OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=12

openssh-4.6p1-challenge.patch

@@ -1,22 +0,0 @@
---- servconf.c
-+++ servconf.c
-@@ -266,6 +266,10 @@
- 	}
- #endif
- 
-+	/* challenge-response is implemented via keyboard interactive */
-+	if (options->challenge_response_authentication == 1)
-+		options->kbd_interactive_authentication = 1;
-+
- }
- 
- /* Keyword tokens. */
-@@ -1398,8 +1402,4 @@
- 	if (bad_options > 0)
- 		fatal("%s: terminating, %d bad configuration options",
- 		    filename, bad_options);
--
--	/* challenge-response is implemented via keyboard interactive */
--	if (options->challenge_response_authentication == 1)
--		options->kbd_interactive_authentication = 1;
- }

openssh-4.6p1-untrusted-cookie-CVE-2007-4752.diff

@@ -1,45 +0,0 @@
---- clientloop.c
-+++ clientloop.c
-@@ -290,19 +290,29 @@
- 					generated = 1;
- 			}
- 		}
--		snprintf(cmd, sizeof(cmd),
--		    "%s %s%s list %s 2>" _PATH_DEVNULL,
--		    xauth_path,
--		    generated ? "-f " : "" ,
--		    generated ? xauthfile : "",
--		    display);
--		debug2("x11_get_proto: %s", cmd);
--		f = popen(cmd, "r");
--		if (f && fgets(line, sizeof(line), f) &&
--		    sscanf(line, "%*s %511s %511s", proto, data) == 2)
--			got_data = 1;
--		if (f)
--			pclose(f);
-+
-+		/*
-+		 * When in untrusted mode, we read the cookie only if it was
-+		 * successfully generated as an untrusted one in the step
-+		 * above.
-+		 */
-+		if (trusted || generated) {
-+			snprintf(cmd, sizeof(cmd),
-+			    "%s %s%s list %s 2>" _PATH_DEVNULL,
-+			    xauth_path,
-+			    generated ? "-f " : "" ,
-+			    generated ? xauthfile : "",
-+			    display);
-+			debug2("x11_get_proto: %s", cmd);
-+			f = popen(cmd, "r");
-+			if (f && fgets(line, sizeof(line), f) &&
-+			    sscanf(line, "%*s %511s %511s", proto, data) == 2)
-+				got_data = 1;
-+			if (f)
-+				pclose(f);
-+		} else
-+			error("Warning: untrusted X11 forwarding setup failed: "
-+			    "xauth key data not generated");
- 	}
- 
- 	if (do_unlink) {

openssh-4.6p1.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c19f14140fbbbf912b9a033e961910ab5510a6c625bbd1a443e7aa9bbe6c09b9
-size 781338

openssh-4.7p1-audit.patch

@@ -1,26 +1,26 @@
 # add support for Linux audit (FATE #120269)
 ================================================================================
---- openssh-4.6p1/Makefile.in
-+++ openssh-4.6p1/Makefile.in
-@@ -45,6 +45,7 @@
+--- openssh-4.7p1/Makefile.in
++++ openssh-4.7p1/Makefile.in
+@@ -44,6 +44,7 @@
+ CFLAGS=@CFLAGS@
  CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
  LIBS=@LIBS@
- LIBSELINUX=@LIBSELINUX@
 +LIBAUDIT=@LIBAUDIT@
  SSHDLIBS=@SSHDLIBS@
  LIBEDIT=@LIBEDIT@
- LIBPAM=@LIBPAM@
-@@ -139,7 +140,7 @@
+ AR=@AR@
+@@ -136,7 +137,7 @@
  	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
  
  sshd$(EXEEXT): libssh.a	$(LIBCOMPAT) $(SSHDOBJS)
--	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(SSHDLIBS) $(LIBS)
-+	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(LIBAUDIT) $(SSHDLIBS) $(LIBS)
+-	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS)
++	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(LIBAUDIT)
  
  scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
  	$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
---- openssh-4.6p1/auth.c
-+++ openssh-4.6p1/auth.c
+--- openssh-4.7p1/auth.c
++++ openssh-4.7p1/auth.c
 @@ -286,6 +286,12 @@
  		    get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
  # endif
@@ -45,9 +45,9 @@
  #ifdef SSH_AUDIT_EVENTS
  		audit_event(SSH_INVALID_USER);
  #endif /* SSH_AUDIT_EVENTS */
---- openssh-4.6p1/config.h.in
-+++ openssh-4.6p1/config.h.in
-@@ -1305,6 +1305,9 @@
+--- openssh-4.7p1/config.h.in
++++ openssh-4.7p1/config.h.in
+@@ -1334,6 +1334,9 @@
  /* Define if you want SELinux support. */
  #undef WITH_SELINUX
  
@@ -57,11 +57,11 @@
  /* Define to 1 if your processor stores words with the most significant byte
     first (like Motorola and SPARC, unlike Intel and VAX). */
  #undef WORDS_BIGENDIAN
---- openssh-4.6p1/configure.ac
-+++ openssh-4.6p1/configure.ac
-@@ -3170,6 +3170,20 @@
+--- openssh-4.7p1/configure.ac
++++ openssh-4.7p1/configure.ac
+@@ -3216,6 +3216,20 @@
+ 	fi ]
  )
- AC_SUBST(LIBSELINUX)
  
 +# Check whether user wants Linux audit support
 +LINUX_AUDIT_MSG="no"
@@ -80,7 +80,7 @@
  # Check whether user wants Kerberos 5 support
  KRB5_MSG="no"
  AC_ARG_WITH(kerberos5,
-@@ -3990,6 +4004,7 @@
+@@ -4036,6 +4050,7 @@
  echo "                   OSF SIA support: $SIA_MSG"
  echo "                 KerberosV support: $KRB5_MSG"
  echo "                   SELinux support: $SELINUX_MSG"
@@ -88,9 +88,9 @@
  echo "                 Smartcard support: $SCARD_MSG"
  echo "                     S/KEY support: $SKEY_MSG"
  echo "              TCP Wrappers support: $TCPW_MSG"
---- openssh-4.6p1/loginrec.c
-+++ openssh-4.6p1/loginrec.c
-@@ -175,6 +175,10 @@
+--- openssh-4.7p1/loginrec.c
++++ openssh-4.7p1/loginrec.c
+@@ -176,6 +176,10 @@
  #include "auth.h"
  #include "buffer.h"
  
@@ -101,7 +101,7 @@
  #ifdef HAVE_UTIL_H
  # include <util.h>
  #endif
-@@ -201,6 +205,9 @@
+@@ -202,6 +206,9 @@
  int utmpx_write_entry(struct logininfo *li);
  int wtmp_write_entry(struct logininfo *li);
  int wtmpx_write_entry(struct logininfo *li);
@@ -111,7 +111,7 @@
  int lastlog_write_entry(struct logininfo *li);
  int syslogin_write_entry(struct logininfo *li);
  
-@@ -439,6 +446,10 @@
+@@ -440,6 +447,10 @@
  
  	/* set the timestamp */
  	login_set_current_time(li);
@@ -122,7 +122,7 @@
  #ifdef USE_LOGIN
  	syslogin_write_entry(li);
  #endif
-@@ -1393,6 +1404,51 @@
+@@ -1394,6 +1405,51 @@
  }
  #endif /* USE_WTMPX */
  
@@ -174,8 +174,8 @@
  /**
   ** Low-level libutil login() functions
   **/
---- openssh-4.6p1/loginrec.h
-+++ openssh-4.6p1/loginrec.h
+--- openssh-4.7p1/loginrec.h
++++ openssh-4.7p1/loginrec.h
 @@ -127,5 +127,9 @@
  char *line_abbrevname(char *dst, const char *src, int dstsize);
  

openssh-4.7p1-blocksigalrm.diff

@@ -1,6 +1,6 @@
 --- log.c
 +++ log.c
-@@ -50,6 +50,7 @@
+@@ -51,6 +51,7 @@
  
  #include "xmalloc.h"
  #include "log.h"
@@ -8,23 +8,15 @@
  
  static LogLevel log_level = SYSLOG_LEVEL_INFO;
  static int log_on_stderr = 1;
-@@ -313,6 +314,7 @@
+@@ -314,6 +315,7 @@
  	char fmtbuf[MSGBUFSIZ];
  	char *txt = NULL;
  	int pri = LOG_INFO;
 +	sigset_t nset, oset;
+ 	int saved_errno = errno;
  
