webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-09 18:45:54 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
d67eff100219498902c20159025dc7227cd4d2ca
bpfire/lfs/openssh
Adolf Belka f877c07e4d openssh: Update to version 8.8p1 
- Update from 8.7p1 to 8.8p1
- Update of rootfile not required
- Changelog
   OpenSSH 8.8p1
    Future deprecation notice
     A near-future release of OpenSSH will switch scp(1) from using the
      legacy scp/rcp protocol to using SFTP by default.
     Legacy scp/rcp performs wildcard expansion of remote filenames (e.g.
      "scp host:* .") through the remote shell. This has the side effect of
      requiring double quoting of shell meta-characters in file names
      included on scp(1) command-lines, otherwise they could be interpreted
      as shell commands on the remote side.
     This creates one area of potential incompatibility: scp(1) when using
      the SFTP protocol no longer requires this finicky and brittle quoting,
      and attempts to use it may cause transfers to fail. We consider the
      removal of the need for double-quoting shell characters in file names
      to be a benefit and do not intend to introduce bug- compatibility for
      legacy scp/rcp in scp(1) when using the SFTP protocol.
     Another area of potential incompatibility relates to the use of remote
      paths relative to other user's home directories, for example -
      "scp host:~user/file /tmp". The SFTP protocol has no native way to
      expand a ~user path. However, sftp-server(8) in OpenSSH 8.7 and later
      support a protocol extension "expand-path@openssh.com" to support
      this.
    Security
     sshd(8) from OpenSSH 6.2 through 8.7 failed to correctly initialise
      supplemental groups when executing an AuthorizedKeysCommand or
      AuthorizedPrincipalsCommand, where a AuthorizedKeysCommandUser or
      AuthorizedPrincipalsCommandUser directive has been set to run the
      command as a different user. Instead these commands would inherit
      the groups that sshd(8) was started with.
     Depending on system configuration, inherited groups may allow
      AuthorizedKeysCommand/AuthorizedPrincipalsCommand helper programs to
      gain unintended privilege.
     Neither AuthorizedKeysCommand nor AuthorizedPrincipalsCommand are
      enabled by default in sshd_config(5).
    Potentially-incompatible changes
     This release disables RSA signatures using the SHA-1 hash algorithm
     by default. This change has been made as the SHA-1 hash algorithm is
      cryptographically broken, and it is possible to create chosen-prefix
      hash collisions for <USD$50K [1]
     For most users, this change should be invisible and there is
      no need to replace ssh-rsa keys. OpenSSH has supported RFC8332
      RSA/SHA-256/512 signatures since release 7.2 and existing ssh-rsa keys
      will automatically use the stronger algorithm where possible.
    Changes since OpenSSH 8.7p1
      This release is motivated primarily by the above deprecation and
       security fix.
      New features
        * ssh(1): allow the ssh_config(5) CanonicalizePermittedCNAMEs
          directive to accept a "none" argument to specify the default
          behaviour.
      Bugfixes
        * scp(1): when using the SFTP protocol, continue transferring files
          after a transfer error occurs, better matching original scp/rcp
          behaviour.
        * ssh(1): fixed a number of memory leaks in multiplexing,
        * ssh-keygen(1): avoid crash when using the -Y find-principals
          command.
        * A number of documentation and manual improvements, including
          bz#3340, PR139, PR215, PR241, PR257
      Portability
        * ssh-agent(1): on FreeBSD, use procctl to disable ptrace(2)
        * ssh(1)/sshd(8): some fixes to the pselect(2) replacement
          compatibility code. bz#3345

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
2021-11-19 07:12:14 +01:00

96 lines
3.6 KiB
Plaintext
Raw Blame History

###############################################################################
# #
# IPFire.org - A linux based firewall #
# Copyright (C) 2007-2020 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation, either version 3 of the License, or #
# (at your option) any later version. #
# #
# This program is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with this program. If not, see <http://www.gnu.org/licenses/>. #
# #
###############################################################################
###############################################################################
# Definitions
###############################################################################
include Config
VER = 8.8p1
THISAPP = openssh-$(VER)
DL_FILE = $(THISAPP).tar.gz
DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
###############################################################################
# Top-level Rules
###############################################################################
objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
$(DL_FILE)_MD5 = 8ce5f390958baeeab635aafd0ef41453
install : $(TARGET)
check : $(patsubst %,$(DIR_CHK)/%,$(objects))
download :$(patsubst %,$(DIR_DL)/%,$(objects))
md5 : $(subst %,%_MD5,$(objects))
###############################################################################
# Downloading, checking, md5sum
###############################################################################
$(patsubst %,$(DIR_CHK)/%,$(objects)) :
@$(CHECK)
$(patsubst %,$(DIR_DL)/%,$(objects)) :
@$(LOAD)
$(subst %,%_MD5,$(objects)) :
@$(MD5)
###############################################################################
# Installation Details
###############################################################################
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
cd $(DIR_APP) && sed -i "s/lkrb5 -ldes/lkrb5/" configure
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/OpenSSH-8.2p1_glibc-2.31_clock_nanosleep_time64.patch
cd $(DIR_APP) && ./configure \
--prefix=/usr \
--sysconfdir=/etc/ssh \
--libexecdir=/usr/lib/openssh \
--with-md5-passwords \
--with-privsep-path=/var/empty \
--with-superuser-path=/sbin:/usr/sbin:/bin:/usr/bin
cd $(DIR_APP) && make $(MAKETUNING)
cd $(DIR_APP) && make install
# install custom OpenSSH server configuration
install -v -m 644 $(DIR_SRC)/config/ssh/sshd_config \
/etc/ssh/sshd_config
# install custom OpenSSH client configuration
install -v -m 644 $(DIR_SRC)/config/ssh/ssh_config \
/etc/ssh/ssh_config
@rm -rf $(DIR_APP)
@$(POSTBUILD)
Reference in New Issue View Git Blame Copy Permalink