Bug 254389 - security/openssh-portable: Update to 8.5p1
Summary: security/openssh-portable: Update to 8.5p1
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Bryan Drewery
URL: https://www.openssh.com/txt/release-8.5
Keywords:
Depends on:
Blocks:
 
Reported: 2021-03-18 19:15 UTC by Yasuhiro Kimura
Modified: 2021-04-29 16:08 UTC
0 users

See Also:
bugzilla: maintainer-feedback? (bdrewery)


Attachments
Patch file (14.39 KB, patch)
2021-03-18 19:15 UTC, Yasuhiro Kimura
no flags

Description Yasuhiro Kimura freebsd_committer freebsd_triage 2021-03-18 19:15:23 UTC
Created attachment 223403
Patch file

Update to 8.5p1.

Release Notes: https://www.openssh.com/txt/release-8.5

Please keep in mind that the following options are currently broken.

* HPN
* KERB_GSSAPI
* NONECIPHER
* HEIMDAL_BASE

The vulnerability fixed in this release is documented in bug #254258. So please commit it together.
Comment 1 Bryan Drewery freebsd_committer freebsd_triage 2021-03-18 19:17:53 UTC
Please never wait to commit a vuxml entry. It makes no sense to not tell users about the problem until we have a fix. They deserve to know there is a problem and address it however they can regardless of us having a fix. We're not talking about an unpublished issue here so we should not hide it from our users.
Comment 2 Bryan Drewery freebsd_committer freebsd_triage 2021-03-18 19:20:34 UTC
Thank you for this. I'll get it in with fixing the other patches. They are usually more trivial than they appear.
Comment 3 Yasuhiro Kimura freebsd_committer freebsd_triage 2021-03-18 19:30:04 UTC
(In reply to Bryan Drewery from comment #2)

As for the HPN option, I updated extra-patch-hpn so at least it can be applied cleanly. But I couldn't fix the build error that is caused by the `datafellows` variable in the hpn_options_init() function.

Just FYI.
Comment 4 Bryan Drewery freebsd_committer freebsd_triage 2021-03-18 19:33:46 UTC
For the CVE I am going to apply the more limited patch from upstream at https://ftp.openbsd.org/pub/OpenBSD/patches/6.8/common/015_sshagent.patch.sig

And then spend a few days on 8.5 making sure `make test` passes. Thanks for the initial work. It will speed it up a lot.
Comment 5 Yasuhiro Kimura freebsd_committer freebsd_triage 2021-03-18 19:52:23 UTC
(In reply to Yasuhiro Kimura from comment #3)

One more comment about extra-patch-hpn. There is a non-trivial change in compat.c and I'm not fully sure if it is proper. So please double-check it.
Comment 6 commit-hook freebsd_committer freebsd_triage 2021-04-29 16:08:18 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=de9fffcec89b58fb6f77b72a55975eccb01eb480

commit de9fffcec89b58fb6f77b72a55975eccb01eb480
Author:     Bryan Drewery <bdrewery@FreeBSD.org>
AuthorDate: 2021-04-28 20:15:54 +0000
Commit:     Bryan Drewery <bdrewery@FreeBSD.org>
CommitDate: 2021-04-29 16:05:55 +0000

    security/openssh-portable: Update to 8.6p1

    - gssapi is disabled for now.

    Changes:
     - https://www.openssh.com/txt/release-8.5
     - https://www.openssh.com/txt/release-8.6

    Submitted by:   Yasuhiro Kimura [earlier version][1]
    PR:             254389 [1]

 security/openssh-portable/Makefile                 |   8 +-
 security/openssh-portable/distinfo                 |   8 +-
 .../openssh-portable/files/extra-patch-blacklistd  |  44 +++----
 security/openssh-portable/files/extra-patch-hpn    | 144 +++++++++------------
 .../openssh-portable/files/extra-patch-hpn-compat  |   8 +-
 .../openssh-portable/files/patch-auth.c (gone)     |  21 ---
 .../openssh-portable/files/patch-readconf.c (gone) |  22 ----
 security/openssh-portable/files/patch-session.c    |  20 +--
 security/openssh-portable/files/patch-ssh-agent.c  |  27 ++--
 security/openssh-portable/files/patch-ssh_config.5 |  14 --
 security/openssh-portable/files/patch-sshd.c       |  43 +++---
 .../files/patch-zz-8.4-CVE-2021-28041 (gone)       |  32 -----
 12 files changed, 143 insertions(+), 248 deletions(-)