ztgrace / changeme Goto Github PK

Create postgres scanner.

As suggested by @AlessandroZ:

I think, it could be a good idea, to add the possibility to list "categories" and "subcategories" from the command line, to not always enter on the source code to see what it exists.

Add Supermicro IPMI default credential.

Ref: https://packetstormsecurity.com/files/105730/Supermicro-IPMI-Default-Accounts.html

Add a parameter to disable continuous bruteforcing when using two or more default credentials to speed up scans.

hi again @ztgrace
i am very impressed by this project cuz it is in python and easy to be grown by community. i believe this project have much more perspectives even than famous "hydra".
i will introduce your tool to netstalking community in my paper-guide very soon.
besides creatings an issues i would like to make some pull requests too by myself. at least some new creds profiles and improving the screenshoting function by "camera" category, to grab a video-channel jpeg snaphots just by python requests. (i.e. http://admin:[email protected]:80/cgi-bin/net_jpeg.cgi/?ch=1)
thank u for ur great work!

Hi again,

I encountered one more usecase today. Now, this might not make sense to you at all but I just thought of letting you know.

After the initial fingerprinting against a target, the POST request is being sent to a different domain all together. Think about this as an authentication microservice that is used by a target.

So, even though the fingerprinting is successful, the next phase of trying the default creds will always fail because there is no way to change the domain to send the authentication request to. It tries it against the target only.

I noticed there is a HOST header but making that static to the authentication microservice didn't help either.

I am curious to know your thoughts on this?

Cheers!

Create a mysql scanner.

The Dockerfile in the repo root doesn't appear to build an image successfully for me, initially failing during cffi installation:

gcc -fno-strict-aliasing -Os -fomit-frame-pointer -g -DNDEBUG -Os -fomit-frame-pointer -g -fPIC -DUSE__THREAD -I/usr/lib/libffi-3.2.1/include -I/usr/include/python2.7 -c c/_cffi_backend.c -o build/temp.linux-x86_64-2.7/c/_cffi_backend.o
    c/_cffi_backend.c:2:20: fatal error: Python.h: No such file or directory
     #include <Python.h>
                        ^
    compilation terminated.
    error: command 'gcc' failed with exit status 1
    
    ----------------------------------------
Command "/usr/bin/python2 -u -c "import setuptools, tokenize;__file__='/tmp/pip-build-XRmBKF/cffi/setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, __file__, 'exec'))" install --record /tmp/pip-yi59Pl-record/install-record.txt --single-version-externally-managed --compile" failed with error code 1 in /tmp/pip-build-XRmBKF/cffi/

However, if I add the following dependencies to the Dockerfile (around line 12), so that it is the following:

# snipped
RUN apk add --no-cache --virtual .changeme-deps \
        bash \
        libxml2 \
        py-lxml \
        py-pip \
        python-dev \ #HERE
        libffi-dev \ # HERE
        musl-dev \ # HERE
        openssl-dev \ # AND HERE
    && apk add --no-cache --virtual .build-deps \
        libxml2-dev \
        gcc \
    && pip install -r /changeme/requirements.txt
# snipped

it successfully builds. I'm happy to open a PR for this, just wanted to make sure I'm not doing something obviously wrong.

Hi,
I am trying to find out the default credentials of DB server ( MS SQL).
When i was trying to scan a DB server using the following command,
./changeme.py -s X.X.X.X

I get the error message below. kindly help.

Traceback (most recent call last):
File "C:\changeme-master\changeme.py", line 6, in core.main()
File "C:\changeme-master\changeme\core.py", line 41, in main creds = load_creds(config)
File "C:\changeme-master\changeme\core.py", line 231, in load_creds protocol = get_protocol(f)
File "C:\changeme-master\changeme\core.py", line 217, in get_protocol return filename.split('/')[1]
IndexError: list index out of range

If we don't have a subnet IP range, please suggest me the command that is used to scan multiple web servers/db servers for default credentials. Thanks in advance

The current User-Agent is the python requests user agent. This should be changed to an app-specific UA. Also the ability to specify or cycle through a number of user agents would be useful.

The base module was created, but is broken.

