Hello community,

here is the log from the commit of package openssh for openSUSE:Factory checked 
in at 2021-01-19 16:00:43
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openssh (Old)
 and      /work/SRC/openSUSE:Factory/.openssh.new.28504 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "openssh"

Tue Jan 19 16:00:43 2021 rev:147 rq:863947 version:8.4p1

Changes:
--------
--- /work/SRC/openSUSE:Factory/openssh/openssh.changes  2021-01-15 
19:43:33.397773139 +0100
+++ /work/SRC/openSUSE:Factory/.openssh.new.28504/openssh.changes       
2021-01-19 16:00:54.711263653 +0100
@@ -1,0 +2,130 @@
+Mon Jan 18 00:30:37 UTC 2021 - Dirk M??ller <dmuel...@suse.com>
+
+- update to 8.4p1:
+  Security
+  ========
+ * ssh-agent(1): restrict ssh-agent from signing web challenges for
+   FIDO/U2F keys.
+ * ssh-keygen(1): Enable FIDO 2.1 credProtect extension when generating
+   a FIDO resident key.
+ * ssh(1), ssh-keygen(1): support for FIDO keys that require a PIN for
+   each use. These keys may be generated using ssh-keygen using a new
+   "verify-required" option. When a PIN-required key is used, the user
+   will be prompted for a PIN to complete the signature operation.
+  New Features
+  ------------
+ * sshd(8): authorized_keys now supports a new "verify-required"
+   option to require FIDO signatures assert that the token verified
+   that the user was present before making the signature. The FIDO
+   protocol supports multiple methods for user-verification, but
+   currently OpenSSH only supports PIN verification.
+
+ * sshd(8), ssh-keygen(1): add support for verifying FIDO webauthn
+   signatures. Webauthn is a standard for using FIDO keys in web
+   browsers. These signatures are a slightly different format to plain
+   FIDO signatures and thus require explicit support.
+
+ * ssh(1): allow some keywords to expand shell-style ${ENV}
+   environment variables. The supported keywords are CertificateFile,
+   ControlPath, IdentityAgent and IdentityFile, plus LocalForward and
+   RemoteForward when used for Unix domain socket paths. bz#3140
+
+ * ssh(1), ssh-agent(1): allow some additional control over the use of
+   ssh-askpass via a new $SSH_ASKPASS_REQUIRE environment variable,
+   including forcibly enabling and disabling its use. bz#69
+
+ * ssh(1): allow ssh_config(5)'s AddKeysToAgent keyword accept a time
+   limit for keys in addition to its current flag options. Time-
+   limited keys will automatically be removed from ssh-agent after
+   their expiry time has passed.
+
+ * scp(1), sftp(1): allow the -A flag to explicitly enable agent
+   forwarding in scp and sftp. The default remains to not forward an
+   agent, even when ssh_config enables it.
+
+ * ssh(1): add a '%k' TOKEN that expands to the effective HostKey of
+   the destination. This allows, e.g., keeping host keys in individual
+   files using "UserKnownHostsFile ~/.ssh/known_hosts.d/%k". bz#1654
+
+ * ssh(1): add %-TOKEN, environment variable and tilde expansion to
+   the UserKnownHostsFile directive, allowing the path to be
+   completed by the configuration (e.g. bz#1654)
+
+ * ssh-keygen(1): allow "ssh-add -d -" to read keys to be deleted
+   from stdin. bz#3180
+
+ * sshd(8): improve logging for MaxStartups connection throttling.
+   sshd will now log when it starts and stops throttling and periodically
+   while in this state. bz#3055
+
+  Bugfixes
+  --------
+ * ssh(1), ssh-keygen(1): better support for multiple attached FIDO
+   tokens. In cases where OpenSSH cannot unambiguously determine which
+   token to direct a request to, the user is now required to select a
+   token by touching it. In cases of operations that require a PIN to
+   be verified, this avoids sending the wrong PIN to the wrong token
+   and incrementing the token's PIN failure counter (tokens
+   effectively erase their keys after too many PIN failures).
+ * sshd(8): fix Include before Match in sshd_config; bz#3122
+ * ssh(1): close stdin/out/error when forking after authentication
+   completes ("ssh -f ...") bz#3137
+ * ssh(1), sshd(8): limit the amount of channel input data buffered,
+   avoiding peers that advertise large windows but are slow to read
+   from causing high memory consumption.
+ * ssh-agent(1): handle multiple requests sent in a single write() to
+   the agent.
+ * sshd(8): allow sshd_config longer than 256k
+ * sshd(8): avoid spurious "Unable to load host key" message when sshd
+   load a private key but no public counterpart
+ * ssh(1): prefer the default hostkey algorithm list whenever we have
+   a hostkey that matches its best-preference algorithm.
+ * sshd(1): when ordering the hostkey algorithms to request from a
+   server, prefer certificate types if the known_hosts files contain a key
+   marked as a @cert-authority; bz#3157
+ * ssh(1): perform host key fingerprint comparisons for the "Are you
+   sure you want to continue connecting (yes/no/[fingerprint])?"
+   prompt with case sensitivity.
+ * sshd(8): ensure that address/masklen mismatches in sshd_config
+   yield fatal errors at daemon start time rather than later when
+   they are evaluated.
+ * ssh-keygen(1): ensure that certificate extensions are lexically
+   sorted. Previously if the user specified a custom extension then
+   the everything would be in order except the custom ones. bz#3198
+ * ssh(1): also compare username when checking for JumpHost loops.
+   bz#3057
+ * ssh-keygen(1): preserve group/world read permission on known_hosts
+   files across runs of "ssh-keygen -Rf /path". The old behaviour was
+   to remove all rights for group/other. bz#3146
+ * ssh-keygen(1): Mention the [-a rounds] flag in the ssh-keygen
+   manual page and usage().
+ * sshd(8): explicitly construct path to ~/.ssh/rc rather than
+   relying on it being relative to the current directory, so that it
+   can still be found if the shell startup changes its directory.
+   bz#3185
+ * sshd(8): when redirecting sshd's log output to a file, undo this
+   redirection after the session child process is forked(). Fixes
+   missing log messages when using this feature under some
+   circumstances.
+ * sshd(8): start ClientAliveInterval bookkeeping before first pass
+   through select() loop; fixed theoretical case where busy sshd may
+   ignore timeouts from client.
+ * ssh(1): only reset the ServerAliveInterval check when we receive
+   traffic from the server and ignore traffic from a port forwarding
+   client, preventing a client from keeping a connection alive when
+   it should be terminated. bz#2265
+ * ssh-keygen(1): avoid spurious error message when ssh-keygen
+   creates files outside ~/.ssh
+ * sftp-client(1): fix off-by-one error that caused sftp downloads to
+   make one more concurrent request that desired. This prevented using
+   sftp(1) in unpipelined request/response mode, which is useful when
+   debugging. bz#3054
+ * ssh(1), sshd(8): handle EINTR in waitfd() and timeout_connect()
+   helpers. bz#3071
+ * ssh(1), ssh-keygen(1): defer creation of ~/.ssh until we attempt to
+   write to it so we don't leave an empty .ssh directory when it's not
+   needed. bz#3156
+ * ssh(1), sshd(8): fix multiplier when parsing time specifications
+   when handling seconds after other units. bz#3171
+
+-------------------------------------------------------------------
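Review bot: The new openssh.changes entry documents only "update to 8.4p1" and the upstream release notes; the packaging changes made in this same submission are missing from it. The spec hunks switch the Source URLs from http to https and replace BuildRequires: autoconf with automake, and the root-login, CAVS and FIPS patches are refreshed against the openssh-8.4p1 tree. Add one bullet per packaging change so that the reason for the automake switch and the patch rebase is recorded alongside the version bump.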

Old:
----
  openssh-8.3p1.tar.gz
  openssh-8.3p1.tar.gz.asc

New:
----
  openssh-8.4p1.tar.gz
  openssh-8.4p1.tar.gz.asc

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ openssh-askpass-gnome.spec ++++++
--- /var/tmp/diff_new_pack.w6q0YJ/_old  2021-01-19 16:00:56.271266011 +0100
+++ /var/tmp/diff_new_pack.w6q0YJ/_new  2021-01-19 16:00:56.275266016 +0100
@@ -18,14 +18,14 @@
 
 %define _name openssh
 Name:           openssh-askpass-gnome
-Version:        8.3p1
+Version:        8.4p1
 Release:        0
 Summary:        A GNOME-Based Passphrase Dialog for OpenSSH
 License:        BSD-2-Clause
 Group:          Productivity/Networking/SSH
-URL:            http://www.openssh.com/
-Source:         
http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz
-Source42:       
http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz.asc
+URL:            https://www.openssh.com/
+Source:         
https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz
+Source42:       
https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz.asc
 Requires:       %{_name} = %{version}
 Supplements:    packageand(openssh-clients:libgtk-3-0)
 %if 0%{?suse_version} >= 1550

++++++ openssh.spec ++++++
--- /var/tmp/diff_new_pack.w6q0YJ/_old  2021-01-19 16:00:56.303266059 +0100
+++ /var/tmp/diff_new_pack.w6q0YJ/_new  2021-01-19 16:00:56.307266065 +0100
@@ -38,14 +38,14 @@
   %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
 Name:           openssh
-Version:        8.3p1
+Version:        8.4p1
 Release:        0
 Summary:        Secure Shell Client and Server (Remote Login Program)
 License:        BSD-2-Clause AND MIT
 Group:          Productivity/Networking/SSH
 URL:            https://www.openssh.com/
-Source0:        
http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
-Source1:        
http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
+Source0:        
https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
+Source1:        
https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
 Source2:        sshd.pamd
 Source3:        README.SUSE
 Source4:        README.kerberos
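Review bot: Moving Source0 and Source1 to https protects the download channel only; nothing in this hunk shows the detached signature in Source1 (openssh-%{version}.tar.gz.asc) being checked against a pinned upstream key. Since the tarball changes from 8.3p1 to 8.4p1 here, confirm that the spec lists a keyring file as a source and that the signature is verified before the build, and add that step if it is absent.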
@@ -108,7 +108,7 @@
 Patch41:        openssh-fips-ensure-approved-moduli.patch
 Patch42:        openssh-link-with-sk.patch
 BuildRequires:  audit-devel
-BuildRequires:  autoconf
+BuildRequires:  automake
 BuildRequires:  groff
 BuildRequires:  libedit-devel
 BuildRequires:  libselinux-devel
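Review bot: BuildRequires: autoconf is replaced by automake here rather than supplemented. If the build regenerates configure, it now relies on automake pulling autoconf in indirectly; list both explicitly, and state in openssh.changes why automake became necessary for 8.4p1, since the changelog hunk does not mention it.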

++++++ openssh-7.7p1-allow_root_password_login.patch ++++++
--- /var/tmp/diff_new_pack.w6q0YJ/_old  2021-01-19 16:00:56.407266216 +0100
+++ /var/tmp/diff_new_pack.w6q0YJ/_new  2021-01-19 16:00:56.407266216 +0100
@@ -5,11 +5,11 @@
 temporarily introducing this change to keep the default used in older OpenSSH
 versions shipped with SLE.
 
-Index: openssh-7.9p1/servconf.c
+Index: openssh-8.4p1/servconf.c
 ===================================================================
---- openssh-7.9p1.orig/servconf.c
-+++ openssh-7.9p1/servconf.c
-@@ -292,7 +292,7 @@ fill_default_server_options(ServerOption
+--- openssh-8.4p1.orig/servconf.c
++++ openssh-8.4p1/servconf.c
+@@ -329,7 +329,7 @@ fill_default_server_options(ServerOption
        if (options->login_grace_time == -1)
                options->login_grace_time = 120;
        if (options->permit_root_login == PERMIT_NOT_SET)
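Review bot: The patch description kept as context at the top of this hunk says the change to the PermitRootLogin default is being introduced "temporarily" to match older SLE releases, yet this refresh carries it from the 7.9p1 tree to 8.4p1 with nothing but new Index lines and offsets. Add a tracking reference or a removal criterion to the patch header so the permit_root_login default in fill_default_server_options() is re-evaluated rather than rebased indefinitely. Renaming the file away from the 7.7p1 prefix would also stop its name from contradicting the "Index: openssh-8.4p1/servconf.c" lines.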
@@ -18,10 +18,10 @@
        if (options->ignore_rhosts == -1)
                options->ignore_rhosts = 1;
        if (options->ignore_user_known_hosts == -1)
-Index: openssh-7.9p1/sshd_config
+Index: openssh-8.4p1/sshd_config
 ===================================================================
---- openssh-7.9p1.orig/sshd_config
-+++ openssh-7.9p1/sshd_config
+--- openssh-8.4p1.orig/sshd_config
++++ openssh-8.4p1/sshd_config
 @@ -29,7 +29,7 @@
  # Authentication:
  
@@ -31,11 +31,11 @@
  #StrictModes yes
  #MaxAuthTries 6
  #MaxSessions 10
-Index: openssh-7.9p1/sshd_config.0
+Index: openssh-8.4p1/sshd_config.0
 ===================================================================
---- openssh-7.9p1.orig/sshd_config.0
-+++ openssh-7.9p1/sshd_config.0
-@@ -749,7 +749,7 @@ DESCRIPTION
+--- openssh-8.4p1.orig/sshd_config.0
++++ openssh-8.4p1/sshd_config.0
+@@ -778,7 +778,7 @@ DESCRIPTION
       PermitRootLogin
               Specifies whether root can log in using ssh(1).  The argument
               must be yes, prohibit-password, forced-commands-only, or no.  The
@@ -44,11 +44,11 @@
  
               If this option is set to prohibit-password (or its deprecated
               alias, without-password), password and keyboard-interactive
-Index: openssh-7.9p1/sshd_config.5
+Index: openssh-8.4p1/sshd_config.5
 ===================================================================
---- openssh-7.9p1.orig/sshd_config.5
-+++ openssh-7.9p1/sshd_config.5
-@@ -1285,7 +1285,7 @@ The argument must be
+--- openssh-8.4p1.orig/sshd_config.5
++++ openssh-8.4p1/sshd_config.5
+@@ -1331,7 +1331,7 @@ The argument must be
  or
  .Cm no .
  The default is

++++++ openssh-7.7p1-cavstest-ctr.patch ++++++
--- /var/tmp/diff_new_pack.w6q0YJ/_old  2021-01-19 16:00:56.423266241 +0100
+++ /var/tmp/diff_new_pack.w6q0YJ/_new  2021-01-19 16:00:56.427266246 +0100
@@ -2,10 +2,10 @@
 # Parent  cc1022edba2c5eeb0facba08468f65afc2466b63
 CAVS test for OpenSSH's own CTR encryption mode implementation
 
-diff --git a/Makefile.in b/Makefile.in
-index d5c37b5..5d4fcd2 100644
---- a/Makefile.in
-+++ b/Makefile.in
+Index: openssh-8.4p1/Makefile.in
+===================================================================
+--- openssh-8.4p1.orig/Makefile.in
++++ openssh-8.4p1/Makefile.in
 @@ -25,6 +25,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
  SSH_KEYSIGN=$(libexecdir)/ssh-keysign
  SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
@@ -14,7 +14,7 @@
  PRIVSEP_PATH=@PRIVSEP_PATH@
  SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
  STRIP_OPT=@STRIP_OPT@
-@@ -70,6 +71,8 @@ MKDIR_P=@MKDIR_P@
+@@ -68,6 +69,8 @@ MKDIR_P=@MKDIR_P@
  
  TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) 
ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) 
ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) 
ssh-sk-helper$(EXEEXT)
  
@@ -23,7 +23,7 @@
  XMSS_OBJS=\
        ssh-xmss.o \
        sshkey-xmss.o \
-@@ -244,6 +247,10 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a 
$(SFTPSERVER_OBJS)
+@@ -242,6 +245,10 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libss
  sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTP_OBJS)
        $(LD) -o $@ $(SFTP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) 
$(LIBEDIT)
  
@@ -34,7 +34,7 @@
  # test driver for the loginrec code - not built by default
  logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
        $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh 
$(LIBS)
-@@ -398,6 +405,7 @@ install-files:
+@@ -400,6 +407,7 @@ install-files:
        $(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) 
$(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
        $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) 
$(DESTDIR)$(bindir)/sftp$(EXEEXT)
        $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) 
$(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
@@ -42,11 +42,10 @@
        $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
        $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
        $(INSTALL) -m 644 ssh-add.1.out 
$(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
-diff --git a/cavstest-ctr.c b/cavstest-ctr.c
-new file mode 100644
-index 0000000..f81cb72
+Index: openssh-8.4p1/cavstest-ctr.c
+===================================================================
 --- /dev/null
-+++ b/cavstest-ctr.c
++++ openssh-8.4p1/cavstest-ctr.c
 @@ -0,0 +1,214 @@
 +/*
 + *
@@ -262,10 +261,10 @@
 +      printf("\n");
 +      return 0;
 +}
-diff --git a/cipher.c b/cipher.c
-index 2f5430b..599b54a 100644
---- a/cipher.c
-+++ b/cipher.c
+Index: openssh-8.4p1/cipher.c
+===================================================================
+--- openssh-8.4p1.orig/cipher.c
++++ openssh-8.4p1/cipher.c
 @@ -58,15 +58,6 @@
  #define EVP_CIPHER_CTX void
  #endif
@@ -282,10 +281,10 @@
  struct sshcipher {
        char    *name;
        u_int   block_size;
-diff --git a/cipher.h b/cipher.h
-index 1a591cd..10ccb28 100644
---- a/cipher.h
-+++ b/cipher.h
+Index: openssh-8.4p1/cipher.h
+===================================================================
+--- openssh-8.4p1.orig/cipher.h
++++ openssh-8.4p1/cipher.h
 @@ -48,7 +48,15 @@
  #define CIPHER_DECRYPT                0
  

++++++ openssh-7.7p1-cavstest-kdf.patch ++++++
--- /var/tmp/diff_new_pack.w6q0YJ/_old  2021-01-19 16:00:56.447266277 +0100
+++ /var/tmp/diff_new_pack.w6q0YJ/_new  2021-01-19 16:00:56.447266277 +0100
@@ -2,10 +2,10 @@
 # Parent  1e1d5a2ab8bddfc800f570755f9ea1addcc878c1
 CAVS test for KDF implementation in OpenSSH
 
-diff --git a/Makefile.in b/Makefile.in
-index 5d4fcd2..9eab827 100644
---- a/Makefile.in
-+++ b/Makefile.in
+Index: openssh-8.4p1/Makefile.in
+===================================================================
+--- openssh-8.4p1.orig/Makefile.in
++++ openssh-8.4p1/Makefile.in
 @@ -26,6 +26,7 @@ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
  SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
  SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
@@ -14,7 +14,7 @@
  PRIVSEP_PATH=@PRIVSEP_PATH@
  SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
  STRIP_OPT=@STRIP_OPT@
-@@ -71,7 +72,7 @@ MKDIR_P=@MKDIR_P@
+@@ -69,7 +70,7 @@ MKDIR_P=@MKDIR_P@
  
  TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) 
ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) 
ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) 
ssh-sk-helper$(EXEEXT)
  
@@ -23,7 +23,7 @@
  
  XMSS_OBJS=\
        ssh-xmss.o \
-@@ -251,6 +252,9 @@ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTP_OBJS)
+@@ -249,6 +250,9 @@ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(S
  cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o 
cavstest-ctr.o
        $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh 
-lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
  
@@ -33,7 +33,7 @@
  # test driver for the loginrec code - not built by default
  logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
        $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh 
$(LIBS)
-@@ -406,6 +410,7 @@ install-files:
+@@ -408,6 +412,7 @@ install-files:
        $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) 
$(DESTDIR)$(bindir)/sftp$(EXEEXT)
        $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) 
$(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
        $(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) 
$(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)
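Review bot: The install-files context at the end of this hunk installs cavstest-ctr into $(libexecdir) with mode 0755 right next to sftp-server, so the CAVS test driver is installed by the same target as the production binaries. Confirm that the spec places the cavstest-* binaries in their own subpackage rather than in the main openssh file list, and add that split if it is missing.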
@@ -41,11 +41,10 @@
        $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
        $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
        $(INSTALL) -m 644 ssh-add.1.out 
$(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
-diff --git a/cavstest-kdf.c b/cavstest-kdf.c
-new file mode 100644
-index 0000000..a6ecf45
+Index: openssh-8.4p1/cavstest-kdf.c
+===================================================================
 --- /dev/null
-+++ b/cavstest-kdf.c
++++ openssh-8.4p1/cavstest-kdf.c
 @@ -0,0 +1,402 @@
 +/*
 + * Copyright (C) 2015, Stephan Mueller <smuel...@chronox.de>

++++++ openssh-7.7p1-fips.patch ++++++
--- /var/tmp/diff_new_pack.w6q0YJ/_old  2021-01-19 16:00:56.479266325 +0100
+++ /var/tmp/diff_new_pack.w6q0YJ/_new  2021-01-19 16:00:56.479266325 +0100
@@ -3,11 +3,11 @@
 FIPS 140-2 compliance. Perform selftests on start and use only FIPS approved
 algorithms.
 
-diff --git a/Makefile.in b/Makefile.in
-index 62cd072..d5c37b5 100644
---- a/Makefile.in
-+++ b/Makefile.in
-@@ -114,6 +114,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
+Index: openssh-8.4p1/Makefile.in
+===================================================================
+--- openssh-8.4p1.orig/Makefile.in
++++ openssh-8.4p1/Makefile.in
+@@ -112,6 +112,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
  
  SKOBJS=       ssh-sk-client.o
  
@@ -16,10 +16,10 @@
  SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
        sshconnect.o sshconnect2.o mux.o $(SKOBJS)
  
-diff --git a/cipher-ctr.c b/cipher-ctr.c
-index 32771f2..b66f92f 100644
---- a/cipher-ctr.c
-+++ b/cipher-ctr.c
+Index: openssh-8.4p1/cipher-ctr.c
+===================================================================
+--- openssh-8.4p1.orig/cipher-ctr.c
++++ openssh-8.4p1/cipher-ctr.c
 @@ -27,6 +27,8 @@
  #include "xmalloc.h"
  #include "log.h"
@@ -38,10 +38,10 @@
  #endif
        return (&aes_ctr);
  }
-diff --git a/cipher.c b/cipher.c
-index 8195199..2f5430b 100644
---- a/cipher.c
-+++ b/cipher.c
+Index: openssh-8.4p1/cipher.c
+===================================================================
+--- openssh-8.4p1.orig/cipher.c
++++ openssh-8.4p1/cipher.c
 @@ -51,6 +51,9 @@
  
  #include "openbsd-compat/openssl-compat.h"
@@ -61,7 +61,7 @@
  #ifdef WITH_OPENSSL
  #ifndef OPENSSL_NO_DES
        { "3des-cbc",           8, 24, 0, 0, CFLAG_CBC, EVP_des_ede3_cbc },
-@@ -114,8 +117,52 @@ static const struct sshcipher ciphers[] = {
+@@ -114,8 +117,52 @@ static const struct sshcipher ciphers[]
        { NULL,                 0, 0, 0, 0, 0, NULL }
  };
  
@@ -132,11 +132,10 @@
                if (strcmp(c->name, name) == 0)
                        return c;
        return NULL;
-diff --git a/fips.c b/fips.c
-new file mode 100644
-index 0000000..23e3876
+Index: openssh-8.4p1/fips.c
+===================================================================
 --- /dev/null
-+++ b/fips.c
++++ openssh-8.4p1/fips.c
 @@ -0,0 +1,212 @@
 +/*
 + * Copyright (c) 2012 Petr Cerny.  All rights reserved.
@@ -350,11 +349,10 @@
 +      return dgst;
 +}
 +
-diff --git a/fips.h b/fips.h
-new file mode 100644
-index 0000000..a115a61
+Index: openssh-8.4p1/fips.h
+===================================================================
 --- /dev/null
-+++ b/fips.h
++++ openssh-8.4p1/fips.h
 @@ -0,0 +1,44 @@
 +/*
 + * Copyright (c) 2012 Petr Cerny.  All rights reserved.
@@ -400,11 +398,11 @@
 +
 +#endif
 +
-diff --git a/hmac.c b/hmac.c
-index 7b58801..5a92074 100644
---- a/hmac.c
-+++ b/hmac.c
-@@ -145,7 +145,7 @@ hmac_test(void *key, size_t klen, void *m, size_t mlen, 
u_char *e, size_t elen)
+Index: openssh-8.4p1/hmac.c
+===================================================================
+--- openssh-8.4p1.orig/hmac.c
++++ openssh-8.4p1/hmac.c
+@@ -145,7 +145,7 @@ hmac_test(void *key, size_t klen, void *
        size_t                   i;
        u_char                   digest[16];
  
@@ -413,11 +411,11 @@
                printf("ssh_hmac_start failed");
        if (ssh_hmac_init(ctx, key, klen) < 0 ||
            ssh_hmac_update(ctx, m, mlen) < 0 ||
-diff --git a/kex.c b/kex.c
-index b09fbac..a5e4be7 100644
---- a/kex.c
-+++ b/kex.c
-@@ -63,6 +63,8 @@
+Index: openssh-8.4p1/kex.c
+===================================================================
+--- openssh-8.4p1.orig/kex.c
++++ openssh-8.4p1/kex.c
+@@ -62,6 +62,8 @@
  #include "sshbuf.h"
  #include "digest.h"
  
@@ -426,7 +424,7 @@
  /* prototype */
  static int kex_choose_conf(struct ssh *);
  static int kex_input_newkeys(int, u_int32_t, struct ssh *);
-@@ -86,7 +88,7 @@ struct kexalg {
+@@ -85,7 +87,7 @@ struct kexalg {
        int ec_nid;
        int hash_alg;
  };
@@ -435,7 +433,7 @@
  #ifdef WITH_OPENSSL
        { KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
        { KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
-@@ -117,6 +119,47 @@ static const struct kexalg kexalgs[] = {
+@@ -116,6 +118,47 @@ static const struct kexalg kexalgs[] = {
        { NULL, 0, -1, -1},
  };
  
@@ -483,7 +481,7 @@
  char *
  kex_alg_list(char sep)
  {
-@@ -124,7 +167,7 @@ kex_alg_list(char sep)
+@@ -123,7 +166,7 @@ kex_alg_list(char sep)
        size_t nlen, rlen = 0;
        const struct kexalg *k;
  
@@ -492,7 +490,7 @@
                if (ret != NULL)
                        ret[rlen++] = sep;
                nlen = strlen(k->name);
-@@ -144,7 +187,7 @@ kex_alg_by_name(const char *name)
+@@ -143,7 +186,7 @@ kex_alg_by_name(const char *name)
  {
        const struct kexalg *k;
  
@@ -501,7 +499,7 @@
                if (strcmp(k->name, name) == 0)
                        return k;
        }
-@@ -164,7 +207,10 @@ kex_names_valid(const char *names)
+@@ -163,7 +206,10 @@ kex_names_valid(const char *names)
        for ((p = strsep(&cp, ",")); p && *p != '\0';
            (p = strsep(&cp, ","))) {
                if (kex_alg_by_name(p) == NULL) {
@@ -512,10 +510,10 @@
                        free(s);
                        return 0;
                }
-diff --git a/mac.c b/mac.c
-index f3dda66..90d71c8 100644
---- a/mac.c
-+++ b/mac.c
+Index: openssh-8.4p1/mac.c
+===================================================================
+--- openssh-8.4p1.orig/mac.c
++++ openssh-8.4p1/mac.c
 @@ -41,6 +41,9 @@
  
  #include "openbsd-compat/openssl-compat.h"
@@ -586,7 +584,7 @@
                if (ret != NULL)
                        ret[rlen++] = sep;
                nlen = strlen(m->name);
-@@ -126,7 +164,7 @@ mac_setup(struct sshmac *mac, char *name)
+@@ -126,7 +164,7 @@ mac_setup(struct sshmac *mac, char *name
  {
        const struct macalg *m;
  
@@ -595,10 +593,10 @@
                if (strcmp(name, m->name) != 0)
                        continue;
                if (mac != NULL)
-diff --git a/readconf.c b/readconf.c
-index 26e80c5..595f053 100644
---- a/readconf.c
-+++ b/readconf.c
+Index: openssh-8.4p1/readconf.c
+===================================================================
+--- openssh-8.4p1.orig/readconf.c
++++ openssh-8.4p1/readconf.c
 @@ -68,6 +68,8 @@
  #include "myproposal.h"
  #include "digest.h"
@@ -608,7 +606,7 @@
  /* Format of the configuration file:
  
     # Configuration data is parsed as follows:
-@@ -1908,6 +1910,23 @@ option_clear_or_none(const char *o)
+@@ -1949,6 +1951,23 @@ option_clear_or_none(const char *o)
        return o == NULL || strcasecmp(o, "none") == 0;
  }
  
@@ -632,7 +630,7 @@
  /*
   * Initializes options to special values that indicate that they have not yet
   * been set.  Read_config_file will only set options with this value. Options
-@@ -2196,6 +2215,9 @@ fill_default_options(Options * options)
+@@ -2240,6 +2259,9 @@ fill_default_options(Options * options)
                options->canonicalize_hostname = SSH_CANONICALISE_NO;
        if (options->fingerprint_hash == -1)
                options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
@@ -642,7 +640,7 @@
  #ifdef ENABLE_SK_INTERNAL
        if (options->sk_provider == NULL)
                options->sk_provider = xstrdup("internal");
-@@ -2229,6 +2251,7 @@ fill_default_options(Options * options)
+@@ -2273,6 +2295,7 @@ fill_default_options(Options * options)
        ASSEMBLE(pubkey_key_types, def_key, all_key);
        ASSEMBLE(ca_sign_algorithms, def_sig, all_sig);
  #undef ASSEMBLE
@@ -650,7 +648,7 @@
        free(all_cipher);
        free(all_mac);
        free(all_kex);
-@@ -2240,6 +2263,8 @@ fill_default_options(Options * options)
+@@ -2284,6 +2307,8 @@ fill_default_options(Options * options)
        kex_default_pk_alg_filtered = def_key; /* save for later use */
        free(def_sig);
  
@@ -659,11 +657,11 @@
  #define CLEAR_ON_NONE(v) \
        do { \
                if (option_clear_or_none(v)) { \
-diff --git a/readconf.h b/readconf.h
-index e143a10..ef18d5c 100644
---- a/readconf.h
-+++ b/readconf.h
-@@ -199,6 +199,7 @@ typedef struct {
+Index: openssh-8.4p1/readconf.h
+===================================================================
+--- openssh-8.4p1.orig/readconf.h
++++ openssh-8.4p1/readconf.h
+@@ -200,6 +200,7 @@ typedef struct {
  #define SSH_STRICT_HOSTKEY_YES        2
  #define SSH_STRICT_HOSTKEY_ASK        3
  
@@ -671,11 +669,11 @@
  const char *kex_default_pk_alg(void);
  char  *ssh_connection_hash(const char *thishost, const char *host,
      const char *portstr, const char *user);
-diff --git a/servconf.c b/servconf.c
-index 6be7274..9a51bfb 100644
---- a/servconf.c
-+++ b/servconf.c
-@@ -69,6 +69,7 @@
+Index: openssh-8.4p1/servconf.c
+===================================================================
+--- openssh-8.4p1.orig/servconf.c
++++ openssh-8.4p1/servconf.c
+@@ -70,6 +70,7 @@
  #include "auth.h"
  #include "myproposal.h"
  #include "digest.h"
@@ -683,7 +681,7 @@
  
  static void add_listen_addr(ServerOptions *, const char *,
      const char *, int);
-@@ -200,6 +201,23 @@ option_clear_or_none(const char *o)
+@@ -201,6 +202,23 @@ option_clear_or_none(const char *o)
        return o == NULL || strcasecmp(o, "none") == 0;
  }
  
@@ -707,7 +705,7 @@
  static void
  assemble_algorithms(ServerOptions *o)
  {
-@@ -241,6 +259,8 @@ assemble_algorithms(ServerOptions *o)
+@@ -242,6 +260,8 @@ assemble_algorithms(ServerOptions *o)
        free(def_kex);
        free(def_key);
        free(def_sig);
@@ -716,7 +714,7 @@
  }
  
  static void
-@@ -453,6 +473,8 @@ fill_default_server_options(ServerOptions *options)
+@@ -454,6 +474,8 @@ fill_default_server_options(ServerOption
                options->fwd_opts.streamlocal_bind_unlink = 0;
        if (options->fingerprint_hash == -1)
                options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
@@ -725,10 +723,10 @@
        if (options->disable_forwarding == -1)
                options->disable_forwarding = 0;
        if (options->expose_userauth_info == -1)
-diff --git a/ssh-keygen.c b/ssh-keygen.c
-index 944faca..c1ecc54 100644
---- a/ssh-keygen.c
-+++ b/ssh-keygen.c
+Index: openssh-8.4p1/ssh-keygen.c
+===================================================================
+--- openssh-8.4p1.orig/ssh-keygen.c
++++ openssh-8.4p1/ssh-keygen.c
 @@ -66,6 +66,8 @@
  #include "ssh-sk.h"
  #include "sk-api.h" /* XXX for SSH_SK_USER_PRESENCE_REQD; remove */
@@ -738,7 +736,7 @@
  #ifdef WITH_OPENSSL
  # define DEFAULT_KEY_TYPE_NAME "rsa"
  #else
-@@ -1032,11 +1034,13 @@ do_fingerprint(struct passwd *pw)
+@@ -1036,11 +1038,13 @@ do_fingerprint(struct passwd *pw)
  static void
  do_gen_all_hostkeys(struct passwd *pw)
  {
@@ -754,7 +752,7 @@
  #ifdef WITH_OPENSSL
                { "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE },
                { "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE },
-@@ -1051,6 +1055,17 @@ do_gen_all_hostkeys(struct passwd *pw)
+@@ -1055,6 +1059,17 @@ do_gen_all_hostkeys(struct passwd *pw)
                { NULL, NULL, NULL }
        };
  
@@ -772,7 +770,7 @@
        u_int32_t bits = 0;
        int first = 0;
        struct stat st;
-@@ -1058,6 +1073,12 @@ do_gen_all_hostkeys(struct passwd *pw)
+@@ -1062,6 +1077,12 @@ do_gen_all_hostkeys(struct passwd *pw)
        char comment[1024], *prv_tmp, *pub_tmp, *prv_file, *pub_file;
        int i, type, fd, r;
  
@@ -785,7 +783,7 @@
        for (i = 0; key_types[i].key_type; i++) {
                public = private = NULL;
                prv_tmp = pub_tmp = prv_file = pub_file = NULL;
-@@ -3532,6 +3553,15 @@ main(int argc, char **argv)
+@@ -3586,6 +3607,15 @@ main(int argc, char **argv)
                key_type_name = DEFAULT_KEY_TYPE_NAME;
  
        type = sshkey_type_from_name(key_type_name);
@@ -801,11 +799,11 @@
        type_bits_valid(type, key_type_name, &bits);
  
        if (!quiet)
-diff --git a/ssh_config.5 b/ssh_config.5
-index c45fb8d..55d4b5e 100644
---- a/ssh_config.5
-+++ b/ssh_config.5
-@@ -669,6 +669,8 @@ Valid options are:
+Index: openssh-8.4p1/ssh_config.5
+===================================================================
+--- openssh-8.4p1.orig/ssh_config.5
++++ openssh-8.4p1/ssh_config.5
+@@ -682,6 +682,8 @@ Valid options are:
  and
  .Cm sha256
  (the default).
@@ -814,11 +812,11 @@
  .It Cm ForwardAgent
  Specifies whether the connection to the authentication agent (if any)
  will be forwarded to the remote machine.
-diff --git a/sshd.c b/sshd.c
-index a24241c..e18078f 100644
---- a/sshd.c
-+++ b/sshd.c
-@@ -128,6 +128,8 @@
+Index: openssh-8.4p1/sshd.c
+===================================================================
+--- openssh-8.4p1.orig/sshd.c
++++ openssh-8.4p1/sshd.c
+@@ -124,6 +124,8 @@
  #include "ssherr.h"
  #include "sk-api.h"
  
@@ -827,10 +825,10 @@
  /* Re-exec fds */
  #define REEXEC_DEVCRYPTO_RESERVED_FD  (STDERR_FILENO + 1)
  #define REEXEC_STARTUP_PIPE_FD                (STDERR_FILENO + 2)
-diff --git a/sshd_config.5 b/sshd_config.5
-index 52552d2..35affe5 100644
---- a/sshd_config.5
-+++ b/sshd_config.5
+Index: openssh-8.4p1/sshd_config.5
+===================================================================
+--- openssh-8.4p1.orig/sshd_config.5
++++ openssh-8.4p1/sshd_config.5
 @@ -594,6 +594,8 @@ and
  .Cm sha256 .
  The default is

++++++ openssh-7.7p1-fips_checks.patch ++++++
--- /var/tmp/diff_new_pack.w6q0YJ/_old  2021-01-19 16:00:56.499266355 +0100
+++ /var/tmp/diff_new_pack.w6q0YJ/_new  2021-01-19 16:00:56.499266355 +0100
@@ -14,11 +14,10 @@
 # file is not found (or the hash matches), proceed in non-FIPS mode and abort
 # otherwise.
 
-diff --git a/fips-check.c b/fips-check.c
-new file mode 100644
-index 0000000..eceb031
+Index: openssh-8.4p1/fips-check.c
+===================================================================
 --- /dev/null
-+++ b/fips-check.c
++++ openssh-8.4p1/fips-check.c
 @@ -0,0 +1,34 @@
 +#include "includes.h"
 +#include <fcntl.h>
@@ -54,10 +53,10 @@
 +    fips_ssh_init();
 +      return 0;
 +}
-diff --git a/fips.c b/fips.c
-index 23e3876..297ae99 100644
---- a/fips.c
-+++ b/fips.c
+Index: openssh-8.4p1/fips.c
+===================================================================
+--- openssh-8.4p1.orig/fips.c
++++ openssh-8.4p1/fips.c
 @@ -35,30 +35,293 @@
  #include "log.h"
  #include "xmalloc.h"
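Review bot: the fips-check.c tail at the top of this hunk ends in `fips_ssh_init();` followed by an unconditional `return 0;`, so the helper's exit status never reflects the outcome of the check and a failure is signalled only by fips_ssh_init() aborting, as the "abort otherwise" wording in the patch header implies. A one-line comment above the call stating that it does not return on a failed check would save whoever refreshes this patch next from reading fips.c to confirm it. The two lines also appear to be indented differently, which is worth normalising while the patch is being touched.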
@@ -246,7 +245,9 @@
  {
        int fips_required = 0;
 -      char *env = getenv(SSH_FORCE_FIPS_ENV);
--
++      int fips_fd;
++      char fips_sys = 0;
+ 
 -      if (env) {
 -              errno = 0;
 -              fips_required = strtol(env, NULL, 10);
@@ -256,9 +257,6 @@
 -                      fips_required = 0;
 -              } else
 -                      fips_required = 1;
-+      int fips_fd;
-+      char fips_sys = 0;
-+
 +      struct stat dummy;
 +      if (-1 == stat(FIPS_PROC_PATH, &dummy)) {
 +              switch (errno) {
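Review bot: `stat(FIPS_PROC_PATH, &dummy)` is used here purely as an existence probe (the result lands in a variable named `dummy`) directly after `int fips_fd;` is declared, which suggests the same path is opened a few lines later. If that is the case, open the file directly and branch on errno from open() instead; that removes the gap between the probe and the read and drops the otherwise unused struct stat. The lines shown also remove the `getenv(SSH_FORCE_FIPS_ENV)` branch, so any documentation or test that still refers to that override should be updated with this refresh.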
@@ -364,10 +362,10 @@
  int
  fips_mode(void)
  {
-diff --git a/fips.h b/fips.h
-index a115a61..3404684 100644
---- a/fips.h
-+++ b/fips.h
+Index: openssh-8.4p1/fips.h
+===================================================================
+--- openssh-8.4p1.orig/fips.h
++++ openssh-8.4p1/fips.h
 @@ -1,5 +1,5 @@
  /*
 - * Copyright (c) 2012 Petr Cerny.  All rights reserved.
@@ -404,15 +402,15 @@
  int    fips_mode(void);
  int    fips_correct_dgst(int);
  int    fips_dgst_min(void);
-@@ -41,4 +56,3 @@ enum fp_type  fips_correct_fp_type(enum fp_type);
+@@ -41,4 +56,3 @@ enum fp_type  fips_correct_fp_type(enum
  int    fips_filter_crypto(char **, fips_filters);
  
  #endif
 -
-diff --git a/sftp-server.c b/sftp-server.c
-index 359204f..d6395fd 100644
---- a/sftp-server.c
-+++ b/sftp-server.c
+Index: openssh-8.4p1/sftp-server.c
+===================================================================
+--- openssh-8.4p1.orig/sftp-server.c
++++ openssh-8.4p1/sftp-server.c
 @@ -53,6 +53,8 @@
  
  char *sftp_realpath(const char *, char *); /* sftp-realpath.c */
@@ -422,7 +420,7 @@
  /* Our verbosity */
  static LogLevel log_level = SYSLOG_LEVEL_ERROR;
  
-@@ -1576,6 +1578,9 @@ sftp_server_main(int argc, char **argv, struct passwd 
*user_pw)
+@@ -1577,6 +1579,9 @@ sftp_server_main(int argc, char **argv,
        extern char *optarg;
        extern char *__progname;
  
@@ -432,10 +430,10 @@
        __progname = ssh_get_progname(argv[0]);
        log_init(__progname, log_level, log_facility, log_stderr);
  
-diff --git a/ssh.c b/ssh.c
-index 98b6ce7..dce28fd 100644
---- a/ssh.c
-+++ b/ssh.c
+Index: openssh-8.4p1/ssh.c
+===================================================================
+--- openssh-8.4p1.orig/ssh.c
++++ openssh-8.4p1/ssh.c
 @@ -113,6 +113,8 @@
  #include "ssh-pkcs11.h"
  #endif
@@ -445,9 +443,9 @@
  extern char *__progname;
  
  /* Saves a copy of argv for setproctitle emulation */
-@@ -630,6 +632,10 @@ main(int ac, char **av)
-       struct addrinfo *addrs = NULL;
+@@ -658,6 +660,10 @@ main(int ac, char **av)
        size_t n, len;
+       u_int j;
  
 +      /* initialize fips - can go before ssh_malloc_init(), since that is a
 +       * OpenBSD-only thing (as of OpenSSH 7.6p1) */
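Review bot: the comment added before the fips initialisation in ssh.c main() still justifies the call order with "as of OpenSSH 7.6p1", while this refresh rebases the patch onto openssh-8.4p1 and the surrounding context has already shifted (the hunk now sits after `u_int j;`). Please re-check that the ssh_malloc_init() statement still holds for 8.4p1 and update the version in the comment, or drop the version reference so it does not go stale again. While there, "a OpenBSD-only thing" should read "an OpenBSD-only thing".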
@@ -456,11 +454,11 @@
        /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
        sanitise_stdfd();
  
-diff --git a/sshd.c b/sshd.c
-index b2146a6..6092f0f 100644
---- a/sshd.c
-+++ b/sshd.c
-@@ -1505,6 +1505,10 @@ main(int ac, char **av)
+Index: openssh-8.4p1/sshd.c
+===================================================================
+--- openssh-8.4p1.orig/sshd.c
++++ openssh-8.4p1/sshd.c
+@@ -1545,6 +1545,10 @@ main(int ac, char **av)
        Authctxt *authctxt;
        struct connection_info *connection_info = NULL;
  

++++++ openssh-7.7p1-hostname_changes_when_forwarding_X.patch ++++++
--- /var/tmp/diff_new_pack.w6q0YJ/_old  2021-01-19 16:00:56.519266385 +0100
+++ /var/tmp/diff_new_pack.w6q0YJ/_new  2021-01-19 16:00:56.523266392 +0100
@@ -3,11 +3,11 @@
 # -- uset do be called '-xauthlocalhostname'
 handle hostname changes when forwarding X
 
-diff --git a/session.c b/session.c
-index 18cdfa8..85a9ee2 100644
---- a/session.c
-+++ b/session.c
-@@ -985,7 +985,7 @@ copy_environment(char **source, char ***env, u_int 
*envsize)
+Index: openssh-8.4p1/session.c
+===================================================================
+--- openssh-8.4p1.orig/session.c
++++ openssh-8.4p1/session.c
+@@ -985,7 +985,7 @@ copy_environment(char **source, char ***
  #endif
  
  static char **
@@ -16,7 +16,7 @@
  {
        char buf[256];
        size_t n;
-@@ -1195,6 +1195,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char 
*shell)
+@@ -1195,6 +1195,8 @@ do_setup_env(struct ssh *ssh, Session *s
                for (i = 0; env[i]; i++)
                        fprintf(stderr, "  %.200s\n", env[i]);
        }
@@ -25,7 +25,7 @@
        return env;
  }
  
-@@ -1203,7 +1205,7 @@ do_setup_env(struct ssh *ssh, Session *s, const char 
*shell)
+@@ -1203,7 +1205,7 @@ do_setup_env(struct ssh *ssh, Session *s
   * first in this order).
   */
  static void
@@ -33,9 +33,9 @@
 +do_rc_files(struct ssh *ssh, Session *s, const char *shell, char **env, int 
*env_size)
  {
        FILE *f = NULL;
-       char cmd[1024];
-@@ -1258,12 +1260,20 @@ do_rc_files(struct ssh *ssh, Session *s, const char 
*shell)
-                   options.xauth_location);
+       char *cmd = NULL, *user_rc = NULL;
+@@ -1260,12 +1262,20 @@ do_rc_files(struct ssh *ssh, Session *s,
+                       fatal("%s: xasprintf: %s", __func__, strerror(errno));
                f = popen(cmd, "w");
                if (f) {
 +                      char hostname[MAXHOSTNAMELEN];
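Review bot: the new do_rc_files() signature takes `int *env_size`, whereas copy_environment() in the same file, visible in the first hunk header of this patch, uses `u_int *envsize`. Passing the environment size through a signed pointer invites a cast or a signed/unsigned mismatch at the call site; declare the parameter as `u_int *` to match. The `char hostname[MAXHOSTNAMELEN];` buffer added inside the `if (f)` block should also be explicitly NUL-terminated after it is filled, since the code that fills it is not part of the lines shown here.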
@@ -55,7 +55,7 @@
                } else {
                        fprintf(stderr, "Could not run %s\n",
                            cmd);
-@@ -1519,6 +1529,7 @@ do_child(struct ssh *ssh, Session *s, const char 
*command)
+@@ -1526,6 +1536,7 @@ do_child(struct ssh *ssh, Session *s, co
        char **env, *argv[ARGV_MAX], remote_id[512];
        const char *shell, *shell0;
        struct passwd *pw = s->pw;
@@ -63,7 +63,7 @@
        int r = 0;
  
        sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id));
-@@ -1575,7 +1586,7 @@ do_child(struct ssh *ssh, Session *s, const char 
*command)
+@@ -1582,7 +1593,7 @@ do_child(struct ssh *ssh, Session *s, co
         * Make sure $SHELL points to the shell from the password file,
         * even if shell is overridden from login.conf
         */
@@ -72,7 +72,7 @@
  
  #ifdef HAVE_LOGIN_CAP
        shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell);
-@@ -1639,7 +1650,7 @@ do_child(struct ssh *ssh, Session *s, const char 
*command)
+@@ -1646,7 +1657,7 @@ do_child(struct ssh *ssh, Session *s, co
  
        closefrom(STDERR_FILENO + 1);
  

++++++ openssh-7.7p1-pam_check_locks.patch ++++++
--- /var/tmp/diff_new_pack.w6q0YJ/_old  2021-01-19 16:00:56.543266421 +0100
+++ /var/tmp/diff_new_pack.w6q0YJ/_new  2021-01-19 16:00:56.547266428 +0100
@@ -5,11 +5,11 @@
 
 bnc#708678, FATE#312033
 
-Index: openssh-7.8p1/auth.c
+Index: openssh-8.4p1/auth.c
 ===================================================================
---- openssh-7.8p1.orig/auth.c
-+++ openssh-7.8p1/auth.c
-@@ -112,7 +112,7 @@ allowed_user(struct passwd * pw)
+--- openssh-8.4p1.orig/auth.c
++++ openssh-8.4p1/auth.c
+@@ -113,7 +113,7 @@ allowed_user(struct ssh *ssh, struct pas
                return 0;
  
  #ifdef USE_SHADOW
@@ -18,7 +18,7 @@
                spw = getspnam(pw->pw_name);
  #ifdef HAS_SHADOW_EXPIRE
        if (!options.use_pam && spw != NULL && auth_shadow_acctexpired(spw))
-@@ -132,7 +132,7 @@ allowed_user(struct passwd * pw)
+@@ -133,7 +133,7 @@ allowed_user(struct ssh *ssh, struct pas
  #endif
  
        /* check for locked account */
@@ -27,11 +27,11 @@
                int locked = 0;
  
  #ifdef LOCKED_PASSWD_STRING
-Index: openssh-7.8p1/servconf.c
+Index: openssh-8.4p1/servconf.c
 ===================================================================
---- openssh-7.8p1.orig/servconf.c
-+++ openssh-7.8p1/servconf.c
-@@ -83,6 +83,7 @@ initialize_server_options(ServerOptions
+--- openssh-8.4p1.orig/servconf.c
++++ openssh-8.4p1/servconf.c
+@@ -92,6 +92,7 @@ initialize_server_options(ServerOptions
  
        /* Portable-specific options */
        options->use_pam = -1;
@@ -39,7 +39,7 @@
  
        /* Standard Options */
        options->num_ports = 0;
-@@ -259,6 +260,8 @@ fill_default_server_options(ServerOption
+@@ -300,6 +301,8 @@ fill_default_server_options(ServerOption
        /* Portable-specific options */
        if (options->use_pam == -1)
                options->use_pam = 0;
@@ -48,7 +48,7 @@
  
        /* Standard Options */
        if (options->num_host_key_files == 0) {
-@@ -459,7 +462,7 @@ fill_default_server_options(ServerOption
+@@ -501,7 +504,7 @@ fill_default_server_options(ServerOption
  typedef enum {
        sBadOption,             /* == unknown option */
        /* Portable-specific options */
@@ -57,7 +57,7 @@
        /* Standard Options */
        sPort, sHostKeyFile, sLoginGraceTime,
        sPermitRootLogin, sLogFacility, sLogLevel,
-@@ -509,8 +512,10 @@ static struct {
+@@ -553,8 +556,10 @@ static struct {
        /* Portable-specific options */
  #ifdef USE_PAM
        { "usepam", sUsePAM, SSHCFG_GLOBAL },
@@ -68,7 +68,7 @@
  #endif
        { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
        /* Standard Options */
-@@ -1250,6 +1255,9 @@ process_server_config_line(ServerOptions
+@@ -1318,6 +1323,9 @@ process_server_config_line_depth(ServerO
        case sUsePAM:
                intptr = &options->use_pam;
                goto parse_flag;
@@ -78,11 +78,11 @@
  
        /* Standard Options */
        case sBadOption:
-Index: openssh-7.8p1/servconf.h
+Index: openssh-8.4p1/servconf.h
 ===================================================================
---- openssh-7.8p1.orig/servconf.h
-+++ openssh-7.8p1/servconf.h
-@@ -181,6 +181,7 @@ typedef struct {
+--- openssh-8.4p1.orig/servconf.h
++++ openssh-8.4p1/servconf.h
+@@ -195,6 +195,7 @@ typedef struct {
        char   *adm_forced_command;
  
        int     use_pam;                /* Enable auth via PAM */
@@ -90,11 +90,11 @@
  
        int     permit_tun;
  
-Index: openssh-7.8p1/sshd_config.0
+Index: openssh-8.4p1/sshd_config.0
 ===================================================================
---- openssh-7.8p1.orig/sshd_config.0
-+++ openssh-7.8p1/sshd_config.0
-@@ -961,6 +961,14 @@ DESCRIPTION
+--- openssh-8.4p1.orig/sshd_config.0
++++ openssh-8.4p1/sshd_config.0
+@@ -1032,6 +1032,14 @@ DESCRIPTION
               If UsePAM is enabled, you will not be able to run sshd(8) as a
               non-root user.  The default is no.
  
@@ -109,11 +109,11 @@
       VersionAddendum
               Optionally specifies additional text to append to the SSH
               protocol banner sent by the server upon connection.  The default
-Index: openssh-7.8p1/sshd_config.5
+Index: openssh-8.4p1/sshd_config.5
 ===================================================================
---- openssh-7.8p1.orig/sshd_config.5
-+++ openssh-7.8p1/sshd_config.5
-@@ -1613,6 +1613,18 @@ is enabled, you will not be able to run
+--- openssh-8.4p1.orig/sshd_config.5
++++ openssh-8.4p1/sshd_config.5
+@@ -1718,6 +1718,18 @@ is enabled, you will not be able to run
  as a non-root user.
  The default is
  .Cm no .
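Review bot: this patch documents the new option twice, once in sshd_config.0 (the hunk at -1032 above, 8 added lines) and once here in sshd_config.5 (12 added lines), and the two copies have to be kept in step by hand on every refresh. sshd_config.0 is the preformatted counterpart of sshd_config.5, so consider patching only the .5 source and regenerating the .0 file during the build, which removes one place where the option text can drift from the code in servconf.c.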

++++++ openssh-7.7p1-sftp_force_permissions.patch ++++++
--- /var/tmp/diff_new_pack.w6q0YJ/_old  2021-01-19 16:00:56.583266482 +0100
+++ /var/tmp/diff_new_pack.w6q0YJ/_new  2021-01-19 16:00:56.583266482 +0100
@@ -1,14 +1,16 @@
---- original/sftp-server.8     2016-12-19 04:59:41.000000000 +0000
-+++ original/sftp-server.8     2017-11-23 08:47:01.267239186 +0000
-@@ -38,6 +38,7 @@ 
- .Op Fl P Ar blacklisted_requests
- .Op Fl p Ar whitelisted_requests
+Index: openssh-8.4p1/sftp-server.8
+===================================================================
+--- openssh-8.4p1.orig/sftp-server.8
++++ openssh-8.4p1/sftp-server.8
+@@ -38,6 +38,7 @@
+ .Op Fl P Ar denied_requests
+ .Op Fl p Ar allowed_requests
  .Op Fl u Ar umask
 +.Op Fl m Ar force_file_dir_perms
  .Ek
  .Nm
  .Fl Q Ar protocol_feature
-@@ -138,6 +139,10 @@ 
+@@ -138,6 +139,10 @@ Sets an explicit
  .Xr umask 2
  to be applied to newly-created files and directories, instead of the
  user's default mask.
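Review bot: the synopsis places `.Op Fl m Ar force_file_dir_perms` after `.Op Fl u Ar umask`, while the rest of the option list is alphabetical (`P`, `p`, `u`), so `-m` belongs before `-P`. The description is inserted right after the `-u` text about the umask applied to newly-created files and directories; please make sure the added paragraph states which of the two wins when both `-m` and `-u` are given, because an administrator relying on forced permissions needs to know whether the umask can still clear bits.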
@@ -19,9 +21,11 @@
  .El
  .Pp
  On some systems,
---- original/sftp-server.c     2016-12-19 04:59:41.000000000 +0000
-+++ original/sftp-server.c     2017-11-23 13:07:08.481765581 +0000
-@@ -65,6 +65,10 @@ 
+Index: openssh-8.4p1/sftp-server.c
+===================================================================
+--- openssh-8.4p1.orig/sftp-server.c
++++ openssh-8.4p1/sftp-server.c
+@@ -69,6 +69,10 @@ struct sshbuf *oqueue;
  /* Version of client */
  static u_int version;
  
@@ -32,7 +36,7 @@
  /* SSH2_FXP_INIT received */
  static int init_done;
  
-@@ -679,6 +683,7 @@ 
+@@ -687,6 +691,7 @@ process_open(u_int32_t id)
        Attrib a;
        char *name;
        int r, handle, fd, flags, mode, status = SSH2_FX_FAILURE;
@@ -40,7 +44,7 @@
  
        if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0 ||
            (r = sshbuf_get_u32(iqueue, &pflags)) != 0 || /* portable flags */
-@@ -688,6 +693,10 @@ 
+@@ -696,6 +701,10 @@ process_open(u_int32_t id)
        debug3("request %u: open flags %d", id, pflags);
        flags = flags_from_portable(pflags);
        mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a.perm : 0666;
@@ -51,7 +55,7 @@
        logit("open \"%s\" flags %s mode 0%o",
            name, string_from_portable(pflags), mode);
        if (readonly &&
-@@ -709,6 +718,8 @@ 
+@@ -717,6 +726,8 @@ process_open(u_int32_t id)
                        }
                }
        }
@@ -60,7 +64,7 @@
        if (status != SSH2_FX_OK)
                send_status(id, status);
        free(name);
-@@ -1110,6 +1121,7 @@ 
+@@ -1131,6 +1142,7 @@ process_mkdir(u_int32_t id)
        Attrib a;
        char *name;
        int r, mode, status = SSH2_FX_FAILURE;
@@ -68,7 +72,7 @@
  
        if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0 ||
            (r = decode_attrib(iqueue, &a)) != 0)
-@@ -1117,9 +1129,16 @@ 
+@@ -1138,9 +1150,16 @@ process_mkdir(u_int32_t id)
  
        mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ?
            a.perm & 07777 : 0777;
@@ -85,16 +89,16 @@
        status = (r == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
        send_status(id, status);
        free(name);
-@@ -1490,7 +1509,7 @@ 
+@@ -1560,7 +1579,7 @@ sftp_server_usage(void)
        fprintf(stderr,
            "usage: %s [-ehR] [-d start_directory] [-f log_facility] "
-           "[-l log_level]\n\t[-P blacklisted_requests] "
--          "[-p whitelisted_requests] [-u umask]\n"
-+          "[-p whitelisted_requests] [-u umask] [-m force_file_dir_perms]\n"
+           "[-l log_level]\n\t[-P denied_requests] "
+-          "[-p allowed_requests] [-u umask]\n"
++          "[-p allowed_requests] [-u umask] [-m force_file_dir_perms]\n"
            "       %s -Q protocol_feature\n",
            __progname, __progname);
        exit(1);
-@@ -1516,7 +1535,7 @@ 
+@@ -1588,7 +1607,7 @@ sftp_server_main(int argc, char **argv,
        pw = pwcopy(user_pw);
  
        while (!skipargs && (ch = getopt(argc, argv,
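Review bot: in sftp_server_usage() the second line of the usage text now reads `"[-p allowed_requests] [-u umask] [-m force_file_dir_perms]\n"` after a leading tab and `[-P denied_requests]`, which pushes the printed line to 87 columns. Break the string after `[-u umask]` and start a new tab-indented line for `[-m force_file_dir_perms]` so the output stays within 80 columns like the line above it.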
@@ -103,7 +107,7 @@
                switch (ch) {
                case 'Q':
                        if (strcasecmp(optarg, "requests") != 0) {
-@@ -1576,6 +1595,15 @@ 
+@@ -1650,6 +1669,15 @@ sftp_server_main(int argc, char **argv,
                                fatal("Invalid umask \"%s\"", optarg);
                        (void)umask((mode_t)mask);
                        break;

++++++ openssh-7.7p1-sftp_print_diagnostic_messages.patch ++++++
--- /var/tmp/diff_new_pack.w6q0YJ/_old  2021-01-19 16:00:56.603266512 +0100
+++ /var/tmp/diff_new_pack.w6q0YJ/_new  2021-01-19 16:00:56.603266512 +0100
@@ -2,11 +2,11 @@
 # Parent  60bdbe6dd8d6bc011883472363d56e1d97f68835
 Put back sftp client diagnostic messages in batch mode
 
-diff --git a/sftp.1 b/sftp.1
-index a305b37..6e802ec 100644
---- a/sftp.1
-+++ b/sftp.1
-@@ -282,6 +282,9 @@ Specifies the port to connect to on the remote host.
+Index: openssh-8.4p1/sftp.1
+===================================================================
+--- openssh-8.4p1.orig/sftp.1
++++ openssh-8.4p1/sftp.1
+@@ -287,6 +287,9 @@ Specifies the port to connect to on the
  .It Fl p
  Preserves modification times, access times, and modes from the
  original files transferred.
@@ -16,10 +16,10 @@
  .It Fl q
  Quiet mode: disables the progress meter as well as warning and
  diagnostic messages from
-diff --git a/sftp.c b/sftp.c
-index 2799e4a..52b2c23 100644
---- a/sftp.c
-+++ b/sftp.c
+Index: openssh-8.4p1/sftp.c
+===================================================================
+--- openssh-8.4p1.orig/sftp.c
++++ openssh-8.4p1/sftp.c
 @@ -85,6 +85,9 @@ static volatile pid_t sshpid = -1;
  /* Suppress diagnositic messages */
  int quiet = 0;
@@ -30,15 +30,15 @@
  /* This is set to 0 if the progressmeter is not desired. */
  int showprogress = 1;
  
-@@ -2409,7 +2412,7 @@ main(int argc, char **argv)
+@@ -2408,7 +2411,7 @@ main(int argc, char **argv)
        infile = stdin;
  
        while ((ch = getopt(argc, argv,
--          "1246afhNpqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) {
-+          "1246afhNpQqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) {
+-          "1246AafhNpqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) {
++          "1246AafhNpQqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) {
                switch (ch) {
                /* Passed through to ssh(1) */
-               case '4':
+               case 'A':
 @@ -2426,6 +2429,9 @@ main(int argc, char **argv)
                        addargs(&args, "-%c", ch);
                        addargs(&args, "%s", optarg);
@@ -56,5 +56,5 @@
 +      if (batchmode && loud)
 +              quiet = 0;
  
-       if (!isatty(STDERR_FILENO))
-               showprogress = 0;
+       /* Do this last because we want the user to be able to override it */
+       addargs(&args, "-oForwardAgent no");
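Review bot: `if (batchmode && loud) quiet = 0;` clears `quiet` unconditionally, so an explicit `-q` on the same command line as `-b` and `-Q` is silently overridden. If `quiet` is only ever set implicitly by batch mode at this point that is fine, but then a short comment saying so would help; otherwise track whether `-q` was given explicitly and let it take precedence. With the 8.4p1 context this block now sits directly above the "Do this last" comment for `-oForwardAgent no`, so keep it above that comment on future refreshes to preserve the ordering the comment promises.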

++++++ openssh-8.1p1-audit.patch ++++++
++++ 1001 lines (skipped)
++++ between /work/SRC/openSUSE:Factory/openssh/openssh-8.1p1-audit.patch
++++ and /work/SRC/openSUSE:Factory/.openssh.new.28504/openssh-8.1p1-audit.patch

++++++ openssh-8.3p1.tar.gz -> openssh-8.4p1.tar.gz ++++++
++++ 18641 lines of diff (skipped)
