<feed xmlns='http://www.w3.org/2005/Atom'>
<title>src/secure, branch releng/12.4</title>
<subtitle>FreeBSD source tree</subtitle>
<id>https://cgit-dev.freebsd.org/src/atom?h=releng%2F12.4</id>
<link rel='self' href='https://cgit-dev.freebsd.org/src/atom?h=releng%2F12.4'/>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/'/>
<updated>2023-02-16T18:00:09Z</updated>
<entry>
<title>Fix multiple OpenSSL vulnerabilities.</title>
<updated>2023-02-16T18:00:09Z</updated>
<author>
<name>Gordon Tetlow</name>
<email>gordon@FreeBSD.org</email>
</author>
<published>2023-02-16T17:22:14Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=c6444607997d64d67c888f8009aabf4e1f3d2a15'/>
<id>urn:sha1:c6444607997d64d67c888f8009aabf4e1f3d2a15</id>
<content type='text'>
Approved by:	so
Security:	FreeBSD-SA-23:03.openssl
Security:	CVE-2023-0286
Security:	CVE-2023-0215
Security:	CVE-2022-4450
Security:	CVE-2022-4304
</content>
</entry>
<entry>
<title>ssh: update to OpenSSH 9.1p1</title>
<updated>2022-10-31T17:15:47Z</updated>
<author>
<name>Ed Maste</name>
<email>emaste@FreeBSD.org</email>
</author>
<published>2022-10-19T14:27:11Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=50cb877af1fb6de40baa305dca93afdbd4de6568'/>
<id>urn:sha1:50cb877af1fb6de40baa305dca93afdbd4de6568</id>
<content type='text'>
Release notes are available at https://www.openssh.com/txt/release-9.1

9.1 contains fixes for three minor memory safety problems; these have
already been merged to the copy of OpenSSH 9.0 that is in the FreeBSD base
system.

Some highlights copied from the release notes:

Potentially-incompatible changes
--------------------------------

 * ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config
   are now first-match-wins to match other directives. Previously
   if an environment variable was multiply specified the last set
   value would have been used. bz3438

 * ssh-keygen(8): ssh-keygen -A (generate all default host key types)
   will no longer generate DSA keys, as these are insecure and have
   not been used by default for some years.

New features
------------

 * ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum
   RSA key length. Keys below this length will be ignored for user
   authentication and for host authentication in sshd(8).

 * sftp-server(8): add a "users-groups-by-id@openssh.com" extension
   request that allows the client to obtain user/group names that
   correspond to a set of uids/gids.

 * sftp(1): use "users-groups-by-id@openssh.com" sftp-server
   extension (when available) to fill in user/group names for
   directory listings.

 * sftp-server(8): support the "home-directory" extension request
   defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps
   a bit with the existing "expand-path@openssh.com", but some other
   clients support it.

 * ssh-keygen(1), sshd(8): allow certificate validity intervals,
   sshsig verification times and authorized_keys expiry-time options
   to accept dates in the UTC time zone in addition to the default
   of interpreting them in the system time zone. YYYYMMDD and
   YYMMDDHHMM[SS] dates/times will be interpreted as UTC if suffixed
   with a 'Z' character.

   Also allow certificate validity intervals to be specified in raw
   seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This
   is intended for use by regress tests and other tools that call
   ssh-keygen as part of a CA workflow. bz3468

 * sftp(1): allow arguments to the sftp -D option, e.g. sftp -D
   "/usr/libexec/sftp-server -el debug3"

 * ssh-keygen(1): allow the existing -U (use agent) flag to work
   with "-Y sign" operations, where it will be interpreted to require
   that the private key is hosted in an agent; bz3429

MFC after:	2 weeks
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation

(cherry picked from commit 38a52bd3b5cac3da6f7f6eef3dd050e6aa08ebb3)
(cherry picked from commit ac5c465b9fdff74d1a73f63d157820887ff1787f)
(cherry picked from commit 4aee71578a60981de9296451b7a995b180ae23db)

Approved by:	re (gjb)
</content>
</entry>
<entry>
<title>openssl: install pc files</title>
<updated>2022-10-12T08:37:53Z</updated>
<author>
<name>Baptiste Daroussin</name>
<email>bapt@FreeBSD.org</email>
</author>
<published>2022-08-26T14:02:09Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=ec07cdb9243290bb8a83ed0c7faf974c87902681'/>
<id>urn:sha1:ec07cdb9243290bb8a83ed0c7faf974c87902681</id>
<content type='text'>
Most programs in ports are looking for .pc files in order to get the
necessary information on how to compile and link against openssl.

The ports now also have a way to hide or force a path for pkgconf.

Providing .pc files along with openssl in base will allow (once all
the supported versions of FreeBSD have it) to improve the framework to
deal with openssl in base vs openssl in ports (and libressl).

This will also greatly reduce the number of patches necessary to
work around the build systems which only know how to detect where
openssl is installed via pkgconf.

