openssh-selinux 8.4p1-1 update

4 files changed, 10 insertions, 173 deletions

diff --git a/.SRCINFO b/.SRCINFO
index ba77b41a7f18..39f446d8beae 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,7 +1,7 @@
 pkgbase = openssh-selinux
 	pkgdesc = Premier connectivity tool for remote login with the SSH protocol, with SELinux support
-	pkgver = 8.3p1
-	pkgrel = 4
+	pkgver = 8.4p1
+	pkgrel = 1
 	url = https://www.openssh.com/portable.html
 	install = install
 	arch = x86_64
@@ -19,27 +19,23 @@ pkgbase = openssh-selinux
 	optdepends = xorg-xauth: X11 forwarding
 	optdepends = x11-ssh-askpass: input passphrase in X
 	optdepends = libfido2: FIDO/U2F support
-	provides = openssh=8.3p1-4
-	provides = selinux-openssh=8.3p1-4
+	provides = openssh=8.4p1-1
+	provides = selinux-openssh=8.4p1-1
 	conflicts = openssh
 	conflicts = selinux-openssh
 	backup = etc/ssh/ssh_config
 	backup = etc/ssh/sshd_config
 	backup = etc/pam.d/sshd
-	source = https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.3p1.tar.gz
-	source = https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.3p1.tar.gz.asc
-	source = 67290.patch
-	source = 3122.patch
+	source = https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.4p1.tar.gz
+	source = https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.4p1.tar.gz.asc
 	source = sshdgenkeys.service
 	source = sshd.service
 	source = sshd.conf
 	source = sshd.pam
 	source = glibc-2.31.patch
 	validpgpkeys = 59C2118ED206D927E667EBE3D3E5F56B6D920D30
-	sha256sums = f2befbe0472fe7eb75d23340eb17531cb6b3aac24075e2066b41f814e12387b2
+	sha256sums = 5a01d22e407eb1c05ba8a8f7c654d388a13e9f226e4ed33bd38748dafa1d2b24
 	sha256sums = SKIP
-	sha256sums = 3ccc1c6672521782c154c89607d2c2d7a67e0f66a349260e00e28ae999ea54f5
-	sha256sums = a13330ca7560b25e4defcd4bdecf28ed37b416362e13aebcb0e57164e575e659
 	sha256sums = 4031577db6416fcbaacf8a26a024ecd3939e5c10fe6a86ee3f0eea5093d533b7
 	sha256sums = e40f8b7c8e5e2ecf3084b3511a6c36d5b5c9f9e61f2bb13e3726c71dc7d4fbc7
 	sha256sums = 4effac1186cc62617f44385415103021f72f674f8b8e26447fc1139c670090f6
diff --git a/3122.patch b/3122.patch
deleted file mode 100644
index 0a66daddb9ff..000000000000
--- a/3122.patch
+++ /dev/null
@@ -1,98 +0,0 @@
-diff -Naur old/servconf.c new/servconf.c
---- old/servconf.c	2020-05-26 14:38:00.000000000 -1000
-+++ new/servconf.c	2020-07-16 10:14:14.076284901 -1000
-@@ -550,6 +550,7 @@
- #define SSHCFG_MATCH		0x02	/* allowed inside a Match section */
- #define SSHCFG_ALL		(SSHCFG_GLOBAL|SSHCFG_MATCH)
- #define SSHCFG_NEVERMATCH	0x04  /* Match never matches; internal only */
-+#define SSHCFG_MATCH_ONLY	0x08  /* Match only in conditional blocks; internal only */
- 
- /* Textual representation of the tokens. */
- static struct {
-@@ -1259,7 +1260,7 @@
- static int
- process_server_config_line_depth(ServerOptions *options, char *line,
-     const char *filename, int linenum, int *activep,
--    struct connection_info *connectinfo, int inc_flags, int depth,
-+    struct connection_info *connectinfo, int *inc_flags, int depth,
-     struct include_list *includes)
- {
- 	char ch, *cp, ***chararrayptr, **charptr, *arg, *arg2, *p;
-@@ -2002,7 +2003,9 @@
- 					parse_server_config_depth(options,
- 					    item->filename, item->contents,
- 					    includes, connectinfo,
--					    (oactive ? 0 : SSHCFG_NEVERMATCH),
-+					    (*inc_flags & SSHCFG_MATCH_ONLY
-+					        ? SSHCFG_MATCH_ONLY : (oactive
-+					            ? 0 : SSHCFG_NEVERMATCH)),
