omniosorg · hadfl · Nov 9, 2023 · Oct 17, 2023 · Oct 17, 2023 · Oct 17, 2023
@@ -23,7 +23,7 @@ BUILD_DEPENDS_IPS="
 
 PROG=uefi-edk2
 PKG=system/bhyve/firmware
-VER=20230201
+VER=20230801
 SUMMARY="UEFI-EDK2(+CSM) firmware for bhyve"
 DESC="$SUMMARY"
 
@@ -47,7 +47,7 @@ trap "pkill -T0; exit" SIGINT
 
 # Build the UEFI firmware
 
-tag=il-edk2-stable202302-1
+tag=il-edk2-stable202308-1
 XFORM_ARGS+=" -D UEFITAG=$tag"
 
 typeset -A jobs

@@ -18,7 +18,7 @@
 . ../../lib/build.sh
 
 PROG=openssh
-VER=9.4p1
+VER=9.5p1
 PKG=network/openssh
 SUMMARY="OpenSSH Client and utilities"
 DESC="OpenSSH Secure Shell protocol Client and associated Utilities"

@@ -6,7 +6,7 @@ Subject: [PATCH 06/34] GSS store creds for Solaris
 diff -wpruN --no-dereference '--exclude=*.orig' a~/configure.ac a/configure.ac
 --- a~/configure.ac	1970-01-01 00:00:00
 +++ a/configure.ac	1970-01-01 00:00:00
-@@ -1151,6 +1151,9 @@ mips-sony-bsd|mips-sony-newsos4)
+@@ -1157,6 +1157,9 @@ mips-sony-bsd|mips-sony-newsos4)
  		],
  	)
  	TEST_SHELL=$SHELL	# let configure find us a capable shell

@@ -21,7 +21,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/readconf.c a/readconf.c
  	{ "tunnel", oTunnel },
  	{ "tunneldevice", oTunnelDevice },
  	{ "localcommand", oLocalCommand },
-@@ -1005,6 +1011,17 @@ parse_multistate_value(const char *arg,
+@@ -1006,6 +1012,17 @@ parse_multistate_value(const char *arg,
  	return -1;
  }
 
@@ -39,9 +39,9 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/readconf.c a/readconf.c
  /*
   * Processes a single option line as used in the configuration files. This
   * only sets those values that have not already been set.
-@@ -2280,6 +2297,13 @@ parse_pubkey_algos:
- 		intptr = &options->required_rsa_size;
- 		goto parse_int;
+@@ -2323,6 +2340,13 @@ parse_pubkey_algos:
+ 			*intptr = value;
+ 		break;
 
 +#ifdef DISABLE_BANNER
 +	case oDisableBanner:
@@ -53,7 +53,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/readconf.c a/readconf.c
  	case oDeprecated:
  		debug("%s line %d: Deprecated option \"%s\"",
  		    filename, linenum, keyword);
-@@ -2516,6 +2540,9 @@ initialize_options(Options * options)
+@@ -2559,6 +2583,9 @@ initialize_options(Options * options)
  	options->stdin_null = -1;
  	options->fork_after_authentication = -1;
  	options->proxy_use_fdpass = -1;
@@ -63,7 +63,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/readconf.c a/readconf.c
  	options->ignored_unknown = NULL;
  	options->num_canonical_domains = 0;
  	options->num_permitted_cnames = 0;
-@@ -2718,6 +2745,10 @@ fill_default_options(Options * options)
+@@ -2762,6 +2789,10 @@ fill_default_options(Options * options)
  		options->canonicalize_fallback_local = 1;
  	if (options->canonicalize_hostname == -1)
  		options->canonicalize_hostname = SSH_CANONICALISE_NO;
@@ -77,8 +77,8 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/readconf.c a/readconf.c
 diff -wpruN --no-dereference '--exclude=*.orig' a~/readconf.h a/readconf.h
 --- a~/readconf.h	1970-01-01 00:00:00
 +++ a/readconf.h	1970-01-01 00:00:00
-@@ -182,6 +182,9 @@ typedef struct {
- 	int	enable_escape_commandline;	/* ~C commandline */
+@@ -183,6 +183,9 @@ typedef struct {
+ 	int	obscure_keystroke_timing_interval;
 
  	char	*ignored_unknown; /* Pattern list of unknown tokens to ignore */
 +#ifdef DISABLE_BANNER
@@ -87,9 +87,9 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/readconf.h a/readconf.h
  }       Options;
 
