net-misc/openssh: update to 9.2_p1-r2

Update net-misc/openssh to 9.2_p1-r2, mainly to address CVE-2023-25136. Gentoo commit: a773d7e0cdb9579343c1a4437ed4ce97f9d91d1f
2025-08-31 19:31:07 +02:00 · 2023-02-14 15:16:47 +01:00 · 2023-02-14 15:16:47 +01:00 · 52919f1e29
commit 52919f1e29
parent 49a6781cf6
13 changed files with 200 additions and 95 deletions
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest
@ -1,7 +1,10 @@
-DIST openssh-9.1_p1-X509-glue-13.5.patch.xz 1092 BLAKE2B 19da945547472048d01a6ec26f28cba11afe1a0590a115582d1e21a852b6b66589b091ab4440d57952200522318aeffb7d9404e53f9532ae80e47685c24c4097 SHA512 96de9f59bacfd99aa9ef03362d55d88b3eea0acc57a11fb72e5c612bfb0f5e48455b0a0d0add9a8a5524b9d4701f47db1ff7859f1d3c2a12947b27292961cbd5
-DIST openssh-9.1_p1-hpn-15.2-X509-glue.patch.xz 5504 BLAKE2B 776b467ddde16e268536c5632b028a32db22b26d7bc11e2a9fa6c8e29528be3eb781066d6b30fb2f561a73a24c34a29963fcd7c872aa92dc19d715d8ffbf2cbe SHA512 aa753da5f75d90165f5922ead1dd495a15a4c581360d5862ec6f802caea54055da8e308c1919efa8e78b31a7ea082f8693dda0ab84ccee414c562ec062c50fb1
-DIST openssh-9.1_p1-hpn-15.2-glue.patch.xz 3840 BLAKE2B 06fb14d8c6f52f1c6fae7971fc4da810c814d7b52063f8cc7e83356baa7ed70c84476c1d1cc896eba6d0d51813dc994e3c82278e66c04998431c8123a09fe7df SHA512 99c88c08fb384336a9680629bc04a89121780d64ee8b03ac164c4e446cc30b865004292e98516b6f857bd75e1b4393291427c046ffcabc1578629e6075636cbf
-DIST openssh-9.1p1+x509-13.5.diff.gz 1213948 BLAKE2B 5663a1c865c80f590642bb855f7d7a17e71e0db099deb4cea5750cfe734bd506b70a1b266fccc2a58174ae2b1b96a7f1ced56382d5d7e741b07e46422b03f7e6 SHA512 70a1f12e98b8fa8170c208803ee482aea2fcf6b9e41ecada5fabaa0288ed5a32574f42a7b50718bb484978f3c65f50e55966c9f555a9de100dc8d695b9aec531
-DIST openssh-9.1p1-sctp-1.2.patch.xz 6772 BLAKE2B 8393c1ca5f0df7e4d490cef5c38d50d45da83a9c3f650e9af15d95825f9e682a6aaf6a0e85fc1704d41d6567aec8f0b34e43b20652e0141008ccdbe91426dfac SHA512 6750394d0fb7b7f93a0e4f94204e53277cc341c5b2427130559e443557dbb95f2e85a71cfe8d40cfa17dd015b0f3880f79a1f868374e60e94e8385c9b45acec5
-DIST openssh-9.1p1.tar.gz 1838747 BLAKE2B 287b6b1cc4858b27af88f4a4674670afff1fb5b99461892083393c53ef3747c5a0fcd90cba95d2c27465a919e00f7f42732c93af4f306665ba0393bbb7a534f5 SHA512 a1f02c407f6b621b1d0817d1a0c9a6839b67e416c84f3b76c63003b119035b24c19a1564b22691d1152e1d2d55f4dc7eb1af2d2318751e431a99c4efa77edc70
-DIST openssh-9.1p1.tar.gz.asc 833 BLAKE2B 83efe3c705f6a02c25a9fc9bac2a4efd77470598d9e0fcb86dff2d265c58cffec1afecad3621769b2bd78ac25884f0ee20ae9b311e895db93e3bb552dffd6e74 SHA512 47dc7295f9694250bcbb86d7ca0830a47da4f3df7795bb05ebaf1590284ccce5317022c536bea1b09bd2fa4d8013295cc0de287ebe3f9dc605582077e9f11ddd
+DIST openssh-8_5_P1-hpn-AES-CTR-15.2.diff 30096 BLAKE2B f0c020dd2403806c79d4c37a019996d275655b04997301e247f5c4dd7fad35d12b3b7c25afb1b078d915ef2a4ae02f736f0aec9ba2a8c56a405d7ca303bcadf7 SHA512 4c2dbf99a9b5953fdb955f700272bbaeaa025f108a8860d2190197962b849f8385327af82c4d6a3a130a7fba35a74a8ec9437d642867601acb29817c49632a8f