- 					    activep, depth + 1);
- 				}
- 				found = 1;
-@@ -2050,7 +2053,9 @@
- 				parse_server_config_depth(options,
- 				    item->filename, item->contents,
- 				    includes, connectinfo,
--				    (oactive ? 0 : SSHCFG_NEVERMATCH),
-+				    (*inc_flags & SSHCFG_MATCH_ONLY
-+				        ? SSHCFG_MATCH_ONLY : (oactive
-+				            ? 0 : SSHCFG_NEVERMATCH)),
- 				    activep, depth + 1);
- 				*activep = oactive;
- 				TAILQ_INSERT_TAIL(includes, item, entry);
-@@ -2068,11 +2073,14 @@
- 		if (cmdline)
- 			fatal("Match directive not supported as a command-line "
- 			   "option");
--		value = match_cfg_line(&cp, linenum, connectinfo);
-+		value = match_cfg_line(&cp, linenum,
-+		    (*inc_flags & SSHCFG_NEVERMATCH ? NULL : connectinfo));
- 		if (value < 0)
- 			fatal("%s line %d: Bad Match condition", filename,
- 			    linenum);
--		*activep = (inc_flags & SSHCFG_NEVERMATCH) ? 0 : value;
-+		*activep = (*inc_flags & SSHCFG_NEVERMATCH) ? 0 : value;
-+		/* The MATCH_ONLY is applicable only until the first match block */
-+		*inc_flags &= ~SSHCFG_MATCH_ONLY;
- 		break;
- 
- 	case sPermitListen:
-@@ -2375,8 +2383,10 @@
-     const char *filename, int linenum, int *activep,
-     struct connection_info *connectinfo, struct include_list *includes)
- {
-+	int inc_flags = 0;
-+
- 	return process_server_config_line_depth(options, line, filename,
--	    linenum, activep, connectinfo, 0, 0, includes);
-+	    linenum, activep, connectinfo, &inc_flags, 0, includes);
- }
- 
- 
-@@ -2581,14 +2591,15 @@
- 	if (depth < 0 || depth > SERVCONF_MAX_DEPTH)
- 		fatal("Too many recursive configuration includes");
- 
--	debug2("%s: config %s len %zu", __func__, filename, sshbuf_len(conf));
-+	debug2("%s: config %s len %zu%s", __func__, filename, sshbuf_len(conf),
-+	    (flags & SSHCFG_NEVERMATCH ? " [checking syntax only]" : ""));
- 
- 	if ((obuf = cbuf = sshbuf_dup_string(conf)) == NULL)
- 		fatal("%s: sshbuf_dup_string failed", __func__);
- 	linenum = 1;
- 	while ((cp = strsep(&cbuf, "\n")) != NULL) {
- 		if (process_server_config_line_depth(options, cp,
--		    filename, linenum++, activep, connectinfo, flags,
-+		    filename, linenum++, activep, connectinfo, &flags,
- 		    depth, includes) != 0)
- 			bad_options++;
- 	}
-@@ -2606,7 +2617,7 @@
- {
- 	int active = connectinfo ? 0 : 1;
- 	parse_server_config_depth(options, filename, conf, includes,
--	    connectinfo, 0, &active, 0);
-+	    connectinfo, (connectinfo ? SSHCFG_MATCH_ONLY : 0), &active, 0);
- }
- 
- static const char *
diff --git a/67290.patch b/67290.patch
deleted file mode 100644
index 15ee45eb377b..000000000000
--- a/67290.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From c514f3c0522855b4d548286eaa113e209051a6d2 Mon Sep 17 00:00:00 2001
-From: "djm@openbsd.org" <djm@openbsd.org>
-Date: Thu, 18 Jun 2020 23:33:38 +0000
-Subject: upstream: avoid spurious "Unable to load host key" message when
-
-sshd can load a private key but no public counterpart; with & ok markus@
-
-OpenBSD-Commit-ID: 0713cbdf9aa1ff8ac7b1f78b09ac911af510f81b
----
- authfile.c | 10 ++++++++--
- 1 file changed, 8 insertions(+), 2 deletions(-)
-
-diff --git a/authfile.c b/authfile.c
-index 35ccf576..946f50ca 100644
---- a/authfile.c
-+++ b/authfile.c
-@@ -1,4 +1,4 @@
--/* $OpenBSD: authfile.c,v 1.140 2020/04/17 07:15:11 djm Exp $ */
-+/* $OpenBSD: authfile.c,v 1.141 2020/06/18 23:33:38 djm Exp $ */
- /*
-  * Copyright (c) 2000, 2013 Markus Friedl.  All rights reserved.
