Mon Dec 3 15:19:51 2018 UTC ()

libssh: updated to 0.8.5

version 0.8.5:
* Added support to get known_hosts locations with ssh_options_get()
* Fixed preferred algorithm for known hosts negotiations
* Fixed KEX with some server implementations (e.g. Cisco)
* Fixed issues with MSVC
* Fixed keyboard-interactive auth in server mode
  (regression from CVE-2018-10933)
* Fixed gssapi auth in server mode (regression from CVE-2018-10933)
* Fixed socket fd handling with proxy command
* Fixed a memory leak with OpenSSL

version 0.8.4:
* Fixed CVE-2018-10933
* Fixed building without globbing support
* Fixed possible memory leaks
* Avoid SIGPIPE on sockets

version 0.8.3:
* Added support for rsa-sha2
* Added support to parse private keys in openssh container format
  (other than ed25519)
* Added support for diffie-hellman-group18-sha512 and
  diffie-hellman-group16-sha512
* Added ssh_get_fingerprint_hash()
* Added ssh_pki_export_privkey_base64()
* Added support for Match keyword in config file
* Improved performance and reduced memory footprint for sftp
* Fixed ecdsa publickey auth
* Fixed reading a closed channel
* Added support to announce posix-rename@openssh.com and
  hardlink@openssh.com in the sftp server

version 0.8.2:
* Added sha256 fingerprints for pubkeys
* Improved compiler flag detection
* Fixed race condition in reading sftp messages
* Fixed doxygen generation and added modern style
* Fixed library initialization on Windows
* Fixed __bounded__ attribute detection
* Fixed a bug in the options parser
* Fixed documentation for new knwon_hosts API

version 0.8.1:
* Fixed version number in the header
* Fixed version number in pkg-config and cmake config
* Fixed library initialization
* Fixed attribute detection

version 0.8.0:
* Removed support for deprecated SSHv1 protocol
* Added new connector API for clients
* Added new known_hosts parsing API
* Added support for OpenSSL 1.1
* Added support for chacha20-poly1305 cipher
* Added crypto backend for mbedtls crypto library
* Added ECDSA support with gcrypt backend
* Added advanced client and server testing using cwrap.org
* Added support for curve25519-sha256 alias
* Added support for global known_hosts file
* Added support for symbol versioning
* Improved ssh_config parsing
* Improved threading support


(adam)

diff -r1.24 -r1.25 pkgsrc/security/libssh/Makefile
diff -r1.8 -r1.9 pkgsrc/security/libssh/PLIST
diff -r1.17 -r1.18 pkgsrc/security/libssh/buildlink3.mk
diff -r1.13 -r1.14 pkgsrc/security/libssh/distinfo
diff -r1.3 -r1.4 pkgsrc/security/libssh/options.mk
diff -r0 -r1.1 pkgsrc/security/libssh/patches/patch-CompilerChecks.cmake
diff -r1.6 -r0 pkgsrc/security/libssh/patches/patch-aa
diff -r1.1 -r0 pkgsrc/security/libssh/patches/patch-cmake_Modules_DefineCompilerFlags.cmake

--- pkgsrc/security/libssh/Makefile 2018/10/16 20:25:25 1.24
+++ pkgsrc/security/libssh/Makefile 2018/12/03 15:19:51 1.25

 @@ -1,31 +1,36 @@
-# $NetBSD: Makefile,v 1.24 2018/10/16 20:25:25 maya Exp $
+# $NetBSD: Makefile,v 1.25 2018/12/03 15:19:51 adam Exp $
+#
 # history: upstream renamed 0.11 to 0.1.1;
 # we have to use the old-style convention so that version compares work.
 VER=			0.7.6
 DISTNAME=		libssh-${VER}
 PKGNAME=		libssh-0.76
 CATEGORIES=		security
 MASTER_SITES=		https://www.libssh.org/files/0.7/
 EXTRACT_SUFX=		.tar.xz
 MAINTAINER=		is@NetBSD.org
 HOMEPAGE=		http://www.libssh.org/
 COMMENT=		SSHv2+v1 protocol library
 LICENSE=		2-clause-bsd
-DIST_SUBDIR=		security
+VER=		0.8.5
 DISTNAME=	libssh-${VER}
 PKGNAME=	libssh-0.85
 CATEGORIES=	security
 MASTER_SITES=	https://www.libssh.org/files/${VER:R}/
 EXTRACT_SUFX=	.tar.xz
 MAINTAINER=	is@NetBSD.org
 HOMEPAGE=	http://www.libssh.org/
 COMMENT=	SSHv2+v1 protocol library
 LICENSE=	2-clause-bsd
 USE_CMAKE=		yes
 USE_LANGUAGES=		c c++
 CMAKE_ARGS+=		WITH_TESTING=yes
 PKGCONFIG_OVERRIDE+=	libssh.pc.in
-TEST_TARGET=		check
+TEST_TARGET=		test
 CONFIGURE_DIRS=		${WRKDIR}/build
 CMAKE_ARG_PATH=		${WRKSRC}
 CMAKE_ARGS+=		-DUNIT_TESTING=ON
 .include "options.mk"
 post-extract:
 	${MKDIR} ${WRKDIR}/build
 .include "../../devel/argp/buildlink3.mk"
 .include "../../devel/cmocka/buildlink3.mk"
 .include "../../devel/zlib/buildlink3.mk"
 .include "../../mk/krb5.buildlink3.mk"
 .include "../../mk/bsd.pkg.mk"

