OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=25

openssh-5.1p1-strnvis.diff

@@ -1,17 +0,0 @@
---- sshconnect2.c
-+++ sshconnect2.c
-@@ -387,11 +387,11 @@
- 	debug3("input_userauth_banner");
- 	raw = packet_get_string(&len);
- 	lang = packet_get_string(NULL);
--	if (options.log_level >= SYSLOG_LEVEL_INFO) {
-+	if (len > 0 && options.log_level >= SYSLOG_LEVEL_INFO) {
- 		if (len > 65536)
- 			len = 65536;
--		msg = xmalloc(len * 4); /* max expansion from strnvis() */
--		strnvis(msg, raw, len * 4, VIS_SAFE|VIS_OCTAL);
-+		msg = xmalloc(len * 4 + 1); /* max expansion from strnvis() */
-+		strnvis(msg, raw, len * 4 + 1, VIS_SAFE|VIS_OCTAL|VIS_NOSLASH);
- 		fprintf(stderr, "%s", msg);
- 		xfree(msg);
- 	}

openssh-5.1p1.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:bbe533aa4d2d083011035e3b63e558eaf8db83f7b062410a2035aeb822904472
-size 835720

openssh-5.2p1-audit.patch

@@ -1,7 +1,7 @@
 # add support for Linux audit (FATE #120269)
 ================================================================================
---- openssh-5.1p1/Makefile.in
-+++ openssh-5.1p1/Makefile.in
+--- openssh-5.2p1/Makefile.in
++++ openssh-5.2p1/Makefile.in
 @@ -44,6 +44,7 @@
  CFLAGS=@CFLAGS@
  CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
@@ -19,8 +19,8 @@
  
  scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
  	$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
---- openssh-5.1p1/auth.c
-+++ openssh-5.1p1/auth.c
+--- openssh-5.2p1/auth.c
++++ openssh-5.2p1/auth.c
 @@ -287,6 +287,12 @@
  		    get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
  # endif
@@ -45,9 +45,9 @@
  #ifdef SSH_AUDIT_EVENTS
  		audit_event(SSH_INVALID_USER);
  #endif /* SSH_AUDIT_EVENTS */
---- openssh-5.1p1/config.h.in
-+++ openssh-5.1p1/config.h.in
-@@ -1388,6 +1388,9 @@
+--- openssh-5.2p1/config.h.in
++++ openssh-5.2p1/config.h.in
+@@ -1397,6 +1397,9 @@
  /* Define if you want SELinux support. */
  #undef WITH_SELINUX
  
@@ -57,9 +57,9 @@
  /* Define to 1 if your processor stores words with the most significant byte
     first (like Motorola and SPARC, unlike Intel and VAX). */
  #undef WORDS_BIGENDIAN
---- openssh-5.1p1/configure.ac
-+++ openssh-5.1p1/configure.ac
-@@ -3314,6 +3314,20 @@
+--- openssh-5.2p1/configure.ac
++++ openssh-5.2p1/configure.ac
+@@ -3340,6 +3340,20 @@
  	fi ]
  )
  
@@ -80,7 +80,7 @@
  # Check whether user wants Kerberos 5 support
  KRB5_MSG="no"
  AC_ARG_WITH(kerberos5,
-@@ -4134,6 +4148,7 @@
+@@ -4160,6 +4174,7 @@
  echo "                   OSF SIA support: $SIA_MSG"
  echo "                 KerberosV support: $KRB5_MSG"
  echo "                   SELinux support: $SELINUX_MSG"
@@ -88,8 +88,8 @@
  echo "                 Smartcard support: $SCARD_MSG"
  echo "                     S/KEY support: $SKEY_MSG"
  echo "              TCP Wrappers support: $TCPW_MSG"
---- openssh-5.1p1/loginrec.c
-+++ openssh-5.1p1/loginrec.c
+--- openssh-5.2p1/loginrec.c
++++ openssh-5.2p1/loginrec.c
 @@ -176,6 +176,10 @@
  #include "auth.h"
  #include "buffer.h"
@@ -174,8 +174,8 @@
  /**
   ** Low-level libutil login() functions
   **/
---- openssh-5.1p1/loginrec.h
-+++ openssh-5.1p1/loginrec.h
+--- openssh-5.2p1/loginrec.h
++++ openssh-5.2p1/loginrec.h
 @@ -127,5 +127,9 @@
  char *line_abbrevname(char *dst, const char *src, int dstsize);
  

