Thu Feb 2 22:52:48 UTC 2023

patches/packages/openssh-9.2p1-x86_64-1_slack15.0.txz:  Upgraded.
  This release contains fixes for two security problems and a memory safety
  problem. The memory safety problem is not believed to be exploitable, but
  upstream reports most network-reachable memory faults as security bugs.
  This update contains some potentially incompatible changes regarding the
  scp utility. For more information, see:
    https://www.openssh.com/releasenotes.html#9.0
  For more information, see:
    https://www.openssh.com/releasenotes.html#9.2
  (* Security fix *)

ChangeLog.rss

@@ -11,9 +11,29 @@
       <description>Tracking Slackware development in git.</description>
       <language>en-us</language>
       <id xmlns="http://www.w3.org/2005/Atom">urn:uuid:c964f45e-6732-11e8-bbe5-107b4450212f</id>
-      <pubDate>Wed,  1 Feb 2023 22:27:31 GMT</pubDate>
+      <pubDate>Thu,  2 Feb 2023 22:52:48 GMT</pubDate>
-      <lastBuildDate>Thu,  2 Feb 2023 12:30:17 GMT</lastBuildDate>
+      <lastBuildDate>Fri,  3 Feb 2023 12:30:19 GMT</lastBuildDate>
       <generator>maintain_current_git.sh v 1.17</generator>
+      <item>
+         <title>Thu,  2 Feb 2023 22:52:48 GMT</title>
+         <pubDate>Thu,  2 Feb 2023 22:52:48 GMT</pubDate>
+         <link>https://git.slackware.nl/current/tag/?h=20230202225248</link>
+         <guid isPermaLink="false">20230202225248</guid>
+         <description>
+           <![CDATA[<pre>
+patches/packages/openssh-9.2p1-x86_64-1_slack15.0.txz:  Upgraded.
+  This release contains fixes for two security problems and a memory safety
+  problem. The memory safety problem is not believed to be exploitable, but
+  upstream reports most network-reachable memory faults as security bugs.
+  This update contains some potentially incompatible changes regarding the
+  scp utility. For more information, see:
+    https://www.openssh.com/releasenotes.html#9.0
+  For more information, see:
+    https://www.openssh.com/releasenotes.html#9.2
+  (* Security fix *)
+           </pre>]]>
+         </description>
+      </item>
       <item>
          <title>Wed,  1 Feb 2023 22:27:31 GMT</title>
          <pubDate>Wed,  1 Feb 2023 22:27:31 GMT</pubDate>

ChangeLog.txt

@@ -1,3 +1,15 @@
+Thu Feb  2 22:52:48 UTC 2023
+patches/packages/openssh-9.2p1-x86_64-1_slack15.0.txz:  Upgraded.
+  This release contains fixes for two security problems and a memory safety
+  problem. The memory safety problem is not believed to be exploitable, but
+  upstream reports most network-reachable memory faults as security bugs.
+  This update contains some potentially incompatible changes regarding the
+  scp utility. For more information, see:
+    https://www.openssh.com/releasenotes.html#9.0
+  For more information, see:
+    https://www.openssh.com/releasenotes.html#9.2
+  (* Security fix *)
++--------------------------+
 Wed Feb  1 22:27:31 UTC 2023
 patches/packages/apr-1.7.2-x86_64-1_slack15.0.txz:  Upgraded.
   This update fixes security issues:

FILELIST.TXT

@@ -1,20 +1,20 @@
-Wed Feb  1 22:31:41 UTC 2023
+Thu Feb  2 22:56:31 UTC 2023
 
 Here is the file list for this directory.  If you are using a 
 mirror site and find missing or extra files in the disk 
 subdirectories, please have the archive administrator refresh
 the mirror.
 
