Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package openssh for openSUSE:Factory checked in at 2024-02-27 22:43:12
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openssh (Old)
 and /work/SRC/openSUSE:Factory/.openssh.new.1770 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssh" Tue Feb 27 22:43:12 2024 rev:170 rq:1150501 version:9.6p1 Changes: -------- --- /work/SRC/openSUSE:Factory/openssh/openssh-askpass-gnome.changes 2023-07-24 18:11:52.629179853 +0200 +++ /work/SRC/openSUSE:Factory/.openssh.new.1770/openssh-askpass-gnome.changes 2024-02-27 22:43:13.539393967 +0100 @@ -1,0 +2,7 @@ +Sun Feb 25 18:26:23 UTC 2024 - Hans Petter Jansson <h...@suse.com> + +- Update to openssh 9.6p1: + * No changes for askpass, see main package changelog for + details. + +------------------------------------------------------------------- --- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2023-12-19 23:15:52.301619235 +0100 +++ /work/SRC/openSUSE:Factory/.openssh.new.1770/openssh.changes 2024-02-27 22:43:13.599396142 +0100 
@@ -1,0 +2,219 @@ +Sun Feb 25 18:26:23 UTC 2024 - Hans Petter Jansson <h...@suse.com> + +- Update to openssh 9.6p1: + = Security + * ssh(1), sshd(8): implement protocol extensions to thwart the + so-called "Terrapin attack" discovered by Fabian Bäumer, Marcus + Brinkmann and Jörg Schwenk. This attack allows a MITM to effect a + limited break of the integrity of the early encrypted SSH transport + protocol by sending extra messages prior to the commencement of + encryption, and deleting an equal number of consecutive messages + immediately after encryption starts. A peer SSH client/server + would not be able to detect that messages were deleted. + * ssh-agent(1): when adding PKCS#11-hosted private keys while + specifying destination constraints, if the PKCS#11 token returned + multiple keys then only the first key had the constraints applied. + Use of regular private keys, FIDO tokens and unconstrained keys + are unaffected. + * ssh(1): if an invalid user or hostname that contained shell + metacharacters was passed to ssh(1), and a ProxyCommand, + LocalCommand directive or "match exec" predicate referenced the + user or hostname via %u, %h or similar expansion token, then + an attacker who could supply arbitrary user/hostnames to ssh(1) + could potentially perform command injection depending on what + quoting was present in the user-supplied ssh_config(5) directive. + + = Potentially incompatible changes + * ssh(1), sshd(8): the RFC4254 connection/channels protocol provides + a TCP-like window mechanism that limits the amount of data that + can be sent without acceptance from the peer. In cases where this + limit was exceeded by a non-conforming peer SSH implementation, + ssh(1)/sshd(8) previously discarded the extra data. From OpenSSH + 9.6, ssh(1)/sshd(8) will now terminate the connection if a peer + exceeds the window limit by more than a small grace factor. This + change should have no effect of SSH implementations that follow + the specification. 
+ + = New features + * ssh(1): add a %j token that expands to the configured ProxyJump + hostname (or the empty string if this option is not being used) + that can be used in a number of ssh_config(5) keywords. bz3610 + * ssh(1): add ChannelTimeout support to the client, mirroring the + same option in the server and allowing ssh(1) to terminate + quiescent channels. + * ssh(1), sshd(8), ssh-add(1), ssh-keygen(1): add support for + reading ED25519 private keys in PEM PKCS8 format. Previously + only the OpenSSH private key format was supported. + * ssh(1), sshd(8): introduce a protocol extension to allow + renegotiation of acceptable signature algorithms for public key + authentication after the server has learned the username being + used for authentication. This allows varying sshd_config(5) + PubkeyAcceptedAlgorithms in a "Match user" block. + * ssh-add(1), ssh-agent(1): add an agent protocol extension to allow + specifying certificates when loading PKCS#11 keys. This allows the + use of certificates backed by PKCS#11 private keys in all OpenSSH + tools that support ssh-agent(1). Previously only ssh(1) supported + this use-case. + + = Bugfixes + * ssh(1): when deciding whether to enable the keystroke timing + obfuscation, enable it only if a channel with a TTY is active. + * ssh(1): switch mainloop from poll(3) to ppoll(3) and mask signals + before checking flags set in signal handler. Avoids potential + race condition between signaling ssh to exit and polling. bz3531 + * ssh(1): when connecting to a destination with both the + AddressFamily and CanonicalizeHostname directives in use, + the AddressFamily directive could be ignored. bz5326 + * sftp(1): correct handling of the lim...@openssh.com option when + the server returned an unexpected message. + * A number of fixes to the PuTTY and Dropbear regress/integration + tests. + * ssh(1): release GSS OIDs only at end of authentication, avoiding + unnecessary init/cleanup cycles. 
bz2982 + * ssh_config(5): mention "none" is a valid argument to IdentityFile + in the manual. bz3080 + * scp(1): improved debugging for paths from the server rejected for + not matching the client's glob(3) pattern in old SCP/RCP protocol + mode. + * ssh-agent(1): refuse signing operations on destination-constrained + keys if a previous session-bind operation has failed. This may + prevent a fail-open situation in future if a user uses a mismatched + ssh(1) client and ssh-agent(1) where the client supports a key type + that the agent does not support. + +- Update to openssh 9.5p1: + = Potentially incompatible changes + * ssh-keygen(1): generate Ed25519 keys by default. Ed25519 public keys + are very convenient due to their small size. Ed25519 keys are + specified in RFC 8709 and OpenSSH has supported them since version 6.5 + (January 2014). + * sshd(8): the Subsystem directive now accurately preserves quoting of + subsystem commands and arguments. This may change behaviour for exotic + configurations, but the most common subsystem configuration + (sftp-server) is unlikely to be affected. + + = New features + * ssh(1): add keystroke timing obfuscation to the client. This attempts + to hide inter-keystroke timings by sending interactive traffic at + fixed intervals (default: every 20ms) when there is only a small + amount of data being sent. It also sends fake "chaff" keystrokes for + a random interval after the last real keystroke. These are + controlled by a new ssh_config ObscureKeystrokeTiming keyword. + * ssh(1), sshd(8): Introduce a transport-level ping facility. This adds + a pair of SSH transport protocol messages SSH2_MSG_PING/PONG to + implement a ping capability. These messages use numbers in the "local + extensions" number space and are advertised using a "p...@openssh.com" + ext-info message with a string version number of "0". + * sshd(8): allow override of Subsystem directives in sshd Match blocks. 
+ + = Bugfixes + * scp(1): fix scp in SFTP mode recursive upload and download of + directories that contain symlinks to other directories. In scp mode, + the links would be followed, but in SFTP mode they were not. bz3611 + * ssh-keygen(1): handle cr+lf (instead of just cr) line endings in + sshsig signature files. + * ssh(1): interactive mode for ControlPersist sessions if they + originally requested a tty. + * sshd(8): make PerSourceMaxStartups first-match-wins + * sshd(8): limit artificial login delay to a reasonable maximum (5s) + and don't delay at all for the "none" authentication mechanism. + bz3602 + * sshd(8): Log errors in kex_exchange_identification() with level + verbose instead of error to reduce preauth log spam. All of those + get logged with a more generic error message by sshpkt_fatal(). + * sshd(8): correct math for ClientAliveInterval that caused the probes + to be sent less frequently than configured. + * ssh(1): fix regression in OpenSSH 9.4 (mux.c r1.99) that caused + multiplexed sessions to ignore SIGINT under some circumstances. + +- Update to openssh 9.4p1: + = Potentially incompatible changes + * This release removes support for older versions of libcrypto. + OpenSSH now requires LibreSSL >= 3.1.0 or OpenSSL >= 1.1.1. + Note that these versions are already deprecated by their upstream + vendors. + * ssh-agent(1): PKCS#11 modules must now be specified by their full + paths. Previously dlopen(3) could search for them in system + library directories. + + = New features + * ssh(1): allow forwarding Unix Domain sockets via ssh -W. + * ssh(1): add support for configuration tags to ssh(1). + This adds a ssh_config(5) "Tag" directive and corresponding + "Match tag" predicate that may be used to select blocks of + configuration similar to the pf.conf(5) keywords of the same + name. + * ssh(1): add a "match localnetwork" predicate. 
This allows matching + on the addresses of available network interfaces and may be used to + vary the effective client configuration based on network location. + * ssh(1), sshd(8), ssh-keygen(1): infrastructure support for KRL + extensions. This defines wire formats for optional KRL extensions + and implements parsing of the new submessages. No actual extensions + are supported at this point. + * sshd(8): AuthorizedPrincipalsCommand and AuthorizedKeysCommand now + accept two additional %-expansion sequences: %D which expands to + the routing domain of the connected session and %C which expands + to the addresses and port numbers for the source and destination + of the connection. + * ssh-keygen(1): increase the default work factor (rounds) for the + bcrypt KDF used to derive symmetric encryption keys for passphrase + protected key files by 50%. + + = Bugfixes + * ssh-agent(1): improve isolation between loaded PKCS#11 modules + by running separate ssh-pkcs11-helpers for each loaded provider. + * ssh(1): make -f (fork after authentication) work correctly with + multiplexed connections, including ControlPersist. bz3589 bz3589 + * ssh(1): make ConnectTimeout apply to multiplexing sockets and not + just to network connections. + * ssh-agent(1), ssh(1): improve defences against invalid PKCS#11 + modules being loaded by checking that the requested module + contains the required symbol before loading it. + * sshd(8): fix AuthorizedPrincipalsCommand when AuthorizedKeysCommand + appears before it in sshd_config. Since OpenSSH 8.7 the + AuthorizedPrincipalsCommand directive was incorrectly ignored in + this situation. bz3574 + * sshd(8), ssh(1), ssh-keygen(1): remove vestigal support for KRL + signatures When the KRL format was originally defined, it included + support for signing of KRL objects. However, the code to sign KRLs + and verify KRL signatues was never completed in OpenSSH. This + release removes the partially-implemented code to verify KRLs. 
+ All OpenSSH tools now ignore KRL_SECTION_SIGNATURE sections in + KRL files. + * All: fix a number of memory leaks and unreachable/harmless integer + overflows. + * ssh-agent(1), ssh(1): don't truncate strings logged from PKCS#11 + modules; GHPR406 + * sshd(8), ssh(1): better validate CASignatureAlgorithms in + ssh_config and sshd_config. Previously this directive would accept + certificate algorithm names, but these were unusable in practice as + OpenSSH does not support CA chains. bz3577 + * ssh(1): make `ssh -Q CASignatureAlgorithms` only list signature + algorithms that are valid for CA signing. Previous behaviour was + to list all signing algorithms, including certificate algorithms. + * ssh-keyscan(1): gracefully handle systems where rlimits or the + maximum number of open files is larger than INT_MAX; bz3581 + * ssh-keygen(1): fix "no comment" not showing on when running + `ssh-keygen -l` on multiple keys where one has a comment and other + following keys do not. bz3580 + * scp(1), sftp(1): adjust ftruncate() logic to handle servers that + reorder requests. Previously, if the server reordered requests then + the resultant file would be erroneously truncated. + * ssh(1): don't incorrectly disable hostname canonicalization when + CanonicalizeHostname=yes and ProxyJump was expicitly set to + "none". bz3567 + * scp(1): when copying local->remote, check that the source file + exists before opening an SFTP connection to the server. Based on + GHPR#370 + +- Dropped patches: + * cb4ed12f.patch - implemented upstream. + * openssh-cve-2023-48795.patch - implemented upstream. 
+ +- Rebased patches: + * openssh-6.6p1-selinux-contexts.patch + * openssh-7.7p1-fips.patch + * openssh-7.8p1-role-mls.patch + * openssh-8.0p1-gssapi-keyex.patch + +------------------------------------------------------------------- Old: ---- cb4ed12f.patch openssh-9.3p2.tar.gz openssh-9.3p2.tar.gz.asc openssh-cve-2023-48795.patch New: ---- openssh-9.6p1.tar.gz openssh-9.6p1.tar.gz.asc BETA DEBUG BEGIN: Old:/work/SRC/openSUSE:Factory/.openssh.new.1770/openssh.changes-- Dropped patches: /work/SRC/openSUSE:Factory/.openssh.new.1770/openssh.changes: * cb4ed12f.patch - implemented upstream. /work/SRC/openSUSE:Factory/.openssh.new.1770/openssh.changes- * openssh-cve-2023-48795.patch - implemented upstream. Old:/work/SRC/openSUSE:Factory/.openssh.new.1770/openssh.changes- * cb4ed12f.patch - implemented upstream. /work/SRC/openSUSE:Factory/.openssh.new.1770/openssh.changes: * openssh-cve-2023-48795.patch - implemented upstream. /work/SRC/openSUSE:Factory/.openssh.new.1770/openssh.changes- BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openssh-askpass-gnome.spec ++++++ --- /var/tmp/diff_new_pack.3yFRmy/_old 2024-02-27 22:43:17.791548114 +0100 +++ /var/tmp/diff_new_pack.3yFRmy/_new 2024-02-27 22:43:17.807548695 +0100 @@ -18,7 +18,7 @@ %define _name openssh Name: openssh-askpass-gnome -Version: 9.3p2 +Version: 9.6p1 Release: 0 Summary: A GNOME-Based Passphrase Dialog for OpenSSH License: BSD-2-Clause ++++++ openssh.spec ++++++ --- /var/tmp/diff_new_pack.3yFRmy/_old 2024-02-27 22:43:17.935553335 +0100 +++ /var/tmp/diff_new_pack.3yFRmy/_new 2024-02-27 22:43:17.939553480 +0100 @@ -37,7 +37,7 @@ %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: openssh -Version: 9.3p2 +Version: 9.6p1 Release: 0 Summary: Secure Shell Client and Server (Remote Login Program) License: BSD-2-Clause AND MIT 
@@ -116,15 +116,12 @@ Patch50: openssh-openssl-3.patch Patch51: wtmpdb.patch Patch52: logind_set_tty.patch -# PATCH-FIx-UPSTREAM cb4ed12f.patch -- Fix build with zlib 1.3 -Patch53: https://github.com/openssh/openssh-portable/commit/cb4ed12f.patch Patch100: fix-missing-lz.patch Patch102: openssh-7.8p1-role-mls.patch Patch103: openssh-6.6p1-privsep-selinux.patch Patch104: openssh-6.6p1-keycat.patch Patch105: openssh-6.6.1p1-selinux-contexts.patch Patch106: openssh-7.6p1-cleanup-selinux.patch -Patch107: openssh-cve-2023-48795.patch BuildRequires: audit-devel BuildRequires: automake BuildRequires: groff ++++++ openssh-6.6.1p1-selinux-contexts.patch ++++++ --- /var/tmp/diff_new_pack.3yFRmy/_old 2024-02-27 22:43:18.047557396 +0100 +++ /var/tmp/diff_new_pack.3yFRmy/_new 2024-02-27 22:43:18.051557541 +0100 @@ -1,7 +1,7 @@ -Index: openssh-9.3p2/openbsd-compat/port-linux-sshd.c +Index: openssh-9.6p1/openbsd-compat/port-linux-sshd.c =================================================================== ---- openssh-9.3p2.orig/openbsd-compat/port-linux-sshd.c -+++ openssh-9.3p2/openbsd-compat/port-linux-sshd.c +--- openssh-9.6p1.orig/openbsd-compat/port-linux-sshd.c ++++ openssh-9.6p1/openbsd-compat/port-linux-sshd.c @@ -33,6 +33,7 @@ #include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */ #include "servconf.h" 
@@ -92,23 +92,10 @@ #endif #endif -Index: openssh-9.3p2/openbsd-compat/port-linux.c +Index: openssh-9.6p1/openbsd-compat/port-linux.h =================================================================== ---- openssh-9.3p2.orig/openbsd-compat/port-linux.c -+++ openssh-9.3p2/openbsd-compat/port-linux.c -@@ -182,7 +182,7 @@ ssh_selinux_change_context(const char *n - strlcpy(newctx + len, newname, newlen - len); - if ((cx = index(cx + 1, ':'))) - strlcat(newctx, cx, newlen); -- debug3("%s: setting context from '%s' to '%s'", __func__, -+ debug_f("setting context from '%s' to '%s'", - oldctx, newctx); - if (setcon(newctx) < 0) - do_log2(log_level, "%s: setcon %s from %s failed with %s", -Index: openssh-9.3p2/openbsd-compat/port-linux.h -=================================================================== ---- openssh-9.3p2.orig/openbsd-compat/port-linux.h -+++ openssh-9.3p2/openbsd-compat/port-linux.h +--- openssh-9.6p1.orig/openbsd-compat/port-linux.h ++++ openssh-9.6p1/openbsd-compat/port-linux.h @@ -27,6 +27,7 @@ int sshd_selinux_enabled(void); void sshd_selinux_copy_context(void); void sshd_selinux_setup_exec_context(char *); @@ -117,10 +104,10 @@ #endif #ifdef LINUX_OOM_ADJUST -Index: openssh-9.3p2/sshd.c +Index: openssh-9.6p1/sshd.c =================================================================== ---- openssh-9.3p2.orig/sshd.c -+++ openssh-9.3p2/sshd.c +--- openssh-9.6p1.orig/sshd.c ++++ openssh-9.6p1/sshd.c @@ -511,7 +511,7 @@ privsep_preauth_child(struct ssh *ssh) demote_sensitive_data(ssh); ++++++ openssh-7.7p1-fips.patch ++++++ --- /var/tmp/diff_new_pack.3yFRmy/_old 2024-02-27 22:43:18.087558846 +0100 +++ /var/tmp/diff_new_pack.3yFRmy/_new 2024-02-27 22:43:18.095559136 +0100 
@@ -3,11 +3,11 @@ FIPS 140-2 compliance. Perform selftests on start and use only FIPS approved algorithms. -Index: openssh-8.8p1/Makefile.in +Index: openssh-9.6p1/Makefile.in =================================================================== ---- openssh-8.8p1.orig/Makefile.in -+++ openssh-8.8p1/Makefile.in -@@ -113,6 +113,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ +--- openssh-9.6p1.orig/Makefile.in ++++ openssh-9.6p1/Makefile.in +@@ -115,6 +115,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ SKOBJS= ssh-sk-client.o @@ -16,32 +16,10 @@ SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ sshconnect.o sshconnect2.o mux.o $(SKOBJS) -#Index: openssh-8.8p1/cipher-ctr.c -#=================================================================== -#--- openssh-8.8p1.orig/cipher-ctr.c -#+++ openssh-8.8p1/cipher-ctr.c -#@@ -27,6 +27,8 @@ -# #include "xmalloc.h" -# #include "log.h" -# -#+#include "fips.h" -#+ -# /* compatibility with old or broken OpenSSL versions */ -# #include "openbsd-compat/openssl-compat.h" -# -#@@ -139,6 +141,8 @@ evp_aes_128_ctr(void) -# #ifndef SSH_OLD_EVP -# aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | -# EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV; -#+ if (fips_mode()) -#+ aes_ctr.flags |= EVP_CIPH_FLAG_FIPS; -# #endif -# return (&aes_ctr); -# } -Index: openssh-8.8p1/cipher.c +Index: openssh-9.6p1/cipher.c =================================================================== ---- openssh-8.8p1.orig/cipher.c -+++ openssh-8.8p1/cipher.c +--- openssh-9.6p1.orig/cipher.c ++++ openssh-9.6p1/cipher.c @@ -51,6 +51,9 @@ #include "openbsd-compat/openssl-compat.h" @@ -61,7 +39,7 @@ #ifdef WITH_OPENSSL #ifndef OPENSSL_NO_DES { "3des-cbc", 8, 24, 0, 0, CFLAG_CBC, EVP_des_ede3_cbc }, -@@ -112,8 +115,52 @@ static const struct sshcipher ciphers[] +@@ -110,8 +113,52 @@ static const struct sshcipher ciphers[] { NULL, 0, 0, 0, 0, 0, NULL } }; 
@@ -114,7 +92,7 @@ /* Returns a comma-separated list of supported ciphers. */ char * cipher_alg_list(char sep, int auth_only) -@@ -122,7 +169,7 @@ cipher_alg_list(char sep, int auth_only) +@@ -120,7 +167,7 @@ cipher_alg_list(char sep, int auth_only) size_t nlen, rlen = 0; const struct sshcipher *c; @@ -123,7 +101,7 @@ if ((c->flags & CFLAG_INTERNAL) != 0) continue; if (auth_only && c->auth_len == 0) -@@ -205,7 +252,7 @@ const struct sshcipher * +@@ -203,7 +250,7 @@ const struct sshcipher * cipher_by_name(const char *name) { const struct sshcipher *c; @@ -132,10 +110,10 @@ if (strcmp(c->name, name) == 0) return c; return NULL; -Index: openssh-8.8p1/fips.c +Index: openssh-9.6p1/fips.c =================================================================== --- /dev/null -+++ openssh-8.8p1/fips.c ++++ openssh-9.6p1/fips.c @@ -0,0 +1,212 @@ +/* + * Copyright (c) 2012 Petr Cerny. All rights reserved. @@ -349,10 +327,10 @@ + return dgst; +} + -Index: openssh-8.8p1/fips.h +Index: openssh-9.6p1/fips.h =================================================================== --- /dev/null -+++ openssh-8.8p1/fips.h ++++ openssh-9.6p1/fips.h @@ -0,0 +1,44 @@ +/* + * Copyright (c) 2012 Petr Cerny. All rights reserved. @@ -398,10 +376,10 @@ + +#endif + -Index: openssh-8.8p1/hmac.c +Index: openssh-9.6p1/hmac.c =================================================================== ---- openssh-8.8p1.orig/hmac.c -+++ openssh-8.8p1/hmac.c +--- openssh-9.6p1.orig/hmac.c ++++ openssh-9.6p1/hmac.c @@ -145,7 +145,7 @@ hmac_test(void *key, size_t klen, void * size_t i; u_char digest[16]; 
@@ -411,20 +389,20 @@ printf("ssh_hmac_start failed"); if (ssh_hmac_init(ctx, key, klen) < 0 || ssh_hmac_update(ctx, m, mlen) < 0 || -Index: openssh-8.8p1/kex.c +Index: openssh-9.6p1/kex.c =================================================================== ---- openssh-8.8p1.orig/kex.c -+++ openssh-8.8p1/kex.c -@@ -62,6 +62,8 @@ +--- openssh-9.6p1.orig/kex.c ++++ openssh-9.6p1/kex.c +@@ -64,6 +64,8 @@ #include "digest.h" #include "xmalloc.h" +#include "fips.h" + /* prototype */ - static int kex_choose_conf(struct ssh *); + static int kex_choose_conf(struct ssh *, uint32_t seq); static int kex_input_newkeys(int, u_int32_t, struct ssh *); -@@ -85,7 +87,7 @@ struct kexalg { +@@ -87,7 +89,7 @@ struct kexalg { int ec_nid; int hash_alg; }; @@ -433,7 +411,7 @@ #ifdef WITH_OPENSSL { KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 }, { KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 }, -@@ -118,6 +120,47 @@ static const struct kexalg kexalgs[] = { +@@ -120,6 +122,47 @@ static const struct kexalg kexalgs[] = { { NULL, 0, -1, -1}, }; @@ -481,7 +459,7 @@ char * kex_alg_list(char sep) { -@@ -125,7 +168,7 @@ kex_alg_list(char sep) +@@ -127,7 +170,7 @@ kex_alg_list(char sep) size_t nlen, rlen = 0; const struct kexalg *k; @@ -490,7 +468,7 @@ if (ret != NULL) ret[rlen++] = sep; nlen = strlen(k->name); -@@ -145,7 +188,7 @@ kex_alg_by_name(const char *name) +@@ -147,7 +190,7 @@ kex_alg_by_name(const char *name) { const struct kexalg *k; @@ -499,7 +477,7 @@ if (strcmp(k->name, name) == 0) return k; } -@@ -165,7 +208,10 @@ kex_names_valid(const char *names) +@@ -167,7 +210,10 @@ kex_names_valid(const char *names) for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) { if (kex_alg_by_name(p) == NULL) { 
@@ -510,10 +488,10 @@ free(s); return 0; } -Index: openssh-8.8p1/mac.c +Index: openssh-9.6p1/mac.c =================================================================== ---- openssh-8.8p1.orig/mac.c -+++ openssh-8.8p1/mac.c +--- openssh-9.6p1.orig/mac.c ++++ openssh-9.6p1/mac.c @@ -41,6 +41,9 @@ #include "openbsd-compat/openssl-compat.h" @@ -593,11 +571,11 @@ if (strcmp(name, m->name) != 0) continue; if (mac != NULL) -Index: openssh-8.8p1/readconf.c +Index: openssh-9.6p1/readconf.c =================================================================== ---- openssh-8.8p1.orig/readconf.c -+++ openssh-8.8p1/readconf.c -@@ -68,6 +68,8 @@ +--- openssh-9.6p1.orig/readconf.c ++++ openssh-9.6p1/readconf.c +@@ -71,6 +71,8 @@ #include "myproposal.h" #include "digest.h" @@ -606,7 +584,7 @@ /* Format of the configuration file: # Configuration data is parsed as follows: -@@ -2307,6 +2309,23 @@ config_has_permitted_cnames(Options *opt +@@ -2478,6 +2480,23 @@ config_has_permitted_cnames(Options *opt return options->num_permitted_cnames > 0; } @@ -630,7 +608,7 @@ /* * Initializes options to special values that indicate that they have not yet * been set. Read_config_file will only set options with this value. Options -@@ -2618,6 +2637,9 @@ fill_default_options(Options * options) +@@ -2796,6 +2815,9 @@ fill_default_options(Options * options) options->canonicalize_hostname = SSH_CANONICALISE_NO; if (options->fingerprint_hash == -1) options->fingerprint_hash = SSH_FP_HASH_DEFAULT; @@ -640,7 +618,7 @@ #ifdef ENABLE_SK_INTERNAL if (options->sk_provider == NULL) options->sk_provider = xstrdup("internal"); -@@ -2654,6 +2676,8 @@ fill_default_options(Options * options) +@@ -2840,6 +2862,8 @@ fill_default_options(Options * options) ASSEMBLE(ca_sign_algorithms, def_sig, all_sig); #undef ASSEMBLE 
@@ -649,23 +627,23 @@ #define CLEAR_ON_NONE(v) \ do { \ if (option_clear_or_none(v)) { \ -Index: openssh-8.8p1/readconf.h +Index: openssh-9.6p1/readconf.h =================================================================== ---- openssh-8.8p1.orig/readconf.h -+++ openssh-8.8p1/readconf.h -@@ -212,6 +212,7 @@ typedef struct { - #define SSH_STRICT_HOSTKEY_YES 2 - #define SSH_STRICT_HOSTKEY_ASK 3 +--- openssh-9.6p1.orig/readconf.h ++++ openssh-9.6p1/readconf.h +@@ -231,6 +231,7 @@ typedef struct { + #define SSH_KEYSTROKE_CHAFF_MIN_MS 1024 + #define SSH_KEYSTROKE_CHAFF_RNG_MS 2048 +void filter_fips_algorithms(Options *o); const char *kex_default_pk_alg(void); char *ssh_connection_hash(const char *thishost, const char *host, - const char *portstr, const char *user); -Index: openssh-8.8p1/servconf.c + const char *portstr, const char *user, const char *jump_host); +Index: openssh-9.6p1/servconf.c =================================================================== ---- openssh-8.8p1.orig/servconf.c -+++ openssh-8.8p1/servconf.c -@@ -70,6 +70,7 @@ +--- openssh-9.6p1.orig/servconf.c ++++ openssh-9.6p1/servconf.c +@@ -68,6 +68,7 @@ #include "auth.h" #include "myproposal.h" #include "digest.h" @@ -673,7 +651,7 @@ static void add_listen_addr(ServerOptions *, const char *, const char *, int); -@@ -205,6 +206,23 @@ option_clear_or_none(const char *o) +@@ -207,6 +208,23 @@ option_clear_or_none(const char *o) return o == NULL || strcasecmp(o, "none") == 0; } @@ -697,7 +675,7 @@ static void assemble_algorithms(ServerOptions *o) { -@@ -246,6 +264,8 @@ assemble_algorithms(ServerOptions *o) +@@ -248,6 +266,8 @@ assemble_algorithms(ServerOptions *o) free(def_kex); free(def_key); free(def_sig); @@ -706,7 +684,7 @@ } void -@@ -438,6 +458,8 @@ fill_default_server_options(ServerOption +@@ -440,6 +460,8 @@ fill_default_server_options(ServerOption options->fwd_opts.streamlocal_bind_unlink = 0; if (options->fingerprint_hash == -1) options->fingerprint_hash = SSH_FP_HASH_DEFAULT; 
@@ -715,20 +693,20 @@ if (options->disable_forwarding == -1) options->disable_forwarding = 0; if (options->expose_userauth_info == -1) -Index: openssh-8.8p1/ssh-keygen.c +Index: openssh-9.6p1/ssh-keygen.c =================================================================== ---- openssh-8.8p1.orig/ssh-keygen.c -+++ openssh-8.8p1/ssh-keygen.c -@@ -67,6 +67,8 @@ - #include "sk-api.h" /* XXX for SSH_SK_USER_PRESENCE_REQD; remove */ - #include "cipher.h" +--- openssh-9.6p1.orig/ssh-keygen.c ++++ openssh-9.6p1/ssh-keygen.c +@@ -18,6 +18,8 @@ + #include <sys/socket.h> + #include <sys/stat.h> +#include "fips.h" + #ifdef WITH_OPENSSL - # define DEFAULT_KEY_TYPE_NAME "rsa" - #else -@@ -1037,11 +1039,13 @@ do_fingerprint(struct passwd *pw) + #include <openssl/evp.h> + #include <openssl/pem.h> +@@ -1040,11 +1042,13 @@ do_fingerprint(struct passwd *pw) static void do_gen_all_hostkeys(struct passwd *pw) { @@ -744,8 +722,7 @@ #ifdef WITH_OPENSSL { "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE }, #ifdef OPENSSL_HAS_ECC -# { "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE }, -@@ -1056,6 +1060,17 @@ do_gen_all_hostkeys(struct passwd *pw) +@@ -1058,6 +1062,17 @@ do_gen_all_hostkeys(struct passwd *pw) { NULL, NULL, NULL } }; @@ -763,7 +740,7 @@ u_int32_t bits = 0; int first = 0; struct stat st; -@@ -1063,6 +1078,12 @@ do_gen_all_hostkeys(struct passwd *pw) +@@ -1065,6 +1080,12 @@ do_gen_all_hostkeys(struct passwd *pw) char comment[1024], *prv_tmp, *pub_tmp, *prv_file, *pub_file; int i, type, fd, r; @@ -776,7 +753,7 @@ for (i = 0; key_types[i].key_type; i++) { public = private = NULL; prv_tmp = pub_tmp = prv_file = pub_file = NULL; -@@ -3620,6 +3641,15 @@ main(int argc, char **argv) +@@ -3794,6 +3815,15 @@ main(int argc, char **argv) key_type_name = DEFAULT_KEY_TYPE_NAME; type = sshkey_type_from_name(key_type_name); 
@@ -792,11 +769,11 @@ type_bits_valid(type, key_type_name, &bits); if (!quiet) -Index: openssh-8.8p1/ssh_config.5 +Index: openssh-9.6p1/ssh_config.5 =================================================================== ---- openssh-8.8p1.orig/ssh_config.5 -+++ openssh-8.8p1/ssh_config.5 -@@ -736,6 +736,8 @@ The argument to this keyword must be +--- openssh-9.6p1.orig/ssh_config.5 ++++ openssh-9.6p1/ssh_config.5 +@@ -831,6 +831,8 @@ The argument to this keyword must be option) or .Cm no (the default). @@ -805,11 +782,11 @@ .It Cm ForwardAgent Specifies whether the connection to the authentication agent (if any) will be forwarded to the remote machine. -Index: openssh-8.8p1/sshd.c +Index: openssh-9.6p1/sshd.c =================================================================== ---- openssh-8.8p1.orig/sshd.c -+++ openssh-8.8p1/sshd.c -@@ -126,6 +126,8 @@ +--- openssh-9.6p1.orig/sshd.c ++++ openssh-9.6p1/sshd.c +@@ -128,6 +128,8 @@ #include "srclimit.h" #include "dh.h" @@ -818,11 +795,11 @@ /* Re-exec fds */ #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) -Index: openssh-8.8p1/sshd_config.5 +Index: openssh-9.6p1/sshd_config.5 =================================================================== ---- openssh-8.8p1.orig/sshd_config.5 -+++ openssh-8.8p1/sshd_config.5 -@@ -600,6 +600,8 @@ and +--- openssh-9.6p1.orig/sshd_config.5 ++++ openssh-9.6p1/sshd_config.5 +@@ -681,6 +681,8 @@ and .Cm sha256 . The default is .Cm sha256 . ++++++ openssh-7.8p1-role-mls.patch ++++++ --- /var/tmp/diff_new_pack.3yFRmy/_old 2024-02-27 22:43:18.143560875 +0100 +++ /var/tmp/diff_new_pack.3yFRmy/_new 2024-02-27 22:43:18.147561021 +0100 
@@ -1,8 +1,8 @@ -Index: openssh-9.3p2/auth2.c +Index: openssh-9.6p1/auth2.c =================================================================== ---- openssh-9.3p2.orig/auth2.c -+++ openssh-9.3p2/auth2.c -@@ -262,6 +262,9 @@ input_userauth_request(int type, u_int32 +--- openssh-9.6p1.orig/auth2.c ++++ openssh-9.6p1/auth2.c +@@ -273,6 +273,9 @@ input_userauth_request(int type, u_int32 Authctxt *authctxt = ssh->authctxt; Authmethod *m = NULL; char *user = NULL, *service = NULL, *method = NULL, *style = NULL; @@ -12,7 +12,7 @@ int r, authenticated = 0; double tstart = monotime_double(); -@@ -275,6 +278,11 @@ input_userauth_request(int type, u_int32 +@@ -286,6 +289,11 @@ input_userauth_request(int type, u_int32 debug("userauth-request for user %s service %s method %s", user, service, method); debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); @@ -24,7 +24,7 @@ if ((style = strchr(user, ':')) != NULL) *style++ = 0; -@@ -302,8 +310,15 @@ input_userauth_request(int type, u_int32 +@@ -313,8 +321,15 @@ input_userauth_request(int type, u_int32 use_privsep ? " [net]" : ""); authctxt->service = xstrdup(service); authctxt->style = style ? xstrdup(style) : NULL; @@ -39,13 +39,13 @@ +#endif + } userauth_banner(ssh); - if (auth2_setup_methods_lists(authctxt) != 0) - ssh_packet_disconnect(ssh, -Index: openssh-9.3p2/auth2-gss.c -=================================================================== ---- openssh-9.3p2.orig/auth2-gss.c -+++ openssh-9.3p2/auth2-gss.c -@@ -325,6 +325,7 @@ input_gssapi_mic(int type, u_int32_t ple + if ((r = kex_server_update_ext_info(ssh)) != 0) + fatal_fr(r, "kex_server_update_ext_info failed"); +Index: openssh-9.6p1/auth2-gss.c +=================================================================== +--- openssh-9.6p1.orig/auth2-gss.c ++++ openssh-9.6p1/auth2-gss.c +@@ -331,6 +331,7 @@ input_gssapi_mic(int type, u_int32_t ple Authctxt *authctxt = ssh->authctxt; Gssctxt *gssctxt; int r, authenticated = 0; 
@@ -53,7 +53,7 @@ struct sshbuf *b; gss_buffer_desc mic, gssbuf; const char *displayname; -@@ -342,7 +343,13 @@ input_gssapi_mic(int type, u_int32_t ple +@@ -348,7 +349,13 @@ input_gssapi_mic(int type, u_int32_t ple fatal_f("sshbuf_new failed"); mic.value = p; mic.length = len; @@ -68,7 +68,7 @@ "gssapi-with-mic", ssh->kex->session_id); if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL) -@@ -356,6 +363,8 @@ input_gssapi_mic(int type, u_int32_t ple +@@ -362,6 +369,8 @@ input_gssapi_mic(int type, u_int32_t ple logit("GSSAPI MIC check failed"); sshbuf_free(b); @@ -77,10 +77,10 @@ free(mic.value); if ((!use_privsep || mm_is_monitor()) && -Index: openssh-9.3p2/auth2-hostbased.c +Index: openssh-9.6p1/auth2-hostbased.c =================================================================== ---- openssh-9.3p2.orig/auth2-hostbased.c -+++ openssh-9.3p2/auth2-hostbased.c +--- openssh-9.6p1.orig/auth2-hostbased.c ++++ openssh-9.6p1/auth2-hostbased.c @@ -128,7 +128,16 @@ userauth_hostbased(struct ssh *ssh, cons /* reconstruct packet */ if ((r = sshbuf_put_stringb(b, ssh->kex->session_id)) != 0 || @@ -98,10 +98,10 @@ (r = sshbuf_put_cstring(b, authctxt->service)) != 0 || (r = sshbuf_put_cstring(b, method)) != 0 || (r = sshbuf_put_string(b, pkalg, alen)) != 0 || -Index: openssh-9.3p2/auth2-pubkey.c +Index: openssh-9.6p1/auth2-pubkey.c =================================================================== ---- openssh-9.3p2.orig/auth2-pubkey.c -+++ openssh-9.3p2/auth2-pubkey.c +--- openssh-9.6p1.orig/auth2-pubkey.c ++++ openssh-9.6p1/auth2-pubkey.c @@ -200,9 +200,16 @@ userauth_pubkey(struct ssh *ssh, const c goto done; } 
@@ -121,10 +121,10 @@ if ((r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 || (r = sshbuf_put_cstring(b, userstyle)) != 0 || (r = sshbuf_put_cstring(b, authctxt->service)) != 0 || -Index: openssh-9.3p2/auth.h +Index: openssh-9.6p1/auth.h =================================================================== ---- openssh-9.3p2.orig/auth.h -+++ openssh-9.3p2/auth.h +--- openssh-9.6p1.orig/auth.h ++++ openssh-9.6p1/auth.h @@ -65,6 +65,9 @@ struct Authctxt { char *service; struct passwd *pw; /* set if 'valid' */ @@ -135,11 +135,11 @@ /* Method lists for multiple authentication */ char **auth_methods; /* modified from server config */ -Index: openssh-9.3p2/auth-pam.c +Index: openssh-9.6p1/auth-pam.c =================================================================== ---- openssh-9.3p2.orig/auth-pam.c -+++ openssh-9.3p2/auth-pam.c -@@ -1240,7 +1240,7 @@ is_pam_session_open(void) +--- openssh-9.6p1.orig/auth-pam.c ++++ openssh-9.6p1/auth-pam.c +@@ -1242,7 +1242,7 @@ is_pam_session_open(void) * during the ssh authentication process. */ int @@ -148,10 +148,10 @@ { int ret = 1; char *compound; -Index: openssh-9.3p2/auth-pam.h +Index: openssh-9.6p1/auth-pam.h =================================================================== ---- openssh-9.3p2.orig/auth-pam.h -+++ openssh-9.3p2/auth-pam.h +--- openssh-9.6p1.orig/auth-pam.h ++++ openssh-9.6p1/auth-pam.h @@ -33,7 +33,7 @@ u_int do_pam_account(void); void do_pam_session(struct ssh *); void do_pam_setcred(int ); @@ -161,11 +161,11 @@ char ** fetch_pam_environment(void); char ** fetch_pam_child_environment(void); void free_pam_environment(char **); -Index: openssh-9.3p2/misc.c +Index: openssh-9.6p1/misc.c =================================================================== ---- openssh-9.3p2.orig/misc.c -+++ openssh-9.3p2/misc.c -@@ -745,6 +745,7 @@ char * +--- openssh-9.6p1.orig/misc.c ++++ openssh-9.6p1/misc.c +@@ -771,6 +771,7 @@ char * colon(char *cp) { int flag = 0; 
@@ -173,7 +173,7 @@ if (*cp == ':') /* Leading colon is part of file name. */ return NULL; -@@ -760,6 +761,13 @@ colon(char *cp) +@@ -786,6 +787,13 @@ colon(char *cp) return (cp); if (*cp == '/') return NULL; @@ -187,10 +187,10 @@ } return NULL; } -Index: openssh-9.3p2/monitor.c +Index: openssh-9.6p1/monitor.c =================================================================== ---- openssh-9.3p2.orig/monitor.c -+++ openssh-9.3p2/monitor.c +--- openssh-9.6p1.orig/monitor.c ++++ openssh-9.6p1/monitor.c @@ -120,6 +120,9 @@ int mm_answer_sign(struct ssh *, int, st int mm_answer_pwnamallow(struct ssh *, int, struct sshbuf *); int mm_answer_auth2_read_banner(struct ssh *, int, struct sshbuf *); @@ -201,7 +201,7 @@ int mm_answer_authpassword(struct ssh *, int, struct sshbuf *); int mm_answer_bsdauthquery(struct ssh *, int, struct sshbuf *); int mm_answer_bsdauthrespond(struct ssh *, int, struct sshbuf *); -@@ -203,6 +206,9 @@ struct mon_table mon_dispatch_proto20[] +@@ -200,6 +203,9 @@ struct mon_table mon_dispatch_proto20[] {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, @@ -211,7 +211,7 @@ {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, #ifdef USE_PAM -@@ -832,6 +838,9 @@ mm_answer_pwnamallow(struct ssh *ssh, in +@@ -834,6 +840,9 @@ mm_answer_pwnamallow(struct ssh *ssh, in /* Allow service/style information on the auth context */ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); @@ -221,7 +221,7 @@ monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); #ifdef USE_PAM -@@ -906,6 +915,26 @@ key_base_type_match(const char *method, +@@ -908,6 +917,26 @@ key_base_type_match(const char *method, return found; } 
@@ -248,7 +248,7 @@ int mm_answer_authpassword(struct ssh *ssh, int sock, struct sshbuf *m) { -@@ -1278,7 +1307,7 @@ monitor_valid_userblob(struct ssh *ssh, +@@ -1280,7 +1309,7 @@ monitor_valid_userblob(struct ssh *ssh, struct sshbuf *b; struct sshkey *hostkey = NULL; const u_char *p; @@ -257,7 +257,7 @@ size_t len; u_char type; int hostbound = 0, r, fail = 0; -@@ -1309,6 +1338,8 @@ monitor_valid_userblob(struct ssh *ssh, +@@ -1311,6 +1340,8 @@ monitor_valid_userblob(struct ssh *ssh, fail++; if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0) fatal_fr(r, "parse userstyle"); @@ -266,7 +266,7 @@ xasprintf(&userstyle, "%s%s%s", authctxt->user, authctxt->style ? ":" : "", authctxt->style ? authctxt->style : ""); -@@ -1359,7 +1390,7 @@ monitor_valid_hostbasedblob(const u_char +@@ -1361,7 +1392,7 @@ monitor_valid_hostbasedblob(const u_char { struct sshbuf *b; const u_char *p; @@ -275,7 +275,7 @@ size_t len; int r, fail = 0; u_char type; -@@ -1380,6 +1411,8 @@ monitor_valid_hostbasedblob(const u_char +@@ -1382,6 +1413,8 @@ monitor_valid_hostbasedblob(const u_char fail++; if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0) fatal_fr(r, "parse userstyle"); @@ -284,10 +284,10 @@ xasprintf(&userstyle, "%s%s%s", authctxt->user, authctxt->style ? ":" : "", authctxt->style ? authctxt->style : ""); -Index: openssh-9.3p2/monitor.h +Index: openssh-9.6p1/monitor.h =================================================================== ---- openssh-9.3p2.orig/monitor.h -+++ openssh-9.3p2/monitor.h +--- openssh-9.6p1.orig/monitor.h ++++ openssh-9.6p1/monitor.h @@ -55,6 +55,10 @@ enum monitor_reqtype { MONITOR_REQ_GSSCHECKMIC = 48, MONITOR_ANS_GSSCHECKMIC = 49, MONITOR_REQ_TERM = 50, 
@@ -299,10 +299,10 @@ MONITOR_REQ_PAM_START = 100, MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103, MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105, -Index: openssh-9.3p2/monitor_wrap.c +Index: openssh-9.6p1/monitor_wrap.c =================================================================== ---- openssh-9.3p2.orig/monitor_wrap.c -+++ openssh-9.3p2/monitor_wrap.c +--- openssh-9.6p1.orig/monitor_wrap.c ++++ openssh-9.6p1/monitor_wrap.c @@ -396,6 +396,27 @@ mm_inform_authserv(char *service, char * sshbuf_free(m); } @@ -331,10 +331,10 @@ /* Do the password authentication */ int mm_auth_password(struct ssh *ssh, char *password) -Index: openssh-9.3p2/monitor_wrap.h +Index: openssh-9.6p1/monitor_wrap.h =================================================================== ---- openssh-9.3p2.orig/monitor_wrap.h -+++ openssh-9.3p2/monitor_wrap.h +--- openssh-9.6p1.orig/monitor_wrap.h ++++ openssh-9.6p1/monitor_wrap.h @@ -49,6 +49,9 @@ int mm_sshkey_sign(struct ssh *, struct const u_char *, size_t, const char *, const char *, const char *, u_int compat); @@ -345,10 +345,10 @@ struct passwd *mm_getpwnamallow(struct ssh *, const char *); char *mm_auth2_read_banner(void); int mm_auth_password(struct ssh *, char *); -Index: openssh-9.3p2/openbsd-compat/Makefile.in +Index: openssh-9.6p1/openbsd-compat/Makefile.in =================================================================== ---- openssh-9.3p2.orig/openbsd-compat/Makefile.in -+++ openssh-9.3p2/openbsd-compat/Makefile.in +--- openssh-9.6p1.orig/openbsd-compat/Makefile.in ++++ openssh-9.6p1/openbsd-compat/Makefile.in @@ -100,7 +100,8 @@ PORTS= port-aix.o \ port-prngd.o \ port-solaris.o \ 
@@ -359,11 +359,11 @@ .c.o: $(CC) $(CFLAGS_NOPIE) $(PICFLAG) $(CPPFLAGS) -c $< -Index: openssh-9.3p2/openbsd-compat/port-linux.c +Index: openssh-9.6p1/openbsd-compat/port-linux.c =================================================================== ---- openssh-9.3p2.orig/openbsd-compat/port-linux.c -+++ openssh-9.3p2/openbsd-compat/port-linux.c -@@ -100,37 +100,6 @@ ssh_selinux_getctxbyname(char *pwname) +--- openssh-9.6p1.orig/openbsd-compat/port-linux.c ++++ openssh-9.6p1/openbsd-compat/port-linux.c +@@ -101,37 +101,6 @@ ssh_selinux_getctxbyname(char *pwname) return sc; } @@ -401,7 +401,7 @@ /* Set the TTY context for the specified user */ void ssh_selinux_setup_pty(char *pwname, const char *tty) -@@ -143,7 +112,11 @@ ssh_selinux_setup_pty(char *pwname, cons +@@ -144,7 +113,11 @@ ssh_selinux_setup_pty(char *pwname, cons debug3("%s: setting TTY context on %s", __func__, tty); @@ -414,10 +414,10 @@ /* XXX: should these calls fatal() upon failure in enforcing mode? */ -Index: openssh-9.3p2/openbsd-compat/port-linux.h +Index: openssh-9.6p1/openbsd-compat/port-linux.h =================================================================== ---- openssh-9.3p2.orig/openbsd-compat/port-linux.h -+++ openssh-9.3p2/openbsd-compat/port-linux.h +--- openssh-9.6p1.orig/openbsd-compat/port-linux.h ++++ openssh-9.6p1/openbsd-compat/port-linux.h @@ -20,9 +20,10 @@ #ifdef WITH_SELINUX int ssh_selinux_enabled(void); @@ -430,10 +430,10 @@ #endif #ifdef LINUX_OOM_ADJUST -Index: openssh-9.3p2/openbsd-compat/port-linux-sshd.c +Index: openssh-9.6p1/openbsd-compat/port-linux-sshd.c =================================================================== --- /dev/null -+++ openssh-9.3p2/openbsd-compat/port-linux-sshd.c ++++ openssh-9.6p1/openbsd-compat/port-linux-sshd.c @@ -0,0 +1,421 @@ +/* + * Copyright (c) 2005 Daniel Walsh <dwa...@redhat.com> 
@@ -856,10 +856,10 @@ +#endif +#endif + -Index: openssh-9.3p2/platform.c +Index: openssh-9.6p1/platform.c =================================================================== ---- openssh-9.3p2.orig/platform.c -+++ openssh-9.3p2/platform.c +--- openssh-9.6p1.orig/platform.c ++++ openssh-9.6p1/platform.c @@ -185,7 +185,7 @@ platform_setusercontext_post_groups(stru } #endif /* HAVE_SETPCRED */ @@ -869,11 +869,11 @@ #endif } -Index: openssh-9.3p2/sshd.c +Index: openssh-9.6p1/sshd.c =================================================================== ---- openssh-9.3p2.orig/sshd.c -+++ openssh-9.3p2/sshd.c -@@ -2388,6 +2388,9 @@ main(int ac, char **av) +--- openssh-9.6p1.orig/sshd.c ++++ openssh-9.6p1/sshd.c +@@ -2387,6 +2387,9 @@ main(int ac, char **av) restore_uid(); } #endif ++++++ openssh-8.0p1-gssapi-keyex.patch ++++++ ++++ 1152 lines (skipped) ++++ between /work/SRC/openSUSE:Factory/openssh/openssh-8.0p1-gssapi-keyex.patch ++++ and /work/SRC/openSUSE:Factory/.openssh.new.1770/openssh-8.0p1-gssapi-keyex.patch ++++++ openssh-9.3p2.tar.gz -> openssh-9.6p1.tar.gz ++++++ ++++ 25370 lines of diff (skipped)
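Review bot: In the auth2.c hunk at `@@ -313,8 +321,15 @@ input_userauth_request`, the refresh is not offset-only: the trailing context after `userauth_banner(ssh);` changed from the `auth2_setup_methods_lists(authctxt)` check to `kex_server_update_ext_info(ssh)` with its `fatal_fr(r, ...)`. The block this patch adds ends with `#endif` and `}` directly in front of `userauth_banner(ssh)`, so please confirm the hunk was re-applied against the 9.6p1 source by hand rather than accepted with fuzz, and mention the manual rebase in the changelog entry so the next refresh knows this hunk needs a second look.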
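Review bot: The `ssh_selinux_setup_pty` hunk in openbsd-compat/port-linux.c (`@@ -144,7 +113,11 @@`) changes the code that follows the `debug3("%s: setting TTY context on %s", __func__, tty);` call, yet it still ends at the comment `/* XXX: should these calls fatal() upon failure in enforcing mode? */`, which the refresh carries forward unanswered. Since this patch replaces how the context is obtained at that point, it should state in a comment next to the new lines what happens when that lookup fails under enforcing mode, instead of leaving the decision to the inherited XXX.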
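Review bot: The monitor.h hunk (`@@ -55,6 +55,10 @@ enum monitor_reqtype`) places its four added lines between `MONITOR_REQ_TERM = 50` and `MONITOR_REQ_PAM_START = 100`, directly after values that the unchanged context shows are already in use (`MONITOR_REQ_GSSCHECKMIC = 48`, `MONITOR_ANS_GSSCHECKMIC = 49`). The hunk applied at the same position this time, but nothing marks the added request types as downstream-only; a short comment on those lines would make a numbering clash with a future upstream request type visible at the next version bump rather than at runtime in the privsep monitor.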
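Review bot: Most changed lines in this refresh are `Index: openssh-9.6p1/...`, `--- openssh-9.6p1.orig/...` and `+++ openssh-9.6p1/...` headers, because the patch embeds the versioned directory name in every file header. Regenerating it with `quilt refresh -p ab --no-index` would give version-independent `a/` and `b/` paths at the same -p1 strip level, so a later update would show only the `@@` offset shifts and the real context changes, such as the `kex_server_update_ext_info` lines in auth2.c, instead of burying them in header churn.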