+DIST openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 51428 BLAKE2B 370b88a7da7f148bf5a4d445f05cf593b486e9df53bba027e2e179726f534b68cf9d94edd6e53024e0b6ff5f20e568727bc9d26c94d0d415603602a80d3ad241 SHA512 2d8d887901164b33b2799ff3ec72e86a39ae4a1696e52bcee0872dbae7772fcc534351e6e7f87126ee71b164c74e9091350f14b782f4b242a09f09b4f50d047a
+DIST openssh-8_5_P1-hpn-PeakTput-15.2.diff 2429 BLAKE2B 849bf3c313719ab7a25c75e82d5dc5ac98365a038b2a66fe58d01eae5b20c7777258b94b5830e799d6909e75c69753cda05a910f3bdab9606fb7d5efa68e05f1 SHA512 c4a56fab55fabd1d902d45f235b603708d43f969920e45c9a57e557dccfa9cade2ec61f26d1ace938f6f73e79f17b12f119b5aea9166cbda8e3435b910500914
+DIST openssh-9.2_p1-X509-glue-14.1.patch.xz 900 BLAKE2B 1cfde24cdd636390bcd9b546da182b0848d637c366ff387f045e8d9158e94ff9577c0dff9d87a552208a56aac4ae8319bb17fd772719a7aa2cbc8baf2bfe59fc SHA512 b3f87fb0c339ffe627b347b4cc56fc6a056e5e9a4f23481bb18fc55262e1de3f0394d2f7a85c4fa120f74616a5872cf6628118bcda6973dfa9baec8d7e0e65b1
+DIST openssh-9.2_p1-hpn-15.2-X509-14.1-glue.patch.xz 6040 BLAKE2B d032d1f03ab1bd310af055a452375e6b85ebe40f3d09effdfb07085981155b751c6fdc74a9ee10afe807c2cd10be3444baf712eb0b211bdaff4dc43dc4f65938 SHA512 696f5ee26eeef7a1d56c212eb8bf7c7a568ded2a576eddae92b98b9b3b6bd5bd66e0944b9328e93ec4d55d16f72215a13c25d27de81f75aaae8fdbe68e3df51e
+DIST openssh-9.2_p1-hpn-15.2-glue.patch.xz 4172 BLAKE2B 7bec61008f02c07bf24112995066bcd434820354155eb022ffa550baa8f7be896d915423698427ec921473190eb8e83739d2ceff04f79967759fc82b74435dac SHA512 c669a70611479f4ee0f3ba8417afc052f0212cb2d338c524fb3bf6c52a1bf3ca78fe78ab04118de5aa472a10d30b95f084c3ed00a542a8b3d0f541f8ea3f26af
+DIST openssh-9.2p1+x509-14.1.diff.gz 1210737 BLAKE2B 6b1cb2392c3fdbc7627b44a055da7662c686786cddaefcdf63f33fa92c1d97a5fb9ff54d03b7aef700715baa44f4485ad2dd73f59aac5b19617597832e135773 SHA512 88ba0dfd6e7eddf06e47d27299ee900dd1a9dc24df706bde51231b290f666848935204281577a9e47267939e7ee852f7232caaccdae6ac3eb503e53c075e630d
+DIST openssh-9.2p1-sctp-1.2.patch.xz 6828 BLAKE2B 8a57b85ce5d18dca34ef71b486f2f24bbc82f6bf263a4f162a1222d96ef2adc469cce62f368c9192512efaa8e1e2496a7bd8f79a11698bf0118eee07a703e6ef SHA512 3713847ef7b280f8b74a1b493644152c948ce74e06c1d0bff52996647963ca156cbc845b4459bcdbd4745eb440e409af07af2f0b696c65950a8a6d7ddb46f6c8
+DIST openssh-9.2p1.tar.gz 1852380 BLAKE2B 8d0b5e43cb42cba105a1fe303c447a2b85151cb33ec7ed47747d75c5a61d0f07f0ee4b1020b79c13eb8de4b451c5a844a8afc7ebbbea7ffeceafc3bf59cb8d21 SHA512 c4b79ef3a05b96bfc477ffb31f734635bffd5be213ab58e043111c3232dbe999ff24665fa1069518237cffa5126ded0dda8984e1b8f098f4f09b8c1dae20e604
+DIST openssh-9.2p1.tar.gz.asc 833 BLAKE2B 36210757aaa4ee8e6bdf4cfbb5590e6c54a617817d1657ebb446e54530d01a9e9f5559408b3d424d5efdb4ba06f0c02755637f5480dc81f9b4e32963de91087a SHA512 2a56f8946ed00fcd5a92935e090523d40b5c3747e25661d575b799b1825bf5e47a95eed5e7ed968fe042349c2c7d94d6b0e6bf2d9145b5c6ff5df2ca538d56e5
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch
@ -0,0 +1,18 @@
+diff -u a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
