Re: Call for testing: OpenSSH 6.7

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



Requirement for ec.h breaks all builds on systems without the EC feature (*all
Red Hat [probably variants as well] below 6.5*).  New linking issue with
gcc on AIX before tests run.  Same systems built 6.6 release without issue.

Using http://www.mindrot.org/openssh_snap/openssh-SNAP-20140819.tar.gz

OS              Build_Target                CC
OpenSSL       BUILD    TEST
==============  =========================== ================
============= ======   =================
Centos 2.1      i386-redhat-linux           gcc 2.9.6
0.9.6b-engine FAIL*1
RHEL 3.4        i386-redhat-linux           gcc 3.2.3-47
0.9.7a        FAIL*1
Fedora Core r2  i386-redhat-linux           gcc 3.3.3-7
0.9.7a        FAIL*1
RHEL 4.8        i386-redhat-linux           gcc 3.4.6-11
0.9.7a        FAIL*1
RHEL 4.8        x86_64-redhat-linux         gcc 3.4.6-11
0.9.7a        FAIL*1
RHEL 5.4        i386-redhat-linux           gcc 4.1.2-46
0.9.8e-fips   FAIL*1
RHEL 5.4        x86_64-redhat-linux         gcc 4.1.2-46
0.9.8e-fips   FAIL*1
RHEL 5.5        i386-redhat-linux           gcc 4.1.2-48
0.9.8e-fips   FAIL*1
RHEL 5.5        x86_64-redhat-linux         gcc 4.1.2-48
0.9.8e-fips   FAIL*1
RHEL 5.6        i386-redhat-linux           gcc 4.1.2-50
0.9.8e-fips   FAIL*1
RHEL 5.6        x86_64-redhat-linux         gcc 4.1.2-50
0.9.8e-fips   FAIL*1
RHEL 5.7        i386-redhat-linux           gcc 4.1.2-51
0.9.8e-fips   FAIL*1
RHEL 5.7        x86_64-redhat-linux         gcc 4.1.2-51
0.9.8e-fips   FAIL*1
RHEL 5.8        i386-redhat-linux           gcc 4.1.2-52
0.9.8e-fips   FAIL*1
RHEL 5.8        x86_64-redhat-linux         gcc 4.1.2-52
0.9.8e-fips   FAIL*1
RHEL 5.9        i386-redhat-linux           gcc 4.1.2-54
0.9.8e-fips   FAIL*1
RHEL 5.9        x86_64-redhat-linux         gcc 4.1.2-54
0.9.8e-fips   FAIL*1
RHEL 5.10       i686-redhat-linux           gcc 4.1.2-54
0.9.8e-fips   FAIL*1
RHEL 5.10       x86_64-redhat-linux         gcc 4.1.2-54
0.9.8e-fips   FAIL*1
RHEL 6.0        i686-redhat-linux           gcc 4.4.4-13
1.0.0-fips    FAIL*1
RHEL 6.0        x86_64-redhat-linux         gcc 4.4.4-13
1.0.0-fips    FAIL*1
RHEL 6.1        i686-redhat-linux           gcc 4.4.5-6
1.0.0-fips    FAIL*1
RHEL 6.1        x86_64-redhat-linux         gcc 4.4.5-6
1.0.0-fips    FAIL*1
RHEL 6.2        i686-redhat-linux           gcc 4.4.6-3
1.0.0-fips    FAIL*1
RHEL 6.2        x86_64-redhat-linux         gcc 4.4.6-3
1.0.0-fips    FAIL*1
RHEL 6.3        i686-redhat-linux           gcc 4.4.7-3
1.0.0-fips    FAIL*1
RHEL 6.3        x86_64-redhat-linux         gcc 4.4.7-3
1.0.0-fips    FAIL*1
RHEL 6.4        i686-redhat-linux           gcc 4.4.7-3
1.0.0-fips    FAIL*1
RHEL 6.4        x86_64-redhat-linux         gcc 4.4.7-3
1.0.0-fips    FAIL*1
RHEL 6.5        i686-redhat-linux           gcc 4.4.7-4
1.0.1e-fips   OK       all tests passed
RHEL 6.5        x86_64-redhat-linux         gcc 4.4.7-4
1.0.1e-fips   OK       all tests passed
RHEL 7.0        x86_64-redhat-linux         gcc 4.8.2-16
1.0.1e-fips   OK       all tests passed
Debian 7.6      x86_64-linux-gnu            gcc Debian 4.7.2-5
1.0.1e        OK       all tests passed
AIX 5300-12-04  powerpc-ibm-aix5.3.0.0      gcc 4.2.0-3
0.9.8k        FAIL*1
AIX 5300-12-02  powerpc-ibm-aix5.3.0.0      xlc 8.0.0.16
0.9.8k        FAIL*1
AIX 6100-07-08  powerpc-ibm-aix6.1.0.0      gcc 4.2.0
0.9.8y        FAIL*2
AIX 6100-07-08  powerpc-ibm-aix6.1.0.0      xlc 11.1.0.6
0.9.8y        OK       all tests passed
AIX 7100-03-01  powerpc-ibm-aix7.1.0.0      gcc 4.4.7
1.0.1e        FAIL*2
AIX 7100-03-01  powerpc-ibm-aix7.1.0.0      xlc 12.1.0.6
1.0.1e        OK       all tests passed
HP-UX 11.23     ia64-hp-hpux11.23           gcc 4.3.1
0.9.8w        OK       all tests passed
HP-UX 11.23     ia64-hp-hpux11.23           C/aC++ C.11.23.12
0.9.8w        OK       all tests passed
HP-UX 11.31     ia64-hp-hpux11.31           gcc 4.6.2
0.9.8t        OK       all tests passed
HP-UX 11.31     ia64-hp-hpux11.31           C/aC++ C.11.31.05
0.9.8t        OK       all tests passed

