OBS User unknown 2009-03-03 21:42:45 +00:00 committed by Git OBS Bridge
parent 95f0239801
commit 608c9a76d0
26 changed files with 198 additions and 103 deletions

View File

@ -1,17 +0,0 @@
--- sshconnect2.c
+++ sshconnect2.c
@@ -387,11 +387,11 @@
debug3("input_userauth_banner");
raw = packet_get_string(&len);
lang = packet_get_string(NULL);
- if (options.log_level >= SYSLOG_LEVEL_INFO) {
+ if (len > 0 && options.log_level >= SYSLOG_LEVEL_INFO) {
if (len > 65536)
len = 65536;
- msg = xmalloc(len * 4); /* max expansion from strnvis() */
- strnvis(msg, raw, len * 4, VIS_SAFE|VIS_OCTAL);
+ msg = xmalloc(len * 4 + 1); /* max expansion from strnvis() */
+ strnvis(msg, raw, len * 4 + 1, VIS_SAFE|VIS_OCTAL|VIS_NOSLASH);
fprintf(stderr, "%s", msg);
xfree(msg);
}

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:bbe533aa4d2d083011035e3b63e558eaf8db83f7b062410a2035aeb822904472
size 835720

View File

@ -1,7 +1,7 @@
# add support for Linux audit (FATE #120269) # add support for Linux audit (FATE #120269)
================================================================================ ================================================================================
--- openssh-5.1p1/Makefile.in --- openssh-5.2p1/Makefile.in
+++ openssh-5.1p1/Makefile.in +++ openssh-5.2p1/Makefile.in
@@ -44,6 +44,7 @@ @@ -44,6 +44,7 @@
CFLAGS=@CFLAGS@ CFLAGS=@CFLAGS@
CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
@ -19,8 +19,8 @@
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
--- openssh-5.1p1/auth.c --- openssh-5.2p1/auth.c
+++ openssh-5.1p1/auth.c +++ openssh-5.2p1/auth.c
@@ -287,6 +287,12 @@ @@ -287,6 +287,12 @@
get_canonical_hostname(options.use_dns), "ssh", &loginmsg); get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
# endif # endif
@ -45,9 +45,9 @@
#ifdef SSH_AUDIT_EVENTS #ifdef SSH_AUDIT_EVENTS
audit_event(SSH_INVALID_USER); audit_event(SSH_INVALID_USER);
#endif /* SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */
--- openssh-5.1p1/config.h.in --- openssh-5.2p1/config.h.in
+++ openssh-5.1p1/config.h.in +++ openssh-5.2p1/config.h.in
@@ -1388,6 +1388,9 @@ @@ -1397,6 +1397,9 @@
/* Define if you want SELinux support. */ /* Define if you want SELinux support. */
#undef WITH_SELINUX #undef WITH_SELINUX
@ -57,9 +57,9 @@
/* Define to 1 if your processor stores words with the most significant byte /* Define to 1 if your processor stores words with the most significant byte
first (like Motorola and SPARC, unlike Intel and VAX). */ first (like Motorola and SPARC, unlike Intel and VAX). */
#undef WORDS_BIGENDIAN #undef WORDS_BIGENDIAN
--- openssh-5.1p1/configure.ac --- openssh-5.2p1/configure.ac
+++ openssh-5.1p1/configure.ac +++ openssh-5.2p1/configure.ac
@@ -3314,6 +3314,20 @@ @@ -3340,6 +3340,20 @@
fi ] fi ]
) )
@ -80,7 +80,7 @@
# Check whether user wants Kerberos 5 support # Check whether user wants Kerberos 5 support
KRB5_MSG="no" KRB5_MSG="no"
AC_ARG_WITH(kerberos5, AC_ARG_WITH(kerberos5,
@@ -4134,6 +4148,7 @@ @@ -4160,6 +4174,7 @@
echo " OSF SIA support: $SIA_MSG" echo " OSF SIA support: $SIA_MSG"
echo " KerberosV support: $KRB5_MSG" echo " KerberosV support: $KRB5_MSG"
echo " SELinux support: $SELINUX_MSG" echo " SELinux support: $SELINUX_MSG"
@ -88,8 +88,8 @@
echo " Smartcard support: $SCARD_MSG" echo " Smartcard support: $SCARD_MSG"
echo " S/KEY support: $SKEY_MSG" echo " S/KEY support: $SKEY_MSG"
echo " TCP Wrappers support: $TCPW_MSG" echo " TCP Wrappers support: $TCPW_MSG"
--- openssh-5.1p1/loginrec.c --- openssh-5.2p1/loginrec.c
+++ openssh-5.1p1/loginrec.c +++ openssh-5.2p1/loginrec.c
@@ -176,6 +176,10 @@ @@ -176,6 +176,10 @@
#include "auth.h" #include "auth.h"
#include "buffer.h" #include "buffer.h"
@ -174,8 +174,8 @@
/** /**
** Low-level libutil login() functions ** Low-level libutil login() functions
**/ **/
--- openssh-5.1p1/loginrec.h --- openssh-5.2p1/loginrec.h
+++ openssh-5.1p1/loginrec.h +++ openssh-5.2p1/loginrec.h
@@ -127,5 +127,9 @@ @@ -127,5 +127,9 @@
char *line_abbrevname(char *dst, const char *src, int dstsize); char *line_abbrevname(char *dst, const char *src, int dstsize);

