diff options
| author | V3n3RiX <venerix@koprulu.sector> | 2024-07-03 08:05:42 +0100 |
|---|---|---|
| committer | V3n3RiX <venerix@koprulu.sector> | 2024-07-03 08:05:42 +0100 |
| commit | 8435c842b9e8fbb2bcc80397ab3aa655000459e2 (patch) | |
| tree | b74558e80643a8f074c501e8b4bf7f50f7155455 /net-misc | |
| parent | 5c5e9714c851027611cb726a76ebb8be6d48cbdc (diff) | |
gentoo auto-resync : 03:07:2024 - 08:05:42
Diffstat (limited to 'net-misc')
| -rw-r--r-- | net-misc/Manifest.gz | bin | 54540 -> 54532 bytes | |||
| -rw-r--r-- | net-misc/kio-zeroconf/Manifest | 2 | ||||
| -rw-r--r-- | net-misc/kio-zeroconf/kio-zeroconf-24.05.1.ebuild | 2 | ||||
| -rw-r--r-- | net-misc/openssh-contrib/Manifest | 13 | ||||
| -rw-r--r-- | net-misc/openssh-contrib/files/openssh-9.6_p1-CVE-2024-6387.patch | 19 | ||||
| -rw-r--r-- | net-misc/openssh-contrib/files/openssh-9.6_p1-chaff-logic.patch | 16 | ||||
| -rw-r--r-- | net-misc/openssh-contrib/files/openssh-9.6_p1-fix-xmss-c99.patch | 20 | ||||
| -rw-r--r-- | net-misc/openssh-contrib/files/openssh-9.7_p1-X509-CVE-2024-6387.patch | 29 | ||||
| -rw-r--r-- | net-misc/openssh-contrib/openssh-contrib-9.6_p1.ebuild | 504 | ||||
| -rw-r--r-- | net-misc/openssh-contrib/openssh-contrib-9.7_p1-r1.ebuild | 530 | ||||
| -rw-r--r-- | net-misc/openssh-contrib/openssh-contrib-9.7_p1-r4.ebuild (renamed from net-misc/openssh-contrib/openssh-contrib-9.7_p1-r3.ebuild) | 11 | ||||
| -rw-r--r-- | net-misc/smb4k/Manifest | 2 | ||||
| -rw-r--r-- | net-misc/smb4k/smb4k-3.2.72.ebuild | 2 | ||||
| -rw-r--r-- | net-misc/yt-dlp/Manifest | 2 | ||||
| -rw-r--r-- | net-misc/yt-dlp/yt-dlp-2024.07.02.ebuild | 77 |
15 files changed, 182 insertions, 1047 deletions
diff --git a/net-misc/Manifest.gz b/net-misc/Manifest.gz Binary files differindex 02a0010b7e62..117693eb2ced 100644 --- a/net-misc/Manifest.gz +++ b/net-misc/Manifest.gz diff --git a/net-misc/kio-zeroconf/Manifest b/net-misc/kio-zeroconf/Manifest index 68dab2272bca..744f4d34e285 100644 --- a/net-misc/kio-zeroconf/Manifest +++ b/net-misc/kio-zeroconf/Manifest @@ -1,5 +1,5 @@ DIST kio-zeroconf-23.08.5.tar.xz 44360 BLAKE2B bf441b10221ba8c731756cb5455664fff5a1c8904a952e558084dadb6fe5bcc3a3da072ff58fd31f6c2c35a40ea27241c85403a3db16fd46b52e1a87586b1b5c SHA512 33ed5cb23280ba85ccd4fee149f5983e64164ff0c5f7730e2d49c80784b445c569aa7b925e2d44221854cf7588310f211920d8e4492d87f20be531dbbc9198e6 DIST kio-zeroconf-24.05.1.tar.xz 44412 BLAKE2B bcc4ec6290ec5da22db681f58bfa6377ac543ee4ab7387dd21d561554ba4913991b7fff01775cadaf9f20f3a9df9fca78ba633d994611ede6bc9f3aed60b6340 SHA512 a4c7ad5aa10ba51c51fcdc018793cba0b5e1568681a5fbc1da9592f2c279a6b4cf0b2b8dfdf6257d6cee8a9ace6f5e3a73a1469f3e332c6d219ffa1121f49790 EBUILD kio-zeroconf-23.08.5.ebuild 900 BLAKE2B 31511b68fc1fde36743d4eda7530feaa77d6a11e79dd48c920d61aee84216f910ce8c1254182d41d630343a8c288df9e9c33ab8643312c981ef72131c7d19c27 SHA512 81299817a158568a5d1f8f053d7cd57b14d5bebe207b997991b3efaff8fdd75d99c86c8f9a321b8efa35527864a11631a9c5c99c5f33f7538f5fc960972363ea -EBUILD kio-zeroconf-24.05.1.ebuild 590 BLAKE2B c6ae9638a2870ca9df49bd003bd710f13f636d3239049e3303b7f010560ab16d35654458d3408d225a1379eac9c46ebc79b2b791e4ba26d3934b6d609f0020cd SHA512 0f3daacdd7a5ce338a21a8845c6ef0cd42cbdd9d6cfac9b5135ab9b78cf1b750fec77256b70f6cb4eab5434ec45c17e57509e921e6bd9d6ed48dbbb16382416b +EBUILD kio-zeroconf-24.05.1.ebuild 597 BLAKE2B b6bff2387595619f9c1d59e6ca639a7ea905e876afdab253c4e36c21dd674fa203c99571acedca5a8212fde9d677f3fdc2f76994a88cd6a9e104f623afe2ea22 SHA512 76dea3ad4b6d66b900d292eed410afb97224f66ef22fba33b89f3933ab940c265b28a853ee54dacb66846b84b8b0d6e03047cfec84e1c7a8ac682f61cf70e148 MISC metadata.xml 501 BLAKE2B 467c829559f7cb706ba27fe6400ac8282b9270faadb574fa78ea977c35075a29e8d4c98267f3c4bfdb83d2c39dc8abd3b5db3e94acc3ffaf5cd5c1c52bd9c3bf SHA512 dba3e3de6cb07e240e7664806b196c748df3604e22e84a265b01bbdc2a56192ed1906b30a76c79d6d8c98763c8651c3a3dcff30a0fc942c22a65901234ad2740 diff --git a/net-misc/kio-zeroconf/kio-zeroconf-24.05.1.ebuild b/net-misc/kio-zeroconf/kio-zeroconf-24.05.1.ebuild index 3f68c00efb90..22ed48f20d40 100644 --- a/net-misc/kio-zeroconf/kio-zeroconf-24.05.1.ebuild +++ b/net-misc/kio-zeroconf/kio-zeroconf-24.05.1.ebuild @@ -11,7 +11,7 @@ DESCRIPTION="KIO worker to discover file systems by DNS-SD (DNS Service Discover LICENSE="GPL-2+" SLOT="6" -KEYWORDS="~amd64" +KEYWORDS="~amd64 ~arm64" IUSE="" DEPEND=" diff --git a/net-misc/openssh-contrib/Manifest b/net-misc/openssh-contrib/Manifest index c66a2cab577f..dcf5340c2a18 100644 --- a/net-misc/openssh-contrib/Manifest +++ b/net-misc/openssh-contrib/Manifest @@ -7,7 +7,11 @@ AUX openssh-8.9_p1-allow-ppoll_time64.patch 396 BLAKE2B b5bb202f79699d9037f12155 AUX openssh-9.0_p1-X509-uninitialized-delay.patch 321 BLAKE2B 19bff0fc7ecdc6350f8e6bd30f36f30b455c65b7455fe8b1d481d8fa7cdfa7cc76719931857fe2c9730b05ae8fe3e7e05c538e743e055d6594dd2fc7c3f250ee SHA512 57798621a51a60abf6985391ec73dcafdb46de75c93579e23b786aa095d8eea29ebd9ab5987b951a136b15e60896332c9717c82b42e1c22b345444aedf17a9f5 AUX openssh-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch 514 BLAKE2B d0dadfc57736cd4d2b04e46f5c0f6d5a1db1cfc7ee70d32afaa0f65269b82e66a72c46d33c9cbf7237f541a0485b25669cd2f4b34393e3a3ef0c9b4334092fe5 SHA512 f8badde54501340bde275951bc1cf653919bec02c760bf771308f10697b9ad2a483e30ae74ad124a737341f5c64657ab193a4d7fdf2baf24029b9447099da04b AUX openssh-9.4_p1-Allow-MAP_NORESERVE-in-sandbox-seccomp-filter-maps.patch 1647 BLAKE2B 9d55e9060e6eae041176bef27acc58d6026c8fb68c65c71c11c1acbe4e6840a63fba3dbc113a8981da66901717c1f3b4f2211a2cb322d3d4e5eba8c86f4e269c SHA512 d8fc604795d8bb4228ccbfe5714d5503bb1e0d63818d2fac65d533530d01fe4ce4fac0743b8b415f646322fec859b699fa7365beba8a42bd880d737b7c6bd7df +AUX openssh-9.6_p1-CVE-2024-6387.patch 508 BLAKE2B 592b671107692b2be1e181e0be60b693485b430355f77dd0da49ad63a26824efac82ac09d58d0ca6085b3af3204410a5433409dc880de91212870d3a520efb75 SHA512 86083f30781df293666442ab597a8c16f6e84581be4ea4371c32aeeac7efb985b78dcb8c9ae749b6747d196c7c90cd99cd946fea0cf990f06446a71ff9465858 +AUX openssh-9.6_p1-chaff-logic.patch 696 BLAKE2B c4823f78e5cc381fb65e14512917965c0118490e5b430a28f0322fff013b7b0f40f8a0b664e748a3c1317776f22ed1411655c2fa52532c444741e8f600b582a7 SHA512 6a839546c618f00c297ac9b5b2ae46bd13ac495e5a093a3aa4d0cda81152db94706c4e9ce6b132a038e4febd05b7c19693c98ac91cc142073a06d9960efe29e4 +AUX openssh-9.6_p1-fix-xmss-c99.patch 696 BLAKE2B db9ad0e9340ee241d28310b438e90a909bea551fe136f2e6855f00067e63f3558a773005359454b14315dd46ac508397ad8f081b4aaae9f7ccf0bbc30b263d85 SHA512 1e7c2b7aec655ba312a9c0edb9db5f79323aace53f5531d69d60672e1f5bb329543558d8abea5e7a21cea1c438c5ae228f6e2a0fc39a78524b6f7f005b8011e3 AUX openssh-9.6_p1-hpn-version.patch 552 BLAKE2B 4fccbb5239b9e856b01c796216ef73aaeeee0676cafc9274d225047b0196d26601073d06c8bb443361cdf89229fb052b6760273facec3e505d2bf80135f15235 SHA512 46dc0cf3bf94237d582f1c363723f22e0bbf6c435f649776766690d2595f07012e2e65a3e73f1c18dbe564885e690ce1449c3e6bf63778fe4220b4c897928f9c +AUX openssh-9.7_p1-X509-CVE-2024-6387.patch 867 BLAKE2B b893ae06b6ae99a6575303cfe227a9e23de4fc4b21fdf7784e3dd22e599af1854b3155935985c5e636dfeaec201ce751dd2317b7ee065f7bb26c75f0ea43650a SHA512 91ec4bc58cd410a2374fd3c3023e15925ee53164e22b8babb9a4d720d9c5857298f3614345ac4ad48ddfdd0a8fdde0322a307431fca7d21a8b7ca4643f5915ad AUX openssh-9.7_p1-config-tweaks.patch 1032 BLAKE2B 52f20d412722b00a452b92c8b45a8884b3e8d76c05be45431de3c7a0401dcbbf4587b65703e28a389ee05066af73cb6c1845626342b059fac463dc2ea38d0535 SHA512 bfc39aa573dd3934bae2a496a8a730f99dd7d6217c4d6e146ca4c401151f5e803f704719f29213548c67db015ba9f4cae749dd7ee5bc3b8cee0395892abae01f AUX sshd-r1.confd 774 BLAKE2B df3f3f28cb4d35b49851399b52408c42e242ae3168ff3fc79add211903567da370cfe86a267932ca9cf13c3afbc38a8f1b53e753a31670ee61bf8ba8747832f8 