PR:		266051
MFC After:	3 weeks
Reviewed by:	jkim, delphij
Exp-run by:	antoine
Differential Revision:	https://reviews.freebsd.org/D36360

(cherry picked from commit b323fa85f15268ac44b8ff90faf90bce5d87b608)
</content>
</entry>
<entry>
<title>ssh: update to OpenSSH v8.9p1</title>
<updated>2022-10-07T13:22:10Z</updated>
<author>
<name>Ed Maste</name>
<email>emaste@FreeBSD.org</email>
</author>
<published>2022-04-13T20:00:56Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=bcfd209157947d63f959a729cfd978a6efd51a14'/>
<id>urn:sha1:bcfd209157947d63f959a729cfd978a6efd51a14</id>
<content type='text'>
Release notes are available at https://www.openssh.com/txt/release-8.9

Some highlights:

 * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for
   restricting forwarding and use of keys added to ssh-agent(1)

 * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid
   ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the
   default KEXAlgorithms list (after the ECDH methods but before the
   prime-group DH ones). The next release of OpenSSH is likely to
   make this key exchange the default method.

 * sshd(8), portable OpenSSH only: this release removes in-built
   support for MD5-hashed passwords. If you require these on your
   system then we recommend linking against libxcrypt or similar.

Future deprecation notice
=========================

A near-future release of OpenSSH will switch scp(1) from using the
legacy scp/rcp protocol to using SFTP by default.

Legacy scp/rcp performs wildcard expansion of remote filenames (e.g.
"scp host:* .") through the remote shell. This has the side effect of
requiring double quoting of shell meta-characters in file names
included on scp(1) command-lines, otherwise they could be interpreted
as shell commands on the remote side.

MFC after:	1 month
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation

(cherry picked from commit 1323ec571215a77ddd21294f0871979d5ad6b992)
(cherry picked from commit 58def461e256e3a05c3ff15a87ed702fe0c3662c)
(cherry picked from commit 6ac1039d047aafcaae5fec13504ece8fdc764c5a)
</content>
</entry>
<entry>
<title>OpenSSL: Regen assembly file for OpenSSL 1.1.1q</title>
<updated>2022-07-05T16:41:43Z</updated>
<author>
<name>Jung-uk Kim</name>
<email>jkim@FreeBSD.org</email>
</author>
<published>2022-07-05T16:06:50Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=f62c92421c936535c5a1ac4400145d9d706b836e'/>
<id>urn:sha1:f62c92421c936535c5a1ac4400145d9d706b836e</id>
<content type='text'>
(cherry picked from commit 9576bca5834b3ccfbf7ff7d3b49db9c05c51d44c)
</content>
</entry>
<entry>
<title>OpenSSL: Regen manual pages for OpenSSL 1.1.1q</title>
<updated>2022-07-05T16:40:00Z</updated>
<author>
<name>Jung-uk Kim</name>
<email>jkim@FreeBSD.org</email>
</author>
<published>2022-07-05T16:01:07Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=e447a62c145f112a5e059723d189cfe630dc29ae'/>
<id>urn:sha1:e447a62c145f112a5e059723d189cfe630dc29ae</id>
<content type='text'>
(cherry picked from commit 25fb2515923796b329329b5c1c17d200ff416e84)
</content>
</entry>
<entry>
<title>OpenSSL: Regen manual pages for OpenSSL 1.1.1p</title>
<updated>2022-06-21T23:13:24Z</updated>
<author>
<name>Jung-uk Kim</name>
<email>jkim@FreeBSD.org</email>
</author>
<published>2022-06-21T23:13:24Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=c20ed7dbba589efc9167dfdcc35c98da7f4f8021'/>
<id>urn:sha1:c20ed7dbba589efc9167dfdcc35c98da7f4f8021</id>
<content type='text'>
</content>
</entry>
<entry>
<title>OpenSSL: Regen assembly file for OpenSSL 1.1.1p</title>
<updated>2022-06-21T23:04:06Z</updated>
<author>
<name>Jung-uk Kim</name>
<email>jkim@FreeBSD.org</email>
</author>
<published>2022-06-21T18:20:33Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=1bc54a00ebf2a262647a31f9452211dd00e1890c'/>
<id>urn:sha1:1bc54a00ebf2a262647a31f9452211dd00e1890c</id>
<content type='text'>
(cherry picked from commit ec4d9b059ededda578be479c1d043c921907ed11)
</content>
</entry>
<entry>
<title>OpenSSL: Regen manual pages for OpenSSL 1.1.1o</title>
<updated>2022-05-03T20:22:57Z</updated>
<author>
<name>Jung-uk Kim</name>
<email>jkim@FreeBSD.org</email>
</author>
<published>2022-05-03T20:22:57Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=c0041515e0d11de76a9f66b1a6f398979ead2f30'/>
<id>urn:sha1:c0041515e0d11de76a9f66b1a6f398979ead2f30</id>
<content type='text'>
</content>
</entry>
<entry>
<title>OpenSSL: Merge OpenSSL 1.1.1n</title>
<updated>2022-03-16T02:55:46Z</updated>
<author>
<name>Jung-uk Kim</name>
<email>jkim@FreeBSD.org</email>
</author>
<published>2022-03-15T23:35:22Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=1be600552e5f853c0585742d6b618e66541a81c7'/>
<id>urn:sha1:1be600552e5f853c0585742d6b618e66541a81c7</id>
<content type='text'>
(cherry picked from commit 5ac766ab8ec23e780f108b7903d46e553d5e39d1)
(cherry picked from commit 97fe61d5bfdee2adc4d6ffb9b65a0cfb5bc5d317)
</content>
</entry>
</feed>
