Revisions of openssh

Antonio Larrosa (alarrosa) accepted request 1167855 from Antonio Larrosa (alarrosa) (revision 265)
Add bugzilla reference to bsc#1221005

Antonio Larrosa (alarrosa) accepted request 1167816 from Marcus Meissner (msmeissn) (revision 264)
- openssh-8.0p1-gssapi-keyex.patch: Added missing struct initializer, added missing parameter (bsc#1222840)

Antonio Larrosa (alarrosa) accepted request 1167038 from Antonio Larrosa (alarrosa) (revision 263)
- Make openssh-server recommend the openssh-server-config-rootlogin package in SLE in order to keep the same behaviour of previous SPs where the PermitRootLogin default was set to yes.
- Fix crypto-policies requirement to be set by openssh-server, not the config-rootlogin subpackage.
- Add back %config(noreplace) tag for more config files that were already set like this in previous SPs.

Antonio Larrosa (alarrosa) accepted request 1166764 from Arnav Singh (Arnavion) (revision 262)
- Fix duplicate loading of dropins. (boo#1222467)

Antonio Larrosa (alarrosa) accepted request 1166156 from Antonio Larrosa (alarrosa) (revision 261)
Add one more bsc/CVE reference

Antonio Larrosa (alarrosa) accepted request 1165554 from Antonio Larrosa (alarrosa) (revision 260)
- Add missing bugzilla/CVE references to the changelog

Antonio Larrosa (alarrosa) accepted request 1165549 from Antonio Larrosa (alarrosa) (revision 259)
- Add patch from SLE which was missing in Factory:
  * Mon Jun 7 20:54:09 UTC 2021 - Hans Petter Jansson <hpj@suse.com>
  - Add openssh-mitigate-lingering-secrets.patch (bsc#1186673), which attempts to mitigate instances of secrets lingering in memory after a session exits. (bsc#1213004 bsc#1213008)
- Rebase patch:
  * openssh-6.6p1-privsep-selinux.patch

Antonio Larrosa (alarrosa) accepted request 1165438 from Antonio Larrosa (alarrosa) (revision 258)
Forward a fix for a patch from SLE
- Rebase openssh-7.7p1-fips.patch (bsc#1221928)
  Remove OPENSSL_HAVE_EVPGCM-ifdef, which is no longer supported by upstream

Marcus Meissner (msmeissn) accepted request 1164145 from Antonio Larrosa (alarrosa) (revision 257)
- Use %config(noreplace) for sshd_config. In any case, it's recommended to drop a file in sshd_config.d instead of editing sshd_config (bsc#1221063)
- Use %{_libexecdir} when removing ssh-keycat instead of the hardcoded path so it works in TW and SLE.
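The drop-in recommendation above (and the PermitRootLogin default discussed in revision 263) rests on one sshd_config(5) rule: for each keyword the first obtained value wins, and an Include line is expanded in place, so a drop-in only overrides a keyword if the Include precedes that keyword in sshd_config. The following is an added example, not code from this changelog or from OpenSSH: a small Python model of that resolution order, run against a constructed temporary layout. Its assumptions: Match blocks are skipped entirely, and relative Include patterns resolve against the main file's directory rather than sshd's /etc/ssh.

```python
import glob
import os
import tempfile
from typing import Dict, Optional, Tuple


def parse_directive(line: str) -> Optional[Tuple[str, str]]:
    """Split one sshd_config line into (keyword, value).

    Keywords are case-insensitive; 'Keyword value' and 'Keyword=value' are
    both accepted; blank lines and '#' comments yield None.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    head = stripped.split("=", 1)[0]
    if "=" in stripped and " " not in head and "\t" not in head:
        key, value = stripped.split("=", 1)
    else:
        parts = stripped.split(None, 1)
        key, value = parts[0], (parts[1] if len(parts) > 1 else "")
    return key.lower(), value.strip()


def effective_config(main_path: str) -> Dict[str, str]:
    """Resolve global (non-Match) keywords the way sshd does: walk the file
    top to bottom, expand Include globs in sorted order at the point where
    the Include appears, and keep the FIRST value seen for each keyword.

    Model assumptions: Match blocks are skipped, and relative Include
    patterns resolve against the main file's directory (sshd uses /etc/ssh).
    """
    found: Dict[str, str] = {}
    base_dir = os.path.dirname(os.path.abspath(main_path))

    def walk(path: str) -> None:
        in_match = False
        with open(path, encoding="utf-8") as fh:
            for raw in fh:
                parsed = parse_directive(raw)
                if parsed is None:
                    continue
                key, value = parsed
                if key == "match":
                    in_match = True  # conditional section: out of scope here
                if in_match:
                    continue
                if key == "include":
                    for pattern in value.split():
                        if not os.path.isabs(pattern):
                            pattern = os.path.join(base_dir, pattern)
                        for included in sorted(glob.glob(pattern)):
                            walk(included)
                    continue
                found.setdefault(key, value)  # first obtained value wins

    walk(main_path)
    return found


def demo() -> Dict[str, str]:
    """Constructed layout (not a real system): a hardening drop-in versus a
    main file that sets PermitRootLogin yes, with the Include placed either
    before or after that line."""
    with tempfile.TemporaryDirectory() as root:
        dropin_dir = os.path.join(root, "sshd_config.d")
        os.mkdir(dropin_dir)
        with open(os.path.join(dropin_dir, "50-hardening.conf"), "w") as fh:
            fh.write("PermitRootLogin no\nPasswordAuthentication no\n")

        include_first = os.path.join(root, "sshd_config")
        with open(include_first, "w") as fh:
            fh.write("Include sshd_config.d/*.conf\n"
                     "PermitRootLogin yes\n"
                     "X11Forwarding no\n")

        include_last = os.path.join(root, "sshd_config.include-last")
        with open(include_last, "w") as fh:
            fh.write("PermitRootLogin yes\n"
                     "Include sshd_config.d/*.conf\n")

        return {
            "include_first": effective_config(include_first)["permitrootlogin"],
            "include_last": effective_config(include_last)["permitrootlogin"],
        }


if __name__ == "__main__":
    print(demo())  # {'include_first': 'no', 'include_last': 'yes'}
```

On a real host the authoritative check is `sshd -T` (optionally with `-C user=...,host=...,addr=...` for Match evaluation), which prints the effective value of every keyword after all includes are applied; the model above only explains why that output can differ from what a drop-in appears to say.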

Marcus Meissner (msmeissn) accepted request 1155471 from Pedro Monreal Gonzalez (pmonrealgonzalez) (revision 256)
- Add crypto-policies support [bsc#1211301]
  * Add patches:
    - openssh-9.6p1-crypto-policies.patch
    - openssh-9.6p1-crypto-policies-man.patch

Hans Petter Jansson (hpjansson) accepted request 1150500 from Hans Petter Jansson (hpjansson) (revision 255)
- Update to openssh 9.6p1:
  * No changes for askpass, see main package changelog for details.
- Update to openssh 9.6p1:
  = Security
  * ssh(1), sshd(8): implement protocol extensions to thwart the so-called "Terrapin attack" discovered by Fabian Bäumer, Marcus Brinkmann and Jörg Schwenk. This attack allows a MITM to effect a limited break of the integrity of the early encrypted SSH transport protocol by sending extra messages prior to the commencement of encryption, and deleting an equal number of consecutive messages immediately after encryption starts. A peer SSH client/server would not be able to detect that messages were deleted.
  * ssh-agent(1): when adding PKCS#11-hosted private keys while specifying destination constraints, if the PKCS#11 token returned multiple keys then only the first key had the constraints applied. Use of regular private keys, FIDO tokens and unconstrained keys are unaffected.
  * ssh(1): if an invalid user or hostname that contained shell metacharacters was passed to ssh(1), and a ProxyCommand, LocalCommand directive or "match exec" predicate referenced the user or hostname via %u, %h or similar expansion token, then an attacker who could supply arbitrary user/hostnames to ssh(1) could potentially perform command injection depending on what quoting was present in the user-supplied ssh_config(5) directive.
  = Potentially incompatible changes
  * ssh(1), sshd(8): the RFC4254 connection/channels protocol provides a TCP-like window mechanism that limits the amount of data that can be sent without acceptance from the peer. In cases where this

Hans Petter Jansson (hpjansson) accepted request 1133932 from Hans Petter Jansson (hpjansson) (revision 254)
Added openssh-cve-2023-48795.patch
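The Terrapin fix referenced in the 9.6p1 notes above and in this CVE-2023-48795 patch is negotiated inside SSH_MSG_KEXINIT: OpenSSH appends the pseudo-algorithms kex-strict-c-v00@openssh.com (client) or kex-strict-s-v00@openssh.com (server) to its kex_algorithms list, and when both sides advertise it the early transport is reset so injected or deleted messages are detected. The attack itself only applies when an affected cipher mode is negotiated (chacha20-poly1305@openssh.com, or a CBC cipher with an encrypt-then-MAC *-etm@openssh.com MAC). The following is an added example, not code from this changelog or from OpenSSH: a parser for a decrypted KEXINIT payload (layout per RFC 4253 section 7.1) plus an assessment of what a peer advertises. The two sample payloads are constructed with a zero cookie, not captured from real servers; `exposed` means affected algorithms are offered and strict KEX is not, since a peer that does advertise strict KEX is protected only when its counterpart does too.

```python
import struct
from typing import Dict, List

SSH_MSG_KEXINIT = 20
# Pseudo-algorithm names OpenSSH adds to kex_algorithms to signal strict KEX
# (client and server flavour respectively).
STRICT_KEX = {"kex-strict-c-v00@openssh.com", "kex-strict-s-v00@openssh.com"}
# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253, 7.1).
NAMELIST_FIELDS = [
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
]


def _read_namelist(buf: bytes, off: int):
    """Decode one SSH name-list (uint32 length + comma-separated ASCII names)."""
    if off + 4 > len(buf):
        raise ValueError("truncated name-list length")
    (length,) = struct.unpack_from(">I", buf, off)
    off += 4
    raw = buf[off:off + length]
    if len(raw) != length:
        raise ValueError("truncated name-list body")
    return (raw.decode("ascii").split(",") if raw else []), off + length


def parse_kexinit(payload: bytes) -> Dict[str, List[str]]:
    """Parse a KEXINIT payload (message byte through the reserved word)."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off = 1 + 16  # message number + 16-byte random cookie
    fields: Dict[str, List[str]] = {}
    for name in NAMELIST_FIELDS:
        fields[name], off = _read_namelist(payload, off)
    # trailer: boolean first_kex_packet_follows + uint32 reserved (0)
    if len(payload) - off != 5:
        raise ValueError("unexpected KEXINIT trailer length")
    return fields


def build_kexinit(**lists: List[str]) -> bytes:
    """Build a KEXINIT for offline tests (zero cookie: constructed, not captured)."""
    out = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    for name in NAMELIST_FIELDS:
        raw = ",".join(lists.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(raw)) + raw
    return out + b"\x00" + b"\x00\x00\x00\x00"


def assess_terrapin(fields: Dict[str, List[str]]) -> Dict[str, object]:
    """Report strict-KEX support and the Terrapin-affected algorithms offered:
    chacha20-poly1305@openssh.com, and CBC ciphers when any *-etm MAC is offered."""
    kex = set(fields["kex_algorithms"])
    ciphers = sorted(set(fields["encryption_algorithms_client_to_server"])
                     | set(fields["encryption_algorithms_server_to_client"]))
    macs = (set(fields["mac_algorithms_client_to_server"])
            | set(fields["mac_algorithms_server_to_client"]))
    affected = [c for c in ciphers if c == "chacha20-poly1305@openssh.com"]
    if any(m.endswith("-etm@openssh.com") for m in macs):
        affected += [c for c in ciphers if c.endswith("-cbc")]
    strict = bool(kex & STRICT_KEX)
    return {"strict_kex": strict, "affected_offered": affected,
            "exposed": bool(affected) and not strict}


# Constructed sample payloads (assumed algorithm lists, not real captures).
_COMMON = dict(
    server_host_key_algorithms=["ssh-ed25519"],
    compression_algorithms_client_to_server=["none", "zlib@openssh.com"],
    compression_algorithms_server_to_client=["none", "zlib@openssh.com"],
)
STRICT_SERVER = build_kexinit(
    kex_algorithms=["curve25519-sha256", "kex-strict-s-v00@openssh.com"],
    encryption_algorithms_client_to_server=["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
    encryption_algorithms_server_to_client=["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
    mac_algorithms_client_to_server=["umac-64-etm@openssh.com", "hmac-sha2-256"],
    mac_algorithms_server_to_client=["umac-64-etm@openssh.com", "hmac-sha2-256"],
    **_COMMON)
LEGACY_SERVER = build_kexinit(
    kex_algorithms=["curve25519-sha256", "diffie-hellman-group14-sha256"],
    encryption_algorithms_client_to_server=["chacha20-poly1305@openssh.com", "aes128-cbc"],
    encryption_algorithms_server_to_client=["chacha20-poly1305@openssh.com", "aes128-cbc"],
    mac_algorithms_client_to_server=["hmac-sha2-256-etm@openssh.com"],
    mac_algorithms_server_to_client=["hmac-sha2-256-etm@openssh.com"],
    **_COMMON)

if __name__ == "__main__":
    for label, payload in (("strict", STRICT_SERVER), ("legacy", LEGACY_SERVER)):
        print(label, assess_terrapin(parse_kexinit(payload)))
```

Against a live host, feed `parse_kexinit` the plaintext KEXINIT payload read after the version-string exchange (the first packet from the peer is unencrypted, so it can be taken straight from the socket after stripping the packet length and padding). The assessment is deliberately one-sided: a fleet scan should record both the offered algorithm lists and the strict-KEX flag, because a patched server talking to an unpatched client still negotiates without the countermeasure.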

Hans Petter Jansson (hpjansson) accepted request 1113799 from Thorsten Kukuk (kukuk) (revision 253)
- Disable SLP by default for Factory and ALP (bsc#1214884)

Hans Petter Jansson (hpjansson) accepted request 1123220 from Johannes Segitz (jsegitz) (revision 252)
- Enhanced SELinux functionality. Added Fedora patches:
  * openssh-7.8p1-role-mls.patch
    Proper handling of MLS systems and basis for other SELinux improvements
  * openssh-6.6p1-privsep-selinux.patch
    Properly set contexts during privilege separation
  * openssh-6.6p1-keycat.patch
    Add ssh-keycat command to allow retrieval of authorized_keys on MLS setups with polyinstantiation
  * openssh-6.6.1p1-selinux-contexts.patch
    Additional changes to set the proper context during privilege separation
  * openssh-7.6p1-cleanup-selinux.patch
    Various changes and putting the pieces together
  For now we don't ship the ssh-keycat command, but we need the patch for the other SELinux infrastructure.
  This change fixes issues like bsc#1214788, where the ssh daemon needs to act on behalf of a user and needs a proper context for this.

Marcus Meissner (msmeissn) accepted request 1119952 from Dominique Leuenberger (dimstar) (revision 251)
- Add cb4ed12f.patch: Fix build using zlib 1.3. The check expected a version in the form a.b.c[.d], which no longer matches 1.3. See failure with zlib 1.3 in Staging:N

Hans Petter Jansson (hpjansson) accepted request 1110800 from Thorsten Kukuk (kukuk) (revision 250)
Teach openssh to tell logind the TTY, else tools like wall will stop working now with the new systemd v254 and util-linux (and who, w, ... will not show a tty)

Marcus Meissner (msmeissn) accepted request 1099810 from Simon Lees (simotek) (revision 249)
- Update to openssh 9.3p2
  * No changes for askpass, see main package changelog for details
- Update to openssh 9.3p2 (bsc#1213504, CVE-2023-38408):
  Security
  ========
  Fix CVE-2023-38408 - a condition where specific libraries loaded via ssh-agent(1)'s PKCS#11 support could be abused to achieve remote code execution via a forwarded agent socket if the following conditions are met:
  * Exploitation requires the presence of specific libraries on the victim system.
  * Remote exploitation requires that the agent was forwarded to an attacker-controlled system.
  Exploitation can also be prevented by starting ssh-agent(1) with an empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring an allowlist that contains only specific provider libraries.
  This vulnerability was discovered and demonstrated to be exploitable by the Qualys Security Advisory team.
  In addition to removing the main precondition for exploitation, this release removes the ability for remote ssh-agent(1) clients to load PKCS#11 modules by default (see below).
  Potentially-incompatible changes
  --------------------------------
  * ssh-agent(8): the agent will now refuse requests to load PKCS#11 modules issued by remote clients by default. A flag has been added to restore the previous behaviour "-Oallow-remote-pkcs11". Note that ssh-agent(8) depends on the SSH client to identify requests that are remote. The OpenSSH >=8.9 ssh(1) client does this, but forwarding access to an agent socket using other tools may circumvent this restriction.

Dirk Mueller (dirkmueller) accepted request 1089432 from Andreas Stieger (AndreasStieger) (revision 248)
- openssh-askpass-gnome: require only openssh-clients, not the full openssh (including -server), to avoid pulling in excessive dependencies when installing git on Gnome (boo#1211446)

Hans Petter Jansson (hpjansson) accepted request 1087770 from Antonio Larrosa (alarrosa) (revision 247)
- Update to openssh 9.3p1
  * No changes for askpass, see main package changelog for details
- Update to openssh 9.3p1:
  = Security
  * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the per-hop destination constraints (ssh-add -h ...) added in OpenSSH 8.9, a logic error prevented the constraints from being communicated to the agent. This resulted in the keys being added without constraints. The common cases of non-smartcard keys and keys without destination constraints are unaffected. This problem was reported by Luci Stanescu.
  * ssh(1): Portable OpenSSH provides an implementation of the getrrsetbyname(3) function if the standard library does not provide it, for use by the VerifyHostKeyDNS feature. A specifically crafted DNS response could cause this function to perform an out-of-bounds read of adjacent stack data, but this condition does not appear to be exploitable beyond denial-of-service to the ssh(1) client. The getrrsetbyname(3) replacement is only included if the system's standard library lacks this function and portable OpenSSH was not compiled with the ldns library (--with-ldns). getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This problem was found by the Coverity static analyzer.
  = New features
  * ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256 when outputting SSHFP fingerprints to allow algorithm selection. bz3493

Hans Petter Jansson (hpjansson) accepted request 1074609 from Thorsten Kukuk (kukuk) (revision 246)
- Rename sshd.pamd to sshd-sle.pamd and fix order of pam_keyinit
- Add new sshd.pamd including postlogin-* config files
Displaying revisions 1 - 20 of 265