| Commit message |
|
added openssh_gssapi to make it easier to test the patched version
the HPN edition isn't available on top of 7.9p1 yet
fix-host-key-algorithms-plus.patch didn't apply anymore, assuming it's
fixed.
release notes: https://www.openssh.com/txt/release-7.9
|
Close #48031, fixes #48016. I didn't use the PR commit
because I think it's better to fetch the patch.
|
Release notes at https://www.openssh.com/txt/release-7.7;
primarily bugfixes.
Update ssh-hpn as well.
Switch to salsa.debian.org (from anonscm.debian.org).
|
This reverts commit 09696e32c390c232ec7ac506df6457fb93c1f536.
which reverted f596aa0f4a35f613422f85a4486e32ea20ca7739
to move it to staging
|
This reverts commit a232dd66ee0b390dc4d82858af7e15713bd60327.
Moving to staging
|
This can be disabled with the `withKerberos` flag if desired.
Make the relevant assertions lazy,
so that if an overlay is used to set kerberos to null,
a later override can explicitly set `withKerberos` to false.
Don't build with GSSAPI by default;
the patchset is large and a bit hairy,
and it is reasonable to follow upstream who has not merged it
in not enabling it by default.
|
openssh: 7.5p1 -> 7.6p1
|
Release notes are available at https://www.openssh.com/txt/release-7.6.
Mostly a bugfix release, no major backwards-incompatible changes.
|
Only acts on one-line dependency lists.
|
* pkgs: refactor needless quoting of homepage meta attribute
  A lot of packages are needlessly quoting the homepage meta attribute
  (about 1400, 22%), this commit refactors all of those instances.
* pkgs: Fixing some links that were wrongfully unquoted in the previous
  commit
* Fixed some instances
|
Commit 093cc00cdd9d8cf31ecce5bc1dd3645c460a1b98 sets the LD environment
variable by default, but this confuses the openssh Makefile because `configure'
does not respect it.
|
http://hydra.nixos.org/build/53993444
|
Close #23990.
|
Release notes are available at https://www.openssh.com/txt/release-7.5.
Mostly a bugfix release, no major backwards-incompatible changes.
Remove deprecated `UsePrivilegeSeparation` option,
which is now mandatory.
|
Only building was tested.
|
This reverts commit 661b5a9875cbc37310da5ee53b47a1d121bb5660.
|
This reverts commit 277080fea0d2cf5017e4179a23e370307502c677.
I had tested the server on my physical machine before pushing,
but the openssh test got broken so something is clearly wrong.
http://hydra.nixos.org/build/45500080
|
The two removed patches were for issues that should've been fixed.
Minor vulnerabilities addressed: CVE-2016-{10009,10010,10011,10012}.
https://www.openssh.com/txt/release-7.4
|
Also add myself as a maintainer.
|
These add a singleton list of a package to buildInputs.
|
Also remove patch for CVE-2015-8325 that has been fixed upstream.
|
(This is a rewritten version of the reverted commit
a927709a35cee56f878f0f57a932e1a6e2ebe23b, that disables the creation of
/var/empty during build so that sandboxed builds also work. For more
context, see https://github.com/NixOS/nixpkgs/pull/16966)

If running NixOS inside a container where the host's root-owned files
and directories have been mapped to some other uid (like nobody), the
ssh daemon fails to start, producing this error message:

    fatal: /nix/store/...-openssh-7.2p2/empty must be owned by root and not group or world-writable.

The reason for this is that when openssh is built, we explicitly set
`--with-privsep-path=$out/empty`. This commit removes that flag which
causes the default directory /var/empty to be used instead. Since NixOS'
activation script correctly sets up that directory, the ssh daemon now
also works within containers that have a non-root-owned nix store.
|
This reverts commit a927709a35cee56f878f0f57a932e1a6e2ebe23b because it
doesn't build:

    $ nix-build -A openssh
    ...
    mkdir /nix/store/yl2xap8n1by3dqxgc4rmrc4s753676a3-openssh-7.2p2/libexec
    (umask 022 ; ./mkinstalldirs /var/empty)
    mkdir /var
    mkdir: cannot create directory '/var': Permission denied
    mkdir /var/empty
    mkdir: cannot create directory '/var/empty': No such file or directory
    make: *** [Makefile:304: install-files] Error 1
    builder for ‘/nix/store/ifygp4mqpv7l8cgp0njp8w7lmrl6brpp-openssh-7.2p2.drv’ failed with exit code 2
|
If running NixOS inside a container where the host's root-owned files
and directories have been mapped to some other uid (like nobody), the
ssh daemon fails to start, producing this error message:

    fatal: /nix/store/...-openssh-7.2p2/empty must be owned by root and not group or world-writable.

The reason for this is that when openssh is built, we explicitly set
`--with-privsep-path=$out/empty`. This commit removes that flag which
causes the default directory /var/empty to be used instead. Since NixOS'
activation script correctly sets up that directory, the ssh daemon now
also works within containers that have a non-root-owned nix store.
|
Debian Security Advisory: https://www.debian.org/security/2016/dsa-3550
Upstream commit: https://anongit.mindrot.org/openssh.git/commit/?id=85bdcd7c92fe7ff133bbc4e10a65c91810f88755
|
Unfortunately, the site is not available over HTTPS.
|
Fixes OpenSSH Security Advisory x11fwd.adv, which is available at
http://www.openssh.com/txt/x11fwd.adv.
|
The GSSAPI patch is useful but maintained by Debian, not upstream, and
can be slow to update. To avoid breaking openssh_with_kerberos when
the openssh version is bumped but the GSSAPI patch has not been updated,
don't enable the GSSAPI patch implicitly but require it to be explicitly
enabled.
|
openssh: use bin instead of sbin folder
|
References #11939.
|
http://undeadly.org/cgi?action=article&sid=20140430045723 has the
original announcement of this option. Note, openssl headers are still
required at build time, see this comment:
http://www.gossamer-threads.com/lists/openssh/dev/61125#61125
|
The following parameters are now available:

  * hardeningDisable
    To disable specific hardening flags
  * hardeningEnable
    To enable specific hardening flags

Only the cc-wrapper supports this right now, but these may be reused by
other wrappers, builders or setup hooks.

cc-wrapper supports the following flags:

  * fortify
  * stackprotector
  * pie (disabled by default)
  * pic
  * strictoverflow
  * format
  * relro
  * bindnow
|
Should fix the openssh_with_kerberos build.
Fixes #13140
(cherry picked from commit 3dae6c7e1e1eb64b3ceb2796eea1ad0ae1596688)
|