![[BACK]](/icons/back.gif){kind=icon}
Up to [cvs.NetBSD.org] / pkgsrc / security / dropbear
Request diff between arbitrary revisions
Default branch: MAIN
Revision 1.38 / (download) - annotate - [select for diffs], Thu May 25 21:28:09 2023 UTC (3 days, 6 hours ago) by wiz
Branch: MAIN
CVS Tags: HEAD
Changes since 1.37: +2 -2
lines
Diff to previous 1.37 (colored)
dropbear: re-word a comment to avoid false positives
Revision 1.37 / (download) - annotate - [select for diffs], Sat Dec 19 11:07:10 2020 UTC (2 years, 5 months ago) by nia
Branch: MAIN
CVS Tags: pkgsrc-2023Q1-base,
pkgsrc-2023Q1,
pkgsrc-2022Q4-base,
pkgsrc-2022Q4,
pkgsrc-2022Q3-base,
pkgsrc-2022Q3,
pkgsrc-2022Q2-base,
pkgsrc-2022Q2,
pkgsrc-2022Q1-base,
pkgsrc-2022Q1,
pkgsrc-2021Q4-base,
pkgsrc-2021Q4,
pkgsrc-2021Q3-base,
pkgsrc-2021Q3,
pkgsrc-2021Q2-base,
pkgsrc-2021Q2,
pkgsrc-2021Q1-base,
pkgsrc-2021Q1,
pkgsrc-2020Q4-base,
pkgsrc-2020Q4
Changes since 1.36: +3 -5
lines
Diff to previous 1.36 (colored)
dropbear: Update to 2020.81
Revision 1.36 / (download) - annotate - [select for diffs], Mon Jun 10 13:44:35 2019 UTC (3 years, 11 months ago) by nia
Branch: MAIN
CVS Tags: pkgsrc-2020Q3-base,
pkgsrc-2020Q3,
pkgsrc-2020Q2-base,
pkgsrc-2020Q2,
pkgsrc-2020Q1-base,
pkgsrc-2020Q1,
pkgsrc-2019Q4-base,
pkgsrc-2019Q4,
pkgsrc-2019Q3-base,
pkgsrc-2019Q3,
pkgsrc-2019Q2-base,
pkgsrc-2019Q2
Changes since 1.35: +4 -4
lines
Diff to previous 1.35 (colored)
dropbear: Update to 2019.78 Changes: 2019.78 - 27 March 2019 - Fix dbclient regression in 2019.77. After exiting the terminal would be left in a bad state. Reported by Ryan Woodsmall 2019.77 - 23 March 2019 - Fix server -R option with ECDSA - only advertise one key size which will be accepted. Reported by Peter Krefting, 2018.76 regression. - Fix server regression in 2018.76 where multiple client -R forwards were all forwarded to the first destination. Reported by Iddo Samet. - Make failure delay more consistent to avoid revealing valid usernames, set server password limit of 100 characters. Problem reported by usd responsible disclosure team - Change handling of failed authentication to avoid disclosing valid usernames, CVE-2018-15599. - Fix dbclient to reliably return the exit code from the remote server. Reported by W. Mike Petullo - Fix export of 521-bit ECDSA keys, from Christian Hohnst¤dt - Add -o Port=xxx option to work with sshfs, from xcko - Merged fuzzing code, see FUZZER-NOTES.md - Add a DROPBEAR_SVR_MULTIUSER=0 compile option to run on single-user Linux kernels (CONFIG_MULTIUSER disabled). From Patrick Stewart - Increase allowed username to 100 characters, reported by W. Mike Petullo - Update config.sub and config.guess, should now work with RISC-V - Cygwin compile fix from karel-m - Don't require GNU sed (accidentally in 2018.76), reported by Samuel Hsu - Fix for IRIX and writev(), reported by Kazuo Kuroi - Other fixes and cleanups from Fran§ois Perrad, Andre McCurdy, Konstantin Demin, Michael Jones, Pawel Rapkiewicz 2018.76 - 27 February 2018 > > > Configuration/compatibility changes IMPORTANT Custom configuration is now specified in localoptions.h rather than options.h Available options and defaults can be seen in default_options.h To migrate your configuration, compare your customised options.h against the upstream options.h from your relevant version. Any customised options should be put in localoptions.h in the build directory. - "configure --enable-static" should now be used instead of "make STATIC=1" This will avoid 'hardened build' flags that conflict with static binaries - Set 'hardened build' flags by default if supported by the compiler. These can be disabled with configure --disable-harden if needed. -Wl,-pie -Wl,-z,now -Wl,-z,relro -fstack-protector-strong -D_FORTIFY_SOURCE=2 # spectre v2 mitigation -mfunction-return=thunk -mindirect-branch=thunk Spectre patch from Loganaden Velvindron - "dropbear -r" option for hostkeys no longer attempts to load the default hostkey paths as well. If desired these can be specified manually. Patch from CamVan Nguyen - group1-sha1 key exchange is disabled in the server by default since the fixed 1024-bit group may be susceptible to attacks - twofish ciphers are now disabled in the default configuration - Default generated ECDSA key size is now 256 (rather than 521) for better interoperability - Minimum RSA key length has been increased to 1024 bits > > > Other features and fixes - Add runtime -T max_auth_tries option from Kevin Darbyshire-Bryant - Add 'dbclient -J &fd' to allow dbclient to connect over an existing socket. See dbclient manpage for a socat example. Patch from Harald Becker - Add "-c forced_command" option. Patch from Jeremy Kerr - Restricted group -G option added with patch from stellarpower - Support server-chosen TCP forwarding ports, patch from houseofkodai - Allow choosing outgoing address for dbclient with -b [bind_address][:bind_port] Patch from houseofkodai - Makefile will now rebuild object files when header files are modified - Add group14-256 and group16 key exchange options - curve25519-sha256 also supported without @libssh.org suffix - Update bundled libtomcrypt to 1.18.1, libtommath to 1.0.1 This fixes building with some recent versions of clang - Set PAM_RHOST which is needed by modules such as pam_abl - Improvements to DSS and RSA public key validation, found by OSS-Fuzz. - Don't exit when an authorized_keys file has malformed entries. Found by OSS-Fuzz - Fix null-pointer crash with malformed ECDSA or DSS keys. Found by OSS-Fuzz - Numerous code cleanups and small issues fixed by Francois Perrad - Test for pkt_sched.h rather than SO_PRIORITY which was problematic with some musl platforms. Reported by Oliver Schneider and Andrew Bainbridge - Fix some platform portability problems, from Ben Gardner - Add EXEEXT filename suffix for building dropbearmulti, from William Foster - Support --enable-<option> properly for configure, from Stefan Hauser - configure have_openpty result can be cached, from Eric B©nard - handle platforms that return close() < -1 on failure, from Marco Wenzel - Build and configuration cleanups from Michael Witten - Fix libtomcrypt/libtommath linking order, from Andre McCurdy - Fix old Linux platforms that have SYS_clock_gettime but not CLOCK_MONOTONIC - Update curve25519-donna implementation to current version
Revision 1.35 / (download) - annotate - [select for diffs], Wed Jul 4 13:40:33 2018 UTC (4 years, 10 months ago) by jperkin
Branch: MAIN
CVS Tags: pkgsrc-2019Q1-base,
pkgsrc-2019Q1,
pkgsrc-2018Q4-base,
pkgsrc-2018Q4,
pkgsrc-2018Q3-base,
pkgsrc-2018Q3
Changes since 1.34: +2 -2
lines
Diff to previous 1.34 (colored)
*: Move SUBST_STAGE from post-patch to pre-configure Performing substitutions during post-patch breaks tools such as mkpatches, making it very difficult to regenerate correct patches after making changes, and often leading to substituted string replacements being committed.
