Xin LI
56e6c4251c
MFV r308196:
...
Fix OpenSSH remote Denial of Service vulnerability.
Security: CVE-2016-8858
2016-11-02 06:49:25 +00:00
Jung-uk Kim
7518a9bd2b
Build OpenSSL assembly sources for aarch64. Tested with ThunderX by andrew.
2016-10-26 20:02:22 +00:00
Jung-uk Kim
f1fe58d376
Merge OpenSSL 1.0.2j.
2016-09-26 14:22:17 +00:00
Jung-uk Kim
e656c34a18
Import OpenSSL 1.0.2j.
2016-09-26 14:13:11 +00:00
Jung-uk Kim
aeb5019c48
Merge OpenSSL 1.0.2i.
2016-09-22 13:27:44 +00:00
Jung-uk Kim
e1b483878d
Import OpenSSL 1.0.2i.
2016-09-22 13:04:03 +00:00
Kurt Lidl
b2af61ec69
Add refactored blacklist support to sshd
...
Change the calls to of blacklist_init() and blacklist_notify to be
macros defined in the blacklist_client.h file. This avoids
the need for #ifdef USE_BLACKLIST / #endif except in the
blacklist.c file.
Remove redundent initialization attempts from within
blacklist_notify - everything always goes through
blacklistd_init().
Added UseBlacklist option to sshd, which defaults to off.
To enable the functionality, use '-o UseBlacklist=yes' on
the command line, or uncomment in the sshd_config file.
Reviewed by: des
Approved by: des
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D7051
2016-08-30 14:09:24 +00:00
Jung-uk Kim
43e4bca77d
Build OpenSSL assembly sources for arm. Tested with Raspberry Pi 2 Model B.
...
MFC after: 1 week
2016-08-22 20:59:34 +00:00
Ed Maste
4620ba2e32
Remove duplicate symbol from libhx509 version-script.map
...
Upstream commit r21331 (7758a5d0) added semiprivate function
_hx509_request_to_pkcs10 twice. This change has been committed upstream
as 8ef0071d.
2016-08-22 18:50:57 +00:00
Dag-Erling Smørgrav
144a80bd9a
Try to check whether each key file exists before adding it, and bail out
...
if we didn't find any of them. This reduces log spam about key files for
deprecated algorithms, which we look for but don't generate.
PR: 208254
MFC after: 3 days
2016-08-08 10:46:18 +00:00
Dag-Erling Smørgrav
9ded33068e
Remove DSA from default cipher list and disable SSH1.
...
Upstream did this a long time ago, but we kept DSA and SSH1 in FreeBSD for
reasons which boil down to POLA. Now is a good time to catch up.
MFC after: 3 days
Relnotes: yes
2016-08-03 16:08:21 +00:00
Ed Maste
bb04182c90
Remove duplicate symbols from libroken version-script.map
...
Upstream commit r24759 (efed563) prefixed some symbols with rk_, but
introduced 6 duplicate symbols in the version script (because the
rk_-prefixed versions of the symbols were already present).
2016-07-21 18:12:39 +00:00
Glen Barber
faebc97a1c
Revert r301551, which added blacklistd(8) to sshd(8).
...
This change has functional impact, and other concerns raised
by the OpenSSH maintainer.
Requested by: des
PR: 210479 (related)
Approved by: re (marius)
Sponsored by: The FreeBSD Foundation
2016-06-24 23:22:42 +00:00
Kurt Lidl
c0cc364181
Add blacklist support to sshd
...
Reviewed by: rpaulo
Approved by: rpaulo (earlier version of changes)
Relnotes: YES
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D5915
2016-06-07 16:18:09 +00:00
Andriy Gapon
056f620e09
openssl: change SHLIB_VERSION_NUMBER to reflect the reality
...
Some consumers actually use this definition.
We probably need some procedure to ensure that SHLIB_VERSION_NUMBER
is updated whenever we change the library version in
secure/lib/libssl/Makefile.
2016-06-03 14:09:38 +00:00
Conrad Meyer
f74fc68670
libkrb5: Fix potential double-free
...
If krb5_make_principal fails, tmp_creds.server may remain a pointer to freed
memory and then be double-freed. After freeing it the first time, initialize
it to NULL, which causes subsequent krb5_free_principal calls to do the right
thing.
Reported by: Coverity
CID: 1273430
Sponsored by: EMC / Isilon Storage Division
2016-05-11 23:25:59 +00:00
Jung-uk Kim
b8721c1643
Merge OpenSSL 1.0.2h.
...
Relnotes: yes
2016-05-03 18:50:10 +00:00
Jung-uk Kim
57f1256b1a
Import OpenSSL 1.0.2h.
2016-05-03 18:00:27 +00:00
Dag-Erling Smørgrav
c3c6c935fc
Re-add AES-CBC ciphers to the default cipher list on the server.
...
PR: 207679
2016-03-11 00:23:10 +00:00
Dag-Erling Smørgrav
acc1a9ef83
Upgrade to OpenSSH 7.2p2.
2016-03-11 00:15:29 +00:00
Jung-uk Kim
4c6a0400b9
Merge OpenSSL 1.0.2g.
...
Relnotes: yes
2016-03-01 22:08:28 +00:00
Jung-uk Kim
9aeed18ad7
Import OpenSSL 1.0.2g.