+--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff	2021-03-16 10:06:45.020527770 -0700
+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff	2021-03-16 10:07:01.294423665 -0700
+@@ -1414,14 +1414,3 @@
+  # Example of overriding settings on a per-user basis
+  #Match User anoncvs
+  #	X11Forwarding no
+-diff --git a/version.h b/version.h
+-index 6b4fa372..332fb486 100644
+---- a/version.h
+-+++ b/version.h
+-@@ -3,4 +3,5 @@
+- #define SSH_VERSION	"OpenSSH_8.5"
+- 
+- #define SSH_PORTABLE	"p1"
+--#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
+-+#define SSH_HPN         "-hpn15v2"
+-+#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE SSH_HPN
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.6_p1-hpn-version.patch
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.6_p1-hpn-version.patch
@ -0,0 +1,13 @@
+diff --git a/kex.c b/kex.c
+index 34808b5c..88d7ccac 100644
+--- a/kex.c
+++ b/kex.c
+@@ -1205,7 +1205,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
+ 	if (version_addendum != NULL && *version_addendum == '\0')
+ 		version_addendum = NULL;
+ 	if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
+-	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
+	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
+ 	    version_addendum == NULL ? "" : " ",
+ 	    version_addendum == NULL ? "" : version_addendum)) != 0) {
+ 		oerrno = errno;
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.0_p1-X509-glue-13.4.1.patch
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.0_p1-X509-glue-13.4.1.patch
@ -1,54 +0,0 @@
-diff -ur '--exclude=.*.un~' a/openssh-9.0p1+x509-13.4.1.diff b/openssh-9.0p1+x509-13.4.1.diff
--- a/openssh-9.0p1+x509-13.4.1.diff	2022-06-23 10:43:33.957093896 -0700
-+++ b/openssh-9.0p1+x509-13.4.1.diff	2022-06-23 10:44:17.232396805 -0700
-@@ -48941,8 +48941,8 @@
-  		gss_create_empty_oid_set(&status, &oidset);
-  		gss_add_oid_set_member(&status, ctx->oid, &oidset);
-  
--		if (gethostname(lname, MAXHOSTNAMELEN)) {
-+		if (gethostname(lname, MAXHOSTNAMELEN) == -1) {
-+-		if (gethostname(lname, HOST_NAME_MAX)) {
-++		if (gethostname(lname, HOST_NAME_MAX) == -1) {
-  			gss_release_oid_set(&status, &oidset);
-  			return (-1);
-  		}
-@@ -57102,12 +57102,11 @@
-  
-  install-files:
-  	$(MKDIR_P) $(DESTDIR)$(bindir)
-@@ -395,6 +372,8 @@
-+@@ -395,6 +372,7 @@
-  	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
-  	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
-  	$(MKDIR_P) $(DESTDIR)$(libexecdir)
- +	$(MKDIR_P) $(DESTDIR)$(sshcadir)
-+	$(MKDIR_P) $(DESTDIR)$(piddir)
-  	$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
-  	$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
-  	$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
-@@ -78638,7 +78637,7 @@
- +if test "$sshd_type" = "pkix" ; then
- +  unset_arg=''
- +else
-+  unset_arg=none
-++  unset_arg=''
- +fi
- +
-  cat > $OBJ/sshd_config.i << _EOF
-@@ -143777,16 +143776,6 @@
- +int	 asnmprintf(char **, size_t, int *, const char *, ...)