--- pkgsrc/security/libssh/PLIST 2018/10/16 20:25:25 1.8
+++ pkgsrc/security/libssh/PLIST 2018/12/03 15:19:51 1.9

 @@ -1,18 +1,14 @@
-@comment $NetBSD: PLIST,v 1.8 2018/10/16 20:25:25 maya Exp $
+@comment $NetBSD: PLIST,v 1.9 2018/12/03 15:19:51 adam Exp $
 include/libssh/callbacks.h
 include/libssh/legacy.h
 include/libssh/libssh.h
 include/libssh/libsshpp.hpp
 include/libssh/server.h
 include/libssh/sftp.h
 include/libssh/ssh2.h
 lib/cmake/libssh/libssh-config-version.cmake
 lib/cmake/libssh/libssh-config.cmake
 lib/libssh.so
 lib/libssh.so.4
-lib/libssh.so.4.4.3
+lib/libssh.so.4.7.2
 lib/libssh_threads.so
 lib/libssh_threads.so.4
 lib/libssh_threads.so.4.4.3
 lib/pkgconfig/libssh.pc
 lib/pkgconfig/libssh_threads.pc

--- pkgsrc/security/libssh/buildlink3.mk 2016/10/09 22:02:07 1.17
+++ pkgsrc/security/libssh/buildlink3.mk 2018/12/03 15:19:51 1.18

 @@ -1,26 +1,24 @@
-# $NetBSD: buildlink3.mk,v 1.17 2016/10/09 22:02:07 kamil Exp $
+# $NetBSD: buildlink3.mk,v 1.18 2018/12/03 15:19:51 adam Exp $
 BUILDLINK_TREE+=	libssh
 .if !defined(LIBSSH_BUILDLINK3_MK)
 LIBSSH_BUILDLINK3_MK:=
 BUILDLINK_API_DEPENDS.libssh+=	libssh>=0.54
 BUILDLINK_ABI_DEPENDS.libssh+=	libssh>=0.73nb1
 BUILDLINK_PKGSRCDIR.libssh?=	../../security/libssh
 pkgbase := libssh
 .include "../../mk/pkg-build-options.mk"
 .if !empty(PKG_BUILD_OPTIONS.libssh:Mzlib)
 .include "../../devel/zlib/buildlink3.mk"
 .endif
 .if !empty(PKG_BUILD_OPTIONS.libssh:Mopenssl)
 .include "../../security/openssl/buildlink3.mk"
 .endif
 .include "../../devel/argp/buildlink3.mk"
 .include "../../devel/zlib/buildlink3.mk"
 .include "../../mk/krb5.buildlink3.mk"
 .endif # LIBSSH_BUILDLINK3_MK
 BUILDLINK_TREE+=	-libssh

--- pkgsrc/security/libssh/distinfo 2018/10/16 20:25:25 1.13
+++ pkgsrc/security/libssh/distinfo 2018/12/03 15:19:51 1.14