Revision 1.34 / (download) - annotate - [select for diffs], Thu Nov 9 19:00:25 2017 UTC (5 years, 6 months ago) by snj
Branch: MAIN
CVS Tags: pkgsrc-2018Q2-base,
pkgsrc-2018Q2,
pkgsrc-2018Q1-base,
pkgsrc-2018Q1,
pkgsrc-2017Q4-base,
pkgsrc-2017Q4
Changes since 1.33: +2 -2
lines
Diff to previous 1.33 (colored)
dropbear: update to 2017.75 Changes: - Security: Fix double-free in server TCP listener cleanup A double-free in the server could be triggered by an authenticated user if dropbear is running with -a (Allow connections to forwarded ports from any host) This could potentially allow arbitrary code execution as root by an authenticated user. Affects versions 2013.56 to 2016.74. Thanks to Mark Shepard for reporting the crash. CVE-2017-9078 https://secure.ucc.asn.au/hg/dropbear/rev/c8114a48837c - Security: Fix information disclosure with ~/.ssh/authorized_keys symlink. Dropbear parsed authorized_keys as root, even if it were a symlink. The fix is to switch to user permissions when opening authorized_keys A user could symlink their ~/.ssh/authorized_keys to a root-owned file they couldn't normally read. If they managed to get that file to contain valid authorized_keys with command= options it might be possible to read other contents of that file. This information disclosure is to an already authenticated user. Thanks to Jann Horn of Google Project Zero for reporting this. CVE-2017-9079 https://secure.ucc.asn.au/hg/dropbear/rev/0d889b068123 - Generate hostkeys with dropbearkey atomically and flush to disk with fsync. Thanks to Andrei Gherzan for a patch. - Fix out of tree builds with bundled libtom Thanks to Henrik Nordström and Peter Krefting for patches.
Revision 1.33 / (download) - annotate - [select for diffs], Sat Sep 23 20:14:57 2017 UTC (5 years, 8 months ago) by wiedi
Branch: MAIN
CVS Tags: pkgsrc-2017Q3-base,
pkgsrc-2017Q3
Changes since 1.32: +2 -1
lines
Diff to previous 1.32 (colored)
dropbear: fix build on SunOS Link network libs
Revision 1.31.26.1 / (download) - annotate - [select for diffs], Mon May 29 18:21:24 2017 UTC (6 years ago) by bsiegert
Branch: pkgsrc-2017Q1
Changes since 1.31: +4 -4
lines
Diff to previous 1.31 (colored) next main 1.32 (colored)
Pullup ticket #5468 - requested by sevan
security/dropbear: security fix
Revisions pulled up:
- security/dropbear/Makefile 1.32
- security/dropbear/distinfo 1.24
- security/dropbear/patches/patch-aa 1.11
- security/dropbear/patches/patch-ab 1.9
- security/dropbear/patches/patch-configure 1.1
---
Module Name: pkgsrc
Committed By: snj
Date: Tue May 16 21:54:21 UTC 2017
Modified Files:
pkgsrc/security/dropbear: Makefile distinfo
pkgsrc/security/dropbear/patches: patch-aa patch-ab
Added Files:
pkgsrc/security/dropbear/patches: patch-configure
Log Message:
update dropbear to 2016.74. changes:
2016.74 - 21 July 2016
- Security: Message printout was vulnerable to format string injection.
If specific usernames including "%" symbols can be created on a system
(validated by getpwnam()) then an attacker could run arbitrary code as
root
when connecting to Dropbear server.
A dbclient user who can control username or host arguments could
potentially
run arbitrary code as the dbclient user. This could be a problem if
scripts
or webpages pass untrusted input to the dbclient program.
CVE-2016-7406
https://secure.ucc.asn.au/hg/dropbear/rev/b66a483f3dcb
- Security: dropbearconvert import of OpenSSH keys could run arbitrary
code as
the local dropbearconvert user when parsing malicious key files
CVE-2016-7407
https://secure.ucc.asn.au/hg/dropbear/rev/34e6127ef02e
- Security: dbclient could run arbitrary code as the local dbclient user if
particular -m or -c arguments are provided. This could be an issue where
dbclient is used in scripts.
CVE-2016-7408
https://secure.ucc.asn.au/hg/dropbear/rev/eed9376a4ad6
- Security: dbclient or dropbear server could expose process memory to the
running user if compiled with DEBUG_TRACE and running with -v
CVE-2016-7409
https://secure.ucc.asn.au/hg/dropbear/rev/6a14b1f6dc04
The security issues were reported by an anonymous researcher working with
Beyond Security's SecuriTeam Secure Disclosure
www.beyondsecurity.com/ssd.html
- Fix port forwarding failure when connecting to domains that have both
IPv4 and IPv6 addresses. The bug was introduced in 2015.68
- Fix 100% CPU use while waiting for rekey to complete. Thanks to Zhang
Hui P
for the patch
2016.73 - 18 March 2016
- Support syslog in dbclient, option -o usesyslog=yes. Patch from
Konstantin Tokarev
- Kill a proxycommand when dbclient exits, patch from Konstantin Tokarev
- Option to exit when a TCP forward fails, patch from Konstantin Tokarev
- New "-o" option parsing from Konstantin Tokarev. This allows handling
some extra options
in the style of OpenSSH, though implementing all OpenSSH options is
not planned.
- Fix crash when fallback initshells() is used, reported by Michael
Nowak and Mike Tzou
- Allow specifying commands eg "dropbearmulti dbclient ..." instead of
symlinks
- Various cleanups for issues found by a lint tool, patch from Francois
Perrad
- Fix tab indent consistency, patch from Francois Perrad
- Fix issues found by cppcheck, reported by Mike Tzou
- Use system memset_s() or explicit_bzero() if available to clear
memory. Also make
libtomcrypt/libtommath routines use that (or Dropbear's own m_burn()).
- Prevent scp failing when the local user doesn't exist. Based on patch
from Michael Witten.
- Improved Travis CI test running, thanks to Mike Tzou
- Improve some code that was flagged by Coverity and Fortify Static Code
Analyzer
2016.72 - 9 March 2016
- Validate X11 forwarding input. Could allow bypass of authorized_keys
command= restrictions,
found by github.com/tintinweb. Thanks for Damien Miller for a patch.
CVE-2016-3116
https://secure.ucc.asn.au/hg/dropbear/rev/a3e8389e01ff
2015.71 - 3 December 2015
- Fix "bad buf_incrpos" when data is transferred, broke in 2015.69
- Fix crash on exit when -p address:port is used, broke in 2015.68,
thanks to
Frank Stollenwerk for reporting and investigation
- Fix building with only ENABLE_CLI_REMOTETCPFWD given, patch from
Konstantin Tokarev
- Fix bad configure script test which didn't work with dash shell, patch
from Juergen Daubert,
broke in 2015.70
- Fix server race condition that could cause sessions to hang on exit,
https://github.com/robotframework/SSHLibrary/issues/128
2015.70 - 26 November 2015
- Fix server password authentication on Linux, broke in 2015.69
2015.69 - 25 November 2015
- Fix crash when forwarded TCP connections fail to connect (bug
introduced in 2015.68)
- Avoid hang on session close when multiple sessions are started,
affects Qt Creator
Patch from Andrzej Szombierski
- Reduce per-channel memory consumption in common case, increase default
channel limit from 100 to 1000 which should improve SOCKS forwarding
for modern
webpages
- Handle multiple command line arguments in a single flag, thanks to
Guilhem Moulin
- Manpage improvements from Guilhem Moulin
- Build fixes for Android from Mike Frysinger
- Don't display the MOTD when an explicit command is run from Guilhem Moulin
- Check curve25519 shared secret isn't zero
2015.68 - Saturday 8 August 2015
- Reduce local data copying for improved efficiency. Measured 30%
increase in throughput for connections to localhost
- Forwarded TCP ports connect asynchronously and try all available addresses
(IPv4, IPv6, round robin DNS)
- Fix all compile warnings, many patches from Gaël Portay
Note that configure with -Werror may not be successful on some
platforms (OS X)
and some configuration options may still result in unused variable
warnings.