Changeme fails to run with the following output:

/opt/changeme/changeme.py -d PTDS_scan_1.xml

[09:12:21][core][_validate_args] Delay is set to 500 milliseconds
[09:12:21][core][_validate_args] http
[09:12:23][core][check_version] Unable to retrieve latest changeme version.
Traceback (most recent call last):
File "/opt/changeme/changeme.py", line 6, in
core.main()
File "/opt/changeme/changeme/core.py", line 48, in main
creds = load_creds(config)
File "/opt/changeme/changeme/core.py", line 260, in load_creds
protocols = next(os.walk('creds'))[1]
StopIteration

/opt/changeme/changeme.py -d 10.154.1.1

[13:40:18][core][_validate_args] Delay is set to 500 milliseconds
[13:40:18][core][_validate_args] http
[13:40:20][core][check_version] Unable to retrieve latest changeme version.
Traceback (most recent call last):
File "/opt/changeme/changeme.py", line 6, in
core.main()
File "/opt/changeme/changeme/core.py", line 48, in main
creds = load_creds(config)
File "/opt/changeme/changeme/core.py", line 260, in load_creds
protocols = next(os.walk('creds'))[1]
StopIteration

Hi,

The scanner class checks only for a default port at this moment. The default ports are given in the Yml files. In reality all the web servers/db servers are running in a non-standard or non default ports. E.g Apache Tomcat may run in 9999, how to make use of this project to extend it for non standard ports ( 8000, 8010, etc..)

can we comment this line #port = self.cred['default_port'] and make use of some thing like below?
Please suggest.

openports = [8000,8001,8002,8005,8006,8007,8008,8009,8010]
for openp in openports:
port = openp

def fingerprint(self):
port = self.cred['default_port']
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(3)
result = sock.connect_ex((str(self.target), port))
sock.shutdown(2)
------------------------------------------

Thank you very much.

Hi,

I have installed a Tomcat server to test this module. However, the password has not been found. I have checked why and it is because the string "Tomcat Web Application Manager" is not present, but I have some other string such as "Welcome to Tomcat" that I can add

I think if you put that string is because it was present on your tomcat instance. So my idea was to change the schema of "body" to use list and not string. The user could add many trigger string and if one match the credentials are ok:

success:
    body: 
      - Welcome to Tomcat
      - Tomcat Web Application Manager
    status: 200

Moreover, I think this field should not be always required. For example only the status code could be checked for Tomcat (if it's equal to 200 it's ok). It could avoid false positive for this module (and maybe others).

If your ok to these modification I could do it. However, it will affect all yaml files so I want to be sure that you're ok about that.

I add the following username and password such as new line in ssh.yml file.
And running command "sudo ./changeme.py --protocols ssh TARGET-IP" , But I get alert,
No handlers could be found for logger "paramiko.transport"
No default credentials found

#add ssh.yml file

• username: root
  password: test

How can I find a solition for this issue? Thanks

An HTML report that includes the following:

• URL
• Username
• Password
• Screenshot of authenticated service
  • embed the screenshot into the HTML

The base module was created, but is broken.

i have input file with 90 000 hosts and scanner just stucks and doing nothing even when i allowing 100 threads with "-t" flag

Lets take Apache Tomcat as an example.

There is Tomcat Manager and Tomcat Host Manager. They both have different endpoints and different fingerprints. For instance, the Basic Auth Realm for Tomcat Manager says "Tomcat Manager Application" and for Tomcat Host Manager, it says "Tomcat Host Manager Application".

Tomcat Host Manager is exposed at the endpoint /host-manager/html whereas Tomcat Manager is exposed at endpoints like /manager/html, /tomcat/manager/html, /manager/text, /manager/status.

So, basically even though it is Apache Tomcat, it needs multiple sections of fingerprints.

Right now, I just created two separate files for them, but it would be nice to be able to have multiple sections of fingerprints in a single YAML file.

Incorporate HD Moore's SSH Bad Keys into the SSH scanner: https://github.com/rapid7/ssh-badkeys

Add the HTTP Server header as an option to fingerprint a service.

Hello,

I noticed there is a bug in the way the resource names are being read to load the YML files.

So, for instance, lets suppose we have 2 YML files - exactly same but the only difference being that the ssl value is true in one and false in the other.

Let's say the names of these YML files are "xyz SSL" and "xyz noSSL".

Let's say we have a target with SSL enabled and invalid cert.

If we run changeme with just the noSSL YML file by specifying the -n flag as -n "xyz noSSL", fingerprinting is not successful. This is as expected.

