Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 3A1287A265
	for <mhonarc+pkgsrc-changes@mail-index.netbsd.org>; Sun, 18 Sep 2016 17:30:13 +0000 (UTC)
Received: by mail.netbsd.org (Postfix, from userid 605)
	id A0BE585F11; Sun, 18 Sep 2016 17:30:12 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
	by mail.netbsd.org (Postfix) with ESMTP id 3232C85EE4
	for <pkgsrc-changes@NetBSD.org>; Sun, 18 Sep 2016 17:30:12 +0000 (UTC)
X-Virus-Scanned: amavisd-new at netbsd.org
Received: from mail.netbsd.org ([127.0.0.1])
	by localhost (mail.netbsd.org [127.0.0.1]) (amavisd-new, port 10025)
	with ESMTP id WERuF54FAP-b for <pkgsrc-changes@netbsd.org>;
	Sun, 18 Sep 2016 17:30:11 +0000 (UTC)
Received: from cvs.NetBSD.org (ivanova.netbsd.org [199.233.217.197])
	by mail.netbsd.org (Postfix) with ESMTP id 43F1D84CEC
	for <pkgsrc-changes@NetBSD.org>; Sun, 18 Sep 2016 17:30:11 +0000 (UTC)
Received: by cvs.NetBSD.org (Postfix, from userid 500)
	id 3EAB8FBD1; Sun, 18 Sep 2016 17:30:11 +0000 (UTC)
Content-Transfer-Encoding: 7bit
Content-Type: multipart/mixed; boundary="_----------=_1474219811217240"
MIME-Version: 1.0
Date: Sun, 18 Sep 2016 17:30:11 +0000
From: "Takahiro Kambe" <taca@netbsd.org>
Subject: CVS commit: pkgsrc/security/openssh
To: pkgsrc-changes@NetBSD.org
Reply-To: taca@netbsd.org
X-Mailer: log_accum
Message-Id: <20160918173011.3EAB8FBD1@cvs.NetBSD.org>
Sender: pkgsrc-changes-owner@NetBSD.org
List-Id: pkgsrc-changes.NetBSD.org
Precedence: bulk

This is a multi-part message in MIME format.

--_----------=_1474219811217240
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="US-ASCII"

Module Name:	pkgsrc
Committed By:	taca
Date:		Sun Sep 18 17:30:11 UTC 2016

Modified Files:
	pkgsrc/security/openssh: Makefile distinfo
	pkgsrc/security/openssh/patches: patch-auth-passwd.c patch-session.c

Log Message:
Update openssh to 7.3.1 (OpenSSH 7.3p1).

OpenSSH 7.3p1 is primarily a bugfix release and here is summary.

Changes since OpenSSH 7.2
=========================

Security
--------

 * sshd(8): Mitigate a potential denial-of-service attack against
   the system's crypt(3) function via sshd(8). An attacker could
   send very long passwords that would cause excessive CPU use in
   crypt(3). sshd(8) now refuses to accept password authentication
   requests of length greater than 1024 characters. Independently
   reported by Tomas Kuthan (Oracle), Andres Rojas and Javier Nieto.

 * sshd(8): Mitigate timing differences in password authentication
   that could be used to discern valid from invalid account names
   when long passwords were sent and particular password hashing
   algorithms are in use on the server. CVE-2016-6210, reported by
   EddieEzra.Harari at verint.com

 * ssh(1), sshd(8): Fix observable timing weakness in the CBC padding
   oracle countermeasures. Reported by Jean Paul Degabriele, Kenny
   Paterson, Torben Hansen and Martin Albrecht. Note that CBC ciphers
   are disabled by default and only included for legacy compatibility.

 * ssh(1), sshd(8): Improve operation ordering of MAC verification for
   Encrypt-then-MAC (EtM) mode transport MAC algorithms to verify the
   MAC before decrypting any ciphertext. This removes the possibility
   of timing differences leaking facts about the plaintext, though no
   such leakage has been observed.  Reported by Jean Paul Degabriele,
   Kenny Paterson, Torben Hansen and Martin Albrecht.

 * sshd(8): (portable only) Ignore PAM environment vars when
   UseLogin=yes. If PAM is configured to read user-specified
   environment variables and UseLogin=yes in sshd_config, then a
   hostile local user may attack /bin/login via LD_PRELOAD or
   similar environment variables set via PAM. CVE-2015-8325,
   found by Shayan Sadigh.