openssh-5.2p1-default-protocol.diff

@@ -7,5 +7,5 @@
 -#   Protocol 2,1
 +    Protocol 2
  #   Cipher 3des
- #   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
+ #   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
  #   MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160

openssh-5.2p1-eal3.diff

@@ -1,6 +1,6 @@
---- openssh-5.1p1/sshd.8
-+++ openssh-5.1p1/sshd.8
-@@ -785,7 +785,7 @@
+--- openssh-5.2p1/sshd.8
++++ openssh-5.2p1/sshd.8
+@@ -783,7 +783,7 @@
  The file format is described in
  .Xr moduli 5 .
  .Pp
@@ -9,7 +9,7 @@
  See
  .Xr motd 5 .
  .Pp
-@@ -798,7 +798,7 @@
+@@ -796,7 +796,7 @@
  refused.
  The file should be world-readable.
  .Pp
@@ -18,7 +18,7 @@
  This file is used in exactly the same way as
  .Pa hosts.equiv ,
  but allows host-based authentication without permitting login with
-@@ -875,8 +875,7 @@
+@@ -873,8 +873,7 @@
  .Xr ssh-keyscan 1 ,
  .Xr chroot 2 ,
  .Xr hosts_access 5 ,
@@ -28,8 +28,8 @@
  .Xr sshd_config 5 ,
  .Xr inetd 8 ,
  .Xr sftp-server 8
---- openssh-5.1p1/sshd_config.5
-+++ openssh-5.1p1/sshd_config.5
+--- openssh-5.2p1/sshd_config.5
++++ openssh-5.2p1/sshd_config.5
 @@ -177,9 +177,6 @@
  By default, no banner is displayed.
  .It Cm ChallengeResponseAuthentication

openssh-5.2p1-engines.diff

@@ -1,5 +1,5 @@
---- openssh-5.1p1/ssh-add.c
-+++ openssh-5.1p1/ssh-add.c
+--- openssh-5.2p1/ssh-add.c
++++ openssh-5.2p1/ssh-add.c
 @@ -43,6 +43,7 @@
  
  #include <openssl/evp.h>
@@ -19,8 +19,8 @@
  	/* At first, get a connection to the authentication agent. */
  	ac = ssh_get_authentication_connection();
  	if (ac == NULL) {
---- openssh-5.1p1/ssh-agent.c
-+++ openssh-5.1p1/ssh-agent.c
+--- openssh-5.2p1/ssh-agent.c
++++ openssh-5.2p1/ssh-agent.c
 @@ -52,6 +52,7 @@
  #include <openssl/evp.h>
  #include <openssl/md5.h>
@@ -40,8 +40,8 @@
  	__progname = ssh_get_progname(av[0]);
  	init_rng();
  	seed_rng();
---- openssh-5.1p1/ssh-keygen.c
-+++ openssh-5.1p1/ssh-keygen.c
+--- openssh-5.2p1/ssh-keygen.c
++++ openssh-5.2p1/ssh-keygen.c
 @@ -22,6 +22,7 @@
  #include <openssl/evp.h>
  #include <openssl/pem.h>
@@ -62,8 +62,8 @@
  	log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
  
  	init_rng();
---- openssh-5.1p1/ssh-keysign.c
-+++ openssh-5.1p1/ssh-keysign.c
+--- openssh-5.2p1/ssh-keysign.c
++++ openssh-5.2p1/ssh-keysign.c
 @@ -38,6 +38,7 @@
  #include <openssl/evp.h>
  #include <openssl/rand.h>
@@ -84,8 +84,8 @@
  	for (i = 0; i < 256; i++)
  		rnd[i] = arc4random();
  	RAND_seed(rnd, sizeof(rnd));
---- openssh-5.1p1/ssh.c
-+++ openssh-5.1p1/ssh.c
+--- openssh-5.2p1/ssh.c
++++ openssh-5.2p1/ssh.c
 @@ -73,6 +73,7 @@
  #include <openssl/err.h>
  #include "openbsd-compat/openssl-compat.h"
@@ -94,7 +94,7 @@
  
