openssh: Update to version 9.3p1

- Update from version 9.2p1 to 9.3p1
- Update of rootfile not required
- Removal of patch as this was only required for i586 builds which are no longer done in
   IPFire
- Changelog
9.3p1 (2023-03-15)
  This release fixes a number of security bugs.
    Security
	This release contains fixes for a security problem and a memory
	safety problem. The memory safety problem is not believed to be
	exploitable, but we report most network-reachable memory faults as
	security bugs.
	 * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the
	   per-hop destination constraints (ssh-add -h ...) added in OpenSSH
	   8.9, a logic error prevented the constraints from being
	   communicated to the agent. This resulted in the keys being added
	   without constraints. The common cases of non-smartcard keys and
	   keys without destination constraints are unaffected. This problem
	   was reported by Luci Stanescu.
	 * ssh(1): Portable OpenSSH provides an implementation of the
	   getrrsetbyname(3) function if the standard library does not
	   provide it, for use by the VerifyHostKeyDNS feature. A
	   specifically crafted DNS response could cause this function to
	   perform an out-of-bounds read of adjacent stack data, but this
	   condition does not appear to be exploitable beyond denial-of-
	   service to the ssh(1) client.
	   The getrrsetbyname(3) replacement is only included if the system's
	   standard library lacks this function and portable OpenSSH was not
	   compiled with the ldns library (--with-ldns). getrrsetbyname(3) is
	   only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This
	   problem was found by the Coverity static analyzer.
    New features
	 * ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256 when
	   outputting SSHFP fingerprints to allow algorithm selection. bz3493
	 * sshd(8): add a `sshd -G` option that parses and prints the
	   effective configuration without attempting to load private keys
	   and perform other checks. This allows usage of the option before
	   keys have been generated and for configuration evaluation and
	   verification by unprivileged users.
    Bugfixes
	 * scp(1), sftp(1): fix progressmeter corruption on wide displays;
	   bz3534
	 * ssh-add(1), ssh-keygen(1): use RSA/SHA256 when testing usability
	   of private keys as some systems are starting to disable RSA/SHA1
	   in libcrypto.
	 * sftp-server(8): fix a memory leak. GHPR363
	 * ssh(1), sshd(8), ssh-keyscan(1): remove vestigal protocol
	   compatibility code and simplify what's left.
	 * Fix a number of low-impact Coverity static analysis findings.
	   These include several reported via bz2687
	 * ssh_config(5), sshd_config(5): mention that some options are not
	   first-match-wins.
	 * Rework logging for the regression tests. Regression tests will now
	   capture separate logs for each ssh and sshd invocation in a test.
	 * ssh(1): make `ssh -Q CASignatureAlgorithms` work as the manpage
	   says it should; bz3532.
	 * ssh(1): ensure that there is a terminating newline when adding a
	   new entry to known_hosts; bz3529
    Portability
	 * sshd(8): harden Linux seccomp sandbox. Move to an allowlist of
	   mmap(2), madvise(2) and futex(2) flags, removing some concerning
	   kernel attack surface.
	 * sshd(8): improve Linux seccomp-bpf sandbox for older systems;
	   bz3537

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>

diff --git a/lfs/openssh b/lfs/openssh
index 89f486a7901aeed7f31063ca8b45b0a708afe74d..5a18edd709e996576c585411d0971d4e2e5334ec 100644 (file)
--- a/lfs/openssh
+++ b/lfs/openssh
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 9.2p1
+VER        = 9.3p1
 
 THISAPP    = openssh-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = 8d0b5e43cb42cba105a1fe303c447a2b85151cb33ec7ed47747d75c5a61d0f07f0ee4b1020b79c13eb8de4b451c5a844a8afc7ebbbea7ffeceafc3bf59cb8d21
+$(DL_FILE)_BLAKE2 = 45578edf98bba3d23c7cefe60d8a7d3079e7c6676459f7422ace7a2461ab96943fbcadb478633a80f40bc098f2435722850b563714adb78b14922be53cb5753d
 
 install : $(TARGET)
 
@@ -71,7 +71,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
        @$(PREBUILD)
        @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
        cd $(DIR_APP) && sed -i "s/lkrb5 -ldes/lkrb5/" configure
-       cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/OpenSSH-8.2p1_glibc-2.31_clock_nanosleep_time64.patch
        cd $(DIR_APP) && ./configure \
                --prefix=/usr \
                --sysconfdir=/etc/ssh \

diff --git a/src/patches/OpenSSH-8.2p1_glibc-2.31_clock_nanosleep_time64.patch b/src/patches/OpenSSH-8.2p1_glibc-2.31_clock_nanosleep_time64.patch
deleted file mode 100644 (file)
index 5199872..0000000
--- a/src/patches/OpenSSH-8.2p1_glibc-2.31_clock_nanosleep_time64.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff -Naur openssh-8.2p1.org/sandbox-seccomp-filter.c openssh-8.2p1/sandbox-seccomp-filter.c
---- openssh-8.2p1.org/sandbox-seccomp-filter.c 2020-04-10 18:14:56.152309584 +0200
-+++ openssh-8.2p1/sandbox-seccomp-filter.c     2020-04-10 21:05:45.827921765 +0200
-@@ -253,6 +253,9 @@
- #endif
- #ifdef __NR_clock_nanosleep_time64
-       SC_ALLOW(__NR_clock_nanosleep_time64),
-+#else
-+      /* on i586 glibc call syscall 407 which is not defined */
-+      SC_ALLOW(407),
- #endif
- #ifdef __NR_clock_gettime64
-       SC_ALLOW(__NR_clock_gettime64),