[MacPorts] #59016: [openssh/openssl] : Apple keychain patch update should have blocked openssl upgrade
MacPorts
noreply at macports.org
Thu Sep 12 13:02:58 UTC 2019
----------------------+----------------------
Reporter: RJVB | Owner: (none)
Type: defect | Status: new
Priority: Normal | Milestone:
Component: ports | Version:
Resolution: | Keywords: security
Port: openssh |
----------------------+----------------------
Changes (by yan12125):
* keywords: => security
Comment:
{{{
# TODO: Update patch 0002-Apple-keychain-integration-other-changes.patch to use OpenSSL 1.1 APIs.
}}}
This comment is misleading as that patch is disabled due to
incompatibility with OpenBSD's OpenSSH 7.9p1, not incompatibility with
OpenSSL 1.1. The last sentence in the commit message of
[c15ce48157fd32bd5362ce868b9e32a54ea4d089/macports-ports] is clearer:
{{{
Temporarily disabled macOS keychain integration until this can be updated
to 7.9p1 APIs.
}}}
For example, the main file keychain.c has #include "key.h", but there is
no key.h in OpenBSD's OpenSSH 7.9p1.
---
> Where did the 0002* patchfile come from?
From https://trac.macports.org/ticket/27250
> Patch regenerated in more clean format with git
So, most likely it's manually generated.
To get the Apple keychain patch back, there are a few options:
* Comparing OpenSSH-220.231.1 and OpenBSD's OpenSSH 7.9p1 to generate a
new patch
* Rebasing the existing patch against OpenSSH 7.9p1
* Combining the above two approaches - generate a new patch and rebase the
new patch against OpenSSH 8.0p1, which fixes several security issues found
in OpenSSH 7.9 (1) - adding the 'security' keyword to this ticket.
I may or may not have a look into this after fixing other ports that
cannot be built with openssl 1.1.
(1) https://www.cvedetails.com/vulnerability-list/vendor_id-97/product_id-585/year-2019/Openbsd-Openssh.html
--
Ticket URL: <https://trac.macports.org/ticket/59016#comment:9>
MacPorts <https://www.macports.org/>
Ports system for macOS
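
Added example (not part of the ticket or of the MacPorts code): a check for the kind of breakage described in the comment above, where a file added by the patch includes a header such as key.h that the target source tree no longer ships. It assumes git-style a/ and b/ path prefixes and that quoted includes resolve relative to the tree root; the patch text and the tree contents are constructed stand-ins, not the real 0002 patch or the real OpenSSH sources.

```python
import re
import tempfile
from pathlib import Path

# Quoted (#include "x.h") includes on lines the patch adds.
INCLUDE_RE = re.compile(r'^\+\s*#\s*include\s+"([^"]+)"')

# Constructed sample patch: two new files, one of which includes key.h.
SAMPLE_PATCH = '''\
diff --git a/keychain.h b/keychain.h
--- /dev/null
+++ b/keychain.h
@@ -0,0 +1,1 @@
+int keychain_placeholder(void);
diff --git a/keychain.c b/keychain.c
--- /dev/null
+++ b/keychain.c
@@ -0,0 +1,3 @@
+#include "includes.h"
+#include "key.h"
+#include "keychain.h"
'''

def missing_local_includes(patch_text, tree):
    """Map each header the patch includes but cannot find to the files using it.

    A header counts as found if it exists under `tree` or is itself
    created or modified by the patch.
    """
    tree = Path(tree)
    current, touched, wanted = None, set(), {}
    for line in patch_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:].split("\t")[0].strip()
            if path == "/dev/null":          # file deleted by the patch
                current = None
            else:                            # strip the "b/" prefix (-p1)
                current = path.split("/", 1)[1] if "/" in path else path
                touched.add(current)
            continue
        m = INCLUDE_RE.match(line)
        if m and current:
            wanted.setdefault(m.group(1), []).append(current)
    return {h: users for h, users in wanted.items()
            if h not in touched and not (tree / h).exists()}

def demo():
    # Constructed stand-in for an unpacked source tree that has no key.h.
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("includes.h", "sshkey.h"):
            (Path(tmp) / name).write_text("/* constructed */\n")
        return missing_local_includes(SAMPLE_PATCH, tmp)

if __name__ == "__main__":
    print(demo())
```

Running it against a real patch and an extracted source directory lists every header the patch would need to be ported away from before a rebase can compile.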