Merge pull request #8 from tigeli/upgrade-7.1

[security] Upgrade to 7.1p1. MER#839
sailfishos · Sep 21, 2015 · 08be131 · 08be131
2 parents 820ab53 + f79ca9d
commit 08be131
Show file tree

Hide file tree

Showing 605 changed files with 65,241 additions and 66,326 deletions.
diff --git a/openssh/.cvsignore b/openssh/.cvsignore
@@ -0,0 +1,28 @@
+*.0
+*.out
+Makefile
+autom4te.cache
+buildit.sh
+buildpkg.sh
+config.cache
+config.h
+config.h.in
+config.log
+config.status
+configure
+openssh.xml
+opensshd.init
+scp
+sftp
+sftp-server
+ssh
+ssh-add
+ssh-agent
+ssh-keygen
+ssh-keyscan
+ssh-keysign
+ssh-pkcs11-helper
+sshd
+stamp-h.in
+survey
+survey.sh
diff --git a/openssh/ChangeLog b/openssh/ChangeLog
diff --git a/openssh/INSTALL b/openssh/INSTALL
@@ -1,24 +1,26 @@
 1. Prerequisites
 ----------------
 
-You will need working installations of Zlib and OpenSSL.
+You will need working installations of Zlib and libcrypto (LibreSSL /
+OpenSSL)
 
 Zlib 1.1.4 or 1.2.1.2 or greater (ealier 1.2.x versions have problems):
 http://www.gzip.org/zlib/
 
-OpenSSL 0.9.6 or greater:
-http://www.openssl.org/
+libcrypto (LibreSSL or OpenSSL >= 0.9.8f)
+LibreSSL http://www.libressl.org/ ; or
+OpenSSL http://www.openssl.org/
 
-(OpenSSL 0.9.5a is partially supported, but some ciphers (SSH protocol 1
-Blowfish) do not work correctly.)
+LibreSSL/OpenSSL should be compiled as a position-independent library
+(i.e. with -fPIC) otherwise OpenSSH will not be able to link with it.
+If you must use a non-position-independent libcrypto, then you may need
+to configure OpenSSH --without-pie.
 
 The remaining items are optional.
 
 NB. If you operating system supports /dev/random, you should configure
-OpenSSL to use it. OpenSSH relies on OpenSSL's direct support of
-/dev/random, or failing that, either prngd or egd.  If you don't have
-any of these you will have to rely on ssh-rand-helper, which is inferior
-to a good kernel-based solution or prngd.
+libcrypto (LibreSSL/OpenSSL) to use it. OpenSSH relies on libcrypto's
+direct support of /dev/random, or failing that, either prngd or egd
 
 PRNGD:
 
@@ -29,10 +31,10 @@ http://prngd.sourceforge.net/
 
 EGD:
 
-The Entropy Gathering Daemon (EGD) is supported if you have a system which
-lacks /dev/random and don't want to use OpenSSH's internal entropy collection.
+If the kernel lacks /dev/random the Entropy Gathering Daemon (EGD) is
+supported only if libcrypto supports it.
 
-http://www.lothar.com/tech/crypto/
+http://egd.sourceforge.net/
 
 PAM:
 
@@ -57,15 +59,6 @@ passphrase requester. This is maintained separately at:
 
 http://www.jmknoble.net/software/x11-ssh-askpass/
 
-TCP Wrappers:
-
-If you wish to use the TCP wrappers functionality you will need at least
-tcpd.h and libwrap.a, either in the standard include and library paths,
-or in the directory specified by --with-tcp-wrappers.  Version 7.6 is
-known to work.
-
-http://ftp.porcupine.org/pub/security/index.html
-
 S/Key Libraries:
 
 If you wish to use --with-skey then you will need the library below
@@ -82,10 +75,16 @@ these multi-platform ports:
 http://www.thrysoee.dk/editline/
 http://sourceforge.net/projects/libedit/
 
+LDNS:
+
+LDNS is a DNS BSD-licensed resolver library which supports DNSSEC.
+
+http://nlnetlabs.nl/projects/ldns/
+
 Autoconf:
 
 If you modify configure.ac or configure doesn't exist (eg if you checked
-the code out of CVS yourself) then you will need autoconf-2.61 to rebuild
+the code out of CVS yourself) then you will need autoconf-2.68 to rebuild
 the automatically generated files by running "autoreconf".  Earlier
 versions may also work but this is not guaranteed.
 
@@ -176,9 +175,6 @@ Integration Architecture.  The default for OSF1 machines is enable.
 --with-skey=PATH will enable S/Key one time password support. You will
 need the S/Key libraries and header files installed for this to work.
 
---with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow|deny)
-support.
-
 --with-md5-passwords will enable the use of MD5 passwords. Enable this
 if your operating system uses MD5 passwords and the system crypt() does
 not support them directly (see the crypt(3/3c) man page). If enabled, the
@@ -200,10 +196,11 @@ created.
 
 --with-xauth=PATH specifies the location of the xauth binary
 
---with-ssl-dir=DIR allows you to specify where your OpenSSL libraries
+--with-ssl-dir=DIR allows you to specify where your Libre/OpenSSL
+libraries
 are installed.
 
---with-ssl-engine enables OpenSSL's (hardware) ENGINE support
+--with-ssl-engine enables Libre/OpenSSL's (hardware) ENGINE support
 
 --with-4in6 Check for IPv4 in IPv6 mapped addresses and convert them to
 real (AF_INET) IPv4 addresses. Works around some quirks on Linux.
@@ -262,4 +259,4 @@ Please refer to the "reporting bugs" section of the webpage at
 http://www.openssh.com/
 
 
-$Id: INSTALL,v 1.85 2010/02/11 22:34:22 djm Exp $
+$Id: INSTALL,v 1.91 2014/09/09 02:23:11 dtucker Exp $
diff --git a/openssh/LICENCE b/openssh/LICENCE
@@ -206,6 +206,8 @@ OpenSSH contains no GPL code.
 	Sun Microsystems
 	The SCO Group
 	Daniel Walsh
+	Red Hat, Inc
+	Simon Vallet / Genoscope
 
      * Redistribution and use in source and binary forms, with or without
      * modification, are permitted provided that the following conditions