Opened 7 years ago

Last modified 7 years ago

#53108 closed update

openssh 7.5p1 release — at Version 13

Reported by: danielluke (Daniel J. Luke) Owned by: Ionic (Mihai Moldovan)
Priority: Normal Milestone:
Component: ports Version:
Keywords: Cc: H3ik0, myrkraverk (Johann 'Myrkraverk' Oskarsson), Schamschula (Marius Schamschula), l2dy (Zero King)
Port: openssh

Description (last modified by danielluke (Daniel J. Luke))

(for 7.4p1):
As per usual, a simple version bump works for me (but I did not test the +hpn or +gsskex variants - which usually need some attention).
(for 7.5p1):
Unfortunately, a simple version bump fails earlier now (launchd.patch for channels.c fails).

Change History (14)

Changed 7 years ago by danielluke (Daniel J. Luke)

Attachment: openssh_version_bump.diff added

simple version bump

comment:1 Changed 7 years ago by mf2k (Frank Schima)

Keywords: haspatch added
Type: defect → update

comment:2 Changed 7 years ago by H3ik0

Cc: H3ik0 added

comment:3 Changed 7 years ago by myrkraverk (Johann 'Myrkraverk' Oskarsson)

comment:4 Changed 7 years ago by myrkraverk (Johann 'Myrkraverk' Oskarsson)

Cc: myrkraverk added

comment:5 in reply to: 3; Changed 7 years ago by raimue (Rainer Müller)

Replying to myrkraverk:

There are at least two relevant CVEs so I'd like to bump up the priority.

https://bugs.chromium.org/p/project-zero/issues/detail?id=1010

Bug against sshd.

https://bugs.chromium.org/p/project-zero/issues/detail?id=1009

Bug against ssh-agent.

Both of these binaries are usually the version provided by Apple, unless you explicitly exposed the MacPorts version by changing your system configuration. Upgrading MacPorts will not remove the attack vector.

comment:6 in reply to: 5; Changed 7 years ago by myrkraverk (Johann 'Myrkraverk' Oskarsson)

Replying to raimue:

Both of these binaries are usually the version provided by Apple, unless you explicitly exposed the MacPorts version by changing your system configuration. Upgrading MacPorts will not remove the attack vector.

Ok, so purely installing MacPorts is not sufficient, but can I still use the provided ssh-agent by changing my system config to use it? Or is it incompatible somehow?

Right now I'm less concerned about the SSH daemon than the agent.

comment:7 Changed 7 years ago by Schamschula (Marius Schamschula)

Cc: Schamschula added

comment:8 Changed 7 years ago by Ionic (Mihai Moldovan)

Owner: set to Ionic
Status: new → accepted

You could, but it doesn't make a whole lot of sense. In theory, the MacPorts ssh-agent binary should be compatible with the Apple-provided one, although I've had reports of it crashing for users with me being unable to reproduce it.

The gist is that switching to the MacPorts-provided ssh-agent binary as your system daemon only really makes sense if you want to use key types that are not supported by the system version, especially on older systems, as Apple is generally not updating software they ship within a release (short of bugfixes).

I can't promise an update soonishly; it will probably take me a few weeks.

comment:9 Changed 7 years ago by Schamschula (Marius Schamschula)

I'm more concerned about missing security fixes than I am about the latest key types. Apple's sshd for Sierra currently is 7.3p1 - libressl 2.4.1, but on my El Capitan machine it is only 6.9p1 - libressl 2.1.8.

For the same reason I don't run the OS openssh under FreeBSD either (currently OpenSSH_7.2p2, OpenSSL 1.0.2j-freebsd vs. OpenSSH_7.4p1, OpenSSL 1.0.2k from the openssh-portable package).
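The check implied by comments 8 and 9 above, as an added example that is not part of the ticket or of the MacPorts port: a POSIX shell script that shows which ssh, sshd and ssh-agent binaries the current PATH actually resolves to (on a stock macOS PATH that is Apple's copy, not the MacPorts one) and whether the OpenSSH release they come from is older than a reference release. The function names and the default reference release 7.5p1 are my own assumptions.

```sh
#!/bin/sh
# Added example, not from the ticket or the MacPorts port. Portable OpenSSH builds
# ssh, sshd and ssh-agent from one tree, so "ssh -V" from a prefix is used here as
# the release of its sibling binaries in that same prefix.

# Extract "7.3p1" from an "ssh -V" banner such as "OpenSSH_7.3p1, LibreSSL 2.4.1".
# Prints nothing when the text carries no OpenSSH release.
openssh_release() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*p[0-9][0-9]*\).*/\1/p'
}

# Numerically compare two releases of the form MAJOR.MINORpPATCH; prints -1, 0 or 1.
release_cmp() {
    a_major=${1%%.*}; a_rest=${1#*.}; a_minor=${a_rest%%p*}; a_patch=${a_rest#*p}
    b_major=${2%%.*}; b_rest=${2#*.}; b_minor=${b_rest%%p*}; b_patch=${b_rest#*p}
    for pair in "$a_major $b_major" "$a_minor $b_minor" "$a_patch $b_patch"; do
        set -- $pair
        [ "$1" -lt "$2" ] && { echo -1; return; }
        [ "$1" -gt "$2" ] && { echo 1; return; }
    done
    echo 0
}

# Exit status 0 when the banner's release is older than $2, 1 when it is not,
# 2 when no release could be parsed (treat as unknown, not as "up to date").
older_than() {
    rel=$(openssh_release "$1")
    [ -n "$rel" ] || return 2
    [ "$(release_cmp "$rel" "$2")" -eq -1 ]
}

# Show where PATH resolves each binary (MacPorts installs under /opt/local/bin,
# Apple under /usr/bin and /usr/sbin) and compare the ssh release against $1.
report() {
    ref=${1:-7.5p1}   # assumed default: the release this ticket updates the port to
    for prog in ssh sshd ssh-agent; do
        path=$(command -v "$prog" 2>/dev/null) || { echo "$prog: not on PATH"; continue; }
        echo "$prog -> $path"
    done
    ssh_path=$(command -v ssh 2>/dev/null) || return 0
    banner=$("$ssh_path" -V 2>&1 || true)
    rc=0; older_than "$banner" "$ref" || rc=$?
    case $rc in
        0) echo "PATH ssh is older than $ref: $banner" ;;
        1) echo "PATH ssh is $ref or newer: $banner" ;;
        *) echo "could not parse an OpenSSH release from: $banner" ;;
    esac
}

case "${1:-}" in --report) report "${2:-}" ;; esac
```

Run it as `sh check.sh --report 7.5p1`; a MacPorts user who has not changed the system configuration will typically see /usr/bin/ssh and an Apple release here even after upgrading the port.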

comment:10 Changed 7 years ago by l2dy (Zero King)

Cc: l2dy added

comment:11 Changed 7 years ago by danielluke (Daniel J. Luke)

7.5p1 is out now.

Unfortunately, a simple version bump fails earlier now (launchd.patch for channels.c fails). I don't know when I'll have time to look at it, but I'll try and get the default build working if no one beats me to it.

comment:12 Changed 7 years ago by danielluke (Daniel J. Luke)

Summary: openssh 7.4p1 release → openssh 7.5p1 release

comment:13 Changed 7 years ago by danielluke (Daniel J. Luke)

Description: modified (diff)