Revisions of openssh
Automatic submission by obs-autosubmit
Automatic submission by obs-autosubmit
- Version upgrade to 8.8p1
  * No changes for askpass, see main package changelog for details
- Version update to 8.8p1:
  = Security
  * sshd(8) from OpenSSH 6.2 through 8.7 failed to correctly initialise supplemental groups when executing an AuthorizedKeysCommand or AuthorizedPrincipalsCommand, where an AuthorizedKeysCommandUser or AuthorizedPrincipalsCommandUser directive has been set to run the command as a different user. Instead these commands would inherit the groups that sshd(8) was started with. Depending on system configuration, inherited groups may allow AuthorizedKeysCommand/AuthorizedPrincipalsCommand helper programs to gain unintended privilege. Neither AuthorizedKeysCommand nor AuthorizedPrincipalsCommand is enabled by default in sshd_config(5).
  = Potentially-incompatible changes
  * This release disables RSA signatures using the SHA-1 hash algorithm by default. This change has been made as the SHA-1 hash algorithm is cryptographically broken, and it is possible to create chosen-prefix hash collisions for <USD$50K. For most users, this change should be invisible and there is no need to replace ssh-rsa keys. OpenSSH has supported RFC8332 RSA/SHA-256/512 signatures since release 7.2 and existing ssh-rsa keys will automatically use the stronger algorithm where possible. Incompatibility is more likely when connecting to older SSH implementations that have not been upgraded or have not closely tracked improvements in the SSH protocol. For these cases, it may be necessary to selectively re-enable RSA/SHA1 to allow connection and/or user
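The supplemental-groups issue in the 8.8p1 security note above comes down to the order of the privilege drop: initgroups() must run before setgid()/setuid(), otherwise the child keeps the parent's groups. The following is an added example, not OpenSSH code: a hypothetical launcher (`drop_to_user`) that performs the drop correctly, plus a check (`supplementary_groups_match`) a helper started as AuthorizedKeysCommandUser can use to verify it did not inherit extra groups. The `main` assumes it is run as root with an existing user name as its only argument.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#define MAX_GROUPS 1024

/* Returns 1 if gid g appears in list[0..n), else 0. */
int gid_in_list(gid_t g, const gid_t *list, int n) {
    for (int i = 0; i < n; i++)
        if (list[i] == g) return 1;
    return 0;
}

/* Full drop to `pw`: supplementary groups first (the step the affected sshd
 * versions skipped, so helpers kept sshd's own groups), then primary gid,
 * then uid. Returns 0 on success, -1 on error. */
int drop_to_user(const struct passwd *pw) {
    if (initgroups(pw->pw_name, pw->pw_gid) != 0) return -1;
    if (setgid(pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1;
    if (pw->pw_uid != 0 && setuid(0) == 0) return -1; /* drop must be irreversible */
    return 0;
}

/* Order-insensitive comparison of this process's supplementary groups with
 * `expected`: 1 = same set, 0 = differs, -1 = getgroups() failed. A helper
 * can call this with the AuthorizedKeysCommandUser's own group list (from
 * getgrouplist()) and refuse to run if it inherited anything extra. */
int supplementary_groups_match(const gid_t *expected, int n_expected) {
    gid_t cur[MAX_GROUPS];
    int n = getgroups(MAX_GROUPS, cur);
    if (n < 0) return -1;
    for (int i = 0; i < n; i++)
        if (!gid_in_list(cur[i], expected, n_expected)) return 0;
    for (int i = 0; i < n_expected; i++)
        if (!gid_in_list(expected[i], cur, n)) return 0;
    return 1;
}

/* Usage: ./drop <user>  (run as root). Drops to <user>, then compares the
 * resulting groups with what the system says that user should have. */
int main(int argc, char **argv) {
    struct passwd *pw = argc == 2 ? getpwnam(argv[1]) : NULL;
    if (pw == NULL) { fprintf(stderr, "usage: %s <existing user>\n", argv[0]); return 2; }
    if (drop_to_user(pw) != 0) { perror("drop_to_user"); return 1; }
    gid_t want[MAX_GROUPS]; int nwant = MAX_GROUPS;
    if (getgrouplist(pw->pw_name, pw->pw_gid, want, &nwant) < 0) { perror("getgrouplist"); return 1; }
    int ok = supplementary_groups_match(want, nwant);
    printf("uid=%d gid=%d groups %s\n", (int)getuid(), (int)getgid(), ok == 1 ? "OK" : "DIFFER");
    return ok == 1 ? 0 : 1;
}
```

A quick manual cross-check on a running helper is `id -G`, which should list only the AuthorizedKeysCommandUser's groups and none of sshd's.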
- Don't move user-modified ssh_config and sshd_config files to .rpmsave on upgrade. (forwarded request 901581 from hpjansson)
- Change vendor configuration dir from /usr/share/ssh/ to /usr/etc/ssh/.
- Remove upgrade enablement hack. This has been fixed in systemd-rpm-macros (bsc#1180083). (forwarded request 887559 from hpjansson)
- Add openssh-whitelist-syscalls.patch (bsc#1182232), fixing failure to accept connections on 32-bit platforms with glibc 2.33+.
- Update openssh-8.1p1-audit.patch (bsc#1180501). This fixes occasional crashes on connection termination caused by accessing freed memory. (forwarded request 861491 from hpjansson)
- Support /usr/etc/pam.d (forwarded request 851366 from kukuk)
- Fix build breakage caused by missing security key objects:
  + Modify openssh-7.7p1-cavstest-ctr.patch.
  + Modify openssh-7.7p1-cavstest-kdf.patch.
  + Add openssh-link-with-sk.patch.
- Add openssh-fips-ensure-approved-moduli.patch (bsc#1177939). This ensures only approved DH parameters are used in FIPS mode.
- Add openssh-8.1p1-ed25519-use-openssl-rng.patch (bsc#1173799). This uses OpenSSL's RAND_bytes() directly instead of the internal ChaCha20-based implementation to obtain random bytes for Ed25519 curve computations. This is required for FIPS compliance. (forwarded request 849311 from hpjansson)
- Work around %service_add_post disabling sshd on upgrade with package name change (bsc#1177039).
- Use of DISABLE_RESTART_ON_UPDATE is deprecated. Replace it with %service_del_postun_without_restart (forwarded request 840337 from hpjansson)
- Fix fillup-template usage:
  + %post server needs to reference ssh (not sshd), which matches the sysconfig.ssh file name the package ships.
  + %post client does not need any fillup_ calls, as there is no client-relevant sysconfig file present.
  The naming of the sysconfig file (ssh instead of sshd) is unfortunate. (forwarded request 837497 from dimstar)
Displaying revisions 21 - 40 of 178