  	if (level > log_level)
- 		return;
-@@ -351,6 +353,7 @@
- 		pri = LOG_ERR;
- 		break;
- 	}
-+	
- 	if (txt != NULL) {
- 		snprintf(fmtbuf, sizeof(fmtbuf), "%s: %s", txt, fmt);
- 		vsnprintf(msgbuf, sizeof(msgbuf), fmtbuf, args);
-@@ -363,6 +366,14 @@
+@@ -365,6 +367,14 @@
  		snprintf(msgbuf, sizeof msgbuf, "%s\r\n", fmtbuf);
  		write(STDERR_FILENO, msgbuf, strlen(msgbuf));
  	} else {
@@ -39,10 +31,11 @@
  #if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
  		openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata);
  		syslog_r(pri, &sdata, "%.500s", fmtbuf);
-@@ -372,5 +383,6 @@
+@@ -374,6 +384,7 @@
  		syslog(pri, "%.500s", fmtbuf);
  		closelog();
  #endif
 +		sigprocmask(SIG_SETMASK, &oset, NULL);
  	}
+ 	errno = saved_errno;
  }

openssh-4.7p1-default-protocol.diff

@@ -9,14 +9,3 @@
  #   Cipher 3des
  #   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
  #   EscapeChar ~
---- sshd_config
-+++ sshd_config
-@@ -11,7 +11,7 @@
- # default value.
- 
- #Port 22
--#Protocol 2,1
-+Protocol 2
- #AddressFamily any
- #ListenAddress 0.0.0.0
- #ListenAddress ::

openssh-4.7p1.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8263902702790d82d0e34006d7b3849d57e8fbd1d31278f9598798bd1765e237
+size 796599

openssh-askpass-gnome.changes

@@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Wed Dec  5 10:56:07 CET 2007 - anicka@suse.cz
+
+- - update to 4.7p1
+  * Add "-K" flag for ssh to set GSSAPIAuthentication=yes and
+    GSSAPIDelegateCredentials=yes. This is symmetric with -k
+  * make scp try to skip FIFOs rather than blocking when nothing is
+    listening.
+  * increase default channel windows
+  * put the MAC list into a display
+  * many bugfixes
+
 -------------------------------------------------------------------
 Tue Dec 12 14:44:41 CET 2006 - anicka@suse.cz
 

openssh-askpass-gnome.spec

@@ -1,5 +1,5 @@
 #
-# spec file for package openssh-askpass-gnome (Version 4.6p1)
+# spec file for package openssh-askpass-gnome (Version 4.7p1)
 #
 # Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany.
 # This file and all modifications and additions to the pristine
@@ -14,8 +14,8 @@ Name:           openssh-askpass-gnome
 BuildRequires:  gtk2-devel krb5-devel opensc-devel openssh openssl-devel pam-devel tcpd-devel update-desktop-files
 License:        BSD 3-Clause
 Group:          Productivity/Networking/SSH
-Version:        4.6p1
-Release:        67
+Version:        4.7p1
+Release:        1
 Requires:       openssh = %{version} openssh-askpass = %{version}
 AutoReqProv:    on
 Summary:        A GNOME-Based Passphrase Dialog for OpenSSH
@@ -63,6 +63,7 @@ Authors:
     Damien Miller <djm@ibs.com.au>
 