New Features
------------

 * ssh(1): Add a ProxyJump option and corresponding -J command-line
   flag to allow simplified indirection through a one or more SSH
   bastions or "jump hosts".

 * ssh(1): Add an IdentityAgent option to allow specifying specific
   agent sockets instead of accepting one from the environment.

 * ssh(1): Allow ExitOnForwardFailure and ClearAllForwardings to be
   optionally overridden when using ssh -W. bz#2577

 * ssh(1), sshd(8): Implement support for the IUTF8 terminal mode as
   per draft-sgtatham-secsh-iutf8-00.

 * ssh(1), sshd(8): Add support for additional fixed Diffie-Hellman
   2K, 4K and 8K groups from draft-ietf-curdle-ssh-kex-sha2-03.

 * ssh-keygen(1), ssh(1), sshd(8): support SHA256 and SHA512 RSA
   signatures in certificates;

 * ssh(1): Add an Include directive for ssh_config(5) files.

 * ssh(1): Permit UTF-8 characters in pre-authentication banners sent
   from the server. bz#2058

Bugfixes
--------

 * ssh(1), sshd(8): Reduce the syslog level of some relatively common
   protocol events from LOG_CRIT. bz#2585

 * sshd(8): Refuse AuthenticationMethods="" in configurations and
   accept AuthenticationMethods=any for the default behaviour of not
   requiring multiple authentication. bz#2398

 * sshd(8): Remove obsolete and misleading "POSSIBLE BREAK-IN
   ATTEMPT!" message when forward and reverse DNS don't match. bz#2585

 * ssh(1): Close ControlPersist background process stderr except
   in debug mode or when logging to syslog. bz#1988

 * misc: Make PROTOCOL description for direct-streamlocal@openssh.com
   channel open messages match deployed code. bz#2529

 * ssh(1): Deduplicate LocalForward and RemoteForward entries to fix
   failures when both ExitOnForwardFailure and hostname
   canonicalisation are enabled. bz#2562

 * sshd(8): Remove fallback from moduli to obsolete "primes" file
   that was deprecated in 2001. bz#2559.

 * sshd_config(5): Correct description of UseDNS: it affects ssh
   hostname processing for authorized_keys, not known_hosts; bz#2554

 * ssh(1): Fix authentication using lone certificate keys in an agent
   without corresponding private keys on the filesystem. bz#2550

 * sshd(8): Send ClientAliveInterval pings when a time-based
   RekeyLimit is set; previously keepalive packets were not being
   sent. bz#2252


To generate a diff of this commit:
cvs rdiff -u -r1.248 -r1.249 pkgsrc/security/openssh/Makefile
cvs rdiff -u -r1.101 -r1.102 pkgsrc/security/openssh/distinfo
cvs rdiff -u -r1.3 -r1.4 pkgsrc/security/openssh/patches/patch-auth-passwd.c
cvs rdiff -u -r1.6 -r1.7 pkgsrc/security/openssh/patches/patch-session.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


--_----------=_1474219811217240
Content-Disposition: inline
Content-Length: 6422
Content-Transfer-Encoding: binary
Content-Type: text/x-diff; charset=us-ascii

Modified files:

Index: pkgsrc/security/openssh/Makefile
diff -u pkgsrc/security/openssh/Makefile:1.248 pkgsrc/security/openssh/Makefile:1.249
--- pkgsrc/security/openssh/Makefile:1.248	Sun Jul 10 10:41:38 2016
+++ pkgsrc/security/openssh/Makefile	Sun Sep 18 17:30:10 2016
@@ -1,8 +1,7 @@
-# $NetBSD: Makefile,v 1.248 2016/07/10 10:41:38 rillig Exp $
+# $NetBSD: Makefile,v 1.249 2016/09/18 17:30:10 taca Exp $
 
-DISTNAME=		openssh-7.2p2
-PKGNAME=		${DISTNAME:S/p2/.2/}
-PKGREVISION=		3
+DISTNAME=		openssh-7.3p1
+PKGNAME=		${DISTNAME:S/p1/.1/}
 CATEGORIES=		security
 MASTER_SITES=		${MASTER_SITE_OPENBSD:=OpenSSH/portable/}
 

