Revisions of openssh
TB Adm (tbadm)
committed
(revision 11)
- Update to openssh 9.6p1:
* No changes for askpass, see main package changelog for
details.
- openssh-8.0p1-gssapi-keyex.patch: Added missing struct initializer,
added missing parameter (bsc#1222840)
- Make openssh-server recommend the openssh-server-config-rootlogin
package in SLE in order to keep the same behaviour of previous
SPs where the PermitRootLogin default was set to yes
(bsc#1221005).
- Fix crypto-policies requirement to be set by openssh-server, not
the config-rootlogin subpackage.
- Add back %config(noreplace) tag for more config files that were
already set like this in previous SPs.
- Fix duplicate loading of dropins. (boo#1222467)
- Add missing bugzilla/CVE references to the changelog
- Add patch from SLE which was missing in Factory:
* Mon Jun 7 20:54:09 UTC 2021 - Hans Petter Jansson <hpj@suse.com>
- Add openssh-mitigate-lingering-secrets.patch (bsc#1186673), which
attempts to mitigate instances of secrets lingering in memory
after a session exits. (bsc#1213004 bsc#1213008)
- Rebase patch:
* openssh-6.6p1-privsep-selinux.patch
- Rebase openssh-7.7p1-fips.patch (bsc#1221928)
TB Adm (tbadm)
committed
(revision 9)
- Add cb4ed12f.patch: Fix build using zlib 1.3. The check expected a version in the form a.b.c[.d], which no longer matches 1.3.
TB Adm (tbadm)
committed
(revision 8)
- Disable old lastlog, we use pam_lastlog2 - openssh-8.4p1-pam_motd.patch: adjust to remove PrintLastLog - logind_set_tty.patch: tell systemd-logind our current TTY
TB Adm (tbadm)
committed
(revision 6)
- Update to openssh 9.3p1 + openssh-9.3p1-susshi.patch
* No changes for askpass, see main package changelog for
details
- Update to openssh 9.3p1:
= Security
* ssh-add(1): when adding smartcard keys to ssh-agent(1) with the
per-hop destination constraints (ssh-add -h ...) added in
OpenSSH 8.9, a logic error prevented the constraints from being
communicated to the agent. This resulted in the keys being added
without constraints. The common cases of non-smartcard keys and
keys without destination constraints are unaffected. This
problem was reported by Luci Stanescu.
* ssh(1): Portable OpenSSH provides an implementation of the
getrrsetbyname(3) function if the standard library does not
provide it, for use by the VerifyHostKeyDNS feature. A
specifically crafted DNS response could cause this function to
perform an out-of-bounds read of adjacent stack data, but this
condition does not appear to be exploitable beyond denial-of-
service to the ssh(1) client.
The getrrsetbyname(3) replacement is only included if the
system's standard library lacks this function and portable
OpenSSH was not compiled with the ldns library (--with-ldns).
getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to
fetch SSHFP records. This problem was found by the Coverity
static analyzer.
= New features
* ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256
when outputting SSHFP fingerprints to allow algorithm
selection. bz3493
TB Adm (tbadm)
committed
(revision 3)
- Rename sshd.pamd to sshd-sle.pamd and fix order of pam_keyinit - Add new sshd.pamd including postlogin-* config files - Remove BuildRequires for libtirpc, we don't use it - Remove pam_lastlog from sshd PAM config. sshd is doing the same, too, which leads to e.g. duplicate entries in wtmp [bsc#1208243]
TB Adm (tbadm)
committed
(revision 1)
Displaying all 12 revisions
