SLFO-pool/openssh
SHA256
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Sync from SUSE:SLFO:Main openssh revision 4067d74684558f5cec75d724a4170215

Browse Source
This commit is contained in:
Adrian Schröter 2025-02-25 17:21:27 +01:00
parent 094cd910aa
commit 27b76bf9b3
11 changed files with 76 additions and 517 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
0001-fix-utmpx-ifdef.patch
View File

@ -1,36 +0,0 @@
From c7fda601186ff28128cfe3eab9c9c0622de096e1 Mon Sep 17 00:00:00 2001
From: Christoph Ostarek <christoph@zededa.com>
Date: Wed, 3 Jul 2024 12:46:59 +0200
Subject: fix utmpx ifdef
02e16ad95fb1f56ab004b01a10aab89f7103c55d did a copy-paste for
utmpx, but forgot to change the ifdef appropriately
---
loginrec.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/loginrec.c b/loginrec.c
index 7460bb2c..45f13dee 100644
--- a/loginrec.c
+++ b/loginrec.c
@@ -723,7 +723,7 @@ set_utmpx_time(struct logininfo *li, struct utmpx *utx)
void
construct_utmpx(struct logininfo *li, struct utmpx *utx)
{
-# ifdef HAVE_ADDR_V6_IN_UTMP
+# ifdef HAVE_ADDR_V6_IN_UTMPX
struct sockaddr_in6 *sa6;
# endif
memset(utx, '\0', sizeof(*utx));
@@ -769,7 +769,7 @@ construct_utmpx(struct logininfo *li, struct utmpx *utx)
if (li->hostaddr.sa.sa_family == AF_INET)
utx->ut_addr = li->hostaddr.sa_in.sin_addr.s_addr;
# endif
-# ifdef HAVE_ADDR_V6_IN_UTMP
+# ifdef HAVE_ADDR_V6_IN_UTMPX
/* this is just a 128-bit IPv6 address */
if (li->hostaddr.sa.sa_family == AF_INET6) {
sa6 = ((struct sockaddr_in6 *)&li->hostaddr.sa);
--
cgit v1.2.3

291
0002-upstream-fix-regression-introduced-when-I-switched-the-Match.patch
View File