  #include "xmalloc.h"
  #include "ssh.h"
-@@ -562,6 +563,10 @@
+@@ -550,6 +551,10 @@
  	SSLeay_add_all_algorithms();
  	ERR_load_crypto_strings();
  
@@ -105,8 +105,8 @@
  	/* Initialize the command to execute on remote host. */
  	buffer_init(&command);
  
---- openssh-5.1p1/sshd.c
-+++ openssh-5.1p1/sshd.c
+--- openssh-5.2p1/sshd.c
++++ openssh-5.2p1/sshd.c
 @@ -77,6 +77,7 @@
  #include <openssl/md5.h>
  #include <openssl/rand.h>
@@ -115,7 +115,7 @@
  
  #ifdef HAVE_SECUREWARE
  #include <sys/security.h>
-@@ -1416,6 +1417,10 @@
+@@ -1415,6 +1416,10 @@
  
  	SSLeay_add_all_algorithms();
  

openssh-5.2p1-forwards.diff

@@ -1,8 +1,8 @@
 --- channels.c
 +++ channels.c
-@@ -2418,6 +2418,9 @@
- 	const char *host, *addr;
+@@ -2471,6 +2471,9 @@
  	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
+ 	in_port_t *lport_p;
  
 +	if (num_adm_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION)
 +		fatal("channel_setup_fwd_listener: too many forwards");

openssh-5.2p1-gssapimitm.patch

@@ -52,16 +52,16 @@ Index: auth2-gss.c
  extern Authmethod method_gssapi;
 +extern Authmethod method_gssapi_old;
  #endif
- 
- Authmethod *authmethods[] = {
-@@ -77,6 +78,7 @@
+ #ifdef JPAKE
+ extern Authmethod method_jpake;
+@@ -80,6 +81,7 @@
  	&method_pubkey,
  #ifdef GSSAPI
  	&method_gssapi,
 +	&method_gssapi_old,
  #endif
- 	&method_passwd,
- 	&method_kbdint,
+ #ifdef JPAKE
+ 	&method_jpake,
 --- readconf.c
 +++ readconf.c
 @@ -126,7 +126,7 @@
@@ -85,7 +85,7 @@ Index: auth2-gss.c
  #endif
  	{ "fallbacktorsh", oDeprecated },
  	{ "usersh", oDeprecated },
-@@ -447,6 +449,10 @@
+@@ -456,6 +458,10 @@
  	case oGssDelegateCreds:
  		intptr = &options->gss_deleg_creds;
  		goto parse_flag;
@@ -96,7 +96,7 @@ Index: auth2-gss.c
  