If we run changeme with just the SSL YML file by specifying the -n flag as -n "xyz SSL", fingerprinting is successful. This is as expected.

Now, if we run changeme with both the YML files by specifying the -n flag as -n "xyz", it appears as if its loading both YML files and fingerprinting is coming out to be successful with both the ssl and noSSL YML files. The fingerprinting against the noSSL file should have failed but its succeeding.

So, as per above, there is some discrepancy where specifying an incomplete name like -n "xyz" is not producing the expected output.

Cheers!

Add fingerprint match threshold to scanning. Right now, all defined fingerprint details have to match in order for a service to get scanned for default credentials. A threshold would be more flexible in the instances where certain fingerprint data may be suppressed such as server headers.

There's an issue with the SSH credential scanner where it passes an invalid target to the connection. This raises gaierror Exception: [Errno -2] Name or service not known.

[16:25:58][scan_engine][_scan] 4 scanners remaining
[16:25:58][scanner][check_success] Invalid Raspberry Pi default cred pi:raspberry at ssh://192.168.1.162:22:22
[16:25:58][scanner][check_success] gaierror Exception: [Errno -2] Name or service not known
[16:25:58][scan_engine][_scan] 3 scanners remaining
[16:25:58][scanner][check_success] Invalid AT&T Arris NVG589 & NVG599 (SharknAT&To) default cred remotessh:5SaP9I26 at ssh://192.168.1.162:22:22
[16:25:58][scanner][check_success] gaierror Exception: [Errno -2] Name or service not known
[16:25:58][scan_engine][_scan] 2 scanners remaining
[16:25:58][scanner][check_success] Invalid ssh default cred root:password at ssh://192.168.1.162:22:22
[16:25:58][scanner][check_success] gaierror Exception: [Errno -2] Name or service not known
[16:25:58][scan_engine][_scan] 1 scanners remaining
[16:25:58][scanner][check_success] Invalid ssh default cred root:root at ssh://192.168.1.162:22:22
[16:25:58][scanner][check_success] gaierror Exception: [Errno -2] Name or service not known

This appears to be due to the fact that self.target in ssh.py contains the protocol and the port ssh://:22 when being passed as hostname to the paramiko connect() function in ssh.py.

delete this

[22:50:42][scan_engine][fingerprint_targets] 9906 fingerprints remaining
[22:50:52][scan_engine][fingerprint_targets] Caught exception: OperationalError
[22:50:52][scan_engine][fingerprint_targets] Exception: OperationalError: database is locked
[22:50:53][scan_engine][fingerprint_targets] 9906 fingerprints remaining
[22:51:03][scan_engine][fingerprint_targets] Caught exception: OperationalError
[22:51:03][scan_engine][fingerprint_targets] Exception: OperationalError: database is locked
[22:51:03][scan_engine][scan] Fingerprinting completed
Traceback (most recent call last):
File "changeme.py", line 6, in
core.main()
File "/home/root/Desktop/changeme/changeme/core.py", line 69, in main
s.scan()
File "/home/root/Desktop/changeme/changeme/scan_engine.py", line 63, in scan
while self.scanners.qsize() > 0:
File "/usr/local/lib/python2.7/dist-packages/persistqueue/sqlqueue.py", line 84, in qsize
return self.size
File "/usr/local/lib/python2.7/dist-packages/persistqueue/sqlqueue.py", line 81, in size
return self._count()
File "/usr/local/lib/python2.7/dist-packages/persistqueue/sqlbase.py", line 121, in _count
row = self._putter.execute(sql).fetchone()
sqlite3.OperationalError: database is locked

Hi brother, I have this problem. How can I solve this problem? thank you ！

Name field within cch.yml file incorrectly states "MSSQL" and conflicts with mssql.yml. Changing name field within cch.yml to "CCH" fixes the issue.

Need to change out driver per warning message?

