Accepting request 611002 from home:pcerny:factory

- Upgrade to 7.7p1 (bsc#1094068)

- Upgrade to 7.7p1 (bsc#1094068)
  Most important changes (more details below):
  * Drop compatibility support for pre-2001 SSH implementations
  * sshd(1) does not load DSA keys by default
  Distilled upstream log:
  ---- Potentially-incompatible changes
  * ssh(1)/sshd(8): Drop compatibility support for some very old
    SSH implementations, including ssh.com <=2.* and OpenSSH <=
    3.*.  These versions were all released in or before 2001 and
    predate the final SSH RFCs. The support in question isn't
    necessary for RFC-compliant SSH implementations.
  ---- New Features
  * experimental support for PQC XMSS keys (Extended Hash-Based
    Signatures), not compiled in by default.
  * sshd(8): Add a "rdomain" criteria for the sshd_config Match
    keyword to allow conditional configuration that depends on
    which routing domain a connection was received on (currently
    supported on OpenBSD and Linux).
  * sshd_config(5): Add an optional rdomain qualifier to the
    ListenAddress directive to allow listening on different
    routing domains. This is supported only on OpenBSD and Linux
    at present.
  * sshd_config(5): Add RDomain directive to allow the
    authenticated session to be placed in an explicit routing
    domain. This is only supported on OpenBSD at present.
  * sshd(8): Add "expiry-time" option for authorized_keys files
    to allow for expiring keys.
  * ssh(1): Add a BindInterface option to allow binding the

OBS-URL: https://build.opensuse.org/request/show/611002
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=145

openssh-7.6p1-SUSE_patches.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:13854b50b2b34c148cab87ea676226342d871d11d4670fe2f93514d61fbcf9b1
-size 151540

openssh-7.6p1.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:a323caeeddfe145baaa0db16e98d784b1fbc7dd436a6bf1f479dfd5cd1d21723
-size 1489788

openssh-7.6p1.tar.gz.asc

@@ -1,14 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQHDBAABCgAdFiEEWcIRjtIG2SfmZ+vj0+X1a22SDTAFAlnTtXUACgkQ0+X1a22S
-DTCQxgx+MJ1JjIWwVjXUxwpFfjj4aBv5xSqiKqwzGgVjnlmwtpTn+tqdGiACts3K
-46fh/8ujknJJ5lBIlWKBfqhKzC7A+gCBaFiLoXiad8Q3NIESbXGxRkuMe6jxFtR7
-SHidUjRqmn1kLCy1TSkj8mqg0/UZ5UZAJcsldQTmEAnxFVbK1l8CLB7vn4rJnj+v
-PdbtsSdw8ZHtakkoNHiqQD+mwy+FXY5QcN7IUEX2/E0hKx0wou1S/36j8k89UQf8
-Jbntg31N4EUOQ0fRwuxdRkHSUrJJpPgwWO4XgHw4u9yghsOCYr+X9Pa1+LCtL4PE
-o4+08UoD92VORzRETH5Cbtv1XmdUWrpHVHUjVORTgYxVgXbbnoDuzxfsrbfJRRLE
-NBsFxodltDxfdljL27PReBqpneWBxNJd6ruaY5wYxhu1qTEcszCGXuSd583TJ49b
-hhkWrk5+knErwFdDbtOy+l3L1pvxXvuyIuWl/aXaoVSPDwtPFui94Dl2G7QbSeEb
-PQDWU6PReeP+SRsMyYJSoxwgbZIzaQ==
-=K6iy
------END PGP SIGNATURE-----

openssh-7.7p1-SUSE_patches.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:87754e4234f7ed87e145cc61ea4c1e71121dd0ff10e28e86336f95033b8f7300
+size 147974

openssh-7.7p1.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d73be7e684e99efcd024be15a30bffcbe41b012b2f7b3c9084aed621775e6b8f
+size 1536900

