Commit a0341ac8 authored by Daniel Néri

main/openssh: upgrade to 8.5p1

Fixes double-free bug in ssh-agent(1).
parent 064e9d0d
From 2e0beff67def2120f4b051b1016d7fbf84823e78 Mon Sep 17 00:00:00 2001
From: Luca Weiss <luca@z3ntu.xyz>
Date: Sun, 8 Nov 2020 14:19:23 +0100
Subject: [PATCH] Deny (non-fatal) statx in preauth privsep child.
---
sandbox-seccomp-filter.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 5065ae7efc..d942b5e167 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -181,6 +181,9 @@ static const struct sock_filter preauth_insns[] = {
#ifdef __NR_ipc
SC_DENY(__NR_ipc, EACCES),
#endif
+#ifdef __NR_statx
+ SC_DENY(__NR_statx, EACCES),
+#endif
/* Syscalls to permit */
#ifdef __NR_brk
......@@ -2,9 +2,9 @@
# Contributor: Valery Kartel <valery.kartel@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=openssh
pkgver=8.4_p1
pkgver=8.5_p1
_myver=${pkgver%_*}${pkgver#*_}
pkgrel=3
pkgrel=0
pkgdesc="Port of OpenBSD's free SSH release"
url="https://www.openssh.com/portable.html"
arch="all"
......@@ -35,12 +35,11 @@ source="https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-$_myver.tar
sftp-interactive.patch
disable-forwarding-by-default.patch
fix-verify-dns-segfault.patch
d9e727dcc04a52caaac87543ea1d230e9e6b5604.patch
2e0beff67def2120f4b051b1016d7fbf84823e78.patch
sshd.initd
sshd.confd
"
# secfixes:
# 8.4_p1-r0:
# - CVE-2020-14145
......@@ -210,12 +209,10 @@ _pkg_flavour() {
done
}
sha512sums="d65275b082c46c5efe7cf3264fa6794d6e99a36d4a54b50554fc56979d6c0837381587fd5399195e1db680d2a5ad1ef0b99a180eac2b4de5637906cb7a89e9ce openssh-8.4p1.tar.gz
sha512sums="af9c34d89170a30fc92a63973e32c766ed4a6d254bb210e317c000d46913e78d0c60c7befe62d993d659be000b828b9d4d3832fc40df1c3d33850aaa6293846f openssh-8.5p1.tar.gz
f35fffcd26635249ce5d820e7b3e406e586f2d2d7f6a045f221e2f9fb53aebc1ab1dd1e603b3389462296ed77921a1d08456e7aaa3825cbed08f405b381a58e1 fix-utmp.patch
c1d09c65dbc347f0904edc30f91aa9a24b0baee50309536182455b544f1e3f85a8cecfa959e32be8b101d8282ef06dde3febbbc3f315489339dcf04155c859a9 sftp-interactive.patch
8df35d72224cd255eb0685d2c707b24e5eb24f0fdd67ca6cc0f615bdbd3eeeea2d18674a6af0c6dab74c2d8247e2370d0b755a84c99f766a431bc50c40b557de disable-forwarding-by-default.patch
b0d1fc89bd46ebfc8c7c00fd897732e67a6cda996811c14d99392685bb0b508b52c9dc3188b1a84c0ffa3f72f57189cc615a76b81796dd1b5f552542bd53f84d fix-verify-dns-segfault.patch
711f564b4bc5b156b699795230b9909c979407517daabc2304975dfea4838fdd426bff7d424254d4a7f9162205f3d8931bd5e25d4006bfbe670a900e2bd05967 d9e727dcc04a52caaac87543ea1d230e9e6b5604.patch
2edfc28f2782ee61f31528ce9dcfa4e2b263917957364948719e3c9ee6e08659fe13dcd4d274b32bc55f00cbc149a8e1e8d9daeafda2145e6127a0e191d45746 2e0beff67def2120f4b051b1016d7fbf84823e78.patch
8122ac1838586a1487dad1f70ed2ec8161ae57b4a7ee8bfef9757b590aa76a887a6c5e5f2575728da4c6c2f00d2a924360e23d84a4df204d7021b44b690cb2f8 sshd.initd
ec506156c286e5b28a530e9964dd68b7f6c9e881fbc47247a988e52a1f9cd50cbfaf4955c96774f9e2508d8b734c4abf98785fbaa75ae6249e3464b5495f1afc sshd.confd"
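Review bot: The `# secfixes:` block shown in the second APKBUILD hunk still begins with `# 8.4_p1-r0:`, although the commit description says this upgrade fixes a double-free in ssh-agent(1); no visible line records the new release. Alpine's secfixes comments are what the distribution's security tracking reads to tell which package release closes an advisory, so I would add `# 8.5_p1-r0:` followed by `# - CVE-XXXX-XXXXX` (placeholder, the identifier is not given on this page) directly under `# secfixes:`, indented like the existing entry. Separately, the hunk line counts suggest both backported patches leave `sha512sums`, presumably because 8.5p1 already contains them. Before dropping `2e0beff67def2120f4b051b1016d7fbf84823e78.patch` it is worth confirming that the new tarball's `sandbox-seccomp-filter.c` has the `SC_DENY(__NR_statx, EACCES)` rule, since that patch's subject describes the rule as what makes statx non-fatal in the preauth child.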
From d9e727dcc04a52caaac87543ea1d230e9e6b5604 Mon Sep 17 00:00:00 2001
From: Oleg <Fallmay@users.noreply.github.com>
Date: Thu, 1 Oct 2020 12:09:08 +0300
Subject: [PATCH] Fix `EOF: command not found` error in ssh-copy-id
---
contrib/ssh-copy-id | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
index 392f64f942..a769077172 100644
--- a/contrib/ssh-copy-id
+++ b/contrib/ssh-copy-id
@@ -247,7 +247,7 @@ installkeys_sh() {
# the -z `tail ...` checks for a trailing newline. The echo adds one if was missing
# the cat adds the keys we're getting via STDIN
# and if available restorecon is used to restore the SELinux context
- INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF)
+ INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF
cd;
umask 077;
mkdir -p $(dirname "${AUTH_KEY_FILE}") &&
@@ -258,6 +258,7 @@ installkeys_sh() {
restorecon -F .ssh ${AUTH_KEY_FILE};
fi
EOF
+ )
# to defend against quirky remote shells: use 'exec sh -c' to get POSIX;
printf "exec sh -c '%s'" "${INSTALLKEYS_SH}"