Hello community,

here is the log from the commit of package openssh for openSUSE:Factory checked in at 2024-07-08 19:06:54
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openssh (Old)
 and /work/SRC/openSUSE:Factory/.openssh.new.2080 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssh" Mon Jul 8 19:06:54 2024 rev:180 rq:1185823 version:9.6p1 Changes: -------- --- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2024-07-02 18:16:21.659224267 +0200 +++ /work/SRC/openSUSE:Factory/.openssh.new.2080/openssh.changes 2024-07-08 19:07:02.296058655 +0200 @@ -1,0 +2,22 @@ +Fri Jul 5 17:49:06 UTC 2024 - Antonio Larrosa <alarr...@suse.com> + +- Add patch from upstream to fix proxy multiplexing mode: + * 0001-upstream-fix-proxy-multiplexing-mode_-broken-when-keystroke.patch +- Add patch from upstream to restore correctly sigprocmask + * 0001-upstream-correctly-restore-sigprocmask-around-ppoll.patch +- Add patch from upstream to fix a logic error in + ObscureKeystrokeTiming that rendered this feature ineffective, + allowing a passive observer to detect which network packets + contained real keystrokes (bsc#1227318, CVE-2024-39894): + * 0001-upstream-when-sending-ObscureKeystrokeTiming-chaff-packets_.patch + +------------------------------------------------------------------- +Wed Jul 3 16:53:53 UTC 2024 - Antonio Larrosa <alarr...@suse.com> + +- Add obsoletes for openssh-server-config-rootlogin since that + package existed for a brief period of time during SLE 15 SP6/ + Leap 15.6 development but even if it was removed from the + repositories before GM, some users might have it in their + systems from having tried a beta/RC release (boo#1227350). + +------------------------------------------------------------------- 
@@ -134 +156,2 @@ - quoting was present in the user-supplied ssh_config(5) directive. + quoting was present in the user-supplied ssh_config(5) directive + (bsc#1218215, CVE-2023-51385). New: ---- 0001-upstream-correctly-restore-sigprocmask-around-ppoll.patch 0001-upstream-fix-proxy-multiplexing-mode_-broken-when-keystroke.patch 0001-upstream-when-sending-ObscureKeystrokeTiming-chaff-packets_.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openssh.spec ++++++ --- /var/tmp/diff_new_pack.EYrqds/_old 2024-07-08 19:07:06.572215042 +0200 +++ /var/tmp/diff_new_pack.EYrqds/_new 2024-07-08 19:07:06.588215627 +0200 
@@ -128,8 +128,14 @@ # PATCH-FIX-OPENSUSE bsc#1211301 Add crypto-policies support Patch107: openssh-9.6p1-crypto-policies.patch Patch108: openssh-9.6p1-crypto-policies-man.patch -# PATCH-FIX-SUSE bsc#1226642 fix CVE-2024-6387 +# PATCH-FIX-UPSTREAM bsc#1226642 fix CVE-2024-6387 Patch109: fix-CVE-2024-6387.patch +# PATCH-FIX-UPSTREAM +Patch110: 0001-upstream-fix-proxy-multiplexing-mode_-broken-when-keystroke.patch +# PATCH-FIX-UPSTREAM +Patch111: 0001-upstream-correctly-restore-sigprocmask-around-ppoll.patch +# PATCH-FIX-UPSTREAM bsc#1227318 CVE-2024-39894 +Patch112: 0001-upstream-when-sending-ObscureKeystrokeTiming-chaff-packets_.patch %if 0%{with allow_root_password_login_by_default} Patch1000: openssh-7.7p1-allow_root_password_login.patch %endif @@ -204,6 +210,12 @@ Requires(post): %fillup_prereq Requires(post): permissions Provides: openssh:%{_sbindir}/sshd +%if 0%{with allow_root_password_login_by_default} +# For a brief period of time this package existed in SLE/Leap. +# It was removed before GM but some people might have it from +# a beta distribution version (boo#1227350) +Obsoletes: openssh-server-config-rootlogin <= %{version} +%endif %sysusers_requires %description server ++++++ 0001-upstream-correctly-restore-sigprocmask-around-ppoll.patch ++++++ >From 66aaa678dbe59aa21d0d9d89a3596ecedde0254b Mon Sep 17 00:00:00 2001 From: "d...@openbsd.org" <d...@openbsd.org> Date: Tue, 30 Apr 2024 02:14:10 +0000 Subject: [PATCH] upstream: correctly restore sigprocmask around ppoll() reported MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit by Tõivo Leedjärv; ok deraadt@ OpenBSD-Commit-ID: c0c0f89de5294a166578f071eade2501929c4686 --- clientloop.c | 4 ++-- serverloop.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/clientloop.c b/clientloop.c index be8bb5fc1f2..8ea2ada4216 100644 --- a/clientloop.c 
+++ b/clientloop.c #@@ -1,4 +1,4 @@ #-/* $OpenBSD: clientloop.c,v 1.404 2024/04/30 02:10:49 djm Exp $ */ #+/* $OpenBSD: clientloop.c,v 1.405 2024/04/30 02:14:10 djm Exp $ */ # /* # * Author: Tatu Ylonen <y...@cs.hut.fi> # * Copyright (c) 1995 Tatu Ylonen <y...@cs.hut.fi>, Espoo, Finland @@ -1585,7 +1585,7 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg, client_wait_until_can_do_something(ssh, &pfd, &npfd_alloc, &npfd_active, channel_did_enqueue, &osigset, &conn_in_ready, &conn_out_ready); - if (sigprocmask(SIG_UNBLOCK, &bsigset, &osigset) == -1) + if (sigprocmask(SIG_SETMASK, &osigset, NULL) == -1) error_f("osigset sigprocmask: %s", strerror(errno)); if (quit_pending) diff --git a/serverloop.c b/serverloop.c index f3683c2e4a6..94c8943a616 100644 --- a/serverloop.c +++ b/serverloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: serverloop.c,v 1.237 2023/08/21 04:59:54 djm Exp $ */ +/* $OpenBSD: serverloop.c,v 1.238 2024/04/30 02:14:10 djm Exp $ */ /* * Author: Tatu Ylonen <y...@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <y...@cs.hut.fi>, Espoo, Finland @@ -380,7 +380,7 @@ server_loop2(struct ssh *ssh, Authctxt *authctxt) wait_until_can_do_something(ssh, connection_in, connection_out, &pfd, &npfd_alloc, &npfd_active, &osigset, &conn_in_ready, &conn_out_ready); - if (sigprocmask(SIG_UNBLOCK, &bsigset, &osigset) == -1) + if (sigprocmask(SIG_SETMASK, &osigset, NULL) == -1) error_f("osigset sigprocmask: %s", strerror(errno)); if (received_sigterm) { ++++++ 0001-upstream-fix-proxy-multiplexing-mode_-broken-when-keystroke.patch ++++++ >From 9844aa2521ccfb1a2d73745680327b79e0574445 Mon Sep 17 00:00:00 2001 From: "d...@openbsd.org" <d...@openbsd.org> Date: Wed, 21 Feb 2024 05:57:34 +0000 Subject: [PATCH] upstream: fix proxy multiplexing mode, broken when keystroke timing obfuscation was added. GHPR#463 from montag451 OpenBSD-Commit-ID: 4e412d59b3f557d431f1d81c715a3bc0491cc677 --- clientloop.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/clientloop.c b/clientloop.c index eb4902905fb..8ec36af94b3 100644 --- a/clientloop.c +++ b/clientloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.c,v 1.402 2023/11/24 00:31:30 dtucker Exp $ */ +/* $OpenBSD: clientloop.c,v 1.403 2024/02/21 05:57:34 djm Exp $ */ /* * Author: Tatu Ylonen <y...@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <y...@cs.hut.fi>, Espoo, Finland @@ -517,7 +517,7 @@ send_chaff(struct ssh *ssh) { int r; - if ((ssh->kex->flags & KEX_HAS_PING) == 0) + if (ssh->kex == NULL || (ssh->kex->flags & KEX_HAS_PING) == 0) return 0; /* XXX probabilistically send chaff? */ /* ++++++ 0001-upstream-when-sending-ObscureKeystrokeTiming-chaff-packets_.patch ++++++ >From 146c420d29d055cc75c8606327a1cf8439fe3a08 Mon Sep 17 00:00:00 2001 From: "d...@openbsd.org" <d...@openbsd.org> Date: Mon, 1 Jul 2024 04:31:17 +0000 Subject: [PATCH] upstream: when sending ObscureKeystrokeTiming chaff packets, we can't rely on channel_did_enqueue to tell that there is data to send. This flag indicates that the channels code enqueued a packet on _this_ ppoll() iteration, not that data was enqueued in _any_ ppoll() iteration in the timeslice. ok markus@ OpenBSD-Commit-ID: 009b74fd2769b36b5284a0188ade182f00564136 --- clientloop.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/clientloop.c b/clientloop.c index 0b6f3c9be02..8ed8b1c3449 100644 --- a/clientloop.c +++ b/clientloop.c #@@ -1,4 +1,4 @@ #-/* $OpenBSD: clientloop.c,v 1.407 2024/05/17 06:42:04 jsg Exp $ */ #+/* $OpenBSD: clientloop.c,v 1.408 2024/07/01 04:31:17 djm Exp $ */ # /* # * Author: Tatu Ylonen <y...@cs.hut.fi> # * Copyright (c) 1995 Tatu Ylonen <y...@cs.hut.fi>, Espoo, Finland 
@@ -607,8 +607,9 @@ obfuscate_keystroke_timing(struct ssh *ssh, struct timespec *timeout, if (timespeccmp(&now, &chaff_until, >=)) { /* Stop if there have been no keystrokes for a while */ stop_reason = "chaff time expired"; - } else if (timespeccmp(&now, &next_interval, >=)) { - /* Otherwise if we were due to send, then send chaff */ + } else if (timespeccmp(&now, &next_interval, >=) && + !ssh_packet_have_data_to_write(ssh)) { + /* If due to send but have no data, then send chaff */ if (send_chaff(ssh)) nchaff++; }
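Review bot: In the openssh.spec hunk at @@ -128,8 +128,14 @@, Patch110 and Patch111 are tagged with a bare "# PATCH-FIX-UPSTREAM", while Patch109 and Patch112 carry a bsc number and a CVE. Please add a short description or the OpenBSD-Commit-ID from each patch header (4e412d59b3f557d431f1d81c715a3bc0491cc677 and c0c0f89de5294a166578f071eade2501929c4686) so the origin of each patch can be traced from the spec file alone.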
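Review bot: In the openssh.spec hunk at @@ -204,6 +210,12 @@, the new Obsoletes sits inside "%if 0%{with allow_root_password_login_by_default}", so a build without that option does not obsolete openssh-server-config-rootlogin. The changelog entry says some users may still have that package from a beta/RC release; if such users can receive a build without the option, the Obsoletes should be unconditional, and if not, the comment above it should say why it is tied to this option.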
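Review bot: In the clientloop.c hunk at @@ -1585,7 +1585,7 @@ (and the identical serverloop.c change at @@ -380,7 +380,7 @@), SIG_SETMASK now installs osigset as the entire signal mask, so osigset has to be filled in on every path through client_wait_until_can_do_something() and wait_until_can_do_something() before this call. Please confirm that, or initialise osigset before the loop. The removed call passed &osigset as the old-mask output argument, which overwrote the saved mask instead of restoring it; a one-line comment above the new call stating that it restores the saved mask would help keep this from regressing.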
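Review bot: The $OpenBSD ident hunk at @@ -1,4 +1,4 @@ in serverloop.c is still live, while the ident hunk for clientloop.c in the same patch is commented out with "#". The serverloop.c hunk applies only if the packaged file carries revision 1.237 exactly; for consistency, comment it out as well, or note in the spec why it is kept.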
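Review bot: In the send_chaff() hunk at @@ -517,7 +517,7 @@ of 0001-upstream-fix-proxy-multiplexing-mode_-broken-when-keystroke.patch, the new "ssh->kex == NULL" test has no comment saying when kex can be NULL. The commit subject ties it to proxy multiplexing mode; a short comment to that effect at the check would document why returning 0 (no chaff sent) is the intended result there.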
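Review bot: In the obfuscate_keystroke_timing() hunk at @@ -607,8 +607,9 @@, when the interval is due but ssh_packet_have_data_to_write(ssh) is true, no branch visible in this hunk runs, and the hunk does not show whether next_interval is still advanced on that path. Please check that the code after this if/else-if chain handles it. The new comment reads "If due to send but have no data, then send chaff"; it is worth adding the reason given in the commit message, that channel_did_enqueue only reflects the current ppoll() iteration, since this condition is the fix for CVE-2024-39894.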