RHL     Red Hat Linux
RHEL    Red Hat Enterprise Linux

F*1  Requires openssl with ec.h (not in RHEL 6.4 and before), HP-UX 11.23+
and AIX 5.3+ have in-place upgrades
     make[1]: Entering directory `/usr/src/openssh/openbsd-compat'
     gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
-Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2
-fno-builtin-memset -std=gnu99  -I. -I.. -I. -I./..  -DHAVE_CONFIG_H -c
arc4random.c
     In file included from ../buffer.h:24,
                      from ../entropy.h:30,
                      from ../includes.h:177,
                      from arc4random.c:27:
     ../sshbuf.h:25:24: openssl/ec.h: No such file or directory
     make[1]: *** [arc4random.o] Error 1
     make[1]: Leaving directory `/usr/src/openssh/openbsd-compat'
     make: *** [openbsd-compat/libopenbsd-compat.a] Error 2

F*2 gcc on AIX - linking fails just before tests start - i.e.
    gcc -o regress/unittests/sshbuf/test_sshbuf -L. -Lopenbsd-compat/
-Wl,-blibpath:/usr/lib:/lib regress/unittests/sshbuf/tests.o
regress/unittests/sshbuf/test_sshbuf.o
regress/unittests/sshbuf/test_sshbuf_getput_basic.o
regress/unittests/sshbuf/test_sshbuf_getput_crypto.o
regress/unittests/sshbuf/test_sshbuf_misc.o
regress/unittests/sshbuf/test_sshbuf_fuzz.o
regress/unittests/sshbuf/test_sshbuf_getput_fuzz.o
regress/unittests/sshbuf/test_sshbuf_fixed.o \
 -L regress/unittests/test_helper -ltest_helper \
 -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -lz -lpthread
collect2: library libtest_helper not found
gmake: *** [regress/unittests/sshbuf/test_sshbuf] Error 1




On Mon, Aug 18, 2014 at 10:00 AM, Kevin Brott <kevin.brott@xxxxxxxxx> wrote:

