OBS User unknown 2007-12-06 15:29:46 +00:00 committed by Git OBS Bridge
parent cf2a4eda22
commit 37cfaaa01c
28 changed files with 88 additions and 131 deletions


@ -1,22 +0,0 @@
--- servconf.c
+++ servconf.c
@@ -266,6 +266,10 @@
}
#endif
+ /* challenge-response is implemented via keyboard interactive */
+ if (options->challenge_response_authentication == 1)
+ options->kbd_interactive_authentication = 1;
+
}
/* Keyword tokens. */
@@ -1398,8 +1402,4 @@
if (bad_options > 0)
fatal("%s: terminating, %d bad configuration options",
filename, bad_options);
-
- /* challenge-response is implemented via keyboard interactive */
- if (options->challenge_response_authentication == 1)
- options->kbd_interactive_authentication = 1;
}


@ -1,45 +0,0 @@
--- clientloop.c
+++ clientloop.c
@@ -290,19 +290,29 @@
generated = 1;
}
}
- snprintf(cmd, sizeof(cmd),
- "%s %s%s list %s 2>" _PATH_DEVNULL,
- xauth_path,
- generated ? "-f " : "" ,
- generated ? xauthfile : "",
- display);
- debug2("x11_get_proto: %s", cmd);
- f = popen(cmd, "r");
- if (f && fgets(line, sizeof(line), f) &&
- sscanf(line, "%*s %511s %511s", proto, data) == 2)
- got_data = 1;
- if (f)
- pclose(f);
+
+ /*
+ * When in untrusted mode, we read the cookie only if it was
+ * successfully generated as an untrusted one in the step
+ * above.
+ */
+ if (trusted || generated) {
+ snprintf(cmd, sizeof(cmd),
+ "%s %s%s list %s 2>" _PATH_DEVNULL,
+ xauth_path,
+ generated ? "-f " : "" ,
+ generated ? xauthfile : "",
+ display);
+ debug2("x11_get_proto: %s", cmd);
+ f = popen(cmd, "r");
+ if (f && fgets(line, sizeof(line), f) &&
+ sscanf(line, "%*s %511s %511s", proto, data) == 2)
+ got_data = 1;
+ if (f)
+ pclose(f);
+ } else
+ error("Warning: untrusted X11 forwarding setup failed: "
+ "xauth key data not generated");
}
if (do_unlink) {


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:c19f14140fbbbf912b9a033e961910ab5510a6c625bbd1a443e7aa9bbe6c09b9
size 781338


@ -1,26 +1,26 @@
# add support for Linux audit (FATE #120269) # add support for Linux audit (FATE #120269)
================================================================================ ================================================================================
--- openssh-4.6p1/Makefile.in --- openssh-4.7p1/Makefile.in
+++ openssh-4.6p1/Makefile.in +++ openssh-4.7p1/Makefile.in
@@ -45,6 +45,7 @@ @@ -44,6 +44,7 @@
CFLAGS=@CFLAGS@
CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
LIBS=@LIBS@ LIBS=@LIBS@
LIBSELINUX=@LIBSELINUX@
+LIBAUDIT=@LIBAUDIT@ +LIBAUDIT=@LIBAUDIT@
SSHDLIBS=@SSHDLIBS@ SSHDLIBS=@SSHDLIBS@
LIBEDIT=@LIBEDIT@ LIBEDIT=@LIBEDIT@
LIBPAM=@LIBPAM@ AR=@AR@
@@ -139,7 +140,7 @@ @@ -136,7 +137,7 @@
$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(SSHDLIBS) $(LIBS) - $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS)
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(LIBAUDIT) $(SSHDLIBS) $(LIBS) + $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(LIBAUDIT)
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
--- openssh-4.6p1/auth.c --- openssh-4.7p1/auth.c
+++ openssh-4.6p1/auth.c +++ openssh-4.7p1/auth.c
@@ -286,6 +286,12 @@ @@ -286,6 +286,12 @@
get_canonical_hostname(options.use_dns), "ssh", &loginmsg); get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
# endif # endif
@ -45,9 +45,9 @@
#ifdef SSH_AUDIT_EVENTS #ifdef SSH_AUDIT_EVENTS
audit_event(SSH_INVALID_USER); audit_event(SSH_INVALID_USER);
#endif /* SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */
--- openssh-4.6p1/config.h.in --- openssh-4.7p1/config.h.in
+++ openssh-4.6p1/config.h.in +++ openssh-4.7p1/config.h.in
@@ -1305,6 +1305,9 @@ @@ -1334,6 +1334,9 @@
/* Define if you want SELinux support. */ /* Define if you want SELinux support. */
#undef WITH_SELINUX #undef WITH_SELINUX
@ -57,11 +57,11 @@
/* Define to 1 if your processor stores words with the most significant byte /* Define to 1 if your processor stores words with the most significant byte
first (like Motorola and SPARC, unlike Intel and VAX). */ first (like Motorola and SPARC, unlike Intel and VAX). */
#undef WORDS_BIGENDIAN #undef WORDS_BIGENDIAN
--- openssh-4.6p1/configure.ac --- openssh-4.7p1/configure.ac
+++ openssh-4.6p1/configure.ac +++ openssh-4.7p1/configure.ac
@@ -3170,6 +3170,20 @@ @@ -3216,6 +3216,20 @@
fi ]
) )
AC_SUBST(LIBSELINUX)
+# Check whether user wants Linux audit support +# Check whether user wants Linux audit support
+LINUX_AUDIT_MSG="no" +LINUX_AUDIT_MSG="no"
@ -80,7 +80,7 @@
# Check whether user wants Kerberos 5 support # Check whether user wants Kerberos 5 support
KRB5_MSG="no" KRB5_MSG="no"
AC_ARG_WITH(kerberos5, AC_ARG_WITH(kerberos5,
@@ -3990,6 +4004,7 @@ @@ -4036,6 +4050,7 @@
echo " OSF SIA support: $SIA_MSG" echo " OSF SIA support: $SIA_MSG"
echo " KerberosV support: $KRB5_MSG" echo " KerberosV support: $KRB5_MSG"
echo " SELinux support: $SELINUX_MSG" echo " SELinux support: $SELINUX_MSG"
@ -88,9 +88,9 @@
echo " Smartcard support: $SCARD_MSG" echo " Smartcard support: $SCARD_MSG"
echo " S/KEY support: $SKEY_MSG" echo " S/KEY support: $SKEY_MSG"
echo " TCP Wrappers support: $TCPW_MSG" echo " TCP Wrappers support: $TCPW_MSG"
--- openssh-4.6p1/loginrec.c --- openssh-4.7p1/loginrec.c
+++ openssh-4.6p1/loginrec.c +++ openssh-4.7p1/loginrec.c
@@ -175,6 +175,10 @@ @@ -176,6 +176,10 @@
#include "auth.h" #include "auth.h"
#include "buffer.h" #include "buffer.h"
@ -101,7 +101,7 @@
#ifdef HAVE_UTIL_H #ifdef HAVE_UTIL_H
# include <util.h> # include <util.h>
#endif #endif
@@ -201,6 +205,9 @@ @@ -202,6 +206,9 @@
int utmpx_write_entry(struct logininfo *li); int utmpx_write_entry(struct logininfo *li);
int wtmp_write_entry(struct logininfo *li); int wtmp_write_entry(struct logininfo *li);
int wtmpx_write_entry(struct logininfo *li); int wtmpx_write_entry(struct logininfo *li);
@ -111,7 +111,7 @@
int lastlog_write_entry(struct logininfo *li); int lastlog_write_entry(struct logininfo *li);
int syslogin_write_entry(struct logininfo *li); int syslogin_write_entry(struct logininfo *li);
@@ -439,6 +446,10 @@ @@ -440,6 +447,10 @@
/* set the timestamp */ /* set the timestamp */
login_set_current_time(li); login_set_current_time(li);
@ -122,7 +122,7 @@
#ifdef USE_LOGIN #ifdef USE_LOGIN
syslogin_write_entry(li); syslogin_write_entry(li);
#endif #endif
@@ -1393,6 +1404,51 @@ @@ -1394,6 +1405,51 @@
} }
#endif /* USE_WTMPX */ #endif /* USE_WTMPX */
@ -174,8 +174,8 @@
/** /**
** Low-level libutil login() functions ** Low-level libutil login() functions
**/ **/
--- openssh-4.6p1/loginrec.h --- openssh-4.7p1/loginrec.h
+++ openssh-4.6p1/loginrec.h +++ openssh-4.7p1/loginrec.h
@@ -127,5 +127,9 @@ @@ -127,5 +127,9 @@
char *line_abbrevname(char *dst, const char *src, int dstsize); char *line_abbrevname(char *dst, const char *src, int dstsize);


@ -1,6 +1,6 @@
--- log.c --- log.c
+++ log.c +++ log.c
@@ -50,6 +50,7 @@ @@ -51,6 +51,7 @@
#include "xmalloc.h" #include "xmalloc.h"
#include "log.h" #include "log.h"
@ -8,23 +8,15 @@
static LogLevel log_level = SYSLOG_LEVEL_INFO; static LogLevel log_level = SYSLOG_LEVEL_INFO;
static int log_on_stderr = 1; static int log_on_stderr = 1;
@@ -313,6 +314,7 @@ @@ -314,6 +315,7 @@
char fmtbuf[MSGBUFSIZ]; char fmtbuf[MSGBUFSIZ];
char *txt = NULL; char *txt = NULL;
int pri = LOG_INFO; int pri = LOG_INFO;
+ sigset_t nset, oset; + sigset_t nset, oset;
int saved_errno = errno;
if (level > log_level) if (level > log_level)
return; @@ -365,6 +367,14 @@
@@ -351,6 +353,7 @@
pri = LOG_ERR;
break;
}
+
if (txt != NULL) {
snprintf(fmtbuf, sizeof(fmtbuf), "%s: %s", txt, fmt);
vsnprintf(msgbuf, sizeof(msgbuf), fmtbuf, args);
@@ -363,6 +366,14 @@
snprintf(msgbuf, sizeof msgbuf, "%s\r\n", fmtbuf); snprintf(msgbuf, sizeof msgbuf, "%s\r\n", fmtbuf);
write(STDERR_FILENO, msgbuf, strlen(msgbuf)); write(STDERR_FILENO, msgbuf, strlen(msgbuf));
} else { } else {
@ -39,10 +31,11 @@
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT) #if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata); openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata);
syslog_r(pri, &sdata, "%.500s", fmtbuf); syslog_r(pri, &sdata, "%.500s", fmtbuf);
@@ -372,5 +383,6 @@ @@ -374,6 +384,7 @@
syslog(pri, "%.500s", fmtbuf); syslog(pri, "%.500s", fmtbuf);
closelog(); closelog();
#endif #endif
+ sigprocmask(SIG_SETMASK, &oset, NULL); + sigprocmask(SIG_SETMASK, &oset, NULL);
} }
errno = saved_errno;
} }
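Review bot: The refreshed patch still begins directly at `--- log.c` with no header line, so the reason for the added `sigset_t nset, oset;` and the `sigprocmask(SIG_SETMASK, &oset, NULL);` restore after `closelog()` is recorded only in the spec changelog. A first line such as `# block SIGALRM only during calling syslog() [#331032]`, in the style of the audit patch's `#` header, would keep the rationale with the code. The call that fills `oset` and blocks the signal sits in patch lines this page does not show, and the enclosing function starts outside the visible hunks. When rebasing onto 4.7p1 it is worth confirming that the block call still precedes the `openlog`/`syslog` pair in both `#if` branches, since the restore is only correct if `oset` was set first.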


@ -9,14 +9,3 @@
# Cipher 3des # Cipher 3des
# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc # Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
# EscapeChar ~ # EscapeChar ~
--- sshd_config
+++ sshd_config
@@ -11,7 +11,7 @@
# default value.
#Port 22
-#Protocol 2,1
+Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

3
openssh-4.7p1.tar.bz2 Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:8263902702790d82d0e34006d7b3849d57e8fbd1d31278f9598798bd1765e237
size 796599


@ -1,3 +1,15 @@
-------------------------------------------------------------------
Wed Dec 5 10:56:07 CET 2007 - anicka@suse.cz
- - update to 4.7p1
* Add "-K" flag for ssh to set GSSAPIAuthentication=yes and
GSSAPIDelegateCredentials=yes. This is symmetric with -k
* make scp try to skip FIFOs rather than blocking when nothing is
listening.
* increase default channel windows
* put the MAC list into a display
* many bugfixes
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Dec 12 14:44:41 CET 2006 - anicka@suse.cz Tue Dec 12 14:44:41 CET 2006 - anicka@suse.cz


@ -1,5 +1,5 @@
# #
# spec file for package openssh-askpass-gnome (Version 4.6p1) # spec file for package openssh-askpass-gnome (Version 4.7p1)
# #
# Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany. # Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany.
# This file and all modifications and additions to the pristine # This file and all modifications and additions to the pristine
@ -14,8 +14,8 @@ Name: openssh-askpass-gnome
BuildRequires: gtk2-devel krb5-devel opensc-devel openssh openssl-devel pam-devel tcpd-devel update-desktop-files BuildRequires: gtk2-devel krb5-devel opensc-devel openssh openssl-devel pam-devel tcpd-devel update-desktop-files
License: BSD 3-Clause License: BSD 3-Clause
Group: Productivity/Networking/SSH Group: Productivity/Networking/SSH
Version: 4.6p1 Version: 4.7p1
Release: 67 Release: 1
Requires: openssh = %{version} openssh-askpass = %{version} Requires: openssh = %{version} openssh-askpass = %{version}
AutoReqProv: on AutoReqProv: on
Summary: A GNOME-Based Passphrase Dialog for OpenSSH Summary: A GNOME-Based Passphrase Dialog for OpenSSH
@ -63,6 +63,7 @@ Authors:
Damien Miller <djm@ibs.com.au> Damien Miller <djm@ibs.com.au>
%define prefix /usr %define prefix /usr
%prep %prep
%setup -q -n %{_name}-%{version} %setup -q -n %{_name}-%{version}
%patch %patch
@ -109,7 +110,17 @@ rm -rf $RPM_BUILD_ROOT
%files %files
%defattr(-,root,root) %defattr(-,root,root)
%attr(0755,root,root) /usr/%_lib/ssh/gnome-ssh-askpass %attr(0755,root,root) /usr/%_lib/ssh/gnome-ssh-askpass
%changelog %changelog
* Wed Dec 05 2007 - anicka@suse.cz
- - update to 4.7p1
* Add "-K" flag for ssh to set GSSAPIAuthentication=yes and
GSSAPIDelegateCredentials=yes. This is symmetric with -k
* make scp try to skip FIFOs rather than blocking when nothing is
listening.
* increase default channel windows
* put the MAC list into a display
* many bugfixes
* Tue Dec 12 2006 - anicka@suse.cz * Tue Dec 12 2006 - anicka@suse.cz
- update to 4.5p1 - update to 4.5p1
* Use privsep_pw if we have it, but only require it if we * Use privsep_pw if we have it, but only require it if we


@ -1,6 +1,6 @@
--- configure.ac --- configure.ac
+++ configure.ac +++ configure.ac
@@ -3237,7 +3237,14 @@ @@ -3283,7 +3283,14 @@
K5LIBS="-lgssapi $K5LIBS" ], K5LIBS="-lgssapi $K5LIBS" ],
[ AC_CHECK_LIB(gssapi_krb5,gss_init_sec_context, [ AC_CHECK_LIB(gssapi_krb5,gss_init_sec_context,
[ AC_DEFINE(GSSAPI) [ AC_DEFINE(GSSAPI)


@ -1,3 +1,15 @@
-------------------------------------------------------------------
Wed Dec 5 10:45:36 CET 2007 - anicka@suse.cz
- update to 4.7p1
* Add "-K" flag for ssh to set GSSAPIAuthentication=yes and
GSSAPIDelegateCredentials=yes. This is symmetric with -k
* make scp try to skip FIFOs rather than blocking when nothing is
listening.
* increase default channel windows
* put the MAC list into a display
* many bugfixes
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Oct 8 16:34:06 CEST 2007 - anicka@suse.cz Mon Oct 8 16:34:06 CEST 2007 - anicka@suse.cz


@ -1,5 +1,5 @@
# #
# spec file for package openssh (Version 4.6p1) # spec file for package openssh (Version 4.7p1)
# #
# Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany. # Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany.
# This file and all modifications and additions to the pristine # This file and all modifications and additions to the pristine
@ -28,8 +28,8 @@ Requires: /bin/netstat
PreReq: /usr/sbin/groupadd /usr/sbin/useradd %insserv_prereq %fillup_prereq /bin/mkdir /bin/cat permissions PreReq: /usr/sbin/groupadd /usr/sbin/useradd %insserv_prereq %fillup_prereq /bin/mkdir /bin/cat permissions
Conflicts: nonfreessh Conflicts: nonfreessh
AutoReqProv: on AutoReqProv: on
Version: 4.6p1 Version: 4.7p1
Release: 60 Release: 1
%define xversion 1.2.4.1 %define xversion 1.2.4.1
Summary: Secure Shell Client and Server (Remote Login Program) Summary: Secure Shell Client and Server (Remote Login Program)
Url: http://www.openssh.com/ Url: http://www.openssh.com/
@ -63,8 +63,6 @@ Patch41: %{name}-%{version}-gcc-fix.patch
Patch42: %{name}-gssapi_krb5-fix.patch Patch42: %{name}-gssapi_krb5-fix.patch
Patch43: %{name}-%{version}-default-protocol.diff Patch43: %{name}-%{version}-default-protocol.diff
Patch44: %{name}-%{version}-audit.patch Patch44: %{name}-%{version}-audit.patch
Patch45: %{name}-%{version}-challenge.patch
Patch46: %{name}-%{version}-untrusted-cookie-CVE-2007-4752.diff
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
%package askpass %package askpass
@ -134,6 +132,7 @@ Authors:
Damien Miller <djm@ibs.com.au> Damien Miller <djm@ibs.com.au>
%define prefix /usr %define prefix /usr
%prep %prep
%setup -q -b 3 -a 1 -a 5 %setup -q -b 3 -a 1 -a 5
%patch %patch
@ -155,8 +154,6 @@ Authors:
%patch42 %patch42
%patch43 %patch43
%patch44 -p1 %patch44 -p1
%patch45
%patch46
cp -v %{SOURCE4} . cp -v %{SOURCE4} .
cp -v %{SOURCE6} . cp -v %{SOURCE6} .
cd ../x11-ssh-askpass-%{xversion} cd ../x11-ssh-askpass-%{xversion}
@ -297,7 +294,17 @@ rm -rf $RPM_BUILD_ROOT
%doc %_mandir/man1/ssh-askpass.1x.gz %doc %_mandir/man1/ssh-askpass.1x.gz
%doc %_mandir/man1/x11-ssh-askpass.1x.gz %doc %_mandir/man1/x11-ssh-askpass.1x.gz
%config %_appdefdir/SshAskpass %config %_appdefdir/SshAskpass
%changelog %changelog
* Wed Dec 05 2007 - anicka@suse.cz
- update to 4.7p1
* Add "-K" flag for ssh to set GSSAPIAuthentication=yes and
GSSAPIDelegateCredentials=yes. This is symmetric with -k
* make scp try to skip FIFOs rather than blocking when nothing is
listening.
* increase default channel windows
* put the MAC list into a display
* many bugfixes
* Mon Oct 08 2007 - anicka@suse.cz * Mon Oct 08 2007 - anicka@suse.cz
- block SIGALRM only during calling syslog() [#331032] - block SIGALRM only during calling syslog() [#331032]
* Thu Sep 13 2007 - nadvornik@suse.cz * Thu Sep 13 2007 - nadvornik@suse.cz
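Review bot: The new `%changelog` entry does not record that `Patch45` (challenge) and `Patch46` (untrusted-cookie-CVE-2007-4752), together with their `%patch45`/`%patch46` lines, are dropped in this update. Presumably both changes are already contained in the 4.7p1 sources, but for a CVE fix that should be stated explicitly so the package history shows the issue is still covered. A line such as `* drop challenge and untrusted-cookie-CVE-2007-4752 patches, included upstream` would do, once that is confirmed against the new tarball. What appears to be the default-protocol patch also no longer rewrites `sshd_config` to `Protocol 2`. The entry could note that too, and the server's shipped protocol 1 default should be checked in the 4.7p1 `sshd_config`.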