-drwxr-xr-x 12 root root      4096 2023-02-01 22:27 .
+drwxr-xr-x 12 root root      4096 2023-02-02 22:52 .
 -rw-r--r--  1 root root      5767 2022-02-02 22:44 ./ANNOUNCE.15.0
 -rw-r--r--  1 root root     16609 2022-03-30 19:03 ./CHANGES_AND_HINTS.TXT
--rw-r--r--  1 root root   1169262 2023-01-26 00:37 ./CHECKSUMS.md5
+-rw-r--r--  1 root root   1170544 2023-02-01 22:32 ./CHECKSUMS.md5
--rw-r--r--  1 root root       163 2023-01-26 00:37 ./CHECKSUMS.md5.asc
+-rw-r--r--  1 root root       163 2023-02-01 22:32 ./CHECKSUMS.md5.asc
 -rw-r--r--  1 root root     17976 1994-06-10 02:28 ./COPYING
 -rw-r--r--  1 root root     35147 2007-06-30 04:21 ./COPYING3
 -rw-r--r--  1 root root     19573 2016-06-23 20:08 ./COPYRIGHT.TXT
 -rw-r--r--  1 root root       616 2006-10-02 04:37 ./CRYPTO_NOTICE.TXT
--rw-r--r--  1 root root   1983676 2023-02-01 22:27 ./ChangeLog.txt
+-rw-r--r--  1 root root   1984293 2023-02-02 22:52 ./ChangeLog.txt
 drwxr-xr-x  3 root root      4096 2013-03-20 22:17 ./EFI
 drwxr-xr-x  2 root root      4096 2022-02-02 08:21 ./EFI/BOOT
 -rw-r--r--  1 root root   1187840 2021-06-15 19:16 ./EFI/BOOT/bootx64.efi
@@ -25,7 +25,7 @@ drwxr-xr-x  2 root root      4096 2022-02-02 08:21 ./EFI/BOOT
 -rwxr-xr-x  1 root root      2504 2019-07-05 18:54 ./EFI/BOOT/make-grub.sh
 -rw-r--r--  1 root root     10722 2013-09-21 19:02 ./EFI/BOOT/osdetect.cfg
 -rw-r--r--  1 root root      1273 2013-08-12 21:08 ./EFI/BOOT/tools.cfg
--rw-r--r--  1 root root   1528042 2023-01-26 00:37 ./FILELIST.TXT
+-rw-r--r--  1 root root   1529740 2023-02-01 22:31 ./FILELIST.TXT
 -rw-r--r--  1 root root      1572 2012-08-29 18:27 ./GPG-KEY
 -rw-r--r--  1 root root    864745 2022-02-02 08:25 ./PACKAGES.TXT
 -rw-r--r--  1 root root      8034 2022-02-02 03:36 ./README.TXT
@@ -738,13 +738,13 @@ drwxr-xr-x  2 root root      4096 2008-05-07 05:21 ./pasture/source/php/pear
 -rwxr-xr-x  1 root root      9448 2018-05-16 22:38 ./pasture/source/php/php.SlackBuild
 -rw-r--r--  1 root root       775 2017-07-07 19:25 ./pasture/source/php/php.ini-development.diff.gz
 -rw-r--r--  1 root root       830 2005-12-09 05:18 ./pasture/source/php/slack-desc
-drwxr-xr-x  4 root root      4096 2023-02-01 22:31 ./patches
+drwxr-xr-x  4 root root      4096 2023-02-02 22:56 ./patches
--rw-r--r--  1 root root     64683 2023-02-01 22:31 ./patches/CHECKSUMS.md5
+-rw-r--r--  1 root root     65678 2023-02-02 22:56 ./patches/CHECKSUMS.md5
--rw-r--r--  1 root root       163 2023-02-01 22:31 ./patches/CHECKSUMS.md5.asc
+-rw-r--r--  1 root root       163 2023-02-02 22:56 ./patches/CHECKSUMS.md5.asc
--rw-r--r--  1 root root     87851 2023-02-01 22:31 ./patches/FILE_LIST
+-rw-r--r--  1 root root     89152 2023-02-02 22:56 ./patches/FILE_LIST
--rw-r--r--  1 root root  11960342 2023-02-01 22:31 ./patches/MANIFEST.bz2
+-rw-r--r--  1 root root  11982760 2023-02-02 22:56 ./patches/MANIFEST.bz2
--rw-r--r--  1 root root     46653 2023-02-01 22:31 ./patches/PACKAGES.TXT
+-rw-r--r--  1 root root     47509 2023-02-02 22:56 ./patches/PACKAGES.TXT
-drwxr-xr-x  3 root root     20480 2023-02-01 22:31 ./patches/packages
+drwxr-xr-x  3 root root     20480 2023-02-02 22:56 ./patches/packages
 -rw-r--r--  1 root root       327 2022-02-15 05:07 ./patches/packages/aaa_base-15.0-x86_64-4_slack15.0.txt
 -rw-r--r--  1 root root     10716 2022-02-15 05:07 ./patches/packages/aaa_base-15.0-x86_64-4_slack15.0.txz
 -rw-r--r--  1 root root       163 2022-02-15 05:07 ./patches/packages/aaa_base-15.0-x86_64-4_slack15.0.txz.asc
@@ -878,6 +878,9 @@ drwxr-xr-x  2 root root      4096 2022-11-29 21:00 ./patches/packages/linux-5.15
