This reverts commit 5b56bd0affea7b02b540bdbc4d1d271b0e4fc885. The bug
reporter wasn't actually using x32, but rather an ordinary 32-bit
userspace on a 64-bit kernel; this patch broke the seccomp sandbox on
the actual x32 architecture.
Patch-Name: revert-x32-sandbox-breakage.patch
Bug-Debian: https://bugs.debian.org/778913
Forwarded: no
Last-Update: 2017-08-22
Patch-Name: systemd-readiness.patch
Support for TCP wrappers was dropped in OpenSSH 6.7. See this message
and thread:
https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html
It is true that this reduces preauth attack surface in sshd. On the
other hand, this support seems to be quite widely used, and abruptly
dropping it (from the perspective of users who don't read
openssh-unix-dev) could easily cause more serious problems in practice.
It's not entirely clear what the right long-term answer for Debian is,
but it at least probably doesn't involve dropping this feature shortly
before a freeze.
Forwarded: not-needed
Last-Update: 2019-06-05
Patch-Name: restore-tcp-wrappers.patch
This patch has been rejected upstream: "None of the OpenSSH developers are
in favour of adding this, and this situation has not changed for several
years. This is not a slight on Simon's patch, which is of fine quality, but
just that a) we don't trust GSSAPI implementations that much and b) we don't
like adding new KEX since they are pre-auth attack surface. This one is
particularly scary, since it requires hooks out to typically root-owned
system resources."
However, quite a lot of people rely on this in Debian, and it's better to
have it merged into the main openssh package rather than having separate
-krb5 packages (as we used to have). It seems to have a generally good
security history.
Author: Simon Wilkinson <simon@sxw.org.uk>
Author: Colin Watson <cjwatson@debian.org>
Author: Jakub Jelen <jjelen@redhat.com>
Origin: other, https://github.com/openssh-gsskex/openssh-gsskex/commits/debian/master
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
Last-Updated: 2020-06-07
Patch-Name: gssapi.patch
when testing, make sure to include the relevant header files that
declare the types of the functions used by the test:
- stdio.h for printf();
- stdlib.h for exit();
- string.h for strcmp();
- unistd.h for unlink(), _exit(), fork(), getppid(), sleep().
The `aclocal' step is skipped during `autoreconf' because aclocal.m4 is
present.
Move the current aclocal.m4 which contains local macros into the m4/
folder. With this change the aclocal.m4 will be re-created during
changes to the m4/ macro.
This is needed so the `aclocal' can fetch m4 macros from the system if
they are referenced in the configure script. This is a prerequisite to
use PKG_CHECK_MODULES.
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
- HAVE_FIDO_CRED_PROD -> HAVE_FIDO_CRED_PROT;
- check for fido_dev_get_touch_begin(), so that
HAVE_FIDO_DEV_GET_TOUCH_BEGIN gets defined.
It was added in 8d1fd57a9 for measuring entropy of ssh_prng_cmds which
has long since been removed and there are no other references to it.
bz#960, ok dtucker
It hasn't been useful since we switched to git in 2014. ok djm@
configure.ac is not detecting -Wextra in compilers that implement the
option. The problem is that -Wextra implies -Wunused-parameter, and the
C excerpt used by aclocal.m4 does not use argv. Patch from pedro at
ambientworks.net, ok djm@
This is a Frankenstein monster of AMD64 instructions/calling conventions
but with a 4GB address space. Allegedly deprecated but people still run
into it causing weird sandbox failures, e.g. bz#3085
outside ~/.ssh; with dtucker@
OpenBSD-Commit-ID: ac0c662d44607e00ec78c266ee60752beb1c7e08
When the test's child signals its parent and it exits, the result of
getppid changes. On Ubuntu 20.04 this results in the ppid being that
of the GDM session, causing it to exit. Analysis and testing from pedro
at ambientworks.net
On at least HP-UX 11.11, the localtime_r declaration is behind
ifdef _REENTRANT. Check for and add if needed.
If we don't have LLONG_{MIN,MAX} but do have LONG_LONG_{MIN,MAX}
then use those instead. We do calculate these values in configure,
but it turns out that at least one compiler (old HP ANSI C) can't
parse "-9223372036854775808LL" without mangling it. (It can parse
"-9223372036854775807LL" which is presumably why its limits.h defines
LONG_LONG_MIN as the latter minus 1.)
Fixes rekey test when compiled with the aforementioned compiler.
On some platforms (at least older HP-UXes such as 11.11, possibly others)
setting SA_RESTART on signal handlers will cause it to not interrupt
select(), at least for calls that do not specify a timeout. Try to
detect this and if found, don't use SA_RESTART.
POSIX says "If SA_RESTART has been set for the interrupting signal, it
is implementation-dependent whether select() restarts or returns with
[EINTR]" so this behaviour is within spec.
These are usually in netinet/in.h but on HP-UX they are not defined if
_XOPEN_SOURCE_EXTENDED is set. Only needed for netcat in the regression
tests.
It's required for fido_dev_t, otherwise configure fails with
when given --with-security-key-builtin.
OpenBSD-Commit-ID: 166ea64f6d84f7bac5636dbd38968592cb5eb924
Check in sys/socket.h (AIX) and unistd.h (FreeBSD, DragonFly and OS X).
Prevents undeclared function warning on at least some versions of AIX.
... unless we are actually going to use it. Fixes build on HP-UX
without the potential impact to other platforms of a header change
shortly before release.
Should prevent warnings on at least some AIX versions.
This allows zlib support to be disabled by ./configure --without-zlib.
When running ./configure --with-ldns, if ldns-config cannot be found, we
add -Iyes/include to CPPFLAGS and -Lyes/lib to LDFLAGS. Fix that.
Make struct timespec test consistent with existing timeval test.
Include time.h for timespec in compat header where required.
RIPEMD160 support was removed upstream in 2017, however we still had
a configure test and compat code for it, so clean those up now.
If the system (or one of the dependencies) implements memmem but does
not define the header, we would not declare it either resulting in
compiler warnings. Check for declaration explicitly. bz#3102.
This lets it pick up the -L path to libcrypto for example.
Check for -fPIC support from compiler
Compile libopenbsd-compat -fPIC
Don't mix -fPIE and -fPIC when compiling
Suggested by djm.
Wrappers protect against multiple inclusions for headers that don't do
it themselves.
Require --with-security-key-builtin before enabling the built-in
security key support (and consequent dependency on libfido2).
spotted by dtucker@
linking against the (previously external) USB HID middleware. The dlopen()
capability still exists for alternate middlewares, e.g. for Bluetooth, NFC
and test/debugging.
OpenBSD-Commit-ID: 14446cf170ac0351f0d4792ba0bca53024930069
eg on old NetBSDs.
This requires moving the U2F bits to below the OpenSSL parts so we have
the required information. ok djm@
Should build with the default flags with ./configure