...
checking for getspnam in -lgen... no
checking for library containing basename... none required
checking for zlib... yes
checking for zlib.h... (cached) yes
checking for deflate in -lz... (cached) yes
checking for possibly buggy zlib... yes
configure: error: *** zlib too old - check config.log ***
Your reported zlib version has known security problems. It's possible your
vendor has fixed these problems without changing the version number. If you
are sure this is the case, you can disable the check by running
"./configure --without-zlib-version-check".
If you are in doubt, upgrade zlib to version 1.2.3 or greater.
See http://www.gzip.org/zlib/ for details.
===> Script "configure" failed unexpectedly.
Please report the problem to bdrewery@FreeBSD.org [maintainer] and attach the
"/tmp/ports/usr/ports/security/openssh-portable/work-default/openssh-9.3p2/config.log"
including the output of the failure of your make command. Also, it might be
a good idea to provide an overview of all packages installed on your system
(e.g. a /usr/local/sbin/pkg-static info -g -Ea).
...

After MFC: MFV: zlib 1.3 05e3998add1c3c0cbe6a8b9162321481ce700459 at 13/stable
I have seen this before in security/ncrack package bug #273578.
Can you see if adding --without-zlib-version-check produces a working, and preferably CVE free OpenSSH?
(In reply to Maigurs Stalidzans from comment #1) Oops, sorry, the correct bug number is #273353.
bug #273353
Created attachment 244656
patch

Yes, --without-zlib-version-check fixes it. The code expects the zlib version format "a.b.c" but got only "a.b".
This is already fixed upstream: https://github.com/openssh/openssh-portable/commit/cb4ed12ffc332d1f72d054ed92655b5f1c38f621 But probably best to update openssh port to version 9.4p1.
(In reply to Herbert J. Skuhra from comment #6) Sorry, 9.4p1 still requires this patch.
(In reply to Ivan Rozhuk from comment #0) that 'fix' is broken - what I provided actually fixes the problem instead of pretending it doesn't exist (which means with this buggy zlib versions are not used)
(In reply to Ivan Rozhuk from comment #0) that 'fix' is broken - what I provided actually deals with the problem instead of pretending it doesn't exist (which means with this, buggy zlib versions are not accepted) --- configure.ac 2023-09-27 11:11:16.910429000 -0400 +++ configure.ac 2023-09-27 11:11:16.910429000 -0400 @@ -1464,13 +1464,13 @@ [[ int a=0, b=0, c=0, d=0, n, v; n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d); - if (n != 3 && n != 4) + if ((n < 2) || (n > 4)) exit(1); v = a*1000000 + b*10000 + c*100 + d; fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v); /* 1.1.4 is OK */ - if (a == 1 && b == 1 && c >= 4) + if ((a == 1) && (b == 1) && (c >= 4)) exit(0); /* 1.2.3 and up are OK */
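Review bot: the `(n > 4)` half of the new condition can never be true, because the sscanf call just above it has four conversions and therefore returns at most 4; `if (n < 2)` alone expresses the intended check. Accepting n == 2 is safe only because c and d are initialised to 0 in the declaration, so a short comment next to the condition saying that two-component versions such as "1.3" are deliberately accepted would help the next reader. The second changed line only adds parentheses around `a == 1`, `b == 1` and `c >= 4` without changing behaviour; leaving it out would keep the diff limited to the actual fix.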
*** Bug 274133 has been marked as a duplicate of this bug. ***
if upstream's fix is broken, maybe this is something that should be brought to upstream then, instead of discussing it here.
(In reply to Bruce Becker from comment #9)
1. OpenSSH uses zlib version detection to check the minimum supported version.
2. FreeBSD uses a fresh zlib and a fresh OpenSSH.
3. Fresh ports will not work with an old FreeBSD system where there may be an unsupported zlib.

1+2+3 = we do not need any zlib version check at all.
That is why I just turned it off and did not waste time fixing the ugly parser.

But even if I wanted to fix this, my first guess was to drop the ugly parser and use shell script tools (grep, sed, etc...) to extract and format the version. Or just take the binary version from zlib.h and print it (a few lines of C code).
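The parsing failure discussed in this thread (a two-component version string such as "1.3"), as an added example that is not code from OpenSSH or from the FreeBSD port. The function name `zlib_version_check`, the `lenient` flag, the result codes and the packed-integer threshold for "1.2.3 and up" are assumptions made for illustration; the sample strings are constructed.

```c
#include <stdio.h>

/* Hypothetical result codes for this illustration. */
enum { ZV_OK = 0, ZV_TOO_OLD = 1, ZV_UNPARSED = 2 };

/*
 * Same shape as the configure test quoted in the thread.
 * lenient == 0: require 3 or 4 numeric components (check before the patch).
 * lenient != 0: accept 2 to 4 components (check after the patch).
 */
static int zlib_version_check(const char *ver, int lenient)
{
    int a = 0, b = 0, c = 0, d = 0, n, v;

    /* sscanf stops at the first component it cannot match, so "1.3"
     * yields n == 2 and anything non-numeric yields n <= 0. */
    n = sscanf(ver, "%d.%d.%d.%d", &a, &b, &c, &d);
    if (lenient ? (n < 2) : (n != 3 && n != 4))
        return ZV_UNPARSED;

    /* Unmatched components keep their initial 0, so "1.3" packs
     * to the same value as "1.3.0.0". */
    v = a * 1000000 + b * 10000 + c * 100 + d;

    /* 1.1.4 is OK */
    if (a == 1 && b == 1 && c >= 4)
        return ZV_OK;
    /* Assumption: "1.2.3 and up" written as a packed comparison. */
    if (v >= 1020300)
        return ZV_OK;
    return ZV_TOO_OLD;
}

int main(void)
{
    /* Constructed sample version strings. */
    const char *samples[] = { "1.1.4", "1.2.2", "1.2.3", "1.2.13",
                              "1.3", "1.3.0.1-motley", "zlib" };
    static const char *names[] = { "ok", "too old", "unparsed" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-16s strict=%-9s lenient=%s\n", samples[i],
               names[zlib_version_check(samples[i], 0)],
               names[zlib_version_check(samples[i], 1)]);
    return 0;
}
```

Keeping "unparsed" separate from "too old" makes it visible that zlib 1.3 is rejected by the strict check because of its format, not because of its age.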
Is there any update on this bug? I am still unable to update my servers with the latest port
(In reply to mrmschf from comment #13)
The FreeBSD ports team did not fix a more critical show stopper during the last month: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273961

If you want to continue using FreeBSD and update ports from sources, the better way is to make your own git repo that will update via:

git -C /usr/ports/ pull --rebase upstream main && \
git -C /usr/ports/ push -f origin main

and keep your own patches and patches from bugzilla on top of this.
As an example: https://github.com/rozhuk-im/freebsd-ports
50+ patches to get it to work for me. Same for OS.
Committed, thanks!
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=d839d49f92329b640249b7ca790cc83338814d62

commit d839d49f92329b640249b7ca790cc83338814d62
Author: Rozhuk Ivan <rozhuk.im@gmail.com>
AuthorDate: 2023-09-05 09:54:30 +0000
Commit: Xin LI <delphij@FreeBSD.org>
CommitDate: 2023-10-24 02:16:26 +0000

    security/openssh-portable: fix build with zlib 1.3

    PR: ports/273578
    Approved by: maintainer timeout

 security/openssh-portable/Makefile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)