@ -1,291 +0,0 @@
From 66878e12a207fa9746dee3e2bdcca29b704cf035 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Wed, 25 Sep 2024 01:24:04 +0000
Subject: upstream: fix regression introduced when I switched the "Match"
criteria tokeniser to a more shell-like one. Apparently the old tokeniser
(accidentally?) allowed "Match criteria=argument" as well as the "Match
criteria argument" syntax that we tested for.
People were using this syntax so this adds back support for
"Match criteria=argument"
bz3739 ok dtucker
OpenBSD-Commit-ID: d1eebedb8c902002b75b75debfe1eeea1801f58a
---
misc.c | 23 ++++++++++++++++++++++-
misc.h | 3 ++-
readconf.c | 28 +++++++++++++++++++++++-----
servconf.c | 57 ++++++++++++++++++++++++++++++++++++++++++---------------
4 files changed, 89 insertions(+), 22 deletions(-)
diff --git a/misc.c b/misc.c
index afdf5142..1b4b55c5 100644
--- a/misc.c
+++ b/misc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: misc.c,v 1.196 2024/06/06 17:15:25 djm Exp $ */
+/* $OpenBSD: misc.c,v 1.197 2024/09/25 01:24:04 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2005-2020 Damien Miller. All rights reserved.
@@ -107,6 +107,27 @@ rtrim(char *s)
}
}
+/*
+ * returns pointer to character after 'prefix' in 's' or otherwise NULL
+ * if the prefix is not present.
+ */
+const char *
+strprefix(const char *s, const char *prefix, int ignorecase)
+{
+ size_t prefixlen;
+
+ if ((prefixlen = strlen(prefix)) == 0)
+ return s;
+ if (ignorecase) {
+ if (strncasecmp(s, prefix, prefixlen) != 0)
+ return NULL;
+ } else {
+ if (strncmp(s, prefix, prefixlen) != 0)
+ return NULL;
+ }
+ return s + prefixlen;
+}
+
/* set/unset filedescriptor to non-blocking */
int
set_nonblock(int fd)
diff --git a/misc.h b/misc.h
index 11340389..efecdf1a 100644
--- a/misc.h
+++ b/misc.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: misc.h,v 1.109 2024/06/06 17:15:25 djm Exp $ */
+/* $OpenBSD: misc.h,v 1.110 2024/09/25 01:24:04 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -56,6 +56,7 @@ struct ForwardOptions {
char *chop(char *);
void rtrim(char *);
void skip_space(char **);
+const char *strprefix(const char *, const char *, int);
char *strdelim(char **);
char *strdelimw(char **);
int set_nonblock(int);
diff --git a/readconf.c b/readconf.c
index 3d9cc6db..de42fb6f 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.390 2024/09/15 00:57:36 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.391 2024/09/25 01:24:04 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -710,7 +710,7 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
struct passwd *pw, const char *host_arg, const char *original_host,
int final_pass, int *want_final_pass, const char *filename, int linenum)
{
- char *arg, *oattrib, *attrib, *cmd, *host, *criteria;
+ char *arg, *oattrib, *attrib = NULL, *cmd, *host, *criteria;
const char *ruser;
int r, this_result, result = 1, attributes = 0, negate;
@@ -731,7 +731,8 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
debug2("checking match for '%s' host %s originally %s",
full_line, host, original_host);
- while ((oattrib = attrib = argv_next(acp, avp)) != NULL) {
+ while ((oattrib = argv_next(acp, avp)) != NULL) {
+ attrib = xstrdup(oattrib);
/* Terminate on comment */
if (*attrib == '#') {
argv_consume(acp);
@@ -777,9 +778,23 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
this_result ? "" : "not ", oattrib);
continue;
}
+
+ /* Keep this list in sync with below */
+ if (strprefix(attrib, "host=", 1) != NULL ||
+ strprefix(attrib, "originalhost=", 1) != NULL ||
+ strprefix(attrib, "user=", 1) != NULL ||
+ strprefix(attrib, "localuser=", 1) != NULL ||
+ strprefix(attrib, "localnetwork=", 1) != NULL ||
+ strprefix(attrib, "tagged=", 1) != NULL ||
+ strprefix(attrib, "exec=", 1) != NULL) {
+ arg = strchr(attrib, '=');
+ *(arg++) = '\0';
+ } else {
+ arg = argv_next(acp, avp);
+ }
+
/* All other criteria require an argument */
- if ((arg = argv_next(acp, avp)) == NULL ||
- *arg == '\0' || *arg == '#') {
+ if (arg == NULL || *arg == '\0' || *arg == '#') {
error("Missing Match criteria for %s", attrib);
result = -1;
goto out;
@@ -856,6 +871,8 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
