Overview

Request 398334 revoked

- Maintenance update
  * Correctly parse GSSAPI KEX algorithms (bsc#961368)
  * Sanitise input for xauth(1) (bsc#970632, CVE-2016-3115)
    [-sanitise_xauth_input]
  * prevent X11 SECURITY circumvention when forwarding X11
    connections (bsc#962313, CVE-2016-1908)
    [-untrusted_X_forwarding]
  * FIPS patches from certified SLE-12 package with relaxed
    failure mode (FIPS checksum mismatch doesn't result in the
    binary shutting down)
    [-fips, -fips-checks, -fips-checks-softening]
  * more verbose FIPS mode/CC related documentation in README.FIPS
    (bsc#965576, bsc#960414)
  * fix PRNG re-seeding (bsc#960414, bsc#729190)
  * Disable DH parameters under 2048 bits by default and allow
    lowering the limit back to the RFC 4419 specified minimum
    through an option (bsc#932483, bsc#948902)
    [-disable_short_DH_parameters, -remove_moduli_under_1536b]
  * ignore PAM environment when using login
    (bsc#975865, CVE-2015-8325)
    [-ignore_PAM_with_UseLogin]
  * better timeouting of X11 forwards (CVE-2015-5352/bsc#936695)
    [-X11_forwarding_timeout] and hardening of ssh-agent(1)
    locking (bsc#936695) [-agent_locking_hardening]
  * disable access to procfs from sftp (bsc#903649)
    [-sftp_procfs_restrictions]
  * Allow each keyboard authentication method to be used only
    once per login (CVE-2015-5600/bsc#938746)
    [-use_each_kbd_method_just_once]
  * Don't resend username to PAM, it can be misused for privilege

Request History
Petr Cerny (pcerny) created request


Maintenance Bot (maintbot) accepted review

accepted


Maintenance Bot (maintbot) approved review

accepted


Sebastian Krahmer (krahmer) declined request

no patch filenames


Petr Cerny (pcerny) revoked request

The source project 'home:pcerny:13.2' has been removed
