From ad40d2a62a3d9772ffd95038a73f7e957c39950b Mon Sep 17 00:00:00 2001 From: Patrick J Volkerding Date: Thu, 2 Feb 2023 22:52:48 +0000 Subject: [PATCH] Thu Feb 2 22:52:48 UTC 2023 patches/packages/openssh-9.2p1-x86_64-1_slack15.0.txz: Upgraded. This release contains fixes for two security problems and a memory safety problem. The memory safety problem is not believed to be exploitable, but upstream reports most network-reachable memory faults as security bugs. This update contains some potentially incompatible changes regarding the scp utility. For more information, see: https://www.openssh.com/releasenotes.html#9.0 For more information, see: https://www.openssh.com/releasenotes.html#9.2 (* Security fix *) --- ChangeLog.rss | 24 +- ChangeLog.txt | 12 + FILELIST.TXT | 121 +++++----- .../openssh-9.2p1-x86_64-1_slack15.0.txt | 11 + patches/source/openssh/doinst.sh | 53 +++++ patches/source/openssh/openssh.SlackBuild | 206 ++++++++++++++++++ .../source/openssh/openssh.tcp_wrappers.diff | 139 ++++++++++++ patches/source/openssh/openssh.url | 1 + patches/source/openssh/rc.sshd | 64 ++++++ patches/source/openssh/slack-desc | 19 ++ patches/source/openssh/sshd.default | 10 + patches/source/openssh/sshd.pam | 23 ++ patches/source/openssh/sshd_config-pam.diff | 11 + recompress.sh | 3 + 14 files changed, 642 insertions(+), 55 deletions(-) create mode 100644 patches/packages/openssh-9.2p1-x86_64-1_slack15.0.txt create mode 100644 patches/source/openssh/doinst.sh create mode 100755 patches/source/openssh/openssh.SlackBuild create mode 100644 patches/source/openssh/openssh.tcp_wrappers.diff create mode 100644 patches/source/openssh/openssh.url create mode 100644 patches/source/openssh/rc.sshd create mode 100644 patches/source/openssh/slack-desc create mode 100644 patches/source/openssh/sshd.default create mode 100644 patches/source/openssh/sshd.pam create mode 100644 patches/source/openssh/sshd_config-pam.diff 
diff --git a/ChangeLog.rss b/ChangeLog.rss index 308613206..431fc7e87 100644 --- a/ChangeLog.rss +++ b/ChangeLog.rss @@ -11,9 +11,29 @@ Tracking Slackware development in git. en-us urn:uuid:c964f45e-6732-11e8-bbe5-107b4450212f - Wed, 1 Feb 2023 22:27:31 GMT - Thu, 2 Feb 2023 12:30:17 GMT + Thu, 2 Feb 2023 22:52:48 GMT + Fri, 3 Feb 2023 12:30:19 GMT maintain_current_git.sh v 1.17 + + Thu, 2 Feb 2023 22:52:48 GMT + Thu, 2 Feb 2023 22:52:48 GMT + https://git.slackware.nl/current/tag/?h=20230202225248 + 20230202225248 + + +patches/packages/openssh-9.2p1-x86_64-1_slack15.0.txz: Upgraded. + This release contains fixes for two security problems and a memory safety + problem. The memory safety problem is not believed to be exploitable, but + upstream reports most network-reachable memory faults as security bugs. + This update contains some potentially incompatible changes regarding the + scp utility. For more information, see: + https://www.openssh.com/releasenotes.html#9.0 + For more information, see: + https://www.openssh.com/releasenotes.html#9.2 + (* Security fix *) + ]]> + + Wed, 1 Feb 2023 22:27:31 GMT Wed, 1 Feb 2023 22:27:31 GMT diff --git a/ChangeLog.txt b/ChangeLog.txt index 4e1b261ff..87197cf7c 100644 --- a/ChangeLog.txt +++ b/ChangeLog.txt 
@@ -1,3 +1,15 @@ +Thu Feb 2 22:52:48 UTC 2023 +patches/packages/openssh-9.2p1-x86_64-1_slack15.0.txz: Upgraded. + This release contains fixes for two security problems and a memory safety + problem. The memory safety problem is not believed to be exploitable, but + upstream reports most network-reachable memory faults as security bugs. + This update contains some potentially incompatible changes regarding the + scp utility. For more information, see: + https://www.openssh.com/releasenotes.html#9.0 + For more information, see: + https://www.openssh.com/releasenotes.html#9.2 + (* Security fix *) ++--------------------------+ Wed Feb 1 22:27:31 UTC 2023 patches/packages/apr-1.7.2-x86_64-1_slack15.0.txz: Upgraded. This update fixes security issues: diff --git a/FILELIST.TXT b/FILELIST.TXT index 2d3940d2b..aadccb4f7 100644 --- a/FILELIST.TXT +++ b/FILELIST.TXT 
@@ -1,20 +1,20 @@ -Wed Feb 1 22:31:41 UTC 2023 +Thu Feb 2 22:56:31 UTC 2023 Here is the file list for this directory. If you are using a mirror site and find missing or extra files in the disk subdirectories, please have the archive administrator refresh the mirror. -drwxr-xr-x 12 root root 4096 2023-02-01 22:27 . +drwxr-xr-x 12 root root 4096 2023-02-02 22:52 . -rw-r--r-- 1 root root 5767 2022-02-02 22:44 ./ANNOUNCE.15.0 -rw-r--r-- 1 root root 16609 2022-03-30 19:03 ./CHANGES_AND_HINTS.TXT --rw-r--r-- 1 root root 1169262 2023-01-26 00:37 ./CHECKSUMS.md5 --rw-r--r-- 1 root root 163 2023-01-26 00:37 ./CHECKSUMS.md5.asc +-rw-r--r-- 1 root root 1170544 2023-02-01 22:32 ./CHECKSUMS.md5 +-rw-r--r-- 1 root root 163 2023-02-01 22:32 ./CHECKSUMS.md5.asc -rw-r--r-- 1 root root 17976 1994-06-10 02:28 ./COPYING -rw-r--r-- 1 root root 35147 2007-06-30 04:21 ./COPYING3 -rw-r--r-- 1 root root 19573 2016-06-23 20:08 ./COPYRIGHT.TXT -rw-r--r-- 1 root root 616 2006-10-02 04:37 ./CRYPTO_NOTICE.TXT --rw-r--r-- 1 root root 1983676 2023-02-01 22:27 ./ChangeLog.txt +-rw-r--r-- 1 root root 1984293 2023-02-02 22:52 ./ChangeLog.txt drwxr-xr-x 3 root root 4096 2013-03-20 22:17 ./EFI drwxr-xr-x 2 root root 4096 2022-02-02 08:21 ./EFI/BOOT -rw-r--r-- 1 root root 1187840 2021-06-15 19:16 ./EFI/BOOT/bootx64.efi @@ -25,7 +25,7 @@ drwxr-xr-x 2 root root 4096 2022-02-02 08:21 ./EFI/BOOT -rwxr-xr-x 1 root root 2504 2019-07-05 18:54 ./EFI/BOOT/make-grub.sh -rw-r--r-- 1 root root 10722 2013-09-21 19:02 ./EFI/BOOT/osdetect.cfg -rw-r--r-- 1 root root 1273 2013-08-12 21:08 ./EFI/BOOT/tools.cfg --rw-r--r-- 1 root root 1528042 2023-01-26 00:37 ./FILELIST.TXT +-rw-r--r-- 1 root root 1529740 2023-02-01 22:31 ./FILELIST.TXT -rw-r--r-- 1 root root 1572 2012-08-29 18:27 ./GPG-KEY -rw-r--r-- 1 root root 864745 2022-02-02 08:25 ./PACKAGES.TXT -rw-r--r-- 1 root root 8034 2022-02-02 03:36 ./README.TXT 
@@ -738,13 +738,13 @@ drwxr-xr-x 2 root root 4096 2008-05-07 05:21 ./pasture/source/php/pear -rwxr-xr-x 1 root root 9448 2018-05-16 22:38 ./pasture/source/php/php.SlackBuild -rw-r--r-- 1 root root 775 2017-07-07 19:25 ./pasture/source/php/php.ini-development.diff.gz -rw-r--r-- 1 root root 830 2005-12-09 05:18 ./pasture/source/php/slack-desc -drwxr-xr-x 4 root root 4096 2023-02-01 22:31 ./patches --rw-r--r-- 1 root root 64683 2023-02-01 22:31 ./patches/CHECKSUMS.md5 --rw-r--r-- 1 root root 163 2023-02-01 22:31 ./patches/CHECKSUMS.md5.asc --rw-r--r-- 1 root root 87851 2023-02-01 22:31 ./patches/FILE_LIST --rw-r--r-- 1 root root 11960342 2023-02-01 22:31 ./patches/MANIFEST.bz2 --rw-r--r-- 1 root root 46653 2023-02-01 22:31 ./patches/PACKAGES.TXT -drwxr-xr-x 3 root root 20480 2023-02-01 22:31 ./patches/packages +drwxr-xr-x 4 root root 4096 2023-02-02 22:56 ./patches +-rw-r--r-- 1 root root 65678 2023-02-02 22:56 ./patches/CHECKSUMS.md5 +-rw-r--r-- 1 root root 163 2023-02-02 22:56 ./patches/CHECKSUMS.md5.asc +-rw-r--r-- 1 root root 89152 2023-02-02 22:56 ./patches/FILE_LIST +-rw-r--r-- 1 root root 11982760 2023-02-02 22:56 ./patches/MANIFEST.bz2 +-rw-r--r-- 1 root root 47509 2023-02-02 22:56 ./patches/PACKAGES.TXT +drwxr-xr-x 3 root root 20480 2023-02-02 22:56 ./patches/packages -rw-r--r-- 1 root root 327 2022-02-15 05:07 ./patches/packages/aaa_base-15.0-x86_64-4_slack15.0.txt -rw-r--r-- 1 root root 10716 2022-02-15 05:07 ./patches/packages/aaa_base-15.0-x86_64-4_slack15.0.txz -rw-r--r-- 1 root root 163 2022-02-15 05:07 ./patches/packages/aaa_base-15.0-x86_64-4_slack15.0.txz.asc 
@@ -878,6 +878,9 @@ drwxr-xr-x 2 root root 4096 2022-11-29 21:00 ./patches/packages/linux-5.15 -rw-r--r-- 1 root root 580 2023-01-13 20:05 ./patches/packages/netatalk-3.1.14-x86_64-1_slack15.0.txt -rw-r--r-- 1 root root 505144 2023-01-13 20:05 ./patches/packages/netatalk-3.1.14-x86_64-1_slack15.0.txz -rw-r--r-- 1 root root 163 2023-01-13 20:05 ./patches/packages/netatalk-3.1.14-x86_64-1_slack15.0.txz.asc +-rw-r--r-- 1 root root 672 2023-02-02 20:05 ./patches/packages/openssh-9.2p1-x86_64-1_slack15.0.txt +-rw-r--r-- 1 root root 1059960 2023-02-02 20:05 ./patches/packages/openssh-9.2p1-x86_64-1_slack15.0.txz +-rw-r--r-- 1 root root 163 2023-02-02 20:05 ./patches/packages/openssh-9.2p1-x86_64-1_slack15.0.txz.asc -rw-r--r-- 1 root root 559 2022-11-29 20:36 ./patches/packages/openssl-1.1.1s-x86_64-1_slack15.0.txt -rw-r--r-- 1 root root 3597816 2022-11-29 20:36 ./patches/packages/openssl-1.1.1s-x86_64-1_slack15.0.txz -rw-r--r-- 1 root root 163 2022-11-29 20:36 ./patches/packages/openssl-1.1.1s-x86_64-1_slack15.0.txz.asc @@ -968,7 +971,7 @@ drwxr-xr-x 2 root root 4096 2022-11-29 21:00 ./patches/packages/linux-5.15 -rw-r--r-- 1 root root 388 2022-10-15 04:05 ./patches/packages/zlib-1.2.13-x86_64-1_slack15.0.txt -rw-r--r-- 1 root root 105356 2022-10-15 04:05 ./patches/packages/zlib-1.2.13-x86_64-1_slack15.0.txz -rw-r--r-- 1 root root 163 2022-10-15 04:05 ./patches/packages/zlib-1.2.13-x86_64-1_slack15.0.txz.asc -drwxr-xr-x 66 root root 4096 2023-02-01 22:15 ./patches/source +drwxr-xr-x 67 root root 4096 2023-02-02 20:22 ./patches/source drwxr-xr-x 2 root root 4096 2022-01-16 05:07 ./patches/source/aaa_base -rw-r--r-- 1 root root 11041 2022-02-15 04:49 ./patches/source/aaa_base/_aaa_base.tar.gz -rwxr-xr-x 1 root root 3894 2022-02-15 05:07 ./patches/source/aaa_base/aaa_base.SlackBuild 
@@ -1386,6 +1389,18 @@ drwxr-xr-x 2 root root 4096 2023-01-13 20:01 ./patches/source/netatalk -rw-r--r-- 1 root root 63 2023-01-13 19:51 ./patches/source/netatalk/netatalk.url -rw-r--r-- 1 root root 1009 2018-09-05 21:12 ./patches/source/netatalk/rc.atalk.new -rw-r--r-- 1 root root 1036 2018-02-27 06:13 ./patches/source/netatalk/slack-desc +drwxr-xr-x 2 root root 4096 2023-02-02 19:54 ./patches/source/openssh +-rw-r--r-- 1 root root 593 2020-02-07 03:05 ./patches/source/openssh/doinst.sh.gz +-rw-r--r-- 1 root root 1852380 2023-02-02 12:37 ./patches/source/openssh/openssh-9.2p1.tar.gz +-rw-r--r-- 1 root root 833 2023-02-02 12:37 ./patches/source/openssh/openssh-9.2p1.tar.gz.asc +-rwxr-xr-x 1 root root 6297 2023-02-02 20:04 ./patches/source/openssh/openssh.SlackBuild +-rw-r--r-- 1 root root 1658 2022-02-24 19:30 ./patches/source/openssh/openssh.tcp_wrappers.diff.gz +-rw-r--r-- 1 root root 54 2020-02-14 19:40 ./patches/source/openssh/openssh.url +-rw-r--r-- 1 root root 1814 2017-07-18 06:51 ./patches/source/openssh/rc.sshd +-rw-r--r-- 1 root root 1127 2018-02-27 06:13 ./patches/source/openssh/slack-desc +-rw-r--r-- 1 root root 318 2017-07-18 18:45 ./patches/source/openssh/sshd.default +-rw-r--r-- 1 root root 1228 2021-09-29 19:00 ./patches/source/openssh/sshd.pam +-rw-r--r-- 1 root root 271 2021-08-21 03:23 ./patches/source/openssh/sshd_config-pam.diff.gz drwxr-xr-x 2 root root 4096 2022-11-29 19:13 ./patches/source/openssl -rw-r--r-- 1 root root 1758 2012-08-08 22:46 ./patches/source/openssl/certwatch.gz -rw-r--r-- 1 root root 281 2007-06-13 17:20 ./patches/source/openssl/doinst.sh-openssl-solibs.gz 
@@ -2733,18 +2748,18 @@ drwxr-xr-x 2 root root 69632 2022-02-01 08:29 ./slackware64/kde -rw-r--r-- 1 root root 163 2022-01-06 22:57 ./slackware64/kde/itinerary-21.12.1-x86_64-1.txz.asc -rw-r--r-- 1 root root 330 2022-01-06 22:15 ./slackware64/kde/juk-21.12.1-x86_64-1.txt -rw-r--r-- 1 root root 2434772 2022-01-06 22:15 ./slackware64/kde/juk-21.12.1-x86_64-1.txz --rw-r--r-- 1 root root 163 2022-01-06 22:15 ./slackware64/kde/juk-21.12.1-x86_64-1.txz.asc --rw-r--r-- 1 root root 361 2022-01-06 22:18 ./slackware64/kde/k3b-21.12.1-x86_64-1.txt --rw-r--r-- 1 root root 11072804 2022-01-06 22:18 ./slackware64/kde/k3b-21.12.1-x86_64-1.txz --rw-r--r-- 1 root root 163 2022-01-06 22:18 ./slackware64/kde/k3b-21.12.1-x86_64-1.txz.asc --rw-r--r-- 1 root root 310 2022-01-08 22:42 ./slackware64/kde/kactivities-5.90.0-x86_64-1.txt --rw-r--r-- 1 root root 121772 2022-01-08 22:42 ./slackware64/kde/kactivities-5.90.0-x86_64-1.txz --rw-r--r-- 1 root root 163 2022-01-08 22:42 ./slackware64/kde/kactivities-5.90.0-x86_64-1.txz.asc --rw-r--r-- 1 root root 351 2022-01-08 22:42 ./slackware64/kde/kactivities-stats-5.90.0-x86_64-1.txt --rw-r--r-- 1 root root 101948 2022-01-08 22:42 ./slackware64/kde/kactivities-stats-5.90.0-x86_64-1.txz --rw-r--r-- 1 root root 163 2022-01-08 22:42 ./slackware64/kde/kactivities-stats-5.90.0-x86_64-1.txz.asc --rw-r--r-- 1 root root 411 2022-01-04 21:51 ./slackware64/kde/kactivitymanagerd-5.23.5-x86_64-1.txt --rw-r--r-- 1 root root 209732 2022-01-04 21:51 ./slackware64/kde/kactivitymanagerd-5.23.5-x86_64-1.txz +-rw-r--r-- 1 root root 163 2022-01-06 22:15 ./slackware64/kde/juk-21.12.1-x86_64-1.txz.asc +-rw-r--r-- 1 root root 361 2022-01-06 22:18 ./slackware64/kde/k3b-21.12.1-x86_64-1.txt +-rw-r--r-- 1 root root 11072804 2022-01-06 22:18 ./slackware64/kde/k3b-21.12.1-x86_64-1.txz +-rw-r--r-- 1 root root 163 2022-01-06 22:18 ./slackware64/kde/k3b-21.12.1-x86_64-1.txz.asc +-rw-r--r-- 1 root root 310 2022-01-08 22:42 ./slackware64/kde/kactivities-5.90.0-x86_64-1.txt 
+-rw-r--r-- 1 root root 121772 2022-01-08 22:42 ./slackware64/kde/kactivities-5.90.0-x86_64-1.txz +-rw-r--r-- 1 root root 163 2022-01-08 22:42 ./slackware64/kde/kactivities-5.90.0-x86_64-1.txz.asc +-rw-r--r-- 1 root root 351 2022-01-08 22:42 ./slackware64/kde/kactivities-stats-5.90.0-x86_64-1.txt +-rw-r--r-- 1 root root 101948 2022-01-08 22:42 ./slackware64/kde/kactivities-stats-5.90.0-x86_64-1.txz +-rw-r--r-- 1 root root 163 2022-01-08 22:42 ./slackware64/kde/kactivities-stats-5.90.0-x86_64-1.txz.asc +-rw-r--r-- 1 root root 411 2022-01-04 21:51 ./slackware64/kde/kactivitymanagerd-5.23.5-x86_64-1.txt +-rw-r--r-- 1 root root 209732 2022-01-04 21:51 ./slackware64/kde/kactivitymanagerd-5.23.5-x86_64-1.txz -rw-r--r-- 1 root root 163 2022-01-04 21:51 ./slackware64/kde/kactivitymanagerd-5.23.5-x86_64-1.txz.asc -rw-r--r-- 1 root root 210 2022-01-06 21:51 ./slackware64/kde/kaddressbook-21.12.1-x86_64-1.txt -rw-r--r-- 1 root root 3357096 2022-01-06 21:51 ./slackware64/kde/kaddressbook-21.12.1-x86_64-1.txz 
@@ -5464,18 +5479,18 @@ drwxr-xr-x 2 root root 65536 2022-02-01 04:47 ./slackware64/x -rw-r--r-- 1 root root 163 2021-02-13 13:19 ./slackware64/x/font-cronyx-cyrillic-1.0.3-noarch-5.txz.asc -rw-r--r-- 1 root root 423 2021-02-13 13:19 ./slackware64/x/font-cursor-misc-1.0.3-noarch-5.txt -rw-r--r-- 1 root root 13380 2021-02-13 13:19 ./slackware64/x/font-cursor-misc-1.0.3-noarch-5.txz --rw-r--r-- 1 root root 163 2021-02-13 13:19 ./slackware64/x/font-cursor-misc-1.0.3-noarch-5.txz.asc --rw-r--r-- 1 root root 423 2021-02-13 13:19 ./slackware64/x/font-daewoo-misc-1.0.3-noarch-5.txt --rw-r--r-- 1 root root 669264 2021-02-13 13:19 ./slackware64/x/font-daewoo-misc-1.0.3-noarch-5.txz --rw-r--r-- 1 root root 163 2021-02-13 13:19 ./slackware64/x/font-daewoo-misc-1.0.3-noarch-5.txz.asc --rw-r--r-- 1 root root 384 2021-02-13 13:19 ./slackware64/x/font-dec-misc-1.0.3-noarch-5.txt --rw-r--r-- 1 root root 11960 2021-02-13 13:19 ./slackware64/x/font-dec-misc-1.0.3-noarch-5.txz --rw-r--r-- 1 root root 163 2021-02-13 13:19 ./slackware64/x/font-dec-misc-1.0.3-noarch-5.txz.asc --rw-r--r-- 1 root root 399 2021-02-13 13:20 ./slackware64/x/font-ibm-type1-1.0.3-noarch-5.txt --rw-r--r-- 1 root root 287512 2021-02-13 13:20 ./slackware64/x/font-ibm-type1-1.0.3-noarch-5.txz --rw-r--r-- 1 root root 163 2021-02-13 13:20 ./slackware64/x/font-ibm-type1-1.0.3-noarch-5.txz.asc --rw-r--r-- 1 root root 397 2021-02-13 13:20 ./slackware64/x/font-isas-misc-1.0.3-noarch-5.txt --rw-r--r-- 1 root root 806412 2021-02-13 13:20 ./slackware64/x/font-isas-misc-1.0.3-noarch-5.txz +-rw-r--r-- 1 root root 163 2021-02-13 13:19 ./slackware64/x/font-cursor-misc-1.0.3-noarch-5.txz.asc +-rw-r--r-- 1 root root 423 2021-02-13 13:19 ./slackware64/x/font-daewoo-misc-1.0.3-noarch-5.txt +-rw-r--r-- 1 root root 669264 2021-02-13 13:19 ./slackware64/x/font-daewoo-misc-1.0.3-noarch-5.txz +-rw-r--r-- 1 root root 163 2021-02-13 13:19 ./slackware64/x/font-daewoo-misc-1.0.3-noarch-5.txz.asc +-rw-r--r-- 1 root root 384 2021-02-13 13:19 
./slackware64/x/font-dec-misc-1.0.3-noarch-5.txt +-rw-r--r-- 1 root root 11960 2021-02-13 13:19 ./slackware64/x/font-dec-misc-1.0.3-noarch-5.txz +-rw-r--r-- 1 root root 163 2021-02-13 13:19 ./slackware64/x/font-dec-misc-1.0.3-noarch-5.txz.asc +-rw-r--r-- 1 root root 399 2021-02-13 13:20 ./slackware64/x/font-ibm-type1-1.0.3-noarch-5.txt +-rw-r--r-- 1 root root 287512 2021-02-13 13:20 ./slackware64/x/font-ibm-type1-1.0.3-noarch-5.txz +-rw-r--r-- 1 root root 163 2021-02-13 13:20 ./slackware64/x/font-ibm-type1-1.0.3-noarch-5.txz.asc +-rw-r--r-- 1 root root 397 2021-02-13 13:20 ./slackware64/x/font-isas-misc-1.0.3-noarch-5.txt +-rw-r--r-- 1 root root 806412 2021-02-13 13:20 ./slackware64/x/font-isas-misc-1.0.3-noarch-5.txz -rw-r--r-- 1 root root 163 2021-02-13 13:20 ./slackware64/x/font-isas-misc-1.0.3-noarch-5.txz.asc -rw-r--r-- 1 root root 384 2021-02-13 13:20 ./slackware64/x/font-jis-misc-1.0.3-noarch-5.txt -rw-r--r-- 1 root root 544580 2021-02-13 13:20 ./slackware64/x/font-jis-misc-1.0.3-noarch-5.txz 
@@ -15064,21 +15079,21 @@ drwxr-xr-x 2 root root 12288 2020-05-18 17:50 ./source/x/x11/slack-desc -rw-r--r-- 1 root root 947 2018-02-26 22:59 ./source/x/x11/slack-desc/xev -rw-r--r-- 1 root root 810 2012-04-08 03:57 ./source/x/x11/slack-desc/xextproto -rw-r--r-- 1 root root 770 2012-04-08 03:58 ./source/x/x11/slack-desc/xeyes --rw-r--r-- 1 root root 931 2012-04-08 03:58 ./source/x/x11/slack-desc/xf86-input-acecad --rw-r--r-- 1 root root 932 2012-04-08 03:59 ./source/x/x11/slack-desc/xf86-input-aiptek --rw-r--r-- 1 root root 918 2012-04-08 03:59 ./source/x/x11/slack-desc/xf86-input-evdev --rw-r--r-- 1 root root 955 2012-04-08 04:00 ./source/x/x11/slack-desc/xf86-input-joystick --rw-r--r-- 1 root root 945 2018-02-26 23:00 ./source/x/x11/slack-desc/xf86-input-keyboard --rw-r--r-- 1 root root 938 2015-04-21 03:11 ./source/x/x11/slack-desc/xf86-input-libinput --rw-r--r-- 1 root root 895 2018-02-26 23:00 ./source/x/x11/slack-desc/xf86-input-mouse --rw-r--r-- 1 root root 955 2012-04-08 04:02 ./source/x/x11/slack-desc/xf86-input-penmount --rw-r--r-- 1 root root 961 2012-04-08 04:03 ./source/x/x11/slack-desc/xf86-input-synaptics --rw-r--r-- 1 root root 945 2012-04-08 04:03 ./source/x/x11/slack-desc/xf86-input-vmmouse --rw-r--r-- 1 root root 889 2012-04-08 04:03 ./source/x/x11/slack-desc/xf86-input-void --rw-r--r-- 1 root root 843 2018-03-23 18:27 ./source/x/x11/slack-desc/xf86-input-wacom --rw-r--r-- 1 root root 920 2015-11-19 17:17 ./source/x/x11/slack-desc/xf86-video-amdgpu --rw-r--r-- 1 root root 889 2012-04-08 04:04 ./source/x/x11/slack-desc/xf86-video-apm --rw-r--r-- 1 root root 882 2012-04-08 04:05 ./source/x/x11/slack-desc/xf86-video-ark +-rw-r--r-- 1 root root 931 2012-04-08 03:58 ./source/x/x11/slack-desc/xf86-input-acecad +-rw-r--r-- 1 root root 932 2012-04-08 03:59 ./source/x/x11/slack-desc/xf86-input-aiptek +-rw-r--r-- 1 root root 918 2012-04-08 03:59 ./source/x/x11/slack-desc/xf86-input-evdev +-rw-r--r-- 1 root root 955 2012-04-08 04:00 
./source/x/x11/slack-desc/xf86-input-joystick +-rw-r--r-- 1 root root 945 2018-02-26 23:00 ./source/x/x11/slack-desc/xf86-input-keyboard +-rw-r--r-- 1 root root 938 2015-04-21 03:11 ./source/x/x11/slack-desc/xf86-input-libinput +-rw-r--r-- 1 root root 895 2018-02-26 23:00 ./source/x/x11/slack-desc/xf86-input-mouse +-rw-r--r-- 1 root root 955 2012-04-08 04:02 ./source/x/x11/slack-desc/xf86-input-penmount +-rw-r--r-- 1 root root 961 2012-04-08 04:03 ./source/x/x11/slack-desc/xf86-input-synaptics +-rw-r--r-- 1 root root 945 2012-04-08 04:03 ./source/x/x11/slack-desc/xf86-input-vmmouse +-rw-r--r-- 1 root root 889 2012-04-08 04:03 ./source/x/x11/slack-desc/xf86-input-void +-rw-r--r-- 1 root root 843 2018-03-23 18:27 ./source/x/x11/slack-desc/xf86-input-wacom +-rw-r--r-- 1 root root 920 2015-11-19 17:17 ./source/x/x11/slack-desc/xf86-video-amdgpu +-rw-r--r-- 1 root root 889 2012-04-08 04:04 ./source/x/x11/slack-desc/xf86-video-apm +-rw-r--r-- 1 root root 882 2012-04-08 04:05 ./source/x/x11/slack-desc/xf86-video-ark -rw-r--r-- 1 root root 895 2012-04-08 04:05 ./source/x/x11/slack-desc/xf86-video-ast -rw-r--r-- 1 root root 887 2012-04-08 04:05 ./source/x/x11/slack-desc/xf86-video-ati -rw-r--r-- 1 root root 914 2012-04-08 04:06 ./source/x/x11/slack-desc/xf86-video-chips diff --git a/patches/packages/openssh-9.2p1-x86_64-1_slack15.0.txt b/patches/packages/openssh-9.2p1-x86_64-1_slack15.0.txt new file mode 100644 index 000000000..dca51ed45 --- /dev/null +++ b/patches/packages/openssh-9.2p1-x86_64-1_slack15.0.txt 
@@ -0,0 +1,11 @@
+openssh: openssh (Secure Shell daemon and clients)
+openssh:
+openssh: ssh (Secure Shell) is a program for logging into a remote machine and
+openssh: for executing commands on a remote machine. It is intended to replace
+openssh: rlogin and rsh, and provide secure encrypted communications between
+openssh: two untrusted hosts over an insecure network. sshd (SSH Daemon) is
+openssh: the daemon program for ssh. OpenSSH is based on the last free version
+openssh: of Tatu Ylonen's SSH, further enhanced and cleaned up by Aaron
+openssh: Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo de Raadt, and
+openssh: Dug Song. It has a homepage at http://www.openssh.com/
+openssh:
diff --git a/patches/source/openssh/doinst.sh b/patches/source/openssh/doinst.sh
new file mode 100644
index 000000000..ba1d1cdd3
--- /dev/null
+++ b/patches/source/openssh/doinst.sh
@@ -0,0 +1,53 @@
+config() {
+ NEW="$1"
+ OLD="`dirname $NEW`/`basename $NEW .new`"
+ # If there's no config file by that name, mv it over:
+ if [ ! -r $OLD ]; then
+ mv $NEW $OLD
+ elif [ "`cat $OLD | md5sum`" = "`cat $NEW | md5sum`" ]; then # toss the redundant copy
+ rm $NEW
+ fi
+ # Otherwise, we leave the .new copy for the admin to consider...
+}
+preserve_perms() {
+ NEW="$1"
+ OLD="$(dirname ${NEW})/$(basename ${NEW} .new)"
+ if [ -e ${OLD} ]; then
+ cp -a ${OLD} ${NEW}.incoming
+ cat ${NEW} > ${NEW}.incoming
+ touch -r ${NEW} ${NEW}.incoming
+ mv ${NEW}.incoming ${NEW}
+ fi
+ config ${NEW}
+}
+
+if [ -r etc/pam.d/sshd.new ]; then
+ config etc/pam.d/sshd.new
+fi
+config etc/default/sshd.new
+config etc/ssh/ssh_config.new
+config etc/ssh/sshd_config.new
+preserve_perms etc/rc.d/rc.sshd.new
+if [ -e etc/rc.d/rc.sshd.new ]; then
+ mv etc/rc.d/rc.sshd.new etc/rc.d/rc.sshd
+fi
+
+# If the sshd user/group/shadow don't exist, add them:
+
+if ! grep -q "^sshd:" etc/passwd ; then
+ echo "sshd:x:33:33:sshd:/:" >> etc/passwd
+fi
+
+if ! grep -q "^sshd:" etc/group ; then
+ echo "sshd::33:sshd" >> etc/group
+fi
+
+if ! grep -q "^sshd:" etc/shadow ; then
+ echo "sshd:*:9797:0:::::" >> etc/shadow
+fi
+
+# Add a btmp file to store login failure if one doesn't exist:
+if [ ! -r var/log/btmp ]; then
+ ( cd var/log ; umask 077 ; touch btmp )
+fi
+
diff --git a/patches/source/openssh/openssh.SlackBuild b/patches/source/openssh/openssh.SlackBuild
new file mode 100755
index 000000000..aa6b09b87
--- /dev/null
+++ b/patches/source/openssh/openssh.SlackBuild
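Review bot: In doinst.sh, the passwd entry appended for the privilege-separation account, `echo "sshd:x:33:33:sshd:/:" >> etc/passwd`, leaves the login-shell field empty, which passwd(5) treats as /bin/sh. The shadow entry added a few lines below locks the password with `*`, so this is defence in depth rather than an open door, but an account that exists only for privsep should carry a non-interactive shell, e.g. `echo "sshd:x:33:33:sshd:/:/bin/false" >> etc/passwd`. Separately, `config()` and `preserve_perms()` expand `$NEW` and `$OLD` unquoted; the paths passed in this script contain no whitespace, so that is a style point, but quoting them (`mv "$NEW" "$OLD"`) would keep the helpers safe if they are reused with other paths.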
@@ -0,0 +1,206 @@
+#!/bin/bash
+
+# Copyright 2000 BSDi, Inc. Concord, CA, USA
+# Copyright 2001, 2002, 2003, 2004 Slackware Linux, Inc. Concord, CA, USA
+# Copyright 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2018, 2020, 2021 Patrick J. Volkerding, Sebeka, MN, USA
+# All rights reserved.
+#
+# Redistribution and use of this script, with or without modification, is
+# permitted provided that the following conditions are met:
+#
+# 1. Redistributions of this script must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
+# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+cd $(dirname $0) ; CWD=$(pwd)
+
+# Set initial variables:
+TMP=${TMP:-/tmp}
+PKG=$TMP/package-openssh
+
+PKGNAM=openssh
+VERSION=${VERSION:-$(echo openssh-*.tar.?z | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
+BUILD=${BUILD:-1_slack15.0}
+
+NUMJOBS=${NUMJOBS:-" -j$(expr $(nproc) + 1) "}
+
+# Automatically determine the architecture we're building on:
+if [ -z "$ARCH" ]; then
+ case "$( uname -m )" in
+ i?86) export ARCH=i586 ;;
+ arm*) export ARCH=arm ;;
+ # Unless $ARCH is already set, use uname -m for all other archs:
+ *) export ARCH=$( uname -m ) ;;
+ esac
+fi
+
+# If the variable PRINT_PACKAGE_NAME is set, then this script will report what
+# the name of the created package would be, and then exit. This information
+# could be useful to other scripts.
+if [ ! -z "${PRINT_PACKAGE_NAME}" ]; then
+ echo "$PKGNAM-$VERSION-$ARCH-$BUILD.txz"
+ exit 0
+fi
+
+if [ "$ARCH" = "i586" ]; then
+ SLKCFLAGS="-O2 -march=i586 -mtune=i686"
+ LIBDIRSUFFIX=""
+elif [ "$ARCH" = "s390" ]; then
+ SLKCFLAGS="-O2"
+ LIBDIRSUFFIX=""
+elif [ "$ARCH" = "x86_64" ]; then
+ SLKCFLAGS="-O2 -fPIC"
+ LIBDIRSUFFIX="64"
+elif [ "$ARCH" = "arm" ]; then
+ SLKCFLAGS="-O2 -march=armv4 -mtune=xscale"
+ LIBDIRSUFFIX=""
+elif [ "$ARCH" = "armel" ]; then
+ SLKCFLAGS="-O2 -march=armv4t"
+ LIBDIRSUFFIX=""
+else
+ SLKCFLAGS="-O2"
+ LIBDIRSUFFIX=""
+fi
+
+# Clean target location:
+rm -rf $PKG
+mkdir -p $PKG
+
+# Prepare the framework and extract the package:
+cd $TMP
+rm -rf $PKG openssh-$VERSION
+tar xvf $CWD/openssh-$VERSION.tar.?z || tar xvf $CWD/openssh-$VERSION.tar.bz2 || exit 1
+cd openssh-$VERSION || exit 1
+chown -R root:root .
+
+# Restore support for tcpwrappers:
+zcat $CWD/openssh.tcp_wrappers.diff.gz | patch -p1 --verbose || exit 1
+
+# Choose correct options depending on whether PAM is installed:
+if [ -L /lib${LIBDIRSUFFIX}/libpam.so.? ]; then
+ PAM_OPTIONS="--with-pam --with-kerberos5"
+ unset SHADOW_OPTIONS
+ # Enable PAM in sshd_config:
+ zcat $CWD/sshd_config-pam.diff.gz | patch -p1 --verbose || exit 1
+else
+ unset PAM_OPTIONS
+ SHADOW_OPTIONS="--without-pam"
+fi
+
+autoreconf -vif
+
+# Compile package:
+CFLAGS="$SLKCFLAGS" \
+./configure \
+ --prefix=/usr \
+ --mandir=/usr/man \
+ --sysconfdir=/etc/ssh \
+ $PAM_OPTIONS \
+ $SHADOW_OPTIONS \
+ --with-md5-passwords \
+ --with-libedit \
+ --with-tcp-wrappers \
+ --with-default-path=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin \
+ --with-privsep-path=/var/empty \
+ --with-privsep-user=sshd \
+ --build=$ARCH-slackware-linux || exit 1
+
+make $NUMJOBS || make || exit 1
+
+# Install the package:
+make install DESTDIR=$PKG || exit 1
+
+find $PKG | xargs file | grep -e "executable" -e "shared object" | grep ELF \
+ | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null
+
+# Compress and if needed symlink the man pages:
+if [ -d $PKG/usr/man ]; then
+ ( cd $PKG/usr/man
+ for manpagedir in $(find . -type d -name "man*") ; do
+ ( cd $manpagedir
+ for eachpage in $( find . -type l -maxdepth 1) ; do
+ ln -s $( readlink $eachpage ).gz $eachpage.gz
+ rm $eachpage
+ done
+ gzip -9 *.?
+ )
+ done
+ )
+fi
+
+# Install directory used with PrivilegeSeparation option:
+mkdir -p $PKG/var/empty
+chmod 755 $PKG/var/empty
+
+# Install defaults file
+mkdir -p $PKG/etc/default
+cat $CWD/sshd.default > $PKG/etc/default/sshd.new
+
+# Install docs:
+mkdir -p $PKG/usr/doc/openssh-$VERSION
+cp -a \
+ CREDITS ChangeLog INSTALL LICENCE OVERVIEW \
+ README README.privsep README.smartcard RFC.nroff TODO WARNING.RNG \
+ $PKG/usr/doc/openssh-$VERSION
+chmod 644 $PKG/usr/doc/openssh-$VERSION/*
+
+# If there's a ChangeLog, installing at least part of the recent history
+# is useful, but don't let it get totally out of control:
+if [ -r ChangeLog ]; then
+ DOCSDIR=$(echo $PKG/usr/doc/*-$VERSION)
+ cat ChangeLog | head -n 1000 > $DOCSDIR/ChangeLog
+ touch -r ChangeLog $DOCSDIR/ChangeLog
+fi
+
+# Install also 'ssh-copy-id' and its manpage from contrib:
+( cd contrib
+ cp -a ssh-copy-id $PKG/usr/bin/ssh-copy-id
+ chmod 755 $PKG/usr/bin/ssh-copy-id
+ cat ssh-copy-id.1 | gzip -9c > $PKG/usr/man/man1/ssh-copy-id.1.gz
+)
+
+( cd $PKG
+
+ # Ditch the new host keys, since these have to be uniquely prepared on each machine:
+ rm -f etc/ssh/ssh_host_dsa_key
+ rm -f etc/ssh/ssh_host_dsa_key.pub
+ rm -f etc/ssh/ssh_host_rsa_key
+ rm -f etc/ssh/ssh_host_rsa_key.pub
+ rm -f etc/ssh/ssh_host_key
+ rm -f etc/ssh/ssh_host_key.pub
+
+ # Set up the config script installation:
+ mv etc/ssh/ssh_config etc/ssh/ssh_config.new
+ mv etc/ssh/sshd_config etc/ssh/sshd_config.new
+
+ # Add the init script:
+ mkdir -p etc/rc.d
+ cat $CWD/rc.sshd > etc/rc.d/rc.sshd.new
+ chmod 755 etc/rc.d/rc.sshd.new
+
+ if [ ! -z "$PAM_OPTIONS" ]; then
+ # Add the pam stuff:
+ mkdir -p etc/pam.d
+ cat $CWD/sshd.pam > etc/pam.d/sshd.new
+ fi
+
+ # Copy runtime installation files:
+ mkdir -p install
+ zcat $CWD/doinst.sh.gz > install/doinst.sh
+ cat $CWD/slack-desc > install/slack-desc
+)
+
+# Create the package itself:
+cd $PKG
+/sbin/makepkg -l y -c n $TMP/openssh-$VERSION-$ARCH-$BUILD.txz
+
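Review bot: The source tarball is unpacked with `tar xvf $CWD/openssh-$VERSION.tar.?z` without any check of the detached signature that ships next to it (FILELIST.TXT in this commit lists `openssh-9.2p1.tar.gz.asc`). A step such as `gpg --verify $CWD/openssh-$VERSION.tar.gz.asc $CWD/openssh-$VERSION.tar.gz || exit 1` before extraction would tie the build to the upstream release key, assuming that key is present in the builder's keyring. The host-key cleanup near the end removes only the dsa, rsa and legacy `ssh_host_key` files, while rc.sshd in this same commit also creates ecdsa and ed25519 keys; `rm -f etc/ssh/ssh_host_*key etc/ssh/ssh_host_*key.pub` would cover every type, so a key that ever got generated during `make install` could not be packaged and shared across machines. `autoreconf -vif` is also the one build step here without `|| exit 1`.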
diff --git a/patches/source/openssh/openssh.tcp_wrappers.diff b/patches/source/openssh/openssh.tcp_wrappers.diff
new file mode 100644
index 000000000..3b530a5b7
--- /dev/null
+++ b/patches/source/openssh/openssh.tcp_wrappers.diff
@@ -0,0 +1,139 @@
+--- ./sshd.8.orig 2022-02-23 05:31:11.000000000 -0600
++++ ./sshd.8 2022-02-24 13:28:36.533888569 -0600
+@@ -908,6 +908,12 @@
+ This file should be writable only by the user, and need not be
+ readable by anyone else.
+ .Pp
++.It Pa /etc/hosts.allow
++.It Pa /etc/hosts.deny
++Access controls that should be enforced by tcp-wrappers are defined here.
++Further details are described in
++.Xr hosts_access 5 .
++.Pp
+ .It Pa /etc/hosts.equiv
+ This file is for host-based authentication (see
+ .Xr ssh 1 ) .
+@@ -1010,6 +1016,7 @@
+ .Xr ssh-keygen 1 ,
+ .Xr ssh-keyscan 1 ,
+ .Xr chroot 2 ,
++.Xr hosts_access 5 ,
+ .Xr login.conf 5 ,
+ .Xr moduli 5 ,
+ .Xr sshd_config 5 ,
+--- ./configure.ac.orig 2022-02-23 05:31:11.000000000 -0600
++++ ./configure.ac 2022-02-24 13:30:10.535883370 -0600
+@@ -1599,6 +1599,62 @@
+ AC_MSG_RESULT([no])
+ fi
+
++# Check whether user wants TCP wrappers support
++TCPW_MSG="no"
++AC_ARG_WITH([tcp-wrappers],
++ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
++ [
++ if test "x$withval" != "xno" ; then
++ saved_LIBS="$LIBS"
++ saved_LDFLAGS="$LDFLAGS"
++ saved_CPPFLAGS="$CPPFLAGS"
++ if test -n "${withval}" && \
++ test "x${withval}" != "xyes"; then
++ if test -d "${withval}/lib"; then
++ if test -n "${need_dash_r}"; then
++ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
++ else
++ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
++ fi
++ else
++ if test -n "${need_dash_r}"; then
++ LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
++ else
++ LDFLAGS="-L${withval} ${LDFLAGS}"
++ fi
++ fi
++ if test -d "${withval}/include"; then
++ CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
++ else
++ CPPFLAGS="-I${withval} ${CPPFLAGS}"
++ fi
++ fi
++ LIBS="-lwrap -lnsl $LIBS"
++ AC_MSG_CHECKING([for libwrap])
++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[
++#include
++#include
++#include
++#include
++int deny_severity = 0, allow_severity = 0;
++ ]], [[
++ hosts_access(0);
++ ]])], [
++ AC_MSG_RESULT([yes])
++ AC_DEFINE([LIBWRAP], [1],
++ [Define if you want
++ TCP Wrappers support])
++ SSHDLIBS="$SSHDLIBS -lwrap -lnsl"
++ TCPW_MSG="yes"
++ ], [
++ AC_MSG_ERROR([*** libwrap missing])
++
++ ])
++ LIBS="$saved_LIBS"
++ fi
++ ]
++)
++
+ # Check whether user wants to use ldns
+ LDNS_MSG="no"
+ AC_ARG_WITH(ldns,
+@@ -5593,6 +5649,7 @@
+ echo " OSF SIA support: $SIA_MSG"
+ echo " KerberosV support: $KRB5_MSG"
+ echo " SELinux support: $SELINUX_MSG"
++echo " TCP Wrappers support: $TCPW_MSG"
+ echo " libedit support: $LIBEDIT_MSG"
+ echo " libldns support: $LDNS_MSG"
+ echo " Solaris process contract support: $SPC_MSG"
+--- ./sshd.c.orig 2022-02-23 05:31:11.000000000 -0600
++++ ./sshd.c 2022-02-24 13:28:36.533888569 -0600
+@@ -129,6 +129,13 @@
+ #include "srclimit.h"
+ #include "dh.h"
+
++#ifdef LIBWRAP
++#include
++#include
++int allow_severity;
++int deny_severity;
++#endif /* LIBWRAP */
++
+ /* Re-exec fds */
+ #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
+ #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
+@@ -2138,6 +2145,26 @@
+ the_active_state = ssh;
+ ssh_packet_set_server(ssh);
+
++/* Moved LIBWRAP check here */
++#ifdef LIBWRAP
++ allow_severity = options.log_facility|LOG_INFO;
++ deny_severity = options.log_facility|LOG_WARNING;
++ /* Check whether logins are denied from this host. */
++ if (ssh_packet_connection_is_on_socket(ssh)) { /* This check must be after ssh_packet_set_connection() */
++ struct request_info req;
++
++ request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
++ fromhost(&req);
++
++ if (!hosts_access(&req)) {
++ debug("Connection refused by tcp wrapper");
++ refuse(&req);
++ /* NOTREACHED */
++ fatal("libwrap refuse returns");
++ }
++ }
++#endif /* LIBWRAP */
++
+ check_ip_options(ssh);
+
+ /* Prepare the channels layer */
diff --git a/patches/source/openssh/openssh.url b/patches/source/openssh/openssh.url
new file mode 100644
index 000000000..9c8a0ceaf
--- /dev/null
+++ b/patches/source/openssh/openssh.url
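Review bot: In the sshd.c part of the carried tcp_wrappers patch, `allow_severity = options.log_facility|LOG_INFO;` and the matching `deny_severity` line OR a syslog(3) level into `options.log_facility`; if that field is OpenSSH's internal SyslogFacility enum rather than a syslog `LOG_*` facility constant (its declaration is not visible here), the result is not the intended facility/level pair and libwrap's refusal records could be logged at a different level than expected. Those records are what tells an operator that hosts.deny blocked a connection, so it is worth confirming the value against log.h and, if needed, mapping the facility to its syslog constant before the OR. The sshd.8 text added by the same patch could also state that rules in /etc/hosts.allow and /etc/hosts.deny are matched against the daemon name passed to `request_init()` (`__progname`), so that administrators key their rules on the installed binary name. The enclosing function in sshd.c starts and ends outside the nested hunk.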
@@ -0,0 +1 @@
+https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/
diff --git a/patches/source/openssh/rc.sshd b/patches/source/openssh/rc.sshd
new file mode 100644
index 000000000..eea6c6a74
--- /dev/null
+++ b/patches/source/openssh/rc.sshd
@@ -0,0 +1,64 @@
+#!/bin/sh
+# Start/stop/restart the secure shell server:
+
+# Source options
+if [ -r /etc/default/sshd ]; then
+ . /etc/default/sshd
+fi
+
+sshd_start() {
+ # Create host keys if needed.
+ if [ ! -f /etc/ssh/ssh_host_dsa_key ]; then
+ /usr/bin/ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ''
+ fi
+ if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then
+ /usr/bin/ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ''
+ fi
+ if [ ! -f /etc/ssh/ssh_host_ecdsa_key ]; then
+ /usr/bin/ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -N ''
+ fi
+ if [ ! -f /etc/ssh/ssh_host_ed25519_key ]; then
+ /usr/bin/ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ''
+ fi
+ # Catch any new host key types not yet created above:
+ /usr/bin/ssh-keygen -A
+ # Start the sshd daemon:
+ /usr/sbin/sshd $SSHD_OPTS
+}
+
+sshd_stop() {
+ killall sshd
+}
+
+sshd_restart() {
+ if [ -r /var/run/sshd.pid ]; then
+ echo "WARNING: killing listener process only. To kill every sshd process, you must"
+ echo " use 'rc.sshd stop'. 'rc.sshd restart' kills only the parent sshd to"
+ echo " allow an admin logged in through sshd to use 'rc.sshd restart' without"
+ echo " being cut off. If sshd has been upgraded, new connections will now"
+ echo " use the new version, which should be a safe enough approach."
+ kill `cat /var/run/sshd.pid`
+ else
+ echo "WARNING: There does not appear to be a parent instance of sshd running."
+ echo " If you really want to kill all running instances of sshd (including"
+ echo " any sessions currently in use), run '/etc/rc.d/rc.sshd stop' instead."
+ exit 1
+ fi
+ sleep 1
+ sshd_start
+}
+
+case "$1" in
+'start')
+ sshd_start
+ ;;
+'stop')
+ sshd_stop
+ ;;
+'restart')
+ sshd_restart
+ ;;
+*)
+ echo "usage $0 start|stop|restart"
+esac
+
diff --git a/patches/source/openssh/slack-desc b/patches/source/openssh/slack-desc
new file mode 100644
index 000000000..6d5aec5e6
--- /dev/null
+++ b/patches/source/openssh/slack-desc
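Review bot: `sshd_start` still generates a DSA host key (`/usr/bin/ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ''`), although DSA keys are limited to 1024 bits and OpenSSH has disabled the ssh-dss algorithm by default since 7.0, so the key is normally never offered and only leaves a weak private key in /etc/ssh. I would delete the `if [ ! -f /etc/ssh/ssh_host_dsa_key ]` block and let the explicit RSA/ECDSA/Ed25519 blocks and the `ssh-keygen -A` call cover host keys. Separately, the `*)` arm of the `case` prints the usage line but exits with status 0; adding `exit 1` after the `echo` lets callers detect a bad argument.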
@@ -0,0 +1,19 @@
+# HOW TO EDIT THIS FILE:
+# The "handy ruler" below makes it easier to edit a package description. Line
+# up the first '|' above the ':' following the base package name, and the '|' on
+# the right side marks the last column you can put a character in. You must make
+# exactly 11 lines for the formatting to be correct. It's also customary to
+# leave one space after the ':'.
+
+ |-----handy-ruler------------------------------------------------------|
+openssh: openssh (Secure Shell daemon and clients)
+openssh:
+openssh: ssh (Secure Shell) is a program for logging into a remote machine and
+openssh: for executing commands on a remote machine. It is intended to replace
+openssh: rlogin and rsh, and provide secure encrypted communications between
+openssh: two untrusted hosts over an insecure network. sshd (SSH Daemon) is
+openssh: the daemon program for ssh. OpenSSH is based on the last free version
+openssh: of Tatu Ylonen's SSH, further enhanced and cleaned up by Aaron
+openssh: Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo de Raadt, and
+openssh: Dug Song. It has a homepage at http://www.openssh.com/
+openssh:
diff --git a/patches/source/openssh/sshd.default b/patches/source/openssh/sshd.default
new file mode 100644
index 000000000..6cab3ba31
--- /dev/null
+++ b/patches/source/openssh/sshd.default
@@ -0,0 +1,10 @@
+# Optional arguments to start sshd with.
+#
+# Note that using the -p flag causes any Port directives
+# in sshd_config(5) to be ignored.
+#
+# If you want to run sshd on non-standard port(s), use:
+#SSHD_OPTS="-p 12345 -p 6789"
+#
+# If you want to use non-standard sshd_config, use:
+#SSHD_OPTS="-f /some/other/sshd_config"
diff --git a/patches/source/openssh/sshd.pam b/patches/source/openssh/sshd.pam
new file mode 100644
index 000000000..cc188fa56
--- /dev/null
+++ b/patches/source/openssh/sshd.pam
@@ -0,0 +1,23 @@
+#%PAM-1.0
+# pam_securetty.so is commented out since sshd already does a good job of
+# protecting itself. You may uncomment it if you like, but then you may
+# need to add additional consoles to /etc/securetty if you want to allow
+# root logins on them, such as: ssh, pts/0, :0, etc
+#auth required pam_securetty.so
+# When using pam_faillock, print a message to the user if the account is
+# locked. This lets the user know what is going on, but it also potentially
+# gives additional information to attackers:
+#auth requisite pam_faillock.so preauth
+auth include system-auth
+# To set a limit on failed authentications, the pam_faillock module
+# can be enabled. See pam_faillock(8) for more information.
+#auth [default=die] pam_faillock.so authfail
+#auth sufficient pam_faillock.so authsucc
+auth include postlogin
+account required pam_nologin.so
+account include system-auth
+password include system-auth
+session include system-auth
+session include postlogin
+session required pam_loginuid.so
+-session optional pam_elogind.so
diff --git a/patches/source/openssh/sshd_config-pam.diff b/patches/source/openssh/sshd_config-pam.diff
new file mode 100644
index 000000000..ec3cab2d1
--- /dev/null
+++ b/patches/source/openssh/sshd_config-pam.diff
@@ -0,0 +1,11 @@
+--- ./sshd_config.orig 2021-08-19 23:03:49.000000000 -0500
++++ ./sshd_config 2021-08-20 22:22:55.125351390 -0500
+@@ -79,7 +79,7 @@
+ # If you just want the PAM account and session checks to run without
+ # PAM authentication, then enable this but set PasswordAuthentication
+ # and KbdInteractiveAuthentication to 'no'.
+-#UsePAM no
++UsePAM yes
+
+ #AllowAgentForwarding yes
+ #AllowTcpForwarding yes
diff --git a/recompress.sh b/recompress.sh
index 9ea60085e..eb03ac964 100755
--- a/recompress.sh
+++ b/recompress.sh
@@ -1277,6 +1277,9 @@ gzip ./patches/source/polkit/CVE-2021-4115.patch
 gzip ./patches/source/polkit/doinst.sh
 gzip ./patches/source/polkit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683.patch
 gzip ./patches/source/polkit/0001-configure-fix-elogind-support.patch
+gzip ./patches/source/openssh/openssh.tcp_wrappers.diff
+gzip ./patches/source/openssh/sshd_config-pam.diff
+gzip ./patches/source/openssh/doinst.sh
 gzip ./patches/source/bind/doinst.sh
 gzip ./patches/source/pidgin/fix-gmain_h-compile-error.diff
 gzip ./patches/source/pidgin/doinst.sh