2016-03-01 17:57:01 +00:00
Dag-Erling Smørgrav
b4245df0a8
Document our modified default value for PermitRootLogin.
2016-02-02 10:02:38 +00:00
Jung-uk Kim
8180e704ac
Merge OpenSSL 1.0.2f.
...
Relnotes: yes
2016-01-28 20:15:22 +00:00
Jung-uk Kim
c188d4cade
Import OpenSSL 1.0.2f.
2016-01-28 18:41:59 +00:00
Dag-Erling Smørgrav
c4cd1fa410
Switch UseDNS back on
2016-01-27 13:40:44 +00:00
Dag-Erling Smørgrav
6362080245
r294563 was incomplete; re-add the client-side options as well.
2016-01-22 14:22:11 +00:00
Dag-Erling Smørgrav
6f3513465d
Instead of removing the NoneEnabled option, mark it as unsupported.
...
(should have done this in r291198, but didn't think of it until now)
2016-01-22 13:13:46 +00:00
Dag-Erling Smørgrav
0591b689c2
Update the instructions and the list of major local modifications.
2016-01-21 12:42:31 +00:00
Dag-Erling Smørgrav
a067b78c9c
Explain why we don't include VersionAddendum in the debug mode banner.
2016-01-21 12:41:02 +00:00
Dag-Erling Smørgrav
fc1ba28a5c
Upgrade to OpenSSH 7.1p2.
2016-01-21 11:54:34 +00:00
Dag-Erling Smørgrav
acf8e75eb0
Enable DSA keys by default. They were disabled in OpenSSH 6.9p1.
...
Noticed by: glebius
2016-01-21 11:10:14 +00:00
Dag-Erling Smørgrav
ca04c57ca9
Take care not to pick up the wrong version of OpenSSL when running in an
...
environment that has OpenSSL from ports in addition to the base version.
2016-01-21 10:57:45 +00:00
Dag-Erling Smørgrav
0b0dd5086b
Remove RCS tags from files in which we no longer have any local
...
modifications, and add them to two files in which we do.
2016-01-20 23:23:08 +00:00
Dag-Erling Smørgrav
8688f98d23
Remove a number of generated files which are either out-of-date (because
...
they are never regenerated to reflect our changes) or in the way of
freebsd-configure.sh.
2016-01-20 23:08:57 +00:00
Dag-Erling Smørgrav
eccfee6ebc
Upgrade to OpenSSH 7.0p1.
2016-01-20 22:57:10 +00:00
Dag-Erling Smørgrav
557f75e54a
Upgrade to OpenSSH 6.9p1.
2016-01-19 18:55:44 +00:00
Dag-Erling Smørgrav
9860d96e8f
Re-add HPN configuration options as deprecated options to avoid breaking
...
existing configurations that use them. Note that there is no functional
difference between OpenSSH with HPN and OpenSSH without HPN.
2016-01-19 18:38:17 +00:00
Dag-Erling Smørgrav
bc5531debe
Upgrade to OpenSSH 6.8p1.
2016-01-19 18:28:23 +00:00
Dag-Erling Smørgrav
00912a2021
Now that we have local modifications in configure.ac and configure, run
...
autoheader and autoconf to avoid having to patch configure manually.
2016-01-19 17:20:07 +00:00
Dag-Erling Smørgrav
a0ee8cc636
Upgrade to OpenSSH 6.7p1, retaining libwrap support (which has been removed
...
upstream) and a number of security fixes which we had already backported.
MFC after: 1 week
2016-01-19 16:18:26 +00:00
Dag-Erling Smørgrav
60c59fad88
As previously threatened, remove the HPN patch from OpenSSH.
2016-01-19 14:38:20 +00:00
Dag-Erling Smørgrav
5ecdd3c4d3
Use 'svn list -R' instead of find, and recognize comments in shell scripts
...
and {ssh,sshd}_config.
2016-01-19 14:25:22 +00:00
Dag-Erling Smørgrav
c1ea5e1a86
Recognize *roff comments.
2016-01-19 13:15:57 +00:00
Dag-Erling Smørgrav
50356f4843
Update the pre- and post-merge scripts to work correctly after the recent
...
cleanup. A round-trip (./freebsd-pre-merge.sh ; ./freebsd-post-merge.sh)
now results in an unchanged working copy.
2016-01-19 12:38:53 +00:00
Gleb Smirnoff
1026c03c28
Fix OpenSSH client information leak.
...
Security: SA-16:07.openssh
Security: CVE-2016-0777
2016-01-14 22:40:46 +00:00
Dag-Erling Smørgrav
22f393c35d
Incorrect length in calloc() call, already fixed upstream.
...
PR: 204769
Submitted by: David Binderman <dcb314@hotmail.com>
MFC after: 1 week
2015-12-17 19:36:25 +00:00
Jung-uk Kim
80815a778e
Merge OpenSSL 1.0.2e.
2015-12-03 21:13:35 +00:00
Jung-uk Kim
737d7e8d39
Import OpenSSL 1.0.2e.
2015-12-03 17:22:58 +00:00
Dag-Erling Smørgrav
6dd7775dfd
r291198 inadvertantly reverted a local patch for the default location
...
of ssh-askpass and xauth, breaking X11 forwarding.
2015-11-26 23:05:40 +00:00