| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add an API for alerting internal libc routines to the presence of
"unsafe" paths post-chroot, and use it in ftpd. [11:07]
Fix a buffer overflow in telnetd. [11:08]
Make pam_ssh ignore unpassphrased keys unless the "nullok" option is
specified. [11:09]
Add sanity checking of service names in pam_start. [11:10]
Approved by: so (cperciva)
Approved by: re (bz)
Security: FreeBSD-SA-11:06.bind
Security: FreeBSD-SA-11:07.chroot
Security: FreeBSD-SA-11:08.telnetd
Security: FreeBSD-SA-11:09.pam_ssh
Security: FreeBSD-SA-11:10.pam
|
|
|
|
|
|
| |
disconnected.
MFC after: 1 week
|
|\
| |
| |
| | |
MFC after: 3 months
|
| | |
|
| |
| |
| |
| |
| | |
Approved by: re (kib)
MFC after: 3 weeks
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
multi-threaded use of ECDH.
Security: CVE-2011-3210
Reviewed by: stas
Obtained from: OpenSSL CVS
Approved by: re (kib)
|
| |
| |
| |
| |
| | |
Reported by: pluknet
Approved by: re (implicit)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
the bandwidth of long fat pipes (i.e. 100Mbps+ trans-oceanic or
trans-continental links). Bandwidth-delay products up to 64MB are
supported.
Also add support (not compiled by default) for the None cypher. The
None cypher can only be enabled on non-interactive sessions (those
without a pty where -T was not used) and must be enabled in both
the client and server configuration files and on the client command
line. Additionally, the None cypher will only be activated after
authentication is complete. To enable the None cypher you must add
-DNONE_CIPHER_ENABLED to CFLAGS via the make command line or in
/etc/make.conf.
This code is a style(9) compliant version of these features extracted
from the patches published at:
http://www.psc.edu/networking/projects/hpn-ssh/
Merging this patch has been a collaboration between me and Bjoern.
Reviewed by: bz
Approved by: re (kib), des (maintainer)
|
| |
| |
| |
| | |
Approved by: philip (mentor)
|
| | |
|
|\ \
| |/ |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
cause OpenSSL to parse past the end of the message.
Note: Applications are only affected if they act as a server and call
SSL_CTX_set_tlsext_status_cb on the server's SSL_CTX. This includes
Apache httpd >= 2.3.3, if configured with "SSLUseStapling On".
Security: http://www.openssl.org/news/secadv_20110208.txt
Security: CVE-2011-0014
Obtained from: OpenSSL CVS
|
|\ \
| | |
| | |
| | |
| | |
| | | |
Security: CVE-2010-4180
Security: http://www.openssl.org/news/secadv_20101202.txt
MFC after: 3 days
|
| | | |
|
| | | |
|
| | | |
|
| | |
| | |
| | |
| | |
| | | |
Security: CVE-2010-3864
Security: http://www.openssl.org/news/secadv_20101116.txt
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
It has yet to be determined if this warrants a FreeBSD Security
Advisory, but we might as well get it fixed in the normal branches.
Obtained from: OpenSSL CVS
Security: CVE-2010-2939
X-MFC after: Not long...
|
|\ \ \
| | |/
| |/| |
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
It is not clear to what this copyright should apply, and this is in line
with what other operating systems do.
For ssh specifically, printing of the copyright string is not in the
upstream version so this reduces our FreeBSD-local diffs.
Approved by: core, des (ssh)
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Make inline assembler clang-friendly [from HEAD].
openssl/crypto/md32_common.h 1.45.2.1 -> 1.45.2.2
openssl/crypto/rc5/rc5_locl.h 1.8 -> 1.8.8.1
Approved by: simon
|
| | | |
|
| | | |
|
| | |
| | |
| | |
| | | |
MFC after: 3 days
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
of short-living parent. Only mark the master process that accepts
connections, do not protect connection handlers spawned from inetd.
Submitted by: Mykola Dzham <i levsha me>
Reviewed by: attilio
MFC after: 1 week
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This fixes CVE-2010-0740 which only affected -CURRENT (OpenSSL 0.9.8m)
but not -STABLE branches.