Index: pkgsrc/security/openssh/distinfo
diff -u pkgsrc/security/openssh/distinfo:1.101 pkgsrc/security/openssh/distinfo:1.102
--- pkgsrc/security/openssh/distinfo:1.101	Mon Jun  6 08:55:35 2016
+++ pkgsrc/security/openssh/distinfo	Sun Sep 18 17:30:10 2016
@@ -1,11 +1,11 @@
-$NetBSD: distinfo,v 1.101 2016/06/06 08:55:35 taca Exp $
+$NetBSD: distinfo,v 1.102 2016/09/18 17:30:10 taca Exp $
 
-SHA1 (openssh-7.2p2.tar.gz) = 70e35d7d6386fe08abbd823b3a12a3ca44ac6d38
-RMD160 (openssh-7.2p2.tar.gz) = d18d73719ceeefa5116b5b741124f3604d7ddb99
-SHA512 (openssh-7.2p2.tar.gz) = 44f62b3a7bc50a0735d496a5aedeefb71550d8c10ad8f22b94e29fcc8084842db96e8c4ca41fced17af69e1aab09ed1182a12ad8650d9a46fd8743a0344df95b
-Size (openssh-7.2p2.tar.gz) = 1499808 bytes
+SHA1 (openssh-7.3p1.tar.gz) = bfade84283fcba885e2084343ab19a08c7d123a5
+RMD160 (openssh-7.3p1.tar.gz) = 823fc1e16c5d27a2361ed0b22f5ee24be11d2c13
+SHA512 (openssh-7.3p1.tar.gz) = 7ba2d6140f38bd359ebf32ef17626e0ae1c00c3a38c01877b7c6b0317d030f10a8f82a0a51fc3b6273619de9ed73e24b8cf107b1e968f927053a3bedf97ff801
+Size (openssh-7.3p1.tar.gz) = 1522617 bytes
 SHA1 (patch-Makefile.in) = 98960119bda68a663214c8880484552f1207bcfc
-SHA1 (patch-auth-passwd.c) = 92c487cc3c092efb56f8b4ac4ca08ccd67803a83
+SHA1 (patch-auth-passwd.c) = 5205ca4d15dbcd3f4c574f0a2fb7713ae69af5f7
 SHA1 (patch-auth-rhosts.c) = a5e6131e63b83a7e8a06cd80f22def449d6bc2c4
 SHA1 (patch-auth.c) = cd13f8b31b45d668c5e09eca098b17ec8a7c1039
 SHA1 (patch-auth1.c) = cdac14ffa4008e62926526e66316b0a553435374
@@ -23,7 +23,7 @@ SHA1 (patch-openbsd-compat_port-tun.c) =
 SHA1 (patch-platform.c) = f8f211dbc5e596c0f82eb86324d18a84c6151ec5
 SHA1 (patch-sandbox-darwin.c) = c9a1fe2e4dbf98e929d983b4206a244e0e354b75
 SHA1 (patch-scp.c) = 9c2317b0f796641903a826db355ba06595a26ea1
-SHA1 (patch-session.c) = 2a7276382278f70ac1d8f51f273e8ffa2c0c59d2
+SHA1 (patch-session.c) = 850cef27299cf8af6a19987d5e070bf501cd57fb
 SHA1 (patch-sftp-common.c) = 6819aa040c8f1caa30a704cf6f0588e498df8778
 SHA1 (patch-ssh.c) = 6877d8205d999906c14240d4d112b084609927ca
 SHA1 (patch-sshd.8) = 5bf48cd27cef8e8810b9dc7115f5180102a345d1

Index: pkgsrc/security/openssh/patches/patch-auth-passwd.c
diff -u pkgsrc/security/openssh/patches/patch-auth-passwd.c:1.3 pkgsrc/security/openssh/patches/patch-auth-passwd.c:1.4
--- pkgsrc/security/openssh/patches/patch-auth-passwd.c:1.3	Mon Jan 18 12:53:26 2016
+++ pkgsrc/security/openssh/patches/patch-auth-passwd.c	Sun Sep 18 17:30:11 2016
@@ -1,11 +1,11 @@
-$NetBSD: patch-auth-passwd.c,v 1.3 2016/01/18 12:53:26 jperkin Exp $
+$NetBSD: patch-auth-passwd.c,v 1.4 2016/09/18 17:30:11 taca Exp $
 