  	case oBatchMode:
  		intptr = &options->batch_mode;
-@@ -1017,6 +1023,7 @@
+@@ -1009,6 +1015,7 @@
  	options->challenge_response_authentication = -1;
  	options->gss_authentication = -1;
  	options->gss_deleg_creds = -1;
@@ -104,7 +104,7 @@ Index: auth2-gss.c
  	options->password_authentication = -1;
  	options->kbd_interactive_authentication = -1;
  	options->kbd_interactive_devices = NULL;
-@@ -1108,6 +1115,8 @@
+@@ -1101,6 +1108,8 @@
  		options->gss_authentication = 0;
  	if (options->gss_deleg_creds == -1)
  		options->gss_deleg_creds = 0;
@@ -133,7 +133,7 @@ Index: auth2-gss.c
  	options->password_authentication = -1;
  	options->kbd_interactive_authentication = -1;
  	options->challenge_response_authentication = -1;
-@@ -211,6 +212,8 @@
+@@ -212,6 +213,8 @@
  		options->gss_authentication = 0;
  	if (options->gss_cleanup_creds == -1)
  		options->gss_cleanup_creds = 1;
@@ -142,7 +142,7 @@ Index: auth2-gss.c
  	if (options->password_authentication == -1)
  		options->password_authentication = 1;
  	if (options->kbd_interactive_authentication == -1)
-@@ -299,7 +302,7 @@
+@@ -302,7 +305,7 @@
  	sBanner, sUseDNS, sHostbasedAuthentication,
  	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
  	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
@@ -150,8 +150,8 @@ Index: auth2-gss.c
 +	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, sGssEnableMITM,
  	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
  	sUsePrivilegeSeparation, sAllowAgentForwarding,
- 	sDeprecated, sUnsupported
-@@ -360,9 +363,11 @@
+ 	sZeroKnowledgePasswordAuthentication,
+@@ -364,9 +367,11 @@
  #ifdef GSSAPI
  	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
  	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@@ -163,7 +163,7 @@ Index: auth2-gss.c
  #endif
  	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
  	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
-@@ -885,6 +890,10 @@
+@@ -894,6 +899,10 @@
  	case sGssCleanupCreds:
  		intptr = &options->gss_cleanup_creds;
  		goto parse_flag;
@@ -186,7 +186,7 @@ Index: auth2-gss.c
  	int     kbd_interactive_authentication;	/* If true, permit */
 --- ssh_config
 +++ ssh_config
-@@ -54,3 +54,13 @@
+@@ -54,4 +54,14 @@
  #   Tunnel no
  #   TunnelDevice any:any
  #   PermitLocalCommand no
@@ -200,10 +200,11 @@ Index: auth2-gss.c
 +#   GSSAPIEnableMITMAttack no
 +
 +>>>>>>>
+ #   VisualHostKey no
 --- sshconnect2.c
 +++ sshconnect2.c
-@@ -246,6 +246,10 @@
- 		userauth_gssapi,
+@@ -255,6 +255,10 @@
+ 		NULL,
  		&options.gss_authentication,
  		NULL},
 +	{"gssapi",
@@ -213,7 +214,7 @@ Index: auth2-gss.c
  #endif
  	{"hostbased",
  		userauth_hostbased,
-@@ -587,7 +591,9 @@
+@@ -617,7 +621,9 @@
  
  	if (status == GSS_S_COMPLETE) {
  		/* send either complete or MIC, depending on mechanism */

openssh-5.2p1-pam-fix4.diff

@@ -1,8 +1,8 @@
 Index: openssh-5.1p1/auth-pam.c
-===================================================================
---- openssh-5.1p1.orig/auth-pam.c
-+++ openssh-5.1p1/auth-pam.c
-@@ -602,16 +602,16 @@ sshpam_cleanup(void)
+================================================================================
+--- openssh-5.2p1/auth-pam.c
++++ openssh-5.2p1/auth-pam.c
+@@ -602,16 +602,16 @@
  		return;
  	debug("PAM: cleanup");
  	pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv);

openssh-5.2p1-saveargv-fix.diff

@@ -1,6 +1,6 @@
 --- sshd.c
 +++ sshd.c
-@@ -305,6 +305,7 @@
+@@ -304,6 +304,7 @@
  static void
  sighup_restart(void)
  {
@@ -8,7 +8,7 @@
  	logit("Received SIGHUP; restarting.");
  	close_listen_socks();
  	close_startup_pipes();
-@@ -1270,7 +1271,11 @@
+@@ -1269,7 +1270,11 @@
  #ifndef HAVE_SETPROCTITLE
  	/* Prepare for later setproctitle emulation */
  	compat_init_setproctitle(ac, av);

openssh-5.2p1-send_locale.diff

@@ -1,6 +1,6 @@
 --- ssh_config
 +++ ssh_config
-@@ -63,4 +63,7 @@
+@@ -63,5 +63,8 @@
  # potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
  #   GSSAPIEnableMITMAttack no
  
@@ -9,6 +9,7 @@
 +SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES 
 +SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT 
 +SendEnv LC_IDENTIFICATION LC_ALL
+ #   VisualHostKey no
 --- sshd_config
 +++ sshd_config
 @@ -119,6 +119,11 @@

openssh-5.2p1-xauth.diff

@@ -1,6 +1,6 @@
 --- session.c
 +++ session.c
-@@ -2487,8 +2487,41 @@
+@@ -2493,8 +2493,41 @@
  session_close(Session *s)
  {
  	u_int i;

openssh-5.2p1-xauthlocalhostname.diff

@@ -1,6 +1,6 @@
 --- session.c
 +++ session.c
-@@ -1104,7 +1104,7 @@
+@@ -1110,7 +1110,7 @@
  }
  
  static char **
@@ -9,7 +9,7 @@
  {
  	char buf[256];
  	u_int i, envsize;
-@@ -1291,6 +1291,8 @@
+@@ -1297,6 +1297,8 @@
  		for (i = 0; env[i]; i++)
  			fprintf(stderr, "  %.200s\n", env[i]);
  	}
@@ -18,7 +18,7 @@
  	return env;
  }
  