openssh-7.7p1.tar.gz.asc

@@ -0,0 +1,14 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQHDBAABCgAdFiEEWcIRjtIG2SfmZ+vj0+X1a22SDTAFAlrBwh4ACgkQ0+X1a22S
+DTCqGwyAgQuR+5b6dAEK3PV3WnzuPSJ8KKnw3/HlqQw40QfWotVOX4+On3+yOYy+
+txjAWkbocjHa5/6IzKVU0y9GD3A0H7XwJAwjqqQg3pKD3kXyl7Lz5nkwWWICN0z+
+fU8HUwJv3SOhilD7XRZqWHUfSL69AR5CbYPraurMQWDNwHY0i4n3vDFp1WrSJx8q
+mcSgAEwucKavr3+PDm0MbmYINAqgqn1USVDalGy8U6ICnCyzXvu4o8gMuiGGwwKR
+Jlt2zCs5CBnF2LAaFgawwNh6NO/TOLvvNrW3zUm3s3DzLKqYtl4Jfs39Coii9LEE
+PqF8YFhgbzm+JPPe9/k5zBSEZOWwkzu33cXm7nC1rypt4PQVZLB8BvRE5HXE9QOx
+xpGi+BFVeMIMqjsW+nOAAdl4S+FNtzR/OABAhwRveLGMPMFRQ9/GqN5B1L9Wezut
+V/6SUUzQUyf5Kn6Gjo+ktJB1i7ufPTLSjH9eYjS/7Fn5cMdjF5iezOAzp3FNWXln
+cDZzHkVgrwqYqTKkekDFTwJD+q/QJQ==
+=gz3x
+-----END PGP SIGNATURE-----

openssh-askpass-gnome.changes

@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Mon May 21 15:19:03 UTC 2018 - pcerny@suse.com
+
+- Upgrade to 7.7p1 (bsc#1094068)
+
 -------------------------------------------------------------------
 Wed Jan 31 22:54:55 UTC 2018 - pcerny@suse.com
 

openssh-askpass-gnome.spec

@@ -19,7 +19,7 @@
 %define _name openssh
 Name:           openssh-askpass-gnome
 BuildRequires:  gtk2-devel
-Version:        7.6p1
+Version:        7.7p1
 Release:        0
 Requires:       %{_name} = %{version}
 Summary:        A GNOME-Based Passphrase Dialog for OpenSSH