 -rw-r--r--  1 root root       580 2023-01-13 20:05 ./patches/packages/netatalk-3.1.14-x86_64-1_slack15.0.txt
 -rw-r--r--  1 root root    505144 2023-01-13 20:05 ./patches/packages/netatalk-3.1.14-x86_64-1_slack15.0.txz
 -rw-r--r--  1 root root       163 2023-01-13 20:05 ./patches/packages/netatalk-3.1.14-x86_64-1_slack15.0.txz.asc
+-rw-r--r--  1 root root       672 2023-02-02 20:05 ./patches/packages/openssh-9.2p1-x86_64-1_slack15.0.txt
+-rw-r--r--  1 root root   1059960 2023-02-02 20:05 ./patches/packages/openssh-9.2p1-x86_64-1_slack15.0.txz
+-rw-r--r--  1 root root       163 2023-02-02 20:05 ./patches/packages/openssh-9.2p1-x86_64-1_slack15.0.txz.asc
 -rw-r--r--  1 root root       559 2022-11-29 20:36 ./patches/packages/openssl-1.1.1s-x86_64-1_slack15.0.txt
 -rw-r--r--  1 root root   3597816 2022-11-29 20:36 ./patches/packages/openssl-1.1.1s-x86_64-1_slack15.0.txz
 -rw-r--r--  1 root root       163 2022-11-29 20:36 ./patches/packages/openssl-1.1.1s-x86_64-1_slack15.0.txz.asc
@@ -968,7 +971,7 @@ drwxr-xr-x  2 root root      4096 2022-11-29 21:00 ./patches/packages/linux-5.15
 -rw-r--r--  1 root root       388 2022-10-15 04:05 ./patches/packages/zlib-1.2.13-x86_64-1_slack15.0.txt
 -rw-r--r--  1 root root    105356 2022-10-15 04:05 ./patches/packages/zlib-1.2.13-x86_64-1_slack15.0.txz
 -rw-r--r--  1 root root       163 2022-10-15 04:05 ./patches/packages/zlib-1.2.13-x86_64-1_slack15.0.txz.asc
-drwxr-xr-x 66 root root      4096 2023-02-01 22:15 ./patches/source
+drwxr-xr-x 67 root root      4096 2023-02-02 20:22 ./patches/source
 drwxr-xr-x  2 root root      4096 2022-01-16 05:07 ./patches/source/aaa_base
 -rw-r--r--  1 root root     11041 2022-02-15 04:49 ./patches/source/aaa_base/_aaa_base.tar.gz
 -rwxr-xr-x  1 root root      3894 2022-02-15 05:07 ./patches/source/aaa_base/aaa_base.SlackBuild
@@ -1386,6 +1389,18 @@ drwxr-xr-x  2 root root      4096 2023-01-13 20:01 ./patches/source/netatalk
 -rw-r--r--  1 root root        63 2023-01-13 19:51 ./patches/source/netatalk/netatalk.url
 -rw-r--r--  1 root root      1009 2018-09-05 21:12 ./patches/source/netatalk/rc.atalk.new
 -rw-r--r--  1 root root      1036 2018-02-27 06:13 ./patches/source/netatalk/slack-desc
+drwxr-xr-x  2 root root      4096 2023-02-02 19:54 ./patches/source/openssh
+-rw-r--r--  1 root root       593 2020-02-07 03:05 ./patches/source/openssh/doinst.sh.gz
+-rw-r--r--  1 root root   1852380 2023-02-02 12:37 ./patches/source/openssh/openssh-9.2p1.tar.gz
+-rw-r--r--  1 root root       833 2023-02-02 12:37 ./patches/source/openssh/openssh-9.2p1.tar.gz.asc
+-rwxr-xr-x  1 root root      6297 2023-02-02 20:04 ./patches/source/openssh/openssh.SlackBuild
+-rw-r--r--  1 root root      1658 2022-02-24 19:30 ./patches/source/openssh/openssh.tcp_wrappers.diff.gz
+-rw-r--r--  1 root root        54 2020-02-14 19:40 ./patches/source/openssh/openssh.url
+-rw-r--r--  1 root root      1814 2017-07-18 06:51 ./patches/source/openssh/rc.sshd
+-rw-r--r--  1 root root      1127 2018-02-27 06:13 ./patches/source/openssh/slack-desc
+-rw-r--r--  1 root root       318 2017-07-18 18:45 ./patches/source/openssh/sshd.default
+-rw-r--r--  1 root root      1228 2021-09-29 19:00 ./patches/source/openssh/sshd.pam
+-rw-r--r--  1 root root       271 2021-08-21 03:23 ./patches/source/openssh/sshd_config-pam.diff.gz
 drwxr-xr-x  2 root root      4096 2022-11-29 19:13 ./patches/source/openssl
 -rw-r--r--  1 root root      1758 2012-08-08 22:46 ./patches/source/openssl/certwatch.gz
 -rw-r--r--  1 root root       281 2007-06-13 17:20 ./patches/source/openssl/doinst.sh-openssl-solibs.gz