>
> So apparently openssl/ec.h didn't show up earlier than 0.9.8m right now
> it's looking like any system with earlier versions will configure, but fail
> to build off the bat.
>
>
> On Mon, Aug 18, 2014 at 9:18 AM, Kevin Brott <kevin.brott@xxxxxxxxx>
> wrote:
>
>> Ugh - so, forgot to RT the list ... and another failed buildhost ...
>>
>> I know these are legacy OS version - but they're still in use here so ...
>>
>> OS           Build_Target        CC             OpenSSL       BUILD  TEST
>> ===========  =================   ============   ============= =====
>> =================
>> Centos 2.1   i386-redhat-linux   gcc 2.9.6      0.9.6b-engine FAIL*1
>> RHEL 3.4     i386-redhat-linux   gcc 3.2.3-47   0.9.7a        FAIL*1
>>
>> make[1]: Entering directory `/usr/src/openssh/openbsd-compat'
>> gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
>> -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2
>> -fno-builtin-memset -std=gnu99  -I. -I.. -I. -I./..  -DHAVE_CONFIG_H -c
>> arc4random.c
>> In file included from ../buffer.h:24,
>>                  from ../entropy.h:30,
>>                  from ../includes.h:177,
>>                  from arc4random.c:27:
>> ../sshbuf.h:25:24: openssl/ec.h: No such file or directory
>> make[1]: *** [arc4random.o] Error 1
>> make[1]: Leaving directory `/usr/src/openssh/openbsd-compat'
>> make: *** [openbsd-compat/libopenbsd-compat.a] Error 2
>> [root@localhost openssh]# find ec.h
>> find: ec.h: No such file or directory
>>
>>
>>
>>
>> On Sun, Aug 17, 2014 at 6:23 PM, Damien Miller <djm@xxxxxxxxxxx> wrote:
>>
>>> Hi,
>>>
>>> OpenSSH 6.7 is almost ready for release, so we would appreciate testing
>>> on as many platforms and systems as possible. This is a big release
>>> containing a number of features, a lot of internal refactoring and some
>>> potentially-incompatible changes.
>>>
>>> Snapshot releases for portable OpenSSH are available from
>>> http://www.mindrot.org/openssh_snap/
>>>
>>> The OpenBSD version is available in CVS HEAD:
>>> http://www.openbsd.org/anoncvs.html
>>>
>>> Portable OpenSSH is also available via anonymous CVS using the
>>> instructions at http://www.openssh.com/portable.html#cvs or
>>> via Git at https://anongit.mindrot.org/openssh.git/
>>>
>>> Running the regression tests supplied with Portable OpenSSH does not
>>> require installation and is a simply:
>>>
>>> $ ./configure && make tests
>>>
>>> Live testing on suitable non-production systems is also
>>> appreciated. Please send reports of success or failure to
>>> openssh-unix-dev@xxxxxxxxxxx.
>>>
>>> Below is a summary of changes. More detail may be found in the ChangeLog
>>> in the portable OpenSSH tarballs.
>>>
>>> Thanks to the many people who contributed to this release.
>>>
>>> Changes since OpenSSH 6.6
>>> =========================
>>>
>>> Potentially-incompatible changes
>>>
>>>  * sshd(8): The default set of ciphers and MACs has been altered to
>>>    remove unsafe algorithms. In particular, CBC ciphers and arcfour*
>>>    are disabled by default.
>>>
>>>    The full set of algorithms remains available if configured
>>>    explicitly via the Ciphers and MACs sshd_config options.
>>>
>>>  * sshd(8): Support for tcpwrappers/libwrap has been removed.
>>>
>>>  * OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections
>>>    using the curve25519-sha256@xxxxxxxxxx KEX exchange method to fail
>>>    when connecting with something that implements the specification
>>>    correctly. OpenSSH 6.7 disables this KEX method when speaking to
>>>    one of the affected versions.
>>>
>>> New Features
>>>
>>>  * Major internal refactoring to begin to make part of OpenSSH usable
>>>    as a library. So far the wire parsing, key handling and KRL code
>>>    has been refactored. Please note that we do not consider the API
>>>    stable yet, nor do we offer the library in separable form.
>>>
>>>  * ssh(1), sshd(8): Add support for Unix domain socket forwarding.
>>>    A remote TCP port may be forwarded to a local Unix domain socket
>>>    and vice versa or both ends may be a Unix domain socket.
>>>
>>>  * ssh(1), ssh-keygen(1): Add support for SSHFP DNS records for
>>>    ED25519 key types.
>>>
>>>  * sftp(1): Allow resumption of interrupted uploads.
>>>
>>>  * ssh(1): When rekeying, skip file/DNS lookups of the hostkey if it
>>>    is the same as the one sent during initial key exchange; bz#2154
>>>
>>>  * sshd(8): Allow explicit ::1 and 127.0.0.1 forwarding bind
>>>    addresses when GatewayPorts=no; allows client to choose address
>>>    family; bz#2222
>>>
>>>  * sshd(8): Add a sshd_config PermitUserRC option to control whether
>>>    ~/.ssh/rc is executed, mirroring the no-user-rc authorized_keys
>>>    option; bz#2160
>>>
>>>  * ssh(1): Add a %C escape sequence for LocalCommand and ControlPath
>>>    that expands to a unique identifer based on a hash of the tuple of
