pkgsrc-WIP-changes archive
ssh-audit: prepare update to 3.1.0 with patch for terrapin
Module Name: pkgsrc-wip
Committed By: Dr. Thomas Orgis <thomas.orgis%uni-hamburg.de@localhost>
Pushed By: thor
Date: Tue Dec 26 15:47:30 2023 +0100
Changeset: 70b6b244154860b71eff8441ea03160b77853f34
Modified Files:
Makefile
Added Files:
ssh-audit/DESCR
ssh-audit/Makefile
ssh-audit/PLIST
ssh-audit/distinfo
ssh-audit/patches/patch-01-upstream-44393c-more-cbc.patch
Log Message:
ssh-audit: prepare update to 3.1.0 with patch for terrapin
upstream changes since 3.0.0:

v3.2.0-dev (???)
 - Expanded filter of CBC ciphers to flag for the Terrapin vulnerability. It now includes more rarely found ciphers.

v3.1.0 (2023-12-20)
 - Added test for the Terrapin message prefix truncation vulnerability (CVE-2023-48795).
 - Dropped support for Python 3.7 (EOL was reached in June 2023).
 - Added Python 3.12 support.
 - In server policies, reduced expected DH modulus sizes from 4096 to 3072 to match the online hardening guides (note that 3072-bit moduli provide the equivalent of 128-bit symmetric security).
 - In Ubuntu 22.04 client policy, moved host key types sk-ssh-ed25519@openssh.com and ssh-ed25519 to the end of all certificate types.
 - Updated Ubuntu Server & Client policies for 20.04 and 22.04 to account for key exchange list changes due to Terrapin vulnerability patches.
 - Re-organized option host key types for OpenSSH 9.2 server policy to correspond with updated Debian 12 hardening guide.
 - Added built-in policies for OpenSSH 9.5 and 9.6.
 - Added an additional_notes field to the JSON output.
To see a diff of this commit:
https://wip.pkgsrc.org/cgi-bin/gitweb.cgi?p=pkgsrc-wip.git;a=commitdiff;h=70b6b244154860b71eff8441ea03160b77853f34
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
diffstat:
Makefile | 1 +
ssh-audit/DESCR | 15 +++
ssh-audit/Makefile | 30 ++++++
ssh-audit/PLIST | 101 +++++++++++++++++++++
ssh-audit/distinfo | 6 ++
.../patch-01-upstream-44393c-more-cbc.patch | 47 ++++++++++
6 files changed, 200 insertions(+)
diffs:
diff --git a/Makefile b/Makefile
index 825fac20c7..9bac8fd845 100644
--- a/Makefile
+++ b/Makefile
@@ -5190,6 +5190,7 @@ SUBDIR+= src
SUBDIR+= srecord
SUBDIR+= srvx
SUBDIR+= sselp
+SUBDIR+= ssh-audit
SUBDIR+= ssh_ping
SUBDIR+= ssid
SUBDIR+= ssiv-git
diff --git a/ssh-audit/DESCR b/ssh-audit/DESCR
new file mode 100644
index 0000000000..c4eb8de610
--- /dev/null
+++ b/ssh-audit/DESCR
@@ -0,0 +1,15 @@
+ssh-audit is a tool for ssh server & client configuration auditing.
+
+Features:
+* SSH1 and SSH2 protocol server support
+* analyze SSH client configuration
+* grab banner, recognize device or software and OS, detect compression
+* gather key-exchange, host-key, encryption and MAC algorithms
+* output algorithm information
+ (available since, removed/disabled, unsafe/weak/legacy, etc)
+* output algorithm recommendations
+ (append or remove based on recognized software version)
+* output security information (related issues, assigned CVE list, etc)
+* analyze SSH version compatibility based on algorithm information
+* historical information from OpenSSH, Dropbear SSH and libssh
+* policy scans to ensure adherence to a hardened/standard configuration
diff --git a/ssh-audit/Makefile b/ssh-audit/Makefile
new file mode 100644
index 0000000000..9feff1c778
--- /dev/null
+++ b/ssh-audit/Makefile
@@ -0,0 +1,30 @@
+# $NetBSD: Makefile,v 1.5 2023/10/19 12:58:34 wiz Exp $
+
+DISTNAME= ssh-audit-3.1.0
+# revision 1 because of added patch from upstream
+PKGREVISION= 1
+CATEGORIES= security
+MASTER_SITES= ${MASTER_SITE_GITHUB:=jtesta/}
+GITHUB_RELEASE= v${PKGVERSION_NOREV}
+
+MAINTAINER= pkgsrc-users%NetBSD.org@localhost
+HOMEPAGE= https://github.com/jtesta/ssh-audit/
+COMMENT= Tool for SSH server & client configuration auditing
+LICENSE= mit
+
+TEST_DEPENDS+= ${PYPKGPREFIX}-test-[0-9]*:../../devel/py-test
+
+USE_LANGUAGES= # none
+
+INSTALLATION_DIRS+= ${PKGMANDIR}/man1
+
+post-install:
+ ${RUN}${INSTALL_MAN} ${WRKSRC}/ssh-audit.1 \
+ ${DESTDIR}${PREFIX}/${PKGMANDIR}/man1
+
+TEST_ENV+= PYTHONPATH=${WRKSRC}/build/lib
+do-test:
+ cd ${WRKSRC} && ${SETENV} ${TEST_ENV} pytest-${PYVERSSUFFIX}
+
+.include "../../lang/python/egg.mk"
+.include "../../mk/bsd.pkg.mk"
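Review bot: PKGREVISION=1 looks unnecessary in this Makefile: the log message describes a version update from 3.0.0 to 3.1.0, and the new DISTNAME already forces a rebuild, so the revision only needs bumping if an unpatched 3.1.0 has already been published; if it is kept on purpose, the comment above it should say why. Since the log message also states that upstream dropped Python 3.7, consider setting PYTHON_VERSIONS_INCOMPATIBLE so that egg.mk does not offer the package for interpreter versions upstream no longer supports.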
diff --git a/ssh-audit/PLIST b/ssh-audit/PLIST
new file mode 100644
index 0000000000..1141a41cff
--- /dev/null
+++ b/ssh-audit/PLIST
@@ -0,0 +1,101 @@
+@comment $NetBSD: PLIST,v 1.2 2022/11/15 15:08:22 fcambus Exp $
+bin/ssh-audit
+${PYSITELIB}/${EGG_INFODIR}/PKG-INFO
+${PYSITELIB}/${EGG_INFODIR}/SOURCES.txt
+${PYSITELIB}/${EGG_INFODIR}/dependency_links.txt
+${PYSITELIB}/${EGG_INFODIR}/entry_points.txt
+${PYSITELIB}/${EGG_INFODIR}/top_level.txt
+${PYSITELIB}/ssh_audit/__init__.py
+${PYSITELIB}/ssh_audit/__init__.pyc
+${PYSITELIB}/ssh_audit/__init__.pyo
+${PYSITELIB}/ssh_audit/__main__.py
+${PYSITELIB}/ssh_audit/__main__.pyc
+${PYSITELIB}/ssh_audit/__main__.pyo
+${PYSITELIB}/ssh_audit/algorithm.py
+${PYSITELIB}/ssh_audit/algorithm.pyc
+${PYSITELIB}/ssh_audit/algorithm.pyo
+${PYSITELIB}/ssh_audit/algorithms.py
+${PYSITELIB}/ssh_audit/algorithms.pyc
+${PYSITELIB}/ssh_audit/algorithms.pyo
+${PYSITELIB}/ssh_audit/auditconf.py
+${PYSITELIB}/ssh_audit/auditconf.pyc
+${PYSITELIB}/ssh_audit/auditconf.pyo
+${PYSITELIB}/ssh_audit/banner.py
+${PYSITELIB}/ssh_audit/banner.pyc
+${PYSITELIB}/ssh_audit/banner.pyo
+${PYSITELIB}/ssh_audit/exitcodes.py
+${PYSITELIB}/ssh_audit/exitcodes.pyc
+${PYSITELIB}/ssh_audit/exitcodes.pyo
+${PYSITELIB}/ssh_audit/fingerprint.py
+${PYSITELIB}/ssh_audit/fingerprint.pyc
+${PYSITELIB}/ssh_audit/fingerprint.pyo
+${PYSITELIB}/ssh_audit/gextest.py
+${PYSITELIB}/ssh_audit/gextest.pyc
+${PYSITELIB}/ssh_audit/gextest.pyo
+${PYSITELIB}/ssh_audit/globals.py
+${PYSITELIB}/ssh_audit/globals.pyc
+${PYSITELIB}/ssh_audit/globals.pyo
+${PYSITELIB}/ssh_audit/hostkeytest.py
+${PYSITELIB}/ssh_audit/hostkeytest.pyc
+${PYSITELIB}/ssh_audit/hostkeytest.pyo
+${PYSITELIB}/ssh_audit/kexdh.py
+${PYSITELIB}/ssh_audit/kexdh.pyc
+${PYSITELIB}/ssh_audit/kexdh.pyo
+${PYSITELIB}/ssh_audit/outputbuffer.py
+${PYSITELIB}/ssh_audit/outputbuffer.pyc
+${PYSITELIB}/ssh_audit/outputbuffer.pyo
+${PYSITELIB}/ssh_audit/policy.py
+${PYSITELIB}/ssh_audit/policy.pyc
+${PYSITELIB}/ssh_audit/policy.pyo
+${PYSITELIB}/ssh_audit/product.py
+${PYSITELIB}/ssh_audit/product.pyc
+${PYSITELIB}/ssh_audit/product.pyo
+${PYSITELIB}/ssh_audit/protocol.py
+${PYSITELIB}/ssh_audit/protocol.pyc
+${PYSITELIB}/ssh_audit/protocol.pyo
+${PYSITELIB}/ssh_audit/readbuf.py
+${PYSITELIB}/ssh_audit/readbuf.pyc
+${PYSITELIB}/ssh_audit/readbuf.pyo
+${PYSITELIB}/ssh_audit/software.py
+${PYSITELIB}/ssh_audit/software.pyc
+${PYSITELIB}/ssh_audit/software.pyo
+${PYSITELIB}/ssh_audit/ssh1.py
+${PYSITELIB}/ssh_audit/ssh1.pyc
+${PYSITELIB}/ssh_audit/ssh1.pyo
+${PYSITELIB}/ssh_audit/ssh1_crc32.py
+${PYSITELIB}/ssh_audit/ssh1_crc32.pyc
+${PYSITELIB}/ssh_audit/ssh1_crc32.pyo
+${PYSITELIB}/ssh_audit/ssh1_kexdb.py
+${PYSITELIB}/ssh_audit/ssh1_kexdb.pyc
+${PYSITELIB}/ssh_audit/ssh1_kexdb.pyo
+${PYSITELIB}/ssh_audit/ssh1_publickeymessage.py
+${PYSITELIB}/ssh_audit/ssh1_publickeymessage.pyc
+${PYSITELIB}/ssh_audit/ssh1_publickeymessage.pyo
+${PYSITELIB}/ssh_audit/ssh2_kex.py
+${PYSITELIB}/ssh_audit/ssh2_kex.pyc
+${PYSITELIB}/ssh_audit/ssh2_kex.pyo
+${PYSITELIB}/ssh_audit/ssh2_kexdb.py
+${PYSITELIB}/ssh_audit/ssh2_kexdb.pyc
+${PYSITELIB}/ssh_audit/ssh2_kexdb.pyo
+${PYSITELIB}/ssh_audit/ssh2_kexparty.py
+${PYSITELIB}/ssh_audit/ssh2_kexparty.pyc
+${PYSITELIB}/ssh_audit/ssh2_kexparty.pyo
+${PYSITELIB}/ssh_audit/ssh_audit.py
+${PYSITELIB}/ssh_audit/ssh_audit.pyc
+${PYSITELIB}/ssh_audit/ssh_audit.pyo
+${PYSITELIB}/ssh_audit/ssh_socket.py
+${PYSITELIB}/ssh_audit/ssh_socket.pyc
+${PYSITELIB}/ssh_audit/ssh_socket.pyo
+${PYSITELIB}/ssh_audit/timeframe.py
+${PYSITELIB}/ssh_audit/timeframe.pyc
+${PYSITELIB}/ssh_audit/timeframe.pyo
+${PYSITELIB}/ssh_audit/utils.py
+${PYSITELIB}/ssh_audit/utils.pyc
+${PYSITELIB}/ssh_audit/utils.pyo
+${PYSITELIB}/ssh_audit/versionvulnerabilitydb.py
+${PYSITELIB}/ssh_audit/versionvulnerabilitydb.pyc
+${PYSITELIB}/ssh_audit/versionvulnerabilitydb.pyo
+${PYSITELIB}/ssh_audit/writebuf.py
+${PYSITELIB}/ssh_audit/writebuf.pyc
+${PYSITELIB}/ssh_audit/writebuf.pyo
+man/man1/ssh-audit.1
diff --git a/ssh-audit/distinfo b/ssh-audit/distinfo
new file mode 100644
index 0000000000..8459a4885f
--- /dev/null
+++ b/ssh-audit/distinfo
@@ -0,0 +1,6 @@
+$NetBSD: distinfo,v 1.3 2023/10/19 12:58:34 wiz Exp $
+
+BLAKE2s (ssh-audit-3.1.0.tar.gz) = 65a44a1573eb309986bf7c59425b587b060141b4fdd28594cd62fc8ee3ecdc2e
+SHA512 (ssh-audit-3.1.0.tar.gz) = ea42aa93272cb1881d8c5882b2f68655606fe73f64a708bc0f9f743f14137aab1026eabf10a813f3919de179117c1a9b4c8325d511e25afd60caee273cb32deb
+Size (ssh-audit-3.1.0.tar.gz) = 154296 bytes
+SHA1 (patch-01-upstream-44393c-more-cbc.patch) = 82486cbfd878c7c12cecadfd019b18fe5575c229
diff --git a/ssh-audit/patches/patch-01-upstream-44393c-more-cbc.patch b/ssh-audit/patches/patch-01-upstream-44393c-more-cbc.patch
new file mode 100644
index 0000000000..6fd40bd160
--- /dev/null
+++ b/ssh-audit/patches/patch-01-upstream-44393c-more-cbc.patch
@@ -0,0 +1,47 @@
+From 44393c56b3238daf43215504f5f4272e1bd9d1bb Mon Sep 17 00:00:00 2001
+From: Joe Testa <jtesta%positronsecurity.com@localhost>
+Date: Thu, 21 Dec 2023 15:30:43 -0500
+Subject: [PATCH] Expanded filter of CBC ciphers to flag for the Terrapin
+ vulnerability.
+
+---
+ README.md | 3 +++
+ src/ssh_audit/ssh_audit.py | 4 ++--
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git README.md README.md
+index a8d0c2b8..d748db01 100644
+--- README.md
++++ README.md
+@@ -178,6 +178,9 @@ For convenience, a web front-end on top of the command-line tool is available at
+
+ ## ChangeLog
+
++### v3.2.0 (???)
++ - Expanded filter of CBC ciphers to flag for the Terrapin vulnerability. It now includes more rarely found ciphers.
++
+ ### v3.1.0 (2023-12-20)
+ - Added test for the Terrapin message prefix truncation vulnerability ([CVE-2023-48795](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48795)).
+ - Dropped support for Python 3.7 (EOL was reached in June 2023).
+diff --git src/ssh_audit/ssh_audit.py src/ssh_audit/ssh_audit.py
+index 481fc8e5..61e8c10d 100755
+--- src/ssh_audit/ssh_audit.py
++++ src/ssh_audit/ssh_audit.py
+@@ -491,7 +491,7 @@ def _get_cbc_ciphers_enabled(algs: Algorithms) -> List[str]:
+ if algs.ssh2kex is not None:
+ ciphers_supported = algs.ssh2kex.client.encryption if client_audit else algs.ssh2kex.server.encryption
+ for cipher in ciphers_supported:
+- if cipher.endswith("-cbc"):
++ if cipher.endswith("-cbc") or cipher.endswith("-cbc%openssh.org@localhost") or cipher.endswith("-cbc%ssh.com@localhost") or cipher == "rijndael-cbc%lysator.liu.se@localhost":
+ ret.append(cipher)
+
+ return ret
+@@ -501,7 +501,7 @@ def _get_cbc_ciphers_not_enabled(db: Dict[str, Dict[str, List[List[Optional[str]
+ ret = []
+
+ for cipher in db["enc"]:
+- if cipher.endswith("-cbc") and cipher not in _get_cbc_ciphers_enabled(algs):
++ if (cipher.endswith("-cbc") or cipher.endswith("-cbc%openssh.org@localhost") or cipher.endswith("-cbc%ssh.com@localhost") or cipher == "rijndael-cbc%lysator.liu.se@localhost") and cipher not in _get_cbc_ciphers_enabled(algs):
+ ret.append(cipher)
+
+ return ret
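Review bot: the added patch file lacks the usual pkgsrc header (a `$NetBSD$` line followed by a comment stating what the patch fixes and the upstream commit it comes from, here 44393c56b3238daf43215504f5f4272e1bd9d1bb), and it is not named after the file it modifies as pkgsrc patches normally are (for example `patch-src_ssh__audit_ssh__audit.py`); the README.md hunk only touches the changelog and could be dropped so that the patch, and the SHA1 recorded for it in distinfo, covers just the functional change. Note also that the archive's address rewriting has mangled the cipher-name suffixes in the new conditions in the same way as the mail addresses in the headers (`-cbc%openssh.org@localhost` stands for the `@openssh.org` suffix), so anyone reproducing the patch should take it from upstream rather than from this mail. Finally, the same four-way test is now duplicated in `_get_cbc_ciphers_enabled` and `_get_cbc_ciphers_not_enabled`; a small `_is_cbc_cipher(cipher)` helper would keep the two lists from drifting apart, and hoisting the `_get_cbc_ciphers_enabled(algs)` call out of the loop in the second function avoids recomputing it for every cipher in `db["enc"]`.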