Commit Graph

126 Commits

Author SHA1 Message Date
Aneesh Agrawal
2e2cbda290 openssh: 7.6p1 -> 7.7p1
Release notes at https://www.openssh.com/txt/release-7.7;
primarily bugfixes.

Update ssh-hpn as well.

Switch to salsa.debian.org (from anonscm.debian.org).
2018-05-23 12:18:15 +03:00
Silvan Mosberger
734bae2036
openssh_hpn: 7.5p1 -> 7.6p1 2018-04-07 00:32:51 +02:00
Graham Christensen
e2a54266c4
openssh: Build with Kerberos by default
This reverts commit 09696e32c390c232ec7ac506df6457fb93c1f536.
which reverted f596aa0f4a
to move it to staging
2018-01-28 16:36:01 -05:00
Graham Christensen
15a4977409
Revert "openssh: Build with Kerberos by default"
This reverts commit a232dd66ee.

Moving to staging
2018-01-28 16:36:01 -05:00
Aneesh Agrawal
716d1612af
openssh: Build with Kerberos by default
This can be disabled with the `withKerberos` flag if desired.
Make the relevant assertions lazy,
so that if an overlay is used to set kerberos to null,
a later override can explicitly set `withKerberos` to false.

Don't build with GSSAPI by default;
the patchset is large and a bit hairy,
and it is reasonable to follow upstream who has not merged it
in not enabling it by default.
2018-01-28 16:36:00 -05:00
Orivej Desh
ac522cbe95
Merge pull request #30137 from aneeshusa/update-openssh-to-7.6p1
openssh: 7.5p1 -> 7.6p1
2017-11-11 01:23:41 +00:00
Aneesh Agrawal
d473ef2ed2 openssh: 7.5p1 -> 7.6p1
Release notes are available at https://www.openssh.com/txt/release-7.6.
Mostly a bugfix release, no major backwards-incompatible changes.
2017-10-06 16:38:18 -04:00
John Ericson
531e4b80c9 misc pkgs: Basic sed to get fix pkgconfig and autoreconfHook buildInputs
Only acts on one-line dependency lists.
2017-09-21 15:49:53 -04:00
Jörg Thalheim
7786aab173 openssh: update gssapi patch 2017-09-12 14:28:33 +01:00
Silvan Mosberger
f5fa5fa4d6 pkgs: refactor needless quoting of homepage meta attribute (#27809)
* pkgs: refactor needless quoting of homepage meta attribute

A lot of packages are needlessly quoting the homepage meta attribute
(about 1400, 22%), this commit refactors all of those instances.

* pkgs: Fixing some links that were wrongfully unquoted in the previous
commit

* Fixed some instances
2017-08-01 22:03:30 +02:00
Thomas Tuegel
c1c314c36f
openssh: unset LD
Commit 093cc00cdd, sets the LD environment
variable by default, but this confuses the openssh Makefile because `configure'
does not respect it.
2017-07-21 15:44:33 -05:00
Vladimír Čunát
445b107d93
openssh: fixup build on Hydra
http://hydra.nixos.org/build/53993444
2017-06-07 09:33:56 +02:00
Tristan Helmich
c395568b7a
openssh_hpn: use new sources and version (7_5_P1)
Close #23990.
2017-04-14 12:22:15 +02:00
Aneesh Agrawal
769b991be6 openssh: 7.4p1 -> 7.5p1
Release notes are available at https://www.openssh.com/txt/release-7.5.
Mostly a bugfix release, no major backwards-incompatible changes.

Remove deprecated `UsePrivilegeSeparation` option,
which is now mandatory.
2017-04-10 19:39:22 -04:00
Vladimír Čunát
0163f0c427
openssh: update the gssapi patch
Only building was tested.
2016-12-29 17:04:58 -05:00
Graham Christensen
11e8ed5ff4
Revert "Revert "openssh: security 7.3p1 -> 7.4p1""
This reverts commit 661b5a9875.
2016-12-29 17:04:39 -05:00
Vladimír Čunát
661b5a9875
Revert "openssh: security 7.3p1 -> 7.4p1"
This reverts commit 277080fea0.

