Security: FreeBSD-SA-17:01.openssh
Security: CVE-2016-10009
Security: CVE-2016-10010
Approved by: so

Fix OpenSSL remote DoS vulnerability. [SA-16:35]
Security: FreeBSD-SA-16:33.openssh
Security: FreeBSD-SA-16:35.openssl
Approved by: so

MFH (r296633): upgrade to 7.2p2 (fixes xauth command injection bug)
MFH (r296634): re-add aes-cbc to server-side default cipher list
MFH (r296651, r296657): fix gcc build of pam_ssh
PR: 207679
Security: CVE-2016-3115
Approved by: re (marius)

MFH (r285975, r287143): register mergeinfo for security fixes
MFH (r294497, r294498, r295139): internal documentation
MFH (r294328): upgrade to openssh 6.7p1, re-add libwrap
MFH (r294332): upgrade to openssh 6.8p1
MFH (r294367): update pam_ssh for api changes
MFH (r294909): switch usedns back on
MFH (r294336): upgrade to openssh 6.9p1
MFH (r294495): re-enable dsa keys
MFH (r294464): upgrade to openssh 7.0p1
MFH (r294496): upgrade to openssh 7.1p2
Approved by: re (gjb)
Relnotes: yes

Remove the HPN and None cipher patches.

r294320, r294322, r294324, r294330, r294469, r294494, r294466)
Reduce diffs to head in preparation for removing HPN and None.

Security: SA-16:07.openssh
Security: CVE-2016-0777

Security: FreeBSD-SA-15:22.openssh

Fix resource exhaustion in TCP reassembly. [SA-15:15]
Fix OpenSSH multiple vulnerabilities. [SA-15:16]

ssh: canonicize the host name before looking it up in the host file
Re-apply r99054 by des in 2002. This was accidentally dropped
by the update to OpenSSH 6.5p1 (r261320).
This change is actually taken from r387082 of
ports/security/openssh-portable/files/patch-ssh.c
Differential Revision: https://reviews.freebsd.org/D3103
PR: 198043
Approved by: re (gjb), kib (mentor)
Sponsored by: Dell Inc.
Relnotes: yes

Use proper CHAN_TCP_PACKET_DEFAULT for agent forwarding when HPN disabled.

Document "none" for VersionAddendum.

Update most userspace consumers of capability.h to use capsicum.h instead.
auditdistd is not updated as I will make the change upstream and then do a
vendor import sometime in the next week or two.
Note that a significant fraction does not apply, as FreeBSD 10 doesn't
contain a Capsicumised ping, casperd, libcasper, etc. When these features
are merged, the capsicum.h change will need to be merged with them.
Sponsored by: Google, Inc.

MFH (r264308): restore p level in debugging output

Fix installations that use kernels without CAPABILITIES support.

MFH (r261340): enable sandboxing by default

Approved by: re (kib)

Security: CVE-2013-4548
Security: FreeBSD-SA-13:14.openssh
Approved by: re (implicit)

repeat performance by introducing a script that runs configure with and
without Kerberos, diffs the result and generates krb5_config.h, which
contains the preprocessor macros that need to be defined in the Kerberos
case and undefined otherwise.
Approved by: re (marius)

didn't use them. This will make future merges from the vendor tree much
easier.
Approved by: re (gjb)

Approved by: re (gjb)

LDNS. With that setting, OpenSSH will silently accept host keys that
match verified SSHFP records. If an SSHFP record exists but could not
be verified, OpenSSH will print a message and prompt the user as usual.
Approved by: re (blanket)

branch but never merged to head. They were inadvertently left out when
6.1p1 was merged to head. It didn't make any difference at the time,
because they were unused, but one of them is required for DNS-based host
key verification.
Approved by: re (blanket)

MFC after: 3 days

"sandbox" to "yes", but did not update the documentation to match.

"sandbox" instead of "yes". In sandbox mode, the privsep child is unable
to load additional libraries and will therefore crash when trying to take
advantage of crypto offloading on CPUs that support it.

the issues that affected us.

and the update to 6.1 added SSH_BUG_DYNAMIC_RPORT with the
same value.
Fix the HPN SSH_BUG_LARGEWINDOW bit so it is unique.
Approved by: des
MFC after: 2 weeks

PR: bin/178060

for a key revocation list and more fine-grained authentication control.

has been deprecated for a while, some people still use it and were
unpleasantly surprised by this change.
I may revert this commit at a later date if I can come up with a way
to give users who still have authorized_keys2 files sufficient advance
warning.
MFC after: ASAP

own umask setting (from ~/.login.conf) unless running with the user's UID.
Therefore, we need to call it again with LOGIN_SETUMASK after changing UID.
PR: bin/176740
Submitted by: John Marshall <john.marshall@riverwillow.com.au>
MFC after: 1 week

behave the way OpenSSH expects.

Fetch both ECDSA and RSA keys by default in ssh-keyscan(1).
Approved by: des
Obtained from: OpenSSH portable
MFC after: 1 week

Prior to this, setting VersionAddendum will be a no-op: one will
always have BASE_VERSION + " " + VERSION_HPN for VersionAddendum
set in the config and a bare BASE_VERSION + VERSION_HPN when no
VersionAddendum is set.
HPN patch requires both parties to have the "hpn" inside their
advertized versions, so we add VERSION_HPN to the VERSION_BASE
if HPN is enabled and omit it if HPN is disabled.
VersionAddendum now uses the following logic:
* unset (default value): append " " and VERSION_ADDENDUM;
* VersionAddendum is set and isn't empty: append " " and VersionAddendum;
* VersionAddendum is set and empty: don't append anything.
Approved by: des
Reviewed by: bz
MFC after: 3 days

- Revert unneeded whitespace changes.
- Revert modifications to loginrec.c, as the upstream version already
does the right thing.
- Fix indentation and whitespace of local changes.
Approved by: des
MFC after: 1 month

disconnected.
MFC after: 1 week

MFC after: 3 months