- Use TCP Fast Open on Linux if available. Saves a round trip at connection
to hosts that have previously been connected.
Needs a recent Linux kernel and possibly "sysctl -w
net.ipv4.tcp_fastopen=3"
Client side is disabled by default pending further compatibility testing
with networks and systems.
- Increase maximum command length to 9000 bytes
- Free memory before exiting, patch from Thorsten Horstmann. Useful for
Dropbear ports to embedded systems and for checking memory leaks
with valgrind. Only partially implemented for dbclient.
This is disabled by default, enable with DROPBEAR_CLEANUP in sysoptions.h
- DROPBEAR_DEFAULT_CLI_AUTHKEY setting now always prepends home
directory unless
there is a leading slash (~ isn't treated specially)
- Fix small ECC memory leaks
- Tighten validation of Diffie-Hellman parameters, from Florent Daigniere of
Matta Consulting. Odds of bad values are around 2**-512 -- improbable.
- Twofish-ctr cipher is supported though disabled by default
- Fix pre-authentication timeout when waiting for client SSH-2.0 banner,
thanks
to CL Ouyang
- Fix null pointer crash with restrictions in authorized_keys without a
command, patch from
Guilhem Moulin
- Ensure authentication timeout is handled while reading the initial banner,
thanks to CL Ouyang for finding it.
- Fix null pointer crash when handling bad ECC keys. Found by afl-fuzz
2015.67 - Wednesday 28 January 2015
- Call fsync() after generating private keys to ensure they aren't lost if a
reboot occurs. Thanks to Peter Korsgaard
- Disable non-delayed zlib compression by default on the server. Can be
enabled if required for old clients with DROPBEAR_SERVER_DELAY_ZLIB
- Default client key path ~/.ssh/id_dropbear
- Prefer stronger algorithms by default, from Fedor Brunner.
AES256 over 3DES
Diffie-hellman group14 over group1
- Add option to disable CBC ciphers.
- Disable twofish in default options.h
- Enable sha2 HMAC algorithms by default, the code was already required
for ECC key exchange. sha1 is the first preference still for performance.
- Fix installing dropbear.8 in a separate build directory, from Like Ma
- Allow configure to succeed if libtomcrypt/libtommath are missing, from
Elan Ruusamäe
- Don't crash if ssh-agent provides an unknown type of key. From Catalin
Patulea
- Minor bug fixes, a few issues found by Coverity scan
2014.66 - Thursday 23 October 2014
- Use the same keepalive handling behaviour as OpenSSH. This will work
better
with some SSH implementations that have different behaviour with unknown
message types.
- Don't reply with SSH_MSG_UNIMPLEMENTED when we receive a reply to our own
keepalive message
- Set $SSH_CLIENT to keep bash happy, patch from Ryan Cleere
- Fix wtmp which broke since 2013.62, patch from Whoopie
2014.65 - Friday 8 August 2014
- Fix 2014.64 regression, server session hang on exit with scp (and probably
others), thanks to NiLuJe for tracking it down
- Fix 2014.64 regression, clock_gettime() error handling which broke on
older
Linux kernels, reported by NiLuJe
- Fix 2014.64 regression, writev() could occassionally fail with EAGAIN
which
wasn't caught
- Avoid error message when trying to set QoS on proxycommand or multihop
pipes
- Use /usr/bin/xauth, thanks to Mike Frysinger
- Don't exit the client if the local user entry can't be found, thanks
to iquaba
2014.64 - Sunday 27 July 2014
- Fix compiling with ECDSA and DSS disabled
- Don't exit abruptly if too many outgoing packets are queued for
writev(). Patch
thanks to Ronny Meeus
- The -K keepalive option now behaves more like OpenSSH's
"ServerAliveInterval".
If no response is received after 3 keepalives then the session is
terminated. This
will close connections faster than waiting for a TCP timeout.
- Rework TCP priority setting. New settings are
if (connecting || ptys || x11) tos = LOWDELAY
else if (tcp_forwards) tos = 0
else tos = BULK
Thanks to Catalin Patulea for the suggestion.
- Improve handling of many concurrent new TCP forwarded connections,
should now
be able to handle as many as MAX_CHANNELS. Thanks to Eduardo Silva for
reporting
and investigating it.
- Make sure that exit messages from the client are printed, regression
in 2013.57
- Use monotonic clock where available, timeouts won't be affected by
system time
changes
- Add -V for version
2014.63 - Wednesday 19 February 2014
- Fix ~. to terminate a client interactive session after waking a laptop
from sleep.
- Changed port separator syntax again, now using host^port. This is because
IPv6 link-local addresses use %. Reported by Gui Iribarren
- Avoid constantly relinking dropbearmulti target, fix "make install"
for multi target, thanks to Mike Frysinger
- Avoid getting stuck in a loop writing huge key files, reported by Bruno
Thomsen
- Don't link dropbearkey or dropbearconvert to libz or libutil,
thanks to Nicolas Boos
- Fix linking -lcrypt on systems without /usr/lib, thanks to Nicolas Boos
- Avoid crash on exit due to cleaned up keys before last packets are sent,
debugged by Ronald Wahl
- Fix a race condition in rekeying where Dropbear would exit if it
received a
still-in-flight packet after initiating rekeying. Reported by Oliver Metz.
This is a longstanding bug but is triggered more easily since 2013.57
- Fix README for ecdsa keys, from Catalin Patulea
- Ensure that generated RSA keys are always exactly the length
requested. Previously Dropbear always generated N+16 or N+15 bit keys.
Thanks to Unit 193
- Fix DROPBEAR_CLI_IMMEDIATE_AUTH mode which saves a network round trip
if the
first public key succeeds. Still not enabled by default, needs more
compatibility testing with other implementations.
- Fix for port 0 forwarding in the client and port forwarding with
Apache MINA SSHD.
- Fix for bad system linux/pkt-sched.h header file with older Linux
kernels, from Steve Dover
- Fix signal handlers so that errno is saved, thanks to Erik Ahl�î for a
patch
and Mark Wickham for independently spotting the same problem.
