From 96d659bf3530b597f9ef3c9c3144f063553453f1 Mon Sep 17 00:00:00 2001 From: tripolar Date: Fri, 8 Nov 2013 15:52:08 +0000 Subject: [PATCH] [packages] openssh: update to 6.4p1 This release fixes a security bug: * sshd(8): fix a memory corruption problem triggered during rekeying when an AES-GCM cipher is selected. Full details of the vulnerability are available at: http://www.openssh.com/txt/gcmrekey.adv Signed-off-by: Peter Wagner git-svn-id: svn://svn.openwrt.org/openwrt/packages@38693 3c298f89-4303-0410-b956-a3cf2f4a3e73 --- net/openssh/Makefile | 4 ++-- net/openssh/patches/100-no_cast_fix.patch | 4 +--- net/openssh/patches/110-no_ripemd_fix.patch | 6 ++---- net/openssh/patches/130-implicit_memset_decl_fix.patch | 2 +- net/openssh/patches/140-pam_uclibc_pthreads_fix.patch | 8 ++++---- net/openssh/patches/200-dscp-qos.patch | 2 +- 6 files changed, 11 insertions(+), 15 deletions(-) diff --git a/net/openssh/Makefile b/net/openssh/Makefile index d75a85919..ce1907f88 100644 --- a/net/openssh/Makefile +++ b/net/openssh/Makefile @@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=openssh -PKG_VERSION:=6.3p1 +PKG_VERSION:=6.4p1 PKG_RELEASE:=3 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz @@ -16,7 +16,7 @@ PKG_SOURCE_URL:=ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ \ ftp://openbsd.wiretapped.net/pub/OpenBSD/OpenSSH/portable/ \ ftp://ftp.belnet.be/packages/openbsd/OpenSSH/portable/ \ ftp://ftp.de.openbsd.org/pub/unix/OpenBSD/OpenSSH/portable/ -PKG_MD5SUM:=225e75c9856f76011966013163784038 +PKG_MD5SUM:=a62b88b884df0b09b8a8c5789ac9e51b PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION) diff --git a/net/openssh/patches/100-no_cast_fix.patch b/net/openssh/patches/100-no_cast_fix.patch index 2b77819a6..ad0a3170c 100644 --- a/net/openssh/patches/100-no_cast_fix.patch +++ b/net/openssh/patches/100-no_cast_fix.patch @@ -1,8 +1,6 @@ -diff --git a/cipher.c b/cipher.c -index 9ca1d00..a6c1324 100644 --- a/cipher.c 
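Review bot: The new `PKG_MD5SUM` value in the second Makefile hunk is the only integrity check on the 6.4p1 tarball, and every mirror in `PKG_SOURCE_URL` is plain `ftp://`, so nothing authenticates the download in transit. MD5 is no longer considered collision-resistant, which makes it a weak control for a package whose update exists to ship a security fix. The tarball should be checked against the upstream release signature before the digest is committed, and a comment above the line such as `# digest computed from the signature-verified upstream tarball` would record that this was done. If the build system in this tree accepts a stronger digest than MD5, it should be used here; this diff does not show whether it does.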
+++ b/cipher.c -@@ -74,8 +74,10 @@ struct Cipher { +@@ -76,8 +76,10 @@ static const struct Cipher ciphers[] = { { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc }, { "blowfish-cbc", SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_bf_cbc }, diff --git a/net/openssh/patches/110-no_ripemd_fix.patch b/net/openssh/patches/110-no_ripemd_fix.patch index df2ad0efb..37a43037d 100644 --- a/net/openssh/patches/110-no_ripemd_fix.patch +++ b/net/openssh/patches/110-no_ripemd_fix.patch @@ -1,8 +1,6 @@ -diff --git a/mac.c b/mac.c -index 3f2dc6f..73d2d4e 100644 --- a/mac.c +++ b/mac.c -@@ -68,8 +68,10 @@ struct { +@@ -70,8 +70,10 @@ static const struct macalg macs[] = { #endif { "hmac-md5", SSH_EVP, EVP_md5, 0, 0, 0, 0 }, { "hmac-md5-96", SSH_EVP, EVP_md5, 96, 0, 0, 0 }, @@ -13,7 +11,7 @@ index 3f2dc6f..73d2d4e 100644 { "umac-64@openssh.com", SSH_UMAC, NULL, 0, 128, 64, 0 }, { "umac-128@openssh.com", SSH_UMAC128, NULL, 0, 128, 128, 0 }, -@@ -82,7 +84,9 @@ struct { +@@ -84,7 +86,9 @@ static const struct macalg macs[] = { #endif { "hmac-md5-etm@openssh.com", SSH_EVP, EVP_md5, 0, 0, 0, 1 }, { "hmac-md5-96-etm@openssh.com", SSH_EVP, EVP_md5, 96, 0, 0, 1 }, diff --git a/net/openssh/patches/130-implicit_memset_decl_fix.patch b/net/openssh/patches/130-implicit_memset_decl_fix.patch index a2229ee81..be8bbcf9c 100644 --- a/net/openssh/patches/130-implicit_memset_decl_fix.patch +++ b/net/openssh/patches/130-implicit_memset_decl_fix.patch @@ -1,6 +1,6 @@ --- a/includes.h +++ b/includes.h -@@ -57,6 +57,9 @@ +@@ -59,6 +59,9 @@ /* *-*-nto-qnx needs these headers for strcasecmp and LASTLOG_FILE respectively */ diff --git a/net/openssh/patches/140-pam_uclibc_pthreads_fix.patch b/net/openssh/patches/140-pam_uclibc_pthreads_fix.patch index 8018de02b..c0c5a4b4a 100644 --- a/net/openssh/patches/140-pam_uclibc_pthreads_fix.patch +++ b/net/openssh/patches/140-pam_uclibc_pthreads_fix.patch 
@@ -44,7 +44,7 @@ { int status; -@@ -509,7 +509,7 @@ sshpam_thread(void *ctxtp) +@@ -508,7 +508,7 @@ sshpam_thread(void *ctxtp) /* XXX - can't do much about an error here */ ssh_msg_send(ctxt->pam_csock, sshpam_err, &buffer); buffer_free(&buffer); @@ -53,7 +53,7 @@ auth_fail: buffer_put_cstring(&buffer, -@@ -520,7 +520,7 @@ sshpam_thread(void *ctxtp) +@@ -519,7 +519,7 @@ sshpam_thread(void *ctxtp) else ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer); buffer_free(&buffer); @@ -62,7 +62,7 @@ return (NULL); /* Avoid warning for non-pthread case */ } -@@ -532,8 +532,8 @@ sshpam_thread_cleanup(void) +@@ -531,8 +531,8 @@ sshpam_thread_cleanup(void) debug3("PAM: %s entering", __func__); if (ctxt != NULL && ctxt->pam_thread != 0) { @@ -73,7 +73,7 @@ close(ctxt->pam_psock); close(ctxt->pam_csock); memset(ctxt, 0, sizeof(*ctxt)); -@@ -698,7 +698,7 @@ sshpam_init_ctx(Authctxt *authctxt) +@@ -696,7 +696,7 @@ sshpam_init_ctx(Authctxt *authctxt) } ctxt->pam_psock = socks[0]; ctxt->pam_csock = socks[1]; diff --git a/net/openssh/patches/200-dscp-qos.patch b/net/openssh/patches/200-dscp-qos.patch index 68830cc74..85cef53dd 100644 --- a/net/openssh/patches/200-dscp-qos.patch +++ b/net/openssh/patches/200-dscp-qos.patch @@ -9,7 +9,7 @@ +#IPQoS AF21 AF11 --- a/sshd_config +++ b/sshd_config -@@ -120,6 +120,9 @@ UsePrivilegeSeparation sandbox # Default for new installations. +@@ -120,6 +120,9 @@ UsePrivilegeSeparation sandbox # Defaul # no default banner path #Banner none -- 2.11.0