 @@ -1,8 +1,7 @@
-$NetBSD: distinfo,v 1.13 2018/10/16 20:25:25 maya Exp $
+$NetBSD: distinfo,v 1.14 2018/12/03 15:19:51 adam Exp $
-SHA1 (security/libssh-0.7.6.tar.xz) = 8e5f23a861f84fa214ca1da0e3f98b839ff7c051
+SHA1 (libssh-0.8.5.tar.xz) = b5564774f986e396a7288a593595455bf10d9ce8
-RMD160 (security/libssh-0.7.6.tar.xz) = 7316fae4a5355cf2c511cd91a5a65d7354ab361f
+RMD160 (libssh-0.8.5.tar.xz) = a118e08705257814531ce6c01d2d48cf0d6e59ce
-SHA512 (security/libssh-0.7.6.tar.xz) = 2a01402b5a9fab9ecc29200544ed45d3f2c40871ed1c8241ca793f8dc7fdb3ad2150f6a522c4321affa9b8778e280dc7ed10f76adfc4a73f0751ae735a42f56c
+SHA512 (libssh-0.8.5.tar.xz) = f1e90a5046e006d44a48ab36675167761d8e308ada7a1d7a1f7ba2825d222a2fab7e19dbc78b1371fee9ba74d9c55d9856a623f97842c9b9ad4c79215e344124
-Size (security/libssh-0.7.6.tar.xz) = 366556 bytes
+Size (libssh-0.8.5.tar.xz) = 427372 bytes
-SHA1 (patch-aa) = 2f9a7c8a629188f40f3c94d4304b1e44720e45ae
+SHA1 (patch-CompilerChecks.cmake) = 86de41ab778d25368691c1b0b9ecfa653f24cc5d
 SHA1 (patch-cmake_Modules_DefineCompilerFlags.cmake) = 9f140ad664363953e4c7ff4e3bede74c693da993

--- pkgsrc/security/libssh/options.mk 2018/01/25 19:52:38 1.3
+++ pkgsrc/security/libssh/options.mk 2018/12/03 15:19:51 1.4

 @@ -1,27 +1,20 @@
-# $NetBSD: options.mk,v 1.3 2018/01/25 19:52:38 markd Exp $
+# $NetBSD: options.mk,v 1.4 2018/12/03 15:19:51 adam Exp $
 PKG_OPTIONS_VAR=		PKG_OPTIONS.libssh
 PKG_OPTIONS_REQUIRED_GROUPS=	crypto
 PKG_OPTIONS_GROUP.crypto=	openssl libgcrypt
-#PKG_SUPPORTED_OPTIONS=		compression
+PKG_SUGGESTED_OPTIONS=		openssl
 PKG_SUGGESTED_OPTIONS=		openssl # XXX zlib
 .include "../../mk/bsd.options.mk"
 .if !empty(PKG_OPTIONS:Mzlib)
 BUILDLINK_API_DEPENDS.zlib+=	zlib>=1.2
 CONFIGURE_ARGS+=		--with-libz=${BUILDLINK_PREFIX.zlib:Q}
 .include "../../devel/zlib/buildlink3.mk"
 .endif
 .if !empty(PKG_OPTIONS:Mopenssl)
 BUILDLINK_API_DEPENDS.openssl+=	openssl>=0.9.8
 CMAKE_ARGS+=		-DWITH_GCRYPT:BOOL=OFF
 .include "../../security/openssl/buildlink3.mk"
 .endif
 .if !empty(PKG_OPTIONS:Mlibgcrypt)
 BUILDLINK_API_DEPENDS.libgcrypt+=	libgcrypt>=1.4
 CMAKE_ARGS+=		-DWITH_GCRYPT:BOOL=ON
 .include "../../security/libgcrypt/buildlink3.mk"
 .endif

$NetBSD: patch-CompilerChecks.cmake,v 1.1 2018/12/03 15:19:51 adam Exp $

Let PkgSrc handle security features.

--- CompilerChecks.cmake.orig	2018-12-03 09:27:44.000000000 +0000
+++ CompilerChecks.cmake
@@ -62,20 +62,7 @@ if (UNIX)
         endif()
     endif()
 
-    check_c_compiler_flag_ssp("-fstack-protector-strong" WITH_STACK_PROTECTOR_STRONG)
-    if (WITH_STACK_PROTECTOR_STRONG)
-        list(APPEND SUPPORTED_COMPILER_FLAGS "-fstack-protector-strong")
-    else (WITH_STACK_PROTECTOR_STRONG)
-        check_c_compiler_flag_ssp("-fstack-protector" WITH_STACK_PROTECTOR)
-        if (WITH_STACK_PROTECTOR)
-            list(APPEND SUPPORTED_COMPILER_FLAGS "-fstack-protector")
-        endif()
-    endif (WITH_STACK_PROTECTOR_STRONG)
 
-    check_c_compiler_flag_ssp("-fstack-clash-protection" WITH_STACK_CLASH_PROTECTION)
-    if (WITH_STACK_CLASH_PROTECTION)
-        list(APPEND SUPPORTED_COMPILER_FLAGS "-fstack-clash-protection")
-    endif()
 
     if (PICKY_DEVELOPER)
         add_c_compiler_flag("-Wno-error=deprecated-declarations" SUPPORTED_COMPILER_FLAGS)