openssh.changes

@@ -1,3 +1,109 @@
+-------------------------------------------------------------------
+Mon May 21 15:19:03 UTC 2018 - pcerny@suse.com
+
+- Upgrade to 7.7p1 (bsc#1094068)
+  Most important changes (more details below):
+  * Drop compatibility support for pre-2001 SSH implementations
+  * sshd(1) does not load DSA keys by default
+  Distilled upstream log:
+  ---- Potentially-incompatible changes
+  * ssh(1)/sshd(8): Drop compatibility support for some very old
+    SSH implementations, including ssh.com <=2.* and OpenSSH <=
+    3.*.  These versions were all released in or before 2001 and
+    predate the final SSH RFCs. The support in question isn't
+    necessary for RFC-compliant SSH implementations.
+  ---- New Features
+  * experimental support for PQC XMSS keys (Extended Hash-Based
+    Signatures), not compiled in by default.
+  * sshd(8): Add a "rdomain" criteria for the sshd_config Match
+    keyword to allow conditional configuration that depends on
+    which routing domain a connection was received on (currently
+    supported on OpenBSD and Linux).
+  * sshd_config(5): Add an optional rdomain qualifier to the
+    ListenAddress directive to allow listening on different
+    routing domains. This is supported only on OpenBSD and Linux
+    at present.
+  * sshd_config(5): Add RDomain directive to allow the
+    authenticated session to be placed in an explicit routing
+    domain. This is only supported on OpenBSD at present.
+  * sshd(8): Add "expiry-time" option for authorized_keys files
+    to allow for expiring keys.
+  * ssh(1): Add a BindInterface option to allow binding the
+    outgoing connection to an interface's address (basically a
+    more usable BindAddress)
+  * ssh(1): Expose device allocated for tun/tap forwarding via a
+    new %T expansion for LocalCommand. This allows LocalCommand
+    to be %used to prepare the interface.
+  * sshd(8): Expose the device allocated for tun/tap forwarding
+    via a new SSH_TUNNEL environment variable. This allows
+    automatic setup of the interface and surrounding network
+    configuration automatically on the server.
+  * ssh(1)/scp(1)/sftp(1): Add URI support to ssh, sftp and scp,
+    e.g.  ssh://user@host or sftp://user@host/path.  Additional
+    connection parameters that use deporecated MD5 are not
+    implemented.
+  * ssh-keygen(1): Allow certificate validity intervals that
+    specify only a start or stop time (instead of both or
+    neither).
+  * sftp(1): Allow "cd" and "lcd" commands with no explicit path
+    argument. lcd will change to the local user's home directory
+    as usual. cd will change to the starting directory for
+    session (because the protocol offers no way to obtain the
+    remote user's home directory). bz#2760
+  * sshd(8): When doing a config test with sshd -T, only require
+    the attributes that are actually used in Match criteria
+    rather than (an incomplete list of) all criteria.
+  ---- Bugfixes
+  * ssh(1)/sshd(8): More strictly check signature types during
+    key exchange against what was negotiated. Prevents downgrade
+    of RSA signatures made with SHA-256/512 to SHA-1.
+  * sshd(8): Fix support for client that advertise a protocol
+    version of "1.99" (indicating that they are prepared to
+    accept both SSHv1 and SSHv2). This was broken in OpenSSH 7.6
+    during the removal of SSHv1 support. bz#2810
+  * ssh(1): Warn when the agent returns a ssh-rsa (SHA1)
+    signature when a rsa-sha2-256/512 signature was requested.
+    This condition is possible when an old or non-OpenSSH agent
+    is in use. bz#2799
+  * ssh-agent(1): Fix regression introduced in 7.6 that caused
+    ssh-agent to fatally exit if presented an invalid signature
+    request message.
+  * sshd_config(5): Accept yes/no flag options
+    case-insensitively, as has been the case in ssh_config(5) for
+    a long time. bz#2664
+  * ssh(1): Improve error reporting for failures during
+    connection.  Under some circumstances misleading errors were
+    being shown. bz#2814
+  * ssh-keyscan(1): Add -D option to allow printing of results
+    directly in SSHFP format. bz#2821
+  * regress tests: fix PuTTY interop test broken in last
+    release's SSHv1 removal. bz#2823
+  * ssh(1): Compatibility fix for some servers that erroneously
+    drop the connection when the IUTF8 (RFC8160) option is sent.
+  * scp(1): Disable RemoteCommand and RequestTTY in the ssh
+    session started by scp (sftp was already doing this.)
+  * ssh-keygen(1): Refuse to create a certificate with an
+    unusable number of principals.
+  * ssh-keygen(1): Fatally exit if ssh-keygen is unable to write
+    all the public key during key generation. Previously it would
+    silently ignore errors writing the comment and terminating
+    newline.
+  * ssh(1): Do not modify hostname arguments that are addresses
+    by automatically forcing them to lower-case. Instead
+    canonicalise them to resolve ambiguities (e.g. ::0001 => ::1)
+    before they are matched against known_hosts. bz#2763
+  * ssh(1): Don't accept junk after "yes" or "no" responses to
+    hostkey prompts. bz#2803
+  * sftp(1): Have sftp print a warning about shell cleanliness
+    when decoding the first packet fails, which is usually caused
+    by shells polluting stdout of non-interactive startups.
+    bz#2800
+  * ssh(1)/sshd(8): Switch timers in packet code from using
+    wall-clock time to monotonic time, allowing the packet layer
+    to better function over a clock step and avoiding possible
+    integer overflows during steps.
+  * Numerous manual page fixes and improvements.
+
 -------------------------------------------------------------------
 Wed May  2 08:14:41 UTC 2018 - dimstar@opensuse.org
 

openssh.spec

@@ -101,7 +101,7 @@ PreReq:         pwdutils %{fillup_prereq} coreutils
 %if ! %{uses_systemd}
 PreReq:         %{insserv_prereq}
 %endif
-Version:        7.6p1
+Version:        7.7p1
 Release:        0
 Summary:        Secure Shell Client and Server (Remote Login Program)
 License:        BSD-2-Clause AND MIT
@@ -190,7 +190,7 @@ done
 # set libexec dir in the LDAP patch
 sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \
     $( grep -Rl @LIBEXECDIR@ \
-        $( grep "^+++" $PATCH_DIR/openssh-7.6p1-ldap.patch | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
+        $( grep "^+++" $PATCH_DIR/openssh-7.7p1-ldap.patch | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
     )
 
 %build