criteria == NULL ? "" : criteria,
criteria == NULL ? "" : "\"");
free(criteria);
+ free(attrib);
+ attrib = NULL;
}
if (attributes == 0) {
error("One or more attributes required for Match");
@@ -865,6 +882,7 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
out:
if (result != -1)
debug2("match %sfound", result ? "" : "not ");
+ free(attrib);
free(host);
return result;
}
diff --git a/servconf.c b/servconf.c
index 89b8413e..dd774f46 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.418 2024/09/15 03:09:44 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.419 2024/09/25 01:24:04 djm Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@@ -1033,7 +1033,7 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
int line, struct connection_info *ci)
{
int result = 1, attributes = 0, port;
- char *arg, *attrib;
+ char *arg, *attrib = NULL, *oattrib;
if (ci == NULL)
debug3("checking syntax for 'Match %s'", full_line);
@@ -1047,7 +1047,8 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
ci->laddress ? ci->laddress : "(null)", ci->lport);
}
- while ((attrib = argv_next(acp, avp)) != NULL) {
+ while ((oattrib = argv_next(acp, avp)) != NULL) {
+ attrib = xstrdup(oattrib);
/* Terminate on comment */
if (*attrib == '#') {
argv_consume(acp); /* mark all arguments consumed */
@@ -1062,11 +1063,13 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
*arg != '\0' && *arg != '#')) {
error("'all' cannot be combined with other "
"Match attributes");
- return -1;
+ result = -1;
+ goto out;
}
if (arg != NULL && *arg == '#')
argv_consume(acp); /* consume remaining args */
- return 1;
+ result = 1;
+ goto out;
}
/* Criterion "invalid-user" also has no argument */
if (strcasecmp(attrib, "invalid-user") == 0) {
@@ -1078,11 +1081,26 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
debug("matched invalid-user at line %d", line);
continue;
}
+
+ /* Keep this list in sync with below */
+ if (strprefix(attrib, "user=", 1) != NULL ||
+ strprefix(attrib, "group=", 1) != NULL ||
+ strprefix(attrib, "host=", 1) != NULL ||
+ strprefix(attrib, "address=", 1) != NULL ||
+ strprefix(attrib, "localaddress=", 1) != NULL ||
+ strprefix(attrib, "localport=", 1) != NULL ||
+ strprefix(attrib, "rdomain=", 1) != NULL) {
+ arg = strchr(attrib, '=');
+ *(arg++) = '\0';
+ } else {
+ arg = argv_next(acp, avp);
+ }
+
/* All other criteria require an argument */
- if ((arg = argv_next(acp, avp)) == NULL ||
- *arg == '\0' || *arg == '#') {
+ if (arg == NULL || *arg == '\0' || *arg == '#') {
error("Missing Match criteria for %s", attrib);
- return -1;
+ result = -1;
+ goto out;
}
if (strcasecmp(attrib, "user") == 0) {
if (ci == NULL || (ci->test && ci->user == NULL)) {
@@ -1105,7 +1123,8 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
match_test_missing_fatal("Group", "user");
switch (match_cfg_line_group(arg, line, ci->user)) {
case -1:
- return -1;
+ result = -1;
+ goto out;
case 0:
result = 0;
}
@@ -1141,7 +1160,8 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
result = 0;
break;
case -2:
- return -1;
+ result = -1;
+ goto out;
}
} else if (strcasecmp(attrib, "localaddress") == 0){
if (ci == NULL || (ci->test && ci->laddress == NULL)) {
@@ -1166,13 +1186,15 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
result = 0;
break;
case -2:
- return -1;
+ result = -1;
+ goto out;
}
} else if (strcasecmp(attrib, "localport") == 0) {
if ((port = a2port(arg)) == -1) {
error("Invalid LocalPort '%s' on Match line",
arg);
- return -1;
+ result = -1;
+ goto out;
}
if (ci == NULL || (ci->test && ci->lport == -1)) {
result = 0;
@@ -1200,16 +1222,21 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
debug("user %.100s matched 'RDomain %.100s' at "
"line %d", ci->rdomain, arg, line);
} else {
- error("Unsupported Match attribute %s", attrib);
- return -1;
+ error("Unsupported Match attribute %s", oattrib);
+ result = -1;
+ goto out;
}
+ free(attrib);
+ attrib = NULL;
}
if (attributes == 0) {
error("One or more attributes required for Match");
return -1;
}
- if (ci != NULL)
+ out:
+ if (ci != NULL && result != -1)
debug3("match %sfound", result ? "" : "not ");
+ free(attrib);
return result;
}
--
cgit v1.2.3

