From 086813594c24783fe25d1b65bcb127c026628cf1 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak
Date: Wed, 11 Oct 2023 14:09:02 +0200
Subject: [PATCH 1/3] net-misc/openssh: Sync with Gentoo

It's from Gentoo commit 682d6efe2be9885241813bb863324178a8d8aa5a.
---
.../coreos-overlay/net-misc/openssh/Manifest | 4 +-
.../files/openssh-9.3_p2-zlib-1.3.patch | 21 --------
...sh-9.4_p1.ebuild => openssh-9.5_p1.ebuild} | 49 +++----------------
3 files changed, 8 insertions(+), 66 deletions(-)
delete mode 100644 sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p2-zlib-1.3.patch
rename sdk_container/src/third_party/coreos-overlay/net-misc/openssh/{openssh-9.4_p1.ebuild => openssh-9.5_p1.ebuild} (88%)
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest
index 570a72c142..40dccfe452 100644
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest
@@ -1,2 +1,2 @@
-DIST openssh-9.4p1.tar.gz 1845094 BLAKE2B d13d758129cce947d3f12edb6e88406aad10de6887b19ffa3ebd8e382b742a05f2a692a8824aec99939f6c7e13fbccc3bb14e5ee112f9a9255d4882eb87dcf53 SHA512 0aaedeced7dbc70419c7245eb0e9db4ef570e0e7739b890ebae04d56da5fe8d147e8e150f3c943f60730976569e3ac6cc8da62ec7e2a78e2ef47d295ca0b1d25
-DIST openssh-9.4p1.tar.gz.asc 833 BLAKE2B 95eedd9356766e5d0ea1261da3dc4c7869f054b418c626fb35815a0aa655b1ddbf54436b437d98c4344b05c9196c8fa1f592eac07b3ccf08bd3e980f8b6955af SHA512 983b4ebaa3b98e70831ce686cb503270926c065163a2510eef0c5102ef50b6e665b889ee15ea8c0bd7c4bbddb19270f036e1d554a8212ef2c292f9c682c8631a
+DIST openssh-9.5p1.tar.gz 1843001 BLAKE2B 55dbb0a2792b0046c943a19ca0966660e6e378e77856e94823a1bbbafaa0da94357403765c4c028aebf6543049a0f9bbe0019629be3f92cdadfac1be56def796 SHA512 e183fdf7477fd986215b889eea4a945d71385e35305746ccb164e757ecc28166f429c70890a237d8ef4cdcae5132935ba2ecb3b2a658eb73a6afcf6f42277b9c
+DIST openssh-9.5p1.tar.gz.asc 833 BLAKE2B abec3d14d9a880008db202be00ed446ccc0a98ce77c16a9e6d6492feac07c8f3284f9cd24f6ee1d904a55f9f23d5cce8a716916975c179a38ef6bde1d36e0acf SHA512 2b6de653420ba02eb99c7e6fba09af3bacfe9c701f3dfc3c94f41a3539c0414954fc5c64cce63c488c5ccd5d4ddb42d3f2184ff7f323342c885c47bf7d426ca1
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p2-zlib-1.3.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p2-zlib-1.3.patch
deleted file mode 100644
index f1336bbe03..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p2-zlib-1.3.patch
+++ /dev/null
@@ -1,21 +0,0 @@ -https://bugs.gentoo.org/912766 -https://github.com/openssh/openssh-portable/commit/cb4ed12ffc332d1f72d054ed92655b5f1c38f621 - -From cb4ed12ffc332d1f72d054ed92655b5f1c38f621 Mon Sep 17 00:00:00 2001 -From: Darren Tucker -Date: Sat, 19 Aug 2023 07:39:08 +1000 -Subject: [PATCH] Fix zlib version check for 1.3 and future version. - -bz#3604. ---- a/configure.ac -+++ b/configure.ac -@@ -1464,7 +1464,7 @@ else - [[ - int a=0, b=0, c=0, d=0, n, v; - n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d); -- if (n != 3 && n != 4) -+ if (n < 1) - exit(1); - v = a*1000000 + b*10000 + c*100 + d; - fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v); - diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.4_p1.ebuild b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.5_p1.ebuild similarity index 88% rename from sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.4_p1.ebuild rename to sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.5_p1.ebuild index baac0b9956..ec36f34457 100644 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.4_p1.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.5_p1.ebuild @@ -86,7 +86,6 @@ PATCHES=( "${FILESDIR}/${PN}-9.3_p1-disable-conch-interop-tests.patch" "${FILESDIR}/${PN}-9.3_p1-fix-putty-tests.patch" "${FILESDIR}/${PN}-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch" - "${FILESDIR}/${PN}-9.3_p2-zlib-1.3.patch" #912766 ) pkg_pretend() { @@ -229,37 +228,6 @@ src_test() { emake -j1 "${tests[@]}" "${src_config}" - rm -f "${copy}" || die -} - # Gentoo tweaks to default config files. tweak_ssh_configs() { local locale_vars=( 
@@ -273,9 +241,12 @@ tweak_ssh_configs() { ) dodir /etc/ssh/ssh_config.d /etc/ssh/sshd_config.d - - insert_include "${ED}"/etc/ssh/ssh_config 'Host,Match' '/etc/ssh/ssh_config.d' - insert_include "${ED}"/etc/ssh/sshd_config 'Match' '/etc/ssh/sshd_config.d' + cat <<-EOF >> "${ED}"/etc/ssh/ssh_config || die + Include "${EPREFIX}/etc/ssh/ssh_config.d/*.conf" + EOF + cat <<-EOF >> "${ED}"/etc/ssh/sshd_config || die + Include "${EPREFIX}/etc/ssh/sshd_config.d/*.conf" + EOF cat <<-EOF >> "${ED}"/etc/ssh/ssh_config.d/9999999gentoo.conf || die # Send locale environment variables (bug #367017) @@ -294,10 +265,6 @@ tweak_ssh_configs() { ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== EOF - # Move sshd's Subsystem option to a drop-in file. - grep -ie 'subsystem' "${ED}"/etc/ssh/sshd_config >"${ED}"/etc/ssh/sshd_config.d/9999999gentoo-subsystem.conf || die - sed -i -e '/[Ss]ubsystem/d' "${ED}"/etc/ssh/sshd_config - cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/9999999gentoo.conf || die # Allow client to pass locale environment variables (bug #367017) AcceptEnv ${locale_vars[*]} @@ -323,10 +290,6 @@ tweak_ssh_configs() { PermitRootLogin Yes EOF fi - - local sshd_drop_ins=("${ED}"/etc/ssh/sshd_config.d/*.conf) - fperms 0700 /etc/ssh/sshd_config.d - fperms 0600 "${sshd_drop_ins[@]#${ED}}" } src_install() { From 72783b44c310640bb4caef93f17b4b46b44d611d Mon Sep 17 00:00:00 2001 
From: Krzesimir Nowak Date: Mon, 25 Sep 2023 16:43:28 +0200 Subject: [PATCH 2/3] overlay net-misc/openssh: Apply Flatcar modifications None of these modifications are Flatcar-specific. We are trying to upstream them in https://github.com/gentoo/gentoo/pull/31615. When they reach Gentoo, we can move net-misc/openssh to portage-stable. An exception from above paragraph is marking the ebuild as stable on amd64 and arm64. --- .../net-misc/openssh/openssh-9.5_p1.ebuild | 50 ++++++++++++++++--- 1 file changed, 43 insertions(+), 7 deletions(-) diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.5_p1.ebuild b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.5_p1.ebuild index ec36f34457..c4c68abbcc 100644 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.5_p1.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.5_p1.ebuild @@ -19,7 +19,7 @@ S="${WORKDIR}/${PARCH}" LICENSE="BSD GPL-2" SLOT="0" -KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" +KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" # Probably want to drop ssl defaulting to on in a future version. IUSE="abi_mips_n32 audit debug kerberos ldns libedit livecd pam +pie security-key selinux +ssl static test X xmss" @@ -228,6 +228,37 @@ src_test() { emake -j1 "${tests[@]}" "${src_config}" + rm -f "${copy}" || die +} + # Gentoo tweaks to default config files. tweak_ssh_configs() { local locale_vars=( 
@@ -241,12 +272,9 @@ tweak_ssh_configs() { ) dodir /etc/ssh/ssh_config.d /etc/ssh/sshd_config.d - cat <<-EOF >> "${ED}"/etc/ssh/ssh_config || die - Include "${EPREFIX}/etc/ssh/ssh_config.d/*.conf" - EOF - cat <<-EOF >> "${ED}"/etc/ssh/sshd_config || die - Include "${EPREFIX}/etc/ssh/sshd_config.d/*.conf" - EOF + + insert_include "${ED}"/etc/ssh/ssh_config 'Host,Match' '/etc/ssh/ssh_config.d' + insert_include "${ED}"/etc/ssh/sshd_config 'Match' '/etc/ssh/sshd_config.d' cat <<-EOF >> "${ED}"/etc/ssh/ssh_config.d/9999999gentoo.conf || die # Send locale environment variables (bug #367017) @@ -265,6 +293,10 @@ tweak_ssh_configs() { ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== EOF + # Move sshd's Subsystem option to a drop-in file. + grep -ie 'subsystem' "${ED}"/etc/ssh/sshd_config >"${ED}"/etc/ssh/sshd_config.d/9999999gentoo-subsystem.conf || die + sed -i -e '/[Ss]ubsystem/d' "${ED}"/etc/ssh/sshd_config + cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/9999999gentoo.conf || die # Allow client to pass locale environment variables (bug #367017) AcceptEnv ${locale_vars[*]} @@ -290,6 +322,10 @@ tweak_ssh_configs() { PermitRootLogin Yes EOF fi + + local sshd_drop_ins=("${ED}"/etc/ssh/sshd_config.d/*.conf) + fperms 0700 /etc/ssh/sshd_config.d + fperms 0600 "${sshd_drop_ins[@]#${ED}}" } src_install() { From f6c0af7244ab7f57c391fa21b54619f4a3f047fe Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Wed, 11 Oct 2023 14:16:22 +0200 Subject: [PATCH 3/3] changelog: Add an entry --- changelog/updates/2023-10-11-openssh-update.md | 1 + 1 file changed, 1 insertion(+) create mode 100644 changelog/updates/2023-10-11-openssh-update.md 
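Review bot: The two `insert_include` calls pass `'/etc/ssh/ssh_config.d'` and `'/etc/ssh/sshd_config.d'` without `${EPREFIX}`, whereas the heredocs they replace wrote `Include "${EPREFIX}/etc/ssh/sshd_config.d/*.conf"`. The body of `insert_include` is not visible here, so the prefix may already be added inside it; if it is not, a prefix install would end up with an Include that points outside the prefix, and passing `"${EPREFIX}"/etc/ssh/sshd_config.d` would keep the earlier behaviour. A comment above the calls, for example `# Put Include ahead of the first Host/Match block so drop-ins are not scoped to it`, would record why a plain append is avoided, assuming that is what the second argument selects.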
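Review bot: The `sed -i -e '/[Ss]ubsystem/d'` line in the "Move sshd's Subsystem option" block has no `|| die`, and its pattern is narrower than the case-insensitive `grep -ie 'subsystem'` just before it, so a failed sed or a differently cased keyword would leave the Subsystem directive in both sshd_config and the drop-in without stopping the build. Both patterns are also unanchored, so any comment line that merely mentions the word is moved too. Anchoring to the directive and failing loudly would be tighter: `grep -ie '^[[:space:]]*subsystem[[:space:]]' ... || die` and `sed -i -e '/^[[:space:]]*subsystem[[:space:]]/Id' "${ED}"/etc/ssh/sshd_config || die` (the `I` address flag is GNU sed). tweak_ssh_configs starts and ends outside this hunk.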
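Review bot: In `fperms 0600 "${sshd_drop_ins[@]#${ED}}"` the inner `${ED}` is unquoted, so it is applied as a glob pattern rather than a literal prefix; `"${sshd_drop_ins[@]#"${ED}"}"` strips it literally. The array comes from an unguarded glob, so if no `*.conf` file existed the literal pattern would be handed to fperms; the heredocs earlier in tweak_ssh_configs appear to create at least one, but they are outside this hunk. A one-line comment such as `# Keep sshd drop-ins readable by root only` above the two fperms calls would explain the 0700/0600 choice, if that is the intent.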
diff --git a/changelog/updates/2023-10-11-openssh-update.md b/changelog/updates/2023-10-11-openssh-update.md
new file mode 100644
index 0000000000..79cacf422f
--- /dev/null
+++ b/changelog/updates/2023-10-11-openssh-update.md
@@ -0,0 +1 @@
+- openssh ([9.5p1](https://www.openssh.com/releasenotes.html#9.5p1))