  #define SSH_PUBKEY_AUTH_NO	0x00
-@@ -222,6 +225,12 @@ typedef struct {
- #define SSH_STRICT_HOSTKEY_YES	2
- #define SSH_STRICT_HOSTKEY_ASK	3
+@@ -228,6 +231,12 @@ typedef struct {
+ #define SSH_KEYSTROKE_CHAFF_MIN_MS		1024
+ #define SSH_KEYSTROKE_CHAFF_RNG_MS		2048
 
 +#ifdef DISABLE_BANNER
 +#define SSH_DISABLEBANNER_NO		0

@@ -161,7 +161,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/auth.h a/auth.h
 diff -wpruN --no-dereference '--exclude=*.orig' a~/auth2.c a/auth2.c
 --- a~/auth2.c	1970-01-01 00:00:00
 +++ a/auth2.c	1970-01-01 00:00:00
-@@ -294,9 +294,17 @@ input_userauth_request(int type, u_int32
+@@ -301,9 +301,17 @@ input_userauth_request(int type, u_int32
  #endif
  		}
  #ifdef USE_PAM
@@ -180,7 +180,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/auth2.c a/auth2.c
  		ssh_packet_set_log_preamble(ssh, "%suser %s",
  		    authctxt->valid ? "authenticating " : "invalid ", user);
  		setproctitle("%s%s", authctxt->valid ? user : "unknown",
-@@ -331,6 +339,18 @@ input_userauth_request(int type, u_int32
+@@ -338,6 +346,18 @@ input_userauth_request(int type, u_int32
  	/* try to authenticate user */
  	m = authmethod_lookup(authctxt, method);
  	if (m != NULL && authctxt->failures < options.max_authtries) {
@@ -199,7 +199,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/auth2.c a/auth2.c
  		debug2("input_userauth_request: try method %s", method);
  		authenticated =	m->userauth(ssh, method);
  	}
-@@ -356,6 +376,10 @@ userauth_finish(struct ssh *ssh, int aut
+@@ -363,6 +383,10 @@ userauth_finish(struct ssh *ssh, int aut
  	char *methods;
  	int r, partial = 0;
 
@@ -210,7 +210,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/auth2.c a/auth2.c
  	if (authenticated) {
  		if (!authctxt->valid) {
  			fatal("INTERNAL ERROR: authenticated invalid user %s",
-@@ -379,6 +403,25 @@ userauth_finish(struct ssh *ssh, int aut
+@@ -386,6 +410,25 @@ userauth_finish(struct ssh *ssh, int aut
  	}
 
  	if (authenticated && options.num_auth_methods != 0) {
@@ -236,7 +236,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/auth2.c a/auth2.c
  		if (!auth2_update_methods_lists(authctxt, method, submethod)) {
  			authenticated = 0;
  			partial = 1;
-@@ -396,7 +439,19 @@ userauth_finish(struct ssh *ssh, int aut
+@@ -403,7 +446,19 @@ userauth_finish(struct ssh *ssh, int aut
  		return;
 
  #ifdef USE_PAM
@@ -335,7 +335,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/monitor.c a/monitor.c
  				struct sshbuf *m;
 
  				if ((m = sshbuf_new()) == NULL)
-@@ -797,6 +839,11 @@ mm_answer_pwnamallow(struct ssh *ssh, in
+@@ -802,6 +844,11 @@ mm_answer_pwnamallow(struct ssh *ssh, in
  	monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
  	monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
 