>>>    (local host, remote user, hostname, port). Helps avoid exceeding
>>>    miserly pathname limits for Unix domain sockets in multiplexing
>>>    control paths; bz#2220
>>>
>>>  * sshd(8): Make the "Too many authentication failures" message
>>>    include the user, source address, port and protocol in a format
>>>    similar to the authentication success / failure messages; bz#2199
>>>
>>>  * Added unit and fuzz tests for refactored code. These are run
>>>    automatically in portable OpenSSH via the "make tests" target.
>>>
>>> Bugfixes
>>>
>>>  * sshd(8): Fix remote fwding with same listen port but different
>>>    listen address.
>>>
>>>  * ssh(1): Fix inverted test that caused PKCS#11 keys that were
>>>    explicitly listed in ssh_config or on the commandline not to be
>>>    preferred.
>>>
>>>  * ssh-keygen(1): Fix bug in KRL generation: multiple consecutive
>>>    revoked certificate serial number ranges could be serialised to an
>>>    invalid format. Readers of a broken KRL caused by this bug will
>>>    fail closed, so no should-have-been-revoked key will be accepted.
>>>
>>>  * ssh(1): Reflect stdio-forward ("ssh -W host:port ...") failures in
>>>    exit status. Previously we were always returning 0; bz#2255
>>>
>>>  * ssh(1), ssh-keygen(1): Make Ed25519 keys' title fit properly in the
>>>    randomart border; bz#2247
>>>
>>>  * ssh-agent(1): Only cleanup agent socket in the main agent process
>>>    and not in any subprocesses it may have started (e.g. forked
>>>    askpass). Fixes agent sockets being zapped when askpass processes
>>>    fatal(); bz#2236
>>>
>>>  * ssh-add(1): Make stdout line-buffered; saves partial output getting
>>>    lost when ssh-add fatal()s part-way through (e.g. when listing keys
>>>    from an agent that supports key types that ssh-add doesn't);
>>>    bz#2234
>>>
>>>  * ssh-keygen(1): When hashing or removing hosts, don't choke on
>>>    @revoked markers and don't remove @cert-authority markers; bz#2241
>>>
>>>  * ssh(1): Don't fatal when hostname canonicalisation fails and a
>>>    ProxyCommand is in use; continue and allow the ProxyCommand to
>>>    connect anyway (e.g. to a host with a name outside the DNS behind
>>>    a bastion)
>>>
>>>  * scp(1): When copying local->remote fails during read, don't send
>>>    uninitialised heap to the remote end.
>>>
>>>  * sftp(1): Fix fatal "el_insertstr failed" errors when tab-completing
>>>    filenames with  a single quote char somewhere in the string;
>>>    bz#2238
>>>
>>>  * ssh-keyscan(1): Scan for Ed25519 keys by default.
>>>
>>>  * ssh(1): When using VerifyHostKeyDNS with a DNSSEC resolver, down-
>>>    convert any certificate keys to plain keys and attempt SSHFP
>>>    resolution.  Prevents a server from skipping SSHFP lookup and
>>>    forcing a new-hostkey dialog by offering only certificate keys.
>>>
>>>  * sshd(8): Avoid crash at exit via NULL pointer reference; bz#2225
>>>
>>>  * Fix some strict-alignment errors.
>>>
>>> Portable OpenSSH
>>>
>>>  * Portable OpenSSH now supports building against libressl-portable.
>>>
>>>  * Portable OpenSSH now requires openssl 0.9.8f or greater. Older
>>>    versions are no longer supported.
>>>
>>>  * In the OpenSSL version check, allow fix version upgrades (but not
>>>    downgrades. Debian bug #748150.
>>>
>>>  * sshd(8): On Cygwin, determine privilege separation user at runtime,
>>>    since it may need to be a domain account.
>>>
>>>  * sshd(8): Don't attempt to use vhangup on Linux. It doens't work for
>>>    non-root users, and for them it just messes up the tty settings.
>>>
>>>  * Use CLOCK_BOOTTIME in preference to CLOCK_MONOTONIC when it is
>>>    available. It takes into account time spent suspended, thereby
>>>    ensuring timeouts (e.g. for expiring agent keys) fire correctly.
>>>    bz#2228
>>>
>>>  * Add support for ed25519 to opensshd.init init script.
>>>
>>>  * sftp-server(8): On platforms that support it, use prctl() to
>>>    prevent sftp-server from accessing /proc/self/{mem,maps}
>>>
>>> Reporting Bugs:
>>> ===============
>>>
>>> - Please read http://www.openssh.com/report.html
>>>   Security bugs should be reported directly to openssh@xxxxxxxxxxx
>>>
>>> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
>>> Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
>>> Ben Lindstrom.
>>> _______________________________________________
>>> openssh-unix-dev mailing list
>>> openssh-unix-dev@xxxxxxxxxxx
>>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>>>
>>
>>
>>
>> --
>> # include <stddisclaimer.h>
>> /* Kevin  Brott <Kevin.Brott@xxxxxxxxx> */
>>
>>
>
>
> --
> # include <stddisclaimer.h>
> /* Kevin  Brott <Kevin.Brott@xxxxxxxxx> */
>
>


-- 
# include <stddisclaimer.h>
/* Kevin  Brott <Kevin.Brott@xxxxxxxxx> */
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev




[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux