Dominique Leuenberger (dimstar_suse) accepted request 611071 from Petr Cerny (pcerny) about 6 years ago (revision 118)

- Upgrade to 7.7p1 (bsc#1094068)

- Upgrade to 7.7p1 (bsc#1094068)
  Most important changes (more details below):
  * Drop compatibility support for pre-2001 SSH implementations
  * sshd(1) does not load DSA keys by default
  Distilled upstream log:
  ---- Potentially-incompatible changes
  * ssh(1)/sshd(8): Drop compatibility support for some very old
    SSH implementations, including ssh.com <=2.* and OpenSSH <=
    3.*.  These versions were all released in or before 2001 and
    predate the final SSH RFCs. The support in question isn't
    necessary for RFC-compliant SSH implementations.
  ---- New Features
  * experimental support for PQC XMSS keys (Extended Hash-Based
    Signatures), not compiled in by default.
  * sshd(8): Add a "rdomain" criteria for the sshd_config Match
    keyword to allow conditional configuration that depends on
    which routing domain a connection was received on (currently
    supported on OpenBSD and Linux).
  * sshd_config(5): Add an optional rdomain qualifier to the
    ListenAddress directive to allow listening on different
    routing domains. This is supported only on OpenBSD and Linux
    at present.
  * sshd_config(5): Add RDomain directive to allow the
    authenticated session to be placed in an explicit routing
    domain. This is only supported on OpenBSD at present.
  * sshd(8): Add "expiry-time" option for authorized_keys files
    to allow for expiring keys.
  * ssh(1): Add a BindInterface option to allow binding the (forwarded request 611002 from pcerny)

• Files Changed
• Browse Source

Dominique Leuenberger (dimstar_suse) accepted request 603107 from Petr Cerny (pcerny) about 6 years ago (revision 117)

- Use TIRPC on suse_version >= 1500: sunrpc is deprecated and
  should be replaced by TIRPC.

This has several effects:
* We get RPC support back... from build log in oS:F/standard:

[   48s] checking rpc/types.h usability... no
[   48s] checking rpc/types.h presence... no
[   48s] checking for rpc/types.h... no

vs this branch:
[   50s] checking rpc/types.h usability... yes
[   50s] checking rpc/types.h presence... yes
[   50s] checking for rpc/types.h... yes

AND as a side-effect, FALSE for ldapbody.c is now defined (not the
  nicest of side-effects, but seems that ldap patch relies on RPC
  headers to be included.

So all in all: this fixes the build failures for openSUSE Tumblewee (forwarded request 602971 from dimstar)

• Files Changed
• Browse Source

Dominique Leuenberger (dimstar_suse) accepted request 593882 from mrdocs about 6 years ago (revision 116)

• Files Changed
• Browse Source

Dominique Leuenberger (dimstar_suse) accepted request 583081 from Marcus Meissner (msmeissn) over 6 years ago (revision 115)

- add OpenSSL 1.0 to 1.1 shim to remove dependency on old OpenSSL
  (update tracker: bsc#1080779)

• Files Changed
• Browse Source

Dominique Leuenberger (dimstar_suse) accepted request 571577 from Petr Cerny (pcerny) over 6 years ago (revision 114)

- .spec file cleanup

- upgrade to 7.6p1
  see main package changelog for details

- Add missing crypto hardware enablement patches for IBM mainframes
  (FATE#323902)

- add missing part of systemd integration (unit type) (forwarded request 571576 from pcerny)

• Files Changed
• Browse Source

Dominique Leuenberger (dimstar_suse) accepted request 567941 from mrdocs over 6 years ago (revision 113)

• Files Changed
• Browse Source

Dominique Leuenberger (dimstar_suse) accepted request 563834 from Petr Cerny (pcerny) over 6 years ago (revision 112)

- Replace forgotten references to /var/adm/fillup-templates
  with new %_fillupdir macro (boo#1069468)
- tighten configuration access rights (forwarded request 563833 from pcerny)

• Files Changed
• Browse Source

Dominique Leuenberger (dimstar_suse) accepted request 536831 from Dirk Mueller (dirkmueller) over 6 years ago (revision 111)

1

• Files Changed
• Browse Source

Dominique Leuenberger (dimstar_suse) accepted request 500282 from Petr Cerny (pcerny) about 7 years ago (revision 110)

- require OpenSSL < 1.1 where that one is a default (forwarded request 500281 from pcerny)

