Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package openssh for openSUSE:Factory checked in at 2022-03-09 18:47:00
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openssh (Old)
 and /work/SRC/openSUSE:Factory/.openssh.new.2349 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssh" Wed Mar 9 18:47:00 2022 rev:155 rq:960152 version:8.9p1 Changes: -------- --- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2021-10-11 16:48:39.962172529 +0200 +++ /work/SRC/openSUSE:Factory/.openssh.new.2349/openssh.changes 2022-03-11 11:48:33.326793554 +0100 
@@ -1,0 +2,170 @@ +Mon Mar 7 18:00:09 UTC 2022 - Hans Petter Jansson <h...@suse.com> + +- Version update to 8.9p1: + = Security + * sshd(8): fix an integer overflow in the user authentication path + that, in conjunction with other logic errors, could have yielded + unauthenticated access under difficult to exploit conditions. + + This situation is not exploitable because of independent checks in + the privilege separation monitor. Privilege separation has been + enabled by default in since openssh-3.2.2 (released in 2002) and + has been mandatory since openssh-7.5 (released in 2017). Moreover, + portable OpenSSH has used toolchain features available in most + modern compilers to abort on signed integer overflow since + openssh-6.5 (released in 2014). + + Thanks to Malcolm Stagg for finding and reporting this bug. + + = Potentially-incompatible changes + * sshd(8), portable OpenSSH only: this release removes in-built + support for MD5-hashed passwords. If you require these on your + system then we recommend linking against libxcrypt or similar. + * This release modifies the FIDO security key middleware interface + and increments SSH_SK_VERSION_MAJOR. + + = New features + * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for + restricting forwarding and use of keys added to ssh-agent(1) + A detailed description of the feature is available at + https://www.openssh.com/agent-restrict.html and the protocol + extensions are documented in the PROTOCOL and PROTOCOL.agent + files in the source release. + * ssh(1), sshd(8): add the sntrup761x25519-sha...@openssh.com hybrid + ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the + default KEXAlgorithms list (after the ECDH methods but before the + prime-group DH ones). The next release of OpenSSH is likely to + make this key exchange the default method. 
+ * ssh-keygen(1): when downloading resident keys from a FIDO token, + pass back the user ID that was used when the key was created and + append it to the filename the key is written to (if it is not the + default). Avoids keys being clobbered if the user created multiple + resident keys with the same application string but different user + IDs. + * ssh-keygen(1), ssh(1), ssh-agent(1): better handling for FIDO keys + on tokens that provide user verification (UV) on the device itself, + including biometric keys, avoiding unnecessary PIN prompts. + * ssh-keygen(1): add "ssh-keygen -Y match-principals" operation to + perform matching of principals names against an allowed signers + file. To be used towards a TOFU model for SSH signatures in git. + * ssh-add(1), ssh-agent(1): allow pin-required FIDO keys to be added + to ssh-agent(1). $SSH_ASKPASS will be used to request the PIN at + authentication time. + * ssh-keygen(1): allow selection of hash at sshsig signing time + (either sha512 (default) or sha256). + * ssh(1), sshd(8): read network data directly to the packet input + buffer instead of indirectly via a small stack buffer. Provides a + modest performance improvement. + * ssh(1), sshd(8): read data directly to the channel input buffer, + providing a similar modest performance improvement. + * ssh(1): extend the PubkeyAuthentication configuration directive to + accept yes|no|unbound|host-bound to allow control over one of the + protocol extensions used to implement agent-restricted keys. + + = Bugfixes + * sshd(8): document that CASignatureAlgorithms, ExposeAuthInfo and + PubkeyAuthOptions can be used in a Match block. PR277. + * sshd(8): fix possible string truncation when constructing paths to + .rhosts/.shosts files with very long user home directory names. + * ssh-keysign(1): unbreak for KEX algorithms that use SHA384/512 + exchange hashes + * ssh(1): don't put the TTY into raw mode when SessionType=none, + avoids ^C being unable to kill such a session. 
bz3360 + * scp(1): fix some corner-case bugs in SFTP-mode handling of + ~-prefixed paths. + * ssh(1): unbreak hostbased auth using RSA keys. Allow ssh(1) to + select RSA keys when only RSA/SHA2 signature algorithms are + configured (this is the default case). Previously RSA keys were + not being considered in the default case. + * ssh-keysign(1): make ssh-keysign use the requested signature + algorithm and not the default for the key type. Part of unbreaking + hostbased auth for RSA/SHA2 keys. + * ssh(1): stricter UpdateHostkey signature verification logic on + the client- side. Require RSA/SHA2 signatures for RSA hostkeys + except when RSA/SHA1 was explicitly negotiated during initial + KEX; bz3375 + * ssh(1), sshd(8): fix signature algorithm selection logic for + UpdateHostkeys on the server side. The previous code tried to + prefer RSA/SHA2 for hostkey proofs of RSA keys, but missed some + cases. This will use RSA/SHA2 signatures for RSA keys if the + client proposed these algorithms in initial KEX. bz3375 + * All: convert all uses of select(2)/pselect(2) to poll(2)/ppoll(2). + This includes the mainloops in ssh(1), ssh-agent(1), ssh-agent(1) + and sftp-server(8), as well as the sshd(8) listen loop and all + other FD read/writability checks. On platforms with missing or + broken poll(2)/ppoll(2) syscalls a select(2)-based compat shim is + available. + * ssh-keygen(1): the "-Y find-principals" command was verifying key + validity when using ca certs but not with simple key lifetimes + within the allowed signers file. + * ssh-keygen(1): make sshsig verify-time argument parsing optional + * sshd(8): fix truncation in rhosts/shosts path construction. + * ssh(1), ssh-agent(1): avoid xmalloc(0) for PKCS#11 keyid for ECDSA + keys (we already did this for RSA keys). Avoids fatal errors for + PKCS#11 libraries that return empty keyid, e.g. 
Microchip ATECC608B + "cryptoauthlib"; bz#3364 + * ssh(1), ssh-agent(1): improve the testing of credentials against + inserted FIDO: ask the token whether a particular key belongs to + it in cases where the token supports on-token user-verification + (e.g. biometrics) rather than just assuming that it will accept it. + Will reduce spurious "Confirm user presence" notifications for key + handles that relate to FIDO keys that are not currently inserted in at + least some cases. bz3366 + * ssh(1), sshd(8): correct value for IPTOS_DSCP_LE. It needs to + allow for the preceding two ECN bits. bz#3373 + * ssh-keygen(1): add missing -O option to usage() for the "-Y sign" + option. + * ssh-keygen(1): fix a NULL deref when using the find-principals + function, when matching an allowed_signers line that contains a + namespace restriction, but no restriction specified on the + command-line + * ssh-agent(1): fix memleak in process_extension(); oss-fuzz + issue #42719 + * ssh(1): suppress "Connection to xxx closed" messages when LogLevel + is set to "error" or above. bz3378 + * ssh(1), sshd(8): use correct zlib flags when inflate(3)-ing + compressed packet data. bz3372 + * scp(1): when recursively transferring files in SFTP mode, create the + destination directory if it doesn't already exist to match scp(1) in + legacy RCP mode behaviour. + * scp(1): many improvements in error message consistency between scp(1) + in SFTP mode vs legacy RCP mode. + * sshd(8): fix potential race in SIGTERM handling PR289 + * ssh(1), ssh(8): since DSA keys are deprecated, move them to the + end of the default list of public keys so that they will be tried + last. PR295 + * ssh-keygen(1): allow 'ssh-keygen -Y find-principals' to match + wildcard principals in allowed_signers files + + = Portability + * ssh(1), sshd(8): don't trust closefrom(2) on Linux. glibc's + implementation does not work in a chroot when the kernel does not + have close_range(2). 
It tries to read from /proc/self/fd and when + that fails dies with an assertion of sorts. Instead, call + close_range(2) directly from our compat code and fall back if + that fails. bz#3349, + * OS X poll(2) is broken; use compat replacement. For character- + special devices like /dev/null, Darwin's poll(2) returns POLLNVAL + when polled with POLLIN. Apparently this is Apple bug 3710161 - + not public but a websearch will find other OSS projects + rediscovering it periodically since it was first identified in + 2005. + * Correct handling of exceptfds/POLLPRI in our select(2)-based + poll(2)/ppoll(2) compat implementation. + * Cygwin: correct checking of mbstowcs() return value. + * Add a basic SECURITY.md that refers people to the openssh.com + website. + * Enable additional compiler warnings and toolchain hardening flags, + including -Wbitwise-instead-of-logical, -Wmisleading-indentation, + -fzero-call-used-regs and -ftrivial-auto-var-init. + * HP/UX. Use compat getline(3) on HP-UX 10.x, where the libc version + is not reliable. + +- Rebased patches: + * openssh-7.7p1-ldap.patch + * openssh-8.0p1-gssapi-keyex.patch + * openssh-8.1p1-audit.patch + * openssh-8.4p1-vendordir.patch + * openssh-reenable-dh-group14-sha1-default.patch + +------------------------------------------------------------------- Old: ---- openssh-8.8p1.tar.gz openssh-8.8p1.tar.gz.asc New: ---- openssh-8.9p1.tar.gz openssh-8.9p1.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openssh-askpass-gnome.spec ++++++ --- /var/tmp/diff_new_pack.BNI8KT/_old 2022-03-11 11:48:34.234792653 +0100 +++ /var/tmp/diff_new_pack.BNI8KT/_new 2022-03-11 11:48:34.238792648 +0100 
@@ -18,7 +18,7 @@ %define _name openssh Name: openssh-askpass-gnome -Version: 8.8p1 +Version: 8.9p1 Release: 0 Summary: A GNOME-Based Passphrase Dialog for OpenSSH License: BSD-2-Clause ++++++ openssh.spec ++++++ --- /var/tmp/diff_new_pack.BNI8KT/_old 2022-03-11 11:48:34.270792617 +0100 +++ /var/tmp/diff_new_pack.BNI8KT/_new 2022-03-11 11:48:34.278792609 +0100 @@ -35,7 +35,7 @@ %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: openssh -Version: 8.8p1 +Version: 8.9p1 Release: 0 Summary: Secure Shell Client and Server (Remote Login Program) License: BSD-2-Clause AND MIT ++++++ openssh-7.7p1-ldap.patch ++++++ --- /var/tmp/diff_new_pack.BNI8KT/_old 2022-03-11 11:48:34.386792501 +0100 +++ /var/tmp/diff_new_pack.BNI8KT/_new 2022-03-11 11:48:34.390792498 +0100 @@ -10,10 +10,10 @@ # internal versions. ssh-keyconverter consequently fails to link as it lacks # the proper flags, and libopenbsd-compat doesn't contain the b64_* functions) -Index: openssh-8.8p1/HOWTO.ldap-keys +Index: openssh-8.9p1/HOWTO.ldap-keys =================================================================== --- /dev/null -+++ openssh-8.8p1/HOWTO.ldap-keys ++++ openssh-8.9p1/HOWTO.ldap-keys @@ -0,0 +1,108 @@ + +HOW TO START @@ -123,11 +123,11 @@ + - frederic peters. + - Finlay dobbie. + - Stefan Fisher. -Index: openssh-8.8p1/Makefile.in +Index: openssh-8.9p1/Makefile.in =================================================================== ---- openssh-8.8p1.orig/Makefile.in -+++ openssh-8.8p1/Makefile.in -@@ -26,6 +26,8 @@ SFTP_SERVER=$(libexecdir)/sftp-server +--- openssh-8.9p1.orig/Makefile.in ++++ openssh-8.9p1/Makefile.in +@@ -27,6 +27,8 @@ SFTP_SERVER=$(libexecdir)/sftp-server SSH_KEYSIGN=$(libexecdir)/ssh-keysign SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper 
@@ -136,7 +136,7 @@ CAVSTEST_CTR=$(libexecdir)/cavstest-ctr CAVSTEST_KDF=$(libexecdir)/cavstest-kdf PRIVSEP_PATH=@PRIVSEP_PATH@ -@@ -73,6 +75,9 @@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-a +@@ -75,6 +77,9 @@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-a TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT) @@ -146,7 +146,7 @@ XMSS_OBJS=\ ssh-xmss.o \ sshkey-xmss.o \ -@@ -160,8 +165,8 @@ SFTPSERVER_OBJS=sftp-common.o sftp-serve +@@ -162,8 +167,8 @@ SFTPSERVER_OBJS=sftp-common.o sftp-serve SFTP_OBJS= sftp.o progressmeter.o $(SFTP_CLIENT_OBJS) @@ -157,7 +157,7 @@ MANTYPE = @MANTYPE@ CONFIGFILES=sshd_config.out ssh_config.out moduli.out -@@ -244,6 +249,9 @@ ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) lib +@@ -246,6 +251,9 @@ ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) lib ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS) $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) @@ -167,7 +167,7 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTPSERVER_OBJS) $(LD) -o $@ $(SFTPSERVER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) -@@ -416,6 +424,10 @@ install-files: +@@ -421,6 +429,10 @@ install-files: $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT) $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) 
@@ -178,7 +178,7 @@ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) -@@ -435,6 +447,10 @@ install-files: +@@ -440,6 +452,10 @@ install-files: $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 @@ -189,7 +189,7 @@ $(INSTALL) -m 644 ssh-sk-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-sk-helper.8 install-sysconf: -@@ -459,6 +475,13 @@ install-sysconf: +@@ -464,6 +480,13 @@ install-sysconf: else \ echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \ fi @@ -203,7 +203,7 @@ host-key: ssh-keygen$(EXEEXT) @if [ -z "$(DESTDIR)" ] ; then \ -@@ -497,6 +520,8 @@ uninstall: +@@ -502,6 +525,8 @@ uninstall: -rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) -rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) -rm -f $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT) @@ -212,7 +212,7 @@ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 -@@ -509,6 +534,7 @@ uninstall: +@@ -514,6 +539,7 @@ uninstall: -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-sk-helper.8 
@@ -220,11 +220,11 @@ regress-prep: $(MKDIR_P) `pwd`/regress/unittests/test_helper -Index: openssh-8.8p1/configure.ac +Index: openssh-8.9p1/configure.ac =================================================================== ---- openssh-8.8p1.orig/configure.ac -+++ openssh-8.8p1/configure.ac -@@ -1758,6 +1758,106 @@ AC_ARG_WITH([audit], +--- openssh-8.9p1.orig/configure.ac ++++ openssh-8.9p1/configure.ac +@@ -1780,6 +1780,106 @@ AC_ARG_WITH([audit], esac ] ) @@ -331,10 +331,10 @@ AC_ARG_WITH([pie], [ --with-pie Build Position Independent Executables if possible], [ if test "x$withval" = "xno"; then -Index: openssh-8.8p1/ldap-helper.c +Index: openssh-8.9p1/ldap-helper.c =================================================================== --- /dev/null -+++ openssh-8.8p1/ldap-helper.c ++++ openssh-8.9p1/ldap-helper.c @@ -0,0 +1,155 @@ +/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -491,10 +491,10 @@ +void *buffer_get_string(struct sshbuf *b, u_int *l) { return NULL; } +void buffer_put_string(struct sshbuf *b, const void *f, u_int l) {} + -Index: openssh-8.8p1/ldap-helper.h +Index: openssh-8.9p1/ldap-helper.h =================================================================== --- /dev/null -+++ openssh-8.8p1/ldap-helper.h ++++ openssh-8.9p1/ldap-helper.h @@ -0,0 +1,32 @@ +/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -528,10 +528,10 @@ +extern int config_warning_config_file; + +#endif /* LDAP_HELPER_H */ -Index: openssh-8.8p1/ldap.conf +Index: openssh-8.9p1/ldap.conf =================================================================== --- /dev/null -+++ openssh-8.8p1/ldap.conf ++++ openssh-8.9p1/ldap.conf @@ -0,0 +1,88 @@ +# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $ +# @@ -621,10 +621,10 @@ +#tls_cert +#tls_key + -Index: openssh-8.8p1/ldapbody.c +Index: openssh-8.9p1/ldapbody.c =================================================================== 
--- /dev/null -+++ openssh-8.8p1/ldapbody.c ++++ openssh-8.9p1/ldapbody.c @@ -0,0 +1,503 @@ +/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1129,10 +1129,10 @@ + return; +} + -Index: openssh-8.8p1/ldapbody.h +Index: openssh-8.9p1/ldapbody.h =================================================================== --- /dev/null -+++ openssh-8.8p1/ldapbody.h ++++ openssh-8.9p1/ldapbody.h @@ -0,0 +1,37 @@ +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1171,10 +1171,10 @@ + +#endif /* LDAPBODY_H */ + -Index: openssh-8.8p1/ldapconf.c +Index: openssh-8.9p1/ldapconf.c =================================================================== --- /dev/null -+++ openssh-8.8p1/ldapconf.c ++++ openssh-8.9p1/ldapconf.c @@ -0,0 +1,711 @@ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1887,10 +1887,10 @@ + dump_cfg_string(lSSH_Filter, options.ssh_filter); +} + -Index: openssh-8.8p1/ldapconf.h +Index: openssh-8.9p1/ldapconf.h =================================================================== --- /dev/null -+++ openssh-8.8p1/ldapconf.h ++++ openssh-8.9p1/ldapconf.h @@ -0,0 +1,71 @@ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1963,10 +1963,10 @@ +void dump_config(void); + +#endif /* LDAPCONF_H */ -Index: openssh-8.8p1/ldapincludes.h +Index: openssh-8.9p1/ldapincludes.h =================================================================== --- /dev/null -+++ openssh-8.8p1/ldapincludes.h ++++ openssh-8.9p1/ldapincludes.h @@ -0,0 +1,41 @@ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -2009,10 +2009,10 @@ +#endif + +#endif /* LDAPINCLUDES_H */ -Index: openssh-8.8p1/ldapmisc.c +Index: openssh-8.9p1/ldapmisc.c =================================================================== --- /dev/null -+++ openssh-8.8p1/ldapmisc.c ++++ openssh-8.9p1/ldapmisc.c @@ -0,0 +1,79 @@ + +#include "ldapincludes.h" 
@@ -2093,10 +2093,10 @@ +} +#endif + -Index: openssh-8.8p1/ldapmisc.h +Index: openssh-8.9p1/ldapmisc.h =================================================================== --- /dev/null -+++ openssh-8.8p1/ldapmisc.h ++++ openssh-8.9p1/ldapmisc.h @@ -0,0 +1,35 @@ +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -2133,10 +2133,10 @@ + +#endif /* LDAPMISC_H */ + -Index: openssh-8.8p1/openbsd-compat/base64.c +Index: openssh-8.9p1/openbsd-compat/base64.c =================================================================== ---- openssh-8.8p1.orig/openbsd-compat/base64.c -+++ openssh-8.8p1/openbsd-compat/base64.c +--- openssh-8.9p1.orig/openbsd-compat/base64.c ++++ openssh-8.9p1/openbsd-compat/base64.c @@ -46,7 +46,7 @@ #include "includes.h" @@ -2145,8 +2145,8 @@ +#if (!defined(HAVE_B64_NTOP) && !defined(HAVE___B64_NTOP)) || (!defined(HAVE_B64_PTON) && !defined(HAVE___B64_PTON)) || defined(USE_INTERNAL_B64) #include <sys/types.h> - #include <sys/param.h> -@@ -129,7 +129,7 @@ static const char Pad64 = '='; + #include <sys/socket.h> +@@ -128,7 +128,7 @@ static const char Pad64 = '='; characters followed by one "=" padding character. */ @@ -2155,7 +2155,7 @@ int b64_ntop(u_char const *src, size_t srclength, char *target, size_t targsize) { -@@ -185,7 +185,7 @@ b64_ntop(u_char const *src, size_t srcle +@@ -184,7 +184,7 @@ b64_ntop(u_char const *src, size_t srcle } #endif /* !defined(HAVE_B64_NTOP) && !defined(HAVE___B64_NTOP) */ @@ -2164,10 +2164,10 @@ /* skips all whitespace anywhere. converts characters, four at a time, starting at (or after) -Index: openssh-8.8p1/openbsd-compat/base64.h +Index: openssh-8.9p1/openbsd-compat/base64.h =================================================================== ---- openssh-8.8p1.orig/openbsd-compat/base64.h -+++ openssh-8.8p1/openbsd-compat/base64.h +--- openssh-8.9p1.orig/openbsd-compat/base64.h ++++ openssh-8.9p1/openbsd-compat/base64.h @@ -45,16 +45,16 @@ #include "includes.h" 
@@ -2189,10 +2189,10 @@ int b64_pton(char const *src, u_char *target, size_t targsize); # endif /* !HAVE_B64_PTON */ # define __b64_pton(a,b,c) b64_pton(a,b,c) -Index: openssh-8.8p1/openssh-lpk-openldap.schema +Index: openssh-8.9p1/openssh-lpk-openldap.schema =================================================================== --- /dev/null -+++ openssh-8.8p1/openssh-lpk-openldap.schema ++++ openssh-8.9p1/openssh-lpk-openldap.schema @@ -0,0 +1,21 @@ +# +# LDAP Public Key Patch schema for use with openssh-ldappubkey @@ -2215,10 +2215,10 @@ + DESC 'MANDATORY: OpenSSH LPK objectclass' + MUST ( sshPublicKey $ uid ) + ) -Index: openssh-8.8p1/openssh-lpk-sun.schema +Index: openssh-8.9p1/openssh-lpk-sun.schema =================================================================== --- /dev/null -+++ openssh-8.8p1/openssh-lpk-sun.schema ++++ openssh-8.9p1/openssh-lpk-sun.schema @@ -0,0 +1,23 @@ +# +# LDAP Public Key Patch schema for use with openssh-ldappubkey @@ -2243,10 +2243,10 @@ + DESC 'MANDATORY: OpenSSH LPK objectclass' + MUST ( sshPublicKey $ uid ) + ) -Index: openssh-8.8p1/ssh-ldap-helper.8 +Index: openssh-8.9p1/ssh-ldap-helper.8 =================================================================== --- /dev/null -+++ openssh-8.8p1/ssh-ldap-helper.8 ++++ openssh-8.9p1/ssh-ldap-helper.8 @@ -0,0 +1,79 @@ +.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $ +.\" @@ -2327,19 +2327,19 @@ +OpenSSH 5.5 + PKA-LDAP . +.Sh AUTHORS +.An Jan F. Chadima Aq jchad...@redhat.com -Index: openssh-8.8p1/ssh-ldap-wrapper +Index: openssh-8.9p1/ssh-ldap-wrapper =================================================================== --- /dev/null -+++ openssh-8.8p1/ssh-ldap-wrapper ++++ openssh-8.9p1/ssh-ldap-wrapper @@ -0,0 +1,4 @@ +#!/bin/sh + +exec @LIBEXECDIR@/ssh-ldap-helper -s "$1" + -Index: openssh-8.8p1/ssh-ldap.conf.5 +Index: openssh-8.9p1/ssh-ldap.conf.5 =================================================================== 
--- /dev/null -+++ openssh-8.8p1/ssh-ldap.conf.5 ++++ openssh-8.9p1/ssh-ldap.conf.5 @@ -0,0 +1,376 @@ +.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $ +.\" ++++++ openssh-8.0p1-gssapi-keyex.patch ++++++ ++++ 872 lines (skipped) ++++ between /work/SRC/openSUSE:Factory/openssh/openssh-8.0p1-gssapi-keyex.patch ++++ and /work/SRC/openSUSE:Factory/.openssh.new.2349/openssh-8.0p1-gssapi-keyex.patch ++++++ openssh-8.1p1-audit.patch ++++++ ++++ 843 lines (skipped) ++++ between /work/SRC/openSUSE:Factory/openssh/openssh-8.1p1-audit.patch ++++ and /work/SRC/openSUSE:Factory/.openssh.new.2349/openssh-8.1p1-audit.patch ++++++ openssh-8.4p1-vendordir.patch ++++++ --- /var/tmp/diff_new_pack.BNI8KT/_old 2022-03-11 11:48:34.506792382 +0100 +++ /var/tmp/diff_new_pack.BNI8KT/_new 2022-03-11 11:48:34.510792379 +0100 @@ -1,8 +1,8 @@ Gemeinsame Unterverzeichnisse: openssh-8.4p1/contrib und openssh-8.4p1-vendor/contrib. -Index: openssh-8.8p1/dh.c +Index: openssh-8.9p1/dh.c =================================================================== ---- openssh-8.8p1.orig/dh.c -+++ openssh-8.8p1/dh.c +--- openssh-8.9p1.orig/dh.c ++++ openssh-8.9p1/dh.c @@ -54,7 +54,17 @@ void dh_set_moduli_file(const char *file static const char * get_moduli_filename(void) @@ -22,10 +22,10 @@ } static int -Index: openssh-8.8p1/pathnames.h +Index: openssh-8.9p1/pathnames.h =================================================================== ---- openssh-8.8p1.orig/pathnames.h -+++ openssh-8.8p1/pathnames.h +--- openssh-8.9p1.orig/pathnames.h ++++ openssh-8.9p1/pathnames.h @@ -18,6 +18,8 @@ #define SSHDIR ETCDIR "/ssh" #endif @@ -53,10 +53,10 @@ #ifndef _PATH_SSH_PROGRAM #define _PATH_SSH_PROGRAM "/usr/bin/ssh" -Index: openssh-8.8p1/ssh.c +Index: openssh-8.9p1/ssh.c =================================================================== ---- openssh-8.8p1.orig/ssh.c -+++ openssh-8.8p1/ssh.c +--- openssh-8.9p1.orig/ssh.c ++++ openssh-8.9p1/ssh.c 
@@ -549,6 +549,7 @@ static void process_config_files(const char *host_name, struct passwd *pw, int final_pass, int *want_final_pass) @@ -93,10 +93,10 @@ } } -Index: openssh-8.8p1/ssh_config.5 +Index: openssh-8.9p1/ssh_config.5 =================================================================== ---- openssh-8.8p1.orig/ssh_config.5 -+++ openssh-8.8p1/ssh_config.5 +--- openssh-8.9p1.orig/ssh_config.5 ++++ openssh-8.9p1/ssh_config.5 @@ -54,6 +54,9 @@ user's configuration file .It system-wide configuration file @@ -107,7 +107,7 @@ .El .Pp For each parameter, the first obtained value -@@ -2212,6 +2215,11 @@ This file provides defaults for those +@@ -2220,6 +2223,11 @@ This file provides defaults for those values that are not specified in the user's configuration file, and for those users who do not have a configuration file. This file must be world-readable. @@ -119,11 +119,11 @@ .El .Sh SEE ALSO .Xr ssh 1 -Index: openssh-8.8p1/sshd.c +Index: openssh-8.9p1/sshd.c =================================================================== ---- openssh-8.8p1.orig/sshd.c -+++ openssh-8.8p1/sshd.c -@@ -145,7 +145,7 @@ extern char *__progname; +--- openssh-8.9p1.orig/sshd.c ++++ openssh-8.9p1/sshd.c +@@ -148,7 +148,7 @@ extern char *__progname; ServerOptions options; /* Name of the server configuration file. */ @@ -132,7 +132,7 @@ /* * Debug mode flag. This can be set on the command line. If debug -@@ -1594,6 +1594,7 @@ prepare_proctitle(int ac, char **av) +@@ -1591,6 +1591,7 @@ prepare_proctitle(int ac, char **av) int main(int ac, char **av) { @@ -140,7 +140,7 @@ struct ssh *ssh = NULL; extern char *optarg; extern int optind; -@@ -1809,7 +1810,21 @@ main(int ac, char **av) +@@ -1806,7 +1807,21 @@ main(int ac, char **av) */ (void)atomicio(vwrite, startup_pipe, "\0", 1); } 
@@ -162,10 +162,10 @@ load_server_config(config_file_name, cfg); parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name, -Index: openssh-8.8p1/sshd_config.5 +Index: openssh-8.9p1/sshd_config.5 =================================================================== ---- openssh-8.8p1.orig/sshd_config.5 -+++ openssh-8.8p1/sshd_config.5 +--- openssh-8.9p1.orig/sshd_config.5 ++++ openssh-8.9p1/sshd_config.5 @@ -44,7 +44,9 @@ .Xr sshd 8 reads configuration data from @@ -177,19 +177,19 @@ .Fl f on the command line). The file contains keyword-argument pairs, one per line. -Index: openssh-8.8p1/ssh-keysign.c +Index: openssh-8.9p1/ssh-keysign.c =================================================================== ---- openssh-8.8p1.orig/ssh-keysign.c -+++ openssh-8.8p1/ssh-keysign.c -@@ -172,6 +172,7 @@ main(int argc, char **argv) +--- openssh-8.9p1.orig/ssh-keysign.c ++++ openssh-8.9p1/ssh-keysign.c +@@ -186,6 +186,7 @@ main(int argc, char **argv) u_char *signature, *data, rver; - char *host, *fp; + char *host, *fp, *pkalg; size_t slen, dlen; -+ struct stat st; ++ struct stat st; if (pledge("stdio rpath getpw dns id", NULL) != 0) fatal("%s: pledge: %s", __progname, strerror(errno)); -@@ -205,8 +206,14 @@ main(int argc, char **argv) +@@ -219,8 +220,14 @@ main(int argc, char **argv) /* verify that ssh-keysign is enabled by the admin */ initialize_options(&options); ++++++ openssh-8.8p1.tar.gz -> openssh-8.9p1.tar.gz ++++++ ++++ 24383 lines of diff (skipped) ++++++ openssh-reenable-dh-group14-sha1-default.patch ++++++ --- /var/tmp/diff_new_pack.BNI8KT/_old 2022-03-11 11:48:34.910791981 +0100 +++ /var/tmp/diff_new_pack.BNI8KT/_new 2022-03-11 11:48:34.914791977 +0100 
@@ -1,8 +1,8 @@ -Index: openssh-8.8p1/myproposal.h +Index: openssh-8.9p1/myproposal.h =================================================================== ---- openssh-8.8p1.orig/myproposal.h -+++ openssh-8.8p1/myproposal.h -@@ -33,7 +33,8 @@ +--- openssh-8.9p1.orig/myproposal.h ++++ openssh-8.9p1/myproposal.h +@@ -34,7 +34,8 @@ "diffie-hellman-group-exchange-sha256," \ "diffie-hellman-group16-sha512," \ "diffie-hellman-group18-sha512," \ @@ -12,11 +12,11 @@ #define KEX_CLIENT_KEX KEX_SERVER_KEX -Index: openssh-8.8p1/ssh_config.5 +Index: openssh-8.9p1/ssh_config.5 =================================================================== ---- openssh-8.8p1.orig/ssh_config.5 -+++ openssh-8.8p1/ssh_config.5 -@@ -1227,7 +1227,8 @@ ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec +--- openssh-8.9p1.orig/ssh_config.5 ++++ openssh-8.9p1/ssh_config.5 +@@ -1228,7 +1228,8 @@ sntrup761x25519-sha...@openssh.com, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, @@ -26,12 +26,12 @@ .Ed .Pp The list of available key exchange algorithms may also be obtained using -Index: openssh-8.8p1/sshd_config.5 +Index: openssh-8.9p1/sshd_config.5 =================================================================== ---- openssh-8.8p1.orig/sshd_config.5 -+++ openssh-8.8p1/sshd_config.5 -@@ -997,7 +997,7 @@ curve25519-sha256,curve25519-sha256@libs - ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, +--- openssh-8.9p1.orig/sshd_config.5 ++++ openssh-8.9p1/sshd_config.5 +@@ -996,7 +996,7 @@ ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec + sntrup761x25519-sha...@openssh.com, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512,diffie-hellman-group18-sha512, -diffie-hellman-group14-sha256
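Review bot: In the openssh.changes hunk, the "Potentially-incompatible changes" item on the removal of in-built MD5-hashed password support repeats upstream's advice ("we recommend linking against libxcrypt or similar") without saying what this package does, and the openssh.spec hunk shown in this mail changes only the Version line. Please state in the entry whether the openSUSE build links against libxcrypt, so administrators who still have MD5-hashed passwords know whether password logins keep working after the update. Two smaller points in the same entry: the rhosts/shosts truncation fix is listed twice under Bugfixes ("fix possible string truncation when constructing paths to .rhosts/.shosts files" and "fix truncation in rhosts/shosts path construction"), and the Security item has no tracker reference while several bugfix items carry a bz or PR number.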
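Review bot: The first line of openssh-8.4p1-vendordir.patch is localized diff output, "Gemeinsame Unterverzeichnisse: openssh-8.4p1/contrib und openssh-8.4p1-vendor/contrib." (German for "Common subdirectories"), and it still names the 8.4p1 trees although every Index line below it now says openssh-8.9p1. Since the patch is being rebased anyway, drop that line or regenerate the patch in the C locale so the header is not mistaken for part of the change. In the ssh-keysign.c hunk of the same patch, the removed and added "struct stat st;" lines differ only in whitespace as shown here; check that the new indentation matches the neighbouring declarations ("char *host, *fp, *pkalg;").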
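Review bot: In openssh-reenable-dh-group14-sha1-default.patch, the sshd_config.5 hunk stays at 7 lines ("@@ -996,7 +996,7 @@") and removes the "diffie-hellman-group14-sha256" line, while the myproposal.h and ssh_config.5 hunks grow from 7 to 8 lines. Please confirm that the replacement line in sshd_config.5 still lists group14-sha256 next to group14-sha1, so that the documented server default matches KEX_SERVER_KEX in myproposal.h now that the sntrup761x25519 method sits in the middle of the list. The changelog mentions this patch only under "Rebased patches"; a short line saying that the package default keeps a SHA-1 key exchange that the patch name says upstream no longer enables would help administrators who audit KexAlgorithms.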
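Review bot: The diffs for openssh-8.0p1-gssapi-keyex.patch (872 lines) and openssh-8.1p1-audit.patch (843 lines) are skipped in this mail, yet both are listed as rebased, so the two largest rebases cannot be checked from what is shown. The changelog for this release describes a fix in the sshd(8) user authentication path and the conversion of all select(2)/pselect(2) uses to poll(2)/ppoll(2) in the main loops, so these are the rebases where more than path and offset changes would be expected. Please review them in full in request rq:960152 rather than relying on this notification.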