Subject: CVS commit: pkgsrc/security/openssh
To: None <pkgsrc-changes@NetBSD.org>
From: Takahiro Kambe <taca@netbsd.org>
List: pkgsrc-changes
Date: 10/31/2006 03:31:20
Module Name:	pkgsrc
Committed By:	taca
Date:		Tue Oct 31 03:31:20 UTC 2006

Modified Files:
	pkgsrc/security/openssh: Makefile distinfo hacks.mk options.mk
	pkgsrc/security/openssh/patches: patch-aa patch-ab patch-ac patch-ad
	    patch-ae patch-af patch-ag patch-ah patch-ai patch-aj patch-ak
	    patch-al patch-am patch-an patch-ao patch-ap patch-aq patch-ar
	    patch-as patch-au patch-av patch-aw
Removed Files:
	pkgsrc/security/openssh/patches: patch-at patch-ax patch-ay patch-az

Log Message:
Update openssh package to 4.4.1 (openssh-4.4p1).

- A few pkglint warning cleanups.
- Major changes are here.  For complete changes,
  see http://www.openssh.com/txt/release-4.4.

Changes since OpenSSH 4.3:
============================

Security bugs resolved in this release:

 * Fix a pre-authentication denial of service found by Tavis Ormandy,
   that would cause sshd(8) to spin until the login grace time
   expired.

 * Fix an unsafe signal handler reported by Mark Dowd. The signal
   handler was vulnerable to a race condition that could be exploited
   to perform a pre-authentication denial of service. On portable
   OpenSSH, this vulnerability could theoretically lead to
   pre-authentication remote code execution if GSSAPI authentication
   is enabled, but the likelihood of successful exploitation appears
   remote.

 * On portable OpenSSH, fix a GSSAPI authentication abort that could
   be used to determine the validity of usernames on some platforms.

This release includes the following new functionality and fixes:

 * Implemented conditional configuration in sshd_config(5) using the
   "Match" directive. This allows some configuration options to be
   selectively overridden if specific criteria (based on user, group,
   hostname and/or address) are met. So far a useful subset of post-
   authentication options are supported and more are expected to be
   added in future releases.

 * Add support for Diffie-Hellman group exchange key agreement with a
   final hash of SHA256.

 * Added a "ForceCommand" directive to sshd_config(5). Similar to the
   command="..." option accepted in ~/.ssh/authorized_keys, this forces
   the execution of the specified command regardless of what the user
   requested. This is very useful in conjunction with the new "Match"
   option.

 * Add a "PermitOpen" directive to sshd_config(5). This mirrors the
   permitopen="..." authorized_keys option, allowing fine-grained
   control over the port-forwardings that a user is allowed to
   establish.

 * Add optional logging of transactions to sftp-server(8).

 * ssh(1) will now record port numbers for hosts stored in
   ~/.ssh/authorized_keys when a non-standard port has been requested.

 * Add an "ExitOnForwardFailure" option to cause ssh(1) to exit (with
   a non-zero exit code) when requested port forwardings could not be
   established.

 * Extend sshd_config(5) "SubSystem" declarations to allow the
   specification of command-line arguments.

 * Replacement of all integer overflow susceptible invocations of
   malloc(3) and realloc(3) with overflow-checking equivalents.

 * Many manpage fixes and improvements

 * New portable OpenSSH-specific features:

   - Add optional support for SELinux, controlled using the
     --with-selinux configure option (experimental)

   - Add optional support for Solaris process contracts, enabled
     using the --with-solaris-contracts configure option (experimental)
     This option will also include SMF metadata in Solaris packages
     built using the "make package" target

   - Add optional support for OpenSSL hardware accelerators (engines),
     enabled using the --with-ssl-engine configure option.


To generate a diff of this commit:
cvs rdiff -r1.171 -r1.172 pkgsrc/security/openssh/Makefile
cvs rdiff -r1.54 -r1.55 pkgsrc/security/openssh/distinfo
cvs rdiff -r1.1 -r1.2 pkgsrc/security/openssh/hacks.mk
cvs rdiff -r1.8 -r1.9 pkgsrc/security/openssh/options.mk
cvs rdiff -r1.41 -r1.42 pkgsrc/security/openssh/patches/patch-aa
cvs rdiff -r1.23 -r1.24 pkgsrc/security/openssh/patches/patch-ab \
    pkgsrc/security/openssh/patches/patch-ah
cvs rdiff -r1.15 -r1.16 pkgsrc/security/openssh/patches/patch-ac
cvs rdiff -r1.11 -r1.12 pkgsrc/security/openssh/patches/patch-ad \
    pkgsrc/security/openssh/patches/patch-ae
cvs rdiff -r1.9 -r1.10 pkgsrc/security/openssh/patches/patch-af \
    pkgsrc/security/openssh/patches/patch-ai
cvs rdiff -r1.8 -r1.9 pkgsrc/security/openssh/patches/patch-ag \
    pkgsrc/security/openssh/patches/patch-ao
cvs rdiff -r1.6 -r1.7 pkgsrc/security/openssh/patches/patch-aj \
    pkgsrc/security/openssh/patches/patch-al \
    pkgsrc/security/openssh/patches/patch-am \
    pkgsrc/security/openssh/patches/patch-ar
cvs rdiff -r1.7 -r1.8 pkgsrc/security/openssh/patches/patch-ak \
    pkgsrc/security/openssh/patches/patch-an \
    pkgsrc/security/openssh/patches/patch-ap
cvs rdiff -r1.5 -r1.6 pkgsrc/security/openssh/patches/patch-aq
cvs rdiff -r1.4 -r1.5 pkgsrc/security/openssh/patches/patch-as \
    pkgsrc/security/openssh/patches/patch-av
cvs rdiff -r1.3 -r0 pkgsrc/security/openssh/patches/patch-at
cvs rdiff -r1.2 -r1.3 pkgsrc/security/openssh/patches/patch-au
cvs rdiff -r1.1 -r1.2 pkgsrc/security/openssh/patches/patch-aw
cvs rdiff -r1.1 -r0 pkgsrc/security/openssh/patches/patch-ax \
    pkgsrc/security/openssh/patches/patch-ay \
    pkgsrc/security/openssh/patches/patch-az

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
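
The release notes above mention replacing overflow-susceptible malloc(3) and realloc(3) calls with overflow-checking equivalents. The sketch below is an added illustration of that technique, not code from OpenSSH or pkgsrc; the helper names (unchecked_bytes, mul_ok, checked_calloc, checked_realloc_array) and the element count are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The pattern being replaced: the product wraps modulo SIZE_MAX + 1. */
size_t unchecked_bytes(size_t nmemb, size_t size)
{
    return nmemb * size;
}

/* Store nmemb * size in *out; return 0 if the product would wrap. */
static int mul_ok(size_t nmemb, size_t size, size_t *out)
{
    if (size != 0 && nmemb > SIZE_MAX / size)
        return 0;
    *out = nmemb * size;
    return 1;
}

/* Hypothetical helper: zeroed array allocation that rejects a zero or
 * wrapped request instead of returning an undersized buffer. */
void *checked_calloc(size_t nmemb, size_t size)
{
    size_t total;
    void *p;
    if (nmemb == 0 || size == 0 || !mul_ok(nmemb, size, &total))
        return NULL;
    p = malloc(total);
    if (p != NULL)
        memset(p, 0, total);
    return p;
}

/* Hypothetical helper: resize an array; on NULL the old block is untouched. */
void *checked_realloc_array(void *ptr, size_t nmemb, size_t size)
{
    size_t total;
    if (nmemb == 0 || size == 0 || !mul_ok(nmemb, size, &total))
        return NULL;
    return realloc(ptr, total);
}

int main(void)
{
    size_t n = SIZE_MAX / 4 + 2;   /* constructed count: n * 4 wraps to 4 */
    printf("unchecked: %zu bytes\n", unchecked_bytes(n, 4));
    printf("checked:   %s\n", checked_calloc(n, 4) ? "allocated" : "refused");
    return 0;
}
```

With the unchecked form, a caller that believes it holds n four-byte elements would write far past a 4-byte buffer; the checked helpers turn the same request into an allocation failure the caller has to handle.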