Revision 1.32 / (download) - annotate - [select for diffs], Tue May 16 21:54:21 2017 UTC (6 years ago) by snj
Branch: MAIN
CVS Tags: pkgsrc-2017Q2-base,
pkgsrc-2017Q2
Changes since 1.31: +4 -4
lines
Diff to previous 1.31 (colored)
update dropbear to 2016.74. changes: 2016.74 - 21 July 2016 - Security: Message printout was vulnerable to format string injection. If specific usernames including "%" symbols can be created on a system (validated by getpwnam()) then an attacker could run arbitrary code as root when connecting to Dropbear server. A dbclient user who can control username or host arguments could potentially run arbitrary code as the dbclient user. This could be a problem if scripts or webpages pass untrusted input to the dbclient program. CVE-2016-7406 https://secure.ucc.asn.au/hg/dropbear/rev/b66a483f3dcb - Security: dropbearconvert import of OpenSSH keys could run arbitrary code as the local dropbearconvert user when parsing malicious key files CVE-2016-7407 https://secure.ucc.asn.au/hg/dropbear/rev/34e6127ef02e - Security: dbclient could run arbitrary code as the local dbclient user if particular -m or -c arguments are provided. This could be an issue where dbclient is used in scripts. CVE-2016-7408 https://secure.ucc.asn.au/hg/dropbear/rev/eed9376a4ad6 - Security: dbclient or dropbear server could expose process memory to the running user if compiled with DEBUG_TRACE and running with -v CVE-2016-7409 https://secure.ucc.asn.au/hg/dropbear/rev/6a14b1f6dc04 The security issues were reported by an anonymous researcher working with Beyond Security's SecuriTeam Secure Disclosure www.beyondsecurity.com/ssd.html - Fix port forwarding failure when connecting to domains that have both IPv4 and IPv6 addresses. The bug was introduced in 2015.68 - Fix 100% CPU use while waiting for rekey to complete. Thanks to Zhang Hui P for the patch 2016.73 - 18 March 2016 - Support syslog in dbclient, option -o usesyslog=yes. Patch from Konstantin Tokarev - Kill a proxycommand when dbclient exits, patch from Konstantin Tokarev - Option to exit when a TCP forward fails, patch from Konstantin Tokarev - New "-o" option parsing from Konstantin Tokarev. This allows handling some extra options in the style of OpenSSH, though implementing all OpenSSH options is not planned. - Fix crash when fallback initshells() is used, reported by Michael Nowak and Mike Tzou - Allow specifying commands eg "dropbearmulti dbclient ..." instead of symlinks - Various cleanups for issues found by a lint tool, patch from Francois Perrad - Fix tab indent consistency, patch from Francois Perrad - Fix issues found by cppcheck, reported by Mike Tzou - Use system memset_s() or explicit_bzero() if available to clear memory. Also make libtomcrypt/libtommath routines use that (or Dropbear's own m_burn()). - Prevent scp failing when the local user doesn't exist. Based on patch from Michael Witten. - Improved Travis CI test running, thanks to Mike Tzou - Improve some code that was flagged by Coverity and Fortify Static Code Analyzer 2016.72 - 9 March 2016 - Validate X11 forwarding input. Could allow bypass of authorized_keys command= restrictions, found by github.com/tintinweb. Thanks for Damien Miller for a patch. CVE-2016-3116 https://secure.ucc.asn.au/hg/dropbear/rev/a3e8389e01ff 2015.71 - 3 December 2015 - Fix "bad buf_incrpos" when data is transferred, broke in 2015.69 - Fix crash on exit when -p address:port is used, broke in 2015.68, thanks to Frank Stollenwerk for reporting and investigation - Fix building with only ENABLE_CLI_REMOTETCPFWD given, patch from Konstantin Tokarev - Fix bad configure script test which didn't work with dash shell, patch from Juergen Daubert, broke in 2015.70 - Fix server race condition that could cause sessions to hang on exit, https://github.com/robotframework/SSHLibrary/issues/128 2015.70 - 26 November 2015 - Fix server password authentication on Linux, broke in 2015.69 2015.69 - 25 November 2015 - Fix crash when forwarded TCP connections fail to connect (bug introduced in 2015.68) - Avoid hang on session close when multiple sessions are started, affects Qt Creator Patch from Andrzej Szombierski - Reduce per-channel memory consumption in common case, increase default channel limit from 100 to 1000 which should improve SOCKS forwarding for modern webpages - Handle multiple command line arguments in a single flag, thanks to Guilhem Moulin - Manpage improvements from Guilhem Moulin - Build fixes for Android from Mike Frysinger - Don't display the MOTD when an explicit command is run from Guilhem Moulin - Check curve25519 shared secret isn't zero 2015.68 - Saturday 8 August 2015 - Reduce local data copying for improved efficiency. Measured 30% increase in throughput for connections to localhost - Forwarded TCP ports connect asynchronously and try all available addresses (IPv4, IPv6, round robin DNS) - Fix all compile warnings, many patches from Gaël Portay Note that configure with -Werror may not be successful on some platforms (OS X) and some configuration options may still result in unused variable warnings. - Use TCP Fast Open on Linux if available. Saves a round trip at connection to hosts that have previously been connected. Needs a recent Linux kernel and possibly "sysctl -w net.ipv4.tcp_fastopen=3" Client side is disabled by default pending further compatibility testing with networks and systems. - Increase maximum command length to 9000 bytes - Free memory before exiting, patch from Thorsten Horstmann. Useful for Dropbear ports to embedded systems and for checking memory leaks with valgrind. Only partially implemented for dbclient. This is disabled by default, enable with DROPBEAR_CLEANUP in sysoptions.h - DROPBEAR_DEFAULT_CLI_AUTHKEY setting now always prepends home directory unless there is a leading slash (~ isn't treated specially) - Fix small ECC memory leaks - Tighten validation of Diffie-Hellman parameters, from Florent Daigniere of Matta Consulting. Odds of bad values are around 2**-512 -- improbable. - Twofish-ctr cipher is supported though disabled by default - Fix pre-authentication timeout when waiting for client SSH-2.0 banner, thanks to CL Ouyang - Fix null pointer crash with restrictions in authorized_keys without a command, patch from Guilhem Moulin - Ensure authentication timeout is handled while reading the initial banner, thanks to CL Ouyang for finding it. - Fix null pointer crash when handling bad ECC keys. Found by afl-fuzz 2015.67 - Wednesday 28 January 2015 - Call fsync() after generating private keys to ensure they aren't lost if a reboot occurs. Thanks to Peter Korsgaard - Disable non-delayed zlib compression by default on the server. Can be enabled if required for old clients with DROPBEAR_SERVER_DELAY_ZLIB - Default client key path ~/.ssh/id_dropbear - Prefer stronger algorithms by default, from Fedor Brunner. AES256 over 3DES Diffie-hellman group14 over group1 - Add option to disable CBC ciphers. - Disable twofish in default options.h - Enable sha2 HMAC algorithms by default, the code was already required for ECC key exchange. sha1 is the first preference still for performance. - Fix installing dropbear.8 in a separate build directory, from Like Ma - Allow configure to succeed if libtomcrypt/libtommath are missing, from Elan Ruusamäe - Don't crash if ssh-agent provides an unknown type of key. From Catalin Patulea - Minor bug fixes, a few issues found by Coverity scan 2014.66 - Thursday 23 October 2014 - Use the same keepalive handling behaviour as OpenSSH. This will work better with some SSH implementations that have different behaviour with unknown message types. - Don't reply with SSH_MSG_UNIMPLEMENTED when we receive a reply to our own keepalive message - Set $SSH_CLIENT to keep bash happy, patch from Ryan Cleere - Fix wtmp which broke since 2013.62, patch from Whoopie 2014.65 - Friday 8 August 2014 - Fix 2014.64 regression, server session hang on exit with scp (and probably others), thanks to NiLuJe for tracking it down - Fix 2014.64 regression, clock_gettime() error handling which broke on older Linux kernels, reported