Index: /branches/rel_apv_10_7/usr/click/bin/openssh/CVE-2023-48795-mitigation.patch
===================================================================
--- /branches/rel_apv_10_7/usr/click/bin/openssh/CVE-2023-48795-mitigation.patch	(revision 39252)
+++ /branches/rel_apv_10_7/usr/click/bin/openssh/CVE-2023-48795-mitigation.patch	(working copy)
@@ -1,14 +1,14 @@
-diff --git a/myproposal.h b/myproposal.h
-index 3196c53..16a93d4 100644
---- a/myproposal.h
+diff --git a/myproposal.h.orig b/myproposal.h
+index 3d30ce1..3f83359 100644
+--- a/myproposal.h.orig
 +++ b/myproposal.h
 @@ -59,16 +59,12 @@
  	"rsa-sha2-256"
  
  #define	KEX_SERVER_ENCRYPT \
 -	"chacha20-poly1305@openssh.com," \
- 	"aes128-ctr,aes192-ctr,aes256-ctr," \
- 	"aes128-gcm@openssh.com,aes256-gcm@openssh.com"
+ 	"aes128-gcm@openssh.com,aes256-gcm@openssh.com," \
+ 	"aes128-ctr,aes192-ctr,aes256-ctr"
  
  #define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT
  
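Review bot: The refreshed inner header now pairs `--- a/myproposal.h.orig` with `+++ b/myproposal.h`, which looks like a diff taken against a backup copy rather than a clean tree. How build.sh applies this patch is not visible here, but a tool that resolves the old-side name could skip the mitigation or hit the wrong file, so I would restore `--- a/myproposal.h` and the matching `diff --git` line. Separately, nothing in the patch records why chacha20-poly1305@openssh.com is still removed from both server and client defaults (KEX_CLIENT_ENCRYPT aliases KEX_SERVER_ENCRYPT) on 10.0p2, given that upstream added strict key exchange for this CVE in 9.6. A header comment such as `Keep chacha20-poly1305 disabled for peers without strict KEX (CVE-2023-48795)` would record the intent. The inner hunk extends beyond the lines shown here.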
Index: /branches/rel_apv_10_7/usr/click/bin/openssh/Makefile
===================================================================
--- /branches/rel_apv_10_7/usr/click/bin/openssh/Makefile	(revision 39252)
+++ /branches/rel_apv_10_7/usr/click/bin/openssh/Makefile	(working copy)
@@ -1,4 +1,5 @@
 ANROOT=${.CURDIR}/../../../../anroot
+OPENSSH_FOLDER=openssh-10.0p2
 
 .if defined(UOS_X86) || defined(KYLIN)
 
@@ -16,11 +17,12 @@
 all:
 	./build.sh all
 clean:
-	rm -rf openssh-9.9p1
+	rm -rf ${OPENSSH_FOLDER}
 realclean:
 	git clean -dfx .
 install:
-	install -Dm 0755 -t ${ANROOT}/ca/bin/  ${.CURDIR}/openssh-9.9p1/sshd ${.CURDIR}/openssh-9.9p1/ssh ${.CURDIR}/openssh-9.9p1/ssh-keygen
+	install -Dm 0755 -t ${ANROOT}/ca/bin/  ${.CURDIR}/${OPENSSH_FOLDER}/sshd ${.CURDIR}/${OPENSSH_FOLDER}/ssh ${.CURDIR}/${OPENSSH_FOLDER}/ssh-keygen
 	install -Dm 0755 -t ${ANROOT}/ca/etc/ ${.CURDIR}/sshd_config
-	install -Dm 0755 ${.CURDIR}/openssh-9.9p1/sshd-session ${ANROOT}/ca/libexec/sshd-session
+	install -Dm 0755 ${.CURDIR}/${OPENSSH_FOLDER}/sshd-session ${ANROOT}/ca/libexec/sshd-session
+	install -Dm 0755 ${.CURDIR}/${OPENSSH_FOLDER}/sshd-auth ${ANROOT}/ca/libexec/sshd-auth
 .endif
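Review bot: `OPENSSH_FOLDER` is used by `clean` and `install`, but `all` still runs `./build.sh all`, and build.sh hard-codes `openssh-10.0p2` in its own hunk of this commit, so the version now lives in two places. If only one is bumped next time and an older build directory is still present, `install` could copy sshd, ssh, ssh-keygen, sshd-session and sshd-auth from that stale tree instead of the one just built. Passing the value through, e.g. `OPENSSH_FOLDER=${OPENSSH_FOLDER} ./build.sh all`, and reading it in build.sh would keep a single source of truth. The `.if` block these targets sit in starts outside this hunk.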
Index: /branches/rel_apv_10_7/usr/click/bin/openssh/array.patch
===================================================================
--- /branches/rel_apv_10_7/usr/click/bin/openssh/array.patch	(revision 39252)
+++ /branches/rel_apv_10_7/usr/click/bin/openssh/array.patch	(working copy)
@@ -1,17 +1,17 @@
 diff --git a/Makefile.in b/Makefile.in
-index 4243006..774d49d 100644
+index 4617ceb..a1343d6 100644
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -71,7 +71,7 @@ MKDIR_P=@MKDIR_P@
+@@ -74,7 +74,7 @@ MKDIR_P=@MKDIR_P@
  
  .SUFFIXES: .lo
  
--TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
-+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) synconfigd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
+-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) sshd-auth$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) $(SK_STANDALONE)
++TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) synconfigd$(EXEEXT) sshd-session$(EXEEXT) sshd-auth$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) $(SK_STANDALONE)
  
  XMSS_OBJS=\
  	ssh-xmss.o \
-@@ -167,8 +167,11 @@ MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out
+@@ -183,8 +183,11 @@ MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out
  MANPAGES_IN	= moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-sk-helper.8 sshd_config.5 ssh_config.5
  MANTYPE		= @MANTYPE@
  
@@ -25,7 +25,7 @@
  
  PATHSUBS	= \
  	-e 's|/etc/ssh/ssh_config|$(sysconfdir)/ssh_config|g' \
-@@ -193,7 +196,8 @@ FIXPATHSCMD	= $(SED) $(PATHSUBS)
+@@ -209,7 +212,8 @@ FIXPATHSCMD	= $(SED) $(PATHSUBS)
  FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(SED) \
  		     @UNSUPPORTED_ALGORITHMS@
  
@@ -35,7 +35,7 @@
  
  $(LIBSSH_OBJS): Makefile.in config.h
  $(SSHOBJS): Makefile.in config.h
-@@ -215,10 +219,13 @@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
+@@ -231,13 +235,16 @@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
  	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(GSSLIBS) $(CHANNELLIBS)
  
  sshd$(EXEEXT): libssh.a	$(LIBCOMPAT) $(SSHDOBJS)
@@ -46,9 +46,13 @@
 +	/bin/cp sshd$(EXEEXT) $@
  
  sshd-session$(EXEEXT): libssh.a	$(LIBCOMPAT) $(SSHD_SESSION_OBJS)
--	$(LD) -o $@ $(SSHD_SESSION_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS)
+-	$(LD) -o $@ $(SSHD_SESSION_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
 +	$(LD) -o $@ $(SSHD_SESSION_OBJS) $(LDFLAGS) -lssh -lldap -lssl -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) -L ../../objdir/ -L../../../lib/libexauth -lexauth -L../../../lib/libuinet-atcp/lib/libuinet -luinet_lite -L../../../lib/libuinet-atcp/lib/libuinet_sysctl -luinet_sysctl -L../../../lib/libuinet-atcp/lib/libuinetnv -luinetnv -lrt -lcrypto -L../../../lib/libfastlog -lfastlog
  
+ sshd-auth$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHD_AUTH_OBJS)
+-	$(LD) -o $@ $(SSHD_AUTH_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
++	$(LD) -o $@ $(SSHD_AUTH_OBJS) $(LDFLAGS) -lssh -lldap -lssl -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) -L ../../objdir/ -L../../../lib/libexauth -lexauth -L../../../lib/libuinet-atcp/lib/libuinet -luinet_lite -L../../../lib/libuinet-atcp/lib/libuinet_sysctl -luinet_sysctl -L../../../lib/libuinet-atcp/lib/libuinetnv -luinetnv -lrt -lcrypto -L../../../lib/libfastlog -lfastlog
+ 
  scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS)
  	$(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 diff --git a/auth-passwd.c b/auth-passwd.c
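Review bot: The new `sshd-auth$(EXEEXT)` recipe links the same vendor library set as sshd-session (`-lldap -lssl`, libexauth, the libuinet libraries, libfastlog). That pulls all of this code into the binary upstream split out in 10.0 to keep the pre-authentication address space small. If sshd-auth only needs libexauth for the patched auth-passwd.c (an assumption, since the object lists are not visible here), I would trim the line to the libraries it actually references. Both rewritten recipes also drop upstream's `$(LIBWTMPDB)`, which may break the link if configure ever enables wtmpdb. The duplicated library list could live in one variable, for example `ARRAY_LIBS` (name is a suggestion), so the two recipes cannot drift.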
@@ -1359,10 +1363,10 @@
  		freezero(password, strlen(password));
  
 diff --git a/sshd-session.c b/sshd-session.c
-index 4b79b9b..3a69164 100644
+index c64eb29..ee4ab9e 100644
 --- a/sshd-session.c
 +++ b/sshd-session.c
-@@ -110,6 +110,40 @@
+@@ -109,6 +109,40 @@
  #include "srclimit.h"
  #include "dh.h"
  
@@ -1402,8 +1406,8 @@
 +
  /* Re-exec fds */
  #define REEXEC_DEVCRYPTO_RESERVED_FD	(STDERR_FILENO + 1)
- #define REEXEC_STARTUP_PIPE_FD		(STDERR_FILENO + 2)
-@@ -862,6 +896,173 @@ set_process_rdomain(struct ssh *ssh, const char *name)
+ #define REEXEC_CONFIG_PASS_FD		(STDERR_FILENO + 2)
+@@ -828,6 +862,173 @@ set_process_rdomain(struct ssh *ssh, const char *name)
  #endif
  }
  
@@ -1577,7 +1581,7 @@
  /*
   * Main program for the daemon.
   */
-@@ -913,7 +1114,7 @@ main(int ac, char **av)
+@@ -879,7 +1080,7 @@ main(int ac, char **av)
  
  	/* Parse command-line arguments. */
  	while ((opt = getopt(ac, av,
@@ -1586,7 +1590,7 @@
  		switch (opt) {
  		case '4':
  			options.address_family = AF_INET;
-@@ -950,6 +1151,9 @@ main(int ac, char **av)
+@@ -916,6 +1117,9 @@ main(int ac, char **av)
  		case 'r':
  			/* ignore */
  			break;
@@ -1596,7 +1600,7 @@
  		case 'R':
  			rexeced_flag = 1;
  			break;
-@@ -1061,6 +1265,12 @@ main(int ac, char **av)
+@@ -1035,6 +1239,12 @@ main(int ac, char **av)
  	    SYSLOG_FACILITY_AUTH : options.log_facility,
  	    log_stderr || !inetd_flag || debug_flag);
  
@@ -1605,11 +1609,11 @@
 +		debug("uhi_shared_mem_attach() failed. ");
 +		exit(1);
 +	}
-+
- 	debug("sshd version %s, %s", SSH_VERSION, SSH_OPENSSL_VERSION);
- 
++	
  	/* Fetch our configuration */
-@@ -1347,6 +1557,13 @@ main(int ac, char **av)
+ 	if ((cfg = sshbuf_new()) == NULL)
+ 		fatal("sshbuf_new config buf failed");
+@@ -1317,6 +1527,13 @@ main(int ac, char **av)
  	if (options.routing_domain != NULL)
  		set_process_rdomain(ssh, options.routing_domain);
  
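Review bot: A failed `uhi_shared_mem_attach()` is reported only through `debug(...)` before `exit(1)`, so at the default log level the session process exits with nothing in the auth log to explain it. The block now sits right before the `fatal("sshbuf_new config buf failed")` path, so `fatal("uhi_shared_mem_attach() failed");` would match the surrounding code and leave a record for operators. The added line that holds only a tab is trailing whitespace and can stay an empty line as it was. The `if` guarding these lines starts outside the hunk.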
@@ -1623,7 +1627,7 @@
  #ifdef SSH_AUDIT_EVENTS
  	audit_event(ssh, SSH_AUTH_SUCCESS);
  #endif
-@@ -1393,6 +1610,9 @@ main(int ac, char **av)
+@@ -1363,6 +1580,9 @@ main(int ac, char **av)
  		finish_pam();
  #endif /* USE_PAM */
  
@@ -1634,13 +1638,13 @@
  	mm_audit_event(ssh, SSH_CONNECTION_CLOSE);
  #endif
 diff --git a/sshd.c b/sshd.c
-index df76dc7..fcd6b6c 100644
+index 4a93e29..ff588d8 100644
 --- a/sshd.c
 +++ b/sshd.c
-@@ -91,6 +91,14 @@
- #include "sk-api.h"
+@@ -94,6 +94,14 @@
  #include "addr.h"
  #include "srclimit.h"
+ #include "atomicio.h"
 +#include <sys/msg.h>
 +#include <sys/ipc.h>
 +#if defined(__linux__)
@@ -1652,7 +1656,7 @@
  
  /* Re-exec fds */
  #define REEXEC_DEVCRYPTO_RESERVED_FD	(STDERR_FILENO + 1)
-@@ -138,6 +146,27 @@ struct {
+@@ -140,6 +148,27 @@ struct {
  	int		have_ssh2_key;
  } sensitive_data;
  
@@ -1680,7 +1684,7 @@
  /* This is set to true when a signal is received. */
  static volatile sig_atomic_t received_siginfo = 0;
  static volatile sig_atomic_t received_sigchld = 0;
-@@ -843,6 +872,123 @@ server_listen(void)
+@@ -905,6 +934,123 @@ server_listen(void)
  		fatal("Cannot bind any address.");
  }
  
@@ -1804,7 +1808,7 @@
  /*
   * The main TCP accept loop. Note that, for the non-debug case, returns
   * from this function are in a forked subprocess.
-@@ -862,6 +1008,14 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s,
+@@ -927,6 +1073,14 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s,
  	u_char rnd[256];
  	sigset_t nsigset, osigset;
  
@@ -1819,30 +1823,28 @@
  	/* pipes connected to unauthenticated child sshd processes */
  	child_alloc();
  	startup_pollfd = xcalloc(options.max_startups, sizeof(int));
-@@ -1010,6 +1164,13 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s,
+@@ -1133,6 +1287,11 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s,
  					usleep(100 * 1000);
  				continue;
  			}
 +			if (options.synconfig == 0 && !is_permit_source((struct sockaddr *)&from)) {
 +				printf("deny connection");
 +				close(*newsock);
-+				close(startup_p[0]);
-+				close(startup_p[1]);
 +				continue;
 +			}
  			if (unset_nonblock(*newsock) == -1) {
  				close(*newsock);
  				continue;
-@@ -1236,7 +1397,7 @@ main(int ac, char **av)
- 
+@@ -1346,7 +1507,7 @@ main(int ac, char **av)
  	/* Parse command-line arguments. */
+ 	args = argv_assemble(ac, av); /* logged later */
  	while ((opt = getopt(ac, av,
 -	    "C:E:b:c:f:g:h:k:o:p:u:46DGQRTdeiqrtV")) != -1) {
 +	    "C:E:b:c:f:g:h:k:o:p:u:46DGQRTdeiqrtVs")) != -1) {
  		switch (opt) {
  		case '4':
  			options.address_family = AF_INET;
-@@ -1276,6 +1437,9 @@ main(int ac, char **av)
+@@ -1386,6 +1547,9 @@ main(int ac, char **av)
  		case 'r':
  			logit("-r option is deprecated");
  			break;
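Review bot: The source-ACL rejection in server_accept_loop reports itself with `printf("deny connection")`, which writes to the listener's stdout rather than the log and carries no peer address. Denied connections therefore leave nothing for monitoring or incident review. `logit(...)` is already used in this file, so something like `logit("connection denied by source ACL");`, ideally with the address formatted from `from`, would make rejections visible. The refreshed patch also drops the `close(startup_p[0])` and `close(startup_p[1])` calls from this branch. That is correct only if the startup pipe has not yet been created at this point in 10.0, which is worth confirming against the upstream function because its body is outside the hunk.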
Index: /branches/rel_apv_10_7/usr/click/bin/openssh/build.sh
===================================================================
--- /branches/rel_apv_10_7/usr/click/bin/openssh/build.sh	(revision 39252)
+++ /branches/rel_apv_10_7/usr/click/bin/openssh/build.sh	(working copy)
@@ -1,17 +1,17 @@
 #!/usr/bin/env bash
 
-if [ ! -d openssh-9.9p1 ]
+if [ ! -d openssh-10.0p2 ]
 then
-	if [ -f openssh-9.9p1.tar.gz ]
+	if [ -f openssh-10.0p2.tar.gz ]
 	then
-		tar -zxvf openssh-9.9p1.tar.gz
-		cd openssh-9.9p1
+		tar -zxvf openssh-10.0p2.tar.gz
+		cd openssh-10.0p2
 	else
 		echo "source tar.gz file not exist!"
 		exit 1
 	fi
 else
-	cd openssh-9.9p1
+	cd openssh-10.0p2
 fi
 
 if [ Makefile -nt configure ]
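Review bot: `tar -zxvf openssh-10.0p2.tar.gz` unpacks the newly committed binary tarball without checking it against a known digest, so a corrupted or substituted archive would be built and installed unnoticed. Committing a checksum file next to the tarball and adding `sha256sum -c openssh-10.0p2.tar.gz.sha256 || exit 1` before the `tar` line (file name is a suggestion) would close that gap. The `cd openssh-10.0p2` calls are also unchecked. `cd openssh-10.0p2 || exit 1` would stop the rest of the script, which continues outside this hunk, from running in the parent directory.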
Index: /branches/rel_apv_10_7/usr/click/bin/openssh/openssh-10.0p2.tar.gz
===================================================================
Cannot display: file marked as a binary type.
svn:mime-type = application/x-gzip
Index: /branches/rel_apv_10_7/usr/click/bin/openssh/openssh-10.0p2.tar.gz
===================================================================
--- /branches/rel_apv_10_7/usr/click/bin/openssh/openssh-10.0p2.tar.gz	(revision 0)
+++ /branches/rel_apv_10_7/usr/click/bin/openssh/openssh-10.0p2.tar.gz	(working copy)

Property changes on: usr/click/bin/openssh/openssh-10.0p2.tar.gz
___________________________________________________________________
Added: svn:mime-type
## -0,0 +1 ##
+application/x-gzip
\ No newline at end of property
Index: /branches/rel_apv_10_7/usr/click/bin/openssh/sshd_config
===================================================================
--- /branches/rel_apv_10_7/usr/click/bin/openssh/sshd_config	(revision 39252)
+++ /branches/rel_apv_10_7/usr/click/bin/openssh/sshd_config	(working copy)
@@ -110,7 +110,7 @@
 #PrintLastLog yes
 #TCPKeepAlive yes
 #UseLogin no
-UsePrivilegeSeparation no
+#UsePrivilegeSeparation no
 #PermitUserEnvironment no
 #Compression delayed
 #ClientAliveInterval 0
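Review bot: Commenting the directive out as `#UsePrivilegeSeparation no` leaves a line that, under this file's convention of showing defaults as comments, reads as if privilege separation defaults to off. The option is deprecated upstream and privilege separation is always enabled, so I would delete the line or replace it with `# UsePrivilegeSeparation is deprecated; privilege separation is always enabled`.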