 Replace uid 0 with ROOTUID macro
 
---- auth-passwd.c.orig	2015-08-21 04:49:03.000000000 +0000
+--- auth-passwd.c.orig	2016-07-27 22:54:27.000000000 +0000
 +++ auth-passwd.c
-@@ -88,7 +88,7 @@ auth_password(Authctxt *authctxt, const 
- #endif
+@@ -93,7 +93,7 @@ auth_password(Authctxt *authctxt, const 
+ 		return 0;
  
  #ifndef HAVE_CYGWIN
 -	if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
@@ -13,7 +13,7 @@ Replace uid 0 with ROOTUID macro
  		ok = 0;
  #endif
  	if (*password == '\0' && options.permit_empty_passwd == 0)
-@@ -123,7 +123,12 @@ auth_password(Authctxt *authctxt, const 
+@@ -128,7 +128,12 @@ auth_password(Authctxt *authctxt, const 
  			authctxt->force_pwchange = 1;
  	}
  #endif

Index: pkgsrc/security/openssh/patches/patch-session.c
diff -u pkgsrc/security/openssh/patches/patch-session.c:1.6 pkgsrc/security/openssh/patches/patch-session.c:1.7
--- pkgsrc/security/openssh/patches/patch-session.c:1.6	Mon Jun  6 08:55:35 2016
+++ pkgsrc/security/openssh/patches/patch-session.c	Sun Sep 18 17:30:11 2016
@@ -1,11 +1,10 @@
-$NetBSD: patch-session.c,v 1.6 2016/06/06 08:55:35 taca Exp $
+$NetBSD: patch-session.c,v 1.7 2016/09/18 17:30:11 taca Exp $
 
 * Interix support.
-* Fix for CVE-2015-8325
 
---- session.c.orig	2016-03-09 18:04:48.000000000 +0000
+--- session.c.orig	2016-07-27 22:54:27.000000000 +0000
 +++ session.c
-@@ -1117,7 +1117,7 @@ read_etc_default_login(char ***env, u_in
+@@ -1120,7 +1120,7 @@ read_etc_default_login(char ***env, u_in
  	if (tmpenv == NULL)
  		return;
  
@@ -14,7 +13,7 @@ $NetBSD: patch-session.c,v 1.6 2016/06/0
  		var = child_get_env(tmpenv, "SUPATH");
  	else
  		var = child_get_env(tmpenv, "PATH");
-@@ -1226,7 +1226,7 @@ do_setup_env(Session *s, const char *she
+@@ -1230,7 +1230,7 @@ do_setup_env(Session *s, const char *she
  #  endif /* HAVE_ETC_DEFAULT_LOGIN */
  		if (path == NULL || *path == '\0') {
  			child_set_env(&env, &envsize, "PATH",
@@ -23,16 +22,7 @@ $NetBSD: patch-session.c,v 1.6 2016/06/0
  				SUPERUSER_PATH : _PATH_STDPATH);
  		}
  # endif /* HAVE_CYGWIN */
-@@ -1317,7 +1317,7 @@ do_setup_env(Session *s, const char *she
- 	 * Pull in any environment variables that may have
- 	 * been set by PAM.
- 	 */
--	if (options.use_pam) {
-+	if (options.use_pam && !options.use_login) {
- 		char **p;
- 
- 		p = fetch_pam_child_environment();
-@@ -1340,6 +1340,18 @@ do_setup_env(Session *s, const char *she
+@@ -1346,6 +1346,18 @@ do_setup_env(Session *s, const char *she
  		    strcmp(pw->pw_dir, "/") ? pw->pw_dir : "");
  		read_environment_file(&env, &envsize, buf);
  	}
@@ -51,7 +41,7 @@ $NetBSD: patch-session.c,v 1.6 2016/06/0
  	if (debug_flag) {
  		/* dump the environment */
  		fprintf(stderr, "Environment:\n");
-@@ -1531,11 +1543,13 @@ do_setusercontext(struct passwd *pw)
+@@ -1537,11 +1549,13 @@ do_setusercontext(struct passwd *pw)
  			perror("setgid");
  			exit(1);
  		}
@@ -65,7 +55,7 @@ $NetBSD: patch-session.c,v 1.6 2016/06/0
  		endgrent();
  #endif
  
-@@ -2381,7 +2395,7 @@ session_pty_cleanup2(Session *s)
+@@ -2388,7 +2402,7 @@ session_pty_cleanup2(Session *s)
  		record_logout(s->pid, s->tty, s->pw->pw_name);
  
  	/* Release the pseudo-tty. */


--_----------=_1474219811217240--