patches/packages/openssh-9.2p1-x86_64-1_slack15.0.txt

@@ -0,0 +1,11 @@
+openssh: openssh (Secure Shell daemon and clients)
+openssh:
+openssh: ssh (Secure Shell) is a program for logging into a remote machine and
+openssh: for executing commands on a remote machine. It is intended to replace
+openssh: rlogin and rsh, and provide secure encrypted communications between
+openssh: two untrusted hosts over an insecure network. sshd (SSH Daemon) is
+openssh: the daemon program for ssh. OpenSSH is based on the last free version
+openssh: of Tatu Ylonen's SSH, further enhanced and cleaned up by Aaron
+openssh: Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo de Raadt, and
+openssh: Dug Song. It has a homepage at http://www.openssh.com/
+openssh:

patches/source/openssh/doinst.sh

@@ -0,0 +1,53 @@
+config() {
+  NEW="$1"
+  OLD="`dirname $NEW`/`basename $NEW .new`"
+  # If there's no config file by that name, mv it over:
+  if [ ! -r $OLD ]; then
+    mv $NEW $OLD
+  elif [ "`cat $OLD | md5sum`" = "`cat $NEW | md5sum`" ]; then # toss the redundant copy
+    rm $NEW
+  fi
+  # Otherwise, we leave the .new copy for the admin to consider...
+}
+preserve_perms() {
+  NEW="$1"
+  OLD="$(dirname ${NEW})/$(basename ${NEW} .new)"
+  if [ -e ${OLD} ]; then
+    cp -a ${OLD} ${NEW}.incoming
+    cat ${NEW} > ${NEW}.incoming
+    touch -r ${NEW} ${NEW}.incoming
+    mv ${NEW}.incoming ${NEW}
+  fi
+  config ${NEW}
+}
+
+if [ -r etc/pam.d/sshd.new ]; then
+  config etc/pam.d/sshd.new
+fi
+config etc/default/sshd.new
+config etc/ssh/ssh_config.new
+config etc/ssh/sshd_config.new
+preserve_perms etc/rc.d/rc.sshd.new
+if [ -e etc/rc.d/rc.sshd.new ]; then
+  mv etc/rc.d/rc.sshd.new etc/rc.d/rc.sshd
+fi
+
+# If the sshd user/group/shadow don't exist, add them:
+
+if ! grep -q "^sshd:" etc/passwd ; then
+  echo "sshd:x:33:33:sshd:/:" >> etc/passwd
+fi
+
+if ! grep -q "^sshd:" etc/group ; then
+  echo "sshd::33:sshd" >> etc/group
+fi
+
+if ! grep -q "^sshd:" etc/shadow ; then
+  echo "sshd:*:9797:0:::::" >> etc/shadow
+fi
+
+# Add a btmp file to store login failure if one doesn't exist:
+if [ ! -r var/log/btmp ]; then
+  ( cd var/log ; umask 077 ; touch btmp )
+fi
+