• Files Changed
• Browse Source

Dominique Leuenberger (dimstar_suse) accepted request 461303 from Dirk Mueller (dirkmueller) over 7 years ago (revision 109)

1

• Files Changed
• Browse Source

Dominique Leuenberger (dimstar_suse) accepted request 433780 from Petr Cerny (pcerny) over 7 years ago (revision 108)

- remaining patches that were still missing
  since the update to 7.2p2 (FATE#319675):
  [openssh-7.2p2-disable_openssl_abi_check.patch]
- fix forwarding with IPv6 addresses in DISPLAY (bnc#847710)
  [openssh-7.2p2-IPv6_X_forwarding.patch]
- ignore PAM environment when using login
  (bsc#975865, CVE-2015-8325)
  [openssh-7.2p2-ignore_PAM_with_UseLogin.patch]
- limit accepted password length (prevents possible DoS)
  (bsc#992533, CVE-2016-6515)
  [openssh-7.2p2-limit_password_length.patch]
- Prevent user enumeration through the timing of password
  processing (bsc#989363, CVE-2016-6210)
  [openssh-7.2p2-prevent_timing_user_enumeration.patch]
- Add auditing for PRNG re-seeding
  [openssh-7.2p2-audit_seed_prng.patch] (forwarded request 433779 from pcerny)

• Files Changed
• Browse Source

Dominique Leuenberger (dimstar_suse) accepted request 428545 from Petr Cerny (pcerny) over 7 years ago (revision 107)

- FIPS compatibility (no selfchecks, only crypto restrictions)
  [openssh-7.2p2-fips.patch]
- PRNG re-seeding
  [openssh-7.2p2-seed-prng.patch]
- preliminary version of GSSAPI KEX
  [openssh-7.2p2-gssapi_key_exchange.patch] (forwarded request 428544 from pcerny)

• Files Changed
• Browse Source

Dominique Leuenberger (dimstar_suse) accepted request 415094 from Marcus Meissner (msmeissn) almost 8 years ago (revision 106)

- fixed url

- upgrade to 7.2p2

- changing license to 2-clause BSD to match source

- added gpg signature 

- enable support for SSHv1 protocol and discourage its usage
  (bsc#983307)
- enable DSA by default for backward compatibility and discourage
  its usage (bsc#983784)
  [openssh-7.2p2-allow_DSS_by_default.patch]

- enable trusted X11 forwarding by default
  [openssh-7.2p2-X11_trusted_forwarding.patch]
- set UID for lastlog properly 
  [openssh-7.2p2-lastlog.patch]
- enable use of PAM by default 
  [openssh-7.2p2-enable_PAM_by_default.patch]
- copy command line arguments properly 
  [openssh-7.2p2-saveargv-fix.patch]
- do not use pthreads in PAM code 
  [openssh-7.2p2-dont_use_pthreads_in_PAM.patch]
- fix paths in documentation 
  [openssh-7.2p2-eal3.patch]
- prevent race consitions triggered by SIGALRM 
  [openssh-7.2p2-blocksigalrm.patch]
- do send and accept locale environment variables by default
  [openssh-7.2p2-send_locale.patch]

• Files Changed
• Browse Source

Dominique Leuenberger (dimstar_suse) accepted request 392910 from Petr Cerny (pcerny) about 8 years ago (revision 105)

fix broken seccomp sandbox (forwarded request 392909 from pcerny)

• Files Changed
• Browse Source

Dominique Leuenberger (dimstar_suse) accepted request 386262 from Marcus Meissner (msmeissn) about 8 years ago (revision 104)

1

• Files Changed
• Browse Source

Dominique Leuenberger (dimstar_suse) accepted request 353732 from Ismail Dönmez (namtrac) over 8 years ago (revision 103)

1

• Files Changed
• Browse Source

Dominique Leuenberger (dimstar_suse) accepted request 282346 from Factory Maintainer (factory-maintainer) over 9 years ago (revision 102)

Automatic submission by obs-autosubmit

• Files Changed
• Browse Source

Dominique Leuenberger (dimstar_suse) accepted request 266606 from Marcus Meissner (msmeissn) over 9 years ago (revision 101)

1

• Files Changed
• Browse Source

Stephan Kulow (coolo) accepted request 255040 from Andrey Karepin (EGDFree) over 9 years ago (revision 100)

1

• Files Changed
• Browse Source

Adrian Schröter (adrianSuSE) committed almost 10 years ago (revision 99)

Split 13.2 from Factory

• Files Changed
• Browse Source