@@ -347,7 +347,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/monitor.c a/monitor.c
  #ifdef USE_PAM
  	if (options.use_pam)
  		monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1);
-@@ -820,6 +867,27 @@ int mm_answer_auth2_read_banner(struct s
+@@ -825,6 +872,27 @@ int mm_answer_auth2_read_banner(struct s
  	return (0);
  }
 
@@ -472,7 +472,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/servconf.c a/servconf.c
  	{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
  	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
  	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
-@@ -2575,6 +2600,37 @@ process_server_config_line_depth(ServerO
+@@ -2590,6 +2615,37 @@ process_server_config_line_depth(ServerO
  		}
  		goto parse_time;
 
@@ -513,7 +513,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/servconf.c a/servconf.c
 diff -wpruN --no-dereference '--exclude=*.orig' a~/servconf.h a/servconf.h
 --- a~/servconf.h	1970-01-01 00:00:00
 +++ a/servconf.h	1970-01-01 00:00:00
-@@ -73,6 +73,10 @@ struct listenaddr {
+@@ -71,6 +71,10 @@ struct listenaddr {
  	struct addrinfo *addrs;
  };
 
@@ -524,7 +524,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/servconf.h a/servconf.h
  typedef struct {
  	u_int	num_ports;
  	u_int	ports_from_cmdline;
-@@ -225,6 +229,12 @@ typedef struct {
+@@ -223,6 +227,12 @@ typedef struct {
  	u_int	num_auth_methods;
  	char   **auth_methods;
 

@@ -699,7 +699,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/audit.h a/audit.h
 diff -wpruN --no-dereference '--exclude=*.orig' a~/configure.ac a/configure.ac
 --- a~/configure.ac	1970-01-01 00:00:00
 +++ a/configure.ac	1970-01-01 00:00:00
-@@ -1751,7 +1751,7 @@ AC_ARG_WITH([libedit],
+@@ -1757,7 +1757,7 @@ AC_ARG_WITH([libedit],
 
  AUDIT_MODULE=none
  AC_ARG_WITH([audit],
@@ -708,7 +708,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/configure.ac a/configure.ac
  	[
  	  AC_MSG_CHECKING([for supported audit module])
  	  case "$withval" in
-@@ -1788,6 +1788,13 @@ AC_ARG_WITH([audit],
+@@ -1794,6 +1794,13 @@ AC_ARG_WITH([audit],
  		SSHDLIBS="$SSHDLIBS -laudit"
  		AC_DEFINE([USE_LINUX_AUDIT], [1], [Use Linux audit module])
  		;;

@@ -78,7 +78,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/auth2-hostbased.c a/auth2-hos
 diff -wpruN --no-dereference '--exclude=*.orig' a~/auth2.c a/auth2.c
 --- a~/auth2.c	1970-01-01 00:00:00
 +++ a/auth2.c	1970-01-01 00:00:00
-@@ -402,6 +402,14 @@ userauth_finish(struct ssh *ssh, int aut
+@@ -409,6 +409,14 @@ userauth_finish(struct ssh *ssh, int aut
  #endif
  	}
 
@@ -96,7 +96,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/auth2.c a/auth2.c
 diff -wpruN --no-dereference '--exclude=*.orig' a~/monitor.c a/monitor.c
 --- a~/monitor.c	1970-01-01 00:00:00
 +++ a/monitor.c	1970-01-01 00:00:00
-@@ -386,6 +386,12 @@ monitor_child_preauth(struct ssh *ssh, s
+@@ -391,6 +391,12 @@ monitor_child_preauth(struct ssh *ssh, s
  		}
  	}
 
