upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-02-24 10:20:24 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions
opnsense-src/crypto/openssh/.github/workflows/c-cpp.yml
Ed Maste 4d3fc8b057 ssh: Update to OpenSSH 9.3p1 
This release fixes a number of security bugs and has minor new
features and bug fixes.  Security fixes, from the release notes
(https://www.openssh.com/txt/release-9.3):

This release contains fixes for a security problem and a memory
safety problem. The memory safety problem is not believed to be
exploitable, but we report most network-reachable memory faults as
security bugs.

 * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the
   per-hop destination constraints (ssh-add -h ...) added in OpenSSH
   8.9, a logic error prevented the constraints from being
   communicated to the agent. This resulted in the keys being added
   without constraints. The common cases of non-smartcard keys and
   keys without destination constraints are unaffected. This problem
   was reported by Luci Stanescu.

 * ssh(1): Portable OpenSSH provides an implementation of the
   getrrsetbyname(3) function if the standard library does not
   provide it, for use by the VerifyHostKeyDNS feature. A
   specifically crafted DNS response could cause this function to
   perform an out-of-bounds read of adjacent stack data, but this
   condition does not appear to be exploitable beyond denial-of-
   service to the ssh(1) client.

   The getrrsetbyname(3) replacement is only included if the system's
   standard library lacks this function and portable OpenSSH was not
   compiled with the ldns library (--with-ldns). getrrsetbyname(3) is
   only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This
   problem was found by the Coverity static analyzer.

Sponsored by:	The FreeBSD Foundation
2023-03-16 10:29:55 -04:00

126 lines
5.7 KiB
YAML
Raw Blame History

name: C/C++ CI
on:
push:
paths: [ '**.c', '**.h', '**.m4', '**.sh', '.github/**', '**/Makefile.in', 'configure.ac' ]
pull_request:
paths: [ '**.c', '**.h', '**.m4', '**.sh', '.github/**', '**/Makefile.in', 'configure.ac' ]
jobs:
ci:
if: github.repository != 'openssh/openssh-portable-selfhosted'
strategy:
fail-fast: false
matrix:
# First we test all OSes in the default configuration.
target: [ubuntu-20.04, ubuntu-22.04, macos-11, macos-12, windows-2019, windows-2022]
config: [default]
# Then we include any extra configs we want to test for specific VMs.
# Valgrind slows things down quite a bit, so start them first.
include:
- { target: windows-2019, config: cygwin-release }
- { target: windows-2022, config: cygwin-release }
- { target: ubuntu-20.04, config: valgrind-1 }
- { target: ubuntu-20.04, config: valgrind-2 }
- { target: ubuntu-20.04, config: valgrind-3 }
- { target: ubuntu-20.04, config: valgrind-4 }
- { target: ubuntu-20.04, config: valgrind-5 }
- { target: ubuntu-20.04, config: valgrind-unit }
- { target: ubuntu-20.04, config: c89 }
- { target: ubuntu-20.04, config: clang-6.0 }
- { target: ubuntu-20.04, config: clang-8 }
- { target: ubuntu-20.04, config: clang-9 }
- { target: ubuntu-20.04, config: clang-10 }
- { target: ubuntu-20.04, config: clang-11 }
- { target: ubuntu-20.04, config: clang-12-Werror }
- { target: ubuntu-20.04, config: clang-sanitize-address }
- { target: ubuntu-20.04, config: clang-sanitize-undefined }
- { target: ubuntu-20.04, config: gcc-sanitize-address }
- { target: ubuntu-20.04, config: gcc-sanitize-undefined }
- { target: ubuntu-20.04, config: gcc-7 }
- { target: ubuntu-20.04, config: gcc-8 }
- { target: ubuntu-20.04, config: gcc-10 }
- { target: ubuntu-20.04, config: gcc-11-Werror }
- { target: ubuntu-20.04, config: pam }
- { target: ubuntu-20.04, config: kitchensink }
- { target: ubuntu-20.04, config: hardenedmalloc }
- { target: ubuntu-20.04, config: tcmalloc }
- { target: ubuntu-20.04, config: musl }
- { target: ubuntu-latest, config: libressl-master }
- { target: ubuntu-latest, config: libressl-2.2.9 }
- { target: ubuntu-latest, config: libressl-2.8.3 }
- { target: ubuntu-latest, config: libressl-3.0.2 }
- { target: ubuntu-latest, config: libressl-3.2.6 }
- { target: ubuntu-latest, config: libressl-3.3.6 }
- { target: ubuntu-latest, config: libressl-3.4.3 }
- { target: ubuntu-latest, config: libressl-3.5.3 }
- { target: ubuntu-latest, config: libressl-3.6.1 }
- { target: ubuntu-latest, config: libressl-3.7.0 }
- { target: ubuntu-latest, config: openssl-master }
- { target: ubuntu-latest, config: openssl-noec }
- { target: ubuntu-latest, config: openssl-1.0.1 }
- { target: ubuntu-latest, config: openssl-1.0.1u }
- { target: ubuntu-latest, config: openssl-1.0.2u }
- { target: ubuntu-latest, config: openssl-1.1.0h }
- { target: ubuntu-latest, config: openssl-1.1.1 }
- { target: ubuntu-latest, config: openssl-1.1.1k }
- { target: ubuntu-latest, config: openssl-1.1.1n }
- { target: ubuntu-latest, config: openssl-1.1.1q }
- { target: ubuntu-latest, config: openssl-1.1.1s }
- { target: ubuntu-latest, config: openssl-3.0.0 }
- { target: ubuntu-latest, config: openssl-3.0.5 }
- { target: ubuntu-latest, config: openssl-3.0.7 }
- { target: ubuntu-latest, config: openssl-1.1.1_stable }
- { target: ubuntu-latest, config: openssl-3.0 } # stable branch
- { target: ubuntu-22.04, config: pam }
- { target: ubuntu-22.04, config: krb5 }
- { target: ubuntu-22.04, config: heimdal }
- { target: ubuntu-22.04, config: libedit }
- { target: ubuntu-22.04, config: sk }
- { target: ubuntu-22.04, config: selinux }
- { target: ubuntu-22.04, config: kitchensink }
- { target: ubuntu-22.04, config: without-openssl }
- { target: macos-11, config: pam }
- { target: macos-12, config: pam }
runs-on: ${{ matrix.target }}
steps:
- name: set cygwin git params
if: ${{ startsWith(matrix.target, 'windows') }}
run: git config --global core.autocrlf input
- name: install cygwin
if: ${{ startsWith(matrix.target, 'windows') }}
uses: cygwin/cygwin-install-action@master
- uses: actions/checkout@main
- name: setup CI system
run: sh ./.github/setup_ci.sh ${{ matrix.config }}
- name: autoreconf
run: sh -c autoreconf
- name: configure
run: sh ./.github/configure.sh ${{ matrix.config }}
- name: save config
uses: actions/upload-artifact@main
with:
name: ${{ matrix.target }}-${{ matrix.config }}-config
path: config.h
- name: make clean
run: make clean
- name: make
run: make -j2
- name: make tests
run: sh ./.github/run_test.sh ${{ matrix.config }}
env:
TEST_SSH_UNSAFE_PERMISSIONS: 1
TEST_SSH_HOSTBASED_AUTH: yes
- name: save logs
if: failure()
uses: actions/upload-artifact@main
with:
name: ${{ matrix.target }}-${{ matrix.config }}-logs
path: |
config.h
config.log
regress/*.log
regress/valgrind-out/
regress/asan.log.*
regress/msan.log.*
regress/log/*
Reference in a new issue View git blame Copy permalink