by NiLuJe - Fix 2014.64 regression, writev() could occassionally fail with EAGAIN which wasn't caught - Avoid error message when trying to set QoS on proxycommand or multihop pipes - Use /usr/bin/xauth, thanks to Mike Frysinger - Don't exit the client if the local user entry can't be found, thanks to iquaba 2014.64 - Sunday 27 July 2014 - Fix compiling with ECDSA and DSS disabled - Don't exit abruptly if too many outgoing packets are queued for writev(). Patch thanks to Ronny Meeus - The -K keepalive option now behaves more like OpenSSH's "ServerAliveInterval". If no response is received after 3 keepalives then the session is terminated. This will close connections faster than waiting for a TCP timeout. - Rework TCP priority setting. New settings are if (connecting || ptys || x11) tos = LOWDELAY else if (tcp_forwards) tos = 0 else tos = BULK Thanks to Catalin Patulea for the suggestion. - Improve handling of many concurrent new TCP forwarded connections, should now be able to handle as many as MAX_CHANNELS. Thanks to Eduardo Silva for reporting and investigating it. - Make sure that exit messages from the client are printed, regression in 2013.57 - Use monotonic clock where available, timeouts won't be affected by system time changes - Add -V for version 2014.63 - Wednesday 19 February 2014 - Fix ~. to terminate a client interactive session after waking a laptop from sleep. - Changed port separator syntax again, now using host^port. This is because IPv6 link-local addresses use %. Reported by Gui Iribarren - Avoid constantly relinking dropbearmulti target, fix "make install" for multi target, thanks to Mike Frysinger - Avoid getting stuck in a loop writing huge key files, reported by Bruno Thomsen - Don't link dropbearkey or dropbearconvert to libz or libutil, thanks to Nicolas Boos - Fix linking -lcrypt on systems without /usr/lib, thanks to Nicolas Boos - Avoid crash on exit due to cleaned up keys before last packets are sent, debugged by Ronald Wahl - Fix a race condition in rekeying where Dropbear would exit if it received a still-in-flight packet after initiating rekeying. Reported by Oliver Metz. This is a longstanding bug but is triggered more easily since 2013.57 - Fix README for ecdsa keys, from Catalin Patulea - Ensure that generated RSA keys are always exactly the length requested. Previously Dropbear always generated N+16 or N+15 bit keys. Thanks to Unit 193 - Fix DROPBEAR_CLI_IMMEDIATE_AUTH mode which saves a network round trip if the first public key succeeds. Still not enabled by default, needs more compatibility testing with other implementations. - Fix for port 0 forwarding in the client and port forwarding with Apache MINA SSHD. - Fix for bad system linux/pkt-sched.h header file with older Linux kernels, from Steve Dover - Fix signal handlers so that errno is saved, thanks to Erik Ahléî for a patch and Mark Wickham for independently spotting the same problem.
Revision 1.31 / (download) - annotate - [select for diffs], Fri Mar 14 22:40:17 2014 UTC (9 years, 2 months ago) by agc
Branch: MAIN
CVS Tags: pkgsrc-2017Q1-base,
pkgsrc-2016Q4-base,
pkgsrc-2016Q4,
pkgsrc-2016Q3-base,
pkgsrc-2016Q3,
pkgsrc-2016Q2-base,
pkgsrc-2016Q2,
pkgsrc-2016Q1-base,
pkgsrc-2016Q1,
pkgsrc-2015Q4-base,
pkgsrc-2015Q4,
pkgsrc-2015Q3-base,
pkgsrc-2015Q3,
pkgsrc-2015Q2-base,
pkgsrc-2015Q2,
pkgsrc-2015Q1-base,
pkgsrc-2015Q1,
pkgsrc-2014Q4-base,
pkgsrc-2014Q4,
pkgsrc-2014Q3-base,
pkgsrc-2014Q3,
pkgsrc-2014Q2-base,
pkgsrc-2014Q2,
pkgsrc-2014Q1-base,
pkgsrc-2014Q1
Branch point for: pkgsrc-2017Q1
Changes since 1.30: +4 -8
lines
Diff to previous 1.30 (colored)
Use the xauth builtin.mk to find the location on the target system. Just use the security/libtomcrypt/buildlink3.mk now the BUILDLINK_API_DEPENDS has been updated.
Revision 1.30 / (download) - annotate - [select for diffs], Fri Jan 31 17:32:19 2014 UTC (9 years, 3 months ago) by agc
Branch: MAIN
Changes since 1.29: +8 -10
lines
Diff to previous 1.29 (colored)
First part of minor dropbear package cleanup - this part lets the
package build as a normal user
+ don't refer to MAKEFLAGS outside of pkgsrc/mk
+ add comments to patch files
+ use BSD_INSTALL_* definitions in the build Makefile
+ re-order some parts of the pkgsrc Makefile
+ use pkgsrc definitions for CFLAGS.${OPSYS} rather than conditionals
XXX - TO DO - fix the xauth issue here
Revision 1.29 / (download) - annotate - [select for diffs], Mon Jan 27 19:53:06 2014 UTC (9 years, 4 months ago) by drochner
Branch: MAIN
Changes since 1.28: +4 -11
lines
Diff to previous 1.28 (colored)
update to 2013.62 changes: -ECC (elliptic curve) support -curve25519-sha256@libssh.org support -misc fixes and improvements approved by The Maintainer
Revision 1.28 / (download) - annotate - [select for diffs], Sat Sep 14 03:40:01 2013 UTC (9 years, 8 months ago) by mspo
Branch: MAIN
CVS Tags: pkgsrc-2013Q4-base,
pkgsrc-2013Q4,
pkgsrc-2013Q3-base,
pkgsrc-2013Q3
Changes since 1.27: +7 -2
lines
Diff to previous 1.27 (colored)
version bump to latest 2012.55 to 2013.58
also added a netbsd-specific build option
(changes)
2013.58 - Thursday 18 April 2013
- Fix building with Zlib disabled, thanks to Hans Harder and cuma@freetz
- Use % as a separator for ports, fixes scp in multihop mode, from Hans Harder
- Reject logins for other users when running as non-root, from Hans Harder
- Disable client immediate authentication request by default, it prevents
passwordless logins from working
2013.57 - Monday 15 April 2013
- Decreased connection setup time particularly with high latency connections,
the number of round trips has been reduced for both client and server.
CPU time hasn't been changed.
- Client will send an initial key exchange guess to save a round trip.
Dropbear implements an extension kexguess2@matt.ucc.asn.au to allow the first
packet guess to succeed in wider circumstances than the standard behaviour.
When communicating with other implementations the standard behaviour is used.
- Client side: when public key or password authentication with
$DROPBEAR_PASSWORD is used an initial authentication request will
be sent immediately rather than querying the list of available methods.
This behaviour is enabled by CLI_IMMEDIATE_AUTH option (on by default),
please let the Dropbear author know if it causes any interoperability
problems.
- Implement client escape characters ~. (terminate session) and
~^Z (background session)
- Server will more reliably clean up utmp when connection is closed, reported by
Mattias Walstr<C3><B6>m
- Don't crash if /dev/urandom isn't writable (RHEL5), thanks to Scott Case
- Add "-y -y" client option to skip host key checking, thanks to Hans Harder
- scp didn't work properly on systems using vfork(), thanks to Frank Van Uffelen
- Added IUTF8 terminal mode support (Linux and Mac OS). Not standardised yet
though probably will be soon
- Some verbose DROPBEAR_TRACE output is now hidden unless $DROPBEAR_TRACE2
enviroment variable is set
- Fix using asymmetric MAC algorithms (broke in )
- Renamed configure.in to configure.ac to quieten autoconf, from Mike Frysinger
2013.56 - Thursday 21 March 2013
- Allow specifying cipher (-c) and MAC (-m) lists for dbclient
- Allow using 'none' cipher or MAC (off by default, use options.h). Encryption
is used during authentication then disabled, similar to OpenSSH HPN mode
- Allow a user in immediately if the account has a blank password and blank
passwords are enabled
- Include a few extra sources of entropy from /proc on Linux, hash private keys
as well. Dropbear will also write gathered entropy back into /dev/urandom
- Added hmac-sha2-256 and hmac-sha2-512 support (off by default, use options.h)
- Don't sent bad address "localhost" for -R forward connections,
reported by Denis Bider
- Add "-B" runtime option to allow blank passwords
- Allow using IPv6 bracket notation for addresses in server "-p" option, from Ben Jencks
- A few improvements for Android from Reimar D<C3><B6>ffinger
- Fix memory leak for TCP forwarded connections to hosts that timed out,
reported by Norbert Bencz<C3><BA>r. Appears to be a very long-standing bug.