@@ -109,7 +109,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/monitor.c a/monitor.c
  	if (!authctxt->valid)
  		fatal_f("authenticated invalid user");
  	if (strcmp(auth_method, "unknown") == 0)
-@@ -589,14 +595,16 @@ monitor_reset_key_state(void)
+@@ -594,14 +600,16 @@ monitor_reset_key_state(void)
  {
  	/* reset state */
  	free(key_blob);
@@ -127,7 +127,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/monitor.c a/monitor.c
  	hostbased_chost = NULL;
  }
 
-@@ -1069,6 +1077,11 @@ mm_answer_pam_account(struct ssh *ssh, i
+@@ -1074,6 +1082,11 @@ mm_answer_pam_account(struct ssh *ssh, i
  	if (!options.use_pam)
  		fatal("%s: PAM not enabled", __func__);
 

@@ -196,7 +196,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/session.c a/session.c
  static char *
  sig2name(int sig)
  {
-@@ -2446,6 +2569,9 @@ session_close(struct ssh *ssh, Session *
+@@ -2453,6 +2576,9 @@ session_close(struct ssh *ssh, Session *
  	free(s->auth_display);
  	free(s->auth_data);
  	free(s->auth_proto);
@@ -206,7 +206,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/session.c a/session.c
  	free(s->subsys);
  	if (s->env != NULL) {
  		for (i = 0; i < s->num_env; i++) {
-@@ -2701,6 +2827,10 @@ do_cleanup(struct ssh *ssh, Authctxt *au
+@@ -2708,6 +2834,10 @@ do_cleanup(struct ssh *ssh, Authctxt *au
  		auth_info_file = NULL;
  	}
 

@@ -215,7 +215,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/servconf.c a/servconf.c
  	{ "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL },
  	{ "requiredrsasize", sRequiredRSASize, SSHCFG_ALL },
  	{ "channeltimeout", sChannelTimeout, SSHCFG_ALL },
-@@ -2631,6 +2634,18 @@ process_server_config_line_depth(ServerO
+@@ -2646,6 +2649,18 @@ process_server_config_line_depth(ServerO
  		}
  		break;
 
@@ -237,7 +237,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/servconf.c a/servconf.c
 diff -wpruN --no-dereference '--exclude=*.orig' a~/servconf.h a/servconf.h
 --- a~/servconf.h	1970-01-01 00:00:00
 +++ a/servconf.h	1970-01-01 00:00:00
-@@ -237,6 +237,7 @@ typedef struct {
+@@ -235,6 +235,7 @@ typedef struct {
 
  	int	fingerprint_hash;
  	int	expose_userauth_info;

@@ -6,7 +6,7 @@ Subject: [PATCH 26/34] Don't use krb5-config to check for GSSAPI on illumos
 diff -wpruN --no-dereference '--exclude=*.orig' a~/configure.ac a/configure.ac
 --- a~/configure.ac	1970-01-01 00:00:00
 +++ a/configure.ac	1970-01-01 00:00:00
-@@ -4705,6 +4705,11 @@ AC_ARG_WITH([kerberos5],
+@@ -4711,6 +4711,11 @@ AC_ARG_WITH([kerberos5],
  			AC_PATH_TOOL([KRB5CONF], [krb5-config],
  				     [$KRB5ROOT/bin/krb5-config],
  				     [$KRB5ROOT/bin:$PATH])
@@ -18,7 +18,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/configure.ac a/configure.ac
  			if test -x $KRB5CONF ; then
  				K5CFLAGS="`$KRB5CONF --cflags`"
  				K5LIBS="`$KRB5CONF --libs`"
-@@ -4746,7 +4751,7 @@ AC_ARG_WITH([kerberos5],
+@@ -4752,7 +4757,7 @@ AC_ARG_WITH([kerberos5],
  						 AC_CHECK_LIB([des], [des_cbc_encrypt],
  						   [K5LIBS="$K5LIBS -ldes"])
  					       ], [ AC_MSG_RESULT([no])