-  	    __attribute__((format(printf, 4, 5)));
-  void	 msetlocale(void);
-diff -ruN openssh-9.0p1/version.h openssh-9.0p1+x509-13.4.1/version.h
---- openssh-9.0p1/version.h	2022-04-06 03:47:48.000000000 +0300
-+++ openssh-9.0p1+x509-13.4.1/version.h	2022-06-23 09:07:00.000000000 +0300
-@@ -2,5 +2,4 @@
- 
- #define SSH_VERSION	"OpenSSH_9.0"
- 
--#define SSH_PORTABLE	"p1"
--#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
-+#define SSH_RELEASE	PACKAGE_STRING ", " SSH_VERSION "p1"
- diff -ruN openssh-9.0p1/version.m4 openssh-9.0p1+x509-13.4.1/version.m4
- --- openssh-9.0p1/version.m4	1970-01-01 02:00:00.000000000 +0200
- +++ openssh-9.0p1+x509-13.4.1/version.m4	2022-06-23 09:07:00.000000000 +0300
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.0_p1-X509-uninitialized-delay.patch
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.0_p1-X509-uninitialized-delay.patch
@ -0,0 +1,12 @@
+diff -ur a/auth2.c b/auth2.c
+--- a/auth2.c	2022-05-19 15:59:32.875160028 -0700
+++ b/auth2.c	2022-05-19 16:03:44.291594908 -0700
+@@ -226,7 +226,7 @@
+ 	int digest_alg;
+ 	size_t len;
+ 	u_char *hash;
+-	double delay;
+	double delay = 0;
+ 
+ 	digest_alg = ssh_digest_maxbytes();
+ 	if (len = ssh_digest_bytes(digest_alg) > 0) {
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.1_p1-build-tests.patch
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.1_p1-build-tests.patch
@ -1,13 +0,0 @@
-diff --git a/openbsd-compat/regress/Makefile.in b/openbsd-compat/regress/Makefile.in
-index dd8cdc4b7..c446f0aa2 100644
--- a/openbsd-compat/regress/Makefile.in
-+++ b/openbsd-compat/regress/Makefile.in
-@@ -10,7 +10,7 @@ CFLAGS=@CFLAGS@
- CPPFLAGS=-I. -I.. -I../.. -I$(srcdir) -I$(srcdir)/.. -I$(srcdir)/../.. @CPPFLAGS@ @DEFS@
- EXEEXT=@EXEEXT@
- LIBCOMPAT=../libopenbsd-compat.a
-LIBS=@LIBS@
-+LIBS=@LIBS@ -lssl -lcrypto
- LDFLAGS=@LDFLAGS@ $(LIBCOMPAT)
- 
- TESTPROGS=closefromtest$(EXEEXT) snprintftest$(EXEEXT) strduptest$(EXEEXT) \
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd-r1.confd
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd-r1.confd
@ -0,0 +1,33 @@
+# /etc/conf.d/sshd: config file for /etc/init.d/sshd
+
+# Where is your sshd_config file stored?
+
+SSHD_CONFDIR="${RC_PREFIX%/}/etc/ssh"
+
+
+# Any random options you want to pass to sshd.
+# See the sshd(8) manpage for more info.
+
+SSHD_OPTS=""
+
+
+# Wait one second (length chosen arbitrarily) to see if sshd actually
+# creates a PID file, or if it crashes for some reason like not being
+# able to bind to the address in ListenAddress.
+
+#SSHD_SSD_OPTS="--wait 1000"
+
+
+# Pid file to use (needs to be absolute path).
+
+#SSHD_PIDFILE="${RC_PREFIX%/}/run/sshd.pid"
+
+
+# Path to the sshd binary (needs to be absolute path).
+
+#SSHD_BINARY="${RC_PREFIX%/}/usr/sbin/sshd"
+
+
+# Path to the ssh-keygen binary (needs to be absolute path).
+
+#SSHD_KEYGEN_BINARY="${RC_PREFIX%/}/usr/bin/ssh-keygen"
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd-r1.initd
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd-r1.initd