65
0003-upstream-fix-previous-change-to-ssh_config-Match_-which-broken-on.patch
View File

@ -1,65 +0,0 @@
From 19bcb2d90c6caf14abf386b644fb24eb7afab889 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Thu, 26 Sep 2024 23:55:08 +0000
Subject: upstream: fix previous change to ssh_config Match, which broken on
negated Matches; spotted by phessler@ ok deraadt@
OpenBSD-Commit-ID: b1c6acec66cd5bd1252feff1d02ad7129ced37c7
---
readconf.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/readconf.c b/readconf.c
index de42fb6f..9f559269 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.391 2024/09/25 01:24:04 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.392 2024/09/26 23:55:08 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -710,7 +710,7 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
struct passwd *pw, const char *host_arg, const char *original_host,
int final_pass, int *want_final_pass, const char *filename, int linenum)
{
- char *arg, *oattrib, *attrib = NULL, *cmd, *host, *criteria;
+ char *arg, *oattrib = NULL, *attrib = NULL, *cmd, *host, *criteria;
const char *ruser;
int r, this_result, result = 1, attributes = 0, negate;
@@ -731,8 +731,8 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
debug2("checking match for '%s' host %s originally %s",
full_line, host, original_host);
- while ((oattrib = argv_next(acp, avp)) != NULL) {
- attrib = xstrdup(oattrib);
+ while ((attrib = argv_next(acp, avp)) != NULL) {
+ attrib = oattrib = xstrdup(attrib);
/* Terminate on comment */
if (*attrib == '#') {
argv_consume(acp);
@@ -871,8 +871,8 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
criteria == NULL ? "" : criteria,
criteria == NULL ? "" : "\"");
free(criteria);
- free(attrib);
- attrib = NULL;
+ free(oattrib);
+ oattrib = attrib = NULL;
}
if (attributes == 0) {
error("One or more attributes required for Match");
@@ -882,7 +882,7 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
out:
if (result != -1)
debug2("match %sfound", result ? "" : "not ");
- free(attrib);
+ free(oattrib);
free(host);
return result;
}
--
cgit v1.2.3

94
0004-upstream-fix-ML-KEM768x25519-KEX-on-big-endian-systems-spotted-by.patch
View File

@ -1,94 +0,0 @@
From 11f348196b3fb51c3d8d1f4f36db9d73f03149ed Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Sun, 27 Oct 2024 02:06:01 +0000
Subject: upstream: fix ML-KEM768x25519 KEX on big-endian systems; spotted by
jsg@ feedback/ok deraadt@
OpenBSD-Commit-ID: 26d81a430811672bc762687166986cad40d28cc0
---
libcrux_mlkem768_sha3.h | 8 +++++---
mlkem768.sh | 17 ++++++++++++-----
2 files changed, 17 insertions(+), 8 deletions(-)
diff --git a/libcrux_mlkem768_sha3.h b/libcrux_mlkem768_sha3.h
index a82d60e8..b8ac1436 100644
--- a/libcrux_mlkem768_sha3.h
+++ b/libcrux_mlkem768_sha3.h
@@ -1,4 +1,5 @@
-/* $OpenBSD: libcrux_mlkem768_sha3.h,v 1.1 2024/09/02 12:13:56 djm Exp $ */
+/* $OpenBSD: libcrux_mlkem768_sha3.h,v 1.2 2024/10/27 02:06:01 djm Exp $ */
+
/* Extracted from libcrux revision 84c5d87b3092c59294345aa269ceefe0eb97cc35 */
/*
@@ -160,18 +161,19 @@ static inline void Eurydice_slice_to_array3(uint8_t *dst_tag, char *dst_ok,
// CORE STUFF (conversions, endianness, ...)
static inline void core_num__u64_9__to_le_bytes(uint64_t v, uint8_t buf[8]) {
+ v = htole64(v);
memcpy(buf, &v, sizeof(v));
}
static inline uint64_t core_num__u64_9__from_le_bytes(uint8_t buf[8]) {
uint64_t v;
memcpy(&v, buf, sizeof(v));
- return v;
+ return le64toh(v);
}
static inline uint32_t core_num__u32_8__from_le_bytes(uint8_t buf[4]) {
uint32_t v;
memcpy(&v, buf, sizeof(v));
- return v;
+ return le32toh(v);
}
static inline uint32_t core_num__u8_6__count_ones(uint8_t x0) {
diff --git a/mlkem768.sh b/mlkem768.sh
index 2fdc2831..3d12b2ed 100644
--- a/mlkem768.sh
+++ b/mlkem768.sh
@@ -1,9 +1,10 @@
#!/bin/sh
-# $OpenBSD: mlkem768.sh,v 1.2 2024/09/04 05:11:33 djm Exp $
+# $OpenBSD: mlkem768.sh,v 1.3 2024/10/27 02:06:01 djm Exp $
# Placed in the Public Domain.
#
-WANT_LIBCRUX_REVISION="origin/main"
+#WANT_LIBCRUX_REVISION="origin/main"
+WANT_LIBCRUX_REVISION="84c5d87b3092c59294345aa269ceefe0eb97cc35"
FILES="
libcrux/libcrux-ml-kem/cg/eurydice_glue.h
@@ -47,6 +48,7 @@ echo '#define KRML_NOINLINE __attribute__((noinline, unused))'
echo '#define KRML_HOST_EPRINTF(...)'
echo '#define KRML_HOST_EXIT(x) fatal_f("internal error")'
echo
+
for i in $FILES; do
echo "/* from $i */"
# Changes to all files:
@@ -56,11 +58,16 @@ for i in $FILES; do
-e 's/[ ]*$//' \
$i | \
case "$i" in
- # XXX per-file handling goes here.
+ */libcrux-ml-kem/cg/eurydice_glue.h)
+ # Replace endian functions with versions that work.
+ perl -0777 -pe 's/(static inline void core_num__u64_9__to_le_bytes.*\n)([^}]*\n)/\1 v = htole64(v);\n\2/' |
+ perl -0777 -pe 's/(static inline uint64_t core_num__u64_9__from_le_bytes.*?)return v;/\1return le64toh(v);/s' |
+ perl -0777 -pe 's/(static inline uint32_t core_num__u32_8__from_le_bytes.*?)return v;/\1return le32toh(v);/s'
+ ;;
# Default: pass through.
*)
- cat
- ;;
+ cat
+ ;;
esac
echo
done
--
cgit v1.2.3