-@@ -1299,7 +1301,7 @@
+@@ -1305,7 +1307,7 @@
   * first in this order).
   */
  static void
@@ -27,7 +27,7 @@
  {
  	FILE *f = NULL;
  	char cmd[1024];
-@@ -1353,12 +1355,20 @@
+@@ -1359,12 +1361,20 @@
  		    options.xauth_location);
  		f = popen(cmd, "w");
  		if (f) {
@@ -48,7 +48,7 @@
  		} else {
  			fprintf(stderr, "Could not run %s\n",
  			    cmd);
-@@ -1644,6 +1654,7 @@
+@@ -1650,6 +1660,7 @@
  {
  	extern char **environ;
  	char **env;
@@ -56,7 +56,7 @@
  	char *argv[ARGV_MAX];
  	const char *shell, *shell0, *hostname = NULL;
  	struct passwd *pw = s->pw;
-@@ -1710,7 +1721,7 @@
+@@ -1716,7 +1727,7 @@
  	 * Make sure $SHELL points to the shell from the password file,
  	 * even if shell is overridden from login.conf
  	 */
@@ -65,7 +65,7 @@
  
  #ifdef HAVE_LOGIN_CAP
  	shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell);
-@@ -1778,7 +1789,7 @@
+@@ -1784,7 +1795,7 @@
  	closefrom(STDERR_FILENO + 1);
  
  	if (!options.use_login)

openssh-5.2p1.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5de561b64b659e21d66b4f1c04690e94f922f3f5fb3f070e81fbd8f9f4403de8
+size 816819

openssh-askpass-gnome.changes

@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Mon Feb 23 17:27:22 CET 2009 - anicka@suse.cz
+
+- update to 5.2p1
+
 -------------------------------------------------------------------
 Wed Apr  9 14:35:42 CEST 2008 - anicka@suse.cz
 

openssh-askpass-gnome.spec

@@ -1,7 +1,7 @@
 #
-# spec file for package openssh-askpass-gnome (Version 5.1p1)
+# spec file for package openssh-askpass-gnome (Version 5.2p1)
 #
-# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -22,8 +22,8 @@ Name:           openssh-askpass-gnome
 BuildRequires:  gtk2-devel krb5-devel opensc-devel openssh openssl-devel pam-devel tcpd-devel update-desktop-files
 License:        BSD 3-Clause
 Group:          Productivity/Networking/SSH
-Version:        5.1p1
-Release:        41
+Version:        5.2p1
+Release:        1
 Requires:       openssh = %{version} openssh-askpass = %{version}
 AutoReqProv:    on
 Summary:        A GNOME-Based Passphrase Dialog for OpenSSH
@@ -118,6 +118,8 @@ rm -rf $RPM_BUILD_ROOT
 %attr(0755,root,root) /usr/%_lib/ssh/gnome-ssh-askpass
 
 %changelog
+* Mon Feb 23 2009 anicka@suse.cz
+- update to 5.2p1
 * Wed Apr 09 2008 anicka@suse.cz
 - update to 5.0p1
 * Wed Apr 02 2008 anicka@suse.cz

