des
ba453f42f3
Re-add AES-CBC ciphers to the default cipher list on the server.
PR: 207679
2016-03-11 00:23:10 +00:00
des
bb6f58c772
Upgrade to OpenSSH 7.2p2.
2016-03-11 00:15:29 +00:00
des
d381a76dda
Document our modified default value for PermitRootLogin.
2016-02-02 10:02:38 +00:00
des
bf4d314681
Switch UseDNS back on
2016-01-27 13:40:44 +00:00
des
84fe0a03f6
r294563 was incomplete; re-add the client-side options as well.
2016-01-22 14:22:11 +00:00
des
150b570cfa
Instead of removing the NoneEnabled option, mark it as unsupported.
(should have done this in r291198, but didn't think of it until now)
2016-01-22 13:13:46 +00:00
des
316c45f5be
Update the instructions and the list of major local modifications.
2016-01-21 12:42:31 +00:00
des
e5b44dd19f
Explain why we don't include VersionAddendum in the debug mode banner.
2016-01-21 12:41:02 +00:00
des
0c80faa259
Upgrade to OpenSSH 7.1p2.
2016-01-21 11:54:34 +00:00
des
65f3eb83cd
Enable DSA keys by default. They were disabled in OpenSSH 6.9p1.
Noticed by: glebius
2016-01-21 11:10:14 +00:00
des
d53b167ff8
Take care not to pick up the wrong version of OpenSSL when running in an
environment that has OpenSSL from ports in addition to the base version.
2016-01-21 10:57:45 +00:00
des
75cd33d704
Remove RCS tags from files in which we no longer have any local
modifications, and add them to two files in which we do.
2016-01-20 23:23:08 +00:00
des
dfe3d69533
Remove a number of generated files which are either out-of-date (because
they are never regenerated to reflect our changes) or in the way of
freebsd-configure.sh.
2016-01-20 23:08:57 +00:00
des
9b2207f860
Upgrade to OpenSSH 7.0p1.
2016-01-20 22:57:10 +00:00
des
b856a45731
Upgrade to OpenSSH 6.9p1.
2016-01-19 18:55:44 +00:00
des
76107b0880
Re-add HPN configuration options as deprecated options to avoid breaking
existing configurations that use them. Note that there is no functional
difference between OpenSSH with HPN and OpenSSH without HPN.
2016-01-19 18:38:17 +00:00
des
7a7bc643b5
Upgrade to OpenSSH 6.8p1.
2016-01-19 18:28:23 +00:00
des
0a44f26c1c
Now that we have local modifications in configure.ac and configure, run
autoheader and autoconf to avoid having to patch configure manually.
2016-01-19 17:20:07 +00:00
des
14172c52f8
Upgrade to OpenSSH 6.7p1, retaining libwrap support (which has been removed
upstream) and a number of security fixes which we had already backported.
MFC after: 1 week
2016-01-19 16:18:26 +00:00
des
43b4a69321
As previously threatened, remove the HPN patch from OpenSSH.
2016-01-19 14:38:20 +00:00
des
23cbd2460d
Use 'svn list -R' instead of find, and recognize comments in shell scripts
and {ssh,sshd}_config.
2016-01-19 14:25:22 +00:00
des
1fb8b3ddb1
Recognize *roff comments.
2016-01-19 13:15:57 +00:00
des
a5f4b9478d
Update the pre- and post-merge scripts to work correctly after the recent
cleanup. A round-trip (./freebsd-pre-merge.sh ; ./freebsd-post-merge.sh)
now results in an unchanged working copy.
2016-01-19 12:38:53 +00:00
glebius
6185680860
Fix OpenSSH client information leak.
Security: SA-16:07.openssh
Security: CVE-2016-0777
2016-01-14 22:40:46 +00:00
des
0a0682484a
Incorrect length in calloc() call, already fixed upstream.
PR: 204769
Submitted by: David Binderman <dcb314@hotmail.com>
MFC after: 1 week
2015-12-17 19:36:25 +00:00
des
954c038d83
r291198 inadvertently reverted a local patch for the default location
of ssh-askpass and xauth, breaking X11 forwarding.
2015-11-26 23:05:40 +00:00
des
a02e9843fe
Revert inadvertent commit of an incorrect patch
2015-11-24 16:07:03 +00:00
des
70c2c51da2
Remove description of the now-defunct NoneEnabled option.
2015-11-24 16:06:15 +00:00
des
24641fd80b
Retire the NONE cipher option.
2015-11-23 12:48:13 +00:00
des
83b666668a
Remove dead code.
2015-11-11 13:47:23 +00:00
des
9be32654da
One more $Mdocdate$
2015-11-11 13:27:58 +00:00
des
72179a6f4b
Remove /* $FreeBSD$ */ from files that already have __RCSID("$FreeBSD$").