[21:02:32][http_get][_screenshot] Screenshotting http://127.0.0.1:8080/admin-console/login.seam
/tmp/python2/local/lib/python2.7/site-packages/selenium/webdriver/phantomjs/webdriver.py:49: UserWarning: Selenium support for PhantomJS has been deprecated, please use headless versions of Chrome or Firefox instead
  warnings.warn('Selenium support for PhantomJS has been deprecated, please use headless '

I try to run changeme with command
./changeme.py -s x.x.x.x

And got error

Traceback (most recent call last):
  File "./changeme.py", line 4, in <module>
    import requests
ImportError: No module named requests

I try to list all module and i saw module reuqest is installed

pip3 list

Cerberus (0.9.2)
cookies (2.2.1)
dnspython3 (1.12.0)
intelmq (1.0.0.dev4)
logutils (0.3.3)
lxml (3.6.0)
netaddr (0.7.18)
nose (1.3.7)
pip (8.1.1)
psutil (4.1.0)
pycurl (7.43.0)
python-dateutil (2.5.3)
python-termstyle (0.1.10)
pytz (2016.4)
PyYAML (3.11)
redis (2.10.5)
requests (2.9.1)
responses (0.5.1)
setuptools (20.10.1)
six (1.10.0)
wheel (0.29.0)

Current threading should be cleaned up and improved.

Add AJP scanner support using https://github.com/hypn0s/AJPy/

Hello,

So, I downloaded a docker image for the Nexus Repository Manager and started it locally by typing docker run -d -p 8081:8081 --name nexus sonatype/nexus:oss

This started the Nexus Repository Manager and I could access it by going to http://localhost:8081/nexus.

I then ran changeme to scan against this URL and it did not find the default creds. I could however navigate to the console and click on Login and enter the default creds admin/admin123 and get in successfully.

So, I am guessing there is something wrong with the https://github.com/ztgrace/changeme/blob/master/creds/http/general/nexus_repository_manager.yml file here. It says basic_auth but the login doesn't look like its happening over Basic Auth. Is that why?

Cheers!

Cloned and move to a working directory. Attempting to run from the local machine rather than from a docker container. My coding/scripting skills are not excellent. Receiving the following:

Traceback (most recent call last):
File "./changeme.py", line 3, in
from changeme import core
File "/opt/ChangeMe/changeme/core.py", line 3, in
from changeme.redis_queue import RedisQueue
File "/opt/ChangeMe/changeme/redis_queue.py", line 1, in
import redis
ImportError: No module named redis

Occasionally the app completes processing but fails to exit the program cleanly. Need to investigate and fix this.

The monolithic changeme.py should be refactored into a python package. This will allow schema.py and mkcred.py to get merged more easily into the same codebase.

https://docs.python.org/2/tutorial/modules.html#packages

The fingerprint_targets process fails when using FIFOSQLiteQueue with: Exception: OperationalError: database is locked

[11:14:08][scan_engine][_build_targets] 39 fingerprints
[11:14:08][scan_engine][scan] Number of procs: 10
[11:14:08][scan_engine][fingerprint_targets] 39 fingerprints remaining
[11:14:18][scan_engine][fingerprint_targets] Caught exception: OperationalError
[11:14:18][scan_engine][fingerprint_targets] Exception: OperationalError: database is locked
[11:14:18][scan_engine][fingerprint_targets] 39 fingerprints remaining
[11:14:28][scan_engine][fingerprint_targets] Caught exception: OperationalError
[11:14:28][scan_engine][fingerprint_targets] Exception: OperationalError: database is locked
[11:14:28][scan_engine][fingerprint_targets] 39 fingerprints remaining
[11:14:38][scan_engine][fingerprint_targets] Caught exception: OperationalError
[11:14:38][scan_engine][fingerprint_targets] Exception: OperationalError: database is locked
[11:14:38][scan_engine][fingerprint_targets] 39 fingerprints remaining

Specific problem occurs on the fpq.get() call in fingerprint_targets()

Hi,

I grabbed the prebuilt changeme from docker hub and ran it today. ./changeme.py -n "Apache Tomcat" XXXX. Though tomcat uses the default credentials, it didn't find the creds. I have also verified the same default creds hardcoded in creds folder (Yaml file)

Loaded 2 default creds profiles
Loaded 34 default creds

No default creds found .

I didnt pull redis and used redis at the background. Appreciate any help.

Thanks

First of all: thanks for excellent tool. Just found it so haven't used during the testing engagement but it has potential to save huge amount of time during the testing and skip most mundane activity during pen tests of large networks: walking thru all the web consoles for yet another (and another, ...) device/appliance and try out default creds manually.

That being said, during my pen test I've recently found instance of Aruba ClearPass (https://www.arubanetworks.com/products/security/network-access-control/) and guess what default credentials admin:eTIPS123 worked perfectly :).