@@ -53,7 +53,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/servconf.c a/servconf.c
  	if (options->client_alive_interval == -1)
  		options->client_alive_interval = 0;
  	if (options->client_alive_count_max == -1)
-@@ -2204,8 +2231,12 @@ process_server_config_line_depth(ServerO
+@@ -2219,8 +2246,12 @@ process_server_config_line_depth(ServerO
  			if (*arg == '\0' || strchr(arg, '=') != NULL)
  				fatal("%s line %d: Invalid environment name.",
  				    filename, linenum);
@@ -66,7 +66,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/servconf.c a/servconf.c
  			opt_array_append(filename, linenum, keyword,
  			    &options->accept_env, &options->num_accept_env,
  			    arg);
-@@ -2900,7 +2931,7 @@ copy_set_server_options(ServerOptions *d
+@@ -2956,7 +2987,7 @@ copy_set_server_options(ServerOptions *d
  } while(0)
  #define M_CP_STRARRAYOPT(s, num_s) do {\
  	u_int i; \

@@ -1,7 +1,7 @@
 diff -wpruN --no-dereference '--exclude=*.orig' a~/configure.ac a/configure.ac
 --- a~/configure.ac	1970-01-01 00:00:00
 +++ a/configure.ac	1970-01-01 00:00:00
-@@ -1646,6 +1646,62 @@ else
+@@ -1652,6 +1652,62 @@ else
  	AC_MSG_RESULT([no])
  fi
 
@@ -64,7 +64,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/configure.ac a/configure.ac
  # Check whether user wants to use ldns
  LDNS_MSG="no"
  AC_ARG_WITH(ldns,
-@@ -5617,6 +5673,7 @@ echo "                       PAM support
+@@ -5623,6 +5679,7 @@ echo "                       PAM support
  echo "                   OSF SIA support: $SIA_MSG"
  echo "                 KerberosV support: $KRB5_MSG"
  echo "                   SELinux support: $SELINUX_MSG"

@@ -20,4 +20,3 @@ sshd_config.patch
 0029-Accept-LANG-and-LC_-environment-variables-from-clien.patch
 0031-Restore-tcpwrappers-libwrap-support.patch
 test.patch
-zlib-check.patch
@@ -80,6 +80,7 @@ ok known hosts command
 ok agent restrictions
 ok channel timeout
 ok unused connection timeout
+ok sshd_config match subsystem
 test_sshbuf: ...................................................................................................... 103 tests ok
 test_sshkey: ........................................................................................................ 104 tests ok
 test_sshsig: ........ 8 tests ok

@@ -17,7 +17,7 @@
 . ../../lib/build.sh
 
 PROG=Python
-VER=3.11.5
+VER=3.11.6
 PKG=runtime/python-311
 MVER=${VER%.*}
 SUMMARY="$PROG $MVER"

@@ -7,7 +7,7 @@ However, -1 alongside EINVAL represents an error.
 diff -wpruN --no-dereference '--exclude=*.orig' a~/Modules/posixmodule.c a/Modules/posixmodule.c
 --- a~/Modules/posixmodule.c	1970-01-01 00:00:00
 +++ a/Modules/posixmodule.c	1970-01-01 00:00:00
-@@ -6867,7 +6867,11 @@ os_sched_get_priority_max_impl(PyObject
+@@ -6900,7 +6900,11 @@ os_sched_get_priority_max_impl(PyObject
      int max;
 
      max = sched_get_priority_max(policy);
@@ -19,7 +19,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/Modules/posixmodule.c a/Modul
          return posix_error();
      return PyLong_FromLong(max);
  }
-@@ -6886,7 +6890,11 @@ os_sched_get_priority_min_impl(PyObject
+@@ -6919,7 +6923,11 @@ os_sched_get_priority_min_impl(PyObject
  /*[clinic end generated code: output=7595c1138cc47a6d input=21bc8fa0d70983bf]*/
  {
      int min = sched_get_priority_min(policy);