forked from mirrors/nixpkgs
openssh: security 7.3p1 -> 7.4p1
The two removed patches were for issues that should've been fixed. Minor vulnerabilities addressed: CVE-2016-{10009,10010,10011,10012}. https://www.openssh.com/txt/release-7.4
This commit is contained in:
parent
f2df4cef5c
commit
277080fea0
|
@ -1,37 +0,0 @@
|
|||
diff --git a/kex.c b/kex.c
|
||||
index 50c7a0f..823668b 100644
|
||||
--- a/kex.c
|
||||
+++ b/kex.c
|
||||
@@ -419,6 +419,8 @@ kex_input_newkeys(int type, u_int32_t seq, void *ctxt)
|
||||
ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error);
|
||||
if ((r = sshpkt_get_end(ssh)) != 0)
|
||||
return r;
|
||||
+ if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0)
|
||||
+ return r;
|
||||
kex->done = 1;
|
||||
sshbuf_reset(kex->peer);
|
||||
/* sshbuf_reset(kex->my); */
|
||||
diff --git a/packet.c b/packet.c
|
||||
index d6dad2d..f96566b 100644
|
||||
--- a/packet.c
|
||||
+++ b/packet.c
|
||||
@@ -38,7 +38,7 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
-
|
||||
+
|
||||
#include <sys/param.h> /* MIN roundup */
|
||||
#include <sys/types.h>
|
||||
#include "openbsd-compat/sys-queue.h"
|
||||
@@ -1907,9 +1907,7 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
|
||||
return r;
|
||||
return SSH_ERR_PROTOCOL_ERROR;
|
||||
}
|
||||
- if (*typep == SSH2_MSG_NEWKEYS)
|
||||
- r = ssh_set_newkeys(ssh, MODE_IN);
|
||||
- else if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side)
|
||||
+ if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side)
|
||||
r = ssh_packet_enable_delayed_compress(ssh);
|
||||
else
|
||||
r = 0;
|
|
@ -29,11 +29,11 @@ stdenv.mkDerivation rec {
|
|||
# Please ensure that openssh_with_kerberos still builds when
|
||||
# bumping the version here!
|
||||
name = "openssh-${version}";
|
||||
version = "7.3p1";
|
||||
version = "7.4p1";
|
||||
|
||||
src = fetchurl {
|
||||
url = "mirror://openbsd/OpenSSH/portable/${name}.tar.gz";
|
||||
sha256 = "1k5y1wi29d47cgizbryxrhc1fbjsba2x8l5mqfa9b9nadnd9iyrz";
|
||||
sha256 = "1l8r3x4fr2kb6xm95s7kjdif1wp6f94d4kljh4qjj9109shw87qv";
|
||||
};
|
||||
|
||||
prePatch = optionalString hpnSupport
|
||||
|
@ -44,13 +44,11 @@ stdenv.mkDerivation rec {
|
|||
|
||||
patches =
|
||||
[
|
||||
./RH-1380296-NEWKEYS-null-pointer-deref.patch
|
||||
./locale_archive.patch
|
||||
./fix-host-key-algorithms-plus.patch
|
||||
|
||||
# See discussion in https://github.com/NixOS/nixpkgs/pull/16966
|
||||
./dont_create_privsep_path.patch
|
||||
./fix-CVE-2016-8858.patch
|
||||
]
|
||||
++ optional withGssapiPatches gssapiSrc;
|
||||
|
||||
|
|
|
@ -1,11 +0,0 @@
|
|||
diff -u -r1.126 -r1.127
|
||||
--- ssh/kex.c 2016/09/28 21:44:52 1.126
|
||||
+++ ssh/kex.c 2016/10/10 19:28:48 1.127
|
||||
@@ -461,6 +461,7 @@
|
||||
if (kex == NULL)
|
||||
return SSH_ERR_INVALID_ARGUMENT;
|
||||
|
||||
+ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
|
||||
ptr = sshpkt_ptr(ssh, &dlen);
|
||||
if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
|
||||
return r;
|
Loading…
Reference in a new issue