<feed xmlns='http://www.w3.org/2005/Atom'>
<title>src/secure/usr.bin, branch release/14.3.0</title>
<subtitle>FreeBSD source tree</subtitle>
<id>https://cgit-dev.freebsd.org/src/atom?h=release%2F14.3.0</id>
<link rel='self' href='https://cgit-dev.freebsd.org/src/atom?h=release%2F14.3.0'/>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/'/>
<updated>2025-03-11T14:39:36Z</updated>
<entry>
<title>ssh: Consolidate HAVE_LDNS / LIBWRAP in ssh.mk</title>
<updated>2025-03-11T14:39:36Z</updated>
<author>
<name>Ed Maste</name>
<email>emaste@FreeBSD.org</email>
</author>
<published>2022-04-12T13:18:20Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=74776eba28d86b9384faa7fce5a699a73afced99'/>
<id>urn:sha1:74776eba28d86b9384faa7fce5a699a73afced99</id>
<content type='text'>
Commit 9d63429fa163 ("ssh: move common Makefile boilerplate to a new
ssh.mk") introduced ssh.mk for common OpenSSH paths and flags, as part
of enabling FIDO/U2F.  Move duplicated MK_LDNS and MK_TCP_WRAPPERS
handling there.

Reviewed by:	kevans
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D31896

(cherry picked from commit d71e7e57fc1472e3ea6d31c44e187c2819d2c71e)
</content>
</entry>
<entry>
<title>ssh: tidy include handling</title>
<updated>2025-03-11T14:39:36Z</updated>
<author>
<name>Ed Maste</name>
<email>emaste@FreeBSD.org</email>
</author>
<published>2022-03-02T14:45:23Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=be7b176511003be3d47ae463fd6bea5659446c70'/>
<id>urn:sha1:be7b176511003be3d47ae463fd6bea5659446c70</id>
<content type='text'>
Centralize optional krb5_config.h handling in ssh.mk.  Do not add
headers (that are committed to the src tree) to SRCS as there is no
need.

Reviewed by:	imp, jlduran, kevans (all earlier)
MFC after:	1 month
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D34409

(cherry picked from commit 7f916236044d9a733de8b3c47b5dcbf71988cb03)
</content>
</entry>
<entry>
<title>ssh: Move XAUTH_PATH setting to ssh.mk</title>
<updated>2025-02-19T14:58:47Z</updated>
<author>
<name>Ed Maste</name>
<email>emaste@FreeBSD.org</email>
</author>
<published>2025-02-09T20:37:24Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=73dd56ffcd7b2c46de58980ac888c0421e3ec0b6'/>
<id>urn:sha1:73dd56ffcd7b2c46de58980ac888c0421e3ec0b6</id>
<content type='text'>
XAUTH_PATH is normally set (in the upstream build infrastructure) in
config.h.  We previously set it in ssh and sshd's Makefiles if LOCALBASE
is set, and over time have sometimes also defined it in config.h.

Leave it unset in config.h and move the CFLAGS logic to ssh.mk so
that it will be set when building all ssh libraries and programs but
still be set by LOCALBASE.

Reviewed by:	jlduran
Sponsored by:	The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D48907

(cherry picked from commit a63701848fe5462c4e8bbff0131bb42979e603ec)
</content>
</entry>
<entry>
<title>ssh: Update to OpenSSH 9.6p1</title>
<updated>2024-01-07T19:31:11Z</updated>
<author>
<name>Ed Maste</name>
<email>emaste@FreeBSD.org</email>
</author>
<published>2024-01-05T03:16:30Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=a25789646d7130f5be166cac63d5c8b2b07c4706'/>
<id>urn:sha1:a25789646d7130f5be166cac63d5c8b2b07c4706</id>
<content type='text'>
From the release notes,

&gt; This release contains a number of security fixes, some small features
&gt; and bugfixes.

The most significant change in 9.6p1 is a set of fixes for a newly-
discovered weakness in the SSH transport protocol.  The fix was already
merged into FreeBSD and released as FreeBSD-SA-23:19.openssh.