BIN
openssh-9.9p1.tar.gz (Stored with Git LFS)
View File

Binary file not shown.

16
openssh-9.9p1.tar.gz.asc
View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmbspccACgkQKj9BTnNg
YLppxRAAv7eU/Xd2w9MX9vWQdhugiPByEcKg7KuKXUUs9xJGy+HbLqPqUCvn1UW6
qodKoSAdeBuSB7AjzuIQ1lTVX7C67OmZaVPRq25ar5b+Wq4SSlv23KMRq0b4EVyw
pOW6R9tsxqYBwYaiXQ50APcYL8SpepnGU+b/iR15f7q3SU2XMVVtkVb149UdLOqK
smfurbDGwUKFb2Q009MUfEV/d9zq31tdSjphvkqAXCcmxc8siuOYWYcByuysie+m
NpaOpee0047L5JIxNSLsa2yZrJZhClP8LbTCH1Vfwr7l0KE5nvL2qAtPKI2XxGQC
3jXrDLzp10RFxV8sCym+QlY9pZyzGj9d3G7vCHtxWGQ1Y0Qt+xs18OeBpjiehRhl
WM3Y+cjoN35jBaGhOoHdh3ePZQdTUyZ16aSv0h/cUHOohiM7i/4XW+dQtkqsJsw4
a81O0E64WrL8ho3Ju9mwcVZ9A0aEaftJsmJPDB+qYBjF/i7xcnH32LginzP5pel7
/W0aS2C1ZNo3QKHezI6IA9MyENMZiAMy2ybvfmN0HgLBaBY1plJ8a5GvMwJc+Qwh
iCHLCQ6Qgf/1hh+F6liTXnhtedtFHneJdyqvd7XOoardDEipZjxcnGa4HthbDFU+
8XdHKnWWhn4BLA+y7KB3ZGURniQK+qibwkF6J63CuMU+LmG+bvQ=
=Ukrb
-----END PGP SIGNATURE-----

BIN
openssh-9.9p2.tar.gz (Stored with Git LFS) Normal file
View File

Binary file not shown.

