Revisions of openssh

Petr Cerny (pcerny) accepted request 563724 from Petr Cerny (pcerny) (revision 128)
reworking packaging, gssapi kex patch
Petr Cerny (pcerny) accepted request 551548 from Petr Cerny (pcerny) (revision 127)
- upgrade to 7.6p1
  see main package changelog for details

- Replace references to /var/adm/fillup-templates with new 
  %_fillupdir macro (boo#1069468)

- Update to vanilla 7.6p1
  Most important changes (more details below):
  * complete removal of the ancient SSHv1 protocol
  * sshd(8) cannot run without privilege separation
  * removal of support for arcfour, blowfish and CAST ciphers
    and RIPE-MD160 HMAC
  * refuse RSA keys shorter than 1024 bits
  Distilled upstream log:
- OpenSSH 7.3
  ---- Security
  * sshd(8): Mitigate a potential denial-of-service attack
    against the system's crypt(3) function via sshd(8). An
    attacker could send very long passwords that would cause
    excessive CPU use in crypt(3). sshd(8) now refuses to accept
    password authentication requests of length greater than 1024
    characters. Independently reported by Tomas Kuthan (Oracle),
    Andres Rojas and Javier Nieto.
  * sshd(8): Mitigate timing differences in password
    authentication that could be used to discern valid from
    invalid account names when long passwords were sent and
    particular password hashing algorithms are in use on the
    server. CVE-2016-6210, reported by EddieEzra.Harari at
    verint.com
  * ssh(1), sshd(8): Fix observable timing weakness in the CBC
Petr Cerny (pcerny) accepted request 547285 from Petr Cerny (pcerny) (revision 126)
temporarily downgrading to 7.2p2 to run tests on additional 7.2p2 patches
Petr Cerny (pcerny) accepted request 547161 from Petr Cerny (pcerny) (revision 125)
temporarily downgrading to 7.2p2 to run tests on additional 7.2p2 patches
Petr Cerny (pcerny) accepted request 547144 from Petr Cerny (pcerny) (revision 124)
temporarily downgrading to 7.2p2 to run tests on additional 7.2p2 patches
Dirk Mueller (dirkmueller) accepted request 544667 from Richard Brown (RBrownSUSE) (revision 123)
Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)
Petr Cerny (pcerny) accepted request 539322 from Petr Cerny (pcerny) (revision 122)
- upgrade to 7.6p1
  see main package changelog for details