- Fix "make clean" for out of tree builds
- Fix compilation when ENABLE_{SVR,CLI}_AGENTFWD are unset
Revision 1.27 / (download) - annotate - [select for diffs], Tue Oct 23 18:16:26 2012 UTC (10 years, 7 months ago) by asau
Branch: MAIN
CVS Tags: pkgsrc-2013Q2-base,
pkgsrc-2013Q2,
pkgsrc-2013Q1-base,
pkgsrc-2013Q1,
pkgsrc-2012Q4-base,
pkgsrc-2012Q4
Changes since 1.26: +1 -3
lines
Diff to previous 1.26 (colored)
Drop superfluous PKG_DESTDIR_SUPPORT, "user-destdir" is default these days.
Revision 1.26 / (download) - annotate - [select for diffs], Mon Aug 13 17:47:26 2012 UTC (10 years, 9 months ago) by drochner
Branch: MAIN
CVS Tags: pkgsrc-2012Q3-base,
pkgsrc-2012Q3
Changes since 1.25: +2 -2
lines
Diff to previous 1.25 (colored)
update to 2012.55 changes: fix a use-after-free bug which could be used to potentially execute arbitrary code with root privileges, provided that the user has been authenticated using a public key and also that a command restriction is enforced (the "command" option must be used in the authorized_keys file)
Revision 1.25 / (download) - annotate - [select for diffs], Thu Mar 10 10:20:16 2011 UTC (12 years, 2 months ago) by drochner
Branch: MAIN
CVS Tags: pkgsrc-2012Q2-base,
pkgsrc-2012Q2,
pkgsrc-2012Q1-base,
pkgsrc-2012Q1,
pkgsrc-2011Q4-base,
pkgsrc-2011Q4,
pkgsrc-2011Q3-base,
pkgsrc-2011Q3,
pkgsrc-2011Q2-base,
pkgsrc-2011Q2,
pkgsrc-2011Q1-base,
pkgsrc-2011Q1
Changes since 1.24: +4 -2
lines
Diff to previous 1.24 (colored)
update to 0.53.1 changes: -misc fixes and improvements -build against system libtommath/crypt
Revision 1.24 / (download) - annotate - [select for diffs], Wed Aug 26 21:10:11 2009 UTC (13 years, 9 months ago) by snj
Branch: MAIN
CVS Tags: pkgsrc-2010Q4-base,
pkgsrc-2010Q4,
pkgsrc-2010Q3-base,
pkgsrc-2010Q3,
pkgsrc-2010Q2-base,
pkgsrc-2010Q2,
pkgsrc-2010Q1-base,
pkgsrc-2010Q1,
pkgsrc-2009Q4-base,
pkgsrc-2009Q4,
pkgsrc-2009Q3-base,
pkgsrc-2009Q3
Changes since 1.23: +35 -11
lines
Diff to previous 1.23 (colored)
Update dropbear to 0.52. Build an scp binary and call it dbscp so it doesn't conflict with openssh. Changes since 0.50: 0.52 - Wed 12 November 2008 - Add "netcat-alike" option (-B) to dbclient, allowing Dropbear to tunnel standard input/output to a TCP port-forwarded remote host. - Add "proxy command" support to dbclient, to allow using a spawned process for IO rather than a direct TCP connection. eg dbclient remotehost is equivalent to dbclient -J 'nc remotehost 22' remotehost (the hostname is still provided purely for looking up saved host keys) - Combine netcat-alike and proxy support to allow "multihop" connections, with comma-separated host syntax. Allows running dbclient user1@host1,user2@host2,user3@host3 to end up at host3 via the other two, using SSH TCP forwarding. It's a bit like onion-routing. All connections are established from the local machine. The comma-separated syntax can also be used for scp/rsync, eg rsync -a -e dbclient m@gateway,m2@host,martello:/home/matt/ ~/backup/ to bounce through a few hosts. - Add -I "idle timeout" option (contributed by Farrell Aultman) - Allow restrictions on authorized_keys logins such as restricting commands to be run etc. This is a subset of those allowed by OpenSSH, doesn't yet allow restricting source host. - Use vfork() for scp on uClinux - Default to PATH=/usr/bin:/bin for shells. - Report errors if -R forwarding fails - Add counter mode cipher support, which avoids some security problems with the standard CBC mode. - Support zlib@openssh.com delayed compression for client/server. It can be required for the Dropbear server with the '-Z' option. This is useful for security as it avoids exposing the server to attacks on zlib by unauthenticated remote users, though requires client side support. - options.h has been split into options.h (user-changable) and sysoptions.h (less commonly changed) - Support "dbclient -s sftp" to specify a subsystem - Fix a bug in replies to channel requests that could be triggered by recent versions of PuTTY 0.51 - Thu 27 March 2008 - Make a copy of password fields rather erroneously relying on getwpnam() to be safe to call multiple times - If $SSH_ASKPASS_ALWAYS environment variable is set (and $SSH_ASKPASS is as well) always use that program, ignoring isatty() and $DISPLAY - Wait until a process exits before the server closes a connection, so that an exit code can be sent. This fixes problems with exit codes not being returned, which could cause scp to fail.
Revision 1.23 / (download) - annotate - [select for diffs], Thu Sep 6 19:15:10 2007 UTC (15 years, 8 months ago) by jlam
Branch: MAIN
CVS Tags: pkgsrc-2009Q2-base,
pkgsrc-2009Q2,
pkgsrc-2009Q1-base,
pkgsrc-2009Q1,
pkgsrc-2008Q4-base,
pkgsrc-2008Q4,
pkgsrc-2008Q3-base,
pkgsrc-2008Q3,
pkgsrc-2008Q2-base,
pkgsrc-2008Q2,
pkgsrc-2008Q1-base,
pkgsrc-2008Q1,
pkgsrc-2007Q4-base,
pkgsrc-2007Q4,
pkgsrc-2007Q3-base,
pkgsrc-2007Q3,
cwrapper,
cube-native-xorg-base,
cube-native-xorg
Changes since 1.22: +10 -2
lines
Diff to previous 1.22 (colored)
Honor PKG_SYSCONFDIR. The default host keys for dropbear are now found in
${PKG_SYSCONFDIR}/dropbear. Bump the PKGREVISION to 2.
Revision 1.22 / (download) - annotate - [select for diffs], Thu Sep 6 16:31:55 2007 UTC (15 years, 8 months ago) by jlam
Branch: MAIN
Changes since 1.21: +7 -1
lines
Diff to previous 1.21 (colored)
Install the manual pages for dropbear. Bump the PKGREVISION to 1.