patches/source/openssh/openssh.SlackBuild

@@ -0,0 +1,206 @@
+#!/bin/bash
+
+# Copyright 2000 BSDi, Inc. Concord, CA, USA
+# Copyright 2001, 2002, 2003, 2004  Slackware Linux, Inc. Concord, CA, USA
+# Copyright 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2018, 2020, 2021  Patrick J. Volkerding, Sebeka, MN, USA
+# All rights reserved.
+#
+# Redistribution and use of this script, with or without modification, is
+# permitted provided that the following conditions are met:
+#
+# 1. Redistributions of this script must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+#
+#  THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
+#  WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+#  MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO
+#  EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+#  PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+#  OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+#  OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+#  ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+cd $(dirname $0) ; CWD=$(pwd)
+
+# Set initial variables:
+TMP=${TMP:-/tmp}
+PKG=$TMP/package-openssh
+
+PKGNAM=openssh
+VERSION=${VERSION:-$(echo openssh-*.tar.?z | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
+BUILD=${BUILD:-1_slack15.0}
+
+NUMJOBS=${NUMJOBS:-" -j$(expr $(nproc) + 1) "}
+
+# Automatically determine the architecture we're building on:
+if [ -z "$ARCH" ]; then
+  case "$( uname -m )" in
+    i?86) export ARCH=i586 ;;
+    arm*) export ARCH=arm ;;
+    # Unless $ARCH is already set, use uname -m for all other archs:
+       *) export ARCH=$( uname -m ) ;;
+  esac
+fi
+
+# If the variable PRINT_PACKAGE_NAME is set, then this script will report what
+# the name of the created package would be, and then exit. This information
+# could be useful to other scripts.
+if [ ! -z "${PRINT_PACKAGE_NAME}" ]; then
+  echo "$PKGNAM-$VERSION-$ARCH-$BUILD.txz"
+  exit 0
+fi
+
+if [ "$ARCH" = "i586" ]; then
+  SLKCFLAGS="-O2 -march=i586 -mtune=i686"
+  LIBDIRSUFFIX=""
+elif [ "$ARCH" = "s390" ]; then
+  SLKCFLAGS="-O2"
+  LIBDIRSUFFIX=""
+elif [ "$ARCH" = "x86_64" ]; then
+  SLKCFLAGS="-O2 -fPIC"
+  LIBDIRSUFFIX="64"
+elif [ "$ARCH" = "arm" ]; then
+  SLKCFLAGS="-O2 -march=armv4 -mtune=xscale"
+  LIBDIRSUFFIX=""
+elif [ "$ARCH" = "armel" ]; then
+  SLKCFLAGS="-O2 -march=armv4t"
+  LIBDIRSUFFIX=""
+else
+  SLKCFLAGS="-O2"
+  LIBDIRSUFFIX=""
+fi
+
+# Clean target location:
+rm -rf $PKG
+mkdir -p $PKG
+
+# Prepare the framework and extract the package:
+cd $TMP
+rm -rf $PKG openssh-$VERSION
+tar xvf $CWD/openssh-$VERSION.tar.?z || tar xvf $CWD/openssh-$VERSION.tar.bz2 || exit 1
+cd openssh-$VERSION || exit 1
+chown -R root:root .
+
+# Restore support for tcpwrappers:
+zcat $CWD/openssh.tcp_wrappers.diff.gz | patch -p1 --verbose || exit 1
+
+# Choose correct options depending on whether PAM is installed:
+if [ -L /lib${LIBDIRSUFFIX}/libpam.so.? ]; then
+  PAM_OPTIONS="--with-pam --with-kerberos5"
+  unset SHADOW_OPTIONS
+  # Enable PAM in sshd_config:
+  zcat $CWD/sshd_config-pam.diff.gz | patch -p1 --verbose || exit 1
+else