SHA512 3a69752592126024319a95f1c1747af508fd639c86eca472106c5d6c23d5eeaa441ca74740d4b1aafaa0db759d38879e3c1cee742b08d6166ebc58cddac1e2fe AUX sshd-r1.initd 2675 BLAKE2B 47e87cec2d15b90aae362ce0c8e8ba08dada9ebc244e28be1fe67d24deb00675d3d9b8fef40def8a9224a3e2d15ab717574a3d837e099133c1cf013079588b55 SHA512 257d6437162b76c4a3a648ecc5d4739ca7eaa60b192fde91422c6c05d0de6adfa9635adc24d57dc3da6beb92b1b354ffe8fddad3db453efb610195d5509a4e27 @@ -17,18 +21,11 @@ AUX sshd.socket 136 BLAKE2B 22e218c831fc384a3151ef97c391253738fa9002e20cf4628c6f AUX sshd_at.service.1 163 BLAKE2B b5c77d69e3860d365ba96a5b2fe14514bda9425e170fc7f324dcaf95fb02756ef9c5c2658904e812232f40fac9a3c2f4abf61b9129038bde66bb7d3a992d2606 SHA512 fbfe0aed3a5e99f15dc68838975cc49a206d697fb3549d8b31db25617dc7b7b8dd2397d865d89f305d5da391cd56a69277c2215c4335fccb4dd6a9b95ba34e2f DIST openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 51428 BLAKE2B 370b88a7da7f148bf5a4d445f05cf593b486e9df53bba027e2e179726f534b68cf9d94edd6e53024e0b6ff5f20e568727bc9d26c94d0d415603602a80d3ad241 SHA512 2d8d887901164b33b2799ff3ec72e86a39ae4a1696e52bcee0872dbae7772fcc534351e6e7f87126ee71b164c74e9091350f14b782f4b242a09f09b4f50d047a DIST openssh-8_5_P1-hpn-PeakTput-15.2.diff 2429 BLAKE2B 849bf3c313719ab7a25c75e82d5dc5ac98365a038b2a66fe58d01eae5b20c7777258b94b5830e799d6909e75c69753cda05a910f3bdab9606fb7d5efa68e05f1 SHA512 c4a56fab55fabd1d902d45f235b603708d43f969920e45c9a57e557dccfa9cade2ec61f26d1ace938f6f73e79f17b12f119b5aea9166cbda8e3435b910500914 -DIST openssh-9.6_p1-X509-glue-14.4.2.patch.xz 1516 BLAKE2B 49f1d100e1b84f051aee599547562bab17b313d097b9b16b7c3ad94fb76e31b04fc101b1824f011507033e9c5744ee0207cb751865576f92501bc442076afe8b SHA512 a09bd2ed9b9d0edfa691c2f99699261c17c9441e188ba870c1f2ceff28817af979a29a7b5c1bbfe9fbeb343241cc00b232099791cc30d665700fcbebdae07139 -DIST openssh-9.6_p1-hpn-15.2-X509-14.4.2-glue.patch.xz 5472 BLAKE2B a92ca0746cd48b1580e0a73dcae5d6e141988d3239d09a2f07de376833d14ca2434185b5fdb444fb6821da9ff75ce0c63c86404299e977d3c86050d3a116fc47 SHA512 2690f158bf1f5d1512f80c9c8d86006339a461a0bf229e41c62b75d28a9b45cb5392680fbb633415c27c3abfaa1906c170cd1d18679a2be81a1367361fd98afa DIST openssh-9.6_p1-hpn-15.2-glue.patch.xz 5028 BLAKE2B 74970dc9f244eea2e35270c9abe67bdf0f05a3ddb33ffe6ce54056ade3fbec2abe9cb60e92ea889b01be7429dfd754f2986b175cdb014aab721421e1a4952c87 SHA512 1edafed18b1fd5d64844a3d121aacbf38dcde2b90adc9b4533f3192f1335365736e9cfd82f7c847980c9b1c1b72ee39470b38d6758b3a8f5ed59796d5005492b -DIST openssh-9.6p1+x509-14.4.2.diff.gz 1243845 BLAKE2B 19ed0e174d06f4722b0f244e2c41098422fec88372d77e7c64bed2c00f4d4842b8f517d3f49958febd7a640f0582497fcaf64774fd0a04fbdc8c06b7f0ce5311 SHA512 247a088bbe7fe2bced0ec6e7f3d1fc34c3b81ce43ade9312a769c4495c7adf60d8a9ad2afb25e52fdea2f60888330de05375fbe24cd5b86a2f173e160ddb7bb8 -DIST openssh-9.6p1.tar.gz 1857862 BLAKE2B dd7f6747fe89f7b386be4faaf7fc43398a9bf439e45608ae61c2126cf8743c64ef7b5af45c75e9007b0bda525f8809261ca0f2fc47ce60177ba769a5324719dd SHA512 0ebf81e39914c3a90d7777a001ec7376a94b37e6024baf3e972c58f0982b7ddef942315f5e01d56c00ff95603b4a20ee561ab918ecc55511df007ac138160509 -DIST openssh-9.6p1.tar.gz.asc 833 BLAKE2B 9363d02f85457aa90069020827306a2f49d8406e32f5ee1d231844648dd2ffa02fa9b7325b8677a11e46a0ba0d9ffc86d9c989435d691a02f5354a956c49f9f9 SHA512 aec5a5bd6ce480a8e5b5879dc55f8186aec90fe61f085aa92ad7d07f324574aa781be09c83b7443a32848d091fd44fb12c1842d49cee77afc351e550ffcc096d DIST openssh-9.7_p1-X509-glue-15.0.patch.xz 1532 BLAKE2B ff2c5ca97607da84345342bec31435304780503d4f066bf181407c85981d8e73b622ca1107b303d0cf7bc61a262f6e8f38d5372a60d8389b8caf671cfa55b94b SHA512 48ec8e54e6e670ee2d2783fb38befd4101869cc7fc1a4e7b72058034a716170da62cae7e94a48acb575a1cec2604d5c02da629fbe482b7dbc5e28cf4d7ef7c01 DIST openssh-9.7_p1-hpn-15.2-X509-15.0-glue.patch.xz 5472 BLAKE2B 6ebbc663aaaa54d3af3c204f0c2f11d8b3d4e5c842b38b82263d21659cebcceaaa6502c04bb5e06c4200b9aef9d267b61e33f94001efe30f8e57760d43df5292 SHA512 e90ceda65ccfc80c4dec580b6e64f3bd889443d6e7d627dc4fca4900776621d33f3da0856998a63560f195b1ed98e47c4401e40d6840518ee1ccb8ea150f21fe DIST openssh-9.7p1+x509-15.0.diff.gz 1239003 BLAKE2B 98f6a6d531a9afb70d6f34dcd6609115e017d4b1738a0683dbabf66aba02382cf727db4fb07fd2a62534aa87318982e9d1c41991fdbf7cc3e6593d376ad08208 SHA512 c141bddd73fb78a8f0c92bbed6900bab6617768fc124c10ec4ea70491e1b545bbd962fa35ee5efd134a9851a1b807a5b8bae8e46585cf87a60e0311b49de3226 DIST openssh-9.7p1.tar.gz 1848766 BLAKE2B 520859fcbdf678808fc8515b64585ab9a90a8055fa869df6fbba3083cb7f73ddb81ed9ea981e131520736a8aed838f85ae68ca63406a410df61039913c5cb48b SHA512 0cafc17d22851605a4a5495a1d82c2b3fbbe6643760aad226dbf2a25b5f49d4375c3172833706ea3cb6c05d5d02a40feb9a7e790eae5c4570dd344a43e94ca55 DIST openssh-9.7p1.tar.gz.asc 833 BLAKE2B a95e952be48bd55a07d0a95a49dc06c326816c67b8b5d40bd3f64c28aa43122253817b8a088e7a3b8a190375ea39f9fc3400b22d035561f9643c1d32b5caef27 SHA512 e028978e4266de9ad513626b13d70249e4166923fc15f38751178e2b3522ff6ebb9a7ca7dc32d1bb42d42fb92adf9903dba1b734bec083010ed7323aadad8baf -EBUILD openssh-contrib-9.6_p1.ebuild 17830 BLAKE2B a99f2b5b8a6ad4557c0b26bd173471dd5091973b3c7d91e2817cfb93e3f4aed48833fbfda5cd83e9d8cd4231d7785c381ee091e10c4f9c4bcb775fcc53fd6a89 SHA512 729cf8d95395836998ac0433c7c43718dd764cb3af8767a1bf5fb5dbb8c119cacb9bfb2db041cfc5e25f12fd389c3dbfaf355b2faadd373387fdabf25ca714be -EBUILD openssh-contrib-9.7_p1-r1.ebuild 18480 BLAKE2B bec8883ea8439c99050c3552d7761465f283fc149e6cd39acce517f10c8f616b86f2b3a8dbf96c0c0ae4a97a493df493c1aa45584c7cc603e52c6112f65c19d9 SHA512 b2fb79bd1732936f1fce7c2ee80fa6de309c4e1050aa4985ade5274a04d4495dca2bb489edd3ae7584eae57bfd7ee1ca764c2ca9fad2d7a7e347fed69c74dbb8 -EBUILD openssh-contrib-9.7_p1-r3.ebuild 18488 BLAKE2B 48399860bd7f81ffa43abf63f4402da352a6fa84974bf9f8df5256b74175ea895c715f5f3bd885e1a67eac7d8e4a4af08e01d2ea4361df6bb162ce6a769e4815 SHA512 ead3af131a810d1f8dedca35ad3ebb7b89c38058641c380d8ac442f170813fae40a9823b14163ad4772e97618141809ea4289491edf83b66b0d18fa42d609d28 +EBUILD openssh-contrib-9.7_p1-r4.ebuild 18723 BLAKE2B 1eee2c7f965159897b21794438854a11388bbd5f1a3b302feb755f8deb20419774199761f6c4a455cec8f2dd8816ebb06c8965b11ffd2c28adb30d6e1c96e0e6 SHA512 0f78bbfed8afd9ec9b5ffb167bf699b85754204ad21627797561fa6fa3fe196684ed1b0d3b6b125c8f9e679edfda99917285765cdf3f1af24f4a5be19cccb4bb MISC metadata.xml 2975 BLAKE2B 068d52ba2e5de0b696e7fe995e4c2a041206a59258f24704ca3a72fe1d85323c2aad7899f055b48a4045d6303491822c59f2b86b85fc428a26f8259ea583796a SHA512 83fef701188c00af53382b5099fc2ebf83c903c3edefc3d2cf6deb0a667c0d0d9531c18728eef9b5b703903d31fbdb55a68e5b76890ea090bc1d79fef3ae6b89 diff --git a/net-misc/openssh-contrib/files/openssh-9.6_p1-CVE-2024-6387.patch b/net-misc/openssh-contrib/files/openssh-9.6_p1-CVE-2024-6387.patch new file mode 100644 index 000000000000..7b7fb70380d9 --- /dev/null +++ b/net-misc/openssh-contrib/files/openssh-9.6_p1-CVE-2024-6387.patch @@ -0,0 +1,19 @@ +https://bugs.gentoo.org/935271 +Backport proposed by upstream at https://marc.info/?l=oss-security&m=171982317624594&w=2. +--- a/log.c ++++ b/log.c +@@ -451,12 +451,14 @@ void + sshsigdie(const char *file, const char *func, int line, int showfunc, + LogLevel level, const char *suffix, const char *fmt, ...) + { ++#ifdef SYSLOG_R_SAFE_IN_SIGHAND + va_list args; + + va_start(args, fmt); + sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL, + suffix, fmt, args); + va_end(args); ++#endif + _exit(1); + } + diff --git a/net-misc/openssh-contrib/files/openssh-9.6_p1-chaff-logic.patch b/net-misc/openssh-contrib/files/openssh-9.6_p1-chaff-logic.patch new file mode 100644 index 000000000000..90544d1a457e --- /dev/null +++ b/net-misc/openssh-contrib/files/openssh-9.6_p1-chaff-logic.patch @@ -0,0 +1,16 @@ +"Minor logic error in ObscureKeystrokeTiming" +https://marc.info/?l=oss-security&m=171982317624594&w=2 +--- a/clientloop.c ++++ b/clientloop.c +@@ -608,8 +608,9 @@ obfuscate_keystroke_timing(struct ssh *ssh, struct timespec *timeout, + if (timespeccmp(&now, &chaff_until, >=)) { + /* Stop if there have been no keystrokes for a while */ + stop_reason = "chaff time expired"; +- } else if (timespeccmp(&now, &next_interval, >=)) { +- /* Otherwise if we were due to send, then send chaff */ ++ } else if (timespeccmp(&now, &next_interval, >=) && ++ !ssh_packet_have_data_to_write(ssh)) { ++ /* If due to send but have no data, then send chaff */ + if (send_chaff(ssh)) + nchaff++; + } diff --git a/net-misc/openssh-contrib/files/openssh-9.6_p1-fix-xmss-c99.patch b/net-misc/openssh-contrib/files/openssh-9.6_p1-fix-xmss-c99.patch new file mode 100644 index 000000000000..cf06b80cd5fa --- /dev/null +++ b/net-misc/openssh-contrib/files/openssh-9.6_p1-fix-xmss-c99.patch @@ -0,0 +1,20 @@ +xmss_hash.c: In function ‘core_hash_SHA2’: +xmss_hash.c:56:5: error: implicit declaration of function ‘SHA256’ [-Wimplicit-function-declaration] + 56 | SHA256(buf, inlen + keylen + n, out); + | ^~~~~~ +xmss_hash.c:61:7: error: implicit declaration of function ‘SHA512’ [-Wimplicit-function-declaration] + 61 | SHA512(buf, inlen + keylen + n, out); + | ^~~~~~ + +diff --git a/xmss_hash.c b/xmss_hash.c +index 70c126ae2..cb17de2af 100644 +--- a/xmss_hash.c ++++ b/xmss_hash.c +@@ -12,6 +12,7 @@ Public domain. + #include "xmss_hash_address.h" + #include "xmss_commons.h" + #include "xmss_hash.h" ++#include <openssl/sha.h> + + #include <stddef.h> + #ifdef HAVE_STDINT_H diff --git a/net-misc/openssh-contrib/files/openssh-9.7_p1-X509-CVE-2024-6387.patch b/net-misc/openssh-contrib/files/openssh-9.7_p1-X509-CVE-2024-6387.patch new file mode 100644 index 000000000000..7de772777107 --- /dev/null +++ b/net-misc/openssh-contrib/files/openssh-9.7_p1-X509-CVE-2024-6387.patch @@ -0,0 +1,29 @@ +diff -u a/openssh-9.7p1+x509-15.0.diff b/openssh-9.7p1+x509-15.0.diff +--- a/openssh-9.7p1+x509-15.0.diff 2024-07-02 08:34:12.300470515 -0700 ++++ b/openssh-9.7p1+x509-15.0.diff 2024-07-02 08:35:27.016991183 -0700 +@@ -69916,7 +69916,7 @@ + closelog(); + #endif + } +-@@ -424,81 +473,121 @@ ++@@ -424,81 +473,113 @@ + } + + void +@@ -69955,15 +69955,7 @@ + +sshsigdie(const char *file, const char *func, int line, + + const char *fmt,...) + { +-+#if 1 +-+/* NOTE: "OpenSSH bug 3286". See grace_alarm_handler() in sshd.c. +-+ * Logging in signal handler cannot be considered as safe. +-+ * Let enable log as now daemon does not sent explicitly alarm +-+ * signal. This should avoid logging in child signal handler. +-+ */ +-+# define DO_LOG_SAFE_IN_SIGHAND +-+#endif +-+#ifdef DO_LOG_SAFE_IN_SIGHAND +++#ifdef SYSLOG_R_SAFE_IN_SIGHAND + va_list args; + + va_start(args, fmt); diff --git a/net-misc/openssh-contrib/openssh-contrib-9.6_p1.ebuild b/net-misc/openssh-contrib/openssh-contrib-9.6_p1.ebuild deleted file mode 100644 index 6aca37ef3cb8..000000000000 --- a/net-misc/openssh-contrib/openssh-contrib-9.6_p1.ebuild +++ /dev/null @@ -1,504 +0,0 @@ -# Copyright 1999-2024 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -inherit user-info flag-o-matic autotools pam systemd toolchain-funcs verify-sig - -# Make it more portable between straight releases -# and _p? releases. -MY_P=${P/-contrib/} -PARCH=${MY_P/_} - -# PV to USE for HPN patches -#HPN_PV="${PV^^}" -HPN_PV="8.5_P1" - -HPN_VER="15.2" -HPN_PATCHES=( - openssh-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff - openssh-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff -) -HPN_GLUE_PATCH="openssh-9.6_p1-hpn-${HPN_VER}-glue.patch" -HPN_PATCH_DIR="HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}" - -X509_VER="14.4.2" -X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz" -X509_PATCH="${X509_PATCH/p2/p1}" -X509_GLUE_PATCH="openssh-${PV}-X509-glue-${X509_VER}.patch" -#X509_HPN_GLUE_PATCH="${MY_P}-hpn-${HPN_VER}-X509-${X509_VER}-glue.patch" -X509_HPN_GLUE_PATCH="${MY_P}-hpn-${HPN_VER}-X509-${X509_VER%.1}-glue.patch" - -DESCRIPTION="Port of OpenBSD's free SSH release with HPN/X509 patches" -HOMEPAGE="https://www.openssh.com/" -SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz - ${HPN_VER:+hpn? ( - $(printf "https://downloads.sourceforge.net/project/hpnssh/Patches/${HPN_PATCH_DIR}/%s\n" "${HPN_PATCHES[@]}") - https://dev.gentoo.org/~chutzpah/dist/openssh/${HPN_GLUE_PATCH}.xz - )} - ${X509_VER:+X509? ( - https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} - https://dev.gentoo.org/~chutzpah/dist/openssh/${X509_GLUE_PATCH}.xz - ${HPN_VER:+hpn? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${X509_HPN_GLUE_PATCH}.xz )} - )} - verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc ) -" -VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssh.org.asc -S="${WORKDIR}/${PARCH}" - -LICENSE="BSD GPL-2" -SLOT="0" -KEYWORDS="~amd64" -# Probably want to drop ssl defaulting to on in a future version. -IUSE="abi_mips_n32 audit debug hpn kerberos ldns libedit livecd pam +pie security-key selinux +ssl static test X X509 xmss" - -RESTRICT="!test? ( test )" - -REQUIRED_USE=" - hpn? ( ssl ) - ldns? ( ssl ) - pie? ( !static ) - static? ( !kerberos !pam ) - X509? ( ssl !xmss ) - xmss? ( ssl ) - test? ( ssl ) -" - -# tests currently fail with XMSS -REQUIRED_USE+="test? ( !xmss )" - -LIB_DEPEND=" - audit? ( sys-process/audit[static-libs(+)] ) - ldns? ( - net-libs/ldns[static-libs(+)] - net-libs/ldns[ecdsa(+),ssl(+)] - ) - libedit? ( dev-libs/libedit:=[static-libs(+)] ) - security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] ) - selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) - ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] ) - virtual/libcrypt:=[static-libs(+)] - >=sys-libs/zlib-1.2.3:=[static-libs(+)] -" -RDEPEND=" - !net-misc/openssh - acct-group/sshd - acct-user/sshd - !static? ( ${LIB_DEPEND//\[static-libs(+)]} ) - pam? ( sys-libs/pam ) - kerberos? ( virtual/krb5 ) -" -DEPEND="${RDEPEND} - virtual/os-headers - kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) ) - static? ( ${LIB_DEPEND} ) -" -RDEPEND="${RDEPEND} - pam? ( >=sys-auth/pambase-20081028 ) - !prefix? ( sys-apps/shadow ) - X? ( x11-apps/xauth ) -" -# Weird dep construct for newer gcc-config for bug #872416 -BDEPEND=" - dev-build/autoconf - virtual/pkgconfig - || ( - >=sys-devel/gcc-config-2.6 - >=sys-devel/clang-toolchain-symlinks-16-r1:* - >=sys-devel/clang-toolchain-symlinks-15-r1:15 - ) - verify-sig? ( sec-keys/openpgp-keys-openssh ) -" - -PATCHES=( - "${FILESDIR}/openssh-7.9_p1-include-stdlib.patch" - "${FILESDIR}/openssh-8.7_p1-GSSAPI-dns.patch" #165444 integrated into gsskex - "${FILESDIR}/openssh-6.7_p1-openssl-ignore-status.patch" - "${FILESDIR}/openssh-7.5_p1-disable-conch-interop-tests.patch" - "${FILESDIR}/openssh-8.0_p1-fix-putty-tests.patch" - "${FILESDIR}/openssh-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch" - "${FILESDIR}/openssh-8.9_p1-allow-ppoll_time64.patch" #834019 -) - -pkg_pretend() { - # this sucks, but i'd rather have people unable to `emerge -u openssh` - # than not be able to log in to their server any more - local missing=() - check_feature() { use "${1}" && [[ -z ${!2} ]] && missing+=( "${1}" ); } - check_feature hpn HPN_VER - check_feature X509 X509_PATCH - if [[ ${#missing[@]} -ne 0 ]] ; then - eerror "Sorry, but this version does not yet support features" - eerror "that you requested: ${missing[*]}" - eerror "Please mask ${PF} for now and check back later:" - eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask" - die "Missing requested third party patch." - fi - - # Make sure people who are using tcp wrappers are notified of its removal. #531156 - if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then - ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like" - ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please." - fi -} - -src_unpack() { - default - - # We don't have signatures for HPN, X509, so we have to write this ourselves - use verify-sig && verify-sig_verify_detached "${DISTDIR}"/${PARCH}.tar.gz{,.asc} -} - -src_prepare() { - sed -i \ - -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \ - pathnames.h || die - - # don't break .ssh/authorized_keys2 for fun - sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die - - eapply -- "${PATCHES[@]}" - - [[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches - - local PATCHSET_VERSION_MACROS=() - - if use X509 ; then - pushd "${WORKDIR}" &>/dev/null || die - eapply "${WORKDIR}/${X509_GLUE_PATCH}" - popd &>/dev/null || die - - eapply "${WORKDIR}"/${X509_PATCH%.