Commit Graph

991 Commits

Author SHA1 Message Date
delphij
40a7840d69 MFV r308196:
Fix OpenSSH remote Denial of Service vulnerability.

Security:	CVE-2016-8858
2016-11-02 06:49:25 +00:00
jkim
8fe6e36c80 Build OpenSSL assembly sources for aarch64. Tested with ThunderX by andrew. 2016-10-26 20:02:22 +00:00
jkim
665faf046c Merge OpenSSL 1.0.2j. 2016-09-26 14:22:17 +00:00
jkim
97091e1369 Merge OpenSSL 1.0.2i. 2016-09-22 13:27:44 +00:00
jkim
301c0382f7 Import OpenSSL 1.0.2i. 2016-09-22 13:04:03 +00:00
lidl
7235884959 Add refactored blacklist support to sshd
Change the calls to of blacklist_init() and blacklist_notify to be
macros defined in the blacklist_client.h file.  This avoids
the need for #ifdef USE_BLACKLIST / #endif except in the
blacklist.c file.

Remove redundent initialization attempts from within
blacklist_notify - everything always goes through
blacklistd_init().

Added UseBlacklist option to sshd, which defaults to off.
To enable the functionality, use '-o UseBlacklist=yes' on
the command line, or uncomment in the sshd_config file.

Reviewed by:	des
Approved by:	des
MFC after:		1 week
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D7051
2016-08-30 14:09:24 +00:00
jkim
690cff5182 Build OpenSSL assembly sources for arm. Tested with Raspberry Pi 2 Model B.
MFC after:	1 week
2016-08-22 20:59:34 +00:00
emaste
a5b76e1c59 Remove duplicate symbol from libhx509 version-script.map
Upstream commit r21331 (7758a5d0) added semiprivate function
_hx509_request_to_pkcs10 twice. This change has been committed upstream
as 8ef0071d.
2016-08-22 18:50:57 +00:00
des
291f74b116 Try to check whether each key file exists before adding it, and bail out
if we didn't find any of them.  This reduces log spam about key files for
deprecated algorithms, which we look for but don't generate.

PR:		208254
MFC after:	3 days
2016-08-08 10:46:18 +00:00
des
7b7845b35c Remove DSA from default cipher list and disable SSH1.
Upstream did this a long time ago, but we kept DSA and SSH1 in FreeBSD for
reasons which boil down to POLA.  Now is a good time to catch up.

MFC after:	3 days
Relnotes:	yes
2016-08-03 16:08:21 +00:00
emaste
296c49e36f Remove duplicate symbols from libroken version-script.map
Upstream commit r24759 (efed563) prefixed some symbols with rk_, but
introduced 6 duplicate symbols in the version script (because the
rk_-prefixed versions of the symbols were already present).
2016-07-21 18:12:39 +00:00
gjb
7095173950 Revert r301551, which added blacklistd(8) to sshd(8).
This change has functional impact, and other concerns raised
by the OpenSSH maintainer.

Requested by:	des
PR:		210479 (related)
Approved by:	re (marius)
Sponsored by:	The FreeBSD Foundation
2016-06-24 23:22:42 +00:00
lidl
9b5f176b51 Add blacklist support to sshd
Reviewed by:	rpaulo
Approved by:	rpaulo (earlier version of changes)
Relnotes:	YES
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D5915
2016-06-07 16:18:09 +00:00
avg
1926b48f81 openssl: change SHLIB_VERSION_NUMBER to reflect the reality
Some consumers actually use this definition.

We probably need some procedure to ensure that SHLIB_VERSION_NUMBER
is updated whenever we change the library version in
secure/lib/libssl/Makefile.
2016-06-03 14:09:38 +00:00
cem
2bcae162c5 libkrb5: Fix potential double-free
If krb5_make_principal fails, tmp_creds.server may remain a pointer to freed
memory and then be double-freed.  After freeing it the first time, initialize
it to NULL, which causes subsequent krb5_free_principal calls to do the right
thing.

