Date: Thu, 4 Apr 2024 12:13:28 +0000
From: "Thomas Klausner"
Subject: CVS commit: pkgsrc/security/dropbear
To: pkgsrc-changes@NetBSD.org
Reply-To: wiz@netbsd.org
Message-Id: <20240404121328.A5CBDFA2C@cvs.NetBSD.org>

Module Name:    pkgsrc
Committed By:   wiz
Date:           Thu Apr  4 12:13:28 UTC 2024

Modified Files:
        pkgsrc/security/dropbear: Makefile distinfo
Added Files:
        pkgsrc/security/dropbear/patches: patch-src_default__options.h
Removed Files:
        pkgsrc/security/dropbear/patches: patch-cli-session.c patch-common-algo.c
            patch-common-kex.c patch-default__options.h patch-kex.h
            patch-process-packet.c patch-ssh.h patch-svr-session.c

Log Message:
dropbear: update to 2024.84.

2024.84 - 4 April 2024

Features and Changes:
Note >> for compatibility/configuration changes

- >> Only use /etc/shadow when a user has :x: as the crypt in /etc/passwd.
  This is the documented behaviour of passwd(5) so should be consistent
  with other programs. Thanks to Paulo Cabral for the report.
  Note that any users without x as the crypt will not be able to log in
  with /etc/shadow, in cases where the existing configuration differs.
- Support -o StrictHostKeyChecking, patch from Sergey Ponomarev
- Support -o BatchMode, from Sergey Ponomarev and Hans Harder
- Support various other -o options compatible with OpenSSH, from Sergey
  Ponomarev. Includes -o PasswordAuthentication
- Add dbclient config file support, ~/.ssh/dropbear_config
  Thanks to tjkolev
  Disabled by default, set #define DROPBEAR_USE_SSH_CONFIG 1
- Add support for unix socket forwarding (destination) on the server,
  thanks to WangYi for the implementation
- Add option to bind to interface, from Diederik De Coninck
- Ignore unsupported arguments in dropbearkey, allow running binary as
  'ssh-key'. From Sergey Ponomarev
- Save a public key file on generation with dropbearkey. -C can be used
  for a comment, and choose a default key type (ed25519 first preference).
  Thanks to Sergey Ponomarev
- Allow inetd to run in non-syslog modes. Thanks to Laurent Bercot for
  the report
- Allow user's own gid in PTY permissions, lets Dropbear work as non-root
  even if /dev/pts isn't mounted with gid=5
- src/distrooptions.h can now be used as another config file. This can be
  used by distributions for customisations (separate to the build
  directory's localoptions.h)

Fixes:
- "dbclient host >> output" would previously overwrite "output", instead
  of appending. Thanks for the report from eSotoIoT
- Add "Strict KEX" support. This mitigates an SSH protocol flaw which lets
  a MITM attacker silently remove packets immediately after the first key
  exchange. At present the flaw does not seem to reduce Dropbear's security
  (the only packet affected would be a server-sig-algs extension, which is
  used for compatibility not security). For Dropbear, chacha20-poly1305 is
  the only affected cipher. Both sides of the connection must support
  Strict KEX for it to be used. The protocol flaw is tracked as
  CVE-2023-48795, details at https://terrapin-attack.com .
  Thanks to the researchers Fabian Bäumer, Marcus Brinkmann, and Jörg
  Schwenk. Thanks to OpenSSH for specifying strict KEX mode.
- Fix blocking while closing forwarded TCP sessions. Noticeable when many
  connections are being forwarded. Reported and tested by GektorUA.
  Github #230
- Don't offer RSA (then fail) if there is no RSA key. Regression in
  2020.79 Github #219
- Fix missing response to remote TCP requests when it is disabled. Patch
  from Justin Chen. Github #254
- Fix building with DROPBEAR_RSA disabled
- /proc/timer_list is no longer used for entropy, it was a bottleneck.
  Thanks to Aleksei Plotnikov for the report.
- Don't unconditionally enable DROPBEAR_DSS
- Make banner reading failure non-fatal
- Fix DROPBEAR_SVR_MULTIUSER. This appears to have been broken since when
  it was added in 2019. If you're using this let me know (it might be
  removed if I don't hear otherwise). Thanks to davidatrsp
- Fix Y2038 issues

Infrastructure:
- Move source files to src/ subdirectory. Thanks to tjkolev
- Remove more files with "make distclean"
- Add tests for disabled options

To generate a diff of this commit:
cvs rdiff -u -r1.39 -r1.40 pkgsrc/security/dropbear/Makefile
cvs rdiff -u -r1.30 -r1.31 pkgsrc/security/dropbear/distinfo
cvs rdiff -u -r1.1 -r0 pkgsrc/security/dropbear/patches/patch-cli-session.c \
    pkgsrc/security/dropbear/patches/patch-common-algo.c \
    pkgsrc/security/dropbear/patches/patch-common-kex.c \
    pkgsrc/security/dropbear/patches/patch-default__options.h \
    pkgsrc/security/dropbear/patches/patch-kex.h \
    pkgsrc/security/dropbear/patches/patch-process-packet.c \
    pkgsrc/security/dropbear/patches/patch-ssh.h \
    pkgsrc/security/dropbear/patches/patch-svr-session.c
cvs rdiff -u -r0 -r1.1 \
    pkgsrc/security/dropbear/patches/patch-src_default__options.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/security/dropbear/Makefile diff -u pkgsrc/security/dropbear/Makefile:1.39 pkgsrc/security/dropbear/Makefile:1.40 --- pkgsrc/security/dropbear/Makefile:1.39 Wed Dec 20 17:09:35 2023 +++ pkgsrc/security/dropbear/Makefile Thu Apr 4 12:13:27 2024 @@ -1,7 +1,6 @@ -# $NetBSD: Makefile,v 1.39 2023/12/20 17:09:35 wiz Exp $ +# $NetBSD: Makefile,v 1.40 2024/04/04 12:13:27 wiz Exp $ -DISTNAME= dropbear-2022.83 -PKGREVISION= 1 +DISTNAME= dropbear-2024.84 CATEGORIES= security MASTER_SITES= https://matt.ucc.asn.au/dropbear/releases/ EXTRACT_SUFX= .tar.bz2
@@ -36,7 +35,7 @@ OWN_DIRS+= ${PKG_SYSCONFDIR}/dropbear SUBST_CLASSES+= config SUBST_MESSAGE.config= Fixing path to config directory. SUBST_STAGE.config= post-build -SUBST_FILES.config= dropbear.8 dropbearkey.1 +SUBST_FILES.config= manpages/dropbear.8 manpages/dropbearkey.1 SUBST_SED.config= -e "s,/etc/dropbear/,"${PKG_SYSCONFDIR:Q}"/dropbear/,g" # needed by dbscp Index: pkgsrc/security/dropbear/distinfo diff -u pkgsrc/security/dropbear/distinfo:1.30 pkgsrc/security/dropbear/distinfo:1.31 --- pkgsrc/security/dropbear/distinfo:1.30 Wed Dec 20 17:09:35 2023 +++ pkgsrc/security/dropbear/distinfo Thu Apr 4 12:13:27 2024 
@@ -1,14 +1,7 @@ -$NetBSD: distinfo,v 1.30 2023/12/20 17:09:35 wiz Exp $ +$NetBSD: distinfo,v 1.31 2024/04/04 12:13:27 wiz Exp $ -BLAKE2s (dropbear-2022.83.tar.bz2) = 71657e1f82711df54fc15b4aedf48e4bc6f3b79dc67e1016aec6711863e09fb1 -SHA512 (dropbear-2022.83.tar.bz2) = c63afa615d64b0c8c5e739c758eb8ae277ecc36a4223b766bf562702de69910904cbc3ea98d22989df478ae419e1f81057fe1ee09616c80cb859f58f44175422 -Size (dropbear-2022.83.tar.bz2) = 2322904 bytes -SHA1 (patch-cli-session.c) = c994f83283c38ae966a32cb97432305d2ae61ec5 -SHA1 (patch-common-algo.c) = aca565c1bb2329466fa3e06c4602ae7750744099 -SHA1 (patch-common-kex.c) = dfa5fdec1e62913db6475ba656f92cd4df46be78 +BLAKE2s (dropbear-2024.84.tar.bz2) = 150b9d697a571dfc42fbd76430cb7324c3eed3e462871731606b9541296eb165 +SHA512 (dropbear-2024.84.tar.bz2) = 254daea819c5aeaa65bb43449386fb964f4aa13e3b3037fe11064120205c6e265925e7ef2d84f7ebe66c6a00cf0a22e6010314c065ed49a3815f47137b7aca44 +Size (dropbear-2024.84.tar.bz2) = 2306278 bytes SHA1 (patch-configure) = b17f647043b212adda53aad7fb8dc7e639be9494 -SHA1 (patch-default__options.h) = ef38d09e20b9d74abdd118901a4fc30459eb0dcb -SHA1 (patch-kex.h) = 5a59be28ca209d8da26554fdeb2fdb5b84ddaf7c -SHA1 (patch-process-packet.c) = 5f9a2c7e150786cb1cf974ffe3a294891e3b3e3e -SHA1 (patch-ssh.h) = 9e830d59e26d5411713629fb4e716265eee85efe -SHA1 (patch-svr-session.c) = 8cefae13d159e48b0834885167dfde79cd36e216 +SHA1 (patch-src_default__options.h) = af60ea91516639e055266b3dd74f100aa6100f0d Added files: Index: pkgsrc/security/dropbear/patches/patch-src_default__options.h diff -u /dev/null pkgsrc/security/dropbear/patches/patch-src_default__options.h:1.1 --- /dev/null Thu Apr 4 12:13:28 2024 +++ pkgsrc/security/dropbear/patches/patch-src_default__options.h Thu Apr 4 12:13:28 2024 
@@ -0,0 +1,16 @@ +$NetBSD: patch-src_default__options.h,v 1.1 2024/04/04 12:13:28 wiz Exp $ + +comment out the path to the dropbear ssh client +- this is passed through CFLAGS + +--- src/default_options.h.orig 2024-04-04 14:30:00.000000000 +0000 ++++ src/default_options.h +@@ -324,7 +324,7 @@ group1 in Dropbear server too */ + + /* This is used by the scp binary when used as a client binary. If you're + * not using the Dropbear client, you'll need to change it */ +-#define DROPBEAR_PATH_SSH_PROGRAM "/usr/bin/dbclient" ++/*#define DROPBEAR_PATH_SSH_PROGRAM "/usr/bin/dbclient"*/ + + /* Whether to log commands executed by a client. This only logs the + * (single) command sent to the server, not what a user did in a
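Review bot: the new BLAKE2s, SHA512 and Size values for dropbear-2024.84.tar.bz2 in the distinfo hunk should be cross-checked against upstream's published release signature rather than only the fetched file, since a checksum taken from the download alone pins what was fetched, not what upstream released. The eight removed SHA1 lines match the eight patch files listed under Removed Files and the added SHA1 for patch-src_default__options.h matches the Added Files entry, so no stale patch checksum remains; patch-configure keeps its unchanged SHA1, so it is worth confirming that it still applies cleanly now that the log message says sources have moved under src/.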
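Review bot: in the patch-src_default__options.h hunk, commenting out the DROPBEAR_PATH_SSH_PROGRAM default relies on the pkgsrc header's claim that the value "is passed through CFLAGS", but that CFLAGS definition is not visible anywhere in this diff (the Makefile hunk stops at the `# needed by dbscp` comment), so please confirm the Makefile still supplies the define pointing at the packaged dbclient; with the default removed and no CFLAGS value, the scp client would reference an undefined macro, and leaving the upstream "/usr/bin/dbclient" default in place would instead make scp execute whatever binary happens to sit at that path outside the package prefix. It would also help to state in the patch header that this supersedes the removed patch-default__options.h, re-rooted to src/ after upstream's source move.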