*} - eapply "${FILESDIR}/openssh-9.0_p1-X509-uninitialized-delay.patch" - - # We need to patch package version or any X.509 sshd will reject our ssh client - # with "userauth_pubkey: could not parse key: string is too large [preauth]" - # error - einfo "Patching package version for X.509 patch set ..." - sed -i \ - -e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \ - "${S}"/configure.ac || die "Failed to patch package version for X.509 patch" - - einfo "Patching version.h to expose X.509 patch set ..." - sed -i \ - -e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \ - "${S}"/version.h || die "Failed to sed-in X.509 patch version" - PATCHSET_VERSION_MACROS+=( 'SSH_X509' ) - fi - - if use hpn ; then - local hpn_patchdir="${T}/openssh-${PV}-hpn${HPN_VER}" - mkdir "${hpn_patchdir}" || die - cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die - pushd "${hpn_patchdir}" &>/dev/null || die - eapply "${WORKDIR}/${HPN_GLUE_PATCH}" - use X509 && eapply "${WORKDIR}/${X509_HPN_GLUE_PATCH}" - popd &>/dev/null || die - - eapply "${hpn_patchdir}" - - use X509 || eapply "${FILESDIR}/openssh-9.6_p1-hpn-version.patch" - - einfo "Patching Makefile.in for HPN patch set ..." - sed -i \ - -e "/^LIBS=/ s/\$/ -lpthread/" \ - "${S}"/Makefile.in || die "Failed to patch Makefile.in" - - einfo "Patching version.h to expose HPN patch set ..." - sed -i \ - -e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \ - "${S}"/version.h || die "Failed to sed-in HPN patch version" - PATCHSET_VERSION_MACROS+=( 'SSH_HPN' ) - - if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then - # Before re-enabling, check https://bugs.gentoo.org/354113#c6 - # and be sure to have tested it. - einfo "Disabling known non-working MT AES cipher per default ..." - - cat > "${T}"/disable_mtaes.conf <<- EOF - - # HPN's Multi-Threaded AES CTR cipher is currently known to be broken - # and therefore disabled per default. - DisableMTAES yes - EOF - sed -i \ - -e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \ - "${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config" - - sed -i \ - -e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \ - "${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config" - fi - fi - - if use X509 || use hpn ; then - einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..." - sed -i \ - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \ - "${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)" - - einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..." - sed -i \ - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \ - "${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)" - - einfo "Patching version.h to add our patch sets to SSH_RELEASE ..." - sed -i \ - -e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \ - "${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)" - fi - - eapply_user #473004 - - # These tests are currently incompatible with PORTAGE_TMPDIR/sandbox - sed -e '/\t\tpercent \\/ d' \ - -i regress/Makefile || die - - tc-export PKG_CONFIG - local sed_args=( - -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):" - # Disable fortify flags ... our gcc does this for us - -e 's:-D_FORTIFY_SOURCE=2::' - ) - - # _XOPEN_SOURCE causes header conflicts on Solaris - [[ ${CHOST} == *-solaris* ]] && sed_args+=( - -e 's/-D_XOPEN_SOURCE//' - ) - sed -i "${sed_args[@]}" configure{.ac,} || die - - eautoreconf -} - -src_configure() { - addwrite /dev/ptmx - - use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG - use static && append-ldflags -static - use xmss && append-cflags -DWITH_XMSS - - if [[ ${CHOST} == *-solaris* ]] ; then - # Solaris' glob.h doesn't have things like GLOB_TILDE, configure - # doesn't check for this, so force the replacement to be put in - # place - append-cppflags -DBROKEN_GLOB - fi - - # use replacement, RPF_ECHO_ON doesn't exist here - [[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no - - local myconf=( - --with-ldflags="${LDFLAGS}" - --disable-strip - --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run - --sysconfdir="${EPREFIX}"/etc/ssh - --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc - --datadir="${EPREFIX}"/usr/share/openssh - --with-privsep-path="${EPREFIX}"/var/empty - --with-privsep-user=sshd - --with-hardening - $(use_with audit audit linux) - $(use_with kerberos kerberos5 "${EPREFIX}"/usr) - $(use_with ldns) - $(use_with libedit) - $(use_with pam) - $(use_with pie) - $(use_with selinux) - $(usex X509 '' "$(use_with security-key security-key-builtin)") - $(use_with ssl openssl) - $(use_with ssl ssl-engine) - ) - - if use elibc_musl; then - # musl defines bogus values for UTMP_FILE and WTMP_FILE - # https://bugs.gentoo.org/753230 - myconf+=( --disable-utmp --disable-wtmp ) - fi - - # Workaround for Clang 15 miscompilation with -fzero-call-used-regs=all - # bug #869839 (https://github.com/llvm/llvm-project/issues/57692) - tc-is-clang && myconf+=( --without-hardening ) - - econf "${myconf[@]}" -} - -src_test() { - local tests=( compat-tests ) - local shell=$(egetshell "${UID}") - if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then - ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'" - ewarn "user, so we will run a subset only." - tests+=( interop-tests ) - else - tests+=( tests ) - fi - - local -x SUDO= SSH_SK_PROVIDER= TEST_SSH_UNSAFE_PERMISSIONS=1 - mkdir -p "${HOME}"/.ssh || die - emake -j1 "${tests[@]}" </dev/null -} - -# Gentoo tweaks to default config files. -tweak_ssh_configs() { - local locale_vars=( - # These are language variables that POSIX defines. - # http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02 - LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME - - # These are the GNU extensions. - # https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html - LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE - ) - - dodir /etc/ssh/ssh_config.d /etc/ssh/sshd_config.d - cat <<-EOF >> "${ED}"/etc/ssh/ssh_config || die - Include "${EPREFIX}/etc/ssh/ssh_config.d/*.conf" - EOF - cat <<-EOF >> "${ED}"/etc/ssh/sshd_config || die - Include "${EPREFIX}/etc/ssh/sshd_config.d/*.conf" - EOF - - cat <<-EOF >> "${ED}"/etc/ssh/ssh_config.d/9999999gentoo.conf || die - # Send locale environment variables (bug #367017) - SendEnv ${locale_vars[*]} - - # Send COLORTERM to match TERM (bug #658540) - SendEnv COLORTERM - EOF - - cat <<-EOF >> "${ED}"/etc/ssh/ssh_config.d/9999999gentoo-security.conf || die - RevokedHostKeys "${EPREFIX}/etc/ssh/ssh_revoked_hosts" - EOF - - cat <<-EOF >> "${ED}"/etc/ssh/ssh_revoked_hosts || die - # https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/ - ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== - EOF - - cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/9999999gentoo.conf || die - # Allow client to pass locale environment variables (bug #367017) - AcceptEnv ${locale_vars[*]} - - # Allow client to pass COLORTERM to match TERM (bug #658540) - AcceptEnv COLORTERM - EOF - - if use pam ; then - cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/9999999gentoo-pam.conf || die - UsePAM yes - # This interferes with PAM. - PasswordAuthentication no - # PAM can do its own handling of MOTD. - PrintMotd no - PrintLastLog no - EOF - fi - - if use livecd ; then - cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/9999999gentoo-livecd.conf || die - # Allow root login with password on livecds. - PermitRootLogin Yes - EOF - fi -} - -src_install() { - emake install-nokeys DESTDIR="${D}" - fperms 600 /etc/ssh/sshd_config - dobin contrib/ssh-copy-id - newinitd "${FILESDIR}"/sshd-r1.initd sshd - newconfd "${FILESDIR}"/sshd-r1.confd sshd - - if use pam; then - newpamd "${FILESDIR}"/sshd.pam_include.2 sshd - fi - - tweak_ssh_configs - - doman contrib/ssh-copy-id.1 - dodoc CREDITS OVERVIEW README* TODO sshd_config - use hpn && dodoc HPN-README - use X509 || dodoc ChangeLog - - diropts -m 0700 - dodir /etc/skel/.ssh - rmdir "${ED}"/var/empty || die - - systemd_dounit "${FILESDIR}"/sshd.socket - systemd_newunit "${FILESDIR}"/sshd.service.1 sshd.service - systemd_newunit "${FILESDIR}"/sshd_at.service.1 'sshd@.service' -} - -pkg_preinst() { - if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then - show_ssl_warning=1 - fi -} - -pkg_postinst() { - local old_ver - for old_ver in ${REPLACING_VERSIONS}; do - if ver_test "${old_ver}" -lt "5.8_p1"; then - elog "Starting with openssh-5.8p1, the server will default to a newer key" - elog "algorithm (ECDSA). You are encouraged to manually update your stored" - elog "keys list as servers update theirs. See ssh-keyscan(1) for more info." - fi - if ver_test "${old_ver}" -lt "7.0_p1"; then - elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream." - elog "Make sure to update any configs that you might have. Note that xinetd might" - elog "be an alternative for you as it supports USE=tcpd." - fi - if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518 - elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their" - elog "weak sizes. If you rely on these key types, you can re-enable the key types by" - elog "adding to your sshd_config or ~/.ssh/config files:" - elog " PubkeyAcceptedKeyTypes=+ssh-dss" - elog "You should however generate new keys using rsa or ed25519." - - elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'" - elog "to 'prohibit-password'. That means password auth for root users no longer works" - elog "out of the box. If you need this, please update your sshd_config explicitly." - fi - if ver_test "${old_ver}" -lt "7.6_p1"; then - elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely." - elog "Furthermore, rsa keys with less than 1024 bits will be refused." - fi - if ver_test "${old_ver}" -lt "7.7_p1"; then - elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality." - elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option" - elog "if you need to authenticate against LDAP." - elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details." - fi - if ver_test "${old_ver}" -lt "8.2_p1"; then - ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you" - ewarn "will not be able to establish new sessions. Restarting sshd over a ssh" - ewarn "connection is generally safe." - fi - if ver_test "${old_ver}" -lt "9.2_p1-r1" && systemd_is_booted; then - ewarn "From openssh-9.2_p1-r1 the supplied systemd unit file defaults to" - ewarn "'Restart=on-failure', which causes the service to automatically restart if it" - ewarn "terminates with an unclean exit code or signal. This feature is useful for most users," - ewarn "but it can increase the vulnerability of the system in the event of a future exploit." - ewarn "If you have a web-facing setup or are concerned about security, it is recommended to" - ewarn "set 'Restart=no' in your sshd unit file." - fi - done - - if [[ -n ${show_ssl_warning} ]]; then - elog "Be aware that by disabling openssl support in openssh, the server and clients" - elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys" - elog "and update all clients/servers that utilize them." - fi - - if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then - elog "" - elog "HPN's multi-threaded AES CTR cipher is currently known to be broken" - elog "and therefore disabled at runtime per default." - elog "Make sure your sshd_config is up to date and contains" - elog "" - elog " DisableMTAES yes" - elog "" - elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher." - elog "" - fi -} diff --git a/net-misc/openssh-contrib/openssh-contrib-9.7_p1-r1.ebuild b/net-misc/openssh-contrib/openssh-contrib-9.7_p1-r1.ebuild deleted file mode 100644 index f9f2c349c740..000000000000 --- a/net-misc/openssh-contrib/openssh-contrib-9.7_p1-r1.ebuild +++ /dev/null @@ -1,530 +0,0 @@ -# Copyright 1999-2024 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -inherit user-info optfeature flag-o-matic autotools pam systemd toolchain-funcs verify-sig - -# Make it more portable between straight releases -# and _p? releases. -MY_P=${P/-contrib/} -PARCH=${MY_P/_} - -# PV to USE for HPN patches -#HPN_PV="${PV^^}" -HPN_PV="8.5_P1" - -HPN_VER="15.2" -HPN_PATCHES=( - openssh-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff - openssh-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff -) -HPN_GLUE_PATCH="openssh-9.6_p1-hpn-${HPN_VER}-glue.patch" -HPN_PATCH_DIR="HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}" - -X509_VER="15.0" -X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz" -X509_PATCH="${X509_PATCH/p2/p1}" -X509_GLUE_PATCH="openssh-${PV}-X509-glue-${X509_VER}.patch" -#X509_HPN_GLUE_PATCH="${MY_P}-hpn-${HPN_VER}-X509-${X509_VER}-glue.patch" -X509_HPN_GLUE_PATCH="${MY_P}-hpn-${HPN_VER}-X509-${X509_VER%.1}-glue.patch" - -DESCRIPTION="Port of OpenBSD's free SSH release with HPN/X509 patches" -HOMEPAGE="https://www.openssh.com/" -SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz - ${HPN_VER:+hpn? ( - $(printf "https://downloads.sourceforge.net/project/hpnssh/Patches/${HPN_PATCH_DIR}/%s\n" "${HPN_PATCHES[@]}") - https://dev.gentoo.org/~chutzpah/dist/openssh/${HPN_GLUE_PATCH}.xz - )} - ${X509_VER:+X509? ( - https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} - https://dev.gentoo.org/~chutzpah/dist/openssh/${X509_GLUE_PATCH}.xz - ${HPN_VER:+hpn? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${X509_HPN_GLUE_PATCH}.xz )} - )} - verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc ) -" -VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssh.org.asc -S="${WORKDIR}/${PARCH}" - -LICENSE="BSD GPL-2" -SLOT="0" -KEYWORDS="~amd64" -# Probably want to drop ssl defaulting to on in a future version. -IUSE="abi_mips_n32 audit debug hpn kerberos ldns libedit livecd pam +pie security-key selinux +ssl static test X X509 xmss" - -RESTRICT="!test? ( test )" - -REQUIRED_USE=" - hpn? ( ssl ) - ldns? ( ssl ) - pie? ( !static ) - static? ( !kerberos !pam ) - X509? ( ssl !xmss !security-key ) - xmss? ( ssl ) - test? ( ssl ) -" - -# tests currently fail with XMSS -REQUIRED_USE+="test? ( !xmss )" - -LIB_DEPEND=" - audit? ( sys-process/audit[static-libs(+)] ) - ldns? ( - net-libs/ldns[static-libs(+)] - net-libs/ldns[ecdsa(+),ssl(+)] - ) - libedit? ( dev-libs/libedit:=[static-libs(+)] ) - selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) - ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] ) - virtual/libcrypt:=[static-libs(+)] - >=sys-libs/zlib-1.2.3:=[static-libs(+)] -" -RDEPEND=" - acct-group/sshd - acct-user/sshd - !static? ( ${LIB_DEPEND//\[static-libs(+)]} ) - pam? ( sys-libs/pam ) - kerberos? ( virtual/krb5 ) -" -DEPEND=" - ${RDEPEND} - virtual/os-headers - kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) ) - static? ( ${LIB_DEPEND} ) -" -RDEPEND=" - ${RDEPEND} - !net-misc/openssh - pam? ( >=sys-auth/pambase-20081028 ) - !prefix? ( sys-apps/shadow ) -" -BDEPEND=" - dev-build/autoconf - virtual/pkgconfig - verify-sig? ( sec-keys/openpgp-keys-openssh ) -" - -PATCHES=( - "${FILESDIR}/openssh-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch" - "${FILESDIR}/openssh-9.4_p1-Allow-MAP_NORESERVE-in-sandbox-seccomp-filter-maps.patch" -) - -pkg_pretend() { - # this sucks, but i'd rather have people unable to `emerge -u openssh` - # than not be able to log in to their server any more - local missing=() - check_feature() { use "${1}" && [[ -z ${!2} ]] && missing+=( "${1}" ); } - check_feature hpn HPN_VER - check_feature X509 X509_PATCH - if [[ ${#missing[@]} -ne 0 ]] ; then - eerror "Sorry, but this version does not yet support features" - eerror "that you requested: ${missing[*]}" - eerror "Please mask ${PF} for now and check back later:" - eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask" - die "Missing requested third party patch." - fi - - # Make sure people who are using tcp wrappers are notified of its removal. #531156 - if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then - ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like" - ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please." - fi -} - -src_unpack() { - default - - # We don't have signatures for HPN, X509, so we have to write this ourselves - use verify-sig && verify-sig_verify_detached "${DISTDIR}"/${PARCH}.tar.gz{,.asc} -} - -src_prepare() { - sed -i \ - -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \ - pathnames.h || die - - # don't break .ssh/authorized_keys2 for fun - sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die - - [[ -d ${WORKDIR}/patches ]] && PATCHES+=( "${WORKDIR}"/patches ) - - eapply -- "${PATCHES[@]}" - - local PATCHSET_VERSION_MACROS=() - - if use X509 ; then - pushd "${WORKDIR}" &>/dev/null || die - eapply "${WORKDIR}/${X509_GLUE_PATCH}" - popd &>/dev/null || die - - eapply "${WORKDIR}"/${X509_PATCH%.*} - eapply "${FILESDIR}/openssh-9.0_p1-X509-uninitialized-delay.patch" - - # We need to patch package version or any X.509 sshd will reject our ssh client - # with "userauth_pubkey: could not parse key: string is too large [preauth]" - # error - einfo "Patching package version for X.509 patch set ..." - sed -i \ - -e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \ - "${S}"/configure.ac || die "Failed to patch package version for X.509 patch" - - einfo "Patching version.h to expose X.509 patch set ..." - sed -i \ - -e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \ - "${S}"/version.h || die "Failed to sed-in X.509 patch version" - PATCHSET_VERSION_MACROS+=( 'SSH_X509' ) - fi - - if use hpn ; then - local hpn_patchdir="${T}/openssh-${PV}-hpn${HPN_VER}" - mkdir "${hpn_patchdir}" || die - cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die - pushd "${hpn_patchdir}" &>/dev/null || die - eapply "${WORKDIR}/${HPN_GLUE_PATCH}" - use X509 && eapply "${WORKDIR}/${X509_HPN_GLUE_PATCH}" - popd &>/dev/null || die - - eapply "${hpn_patchdir}" - - use X509 || eapply "${FILESDIR}/openssh-9.6_p1-hpn-version.patch" - - einfo "Patching Makefile.in for HPN patch set ..." - sed -i \ - -e "/^LIBS=/ s/\$/ -lpthread/" \ - "${S}"/Makefile.in || die "Failed to patch Makefile.in" - - einfo "Patching version.h to expose HPN patch set ..." - sed -i \ - -e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \ - "${S}"/version.h || die "Failed to sed-in HPN patch version" - PATCHSET_VERSION_MACROS+=( 'SSH_HPN' ) - - if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then - # Before re-enabling, check https://bugs.gentoo.org/354113#c6 - # and be sure to have tested it. - einfo "Disabling known non-working MT AES cipher per default ..." - - cat > "${T}"/disable_mtaes.conf <<- EOF - - # HPN's Multi-Threaded AES CTR cipher is currently known to be broken - # and therefore disabled per default. - DisableMTAES yes - EOF - sed -i \ - -e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \ - "${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config" - - sed -i \ - -e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \ - "${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config" - fi - fi - - if use X509 || use hpn ; then - einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..." - sed -i \ - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \ - "${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)" - - einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..." - sed -i \ - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \ - "${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)" - - einfo "Patching version.h to add our patch sets to SSH_RELEASE ..." - sed -i \ - -e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \ - "${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)" - fi - - eapply_user #473004 - - # These tests are currently incompatible with PORTAGE_TMPDIR/sandbox - sed -e '/\t\tpercent \\/ d' \ - -i regress/Makefile || die - - tc-export PKG_CONFIG - local sed_args=( - -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):" - # Disable fortify flags ... our gcc does this for us - -e 's:-D_FORTIFY_SOURCE=2::' - ) - - # _XOPEN_SOURCE causes header conflicts on Solaris - [[ ${CHOST} == *-solaris* ]] && sed_args+=( - -e 's/-D_XOPEN_SOURCE//' - ) - sed -i "${sed_args[@]}" configure{.ac,} || die - - eautoreconf -} - -src_configure() { - addwrite /dev/ptmx - - use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG - use static && append-ldflags -static - use xmss && append-cflags -DWITH_XMSS - - if [[ ${CHOST} == *-solaris* ]] ; then - # Solaris' glob.h doesn't have things like GLOB_TILDE, configure - # doesn't check for this, so force the replacement to be put in - # place - append-cppflags -DBROKEN_GLOB - fi - - # use replacement, RPF_ECHO_ON doesn't exist here - [[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no - - local myconf=( - --with-ldflags="${LDFLAGS}" - --disable-strip - --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run - --sysconfdir="${EPREFIX}"/etc/ssh - --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc - --datadir="${EPREFIX}"/usr/share/openssh - --with-privsep-path="${EPREFIX}"/var/empty - --with-privsep-user=sshd - # optional at runtime; guarantee a known path - --with-xauth="${EPREFIX}"/usr/bin/xauth - - # --with-hardening adds the following in addition to flags we - # already set in our toolchain: - # * -ftrapv (which is broken with GCC anyway), - # * -ftrivial-auto-var-init=zero (which is nice, but not the end of - # the world to not have) - # * -fzero-call-used-regs=used (history of miscompilations with - # Clang (bug #872548), ICEs on m68k (bug #920350, gcc PR113086, - # gcc PR104820, gcc PR104817, gcc PR110934)). - # - # Furthermore, OSSH_CHECK_CFLAG_COMPILE does not use AC_CACHE_CHECK, - # so we cannot just disable -fzero-call-used-regs=used. - # - # Therefore, just pass --without-hardening, given it doesn't negate - # our already hardened toolchain defaults, and avoids adding flags - # which are known-broken in both Clang and GCC and haven't been - # proven reliable. - --without-hardening - - $(use_with audit audit linux) - $(use_with kerberos kerberos5 "${EPREFIX}"/usr) - $(use_with ldns) - $(use_with libedit) - $(use_with pam) - $(use_with pie) - $(use_with selinux) - $(usex X509 '' "$(use_with security-key security-key-builtin)") - $(use_with ssl openssl) - $(use_with ssl ssl-engine) - ) - - if use elibc_musl; then - # musl defines bogus values for UTMP_FILE and WTMP_FILE - myconf+=( --disable-utmp --disable-wtmp ) - fi - - # Workaround for Clang 15 miscompilation with -fzero-call-used-regs=all - # bug #869839 (https://github.com/llvm/llvm-project/issues/57692) - tc-is-clang && myconf+=( --without-hardening ) - - econf "${myconf[@]}" -} - -tweak_ssh_configs() { - cat <<-EOF >> ssh_config.out || die - - Include "${EPREFIX}/etc/ssh/ssh_config.d/*.conf" - EOF - cat <<-EOF >> sshd_config.out || die - - Include "${EPREFIX}/etc/ssh/sshd_config.d/*.conf" - EOF -} - -create_config_dropins() { - local locale_vars=( - # These are language variables that POSIX defines. - # http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02 - LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME - - # These are the GNU extensions. - # https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html - LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE - ) - - mkdir -p "${WORKDIR}"/etc/ssh/ssh{,d}_config.d || die - - cat <<-EOF > "${WORKDIR}"/etc/ssh/ssh_config.d/9999999gentoo.conf || die - # Send locale environment variables (bug #367017) - SendEnv ${locale_vars[*]} - - # Send COLORTERM to match TERM (bug #658540) - SendEnv COLORTERM - EOF - - cat <<-EOF > "${WORKDIR}"/etc/ssh/ssh_config.d/9999999gentoo-security.conf || die - RevokedHostKeys "${EPREFIX}/etc/ssh/ssh_revoked_hosts" - EOF - - cat <<-EOF > "${WORKDIR}"/etc/ssh/ssh_revoked_hosts || die - # https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/ - ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== - EOF - - cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo.conf || die - # Allow client to pass locale environment variables (bug #367017) - AcceptEnv ${locale_vars[*]} - - # Allow client to pass COLORTERM to match TERM (bug #658540) - AcceptEnv COLORTERM - EOF - - if use pam ; then - cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-pam.conf || die - UsePAM yes - # This interferes with PAM. - PasswordAuthentication no - # PAM can do its own handling of MOTD. - PrintMotd no - PrintLastLog no - EOF - fi - - if use livecd ; then - cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-livecd.conf || die - # Allow root login with password on livecds. - PermitRootLogin Yes - EOF - fi -} - -src_compile() { - default - tweak_ssh_configs - create_config_dropins -} - -src_test() { - local tests=( compat-tests ) - local shell=$(egetshell "${UID}") - if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then - ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'" - ewarn "user, so we will run a subset only." - tests+=( interop-tests ) - else - tests+=( tests ) - fi - - local -x SUDO= SSH_SK_PROVIDER= TEST_SSH_UNSAFE_PERMISSIONS=1 REGRESS_INTEROP_PUTTY=1 - mkdir -p "${HOME}"/.ssh || die - emake -j1 "${tests[@]}" </dev/null -} - -src_install() { - emake install-nokeys DESTDIR="${D}" - fperms 600 /etc/ssh/sshd_config - dobin contrib/ssh-copy-id - newinitd "${FILESDIR}"/sshd-r1.initd sshd - newconfd "${FILESDIR}"/sshd-r1.confd sshd - - if use pam; then - newpamd "${FILESDIR}"/sshd.pam_include.2 sshd - fi - - doman contrib/ssh-copy-id.1 - dodoc CREDITS OVERVIEW README* TODO sshd_config - use hpn && dodoc HPN-README - use X509 || dodoc ChangeLog - - rmdir "${ED}"/var/empty || die - - systemd_dounit "${FILESDIR}"/sshd.socket - systemd_newunit "${FILESDIR}"/sshd.service.1 sshd.service - systemd_newunit "${FILESDIR}"/sshd_at.service.1 'sshd@.service' - - # Install dropins with explicit mode, bug 906638, 915840 - diropts -m0755 - insopts -m0644 - insinto /etc/ssh - doins -r "${WORKDIR}"/etc/ssh/ssh_config.d - diropts -m0700 - insopts -m0600 - doins -r "${WORKDIR}"/etc/ssh/sshd_config.d -} - -pkg_preinst() { - if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then - show_ssl_warning=1 - fi -} - -pkg_postinst() { - # bug #139235 - optfeature "x11 forwarding" x11-apps/xauth - - local old_ver - for old_ver in ${REPLACING_VERSIONS}; do - if ver_test "${old_ver}" -lt "5.8_p1"; then - elog "Starting with openssh-5.8p1, the server will default to a newer key" - elog "algorithm (ECDSA). You are encouraged to manually update your stored" - elog "keys list as servers update theirs. See ssh-keyscan(1) for more info." - fi - if ver_test "${old_ver}" -lt "7.0_p1"; then - elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream." - elog "Make sure to update any configs that you might have. Note that xinetd might" - elog "be an alternative for you as it supports USE=tcpd." - fi - if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518 - elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their" - elog "weak sizes. If you rely on these key types, you can re-enable the key types by" - elog "adding to your sshd_config or ~/.ssh/config files:" - elog " PubkeyAcceptedKeyTypes=+ssh-dss" - elog "You should however generate new keys using rsa or ed25519." - - elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'" - elog "to 'prohibit-password'. That means password auth for root users no longer works" - elog "out of the box. If you need this, please update your sshd_config explicitly." - fi - if ver_test "${old_ver}" -lt "7.6_p1"; then - elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely." - elog "Furthermore, rsa keys with less than 1024 bits will be refused." - fi - if ver_test "${old_ver}" -lt "7.7_p1"; then - elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality." - elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option" - elog "if you need to authenticate against LDAP." - elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details." - fi - if ver_test "${old_ver}" -lt "8.2_p1"; then - ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you" - ewarn "will not be able to establish new sessions. Restarting sshd over a ssh" - ewarn "connection is generally safe." - fi - if ver_test "${old_ver}" -lt "9.2_p1-r1" && systemd_is_booted; then - ewarn "From openssh-9.2_p1-r1 the supplied systemd unit file defaults to" - ewarn "'Restart=on-failure', which causes the service to automatically restart if it" - ewarn "terminates with an unclean exit code or signal. This feature is useful for most users," - ewarn "but it can increase the vulnerability of the system in the event of a future exploit." - ewarn "If you have a web-facing setup or are concerned about security, it is recommended to" - ewarn "set 'Restart=no' in your sshd unit file." - fi - done - - if [[ -n ${show_ssl_warning} ]]; then - elog "Be aware that by disabling openssl support in openssh, the server and clients" - elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys" - elog "and update all clients/servers that utilize them." - fi - - if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then - elog "" - elog "HPN's multi-threaded AES CTR cipher is currently known to be broken" - elog "and therefore disabled at runtime per default." - elog "Make sure your sshd_config is up to date and contains" - elog "" - elog " DisableMTAES yes" - elog "" - elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher." - elog "" - fi -} diff --git a/net-misc/openssh-contrib/openssh-contrib-9.7_p1-r3.ebuild b/net-misc/openssh-contrib/openssh-contrib-9.7_p1-r4.ebuild index 928f72db3060..6686d35c898f 100644 --- a/net-misc/openssh-contrib/openssh-contrib-9.7_p1-r3.ebuild +++ b/net-misc/openssh-contrib/openssh-contrib-9.7_p1-r4.ebuild @@ -105,11 +105,16 @@ BDEPEND=" " PATCHES=( - "${FILESDIR}/openssh-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch" "${FILESDIR}/openssh-9.4_p1-Allow-MAP_NORESERVE-in-sandbox-seccomp-filter-maps.patch" + "${FILESDIR}/openssh-9.6_p1-fix-xmss-c99.patch" "${FILESDIR}/openssh-9.7_p1-config-tweaks.patch" ) +NON_X509_PATCHES=( + "${FILESDIR}/openssh-9.6_p1-chaff-logic.patch" + "${FILESDIR}/openssh-9.6_p1-CVE-2024-6387.patch" +) + pkg_pretend() { # this sucks, but i'd rather have people unable to `emerge -u openssh` # than not be able to log in to their server any more @@ -156,6 +161,7 @@ src_prepare() { if use X509 ; then pushd "${WORKDIR}" &>/dev/null || die eapply "${WORKDIR}/${X509_GLUE_PATCH}" + eapply "${FILESDIR}/openssh-9.7_p1-X509-CVE-2024-6387.patch" popd &>/dev/null || die eapply "${WORKDIR}"/${X509_PATCH%.