I had tested the server on my physical machine before pushing,
but the openssh test got broken so something is clearly wrong.
http://hydra.nixos.org/build/45500080
2016-12-25 22:15:56 +01:00
Vladimír Čunát
277080fea0
openssh: security 7.3p1 -> 7.4p1
The two removed patches were for issues that should've been fixed.
Minor vulnerabilities addressed: CVE-2016-{10009,10010,10011,10012}.
https://www.openssh.com/txt/release-7.4
2016-12-25 18:42:55 +01:00
Aneesh Agrawal
7374105a96 openssh: Patch CVE-2016-8858
Also add myself as a maintainer.
2016-10-20 14:55:14 -04:00
Graham Christensen
83a8cb1dc2
openssh: apply patch to fix https://bugzilla.redhat.com/show_bug.cgi?id=1380296 2016-10-06 08:54:10 -04:00
Tuomas Tynkkynen
5bf5de58ea treewide: Fix 'lib.optional' misuses
These add a singleton list of a package to buildInputs.
2016-10-01 23:38:06 +03:00
Benjamin Staffin
43dcb662e7 openssh: update gssapi patch, fix the build 2016-09-14 23:35:26 -04:00
Robin Gloster
b7787d932e Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-08-12 09:46:53 +00:00
Aneesh Agrawal
f6eae2efab openssh: 7.2p2 -> 7.3p1 (#17493)
Also remove patch for CVE-2015-8325 that has been fixed upstream.
2016-08-07 19:55:20 +02:00
Robin Gloster
203846b9de Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-07-19 10:37:02 +00:00
Rickard Nilsson
4f8f1c30cb openssh: Use the default privilege separation dir (/var/empty)
(This is a rewritten version of the reverted commit
a927709a35, that disables the creation of
/var/empty during build so that sandboxed builds also works. For more
context, see https://github.com/NixOS/nixpkgs/pull/16966)

If running NixOS inside a container where the host's root-owned files
and directories have been mapped to some other uid (like nobody), the
ssh daemon fails to start, producing this error message:

fatal: /nix/store/...-openssh-7.2p2/empty must be owned by root and not group or world-writable.

The reason for this is that when openssh is built, we explicitly set
`--with-privsep-path=$out/empty`. This commit removes that flag which
causes the default directory /var/empty to be used instead. Since NixOS'
activation script correctly sets up that directory, the ssh daemon now
also works within containers that have a non-root-owned nix store.
2016-07-16 10:15:58 +02:00
Bjørn Forsman
2ad0a84751 Revert "openssh: Use the default privilege separation dir (/var/empty)"
This reverts commit a927709a35 because it
doesn't build:

$ nix-build -A openssh
...
mkdir /nix/store/yl2xap8n1by3dqxgc4rmrc4s753676a3-openssh-7.2p2/libexec
(umask 022 ; ./mkinstalldirs /var/empty)
mkdir /var
mkdir: cannot create directory '/var': Permission denied
mkdir /var/empty
mkdir: cannot create directory '/var/empty': No such file or directory
make: *** [Makefile:304: install-files] Error 1
builder for ‘/nix/store/ifygp4mqpv7l8cgp0njp8w7lmrl6brpp-openssh-7.2p2.drv’ failed with exit code 2
2016-07-15 12:42:37 +02:00
Rickard Nilsson
a927709a35 openssh: Use the default privilege separation dir (/var/empty)
If running NixOS inside a container where the host's root-owned files
and directories have been mapped to some other uid (like nobody), the
ssh daemon fails to start, producing this error message:

fatal: /nix/store/...-openssh-7.2p2/empty must be owned by root and not group or world-writable.