-  *
-@@ -263,7 +263,7 @@ int
- sshkey_load_public(const char *filename, struct sshkey **keyp, char **commentp)
- {
- 	char *pubfile = NULL;
--	int r;
-+	int r, oerrno;
- 
- 	if (keyp != NULL)
- 		*keyp = NULL;
-@@ -283,8 +283,14 @@ sshkey_load_public(const char *filename, struct sshkey **keyp, char **commentp)
- 	if ((r = sshkey_load_pubkey_from_private(filename, keyp)) == 0)
- 		goto out;
- 
-+	/* Pretend we couldn't find the key */
-+	r = SSH_ERR_SYSTEM_ERROR;
-+	errno = ENOENT;
-+
-  out:
-+	oerrno = errno;
- 	free(pubfile);
-+	errno = oerrno;
- 	return r;
- }
- 
--- 
-cgit v1.2.3
-
diff --git a/PKGBUILD b/PKGBUILD
index 305d7a7479de..483484df5653 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -9,8 +9,8 @@
 # If you want to help keep it up to date, please open a Pull Request there.
 
 pkgname=openssh-selinux
-pkgver=8.3p1
-pkgrel=4
+pkgver=8.4p1
+pkgrel=1
 pkgdesc='Premier connectivity tool for remote login with the SSH protocol, with SELinux support'
 url='https://www.openssh.com/portable.html'
 license=('custom:BSD')
@@ -28,17 +28,13 @@ groups=('selinux')
 validpgpkeys=('59C2118ED206D927E667EBE3D3E5F56B6D920D30')
 #source=("git://anongit.mindrot.org/openssh.git?signed#tag=V_8_2_P1"
 source=("https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/${pkgname/-selinux}-${pkgver}.tar.gz"{,.asc}
-        '67290.patch'
-        '3122.patch'
         'sshdgenkeys.service'
         'sshd.service'
         'sshd.conf'
         'sshd.pam'
         'glibc-2.31.patch')
-sha256sums=('f2befbe0472fe7eb75d23340eb17531cb6b3aac24075e2066b41f814e12387b2'
+sha256sums=('5a01d22e407eb1c05ba8a8f7c654d388a13e9f226e4ed33bd38748dafa1d2b24'
             'SKIP'
-            '3ccc1c6672521782c154c89607d2c2d7a67e0f66a349260e00e28ae999ea54f5'
-            'a13330ca7560b25e4defcd4bdecf28ed37b416362e13aebcb0e57164e575e659'
             '4031577db6416fcbaacf8a26a024ecd3939e5c10fe6a86ee3f0eea5093d533b7'
             'e40f8b7c8e5e2ecf3084b3511a6c36d5b5c9f9e61f2bb13e3726c71dc7d4fbc7'
             '4effac1186cc62617f44385415103021f72f674f8b8e26447fc1139c670090f6'
@@ -52,14 +48,6 @@ install=install
 prepare() {
 	cd "${srcdir}/${pkgname/-selinux}-${pkgver}"
 
-	# Fix FS#67290
-	# From https://anongit.mindrot.org/openssh.git/patch/?id=c514f3c0522855b4d548286eaa113e209051a6d2
-	patch -p1 -i ../67290.patch
-
-	# Fix https://bugzilla.mindrot.org/show_bug.cgi?id=3122
-	# Backported from https://anongit.mindrot.org/openssh.git/patch/?id=7af1e92cd289b7eaa9a683e9a6f2fddd98f37a01'
-	patch -p1 -i ../3122.patch
-
 	patch -p1 -i ../glibc-2.31.patch
 	autoreconf
 }