Subject: CVS commit: pkgsrc/security/ssh-audit
From: Havard Eidnes
Date: 2025-01-07 17:36:43
Message id: 20250107163643.BE507FC1D@cvs.NetBSD.org
Log Message:
security/ssh-audit: Update to version 3.3.0.

Pkgsrc changes:
 * Remove upstream patch which is now integrated
 * Checksum updates

Upstream changes:

### v3.3.0 (2024-10-15)
 - Added Python 3.13 support.
 - Added built-in policies for Ubuntu 24.04 LTS server & client,
   OpenSSH 9.8, and OpenSSH 9.9.
 - Added IPv6 support for DHEat and connection rate tests.
 - Added TCP port information to JSON policy scan results; credit
   [Fabian Malte Kopp](https://github.com/dreizehnutters).
 - Added LANcom LCOS server recognition and Ed448 key extraction;
   credit [Daniel Lenski](https://github.com/dlenskiSB).
 - Now reports ECDSA and DSS fingerprints when in verbose mode;
   partial credit [Daniel Lenski](https://github.com/dlenskiSB).
 - Removed CVE information based on server/client version numbers,
   as this was wildly inaccurate (see [this thread]
   (https://github.com/jtesta/ssh-audit/issues/240) for the full
   discussion, as well as the results of the community vote on this
   matter).
 - Fixed crash when running with `-P` and `-T` options simultaneously.
 - Fixed host key tests from only reporting a key type at most once
   despite multiple hosts supporting it; credit [Daniel
   Lenski](https://github.com/dlenskiSB).
 - Fixed DHEat connection rate testing on MacOS X and BSD platforms;
   credit [Drew Noel](https://github.com/drewmnoel) and [Michael
   Osipov](https://github.com/michael-o).
 - Fixed invalid JSON output when a socket error occurs while
   performing a client audit.
 - Fixed `--conn-rate-test` feature on Windows.
 - When scanning multiple targets (using `-T`/`--targets`), the
   `-p`/`--port` option will now be used as the default port (set to
   22 if `-p`/`--port` is not given).  Hosts specified in the file
   can override this default with an explicit port number (i.e.:
   "host1:1234").  For example, when using `-T targets.txt -p 222`,
   all hosts in `targets.txt` that do not explicitly include a port
   number will default to 222; when using `-T targets.txt` (without
   `-p`), all hosts will use a default of 22.
 - Updated built-in server & client policies for Amazon Linux 2023,
   Debian 12, Rocky Linux 9, and Ubuntu 22.04 to improve host key
   efficiency and cipher resistance to quantum attacks.
 - Added 1 new cipher: `grasshopper-ctr128`.
 - Added 2 new key exchanges: `mlkem768x25519-sha256`, `sntrup761x25519-sha512`.

### v3.2.0 (2024-04-22)
 - Added implementation of the DHEat denial-of-service attack (see
   `--dheat` option; [CVE-2002-20001]
   (https://nvd.nist.gov/vuln/detail/CVE-2002-20001)).
 - Expanded filter of CBC ciphers to flag for the Terrapin
   vulnerability.  It now includes more rarely found ciphers.
 - Fixed parsing of `ecdsa-sha2-nistp*` CA signatures on host keys.
   Additionally, they are now flagged as potentially back-doored,
   just as standard host keys are.
 - Gracefully handle rare exceptions (i.e.: crashes) while performing
   GEX tests.
 - The built-in man page (`-m`, `--manual`) is now available on
   Docker, PyPI, and Snap builds, in addition to the Windows build.
 - Snap builds are now architecture-independent.
 - Changed Docker base image from `python:3-slim` to `python:3-alpine`,
   resulting in a 59% reduction in image size; credit [Daniel
   Thamdrup](https://github.com/dallemon).
 - Added built-in policies for Amazon Linux 2023, Debian 12, OpenSSH
   9.7, and Rocky Linux 9.
 - Built-in policies now include a change log (use `-L -v` to view them).
 - Custom policies now support the `allow_algorithm_subset_and_reordering`
   directive to allow targets to pass with a subset and/or re-ordered
   list of host keys, kex, ciphers, and MACs.  This allows for the
   creation of a baseline policy where targets can optionally implement
   stricter controls; partial credit [yannik1015]
   (https://github.com/yannik1015).
 - Custom policies now support the `allow_larger_keys` directive
   to allow targets to pass with larger host keys, CA keys, and
   Diffie-Hellman keys.  This allows for the creation of a baseline
   policy where targets can optionally implement stricter controls;
   partial credit [Damian Szuberski](https://github.com/szubersk).
 - Color output is disabled if the `NO_COLOR` environment variable
   is set (see https://no-color.org/).
 - Added 1 new key exchange algorithm: `gss-nistp384-sha384-*`.
 - Added 1 new cipher: `aes128-ocb@libassh.org`.
Files:
RevisionActionfile
1.7modifypkgsrc/security/ssh-audit/Makefile
1.3modifypkgsrc/security/ssh-audit/PLIST
1.6modifypkgsrc/security/ssh-audit/distinfo
1.2removepkgsrc/security/ssh-audit/patches/patch-01-upstream-44393c-more-cbc.patch