FreeBSD source tree https://cgit-dev.freebsd.org/src/atom?h=release%2F13.4.0 2024-08-07T15:39:06Z 2024-08-07T15:39:06Z Ed Maste emaste@FreeBSD.org 2024-08-01T00:04:46Z urn:sha1:bd3aa40e0a55f801abbb880c617f6c5695796d16 Under certain circumstances it may call log(3), which is not async- signal-safe. For now just remove the blacklist integration from this path, which means that blacklistd will not detect and firewall hosts that establish a connection but do nothing further. Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D46203 (cherry picked from commit 2739a6845031e69be7c03461a9335d8bbb9f59bd) (cherry picked from commit 3d3bae9b95388169d396adc8007585699c5a23e0) (cherry picked from commit 73466449a9bf1888147c53d622236cebc0aa591b) (cherry picked from commit d5f16ef6463d73270e4380f3498410c8ad91f495) Approved by: re (cperciva) 2024-08-01T15:03:50Z Ed Maste emaste@FreeBSD.org 2024-07-01T14:45:43Z urn:sha1:fa492c77a95f86c91be9e55a73fac05bd41e5fbc Autoconf 2.72 uses '' rather tha `' in comments in config.h, from autoconf commit 64df9b4523fe ("Autoconf now quotes 'like this' instead of `like this'"). Switch quoting style now to minimize diffs on the next OpenSSH update and config.h regen. Reviewed by: gordon, philip Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D45840 (cherry picked from commit 94416c6939f431b29286a71bb2797e749df9645c) (cherry picked from commit 60f78f8ed14d5e66ce689532e18282a09a1a4e72) 2024-08-01T15:03:50Z Ed Maste emaste@FreeBSD.org 2024-07-01T13:14:15Z urn:sha1:79853e40abd8a63bd53cbf4059032d7143c69300 Cherry-pick fix: upstream: when sending ObscureKeystrokeTiming chaff packets, we can't rely on channel_did_enqueue to tell that there is data to send. This flag indicates that the channels code enqueued a packet on _this_ ppoll() iteration, not that data was enqueued in _any_ ppoll() iteration in the timeslice. ok markus@ OpenBSD-Commit-ID: 009b74fd2769b36b5284a0188ade182f00564136 Obtained from: openssh-portable 146c420d29d0 Reviewed by: gordon Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D45823 (cherry picked from commit b81424adf7181d816c10b1345aaa3305ab0ec304) (cherry picked from commit bf9a275b24f6655616cc691555fe1a36ed5e4338) 2024-07-01T08:22:37Z Philip Paeps philip@FreeBSD.org 2024-07-01T08:20:01Z urn:sha1:25cf430cd551158135ef6f0c1aadf273ff3430c9 Reported by: Qualys Threat Research Unit (TRU) Approved by: so Security: FreeBSD-SA-24:04.openssh Security: CVE-2024-6387 (cherry picked from commit 2abea9df01655633aabbb9bf3204c90722001202) 2024-04-29T12:51:11Z Cy Schubert cy@FreeBSD.org 2014-01-10T19:18:06Z urn:sha1:a161f2405f10a5b39e87b7e9fdd5c8405462d133 Fix build when WITH_OPENLDAP defined. PR: 278430 Obtained from: Upstream c1c7da7f79 (cherry picked from commit a0d7d68a2dd818ce84e37e1ff20c8849cda6d853) 2024-04-24T21:27:27Z Dimitry Andric dim@FreeBSD.org 2024-04-17T17:49:30Z urn:sha1:15dfc47b6adc0ba6bf91f60d05c404c7621dbc11 Import upstream 6747e1628: asn1: Use unsigned bitfields for named bitsets Signed 1-bit bitfields are undefined in C. This should fix the following warnings, which for unknown reasons are errors in CI: /usr/src/crypto/heimdal/lib/hx509/ca.c:1020:22: warning: implicit truncation from 'int' to a one-bit wide bit-field changes value from 1 to -1 [-Wsingle-bit-bitfield-constant-conversion] 1020 | ku.digitalSignature = 1; | ^ ~ /usr/src/crypto/heimdal/lib/hx509/ca.c:1021:21: warning: implicit truncation from 'int' to a one-bit wide bit-field changes value from 1 to -1 [-Wsingle-bit-bitfield-constant-conversion] 1021 | ku.keyEncipherment = 1; | ^ ~ /usr/src/crypto/heimdal/lib/hx509/ca.c:1028:17: warning: implicit truncation from 'int' to a one-bit wide bit-field changes value from 1 to -1 [-Wsingle-bit-bitfield-constant-conversion] 1028 | ku.keyCertSign = 1; | ^ ~ /usr/src/crypto/heimdal/lib/hx509/ca.c:1029:13: warning: implicit truncation from 'int' to a one-bit wide bit-field changes value from 1 to -1 [-Wsingle-bit-bitfield-constant-conversion] 1029 | ku.cRLSign = 1; | ^ ~ PR: 276960 Fixes: 1b7487592987 MFC after: 1 week (cherry picked from commit 219b6e442308d5353b2af5f0771ce9b887b70754) 2024-04-24T21:26:47Z Dimitry Andric dim@FreeBSD.org 2024-04-16T18:56:37Z urn:sha1:2efe30782cd92ef975eb4d05c53bac1d8a7e9f46 Import upstream 19d378f44: ASN.1 INTEGERs will now compile to C int64_t or uint64_t, depending on whether the constraint ranges include numbers that cannot be represented in 32-bit ints and whether they include negative numbers. Template backend support included. check-template is now built with --template, so we know we're testing it. Tests included. Also adjusts the generated files: * asn1parse.c, asn1parse.h (not strictly necessary, but nice to have) * der-protos.h, which needs a bunch of new prototypes. I copied these from a der-protos.h generated by the upstream build system, which uses a perl script for this. * adjust printf format strings for int64_t. Upstream uses %lld for this, but that is not portable, and leads to lots of -Werror warnings. This should fix target-dependent differences between headers generated by asn1_compile. For example, when cross compiling world from amd64 to i386, the generated cms_asn1.h header has: CMSRC2CBCParameter ::= SEQUENCE { rc2ParameterVersion INTEGER (0..-1), iv OCTET STRING, } while a native build on i386 has: CMSRC2CBCParameter ::= SEQUENCE { rc2ParameterVersion INTEGER (0..2147483647), iv OCTET STRING, } These are _both_ wrong, since the source file, cms.asn1, has: CMSRC2CBCParameter ::= SEQUENCE { rc2ParameterVersion INTEGER (0..4294967295), iv OCTET STRING -- exactly 8 octets } PR: 276960 Reviewed by: cy, emaste MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D44814 Differential Revision: https://reviews.freebsd.org/D44815 (cherry picked from commit 1b7487592987c91020063a311a14dc15b6e58075) 2024-03-25T22:39:14Z Ed Maste emaste@FreeBSD.org 2024-03-18T14:00:57Z urn:sha1:b16cb28aca00112db2a7b5c070ee019c100cbc20 This release contains mostly bugfixes. It also makes support for the DSA signature algorithm a compile-time option, with plans to disable it upstream later this year and remove support entirely in 2025. Full release notes at https://www.openssh.com/txt/release-9.7 Relnotes: Yes Sponsored by: The FreeBSD Foundation (cherry picked from commit a91a246563dffa876a52f53a98de4af9fa364c52) (cherry picked from commit 464fa66f639bdc8e340dd3f640af4309530d48ca) 2024-02-21T13:44:09Z Cy Schubert cy@FreeBSD.org 2024-02-15T15:41:07Z urn:sha1:6b421e431a2de6eb9e8bd670efffe76e6617d520 A flawed logical condition allows a malicious actor to remotely trigger a NULL pointer dereference using a crafted negTokenInit token. Upstream notes: Reported to Heimdal by Michał Kępień <michal@isc.org>. From the report: Acknowledgement --------------- This flaw was found while working on addressing ZDI-CAN-12302: ISC BIND TKEY Query Heap-based Buffer Overflow Remote Code Execution Vulnerability, which was reported to ISC by Trend Micro's Zero Day Security: CVE-2022-3116 Obtained from: upstream 7a19658c1 (cherry picked from commit fc773115fa2dbb6c01377f2ed47dabf79a4e361a) 2024-02-21T13:44:09Z Cy Schubert cy@FreeBSD.org 2024-02-15T01:58:06Z urn:sha1:a311b9d70863f78c232d5622ee579c6cd45bb1d8 Import upstream 38c797e1a. Upstream notes: RFC8062 Section 7 requires verification of the PA-PKINIT-KX key excahnge when anonymous PKINIT is used. Failure to do so can permit an active attacker to become a man-in-the-middle. Reported by: emaste Obtained from: upstream 38c797e1a Security: CVE-2019-12098 (cherry picked from commit 60616b445eb5b01597092fef5b14549f95000130)