.openssh.com/txt/release-7.9

MFH:	2018Q4 (due to being broken on 12+head)

 

18:20 bdrewery 

Update to 7.7p1

- Update x509 patch to 11.3
- Remove SCTP option as it has not had a patch available since 7.2.

Changes: https://www.openssh.com/txt/release-7.7

Notable changes:
 * ssh(1)/sshd(8): Drop compatibility support for some very old SSH
   implementations, including ssh.com <=2.* and OpenSSH <= 3.*. These
   versions were all released in or before 2001 and predate the final
   SSH RFCs. The support in question isn't necessary for RFC-compliant
   SSH implementations.

 

19:30 bdrewery 

Update to 7.4p1.

- Update X509 patch to 9.3
- SCTP patch from soralx@cydem.org

Changes: https://www.openssh.com/txt/release-7.4

 

21:21 bdrewery 

Make portlint stop spamming me.  It's gotten quite silly.

There's no reason to regenerate these for the sake of having 'UTC' in the patch
and it also considers patches with comments to be invalid.

WARN: /root/svn/ports/security/openssh-portable/files/patch-auth.c: patch was
not generated using ``make makepatch''.  It is recommended to use ``make
makepatch'' when you need to [re-]generate a patch to ensure proper patch
format.
WARN: /root/svn/ports/security/openssh-portable/files/patch-auth2.c: patch was
not generated using ``make makepatch''.  It is recommended to use ``make
makepatch'' when you need to [re-]generate a patch to ensure proper patch
format.
WARN: /root/svn/ports/security/openssh-portable/files/patch-readconf.c: patch
was not generated using ``make makepatch''.  It is recommended to use ``make
makepatch'' when you need to [re-]generate a patch to ensure proper patch
format.
WARN:
/root/svn/ports/security/openssh-portable/files/patch-regress__test-exec.sh:
patch was not generated using ``make makepatch''.  It is recommended to use
``make makepatch'' when you need to [re-]generate a patch to ensure proper patch
format.
WARN: /root/svn/ports/security/openssh-portable/files/patch-servconf.c: patch
was not generated using ``make makepatch''.  It is recommended to use ``make
makepatch'' when you need to [re-]generate a patch to ensure proper patch
format.
WARN: /root/svn/ports/security/openssh-portable/files/patch-session.c: patch was
not generated using ``make makepatch''.  It is recommended to use ``make
makepatch'' when you need to [re-]generate a patch to ensure proper patch
format.
WARN: /root/svn/ports/security/openssh-portable/files/patch-ssh-agent.1: patch
was not generated using ``make makepatch''.  It is recommended to use ``make
makepatch'' when you need to [re-]generate a patch to ensure proper patch
format.
WARN: /root/svn/ports/security/openssh-portable/files/patch-ssh-agent.c: patch
was not generated using ``make makepatch''.  It is recommended to use ``make
makepatch'' when you need to [re-]generate a patch to ensure proper patch
format.
WARN: /root/svn/ports/security/openssh-portable/files/patch-ssh.c: patch was not
generated using ``make makepatch''.  It is recommended to use ``make makepatch''
when you need to [re-]generate a patch to ensure proper patch format.
WARN: /root/svn/ports/security/openssh-portable/files/patch-ssh_config: patch
was not generated using ``make makepatch''.  It is recommended to use ``make
makepatch'' when you need to [re-]generate a patch to ensure proper patch
format.
WARN: /root/svn/ports/security/openssh-portable/files/patch-ssh_config.5: patch
was not generated using ``make makepatch''.  It is recommended to use ``make
makepatch'' when you need to [re-]generate a patch to ensure proper patch
format.
WARN: /root/svn/ports/security/openssh-portable/files/patch-sshconnect.c: patch
was not generated using ``make makepatch''.  It is recommended to use ``make
makepatch'' when you need to [re-]generate a patch to ensure proper patch
format.
WARN: /root/svn/ports/security/openssh-portable/files/patch-sshd.8: patch was
not generated using ``make makepatch''.  It is recommended to use ``make
makepatch'' when you need to [re-]generate a patch to ensure proper patch
format.
WARN: /root/svn/ports/security/openssh-portable/files/patch-sshd.c: patch was
not generated using ``make makepatch''.  It is recommended to use ``make
makepatch'' when you need to [re-]generate a patch to ensure proper patch
format.
WARN: /root/svn/ports/security/openssh-portable/files/patch-sshd_config: patch
was not generated using ``make makepatch''.  It is recommended to use ``make
makepatch'' when you need to [re-]generate a patch to ensure proper patch
format.
WARN: /root/svn/ports/security/openssh-portable/files/patch-sshd_config.5: patch
was not generated using ``make makepatch''.  It is recommended to use ``make
makepatch'' when you need to [re-]generate a patch to ensure proper patch
format.