@ -0,0 +1,87 @@
+#!/sbin/openrc-run
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+extra_commands="checkconfig"
+extra_started_commands="reload"
+
+: ${SSHD_CONFDIR:=${RC_PREFIX%/}/etc/ssh}
+: ${SSHD_CONFIG:=${SSHD_CONFDIR}/sshd_config}
+: ${SSHD_PIDFILE:=${RC_PREFIX%/}/run/${SVCNAME}.pid}
+: ${SSHD_BINARY:=${RC_PREFIX%/}/usr/sbin/sshd}
+: ${SSHD_KEYGEN_BINARY:=${RC_PREFIX%/}/usr/bin/ssh-keygen}
+
+command="${SSHD_BINARY}"
+pidfile="${SSHD_PIDFILE}"
+command_args="${SSHD_OPTS} -o PidFile=${pidfile} -f ${SSHD_CONFIG}"
+
+# Wait one second (length chosen arbitrarily) to see if sshd actually
+# creates a PID file, or if it crashes for some reason like not being
+# able to bind to the address in ListenAddress (bug 617596).
+: ${SSHD_SSD_OPTS:=--wait 1000}
+start_stop_daemon_args="${SSHD_SSD_OPTS}"
+
+depend() {
+	# Entropy can be used by ssh-keygen, among other things, but
+	# is not strictly required (bug 470020).
+	use logger dns entropy
+	if [ "${rc_need+set}" = "set" ] ; then
+		: # Do nothing, the user has explicitly set rc_need
+	else
+		local x warn_addr
+		for x in $(awk '/^ListenAddress/{ print $2 }' "$SSHD_CONFIG" 2>/dev/null) ; do
+			case "${x}" in
+				0.0.0.0|0.0.0.0:*) ;;
+				::|\[::\]*) ;;
+				*) warn_addr="${warn_addr} ${x}" ;;
+			esac
+		done
+		if [ -n "${warn_addr}" ] ; then
+			need net
+			ewarn "You are binding an interface in ListenAddress statement in your sshd_config!"
+			ewarn "You must add rc_need=\"net.FOO\" to your ${RC_PREFIX%/}/etc/conf.d/sshd"
+			ewarn "where FOO is the interface(s) providing the following address(es):"
+			ewarn "${warn_addr}"
+		fi
+	fi
+}
+
+checkconfig() {
+	checkpath --mode 0755 --directory "${RC_PREFIX%/}/var/empty"
+
+	if [ ! -e "${SSHD_CONFIG}" ] ; then
+		eerror "You need an ${SSHD_CONFIG} file to run sshd"
+		eerror "There is a sample file in /usr/share/doc/openssh"
+		return 1
+	fi
+
+	${SSHD_KEYGEN_BINARY} -A || return 2
+
+	"${command}" -t ${command_args} || return 3
+}
+
+start_pre() {
+	# Make sure that the user's config isn't busted before we try
+	# to start the daemon (this will produce better error messages
+	# than if we just try to start it blindly).
+	#
+	# We always need to call checkconfig because this function will
+	# also generate any missing host key and you can start a
+	# non-running service with "restart" argument.
+	checkconfig || return $?
+}
+
+stop_pre() {
+	# If this is a restart, check to make sure the user's config
+	# isn't busted before we stop the running daemon.
+	if [ "${RC_CMD}" = "restart" ] ; then
+		checkconfig || return $?
+	fi
+}
+
+reload() {
+	checkconfig || return $?
+	ebegin "Reloading ${SVCNAME}"
+	start-stop-daemon --signal HUP --pidfile "${pidfile}"
+	eend $?
+}
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.service.1
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.service.1
@ -1,12 +1,15 @@
 [Unit]
 Description=OpenSSH server daemon
-After=syslog.target network.target auditd.service
+After=network.target auditd.service

