diff --git a/changelog/security/2021-12-09-openssh-8.8.md b/changelog/security/2021-12-09-openssh-8.8.md
new file mode 100644
index 00000000000..4d2a415c61c
--- /dev/null
+++ b/changelog/security/2021-12-09-openssh-8.8.md
@@ -0,0 +1 @@
+- [CVE-2021-41617](https://nvd.nist.gov/vuln/detail/CVE-2021-41617)
diff --git a/changelog/updates/2021-12-09-openssh-8.8.md b/changelog/updates/2021-12-09-openssh-8.8.md
new file mode 100644
index 00000000000..4ccf56de642
--- /dev/null
+++ b/changelog/updates/2021-12-09-openssh-8.8.md
@@ -0,0 +1 @@
+- openssh ([8.8](http://www.openssh.com/txt/release-8.8))
diff --git a/coreos-base/coreos-init/coreos-init-0.0.1-r171.ebuild b/coreos-base/coreos-init/coreos-init-0.0.1-r172.ebuild
similarity index 100%
rename from coreos-base/coreos-init/coreos-init-0.0.1-r171.ebuild
rename to coreos-base/coreos-init/coreos-init-0.0.1-r172.ebuild
diff --git a/coreos-base/coreos-init/coreos-init-9999.ebuild b/coreos-base/coreos-init/coreos-init-9999.ebuild
index e9419b49a53..de1299b28cf 100644
--- a/coreos-base/coreos-init/coreos-init-9999.ebuild
+++ b/coreos-base/coreos-init/coreos-init-9999.ebuild
@@ -10,7 +10,7 @@ CROS_WORKON_REPO="https://github.com"
 if [[ "${PV}" == 9999 ]]; then
 KEYWORDS="~amd64 ~arm ~arm64 ~x86"
 else
- CROS_WORKON_COMMIT="58360ed0da957c2cd0ae9eeab645735d814f565c" # flatcar-master
+ CROS_WORKON_COMMIT="80b3b3cd021b4120cd9218b33b1f92936abe00bb" # flatcar-master
 KEYWORDS="amd64 arm arm64 x86"
 fi
diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index abbd256887f..883f7ee765b 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -1,6 +1,6 @@
-DIST openssh-8.7p1+x509-13.2.diff.gz 1068695 BLAKE2B e542e5444f8360e0e28288d6a58d66995ff90e9f6bb1490b04a205162036e371a20d612655ca1bd479b8a04d5ccbfd9b7189b090d50ccbb019848e28571b036b SHA512 342e1ee050258c99f8f206664ef756e1be2c82e5faa5f966b80385aa2c6c601974681459ddba32c1ca5c33eda530af681e753471706c71902c1045a2913cd540
-DIST openssh-8.7p1-sctp-1.2.patch.xz 6740 BLAKE2B 468a455018ffddf4fa64d63acb732ad3e1fb722ae8b24d06cf3a683167a4580626b477bbc286f296c83d39dd36c101ac58597a21daa63de83ad55af00aa3a6be SHA512 aa9067c9025b6e4edfad5e45ec92da43db14edb11aae02cbbc296e66b48377cbbf62cdafcdd5edfd1fd4bf69420ee017223ab52e50a42b1976002d767984777c
-DIST openssh-8.7p1.tar.gz 1814595 BLAKE2B 9fdb8898485053d08c9eca419c15d0d03b7a60152cf6a9d7f1beed3a21c9e6ac3bd9f854580e6e474fb0c871f3d4be9ef4b49bee8c355d9e5769a5505f4e6ea9 SHA512 08c81024d9e1248abfda6cc874886ff5ae916669b93cd6aff640e0614ee8cbcbc3fe87a9ce47136b6443ddbb1168b114367c74e117551905994e1a7e3fa2c0c2
+DIST openssh-8.8p1+x509-13.2.3.diff.gz 1071138 BLAKE2B dfbe53ccfdfe0a3da9bac927c5bb0ccfeb20f1ba69cef2ffb52999e6f6b0a3282e28a888aab40096fe9eed819f4c9b27592a8771d786580b8fa4f507f6b02557 SHA512 e55e9cdcde1b02b2799600083db8c3b85d207b251b99b4efabe8614bedf1daae28e5ed10cbe1f6a2e5ba766fe1eaf41be9e90fefdaae1352808c504fc0f4e7e6
+DIST openssh-8.8p1-sctp-1.2.patch.xz 6744 BLAKE2B 9f99e0abfbfbda2cc1c7c2a465d044c900da862e5a38f01260f388ac089b2e66c5ea7664d71d18b924552ae177e5893cdcbfbccc20eeb3aaeae00b3d552379e3 SHA512 5290c5ef08a418dcc9260812d8e75ce266e22e2258514f11da6fb178e0ae2ef16046523f72a50f74ae7b98e7eb52d16143befc8ce2919041382d314aa05adda0
+DIST openssh-8.8p1.tar.gz 1815060 BLAKE2B 3a054ce19781aceca5ab1a0839d7435d88aff4481e8c74b91ffd2046dc8b6f03d6bf584ecda066c0496acf43cea9ab4085f26a29e34e20736e752f204b8c76c3 SHA512 d44cd04445f9c8963513b0d5a7e8348985114ff2471e119a6e344498719ef40f09c61c354888a3be9dabcb5870e5cbe5d3aafbb861dfa1d82a4952f3d233a8df
 DIST openssh-8_5_P1-hpn-AES-CTR-15.2.diff 30096 BLAKE2B f0c020dd2403806c79d4c37a019996d275655b04997301e247f5c4dd7fad35d12b3b7c25afb1b078d915ef2a4ae02f736f0aec9ba2a8c56a405d7ca303bcadf7 SHA512 4c2dbf99a9b5953fdb955f700272bbaeaa025f108a8860d2190197962b849f8385327af82c4d6a3a130a7fba35a74a8ec9437d642867601acb29817c49632a8f
 DIST openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 51428 BLAKE2B 370b88a7da7f148bf5a4d445f05cf593b486e9df53bba027e2e179726f534b68cf9d94edd6e53024e0b6ff5f20e568727bc9d26c94d0d415603602a80d3ad241 SHA512 2d8d887901164b33b2799ff3ec72e86a39ae4a1696e52bcee0872dbae7772fcc534351e6e7f87126ee71b164c74e9091350f14b782f4b242a09f09b4f50d047a
 DIST openssh-8_5_P1-hpn-PeakTput-15.2.diff 2429 BLAKE2B 849bf3c313719ab7a25c75e82d5dc5ac98365a038b2a66fe58d01eae5b20c7777258b94b5830e799d6909e75c69753cda05a910f3bdab9606fb7d5efa68e05f1 SHA512 c4a56fab55fabd1d902d45f235b603708d43f969920e45c9a57e557dccfa9cade2ec61f26d1ace938f6f73e79f17b12f119b5aea9166cbda8e3435b910500914
diff --git a/net-misc/openssh/files/openssh-8.7_p1-X509-glue-13.2.patch b/net-misc/openssh/files/openssh-8.7_p1-X509-glue-13.2.patch
deleted file mode 100644
index d6f5e42027d..00000000000
--- a/net-misc/openssh/files/openssh-8.7_p1-X509-glue-13.2.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-diff -ur '--exclude=.*.un~' a/openssh-8.7p1+x509-13.2.diff b/openssh-8.7p1+x509-13.2.diff
---- a/openssh-8.7p1+x509-13.2.diff 2021-08-30 17:47:40.415668320 -0700
-+++ b/openssh-8.7p1+x509-13.2.diff 2021-08-30 17:49:14.916114987 -0700
-@@ -51082,12 +51082,11 @@
-
- install-files:
- $(MKDIR_P) $(DESTDIR)$(bindir)
--@@ -391,6 +368,8 @@
-+@@ -391,6 +368,7 @@
- $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
- $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
- $(MKDIR_P) $(DESTDIR)$(libexecdir)
- + $(MKDIR_P) $(DESTDIR)$(sshcadir)
--+ $(MKDIR_P) $(DESTDIR)$(piddir)
- $(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
- $(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
- $(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
-@@ -69793,7 +69792,7 @@
- - echo "putty interop tests not enabled"
- - exit 0
- -fi
--+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; }
-++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; }
-
- for c in aes 3des aes128-ctr aes192-ctr aes256-ctr chacha20 ; do
- verbose "$tid: cipher $c"
-@@ -69808,7 +69807,7 @@
- - echo "putty interop tests not enabled"
- - exit 0
- -fi
--+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; }
-++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; }
-
- for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ecdh ; do
- verbose "$tid: kex $k"
-@@ -69823,7 +69822,7 @@
- - echo "putty interop tests not enabled"
- - exit 0
- -fi
--+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; }
-++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; }
-
- if [ "`${SSH} -Q compression`" = "none" ]; then
- comp="0"
-@@ -70130,9 +70129,9 @@
-
- +# cross-project configuration
- +if test "$sshd_type" = "pkix" ; then
--+ unset_arg=''
-++ unset_arg=
- +else
--+ unset_arg=none
-++ unset_arg=
- +fi
- +
- cat > $OBJ/sshd_config.i << _EOF
-@@ -131673,16 +131672,6 @@
- +int asnmprintf(char **, size_t, int *, const char *, ...)
- __attribute__((format(printf, 4, 5)));
- void msetlocale(void);
--diff -ruN openssh-8.7p1/version.h openssh-8.7p1+x509-13.2/version.h
----- openssh-8.7p1/version.h 2021-08-20 07:03:49.000000000 +0300
--+++ openssh-8.7p1+x509-13.2/version.h 2021-08-30 20:07:00.000000000 +0300
--@@ -2,5 +2,4 @@
--
-- #define SSH_VERSION "OpenSSH_8.7"
--
---#define SSH_PORTABLE "p1"
---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
--+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
- diff -ruN openssh-8.7p1/version.m4 openssh-8.7p1+x509-13.2/version.m4
- --- openssh-8.7p1/version.m4 1970-01-01 02:00:00.000000000 +0200
- +++ openssh-8.7p1+x509-13.2/version.m4 2021-08-30 20:07:00.000000000 +0300
diff --git a/net-misc/openssh/files/openssh-8.8_p1-X509-glue-13.2.3.patch b/net-misc/openssh/files/openssh-8.8_p1-X509-glue-13.2.3.patch
new file mode 100644
index 00000000000..b6827623cd6
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.8_p1-X509-glue-13.2.3.patch
@@ -0,0 +1,63 @@
+diff -ur '--exclude=.*.un~' a/openssh-8.8p1+x509-13.2.3.diff b/openssh-8.8p1+x509-13.2.3.diff
+--- a/openssh-8.8p1+x509-13.2.3.diff 2021-10-29 14:59:17.070546984 -0700
++++ b/openssh-8.8p1+x509-13.2.3.diff 2021-10-29 14:59:55.086664489 -0700
+@@ -954,15 +954,16 @@
+ char b[512];
+ - size_t len = ssh_digest_bytes(SSH_DIGEST_SHA512);
+ - u_char *hash = xmalloc(len);
++- double delay;
+ + int digest_alg;
+ + size_t len;
+ + u_char *hash;
+- double delay;
+-
+++ double delay = 0;
+++
+ + digest_alg = ssh_digest_maxbytes();
+ + len = ssh_digest_bytes(digest_alg);
+ + hash = xmalloc(len);
+-+
++
+ (void)snprintf(b, sizeof b, "%llu%s",
+ (unsigned long long)options.timing_secret, user);
+ - if (ssh_digest_memory(SSH_DIGEST_SHA512, b, strlen(b), hash, len) != 0)
+@@ -51859,12 +51860,11 @@
+
+ install-files:
+ $(MKDIR_P) $(DESTDIR)$(bindir)
+-@@ -391,6 +372,8 @@
++@@ -391,6 +372,7 @@
+ $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
+ $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
+ $(MKDIR_P) $(DESTDIR)$(libexecdir)
+ + $(MKDIR_P) $(DESTDIR)$(sshcadir)
+-+ $(MKDIR_P) $(DESTDIR)$(piddir)
+ $(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
+@@ -71985,7 +71985,7 @@
+ +if test "$sshd_type" = "pkix" ; then
+ + unset_arg=''
+ +else
+-+ unset_arg=none
+++ unset_arg=
+ +fi
+ +
+ cat > $OBJ/sshd_config.i << _EOF
+@@ -132360,16 +132360,6 @@
+ +int asnmprintf(char **, size_t, int *, const char *, ...)
+ __attribute__((format(printf, 4, 5)));
+ void msetlocale(void);
+-diff -ruN openssh-8.8p1/version.h openssh-8.8p1+x509-13.2.3/version.h
+---- openssh-8.8p1/version.h 2021-09-26 17:03:19.000000000 +0300
+-+++ openssh-8.8p1+x509-13.2.3/version.h 2021-10-23 16:27:00.000000000 +0300
+-@@ -2,5 +2,4 @@
+-
+- #define SSH_VERSION "OpenSSH_8.8"
+-
+--#define SSH_PORTABLE "p1"
+--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+-+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
+ diff -ruN openssh-8.8p1/version.m4 openssh-8.8p1+x509-13.2.3/version.m4
+ --- openssh-8.8p1/version.m4 1970-01-01 02:00:00.000000000 +0200
+ +++ openssh-8.8p1+x509-13.2.3/version.m4 2021-10-23 16:27:00.000000000 +0300
diff --git a/net-misc/openssh/metadata.xml b/net-misc/openssh/metadata.xml
index 9ce34e61070..58ff739e1d4 100644
--- a/net-misc/openssh/metadata.xml
+++ b/net-misc/openssh/metadata.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
 <pkgmetadata>
 <maintainer type="project">
 <email>base-system@gentoo.org</email>
diff --git a/net-misc/openssh/openssh-8.7_p1-r1.ebuild b/net-misc/openssh/openssh-8.8_p1-r3.ebuild
similarity index 94%
rename from net-misc/openssh/openssh-8.7_p1-r1.ebuild
rename to net-misc/openssh/openssh-8.8_p1-r3.ebuild
index 6f85969abea..49d9f7b6e12 100644
--- a/net-misc/openssh/openssh-8.7_p1-r1.ebuild
+++ b/net-misc/openssh/openssh-8.8_p1-r3.ebuild
@@ -1,6 +1,3 @@
-# Difference to upstream from ./update_ebuilds:
-# - Ported changes from 11d6f23704e7ab84191e28e034816bfdb151d406
-#
 # Copyright 1999-2021 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
@@ -24,7 +21,7 @@ HPN_PATCHES=(
 )
 SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
-X509_VER="13.2" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
+X509_VER="13.2.3" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
 DESCRIPTION="Port of OpenBSD's free SSH release"
 HOMEPAGE="https://www.openssh.com/"
@@ -39,7 +36,7 @@ LICENSE="BSD GPL-2"
 SLOT="0"
 KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
 # Probably want to drop ssl defaulting to on in a future version.
-IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss"
+IUSE="abi_mips_n32 audit debug hpn kerberos kernel_linux ldns libedit livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss"
 RESTRICT="!test? ( test )"
@@ -48,7 +45,7 @@ REQUIRED_USE="
 ldns? ( ssl )
 pie? ( !static )
 static? ( !kerberos !pam )
-X509? ( !sctp !security-key ssl !xmss )
+X509? ( !sctp ssl !xmss )
 xmss? ( ssl )
 test? ( ssl )
 "
@@ -60,23 +57,13 @@ LIB_DEPEND="
 audit? ( sys-process/audit[static-libs(+)] )
 ldns? (
 net-libs/ldns[static-libs(+)]
-!bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
-bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
+net-libs/ldns[ecdsa,ssl(+)]
 )
 libedit? ( dev-libs/libedit:=[static-libs(+)] )
 sctp? ( net-misc/lksctp-tools[static-libs(+)] )
 security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
 selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
-ssl? (
-|| (
-(
->=dev-libs/openssl-1.0.1:0[bindist(-)=]
-<dev-libs/openssl-1.1.0:0[bindist(-)=]
-)
->=dev-libs/openssl-1.1.0g:0[bindist(-)=]
-)
-dev-libs/openssl:0=[static-libs(+)]
-)
+ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] )
 virtual/libcrypt:=[static-libs(+)]
 >=sys-libs/zlib-1.2.3:=[static-libs(+)]
 "
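Review bot: The REQUIRED_USE hunk lifts the `!security-key` restriction under `X509?` without recording why, so a later maintainer cannot tell whether the X509 13.2.3 patch set now coexists with libfido2 or the constraint was dropped by accident; a line such as `# X509 13.2.3 builds with security-key; !sctp and !xmss still apply` above `X509? ( !sctp ssl !xmss )` would pin the intent. The same hunks drop `bindist` from IUSE and from the ldns/openssl dependency atoms, so any `use bindist` that survives in the unchanged remainder of the ebuild would now reference an undeclared flag and is worth grepping for before merge. Raising the OpenSSL floor to `>=dev-libs/openssl-1.1.1l-r1` silently removes the 1.0.x branch that the old `|| (` block allowed, which is reasonable for a CVE-driven bump but belongs in the commit message. The IUSE, REQUIRED_USE and LIB_DEPEND assignments these hunks touch begin and end outside the hunks.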
@@ -177,7 +164,7 @@ src_prepare() {
 "${S}"/version.h || die "Failed to sed-in SCTP patch version"
 PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
-einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
+einfo "Disabling known failing test (cfgparse) caused by SCTP patch ..."
 sed -i \
 -e "/\t\tcfgparse \\\/d" \
 "${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
@@ -188,7 +175,7 @@ src_prepare() {
 mkdir "${hpn_patchdir}" || die
 cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
 pushd "${hpn_patchdir}" &>/dev/null || die
-eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-glue.patch
+eapply "${FILESDIR}"/${PN}-8.7_p1-hpn-${HPN_VER}-glue.patch
 use X509 && eapply "${FILESDIR}"/${PN}-8.7_p1-hpn-${HPN_VER}-X509-glue.patch
 use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch
 popd &>/dev/null || die
@@ -321,11 +308,6 @@ src_configure() {
 )
 if use elibc_musl; then
-# stackprotect is broken on musl x86 and ppc
-if use x86 || use ppc; then
-myconf+=( --without-stackprotect )
-fi
-
 # musl defines bogus values for UTMP_FILE and WTMP_FILE
 # https://bugs.gentoo.org/753230
 myconf+=( --disable-utmp --disable-wtmp )
diff --git a/profiles/coreos/base/package.accept_keywords b/profiles/coreos/base/package.accept_keywords
index 52119d2ca90..b16b2d15a13 100644
--- a/profiles/coreos/base/package.accept_keywords
+++ b/profiles/coreos/base/package.accept_keywords
@@ -31,7 +31,7 @@ dev-util/checkbashisms
 =net-libs/gnutls-3.7.1 ~amd64 ~arm64
-=net-misc/openssh-8.7_p1-r1 ~amd64 ~arm64
+=net-misc/openssh-8.8_p1-r3 ~amd64 ~arm64
 =net-misc/rsync-3.2.3-r5 ~amd64 ~arm64
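Review bot: The new `eapply "${FILESDIR}"/${PN}-8.7_p1-hpn-${HPN_VER}-glue.patch` line in src_prepare replaces the `${P}`-derived name with a hard-coded 8.7_p1 glue file applied to the 8.8_p1 sources, so future bumps will keep applying it without anyone re-validating it; a comment beside it such as `# HPN 15.2 glue was written against 8.7_p1 and still applies cleanly to 8.8_p1; re-check on the next bump` would make that deliberate rather than accidental. In src_configure, removing the `--without-stackprotect` branch for musl x86/ppc re-enables the stack protector on those targets, which is the hardening outcome one wants, but it presumably relies on the toolchain problem the deleted comment alluded to having been fixed; stating that in a comment or the commit message would keep the next reader from reinstating the workaround. Both src_prepare and src_configure begin and end outside these hunks.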