+  unset PAM_OPTIONS
+  SHADOW_OPTIONS="--without-pam"
+fi
+
+autoreconf -vif
+
+# Compile package:
+CFLAGS="$SLKCFLAGS" \
+./configure \
+  --prefix=/usr \
+  --mandir=/usr/man \
+  --sysconfdir=/etc/ssh \
+  $PAM_OPTIONS \
+  $SHADOW_OPTIONS \
+  --with-md5-passwords \
+  --with-libedit \
+  --with-tcp-wrappers \
+  --with-default-path=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin \
+  --with-privsep-path=/var/empty \
+  --with-privsep-user=sshd \
+  --build=$ARCH-slackware-linux || exit 1
+
+make $NUMJOBS || make || exit 1
+
+# Install the package:
+make install DESTDIR=$PKG || exit 1
+
+find $PKG | xargs file | grep -e "executable" -e "shared object" | grep ELF \
+  | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null
+
+# Compress and if needed symlink the man pages:
+if [ -d $PKG/usr/man ]; then
+  ( cd $PKG/usr/man
+    for manpagedir in $(find . -type d -name "man*") ; do
+      ( cd $manpagedir
+        for eachpage in $( find . -type l -maxdepth 1) ; do
+          ln -s $( readlink $eachpage ).gz $eachpage.gz
+          rm $eachpage
+        done
+        gzip -9 *.?
+      )
+    done
+  )
+fi
+
+# Install directory used with PrivilegeSeparation option:
+mkdir -p $PKG/var/empty
+chmod 755 $PKG/var/empty
+
+# Install defaults file
+mkdir -p $PKG/etc/default
+cat $CWD/sshd.default > $PKG/etc/default/sshd.new
+
+# Install docs:
+mkdir -p $PKG/usr/doc/openssh-$VERSION
+cp -a \
+  CREDITS ChangeLog INSTALL LICENCE OVERVIEW \
+  README README.privsep README.smartcard RFC.nroff TODO WARNING.RNG \
+  $PKG/usr/doc/openssh-$VERSION
+chmod 644 $PKG/usr/doc/openssh-$VERSION/*
+
+# If there's a ChangeLog, installing at least part of the recent history
+# is useful, but don't let it get totally out of control:
+if [ -r ChangeLog ]; then
+  DOCSDIR=$(echo $PKG/usr/doc/*-$VERSION)
+  cat ChangeLog | head -n 1000 > $DOCSDIR/ChangeLog
+  touch -r ChangeLog $DOCSDIR/ChangeLog
+fi
+
+# Install also 'ssh-copy-id' and its manpage from contrib:
+( cd contrib
+  cp -a ssh-copy-id $PKG/usr/bin/ssh-copy-id
+  chmod 755 $PKG/usr/bin/ssh-copy-id
+  cat ssh-copy-id.1 | gzip -9c > $PKG/usr/man/man1/ssh-copy-id.1.gz
+)
+
+( cd $PKG
+
+  # Ditch the new host keys, since these have to be uniquely prepared on each machine:
+  rm -f etc/ssh/ssh_host_dsa_key
+  rm -f etc/ssh/ssh_host_dsa_key.pub
+  rm -f etc/ssh/ssh_host_rsa_key
+  rm -f etc/ssh/ssh_host_rsa_key.pub
+  rm -f etc/ssh/ssh_host_key
+  rm -f etc/ssh/ssh_host_key.pub
+
+  # Set up the config script installation:
+  mv etc/ssh/ssh_config etc/ssh/ssh_config.new
+  mv etc/ssh/sshd_config etc/ssh/sshd_config.new
+
+  # Add the init script:
+  mkdir -p etc/rc.d
+  cat $CWD/rc.sshd > etc/rc.d/rc.sshd.new
+  chmod 755 etc/rc.d/rc.sshd.new
+
+  if [ ! -z "$PAM_OPTIONS" ]; then
+    # Add the pam stuff:
+    mkdir -p etc/pam.d
+    cat $CWD/sshd.pam > etc/pam.d/sshd.new
+  fi
+
+  # Copy runtime installation files:
+  mkdir -p install
+  zcat $CWD/doinst.sh.gz > install/doinst.sh
+  cat $CWD/slack-desc > install/slack-desc
+)
+
+# Create the package itself:
+cd $PKG
+/sbin/makepkg -l y -c n $TMP/openssh-$VERSION-$ARCH-$BUILD.txz
+