Reported by:	Coverity
CID:		1273430
Sponsored by:	EMC / Isilon Storage Division
2016-05-11 23:25:59 +00:00
jkim
00a878d06e Merge OpenSSL 1.0.2h.
Relnotes:	yes
2016-05-03 18:50:10 +00:00
jkim
acb827e308 Import OpenSSL 1.0.2h. 2016-05-03 18:00:27 +00:00
des
ba453f42f3 Re-add AES-CBC ciphers to the default cipher list on the server.
PR:		207679
2016-03-11 00:23:10 +00:00
des
bb6f58c772 Upgrade to OpenSSH 7.2p2. 2016-03-11 00:15:29 +00:00
jkim
de2249f81c Merge OpenSSL 1.0.2g.
Relnotes:	yes
2016-03-01 22:08:28 +00:00
jkim
72d32bf80d Import OpenSSL 1.0.2g. 2016-03-01 17:57:01 +00:00
des
d381a76dda Document our modified default value for PermitRootLogin. 2016-02-02 10:02:38 +00:00
jkim
f91c9c2798 Merge OpenSSL 1.0.2f.
Relnotes:	yes
2016-01-28 20:15:22 +00:00
jkim
71cece53f2 Import OpenSSL 1.0.2f. 2016-01-28 18:41:59 +00:00
des
bf4d314681 Switch UseDNS back on 2016-01-27 13:40:44 +00:00
des
84fe0a03f6 r294563 was incomplete; re-add the client-side options as well. 2016-01-22 14:22:11 +00:00
des
150b570cfa Instead of removing the NoneEnabled option, mark it as unsupported.
(should have done this in r291198, but didn't think of it until now)
2016-01-22 13:13:46 +00:00
des
316c45f5be Update the instructions and the list of major local modifications. 2016-01-21 12:42:31 +00:00
des
e5b44dd19f Explain why we don't include VersionAddendum in the debug mode banner. 2016-01-21 12:41:02 +00:00
des
0c80faa259 Upgrade to OpenSSH 7.1p2. 2016-01-21 11:54:34 +00:00
des
65f3eb83cd Enable DSA keys by default. They were disabled in OpenSSH 6.9p1.
Noticed by:	glebius
2016-01-21 11:10:14 +00:00
des
d53b167ff8 Take care not to pick up the wrong version of OpenSSL when running in an
environment that has OpenSSL from ports in addition to the base version.
2016-01-21 10:57:45 +00:00
des
75cd33d704 Remove RCS tags from files in which we no longer have any local
modifications, and add them to two files in which we do.
2016-01-20 23:23:08 +00:00
des
dfe3d69533 Remove a number of generated files which are either out-of-date (because
they are never regenerated to reflect our changes) or in the way of
freebsd-configure.sh.
2016-01-20 23:08:57 +00:00
des
9b2207f860 Upgrade to OpenSSH 7.0p1. 2016-01-20 22:57:10 +00:00
des
b856a45731 Upgrade to OpenSSH 6.9p1. 2016-01-19 18:55:44 +00:00
des
76107b0880 Re-add HPN configuration options as deprecated options to avoid breaking
existing configurations that use them.  Note that there is no functional
difference between OpenSSH with HPN and OpenSSH without HPN.
2016-01-19 18:38:17 +00:00
des
7a7bc643b5 Upgrade to OpenSSH 6.8p1. 2016-01-19 18:28:23 +00:00
des
0a44f26c1c Now that we have local modifications in configure.ac and configure, run
autoheader and autoconf to avoid having to patch configure manually.
2016-01-19 17:20:07 +00:00
des
14172c52f8 Upgrade to OpenSSH 6.7p1, retaining libwrap support (which has been removed
upstream) and a number of security fixes which we had already backported.

MFC after:	1 week
2016-01-19 16:18:26 +00:00
des
43b4a69321 As previously threatened, remove the HPN patch from OpenSSH. 2016-01-19 14:38:20 +00:00
des
23cbd2460d Use 'svn list -R' instead of find, and recognize comments in shell scripts
and {ssh,sshd}_config.
2016-01-19 14:25:22 +00:00
des
1fb8b3ddb1 Recognize *roff comments. 2016-01-19 13:15:57 +00:00
des
a5f4b9478d Update the pre- and post-merge scripts to work correctly after the recent
cleanup.  A round-trip (./freebsd-pre-merge.sh ; ./freebsd-post-merge.sh)
now results in an unchanged working copy.
2016-01-19 12:38:53 +00:00
glebius
6185680860 Fix OpenSSH client information leak.
Security:	SA-16:07.openssh
Security:	CVE-2016-0777
2016-01-14 22:40:46 +00:00
des
0a0682484a Incorrect length in calloc() call, already fixed upstream.
PR:		204769
Submitted by:	David Binderman <dcb314@hotmail.com>
MFC after:	1 week
2015-12-17 19:36:25 +00:00
jkim
8d77ecefb7 Merge OpenSSL 1.0.2e. 2015-12-03 21:13:35 +00:00
jkim
afd52a5fc9 Import OpenSSL 1.0.2e. 2015-12-03 17:22:58 +00:00
des
954c038d83 r291198 inadvertantly reverted a local patch for the default location
of ssh-askpass and xauth, breaking X11 forwarding.
2015-11-26 23:05:40 +00:00
des
a02e9843fe Revert inadvertent commit of an incorrect patch 2015-11-24 16:07:03 +00:00