Revision 1.21 / (download) - annotate - [select for diffs], Thu Sep 6 15:55:06 2007 UTC (15 years, 8 months ago) by jlam
Branch: MAIN
Changes since 1.20: +2 -1
lines
Diff to previous 1.20 (colored)
For the "pam" package option, one needs to include pam.buildlink3.mk.
Revision 1.20 / (download) - annotate - [select for diffs], Wed Sep 5 21:08:06 2007 UTC (15 years, 8 months ago) by drochner
Branch: MAIN
Changes since 1.19: +2 -2
lines
Diff to previous 1.19 (colored)
update to 0.50 changes: - Add DROPBEAR_PASSWORD environment variable to specify a dbclient password - Use /dev/urandom by default, since that's what everyone does anyway - Exit with an exit code of 1 if dropbear can't bind to any ports - Improve network performance and add a -W <receive_window> argument for adjusting the tradeoff between network performance and memory consumption - Fix a problem where reply packets could be sent during key exchange, in violation of the SSH spec. This could manifest itself with connections being terminated after 8 hours with new TCP-forward connections being established - Add -K <keepalive_time> argument, ensuring that data is transmitted over the connection at least every N seconds - dropbearkey will no longer generate DSS keys of sizes other than 1024 bits, as required by the DSS specification. (Other sizes are still accepted for use to provide backwards compatibility)
Revision 1.19 / (download) - annotate - [select for diffs], Fri Mar 23 20:07:02 2007 UTC (16 years, 2 months ago) by drochner
Branch: MAIN
CVS Tags: pkgsrc-2007Q2-base,
pkgsrc-2007Q2,
pkgsrc-2007Q1-base,
pkgsrc-2007Q1
Changes since 1.18: +2 -2
lines
Diff to previous 1.18 (colored)
update to 0.49 change: warn strongly when a hostkey mismatch occurred
Revision 1.18 / (download) - annotate - [select for diffs], Tue Mar 14 20:03:43 2006 UTC (17 years, 2 months ago) by drochner
Branch: MAIN
CVS Tags: pkgsrc-2006Q4-base,
pkgsrc-2006Q4,
pkgsrc-2006Q3-base,
pkgsrc-2006Q3,
pkgsrc-2006Q2-base,
pkgsrc-2006Q2,
pkgsrc-2006Q1-base,
pkgsrc-2006Q1
Changes since 1.17: +2 -4
lines
Diff to previous 1.17 (colored)
update to 0.48.1 changes: -a security fix which was already in pkgsrc (0.46nb1) -bugfixes -zlib compression for dbclient -Set "low delay" TOS bit -client keyboard-interactive mode support -logging improvements -Added aes-256 cipher and sha1-96 hmac -allow connections to listening forwarded ports from remote machines
Revision 1.17 / (download) - annotate - [select for diffs], Sat Mar 4 21:30:33 2006 UTC (17 years, 2 months ago) by jlam
Branch: MAIN
Changes since 1.16: +2 -2
lines
Diff to previous 1.16 (colored)
Point MAINTAINER to pkgsrc-users@NetBSD.org in the case where no developer is officially maintaining the package. The rationale for changing this from "tech-pkg" to "pkgsrc-users" is that it implies that any user can try to maintain the package (by submitting patches to the mailing list). Since the folks most likely to care about the package are the folks that want to use it or are already using it, this would leverage the energy of users who aren't developers.
Revision 1.16 / (download) - annotate - [select for diffs], Sun Feb 5 23:10:43 2006 UTC (17 years, 3 months ago) by joerg
Branch: MAIN
Changes since 1.15: +2 -2
lines
Diff to previous 1.15 (colored)
Recursive revision bump / recommended bump for gettext ABI change.
Revision 1.13.2.1 / (download) - annotate - [select for diffs], Sat Dec 17 23:44:25 2005 UTC (17 years, 5 months ago) by salo
Branch: pkgsrc-2005Q3
Changes since 1.13: +2 -1
lines
Diff to previous 1.13 (colored) next main 1.14 (colored)
Pullup ticket 962 - requested by Jeremy C. Reed
security fix for dropbear
Revisions pulled up:
- pkgsrc/security/dropbear/Makefile 1.15
- pkgsrc/security/dropbear/distinfo 1.10
- pkgsrc/security/dropbear/patches/patch-ad 1.1
Module Name: pkgsrc
Committed By: reed
Date: Wed Dec 14 18:00:12 UTC 2005
Modified Files:
pkgsrc/security/dropbear: Makefile distinfo
Added Files:
pkgsrc/security/dropbear/patches: patch-ad
Log Message:
Add security patch from
http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2005q4/000312.html
Noted by waldeck of hk2.uwaterloo.ca via pkgsrc-bugs.
Bump PKGREVISION.
Tested build on NetBSD and Linux. Tested dropbear server on NetBSD.
(This is during a freeze. Other stuff to be done later:
update to latest version. Install man pages. Mention "client" in
COMMENT and DESCR. Use CONF_FILES and sysconfdir. And maybe install the
"scp" tool also.)
Revision 1.15 / (download) - annotate - [select for diffs], Wed Dec 14 18:00:12 2005 UTC (17 years, 5 months ago) by reed
Branch: MAIN
CVS Tags: pkgsrc-2005Q4-base,
pkgsrc-2005Q4
Changes since 1.14: +2 -1
lines
Diff to previous 1.14 (colored)
Add security patch from http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2005q4/000312.html Noted by waldeck of hk2.uwaterloo.ca via pkgsrc-bugs. Bump PKGREVISION. Tested build on NetBSD and Linux. Tested dropbear server on NetBSD. (This is during a freeze. Other stuff to be done later: update to latest version. Install man pages. Mention "client" in COMMENT and DESCR. Use CONF_FILES and sysconfdir. And maybe install the "scp" tool also.)
Revision 1.14 / (download) - annotate - [select for diffs], Mon Dec 5 20:50:55 2005 UTC (17 years, 5 months ago) by rillig
Branch: MAIN
Changes since 1.13: +2 -2
lines
Diff to previous 1.13 (colored)
Fixed pkglint warnings. The warnings are mostly quoting issues, for
example MAKE_ENV+=FOO=${BAR} is changed to MAKE_ENV+=FOO=${BAR:Q}. Some
other changes are outlined in
http://mail-index.netbsd.org/tech-pkg/2005/12/02/0034.html
Revision 1.13 / (download) - annotate - [select for diffs], Tue Aug 9 17:31:06 2005 UTC (17 years, 9 months ago) by drochner
Branch: MAIN
CVS Tags: pkgsrc-2005Q3-base
Branch point for: pkgsrc-2005Q3
Changes since 1.12: +9 -1
lines
Diff to previous 1.12 (colored)
add a "pam" pkg option and make it work with NetBSD's openpam if enabled
Revision 1.12 / (download) - annotate - [select for diffs], Tue Jul 19 18:07:59 2005 UTC (17 years, 10 months ago) by drochner
Branch: MAIN
Changes since 1.11: +2 -2
lines
Diff to previous 1.11 (colored)
update to 0.46 changes: -Update to LibTomCrypt 1.05 and LibTomMath 0.35 -bugfixes and code cleanup
Revision 1.11 / (download) - annotate - [select for diffs], Sun May 22 20:08:29 2005 UTC (18 years ago) by jlam
Branch: MAIN
CVS Tags: pkgsrc-2005Q2-base,
pkgsrc-2005Q2
Changes since 1.10: +2 -2
lines
Diff to previous 1.10 (colored)
Remove USE_GNU_TOOLS and replace with the correct USE_TOOLS definitions: USE_GNU_TOOLS -> USE_TOOLS awk -> gawk m4 -> gm4 make -> gmake sed -> gsed yacc -> bison
Revision 1.10 / (download) - annotate - [select for diffs], Fri Apr 29 16:14:41 2005 UTC (18 years, 1 month ago) by drochner
Branch: MAIN
Changes since 1.9: +2 -2
lines
Diff to previous 1.9 (colored)
update to 0.45 changes: - Makefile no longer appends 'static' to statically linked binaries - Add optional SSH_ASKPASS support to the client - Respect HOST_LOOKUP option - Fix accidentally removed "return;" statement which was removed in 0.44 (causing clients which sent an empty terminal-modes string to fail to connect - including pssh, ssh.com, danger hiptop). (patches independently from Paul Fox, David Horwitt and Sven-Ola Tuecke) - Read "y/n" response for fingerprints from /dev/tty directly so that dbclient will work with scp.
