commit openssh for openSUSE:Factory

2024-07-08 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package openssh for openSUSE:Factory checked 
in at 2024-07-08 19:06:54

Comparing /work/SRC/openSUSE:Factory/openssh (Old)
 and  /work/SRC/openSUSE:Factory/.openssh.new.2080 (New)


Package is "openssh"

Mon Jul  8 19:06:54 2024 rev:180 rq:1185823 version:9.6p1

Changes:

--- /work/SRC/openSUSE:Factory/openssh/openssh.changes  2024-07-02 
18:16:21.659224267 +0200
+++ /work/SRC/openSUSE:Factory/.openssh.new.2080/openssh.changes
2024-07-08 19:07:02.296058655 +0200
@@ -1,0 +2,22 @@
+Fri Jul  5 17:49:06 UTC 2024 - Antonio Larrosa 
+
+- Add patch from upstream to fix proxy multiplexing mode:
+  * 0001-upstream-fix-proxy-multiplexing-mode_-broken-when-keystroke.patch
+- Add patch from upstream to restore correctly sigprocmask
+  * 0001-upstream-correctly-restore-sigprocmask-around-ppoll.patch
+- Add patch from upstream to fix a logic error in
+  ObscureKeystrokeTiming that rendered this feature ineffective,
+  allowing a passive observer to detect which network packets
+  contained real keystrokes (bsc#1227318, CVE-2024-39894):
+  * 0001-upstream-when-sending-ObscureKeystrokeTiming-chaff-packets_.patch
+
+---
+Wed Jul  3 16:53:53 UTC 2024 - Antonio Larrosa 
+
+- Add obsoletes for openssh-server-config-rootlogin since that
+  package existed for a brief period of time during SLE 15 SP6/
+  Leap 15.6 development but even if it was removed from the
+  repositories before GM, some users might have it in their
+  systems from having tried a beta/RC release (boo#1227350).
+
+---
@@ -134 +156,2 @@
-quoting was present in the user-supplied ssh_config(5) directive.
+quoting was present in the user-supplied ssh_config(5) directive
+(bsc#1218215, CVE-2023-51385).

New:

  0001-upstream-correctly-restore-sigprocmask-around-ppoll.patch
  0001-upstream-fix-proxy-multiplexing-mode_-broken-when-keystroke.patch
  0001-upstream-when-sending-ObscureKeystrokeTiming-chaff-packets_.patch

BETA DEBUG BEGIN:
  New:/work/SRC/openSUSE:Factory/.openssh.new.2080/openssh.changes-- Add patch 
from upstream to restore correctly sigprocmask
/work/SRC/openSUSE:Factory/.openssh.new.2080/openssh.changes:  * 
0001-upstream-correctly-restore-sigprocmask-around-ppoll.patch
/work/SRC/openSUSE:Factory/.openssh.new.2080/openssh.changes-- Add patch from 
upstream to fix a logic error in
  New:/work/SRC/openSUSE:Factory/.openssh.new.2080/openssh.changes-- Add patch 
from upstream to fix proxy multiplexing mode:
/work/SRC/openSUSE:Factory/.openssh.new.2080/openssh.changes:  * 
0001-upstream-fix-proxy-multiplexing-mode_-broken-when-keystroke.patch
/work/SRC/openSUSE:Factory/.openssh.new.2080/openssh.changes-- Add patch from 
upstream to restore correctly sigprocmask
  New:/work/SRC/openSUSE:Factory/.openssh.new.2080/openssh.changes-  contained 
real keystrokes (bsc#1227318, CVE-2024-39894):
/work/SRC/openSUSE:Factory/.openssh.new.2080/openssh.changes:  * 
0001-upstream-when-sending-ObscureKeystrokeTiming-chaff-packets_.patch
/work/SRC/openSUSE:Factory/.openssh.new.2080/openssh.changes-
BETA DEBUG END:



Other differences:
--
++ openssh.spec ++
--- /var/tmp/diff_new_pack.EYrqds/_old  2024-07-08 19:07:06.572215042 +0200
+++ /var/tmp/diff_new_pack.EYrqds/_new  2024-07-08 19:07:06.588215627 +0200
@@ -128,8 +128,14 @@
 # PATCH-FIX-OPENSUSE bsc#1211301 Add crypto-policies support
 Patch107:   openssh-9.6p1-crypto-policies.patch
 Patch108:   openssh-9.6p1-crypto-policies-man.patch
-# PATCH-FIX-SUSE bsc#1226642 fix CVE-2024-6387
+# PATCH-FIX-UPSTREAM bsc#1226642 fix CVE-2024-6387
 Patch109:   fix-CVE-2024-6387.patch
+# PATCH-FIX-UPSTREAM 
+Patch110:   
0001-upstream-fix-proxy-multiplexing-mode_-broken-when-keystroke.patch
+# PATCH-FIX-UPSTREAM 
+Patch111:   0001-upstream-correctly-restore-sigprocmask-around-ppoll.patch
+# PATCH-FIX-UPSTREAM bsc#1227318 CVE-2024-39894
+Patch112:   
0001-upstream-when-sending-ObscureKeystrokeTiming-chaff-packets_.patch
 %if 0%{with allow_root_password_login_by_default}
 Patch1000:  openssh-7.7p1-allow_root_password_login.patch
 %endif
@@ -204,6 +210,12 @@
 Requires(post): %fillup_prereq
 Requires(post): permissions
 Provides:   openssh:%{_sbindir}/sshd
+%if 0%{with allow_root_password_login_by_default}
+# For a brief period of time this package existed in SLE/Leap.
+# It was removed before GM but some people might have it from
+# a beta distribution version (boo#1227350)
+Obsoletes:  openssh-server-config-rootlogin <= %{version}
+%endif
 %sysusers_requires
 
 %description server

++ 

commit openssh for openSUSE:Factory

2024-07-02 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package openssh for openSUSE:Factory checked 
in at 2024-07-02 18:16:12

Comparing /work/SRC/openSUSE:Factory/openssh (Old)
 and  /work/SRC/openSUSE:Factory/.openssh.new.18349 (New)


Package is "openssh"

Tue Jul  2 18:16:12 2024 rev:179 rq:1184302 version:9.6p1

Changes:

--- /work/SRC/openSUSE:Factory/openssh/openssh.changes  2024-06-10 
17:37:10.697934828 +0200
+++ /work/SRC/openSUSE:Factory/.openssh.new.18349/openssh.changes   
2024-07-02 18:16:21.659224267 +0200
@@ -1,0 +2,7 @@
+Mon Jul  1 07:50:28 UTC 2024 - Antonio Larrosa 
+
+- Add patch to fix a race condition in a signal handler by removing
+  the async-signal-unsafe code (CVE-2024-6387, bsc#1226642):
+  * fix-CVE-2024-6387.patch
+
+---

New:

  fix-CVE-2024-6387.patch

BETA DEBUG BEGIN:
  New:/work/SRC/openSUSE:Factory/.openssh.new.18349/openssh.changes-  the 
async-signal-unsafe code (CVE-2024-6387, bsc#1226642):
/work/SRC/openSUSE:Factory/.openssh.new.18349/openssh.changes:  * 
fix-CVE-2024-6387.patch
/work/SRC/openSUSE:Factory/.openssh.new.18349/openssh.changes-
BETA DEBUG END:



Other differences:
--
++ openssh.spec ++
--- /var/tmp/diff_new_pack.nOfU2N/_old  2024-07-02 18:16:23.007273597 +0200
+++ /var/tmp/diff_new_pack.nOfU2N/_new  2024-07-02 18:16:23.011273743 +0200
@@ -128,6 +128,8 @@
 # PATCH-FIX-OPENSUSE bsc#1211301 Add crypto-policies support
 Patch107:   openssh-9.6p1-crypto-policies.patch
 Patch108:   openssh-9.6p1-crypto-policies-man.patch
+# PATCH-FIX-SUSE bsc#1226642 fix CVE-2024-6387
+Patch109:   fix-CVE-2024-6387.patch
 %if 0%{with allow_root_password_login_by_default}
 Patch1000:  openssh-7.7p1-allow_root_password_login.patch
 %endif

++ fix-CVE-2024-6387.patch ++
Index: openssh-9.6p1/log.c
===
--- openssh-9.6p1.orig/log.c
+++ openssh-9.6p1/log.c
@@ -451,12 +451,14 @@ void
 sshsigdie(const char *file, const char *func, int line, int showfunc,
 LogLevel level, const char *suffix, const char *fmt, ...)
 {
+#if 0
va_list args;
 
va_start(args, fmt);
sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
suffix, fmt, args);
va_end(args);
+#endif
_exit(1);
 }
 


commit openssh for openSUSE:Factory

2024-06-10 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package openssh for openSUSE:Factory checked 
in at 2024-06-10 17:37:06

Comparing /work/SRC/openSUSE:Factory/openssh (Old)
 and  /work/SRC/openSUSE:Factory/.openssh.new.19518 (New)


Package is "openssh"

Mon Jun 10 17:37:06 2024 rev:178 rq:1179624 version:9.6p1

Changes:

--- /work/SRC/openSUSE:Factory/openssh/openssh.changes  2024-05-17 
20:04:08.961185171 +0200
+++ /work/SRC/openSUSE:Factory/.openssh.new.19518/openssh.changes   
2024-06-10 17:37:10.697934828 +0200
@@ -1,0 +2,7 @@
+Mon Jun 10 07:10:48 UTC 2024 - Antonio Larrosa 
+
+- Add #include  in some files added by the ldap patch to
+  fix build with gcc14 (boo#1225904).
+  * openssh-7.7p1-ldap.patch
+
+---



Other differences:
--
openssh.spec: same change
++ openssh-7.7p1-ldap.patch ++
--- /var/tmp/diff_new_pack.z3rcQd/_old  2024-06-10 17:37:12.421999092 +0200
+++ /var/tmp/diff_new_pack.z3rcQd/_new  2024-06-10 17:37:12.425999241 +0200
@@ -335,7 +335,7 @@
 ===
 --- /dev/null
 +++ openssh-8.9p1/ldap-helper.c
-@@ -0,0 +1,155 @@
+@@ -0,0 +1,156 @@
 +/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
 + * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
@@ -369,6 +369,7 @@
 +#include "ldapbody.h"
 +#include 
 +#include 
++#include 
 +
 +static int config_debug = 0;
 +int config_exclusive_config_file = 0;
@@ -1175,7 +1176,7 @@
 ===
 --- /dev/null
 +++ openssh-8.9p1/ldapconf.c
-@@ -0,0 +1,711 @@
+@@ -0,0 +1,712 @@
 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
 + * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
@@ -1209,6 +1210,7 @@
 +#include "ldapconf.h"
 +#include 
 +#include 
++#include 
 +
 +/* Keyword tokens. */
 +


commit openssh for openSUSE:Factory

2024-05-17 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package openssh for openSUSE:Factory checked 
in at 2024-05-17 20:03:57

Comparing /work/SRC/openSUSE:Factory/openssh (Old)
 and  /work/SRC/openSUSE:Factory/.openssh.new.1880 (New)


Package is "openssh"

Fri May 17 20:03:57 2024 rev:177 rq:1174781 version:9.6p1

Changes:

--- /work/SRC/openSUSE:Factory/openssh/openssh.changes  2024-05-17 
09:34:05.056230116 +0200
+++ /work/SRC/openSUSE:Factory/.openssh.new.1880/openssh.changes
2024-05-17 20:04:08.961185171 +0200
@@ -1,0 +2,31 @@
+Fri May 17 07:45:38 UTC 2024 - Antonio Larrosa 
+
+- Remove the recommendation for openssh-server-config-rootlogin
+  from openssh-server. Since the default for that config option
+  was changed in SLE it's not needed anymore in SLE nor in TW
+  (boo#1224392).
+
+---
+Tue May 14 19:29:05 UTC 2024 - Antonio Larrosa 
+
+- Add a warning in %post of openssh-clients, openssh-server and 
+  openssh-server-config-disallow-rootlogin to warn the user if
+  the /etc/ssh/(ssh_config.d|sshd_config.d) directories are not
+  being used (bsc#1223486).
+
+---
+Mon May 13 15:27:37 UTC 2024 - Antonio Larrosa 
+
+- Only for SLE15, restore the patch file removed in
+  Thu Feb 18 13:54:44 UTC 2021 to restore the previous behaviour
+  from SP5 of having root password login allowed by default
+  (fixes bsc#1223486, related to bsc#1173067):
+  * openssh-7.7p1-allow_root_password_login.patch
+- Since the default value for this config option is now set to
+  permit root to use password logins in SLE15, the
+  openssh-server-config-rootlogin subpackage isn't useful there so 
+  we now create an openssh-server-config-disallow-rootlogin
+  subpackage that sets the configuration the other way around
+  than openssh-server-config-rootlogin.
+
+---

New:

  openssh-7.7p1-allow_root_password_login.patch

BETA DEBUG BEGIN:
  New:/work/SRC/openSUSE:Factory/.openssh.new.1880/openssh.changes-  (fixes 
bsc#1223486, related to bsc#1173067):
/work/SRC/openSUSE:Factory/.openssh.new.1880/openssh.changes:  * 
openssh-7.7p1-allow_root_password_login.patch
/work/SRC/openSUSE:Factory/.openssh.new.1880/openssh.changes-- Since the 
default value for this config option is now set to
BETA DEBUG END:



Other differences:
--
++ openssh.spec ++
--- /var/tmp/diff_new_pack.eBFEPV/_old  2024-05-17 20:04:11.505277099 +0200
+++ /var/tmp/diff_new_pack.eBFEPV/_new  2024-05-17 20:04:11.505277099 +0200
@@ -28,8 +28,10 @@
 
 %if 0%{?suse_version} >= 1550
 %bcond_without wtmpdb
+%bcond_with allow_root_password_login_by_default
 %else
 %bcond_with wtmpdb
+%bcond_without allow_root_password_login_by_default
 %endif
 
 #Compat macro for new _fillupdir macro introduced in Nov 2017
@@ -126,6 +128,9 @@
 # PATCH-FIX-OPENSUSE bsc#1211301 Add crypto-policies support
 Patch107:   openssh-9.6p1-crypto-policies.patch
 Patch108:   openssh-9.6p1-crypto-policies-man.patch
+%if 0%{with allow_root_password_login_by_default}
+Patch1000:  openssh-7.7p1-allow_root_password_login.patch
+%endif
 BuildRequires:  audit-devel
 BuildRequires:  automake
 BuildRequires:  groff
@@ -192,9 +197,6 @@
 Requires:   %{name}-common = %{version}-%{release}
 Requires:   crypto-policies >= 20220824
 Recommends: audit
-%if 0%{?suse_version} == 1500
-Recommends: openssh-server-config-rootlogin
-%endif
 Requires(pre):  findutils
 Requires(pre):  grep
 Requires(post): %fillup_prereq
@@ -214,16 +216,31 @@
 This package contains the Secure Shell daemon, which allows clients to
 securely connect to your server.
 
+%if 0%{with allow_root_password_login_by_default}
+%package server-config-disallow-rootlogin
+Summary:Config to disallow password root logins to sshd
+Group:  Productivity/Networking/SSH
+Requires:   %{name}-server = %{version}-%{release}
+Conflicts:  %{name}-server-config-rootlogin
+
+%description server-config-disallow-rootlogin
+The openssh-server package by default allows password based
+root logins. This package provides a config that disallows root
+to log in using the passwor. It's useful to secure your system
+preventing password attacks on the root account over ssh.
+%else
 %package server-config-rootlogin
 Summary:Config to permit root logins to sshd
 Group:  Productivity/Networking/SSH
 Requires:   %{name}-server = %{version}-%{release}
+Conflicts:  %{name}-server-config-disallow-rootlogin
 
 %description server-config-rootlogin
 The openssh-server package by default disallows password based
 root 

commit openssh for openSUSE:Factory

2024-05-15 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package openssh for openSUSE:Factory checked 
in at 2024-05-15 21:25:44

Comparing /work/SRC/openSUSE:Factory/openssh (Old)
 and  /work/SRC/openSUSE:Factory/.openssh.new.1880 (New)


Package is "openssh"

Wed May 15 21:25:44 2024 rev:175 rq:1173885 version:9.6p1

Changes:

--- /work/SRC/openSUSE:Factory/openssh/openssh.changes  2024-04-16 
20:03:49.228397724 +0200
+++ /work/SRC/openSUSE:Factory/.openssh.new.1880/openssh.changes
2024-05-15 21:26:04.472458037 +0200
@@ -1,0 +2,15 @@
+Mon May 13 15:27:37 UTC 2024 - Antonio Larrosa 
+
+- Only for SLE15, restore the patch file removed in
+  Thu Feb 18 13:54:44 UTC 2021 to restore the previous behaviour
+  from SP5 of having root password login allowed by default
+  (fixes bsc#1223486, related to bsc#1173067):
+  * openssh-7.7p1-allow_root_password_login.patch
+- Since the default value for this config option is now set to
+  permit root to use password logins in SLE15, the
+  openssh-server-config-rootlogin subpackage isn't useful there so 
+  we now create an openssh-server-config-disallow-rootlogin
+  subpackage that sets the configuration the other way around
+  than openssh-server-config-rootlogin.
+
+---

New:

  openssh-7.7p1-allow_root_password_login.patch

BETA DEBUG BEGIN:
  New:/work/SRC/openSUSE:Factory/.openssh.new.1880/openssh.changes-  (fixes 
bsc#1223486, related to bsc#1173067):
/work/SRC/openSUSE:Factory/.openssh.new.1880/openssh.changes:  * 
openssh-7.7p1-allow_root_password_login.patch
/work/SRC/openSUSE:Factory/.openssh.new.1880/openssh.changes-- Since the 
default value for this config option is now set to
BETA DEBUG END:



Other differences:
--
++ openssh.spec ++
--- /var/tmp/diff_new_pack.Ia1IW1/_old  2024-05-15 21:26:05.764504802 +0200
+++ /var/tmp/diff_new_pack.Ia1IW1/_new  2024-05-15 21:26:05.768504947 +0200
@@ -28,8 +28,10 @@
 
 %if 0%{?suse_version} >= 1550
 %bcond_without wtmpdb
+%bcond_with allow_root_password_login_by_default
 %else
 %bcond_with wtmpdb
+%bcond_without allow_root_password_login_by_default
 %endif
 
 #Compat macro for new _fillupdir macro introduced in Nov 2017
@@ -126,6 +128,9 @@
 # PATCH-FIX-OPENSUSE bsc#1211301 Add crypto-policies support
 Patch107:   openssh-9.6p1-crypto-policies.patch
 Patch108:   openssh-9.6p1-crypto-policies-man.patch
+%if 0%{with allow_root_password_login_by_default}
+Patch1000:  openssh-7.7p1-allow_root_password_login.patch
+%endif
 BuildRequires:  audit-devel
 BuildRequires:  automake
 BuildRequires:  groff
@@ -192,7 +197,7 @@
 Requires:   %{name}-common = %{version}-%{release}
 Requires:   crypto-policies >= 20220824
 Recommends: audit
-%if 0%{?suse_version} == 1500
+%if 0%{without allow_root_password_login_by_default}
 Recommends: openssh-server-config-rootlogin
 %endif
 Requires(pre):  findutils
@@ -214,16 +219,31 @@
 This package contains the Secure Shell daemon, which allows clients to
 securely connect to your server.
 
+%if 0%{with allow_root_password_login_by_default}
+%package server-config-disallow-rootlogin
+Summary:Config to disallow password root logins to sshd
+Group:  Productivity/Networking/SSH
+Requires:   %{name}-server = %{version}-%{release}
+Conflicts:  %{name}-server-config-rootlogin
+
+%description server-config-disallow-rootlogin
+The openssh-server package by default allows password based
+root logins. This package provides a config that disallows root
+to log in using the passwor. It's useful to secure your system
+preventing password attacks on the root account over ssh.
+%else
 %package server-config-rootlogin
 Summary:Config to permit root logins to sshd
 Group:  Productivity/Networking/SSH
 Requires:   %{name}-server = %{version}-%{release}
+Conflicts:  %{name}-server-config-disallow-rootlogin
 
 %description server-config-rootlogin
 The openssh-server package by default disallows password based
 root logins. This package provides a config that does. It's useful
 to temporarily have a password based login to be able to use
 ssh-copy-id(1).
+%endif
 
 %package clients
 Summary:SSH (Secure Shell) client applications
@@ -369,7 +389,11 @@
 install -m 644 contrib/ssh-copy-id.1 %{buildroot}%{_mandir}/man1
 sed -i -e s@%{_prefix}/libexec@%{_libexecdir}@g 
%{buildroot}%{_sysconfdir}/ssh/sshd_config
 
+%if 0%{with allow_root_password_login_by_default}
+echo "PermitRootLogin prohibit-password" > 
%{buildroot}%{_sysconfdir}/ssh/sshd_config.d/51-permit-root-login.conf
+%else
 echo "PermitRootLogin yes" > 
%{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf

commit openssh for openSUSE:Factory

2024-04-14 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package openssh for openSUSE:Factory checked 
in at 2024-04-14 11:53:40

Comparing /work/SRC/openSUSE:Factory/openssh (Old)
 and  /work/SRC/openSUSE:Factory/.openssh.new.26366 (New)


Package is "openssh"

Sun Apr 14 11:53:40 2024 rev:173 rq:1166980 version:9.6p1

Changes:

--- /work/SRC/openSUSE:Factory/openssh/openssh.changes  2024-04-08 
17:37:59.570053154 +0200
+++ /work/SRC/openSUSE:Factory/.openssh.new.26366/openssh.changes   
2024-04-14 11:53:50.985753374 +0200
@@ -1,0 +2,5 @@
+Thu Apr 11 06:35:21 UTC 2024 - Arnav Singh 
+
+- Fix duplicate loading of dropins. (boo#1222467)
+
+---



Other differences:
--
openssh.spec: same change
++ openssh-9.6p1-crypto-policies.patch ++
--- /var/tmp/diff_new_pack.o7vTap/_old  2024-04-14 11:53:52.765818457 +0200
+++ /var/tmp/diff_new_pack.o7vTap/_new  2024-04-14 11:53:52.765818457 +0200
@@ -29,21 +29,6 @@
 +# Uncomment this if you want to use .local domain
 +# Host *.local
 +
-Index: openssh-9.6p1/sshd_config
-===
 openssh-9.6p1.orig/sshd_config
-+++ openssh-9.6p1/sshd_config
-@@ -17,6 +17,10 @@ Include /etc/ssh/sshd_config.d/*.conf
- # default value.
- Include /usr/etc/ssh/sshd_config.d/*.conf
- 
-+# To modify the system-wide sshd configuration, create a  *.conf  file under
-+#  /etc/ssh/sshd_config.d/  which will be automatically included below
-+Include /etc/ssh/sshd_config.d/*.conf
-+
- #Port 22
- #AddressFamily any
- #ListenAddress 0.0.0.0
 Index: openssh-9.6p1/sshd_config_suse_cp
 ===
 --- /dev/null


commit openssh for openSUSE:Factory

2024-04-08 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package openssh for openSUSE:Factory checked 
in at 2024-04-08 17:37:41

Comparing /work/SRC/openSUSE:Factory/openssh (Old)
 and  /work/SRC/openSUSE:Factory/.openssh.new.1905 (New)


Package is "openssh"

Mon Apr  8 17:37:41 2024 rev:172 rq:1166157 version:9.6p1

Changes:

--- /work/SRC/openSUSE:Factory/openssh/openssh.changes  2024-04-04 
22:25:29.305609598 +0200
+++ /work/SRC/openSUSE:Factory/.openssh.new.1905/openssh.changes
2024-04-08 17:37:59.570053154 +0200
@@ -1,0 +2,23 @@
+Fri Apr  5 11:10:18 UTC 2024 - Antonio Larrosa 
+
+- Add missing bugzilla/CVE references to the changelog
+
+---
+Thu Apr  4 12:23:13 UTC 2024 - Antonio Larrosa 
+
+- Add patch from SLE which was missing in Factory:
+  * Mon Jun  7 20:54:09 UTC 2021 - Hans Petter Jansson 
+- Add openssh-mitigate-lingering-secrets.patch (bsc#1186673), which
+  attempts to mitigate instances of secrets lingering in memory
+  after a session exits. (bsc#1213004 bsc#1213008) 
+- Rebase patch:
+  * openssh-6.6p1-privsep-selinux.patch
+
+---
+Tue Apr  2 13:07:43 UTC 2024 - Martin Sirringhaus 
+   
+- Rebase openssh-7.7p1-fips.patch (bsc#1221928) 
+  Remove OPENSSL_HAVE_EVPGCM-ifdef, which is no longer supported by
+  upstream
+
+---
@@ -30 +53,2 @@
-would not be able to detect that messages were deleted.
+would not be able to detect that messages were deleted
+(bsc#1217950, CVE-2023-48795).
@@ -282 +306 @@
-- Update to openssh 9.3p2 (bsc#1213504, CVE-2023-38408):
+- Update to openssh 9.3p2:
@@ -286 +310 @@
-  Fix CVE-2023-38408 - a condition where specific libaries loaded via
+  Fix a condition where specific libaries loaded via
@@ -289 +313 @@
-  conditions are met:
+  conditions are met (bsc#1213504, CVE-2023-38408):
@@ -1045 +1069 @@
-gain unintended privilege.
+gain unintended privilege (bsc#1190975, CVE-2021-41617).
@@ -1244 +1268 @@
-with access to the agent socket.
+with access to the agent socket (bsc#1183137, CVE-2021-28041)
@@ -2273 +2297,3 @@
-  * openssh-7.7p1-fips_checks.patch
+  * openssh-7.7p1-fips_checks.patch . Close the right
+filedescriptor to avoid fd leads, and also close fdh in
+read_hmac (bsc#1209536).

New:

  openssh-mitigate-lingering-secrets.patch

BETA DEBUG BEGIN:
  New:/work/SRC/openSUSE:Factory/.openssh.new.1905/openssh.changes-  * Mon Jun  
7 20:54:09 UTC 2021 - Hans Petter Jansson 
/work/SRC/openSUSE:Factory/.openssh.new.1905/openssh.changes:- Add 
openssh-mitigate-lingering-secrets.patch (bsc#1186673), which
/work/SRC/openSUSE:Factory/.openssh.new.1905/openssh.changes-  attempts to 
mitigate instances of secrets lingering in memory
BETA DEBUG END:



Other differences:
--
++ openssh.spec ++
--- /var/tmp/diff_new_pack.VpsQer/_old  2024-04-08 17:38:06.902323789 +0200
+++ /var/tmp/diff_new_pack.VpsQer/_new  2024-04-08 17:38:06.902323789 +0200
@@ -116,6 +116,7 @@
 Patch50:openssh-openssl-3.patch
 Patch51:wtmpdb.patch
 Patch52:logind_set_tty.patch
+Patch54:openssh-mitigate-lingering-secrets.patch
 Patch100:   fix-missing-lz.patch
 Patch102:   openssh-7.8p1-role-mls.patch
 Patch103:   openssh-6.6p1-privsep-selinux.patch

++ openssh-6.6p1-privsep-selinux.patch ++
--- /var/tmp/diff_new_pack.VpsQer/_old  2024-04-08 17:38:06.986326890 +0200
+++ /var/tmp/diff_new_pack.VpsQer/_new  2024-04-08 17:38:06.990327037 +0200
@@ -114,7 +114,7 @@
if (privsep_chroot) {
/* Change our root directory */
 @@ -602,6 +606,9 @@ privsep_postauth(struct ssh *ssh, Authct
- {
+ 
  #ifdef DISABLE_FD_PASSING
if (1) {
 +#elif defined(WITH_SELINUX)

++ openssh-7.7p1-fips.patch ++
--- /var/tmp/diff_new_pack.VpsQer/_old  2024-04-08 17:38:07.022328218 +0200
+++ /var/tmp/diff_new_pack.VpsQer/_new  2024-04-08 17:38:07.026328366 +0200
@@ -39,7 +39,7 @@
  #ifdef WITH_OPENSSL
  #ifndef OPENSSL_NO_DES
{ "3des-cbc",   8, 24, 0, 0, CFLAG_CBC, EVP_des_ede3_cbc },
-@@ -110,8 +113,52 @@ static const struct sshcipher ciphers[]
+@@ -110,8 +113,50 @@ static const struct sshcipher ciphers[]
{ NULL, 0, 0, 0, 0, 0, NULL }
  };
  
@@ -53,12 +53,10 @@
 +  { "aes128-ctr", 16, 16, 0, 0, 0, EVP_aes_128_ctr },
 +  { "aes192-ctr", 16, 24, 0, 0, 0, EVP_aes_192_ctr },
 +  { "aes256-ctr", 16, 32, 0, 0, 0, EVP_aes_256_ctr },
-+# ifdef OPENSSL_HAVE_EVPGCM
 +  { "aes128-...@openssh.com",
 +  16, 16, 12, 16, 0, 

commit openssh for openSUSE:Factory

2024-04-04 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package openssh for openSUSE:Factory checked 
in at 2024-04-04 22:24:47

Comparing /work/SRC/openSUSE:Factory/openssh (Old)
 and  /work/SRC/openSUSE:Factory/.openssh.new.1905 (New)


Package is "openssh"

Thu Apr  4 22:24:47 2024 rev:171 rq:1164536 version:9.6p1

Changes:

--- /work/SRC/openSUSE:Factory/openssh/openssh.changes  2024-02-27 
22:43:13.599396142 +0100
+++ /work/SRC/openSUSE:Factory/.openssh.new.1905/openssh.changes
2024-04-04 22:25:29.305609598 +0200
@@ -1,0 +2,17 @@
+Tue Apr  2 11:23:05 UTC 2024 - Antonio Larrosa 
+
+- Use %config(noreplace) for sshd_config . In any case, it's
+  recommended to drop a file in sshd_config.d instead of editing
+  sshd_config (bsc#1221063)
+- Use %{_libexecdir} when removing ssh-keycat instead of the
+  hardcoded path so it works in TW and SLE.
+
+---
+Mon Mar  4 09:57:06 UTC 2024 - Pedro Monreal 
+
+- Add crypto-policies support [bsc#1211301]
+  * Add patches:
+- openssh-9.6p1-crypto-policies.patch
+- openssh-9.6p1-crypto-policies-man.patch
+
+---

New:

  openssh-9.6p1-crypto-policies-man.patch
  openssh-9.6p1-crypto-policies.patch

BETA DEBUG BEGIN:
  New:/work/SRC/openSUSE:Factory/.openssh.new.1905/openssh.changes-- 
openssh-9.6p1-crypto-policies.patch
/work/SRC/openSUSE:Factory/.openssh.new.1905/openssh.changes:- 
openssh-9.6p1-crypto-policies-man.patch
/work/SRC/openSUSE:Factory/.openssh.new.1905/openssh.changes-
  New:/work/SRC/openSUSE:Factory/.openssh.new.1905/openssh.changes-  * Add 
patches:
/work/SRC/openSUSE:Factory/.openssh.new.1905/openssh.changes:- 
openssh-9.6p1-crypto-policies.patch
/work/SRC/openSUSE:Factory/.openssh.new.1905/openssh.changes-- 
openssh-9.6p1-crypto-policies-man.patch
BETA DEBUG END:



Other differences:
--
++ openssh.spec ++
--- /var/tmp/diff_new_pack.W69ZiC/_old  2024-04-04 22:25:31.141677195 +0200
+++ /var/tmp/diff_new_pack.W69ZiC/_new  2024-04-04 22:25:31.141677195 +0200
@@ -122,6 +122,9 @@
 Patch104:   openssh-6.6p1-keycat.patch
 Patch105:   openssh-6.6.1p1-selinux-contexts.patch
 Patch106:   openssh-7.6p1-cleanup-selinux.patch
+# PATCH-FIX-OPENSUSE bsc#1211301 Add crypto-policies support
+Patch107:   openssh-9.6p1-crypto-policies.patch
+Patch108:   openssh-9.6p1-crypto-policies-man.patch
 BuildRequires:  audit-devel
 BuildRequires:  automake
 BuildRequires:  groff
@@ -209,6 +212,7 @@
 %package server-config-rootlogin
 Summary:Config to permit root logins to sshd
 Group:  Productivity/Networking/SSH
+Requires:   crypto-policies >= 20220824
 Requires:   %{name}-server = %{version}-%{release}
 
 %description server-config-rootlogin
@@ -220,6 +224,7 @@
 %package clients
 Summary:SSH (Secure Shell) client applications
 Group:  Productivity/Networking/SSH
+Requires:   crypto-policies >= 20220824
 Requires:   %{name}-common = %{version}-%{release}
 Provides:   openssh:%{_bindir}/ssh
 
@@ -371,6 +376,13 @@
 mv %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf 
%{buildroot}%{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
 %endif
 
+install -m 644 ssh_config_suse 
%{buildroot}%{_sysconfdir}/ssh/ssh_config.d/50-suse.conf
+%if %{defined _distconfdir}
+install -m 644 sshd_config_suse_cp 
%{buildroot}%{_distconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf
+%else
+install -m 644 sshd_config_suse_cp 
%{buildroot}%{_sysconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf
+%endif
+
 %if 0%{?suse_version} < 1550
 # install firewall definitions
 mkdir -p %{buildroot}%{_fwdefdir}
@@ -388,7 +400,7 @@
 mkdir -p %{buildroot}%{_sysusersdir}
 install -m 644 %{SOURCE14} %{buildroot}%{_sysusersdir}/sshd.conf
 
-rm %{buildroot}/usr/libexec/ssh/ssh-keycat
+rm %{buildroot}%{_libexecdir}/ssh/ssh-keycat
 #rm -r %{buildroot}/usr/lib/debug/.build-id
 
 # the hmac hashes - taken from openssl
@@ -488,12 +500,17 @@
 %if %{defined _distconfdir}
 %attr(0755,root,root) %dir %{_distconfdir}/ssh
 %attr(0755,root,root) %dir %{_distconfdir}/ssh/sshd_config.d
-%attr(0640,root,root) %{_distconfdir}/ssh/sshd_config
+%attr(0640,root,root) %config(noreplace) %{_distconfdir}/ssh/sshd_config
 %attr(0644,root,root) %{_pam_vendordir}/sshd
 %else
-%attr(0640,root,root) %{_sysconfdir}/ssh/sshd_config
+%attr(0640,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/sshd
 %endif
+%if %{defined _distconfdir}
+%attr(0600,root,root) %config(noreplace) 

commit openssh for openSUSE:Factory

2024-02-27 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package openssh for openSUSE:Factory checked 
in at 2024-02-27 22:43:12

Comparing /work/SRC/openSUSE:Factory/openssh (Old)
 and  /work/SRC/openSUSE:Factory/.openssh.new.1770 (New)


Package is "openssh"

Tue Feb 27 22:43:12 2024 rev:170 rq:1150501 version:9.6p1

Changes:

--- /work/SRC/openSUSE:Factory/openssh/openssh-askpass-gnome.changes
2023-07-24 18:11:52.629179853 +0200
+++ /work/SRC/openSUSE:Factory/.openssh.new.1770/openssh-askpass-gnome.changes  
2024-02-27 22:43:13.539393967 +0100
@@ -1,0 +2,7 @@
+Sun Feb 25 18:26:23 UTC 2024 - Hans Petter Jansson 
+
+- Update to openssh 9.6p1:
+  * No changes for askpass, see main package changelog for
+details.
+
+---
--- /work/SRC/openSUSE:Factory/openssh/openssh.changes  2023-12-19 
23:15:52.301619235 +0100
+++ /work/SRC/openSUSE:Factory/.openssh.new.1770/openssh.changes
2024-02-27 22:43:13.599396142 +0100
@@ -1,0 +2,219 @@
+Sun Feb 25 18:26:23 UTC 2024 - Hans Petter Jansson 
+
+- Update to openssh 9.6p1:
+  = Security
+  * ssh(1), sshd(8): implement protocol extensions to thwart the
+so-called "Terrapin attack" discovered by Fabian Bäumer, Marcus
+Brinkmann and Jörg Schwenk. This attack allows a MITM to effect a
+limited break of the integrity of the early encrypted SSH transport
+protocol by sending extra messages prior to the commencement of
+encryption, and deleting an equal number of consecutive messages
+immediately after encryption starts. A peer SSH client/server
+would not be able to detect that messages were deleted.
+  * ssh-agent(1): when adding PKCS#11-hosted private keys while
+specifying destination constraints, if the PKCS#11 token returned
+multiple keys then only the first key had the constraints applied.
+Use of regular private keys, FIDO tokens and unconstrained keys
+are unaffected.
+  * ssh(1): if an invalid user or hostname that contained shell
+metacharacters was passed to ssh(1), and a ProxyCommand,
+LocalCommand directive or "match exec" predicate referenced the
+user or hostname via %u, %h or similar expansion token, then
+an attacker who could supply arbitrary user/hostnames to ssh(1)
+could potentially perform command injection depending on what
+quoting was present in the user-supplied ssh_config(5) directive.
+
+  = Potentially incompatible changes
+  * ssh(1), sshd(8): the RFC4254 connection/channels protocol provides
+a TCP-like window mechanism that limits the amount of data that
+can be sent without acceptance from the peer. In cases where this
+limit was exceeded by a non-conforming peer SSH implementation,
+ssh(1)/sshd(8) previously discarded the extra data. From OpenSSH
+9.6, ssh(1)/sshd(8) will now terminate the connection if a peer
+exceeds the window limit by more than a small grace factor. This
+change should have no effect of SSH implementations that follow
+the specification.
+
+  = New features
+  * ssh(1): add a %j token that expands to the configured ProxyJump
+hostname (or the empty string if this option is not being used)
+that can be used in a number of ssh_config(5) keywords. bz3610
+  * ssh(1): add ChannelTimeout support to the client, mirroring the
+same option in the server and allowing ssh(1) to terminate
+quiescent channels.
+  * ssh(1), sshd(8), ssh-add(1), ssh-keygen(1): add support for
+reading ED25519 private keys in PEM PKCS8 format. Previously
+only the OpenSSH private key format was supported.
+  * ssh(1), sshd(8): introduce a protocol extension to allow
+renegotiation of acceptable signature algorithms for public key
+authentication after the server has learned the username being
+used for authentication. This allows varying sshd_config(5)
+PubkeyAcceptedAlgorithms in a "Match user" block.
+  * ssh-add(1), ssh-agent(1): add an agent protocol extension to allow
+specifying certificates when loading PKCS#11 keys. This allows the
+use of certificates backed by PKCS#11 private keys in all OpenSSH
+tools that support ssh-agent(1). Previously only ssh(1) supported
+this use-case.
+
+  = Bugfixes
+  * ssh(1): when deciding whether to enable the keystroke timing
+obfuscation, enable it only if a channel with a TTY is active.
+  * ssh(1): switch mainloop from poll(3) to ppoll(3) and mask signals
+before checking flags set in signal handler. Avoids potential
+race condition between signaling ssh to exit and polling. bz3531
+  * ssh(1): when connecting to a destination with both the
+AddressFamily and CanonicalizeHostname directives in use,
+the AddressFamily directive could be ignored. bz5326
+  * sftp(1): 

commit openssh for openSUSE:Factory

2023-12-19 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package openssh for openSUSE:Factory checked 
in at 2023-12-19 23:15:40

Comparing /work/SRC/openSUSE:Factory/openssh (Old)
 and  /work/SRC/openSUSE:Factory/.openssh.new.9037 (New)


Package is "openssh"

Tue Dec 19 23:15:40 2023 rev:169 rq:1133933 version:9.3p2

Changes:

--- /work/SRC/openSUSE:Factory/openssh/openssh.changes  2023-11-30 
21:59:23.260785993 +0100
+++ /work/SRC/openSUSE:Factory/.openssh.new.9037/openssh.changes
2023-12-19 23:15:52.301619235 +0100
@@ -1,0 +2,7 @@
+Tue Dec 19 01:42:55 UTC 2023 - Hans Petter Jansson 
+
+- Added openssh-cve-2023-48795.patch (bsc#1217950, CVE-2023-48795).
+  This mitigates a prefix truncation attack that could be used to
+  undermine channel security.
+
+---
@@ -29,0 +37,5 @@
+
+---
+Wed Sep 27 06:28:57 UTC 2023 - Thorsten Kukuk 
+
+- Disable SLP by default for Factory and ALP (bsc#1214884)

New:

  openssh-cve-2023-48795.patch




Other differences:
--
++ openssh.spec ++
--- /var/tmp/diff_new_pack.ljpbqJ/_old  2023-12-19 23:15:53.973680123 +0100
+++ /var/tmp/diff_new_pack.ljpbqJ/_new  2023-12-19 23:15:53.973680123 +0100
@@ -124,6 +124,7 @@
 Patch104:   openssh-6.6p1-keycat.patch
 Patch105:   openssh-6.6.1p1-selinux-contexts.patch
 Patch106:   openssh-7.6p1-cleanup-selinux.patch
+Patch107:   openssh-cve-2023-48795.patch
 BuildRequires:  audit-devel
 BuildRequires:  automake
 BuildRequires:  groff
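Review bot: Patch107 is declared without the tag comment the openSUSE patch-tagging convention puts above each patch, and without the bug and CVE references that the changelog entry carries, so the reason for the patch is not visible next to its declaration. A one-line comment above it, `# PATCH-FIX-UPSTREAM openssh-cve-2023-48795.patch bsc#1217950 CVE-2023-48795 -- strict KEX extension, mitigates prefix truncation attack`, keeps that context in the spec. The %prep section is outside this hunk, so whether Patch107 is picked up automatically or needs an explicit apply line cannot be confirmed from here.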
@@ -349,8 +350,10 @@
 install -d -m 755 %{buildroot}%{_localstatedir}/lib/sshd
 install -d -m 755 %{buildroot}%{_sysconfdir}/ssh/ssh_config.d
 install -d -m 755 %{buildroot}%{_sysconfdir}/ssh/sshd_config.d
+%if 0%{?suse_version} < 1600
 install -d -m 755 %{buildroot}%{_sysconfdir}/slp.reg.d/
 install -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/slp.reg.d/
+%endif
 install -D -m 0644 %{SOURCE10} %{buildroot}%{_unitdir}/sshd.service
 ln -s service %{buildroot}%{_sbindir}/rcsshd
 install -d -m 755 %{buildroot}%{_fillupdir}
@@ -500,8 +503,10 @@
 %attr(0444,root,root) %{_mandir}/man8/sftp-server.8*
 %attr(0444,root,root) %{_mandir}/man8/sshd.8*
 %attr(0755,root,root) %{_libexecdir}/ssh/sftp-server
+%if 0%{?suse_version} < 1600
 %dir %{_sysconfdir}/slp.reg.d
 %config %{_sysconfdir}/slp.reg.d/ssh.reg
+%endif
 %{_fillupdir}/sysconfig.ssh
 %if 0%{?suse_version} < 1550
 %dir %{_fwdir}


++ openssh-cve-2023-48795.patch ++
Index: openssh-9.3p2/PROTOCOL
===
--- openssh-9.3p2.orig/PROTOCOL
+++ openssh-9.3p2/PROTOCOL
@@ -104,6 +104,25 @@ http://git.libssh.org/users/aris/libssh.
 
 This is identical to curve25519-sha256 as later published in RFC8731.
 
+1.9 transport: strict key exchange extension
+
+OpenSSH supports a number of transport-layer hardening measures under
+a "strict KEX" feature. This feature is signalled similarly to the
+RFC8305 ext-info feature: by including a additional algorithm in the
+SSH2_MSG_KEXINIT kex_algorithms field. The client may append
+"kex-strict-c-...@openssh.com" to its kex_algorithms and the server
+may append "kex-strict-s-...@openssh.com".
+
+When endpoint that supports this extension observes this algorithm
+name in a peer's KEXINIT packet, it MUST make the following changes to
+the the protocol:
+
+a) During initial KEX, terminate the connection if any unexpected or
+   out-of-sequence packet is received. This includes terminating the
+   connection if the first packet received is not SSH2_MSG_KEXINIT.
+b) At each SSH2_MSG_NEWKEYS message, reset the packet sequence number
+   to zero.
+
 2. Connection protocol changes
 
 2.1. connection: Channel write close extension "e...@openssh.com"
Index: openssh-9.3p2/kex.c
===
--- openssh-9.3p2.orig/kex.c
+++ openssh-9.3p2/kex.c
@@ -76,7 +76,7 @@
 #include "fips.h"
 
 /* prototype */
-static int kex_choose_conf(struct ssh *);
+static int kex_choose_conf(struct ssh *, uint32_t seq);
 static int kex_input_newkeys(int, u_int32_t, struct ssh *);
 
 static const char * const proposal_names[PROPOSAL_MAX] = {
@@ -261,6 +261,18 @@ kex_names_valid(const char *names)
return 1;
 }
 
+/* returns non-zero if proposal contains any 

commit openssh for openSUSE:Factory

2023-11-30 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package openssh for openSUSE:Factory checked 
in at 2023-11-30 21:59:01

Comparing /work/SRC/openSUSE:Factory/openssh (Old)
 and  /work/SRC/openSUSE:Factory/.openssh.new.25432 (New)


Package is "openssh"

Thu Nov 30 21:59:01 2023 rev:168 rq:1129646 version:9.3p2

Changes:

--- /work/SRC/openSUSE:Factory/openssh/openssh.changes  2023-10-25 
18:02:49.458442925 +0200
+++ /work/SRC/openSUSE:Factory/.openssh.new.25432/openssh.changes   
2023-11-30 21:59:23.260785993 +0100
@@ -1,0 +2,24 @@
+Fri Nov  3 10:44:14 UTC 2023 - Johannes Segitz 
+
+- Enhanced SELinux functionality. Added
+  * openssh-7.8p1-role-mls.patch
+Proper handling of MLS systems and basis for other SELinux
+improvements
+  * openssh-6.6p1-privsep-selinux.patch
+Properly set contexts during privilege separation
+  * openssh-6.6p1-keycat.patch
+Add ssh-keycat command to allow retrival of authorized_keys
+on MLS setups with polyinstantiation
+  * openssh-6.6.1p1-selinux-contexts.patch
+Additional changes to set the proper context during privilege 
+separation
+  * openssh-7.6p1-cleanup-selinux.patch
+Various changes and putting the pieces together
+
+  For now we don't ship the ssh-keycat command, but we need the patch
+  for the other SELinux infrastructure
+
+  This change fixes issues like bsc#1214788, where the ssh daemon 
+  needs to act on behalf of a user and needs a proper context for this
+
+---

New:

  openssh-6.6.1p1-selinux-contexts.patch
  openssh-6.6p1-keycat.patch
  openssh-6.6p1-privsep-selinux.patch
  openssh-7.6p1-cleanup-selinux.patch
  openssh-7.8p1-role-mls.patch




Other differences:
--
++ openssh.spec ++
--- /var/tmp/diff_new_pack.6fInxO/_old  2023-11-30 21:59:25.196857315 +0100
+++ /var/tmp/diff_new_pack.6fInxO/_new  2023-11-30 21:59:25.200857463 +0100
@@ -119,6 +119,11 @@
 # PATCH-FIx-UPSTREAM cb4ed12f.patch -- Fix build with zlib 1.3
 Patch53:
https://github.com/openssh/openssh-portable/commit/cb4ed12f.patch
 Patch100:   fix-missing-lz.patch
+Patch102:   openssh-7.8p1-role-mls.patch
+Patch103:   openssh-6.6p1-privsep-selinux.patch
+Patch104:   openssh-6.6p1-keycat.patch
+Patch105:   openssh-6.6.1p1-selinux-contexts.patch
+Patch106:   openssh-7.6p1-cleanup-selinux.patch
 BuildRequires:  audit-devel
 BuildRequires:  automake
 BuildRequires:  groff
@@ -383,6 +388,9 @@
 mkdir -p %{buildroot}%{_sysusersdir}
 install -m 644 %{SOURCE14} %{buildroot}%{_sysusersdir}/sshd.conf
 
+rm %{buildroot}/usr/libexec/ssh/ssh-keycat
+#rm -r %{buildroot}/usr/lib/debug/.build-id
+
 # the hmac hashes - taken from openssl
 #
 # re-define the __os_install_post macro: the macro strips
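Review bot: The new removal line hard-codes `/usr/libexec/ssh/ssh-keycat` while the rest of this spec addresses that directory through the macro (for example `%{_libexecdir}/ssh/sftp-server` in the %files list); `rm %{buildroot}%{_libexecdir}/ssh/ssh-keycat` keeps it consistent and survives a non-default libexecdir. The commented-out `#rm -r %{buildroot}/usr/lib/debug/.build-id` is dead code in %install and should either be dropped or carry a comment saying why it is kept. A bare `rm` will fail the build if a future keycat patch stops installing the binary, which is probably the intended loud failure, and a comment such as `# ssh-keycat is deliberately not shipped; the keycat patch is kept only as the basis for the other SELinux patches` would record that intent from the changelog.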

++ openssh-6.6.1p1-selinux-contexts.patch ++
Index: openssh-9.3p2/openbsd-compat/port-linux-sshd.c
===
--- openssh-9.3p2.orig/openbsd-compat/port-linux-sshd.c
+++ 

commit openssh for openSUSE:Factory

2023-10-25 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package openssh for openSUSE:Factory checked 
in at 2023-10-25 18:02:04

Comparing /work/SRC/openSUSE:Factory/openssh (Old)
 and  /work/SRC/openSUSE:Factory/.openssh.new.24901 (New)


Package is "openssh"

Wed Oct 25 18:02:04 2023 rev:167 rq:1120184 version:9.3p2

Changes:

--- /work/SRC/openSUSE:Factory/openssh/openssh.changes  2023-09-22 
21:47:31.917117018 +0200
+++ /work/SRC/openSUSE:Factory/.openssh.new.24901/openssh.changes   
2023-10-25 18:02:49.458442925 +0200
@@ -1,0 +2,6 @@
+Tue Oct 24 10:56:31 UTC 2023 - Dominique Leuenberger 
+
+- Add cb4ed12f.patch: Fix build using zlib 1.3. The check expected
+  a version in the form a.b.c[.d], which no longer matches 1.3.
+
+---

New:

  cb4ed12f.patch



Other differences:
--
++ openssh.spec ++
--- /var/tmp/diff_new_pack.cEvMd6/_old  2023-10-25 18:02:50.730489053 +0200
+++ /var/tmp/diff_new_pack.cEvMd6/_new  2023-10-25 18:02:50.730489053 +0200
@@ -116,6 +116,8 @@
 Patch50:openssh-openssl-3.patch
 Patch51:wtmpdb.patch
 Patch52:logind_set_tty.patch
+# PATCH-FIx-UPSTREAM cb4ed12f.patch -- Fix build with zlib 1.3
+Patch53:
https://github.com/openssh/openssh-portable/commit/cb4ed12f.patch
 Patch100:   fix-missing-lz.patch
 BuildRequires:  audit-devel
 BuildRequires:  automake
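Review bot: The tag comment on the new Patch53 line reads `PATCH-FIx-UPSTREAM` with a lower-case x; the convention the tooling matches is the all-caps form, `# PATCH-FIX-UPSTREAM cb4ed12f.patch -- Fix build with zlib 1.3`. Naming the upstream commit URL as the Patch source documents provenance, but the file applied at build time is the `cb4ed12f.patch` copy added to the package in this commit, so the URL should be read as a pointer rather than a pinned fetch.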

++ cb4ed12f.patch ++
>From cb4ed12ffc332d1f72d054ed92655b5f1c38f621 Mon Sep 17 00:00:00 2001
From: Darren Tucker 
Date: Sat, 19 Aug 2023 07:39:08 +1000
Subject: [PATCH] Fix zlib version check for 1.3 and future version.

bz#3604.
---
 configure.ac | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/configure.ac b/configure.ac
index 07893e87065..e3128dfcbb4 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1464,7 +1464,7 @@ else
[[
int a=0, b=0, c=0, d=0, n, v;
n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", , , , );
-   if (n != 3 && n != 4)
+   if (n < 1)
exit(1);
v = a*100 + b*1 + c*100 + d;
fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v);


commit openssh for openSUSE:Factory

2023-09-22 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package openssh for openSUSE:Factory checked 
in at 2023-09-22 21:46:58

Comparing /work/SRC/openSUSE:Factory/openssh (Old)
 and  /work/SRC/openSUSE:Factory/.openssh.new.1770 (New)


Package is "openssh"

Fri Sep 22 21:46:58 2023 rev:166 rq:1112087 version:9.3p2

Changes:

--- /work/SRC/openSUSE:Factory/openssh/openssh.changes  2023-07-24 
18:11:52.685180183 +0200
+++ /work/SRC/openSUSE:Factory/.openssh.new.1770/openssh.changes
2023-09-22 21:47:31.917117018 +0200
@@ -42,0 +43,11 @@
+Wed Jun 21 12:14:54 UTC 2023 - Thorsten Kukuk 
+
+- Disable old lastlog, we use pam_lastlog2
+- openssh-8.4p1-pam_motd.patch: adjust to remove PrintLastLog
+
+---
+Thu Jun 15 07:05:38 UTC 2023 - Thorsten Kukuk 
+
+- logind_set_tty.patch: tell systemd-logind our current TTY
+
+---

New:

  logind_set_tty.patch



Other differences:
--
++ openssh.spec ++
--- /var/tmp/diff_new_pack.PW86Yb/_old  2023-09-22 21:47:36.589286631 +0200
+++ /var/tmp/diff_new_pack.PW86Yb/_new  2023-09-22 21:47:36.589286631 +0200
@@ -115,6 +115,7 @@
 Patch49:openssh-do-not-send-empty-message.patch
 Patch50:openssh-openssl-3.patch
 Patch51:wtmpdb.patch
+Patch52:logind_set_tty.patch
 Patch100:   fix-missing-lz.patch
 BuildRequires:  audit-devel
 BuildRequires:  automake
@@ -318,6 +319,10 @@
 %if %{with wtmpdb}
 --with-wtmpdb \
 %endif
+%if 0%{?suse_version} >= 1550
+--disable-lastlog \
+--with-logind \
+%endif
 --with-security-key-builtin \
 --target=%{_target_cpu}-suse-linux
 
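Review bot: `--with-logind` makes configure hard-fail (`AC_MSG_ERROR([libsystemd not found])` in the configure.ac check added by logind_set_tty.patch) when libsystemd is missing, but this diff adds no matching `BuildRequires: pkgconfig(libsystemd)` under the same `%if 0%{?suse_version} >= 1550` guard; if the spec does not already carry one, the build relies on libsystemd arriving transitively. A comment on the guard would also help readers, e.g. `# Factory/ALP: lastlog is handled by pam_lastlog2, the session TTY is registered with systemd-logind`, since the reason is only recorded in the changelog.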

++ logind_set_tty.patch ++
diff --git a/Makefile.in b/Makefile.in
index f0ea07e7b..35dcf45f1 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -56,6 +56,7 @@ SSHDLIBS=@SSHDLIBS@
 LIBEDIT=@LIBEDIT@
 LIBFIDO2=@LIBFIDO2@
 LIBWTMPDB=@LIBWTMPDB@
+LIBSYSTEMD=@LIBSYSTEMD@
 AR=@AR@
 AWK=@AWK@
 RANLIB=@RANLIB@
@@ -208,7 +209,7 @@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) 
$(GSSLIBS) $(CHANNELLIBS)
 
 sshd$(EXEEXT): libssh.a$(LIBCOMPAT) $(SSHDOBJS)
-   $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) 
$(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
+   $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) 
$(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB) $(LIBSYSTEMD)
 
 scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS)
$(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
diff --git a/configure.ac b/configure.ac
index a12c6f7ad..860df3379 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1789,6 +1789,47 @@ AC_ARG_WITH([wtmpdb],
 )
 
 
+# Check whether user wants logind/set tty support
+AC_ARG_WITH([logind],
+   [  --with-logind[[=PATH]]   Enable logind support for sshd],
+   [ if test "x$withval" != "xno" ; then
+   if test "x$withval" = "xyes" ; then
+   AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
+   if test "x$PKGCONFIG" != "xno"; then
+   AC_MSG_CHECKING([if $PKGCONFIG knows about 
libsystemd])
+   if "$PKGCONFIG" libsystemd; then
+   AC_MSG_RESULT([yes])
+   use_pkgconfig_for_libsystemd=yes
+   else
+   AC_MSG_RESULT([no])
+   fi
+   fi
+   else
+   CPPFLAGS="$CPPFLAGS -I${withval}/include"
+   if test -n "${rpath_opt}"; then
+   LDFLAGS="-L${withval}/lib 
${rpath_opt}${withval}/lib ${LDFLAGS}"
+   else
+   LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+   fi
+   fi
+   if test "x$use_pkgconfig_for_libsystemd" = "xyes"; then
+   LIBSYSTEMD=`$PKGCONFIG --libs libsystemd`
+   CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libsystemd`"
+   else
+   LIBSYSTEMD="-lsystemd"
+   fi
+   OTHERLIBS=`echo $LIBSYSTEMD | sed 's/-lsystemd//'`
+   AC_CHECK_LIB([systemd], [sd_bus_open_system],
+   [ AC_DEFINE([USE_LOGIND], [1], [Use systemd-logind])
+ AC_SUBST([LIBSYSTEMD])
+   ],
+   [ AC_MSG_ERROR([libsystemd not found]) ],
+   [ $OTHERLIBS ]
+

commit openssh for openSUSE:Factory

2023-07-24 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package openssh for openSUSE:Factory checked 
in at 2023-07-24 18:11:47

Comparing /work/SRC/openSUSE:Factory/openssh (Old)
 and  /work/SRC/openSUSE:Factory/.openssh.new.1467 (New)


Package is "openssh"

Mon Jul 24 18:11:47 2023 rev:165 rq:1099856 version:9.3p2

Changes:

--- /work/SRC/openSUSE:Factory/openssh/openssh-askpass-gnome.changes
2023-06-06 19:55:08.426075279 +0200
+++ /work/SRC/openSUSE:Factory/.openssh.new.1467/openssh-askpass-gnome.changes  
2023-07-24 18:11:52.629179853 +0200
@@ -1,0 +2,7 @@
+Fri Jul 21 05:13:56 UTC 2023 - Simon Lees 
+
+- Update to openssh 9.3p2
+  * No changes for askpass, see main package changelog for
+details
+
+---
--- /work/SRC/openSUSE:Factory/openssh/openssh.changes  2023-06-06 
19:55:08.530075896 +0200
+++ /work/SRC/openSUSE:Factory/.openssh.new.1467/openssh.changes
2023-07-24 18:11:52.685180183 +0200
@@ -1,0 +2,41 @@
+Fri Jul 21 02:48:58 UTC 2023 - Simon Lees 
+
+- Update to openssh 9.3p2 (bsc#1213504, CVE-2023-38408):
+  Security
+  
+
+  Fix CVE-2023-38408 - a condition where specific libaries loaded via
+  ssh-agent(1)'s PKCS#11 support could be abused to achieve remote
+  code execution via a forwarded agent socket if the following
+  conditions are met:
+
+  * Exploitation requires the presence of specific libraries on
+the victim system.
+  * Remote exploitation requires that the agent was forwarded
+to an attacker-controlled system.
+
+  Exploitation can also be prevented by starting ssh-agent(1) with an
+  empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring
+  an allowlist that contains only specific provider libraries.
+
+  This vulnerability was discovered and demonstrated to be exploitable
+  by the Qualys Security Advisory team. 
+ 
+  In addition to removing the main precondition for exploitation,
+  this release removes the ability for remote ssh-agent(1) clients
+  to load PKCS#11 modules by default (see below).
+
+  Potentially-incompatible changes
+  
+
+   * ssh-agent(8): the agent will now refuse requests to load PKCS#11
+ modules issued by remote clients by default. A flag has been added
+ to restore the previous behaviour "-Oallow-remote-pkcs11".
+
+ Note that ssh-agent(8) depends on the SSH client to identify
+ requests that are remote. The OpenSSH >=8.9 ssh(1) client does
+ this, but forwarding access to an agent socket using other tools
+ may circumvent this restriction.
+
+
+---

Old:

  openssh-9.3p1.tar.gz
  openssh-9.3p1.tar.gz.asc

New:

  openssh-9.3p2.tar.gz
  openssh-9.3p2.tar.gz.asc



Other differences:
--
++ openssh-askpass-gnome.spec ++
--- /var/tmp/diff_new_pack.pW1q6I/_old  2023-07-24 18:11:54.105188540 +0200
+++ /var/tmp/diff_new_pack.pW1q6I/_new  2023-07-24 18:11:54.113188586 +0200
@@ -18,7 +18,7 @@
 
 %define _name openssh
 Name:   openssh-askpass-gnome
-Version:9.3p1
+Version:9.3p2
 Release:0
 Summary:A GNOME-Based Passphrase Dialog for OpenSSH
 License:BSD-2-Clause

++ openssh.spec ++
--- /var/tmp/diff_new_pack.pW1q6I/_old  2023-07-24 18:11:54.141188751 +0200
+++ /var/tmp/diff_new_pack.pW1q6I/_new  2023-07-24 18:11:54.145188774 +0200
@@ -37,7 +37,7 @@
   %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
 Name:   openssh
-Version:9.3p1
+Version:9.3p2
 Release:0
 Summary:Secure Shell Client and Server (Remote Login Program)
 License:BSD-2-Clause AND MIT

++ openssh-9.3p1.tar.gz -> openssh-9.3p2.tar.gz ++
 2189 lines of diff (skipped)


commit openssh for openSUSE:Factory

2023-06-06 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package openssh for openSUSE:Factory checked 
in at 2023-06-06 19:54:55

Comparing /work/SRC/openSUSE:Factory/openssh (Old)
 and  /work/SRC/openSUSE:Factory/.openssh.new.15902 (New)


Package is "openssh"

Tue Jun  6 19:54:55 2023 rev:164 rq:1090577 version:9.3p1

Changes:

--- /work/SRC/openSUSE:Factory/openssh/openssh-askpass-gnome.changes
2021-10-11 16:48:39.866172377 +0200
+++ /work/SRC/openSUSE:Factory/.openssh.new.15902/openssh-askpass-gnome.changes 
2023-06-06 19:55:08.426075279 +0200
@@ -1,0 +2,14 @@
+Sun May 28 09:16:44 UTC 2023 - Andreas Stieger 
+
+- openssh-askpass-gnome: require only openssh-clients, not the full
+  openssh (including -server), to avoid pulling in excessive
+  dependencies when installing git on Gnome (boo#1211446)
+
+---
+Thu May 11 07:01:54 UTC 2023 - Antonio Larrosa 
+
+- Update to openssh 9.3p1
+  * No changes for askpass, see main package changelog for
+details
+
+---
--- /work/SRC/openSUSE:Factory/openssh/openssh.changes  2023-04-15 
22:32:05.581173030 +0200
+++ /work/SRC/openSUSE:Factory/.openssh.new.15902/openssh.changes   
2023-06-06 19:55:08.530075896 +0200
@@ -1,0 +2,476 @@
+Thu May 11 07:01:54 UTC 2023 - Antonio Larrosa 
+
+- Update to openssh 9.3p1:
+  = Security
+  * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the
+   per-hop destination constraints (ssh-add -h ...) added in
+   OpenSSH 8.9, a logic error prevented the constraints from being
+   communicated to the agent. This resulted in the keys being added
+   without constraints. The common cases of non-smartcard keys and
+   keys without destination constraints are unaffected. This
+   problem was reported by Luci Stanescu.
+
+ * ssh(1): Portable OpenSSH provides an implementation of the
+   getrrsetbyname(3) function if the standard library does not
+   provide it, for use by the VerifyHostKeyDNS feature. A
+   specifically crafted DNS response could cause this function to
+   perform an out-of-bounds read of adjacent stack data, but this
+   condition does not appear to be exploitable beyond denial-of-
+   service to the ssh(1) client.
+   The getrrsetbyname(3) replacement is only included if the
+   system's standard library lacks this function and portable
+   OpenSSH was not compiled with the ldns library (--with-ldns).
+   getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to
+   fetch SSHFP records. This problem was found by the Coverity
+   static analyzer.
+
+  = New features
+  * ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256
+when outputting SSHFP fingerprints to allow algorithm
+selection. bz3493
+  * sshd(8): add a `sshd -G` option that parses and prints the
+effective configuration without attempting to load private keys
+and perform other checks. This allows usage of the option
+before keys have been generated and for configuration
+evaluation and verification by unprivileged users.
+
+  = Bugfixes
+  * scp(1), sftp(1): fix progressmeter corruption on wide displays;
+bz3534
+  * ssh-add(1), ssh-keygen(1): use RSA/SHA256 when testing
+usability of private keys as some systems are starting to
+disable RSA/SHA1 in libcrypto.
+  * sftp-server(8): fix a memory leak. GHPR363
+  * ssh(1), sshd(8), ssh-keyscan(1): remove vestigal protocol
+compatibility code and simplify what's left.
+  * Fix a number of low-impact Coverity static analysis findings.
+These include several reported via bz2687
+  * ssh_config(5), sshd_config(5): mention that some options are
+not first-match-wins.
+  * Rework logging for the regression tests. Regression tests will
+now capture separate logs for each ssh and sshd invocation in
+a test.
+  * ssh(1): make `ssh -Q CASignatureAlgorithms` work as the manpage
+says it should; bz3532.
+  * ssh(1): ensure that there is a terminating newline when adding
+a new entry to known_hosts; bz3529
+
+  = Portability
+  * sshd(8): harden Linux seccomp sandbox. Move to an allowlist of
+mmap(2), madvise(2) and futex(2) flags, removing some
+concerning kernel attack surface.
+  * sshd(8): improve Linux seccomp-bpf sandbox for older systems;
+bz3537
+
+- Update to openssh 9.2p1:
+  = Security
+  * sshd(8): fix a pre-authentication double-free memory fault
+introduced in OpenSSH 9.1. This is not believed to be
+exploitable, and it occurs in the unprivileged pre-auth process
+that is subject to chroot(2) and is further sandboxed on most
+major platforms.
+  * ssh(8): in OpenSSH releases after 8.7, the PermitRemoteOpen
+option would ignore its first argument unless it was one of the
+ 

commit openssh for openSUSE:Factory

2023-04-15 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package openssh for openSUSE:Factory checked 
in at 2023-04-15 22:32:04

Comparing /work/SRC/openSUSE:Factory/openssh (Old)
 and  /work/SRC/openSUSE:Factory/.openssh.new.19717 (New)


Package is "openssh"

Sat Apr 15 22:32:04 2023 rev:163 rq:1079298 version:8.9p1

Changes:

--- /work/SRC/openSUSE:Factory/openssh/openssh.changes  2023-03-28 
17:48:44.314793416 +0200
+++ /work/SRC/openSUSE:Factory/.openssh.new.19717/openssh.changes   
2023-04-15 22:32:05.581173030 +0200
@@ -1,0 +2,6 @@
+Mon Mar 27 08:39:38 UTC 2023 - Thorsten Kukuk 
+
+- Rename sshd.pamd to sshd-sle.pamd and fix order of pam_keyinit
+- Add new sshd.pamd including postlogin-* config files
+
+---

New:

  sshd-sle.pamd



Other differences:
--
++ openssh.spec ++
--- /var/tmp/diff_new_pack.EqMs5I/_old  2023-04-15 22:32:06.897180622 +0200
+++ /var/tmp/diff_new_pack.EqMs5I/_new  2023-04-15 22:32:06.901180645 +0200
@@ -51,6 +51,7 @@
 Source12:   cavs_driver-ssh.pl
 Source13:   
https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc#/openssh.keyring
 Source14:   sysusers-sshd.conf
+Source15:   sshd-sle.pamd
 Patch1: openssh-7.7p1-X11_trusted_forwarding.patch
 Patch3: openssh-7.7p1-enable_PAM_by_default.patch
 Patch4: openssh-7.7p1-eal3.patch
@@ -308,8 +309,9 @@
 install -d -m 755 %{buildroot}%{_pam_vendordir}
 install -m 644 %{SOURCE2} %{buildroot}%{_pam_vendordir}/sshd
 %else
+# SLE has no distconfdir, so use sle PAM config
 install -d -m 755 %{buildroot}%{_sysconfdir}/pam.d
-install -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir}/pam.d/sshd
+install -m 644 %{SOURCE15} %{buildroot}%{_sysconfdir}/pam.d/sshd
 %endif
 install -d -m 755 %{buildroot}%{_localstatedir}/lib/sshd
 install -d -m 755 %{buildroot}%{_sysconfdir}/ssh/ssh_config.d



++ sshd-sle.pamd ++
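#%PAM-1.0
# PAM stack for sshd on SLE: openssh.spec installs this file as
# %{_sysconfdir}/pam.d/sshd on systems without a PAM vendor/dist config dir.
# Each line is "type control module [args]"; modules of one type run in order.
auth     requisite  pam_nologin.so
auth     include    common-auth
account  requisite  pam_nologin.so
account  include    common-account
password include    common-password
session  required   pam_loginuid.so
# pam_keyinit is deliberately placed before common-session
# (package changelog: "fix order of pam_keyinit").
session  optional   pam_keyinit.so   force revoke
session  include    common-session
session  optional   pam_motd.so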


++ sshd.pamd ++
--- /var/tmp/diff_new_pack.EqMs5I/_old  2023-04-15 22:32:07.189182307 +0200
+++ /var/tmp/diff_new_pack.EqMs5I/_new  2023-04-15 22:32:07.193182330 +0200
@@ -1,12 +1,15 @@
 #%PAM-1.0
 authrequisite   pam_nologin.so
-authinclude common-auth
+authsubstackcommon-auth
+authinclude postlogin-auth
 account requisite   pam_nologin.so
-account include common-account
-passwordinclude common-password
+account substackcommon-account
+account include postlogin-account
+passwordsubstackcommon-password
+passwordinclude postlogin-password
 session requiredpam_loginuid.so
-session include common-session
 session optionalpam_keyinit.so   force revoke
+session substackcommon-session
+session include postlogin-session
 session optionalpam_motd.so
 
-
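Review bot: The new stack `include`s `postlogin-auth`, `postlogin-account`, `postlogin-password` and `postlogin-session`, but nothing in this commit adds those files or requires the package that ships them; I believe Linux-PAM treats an include file it cannot open as a configuration error for that type, which for sshd means failed logins rather than a silent skip, so confirm against the pam package that provides them. Either a `Requires:` on that package in the spec or a comment in this file, `# postlogin-* are provided by the pam package's vendor config`, would make the dependency visible. The switch from `include` to `substack` for the common-* files also changes semantics, since `die`/`done` inside a substack end only the substack, while the SLE counterpart added in this commit keeps `include`; a comment on why the two files differ would help the next maintainer.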


commit openssh for openSUSE:Factory

2023-03-28 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package openssh for openSUSE:Factory checked 
in at 2023-03-28 17:48:40

Comparing /work/SRC/openSUSE:Factory/openssh (Old)
 and  /work/SRC/openSUSE:Factory/.openssh.new.31432 (New)


Package is "openssh"

Tue Mar 28 17:48:40 2023 rev:162 rq:1074486 version:8.9p1

Changes:

--- /work/SRC/openSUSE:Factory/openssh/openssh.changes  2022-12-23 
10:20:48.075240196 +0100
+++ /work/SRC/openSUSE:Factory/.openssh.new.31432/openssh.changes   
2023-03-28 17:48:44.314793416 +0200
@@ -1,0 +2,11 @@
+Wed Feb 15 10:35:43 UTC 2023 - Thorsten Kukuk 
+
+- Remove BuildRequires for libtirpc, we don't use it
+
+---
+Tue Feb 14 13:46:14 UTC 2023 - Thorsten Kukuk 
+
+- Remove pam_lastlog from sshd PAM config. sshd is doing the same,
+  too, which leads to e.g. duplicate entries in wtmp [bsc#1208243]
+
+---



Other differences:
--
++ openssh.spec ++
--- /var/tmp/diff_new_pack.0UgPMG/_old  2023-03-28 17:48:45.506799168 +0200
+++ /var/tmp/diff_new_pack.0UgPMG/_new  2023-03-28 17:48:45.514799207 +0200
@@ -19,11 +19,6 @@
 %ifnarch ppc
 %define sandbox_seccomp 1
 %endif
-%if 0%{?suse_version} >= 1500
-%bcond_without tirpc
-%else
-%bcond_with tirpc
-%endif
 %define _fwdir  %{_sysconfdir}/sysconfig/SuSEfirewall2.d
 %define _fwdefdir   %{_fwdir}/services
 %define _appdefdir  %( grep "configdirspec=" $( which xmkmf ) | sed -r 
's,^[^=]+=.*-I(.*)/config.*$,\\1/app-defaults,' )
@@ -127,9 +122,6 @@
 BuildRequires:  sysuser-tools
 Requires:   %{name}-clients = %{version}-%{release}
 Requires:   %{name}-server = %{version}-%{release}
-%if %{with tirpc}
-BuildRequires:  libtirpc-devel
-%endif
 %if 0%{?suse_version} >= 1550
 BuildRequires:  pkgconfig(krb5)
 %else



++ sshd.pamd ++
--- /var/tmp/diff_new_pack.0UgPMG/_old  2023-03-28 17:48:45.766800422 +0200
+++ /var/tmp/diff_new_pack.0UgPMG/_new  2023-03-28 17:48:45.770800442 +0200
@@ -7,7 +7,6 @@
 session requiredpam_loginuid.so
 session include common-session
 session optionalpam_keyinit.so   force revoke
-session optionalpam_lastlog.so   showfailed
 session optionalpam_motd.so
 
 


commit openssh for openSUSE:Factory

2022-12-23 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package openssh for openSUSE:Factory checked 
in at 2022-12-23 10:20:44

Comparing /work/SRC/openSUSE:Factory/openssh (Old)
 and  /work/SRC/openSUSE:Factory/.openssh.new.1563 (New)


Package is "openssh"

Fri Dec 23 10:20:44 2022 rev:161 rq:1044051 version:8.9p1

Changes:

--- /work/SRC/openSUSE:Factory/openssh/openssh.changes  2022-12-16 
17:51:32.639982091 +0100
+++ /work/SRC/openSUSE:Factory/.openssh.new.1563/openssh.changes
2022-12-23 10:20:48.075240196 +0100
@@ -1,0 +2,6 @@
+Mon Dec 19 15:41:26 UTC 2022 - Otto Hollmann 
+
+- Adapt OpenSSH to build with OpenSSL 3, use new KDF API (bsc#1205042)
+  Add openssh-openssl-3.patch
+
+---

New:

  openssh-openssl-3.patch



Other differences:
--
++ openssh.spec ++
--- /var/tmp/diff_new_pack.CxmSa4/_old  2022-12-23 10:20:49.099246049 +0100
+++ /var/tmp/diff_new_pack.CxmSa4/_new  2022-12-23 10:20:49.107246094 +0100
@@ -110,13 +110,14 @@
 Patch47:openssh-8.4p1-vendordir.patch
 Patch48:openssh-8.4p1-pam_motd.patch
 Patch49:openssh-do-not-send-empty-message.patch
+Patch50:openssh-openssl-3.patch
 BuildRequires:  audit-devel
 BuildRequires:  automake
 BuildRequires:  groff
 BuildRequires:  libedit-devel
 BuildRequires:  libselinux-devel
 BuildRequires:  openldap2-devel
-BuildRequires:  pkgconfig(openssl) < 3
+BuildRequires:  openssl-devel
 BuildRequires:  pam-devel
 BuildRequires:  pkgconfig
 BuildRequires:  zlib-devel


++ openssh-openssl-3.patch ++
---
 fips.c |5 +
 kex.c  |   61 -
 2 files changed, 65 insertions(+), 1 deletion(-)

--- a/fips.c
+++ b/fips.c
@@ -48,6 +48,11 @@
 
 static int fips_state = -1;
 
+#if (OPENSSL_VERSION_NUMBER >= 0x3000L)
+# define FIPS_mode() EVP_default_properties_is_fips_enabled(NULL)
+# define FIPS_mode_set(x) EVP_default_properties_enable_fips(NULL,x)
+#endif
+
 /* calculates HMAC of contents of a file given by filename using the hash
  * algorithm specified by FIPS_HMAC_EVP in fips.h and placing the result into
  * newly allacated memory - remember to free it when not needed anymore */
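Review bot: As rendered here the version guard is `OPENSSL_VERSION_NUMBER >= 0x3000L`; OpenSSL encodes 3.0.0 as `0x30000000L` (MNNFFPPS layout), so `0x3000L` is true for every 1.x build as well, which makes the `#else` branches dead and breaks compilation against OpenSSL 1.1 — if the literal really is `0x3000L` in the patch and not a rendering artefact, it should read `#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)`. The same guard is repeated in both kex.c hunks below. Separately, mapping `FIPS_mode()` to `EVP_default_properties_is_fips_enabled(NULL)` and `FIPS_mode_set(x)` to `EVP_default_properties_enable_fips(NULL,x)` changes the contract: the OpenSSL 3 calls only query or set the "fips=yes" default property string and succeed even when no FIPS provider is loaded, whereas the 1.x calls switched the library into FIPS mode. A comment above the macros, e.g. `/* OpenSSL 3: these only toggle the fips=yes default property; they do not load or verify the FIPS provider */`, would stop later readers from assuming the old guarantee.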
--- a/kex.c
+++ b/kex.c
@@ -41,6 +41,9 @@
 #include 
 #include 
 #include 
+# if (OPENSSL_VERSION_NUMBER >= 0x3000L)
+# include 
+# endif
 #endif
 
 #include "ssh.h"
@@ -1191,14 +1194,61 @@ derive_key_via_openssl(struct ssh *ssh,
 {
struct kex *kex = ssh->kex;
EVP_KDF_CTX *hashctx = NULL;
-   const EVP_MD *md = NULL;
u_char *digest = NULL;
int r = SSH_ERR_LIBCRYPTO_ERROR;
 
+# if (OPENSSL_VERSION_NUMBER >= 0x3000L)
+   OSSL_PARAM params[6], *p = params;
+   char type = (char) id;
+   EVP_KDF *kdf = EVP_KDF_fetch (NULL, "SSHKDF", NULL);
+   if (!kdf)
+   goto out;
+   hashctx = EVP_KDF_CTX_new (kdf);
+# else
+   const EVP_MD *md = NULL;
hashctx = EVP_KDF_CTX_new_id (EVP_KDF_SSHKDF);
+# endif
if (!hashctx)
goto out;
 
+# if (OPENSSL_VERSION_NUMBER >= 0x3000L)
+   switch (kex->hash_alg)
+   {
+   case SSH_DIGEST_MD5:
+   *p++ = 
OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
+  SN_md5, strlen(SN_md5));
+   break;
+   case SSH_DIGEST_SHA1:
+   *p++ = 
OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
+  SN_sha1, strlen(SN_sha1));
+   break;
+   case SSH_DIGEST_SHA256:
+   *p++ = 
OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
+  SN_sha256, strlen(SN_sha256));
+   break;
+   case SSH_DIGEST_SHA384:
+   *p++ = 
OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
+  SN_sha384, strlen(SN_sha384));
+   break;
+   case SSH_DIGEST_SHA512:
+   *p++ = 
OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
+  SN_sha512, strlen(SN_sha512));
+   break;
+   default:
+   goto out;
+   }
+
+   *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
+  sshbuf_ptr(shared_secret), sshbuf_len(shared_secret));
+   *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SSHKDF_XCGHASH,
+  hash, (size_t) hashlen);
+   *p++ = 
OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SSHKDF_SESSION_ID,
+  sshbuf_ptr(kex->session_id), (size_t) 
sshbuf_len(kex->session_id));
+   *p++ = 

commit openssh for openSUSE:Factory

2022-12-16 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package openssh for openSUSE:Factory checked 
in at 2022-12-16 17:51:30

Comparing /work/SRC/openSUSE:Factory/openssh (Old)
 and  /work/SRC/openSUSE:Factory/.openssh.new.1835 (New)


Package is "openssh"

Fri Dec 16 17:51:30 2022 rev:160 rq:1043180 version:8.9p1

Changes:

--- /work/SRC/openSUSE:Factory/openssh/openssh.changes  2022-11-16 
15:42:39.607678753 +0100
+++ /work/SRC/openSUSE:Factory/.openssh.new.1835/openssh.changes
2022-12-16 17:51:32.639982091 +0100
@@ -1,0 +2,6 @@
+Thu Dec 15 16:35:33 UTC 2022 - Dirk Müller 
+
+- limit to openssl < 3.0 as this version is not compatible (bsc#1205042)
+  next version update will fix it
+
+---



Other differences:
--
++ openssh.spec ++
--- /var/tmp/diff_new_pack.Uge5b4/_old  2022-12-16 17:51:33.983989489 +0100
+++ /var/tmp/diff_new_pack.Uge5b4/_new  2022-12-16 17:51:33.991989533 +0100
@@ -116,7 +116,7 @@
 BuildRequires:  libedit-devel
 BuildRequires:  libselinux-devel
 BuildRequires:  openldap2-devel
-BuildRequires:  openssl-devel
+BuildRequires:  pkgconfig(openssl) < 3
 BuildRequires:  pam-devel
 BuildRequires:  pkgconfig
 BuildRequires:  zlib-devel
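Review bot: The new `pkgconfig(openssl) < 3` pin carries no explanation next to it, so the next person editing BuildRequires has to dig through the changelog to learn why it exists and when it may go. A one-line comment above it, `# OpenSSL 3 is not supported by this version (bsc#1205042); drop with the next version update`, records both the reason and the removal condition where the pin lives.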


commit openssh for openSUSE:Factory

2022-11-16 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package openssh for openSUSE:Factory checked 
in at 2022-11-16 15:42:34

Comparing /work/SRC/openSUSE:Factory/openssh (Old)
 and  /work/SRC/openSUSE:Factory/.openssh.new.1597 (New)


Package is "openssh"

Wed Nov 16 15:42:34 2022 rev:159 rq:1035879 version:8.9p1

Changes:

--- /work/SRC/openSUSE:Factory/openssh/openssh.changes  2022-08-30 
14:48:25.419958697 +0200
+++ /work/SRC/openSUSE:Factory/.openssh.new.1597/openssh.changes
2022-11-16 15:42:39.607678753 +0100
@@ -1,0 +2,8 @@
+Thu Nov 10 02:18:08 UTC 2022 - Hans Petter Jansson 
+
+- Update openssh-8.1p1-audit.patch: Merge fix for race condition
+  (bsc#1115550, bsc#1174162).
+- Add openssh-do-not-send-empty-message.patch, which prevents
+  superfluous newlines with empty MOTD files (bsc#1192439).
+
+---

New:

  openssh-do-not-send-empty-message.patch



Other differences:
--
++ openssh.spec ++
--- /var/tmp/diff_new_pack.mMmu4u/_old  2022-11-16 15:42:40.599682348 +0100
+++ /var/tmp/diff_new_pack.mMmu4u/_new  2022-11-16 15:42:40.603682363 +0100
@@ -109,6 +109,7 @@
 Patch46:openssh-whitelist-syscalls.patch
 Patch47:openssh-8.4p1-vendordir.patch
 Patch48:openssh-8.4p1-pam_motd.patch
+Patch49:openssh-do-not-send-empty-message.patch
 BuildRequires:  audit-devel
 BuildRequires:  automake
 BuildRequires:  groff
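Review bot: `Patch49:` is declared here but the hunk does not show it being applied; if %prep applies patches individually rather than via `%autopatch`/`%autosetup`, a matching `%patch49 -p1` (with whatever strip level the sibling patches use) is needed, otherwise the declared patch is silently never applied. The %prep section is outside this hunk, so this may already be covered. The same question applies to `Patch48:` in the 2021-06-25 commit and `Patch47:` in the 2021-06-09 commit further down the page.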

++ openssh-8.1p1-audit.patch ++
--- /var/tmp/diff_new_pack.mMmu4u/_old  2022-11-16 15:42:40.731682827 +0100
+++ /var/tmp/diff_new_pack.mMmu4u/_new  2022-11-16 15:42:40.735682842 +0100
@@ -1550,7 +1550,7 @@
sshbuf_free(m);
  }
  #endif /* SSH_AUDIT_EVENTS */
-@@ -1074,3 +1114,83 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_cc
+@@ -1074,3 +1114,130 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_cc
  }
  
  #endif /* GSSAPI */
@@ -1633,6 +1633,53 @@
 +  mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SERVER_KEY_FREE, 
m);
 +  sshbuf_free(m);
 +}
++
++int mm_forward_audit_messages(int fdin)
++{
++  u_char buf[4];
++  u_int blen, msg_len;
++  struct sshbuf *m;
++  int ret = 0;
++
++  debug3("%s: entering", __func__);
++  m = sshbuf_new();
++  do {
++  int r;
++
++  blen = atomicio(read, fdin, buf, sizeof(buf));
++  if (blen == 0) /* closed pipe */
++  break;
++  if (blen != sizeof(buf)) {
++  error("%s: Failed to read the buffer from child", 
__func__);
++  ret = -1;
++  break;
++  }
++
++  msg_len = get_u32(buf);
++  if (msg_len > 256 * 1024)
++  fatal("%s: read: bad msg_len %d", __func__, msg_len);
++  sshbuf_reset(m);
++  if ((r = sshbuf_reserve(m, msg_len, NULL)) != 0)
++  fatal("%s: buffer error: %s", __func__, ssh_err(r));
++  if (atomicio(read, fdin, sshbuf_mutable_ptr(m), msg_len) != 
msg_len) {
++  error("%s: Failed to read the the buffer conent from 
the child", __func__);
++  ret = -1;
++  break;
++  }
++  if (atomicio(vwrite, pmonitor->m_recvfd, buf, blen) != blen || 
++  atomicio(vwrite, pmonitor->m_recvfd, sshbuf_mutable_ptr(m), 
msg_len) != msg_len) {
++  error("%s: Failed to write the messag to the monitor", 
__func__);
++  ret = -1;
++  break;
++  }
++  } while (1);
++  sshbuf_free(m);
++  return ret;
++}
++void mm_set_monitor_pipe(int fd)
++{
++  pmonitor->m_recvfd = fd;
++}
 +#endif /* SSH_AUDIT_EVENTS */
 Index: openssh-8.9p1/monitor_wrap.h
 ===
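Review bot: `m = sshbuf_new();` in mm_forward_audit_messages is used without a NULL check, whereas the surrounding monitor code treats allocation failure as fatal; the idiom would be `if ((m = sshbuf_new()) == NULL) fatal("%s: sshbuf_new failed", __func__);` before the loop. Two error strings carry typos, `the the buffer conent` and `the messag`, and `bad msg_len %d` prints a u_int with `%d` where `%u` is the matching conversion. The 256 KiB cap on msg_len before sshbuf_reserve is a sensible guard against a misbehaving child driving the monitor's allocation and deserves a comment saying so, e.g. `/* cap message size so a broken child cannot exhaust the monitor */`.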
@@ -1649,7 +1696,7 @@
  const u_char *, size_t, const char *, u_int, struct sshkey_sig_details 
**);
  
  #ifdef GSSAPI
-@@ -83,7 +85,12 @@ void mm_sshpam_free_ctx(void *);
+@@ -83,7 +85,14 @@ void mm_sshpam_free_ctx(void *);
  #ifdef SSH_AUDIT_EVENTS
  #include "audit.h"
  void mm_audit_event(struct ssh *, ssh_audit_event_t);
@@ -1660,6 +1707,8 @@
 +void mm_audit_kex_body(struct ssh *, int, char *, char *, char *, char *, 
pid_t, uid_t);
 +void mm_audit_session_key_free_body(struct ssh *, int, pid_t, uid_t);
 +void mm_audit_destroy_sensitive_data(struct ssh *, const char *, pid_t, 
uid_t);
++int mm_forward_audit_messages(int);
++void mm_set_monitor_pipe(int);
  #endif
  
  struct Session;
@@ -1689,7 +1738,12 @@
  /*
   * Returns the IP-address of the remote host as a string.  The returned
   * string must not be freed.

commit openssh for openSUSE:Factory

2022-08-30 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package openssh for openSUSE:Factory checked 
in at 2022-08-30 14:48:22

Comparing /work/SRC/openSUSE:Factory/openssh (Old)
 and  /work/SRC/openSUSE:Factory/.openssh.new.2083 (New)


Package is "openssh"

Tue Aug 30 14:48:22 2022 rev:158 rq:999883 version:8.9p1

Changes:

--- /work/SRC/openSUSE:Factory/openssh/openssh.changes  2022-08-18 
16:48:52.289404588 +0200
+++ /work/SRC/openSUSE:Factory/.openssh.new.2083/openssh.changes
2022-08-30 14:48:25.419958697 +0200
@@ -1,0 +2,5 @@
+Mon Aug  8 07:36:55 UTC 2022 - Thorsten Kukuk 
+
+- Use %_pam_vendordir
+
+---



Other differences:
--
++ openssh.spec ++
--- /var/tmp/diff_new_pack.sLQGBi/_old  2022-08-30 14:48:26.511961485 +0200
+++ /var/tmp/diff_new_pack.sLQGBi/_new  2022-08-30 14:48:26.519961505 +0200
@@ -311,8 +311,8 @@
 %install
 %make_install
 %if %{defined _distconfdir}
-install -d -m 755 %{buildroot}%{_distconfdir}/pam.d
-install -m 644 %{SOURCE2} %{buildroot}%{_distconfdir}/pam.d/sshd
+install -d -m 755 %{buildroot}%{_pam_vendordir}
+install -m 644 %{SOURCE2} %{buildroot}%{_pam_vendordir}/sshd
 %else
 install -d -m 755 %{buildroot}%{_sysconfdir}/pam.d
 install -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir}/pam.d/sshd
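Review bot: The branch now installs into `%{_pam_vendordir}` but is still selected by `%if %{defined _distconfdir}`; on a build where `_distconfdir` is defined and `_pam_vendordir` is not, rpm leaves the macro unexpanded and the file lands under a literal `%{_pam_vendordir}` directory in the buildroot. Either test the macro that is actually used, `%if %{defined _pam_vendordir}`, or add a comment stating that both macros are provided together so the single test is sufficient. The `%files` hunk that follows has the same dependency.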
@@ -447,7 +447,7 @@
 %attr(0755,root,root) %dir /usr/etc/ssh/sshd_config.d
 %attr(0640,root,root) %{_distconfdir}/ssh/sshd_config
 %if %{defined _distconfdir}
-%attr(0644,root,root) %{_distconfdir}/pam.d/sshd
+%attr(0644,root,root) %{_pam_vendordir}/sshd
 %else
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/sshd
 %endif

++ openssh-8.4p1-ssh_config_d.patch ++
--- /var/tmp/diff_new_pack.sLQGBi/_old  2022-08-30 14:48:26.715962006 +0200
+++ /var/tmp/diff_new_pack.sLQGBi/_new  2022-08-30 14:48:26.719962016 +0200
@@ -2,20 +2,20 @@
 ===
 --- openssh-8.9p1.orig/ssh_config
 +++ openssh-8.9p1/ssh_config
-@@ -16,6 +16,13 @@
- # Site-wide defaults for some commonly used options.  For a comprehensive
+@@ -17,6 +17,13 @@
  # list of available options, their meanings and defaults, please see the
  # ssh_config(5) man page.
-+Include /usr/etc/ssh/ssh_config.d/*.conf
-+
+ 
 +# To modify the system-wide ssh configuration, create a "*.conf" file under
 +# "/etc/ssh/ssh_config.d/" which will be automatically included below.
 +# Don't edit this configuration file itself if possible to avoid update
 +# problems.
 +Include /etc/ssh/ssh_config.d/*.conf
- 
++Include /usr/etc/ssh/ssh_config.d/*.conf
++
  Host *
  #   ForwardAgent no
+ #   ForwardX11 no
 Index: openssh-8.9p1/sshd_config
 ===
 --- openssh-8.9p1.orig/sshd_config
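Review bot: The comment block above `Include /etc/ssh/ssh_config.d/*.conf` still only says the directory is "automatically included below" and does not explain why it now precedes the `/usr/etc` include; since ssh_config uses the first value obtained for an option, the ordering is exactly what gives administrator settings precedence over packaged defaults, and a later reordering would silently invert that. A short comment such as `# Listed before the vendor directory on purpose: the first value read for an option wins, so local settings take precedence.` preserves the intent. The sshd_config hunk of the 2022-08-18 commit further down has the same gap.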


commit openssh for openSUSE:Factory

2022-08-18 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package openssh for openSUSE:Factory checked 
in at 2022-08-18 16:48:44

Comparing /work/SRC/openSUSE:Factory/openssh (Old)
 and  /work/SRC/openSUSE:Factory/.openssh.new.2083 (New)


Package is "openssh"

Thu Aug 18 16:48:44 2022 rev:157 rq:997452 version:8.9p1

Changes:

--- /work/SRC/openSUSE:Factory/openssh/openssh.changes  2022-05-01 
18:53:31.935159823 +0200
+++ /work/SRC/openSUSE:Factory/.openssh.new.2083/openssh.changes
2022-08-18 16:48:52.289404588 +0200
@@ -1,0 +2,6 @@
+Wed Jul  6 12:15:29 UTC 2022 - Adam Majer 
+
+- openssh-8.4p1-ssh_config_d.patch: admin overrides should take
+  priority (listed first) over package defaults
+
+---



Other differences:
--
openssh.spec: same change
++ openssh-8.4p1-ssh_config_d.patch ++
--- /var/tmp/diff_new_pack.jZgn1D/_old  2022-08-18 16:48:53.493407392 +0200
+++ /var/tmp/diff_new_pack.jZgn1D/_new  2022-08-18 16:48:53.497407401 +0200
@@ -20,17 +20,21 @@
 ===
 --- openssh-8.9p1.orig/sshd_config
 +++ openssh-8.9p1/sshd_config
-@@ -9,6 +9,13 @@
- # OpenSSH is to specify options with their default value where
- # possible, but leave them commented.  Uncommented options override the
- # default value.
-+Include /usr/etc/ssh/sshd_config.d/*.conf
-+
+@@ -5,10 +5,17 @@
+ 
+ # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+ 
 +# To modify the system-wide sshd configuration, create a "*.conf" file under
 +# "/etc/ssh/sshd_config.d/" which will be automatically included below.
 +# Don't edit this configuration file itself if possible to avoid update
 +# problems.
 +Include /etc/ssh/sshd_config.d/*.conf
++
+ # The strategy used for options in the default sshd_config shipped with
+ # OpenSSH is to specify options with their default value where
+ # possible, but leave them commented.  Uncommented options override the
+ # default value.
++Include /usr/etc/ssh/sshd_config.d/*.conf
  
  #Port 22
  #AddressFamily any


commit openssh for openSUSE:Factory

2022-05-01 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package openssh for openSUSE:Factory checked 
in at 2022-05-01 18:53:26

Comparing /work/SRC/openSUSE:Factory/openssh (Old)
 and  /work/SRC/openSUSE:Factory/.openssh.new.1538 (New)


Package is "openssh"

Sun May  1 18:53:26 2022 rev:156 rq:973782 version:8.9p1

Changes:

--- /work/SRC/openSUSE:Factory/openssh/openssh.changes  2022-03-11 
11:48:33.326793554 +0100
+++ /work/SRC/openSUSE:Factory/.openssh.new.1538/openssh.changes
2022-05-01 18:53:31.935159823 +0200
@@ -1,0 +2,6 @@
+Mon Mar 28 15:00:52 UTC 2022 - Ludwig Nussel 
+
+- read ssh and sshd config file also from /usr/etc
+- add openssh-server-config-rootlogin subpackage that enabled PermitRootLogin
+
+---



Other differences:
--
++ openssh.spec ++
--- /var/tmp/diff_new_pack.0tYjjW/_old  2022-05-01 18:53:32.855160677 +0200
+++ /var/tmp/diff_new_pack.0tYjjW/_new  2022-05-01 18:53:32.859160680 +0200
@@ -191,6 +191,17 @@
 This package contains the Secure Shell daemon, which allows clients to
 securely connect to your server.
 
+%package server-config-rootlogin
+Summary:Config to permit root logins to sshd
+Group:  Productivity/Networking/SSH
+Requires:   %{name}-server = %{version}-%{release}
+
+%description server-config-rootlogin
+The openssh-server package by default disallows password based
+root logins. This package provides a config that does. It's useful
+to temporarily have a password based login to be able to use
+ssh-copy-id(1).
+
 %package clients
 Summary:SSH (Secure Shell) client applications
 Group:  Productivity/Networking/SSH
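Review bot: The summary and description of `server-config-rootlogin` speak of password-based root logins, but the config the subpackage ships is `PermitRootLogin yes` (see the %install hunk below), which permits root login with every authentication method, not only passwords. The description should say what it actually opens up, e.g. `This package provides a config that sets PermitRootLogin yes, allowing root logins with any authentication method.`, so an administrator who installs it temporarily for ssh-copy-id(1) knows exactly what to remove afterwards.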
@@ -321,10 +332,11 @@
 sed -i -e s@%{_prefix}/libexec@%{_libexecdir}@g 
%{buildroot}%{_sysconfdir}/ssh/sshd_config
 
 # Move /etc to /usr/etc/ssh
-mkdir -p %{buildroot}%{_distconfdir}/ssh
+mkdir -p %{buildroot}%{_distconfdir}/ssh/ssh{,d}_config.d
 mv %{buildroot}%{_sysconfdir}/ssh/moduli %{buildroot}%{_distconfdir}/ssh/
 mv %{buildroot}%{_sysconfdir}/ssh/ssh_config %{buildroot}%{_distconfdir}/ssh/
 mv %{buildroot}%{_sysconfdir}/ssh/sshd_config %{buildroot}%{_distconfdir}/ssh/
+echo "PermitRootLogin yes" > 
%{buildroot}%{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
 
 %if 0%{?suse_version} < 1550
 # install firewall definitions
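Review bot: `50-permit-root-login.conf` is written into the vendor directory `%{_distconfdir}/ssh/sshd_config.d`, and the ssh_config half of `openssh-8.4p1-ssh_config_d.patch` further down in this commit lists the `/usr/etc` include before the `/etc` one; if sshd_config is ordered the same way (its half of the patch is cut off on this page), sshd's first-value-wins rule means the packaged `PermitRootLogin yes` overrides an administrator's own setting in `/etc/ssh/sshd_config.d`. That precedence should be confirmed, or the package description should state that installing it overrides local PermitRootLogin settings. The file is also created by shell redirection with no explicit mode; an `install -m 644` or a `%attr(0644,root,root)` in `%files` would pin it like the other config files.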
@@ -419,6 +431,7 @@
 %doc README.SUSE README.kerberos README.FIPS ChangeLog OVERVIEW README TODO 
CREDITS
 %attr(0755,root,root) %dir %{_sysconfdir}/ssh
 %attr(0755,root,root) %dir %{_distconfdir}/ssh
+%attr(0755,root,root) %dir /usr/etc/ssh/ssh_config.d
 %attr(0600,root,root) %{_distconfdir}/ssh/moduli
 %attr(0444,root,root) %{_mandir}/man1/ssh-keygen.1*
 %attr(0444,root,root) %{_mandir}/man5/moduli.5*
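Review bot: `%dir /usr/etc/ssh/ssh_config.d` hard-codes the vendor path, while the line directly above it names the same tree as `%{_distconfdir}/ssh` and %install creates the directory through `%{_distconfdir}`; `%dir %{_distconfdir}/ssh/ssh_config.d` keeps the file list consistent and follows the macro if it is ever redefined. The same applies to `%dir /usr/etc/ssh/sshd_config.d` in the next hunk.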
@@ -431,6 +444,7 @@
 %dir %attr(0755,root,root) %{_localstatedir}/lib/sshd
 %dir %attr(0755,root,root) %{_sysconfdir}/ssh/sshd_config.d
 %attr(0755,root,root) %dir %{_distconfdir}/ssh
+%attr(0755,root,root) %dir /usr/etc/ssh/sshd_config.d
 %attr(0640,root,root) %{_distconfdir}/ssh/sshd_config
 %if %{defined _distconfdir}
 %attr(0644,root,root) %{_distconfdir}/pam.d/sshd
@@ -452,6 +466,9 @@
 %config %{_fwdefdir}/sshd
 %endif
 
+%files server-config-rootlogin
+%{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
+
 %files clients
 %dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d
 %attr(0644,root,root) %{_distconfdir}/ssh/ssh_config

++ openssh-8.4p1-ssh_config_d.patch ++
--- /var/tmp/diff_new_pack.0tYjjW/_old  2022-05-01 18:53:33.007160817 +0200
+++ /var/tmp/diff_new_pack.0tYjjW/_new  2022-05-01 18:53:33.011160821 +0200
@@ -1,33 +1,37 @@
-diff -ur openssh-8.4p1.orig/ssh_config openssh-8.4p1/ssh_config
 openssh-8.4p1.orig/ssh_config  2021-01-27 14:43:22.698144889 +0100
-+++ openssh-8.4p1/ssh_config   2021-01-27 14:40:46.170143382 +0100
-@@ -17,6 +17,12 @@
+Index: openssh-8.9p1/ssh_config
+===
+--- openssh-8.9p1.orig/ssh_config
 openssh-8.9p1/ssh_config
+@@ -16,6 +16,13 @@
+ # Site-wide defaults for some commonly used options.  For a comprehensive
  # list of available options, their meanings and defaults, please see the
  # ssh_config(5) man page.
- 
++Include /usr/etc/ssh/ssh_config.d/*.conf
++
 +# To modify the system-wide ssh configuration, create a "*.conf" file under
 +# "/etc/ssh/ssh_config.d/" which will be automatically included below.
 +# Don't edit this configuration file itself if possible to avoid update
 +# problems.
 +Include /etc/ssh/ssh_config.d/*.conf
-+
+ 
  Host *
  #   ForwardAgent no
- #   ForwardX11 no
-diff -ur openssh-8.4p1.orig/sshd_config openssh-8.4p1/sshd_config
 openssh-8.4p1.orig/sshd_config 2020-09-27 

commit openssh for openSUSE:Factory

2022-03-11 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package openssh for openSUSE:Factory checked 
in at 2022-03-09 18:47:00

Comparing /work/SRC/openSUSE:Factory/openssh (Old)
 and  /work/SRC/openSUSE:Factory/.openssh.new.2349 (New)


Package is "openssh"

Wed Mar  9 18:47:00 2022 rev:155 rq:960152 version:8.9p1

Changes:

--- /work/SRC/openSUSE:Factory/openssh/openssh.changes  2021-10-11 
16:48:39.962172529 +0200
+++ /work/SRC/openSUSE:Factory/.openssh.new.2349/openssh.changes
2022-03-11 11:48:33.326793554 +0100
@@ -1,0 +2,170 @@
+Mon Mar  7 18:00:09 UTC 2022 - Hans Petter Jansson 
+
+- Version update to 8.9p1:
+  = Security
+  * sshd(8): fix an integer overflow in the user authentication path
+that, in conjunction with other logic errors, could have yielded
+unauthenticated access under difficult to exploit conditions.
+
+This situation is not exploitable because of independent checks in
+the privilege separation monitor. Privilege separation has been
+enabled by default in since openssh-3.2.2 (released in 2002) and
+has been mandatory since openssh-7.5 (released in 2017). Moreover,
+portable OpenSSH has used toolchain features available in most
+modern compilers to abort on signed integer overflow since
+openssh-6.5 (released in 2014).
+
+Thanks to Malcolm Stagg for finding and reporting this bug.
+
+  = Potentially-incompatible changes
+  * sshd(8), portable OpenSSH only: this release removes in-built
+support for MD5-hashed passwords. If you require these on your
+system then we recommend linking against libxcrypt or similar.
+  * This release modifies the FIDO security key middleware interface
+and increments SSH_SK_VERSION_MAJOR.
+
+  = New features
+  * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for
+restricting forwarding and use of keys added to ssh-agent(1)
+A detailed description of the feature is available at
+https://www.openssh.com/agent-restrict.html and the protocol
+extensions are documented in the PROTOCOL and PROTOCOL.agent
+files in the source release.
+  * ssh(1), sshd(8): add the sntrup761x25519-sha...@openssh.com hybrid
+ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the
+default KEXAlgorithms list (after the ECDH methods but before the
+prime-group DH ones). The next release of OpenSSH is likely to
+make this key exchange the default method.
+  * ssh-keygen(1): when downloading resident keys from a FIDO token,
+pass back the user ID that was used when the key was created and
+append it to the filename the key is written to (if it is not the
+default). Avoids keys being clobbered if the user created multiple
+resident keys with the same application string but different user
+IDs.
+  * ssh-keygen(1), ssh(1), ssh-agent(1): better handling for FIDO keys
+on tokens that provide user verification (UV) on the device itself,
+including biometric keys, avoiding unnecessary PIN prompts.
+  * ssh-keygen(1): add "ssh-keygen -Y match-principals" operation to
+perform matching of principals names against an allowed signers
+file. To be used towards a TOFU model for SSH signatures in git.
+  * ssh-add(1), ssh-agent(1): allow pin-required FIDO keys to be added
+to ssh-agent(1). $SSH_ASKPASS will be used to request the PIN at
+authentication time.
+  * ssh-keygen(1): allow selection of hash at sshsig signing time
+(either sha512 (default) or sha256).
+  * ssh(1), sshd(8): read network data directly to the packet input
+buffer instead of indirectly via a small stack buffer. Provides a
+modest performance improvement.
+  * ssh(1), sshd(8): read data directly to the channel input buffer,
+providing a similar modest performance improvement.
+  * ssh(1): extend the PubkeyAuthentication configuration directive to
+accept yes|no|unbound|host-bound to allow control over one of the
+protocol extensions used to implement agent-restricted keys.
+
+  = Bugfixes
+  * sshd(8): document that CASignatureAlgorithms, ExposeAuthInfo and
+PubkeyAuthOptions can be used in a Match block. PR277.
+  * sshd(8): fix possible string truncation when constructing paths to
+.rhosts/.shosts files with very long user home directory names.
+  * ssh-keysign(1): unbreak for KEX algorithms that use SHA384/512
+exchange hashes
+  * ssh(1): don't put the TTY into raw mode when SessionType=none,
+avoids ^C being unable to kill such a session. bz3360
+  * scp(1): fix some corner-case bugs in SFTP-mode handling of
+~-prefixed paths.
+  * ssh(1): unbreak hostbased auth using RSA keys. Allow ssh(1) to
+select RSA keys when only RSA/SHA2 signature algorithms are
+configured (this is the default case). Previously RSA keys were
+not 

commit openssh for openSUSE:Factory

2021-10-11 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package openssh for openSUSE:Factory checked 
in at 2021-10-11 16:48:36

Comparing /work/SRC/openSUSE:Factory/openssh (Old)
 and  /work/SRC/openSUSE:Factory/.openssh.new.2443 (New)


Package is "openssh"

Mon Oct 11 16:48:36 2021 rev:154 rq:923951 version:8.8p1

Changes:

--- /work/SRC/openSUSE:Factory/openssh/openssh-askpass-gnome.changes
2020-10-18 16:30:20.444729018 +0200
+++ /work/SRC/openSUSE:Factory/.openssh.new.2443/openssh-askpass-gnome.changes  
2021-10-11 16:48:39.866172377 +0200
@@ -1,0 +2,7 @@
+Tue Sep 28 19:05:15 UTC 2021 - Hans Petter Jansson 
+
+- Version upgrade to 8.8p1
+  * No changes for askpass, see main package changelog for
+details
+
+---
--- /work/SRC/openSUSE:Factory/openssh/openssh.changes  2021-07-22 
22:43:29.231189893 +0200
+++ /work/SRC/openSUSE:Factory/.openssh.new.2443/openssh.changes
2021-10-11 16:48:39.962172529 +0200
@@ -1,0 +2,368 @@
+Tue Sep 28 17:50:57 UTC 2021 - Hans Petter Jansson 
+
+- Version update to 8.8p1:
+  = Security
+  * sshd(8) from OpenSSH 6.2 through 8.7 failed to correctly initialise
+supplemental groups when executing an AuthorizedKeysCommand or
+AuthorizedPrincipalsCommand, where a AuthorizedKeysCommandUser or
+AuthorizedPrincipalsCommandUser directive has been set to run the
+command as a different user. Instead these commands would inherit
+the groups that sshd(8) was started with.
+
+Depending on system configuration, inherited groups may allow
+AuthorizedKeysCommand/AuthorizedPrincipalsCommand helper programs to
+gain unintended privilege.
+
+Neither AuthorizedKeysCommand nor AuthorizedPrincipalsCommand are
+enabled by default in sshd_config(5).
+
+  = Potentially-incompatible changes
+  * This release disables RSA signatures using the SHA-1 hash algorithm
+by default. This change has been made as the SHA-1 hash algorithm is
+cryptographically broken, and it is possible to create chosen-prefix
+hash collisions for https://bugzilla.novell.com/show_bug.cgi?id=847710
 
-diff --git a/openssh-7.7p1/channels.c b/openssh-7.7p1/channels.c
 openssh-7.7p1/channels.c
-+++ openssh-7.7p1/channels.c
-@@ -4590,33 +4590,42 @@ x11_connect_display(struct ssh *ssh)
-   return -1;
- 
-   /* OK, we now have a connection to the display. */
-   return sock;
-   }
+Index: openssh-8.8p1/channels.c
+===
+--- openssh-8.8p1.orig/channels.c
 openssh-8.8p1/channels.c
+@@ -4776,9 +4776,10 @@ x11_connect_display(struct ssh *ssh)
/*
 * Connect to an inet socket.  The DISPLAY value is supposedly
 * hostname:d[.s], where hostname may also be numeric IP address.
@@ -25,14 +21,7 @@
if (!cp) {
error("Could not find ':' in DISPLAY: %.100s", display);
return -1;
-   }
-   *cp = 0;
-   /*
-* buf now contains the host name.  But first we parse the
-* display number.
-*/
-   if (sscanf(cp + 1, "%u", _number) != 1) {
-   error("Could not parse display number from DISPLAY: %.100s",
+@@ -4793,6 +4794,14 @@ x11_connect_display(struct ssh *ssh)
display);
return -1;
}
@@ -47,8 +36,3 @@
  
/* Look up the host address */
memset(, 0, sizeof(hints));
-   hints.ai_family = ssh->chanctxt->IPv4or6;
-   hints.ai_socktype = SOCK_STREAM;
-   snprintf(strport, sizeof strport, "%u", 6000 + display_number);
-   if ((gaierr = getaddrinfo(buf, strport, , )) != 0) {
-   error("%.100s: unknown host. (%s)", buf,

++ openssh-7.7p1-X11_trusted_forwarding.patch ++
--- /var/tmp/diff_new_pack.oEgcgE/_old  2021-10-11 16:48:41.718175320 +0200
+++ /var/tmp/diff_new_pack.oEgcgE/_new  2021-10-11 16:48:41.718175320 +0200
@@ -6,10 +6,10 @@
 Enable Trusted X11 forwarding by default, since the security benefits of
 having it disabled are negligible these days with XI2 being widely used.
 
-Index: openssh-7.8p1/ssh_config
+Index: openssh-8.8p1/ssh_config
 ===
 openssh-7.8p1.orig/ssh_config
-+++ openssh-7.8p1/ssh_config
+--- openssh-8.8p1.orig/ssh_config
 openssh-8.8p1/ssh_config
 @@ -17,9 +17,20 @@
  # list of available options, their meanings and defaults, please see the
  # ssh_config(5) man page.
@@ -32,10 +32,10 @@
  #   PasswordAuthentication yes
  #   HostbasedAuthentication no
  #   GSSAPIAuthentication no
-Index: openssh-7.8p1/sshd_config
+Index: openssh-8.8p1/sshd_config
 ===
 

commit openssh for openSUSE:Factory

2021-07-22 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package openssh for openSUSE:Factory checked 
in at 2021-07-22 22:42:59

Comparing /work/SRC/openSUSE:Factory/openssh (Old)
 and  /work/SRC/openSUSE:Factory/.openssh.new.1899 (New)


Package is "openssh"

Thu Jul 22 22:42:59 2021 rev:153 rq:907490 version:8.4p1

Changes:

--- /work/SRC/openSUSE:Factory/openssh/openssh.changes  2021-06-25 
15:01:43.092179407 +0200
+++ /work/SRC/openSUSE:Factory/.openssh.new.1899/openssh.changes
2021-07-22 22:43:29.231189893 +0200
@@ -1,0 +2,8 @@
+Mon Jul 19 14:51:08 UTC 2021 - Cristian Rodr??guez 
+
+- The linux kernel has close_range(2) syscall which current glibc
+  uses to implement closefrom(3) which will be then used by openssh.
+  whitelist the new system call so closefrom does not fail or
+  fallback to iterating proc/self/fd (openssh-whitelist-syscalls.patch)
+
+---



Other differences:
--
openssh.spec: same change

++ openssh-whitelist-syscalls.patch ++
--- /var/tmp/diff_new_pack.LL2qO7/_old  2021-07-22 22:43:31.275187230 +0200
+++ /var/tmp/diff_new_pack.LL2qO7/_new  2021-07-22 22:43:31.275187230 +0200
@@ -1,8 +1,16 @@
-diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index 797a14b..02698cc 100644
 --- a/sandbox-seccomp-filter.c
 +++ b/sandbox-seccomp-filter.c
-@@ -204,6 +204,9 @@ static const struct sock_filter preauth_insns[] = {
+@@ -195,6 +195,9 @@
+ #ifdef __NR_close
+   SC_ALLOW(__NR_close),
+ #endif
++#ifdef __NR_close_range
++  SC_ALLOW(__NR_close_range),
++#endif
+ #ifdef __NR_exit
+   SC_ALLOW(__NR_exit),
+ #endif
+@@ -204,6 +207,9 @@
  #ifdef __NR_futex
SC_ALLOW(__NR_futex),
  #endif
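Review bot: The new `SC_ALLOW(__NR_close_range)` entry has no comment explaining why the pre-auth sandbox needs it, and nothing in the surrounding entries hints at it; per the changelog, glibc's closefrom(3) now calls close_range(2), so without the rule the sandboxed child would fail or fall back to walking /proc/self/fd. A comment such as `/* close_range(2) backs glibc's closefrom(3), used by the privsep child */` on the `#ifdef __NR_close_range` line records that dependency for the next sandbox review. The remainder of the hunk only renumbers context.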
@@ -12,7 +20,7 @@
  #ifdef __NR_geteuid
SC_ALLOW(__NR_geteuid),
  #endif
-@@ -282,6 +285,9 @@ static const struct sock_filter preauth_insns[] = {
+@@ -282,6 +288,9 @@
  #ifdef __NR_pselect6
SC_ALLOW(__NR_pselect6),
  #endif


commit openssh for openSUSE:Factory

2021-06-25 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package openssh for openSUSE:Factory checked 
in at 2021-06-25 15:01:12

Comparing /work/SRC/openSUSE:Factory/openssh (Old)
 and  /work/SRC/openSUSE:Factory/.openssh.new.2625 (New)


Package is "openssh"

Fri Jun 25 15:01:12 2021 rev:152 rq:901582 version:8.4p1

Changes:

--- /work/SRC/openSUSE:Factory/openssh/openssh.changes  2021-06-09 
21:51:02.138339300 +0200
+++ /work/SRC/openSUSE:Factory/.openssh.new.2625/openssh.changes
2021-06-25 15:01:43.092179407 +0200
@@ -1,0 +2,12 @@
+Wed Jun 23 18:32:20 UTC 2021 - Hans Petter Jansson 
+
+- Don't move user-modified ssh_config and sshd_config files to
+  .rpmsave on upgrade.
+
+---
+Tue May 18 17:16:33 UTC 2021 - Thorsten Kukuk 
+
+- Use pam_motd to unify motd message output [bsc#1185897]
+  (openssh-8.4p1-pam_motd.patch)
+
+---

New:

  openssh-8.4p1-pam_motd.patch



Other differences:
--
++ openssh.spec ++
--- /var/tmp/diff_new_pack.jJ1cht/_old  2021-06-25 15:01:44.372180969 +0200
+++ /var/tmp/diff_new_pack.jJ1cht/_new  2021-06-25 15:01:44.376180974 +0200
@@ -109,6 +109,7 @@
 Patch45:openssh-8.4p1-ssh_config_d.patch
 Patch46:openssh-whitelist-syscalls.patch
 Patch47:openssh-8.4p1-vendordir.patch
+Patch48:openssh-8.4p1-pam_motd.patch
 BuildRequires:  audit-devel
 BuildRequires:  automake
 BuildRequires:  groff
@@ -363,8 +364,9 @@
 
 %pre server -f sshd.pre
 %if %{defined _distconfdir}
-# move outdated pam.d/*.rpmsave file away
+# Prepare for migration to /usr/etc.
 test -f /etc/pam.d/sshd.rpmsave && mv -v /etc/pam.d/sshd.rpmsave 
/etc/pam.d/sshd.rpmsave.old ||:
+test -f /etc/ssh/sshd_config.rpmsave && mv -v /etc/ssh/sshd_config.rpmsave 
/etc/ssh/sshd_config.rpmsave.old ||:
 %endif
 
 %service_add_pre sshd.service
@@ -390,8 +392,20 @@
 %posttrans server
 # Migration to /usr/etc.
 test -f /etc/pam.d/sshd.rpmsave && mv -v /etc/pam.d/sshd.rpmsave 
/etc/pam.d/sshd ||:
+test -f /etc/ssh/sshd_config.rpmsave && mv -v /etc/ssh/sshd_config.rpmsave 
/etc/ssh/sshd_config ||:
 %endif
 
+%if %{defined _distconfdir}
+%pre clients
+# Prepare for migration to /usr/etc.
+test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave 
/etc/ssh/ssh_config.rpmsave.old ||:
+%endif
+
+%if %{defined _distconfdir}
+%posttrans clients
+# Migration to /usr/etc.
+test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave 
/etc/ssh/ssh_config ||:
+%endif
 
 %triggerin -n openssh-fips -- %{name} = %{version}-%{release}
 %restart_on_update sshd

++ openssh-8.4p1-pam_motd.patch ++
Gemeinsame Unterverzeichnisse: openssh-8.4p1.orig/contrib und 
openssh-8.4p1/contrib.
Gemeinsame Unterverzeichnisse: openssh-8.4p1.orig/.github und 
openssh-8.4p1/.github.
Gemeinsame Unterverzeichnisse: openssh-8.4p1.orig/m4 und openssh-8.4p1/m4.
Gemeinsame Unterverzeichnisse: openssh-8.4p1.orig/openbsd-compat und 
openssh-8.4p1/openbsd-compat.
Gemeinsame Unterverzeichnisse: openssh-8.4p1.orig/regress und 
openssh-8.4p1/regress.
diff -u openssh-8.4p1.orig/sshd_config openssh-8.4p1/sshd_config
--- openssh-8.4p1.orig/sshd_config  2020-09-27 09:25:01.0 +0200
+++ openssh-8.4p1/sshd_config   2021-05-18 19:15:39.190701511 +0200
@@ -88,8 +88,8 @@
 #X11DisplayOffset 10
 #X11UseLocalhost yes
 #PermitTTY yes
-#PrintMotd yes
-#PrintLastLog yes
+PrintMotd no
+PrintLastLog no
 #TCPKeepAlive yes
 #PermitUserEnvironment no
 #Compression delayed
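Review bot: The new patch file has no header describing what it changes and why, and the lines before the `diff -u` header are `diff -r` chatter (`Gemeinsame Unterverzeichnisse: …`) rather than patch content, which also makes the file locale-dependent; it should be regenerated without the common-subdirectory lines and given a short description referencing bsc#1185897 and the hand-off to pam_motd/pam_lastlog. Inside the shipped `sshd_config`, the two flipped options would benefit from a comment such as `# MOTD and last-login output are produced by pam_motd/pam_lastlog in /etc/pam.d/sshd`, so an administrator who re-enables them does not get the messages twice.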


++ sshd.pamd ++
--- /var/tmp/diff_new_pack.jJ1cht/_old  2021-06-25 15:01:44.600181247 +0200
+++ /var/tmp/diff_new_pack.jJ1cht/_new  2021-06-25 15:01:44.600181247 +0200
@@ -6,5 +6,7 @@
 passwordinclude common-password
 session requiredpam_loginuid.so
 session include common-session
-session optionalpam_lastlog.so   silent noupdate showfailed
 session optionalpam_keyinit.so   force revoke
+session optionalpam_lastlog.so   showfailed
+session optionalpam_motd.so
+
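Review bot: `pam_lastlog.so` loses `silent noupdate`, so the PAM stack now both writes the lastlog record and prints the last-login line; if I remember correctly sshd also records logins on its own, independently of `PrintLastLog`, so it is worth confirming the record is not written twice. The intent should be documented in the file, e.g. `# last-login display and motd are handled here; PrintLastLog/PrintMotd are off in sshd_config`. The empty line added at the end of the file looks stray.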


commit openssh for openSUSE:Factory

2021-06-09 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package openssh for openSUSE:Factory checked 
in at 2021-06-09 21:51:00

Comparing /work/SRC/openSUSE:Factory/openssh (Old)
 and  /work/SRC/openSUSE:Factory/.openssh.new.32437 (New)


Package is "openssh"

Wed Jun  9 21:51:00 2021 rev:151 rq:888799 version:8.4p1

Changes:

--- /work/SRC/openSUSE:Factory/openssh/openssh.changes  2021-02-15 
13:15:53.310345403 +0100
+++ /work/SRC/openSUSE:Factory/.openssh.new.32437/openssh.changes   
2021-06-09 21:51:02.138339300 +0200
@@ -1,0 +2,23 @@
+Thu Apr 22 12:02:55 UTC 2021 - Hans Petter Jansson 
+
+- Change vendor configuration dir from /usr/share/ssh/ to
+  /usr/etc/ssh/.
+- Remove upgrade enablement hack. This has been fixed in
+  systemd-rpm-macros (bsc#1180083).
+
+---
+Wed Feb 24 13:20:37 UTC 2021 - Thorsten Kukuk 
+
+- Add support for vendor provided configuration files in
+  /usr/share/ssh/ (openssh-8.4p1-vendordir.patch)
+- Move configuration files from /etc/ssh/ to /usr/share/ssh/
+
+---
+Thu Feb 18 13:54:44 UTC 2021 - Johannes Segitz 
+
+- Drop openssh-7.7p1-allow_root_password_login.patch to prevent login
+  as root via password by default (is also upstream default). Comment
+  indicates that this was a temporary meassure that we now had for 
+  five years, time to get rid of it (bsc#1173067)
+
+---

Old:

  openssh-7.7p1-allow_root_password_login.patch

New:

  openssh-8.4p1-vendordir.patch



Other differences:
--
++ openssh.spec ++
--- /var/tmp/diff_new_pack.n7XrYn/_old  2021-06-09 21:51:03.186341169 +0200
+++ /var/tmp/diff_new_pack.n7XrYn/_new  2021-06-09 21:51:03.186341169 +0200
@@ -15,7 +15,6 @@
 # Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 
-
 %define sandbox_seccomp 0
 %ifnarch ppc
 %define sandbox_seccomp 1
@@ -30,8 +29,6 @@
 %define _appdefdir  %( grep "configdirspec=" $( which xmkmf ) | sed -r 
's,^[^=]+=.*-I(.*)/config.*$,\\1/app-defaults,' )
 %define CHECKSUM_SUFFIX .hmac
 %define CHECKSUM_HMAC_KEY "HMAC_KEY:OpenSSH-FIPS@SLE"
-%define _tmpenableddir  %{_localstatedir}/lib/sshd
-%define _tmpenabledfile %{_tmpenableddir}/is-enabled.rpmtmp
 
 #Compat macro for new _fillupdir macro introduced in Nov 2017
 %if ! %{defined _fillupdir}
@@ -59,7 +56,6 @@
 Source12:   cavs_driver-ssh.pl
 Source13:   
https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc#/openssh.keyring
 Source14:   sysusers-sshd.conf
-Patch0: openssh-7.7p1-allow_root_password_login.patch
 Patch1: openssh-7.7p1-X11_trusted_forwarding.patch
 Patch3: openssh-7.7p1-enable_PAM_by_default.patch
 Patch4: openssh-7.7p1-eal3.patch
@@ -112,6 +108,7 @@
 Patch44:openssh-fix-ssh-copy-id.patch
 Patch45:openssh-8.4p1-ssh_config_d.patch
 Patch46:openssh-whitelist-syscalls.patch
+Patch47:openssh-8.4p1-vendordir.patch
 BuildRequires:  audit-devel
 BuildRequires:  automake
 BuildRequires:  groff
@@ -298,7 +295,7 @@
 --target=%{_target_cpu}-suse-linux
 
 %make_build
-%sysusers_generate_pre %{SOURCE14} sshd
+%sysusers_generate_pre %{SOURCE14} sshd sshd.conf
 
 %install
 %make_install
@@ -323,6 +320,12 @@
 install -m 644 contrib/ssh-copy-id.1 %{buildroot}%{_mandir}/man1
 sed -i -e s@%{_prefix}/libexec@%{_libexecdir}@g 
%{buildroot}%{_sysconfdir}/ssh/sshd_config
 
+# Move /etc to /usr/etc/ssh
+mkdir -p %{buildroot}%{_distconfdir}/ssh
+mv %{buildroot}%{_sysconfdir}/ssh/moduli %{buildroot}%{_distconfdir}/ssh/
+mv %{buildroot}%{_sysconfdir}/ssh/ssh_config %{buildroot}%{_distconfdir}/ssh/
+mv %{buildroot}%{_sysconfdir}/ssh/sshd_config %{buildroot}%{_distconfdir}/ssh/
+
 %if 0%{?suse_version} < 1550
 # install firewall definitions
 mkdir -p %{buildroot}%{_fwdefdir}
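Review bot: The three `mv` lines into %{_distconfdir}/ssh are unconditional, while the rest of this spec treats the macro as optional (`%if %{defined _distconfdir}` guards the pam.d handling under `%pre server` further down), so on a target where it is undefined rpm would create a buildroot directory literally named `%{_distconfdir}` and the three files would disappear from their packaged paths; wrap the new block in the same `%if %{defined _distconfdir}` … `%endif`. The changelog entry for this change says the files move to /usr/share/ssh/, whereas the hunk comment says /usr/etc/ssh and the code uses %{_distconfdir}, so one description is wrong; make the comment name the macro rather than a path, e.g. `# Ship the distribution defaults (moduli, ssh_config, sshd_config) under %%{_distconfdir}/ssh` (doubled `%%` because rpm expands macros inside comments). The matching %files entries and the vendordir patch are outside this view, so I cannot confirm that sshd_config keeps its 0640 mode at the new location.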
@@ -358,52 +361,17 @@
 
 }}
 
-%pre
-# Remember whether the sshd service was enabled prior to an upgrade. This
-# is needed when upgrading to a split-off openssh-server package. The
-# %%service_add_post scriptlet (in %%post server) will see it as a new service
-# and apply the preset, disabling it. We need to reenable it afterwards if
-# necessary.
-mkdir -p %{_tmpenableddir} || :
-if [ -x %{_bindir}/systemctl ]; then
-%{_bindir}/systemctl is-enabled sshd > %{_tmpenabledfile} || :
-else
-if find %{_sysconfdir}/init.d/rc[35].d -type l -regex '.*/S[0-9]+sshd' \
--exec readlink -f {} \; | grep '/etc/init.d/sshd$' >/dev/null 2>&1
-then echo "enabled" > %{_tmpenabledfile} || :; fi
-fi
-
 %pre server -f sshd.pre
 %if %{defined _distconfdir}
 # move outdated pam.d/*.rpmsave file away
 

commit openssh for openSUSE:Factory

2021-02-15 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package openssh for openSUSE:Factory checked 
in at 2021-02-15 13:15:51

Comparing /work/SRC/openSUSE:Factory/openssh (Old)
 and  /work/SRC/openSUSE:Factory/.openssh.new.28504 (New)


Package is "openssh"

Mon Feb 15 13:15:51 2021 rev:150 rq:872342 version:8.4p1

Changes:

--- /work/SRC/openSUSE:Factory/openssh/openssh.changes  2021-02-01 
13:25:59.881897206 +0100
+++ /work/SRC/openSUSE:Factory/.openssh.new.28504/openssh.changes   
2021-02-15 13:15:53.310345403 +0100
@@ -1,0 +2,7 @@
+Mon Feb 15 10:01:33 UTC 2021 - Hans Petter Jansson 
+
+- Add openssh-whitelist-syscalls.patch (bsc#1182232), fixing
+  failure to accept connections on 32-bit platforms with
+  glibc 2.33+.
+
+---

New:

  openssh-whitelist-syscalls.patch



Other differences:
--
++ openssh.spec ++
--- /var/tmp/diff_new_pack.uRCL1P/_old  2021-02-15 13:15:54.606347321 +0100
+++ /var/tmp/diff_new_pack.uRCL1P/_new  2021-02-15 13:15:54.610347328 +0100
@@ -111,6 +111,7 @@
 Patch43:openssh-reenable-dh-group14-sha1-default.patch
 Patch44:openssh-fix-ssh-copy-id.patch
 Patch45:openssh-8.4p1-ssh_config_d.patch
+Patch46:openssh-whitelist-syscalls.patch
 BuildRequires:  audit-devel
 BuildRequires:  automake
 BuildRequires:  groff


++ openssh-whitelist-syscalls.patch ++
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 797a14b..02698cc 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -204,6 +204,9 @@ static const struct sock_filter preauth_insns[] = {
 #ifdef __NR_futex
SC_ALLOW(__NR_futex),
 #endif
+#ifdef __NR_futex_time64
+   SC_ALLOW(__NR_futex_time64),
+#endif
 #ifdef __NR_geteuid
SC_ALLOW(__NR_geteuid),
 #endif
@@ -282,6 +285,9 @@ static const struct sock_filter preauth_insns[] = {
 #ifdef __NR_pselect6
SC_ALLOW(__NR_pselect6),
 #endif
+#ifdef __NR_pselect6_time64
+   SC_ALLOW(__NR_pselect6_time64),
+#endif
 #ifdef __NR_read
SC_ALLOW(__NR_read),
 #endif
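Review bot: The patch file carries no description header, so nothing in the file itself records why the pre-authentication seccomp sandbox is widened by two syscalls; a reader of sandbox-seccomp-filter.c only sees two more SC_ALLOW entries. A short header above the `diff --git` line should state that glibc 2.33 on 32-bit targets issues the 64-bit-time variants of futex(2) and pselect6(2) (the changelog's bsc#1182232), and whether an equivalent change was sent upstream so the patch can be dropped on the next rebase. Both entries are wrapped in `#ifdef __NR_…_time64`, which matches the neighbouring entries and leaves 64-bit builds, where those numbers are undefined, unchanged.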


commit openssh for openSUSE:Factory

2021-02-01 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package openssh for openSUSE:Factory checked 
in at 2021-02-01 13:25:40

Comparing /work/SRC/openSUSE:Factory/openssh (Old)
 and  /work/SRC/openSUSE:Factory/.openssh.new.28504 (New)


Package is "openssh"

Mon Feb  1 13:25:40 2021 rev:149 rq:867288 version:8.4p1

Changes:

--- /work/SRC/openSUSE:Factory/openssh/openssh.changes  2021-01-26 
14:49:43.407675456 +0100
+++ /work/SRC/openSUSE:Factory/.openssh.new.28504/openssh.changes   
2021-02-01 13:25:59.881897206 +0100
@@ -1,0 +2,6 @@
+Wed Jan 27 14:09:08 UTC 2021 - Thorsten Kukuk 
+
+- Add support for /etc/ssh/ssh_config.d and /etc/ssh/sshd_config.d
+  (openssh-8.4p1-ssh_config_d.patch)
+
+---

New:

  openssh-8.4p1-ssh_config_d.patch



Other differences:
--
++ openssh.spec ++
--- /var/tmp/diff_new_pack.7h38H4/_old  2021-02-01 13:26:01.177899223 +0100
+++ /var/tmp/diff_new_pack.7h38H4/_new  2021-02-01 13:26:01.177899223 +0100
@@ -110,6 +110,7 @@
 Patch42:openssh-link-with-sk.patch
 Patch43:openssh-reenable-dh-group14-sha1-default.patch
 Patch44:openssh-fix-ssh-copy-id.patch
+Patch45:openssh-8.4p1-ssh_config_d.patch
 BuildRequires:  audit-devel
 BuildRequires:  automake
 BuildRequires:  groff
@@ -308,6 +309,8 @@
 install -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir}/pam.d/sshd
 %endif
 install -d -m 755 %{buildroot}%{_localstatedir}/lib/sshd
+install -d -m 755 %{buildroot}%{_sysconfdir}/ssh/ssh_config.d
+install -d -m 755 %{buildroot}%{_sysconfdir}/ssh/sshd_config.d
 install -d -m 755 %{buildroot}%{_sysconfdir}/slp.reg.d/
 install -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/slp.reg.d/
 install -D -m 0644 %{SOURCE10} %{buildroot}%{_unitdir}/sshd.service
@@ -445,7 +448,8 @@
 %attr(0755,root,root) %{_sbindir}/sshd
 %attr(0755,root,root) %{_sbindir}/rcsshd
 %attr(0755,root,root) %{_sbindir}/sshd-gen-keys-start
-%dir %attr(755,root,root) %{_localstatedir}/lib/sshd
+%dir %attr(0755,root,root) %{_localstatedir}/lib/sshd
+%dir %attr(0755,root,root) %{_sysconfdir}/ssh/sshd_config.d
 %verify(not mode) %attr(0640,root,root) %config(noreplace) 
%{_sysconfdir}/ssh/sshd_config
 %if %{defined _distconfdir}
 %attr(0644,root,root) %{_distconfdir}/pam.d/sshd
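Review bot: The new sshd_config.d directory is packaged 0755 while sshd_config itself is kept at 0640 two lines below, so drop-in fragments an administrator writes there with a default umask end up world-readable even though the main file is not; consider `%dir %attr(0750,root,root) %{_sysconfdir}/ssh/sshd_config.d` so fragments inherit the protection of the file they extend. sshd reads the fragments as root through the `Include` added to sshd_config, so the tighter directory mode does not affect it. The ssh_config.d directory in the clients hunk below can stay 0755, since ssh_config is itself installed 0644.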
@@ -468,6 +472,7 @@
 %endif
 
 %files clients
+%dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d
 %verify(not mode) %attr(0644,root,root) %config(noreplace) 
%{_sysconfdir}/ssh/ssh_config
 %attr(0755,root,root) %{_bindir}/ssh
 %attr(0755,root,root) %{_bindir}/scp*

++ openssh-8.4p1-ssh_config_d.patch ++
diff -ur openssh-8.4p1.orig/ssh_config openssh-8.4p1/ssh_config
--- openssh-8.4p1.orig/ssh_config   2021-01-27 14:43:22.698144889 +0100
+++ openssh-8.4p1/ssh_config2021-01-27 14:40:46.170143382 +0100
@@ -17,6 +17,12 @@
 # list of available options, their meanings and defaults, please see the
 # ssh_config(5) man page.
 
+# To modify the system-wide ssh configuration, create a "*.conf" file under
+# "/etc/ssh/ssh_config.d/" which will be automatically included below.
+# Don't edit this configuration file itself if possible to avoid update
+# problems.
+Include /etc/ssh/ssh_config.d/*.conf
+
 Host *
 #   ForwardAgent no
 #   ForwardX11 no
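Review bot: The comment added above the `Include` says the fragments are "automatically included below" but does not tell the administrator what that placement means: ssh_config(5) uses the first obtained value for each option, so a directive in a fragment wins over the same directive later in this file, and fragments are read in the sorted order glob(3) returns them. Suggest extending the comment with `# Fragments are read in sorted filename order; since ssh uses the first value obtained for each option, settings in them take precedence over the ones below.`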
diff -ur openssh-8.4p1.orig/sshd_config openssh-8.4p1/sshd_config
--- openssh-8.4p1.orig/sshd_config  2020-09-27 09:25:01.0 +0200
+++ openssh-8.4p1/sshd_config   2021-01-27 14:21:23.070132184 +0100
@@ -10,6 +10,12 @@
 # possible, but leave them commented.  Uncommented options override the
 # default value.
 
+# To modify the system-wide sshd configuration, create a "*.conf" file under
+# "/etc/ssh/sshd_config.d/" which will be automatically included below.
+# Don't edit this configuration file itself if possible to avoid update
+# problems.
+Include /etc/ssh/sshd_config.d/*.conf
+
 #Port 22
 #AddressFamily any
 #ListenAddress 0.0.0.0
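Review bot: As with the client file, the comment should spell out the precedence consequence of placing `Include` before every other directive: sshd_config(5) also keeps the first value obtained, so a fragment's `PermitRootLogin` or `PasswordAuthentication` silently overrides whatever an administrator later sets in this file, and a `Match` block inside a fragment is closed at the end of that fragment rather than leaking into the directives here. Suggest adding `# Fragments are read first and sshd keeps the first value it sees, so settings placed there override this file; check the effective result with "sshd -T".`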


commit openssh for openSUSE:Factory

2021-01-26 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package openssh for openSUSE:Factory checked 
in at 2021-01-26 14:45:54

Comparing /work/SRC/openSUSE:Factory/openssh (Old)
 and  /work/SRC/openSUSE:Factory/.openssh.new.28504 (New)


Package is "openssh"

Tue Jan 26 14:45:54 2021 rev:148 rq:866401 version:8.4p1

Changes:

--- /work/SRC/openSUSE:Factory/openssh/openssh.changes  2021-01-19 
16:00:54.711263653 +0100
+++ /work/SRC/openSUSE:Factory/.openssh.new.28504/openssh.changes   
2021-01-26 14:49:43.407675456 +0100
@@ -1,0 +2,32 @@
+Sat Jan 23 18:28:19 UTC 2021 - Hans Petter Jansson 
+
+- Add openssh-fix-ssh-copy-id.patch, which fixes breakage
+  introduced in 8.4p1 (bsc#1181311).
+
+---
+Fri Jan 22 21:06:42 UTC 2021 - Hans Petter Jansson 
+
+- Improve robustness of sshd init detection when upgrading from
+  a pre-systemd distribution.
+
+---
+Fri Jan 22 03:30:59 UTC 2021 - Hans Petter Jansson 
+
+- Add openssh-reenable-dh-group14-sha1-default.patch, which adds
+  diffie-hellman-group14-sha1 key exchange back to the default
+  list (bsc#1180958). This is needed for backwards compatibility
+  with older platforms.
+
+---
+Fri Jan 22 02:54:02 UTC 2021 - Hans Petter Jansson 
+
+- Make sure sshd is enabled correctly when upgrading from a
+  pre-systemd distribution (bsc#1180083).
+
+---
+Mon Jan 18 11:04:41 UTC 2021 - Thorsten Kukuk 
+
+- sysusers-sshd.conf: use sysusers.d configuration file to create
+  sshd user (avoid hard dependency on shadow).
+
+---

New:

  openssh-fix-ssh-copy-id.patch
  openssh-reenable-dh-group14-sha1-default.patch
  sysusers-sshd.conf



Other differences:
--
++ openssh.spec ++
--- /var/tmp/diff_new_pack.vDHfiZ/_old  2021-01-26 14:49:44.487676928 +0100
+++ /var/tmp/diff_new_pack.vDHfiZ/_new  2021-01-26 14:49:44.487676928 +0100
@@ -58,6 +58,7 @@
 Source11:   README.FIPS
 Source12:   cavs_driver-ssh.pl
 Source13:   
https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc#/openssh.keyring
+Source14:   sysusers-sshd.conf
 Patch0: openssh-7.7p1-allow_root_password_login.patch
 Patch1: openssh-7.7p1-X11_trusted_forwarding.patch
 Patch3: openssh-7.7p1-enable_PAM_by_default.patch
@@ -107,6 +108,8 @@
 Patch40:openssh-8.1p1-ed25519-use-openssl-rng.patch
 Patch41:openssh-fips-ensure-approved-moduli.patch
 Patch42:openssh-link-with-sk.patch
+Patch43:openssh-reenable-dh-group14-sha1-default.patch
+Patch44:openssh-fix-ssh-copy-id.patch
 BuildRequires:  audit-devel
 BuildRequires:  automake
 BuildRequires:  groff
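Review bot: Patch43 puts diffie-hellman-group14-sha1 back into the default key-exchange list (per the changelog entry for bsc#1180958), which weakens the default on every installation rather than on the hosts that actually talk to old peers; the patch body is outside this view, so I cannot see where in the list the method lands or whether the FIPS path (Patch41) still excludes it. At minimum the patch header should record the rationale and confirm the method is appended after the SHA-2 methods so it is only negotiated when nothing stronger is shared. The opt-in alternative that keeps the upstream default is to document `KexAlgorithms +diffie-hellman-group14-sha1` for the affected hosts instead of patching the default.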
@@ -119,6 +122,8 @@
 BuildRequires:  zlib-devel
 BuildRequires:  pkgconfig(libfido2)
 BuildRequires:  pkgconfig(libsystemd)
+BuildRequires:  sysuser-shadow
+BuildRequires:  sysuser-tools
 Requires:   %{name}-clients = %{version}-%{release}
 Requires:   %{name}-server = %{version}-%{release}
 %if %{with tirpc}
@@ -129,6 +134,8 @@
 %else
 BuildRequires:  krb5-mini-devel
 %endif
+Requires(pre):  findutils
+Requires(pre):  grep
 
 %description
 SSH (Secure Shell) is a program for logging into and executing commands
@@ -166,10 +173,12 @@
 Group:  Productivity/Networking/SSH
 Requires:   %{name}-common = %{version}-%{release}
 Recommends: audit
-Requires(pre):  shadow
+Requires(pre):  findutils
+Requires(pre):  grep
 Requires(post): %fillup_prereq
 Requires(post): permissions
 Provides:   openssh:%{_sbindir}/sshd
+%sysusers_requires
 
 %description server
 SSH (Secure Shell) is a program for logging into and executing commands
@@ -287,6 +296,7 @@
 --target=%{_target_cpu}-suse-linux
 
 %make_build
+%sysusers_generate_pre %{SOURCE14} sshd
 
 %install
 %make_install
@@ -322,6 +332,10 @@
 # sshd keys generator wrapper
 install -D -m 0755 %{SOURCE9} %{buildroot}%{_sbindir}/sshd-gen-keys-start
 
+# Install sysusers.d config for sshd user
+mkdir -p %{buildroot}%{_sysusersdir}
+install -m 644 %{SOURCE14} %{buildroot}%{_sysusersdir}/sshd.conf
+
 # the hmac hashes - taken from openssl
 #
 # re-define the __os_install_post macro: the macro strips
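Review bot: The two new lines use a separate `mkdir -p` followed by `install -m 644`, while the neighbouring entries in this %install section install single files with `install -D -m 0755 …` (the sshd-gen-keys-start line just above); a single `install -D -m 0644 %{SOURCE14} %{buildroot}%{_sysusersdir}/sshd.conf` creates the directory and keeps the mode spelled the same way as the rest of the section.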
@@ -346,24 +360,29 @@
 # %%service_add_post scriptlet (in %%post server) will see it as a new service
 # and apply the preset, disabling it. We need to reenable it afterwards if
 # necessary.
+mkdir -p %{_tmpenableddir} || :
 if [ -x %{_bindir}/systemctl ]; then
-mkdir -p %{_tmpenableddir} || :
 %{_bindir}/systemctl is-enabled 

commit openssh for openSUSE:Factory

2021-01-19 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package openssh for openSUSE:Factory checked 
in at 2021-01-19 16:00:43

Comparing /work/SRC/openSUSE:Factory/openssh (Old)
 and  /work/SRC/openSUSE:Factory/.openssh.new.28504 (New)


Package is "openssh"

Tue Jan 19 16:00:43 2021 rev:147 rq:863947 version:8.4p1

Changes:

--- /work/SRC/openSUSE:Factory/openssh/openssh.changes  2021-01-15 
19:43:33.397773139 +0100
+++ /work/SRC/openSUSE:Factory/.openssh.new.28504/openssh.changes   
2021-01-19 16:00:54.711263653 +0100
@@ -1,0 +2,130 @@
+Mon Jan 18 00:30:37 UTC 2021 - Dirk M??ller 
+
+- update to 8.4p1:
+  Security
+  
+ * ssh-agent(1): restrict ssh-agent from signing web challenges for
+   FIDO/U2F keys.
+ * ssh-keygen(1): Enable FIDO 2.1 credProtect extension when generating
+   a FIDO resident key.
+ * ssh(1), ssh-keygen(1): support for FIDO keys that require a PIN for
+   each use. These keys may be generated using ssh-keygen using a new
+   "verify-required" option. When a PIN-required key is used, the user
+   will be prompted for a PIN to complete the signature operation.
+  New Features
+  
+ * sshd(8): authorized_keys now supports a new "verify-required"
+   option to require FIDO signatures assert that the token verified
+   that the user was present before making the signature. The FIDO
+   protocol supports multiple methods for user-verification, but
+   currently OpenSSH only supports PIN verification.
+
+ * sshd(8), ssh-keygen(1): add support for verifying FIDO webauthn
+   signatures. Webauthn is a standard for using FIDO keys in web
+   browsers. These signatures are a slightly different format to plain
+   FIDO signatures and thus require explicit support.
+
+ * ssh(1): allow some keywords to expand shell-style ${ENV}
+   environment variables. The supported keywords are CertificateFile,
+   ControlPath, IdentityAgent and IdentityFile, plus LocalForward and
+   RemoteForward when used for Unix domain socket paths. bz#3140
+
+ * ssh(1), ssh-agent(1): allow some additional control over the use of
+   ssh-askpass via a new $SSH_ASKPASS_REQUIRE environment variable,
+   including forcibly enabling and disabling its use. bz#69
+
+ * ssh(1): allow ssh_config(5)'s AddKeysToAgent keyword accept a time
+   limit for keys in addition to its current flag options. Time-
+   limited keys will automatically be removed from ssh-agent after
+   their expiry time has passed.
+
+ * scp(1), sftp(1): allow the -A flag to explicitly enable agent
+   forwarding in scp and sftp. The default remains to not forward an
+   agent, even when ssh_config enables it.
+
+ * ssh(1): add a '%k' TOKEN that expands to the effective HostKey of
+   the destination. This allows, e.g., keeping host keys in individual
+   files using "UserKnownHostsFile ~/.ssh/known_hosts.d/%k". bz#1654
+
+ * ssh(1): add %-TOKEN, environment variable and tilde expansion to
+   the UserKnownHostsFile directive, allowing the path to be
+   completed by the configuration (e.g. bz#1654)
+
+ * ssh-keygen(1): allow "ssh-add -d -" to read keys to be deleted
+   from stdin. bz#3180
+
+ * sshd(8): improve logging for MaxStartups connection throttling.
+   sshd will now log when it starts and stops throttling and periodically
+   while in this state. bz#3055
+
+  Bugfixes
+  
+ * ssh(1), ssh-keygen(1): better support for multiple attached FIDO
+   tokens. In cases where OpenSSH cannot unambiguously determine which
+   token to direct a request to, the user is now required to select a
+   token by touching it. In cases of operations that require a PIN to
+   be verified, this avoids sending the wrong PIN to the wrong token
+   and incrementing the token's PIN failure counter (tokens
+   effectively erase their keys after too many PIN failures).
+ * sshd(8): fix Include before Match in sshd_config; bz#3122
+ * ssh(1): close stdin/out/error when forking after authentication
+   completes ("ssh -f ...") bz#3137
+ * ssh(1), sshd(8): limit the amount of channel input data buffered,
+   avoiding peers that advertise large windows but are slow to read
+   from causing high memory consumption.
+ * ssh-agent(1): handle multiple requests sent in a single write() to
+   the agent.
+ * sshd(8): allow sshd_config longer than 256k
+ * sshd(8): avoid spurious "Unable to load host key" message when sshd
+   load a private key but no public counterpart
+ * ssh(1): prefer the default hostkey algorithm list whenever we have
+   a hostkey that matches its best-preference algorithm.
+ * sshd(1): when ordering the hostkey algorithms to request from a
+   server, prefer certificate types if the known_hosts files contain a key
+   marked as a @cert-authority; bz#3157
+ * ssh(1): perform host key fingerprint comparisons for the "Are you
+   sure you want to 

commit openssh for openSUSE:Factory

2021-01-15 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package openssh for openSUSE:Factory checked 
in at 2021-01-15 19:43:28

Comparing /work/SRC/openSUSE:Factory/openssh (Old)
 and  /work/SRC/openSUSE:Factory/.openssh.new.28504 (New)


Package is "openssh"

Fri Jan 15 19:43:28 2021 rev:146 rq:861779 version:8.3p1

Changes:

--- /work/SRC/openSUSE:Factory/openssh/openssh.changes  2021-01-06 
19:55:33.348955736 +0100
+++ /work/SRC/openSUSE:Factory/.openssh.new.28504/openssh.changes   
2021-01-15 19:43:33.397773139 +0100
@@ -1,0 +2,7 @@
+Fri Jan  8 01:37:02 UTC 2021 - Hans Petter Jansson 
+
+- Update openssh-8.1p1-audit.patch (bsc#1180501). This fixes
+  occasional crashes on connection termination caused by accessing
+  freed memory.
+
+---



Other differences:
--
openssh.spec: same change
++ openssh-8.1p1-audit.patch ++
--- /var/tmp/diff_new_pack.rGOfCm/_old  2021-01-15 19:43:34.55072 +0100
+++ /var/tmp/diff_new_pack.rGOfCm/_new  2021-01-15 19:43:34.55072 +0100
@@ -1,5 +1,5 @@
 diff --git a/Makefile.in b/Makefile.in
-index 9d3f569..5a0e0b6 100644
+index 88aba09..b815eac 100644
 --- a/Makefile.in
 +++ b/Makefile.in
 @@ -115,7 +115,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
@@ -1673,7 +1673,7 @@
  
  struct Session;
 diff --git a/packet.c b/packet.c
-index e7abb34..3e9c95e 100644
+index e7abb34..997c338 100644
 --- a/packet.c
 +++ b/packet.c
 @@ -81,6 +81,7 @@
@@ -1753,7 +1753,7 @@
state->newkeys[mode] = NULL;
}
/* note that both bytes and the seqnr are not reset */
-@@ -2205,6 +2221,71 @@ ssh_packet_get_output(struct ssh *ssh)
+@@ -2205,6 +2221,73 @@ ssh_packet_get_output(struct ssh *ssh)
return (void *)ssh->state->output;
  }
  
@@ -1783,7 +1783,9 @@
 +  return;
 +
 +  cipher_free(state->receive_context);
++  state->receive_context = NULL;
 +  cipher_free(state->send_context);
++  state->send_context = NULL;
 +
 +  sshbuf_free(state->input);
 +  state->input = NULL;
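Review bot: The two added assignments are the bsc#1180501 fix, but nothing in the patch says why they are needed: the function (its beginning is outside the hunk) already frees and NULLs state->input, and the fix only works because cipher_free() in this tree returns early on a NULL argument when the same state is torn down a second time — I infer that second teardown from the crash description, the caller is not visible here. A one-line comment above the first cipher_free, `/* reset the contexts: this state can be destroyed again later and cipher_free() tolerates NULL */`, would keep that reasoning with the code. If the same function frees other pointers without resetting them they deserve the same treatment; only the two cipher contexts and input are visible in this hunk.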


[opensuse-commit] commit openssh for openSUSE:Factory

2020-11-26 Thread User for buildservice source handling
Hello community,

here is the log from the commit of package openssh for openSUSE:Factory checked 
in at 2020-11-26 23:10:42

Comparing /work/SRC/openSUSE:Factory/openssh (Old)
 and  /work/SRC/openSUSE:Factory/.openssh.new.5913 (New)


Package is "openssh"

Thu Nov 26 23:10:42 2020 rev:144 rq:849984 version:8.3p1

Changes:

--- /work/SRC/openSUSE:Factory/openssh/openssh.changes  2020-10-18 
16:30:22.716730029 +0200
+++ /work/SRC/openSUSE:Factory/.openssh.new.5913/openssh.changes
2020-11-26 23:12:22.672940774 +0100
@@ -1,0 +2,22 @@
+Wed Nov 11 20:05:27 UTC 2020 - Hans Petter Jansson 
+
+- Fix build breakage caused by missing security key objects:
+  + Modify openssh-7.7p1-cavstest-ctr.patch.
+  + Modify openssh-7.7p1-cavstest-kdf.patch.
+  + Add openssh-link-with-sk.patch.
+
+---
+Wed Nov 11 18:27:55 UTC 2020 - Hans Petter Jansson 
+
+- Add openssh-fips-ensure-approved-moduli.patch (bsc#1177939).
+  This ensures only approved DH parameters are used in FIPS mode.
+
+---
+Wed Nov 11 18:27:54 UTC 2020 - Hans Petter Jansson 
+
+- Add openssh-8.1p1-ed25519-use-openssl-rng.patch (bsc#1173799).
+  This uses OpenSSL's RAND_bytes() directly instead of the internal
+  ChaCha20-based implementation to obtain random bytes for Ed25519
+  curve computations. This is required for FIPS compliance.
+
+---

New:

  openssh-8.1p1-ed25519-use-openssl-rng.patch
  openssh-fips-ensure-approved-moduli.patch
  openssh-link-with-sk.patch



Other differences:
--
++ openssh.spec ++
--- /var/tmp/diff_new_pack.NqJRYZ/_old  2020-11-26 23:12:24.268941105 +0100
+++ /var/tmp/diff_new_pack.NqJRYZ/_new  2020-11-26 23:12:24.268941105 +0100
@@ -104,6 +104,9 @@
 Patch37:openssh-8.1p1-seccomp-clock_nanosleep_time64.patch
 Patch38:openssh-8.1p1-seccomp-clock_gettime64.patch
 Patch39:openssh-8.1p1-use-openssl-kdf.patch
+Patch40:openssh-8.1p1-ed25519-use-openssl-rng.patch
+Patch41:openssh-fips-ensure-approved-moduli.patch
+Patch42:openssh-link-with-sk.patch
 BuildRequires:  audit-devel
 BuildRequires:  autoconf
 BuildRequires:  groff

++ openssh-7.7p1-cavstest-ctr.patch ++
--- /var/tmp/diff_new_pack.NqJRYZ/_old  2020-11-26 23:12:24.348941121 +0100
+++ /var/tmp/diff_new_pack.NqJRYZ/_new  2020-11-26 23:12:24.352941122 +0100
@@ -28,8 +28,8 @@
$(LD) -o $@ $(SFTP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) 
$(LIBEDIT)
  
 +# FIPS tests
-+cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a cavstest-ctr.o
-+  $(LD) -o $@ cavstest-ctr.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh 
$(LIBS)
++cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o 
cavstest-ctr.o
++  $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh 
-lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
 +
  # test driver for the loginrec code - not built by default
  logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
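Review bot: The CAVS driver now links sk-usbhid.o and $(LIBFIDO2), so the FIPS self-test binary pulls the USB security-key backend and libfido2 into a test that only exercises the CTR cipher; if the unresolved references come from the security-key hooks in libssh.a, linking the helper-client stub (ssh-sk-client.o in 8.x trees) instead of ssh-sk.o sk-usbhid.o would presumably satisfy them without libfido2 — the link error is not visible here, so verify which object is actually required. The recipe also passes `-lssh` twice around `-lopenbsd-compat`; that was already on the old side and is harmless for static archives, but a comment such as `# -lssh repeated: libopenbsd-compat references symbols in libssh.a` would explain it to the next person who "cleans it up".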

++ openssh-7.7p1-cavstest-kdf.patch ++
--- /var/tmp/diff_new_pack.NqJRYZ/_old  2020-11-26 23:12:24.360941124 +0100
+++ /var/tmp/diff_new_pack.NqJRYZ/_new  2020-11-26 23:12:24.360941124 +0100
@@ -24,11 +24,11 @@
  XMSS_OBJS=\
ssh-xmss.o \
 @@ -251,6 +252,9 @@ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTP_OBJS)
- cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a cavstest-ctr.o
-   $(LD) -o $@ cavstest-ctr.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh 
$(LIBS)
+ cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o 
cavstest-ctr.o
+   $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh 
-lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
  
-+cavstest-kdf$(EXEEXT): $(LIBCOMPAT) libssh.a cavstest-kdf.o
-+  $(LD) -o $@ cavstest-kdf.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh 
$(LIBS)
++cavstest-kdf$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o 
cavstest-kdf.o
++  $(LD) -o $@ cavstest-kdf.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh 
-lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
 +
  # test driver for the loginrec code - not built by default
  logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
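Review bot: The context lines of this hunk (`cavstest-ctr$(EXEEXT): … ssh-sk.o sk-usbhid.o`) are the already-patched form produced by openssh-7.7p1-cavstest-ctr.patch, so the kdf patch now only applies after the ctr patch and must be regenerated whenever that one changes; the Patch ordering in the spec (outside this view) has to keep ctr before kdf. A header line in the patch file, e.g. `# context depends on openssh-7.7p1-cavstest-ctr.patch being applied first`, avoids a surprise on the next rebase. The same concern as for the ctr driver applies: the KDF self-test does not need the USB HID backend or libfido2.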

++ openssh-8.1p1-ed25519-use-openssl-rng.patch ++
commit d281831d887044ede45d458c3dda74be9ae017e3
Author: Hans Petter Jansson 
Date:   Fri Sep 25 23:26:58 2020 +0200

Use OpenSSL's FIPS approved RAND_bytes() to get randomness for Ed25519

diff --git a/ed25519.c b/ed25519.c
index 767ec24..5d506a9 100644
--- a/ed25519.c
+++ b/ed25519.c
@@ -9,6 +9,13 @@
 #include "includes.h"
 #include "crypto_api.h"
 
+#ifdef WITH_OPENSSL
+#include 
+#include 
+#endif
+
+#include "log.h"
+
 #include "ge25519.h"
 
 static void