 [Service]
 ExecStartPre=/usr/bin/ssh-keygen -A
 ExecStart=/usr/sbin/sshd -D -e
 ExecReload=/bin/kill -HUP $MAINPID
 KillMode=process
+OOMPolicy=continue
+Restart=on-failure
+RestartSec=42s

 [Install]
 WantedBy=multi-user.target
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.socket
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.socket
@ -5,7 +5,6 @@ Conflicts=sshd.service
 [Socket]
 ListenStream=22
 Accept=yes
-TriggerLimitBurst=0

 [Install]
 WantedBy=sockets.target
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd_at.service.1
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd_at.service.1
@ -1,6 +1,6 @@
 [Unit]
 Description=OpenSSH per-connection server daemon
-After=syslog.target auditd.service
+After=auditd.service

 [Service]
 ExecStart=-/usr/sbin/sshd -i -e
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/metadata.xml
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/metadata.xml
@ -20,7 +20,6 @@ the package, and the other basic utilities like ssh-add, ssh-agent, ssh-keysign,
 ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and 2.0.
 	</longdescription>
 	<use>
-		<flag name="scp">Enable scp command with known security problems. See bug 733802</flag>
 		<flag name="hpn">Enable high performance ssh</flag>
 		<flag name="ldns">Use LDNS for DNSSEC/SSHFP validation.</flag>
 		<flag name="livecd">Enable root password logins for live-cd environment.</flag>
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.2_p1-r2.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.2_p1-r2.ebuild
@ -1,7 +1,7 @@
-# Copyright 1999-2022 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2

-EAPI=7
+EAPI=8

 inherit user-info flag-o-matic autotools pam systemd toolchain-funcs verify-sig

@ -19,22 +19,23 @@ HPN_PATCHES=(
 	${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
 	${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
 )
-HPN_GLUE_PATCH="${PN}-9.1_p1-hpn-${HPN_VER}-glue.patch"
+HPN_GLUE_PATCH="${PN}-9.2_p1-hpn-${HPN_VER}-glue.patch"
+HPN_PATCH_DIR="HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}"

 SCTP_VER="1.2"
 SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"

-X509_VER="13.5"
+X509_VER="14.1"
 X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
 X509_GLUE_PATCH="${P}-X509-glue-${X509_VER}.patch"
-X509_HPN_GLUE_PATCH="${PN}-9.1_p1-hpn-${HPN_VER}-X509-glue.patch"
+X509_HPN_GLUE_PATCH="${PN}-9.2_p1-hpn-${HPN_VER}-X509-${X509_VER}-glue.patch"