 

02:20 bdrewery 

- Update to 6.3p1
  Changelog: http://www.openssh.org/txt/release-6.3
- Use options helpers where possible
- Use upstream patch mirror for x509 and HPN
- Update HPN patch to v14 and use upstream version
- Add option NONECIPHER to allow disabling NONE in HPN patch
- Update x509 patch from 7.4.1 to 7.6
- Add support for LDNS and enable by it and VerifyHostKeyDNS/SSHFP by default.
  See
http://lists.freebsd.org/pipermail/freebsd-security/2013-September/007180.html
  which describes this change, but is supported on releases before 10 as well
  with LDNS option.
- Update SCTP to patchlevel 2329
- Update recommendation on secure usage of SSH
- Add pkg-message warning about ECDSA key possibly being incorrect due to
  previously being written as DSA by the rc script and fixed in r299902 in
  2012

 

19:47 bdrewery 

- Update to 6.2p2

- The LPK patch has been updated but is obsolete, deprecated and
  untested. It has been replaced by AuthorizedKeysCommand
- The upstream HPN's last update was for 6.1 and is mostly
  abandoned. The patch has had bugs since 5.9. I have reworked
  it and split into into HPN and AES_THREADED options. The
  debugging/logging part of the patch is incomplete. I may
  change the patch to more closely match our base version
  eventually.
- The KERB_GSSAPI option has been removed as the patch has not
  been updated by upstream since 5.7
- sshd VersionAddendum is currently not working as intended;
  it will be fixed later to allow removing the port/pkg version.
- Update our patchset to match latest base version
- Bring in ssh-agent -x support from base
- I incrementally updated the port from 5.8 up to 6.2p2 along
  with patches. You can find all of the versions at
  https://github.com/bdrewery/openssh

Changes:
    http://www.openssh.com/txt/release-5.9
    http://www.openssh.org/txt/release-6.0
    http://www.openssh.org/txt/release-6.1
    http://www.openssh.org/txt/release-6.2
    http://www.openssh.org/txt/release-6.2p2

 

14:16 bdrewery 

- Remove copyright as it was a base customization that was removed in
  base r213250

 

13:56 bdrewery 

- Remove CHROOT option and patch. ChrootDirectory was added in 5.0
  to achieve the same thing.

 

00:35 bdrewery 

- Remove compatibiliy for FreeBSD <4.x
  * /var/empty has been in hier(7) since 4.x
  * User sshd has been in base since 4.x
  * Simplify a patch for realhostname_sa(3) usage
- Remove SUID_SSH - It was removed from ssh in 2002
- Fix 'make test'
- Add some hints into the patches on where they came from
- Mirror all patches
- Move LPK patch out of files/
- Remove the need for 2 patches
  * Removal of 'host-key check-config' in install phase
  * Adding -lutil
- Add SCTP support [1]
- Remove FILECONTROL as it has not been supported since the 5.8
  update
- Replace tab with space pkg-descr
- Remove default WRKSRC
- Add 'configtest' command to rc script
- Mark X509 broken with other patches due to PATCH_DIST_STRIP=-p1

PR:		ports/174570 [1]
Submitted by:	oleg <proler@gmail.com> [1]
Obtained from:	https://bugzilla.mindrot.org/show_bug.cgi?id=2016 (upstream) [1]
Feature safe:	yes

 

16:18 flo 

- update to 5.8p2 [1]
- fix Kerberos knob [2]
- fix build on 9.0 [3]
- fix deinstall with various knobs [4]
- fix LPK knob [5]

PR:             ports/161818 [1], ports/144597 [2], ports/160389 [3]
                ports/150493, ports/156926 [4], ports/155456 [5]

Submitted by:   "Grzegorz Blach" <magik@roorback.net> [1], [2], [4], [5]
                pluknet [3]
Reported by:    Jonathan <lordsith49@hotmail.com> [2]
                Kevin Thompson <antiduh@csh.rit.edu> [4]
                Alexey Remizov <alexey@remizov.org> [5]

17:26 pav 

- Update to 5.1p1

PR:             ports/128679
Submitted by:   Sunpoet Po-Chuan Hsieh <sunpoet@sunpoet.net>
Approved by:    maintainer timeout (mnag; 4 months)

13:46 mnag 

- Update to 5.0p1
- Port LPK patch to 5.0p1 and add to files dir
- Remove USE_PERL_BUILD since doesn't need [1]
- Update KERB_GSSAPI to 5.0p1
- Update HPN patch to 5.0p1 13v3
- Respect LOCALBASE on configure_args of LPK [2]
- Change MASTER_SITE of snapshot
- portlint(1)

PR:             121826 [2]
Submitted by:   Andrew Kolchoogin <andrew___rinet.ru> [2]
Reported by:    Björn König <bkoenig___alpha-tierchen.d [1]

14:28 mnag 

- Fix CHROOT patch using chroot() before setusercontext() and add strerror() in
message if chroot() fail.

Notified by:    Chris Gardner <chris_g_g___hotmail.com>

02:15 mnag 

- Update to 4.4p1.
- Disable temporary HPN patch until HPN release new version.
- Fix rc.d script path in sshd.8
- Add FreeBSD-${PKGNAME} in SSH_VERSION and SSH_RELEASE like src does.
- Sync patches with src.

Security:       CVE-2006-4924, CVE-2006-5051

01:00 ahze 

- Update to 4.0p1

PR:             ports/79029
Submitted by:   Dimitry Andric <dimitry@andric.com>

19:16 pav 

- sshd child process crashes when user with expired password logs in.
  Fix unitialized pointer in our local patch.

PR:             ports/75204
Submitted by:   Andriy Gapon <avg@icyb.net.ua>

04:43 dinoex 

- new option WITH_OPENSSH_CHROOT
Submitted by:   KANAI Makoto

11:35 dinoex 

- update to 3.9p1

set PORTVERSION 3.9.0.1 to avoid another
bump of PORTEPOCH if 3.9.1p1 come out.

- new option OPENSSH_SNAPSHOT

18:13 dinoex 

- update to 3.7.1p2
more regressions tests successfull

16:07 nectar 

Add Solar Designer's additional fixes to buffer management.

03:02 dinoex 

- Update to 3.6p1

03:56 dinoex 

- cleanup of mor patches
- fix Makefile to avoid key-generation on bento.

04:40 dinoex 

Update to 3.5p1

19:37 dinoex 

Cleanup patch to avoid conflicts with GSSAPI patches

19:31 dinoex 

give Enviroment from login.conf priority over all others,
problem found by drs@rucus.ru.ac.za.

17:40 dinoex 

update patch for 3.4

12:22 dinoex 

Thanks to max@wide.ad.jp, maxim, obraun@informatik.unibw-muenchen.de, fjoe
Patch from current, noted by drs@rucus.ru.ac.za:
environment variables in the 'setenv' field of login.conf are set now.

07:28 dinoex 

Update to OpenSSH 3.2.3

- patch openssh-3.1-adv.token.patch is now obsolete.
- remerged PAM changes form previous port
- declare CMSG_* macros.
- fixed bad type in function input_userauth_passwd_changereq

Update to OpenSSH-portable-3.2.3p1

- patch openssh-3.1p1-adv.token.patch is now obsolete
- keep previously declared CONFIGURE_ARGS
- remove openssh-mit-krb5-20020326.diff (should be in the distribution now)
- patch patch-readpassphrase.c is now in teh distribution
- merged previous patches.
- extend CONFIGURE_ARGS so it find OPENSSL again.
- new patches for GSSAPI, not fully tested.

If you have the patch applied:
http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/36080

Builds with openssl-0.9.6d under:
2.2.8-RELEASE
3.2-RELEASE
4.2-RELEASE
4.6-RC

20:02 dinoex 

Updated Patch on openBSD website,
patch openssh/files/patch-cipher.c is now obsolete.

05:39 dinoex 

- Fix problem with auth_ttyok and ttyname
- Make KERBEROS patch build with heimdal port

20:24 dinoex 

Merged patches for HAVE_LOGIN_CAP from stable

PR:             35904

05:54 dinoex 

Update to OpenSSH 3.1 OpennSSH-portable 3.1p1    

16:19 dinoex 

- Update to OpenSSH 2.9.9p2   - security-patch for cookie files obsolete   - MD5
password support activated    

21:08 dwcjr 

Fix FreeBSD specific patch, exit now if change of password fails.    

15:49 dinoex 

New port:   OpenSSH portable, which has GNU-configure and more.   Diffs to
OpenSSH-OPenBSD are huge.   So this is here a complete diffrent branch, no
repro-copy   - Did a bit cleanup in the Makefile