commit openssh for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openssh for openSUSE:Factory checked in at 2024-07-08 19:06:54 Comparing /work/SRC/openSUSE:Factory/openssh (Old) and /work/SRC/openSUSE:Factory/.openssh.new.2080 (New) Package is "openssh" Mon Jul 8 19:06:54 2024 rev:180 rq:1185823 version:9.6p1 Changes: --- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2024-07-02 18:16:21.659224267 +0200 +++ /work/SRC/openSUSE:Factory/.openssh.new.2080/openssh.changes 2024-07-08 19:07:02.296058655 +0200 @@ -1,0 +2,22 @@ +Fri Jul 5 17:49:06 UTC 2024 - Antonio Larrosa + +- Add patch from upstream to fix proxy multiplexing mode: + * 0001-upstream-fix-proxy-multiplexing-mode_-broken-when-keystroke.patch +- Add patch from upstream to restore correctly sigprocmask + * 0001-upstream-correctly-restore-sigprocmask-around-ppoll.patch +- Add patch from upstream to fix a logic error in + ObscureKeystrokeTiming that rendered this feature ineffective, + allowing a passive observer to detect which network packets + contained real keystrokes (bsc#1227318, CVE-2024-39894): + * 0001-upstream-when-sending-ObscureKeystrokeTiming-chaff-packets_.patch + +--- +Wed Jul 3 16:53:53 UTC 2024 - Antonio Larrosa + +- Add obsoletes for openssh-server-config-rootlogin since that + package existed for a brief period of time during SLE 15 SP6/ + Leap 15.6 development but even if it was removed from the + repositories before GM, some users might have it in their + systems from having tried a beta/RC release (boo#1227350). + +--- 
@@ -134 +156,2 @@ -quoting was present in the user-supplied ssh_config(5) directive. +quoting was present in the user-supplied ssh_config(5) directive +(bsc#1218215, CVE-2023-51385). New: 0001-upstream-correctly-restore-sigprocmask-around-ppoll.patch 0001-upstream-fix-proxy-multiplexing-mode_-broken-when-keystroke.patch 0001-upstream-when-sending-ObscureKeystrokeTiming-chaff-packets_.patch BETA DEBUG BEGIN: New:/work/SRC/openSUSE:Factory/.openssh.new.2080/openssh.changes-- Add patch from upstream to restore correctly sigprocmask /work/SRC/openSUSE:Factory/.openssh.new.2080/openssh.changes: * 0001-upstream-correctly-restore-sigprocmask-around-ppoll.patch /work/SRC/openSUSE:Factory/.openssh.new.2080/openssh.changes-- Add patch from upstream to fix a logic error in New:/work/SRC/openSUSE:Factory/.openssh.new.2080/openssh.changes-- Add patch from upstream to fix proxy multiplexing mode: /work/SRC/openSUSE:Factory/.openssh.new.2080/openssh.changes: * 0001-upstream-fix-proxy-multiplexing-mode_-broken-when-keystroke.patch /work/SRC/openSUSE:Factory/.openssh.new.2080/openssh.changes-- Add patch from upstream to restore correctly sigprocmask New:/work/SRC/openSUSE:Factory/.openssh.new.2080/openssh.changes- contained real keystrokes (bsc#1227318, CVE-2024-39894): /work/SRC/openSUSE:Factory/.openssh.new.2080/openssh.changes: * 0001-upstream-when-sending-ObscureKeystrokeTiming-chaff-packets_.patch /work/SRC/openSUSE:Factory/.openssh.new.2080/openssh.changes- BETA DEBUG END: Other differences: -- ++ openssh.spec ++ --- /var/tmp/diff_new_pack.EYrqds/_old 2024-07-08 19:07:06.572215042 +0200 +++ /var/tmp/diff_new_pack.EYrqds/_new 2024-07-08 19:07:06.588215627 +0200 
@@ -128,8 +128,14 @@ # PATCH-FIX-OPENSUSE bsc#1211301 Add crypto-policies support Patch107: openssh-9.6p1-crypto-policies.patch Patch108: openssh-9.6p1-crypto-policies-man.patch -# PATCH-FIX-SUSE bsc#1226642 fix CVE-2024-6387 +# PATCH-FIX-UPSTREAM bsc#1226642 fix CVE-2024-6387 Patch109: fix-CVE-2024-6387.patch +# PATCH-FIX-UPSTREAM +Patch110: 0001-upstream-fix-proxy-multiplexing-mode_-broken-when-keystroke.patch +# PATCH-FIX-UPSTREAM +Patch111: 0001-upstream-correctly-restore-sigprocmask-around-ppoll.patch +# PATCH-FIX-UPSTREAM bsc#1227318 CVE-2024-39894 +Patch112: 0001-upstream-when-sending-ObscureKeystrokeTiming-chaff-packets_.patch %if 0%{with allow_root_password_login_by_default} Patch1000: openssh-7.7p1-allow_root_password_login.patch %endif @@ -204,6 +210,12 @@ Requires(post): %fillup_prereq Requires(post): permissions Provides: openssh:%{_sbindir}/sshd +%if 0%{with allow_root_password_login_by_default} +# For a brief period of time this package existed in SLE/Leap. +# It was removed before GM but some people might have it from +# a beta distribution version (boo#1227350) +Obsoletes: openssh-server-config-rootlogin <= %{version} +%endif %sysusers_requires %description server ++
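Review bot: in the spec hunk at @@ -128,8 +128,14 @@, Patch110 and Patch111 are introduced with a bare `# PATCH-FIX-UPSTREAM` marker while Patch112 carries `bsc#1227318 CVE-2024-39894`; put the one-line purpose from the .changes entry on those markers too (`# PATCH-FIX-UPSTREAM fix proxy multiplexing mode broken by keystroke timing obfuscation` and `# PATCH-FIX-UPSTREAM correctly restore sigprocmask around ppoll`), since the spec is what a reviewer reads when deciding whether a patch can be dropped at the next version bump.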
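Review bot: in the .changes hunk at @@ -1,0 +2,22 @@, "restore correctly sigprocmask" should read "correctly restore sigprocmask around ppoll", and that entry, unlike its two neighbours, gives no bug or upstream reference. The Obsoletes entry could also state that the tag is only emitted when `allow_root_password_login_by_default` is enabled (spec hunk @@ -204,6 +210,12 @@), which is exactly the SLE 15 SP6/Leap 15.6 case it targets, so a reader of the changelog on Tumbleweed knows why the tag is absent there.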
commit openssh for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openssh for openSUSE:Factory checked in at 2024-07-02 18:16:12 Comparing /work/SRC/openSUSE:Factory/openssh (Old) and /work/SRC/openSUSE:Factory/.openssh.new.18349 (New) Package is "openssh" Tue Jul 2 18:16:12 2024 rev:179 rq:1184302 version:9.6p1 Changes: --- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2024-06-10 17:37:10.697934828 +0200 +++ /work/SRC/openSUSE:Factory/.openssh.new.18349/openssh.changes 2024-07-02 18:16:21.659224267 +0200 @@ -1,0 +2,7 @@ +Mon Jul 1 07:50:28 UTC 2024 - Antonio Larrosa + +- Add patch to fix a race condition in a signal handler by removing + the async-signal-unsafe code (CVE-2024-6387, bsc#1226642): + * fix-CVE-2024-6387.patch + +--- New: fix-CVE-2024-6387.patch BETA DEBUG BEGIN: New:/work/SRC/openSUSE:Factory/.openssh.new.18349/openssh.changes- the async-signal-unsafe code (CVE-2024-6387, bsc#1226642): /work/SRC/openSUSE:Factory/.openssh.new.18349/openssh.changes: * fix-CVE-2024-6387.patch /work/SRC/openSUSE:Factory/.openssh.new.18349/openssh.changes- BETA DEBUG END: Other differences: -- ++ openssh.spec ++ --- /var/tmp/diff_new_pack.nOfU2N/_old 2024-07-02 18:16:23.007273597 +0200 +++ /var/tmp/diff_new_pack.nOfU2N/_new 2024-07-02 18:16:23.011273743 +0200 @@ -128,6 +128,8 @@ # PATCH-FIX-OPENSUSE bsc#1211301 Add crypto-policies support Patch107: openssh-9.6p1-crypto-policies.patch Patch108: openssh-9.6p1-crypto-policies-man.patch +# PATCH-FIX-SUSE bsc#1226642 fix CVE-2024-6387 +Patch109: fix-CVE-2024-6387.patch %if 0%{with allow_root_password_login_by_default} Patch1000: openssh-7.7p1-allow_root_password_login.patch %endif ++ fix-CVE-2024-6387.patch ++ Index: openssh-9.6p1/log.c === --- openssh-9.6p1.orig/log.c +++ openssh-9.6p1/log.c 
@@ -451,12 +451,14 @@ void sshsigdie(const char *file, const char *func, int line, int showfunc, LogLevel level, const char *suffix, const char *fmt, ...) { +#if 0 va_list args; va_start(args, fmt); sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL, suffix, fmt, args); va_end(args); +#endif _exit(1); }
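Review bot: the `#if 0` in the log.c hunk at @@ -451,12 +451,14 @@ leaves `sshsigdie()` with nothing but `_exit(1)`, which is the right shape for a function reached from a signal handler (the `sshlogv()` call it removes is what made the handler async-signal-unsafe, as the .changes entry says), but the hunk should carry that reasoning as a comment beside the `#if 0` and preferably gate the block on a named build-time macro rather than a bare `#if 0`, so nobody later "fixes" the silent exit by restoring the log call. With the body disabled all seven named parameters go unused, so expect `-Wunused-parameter` noise unless they are cast to void. The spec hunk tags this `PATCH-FIX-SUSE`; if the content follows upstream's fix it should be `PATCH-FIX-UPSTREAM` (the rev 180 commit above relabels it).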
commit openssh for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openssh for openSUSE:Factory checked in at 2024-06-10 17:37:06 Comparing /work/SRC/openSUSE:Factory/openssh (Old) and /work/SRC/openSUSE:Factory/.openssh.new.19518 (New) Package is "openssh" Mon Jun 10 17:37:06 2024 rev:178 rq:1179624 version:9.6p1 Changes: --- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2024-05-17 20:04:08.961185171 +0200 +++ /work/SRC/openSUSE:Factory/.openssh.new.19518/openssh.changes 2024-06-10 17:37:10.697934828 +0200 @@ -1,0 +2,7 @@ +Mon Jun 10 07:10:48 UTC 2024 - Antonio Larrosa + +- Add #include in some files added by the ldap patch to + fix build with gcc14 (boo#1225904). + * openssh-7.7p1-ldap.patch + +--- Other differences: -- openssh.spec: same change ++ openssh-7.7p1-ldap.patch ++ --- /var/tmp/diff_new_pack.z3rcQd/_old 2024-06-10 17:37:12.421999092 +0200 +++ /var/tmp/diff_new_pack.z3rcQd/_new 2024-06-10 17:37:12.425999241 +0200 @@ -335,7 +335,7 @@ === --- /dev/null +++ openssh-8.9p1/ldap-helper.c -@@ -0,0 +1,155 @@ +@@ -0,0 +1,156 @@ +/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* + * Copyright (c) 2009 Jan F. Chadima. All rights reserved. @@ -369,6 +369,7 @@ +#include "ldapbody.h" +#include +#include ++#include + +static int config_debug = 0; +int config_exclusive_config_file = 0; @@ -1175,7 +1176,7 @@ === --- /dev/null +++ openssh-8.9p1/ldapconf.c -@@ -0,0 +1,711 @@ +@@ -0,0 +1,712 @@ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* + * Copyright (c) 2009 Jan F. Chadima. All rights reserved. @@ -1209,6 +1210,7 @@ +#include "ldapconf.h" +#include +#include ++#include + +/* Keyword tokens. */ +
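Review bot: the two hunks in openssh-7.7p1-ldap.patch (@@ -369,6 +369,7 @@ and @@ -1209,6 +1210,7 @@) each add a `++#include` whose header name is not visible here, and none of the surrounding `#include` lines show their angle-bracket targets either, so this rendering cannot confirm which header satisfies gcc14; the .changes entry ("Add #include in some files") has the same gap and should name the header and the function whose missing prototype broke the build under boo#1225904. The nested hunk headers (+1,155 to +1,156 and +1,711 to +1,712) are consistent with exactly one line added to each of ldap-helper.c and ldapconf.c.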
commit openssh for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openssh for openSUSE:Factory checked in at 2024-05-17 20:03:57 Comparing /work/SRC/openSUSE:Factory/openssh (Old) and /work/SRC/openSUSE:Factory/.openssh.new.1880 (New) Package is "openssh" Fri May 17 20:03:57 2024 rev:177 rq:1174781 version:9.6p1 Changes: --- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2024-05-17 09:34:05.056230116 +0200 +++ /work/SRC/openSUSE:Factory/.openssh.new.1880/openssh.changes 2024-05-17 20:04:08.961185171 +0200 
@@ -1,0 +2,31 @@ +Fri May 17 07:45:38 UTC 2024 - Antonio Larrosa + +- Remove the recommendation for openssh-server-config-rootlogin + from openssh-server. Since the default for that config option + was changed in SLE it's not needed anymore in SLE nor in TW + (boo#1224392). + +--- +Tue May 14 19:29:05 UTC 2024 - Antonio Larrosa + +- Add a warning in %post of openssh-clients, openssh-server and + openssh-server-config-disallow-rootlogin to warn the user if + the /etc/ssh/(ssh_config.d|sshd_config.d) directories are not + being used (bsc#1223486). + +--- +Mon May 13 15:27:37 UTC 2024 - Antonio Larrosa + +- Only for SLE15, restore the patch file removed in + Thu Feb 18 13:54:44 UTC 2021 to restore the previous behaviour + from SP5 of having root password login allowed by default + (fixes bsc#1223486, related to bsc#1173067): + * openssh-7.7p1-allow_root_password_login.patch +- Since the default value for this config option is now set to + permit root to use password logins in SLE15, the + openssh-server-config-rootlogin subpackage isn't useful there so + we now create an openssh-server-config-disallow-rootlogin + subpackage that sets the configuration the other way around + than openssh-server-config-rootlogin. + +--- New: openssh-7.7p1-allow_root_password_login.patch BETA DEBUG BEGIN: New:/work/SRC/openSUSE:Factory/.openssh.new.1880/openssh.changes- (fixes bsc#1223486, related to bsc#1173067): /work/SRC/openSUSE:Factory/.openssh.new.1880/openssh.changes: * openssh-7.7p1-allow_root_password_login.patch /work/SRC/openSUSE:Factory/.openssh.new.1880/openssh.changes-- Since the default value for this config option is now set to BETA DEBUG END: Other differences: -- ++ openssh.spec ++ --- /var/tmp/diff_new_pack.eBFEPV/_old 2024-05-17 20:04:11.505277099 +0200 +++ /var/tmp/diff_new_pack.eBFEPV/_new 2024-05-17 20:04:11.505277099 +0200 
@@ -28,8 +28,10 @@ %if 0%{?suse_version} >= 1550 %bcond_without wtmpdb +%bcond_with allow_root_password_login_by_default %else %bcond_with wtmpdb +%bcond_without allow_root_password_login_by_default %endif #Compat macro for new _fillupdir macro introduced in Nov 2017 @@ -126,6 +128,9 @@ # PATCH-FIX-OPENSUSE bsc#1211301 Add crypto-policies support Patch107: openssh-9.6p1-crypto-policies.patch Patch108: openssh-9.6p1-crypto-policies-man.patch +%if 0%{with allow_root_password_login_by_default} +Patch1000: openssh-7.7p1-allow_root_password_login.patch +%endif BuildRequires: audit-devel BuildRequires: automake BuildRequires: groff @@ -192,9 +197,6 @@ Requires: %{name}-common = %{version}-%{release} Requires: crypto-policies >= 20220824 Recommends: audit -%if 0%{?suse_version} == 1500 -Recommends: openssh-server-config-rootlogin -%endif Requires(pre): findutils Requires(pre): grep Requires(post): %fillup_prereq @@ -214,16 +216,31 @@ This package contains the Secure Shell daemon, which allows clients to securely connect to your server. +%if 0%{with allow_root_password_login_by_default} +%package server-config-disallow-rootlogin +Summary:Config to disallow password root logins to sshd +Group: Productivity/Networking/SSH +Requires: %{name}-server = %{version}-%{release} +Conflicts: %{name}-server-config-rootlogin + +%description server-config-disallow-rootlogin +The openssh-server package by default allows password based +root logins. This package provides a config that disallows root +to log in using the passwor. It's useful to secure your system +preventing password attacks on the root account over ssh. +%else %package server-config-rootlogin Summary:Config to permit root logins to sshd Group: Productivity/Networking/SSH Requires: %{name}-server = %{version}-%{release} +Conflicts: %{name}-server-config-disallow-rootlogin %description server-config-rootlogin The openssh-server package by default disallows password based root
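Review bot: in the spec hunk at @@ -214,16 +216,31 @@, the `%description server-config-disallow-rootlogin` text has a typo ("using the passwor" should be "using the password"), and the `Summary:Config ...` lines appear to lack the space after the colon that `Group:` and `Requires:` use (check that this is not a rendering artefact). More importantly, the bcond hunk at @@ -28,8 +28,10 @@ flips the SLE 15 default to password root login with no comment at the `%bcond_without` site; add the bsc#1223486 / bsc#1173067 reference from the .changes there, because a future reader of the spec will otherwise see only that Tumbleweed and SLE differ on a security-relevant default without learning why.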
commit openssh for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openssh for openSUSE:Factory checked in at 2024-05-15 21:25:44 Comparing /work/SRC/openSUSE:Factory/openssh (Old) and /work/SRC/openSUSE:Factory/.openssh.new.1880 (New) Package is "openssh" Wed May 15 21:25:44 2024 rev:175 rq:1173885 version:9.6p1 Changes: --- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2024-04-16 20:03:49.228397724 +0200 +++ /work/SRC/openSUSE:Factory/.openssh.new.1880/openssh.changes 2024-05-15 21:26:04.472458037 +0200 @@ -1,0 +2,15 @@ +Mon May 13 15:27:37 UTC 2024 - Antonio Larrosa + +- Only for SLE15, restore the patch file removed in + Thu Feb 18 13:54:44 UTC 2021 to restore the previous behaviour + from SP5 of having root password login allowed by default + (fixes bsc#1223486, related to bsc#1173067): + * openssh-7.7p1-allow_root_password_login.patch +- Since the default value for this config option is now set to + permit root to use password logins in SLE15, the + openssh-server-config-rootlogin subpackage isn't useful there so + we now create an openssh-server-config-disallow-rootlogin + subpackage that sets the configuration the other way around + than openssh-server-config-rootlogin. + +--- New: openssh-7.7p1-allow_root_password_login.patch BETA DEBUG BEGIN: New:/work/SRC/openSUSE:Factory/.openssh.new.1880/openssh.changes- (fixes bsc#1223486, related to bsc#1173067): /work/SRC/openSUSE:Factory/.openssh.new.1880/openssh.changes: * openssh-7.7p1-allow_root_password_login.patch /work/SRC/openSUSE:Factory/.openssh.new.1880/openssh.changes-- Since the default value for this config option is now set to BETA DEBUG END: Other differences: -- ++ openssh.spec ++ --- /var/tmp/diff_new_pack.Ia1IW1/_old 2024-05-15 21:26:05.764504802 +0200 +++ /var/tmp/diff_new_pack.Ia1IW1/_new 2024-05-15 21:26:05.768504947 +0200 
@@ -28,8 +28,10 @@ %if 0%{?suse_version} >= 1550 %bcond_without wtmpdb +%bcond_with allow_root_password_login_by_default %else %bcond_with wtmpdb +%bcond_without allow_root_password_login_by_default %endif #Compat macro for new _fillupdir macro introduced in Nov 2017 @@ -126,6 +128,9 @@ # PATCH-FIX-OPENSUSE bsc#1211301 Add crypto-policies support Patch107: openssh-9.6p1-crypto-policies.patch Patch108: openssh-9.6p1-crypto-policies-man.patch +%if 0%{with allow_root_password_login_by_default} +Patch1000: openssh-7.7p1-allow_root_password_login.patch +%endif BuildRequires: audit-devel BuildRequires: automake BuildRequires: groff @@ -192,7 +197,7 @@ Requires: %{name}-common = %{version}-%{release} Requires: crypto-policies >= 20220824 Recommends: audit -%if 0%{?suse_version} == 1500 +%if 0%{without allow_root_password_login_by_default} Recommends: openssh-server-config-rootlogin %endif Requires(pre): findutils 
@@ -214,16 +219,31 @@ This package contains the Secure Shell daemon, which allows clients to securely connect to your server. +%if 0%{with allow_root_password_login_by_default} +%package server-config-disallow-rootlogin +Summary:Config to disallow password root logins to sshd +Group: Productivity/Networking/SSH +Requires: %{name}-server = %{version}-%{release} +Conflicts: %{name}-server-config-rootlogin + +%description server-config-disallow-rootlogin +The openssh-server package by default allows password based +root logins. This package provides a config that disallows root +to log in using the passwor. It's useful to secure your system +preventing password attacks on the root account over ssh. +%else %package server-config-rootlogin Summary:Config to permit root logins to sshd Group: Productivity/Networking/SSH Requires: %{name}-server = %{version}-%{release} +Conflicts: %{name}-server-config-disallow-rootlogin %description server-config-rootlogin The openssh-server package by default disallows password based root logins. This package provides a config that does. It's useful to temporarily have a password based login to be able to use ssh-copy-id(1). +%endif %package clients Summary:SSH (Secure Shell) client applications @@ -369,7 +389,11 @@ install -m 644 contrib/ssh-copy-id.1 %{buildroot}%{_mandir}/man1 sed -i -e s@%{_prefix}/libexec@%{_libexecdir}@g %{buildroot}%{_sysconfdir}/ssh/sshd_config +%if 0%{with allow_root_password_login_by_default} +echo "PermitRootLogin prohibit-password" > %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/51-permit-root-login.conf +%else echo "PermitRootLogin yes" > %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
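Review bot: in the install hunk at @@ -369,7 +389,11 @@, the new `51-permit-root-login.conf` containing `PermitRootLogin prohibit-password` only takes effect if nothing that sorts before it in sshd_config.d sets `PermitRootLogin`, because sshd keeps the first value it reads for a keyword; a comment next to the `echo` lines should say that the 51 prefix is deliberate and that it must stay above any other shipped drop-in touching that keyword. The `%else` branch keeps writing `PermitRootLogin yes` to `50-permit-root-login.conf`, so the `Conflicts:` pair added at @@ -214,16 +219,31 @@ is needed to keep the two files from coexisting. That hunk also has the "passwor" typo in the new `%description server-config-disallow-rootlogin`.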
commit openssh for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openssh for openSUSE:Factory checked in at 2024-04-14 11:53:40 Comparing /work/SRC/openSUSE:Factory/openssh (Old) and /work/SRC/openSUSE:Factory/.openssh.new.26366 (New) Package is "openssh" Sun Apr 14 11:53:40 2024 rev:173 rq:1166980 version:9.6p1 Changes: --- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2024-04-08 17:37:59.570053154 +0200 +++ /work/SRC/openSUSE:Factory/.openssh.new.26366/openssh.changes 2024-04-14 11:53:50.985753374 +0200 @@ -1,0 +2,5 @@ +Thu Apr 11 06:35:21 UTC 2024 - Arnav Singh + +- Fix duplicate loading of dropins. (boo#1222467) + +--- Other differences: -- openssh.spec: same change ++ openssh-9.6p1-crypto-policies.patch ++ --- /var/tmp/diff_new_pack.o7vTap/_old 2024-04-14 11:53:52.765818457 +0200 +++ /var/tmp/diff_new_pack.o7vTap/_new 2024-04-14 11:53:52.765818457 +0200 @@ -29,21 +29,6 @@ +# Uncomment this if you want to use .local domain +# Host *.local + -Index: openssh-9.6p1/sshd_config -=== openssh-9.6p1.orig/sshd_config -+++ openssh-9.6p1/sshd_config -@@ -17,6 +17,10 @@ Include /etc/ssh/sshd_config.d/*.conf - # default value. - Include /usr/etc/ssh/sshd_config.d/*.conf - -+# To modify the system-wide sshd configuration, create a *.conf file under -+# /etc/ssh/sshd_config.d/ which will be automatically included below -+Include /etc/ssh/sshd_config.d/*.conf -+ - #Port 22 - #AddressFamily any - #ListenAddress 0.0.0.0 Index: openssh-9.6p1/sshd_config_suse_cp === --- /dev/null
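Review bot: the block removed from openssh-9.6p1-crypto-policies.patch at @@ -29,21 +29,6 @@ is the right thing to drop: its own context (`@@ -17,6 +17,10 @@ Include /etc/ssh/sshd_config.d/*.conf`) shows the sshd_config being patched already includes `/etc/ssh/sshd_config.d/*.conf` right before `Include /usr/etc/ssh/sshd_config.d/*.conf`, so the patch was adding a second Include of the same glob. The .changes entry ("Fix duplicate loading of dropins") should say that much, since whoever rebases the patch next needs to know the Include is expected to come from the file itself, not from the patch.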
commit openssh for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openssh for openSUSE:Factory checked in at 2024-04-08 17:37:41 Comparing /work/SRC/openSUSE:Factory/openssh (Old) and /work/SRC/openSUSE:Factory/.openssh.new.1905 (New) Package is "openssh" Mon Apr 8 17:37:41 2024 rev:172 rq:1166157 version:9.6p1 Changes: --- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2024-04-04 22:25:29.305609598 +0200 +++ /work/SRC/openSUSE:Factory/.openssh.new.1905/openssh.changes 2024-04-08 17:37:59.570053154 +0200 @@ -1,0 +2,23 @@ +Fri Apr 5 11:10:18 UTC 2024 - Antonio Larrosa + +- Add missing bugzilla/CVE references to the changelog + +--- +Thu Apr 4 12:23:13 UTC 2024 - Antonio Larrosa + +- Add patch from SLE which was missing in Factory: + * Mon Jun 7 20:54:09 UTC 2021 - Hans Petter Jansson +- Add openssh-mitigate-lingering-secrets.patch (bsc#1186673), which + attempts to mitigate instances of secrets lingering in memory + after a session exits. (bsc#1213004 bsc#1213008) +- Rebase patch: + * openssh-6.6p1-privsep-selinux.patch + +--- +Tue Apr 2 13:07:43 UTC 2024 - Martin Sirringhaus + +- Rebase openssh-7.7p1-fips.patch (bsc#1221928) + Remove OPENSSL_HAVE_EVPGCM-ifdef, which is no longer supported by + upstream + +--- @@ -30 +53,2 @@ -would not be able to detect that messages were deleted. +would not be able to detect that messages were deleted +(bsc#1217950, CVE-2023-48795). @@ -282 +306 @@ -- Update to openssh 9.3p2 (bsc#1213504, CVE-2023-38408): +- Update to openssh 9.3p2: @@ -286 +310 @@ - Fix CVE-2023-38408 - a condition where specific libaries loaded via + Fix a condition where specific libaries loaded via @@ -289 +313 @@ - conditions are met: + conditions are met (bsc#1213504, CVE-2023-38408): @@ -1045 +1069 @@ -gain unintended privilege. +gain unintended privilege (bsc#1190975, CVE-2021-41617). @@ -1244 +1268 @@ -with access to the agent socket. +with access to the agent socket (bsc#1183137, CVE-2021-28041) 
@@ -2273 +2297,3 @@ - * openssh-7.7p1-fips_checks.patch + * openssh-7.7p1-fips_checks.patch . Close the right +filedescriptor to avoid fd leads, and also close fdh in +read_hmac (bsc#1209536). New: openssh-mitigate-lingering-secrets.patch BETA DEBUG BEGIN: New:/work/SRC/openSUSE:Factory/.openssh.new.1905/openssh.changes- * Mon Jun 7 20:54:09 UTC 2021 - Hans Petter Jansson /work/SRC/openSUSE:Factory/.openssh.new.1905/openssh.changes:- Add openssh-mitigate-lingering-secrets.patch (bsc#1186673), which /work/SRC/openSUSE:Factory/.openssh.new.1905/openssh.changes- attempts to mitigate instances of secrets lingering in memory BETA DEBUG END: Other differences: -- ++ openssh.spec ++ --- /var/tmp/diff_new_pack.VpsQer/_old 2024-04-08 17:38:06.902323789 +0200 +++ /var/tmp/diff_new_pack.VpsQer/_new 2024-04-08 17:38:06.902323789 +0200 @@ -116,6 +116,7 @@ Patch50:openssh-openssl-3.patch Patch51:wtmpdb.patch Patch52:logind_set_tty.patch +Patch54:openssh-mitigate-lingering-secrets.patch Patch100: fix-missing-lz.patch Patch102: openssh-7.8p1-role-mls.patch Patch103: openssh-6.6p1-privsep-selinux.patch ++ openssh-6.6p1-privsep-selinux.patch ++ --- /var/tmp/diff_new_pack.VpsQer/_old 2024-04-08 17:38:06.986326890 +0200 +++ /var/tmp/diff_new_pack.VpsQer/_new 2024-04-08 17:38:06.990327037 +0200 @@ -114,7 +114,7 @@ if (privsep_chroot) { /* Change our root directory */ @@ -602,6 +606,9 @@ privsep_postauth(struct ssh *ssh, Authct - { + #ifdef DISABLE_FD_PASSING if (1) { +#elif defined(WITH_SELINUX) ++ openssh-7.7p1-fips.patch ++ --- /var/tmp/diff_new_pack.VpsQer/_old 2024-04-08 17:38:07.022328218 +0200 +++ /var/tmp/diff_new_pack.VpsQer/_new 2024-04-08 17:38:07.026328366 +0200 @@ -39,7 +39,7 @@ #ifdef WITH_OPENSSL #ifndef OPENSSL_NO_DES { "3des-cbc", 8, 24, 0, 0, CFLAG_CBC, EVP_des_ede3_cbc }, -@@ -110,8 +113,52 @@ static const struct sshcipher ciphers[] +@@ -110,8 +113,50 @@ static const struct sshcipher ciphers[] { NULL, 0, 0, 0, 0, 0, NULL } }; 
@@ -53,12 +53,10 @@ + { "aes128-ctr", 16, 16, 0, 0, 0, EVP_aes_128_ctr }, + { "aes192-ctr", 16, 24, 0, 0, 0, EVP_aes_192_ctr }, + { "aes256-ctr", 16, 32, 0, 0, 0, EVP_aes_256_ctr }, -+# ifdef OPENSSL_HAVE_EVPGCM + { "aes128-...@openssh.com", + 16, 16, 12, 16, 0,
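Review bot: in the .changes hunk at @@ -2273 +2297,3 @@, "fd leads" should read "fd leaks". In the openssh-7.7p1-fips.patch hunk at @@ -53,12 +53,10 @@, dropping `# ifdef OPENSSL_HAVE_EVPGCM` has to be paired with dropping its `# endif`; the nested header going from `+113,52` to `+113,50` says two lines went, which matches, but the second removal is cut off in this rendering, so confirm that the `aes128-...@openssh.com` GCM entry (and any sibling entries under the same ifdef) are now unconditional in the FIPS cipher table and that the table still compiles. Minor: the spec hunk at @@ -116,6 +116,7 @@ jumps from Patch52 to Patch54; if Patch53 is reserved, a comment saying so avoids the question at the next review.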
commit openssh for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openssh for openSUSE:Factory checked in at 2024-04-04 22:24:47 Comparing /work/SRC/openSUSE:Factory/openssh (Old) and /work/SRC/openSUSE:Factory/.openssh.new.1905 (New) Package is "openssh" Thu Apr 4 22:24:47 2024 rev:171 rq:1164536 version:9.6p1 Changes: --- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2024-02-27 22:43:13.599396142 +0100 +++ /work/SRC/openSUSE:Factory/.openssh.new.1905/openssh.changes 2024-04-04 22:25:29.305609598 +0200 @@ -1,0 +2,17 @@ +Tue Apr 2 11:23:05 UTC 2024 - Antonio Larrosa + +- Use %config(noreplace) for sshd_config . In any case, it's + recommended to drop a file in sshd_config.d instead of editing + sshd_config (bsc#1221063) +- Use %{_libexecdir} when removing ssh-keycat instead of the + hardcoded path so it works in TW and SLE. + +--- +Mon Mar 4 09:57:06 UTC 2024 - Pedro Monreal + +- Add crypto-policies support [bsc#1211301] + * Add patches: +- openssh-9.6p1-crypto-policies.patch +- openssh-9.6p1-crypto-policies-man.patch + +--- New: openssh-9.6p1-crypto-policies-man.patch openssh-9.6p1-crypto-policies.patch BETA DEBUG BEGIN: New:/work/SRC/openSUSE:Factory/.openssh.new.1905/openssh.changes-- openssh-9.6p1-crypto-policies.patch /work/SRC/openSUSE:Factory/.openssh.new.1905/openssh.changes:- openssh-9.6p1-crypto-policies-man.patch /work/SRC/openSUSE:Factory/.openssh.new.1905/openssh.changes- New:/work/SRC/openSUSE:Factory/.openssh.new.1905/openssh.changes- * Add patches: /work/SRC/openSUSE:Factory/.openssh.new.1905/openssh.changes:- openssh-9.6p1-crypto-policies.patch /work/SRC/openSUSE:Factory/.openssh.new.1905/openssh.changes-- openssh-9.6p1-crypto-policies-man.patch BETA DEBUG END: Other differences: -- ++ openssh.spec ++ --- /var/tmp/diff_new_pack.W69ZiC/_old 2024-04-04 22:25:31.141677195 +0200 +++ /var/tmp/diff_new_pack.W69ZiC/_new 2024-04-04 22:25:31.141677195 +0200 
@@ -122,6 +122,9 @@ Patch104: openssh-6.6p1-keycat.patch Patch105: openssh-6.6.1p1-selinux-contexts.patch Patch106: openssh-7.6p1-cleanup-selinux.patch +# PATCH-FIX-OPENSUSE bsc#1211301 Add crypto-policies support +Patch107: openssh-9.6p1-crypto-policies.patch +Patch108: openssh-9.6p1-crypto-policies-man.patch BuildRequires: audit-devel BuildRequires: automake BuildRequires: groff @@ -209,6 +212,7 @@ %package server-config-rootlogin Summary:Config to permit root logins to sshd Group: Productivity/Networking/SSH +Requires: crypto-policies >= 20220824 Requires: %{name}-server = %{version}-%{release} %description server-config-rootlogin @@ -220,6 +224,7 @@ %package clients Summary:SSH (Secure Shell) client applications Group: Productivity/Networking/SSH +Requires: crypto-policies >= 20220824 Requires: %{name}-common = %{version}-%{release} Provides: openssh:%{_bindir}/ssh @@ -371,6 +376,13 @@ mv %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf %{buildroot}%{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf %endif +install -m 644 ssh_config_suse %{buildroot}%{_sysconfdir}/ssh/ssh_config.d/50-suse.conf +%if %{defined _distconfdir} +install -m 644 sshd_config_suse_cp %{buildroot}%{_distconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf +%else +install -m 644 sshd_config_suse_cp %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf +%endif + %if 0%{?suse_version} < 1550 # install firewall definitions mkdir -p %{buildroot}%{_fwdefdir} @@ -388,7 +400,7 @@ mkdir -p %{buildroot}%{_sysusersdir} install -m 644 %{SOURCE14} %{buildroot}%{_sysusersdir}/sshd.conf -rm %{buildroot}/usr/libexec/ssh/ssh-keycat +rm %{buildroot}%{_libexecdir}/ssh/ssh-keycat #rm -r %{buildroot}/usr/lib/debug/.build-id # the hmac hashes - taken from openssl 
@@ -488,12 +500,17 @@ %if %{defined _distconfdir} %attr(0755,root,root) %dir %{_distconfdir}/ssh %attr(0755,root,root) %dir %{_distconfdir}/ssh/sshd_config.d -%attr(0640,root,root) %{_distconfdir}/ssh/sshd_config +%attr(0640,root,root) %config(noreplace) %{_distconfdir}/ssh/sshd_config %attr(0644,root,root) %{_pam_vendordir}/sshd %else -%attr(0640,root,root) %{_sysconfdir}/ssh/sshd_config +%attr(0640,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/sshd %endif +%if %{defined _distconfdir} +%attr(0600,root,root) %config(noreplace)
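Review bot: in the %files hunk at @@ -488,12 +500,17 @@, `%config(noreplace)` on `%{_distconfdir}/ssh/sshd_config` is questionable: /usr/etc holds vendor defaults that administrators are told not to edit (the .changes entry itself points them to sshd_config.d), and noreplace there would preserve a locally modified vendor file across updates instead of delivering the new default; keep noreplace for the `%{_sysconfdir}` branch and leave the `_distconfdir` copy as a plain file. In the install hunk at @@ -371,6 +376,13 @@, the `40-suse-crypto-policies.conf` name sorts before `50-permit-root-login.conf`, which matters because sshd keeps the first value it reads for each keyword; a comment in the spec noting that the 40 prefix is deliberate would prevent someone renumbering it.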
commit openssh for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openssh for openSUSE:Factory checked in at 2024-02-27 22:43:12 Comparing /work/SRC/openSUSE:Factory/openssh (Old) and /work/SRC/openSUSE:Factory/.openssh.new.1770 (New) Package is "openssh" Tue Feb 27 22:43:12 2024 rev:170 rq:1150501 version:9.6p1 Changes: --- /work/SRC/openSUSE:Factory/openssh/openssh-askpass-gnome.changes 2023-07-24 18:11:52.629179853 +0200 +++ /work/SRC/openSUSE:Factory/.openssh.new.1770/openssh-askpass-gnome.changes 2024-02-27 22:43:13.539393967 +0100 @@ -1,0 +2,7 @@ +Sun Feb 25 18:26:23 UTC 2024 - Hans Petter Jansson + +- Update to openssh 9.6p1: + * No changes for askpass, see main package changelog for +details. + +--- --- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2023-12-19 23:15:52.301619235 +0100 +++ /work/SRC/openSUSE:Factory/.openssh.new.1770/openssh.changes 2024-02-27 22:43:13.599396142 +0100 
@@ -1,0 +2,219 @@ +Sun Feb 25 18:26:23 UTC 2024 - Hans Petter Jansson + +- Update to openssh 9.6p1: + = Security + * ssh(1), sshd(8): implement protocol extensions to thwart the +so-called "Terrapin attack" discovered by Fabian Bäumer, Marcus +Brinkmann and Jörg Schwenk. This attack allows a MITM to effect a +limited break of the integrity of the early encrypted SSH transport +protocol by sending extra messages prior to the commencement of +encryption, and deleting an equal number of consecutive messages +immediately after encryption starts. A peer SSH client/server +would not be able to detect that messages were deleted. + * ssh-agent(1): when adding PKCS#11-hosted private keys while +specifying destination constraints, if the PKCS#11 token returned +multiple keys then only the first key had the constraints applied. +Use of regular private keys, FIDO tokens and unconstrained keys +are unaffected. + * ssh(1): if an invalid user or hostname that contained shell +metacharacters was passed to ssh(1), and a ProxyCommand, +LocalCommand directive or "match exec" predicate referenced the +user or hostname via %u, %h or similar expansion token, then +an attacker who could supply arbitrary user/hostnames to ssh(1) +could potentially perform command injection depending on what +quoting was present in the user-supplied ssh_config(5) directive. + + = Potentially incompatible changes + * ssh(1), sshd(8): the RFC4254 connection/channels protocol provides +a TCP-like window mechanism that limits the amount of data that +can be sent without acceptance from the peer. In cases where this +limit was exceeded by a non-conforming peer SSH implementation, +ssh(1)/sshd(8) previously discarded the extra data. From OpenSSH +9.6, ssh(1)/sshd(8) will now terminate the connection if a peer +exceeds the window limit by more than a small grace factor. This +change should have no effect of SSH implementations that follow +the specification. 
+ + = New features + * ssh(1): add a %j token that expands to the configured ProxyJump +hostname (or the empty string if this option is not being used) +that can be used in a number of ssh_config(5) keywords. bz3610 + * ssh(1): add ChannelTimeout support to the client, mirroring the +same option in the server and allowing ssh(1) to terminate +quiescent channels. + * ssh(1), sshd(8), ssh-add(1), ssh-keygen(1): add support for +reading ED25519 private keys in PEM PKCS8 format. Previously +only the OpenSSH private key format was supported. + * ssh(1), sshd(8): introduce a protocol extension to allow +renegotiation of acceptable signature algorithms for public key +authentication after the server has learned the username being +used for authentication. This allows varying sshd_config(5) +PubkeyAcceptedAlgorithms in a "Match user" block. + * ssh-add(1), ssh-agent(1): add an agent protocol extension to allow +specifying certificates when loading PKCS#11 keys. This allows the +use of certificates backed by PKCS#11 private keys in all OpenSSH +tools that support ssh-agent(1). Previously only ssh(1) supported +this use-case. + + = Bugfixes + * ssh(1): when deciding whether to enable the keystroke timing +obfuscation, enable it only if a channel with a TTY is active. + * ssh(1): switch mainloop from poll(3) to ppoll(3) and mask signals +before checking flags set in signal handler. Avoids potential +race condition between signaling ssh to exit and polling. bz3531 + * ssh(1): when connecting to a destination with both the +AddressFamily and CanonicalizeHostname directives in use, +the AddressFamily directive could be ignored. bz5326 + * sftp(1):
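Review bot: the Security block in the .changes hunk at @@ -1,0 +2,219 @@ lists three fixes without bsc or CVE references; the Terrapin item is the same issue the Dec 2023 entry on this page already tracks as bsc#1217950 / CVE-2023-48795, and the ProxyCommand/%h command-injection item is later tagged bsc#1218215 / CVE-2023-51385 in the rev 180 commit, so adding the references at update time would have avoided the follow-up "Add missing bugzilla/CVE references" commit; the PKCS#11 destination-constraints item should get its reference the same way. Also, "no effect of SSH implementations" in the window-limit paragraph should read "no effect on SSH implementations", unless the block is meant to quote the release notes verbatim.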
commit openssh for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openssh for openSUSE:Factory checked in at 2023-12-19 23:15:40 Comparing /work/SRC/openSUSE:Factory/openssh (Old) and /work/SRC/openSUSE:Factory/.openssh.new.9037 (New) Package is "openssh" Tue Dec 19 23:15:40 2023 rev:169 rq:1133933 version:9.3p2 Changes: --- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2023-11-30 21:59:23.260785993 +0100 +++ /work/SRC/openSUSE:Factory/.openssh.new.9037/openssh.changes 2023-12-19 23:15:52.301619235 +0100 @@ -1,0 +2,7 @@ +Tue Dec 19 01:42:55 UTC 2023 - Hans Petter Jansson + +- Added openssh-cve-2023-48795.patch (bsc#1217950, CVE-2023-48795). + This mitigates a prefix truncation attack that could be used to + undermine channel security. + +--- @@ -29,0 +37,5 @@ + +--- +Wed Sep 27 06:28:57 UTC 2023 - Thorsten Kukuk + +- Disable SLP by default for Factory and ALP (bsc#1214884) New: openssh-cve-2023-48795.patch Other differences: -- ++ openssh.spec ++ --- /var/tmp/diff_new_pack.ljpbqJ/_old 2023-12-19 23:15:53.973680123 +0100 +++ /var/tmp/diff_new_pack.ljpbqJ/_new 2023-12-19 23:15:53.973680123 +0100 @@ -124,6 +124,7 @@ Patch104: openssh-6.6p1-keycat.patch Patch105: openssh-6.6.1p1-selinux-contexts.patch Patch106: openssh-7.6p1-cleanup-selinux.patch +Patch107: openssh-cve-2023-48795.patch BuildRequires: audit-devel BuildRequires: automake BuildRequires: groff
@@ -349,8 +350,10 @@ install -d -m 755 %{buildroot}%{_localstatedir}/lib/sshd install -d -m 755 %{buildroot}%{_sysconfdir}/ssh/ssh_config.d install -d -m 755 %{buildroot}%{_sysconfdir}/ssh/sshd_config.d +%if 0%{?suse_version} < 1600 install -d -m 755 %{buildroot}%{_sysconfdir}/slp.reg.d/ install -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/slp.reg.d/ +%endif install -D -m 0644 %{SOURCE10} %{buildroot}%{_unitdir}/sshd.service ln -s service %{buildroot}%{_sbindir}/rcsshd install -d -m 755 %{buildroot}%{_fillupdir} @@ -500,8 +503,10 @@ %attr(0444,root,root) %{_mandir}/man8/sftp-server.8* %attr(0444,root,root) %{_mandir}/man8/sshd.8* %attr(0755,root,root) %{_libexecdir}/ssh/sftp-server +%if 0%{?suse_version} < 1600 %dir %{_sysconfdir}/slp.reg.d %config %{_sysconfdir}/slp.reg.d/ssh.reg +%endif %{_fillupdir}/sysconfig.ssh %if 0%{?suse_version} < 1550 %dir %{_fwdir} ++ openssh-cve-2023-48795.patch ++ Index: openssh-9.3p2/PROTOCOL === --- openssh-9.3p2.orig/PROTOCOL +++ openssh-9.3p2/PROTOCOL 
@@ -104,6 +104,25 @@ http://git.libssh.org/users/aris/libssh. This is identical to curve25519-sha256 as later published in RFC8731. +1.9 transport: strict key exchange extension + +OpenSSH supports a number of transport-layer hardening measures under +a "strict KEX" feature. This feature is signalled similarly to the +RFC8305 ext-info feature: by including a additional algorithm in the +SSH2_MSG_KEXINIT kex_algorithms field. The client may append +"kex-strict-c-...@openssh.com" to its kex_algorithms and the server +may append "kex-strict-s-...@openssh.com". + +When endpoint that supports this extension observes this algorithm +name in a peer's KEXINIT packet, it MUST make the following changes to +the the protocol: + +a) During initial KEX, terminate the connection if any unexpected or + out-of-sequence packet is received. This includes terminating the + connection if the first packet received is not SSH2_MSG_KEXINIT. +b) At each SSH2_MSG_NEWKEYS message, reset the packet sequence number + to zero. + 2. Connection protocol changes 2.1. connection: Channel write close extension "e...@openssh.com" Index: openssh-9.3p2/kex.c === --- openssh-9.3p2.orig/kex.c +++ openssh-9.3p2/kex.c @@ -76,7 +76,7 @@ #include "fips.h" /* prototype */ -static int kex_choose_conf(struct ssh *); +static int kex_choose_conf(struct ssh *, uint32_t seq); static int kex_input_newkeys(int, u_int32_t, struct ssh *); static const char * const proposal_names[PROPOSAL_MAX] = { @@ -261,6 +261,18 @@ kex_names_valid(const char *names) return 1; } +/* returns non-zero if proposal contains any
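Review bot: the `%if 0%{?suse_version} < 1600` guard around the slp.reg.d install lines and around the matching `%dir`/`%config` entries in `%files` is repeated verbatim in the @@ -349 and @@ -500 spec hunks; the spec already models optional features as bconds (`%{with wtmpdb}`), so deriving a single `%bcond_with slp` from suse_version once would keep the two sites from drifting the next time the threshold changes.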
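Review bot: the reference "RFC8305 ext-info feature" in the new PROTOCOL section 1.9 is wrong: SSH extension negotiation (ext-info-c/ext-info-s) is RFC 8308, while RFC 8305 is Happy Eyeballs v2. Three wording nits in the same hunk: "a additional algorithm" should be "an additional algorithm", "When endpoint that supports" is missing "an", and "the the protocol" doubles "the". Since the text is carried in a distro patch it is cheap to fix here, but it should also go back upstream.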
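Review bot: the new prototype `static int kex_choose_conf(struct ssh *, uint32_t seq);` in the kex.c hunk is inconsistent with the adjacent `kex_input_newkeys(int, u_int32_t, struct ssh *)`: it uses `uint32_t` where the file uses `u_int32_t`, and it names the parameter where the neighbouring prototypes do not. Use `u_int32_t` and drop the parameter name to match the surrounding declarations.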
commit openssh for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openssh for openSUSE:Factory checked in at 2023-11-30 21:59:01 Comparing /work/SRC/openSUSE:Factory/openssh (Old) and /work/SRC/openSUSE:Factory/.openssh.new.25432 (New) Package is "openssh" Thu Nov 30 21:59:01 2023 rev:168 rq:1129646 version:9.3p2 Changes: --- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2023-10-25 18:02:49.458442925 +0200 +++ /work/SRC/openSUSE:Factory/.openssh.new.25432/openssh.changes 2023-11-30 21:59:23.260785993 +0100 
@@ -1,0 +2,24 @@ +Fri Nov 3 10:44:14 UTC 2023 - Johannes Segitz + +- Enhanced SELinux functionality. Added + * openssh-7.8p1-role-mls.patch +Proper handling of MLS systems and basis for other SELinux +improvements + * openssh-6.6p1-privsep-selinux.patch +Properly set contexts during privilege separation + * openssh-6.6p1-keycat.patch +Add ssh-keycat command to allow retrival of authorized_keys +on MLS setups with polyinstantiation + * openssh-6.6.1p1-selinux-contexts.patch +Additional changes to set the proper context during privilege +separation + * openssh-7.6p1-cleanup-selinux.patch +Various changes and putting the pieces together + + For now we don't ship the ssh-keycat command, but we need the patch + for the other SELinux infrastructure + + This change fixes issues like bsc#1214788, where the ssh daemon + needs to act on behalf of a user and needs a proper context for this + +--- New: openssh-6.6.1p1-selinux-contexts.patch openssh-6.6p1-keycat.patch openssh-6.6p1-privsep-selinux.patch openssh-7.6p1-cleanup-selinux.patch openssh-7.8p1-role-mls.patch
Other differences: -- ++ openssh.spec ++ --- /var/tmp/diff_new_pack.6fInxO/_old 2023-11-30 21:59:25.196857315 +0100 +++ /var/tmp/diff_new_pack.6fInxO/_new 2023-11-30 21:59:25.200857463 +0100 @@ -119,6 +119,11 @@ # PATCH-FIx-UPSTREAM cb4ed12f.patch -- Fix build with zlib 1.3 Patch53: https://github.com/openssh/openssh-portable/commit/cb4ed12f.patch Patch100: fix-missing-lz.patch +Patch102: openssh-7.8p1-role-mls.patch +Patch103: openssh-6.6p1-privsep-selinux.patch +Patch104: openssh-6.6p1-keycat.patch +Patch105: openssh-6.6.1p1-selinux-contexts.patch +Patch106: openssh-7.6p1-cleanup-selinux.patch BuildRequires: audit-devel BuildRequires: automake BuildRequires: groff @@ -383,6 +388,9 @@ mkdir -p %{buildroot}%{_sysusersdir} install -m 644 %{SOURCE14} %{buildroot}%{_sysusersdir}/sshd.conf +rm %{buildroot}/usr/libexec/ssh/ssh-keycat +#rm -r %{buildroot}/usr/lib/debug/.build-id + # the hmac hashes - taken from openssl # # re-define the __os_install_post macro: the macro strips ++ openssh-6.6.1p1-selinux-contexts.patch ++ Index: openssh-9.3p2/openbsd-compat/port-linux-sshd.c === --- openssh-9.3p2.orig/openbsd-compat/port-linux-sshd.c +++
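Review bot: in the @@ -383,6 +388,9 @@ spec hunk, `rm %{buildroot}/usr/libexec/ssh/ssh-keycat` hardcodes the libexec path while the rest of the spec goes through the macro (`%{_libexecdir}/ssh/sftp-server` in `%files`); write it as `rm %{buildroot}%{_libexecdir}/ssh/ssh-keycat`, and add a one-line comment above it saying ssh-keycat is deliberately not shipped, as the changelog explains, so the next maintainer does not "fix" the removal. The commented-out `#rm -r %{buildroot}/usr/lib/debug/.build-id` below it is leftover debugging and should not be committed. Minor: "retrival" in the changelog should read "retrieval".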
commit openssh for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openssh for openSUSE:Factory checked in at 2023-10-25 18:02:04 Comparing /work/SRC/openSUSE:Factory/openssh (Old) and /work/SRC/openSUSE:Factory/.openssh.new.24901 (New) Package is "openssh" Wed Oct 25 18:02:04 2023 rev:167 rq:1120184 version:9.3p2 Changes: --- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2023-09-22 21:47:31.917117018 +0200 +++ /work/SRC/openSUSE:Factory/.openssh.new.24901/openssh.changes 2023-10-25 18:02:49.458442925 +0200 @@ -1,0 +2,6 @@ +Tue Oct 24 10:56:31 UTC 2023 - Dominique Leuenberger + +- Add cb4ed12f.patch: Fix build using zlib 1.3. The check expected + a version in the form a.b.c[.d], which no longer matches 1.3. + +--- New: cb4ed12f.patch Other differences: -- ++ openssh.spec ++ --- /var/tmp/diff_new_pack.cEvMd6/_old 2023-10-25 18:02:50.730489053 +0200 +++ /var/tmp/diff_new_pack.cEvMd6/_new 2023-10-25 18:02:50.730489053 +0200 @@ -116,6 +116,8 @@ Patch50:openssh-openssl-3.patch Patch51:wtmpdb.patch Patch52:logind_set_tty.patch +# PATCH-FIx-UPSTREAM cb4ed12f.patch -- Fix build with zlib 1.3 +Patch53: https://github.com/openssh/openssh-portable/commit/cb4ed12f.patch Patch100: fix-missing-lz.patch BuildRequires: audit-devel BuildRequires: automake ++ cb4ed12f.patch ++ >From cb4ed12ffc332d1f72d054ed92655b5f1c38f621 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sat, 19 Aug 2023 07:39:08 +1000 Subject: [PATCH] Fix zlib version check for 1.3 and future version. bz#3604. --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 07893e87065..e3128dfcbb4 100644 --- a/configure.ac +++ b/configure.ac @@ -1464,7 +1464,7 @@ else [[ int a=0, b=0, c=0, d=0, n, v; n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", , , , ); - if (n != 3 && n != 4) + if (n < 1) exit(1); v = a*100 + b*1 + c*100 + d; fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v);
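Review bot: the new comment tag reads `# PATCH-FIx-UPSTREAM` with a lower-case i; the openSUSE convention is `PATCH-FIX-UPSTREAM`, and tooling that greps for the tag is case-sensitive. In the configure.ac hunk, relaxing `if (n != 3 && n != 4)` to `if (n < 1)` is the right fix for a two-component `ZLIB_VERSION` such as "1.3", because a, b, c and d are zero-initialised and the missing components simply stay 0. Note that this listing has lost the `&a, &b, &c, &d` argument list of the sscanf call and the weights in `v = a*100 + b*1 + c*100 + d` cannot be right as shown (a and c get the same weight), so do not re-type the patch from this page; use the file fetched from the commit URL given in Patch53.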
commit openssh for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openssh for openSUSE:Factory checked in at 2023-09-22 21:46:58 Comparing /work/SRC/openSUSE:Factory/openssh (Old) and /work/SRC/openSUSE:Factory/.openssh.new.1770 (New) Package is "openssh" Fri Sep 22 21:46:58 2023 rev:166 rq:1112087 version:9.3p2 Changes: --- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2023-07-24 18:11:52.685180183 +0200 +++ /work/SRC/openSUSE:Factory/.openssh.new.1770/openssh.changes 2023-09-22 21:47:31.917117018 +0200 @@ -42,0 +43,11 @@ +Wed Jun 21 12:14:54 UTC 2023 - Thorsten Kukuk + +- Disable old lastlog, we use pam_lastlog2 +- openssh-8.4p1-pam_motd.patch: adjust to remove PrintLastLog + +--- +Thu Jun 15 07:05:38 UTC 2023 - Thorsten Kukuk + +- logind_set_tty.patch: tell systemd-logind our current TTY + +--- New: logind_set_tty.patch Other differences: -- ++ openssh.spec ++ --- /var/tmp/diff_new_pack.PW86Yb/_old 2023-09-22 21:47:36.589286631 +0200 +++ /var/tmp/diff_new_pack.PW86Yb/_new 2023-09-22 21:47:36.589286631 +0200 @@ -115,6 +115,7 @@ Patch49:openssh-do-not-send-empty-message.patch Patch50:openssh-openssl-3.patch Patch51:wtmpdb.patch +Patch52:logind_set_tty.patch Patch100: fix-missing-lz.patch BuildRequires: audit-devel BuildRequires: automake @@ -318,6 +319,10 @@ %if %{with wtmpdb} --with-wtmpdb \ %endif +%if 0%{?suse_version} >= 1550 +--disable-lastlog \ +--with-logind \ +%endif --with-security-key-builtin \ --target=%{_target_cpu}-suse-linux ++ logind_set_tty.patch ++ diff --git a/Makefile.in b/Makefile.in index f0ea07e7b..35dcf45f1 100644 --- a/Makefile.in +++ b/Makefile.in @@ -56,6 +56,7 @@ SSHDLIBS=@SSHDLIBS@ LIBEDIT=@LIBEDIT@ LIBFIDO2=@LIBFIDO2@ LIBWTMPDB=@LIBWTMPDB@ +LIBSYSTEMD=@LIBSYSTEMD@ AR=@AR@ AWK=@AWK@ RANLIB=@RANLIB@ 
@@ -208,7 +209,7 @@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS) $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(GSSLIBS) $(CHANNELLIBS) sshd$(EXEEXT): libssh.a$(LIBCOMPAT) $(SSHDOBJS) - $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB) + $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB) $(LIBSYSTEMD) scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS) $(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) diff --git a/configure.ac b/configure.ac index a12c6f7ad..860df3379 100644 --- a/configure.ac +++ b/configure.ac @@ -1789,6 +1789,47 @@ AC_ARG_WITH([wtmpdb], ) +# Check whether user wants logind/set tty support +AC_ARG_WITH([logind], + [ --with-logind[[=PATH]] Enable logind support for sshd], + [ if test "x$withval" != "xno" ; then + if test "x$withval" = "xyes" ; then + AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no]) + if test "x$PKGCONFIG" != "xno"; then + AC_MSG_CHECKING([if $PKGCONFIG knows about libsystemd]) + if "$PKGCONFIG" libsystemd; then + AC_MSG_RESULT([yes]) + use_pkgconfig_for_libsystemd=yes + else + AC_MSG_RESULT([no]) + fi + fi + else + CPPFLAGS="$CPPFLAGS -I${withval}/include" + if test -n "${rpath_opt}"; then + LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}" + else + LDFLAGS="-L${withval}/lib ${LDFLAGS}" + fi + fi + if test "x$use_pkgconfig_for_libsystemd" = "xyes"; then + LIBSYSTEMD=`$PKGCONFIG --libs libsystemd` + CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libsystemd`" + else + LIBSYSTEMD="-lsystemd" + fi + OTHERLIBS=`echo $LIBSYSTEMD | sed 's/-lsystemd//'` + AC_CHECK_LIB([systemd], [sd_bus_open_system], + [ AC_DEFINE([USE_LOGIND], [1], [Use systemd-logind]) + AC_SUBST([LIBSYSTEMD]) + ], + [ AC_MSG_ERROR([libsystemd not found]) ], + [ $OTHERLIBS ] +
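Review bot: the spec hunk passes `--with-logind` for `suse_version >= 1550`, and the new configure.ac block fails hard with `AC_MSG_ERROR([libsystemd not found])` when the library is missing, yet none of the visible hunks add a `BuildRequires: pkgconfig(libsystemd)` (or systemd-devel); confirm one is already in the spec, otherwise the Factory build stops in configure. Also, `use_pkgconfig_for_libsystemd` is never initialised to `no` before the `if test "x$use_pkgconfig_for_libsystemd" = "xyes"` test, so with `--with-logind=PATH` the decision depends on whatever value that name has in the caller's environment; set it explicitly at the top of the block.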
commit openssh for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openssh for openSUSE:Factory checked in at 2023-07-24 18:11:47 Comparing /work/SRC/openSUSE:Factory/openssh (Old) and /work/SRC/openSUSE:Factory/.openssh.new.1467 (New) Package is "openssh" Mon Jul 24 18:11:47 2023 rev:165 rq:1099856 version:9.3p2 Changes: --- /work/SRC/openSUSE:Factory/openssh/openssh-askpass-gnome.changes 2023-06-06 19:55:08.426075279 +0200 +++ /work/SRC/openSUSE:Factory/.openssh.new.1467/openssh-askpass-gnome.changes 2023-07-24 18:11:52.629179853 +0200 @@ -1,0 +2,7 @@ +Fri Jul 21 05:13:56 UTC 2023 - Simon Lees + +- Update to openssh 9.3p2 + * No changes for askpass, see main package changelog for +details + +--- --- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2023-06-06 19:55:08.530075896 +0200 +++ /work/SRC/openSUSE:Factory/.openssh.new.1467/openssh.changes 2023-07-24 18:11:52.685180183 +0200 
@@ -1,0 +2,41 @@ +Fri Jul 21 02:48:58 UTC 2023 - Simon Lees + +- Update to openssh 9.3p2 (bsc#1213504, CVE-2023-38408): + Security + + + Fix CVE-2023-38408 - a condition where specific libaries loaded via + ssh-agent(1)'s PKCS#11 support could be abused to achieve remote + code execution via a forwarded agent socket if the following + conditions are met: + + * Exploitation requires the presence of specific libraries on +the victim system. + * Remote exploitation requires that the agent was forwarded +to an attacker-controlled system. + + Exploitation can also be prevented by starting ssh-agent(1) with an + empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring + an allowlist that contains only specific provider libraries. + + This vulnerability was discovered and demonstrated to be exploitable + by the Qualys Security Advisory team. + + In addition to removing the main precondition for exploitation, + this release removes the ability for remote ssh-agent(1) clients + to load PKCS#11 modules by default (see below). + + Potentially-incompatible changes + + + * ssh-agent(8): the agent will now refuse requests to load PKCS#11 + modules issued by remote clients by default. A flag has been added + to restore the previous behaviour "-Oallow-remote-pkcs11". + + Note that ssh-agent(8) depends on the SSH client to identify + requests that are remote. The OpenSSH >=8.9 ssh(1) client does + this, but forwarding access to an agent socket using other tools + may circumvent this restriction. + + +--- Old: openssh-9.3p1.tar.gz openssh-9.3p1.tar.gz.asc New: openssh-9.3p2.tar.gz openssh-9.3p2.tar.gz.asc Other differences: -- ++ openssh-askpass-gnome.spec ++ --- /var/tmp/diff_new_pack.pW1q6I/_old 2023-07-24 18:11:54.105188540 +0200 +++ /var/tmp/diff_new_pack.pW1q6I/_new 2023-07-24 18:11:54.113188586 +0200 
@@ -18,7 +18,7 @@ %define _name openssh Name: openssh-askpass-gnome -Version:9.3p1 +Version:9.3p2 Release:0 Summary:A GNOME-Based Passphrase Dialog for OpenSSH License:BSD-2-Clause ++ openssh.spec ++ --- /var/tmp/diff_new_pack.pW1q6I/_old 2023-07-24 18:11:54.141188751 +0200 +++ /var/tmp/diff_new_pack.pW1q6I/_new 2023-07-24 18:11:54.145188774 +0200 @@ -37,7 +37,7 @@ %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: openssh -Version:9.3p1 +Version:9.3p2 Release:0 Summary:Secure Shell Client and Server (Remote Login Program) License:BSD-2-Clause AND MIT ++ openssh-9.3p1.tar.gz -> openssh-9.3p2.tar.gz ++ 2189 lines of diff (skipped)
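Review bot: the "Potentially-incompatible changes" paragraph in the openssh.changes hunk refers to `ssh-agent(8)` twice, while the security paragraph above it and the rest of this changes file use `ssh-agent(1)`, which is the correct manual section for the agent; worth correcting as the text is copied from the upstream release notes. The rest of the entry is fine and the `ssh-agent -P ''` mitigation is the right thing to call out for users who cannot update immediately.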
commit openssh for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openssh for openSUSE:Factory checked in at 2023-06-06 19:54:55 Comparing /work/SRC/openSUSE:Factory/openssh (Old) and /work/SRC/openSUSE:Factory/.openssh.new.15902 (New) Package is "openssh" Tue Jun 6 19:54:55 2023 rev:164 rq:1090577 version:9.3p1 Changes: --- /work/SRC/openSUSE:Factory/openssh/openssh-askpass-gnome.changes 2021-10-11 16:48:39.866172377 +0200 +++ /work/SRC/openSUSE:Factory/.openssh.new.15902/openssh-askpass-gnome.changes 2023-06-06 19:55:08.426075279 +0200 @@ -1,0 +2,14 @@ +Sun May 28 09:16:44 UTC 2023 - Andreas Stieger + +- openssh-askpass-gnome: require only openssh-clients, not the full + openssh (including -server), to avoid pulling in excessive + dependencies when installing git on Gnome (boo#1211446) + +--- +Thu May 11 07:01:54 UTC 2023 - Antonio Larrosa + +- Update to openssh 9.3p1 + * No changes for askpass, see main package changelog for +details + +--- --- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2023-04-15 22:32:05.581173030 +0200 +++ /work/SRC/openSUSE:Factory/.openssh.new.15902/openssh.changes 2023-06-06 19:55:08.530075896 +0200 
@@ -1,0 +2,476 @@ +Thu May 11 07:01:54 UTC 2023 - Antonio Larrosa + +- Update to openssh 9.3p1: + = Security + * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the + per-hop destination constraints (ssh-add -h ...) added in + OpenSSH 8.9, a logic error prevented the constraints from being + communicated to the agent. This resulted in the keys being added + without constraints. The common cases of non-smartcard keys and + keys without destination constraints are unaffected. This + problem was reported by Luci Stanescu. + + * ssh(1): Portable OpenSSH provides an implementation of the + getrrsetbyname(3) function if the standard library does not + provide it, for use by the VerifyHostKeyDNS feature. A + specifically crafted DNS response could cause this function to + perform an out-of-bounds read of adjacent stack data, but this + condition does not appear to be exploitable beyond denial-of- + service to the ssh(1) client. + The getrrsetbyname(3) replacement is only included if the + system's standard library lacks this function and portable + OpenSSH was not compiled with the ldns library (--with-ldns). + getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to + fetch SSHFP records. This problem was found by the Coverity + static analyzer. + + = New features + * ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256 +when outputting SSHFP fingerprints to allow algorithm +selection. bz3493 + * sshd(8): add a `sshd -G` option that parses and prints the +effective configuration without attempting to load private keys +and perform other checks. This allows usage of the option +before keys have been generated and for configuration +evaluation and verification by unprivileged users. + + = Bugfixes + * scp(1), sftp(1): fix progressmeter corruption on wide displays; +bz3534 + * ssh-add(1), ssh-keygen(1): use RSA/SHA256 when testing +usability of private keys as some systems are starting to +disable RSA/SHA1 in libcrypto. 
+ * sftp-server(8): fix a memory leak. GHPR363 + * ssh(1), sshd(8), ssh-keyscan(1): remove vestigal protocol +compatibility code and simplify what's left. + * Fix a number of low-impact Coverity static analysis findings. +These include several reported via bz2687 + * ssh_config(5), sshd_config(5): mention that some options are +not first-match-wins. + * Rework logging for the regression tests. Regression tests will +now capture separate logs for each ssh and sshd invocation in +a test. + * ssh(1): make `ssh -Q CASignatureAlgorithms` work as the manpage +says it should; bz3532. + * ssh(1): ensure that there is a terminating newline when adding +a new entry to known_hosts; bz3529 + + = Portability + * sshd(8): harden Linux seccomp sandbox. Move to an allowlist of +mmap(2), madvise(2) and futex(2) flags, removing some +concerning kernel attack surface. + * sshd(8): improve Linux seccomp-bpf sandbox for older systems; +bz3537 + +- Update to openssh 9.2p1: + = Security + * sshd(8): fix a pre-authentication double-free memory fault +introduced in OpenSSH 9.1. This is not believed to be +exploitable, and it occurs in the unprivileged pre-auth process +that is subject to chroot(2) and is further sandboxed on most +major platforms. + * ssh(8): in OpenSSH releases after 8.7, the PermitRemoteOpen +option would ignore its first argument unless it was one of the +
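Review bot: in the "Update to openssh 9.2p1" block, the `PermitRemoteOpen` bullet is labelled `ssh(8)`; PermitRemoteOpen is a client-side ssh_config(5) option, so the bullet belongs to `ssh(1)` like every other client bullet in this entry. Minor: "vestigal" in the 9.3p1 bugfix list should read "vestigial".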
commit openssh for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openssh for openSUSE:Factory checked in at 2023-04-15 22:32:04 Comparing /work/SRC/openSUSE:Factory/openssh (Old) and /work/SRC/openSUSE:Factory/.openssh.new.19717 (New) Package is "openssh" Sat Apr 15 22:32:04 2023 rev:163 rq:1079298 version:8.9p1 Changes: --- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2023-03-28 17:48:44.314793416 +0200 +++ /work/SRC/openSUSE:Factory/.openssh.new.19717/openssh.changes 2023-04-15 22:32:05.581173030 +0200 @@ -1,0 +2,6 @@ +Mon Mar 27 08:39:38 UTC 2023 - Thorsten Kukuk + +- Rename sshd.pamd to sshd-sle.pamd and fix order of pam_keyinit +- Add new sshd.pamd including postlogin-* config files + +--- New: sshd-sle.pamd Other differences: -- ++ openssh.spec ++ --- /var/tmp/diff_new_pack.EqMs5I/_old 2023-04-15 22:32:06.897180622 +0200 +++ /var/tmp/diff_new_pack.EqMs5I/_new 2023-04-15 22:32:06.901180645 +0200 @@ -51,6 +51,7 @@ Source12: cavs_driver-ssh.pl Source13: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc#/openssh.keyring Source14: sysusers-sshd.conf +Source15: sshd-sle.pamd Patch1: openssh-7.7p1-X11_trusted_forwarding.patch Patch3: openssh-7.7p1-enable_PAM_by_default.patch Patch4: openssh-7.7p1-eal3.patch 
@@ -308,8 +309,9 @@ install -d -m 755 %{buildroot}%{_pam_vendordir} install -m 644 %{SOURCE2} %{buildroot}%{_pam_vendordir}/sshd %else +# SLE has no distconfdir, so use sle PAM config install -d -m 755 %{buildroot}%{_sysconfdir}/pam.d -install -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir}/pam.d/sshd +install -m 644 %{SOURCE15} %{buildroot}%{_sysconfdir}/pam.d/sshd %endif install -d -m 755 %{buildroot}%{_localstatedir}/lib/sshd install -d -m 755 %{buildroot}%{_sysconfdir}/ssh/ssh_config.d ++ sshd-sle.pamd ++ #%PAM-1.0 authrequisite pam_nologin.so authinclude common-auth account requisite pam_nologin.so account include common-account passwordinclude common-password session requiredpam_loginuid.so session optionalpam_keyinit.so force revoke session include common-session session optionalpam_motd.so ++ sshd.pamd ++ --- /var/tmp/diff_new_pack.EqMs5I/_old 2023-04-15 22:32:07.189182307 +0200 +++ /var/tmp/diff_new_pack.EqMs5I/_new 2023-04-15 22:32:07.193182330 +0200 @@ -1,12 +1,15 @@ #%PAM-1.0 authrequisite pam_nologin.so -authinclude common-auth +authsubstackcommon-auth +authinclude postlogin-auth account requisite pam_nologin.so -account include common-account -passwordinclude common-password +account substackcommon-account +account include postlogin-account +passwordsubstackcommon-password +passwordinclude postlogin-password session requiredpam_loginuid.so -session include common-session session optionalpam_keyinit.so force revoke +session substackcommon-session +session include postlogin-session session optionalpam_motd.so -
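Review bot: the new sshd.pamd `include`s `postlogin-auth`, `postlogin-account`, `postlogin-password` and `postlogin-session`, but nothing in the visible hunks ships those files or requires the package that does; Linux-PAM does not silently skip a missing included file, it treats it as a configuration error for the service, so make sure the provider of the postlogin-* files is a `Requires:` of openssh-server. Moving `pam_keyinit.so force revoke` ahead of `common-session` matches the changelog, and sshd-sle.pamd keeps the same order, which is good. Note that the whitespace between the type, control and module columns is collapsed in this listing (`authrequisite pam_nologin.so`), so compare against the actual files rather than this page.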
commit openssh for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openssh for openSUSE:Factory checked in at 2023-03-28 17:48:40 Comparing /work/SRC/openSUSE:Factory/openssh (Old) and /work/SRC/openSUSE:Factory/.openssh.new.31432 (New) Package is "openssh" Tue Mar 28 17:48:40 2023 rev:162 rq:1074486 version:8.9p1 Changes: --- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2022-12-23 10:20:48.075240196 +0100 +++ /work/SRC/openSUSE:Factory/.openssh.new.31432/openssh.changes 2023-03-28 17:48:44.314793416 +0200 @@ -1,0 +2,11 @@ +Wed Feb 15 10:35:43 UTC 2023 - Thorsten Kukuk + +- Remove BuildRequires for libtirpc, we don't use it + +--- +Tue Feb 14 13:46:14 UTC 2023 - Thorsten Kukuk + +- Remove pam_lastlog from sshd PAM config. sshd is doing the same, + too, which leads to e.g. duplicate entries in wtmp [bsc#1208243] + +--- Other differences: -- ++ openssh.spec ++ --- /var/tmp/diff_new_pack.0UgPMG/_old 2023-03-28 17:48:45.506799168 +0200 +++ /var/tmp/diff_new_pack.0UgPMG/_new 2023-03-28 17:48:45.514799207 +0200 @@ -19,11 +19,6 @@ %ifnarch ppc %define sandbox_seccomp 1 %endif -%if 0%{?suse_version} >= 1500 -%bcond_without tirpc -%else -%bcond_with tirpc -%endif %define _fwdir %{_sysconfdir}/sysconfig/SuSEfirewall2.d %define _fwdefdir %{_fwdir}/services %define _appdefdir %( grep "configdirspec=" $( which xmkmf ) | sed -r 's,^[^=]+=.*-I(.*)/config.*$,\\1/app-defaults,' ) @@ -127,9 +122,6 @@ BuildRequires: sysuser-tools Requires: %{name}-clients = %{version}-%{release} Requires: %{name}-server = %{version}-%{release} -%if %{with tirpc} -BuildRequires: libtirpc-devel -%endif %if 0%{?suse_version} >= 1550 BuildRequires: pkgconfig(krb5) %else ++ sshd.pamd ++ --- /var/tmp/diff_new_pack.0UgPMG/_old 2023-03-28 17:48:45.766800422 +0200 +++ /var/tmp/diff_new_pack.0UgPMG/_new 2023-03-28 17:48:45.770800442 +0200 
@@ -7,7 +7,6 @@ session requiredpam_loginuid.so session include common-session session optionalpam_keyinit.so force revoke -session optionalpam_lastlog.so showfailed session optionalpam_motd.so
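Review bot: dropping `session optional pam_lastlog.so showfailed` removes more than the duplicate wtmp entry the changelog describes: the `showfailed` option also reports failed login attempts recorded in btmp since the last successful login, which sshd's own PrintLastLog output does not do. If that message matters to interactive users, either mention the loss in the changelog or keep the module with `nowtmp` and `noupdate` so it only displays and no longer writes the records sshd already writes.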
commit openssh for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openssh for openSUSE:Factory checked in at 2022-12-23 10:20:44 Comparing /work/SRC/openSUSE:Factory/openssh (Old) and /work/SRC/openSUSE:Factory/.openssh.new.1563 (New) Package is "openssh" Fri Dec 23 10:20:44 2022 rev:161 rq:1044051 version:8.9p1 Changes: --- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2022-12-16 17:51:32.639982091 +0100 +++ /work/SRC/openSUSE:Factory/.openssh.new.1563/openssh.changes 2022-12-23 10:20:48.075240196 +0100 @@ -1,0 +2,6 @@ +Mon Dec 19 15:41:26 UTC 2022 - Otto Hollmann + +- Adapt OpenSSH to build with OpenSSL 3, use new KDF API (bsc#1205042) + Add openssh-openssl-3.patch + +--- New: openssh-openssl-3.patch Other differences: -- ++ openssh.spec ++ --- /var/tmp/diff_new_pack.CxmSa4/_old 2022-12-23 10:20:49.099246049 +0100 +++ /var/tmp/diff_new_pack.CxmSa4/_new 2022-12-23 10:20:49.107246094 +0100 @@ -110,13 +110,14 @@ Patch47:openssh-8.4p1-vendordir.patch Patch48:openssh-8.4p1-pam_motd.patch Patch49:openssh-do-not-send-empty-message.patch +Patch50:openssh-openssl-3.patch BuildRequires: audit-devel BuildRequires: automake BuildRequires: groff BuildRequires: libedit-devel BuildRequires: libselinux-devel BuildRequires: openldap2-devel -BuildRequires: pkgconfig(openssl) < 3 +BuildRequires: openssl-devel BuildRequires: pam-devel BuildRequires: pkgconfig BuildRequires: zlib-devel ++ openssh-openssl-3.patch ++ --- fips.c |5 + kex.c | 61 - 2 files changed, 65 insertions(+), 1 deletion(-) --- a/fips.c +++ b/fips.c 
@@ -48,6 +48,11 @@ static int fips_state = -1; +#if (OPENSSL_VERSION_NUMBER >= 0x3000L) +# define FIPS_mode() EVP_default_properties_is_fips_enabled(NULL) +# define FIPS_mode_set(x) EVP_default_properties_enable_fips(NULL,x) +#endif + /* calculates HMAC of contents of a file given by filename using the hash * algorithm specified by FIPS_HMAC_EVP in fips.h and placing the result into * newly allacated memory - remember to free it when not needed anymore */ --- a/kex.c +++ b/kex.c @@ -41,6 +41,9 @@ #include #include #include +# if (OPENSSL_VERSION_NUMBER >= 0x3000L) +# include +# endif #endif #include "ssh.h" 
@@ -1191,14 +1194,61 @@ derive_key_via_openssl(struct ssh *ssh, { struct kex *kex = ssh->kex; EVP_KDF_CTX *hashctx = NULL; - const EVP_MD *md = NULL; u_char *digest = NULL; int r = SSH_ERR_LIBCRYPTO_ERROR; +# if (OPENSSL_VERSION_NUMBER >= 0x3000L) + OSSL_PARAM params[6], *p = params; + char type = (char) id; + EVP_KDF *kdf = EVP_KDF_fetch (NULL, "SSHKDF", NULL); + if (!kdf) + goto out; + hashctx = EVP_KDF_CTX_new (kdf); +# else + const EVP_MD *md = NULL; hashctx = EVP_KDF_CTX_new_id (EVP_KDF_SSHKDF); +# endif if (!hashctx) goto out; +# if (OPENSSL_VERSION_NUMBER >= 0x3000L) + switch (kex->hash_alg) + { + case SSH_DIGEST_MD5: + *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, + SN_md5, strlen(SN_md5)); + break; + case SSH_DIGEST_SHA1: + *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, + SN_sha1, strlen(SN_sha1)); + break; + case SSH_DIGEST_SHA256: + *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, + SN_sha256, strlen(SN_sha256)); + break; + case SSH_DIGEST_SHA384: + *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, + SN_sha384, strlen(SN_sha384)); + break; + case SSH_DIGEST_SHA512: + *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, + SN_sha512, strlen(SN_sha512)); + break; + default: + goto out; + } + + *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, + sshbuf_ptr(shared_secret), sshbuf_len(shared_secret)); + *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SSHKDF_XCGHASH, + hash, (size_t) hashlen); + *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SSHKDF_SESSION_ID, + sshbuf_ptr(kex->session_id), (size_t) sshbuf_len(kex->session_id)); + *p++ =
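Review bot: two points in the kex.c hunk. First, `EVP_KDF_fetch(NULL, "SSHKDF", NULL)` returns a reference the caller owns and `EVP_KDF_CTX_new(kdf)` takes its own reference rather than ownership, so `kdf` must be released with `EVP_KDF_free()` on every path out of derive_key_via_openssl(); the visible part of the hunk ends before any such call, so make sure the `out:` path has it or the fetch leaks once per derived key, six times per key exchange. Second, the guard is shown as `#if (OPENSSL_VERSION_NUMBER >= 0x3000L)` in both fips.c and kex.c; the value denoting OpenSSL 3.0.0 is `0x30000000L`, and `0x3000L` would match every OpenSSL release, so check the actual patch (this listing has also stripped the header names from the added `# include` lines, so it may have mangled the constant as well).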
commit openssh for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openssh for openSUSE:Factory checked in at 2022-12-16 17:51:30 Comparing /work/SRC/openSUSE:Factory/openssh (Old) and /work/SRC/openSUSE:Factory/.openssh.new.1835 (New) Package is "openssh" Fri Dec 16 17:51:30 2022 rev:160 rq:1043180 version:8.9p1 Changes: --- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2022-11-16 15:42:39.607678753 +0100 +++ /work/SRC/openSUSE:Factory/.openssh.new.1835/openssh.changes 2022-12-16 17:51:32.639982091 +0100 @@ -1,0 +2,6 @@ +Thu Dec 15 16:35:33 UTC 2022 - Dirk Müller + +- limit to openssl < 3.0 as this version is not compatible (bsc#1205042) + next version update will fix it + +--- Other differences: -- ++ openssh.spec ++ --- /var/tmp/diff_new_pack.Uge5b4/_old 2022-12-16 17:51:33.983989489 +0100 +++ /var/tmp/diff_new_pack.Uge5b4/_new 2022-12-16 17:51:33.991989533 +0100 @@ -116,7 +116,7 @@ BuildRequires: libedit-devel BuildRequires: libselinux-devel BuildRequires: openldap2-devel -BuildRequires: openssl-devel +BuildRequires: pkgconfig(openssl) < 3 BuildRequires: pam-devel BuildRequires: pkgconfig BuildRequires: zlib-devel
commit openssh for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openssh for openSUSE:Factory checked in at 2022-11-16 15:42:34 Comparing /work/SRC/openSUSE:Factory/openssh (Old) and /work/SRC/openSUSE:Factory/.openssh.new.1597 (New) Package is "openssh" Wed Nov 16 15:42:34 2022 rev:159 rq:1035879 version:8.9p1 Changes: --- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2022-08-30 14:48:25.419958697 +0200 +++ /work/SRC/openSUSE:Factory/.openssh.new.1597/openssh.changes 2022-11-16 15:42:39.607678753 +0100 @@ -1,0 +2,8 @@ +Thu Nov 10 02:18:08 UTC 2022 - Hans Petter Jansson + +- Update openssh-8.1p1-audit.patch: Merge fix for race condition + (bsc#1115550, bsc#1174162). +- Add openssh-do-not-send-empty-message.patch, which prevents + superfluous newlines with empty MOTD files (bsc#1192439). + +--- New: openssh-do-not-send-empty-message.patch Other differences: -- ++ openssh.spec ++ --- /var/tmp/diff_new_pack.mMmu4u/_old 2022-11-16 15:42:40.599682348 +0100 +++ /var/tmp/diff_new_pack.mMmu4u/_new 2022-11-16 15:42:40.603682363 +0100 @@ -109,6 +109,7 @@ Patch46:openssh-whitelist-syscalls.patch Patch47:openssh-8.4p1-vendordir.patch Patch48:openssh-8.4p1-pam_motd.patch +Patch49:openssh-do-not-send-empty-message.patch BuildRequires: audit-devel BuildRequires: automake BuildRequires: groff ++ openssh-8.1p1-audit.patch ++ --- /var/tmp/diff_new_pack.mMmu4u/_old 2022-11-16 15:42:40.731682827 +0100 +++ /var/tmp/diff_new_pack.mMmu4u/_new 2022-11-16 15:42:40.735682842 +0100 @@ -1550,7 +1550,7 @@ sshbuf_free(m); } #endif /* SSH_AUDIT_EVENTS */ -@@ -1074,3 +1114,83 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_cc +@@ -1074,3 +1114,130 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_cc } #endif /* GSSAPI */ 
@@ -1633,6 +1633,53 @@ + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SERVER_KEY_FREE, m); + sshbuf_free(m); +} ++ ++int mm_forward_audit_messages(int fdin) ++{ ++ u_char buf[4]; ++ u_int blen, msg_len; ++ struct sshbuf *m; ++ int ret = 0; ++ ++ debug3("%s: entering", __func__); ++ m = sshbuf_new(); ++ do { ++ int r; ++ ++ blen = atomicio(read, fdin, buf, sizeof(buf)); ++ if (blen == 0) /* closed pipe */ ++ break; ++ if (blen != sizeof(buf)) { ++ error("%s: Failed to read the buffer from child", __func__); ++ ret = -1; ++ break; ++ } ++ ++ msg_len = get_u32(buf); ++ if (msg_len > 256 * 1024) ++ fatal("%s: read: bad msg_len %d", __func__, msg_len); ++ sshbuf_reset(m); ++ if ((r = sshbuf_reserve(m, msg_len, NULL)) != 0) ++ fatal("%s: buffer error: %s", __func__, ssh_err(r)); ++ if (atomicio(read, fdin, sshbuf_mutable_ptr(m), msg_len) != msg_len) { ++ error("%s: Failed to read the the buffer conent from the child", __func__); ++ ret = -1; ++ break; ++ } ++ if (atomicio(vwrite, pmonitor->m_recvfd, buf, blen) != blen || ++ atomicio(vwrite, pmonitor->m_recvfd, sshbuf_mutable_ptr(m), msg_len) != msg_len) { ++ error("%s: Failed to write the messag to the monitor", __func__); ++ ret = -1; ++ break; ++ } ++ } while (1); ++ sshbuf_free(m); ++ return ret; ++} ++void mm_set_monitor_pipe(int fd) ++{ ++ pmonitor->m_recvfd = fd; ++} +#endif /* SSH_AUDIT_EVENTS */ Index: openssh-8.9p1/monitor_wrap.h === @@ -1649,7 +1696,7 @@ const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **); #ifdef GSSAPI -@@ -83,7 +85,12 @@ void mm_sshpam_free_ctx(void *); +@@ -83,7 +85,14 @@ void mm_sshpam_free_ctx(void *); #ifdef SSH_AUDIT_EVENTS #include "audit.h" void mm_audit_event(struct ssh *, ssh_audit_event_t); 
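Review bot: in `mm_forward_audit_messages()`, `msg_len` is declared `u_int` but the bounds-check message formats it with `%d` (`fatal("%s: read: bad msg_len %d", __func__, msg_len)`); use `%u`. The 256 KiB ceiling before `sshbuf_reserve()` is the right place to stop a hostile child from forcing a large allocation, but the two error strings carry typos (`the the buffer conent`, `the messag to the monitor`) that will end up verbatim in sshd's log. Style: `mm_set_monitor_pipe()` is glued to the closing brace of the previous function with no blank line.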
@@ -1660,6 +1707,8 @@ +void mm_audit_kex_body(struct ssh *, int, char *, char *, char *, char *, pid_t, uid_t); +void mm_audit_session_key_free_body(struct ssh *, int, pid_t, uid_t); +void mm_audit_destroy_sensitive_data(struct ssh *, const char *, pid_t, uid_t); ++int mm_forward_audit_messages(int); ++void mm_set_monitor_pipe(int); #endif struct Session; @@ -1689,7 +1738,12 @@ /* * Returns the IP-address of the remote host as a string. The returned * string must not be freed.
commit openssh for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openssh for openSUSE:Factory checked in at 2022-08-30 14:48:22 Comparing /work/SRC/openSUSE:Factory/openssh (Old) and /work/SRC/openSUSE:Factory/.openssh.new.2083 (New) Package is "openssh" Tue Aug 30 14:48:22 2022 rev:158 rq:999883 version:8.9p1 Changes: --- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2022-08-18 16:48:52.289404588 +0200 +++ /work/SRC/openSUSE:Factory/.openssh.new.2083/openssh.changes 2022-08-30 14:48:25.419958697 +0200 @@ -1,0 +2,5 @@ +Mon Aug 8 07:36:55 UTC 2022 - Thorsten Kukuk + +- Use %_pam_vendordir + +--- Other differences: -- ++ openssh.spec ++ --- /var/tmp/diff_new_pack.sLQGBi/_old 2022-08-30 14:48:26.511961485 +0200 +++ /var/tmp/diff_new_pack.sLQGBi/_new 2022-08-30 14:48:26.519961505 +0200 @@ -311,8 +311,8 @@ %install %make_install %if %{defined _distconfdir} -install -d -m 755 %{buildroot}%{_distconfdir}/pam.d -install -m 644 %{SOURCE2} %{buildroot}%{_distconfdir}/pam.d/sshd +install -d -m 755 %{buildroot}%{_pam_vendordir} +install -m 644 %{SOURCE2} %{buildroot}%{_pam_vendordir}/sshd %else install -d -m 755 %{buildroot}%{_sysconfdir}/pam.d install -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir}/pam.d/sshd @@ -447,7 +447,7 @@ %attr(0755,root,root) %dir /usr/etc/ssh/sshd_config.d %attr(0640,root,root) %{_distconfdir}/ssh/sshd_config %if %{defined _distconfdir} -%attr(0644,root,root) %{_distconfdir}/pam.d/sshd +%attr(0644,root,root) %{_pam_vendordir}/sshd %else %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/sshd %endif ++ openssh-8.4p1-ssh_config_d.patch ++ --- /var/tmp/diff_new_pack.sLQGBi/_old 2022-08-30 14:48:26.715962006 +0200 +++ /var/tmp/diff_new_pack.sLQGBi/_new 2022-08-30 14:48:26.719962016 +0200 
@@ -2,20 +2,20 @@ === --- openssh-8.9p1.orig/ssh_config +++ openssh-8.9p1/ssh_config -@@ -16,6 +16,13 @@ - # Site-wide defaults for some commonly used options. For a comprehensive +@@ -17,6 +17,13 @@ # list of available options, their meanings and defaults, please see the # ssh_config(5) man page. -+Include /usr/etc/ssh/ssh_config.d/*.conf -+ + +# To modify the system-wide ssh configuration, create a "*.conf" file under +# "/etc/ssh/ssh_config.d/" which will be automatically included below. +# Don't edit this configuration file itself if possible to avoid update +# problems. +Include /etc/ssh/ssh_config.d/*.conf - ++Include /usr/etc/ssh/ssh_config.d/*.conf ++ Host * # ForwardAgent no + # ForwardX11 no Index: openssh-8.9p1/sshd_config === --- openssh-8.9p1.orig/sshd_config
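Review bot: the reorder is correct for ssh_config(5), which keeps the first value obtained for each option: `Include /etc/ssh/ssh_config.d/*.conf` now precedes `Include /usr/etc/ssh/ssh_config.d/*.conf`, so a vendor drop-in can no longer pin an option the administrator wants to override. The explanatory comment still mentions only /etc/ssh/ssh_config.d; add a line naming the vendor directory and stating that files there are defaults which the /etc drop-ins take precedence over, otherwise an admin reading the file cannot tell why their setting wins.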
commit openssh for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openssh for openSUSE:Factory checked in at 2022-08-18 16:48:44 Comparing /work/SRC/openSUSE:Factory/openssh (Old) and /work/SRC/openSUSE:Factory/.openssh.new.2083 (New) Package is "openssh" Thu Aug 18 16:48:44 2022 rev:157 rq:997452 version:8.9p1 Changes: --- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2022-05-01 18:53:31.935159823 +0200 +++ /work/SRC/openSUSE:Factory/.openssh.new.2083/openssh.changes 2022-08-18 16:48:52.289404588 +0200 @@ -1,0 +2,6 @@ +Wed Jul 6 12:15:29 UTC 2022 - Adam Majer + +- openssh-8.4p1-ssh_config_d.patch: admin overrides should take + priority (listed first) over package defaults + +--- Other differences: -- openssh.spec: same change ++ openssh-8.4p1-ssh_config_d.patch ++ --- /var/tmp/diff_new_pack.jZgn1D/_old 2022-08-18 16:48:53.493407392 +0200 +++ /var/tmp/diff_new_pack.jZgn1D/_new 2022-08-18 16:48:53.497407401 +0200 @@ -20,17 +20,21 @@ === --- openssh-8.9p1.orig/sshd_config +++ openssh-8.9p1/sshd_config -@@ -9,6 +9,13 @@ - # OpenSSH is to specify options with their default value where - # possible, but leave them commented. Uncommented options override the - # default value. -+Include /usr/etc/ssh/sshd_config.d/*.conf -+ +@@ -5,10 +5,17 @@ + + # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin + +# To modify the system-wide sshd configuration, create a "*.conf" file under +# "/etc/ssh/sshd_config.d/" which will be automatically included below. +# Don't edit this configuration file itself if possible to avoid update +# problems. +Include /etc/ssh/sshd_config.d/*.conf ++ + # The strategy used for options in the default sshd_config shipped with + # OpenSSH is to specify options with their default value where + # possible, but leave them commented. Uncommented options override the + # default value. ++Include /usr/etc/ssh/sshd_config.d/*.conf #Port 22 #AddressFamily any
commit openssh for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openssh for openSUSE:Factory checked in at 2022-05-01 18:53:26 Comparing /work/SRC/openSUSE:Factory/openssh (Old) and /work/SRC/openSUSE:Factory/.openssh.new.1538 (New) Package is "openssh" Sun May 1 18:53:26 2022 rev:156 rq:973782 version:8.9p1 Changes: --- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2022-03-11 11:48:33.326793554 +0100 +++ /work/SRC/openSUSE:Factory/.openssh.new.1538/openssh.changes 2022-05-01 18:53:31.935159823 +0200 @@ -1,0 +2,6 @@ +Mon Mar 28 15:00:52 UTC 2022 - Ludwig Nussel + +- read ssh and sshd config file also from /usr/etc +- add openssh-server-config-rootlogin subpackage that enabled PermitRootLogin + +--- Other differences: -- ++ openssh.spec ++ --- /var/tmp/diff_new_pack.0tYjjW/_old 2022-05-01 18:53:32.855160677 +0200 +++ /var/tmp/diff_new_pack.0tYjjW/_new 2022-05-01 18:53:32.859160680 +0200 @@ -191,6 +191,17 @@ This package contains the Secure Shell daemon, which allows clients to securely connect to your server. +%package server-config-rootlogin +Summary:Config to permit root logins to sshd +Group: Productivity/Networking/SSH +Requires: %{name}-server = %{version}-%{release} + +%description server-config-rootlogin +The openssh-server package by default disallows password based +root logins. This package provides a config that does. It's useful +to temporarily have a password based login to be able to use +ssh-copy-id(1). + %package clients Summary:SSH (Secure Shell) client applications Group: Productivity/Networking/SSH 
@@ -321,10 +332,11 @@ sed -i -e s@%{_prefix}/libexec@%{_libexecdir}@g %{buildroot}%{_sysconfdir}/ssh/sshd_config # Move /etc to /usr/etc/ssh -mkdir -p %{buildroot}%{_distconfdir}/ssh +mkdir -p %{buildroot}%{_distconfdir}/ssh/ssh{,d}_config.d mv %{buildroot}%{_sysconfdir}/ssh/moduli %{buildroot}%{_distconfdir}/ssh/ mv %{buildroot}%{_sysconfdir}/ssh/ssh_config %{buildroot}%{_distconfdir}/ssh/ mv %{buildroot}%{_sysconfdir}/ssh/sshd_config %{buildroot}%{_distconfdir}/ssh/ +echo "PermitRootLogin yes" > %{buildroot}%{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf %if 0%{?suse_version} < 1550 # install firewall definitions @@ -419,6 +431,7 @@ %doc README.SUSE README.kerberos README.FIPS ChangeLog OVERVIEW README TODO CREDITS %attr(0755,root,root) %dir %{_sysconfdir}/ssh %attr(0755,root,root) %dir %{_distconfdir}/ssh +%attr(0755,root,root) %dir /usr/etc/ssh/ssh_config.d %attr(0600,root,root) %{_distconfdir}/ssh/moduli %attr(0444,root,root) %{_mandir}/man1/ssh-keygen.1* %attr(0444,root,root) %{_mandir}/man5/moduli.5* @@ -431,6 +444,7 @@ %dir %attr(0755,root,root) %{_localstatedir}/lib/sshd %dir %attr(0755,root,root) %{_sysconfdir}/ssh/sshd_config.d %attr(0755,root,root) %dir %{_distconfdir}/ssh +%attr(0755,root,root) %dir /usr/etc/ssh/sshd_config.d %attr(0640,root,root) %{_distconfdir}/ssh/sshd_config %if %{defined _distconfdir} %attr(0644,root,root) %{_distconfdir}/pam.d/sshd @@ -452,6 +466,9 @@ %config %{_fwdefdir}/sshd %endif +%files server-config-rootlogin +%{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf + %files clients %dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d %attr(0644,root,root) %{_distconfdir}/ssh/ssh_config ++ openssh-8.4p1-ssh_config_d.patch ++ --- /var/tmp/diff_new_pack.0tYjjW/_old 2022-05-01 18:53:33.007160817 +0200 +++ /var/tmp/diff_new_pack.0tYjjW/_new 2022-05-01 18:53:33.011160821 +0200 
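Review bot: `%files server-config-rootlogin` lists `50-permit-root-login.conf` without an explicit `%attr`, unlike every neighbouring entry, and the two new `%dir` lines hardcode `/usr/etc/ssh/ssh_config.d` and `/usr/etc/ssh/sshd_config.d` where the surrounding lines use `%{_distconfdir}/ssh/...`; use the macro so the paths move together. The drop-in is generated with `echo "PermitRootLogin yes" >` into the vendor directory, so its effect depends on the Include order in the ssh_config_d patch: verify that a `PermitRootLogin` set by the admin under /etc/ssh/sshd_config.d still takes precedence while this subpackage is installed.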
@@ -1,33 +1,37 @@ -diff -ur openssh-8.4p1.orig/ssh_config openssh-8.4p1/ssh_config openssh-8.4p1.orig/ssh_config 2021-01-27 14:43:22.698144889 +0100 -+++ openssh-8.4p1/ssh_config 2021-01-27 14:40:46.170143382 +0100 -@@ -17,6 +17,12 @@ +Index: openssh-8.9p1/ssh_config +=== +--- openssh-8.9p1.orig/ssh_config openssh-8.9p1/ssh_config +@@ -16,6 +16,13 @@ + # Site-wide defaults for some commonly used options. For a comprehensive # list of available options, their meanings and defaults, please see the # ssh_config(5) man page. - ++Include /usr/etc/ssh/ssh_config.d/*.conf ++ +# To modify the system-wide ssh configuration, create a "*.conf" file under +# "/etc/ssh/ssh_config.d/" which will be automatically included below. +# Don't edit this configuration file itself if possible to avoid update +# problems. +Include /etc/ssh/ssh_config.d/*.conf -+ + Host * # ForwardAgent no - # ForwardX11 no -diff -ur openssh-8.4p1.orig/sshd_config openssh-8.4p1/sshd_config openssh-8.4p1.orig/sshd_config 2020-09-27
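Review bot: `Include /usr/etc/ssh/ssh_config.d/*.conf` is inserted above the existing `Include /etc/ssh/ssh_config.d/*.conf`. Because ssh_config(5) keeps the first value obtained for each option, this gives vendor drop-ins priority over the administrator's, the reverse of what the in-file comment ("create a *.conf file under /etc/ssh/ssh_config.d/") promises; the /etc Include must come first.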
commit openssh for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openssh for openSUSE:Factory checked in at 2022-03-09 18:47:00 Comparing /work/SRC/openSUSE:Factory/openssh (Old) and /work/SRC/openSUSE:Factory/.openssh.new.2349 (New) Package is "openssh" Wed Mar 9 18:47:00 2022 rev:155 rq:960152 version:8.9p1 Changes: --- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2021-10-11 16:48:39.962172529 +0200 +++ /work/SRC/openSUSE:Factory/.openssh.new.2349/openssh.changes 2022-03-11 11:48:33.326793554 +0100 
@@ -1,0 +2,170 @@ +Mon Mar 7 18:00:09 UTC 2022 - Hans Petter Jansson + +- Version update to 8.9p1: + = Security + * sshd(8): fix an integer overflow in the user authentication path +that, in conjunction with other logic errors, could have yielded +unauthenticated access under difficult to exploit conditions. + +This situation is not exploitable because of independent checks in +the privilege separation monitor. Privilege separation has been +enabled by default in since openssh-3.2.2 (released in 2002) and +has been mandatory since openssh-7.5 (released in 2017). Moreover, +portable OpenSSH has used toolchain features available in most +modern compilers to abort on signed integer overflow since +openssh-6.5 (released in 2014). + +Thanks to Malcolm Stagg for finding and reporting this bug. + + = Potentially-incompatible changes + * sshd(8), portable OpenSSH only: this release removes in-built +support for MD5-hashed passwords. If you require these on your +system then we recommend linking against libxcrypt or similar. + * This release modifies the FIDO security key middleware interface +and increments SSH_SK_VERSION_MAJOR. + + = New features + * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for +restricting forwarding and use of keys added to ssh-agent(1) +A detailed description of the feature is available at +https://www.openssh.com/agent-restrict.html and the protocol +extensions are documented in the PROTOCOL and PROTOCOL.agent +files in the source release. + * ssh(1), sshd(8): add the sntrup761x25519-sha...@openssh.com hybrid +ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the +default KEXAlgorithms list (after the ECDH methods but before the +prime-group DH ones). The next release of OpenSSH is likely to +make this key exchange the default method. 
+ * ssh-keygen(1): when downloading resident keys from a FIDO token, +pass back the user ID that was used when the key was created and +append it to the filename the key is written to (if it is not the +default). Avoids keys being clobbered if the user created multiple +resident keys with the same application string but different user +IDs. + * ssh-keygen(1), ssh(1), ssh-agent(1): better handling for FIDO keys +on tokens that provide user verification (UV) on the device itself, +including biometric keys, avoiding unnecessary PIN prompts. + * ssh-keygen(1): add "ssh-keygen -Y match-principals" operation to +perform matching of principals names against an allowed signers +file. To be used towards a TOFU model for SSH signatures in git. + * ssh-add(1), ssh-agent(1): allow pin-required FIDO keys to be added +to ssh-agent(1). $SSH_ASKPASS will be used to request the PIN at +authentication time. + * ssh-keygen(1): allow selection of hash at sshsig signing time +(either sha512 (default) or sha256). + * ssh(1), sshd(8): read network data directly to the packet input +buffer instead of indirectly via a small stack buffer. Provides a +modest performance improvement. + * ssh(1), sshd(8): read data directly to the channel input buffer, +providing a similar modest performance improvement. + * ssh(1): extend the PubkeyAuthentication configuration directive to +accept yes|no|unbound|host-bound to allow control over one of the +protocol extensions used to implement agent-restricted keys. + + = Bugfixes + * sshd(8): document that CASignatureAlgorithms, ExposeAuthInfo and +PubkeyAuthOptions can be used in a Match block. PR277. + * sshd(8): fix possible string truncation when constructing paths to +.rhosts/.shosts files with very long user home directory names. + * ssh-keysign(1): unbreak for KEX algorithms that use SHA384/512 +exchange hashes + * ssh(1): don't put the TTY into raw mode when SessionType=none, +avoids ^C being unable to kill such a session. 
bz3360 + * scp(1): fix some corner-case bugs in SFTP-mode handling of +~-prefixed paths. + * ssh(1): unbreak hostbased auth using RSA keys. Allow ssh(1) to +select RSA keys when only RSA/SHA2 signature algorithms are +configured (this is the default case). Previously RSA keys were +not
commit openssh for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openssh for openSUSE:Factory checked in at 2021-10-11 16:48:36 Comparing /work/SRC/openSUSE:Factory/openssh (Old) and /work/SRC/openSUSE:Factory/.openssh.new.2443 (New) Package is "openssh" Mon Oct 11 16:48:36 2021 rev:154 rq:923951 version:8.8p1 Changes: --- /work/SRC/openSUSE:Factory/openssh/openssh-askpass-gnome.changes 2020-10-18 16:30:20.444729018 +0200 +++ /work/SRC/openSUSE:Factory/.openssh.new.2443/openssh-askpass-gnome.changes 2021-10-11 16:48:39.866172377 +0200 @@ -1,0 +2,7 @@ +Tue Sep 28 19:05:15 UTC 2021 - Hans Petter Jansson + +- Version upgrade to 8.8p1 + * No changes for askpass, see main package changelog for +details + +--- --- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2021-07-22 22:43:29.231189893 +0200 +++ /work/SRC/openSUSE:Factory/.openssh.new.2443/openssh.changes 2021-10-11 16:48:39.962172529 +0200 
@@ -1,0 +2,368 @@ +Tue Sep 28 17:50:57 UTC 2021 - Hans Petter Jansson + +- Version update to 8.8p1: + = Security + * sshd(8) from OpenSSH 6.2 through 8.7 failed to correctly initialise +supplemental groups when executing an AuthorizedKeysCommand or +AuthorizedPrincipalsCommand, where a AuthorizedKeysCommandUser or +AuthorizedPrincipalsCommandUser directive has been set to run the +command as a different user. Instead these commands would inherit +the groups that sshd(8) was started with. + +Depending on system configuration, inherited groups may allow +AuthorizedKeysCommand/AuthorizedPrincipalsCommand helper programs to +gain unintended privilege. + +Neither AuthorizedKeysCommand nor AuthorizedPrincipalsCommand are +enabled by default in sshd_config(5). + + = Potentially-incompatible changes + * This release disables RSA signatures using the SHA-1 hash algorithm +by default. This change has been made as the SHA-1 hash algorithm is +cryptographically broken, and it is possible to create chosen-prefix +hash collisions for https://bugzilla.novell.com/show_bug.cgi?id=847710 -diff --git a/openssh-7.7p1/channels.c b/openssh-7.7p1/channels.c openssh-7.7p1/channels.c -+++ openssh-7.7p1/channels.c -@@ -4590,33 +4590,42 @@ x11_connect_display(struct ssh *ssh) - return -1; - - /* OK, we now have a connection to the display. */ - return sock; - } +Index: openssh-8.8p1/channels.c +=== +--- openssh-8.8p1.orig/channels.c openssh-8.8p1/channels.c +@@ -4776,9 +4776,10 @@ x11_connect_display(struct ssh *ssh) /* * Connect to an inet socket. The DISPLAY value is supposedly * hostname:d[.s], where hostname may also be numeric IP address. 
@@ -25,14 +21,7 @@ if (!cp) { error("Could not find ':' in DISPLAY: %.100s", display); return -1; - } - *cp = 0; - /* -* buf now contains the host name. But first we parse the -* display number. -*/ - if (sscanf(cp + 1, "%u", _number) != 1) { - error("Could not parse display number from DISPLAY: %.100s", +@@ -4793,6 +4794,14 @@ x11_connect_display(struct ssh *ssh) display); return -1; } @@ -47,8 +36,3 @@ /* Look up the host address */ memset(, 0, sizeof(hints)); - hints.ai_family = ssh->chanctxt->IPv4or6; - hints.ai_socktype = SOCK_STREAM; - snprintf(strport, sizeof strport, "%u", 6000 + display_number); - if ((gaierr = getaddrinfo(buf, strport, , )) != 0) { - error("%.100s: unknown host. (%s)", buf, ++ openssh-7.7p1-X11_trusted_forwarding.patch ++ --- /var/tmp/diff_new_pack.oEgcgE/_old 2021-10-11 16:48:41.718175320 +0200 +++ /var/tmp/diff_new_pack.oEgcgE/_new 2021-10-11 16:48:41.718175320 +0200 @@ -6,10 +6,10 @@ Enable Trusted X11 forwarding by default, since the security benefits of having it disabled are negligible these days with XI2 being widely used. -Index: openssh-7.8p1/ssh_config +Index: openssh-8.8p1/ssh_config === openssh-7.8p1.orig/ssh_config -+++ openssh-7.8p1/ssh_config +--- openssh-8.8p1.orig/ssh_config openssh-8.8p1/ssh_config @@ -17,9 +17,20 @@ # list of available options, their meanings and defaults, please see the # ssh_config(5) man page. @@ -32,10 +32,10 @@ # PasswordAuthentication yes # HostbasedAuthentication no # GSSAPIAuthentication no -Index: openssh-7.8p1/sshd_config +Index: openssh-8.8p1/sshd_config ===
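Review bot: the rebased openssh-7.7p1-X11_trusted_forwarding.patch still justifies enabling trusted X11 forwarding by default with "the security benefits of having it disabled are negligible these days with XI2 being widely used". That is a distro-wide weakening of the client default: untrusted forwarding is what confines a remote X client via the X SECURITY extension, and trusted forwarding gives it the same access as a local client. A default of this kind should be stated in the changelog with its rationale rather than carried silently through a version bump, so an admin auditing the client configuration knows to set `ForwardX11Trusted no` where the confinement matters.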
commit openssh for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openssh for openSUSE:Factory checked in at 2021-07-22 22:42:59 Comparing /work/SRC/openSUSE:Factory/openssh (Old) and /work/SRC/openSUSE:Factory/.openssh.new.1899 (New) Package is "openssh" Thu Jul 22 22:42:59 2021 rev:153 rq:907490 version:8.4p1 Changes: --- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2021-06-25 15:01:43.092179407 +0200 +++ /work/SRC/openSUSE:Factory/.openssh.new.1899/openssh.changes 2021-07-22 22:43:29.231189893 +0200 @@ -1,0 +2,8 @@ +Mon Jul 19 14:51:08 UTC 2021 - Cristian Rodr??guez + +- The linux kernel has close_range(2) syscall which current glibc + uses to implement closefrom(3) which will be then used by openssh. + whitelist the new system call so closefrom does not fail or + fallback to iterating proc/self/fd (openssh-whitelist-syscalls.patch) + +--- Other differences: -- openssh.spec: same change ++ openssh-whitelist-syscalls.patch ++ --- /var/tmp/diff_new_pack.LL2qO7/_old 2021-07-22 22:43:31.275187230 +0200 +++ /var/tmp/diff_new_pack.LL2qO7/_new 2021-07-22 22:43:31.275187230 +0200 @@ -1,8 +1,16 @@ -diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c -index 797a14b..02698cc 100644 --- a/sandbox-seccomp-filter.c +++ b/sandbox-seccomp-filter.c -@@ -204,6 +204,9 @@ static const struct sock_filter preauth_insns[] = { +@@ -195,6 +195,9 @@ + #ifdef __NR_close + SC_ALLOW(__NR_close), + #endif ++#ifdef __NR_close_range ++ SC_ALLOW(__NR_close_range), ++#endif + #ifdef __NR_exit + SC_ALLOW(__NR_exit), + #endif +@@ -204,6 +207,9 @@ #ifdef __NR_futex SC_ALLOW(__NR_futex), #endif @@ -12,7 +20,7 @@ #ifdef __NR_geteuid SC_ALLOW(__NR_geteuid), #endif -@@ -282,6 +285,9 @@ static const struct sock_filter preauth_insns[] = { +@@ -282,6 +288,9 @@ #ifdef __NR_pselect6 SC_ALLOW(__NR_pselect6), #endif
commit openssh for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openssh for openSUSE:Factory checked in at 2021-06-25 15:01:12 Comparing /work/SRC/openSUSE:Factory/openssh (Old) and /work/SRC/openSUSE:Factory/.openssh.new.2625 (New) Package is "openssh" Fri Jun 25 15:01:12 2021 rev:152 rq:901582 version:8.4p1 Changes: --- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2021-06-09 21:51:02.138339300 +0200 +++ /work/SRC/openSUSE:Factory/.openssh.new.2625/openssh.changes 2021-06-25 15:01:43.092179407 +0200 @@ -1,0 +2,12 @@ +Wed Jun 23 18:32:20 UTC 2021 - Hans Petter Jansson + +- Don't move user-modified ssh_config and sshd_config files to + .rpmsave on upgrade. + +--- +Tue May 18 17:16:33 UTC 2021 - Thorsten Kukuk + +- Use pam_motd to unify motd message output [bsc#1185897] + (openssh-8.4p1-pam_motd.patch) + +--- New: openssh-8.4p1-pam_motd.patch Other differences: -- ++ openssh.spec ++ --- /var/tmp/diff_new_pack.jJ1cht/_old 2021-06-25 15:01:44.372180969 +0200 +++ /var/tmp/diff_new_pack.jJ1cht/_new 2021-06-25 15:01:44.376180974 +0200 @@ -109,6 +109,7 @@ Patch45:openssh-8.4p1-ssh_config_d.patch Patch46:openssh-whitelist-syscalls.patch Patch47:openssh-8.4p1-vendordir.patch +Patch48:openssh-8.4p1-pam_motd.patch BuildRequires: audit-devel BuildRequires: automake BuildRequires: groff @@ -363,8 +364,9 @@ %pre server -f sshd.pre %if %{defined _distconfdir} -# move outdated pam.d/*.rpmsave file away +# Prepare for migration to /usr/etc. test -f /etc/pam.d/sshd.rpmsave && mv -v /etc/pam.d/sshd.rpmsave /etc/pam.d/sshd.rpmsave.old ||: +test -f /etc/ssh/sshd_config.rpmsave && mv -v /etc/ssh/sshd_config.rpmsave /etc/ssh/sshd_config.rpmsave.old ||: %endif %service_add_pre sshd.service 
@@ -390,8 +392,20 @@ %posttrans server # Migration to /usr/etc. test -f /etc/pam.d/sshd.rpmsave && mv -v /etc/pam.d/sshd.rpmsave /etc/pam.d/sshd ||: +test -f /etc/ssh/sshd_config.rpmsave && mv -v /etc/ssh/sshd_config.rpmsave /etc/ssh/sshd_config ||: %endif +%if %{defined _distconfdir} +%pre clients +# Prepare for migration to /usr/etc. +test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ssh/ssh_config.rpmsave.old ||: +%endif + +%if %{defined _distconfdir} +%posttrans clients +# Migration to /usr/etc. +test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ssh/ssh_config ||: +%endif %triggerin -n openssh-fips -- %{name} = %{version}-%{release} %restart_on_update sshd ++ openssh-8.4p1-pam_motd.patch ++ Gemeinsame Unterverzeichnisse: openssh-8.4p1.orig/contrib und openssh-8.4p1/contrib. Gemeinsame Unterverzeichnisse: openssh-8.4p1.orig/.github und openssh-8.4p1/.github. Gemeinsame Unterverzeichnisse: openssh-8.4p1.orig/m4 und openssh-8.4p1/m4. Gemeinsame Unterverzeichnisse: openssh-8.4p1.orig/openbsd-compat und openssh-8.4p1/openbsd-compat. Gemeinsame Unterverzeichnisse: openssh-8.4p1.orig/regress und openssh-8.4p1/regress. diff -u openssh-8.4p1.orig/sshd_config openssh-8.4p1/sshd_config --- openssh-8.4p1.orig/sshd_config 2020-09-27 09:25:01.0 +0200 +++ openssh-8.4p1/sshd_config 2021-05-18 19:15:39.190701511 +0200 @@ -88,8 +88,8 @@ #X11DisplayOffset 10 #X11UseLocalhost yes #PermitTTY yes -#PrintMotd yes -#PrintLastLog yes +PrintMotd no +PrintLastLog no #TCPKeepAlive yes #PermitUserEnvironment no #Compression delayed ++ sshd.pamd ++ --- /var/tmp/diff_new_pack.jJ1cht/_old 2021-06-25 15:01:44.600181247 +0200 +++ /var/tmp/diff_new_pack.jJ1cht/_new 2021-06-25 15:01:44.600181247 +0200 
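Review bot: the new openssh-8.4p1-pam_motd.patch carries `diff -r` chatter above the actual hunk (the `Gemeinsame Unterverzeichnisse: ...` lines, German for "Common subdirectories"); strip them so the patch is clean and language-neutral. The change itself flips the shipped defaults to `PrintMotd no` and `PrintLastLog no`, which is consistent with delegating both to PAM, but an admin reading sshd_config loses the hint of where the output went; add a comment above the two lines pointing at pam_motd and pam_lastlog in /etc/pam.d/sshd.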
@@ -6,5 +6,7 @@ passwordinclude common-password session requiredpam_loginuid.so session include common-session -session optionalpam_lastlog.so silent noupdate showfailed session optionalpam_keyinit.so force revoke +session optionalpam_lastlog.so showfailed +session optionalpam_motd.so +
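Review bot: dropping `silent noupdate` from the pam_lastlog line means the module now both records the session in the lastlog database and prints the "Last login" line itself, which is what `PrintLastLog no` in sshd_config hands over to it; placing it and pam_motd after pam_keyinit gives the expected order of last-login line followed by MOTD. The final `+` adds an empty trailing line to sshd.pamd; drop it.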
commit openssh for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openssh for openSUSE:Factory checked in at 2021-06-09 21:51:00 Comparing /work/SRC/openSUSE:Factory/openssh (Old) and /work/SRC/openSUSE:Factory/.openssh.new.32437 (New) Package is "openssh" Wed Jun 9 21:51:00 2021 rev:151 rq:888799 version:8.4p1 Changes: --- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2021-02-15 13:15:53.310345403 +0100 +++ /work/SRC/openSUSE:Factory/.openssh.new.32437/openssh.changes 2021-06-09 21:51:02.138339300 +0200 @@ -1,0 +2,23 @@ +Thu Apr 22 12:02:55 UTC 2021 - Hans Petter Jansson + +- Change vendor configuration dir from /usr/share/ssh/ to + /usr/etc/ssh/. +- Remove upgrade enablement hack. This has been fixed in + systemd-rpm-macros (bsc#1180083). + +--- +Wed Feb 24 13:20:37 UTC 2021 - Thorsten Kukuk + +- Add support for vendor provided configuration files in + /usr/share/ssh/ (openssh-8.4p1-vendordir.patch) +- Move configuration files from /etc/ssh/ to /usr/share/ssh/ + +--- +Thu Feb 18 13:54:44 UTC 2021 - Johannes Segitz + +- Drop openssh-7.7p1-allow_root_password_login.patch to prevent login + as root via password by default (is also upstream default). Comment + indicates that this was a temporary meassure that we now had for + five years, time to get rid of it (bsc#1173067) + +--- Old: openssh-7.7p1-allow_root_password_login.patch New: openssh-8.4p1-vendordir.patch Other differences: -- ++ openssh.spec ++ --- /var/tmp/diff_new_pack.n7XrYn/_old 2021-06-09 21:51:03.186341169 +0200 +++ /var/tmp/diff_new_pack.n7XrYn/_new 2021-06-09 21:51:03.186341169 +0200 @@ -15,7 +15,6 @@ # Please submit bugfixes or comments via https://bugs.opensuse.org/ # - %define sandbox_seccomp 0 %ifnarch ppc %define sandbox_seccomp 1 
@@ -30,8 +29,6 @@ %define _appdefdir %( grep "configdirspec=" $( which xmkmf ) | sed -r 's,^[^=]+=.*-I(.*)/config.*$,\\1/app-defaults,' ) %define CHECKSUM_SUFFIX .hmac %define CHECKSUM_HMAC_KEY "HMAC_KEY:OpenSSH-FIPS@SLE" -%define _tmpenableddir %{_localstatedir}/lib/sshd -%define _tmpenabledfile %{_tmpenableddir}/is-enabled.rpmtmp #Compat macro for new _fillupdir macro introduced in Nov 2017 %if ! %{defined _fillupdir} @@ -59,7 +56,6 @@ Source12: cavs_driver-ssh.pl Source13: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc#/openssh.keyring Source14: sysusers-sshd.conf -Patch0: openssh-7.7p1-allow_root_password_login.patch Patch1: openssh-7.7p1-X11_trusted_forwarding.patch Patch3: openssh-7.7p1-enable_PAM_by_default.patch Patch4: openssh-7.7p1-eal3.patch @@ -112,6 +108,7 @@ Patch44:openssh-fix-ssh-copy-id.patch Patch45:openssh-8.4p1-ssh_config_d.patch Patch46:openssh-whitelist-syscalls.patch +Patch47:openssh-8.4p1-vendordir.patch BuildRequires: audit-devel BuildRequires: automake BuildRequires: groff @@ -298,7 +295,7 @@ --target=%{_target_cpu}-suse-linux %make_build -%sysusers_generate_pre %{SOURCE14} sshd +%sysusers_generate_pre %{SOURCE14} sshd sshd.conf %install %make_install @@ -323,6 +320,12 @@ install -m 644 contrib/ssh-copy-id.1 %{buildroot}%{_mandir}/man1 sed -i -e s@%{_prefix}/libexec@%{_libexecdir}@g %{buildroot}%{_sysconfdir}/ssh/sshd_config +# Move /etc to /usr/etc/ssh +mkdir -p %{buildroot}%{_distconfdir}/ssh +mv %{buildroot}%{_sysconfdir}/ssh/moduli %{buildroot}%{_distconfdir}/ssh/ +mv %{buildroot}%{_sysconfdir}/ssh/ssh_config %{buildroot}%{_distconfdir}/ssh/ +mv %{buildroot}%{_sysconfdir}/ssh/sshd_config %{buildroot}%{_distconfdir}/ssh/ + %if 0%{?suse_version} < 1550 # install firewall definitions mkdir -p %{buildroot}%{_fwdefdir} 
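Review bot: removing `Patch0: openssh-7.7p1-allow_root_password_login.patch` restores upstream's `PermitRootLogin prohibit-password` default, which is the right call, but it changes behaviour for upgraded hosts that still rely on password root login. The changelog entry should spell out the migration (key-based root login, or an explicit `PermitRootLogin` drop-in under /etc/ssh/sshd_config.d) so the change does not surface as an unexplained lockout after the update.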
@@ -358,52 +361,17 @@ }} -%pre -# Remember whether the sshd service was enabled prior to an upgrade. This -# is needed when upgrading to a split-off openssh-server package. The -# %%service_add_post scriptlet (in %%post server) will see it as a new service -# and apply the preset, disabling it. We need to reenable it afterwards if -# necessary. -mkdir -p %{_tmpenableddir} || : -if [ -x %{_bindir}/systemctl ]; then -%{_bindir}/systemctl is-enabled sshd > %{_tmpenabledfile} || : -else -if find %{_sysconfdir}/init.d/rc[35].d -type l -regex '.*/S[0-9]+sshd' \ --exec readlink -f {} \; | grep '/etc/init.d/sshd$' >/dev/null 2>&1 -then echo "enabled" > %{_tmpenabledfile} || :; fi -fi - %pre server -f sshd.pre %if %{defined _distconfdir} # move outdated pam.d/*.rpmsave file away
commit openssh for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openssh for openSUSE:Factory checked in at 2021-02-15 13:15:51 Comparing /work/SRC/openSUSE:Factory/openssh (Old) and /work/SRC/openSUSE:Factory/.openssh.new.28504 (New) Package is "openssh" Mon Feb 15 13:15:51 2021 rev:150 rq:872342 version:8.4p1 Changes: --- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2021-02-01 13:25:59.881897206 +0100 +++ /work/SRC/openSUSE:Factory/.openssh.new.28504/openssh.changes 2021-02-15 13:15:53.310345403 +0100 @@ -1,0 +2,7 @@ +Mon Feb 15 10:01:33 UTC 2021 - Hans Petter Jansson + +- Add openssh-whitelist-syscalls.patch (bsc#1182232), fixing + failure to accept connections on 32-bit platforms with + glibc 2.33+. + +--- New: openssh-whitelist-syscalls.patch Other differences: -- ++ openssh.spec ++ --- /var/tmp/diff_new_pack.uRCL1P/_old 2021-02-15 13:15:54.606347321 +0100 +++ /var/tmp/diff_new_pack.uRCL1P/_new 2021-02-15 13:15:54.610347328 +0100 @@ -111,6 +111,7 @@ Patch43:openssh-reenable-dh-group14-sha1-default.patch Patch44:openssh-fix-ssh-copy-id.patch Patch45:openssh-8.4p1-ssh_config_d.patch +Patch46:openssh-whitelist-syscalls.patch BuildRequires: audit-devel BuildRequires: automake BuildRequires: groff ++ openssh-whitelist-syscalls.patch ++ diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c index 797a14b..02698cc 100644 --- a/sandbox-seccomp-filter.c +++ b/sandbox-seccomp-filter.c @@ -204,6 +204,9 @@ static const struct sock_filter preauth_insns[] = { #ifdef __NR_futex SC_ALLOW(__NR_futex), #endif +#ifdef __NR_futex_time64 + SC_ALLOW(__NR_futex_time64), +#endif #ifdef __NR_geteuid SC_ALLOW(__NR_geteuid), #endif @@ -282,6 +285,9 @@ static const struct sock_filter preauth_insns[] = { #ifdef __NR_pselect6 SC_ALLOW(__NR_pselect6), #endif +#ifdef __NR_pselect6_time64 + SC_ALLOW(__NR_pselect6_time64), +#endif #ifdef __NR_read SC_ALLOW(__NR_read), #endif
commit openssh for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openssh for openSUSE:Factory checked in at 2021-02-01 13:25:40 Comparing /work/SRC/openSUSE:Factory/openssh (Old) and /work/SRC/openSUSE:Factory/.openssh.new.28504 (New) Package is "openssh" Mon Feb 1 13:25:40 2021 rev:149 rq:867288 version:8.4p1 Changes: --- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2021-01-26 14:49:43.407675456 +0100 +++ /work/SRC/openSUSE:Factory/.openssh.new.28504/openssh.changes 2021-02-01 13:25:59.881897206 +0100 @@ -1,0 +2,6 @@ +Wed Jan 27 14:09:08 UTC 2021 - Thorsten Kukuk + +- Add support for /etc/ssh/ssh_config.d and /etc/ssh/sshd_config.d + (openssh-8.4p1-ssh_config_d.patch) + +--- New: openssh-8.4p1-ssh_config_d.patch Other differences: -- ++ openssh.spec ++ --- /var/tmp/diff_new_pack.7h38H4/_old 2021-02-01 13:26:01.177899223 +0100 +++ /var/tmp/diff_new_pack.7h38H4/_new 2021-02-01 13:26:01.177899223 +0100 @@ -110,6 +110,7 @@ Patch42:openssh-link-with-sk.patch Patch43:openssh-reenable-dh-group14-sha1-default.patch Patch44:openssh-fix-ssh-copy-id.patch +Patch45:openssh-8.4p1-ssh_config_d.patch BuildRequires: audit-devel BuildRequires: automake BuildRequires: groff @@ -308,6 +309,8 @@ install -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir}/pam.d/sshd %endif install -d -m 755 %{buildroot}%{_localstatedir}/lib/sshd +install -d -m 755 %{buildroot}%{_sysconfdir}/ssh/ssh_config.d +install -d -m 755 %{buildroot}%{_sysconfdir}/ssh/sshd_config.d install -d -m 755 %{buildroot}%{_sysconfdir}/slp.reg.d/ install -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/slp.reg.d/ install -D -m 0644 %{SOURCE10} %{buildroot}%{_unitdir}/sshd.service 
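Review bot: the %install hunk creates `ssh_config.d` and `sshd_config.d` with `install -d -m 755`, and the `Include ... *.conf` directives added in the accompanying patch glob those directories, so each directory must be owned by the subpackage that ships the matching main config (sshd_config.d by server, ssh_config.d by clients), which the %files hunks further down do. As in the preceding spec change, `Patch45` is declared without a visible %prep application line; confirm `%autopatch` is in use. The changelog line "Add support for /etc/ssh/ssh_config.d and /etc/ssh/sshd_config.d" should also mention that the Include is unconditional, so an administrator auditing the effective configuration has to read the drop-in directory as well as the main file.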
@@ -445,7 +448,8 @@ %attr(0755,root,root) %{_sbindir}/sshd %attr(0755,root,root) %{_sbindir}/rcsshd %attr(0755,root,root) %{_sbindir}/sshd-gen-keys-start -%dir %attr(755,root,root) %{_localstatedir}/lib/sshd +%dir %attr(0755,root,root) %{_localstatedir}/lib/sshd +%dir %attr(0755,root,root) %{_sysconfdir}/ssh/sshd_config.d %verify(not mode) %attr(0640,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config %if %{defined _distconfdir} %attr(0644,root,root) %{_distconfdir}/pam.d/sshd @@ -468,6 +472,7 @@ %endif %files clients +%dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d %verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config %attr(0755,root,root) %{_bindir}/ssh %attr(0755,root,root) %{_bindir}/scp* ++ openssh-8.4p1-ssh_config_d.patch ++ diff -ur openssh-8.4p1.orig/ssh_config openssh-8.4p1/ssh_config --- openssh-8.4p1.orig/ssh_config 2021-01-27 14:43:22.698144889 +0100 +++ openssh-8.4p1/ssh_config2021-01-27 14:40:46.170143382 +0100 @@ -17,6 +17,12 @@ # list of available options, their meanings and defaults, please see the # ssh_config(5) man page. +# To modify the system-wide ssh configuration, create a "*.conf" file under +# "/etc/ssh/ssh_config.d/" which will be automatically included below. +# Don't edit this configuration file itself if possible to avoid update +# problems. +Include /etc/ssh/ssh_config.d/*.conf + Host * # ForwardAgent no # ForwardX11 no diff -ur openssh-8.4p1.orig/sshd_config openssh-8.4p1/sshd_config --- openssh-8.4p1.orig/sshd_config 2020-09-27 09:25:01.0 +0200 +++ openssh-8.4p1/sshd_config 2021-01-27 14:21:23.070132184 +0100 
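Review bot: the new `%dir %attr(0755,root,root) %{_sysconfdir}/ssh/sshd_config.d` is world-readable and searchable while `sshd_config` in the same %files list is kept at 0640, so any directive an administrator moves into a drop-in gets whatever mode the umask gives the file (typically 0644) and loses the protection the main file has. Consider `0750` for the directory, or say in the packaged header comment that drop-ins should be created 0640. In the ssh_config hunk the `Include /etc/ssh/ssh_config.d/*.conf` is correctly placed before `Host *`; an Include inside a Host block is scoped to that block in ssh_config(5), so the comment should state that the line must stay above `Host *` so a later edit does not move it. The `+++ openssh-8.4p1/ssh_config2021-01-27 ...` header is missing the space between the path and the timestamp, which will make the patch fail to apply with strict tools; regenerate it.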
@@ -10,6 +10,12 @@ # possible, but leave them commented. Uncommented options override the # default value. +# To modify the system-wide sshd configuration, create a "*.conf" file under +# "/etc/ssh/sshd_config.d/" which will be automatically included below. +# Don't edit this configuration file itself if possible to avoid update +# problems. +Include /etc/ssh/sshd_config.d/*.conf + #Port 22 #AddressFamily any #ListenAddress 0.0.0.0
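Review bot: placing `Include /etc/ssh/sshd_config.d/*.conf` before `#Port 22` and every other directive is what gives the drop-ins precedence, since sshd_config(5) uses the first obtained value for most keywords; the added comment says the files are "automatically included below" but not why the line has to be first, and an administrator who moves it under the defaults would have their drop-ins silently ignored. Suggest one more sentence in the comment stating that the Include must stay at the top and that files are included in lexical order, so two drop-ins that set the same keyword resolve by filename.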
commit openssh for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openssh for openSUSE:Factory checked in at 2021-01-26 14:45:54 Comparing /work/SRC/openSUSE:Factory/openssh (Old) and /work/SRC/openSUSE:Factory/.openssh.new.28504 (New) Package is "openssh" Tue Jan 26 14:45:54 2021 rev:148 rq:866401 version:8.4p1 Changes: --- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2021-01-19 16:00:54.711263653 +0100 +++ /work/SRC/openSUSE:Factory/.openssh.new.28504/openssh.changes 2021-01-26 14:49:43.407675456 +0100 @@ -1,0 +2,32 @@ +Sat Jan 23 18:28:19 UTC 2021 - Hans Petter Jansson + +- Add openssh-fix-ssh-copy-id.patch, which fixes breakage + introduced in 8.4p1 (bsc#1181311). + +--- +Fri Jan 22 21:06:42 UTC 2021 - Hans Petter Jansson + +- Improve robustness of sshd init detection when upgrading from + a pre-systemd distribution. + +--- +Fri Jan 22 03:30:59 UTC 2021 - Hans Petter Jansson + +- Add openssh-reenable-dh-group14-sha1-default.patch, which adds + diffie-hellman-group14-sha1 key exchange back to the default + list (bsc#1180958). This is needed for backwards compatibility + with older platforms. + +--- +Fri Jan 22 02:54:02 UTC 2021 - Hans Petter Jansson + +- Make sure sshd is enabled correctly when upgrading from a + pre-systemd distribution (bsc#1180083). + +--- +Mon Jan 18 11:04:41 UTC 2021 - Thorsten Kukuk + +- sysusers-sshd.conf: use sysusers.d configuration file to create + sshd user (avoid hard dependency on shadow). + +--- New: openssh-fix-ssh-copy-id.patch openssh-reenable-dh-group14-sha1-default.patch sysusers-sshd.conf Other differences: -- ++ openssh.spec ++ --- /var/tmp/diff_new_pack.vDHfiZ/_old 2021-01-26 14:49:44.487676928 +0100 +++ /var/tmp/diff_new_pack.vDHfiZ/_new 2021-01-26 14:49:44.487676928 +0100 
@@ -58,6 +58,7 @@ Source11: README.FIPS Source12: cavs_driver-ssh.pl Source13: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc#/openssh.keyring +Source14: sysusers-sshd.conf Patch0: openssh-7.7p1-allow_root_password_login.patch Patch1: openssh-7.7p1-X11_trusted_forwarding.patch Patch3: openssh-7.7p1-enable_PAM_by_default.patch @@ -107,6 +108,8 @@ Patch40:openssh-8.1p1-ed25519-use-openssl-rng.patch Patch41:openssh-fips-ensure-approved-moduli.patch Patch42:openssh-link-with-sk.patch +Patch43:openssh-reenable-dh-group14-sha1-default.patch +Patch44:openssh-fix-ssh-copy-id.patch BuildRequires: audit-devel BuildRequires: automake BuildRequires: groff @@ -119,6 +122,8 @@ BuildRequires: zlib-devel BuildRequires: pkgconfig(libfido2) BuildRequires: pkgconfig(libsystemd) +BuildRequires: sysuser-shadow +BuildRequires: sysuser-tools Requires: %{name}-clients = %{version}-%{release} Requires: %{name}-server = %{version}-%{release} %if %{with tirpc} @@ -129,6 +134,8 @@ %else BuildRequires: krb5-mini-devel %endif +Requires(pre): findutils +Requires(pre): grep %description SSH (Secure Shell) is a program for logging into and executing commands @@ -166,10 +173,12 @@ Group: Productivity/Networking/SSH Requires: %{name}-common = %{version}-%{release} Recommends: audit -Requires(pre): shadow +Requires(pre): findutils +Requires(pre): grep Requires(post): %fillup_prereq Requires(post): permissions Provides: openssh:%{_sbindir}/sshd +%sysusers_requires %description server SSH (Secure Shell) is a program for logging into and executing commands @@ -287,6 +296,7 @@ --target=%{_target_cpu}-suse-linux %make_build +%sysusers_generate_pre %{SOURCE14} sshd %install %make_install 
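Review bot: `Requires(pre): shadow` is dropped from the server subpackage in favour of `%sysusers_requires`, while `Requires(pre): findutils` and `Requires(pre): grep` are added to both the main and the server package because the upgrade-detection scriptlet uses `find`, `readlink` and `grep`; that is consistent with the %pre shown in the later hunk, but the main package only needs them if its own %pre runs that fallback, so check that the dependency is not attached to a package with no such scriptlet. `Patch43` (openssh-reenable-dh-group14-sha1-default.patch) warrants a separate flag: per the changelog it puts the SHA-1 based `diffie-hellman-group14-sha1` exchange back into the default KEX list that upstream removed in 8.2 for compatibility with older peers (bsc#1180958). The hunk only registers the patch, so the review ask is on the changelog: note that the default is weaker than upstream's and that administrators can remove it again with `KexAlgorithms`, so the deviation is visible and can be revisited.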
@@ -322,6 +332,10 @@ # sshd keys generator wrapper install -D -m 0755 %{SOURCE9} %{buildroot}%{_sbindir}/sshd-gen-keys-start +# Install sysusers.d config for sshd user +mkdir -p %{buildroot}%{_sysusersdir} +install -m 644 %{SOURCE14} %{buildroot}%{_sysusersdir}/sshd.conf + # the hmac hashes - taken from openssl # # re-define the __os_install_post macro: the macro strips @@ -346,24 +360,29 @@ # %%service_add_post scriptlet (in %%post server) will see it as a new service # and apply the preset, disabling it. We need to reenable it afterwards if # necessary. +mkdir -p %{_tmpenableddir} || : if [ -x %{_bindir}/systemctl ]; then -mkdir -p %{_tmpenableddir} || : %{_bindir}/systemctl is-enabled
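Review bot: moving `mkdir -p %{_tmpenableddir} || :` above the `if [ -x %{_bindir}/systemctl ]` test closes a real gap: previously the directory was only created in the systemd branch, so any non-systemd path of this scriptlet that writes `%{_tmpenabledfile}` did so into a missing directory and the `|| :` masked the failure, which matches the pre-systemd upgrade problems the changelog describes (bsc#1180083). The hunk is cut off after `%{_bindir}/systemctl is-enabled`, so the rest of the scriptlet cannot be reviewed from this excerpt. The new `install -m 644 %{SOURCE14} %{buildroot}%{_sysusersdir}/sshd.conf` depends on `%{_sysusersdir}` being defined by the newly added `sysuser-tools` BuildRequires; make sure the installed `sshd.conf` is also listed in %files, since an unowned file would fail the build.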
commit openssh for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openssh for openSUSE:Factory checked in at 2021-01-19 16:00:43 Comparing /work/SRC/openSUSE:Factory/openssh (Old) and /work/SRC/openSUSE:Factory/.openssh.new.28504 (New) Package is "openssh" Tue Jan 19 16:00:43 2021 rev:147 rq:863947 version:8.4p1 Changes: --- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2021-01-15 19:43:33.397773139 +0100 +++ /work/SRC/openSUSE:Factory/.openssh.new.28504/openssh.changes 2021-01-19 16:00:54.711263653 +0100 
@@ -1,0 +2,130 @@ +Mon Jan 18 00:30:37 UTC 2021 - Dirk M??ller + +- update to 8.4p1: + Security + + * ssh-agent(1): restrict ssh-agent from signing web challenges for + FIDO/U2F keys. + * ssh-keygen(1): Enable FIDO 2.1 credProtect extension when generating + a FIDO resident key. + * ssh(1), ssh-keygen(1): support for FIDO keys that require a PIN for + each use. These keys may be generated using ssh-keygen using a new + "verify-required" option. When a PIN-required key is used, the user + will be prompted for a PIN to complete the signature operation. + New Features + + * sshd(8): authorized_keys now supports a new "verify-required" + option to require FIDO signatures assert that the token verified + that the user was present before making the signature. The FIDO + protocol supports multiple methods for user-verification, but + currently OpenSSH only supports PIN verification. + + * sshd(8), ssh-keygen(1): add support for verifying FIDO webauthn + signatures. Webauthn is a standard for using FIDO keys in web + browsers. These signatures are a slightly different format to plain + FIDO signatures and thus require explicit support. + + * ssh(1): allow some keywords to expand shell-style ${ENV} + environment variables. The supported keywords are CertificateFile, + ControlPath, IdentityAgent and IdentityFile, plus LocalForward and + RemoteForward when used for Unix domain socket paths. bz#3140 + + * ssh(1), ssh-agent(1): allow some additional control over the use of + ssh-askpass via a new $SSH_ASKPASS_REQUIRE environment variable, + including forcibly enabling and disabling its use. bz#69 + + * ssh(1): allow ssh_config(5)'s AddKeysToAgent keyword accept a time + limit for keys in addition to its current flag options. Time- + limited keys will automatically be removed from ssh-agent after + their expiry time has passed. + + * scp(1), sftp(1): allow the -A flag to explicitly enable agent + forwarding in scp and sftp. 
The default remains to not forward an + agent, even when ssh_config enables it. + + * ssh(1): add a '%k' TOKEN that expands to the effective HostKey of + the destination. This allows, e.g., keeping host keys in individual + files using "UserKnownHostsFile ~/.ssh/known_hosts.d/%k". bz#1654 + + * ssh(1): add %-TOKEN, environment variable and tilde expansion to + the UserKnownHostsFile directive, allowing the path to be + completed by the configuration (e.g. bz#1654) + + * ssh-keygen(1): allow "ssh-add -d -" to read keys to be deleted + from stdin. bz#3180 + + * sshd(8): improve logging for MaxStartups connection throttling. + sshd will now log when it starts and stops throttling and periodically + while in this state. bz#3055 + + Bugfixes + + * ssh(1), ssh-keygen(1): better support for multiple attached FIDO + tokens. In cases where OpenSSH cannot unambiguously determine which + token to direct a request to, the user is now required to select a + token by touching it. In cases of operations that require a PIN to + be verified, this avoids sending the wrong PIN to the wrong token + and incrementing the token's PIN failure counter (tokens + effectively erase their keys after too many PIN failures). + * sshd(8): fix Include before Match in sshd_config; bz#3122 + * ssh(1): close stdin/out/error when forking after authentication + completes ("ssh -f ...") bz#3137 + * ssh(1), sshd(8): limit the amount of channel input data buffered, + avoiding peers that advertise large windows but are slow to read + from causing high memory consumption. + * ssh-agent(1): handle multiple requests sent in a single write() to + the agent. + * sshd(8): allow sshd_config longer than 256k + * sshd(8): avoid spurious "Unable to load host key" message when sshd + load a private key but no public counterpart + * ssh(1): prefer the default hostkey algorithm list whenever we have + a hostkey that matches its best-preference algorithm. 
+ * sshd(1): when ordering the hostkey algorithms to request from a + server, prefer certificate types if the known_hosts files contain a key + marked as a @cert-authority; bz#3157 + * ssh(1): perform host key fingerprint comparisons for the "Are you + sure you want to
commit openssh for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openssh for openSUSE:Factory checked in at 2021-01-15 19:43:28 Comparing /work/SRC/openSUSE:Factory/openssh (Old) and /work/SRC/openSUSE:Factory/.openssh.new.28504 (New) Package is "openssh" Fri Jan 15 19:43:28 2021 rev:146 rq:861779 version:8.3p1 Changes: --- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2021-01-06 19:55:33.348955736 +0100 +++ /work/SRC/openSUSE:Factory/.openssh.new.28504/openssh.changes 2021-01-15 19:43:33.397773139 +0100 @@ -1,0 +2,7 @@ +Fri Jan 8 01:37:02 UTC 2021 - Hans Petter Jansson + +- Update openssh-8.1p1-audit.patch (bsc#1180501). This fixes + occasional crashes on connection termination caused by accessing + freed memory. + +--- Other differences: -- openssh.spec: same change ++ openssh-8.1p1-audit.patch ++ --- /var/tmp/diff_new_pack.rGOfCm/_old 2021-01-15 19:43:34.55072 +0100 +++ /var/tmp/diff_new_pack.rGOfCm/_new 2021-01-15 19:43:34.55072 +0100 @@ -1,5 +1,5 @@ diff --git a/Makefile.in b/Makefile.in -index 9d3f569..5a0e0b6 100644 +index 88aba09..b815eac 100644 --- a/Makefile.in +++ b/Makefile.in @@ -115,7 +115,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ @@ -1673,7 +1673,7 @@ struct Session; diff --git a/packet.c b/packet.c -index e7abb34..3e9c95e 100644 +index e7abb34..997c338 100644 --- a/packet.c +++ b/packet.c @@ -81,6 +81,7 @@ @@ -1753,7 +1753,7 @@ state->newkeys[mode] = NULL; } /* note that both bytes and the seqnr are not reset */ -@@ -2205,6 +2221,71 @@ ssh_packet_get_output(struct ssh *ssh) +@@ -2205,6 +2221,73 @@ ssh_packet_get_output(struct ssh *ssh) return (void *)ssh->state->output; } @@ -1783,7 +1783,9 @@ + return; + + cipher_free(state->receive_context); ++ state->receive_context = NULL; + cipher_free(state->send_context); ++ state->send_context = NULL; + + sshbuf_free(state->input); + state->input = NULL;
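Review bot: the two added `state->receive_context = NULL;` and `state->send_context = NULL;` stores after each `cipher_free()` are the right fix for the crash described in the changelog (bsc#1180501): the audit patch's teardown routine frees the cipher contexts, and without the NULL stores a later cleanup of the same `state` (packet.c frees these contexts again on close) would operate on freed memory. `cipher_free()` returns early on NULL, so the second pass becomes a no-op, and the pattern matches the adjacent `sshbuf_free(state->input); state->input = NULL;`. The hunk header count moves from `+71` to `+73`, consistent with the two added lines, and the updated `index` lines (e7abb34..997c338, 88aba09..b815eac) show the patch was regenerated against a different base; regenerate the whole patch from that base rather than hand-editing, so the remaining hunks do not drift from the tree they apply to.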
[opensuse-commit] commit openssh for openSUSE:Factory
Hello community, here is the log from the commit of package openssh for openSUSE:Factory checked in at 2020-11-26 23:10:42 Comparing /work/SRC/openSUSE:Factory/openssh (Old) and /work/SRC/openSUSE:Factory/.openssh.new.5913 (New) Package is "openssh" Thu Nov 26 23:10:42 2020 rev:144 rq:849984 version:8.3p1 Changes: --- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2020-10-18 16:30:22.716730029 +0200 +++ /work/SRC/openSUSE:Factory/.openssh.new.5913/openssh.changes 2020-11-26 23:12:22.672940774 +0100 @@ -1,0 +2,22 @@ +Wed Nov 11 20:05:27 UTC 2020 - Hans Petter Jansson + +- Fix build breakage caused by missing security key objects: + + Modify openssh-7.7p1-cavstest-ctr.patch. + + Modify openssh-7.7p1-cavstest-kdf.patch. + + Add openssh-link-with-sk.patch. + +--- +Wed Nov 11 18:27:55 UTC 2020 - Hans Petter Jansson + +- Add openssh-fips-ensure-approved-moduli.patch (bsc#1177939). + This ensures only approved DH parameters are used in FIPS mode. + +--- +Wed Nov 11 18:27:54 UTC 2020 - Hans Petter Jansson + +- Add openssh-8.1p1-ed25519-use-openssl-rng.patch (bsc#1173799). + This uses OpenSSL's RAND_bytes() directly instead of the internal + ChaCha20-based implementation to obtain random bytes for Ed25519 + curve computations. This is required for FIPS compliance. + +--- New: openssh-8.1p1-ed25519-use-openssl-rng.patch openssh-fips-ensure-approved-moduli.patch openssh-link-with-sk.patch Other differences: -- ++ openssh.spec ++ --- /var/tmp/diff_new_pack.NqJRYZ/_old 2020-11-26 23:12:24.268941105 +0100 +++ /var/tmp/diff_new_pack.NqJRYZ/_new 2020-11-26 23:12:24.268941105 +0100 
@@ -104,6 +104,9 @@ Patch37:openssh-8.1p1-seccomp-clock_nanosleep_time64.patch Patch38:openssh-8.1p1-seccomp-clock_gettime64.patch Patch39:openssh-8.1p1-use-openssl-kdf.patch +Patch40:openssh-8.1p1-ed25519-use-openssl-rng.patch +Patch41:openssh-fips-ensure-approved-moduli.patch +Patch42:openssh-link-with-sk.patch BuildRequires: audit-devel BuildRequires: autoconf BuildRequires: groff ++ openssh-7.7p1-cavstest-ctr.patch ++ --- /var/tmp/diff_new_pack.NqJRYZ/_old 2020-11-26 23:12:24.348941121 +0100 +++ /var/tmp/diff_new_pack.NqJRYZ/_new 2020-11-26 23:12:24.352941122 +0100 @@ -28,8 +28,8 @@ $(LD) -o $@ $(SFTP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT) +# FIPS tests -+cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a cavstest-ctr.o -+ $(LD) -o $@ cavstest-ctr.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) ++cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-ctr.o ++ $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) + # test driver for the loginrec code - not built by default logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o ++ openssh-7.7p1-cavstest-kdf.patch ++ --- /var/tmp/diff_new_pack.NqJRYZ/_old 2020-11-26 23:12:24.360941124 +0100 +++ /var/tmp/diff_new_pack.NqJRYZ/_new 2020-11-26 23:12:24.360941124 +0100 @@ -24,11 +24,11 @@ XMSS_OBJS=\ ssh-xmss.o \ 
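Review bot: the cavstest-ctr link rule now adds `ssh-sk.o sk-usbhid.o` and `$(LIBFIDO2)`; sk-usbhid.o pulls in libfido2 symbols, hence the extra library, and this is what the changelog's "missing security key objects" refers to. The command still lists `-lssh` twice (`-lssh -lopenbsd-compat -lssh`), which predates this change and works around link ordering, but a short comment would stop the next person from "cleaning" it up and reintroducing the undefined references. In the spec hunk, `Patch40` (Ed25519 randomness via OpenSSL) and `Patch41` (FIPS-approved moduli) change cryptographic behaviour; the changelog explains the FIPS motivation, so state in the patch headers whether they are meant to apply to non-FIPS builds as well.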
@@ -251,6 +252,9 @@ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTP_OBJS) - cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a cavstest-ctr.o - $(LD) -o $@ cavstest-ctr.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) + cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-ctr.o + $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -+cavstest-kdf$(EXEEXT): $(LIBCOMPAT) libssh.a cavstest-kdf.o -+ $(LD) -o $@ cavstest-kdf.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) ++cavstest-kdf$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-kdf.o ++ $(LD) -o $@ cavstest-kdf.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) + # test driver for the loginrec code - not built by default logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o ++ openssh-8.1p1-ed25519-use-openssl-rng.patch ++ commit d281831d887044ede45d458c3dda74be9ae017e3 Author: Hans Petter Jansson Date: Fri Sep 25 23:26:58 2020 +0200 Use OpenSSL's FIPS approved RAND_bytes() to get randomness for Ed25519 diff --git a/ed25519.c b/ed25519.c index 767ec24..5d506a9 100644 --- a/ed25519.c +++ b/ed25519.c @@ -9,6 +9,13 @@ #include "includes.h" #include "crypto_api.h" +#ifdef WITH_OPENSSL +#include +#include +#endif + +#include "log.h" + #include "ge25519.h" static void
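Review bot: in the ed25519.c hunk the two `#include` lines under `#ifdef WITH_OPENSSL` have no header names in the visible text (likely lost with their angle brackets), so the patch as shown cannot be applied; check the rendered file. Including `"log.h"` unconditionally suggests the replacement for the internal ChaCha20 randombytes path calls fatal() when `RAND_bytes()` fails, which is the right behaviour for key material (an RNG failure must never fall through to unrandomized bytes), but the call site is not in this excerpt; confirm the return value of `RAND_bytes()` is checked and that a build without WITH_OPENSSL keeps the existing implementation. The cavstest-kdf hunk mirrors the ctr change (`ssh-sk.o sk-usbhid.o`, `$(LIBFIDO2)`), so the same duplicate `-lssh` remark applies.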