Revisions of openssh
- Upgrade to 7.7p1 (bsc#1094068)
  Most important changes (more details below):
  * Drop compatibility support for pre-2001 SSH implementations
  * sshd(1) does not load DSA keys by default
  Distilled upstream log:
  ---- Potentially-incompatible changes
  * ssh(1)/sshd(8): Drop compatibility support for some very old SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*. These versions were all released in or before 2001 and predate the final SSH RFCs. The support in question isn't necessary for RFC-compliant SSH implementations.
  ---- New Features
  * experimental support for PQC XMSS keys (Extended Hash-Based Signatures), not compiled in by default.
  * sshd(8): Add a "rdomain" criteria for the sshd_config Match keyword to allow conditional configuration that depends on which routing domain a connection was received on (currently supported on OpenBSD and Linux).
  * sshd_config(5): Add an optional rdomain qualifier to the ListenAddress directive to allow listening on different routing domains. This is supported only on OpenBSD and Linux at present.
  * sshd_config(5): Add RDomain directive to allow the authenticated session to be placed in an explicit routing domain. This is only supported on OpenBSD at present.
  * sshd(8): Add "expiry-time" option for authorized_keys files to allow for expiring keys.
  * ssh(1): Add a BindInterface option to allow binding the
(forwarded request 611002 from pcerny)
- Use TIRPC on suse_version >= 1500: sunrpc is deprecated and should be replaced by TIRPC. This has several effects:
  * We get RPC support back... from build log in oS:F/standard:
    [ 48s] checking rpc/types.h usability... no
    [ 48s] checking rpc/types.h presence... no
    [ 48s] checking for rpc/types.h... no
    vs this branch:
    [ 50s] checking rpc/types.h usability... yes
    [ 50s] checking rpc/types.h presence... yes
    [ 50s] checking for rpc/types.h... yes
    AND as a side-effect, FALSE for ldapbody.c is now defined (not the nicest of side-effects, but seems that ldap patch relies on RPC headers to be included. So all in all: this fixes the build failures for openSUSE Tumblewee
(forwarded request 602971 from dimstar)
- add OpenSSL 1.0 to 1.1 shim to remove dependency on old OpenSSL (update tracker: bsc#1080779)
- .spec file cleanup
- upgrade to 7.6p1 see main package changelog for details
- Add missing crypto hardware enablement patches for IBM mainframes (FATE#323902)
- add missing part of systemd integration (unit type)
(forwarded request 571576 from pcerny)
- Replace forgotten references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)
- tighten configuration access rights
(forwarded request 563833 from pcerny)
- require OpenSSL < 1.1 where that one is a default (forwarded request 500281 from pcerny)
- remaining patches that were still missing since the update to 7.2p2 (FATE#319675): [openssh-7.2p2-disable_openssl_abi_check.patch]
- fix forwarding with IPv6 addresses in DISPLAY (bnc#847710) [openssh-7.2p2-IPv6_X_forwarding.patch]
- ignore PAM environment when using login (bsc#975865, CVE-2015-8325) [openssh-7.2p2-ignore_PAM_with_UseLogin.patch]
- limit accepted password length (prevents possible DoS) (bsc#992533, CVE-2016-6515) [openssh-7.2p2-limit_password_length.patch]
- Prevent user enumeration through the timing of password processing (bsc#989363, CVE-2016-6210) [openssh-7.2p2-prevent_timing_user_enumeration.patch]
- Add auditing for PRNG re-seeding [openssh-7.2p2-audit_seed_prng.patch]
(forwarded request 433779 from pcerny)
- FIPS compatibility (no selfchecks, only crypto restrictions) [openssh-7.2p2-fips.patch]
- PRNG re-seeding [openssh-7.2p2-seed-prng.patch]
- preliminary version of GSSAPI KEX [openssh-7.2p2-gssapi_key_exchange.patch]
(forwarded request 428544 from pcerny)
- fixed url
- upgrade to 7.2p2
- changing license to 2-clause BSD to match source
- added gpg signature
- enable support for SSHv1 protocol and discourage its usage (bsc#983307)
- enable DSA by default for backward compatibility and discourage its usage (bsc#983784) [openssh-7.2p2-allow_DSS_by_default.patch]
- enable trusted X11 forwarding by default [openssh-7.2p2-X11_trusted_forwarding.patch]
- set UID for lastlog properly [openssh-7.2p2-lastlog.patch]
- enable use of PAM by default [openssh-7.2p2-enable_PAM_by_default.patch]
- copy command line arguments properly [openssh-7.2p2-saveargv-fix.patch]
- do not use pthreads in PAM code [openssh-7.2p2-dont_use_pthreads_in_PAM.patch]
- fix paths in documentation [openssh-7.2p2-eal3.patch]
- prevent race conditions triggered by SIGALRM [openssh-7.2p2-blocksigalrm.patch]
- do send and accept locale environment variables by default [openssh-7.2p2-send_locale.patch]
fix broken seccomp sandbox (forwarded request 392909 from pcerny)
Automatic submission by obs-autosubmit
Displaying revisions 61 - 80 of 178