2015-11-11 13:26:47 +00:00
des
f4baee681e
Now that we have mandoc, we can leave $Mdocdate$ tags as-is. Unfortunately,
there is (currently) no way to make Subversion generate correct $Mdocdate$
tags, but perhaps we can teach mandoc to read Subversion's %d format.
2015-11-11 13:23:07 +00:00
delphij
991c19271a
Fix OpenSSH multiple vulnerabilities by backporting three changes
from OpenSSH-portable master.
Git revisions: 45b0eb752c94954a6de046bfaaf129e518ad4b5b
5e75f5198769056089fb06c4d738ab0e5abc66f7
d4697fe9a28dab7255c60433e4dd23cf7fce8a8b
Reviewed by: des
Security: FreeBSD-SA-15:22.openssh
2015-08-25 20:48:37 +00:00
delphij
e4eb287ad0
Fix multiple OpenSSH vulnerabilities.
Security: CVE-2014-2653
Security: CVE-2015-5600
Security: FreeBSD-SA-15:16.openssh
2015-07-28 19:58:38 +00:00
vangyzen
2eb95738be
ssh: canonicize the host name before looking it up in the host file
Re-apply r99054 by des in 2002. This was accidentally dropped
by the update to OpenSSH 6.5p1 (r261320).
This change is actually taken from r387082 of
ports/security/openssh-portable/files/patch-ssh.c
PR: 198043
Differential Revision: https://reviews.freebsd.org/D3103
Reviewed by: des
Approved by: kib (mentor)
MFC after: 3 days
Relnotes: yes
Sponsored by: Dell Inc.
2015-07-16 18:44:18 +00:00
des
c32ee7f1c5
Import new moduli from OpenBSD. Although there is no reason to distrust
the current set, it is good hygiene to change them once in a while.
MFC after: 1 week
2015-05-26 19:46:41 +00:00
bdrewery
a636f8f94f
Use proper CHAN_TCP_PACKET_DEFAULT for agent forwarding when HPN disabled.
The use of CHAN_TCP_WINDOW_DEFAULT here was fixed in upstream OpenSSH
in CVS 1.4810, git 5baa170d771de9e95cf30b4c469ece684244cf3e:
- dtucker@cvs.openbsd.org 2007/12/28 22:34:47
[clientloop.c]
Use the correct packet maximum sizes for remote port and agent forwarding.
Prevents the server from killing the connection if too much data is queued
and an excessively large packet gets sent. bz #1360, ok djm@.
The change was lost due to the way the original upstream HPN patch
modified this code. It was re-adding the original OpenSSH code and never
was properly fixed to use the new value.
MFC after: 2 weeks
2015-04-02 18:43:25 +00:00
bdrewery
77d6bca5e0
Document "none" for VersionAddendum.
PR: 193127
MFC after: 2 weeks
2015-03-23 02:45:12 +00:00
smh
d4e781f644
Change comment about HPNDisabled to match the style of other options to
avoid confusion.
Sponsored by: Multiplay
2014-05-20 10:28:19 +00:00
des
e1e5f20b88
Apply upstream patch for EC calculation bug and bump version addendum.
2014-04-20 11:34:33 +00:00
des
38c767afbd
Restore the pX part to the version number printed in debugging mode.
2014-04-09 20:42:00 +00:00
des
ae82763de4
Upgrade to OpenSSH 6.6p1.
2014-03-25 11:05:34 +00:00
des
fc833dce1b
Add a pre-merge script which reverts mechanical changes such as added
$FreeBSD$ tags and man page dates.
Add a post-merge script which reapplies these changes.
Run both scripts to normalize the existing code base. As a result, many
files which should have had $FreeBSD$ tags but didn't now have them.
Partly rewrite the upgrade instructions and remove the now outdated
list of tricks.
2014-03-24 19:15:13 +00:00
rwatson
a400e9c007
Update most userspace consumers of capability.h to use capsicum.h instead.
auditdistd is not updated as I will make the change upstream and then do a
vendor import sometime in the next week or two.
MFC after: 3 weeks
2014-03-16 11:04:44 +00:00
pjd
ed07d3e6e2
Fix installations that use kernels without CAPABILITIES support.
Approved by: des
2014-02-04 21:48:09 +00:00
des
b1dd5bd906
Turn sandboxing on by default.
2014-02-01 00:07:16 +00:00
des
7573e91b12
Upgrade to OpenSSH 6.5p1.
2014-01-31 13:12:02 +00:00
delphij
454aa85277
MFV r257952:
Upgrade to OpenSSH 6.4p1.
Bump VersionAddendum.
Approved by: des
2013-11-11 09:19:58 +00:00
des
476b7e3d43
Unbreak the WITHOUT_KERBEROS build and try to reduce the odds of a
repeat performance by introducing a script that runs configure with and
without Kerberos, diffs the result and generates krb5_config.h, which
contains the preprocessor macros that need to be defined in the Kerberos
case and undefined otherwise.
Approved by: re (marius)
2013-09-23 20:35:54 +00:00