openssh.changes

@@ -1,3 +1,57 @@
+-------------------------------------------------------------------
+Mon Feb 23 17:27:45 CET 2009 - anicka@suse.cz
+
+- update to 5.2p1
+ * This release changes the default cipher order to prefer the AES CTR
+   modes and the revised "arcfour256" mode to CBC mode ciphers that are
+   susceptible to CPNI-957037 "Plaintext Recovery Attack Against SSH".
+ * This release also adds countermeasures to mitigate CPNI-957037-style
+   attacks against the SSH protocol's use of CBC-mode ciphers. Upon
+   detection of an invalid packet length or Message Authentication
+   Code, ssh/sshd will continue reading up to the maximum supported
+   packet length rather than immediately terminating the connection.
+   This eliminates most of the known differences in behaviour that
+   leaked information about the plaintext of injected data which formed
+   the basis of this attack. We believe that these attacks are rendered
+   infeasible by these changes.
+ * Added a -y option to ssh(1) to force logging to syslog rather than
+   stderr, which is useful when running daemonised (ssh -f)
+ * The sshd_config(5) ForceCommand directive now accepts commandline
+   arguments for the internal-sftp server.
+ * The ssh(1) ~C escape commandline now support runtime creation of
+   dynamic (-D) port forwards.
+ * Support the SOCKS4A protocol in ssh(1) dynamic (-D) forwards.
+   (bz#1482)
+ * Support remote port forwarding with a listen port of '0'. This
+   informs the server that it should dynamically allocate a listen
+   port and report it back to the client. (bz#1003)
+ * sshd(8) now supports setting PermitEmptyPasswords and
+   AllowAgentForwarding in Match blocks
+ * Repair a ssh(1) crash introduced in openssh-5.1 when the client is
+   sent a zero-length banner (bz#1496)
+ * Due to interoperability problems with certain
+   broken SSH implementations, the eow@openssh.com and
+   no-more-sessions@openssh.com protocol extensions are now only sent
+   to peers that identify themselves as OpenSSH.
+ * Make ssh(1) send the correct channel number for
+   SSH2_MSG_CHANNEL_SUCCESS and SSH2_MSG_CHANNEL_FAILURE messages to
+   avoid triggering 'Non-public channel' error messages on sshd(8) in
+   openssh-5.1.
+ * Avoid printing 'Non-public channel' warnings in sshd(8), since the
+   ssh(1) has sent incorrect channel numbers since ~2004 (this reverts
+   a behaviour introduced in openssh-5.1).
+ * Avoid double-free in ssh(1) ~C escape -L handler (bz#1539)
+ * Correct fail-on-error behaviour in sftp(1) batchmode for remote
+   stat operations. (bz#1541)
+ * Disable nonfunctional ssh(1) ~C escape handler in multiplex slave
+   connections. (bz#1543)
+ * Avoid hang in ssh(1) when attempting to connect to a server that
+   has MaxSessions=0 set.
+ * Multiple fixes to sshd(8) configuration test (-T) mode
+ * Several core and portable OpenSSH bugs fixed: 1380, 1412, 1418,
+   1419, 1421, 1490, 1491, 1492, 1514, 1515, 1518, 1520, 1538, 1540
+ * Many manual page improvements.
+
 -------------------------------------------------------------------
 Mon Dec  1 15:43:14 CET 2008 - anicka@suse.cz
 

openssh.spec

@@ -1,7 +1,7 @@
 #
-# spec file for package openssh (Version 5.1p1)
+# spec file for package openssh (Version 5.2p1)
 #
-# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -37,8 +37,8 @@ Requires:       /bin/netstat
 PreReq:         /usr/sbin/groupadd /usr/sbin/useradd %insserv_prereq  %fillup_prereq /bin/mkdir /bin/cat permissions
 Conflicts:      nonfreessh
 AutoReqProv:    on
-Version:        5.1p1
-Release:        41
+Version:        5.2p1
+Release:        1
 %define xversion 1.2.4.1
 Summary:        Secure Shell Client and Server (Remote Login Program)
 Url:            http://www.openssh.com/
@@ -70,7 +70,6 @@ Patch43:        %{name}-%{version}-default-protocol.diff
 Patch44:        %{name}-%{version}-audit.patch
 Patch45:        %{name}-%{version}-pts.diff
 Patch46:        %{name}-%{version}-pam-fix4.diff
-Patch47:        %{name}-%{version}-strnvis.diff
 Patch48:        %{name}-%{version}-forwards.diff
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
@@ -162,7 +161,6 @@ Authors:
 %patch44 -p1
 %patch45
 %patch46 -p1
-%patch47
 %patch48
 cp -v %{SOURCE4} .
 cp -v %{SOURCE6} .
@@ -294,7 +292,7 @@ rm -rf $RPM_BUILD_ROOT
 %attr(0755,root,root) /usr/%_lib/ssh/sftp-server
 %attr(0755,root,root) /usr/%_lib/ssh/ssh-keysign
 %dir /etc/slp.reg.d
-/etc/slp.reg.d/ssh.reg
+%config /etc/slp.reg.d/ssh.reg
 /var/adm/fillup-templates/sysconfig.ssh
 %config %{_fwdefdir}/sshd
 