The reason for this is that when openssh is built, we explicitly set
`--with-privsep-path=$out/empty`. This commit removes that flag which
causes the default directory /var/empty to be used instead. Since NixOS'
activation script correctly sets up that directory, the ssh daemon now
also works within containers that have a non-root-owned nix store.
2016-07-14 20:54:06 +02:00
Robin Gloster
d020caa5b2 Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-04-18 13:49:22 +00:00
Aneesh Agrawal
6e4d06873f openssh: fix CVE-2015-8325
Debian Security Advisory: https://www.debian.org/security/2016/dsa-3550
Upstream commit: https://anongit.mindrot.org/openssh.git/commit/?id=85bdcd7c92fe7ff133bbc4e10a65c91810f88755
2016-04-15 23:45:10 -04:00
Robin Gloster
696d85a62d Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-04-03 11:01:57 +00:00
Eelco Dolstra
3fb1708427 ssh: Fix support for ssh-dss host keys 2016-04-01 15:54:52 +02:00
Robin Gloster
3f45f0948d Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-03-15 01:44:24 +00:00
Aneesh Agrawal
2dd09b634e openssh: update homepage link
Unfortunately, the site is not available over HTTPS.
2016-03-10 18:40:00 -05:00
Aneesh Agrawal
e5ca25eb7a openssh: 7.2p1 -> 7.2p2 for OSA x11fwd.adv
Fixes OpenSSH Security Advisory x11fwd.adv, which is available at
http://www.openssh.com/txt/x11fwd.adv.
2016-03-10 18:01:33 -05:00
Aneesh Agrawal
ce74aac132 openssh: update GSSAPI patch to openssh 7.2 2016-03-08 16:11:56 -05:00
Aneesh Agrawal
9e86984fe0 openssh: decouple gssapi patch from kerberos
The GSSAPI patch is useful but maintained by Debian, not upstream, and
can be slow to update. To avoid breaking openssh_with_kerberos when
the openssh version is bumped but the GSSAPI patch has not been updated,
don't enable the GSSAPI patch implicitly but require it to be explicitly
enabled.
2016-03-08 15:14:25 -05:00
Franz Pletz
e9fc4e7db6 Merge remote-tracking branch 'origin/master' into hardened-stdenv 2016-03-07 22:08:27 +01:00
joachifm
453686a24a Merge pull request #13705 from aneeshusa/use-bin-instead-of-sbin-for-openssh
openssh: use bin instead of sbin folder
2016-03-07 12:03:37 +00:00
Aneesh Agrawal
14201da332 openssh: allow building without linking openssl
http://undeadly.org/cgi?action=article&sid=20140430045723 has the
original announcement of this option. Note, openssl headers are still
required at build time, see this comment:
http://www.gossamer-threads.com/lists/openssh/dev/61125#61125
2016-03-06 16:36:55 -05:00
Aneesh Agrawal
bb39304ce6 openssh: use bin instead of sbin folder
References #11939.
2016-03-05 23:56:32 -05:00
Franz Pletz
aff1f4ab94 Use general hardening flag toggle lists
The following parameters are now available:

  * hardeningDisable
    To disable specific hardening flags
  * hardeningEnable
    To enable specific hardening flags

Only the cc-wrapper supports this right now, but these may be reused by
other wrappers, builders or setup hooks.

cc-wrapper supports the following flags:

  * fortify
  * stackprotector
  * pie (disabled by default)
  * pic
  * strictoverflow
  * format
  * relro
  * bindnow
2016-03-05 18:55:26 +01:00
Robin Gloster
33f7d0b3f6 Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-03-01 22:46:39 +00:00
Eelco Dolstra
cc71804ab0 openssh: Fix build 2016-03-01 22:25:17 +01:00
Aneesh Agrawal
7f8d50b443 openssh: 7.1p2 -> 7.2p1 2016-03-01 22:25:16 +01:00
Robin Gloster
b6279950bd openssh: enable pie hardening 2016-02-26 16:30:26 +00:00
Benjamin Staffin
29711967a2 openssh: update gssapi patch to match openssh version
Should fix the openssh_with_kerberos build.

Fixes #13140

(cherry picked from commit 3dae6c7e1e1eb64b3ceb2796eea1ad0ae1596688)
2016-02-20 22:22:01 -08:00
Eelco Dolstra
a7b7ac8bfb openssh: Enable DSA host/client keys
This applies a patch from Fedora to make HostKeyAlgorithms do the
right thing, fixing the issue described in
401782cb67.
2016-02-01 16:31:43 +01:00
koral
a7f09e9773 openssh: 6.9p1 -> 7.1p2 2016-02-01 16:31:43 +01:00
Franz Pletz
2d65772950 openssh: Disable roaming (security fix)
Fixes CVE-2016-0777 and CVE-0216-0778.

Closes #12385.
2016-01-14 16:40:27 +01:00