16
openssh-9.9p2.tar.gz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAme0QfUACgkQKj9BTnNg
YLo91A/7BcRjsaDO7VydmhkGWrQOtD/7p4LaSjJE8JY23YsEVRvOkUKJ8OPo7uVq
LxcpDqlaVxHSO/zVfgZg4tQHJct4MLp20PvokMCi6+k7GcioL+TOB19ON0FAx/Pq
vgUWv7jd7w0kT/Rpkygtrg4i0oFf2lg5cJEGFTHAuXsny+Sj+vmcCk92K2TW4e/8
tKgBsZrN7qVnmOAUeyAxFLZ7WiDVzfLTlPiVOfrGjEkbzNLiavjiCGBhGspkluRi
16O5txRp248FqlLgv42sgfUmJOqLSuSNchqk5ioB/9lHia5tDFG/d/4uNP/ELX6M
cAKvs0C0XV3QZxCxBQDL7/49YMsdFnbRIin86mPcahqb75ZpkK9rIgHuKhpgY8Jo
q8WlIPehai3vBWAkpFAsPWOZZwjd6a4C/YmD3pGyjH32rL6gxdHjKGs49nhKkDG9
izwIeCmNu3Ta+e/wEPcOBSX75bFfC83f51yhJb6PUvBl9OSm/L0LeoszmsKWd32j
Iu19zqlabAH7zZSEl1ZWd6Ct0X5XOEaOXGamz5Qw7XIEqfYmQyX/aY5M3/mWmq0K
1Z29MCEtFOirIiwcwUw80d4MCIIEol26M97Y00ZmZMBO7bCoCVr8FldHBfqbHBtC
dTdqesVDiRD/j5VZ3y/MgYo5e13F2OvtdCbvUi3DF2Uh5Rnk2nw=
=r4jr
-----END PGP SIGNATURE-----

2
openssh-askpass-gnome.spec
View File

@ -18,7 +18,7 @@
%define _name openssh
Name: openssh-askpass-gnome
Version: 9.9p1
Version: 9.9p2
Release: 0
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
License: BSD-2-Clause

51
openssh.changes
View File

@ -1,3 +1,54 @@
-------------------------------------------------------------------
Tue Feb 18 09:15:48 UTC 2025 - Antonio Larrosa <alarrosa@suse.com>
- Update to openssh 9.9p2:
= Security
* Fix CVE-2025-26465 - ssh(1) in OpenSSH versions 6.8p1 to 9.9p1
(inclusive) contained a logic error that allowed an on-path
attacker (a.k.a MITM) to impersonate any server when the
VerifyHostKeyDNS option is enabled. This option is off by
default.
* Fix CVE-2025-26466 - sshd(8) in OpenSSH versions 9.5p1 to 9.9p1
(inclusive) is vulnerable to a memory/CPU denial-of-service
related to the handling of SSH2_MSG_PING packets. This
condition may be mitigated using the existing
PerSourcePenalties feature.
Both vulnerabilities were discovered and demonstrated to be
exploitable by the Qualys Security Advisory team. The openSSH
team thanks them for their detailed review of OpenSSH.
= Bugfixes
* ssh(1), sshd(8): fix regression in Match directive that caused
failures when predicates and their arguments were separated by
'=' characters instead of whitespace (bz3739).
* sshd(8): fix the "Match invalid-user" predicate, which was
matching incorrectly in the initial pass of config evaluation.
* ssh(1), sshd(8), ssh-keyscan(1): fix mlkem768x25519-sha256 key
exchange on big-endian systems.
* Fix a number of build problems on particular operating systems
and configurations.
- Remove patches that are already included in 9.9p2:
* 0001-fix-utmpx-ifdef.patch
* 0002-upstream-fix-regression-introduced-when-I-switched-the-Match.patch
* 0003-upstream-fix-previous-change-to-ssh_config-Match_-which-broken-on.patch
* 0004-upstream-fix-ML-KEM768x25519-KEX-on-big-endian-systems-spotted-by.patch
* fix-CVE-2025-26465-and-CVE-2025-26466.patch
-------------------------------------------------------------------
Thu Feb 13 11:29:19 UTC 2025 - Antonio Larrosa <alarrosa@suse.com>
- Fix a MitM attack against OpenSSH's VerifyHostKeyDNS-enabled
client and a DoS attack against OpenSSH's client and server
(bsc#1237040, CVE-2025-26465, bsc#1237041, CVE-2025-26466):
* fix-CVE-2025-26465-and-CVE-2025-26466.patch
-------------------------------------------------------------------
Wed Jan 22 15:25:28 UTC 2025 - Dominique Leuenberger <dimstar@opensuse.org>
- Drop rcFOO symlinks for CODE16 (PED-266).
-------------------------------------------------------------------
Mon Oct 28 11:18:04 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>