 DESCRIPTION="Port of OpenBSD's free SSH release"
 HOMEPAGE="https://www.openssh.com/"
 SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
 	${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
 	${HPN_VER:+hpn? (
-		$(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}")
+		$(printf "mirror://sourceforge/project/hpnssh/Patches/${HPN_PATCH_DIR}/%s\n" "${HPN_PATCHES[@]}")
 		https://dev.gentoo.org/~chutzpah/dist/openssh/${HPN_GLUE_PATCH}.xz
 	)}
 	${X509_PATCH:+X509? (
@ -49,7 +50,7 @@ S="${WORKDIR}/${PARCH}"

 LICENSE="BSD GPL-2"
 SLOT="0"
-KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
 # Probably want to drop ssl defaulting to on in a future version.
 IUSE="abi_mips_n32 audit debug hpn kerberos ldns libedit livecd pam +pie sctp security-key selinux +ssl static test X X509 xmss"

@ -123,7 +124,6 @@ PATCHES=(
 	"${FILESDIR}/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch"
 	"${FILESDIR}/${PN}-8.9_p1-allow-ppoll_time64.patch" #834019
 	"${FILESDIR}/${PN}-8.9_p1-gss-use-HOST_NAME_MAX.patch" #834044
-	"${FILESDIR}/${PN}-9.1_p1-build-tests.patch"
 )

 pkg_pretend() {
@ -164,7 +164,7 @@ src_prepare() {
 	# don't break .ssh/authorized_keys2 for fun
 	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die

-	eapply "${PATCHES[@]}"
+	eapply -- "${PATCHES[@]}"

 	[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches

@ -269,10 +269,6 @@ src_prepare() {
 			"${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
 	fi

-	sed -i \
-		-e "/#UseLogin no/d" \
-		"${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
-
 	eapply_user #473004

 	# These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
@ -282,8 +278,6 @@ src_prepare() {
 	tc-export PKG_CONFIG
 	local sed_args=(
 		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
-		# Disable PATH reset, trust what portage gives us #254615
-		-e 's:^PATH=/:#PATH=/:'
 		# Disable fortify flags ... our gcc does this for us
 		-e 's:-D_FORTIFY_SOURCE=2::'
 	)
@ -425,6 +419,8 @@ src_install() {
 	emake install-nokeys DESTDIR="${D}"
 	fperms 600 /etc/ssh/sshd_config
 	dobin contrib/ssh-copy-id
+	newinitd "${FILESDIR}"/sshd-r1.initd sshd
+	newconfd "${FILESDIR}"/sshd-r1.confd sshd

 	if use pam; then
 		newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
@ -441,8 +437,9 @@ src_install() {
 	dodir /etc/skel/.ssh
 	rmdir "${ED}"/var/empty || die

-	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
-	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
+	systemd_dounit "${FILESDIR}"/sshd.socket
+	systemd_newunit "${FILESDIR}"/sshd.service.1 sshd.service
+	systemd_newunit "${FILESDIR}"/sshd_at.service.1 'sshd@.service'
 }

 pkg_preinst() {
@ -490,6 +487,14 @@ pkg_postinst() {
 			ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
 			ewarn "connection is generally safe."
 		fi
+		if ver_test "${old_ver}" -lt "9.2_p1-r1" && systemd_is_booted; then
+			ewarn "From openssh-9.2_p1-r1 the supplied systemd unit file defaults to"
+			ewarn "'Restart=on-failure', which causes the service to automatically restart if it"
+			ewarn "terminates with an unclean exit code or signal. This feature is useful for most users,"
+			ewarn "but it can increase the vulnerability of the system in the event of a future exploit."
+			ewarn "If you have a web-facing setup or are concerned about security, it is recommended to"
+			ewarn "set 'Restart=no' in your sshd unit file."
+		fi
 	done

 	if [[ -n ${show_ssl_warning} ]]; then