patches/source/openssh/openssh.tcp_wrappers.diff

@@ -0,0 +1,139 @@
+--- ./sshd.8.orig	2022-02-23 05:31:11.000000000 -0600
++++ ./sshd.8	2022-02-24 13:28:36.533888569 -0600
+@@ -908,6 +908,12 @@
+ This file should be writable only by the user, and need not be
+ readable by anyone else.
+ .Pp
++.It Pa /etc/hosts.allow
++.It Pa /etc/hosts.deny
++Access controls that should be enforced by tcp-wrappers are defined here.
++Further details are described in
++.Xr hosts_access 5 .
++.Pp
+ .It Pa /etc/hosts.equiv
+ This file is for host-based authentication (see
+ .Xr ssh 1 ) .
+@@ -1010,6 +1016,7 @@
+ .Xr ssh-keygen 1 ,
+ .Xr ssh-keyscan 1 ,
+ .Xr chroot 2 ,
++.Xr hosts_access 5 ,
+ .Xr login.conf 5 ,
+ .Xr moduli 5 ,
+ .Xr sshd_config 5 ,
+--- ./configure.ac.orig	2022-02-23 05:31:11.000000000 -0600
++++ ./configure.ac	2022-02-24 13:30:10.535883370 -0600
+@@ -1599,6 +1599,62 @@
+ 	AC_MSG_RESULT([no])
+ fi
+ 
++# Check whether user wants TCP wrappers support
++TCPW_MSG="no"
++AC_ARG_WITH([tcp-wrappers],
++	[  --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
++	[
++		if test "x$withval" != "xno" ; then
++			saved_LIBS="$LIBS"
++			saved_LDFLAGS="$LDFLAGS"
++			saved_CPPFLAGS="$CPPFLAGS"
++			if test -n "${withval}" && \
++			    test "x${withval}" != "xyes"; then
++				if test -d "${withval}/lib"; then
++					if test -n "${need_dash_r}"; then
++						LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
++					else
++						LDFLAGS="-L${withval}/lib ${LDFLAGS}"
++					fi
++				else
++					if test -n "${need_dash_r}"; then
++						LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
++					else
++						LDFLAGS="-L${withval} ${LDFLAGS}"
++					fi
++				fi
++				if test -d "${withval}/include"; then
++					CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
++				else
++					CPPFLAGS="-I${withval} ${CPPFLAGS}"
++				fi
++			fi
++			LIBS="-lwrap -lnsl $LIBS"
++			AC_MSG_CHECKING([for libwrap])
++			AC_LINK_IFELSE([AC_LANG_PROGRAM([[
++#include <sys/types.h>
++#include <sys/socket.h>
++#include <netinet/in.h>
++#include <tcpd.h>
++int deny_severity = 0, allow_severity = 0;
++				]], [[
++	hosts_access(0);
++				]])], [
++					AC_MSG_RESULT([yes])
++					AC_DEFINE([LIBWRAP], [1],
++						[Define if you want
++						TCP Wrappers support])
++					SSHDLIBS="$SSHDLIBS -lwrap -lnsl"
++					TCPW_MSG="yes"
++				], [
++					AC_MSG_ERROR([*** libwrap missing])
++				
++			])
++			LIBS="$saved_LIBS"
++		fi
++	]
++)
++
+ # Check whether user wants to use ldns
+ LDNS_MSG="no"
+ AC_ARG_WITH(ldns,
+@@ -5593,6 +5649,7 @@
+ echo "                   OSF SIA support: $SIA_MSG"
+ echo "                 KerberosV support: $KRB5_MSG"
+ echo "                   SELinux support: $SELINUX_MSG"
++echo "              TCP Wrappers support: $TCPW_MSG"
+ echo "                   libedit support: $LIBEDIT_MSG"
+ echo "                   libldns support: $LDNS_MSG"
+ echo "  Solaris process contract support: $SPC_MSG"
+--- ./sshd.c.orig	2022-02-23 05:31:11.000000000 -0600
++++ ./sshd.c	2022-02-24 13:28:36.533888569 -0600
+@@ -129,6 +129,13 @@
+ #include "srclimit.h"
+ #include "dh.h"
+ 
++#ifdef LIBWRAP
++#include <tcpd.h>
++#include <syslog.h>
++int allow_severity;
++int deny_severity;
++#endif /* LIBWRAP */
++
+ /* Re-exec fds */
+ #define REEXEC_DEVCRYPTO_RESERVED_FD	(STDERR_FILENO + 1)
+ #define REEXEC_STARTUP_PIPE_FD		(STDERR_FILENO + 2)
+@@ -2138,6 +2145,26 @@
+ 	the_active_state = ssh;
+ 	ssh_packet_set_server(ssh);
+ 
++/* Moved LIBWRAP check here */
++#ifdef LIBWRAP
++        allow_severity = options.log_facility|LOG_INFO;
++        deny_severity = options.log_facility|LOG_WARNING;
++        /* Check whether logins are denied from this host. */
++        if (ssh_packet_connection_is_on_socket(ssh)) {	/* This check must be after ssh_packet_set_connection() */
++		struct request_info req;
++
++		request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
++		fromhost(&req);
++
++		if (!hosts_access(&req)) {
++			debug("Connection refused by tcp wrapper");
++			refuse(&req);
++			/* NOTREACHED */
++			fatal("libwrap refuse returns");
++		}
++	}
++#endif /* LIBWRAP */
++
+ 	check_ip_options(ssh);
+ 
+ 	/* Prepare the channels layer */

patches/source/openssh/openssh.url

@@ -0,0 +1 @@
+https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/

patches/source/openssh/rc.sshd

@@ -0,0 +1,64 @@
+#!/bin/sh
+# Start/stop/restart the secure shell server:
+
+# Source options
+if [ -r /etc/default/sshd ]; then
+  . /etc/default/sshd
+fi
+
+sshd_start() {
+  # Create host keys if needed.
+  if [ ! -f /etc/ssh/ssh_host_dsa_key ]; then
+    /usr/bin/ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ''
+  fi
+  if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then
+    /usr/bin/ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ''
+  fi
+  if [ ! -f /etc/ssh/ssh_host_ecdsa_key ]; then
+    /usr/bin/ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -N ''
+  fi
+  if [ ! -f /etc/ssh/ssh_host_ed25519_key ]; then
+    /usr/bin/ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ''
+  fi
+  # Catch any new host key types not yet created above:
+  /usr/bin/ssh-keygen -A
+  # Start the sshd daemon:
+  /usr/sbin/sshd $SSHD_OPTS
+}
+
+sshd_stop() {
+  killall sshd
+}
+
+sshd_restart() {
+  if [ -r /var/run/sshd.pid ]; then
+    echo "WARNING: killing listener process only.  To kill every sshd process, you must"
+    echo "         use 'rc.sshd stop'.  'rc.sshd restart' kills only the parent sshd to"
+    echo "         allow an admin logged in through sshd to use 'rc.sshd restart' without"
+    echo "         being cut off.  If sshd has been upgraded, new connections will now"
+    echo "         use the new version, which should be a safe enough approach."
+    kill `cat /var/run/sshd.pid`
+  else
+    echo "WARNING: There does not appear to be a parent instance of sshd running."
+    echo "         If you really want to kill all running instances of sshd (including"
+    echo "         any sessions currently in use), run '/etc/rc.d/rc.sshd stop' instead."
+    exit 1
+  fi
+  sleep 1
+  sshd_start
+}
+
+case "$1" in
+'start')
+  sshd_start
+  ;;
+'stop')
+  sshd_stop
+  ;;
+'restart')
+  sshd_restart
+  ;;
+*)
+  echo "usage $0 start|stop|restart"
+esac
+

