openssh @7.6p1_6: CVE-2018-20685, CVE-2019-6109 and CVE-2019-6111

[piru (Harry Sintonen)]

CVE-2018-20685: ​https://anongit.mindrot.org/openssh.git/commit/?id=6010c0303a422a9c5fa8860c061bf7105eb7f8b2

CVE-2019-6109: ​https://anongit.mindrot.org/openssh.git/commit/?id=8976f1c4b2721c26e878151f52bdf346dfe2d54c

CVE-2019-6111: ​https://anongit.mindrot.org/openssh.git/commit/?id=391ffc4b9d31fa1f4ad566499fef9176ff8a07dc

[Schamschula (Marius Schamschula)]

The current version of openssh is 7.9p1. The blocker here is the +gsskex variant, it is non-trivial to keep it up to date.

[Schamschula (Marius Schamschula)]

Also see: #57025.

[danielluke (Daniel J. Luke)]

If the gsskex variant is the only thing holding the port back, we should just update it to the current version (which is 8.0p1 now) and put the gsskex in a different port (or drop it and let someone who is interested in it do the work of making it work for each release).

[Mihai Moldovan <ionic@…>]

In 715635bdfb881e287a52e23b298e379a4e9c03ac/macports-ports (master):

net/{openssh,ssh-copy-id}: update to 8.1p1.

Fixes: #56331
Fixes: #57025
Fixes: #58047
Fixes: #59009
Fixes: #59016

Changes:

• Rebase patches.
• Update to newer HPN patchset version. Based upon the 8.0p1 version 14.18 patch. Add a rebased OpenSSL-1.1-compat patch.
• Switch to new ObjC-based Keychain integration as provided by Apple. Might fail on older platforms. If it does, we will need to bring back the old C-based implementation as an alternative for these.
• Made the keychain integration and launchd startup patch a default one based upon request (and to be consistent with Apple's shipped OpenSSH version).
• Portfile cleanup, don't define compile constants from outside - have autotools do that correctly.
• Clarify where some of the patches come from - and especially for the gsskex patch that it is NOT a single patch taken from one location and rebased against the current OpenSSH version.
• Renamed (now used) -m/-M options to -A/-K for the keychain integration.