After finding changeme I've decided to add ClearPass to it. The authentication to ClearPass is straightforward and could be summed up with following curl invocations:

Failed authn:

curl -x 127.0.0.1:8080 -v -k --url https://<ip>/tips/tipsLoginSubmit.action -d 'username=admin&password=badpass'

# Response:
< HTTP/1.1 200 OK
< Date: Thu, 23 May 2019 16:35:18 GMT
...

Successful authn:

curl -x 127.0.0.1:8080 -v -k --url https://<ip>/tips/tipsLoginSubmit.action -d 'username=admin&password=eTIPS123'

# Response:
< HTTP/1.1 302 Found
< Date: Thu, 23 May 2019 16:37:28 GMT
....
(empty body)

So the HTTP status code 200 vs 302 differentiate successful vs failed authn.

Fingerprinting:

curl -s -x 127.0.0.1:8080 -k --url https://<ip>/tips/tipsLogin.action | grep '<title>ClearPass Policy Manager - Aruba Networks</title>'

# Response:
<title>ClearPass Policy Manager - Aruba Networks</title>

So I've prepared (with --mkcred) following yaml file for changeme:

auth:
  credentials:
  - password: eTIPS123
    username: admin
  headers: []
  post:
    password: password
    username: username
  sessionid: JSESSIONID
  success:
    body:
    - ""
    status: 302
  type: post
  url:
  - /tips/tipsLoginSubmit.action
category: general
contributor: mzet
default_port: 443
fingerprint:
  body:
  - <title>ClearPass Policy Manager - Aruba Networks</title>
  status: 200
  url:
  - /tips/tipsLogin.action
name: ClearPass
protocol: http
ssl: true

Unfortunately default creds aren't identified:

What I've missed? Or mybe yaml file is wrong?

Best,
mzet

how to make more complicated --shodan_query (for example http.title:"VIDEO WEB SERVER" port:80 country:US) while it takes only one argument?
or how to get more than 100 results when using shodan_query?

Add a parameter to disable screenshots to speed up scans. As requested by @Celestial-intelligence

root@kali:~/githubtools/changeme# ./changeme.py -s 10.217.24.0/24
Traceback (most recent call last):
File "./changeme.py", line 47, in
print core.banner(version.version)
AttributeError: 'module' object has no attribute 'banner'

Hi,

while trying to add credentials for Odoo, I have stumbled upon a weird corner case with user agent headers.

Upon successful login, Odoo redirects the user to either a user given URL (unvalidated redirect :/) or base back-office URL, but the redirect method is different depending on the user agent.

I am using the redirect as an indicator for login success, and I need a constant user agent in order to get consistent results.

It turns out, changeme by default uses a random user agent from a predefined list.

I have tried setting the headers in auth block, but it appears that the user agent is overwritten with the one selected by changeme afterwards, so, no luck :/

It works great if I pass my user agent via CLI parameters, however, this is not an optimal solution.

I have tried to change the order in which the headers are calculated, so that custom headers from the credentials file are applied afterwards, eg.:

self.headers.update(self.config.useragent)
headers = self.cred['auth'].get('headers', dict())
if headers:
    for h in headers:
        self.headers.update(h)

and it seems to work great. However, I was not sure if the previous header evaluation order was intentional or not. Please let me know if you think the solution is suitable, and I'll gladly make a PR.

The current HP Laserjet yml files have a blank username. My HP LJ 1102w has default admin for username. Also, it doesn't use SSL and it's default port is 80. I tried using the --mkcred script and i also tried creating a new yml for my printer with the above 3 changes, but changeme isn't finding it. I assume the fingerprint page is different also. How do I find the fingerprint page for a device?
thanks!

Traceback (most recent call last):
  File "./changeme.py", line 6, in <module>
    core.main()
  File "/root/sc/tools/changeme/changeme/core.py", line 69, in main
    s.scan()
  File "/root/sc/tools/changeme/changeme/scan_engine.py", line 59, in scan
    proc.start()
  File "/usr/lib/python2.7/multiprocessing/process.py", line 130, in start
    self._popen = Popen(self)
  File "/usr/lib/python2.7/multiprocessing/forking.py", line 121, in __init__
    self.pid = os.fork()
OSError: [Errno 12] Cannot allocate memory

I checked free memory and this is what I found:

# free -h
              total        used        free      shared  buff/cache   available
Mem:          7.8Gi       1.4Gi       6.3Gi       8.0Mi       160Mi       6.2Gi
Swap:         2.0Gi       733Mi       1.3Gi

There seems to be plenty of memory available. I ran this on two different systems (both were Kali Linux virtual machines) and got the same error on both.