- Update to vanilla 7.6p1
  Most important changes (more details below):
  * complete removal of the ancient SSHv1 protocol
  * sshd(8) cannot run without privilege separation
  * removal of support for arcfour, blowfish and CAST ciphers
    and RIPE-MD160 HMAC
  * refuse RSA keys shorter than 1024 bits
  Distilled upstream log:
- OpenSSH 7.3
  ---- Security
  * sshd(8): Mitigate a potential denial-of-service attack
    against the system's crypt(3) function via sshd(8). An
    attacker could send very long passwords that would cause
    excessive CPU use in crypt(3). sshd(8) now refuses to accept
    password authentication requests of length greater than 1024
    characters. Independently reported by Tomas Kuthan (Oracle),
    Andres Rojas and Javier Nieto.
  * sshd(8): Mitigate timing differences in password
    authentication that could be used to discern valid from
    invalid account names when long passwords were sent and
    particular password hashing algorithms are in use on the
    server. CVE-2016-6210, reported by EddieEzra.Harari at
    verint.com
  * ssh(1), sshd(8): Fix observable timing weakness in the CBC
    padding oracle countermeasures. Reported by Jean Paul
    Degabriele, Kenny Paterson, Torben Hansen and Martin
    Albrecht. Note that CBC ciphers are disabled by default and
buildservice-autocommit accepted request 536831 from Dirk Mueller (dirkmueller) (revision 121)
baserev update by copy to link target
Dirk Mueller (dirkmueller) accepted request 536578 from Johannes Segitz (jsegitz) (revision 120)
- sshd_config now has permissions 0600 in secure mode
buildservice-autocommit accepted request 500282 from Petr Cerny (pcerny) (revision 119)
baserev update by copy to link target
Petr Cerny (pcerny) accepted request 500281 from Petr Cerny (pcerny) (revision 118)
- require OpenSSL < 1.1 where that one is a default
Petr Cerny (pcerny) accepted request 500279 from Petr Cerny (pcerny) (revision 117)
- Fix preauth seccomp separation on mainframes (bsc#1016709)
  [openssh-7.2p2-s390_hw_crypto_syscalls.patch]
  [openssh-7.2p2-s390_OpenSSL-ibmpkcs11_syscalls.patch]
- enable case-insensitive hostname matching (bsc#1017099)
  [openssh-7.2p2-ssh_case_insensitive_host_matching.patch]
- add CAVS tests
  [openssh-7.2p2-cavstest-ctr.patch]
  [openssh-7.2p2-cavstest-kdf.patch]
- Adding missing pieces for user matching (bsc#1021626)
- Properly verify CIDR masks in configuration
  (bsc#1005893)
  [openssh-7.2p2-verify_CIDR_address_ranges.patch]
- Remove pre-auth compression support from the server to prevent
  possible cryptographic attacks.
  (CVE-2016-10012, bsc#1016370)
  [openssh-7.2p2-disable_preauth_compression.patch]
- limit directories for loading PKCS11 modules
  (CVE-2016-10009, bsc#1016366)
  [openssh-7.2p2-restrict_pkcs11-modules.patch]
- Prevent possible leaks of host private keys to low-privilege
  process handling authentication
  (CVE-2016-10011, bsc#1016369)
  [openssh-7.2p2-prevent_private_key_leakage.patch]
- Do not allow unix socket forwarding when running without
  privilege separation
  (CVE-2016-10010, bsc#1016368)
  [openssh-7.2p2-secure_unix_sockets_forwarding.patch]
- prevent resource depletion during key exchange
  (bsc#1005480, CVE-2016-8858)
  [openssh-7.2p2-kex_resource_depletion.patch]
buildservice-autocommit accepted request 461303 from Dirk Mueller (dirkmueller) (revision 116)
baserev update by copy to link target
Dirk Mueller (dirkmueller) accepted request 459897 from Cristian Rodríguez (elvigia) (revision 115)
- sshd.service: Set TasksMax=infinity, as there should be
  no limit on the amount of tasks sshd can run.
buildservice-autocommit accepted request 433780 from Petr Cerny (pcerny) (revision 114)
baserev update by copy to link target
Petr Cerny (pcerny) accepted request 433779 from Petr Cerny (pcerny) (revision 113)
- remaining patches that were still missing
  since the update to 7.2p2 (FATE#319675):
  [openssh-7.2p2-disable_openssl_abi_check.patch]
- fix forwarding with IPv6 addresses in DISPLAY (bnc#847710)
  [openssh-7.2p2-IPv6_X_forwarding.patch]
- ignore PAM environment when using login
  (bsc#975865, CVE-2015-8325)
  [openssh-7.2p2-ignore_PAM_with_UseLogin.patch]
- limit accepted password length (prevents possible DoS)
  (bsc#992533, CVE-2016-6515)
  [openssh-7.2p2-limit_password_length.patch]
- Prevent user enumeration through the timing of password
  processing (bsc#989363, CVE-2016-6210)
  [openssh-7.2p2-prevent_timing_user_enumeration.patch]
- Add auditing for PRNG re-seeding
  [openssh-7.2p2-audit_seed_prng.patch]
Petr Cerny (pcerny) accepted request 432093 from Petr Cerny (pcerny) (revision 112)
next round of patches
- allow X forwarding over IPv4 when IPv6 sockets are not available
  [openssh-7.2p2-X_forward_with_disabled_ipv6.patch]
- do not write PID file when not daemonizing
  [openssh-7.2p2-no_fork-no_pid_file.patch]
- use correct options when invoking login
  [openssh-7.2p2-login_options.patch]
- helper application for retrieving users' public keys from
  an LDAP server
  [openssh-7.2p2-ldap.patch]
- allow forcing permissions over sftp
  [openssh-7.2p2-sftp_force_permissions.patch]
- do not perform run-time checks for OpenSSL API/ABI change
  [openssh-7.2p2-disable-openssl-abi-check.patch]
- suggest commands for cleaning known hosts file
  [openssh-7.2p2-host_ident.patch]
- sftp home chroot patch
  [openssh-7.2p2-sftp_homechroot.patch]
- ssh sessions auditing
  [openssh-7.2p2-audit.patch]
- enable seccomp sandbox on additional architectures
  [openssh-7.2p2-additional_seccomp_archs.patch]
buildservice-autocommit accepted request 428545 from Petr Cerny (pcerny) (revision 111)
baserev update by copy to link target
Petr Cerny (pcerny) accepted request 428544 from Petr Cerny (pcerny) (revision 110)
- FIPS compatibility (no selfchecks, only crypto restrictions)
  [openssh-7.2p2-fips.patch]
- PRNG re-seeding
  [openssh-7.2p2-seed-prng.patch]
- preliminary version of GSSAPI KEX
  [openssh-7.2p2-gssapi_key_exchange.patch]
buildservice-autocommit accepted request 415094 from Marcus Meissner (msmeissn) (revision 109)
baserev update by copy to link target
Displaying revisions 141 - 160 of 268