*} @@ -174,6 +180,8 @@ src_prepare() { -e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \ "${S}"/version.h || die "Failed to sed-in X.509 patch version" PATCHSET_VERSION_MACROS+=( 'SSH_X509' ) + else + eapply "${NON_X509_PATCHES[@]}" fi if use hpn ; then @@ -314,6 +322,7 @@ src_configure() { $(use_with pam) $(use_with pie) $(use_with selinux) + $(use_with security-key security-key-builtin) $(usex X509 '' "$(use_with security-key security-key-builtin)") $(use_with ssl openssl) $(use_with ssl ssl-engine) diff --git a/net-misc/smb4k/Manifest b/net-misc/smb4k/Manifest index 7ac77d1b90cc..c891a8a18e53 100644 --- a/net-misc/smb4k/Manifest +++ b/net-misc/smb4k/Manifest @@ -2,5 +2,5 @@ DIST smb4k-3.2.5-bundled-kdsoap-ws-discovery-client.patch.xz 33212 BLAKE2B 774f5 DIST smb4k-3.2.5.tar.xz 4314812 BLAKE2B 9c5ca6f3d9607be1e5673f7d32a8dc5f191045ccc5607a4ccd9d48d07fc698278db5bbe5e8ffcc4fa9a1f390d52e7ebb877bc01146754873af5d3c266aad16d2 SHA512 6273c9701cf3d65f9b1d7ce0cbe929dc8f422b6a7a308f0b3c4c08e30acf2d189bc1ef4f960dad25aaf71b38b29ce6c41ba8adf50f0bb139e25a0d65a8e67a28 DIST smb4k-3.2.72.tar.xz 4341620 BLAKE2B 8fe3a2f6e30c9565197882aed92f27db862e0e6c9df35dda1b9187d7279618cae6359c1282ba474ae5b4fe39b8446e133aa95e0f10d0d4087580813944b49ba2 SHA512 0140bca46d21f0355e0cf06ec3cc140b84bd3f334c291c7f2f7dcf379c5520c35d8e77fe7eade5b156462c3a366730405fff8f9678cc5e0e061b3ca837b9de6d EBUILD smb4k-3.2.5-r2.ebuild 2331 BLAKE2B af60be9eb3e4e56f163b794f7560d59d1781574b6379c1472f9b959d9ea8c6862d3c09a17784b054c82a9970f4e0794a9ef91b21a2fe0a07ef7ee4238998b12c SHA512 e5d598f4157f8ae0b0e436385f8859178a9b01a253dc916d1a1f0172974425619886641ca0890ac2df17823b278923a5e22913e754fd3bf1267c3be7183a9c0e -EBUILD smb4k-3.2.72.ebuild 2068 BLAKE2B a0b7ba523896953d68ca20596357e77f813173cc3db4f917e7c368f29d7312ac9d2bebd9a11f3cb108c1ce5ea16daafbd9a18b1c26d776c779aa25812b59fb85 SHA512 854532502950acee016ebcb13de1cb786aaad12f6ea10b520080afb85c2f5199e9c9de2d165129eab36d3b6c6d61d879388b21005ff798f6376164191c4e5dd8 +EBUILD smb4k-3.2.72.ebuild 2075 BLAKE2B 08ee9cb2b684677616821234213f9834941e22643cdaabdec944f835dfc7993d396a3c8a74111d3193cbb1c4d4ca0d126979cdc348e671a14345781c342326de SHA512 d6949d22e669057a75fcf80a2c509c3fdc049189ad80f472a19f69f06828beca05867b84a915fd5d68a916b739296dc42d9075a892784adbc0c8b41ca6f15993 MISC metadata.xml 593 BLAKE2B 087dedf151163d8d8f02f41a9aa08117219c50556e3e60c97bf3bf3175fbe41fe9cdc1f0ada27aacc660095b41edfcb9502d02568bcd9eea26e8cecdbceaebe9 SHA512 f090b6f9b968087c912cc88187089a0eb891e77713fd5aabed03931b9da6f2f6673e48b37edf57de5da3a421f25d82371f9568db302e9e35e64f5f8200a2418e diff --git a/net-misc/smb4k/smb4k-3.2.72.ebuild b/net-misc/smb4k/smb4k-3.2.72.ebuild index 797a9d0554c5..e5dd90cb9a9c 100644 --- a/net-misc/smb4k/smb4k-3.2.72.ebuild +++ b/net-misc/smb4k/smb4k-3.2.72.ebuild @@ -14,7 +14,7 @@ https://sourceforge.net/p/smb4k/home/Home/" if [[ ${KDE_BUILD_TYPE} = release ]]; then SRC_URI="https://downloads.sourceforge.net/${PN}/Development/${P}.tar.xz" - KEYWORDS="~amd64" + KEYWORDS="~amd64 ~arm64" fi LICENSE="GPL-2" diff --git a/net-misc/yt-dlp/Manifest b/net-misc/yt-dlp/Manifest index d0d676b5aa1e..225901922a67 100644 --- a/net-misc/yt-dlp/Manifest +++ b/net-misc/yt-dlp/Manifest @@ -1,4 +1,6 @@ DIST yt-dlp-2024.07.01.tar.gz 5667870 BLAKE2B fec104c68ac2a465370a6c4270154fd18f496e0ed319c8b2a1a48cb43d8ba55f438f3b83182a8feece23d36aea180ba2f00412872cad92afab5be7ce46480e44 SHA512 1b99d82eb838fb654082c8bad7bdbd87ed2cdf3d80f38288eb1cf7f7112981eb5f45b6fc7cf861d7b10cec89626a2a7bebf20d32ba53b9dcb5d37275e3f02d6f +DIST yt-dlp-2024.07.02.tar.gz 5671980 BLAKE2B 63fd9a938fe1a07de7c9a762f42a1276260dc5c7c248c0a8b32953cd6184978e691aa778fa98eb0175f48dc6692793f85fac04decbdffec7f9bd637e2b4ee842 SHA512 7b9c41a5dccaf9188680cac88010b7695e0809f2b3cdea398af3c507717634067e8f9d0fe02f4d51828c026bce5a31d0ae2b89a2bcc83f51ca703b627dbb995e EBUILD yt-dlp-2024.07.01.ebuild 2269 BLAKE2B eb46ced81ec2279b0566c33f5b3b0e2128ba8a28404c54154eb3a69a365d302881b230b31ac0a97901f0772ece54ac7bd4c6a20d828b61bf7dd1e87144753ce4 SHA512 a9a4c068f027e9fe169e6a7fc9656ad68d2cab8543f85e47f2b045025f3b14d60b20ac42cb571c7e663ec661e3713aeb86d72d9afb04002b96a63d8f8d896ff7 +EBUILD yt-dlp-2024.07.02.ebuild 2269 BLAKE2B eb46ced81ec2279b0566c33f5b3b0e2128ba8a28404c54154eb3a69a365d302881b230b31ac0a97901f0772ece54ac7bd4c6a20d828b61bf7dd1e87144753ce4 SHA512 a9a4c068f027e9fe169e6a7fc9656ad68d2cab8543f85e47f2b045025f3b14d60b20ac42cb571c7e663ec661e3713aeb86d72d9afb04002b96a63d8f8d896ff7 EBUILD yt-dlp-9999.ebuild 2436 BLAKE2B 3be5da21d8b1ffef30cb8c204121d7c7ce59ca12d0e369ce6c232dba59a1cf8c057c7f6b09b6bca4289533f04db6075c72843d5154221b0c8f18dd6cea809d4f SHA512 c83a141c85ac1fb1091525f6f3b7600d3fc9132b2a4cff39f5460fb2c20c5d9094e2176450cdcde24b05877c2306462045929ea6e3690d9d48012e234a8381ca MISC metadata.xml 392 BLAKE2B d2aa6fc43f7f9038d320197a18107f15e56ed5e242e6c3cdc1b7111184580ab14fae8cbd16776794d207dd39ea0ca65975c08a54449f4cf90370ea95a66083d9 SHA512 867c61c1e41d7594decd5e10a2b45d934313cb751ba22356fc1ab61e0a40b2543847b195d20c7a39ba92370d8b3908e6f90d690915579b55808872efe8d3cebe diff --git a/net-misc/yt-dlp/yt-dlp-2024.07.02.ebuild b/net-misc/yt-dlp/yt-dlp-2024.07.02.ebuild new file mode 100644 index 000000000000..68214ba4c2eb --- /dev/null +++ b/net-misc/yt-dlp/yt-dlp-2024.07.02.ebuild @@ -0,0 +1,77 @@ +# Copyright 1999-2024 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +DISTUTILS_USE_PEP517=hatchling +PYTHON_COMPAT=( python3_{10..13} ) +inherit bash-completion-r1 distutils-r1 optfeature wrapper + +DESCRIPTION="youtube-dl fork with additional features and fixes" +HOMEPAGE="https://github.com/yt-dlp/yt-dlp/" +SRC_URI=" + https://github.com/yt-dlp/yt-dlp/releases/download/${PV}/${PN}.tar.gz + -> ${P}.tar.gz +" +S="${WORKDIR}/${PN}" + +LICENSE="Unlicense" +SLOT="0" +KEYWORDS="amd64 arm arm64 ~hppa ppc ppc64 ~riscv x86 ~arm64-macos ~x64-macos" + +RDEPEND=" + dev-python/pycryptodome[${PYTHON_USEDEP}] + !net-misc/youtube-dl[-yt-dlp(-)] +" + +distutils_enable_tests pytest + +src_prepare() { + distutils-r1_src_prepare + + # adjust pycryptodome and drop optional dependencies (bug #828466) + sed -Ei pyproject.toml \ + -e 's/("pycryptodome)x/\1/' \ + -e '/"(brotli.*|certifi|mutagen|requests|urllib3|websockets)/d' || die +} + +python_test() { + local EPYTEST_DESELECT=( + # fails with FEATURES=network-sandbox + test/test_networking.py::TestHTTPRequestHandler::test_connect_timeout + # fails with FEATURES=distcc, bug #915614 + test/test_networking.py::TestYoutubeDLNetworking::test_proxy\[None-expected2\] + ) + + epytest -m 'not download' +} + +python_install_all() { + dodoc README.md Changelog.md supportedsites.md + doman yt-dlp.1 + + dobashcomp completions/bash/yt-dlp + + insinto /usr/share/fish/vendor_completions.d + doins completions/fish/yt-dlp.fish + + insinto /usr/share/zsh/site-functions + doins completions/zsh/_yt-dlp + + rm -r "${ED}"/usr/share/doc/yt_dlp || die + + make_wrapper youtube-dl "yt-dlp --compat-options youtube-dl" +} + +pkg_postinst() { + optfeature "various features (merging tracks, streamed content)" media-video/ffmpeg + has_version media-video/atomicparsley || # allow fallback but don't advertise + optfeature "embedding metadata thumbnails in MP4/M4A files" media-libs/mutagen + optfeature "decrypting cookies from Chromium-based browsers" dev-python/secretstorage + + if [[ ! ${REPLACING_VERSIONS} ]]; then + elog 'A wrapper using "yt-dlp --compat-options youtube-dl" was installed' + elog 'as "youtube-dl". This is strictly for compatibility and it is' + elog 'recommended to use "yt-dlp" directly, it may be removed in the future.' + fi +} |