Broken Pipe errors.docx
I'm able to get changeme to work when using the IP directly or using a file with less than 5 IP addresses. When I try to run it against a file with several addresses or against a subnet, it comes back with No default credentials and a bunch of "IOError: [Errno 32] Broken pipe" errors. Attached are screenshots showing the results from 4 different tests.

Hi,

I just noticed that in the new version, there are a couple of things that are not working but were working in the previous version.

To reproduce, follow along:

• I started a Nexus Repository Manager by typing docker run -d -p 8081:8081 --name nexus sonatype/nexus:oss
• I then started both v1.0.3 and v1.0.4 in two terminal tabs and ran the command ./changeme.py --fresh -v --protocols http -n "Nexus Repository Manager" 172.17.0.3
• Below are the outputs from each one of them:

v1.0.3

v1.0.4

So in v1.0.4, the verbose flag is not actually showing the creds being tried. I think the new version is not actually trying to login with the default creds from the list but is just fingerprinting even with the -f flag absent.

Hello again,

Another feature request:

Right now, the YML files take in a value for ssl. Can we also add another value here both so that instead of creating two separate files for ssl: true and ssl: false, we can just provide both and it should automatically try to run both?

Cheers!

The base module was created, but is broken.

Process Process-8:
Traceback (most recent call last):
File "/usr/lib/python2.7/multiprocessing/process.py", line 258, in _bootstrap
Process Process-10:
Traceback (most recent call last):
File "/usr/lib/python2.7/multiprocessing/process.py", line 258, in _bootstrap
self.run()
File "/usr/lib/python2.7/multiprocessing/process.py", line 114, in run
self._target(_self._args, *_self._kwargs)
self.run()
File "/usr/lib/python2.7/multiprocessing/process.py", line 114, in run
File "./changeme.py", line 558, in do_scan
fp = fingerprints.get_nowait()
self._target(_self._args, *_self._kwargs)
File "./changeme.py", line 558, in do_scan
fp = fingerprints.get_nowait()
File "", line 2, in get_nowait
File "/usr/lib/python2.7/multiprocessing/managers.py", line 774, in _callmethod
File "", line 2, in get_nowait
File "/usr/lib/python2.7/multiprocessing/managers.py", line 774, in _callmethod
raise convert_to_error(kind, result)
Empty
raise convert_to_error(kind, result)
Empty

Hi,

This is more of a feature request. Right now, if we want to run multiple YMLs for, lets say, a particular resource Apache Tomcat - apache_tomcat_manager.yml (Name - Apache Tomcat Manager) and apache_tomcat_host_manager.yml (Name - Apache Tomcat Host Manager), there is no easy way to do it. I am having to mention -c web so that it automatically runs both of them along with all others.

Can we modify the flag -n to take in multiple names instead of just one?
How easy/difficult would this be? I can try issuing a PR if you can direct me exactly where I need to change this in the code.

Cheers!

It looks like the Dockerfile is broken again. Output of docker build -t changeme . from latest master doesn't build:

ERROR: unsatisfiable constraints:
  openssl-dev-1.0.2k-r0:
    conflicts:
               libressl-dev-2.4.4-r0[pc:libcrypto=1.0.2k]
               libressl-dev-2.4.4-r0[pc:libssl=1.0.2k]
               libressl-dev-2.4.4-r0[pc:openssl=1.0.2k]
  libressl-dev-2.4.4-r0:
    conflicts:
               openssl-dev-1.0.2k-r0[pc:libcrypto=2.4.4]
               openssl-dev-1.0.2k-r0[pc:libssl=2.4.4]
               openssl-dev-1.0.2k-r0[pc:openssl=2.4.4]
    satisfies:
               postgresql-dev-9.6.2-r0[libressl-dev]
  .build-deps-0:
    masked in: cache
    satisfies: world[.build-deps]

Looks like one of the new dependencies from 2df3b31 has brought in libressl-dev which conflicts with openssl-dev.

Removing openssl-dev from the deps list seems to work again. I'll raise a PR as soon as I get a chance.