16
openssh.spec
View File

@ -51,7 +51,7 @@
%define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif
Name: openssh
Version: 9.9p1
Version: 9.9p2
Release: 0
Summary: Secure Shell Client and Server (Remote Login Program)
License: BSD-2-Clause AND MIT
@ -138,21 +138,11 @@ Patch103: openssh-6.6p1-privsep-selinux.patch
Patch104: openssh-6.6p1-keycat.patch
Patch105: openssh-6.6.1p1-selinux-contexts.patch
Patch106: openssh-7.6p1-cleanup-selinux.patch
# 200 - 300 -- Patches submitted to upstream
# PATCH-FIX-UPSTREAM -- https://github.com/openssh/openssh-portable/pull/452 boo#1229010
Patch200: 0001-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch
# PATCH-FIX-UPSTREAM -- https://bugzilla.mindrot.org/show_bug.cgi?id=3655#c4
Patch201: fix-x11-regression-bsc1229449.patch
# PATCH-FIX-UPSTREAM -- From the V_9_9 branch
Patch202: 0001-fix-utmpx-ifdef.patch
# PATCH-FIX-UPSTREAM -- From the V_9_9 branch
Patch203: 0002-upstream-fix-regression-introduced-when-I-switched-the-Match.patch
# PATCH-FIX-UPSTREAM -- From the V_9_9 branch
Patch204: 0003-upstream-fix-previous-change-to-ssh_config-Match_-which-broken-on.patch
# PATCH-FIX-UPSTREAM -- From the V_9_9 branch
Patch205: 0004-upstream-fix-ML-KEM768x25519-KEX-on-big-endian-systems-spotted-by.patch
# 1000 - 2000 -- Conditional patches
%if %{with crypto_policies}
# PATCH-FIX-OPENSUSE bsc#1211301 Add crypto-policies support
@ -434,7 +424,9 @@ install -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/slp.reg.d/
install -D -m 0644 %{SOURCE10} %{buildroot}%{_unitdir}/sshd.service
install -D -m 0644 %{SOURCE16} %{buildroot}%{_unitdir}/sshd@.service
install -D -m 0644 %{SOURCE17} %{buildroot}%{_unitdir}/sshd.socket
%if 0%{?suse_version} < 1600
ln -s service %{buildroot}%{_sbindir}/rcsshd
%endif
install -d -m 755 %{buildroot}%{_fillupdir}
install -m 644 %{SOURCE8} %{buildroot}%{_fillupdir}
# install shell script to automate the process of adding your public key to a remote machine
@ -618,7 +610,9 @@ test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ss
%files server
%attr(0755,root,root) %{_sbindir}/sshd
%if 0%{?suse_version} < 1600
%attr(0755,root,root) %{_sbindir}/rcsshd
%endif
%attr(0755,root,root) %{_sbindir}/sshd-gen-keys-start
%dir %attr(0755,root,root) %{_localstatedir}/lib/sshd
%dir %attr(0755,root,root) %{_sysconfdir}/ssh/sshd_config.d