 %define prefix   /usr
+
 %prep
 %setup -q -n %{_name}-%{version}
 %patch 
@@ -109,7 +110,17 @@ rm -rf $RPM_BUILD_ROOT
 %files
 %defattr(-,root,root)
 %attr(0755,root,root) /usr/%_lib/ssh/gnome-ssh-askpass
+
 %changelog
+* Wed Dec 05 2007 - anicka@suse.cz
+- - update to 4.7p1
+  * Add "-K" flag for ssh to set GSSAPIAuthentication=yes and
+  GSSAPIDelegateCredentials=yes. This is symmetric with -k
+  * make scp try to skip FIFOs rather than blocking when nothing is
+  listening.
+  * increase default channel windows
+  * put the MAC list into a display
+  * many bugfixes
 * Tue Dec 12 2006 - anicka@suse.cz
 - update to 4.5p1
   * Use privsep_pw if we have it, but only require it if we

openssh-gssapi_krb5-fix.patch

@@ -1,6 +1,6 @@
 --- configure.ac
 +++ configure.ac
-@@ -3237,7 +3237,14 @@
+@@ -3283,7 +3283,14 @@
  				  K5LIBS="-lgssapi $K5LIBS" ],
  				[ AC_CHECK_LIB(gssapi_krb5,gss_init_sec_context,
  					[ AC_DEFINE(GSSAPI)

openssh.changes

@@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Wed Dec  5 10:45:36 CET 2007 - anicka@suse.cz
+
+- update to 4.7p1 
+  * Add "-K" flag for ssh to set GSSAPIAuthentication=yes and
+    GSSAPIDelegateCredentials=yes. This is symmetric with -k
+  * make scp try to skip FIFOs rather than blocking when nothing is 
+    listening.
+  * increase default channel windows
+  * put the MAC list into a display
+  * many bugfixes 
+
 -------------------------------------------------------------------
 Mon Oct  8 16:34:06 CEST 2007 - anicka@suse.cz
 

openssh.spec

@@ -1,5 +1,5 @@
 #
-# spec file for package openssh (Version 4.6p1)
+# spec file for package openssh (Version 4.7p1)
 #
 # Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany.
 # This file and all modifications and additions to the pristine
@@ -28,8 +28,8 @@ Requires:       /bin/netstat
 PreReq:         /usr/sbin/groupadd /usr/sbin/useradd %insserv_prereq  %fillup_prereq /bin/mkdir /bin/cat permissions
 Conflicts:      nonfreessh
 AutoReqProv:    on
-Version:        4.6p1
-Release:        60
+Version:        4.7p1
+Release:        1
 %define xversion 1.2.4.1
 Summary:        Secure Shell Client and Server (Remote Login Program)
 Url:            http://www.openssh.com/
@@ -63,8 +63,6 @@ Patch41:        %{name}-%{version}-gcc-fix.patch
 Patch42:        %{name}-gssapi_krb5-fix.patch
 Patch43:        %{name}-%{version}-default-protocol.diff
 Patch44:        %{name}-%{version}-audit.patch
-Patch45:        %{name}-%{version}-challenge.patch
-Patch46:        %{name}-%{version}-untrusted-cookie-CVE-2007-4752.diff
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %package      askpass
@@ -134,6 +132,7 @@ Authors:
     Damien Miller <djm@ibs.com.au>
 
 %define prefix   /usr
+
 %prep
 %setup -q -b 3 -a 1 -a 5
 %patch 
@@ -155,8 +154,6 @@ Authors:
 %patch42
 %patch43
 %patch44 -p1
-%patch45
-%patch46
 cp -v %{SOURCE4} .
 cp -v %{SOURCE6} .
 cd ../x11-ssh-askpass-%{xversion}
@@ -297,7 +294,17 @@ rm -rf $RPM_BUILD_ROOT
 %doc %_mandir/man1/ssh-askpass.1x.gz
 %doc %_mandir/man1/x11-ssh-askpass.1x.gz
 %config %_appdefdir/SshAskpass
+
 %changelog
+* Wed Dec 05 2007 - anicka@suse.cz
+- update to 4.7p1
+  * Add "-K" flag for ssh to set GSSAPIAuthentication=yes and
+  GSSAPIDelegateCredentials=yes. This is symmetric with -k
+  * make scp try to skip FIFOs rather than blocking when nothing is
+  listening.
+  * increase default channel windows
+  * put the MAC list into a display
+  * many bugfixes
 * Mon Oct 08 2007 - anicka@suse.cz
 - block SIGALRM only during calling syslog() [#331032]
 * Thu Sep 13 2007 - nadvornik@suse.cz