I have not yet been able to find out if CVE-2010-0433 impacts FreeBSD.
This will be investigated further.
Security: CVE-2010-0433, CVE-2010-0740
Security: http://www.openssl.org/news/secadv_20100324.txt
|
| | |
| | |
| | |
| | |
| | |
| | | |
mergemaster.
Suggested by: dougb
|
|\ \ \
| | |/
| |/|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This also "reverts" some FreeBSD local changes so we should now
be back to using entirely stock OpenSSL. The local changes were
simple $FreeBSD$ lines additions, which were required in the CVS
days, and the patch for FreeBSD-SA-09:15.ssl which has been
superseded with OpenSSL 0.9.8m's RFC5746 'TLS renegotiation
extension' support.
MFC after: 3 weeks
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Fix memory consumption bug with "future epoch" DTLS records.
Note that this will not get FreeBSD Security Advisory as DTLS is
experimental in OpenSSL.
Security: CVE-2009-1377
Obtained from: OpenSSL CVS
http://cvs.openssl.org/chngview?cn=18187
|
|\ \ \
| | |/
| |/|
| | | |
MFC after: 1 month
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
I was requested to add this string to any file that was modified by my
commit, which I forgot to do so.
Requested by: des
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
- Partially revert r184122 (sshd.c). Our ut_host is now big enough to
fit proper hostnames.
- Change config.h to match reality.
- defines.h requires UTMPX_FILE to be set by <utmpx.h> before it allows
the utmpx code to work. This makes no sense to me. I've already
mentioned this upstream.
- Add our own platform-specific handling of lastlog. The version I will
send to the OpenSSH folks will use proper autoconf generated
definitions instead of `#if 1'.
|
| | |
| | |
| | |
| | |
| | |
| | | |
NGROUPS.
MFC after: 1 week
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
protocol flaw. [09:15]
Correctly handle failures from unsetenv resulting from a corrupt
environment in rtld-elf. [09:16]
Fix permissions in freebsd-update in order to prevent leakage of
sensitive files. [09:17]
Approved by: so (cperciva)
Security: FreeBSD-SA-09:15.ssl
Security: FreeBSD-SA-09:16.rtld
Security: FreeBSD-SA-09:17.freebsd-udpate
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
environments.
Please note that this can't be done while such processes run in jails.
Note: in future it would be interesting to find a way to do that
selectively for any desired proccess (choosen by user himself), probabilly
via a ptrace interface or whatever.
Obtained from: Sandvine Incorporated
Reviewed by: emaste, arch@
Sponsored by: Sandvine Incorporated
MFC: 1 month
|
| | |
| | |
| | |
| | |
| | | |
Noticed by: delphij, David Cornejo <dave@dogwood.com>
Forgotten by: des
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
- initialized and uninitialized data
- symbols from roaming_dummy.c which end up in pam_ssh
Update the command line used to generate the #defines.
|
|\ \ \
| |/ / |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
- Fix memory consumption bug with "future epoch" DTLS records.
- Fix fragment handling memory leak.
- Do not access freed data structure.
- Fix DTLS fragment bug - out-of-sequence message handling which could
result in NULL pointer dereference in
dtls1_process_out_of_seq_message().
Note that this will not get FreeBSD Security Advisory as DTLS is
experimental in OpenSSL.
MFC after: 1 week
Security: CVE-2009-1377 CVE-2009-1378 CVE-2009-1379 CVE-2009-1387
|
| | |
| | |
| | |
| | | |
Approved by: re (kib)
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
for normal build, and doesn't export well to CVS.
If they are needed later a script will be added to recreate the symlinks
when needed at build time.
Approved by: re (rwatson)
|
| | |
| | |
| | |
| | | |
Reviewed by: des
|
|\ \ \
| | |/
| |/|
| | | |
Approved by: re
|
| | | |
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
(last vendor import).
The file were removed in different earlier releases, but were not
removed from the CVS vendor branch at the time.
|