patches/source/openssh/slack-desc

@@ -0,0 +1,19 @@
+# HOW TO EDIT THIS FILE:
+# The "handy ruler" below makes it easier to edit a package description. Line
+# up the first '|' above the ':' following the base package name, and the '|' on
+# the right side marks the last column you can put a character in. You must make
+# exactly 11 lines for the formatting to be correct. It's also customary to
+# leave one space after the ':'.
+
+       |-----handy-ruler------------------------------------------------------|
+openssh: openssh (Secure Shell daemon and clients)
+openssh:
+openssh: ssh (Secure Shell) is a program for logging into a remote machine and
+openssh: for executing commands on a remote machine. It is intended to replace
+openssh: rlogin and rsh, and provide secure encrypted communications between
+openssh: two untrusted hosts over an insecure network. sshd (SSH Daemon) is
+openssh: the daemon program for ssh. OpenSSH is based on the last free version
+openssh: of Tatu Ylonen's SSH, further enhanced and cleaned up by Aaron
+openssh: Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo de Raadt, and
+openssh: Dug Song. It has a homepage at http://www.openssh.com/
+openssh:

patches/source/openssh/sshd.default

@@ -0,0 +1,10 @@
+# Optional arguments to start sshd with.
+#
+# Note that using the -p flag causes any Port directives 
+# in sshd_config(5) to be ignored.
+#
+# If you want to run sshd on non-standard port(s), use:
+#SSHD_OPTS="-p 12345 -p 6789"
+#
+# If you want to use non-standard sshd_config, use:
+#SSHD_OPTS="-f /some/other/sshd_config"

patches/source/openssh/sshd.pam

@@ -0,0 +1,23 @@
+#%PAM-1.0
+# pam_securetty.so is commented out since sshd already does a good job of
+# protecting itself. You may uncomment it if you like, but then you may
+# need to add additional consoles to /etc/securetty if you want to allow
+# root logins on them, such as: ssh, pts/0, :0, etc
+#auth            required        pam_securetty.so
+# When using pam_faillock, print a message to the user if the account is
+# locked. This lets the user know what is going on, but it also potentially
+# gives additional information to attackers:
+#auth            requisite       pam_faillock.so preauth
+auth            include         system-auth
+# To set a limit on failed authentications, the pam_faillock module
+# can be enabled. See pam_faillock(8) for more information.
+#auth            [default=die]   pam_faillock.so authfail
+#auth            sufficient      pam_faillock.so authsucc
+auth            include         postlogin
+account         required        pam_nologin.so
+account         include         system-auth
+password        include         system-auth
+session         include         system-auth
+session         include         postlogin
+session         required        pam_loginuid.so
+-session        optional        pam_elogind.so

patches/source/openssh/sshd_config-pam.diff

@@ -0,0 +1,11 @@
+--- ./sshd_config.orig	2021-08-19 23:03:49.000000000 -0500
++++ ./sshd_config	2021-08-20 22:22:55.125351390 -0500
+@@ -79,7 +79,7 @@
+ # If you just want the PAM account and session checks to run without
+ # PAM authentication, then enable this but set PasswordAuthentication
+ # and KbdInteractiveAuthentication to 'no'.
+-#UsePAM no
++UsePAM yes
+ 
+ #AllowAgentForwarding yes
+ #AllowTcpForwarding yes

recompress.sh

@@ -1277,6 +1277,9 @@ gzip ./patches/source/polkit/CVE-2021-4115.patch
 gzip ./patches/source/polkit/doinst.sh
 gzip ./patches/source/polkit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683.patch
 gzip ./patches/source/polkit/0001-configure-fix-elogind-support.patch
+gzip ./patches/source/openssh/openssh.tcp_wrappers.diff
+gzip ./patches/source/openssh/sshd_config-pam.diff
+gzip ./patches/source/openssh/doinst.sh
 gzip ./patches/source/bind/doinst.sh
 gzip ./patches/source/pidgin/fix-gmain_h-compile-error.diff
 gzip ./patches/source/pidgin/doinst.sh