@@ -304,9 +302,60 @@ rm -rf $RPM_BUILD_ROOT
 %attr(0755,root,root) /usr/%_lib/ssh/x11-ssh-askpass
 %doc %_mandir/man1/ssh-askpass.1x.gz
 %doc %_mandir/man1/x11-ssh-askpass.1x.gz
-%config %_appdefdir/SshAskpass
+%_appdefdir/SshAskpass
 
 %changelog
+* Mon Feb 23 2009 anicka@suse.cz
+- update to 5.2p1
+  * This release changes the default cipher order to prefer the AES CTR
+  modes and the revised "arcfour256" mode to CBC mode ciphers that are
+  susceptible to CPNI-957037 "Plaintext Recovery Attack Against SSH".
+  * This release also adds countermeasures to mitigate CPNI-957037-style
+  attacks against the SSH protocol's use of CBC-mode ciphers. Upon
+  detection of an invalid packet length or Message Authentication
+  Code, ssh/sshd will continue reading up to the maximum supported
+  packet length rather than immediately terminating the connection.
+  This eliminates most of the known differences in behaviour that
+  leaked information about the plaintext of injected data which formed
+  the basis of this attack. We believe that these attacks are rendered
+  infeasible by these changes.
+  * Added a -y option to ssh(1) to force logging to syslog rather than
+  stderr, which is useful when running daemonised (ssh -f)
+  * The sshd_config(5) ForceCommand directive now accepts commandline
+  arguments for the internal-sftp server.
+  * The ssh(1) ~C escape commandline now support runtime creation of
+  dynamic (-D) port forwards.
+  * Support the SOCKS4A protocol in ssh(1) dynamic (-D) forwards.
+  (bz#1482)
+  * Support remote port forwarding with a listen port of '0'. This
+  informs the server that it should dynamically allocate a listen
+  port and report it back to the client. (bz#1003)
+  * sshd(8) now supports setting PermitEmptyPasswords and
+  AllowAgentForwarding in Match blocks
+  * Repair a ssh(1) crash introduced in openssh-5.1 when the client is
+  sent a zero-length banner (bz#1496)
+  * Due to interoperability problems with certain
+  broken SSH implementations, the eow@openssh.com and
+  no-more-sessions@openssh.com protocol extensions are now only sent
+  to peers that identify themselves as OpenSSH.
+  * Make ssh(1) send the correct channel number for
+  SSH2_MSG_CHANNEL_SUCCESS and SSH2_MSG_CHANNEL_FAILURE messages to
+  avoid triggering 'Non-public channel' error messages on sshd(8) in
+  openssh-5.1.
+  * Avoid printing 'Non-public channel' warnings in sshd(8), since the
+  ssh(1) has sent incorrect channel numbers since ~2004 (this reverts
+  a behaviour introduced in openssh-5.1).
+  * Avoid double-free in ssh(1) ~C escape -L handler (bz#1539)
+  * Correct fail-on-error behaviour in sftp(1) batchmode for remote
+  stat operations. (bz#1541)
+  * Disable nonfunctional ssh(1) ~C escape handler in multiplex slave
+  connections. (bz#1543)
+  * Avoid hang in ssh(1) when attempting to connect to a server that
+  has MaxSessions=0 set.
+  * Multiple fixes to sshd(8) configuration test (-T) mode
+  * Several core and portable OpenSSH bugs fixed: 1380, 1412, 1418,
+  1419, 1421, 1490, 1491, 1492, 1514, 1515, 1518, 1520, 1538, 1540
+  * Many manual page improvements.
 * Mon Dec 01 2008 anicka@suse.cz
 - respect SSH_MAX_FORWARDS_PER_DIRECTION (bnc#448775)
 * Mon Nov 10 2008 anicka@suse.cz