Update 14.2 to p2

[ericbsd]

Summary by Sourcery

This pull request updates the OpenSSH version to 14.2p2 and includes several bug fixes. It also prevents replying to PING messages in pre-authentication and during key exchange.

Bug Fixes:

• Fixes host key verification failure.
• Prevents replying to PING messages in pre-authentication and during key exchange.
• Fixes multiple potential SSH_ERR_INVALID_FORMAT and SSH_ERR_ALLOC_FAIL errors related to key constraints, session ID limits, KRL section processing, resident key loading, and certificate principal filtering.

[sourcery-ai]

Reviewer's Guide by Sourcery

This pull request updates OpenSSH to version 14.2p2. It includes bug fixes related to host key verification, PING packet handling, and several input validation and error handling improvements. It also updates the SSH protocol banner with the latest FreeBSD version.

Sequence diagram for handling SSH2_MSG_PING

sequenceDiagram
    participant Client
    participant Server

    Client->>Server: SSH2_MSG_PING
    alt Server is in pre-authentication or rekeying phase
        Server-->>Client: (No response)
    else Server is authenticated and not rekeying
        Server->>Server: sshpkt_start(SSH2_MSG_PONG)
        Server->>Server: sshpkt_put_string(data from PING)
        Server->>Server: sshpkt_send()
        Server-->>Client: SSH2_MSG_PONG
    end

Loading

Updated class diagram for SocketEntry

classDiagram
    class SocketEntry {
        -session_ids: char**
        -nsession_ids: int
        +process_ext_session_bind(SocketEntry *e)
    }

    note for SocketEntry "Added check for AGENT_MAX_SESSION_IDS in process_ext_session_bind to prevent recording too many session IDs."

Loading

File-Level Changes

Change	Details	Files
Implemented a fix to prevent replying to PING packets during rekeying or pre-authentication phases.	Added checks to avoid replying to SSH2_MSG_PING packets when the connection is in the pre-authentication phase. Added checks to avoid replying to SSH2_MSG_PING packets during key exchange (rekeying).	crypto/openssh/packet.c
Improved error handling and input validation in ssh-agent, sshconnect2, krl, and ssh-sk-client.	Added checks for exceeding the maximum number of destination constraints and certificates in parse_key_constraint_extension. Added a check to prevent recording too many session IDs in process_ext_session_bind. Added checks for unknown public key algorithms and key type mismatches in input_userauth_pk_ok. Added a check for insane bitmap gaps in revoked_certs_generate. Added allocation failure checks in ssh_krl_from_blob and sshsk_load_resident. Added allocation failure check in cert_filter_principals.	crypto/openssh/ssh-agent.c crypto/openssh/sshconnect2.c crypto/openssh/krl.c crypto/openssh/ssh-sk-client.c crypto/openssh/sshsig.c
Fixed host key verification failure.	Corrected the return value check in verify_host_key_callback to properly handle host key verification failures.	crypto/openssh/sshconnect2.c
Updated the SSH protocol banner with the latest FreeBSD version.	Modified sshd_config.5 and version.h to reflect the updated FreeBSD version. Modified newvers.sh to reflect the updated FreeBSD release.	crypto/openssh/sshd_config.5 crypto/openssh/version.h sys/conf/newvers.sh

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!
• Generate a plan of action for an issue: Comment @sourcery-ai plan on
  an issue to generate a plan of action for it.

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.