Revision 1.9 / (download) - annotate - [select for diffs], Mon Apr 11 21:47:11 2005 UTC (18 years, 1 month ago) by tv
Branch: MAIN
Changes since 1.8: +1 -2
lines
Diff to previous 1.8 (colored)
Remove USE_BUILDLINK3 and NO_BUILDLINK; these are no longer used.
Revision 1.8 / (download) - annotate - [select for diffs], Tue Jan 18 17:30:59 2005 UTC (18 years, 4 months ago) by drochner
Branch: MAIN
CVS Tags: pkgsrc-2005Q1-base,
pkgsrc-2005Q1
Changes since 1.7: +6 -3
lines
Diff to previous 1.7 (colored)
update to 0.44 changes: -IPv6 support -client added -bugfixes XXX dropbear wants to use /dev/random per default now which makes it unusable on systems w/o entropy source. I've patched it back to /dev/urandom. There might be security concerns.
Revision 1.7 / (download) - annotate - [select for diffs], Sun Oct 3 00:18:08 2004 UTC (18 years, 7 months ago) by tv
Branch: MAIN
CVS Tags: pkgsrc-2004Q4-base,
pkgsrc-2004Q4
Changes since 1.6: +2 -1
lines
Diff to previous 1.6 (colored)
Libtool fix for PR pkg/26633, and other issues. Update libtool to 1.5.10 in the process. (More information on tech-pkg.) Bump PKGREVISION and BUILDLINK_DEPENDS of all packages using libtool and installing .la files. Bump PKGREVISION (only) of all packages depending directly on the above via a buildlink3 include.
Revision 1.6 / (download) - annotate - [select for diffs], Tue Aug 31 10:27:38 2004 UTC (18 years, 9 months ago) by martti
Branch: MAIN
CVS Tags: pkgsrc-2004Q3-base,
pkgsrc-2004Q3
Changes since 1.5: +2 -2
lines
Diff to previous 1.5 (colored)
Updated dropbear to 0.43 - SECURITY: Don't try to free() uninitialised variables in DSS verification code. Thanks to Arne Bernin for pointing out this bug. This is possibly exploitable, all users with DSS and pubkey-auth compiled in are advised to upgrade. - Clean up agent forwarding socket files correctly, patch from Gerrit Pape. - Don't go into an infinite loop when portforwarding to servers which don't send any initial data/banner. Patch from Nikola Vladov - Fix for network vs. host byte order in logging remote TCP ports, also from Gerrit Pape. - Initialise many pointers to NULL, for general safety. Also checked cleanup code for mp_ints (related to security issues above).
Revision 1.5 / (download) - annotate - [select for diffs], Sat Jun 26 19:30:58 2004 UTC (18 years, 11 months ago) by grant
Branch: MAIN
Changes since 1.4: +3 -1
lines
Diff to previous 1.4 (colored)
this uses zlib, so use buildlink3 and include zlib/buildlink3.mk.
Revision 1.4 / (download) - annotate - [select for diffs], Mon Jun 21 18:27:47 2004 UTC (18 years, 11 months ago) by drochner
Branch: MAIN
Changes since 1.3: +2 -2
lines
Diff to previous 1.3 (colored)
update to 0.42 Many fixes and feature additions since 0.38. Too many to list here.
Revision 1.3 / (download) - annotate - [select for diffs], Sat Jan 24 15:00:22 2004 UTC (19 years, 4 months ago) by grant
Branch: MAIN
CVS Tags: pkgsrc-2004Q2-base,
pkgsrc-2004Q2,
pkgsrc-2004Q1-base,
pkgsrc-2004Q1
Changes since 1.2: +2 -2
lines
Diff to previous 1.2 (colored)
replace deprecated USE_GMAKE with USE_GNU_TOOLS+=make.
Revision 1.2 / (download) - annotate - [select for diffs], Thu Oct 30 23:22:32 2003 UTC (19 years, 7 months ago) by xtraeme
Branch: MAIN
CVS Tags: pkgsrc-2003Q4-base,
pkgsrc-2003Q4
Changes since 1.1: +4 -4
lines
Diff to previous 1.1 (colored)
Upgrade to 0.38. This closes PR pkg/22984 by Matt Jhonston.
Changes:
0.38 - Sat Oct 11 2003 16:28:13 +0800
o Default hostkey path changed to /etc/dropbear/dropbear_{rsa,dss}_host_key
rather than /etc/dropbear_{rsa,dss}_host_key
o Added SMALL and MULTI text files which have info on compiling for multiple
binaries or small binaries
o Allow for commandline definition of some options.h settings
(without warnings)
o Be more careful handling EINTR
o More fixes for channel closing
o Added multi-binary support
o Improved logging of IPs, now get logged in all cases
o Don't chew cpu when waiting for version identification string, also
make sure that we kick off people if they don't auth within 5 minutes.
o Various small fixes, warnings etc
o sftp support works (relies on OpenSSH sftp binary or similar)
o Added --disable-shadow option (requested by the floppyfw guys)
0.37 - Wed Sept 24 2003 19:42:12 +0800
o Various portability fixes, fixes for Solaris 9, Tru64 5.1, Mac OS X 10.2,
AIX, BSDs
o Updated LibTomMath to 0.27 and LibTomCrypt to 0.90
o Renamed util.{c,h} to dbutil.{c,h} to avoid conflicts with system util.h
o Added some small changes so it'll work with AIX (plus Linux Affinity).
Thanks to Shig for them.
More bugfixes, etc.
Revision 1.1.1.1 / (download) - annotate - [select for diffs] (vendor branch), Tue Aug 19 15:46:44 2003 UTC (19 years, 9 months ago) by agc
Branch: TNF
CVS Tags: pkgsrc-base
Changes since 1.1: +0 -0
lines
Diff to previous 1.1 (colored)
Initial import of dropbear-0.36 into the NetBSD Packages Collection.
The search for a small Secure Shell server to fit on a laptop with 4
megs ram and no hard disk was fruitless, so Matt Johnston decided to
write his own, and Dropbear is the result. It implements various
features of the SSH 2 protocol, including X11 and Authentication Agent
forwarding. Dropbear is Open Source software, distributed under a
MIT-style license.
Features
* A small memory footprint - Dropbear can compile to a 110kB
statically linked binary with uClibc (and only minimal options
selected).
* Implements X11 forwarding, and authentication-agent forwarding
for OpenSSH clients
* Compatible with OpenSSH ~/.ssh/authorized_keys public key
authentication
* Features can easily be disabled when compiling to save space.
* Preliminary TCP forwarding support (-L style only)
Revision 1.1 / (download) - annotate - [select for diffs], Tue Aug 19 15:46:44 2003 UTC (19 years, 9 months ago) by agc
Branch: MAIN
Initial revision