Opened 6 years ago

Last modified 5 years ago

#56216 closed update

openssh: update to 7.9p1 — at Version 4

Reported by: l2dy (Zero King) Owned by:
Priority: Normal Milestone:
Component: ports Version:
Keywords: Cc: Schamschula (Marius Schamschula)
Port: openssh

Description (last modified by l2dy (Zero King))

https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt

Vulnerabilities


  1. CWE-20: scp client improper directory name validation [CVE-2018-20685]

The scp client allows the server to modify permissions of the target directory by using an empty ("D0777 0 \n") or dot ("D0777 0 .\n") directory name.

  2. CWE-20: scp client missing received object name validation [CVE-2019-6111]

Due to the scp implementation being derived from 1983 rcp [1], the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server can overwrite arbitrary files in the scp client target directory. If a recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example overwrite .ssh/authorized_keys).

The same vulnerability in WinSCP is known as CVE-2018-20684.

  3. CWE-451: scp client spoofing via object name [CVE-2019-6109]

Due to missing character encoding in the progress display, the object name can be used to manipulate the client output, for example to employ ANSI codes to hide additional files being transferred.

  4. CWE-451: scp client spoofing via stderr [CVE-2019-6110]

Due to accepting and displaying arbitrary stderr output from the scp server, a malicious server can manipulate the client output, for example to employ ANSI codes to hide additional files being transferred.
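All four issues come down to the client acting on names the server chooses. The following is an added example, my own Python model of the receiving side of the scp protocol, not OpenSSH's scp.c and not MacPorts code. It assumes the wire format quoted above ("C<mode> <size> <name>" for a file, "D<mode> <size> <name>" for a directory) and a constructed directive stream from a malicious server; the glob check against the name the user requested and the vis-style escaping for display are the checks a hardened client applies, shown here for illustration.

```python
import fnmatch
import re
from typing import Optional

# Added example, not OpenSSH code. One scp control line looks like
# "C0644 12 file.txt\n" (file) or "D0755 0 dir\n" (directory); the server
# decides the name and the client creates whatever it is told.
_DIRECTIVE = re.compile(r"^([CD])([0-7]{4}) (\d+) (.*)$", re.S)


class ScpProtocolError(ValueError):
    pass


def parse_directive(line: str):
    """Split one C/D control line into (kind, mode, size, name)."""
    m = _DIRECTIVE.match(line.rstrip("\n"))
    if not m:
        raise ScpProtocolError(f"malformed directive: {line!r}")
    kind, mode, size, name = m.groups()
    return kind, int(mode, 8), int(size), name


def check_object_name(name: str, requested: Optional[str] = None) -> None:
    """Reject server-chosen names a client must never act on."""
    # CVE-2018-20685: an empty or "." directory name makes the client apply
    # the server-supplied mode to the target directory itself.
    if name in ("", ".", ".."):
        raise ScpProtocolError(f"refusing object name {name!r}")
    # The one check the vulnerable client already made: no path separators.
    if "/" in name:
        raise ScpProtocolError(f"refusing path separator in {name!r}")
    # CVE-2019-6111: the server picks the name, so compare it with what the
    # user actually asked for (a literal name or a shell glob).
    if requested is not None and not fnmatch.fnmatchcase(name, requested):
        raise ScpProtocolError(
            f"unexpected filename {name!r} (asked for {requested!r})")


def display_name(name: str) -> str:
    """Escape control bytes so a name cannot drive the terminal.

    Mirrors the intent of vis(3)-style encoding (CVE-2019-6109): ESC, CR
    and friends become octal escapes, backslash is doubled.
    """
    out = []
    for ch in name:
        code = ord(ch)
        if ch == "\\":
            out.append("\\\\")
        elif code < 0x20 or code == 0x7F:
            out.append(f"\\{code:03o}")
        else:
            out.append(ch)
    return "".join(out)


def receive(lines, requested: Optional[str] = None):
    """Process a directive stream; return (accepted, rejected) lists.

    accepted entries are (kind, mode, size, display-safe name); rejected
    entries are (raw line, reason). Only C/D lines are modelled here.
    """
    accepted, rejected = [], []
    for line in lines:
        try:
            kind, mode, size, name = parse_directive(line)
            check_object_name(name, requested)
            accepted.append((kind, mode, size, display_name(name)))
        except ScpProtocolError as exc:
            rejected.append((line, str(exc)))
    return accepted, rejected


# Constructed stream from a hostile server (not a real capture). The user
# ran the equivalent of "scp host:'*.txt' ." so only *.txt is expected.
MALICIOUS_STREAM = [
    "C0644 5 notes.txt\n",                   # legitimate
    "D0777 0 \n",                            # empty name: chmod the target dir
    "D0777 0 .\n",                           # dot: same effect
    "C0600 40 authorized_keys\n",            # file the user never requested
    "C0644 3 ../passwd\n",                   # traversal, rejected by old client too
    "C0644 5 notes.txt\x1b[2K\rstolen.txt\n",  # ANSI/CR in the name
]

if __name__ == "__main__":
    ok, bad = receive(MALICIOUS_STREAM, requested="*.txt")
    for _, _, _, shown in ok:
        print("accepted:", shown)
    for raw, why in bad:
        print("rejected:", why)
```

The last directive survives the name check because it really does end in ".txt"; what protects the user there is that `display_name` renders the embedded ESC and CR as `\033` and `\015` instead of letting the terminal erase the line. Note that a glob check only constrains the top-level names; inside a recursive transfer the server still dictates subtree names, which is why the CVE-2019-6111 entry above calls out -r separately.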

Change History (5)

comment:1 Changed 6 years ago by Schamschula (Marius Schamschula)

Cc: Schamschula added

Changed 6 years ago by danielluke (Daniel J. Luke)

Attachment: Portfile.diff added

Simple version bump

comment:2 Changed 6 years ago by danielluke (Daniel J. Luke)

As per usual, I've tested this and it works - but I don't use the +hpn or +gsskex variants, so I didn't check to see if the patchfiles applied or work (they usually need attention after a new upstream release).

comment:3 Changed 6 years ago by Schamschula (Marius Schamschula)

I consider the +hpn variant obsolete. FreeBSD has not offered updated patches for HPN since 7.5p1 either, and has marked the port as broken if you choose to build it with the HPN variant.

comment:4 Changed 6 years ago by l2dy (Zero King)

Description: modified (diff)
Keywords: security added
Summary: openssh: update to 7.7p1 → openssh: update to 7.9p1