Full release notes at https://www.openssh.com/txt/release-9.6

Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation

(cherry picked from commit 069ac18495ad8fde2748bc94b0f80a50250bb01d)
</content>
</entry>
<entry>
<title>OpenSSL: update to 3.0.11</title>
<updated>2023-10-12T18:46:11Z</updated>
<author>
<name>Pierre Pronchery</name>
<email>pierre@freebsdfoundation.org</email>
</author>
<published>2023-10-09T19:00:25Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=bbecb0ff6c9e2fc05c096ce2ca5387df0d8e99fe'/>
<id>urn:sha1:bbecb0ff6c9e2fc05c096ce2ca5387df0d8e99fe</id>
<content type='text'>
OpenSSL 3.0.11 addresses:

    POLY1305 MAC implementation corrupts XMM registers on Windows (CVE-2023-4807)

Relnotes:	Yes
Pull request:	https://github.com/freebsd/freebsd-src/pull/852
Sponsored by:	The FreeBSD Foundation

(cherry picked from commit 6f1af0d7d2af54b339b5212434cd6d4fda628d80)
</content>
</entry>
<entry>
<title>Remove $FreeBSD$: one-line sh pattern</title>
<updated>2023-08-16T17:55:03Z</updated>
<author>
<name>Warner Losh</name>
<email>imp@FreeBSD.org</email>
</author>
<published>2023-08-16T17:55:03Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=d0b2dbfa0ecf2bbc9709efc5e20baf8e4b44bbbf'/>
<id>urn:sha1:d0b2dbfa0ecf2bbc9709efc5e20baf8e4b44bbbf</id>
<content type='text'>
Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/
</content>
</entry>
<entry>
<title>OpenSSL: update to 3.0.10</title>
<updated>2023-08-10T16:07:32Z</updated>
<author>
<name>Pierre Pronchery</name>
<email>pierre@freebsdfoundation.org</email>
</author>
<published>2023-08-10T16:07:32Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=aa7957345732816fb0ba8308798d2f79f45597f9'/>
<id>urn:sha1:aa7957345732816fb0ba8308798d2f79f45597f9</id>
<content type='text'>
OpenSSL 3.0.10 addresses:
- CVE-2023-3817
- CVE-2023-3446
- CVE-2023-2975

(Note that the vendor branch commit incorrectly referenced 3.0.9.)

Relnotes:	Yes
Pull request:	https://github.com/freebsd/freebsd-src/pull/808
Sponsored by:	The FreeBSD Foundation
</content>
</entry>
<entry>
<title>Merge OpenSSL 3.0.9</title>
<updated>2023-06-23T22:53:36Z</updated>
<author>
<name>Pierre Pronchery</name>
<email>pierre@freebsdfoundation.org</email>
</author>
<published>2023-06-23T22:53:35Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=b077aed33b7b6aefca7b17ddb250cf521f938613'/>
<id>urn:sha1:b077aed33b7b6aefca7b17ddb250cf521f938613</id>
<content type='text'>
Migrate to OpenSSL 3.0 in advance of FreeBSD 14.0.  OpenSSL 1.1.1 (the
version we were previously using) will be EOL as of 2023-09-11.

Most of the base system has already been updated for a seamless switch
to OpenSSL 3.0.  For many components we've added
`-DOPENSSL_API_COMPAT=0x10100000L` to CFLAGS to specify the API version,
which avoids deprecation warnings from OpenSSL 3.0.  Changes have also
been made to avoid OpenSSL APIs that were already deprecated in OpenSSL
1.1.1.  The process of updating to contemporary APIs can continue after
this merge.

Additional changes are still required for libarchive and Kerberos-
related libraries or tools; workarounds will immediately follow this
commit.  Fixes are in progress in the upstream projects and will be
incorporated when those are next updated.

There are some performance regressions in benchmarks (certain tests in
`openssl speed`) and in some OpenSSL consumers in ports (e.g.  haproxy).
Investigation will continue for these.

Netflix's testing showed no functional regression and a rather small,
albeit statistically significant, increase in CPU consumption with
OpenSSL 3.0.

Thanks to ngie@ and des@ for updating base system components, to
antoine@ and bofh@ for ports exp-runs and port fixes/workarounds, and to
Netflix and everyone who tested prior to commit or contributed to this
update in other ways.

PR:		271615
PR:		271656 [exp-run]
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
</content>
</entry>
<entry>
<title>OpenSSL: Regen manual pages for OpenSSL 1.1.1u</title>
<updated>2023-05-30T15:03:10Z</updated>
<author>
<name>Jung-uk Kim</name>
<email>jkim@FreeBSD.org</email>
</author>
<published>2023-05-30T15:03:10Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=5b1268252c56d96d3858969108a8cd6add9d5776'/>
<id>urn:sha1:5b1268252c56d96d3858969108a8cd6add9d5776</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Update/fix Makefile.depend for userland</title>
<updated>2023-04-19T00:14:23Z</updated>
<author>
<name>Simon J. Gerraty</name>
<email>sjg@FreeBSD.org</email>
</author>
<published>2023-04-19T00:14:23Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=d9a42747950146bf03cda7f6e25d219253f8a57a'/>
<id>urn:sha1:d9a42747950146bf03cda7f6e25d219253f8a57a</id>
<content type='text'>
</content>
</entry>
</feed>