View File

@ -7,5 +7,5 @@
-# Protocol 2,1 -# Protocol 2,1
+ Protocol 2 + Protocol 2
# Cipher 3des # Cipher 3des
# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc # Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160 # MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160

View File

@ -1,6 +1,6 @@
--- openssh-5.1p1/sshd.8 --- openssh-5.2p1/sshd.8
+++ openssh-5.1p1/sshd.8 +++ openssh-5.2p1/sshd.8
@@ -785,7 +785,7 @@ @@ -783,7 +783,7 @@
The file format is described in The file format is described in
.Xr moduli 5 . .Xr moduli 5 .
.Pp .Pp
@ -9,7 +9,7 @@
See See
.Xr motd 5 . .Xr motd 5 .
.Pp .Pp
@@ -798,7 +798,7 @@ @@ -796,7 +796,7 @@
refused. refused.
The file should be world-readable. The file should be world-readable.
.Pp .Pp
@ -18,7 +18,7 @@
This file is used in exactly the same way as This file is used in exactly the same way as
.Pa hosts.equiv , .Pa hosts.equiv ,
but allows host-based authentication without permitting login with but allows host-based authentication without permitting login with
@@ -875,8 +875,7 @@ @@ -873,8 +873,7 @@
.Xr ssh-keyscan 1 , .Xr ssh-keyscan 1 ,
.Xr chroot 2 , .Xr chroot 2 ,
.Xr hosts_access 5 , .Xr hosts_access 5 ,
@ -28,8 +28,8 @@
.Xr sshd_config 5 , .Xr sshd_config 5 ,
.Xr inetd 8 , .Xr inetd 8 ,
.Xr sftp-server 8 .Xr sftp-server 8
--- openssh-5.1p1/sshd_config.5 --- openssh-5.2p1/sshd_config.5
+++ openssh-5.1p1/sshd_config.5 +++ openssh-5.2p1/sshd_config.5
@@ -177,9 +177,6 @@ @@ -177,9 +177,6 @@
By default, no banner is displayed. By default, no banner is displayed.
.It Cm ChallengeResponseAuthentication .It Cm ChallengeResponseAuthentication

View File

@ -1,5 +1,5 @@
--- openssh-5.1p1/ssh-add.c --- openssh-5.2p1/ssh-add.c
+++ openssh-5.1p1/ssh-add.c +++ openssh-5.2p1/ssh-add.c
@@ -43,6 +43,7 @@ @@ -43,6 +43,7 @@
#include <openssl/evp.h> #include <openssl/evp.h>
@ -19,8 +19,8 @@
/* At first, get a connection to the authentication agent. */ /* At first, get a connection to the authentication agent. */
ac = ssh_get_authentication_connection(); ac = ssh_get_authentication_connection();
if (ac == NULL) { if (ac == NULL) {
--- openssh-5.1p1/ssh-agent.c --- openssh-5.2p1/ssh-agent.c
+++ openssh-5.1p1/ssh-agent.c +++ openssh-5.2p1/ssh-agent.c
@@ -52,6 +52,7 @@ @@ -52,6 +52,7 @@
#include <openssl/evp.h> #include <openssl/evp.h>
#include <openssl/md5.h> #include <openssl/md5.h>
@ -40,8 +40,8 @@
__progname = ssh_get_progname(av[0]); __progname = ssh_get_progname(av[0]);
init_rng(); init_rng();
seed_rng(); seed_rng();
--- openssh-5.1p1/ssh-keygen.c --- openssh-5.2p1/ssh-keygen.c
+++ openssh-5.1p1/ssh-keygen.c +++ openssh-5.2p1/ssh-keygen.c
@@ -22,6 +22,7 @@ @@ -22,6 +22,7 @@
#include <openssl/evp.h> #include <openssl/evp.h>
#include <openssl/pem.h> #include <openssl/pem.h>
@ -62,8 +62,8 @@
log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
init_rng(); init_rng();
--- openssh-5.1p1/ssh-keysign.c --- openssh-5.2p1/ssh-keysign.c
+++ openssh-5.1p1/ssh-keysign.c +++ openssh-5.2p1/ssh-keysign.c
@@ -38,6 +38,7 @@ @@ -38,6 +38,7 @@
#include <openssl/evp.h> #include <openssl/evp.h>
#include <openssl/rand.h> #include <openssl/rand.h>
@ -84,8 +84,8 @@
for (i = 0; i < 256; i++) for (i = 0; i < 256; i++)
rnd[i] = arc4random(); rnd[i] = arc4random();
RAND_seed(rnd, sizeof(rnd)); RAND_seed(rnd, sizeof(rnd));
--- openssh-5.1p1/ssh.c --- openssh-5.2p1/ssh.c
+++ openssh-5.1p1/ssh.c +++ openssh-5.2p1/ssh.c
@@ -73,6 +73,7 @@ @@ -73,6 +73,7 @@
#include <openssl/err.h> #include <openssl/err.h>
#include "openbsd-compat/openssl-compat.h" #include "openbsd-compat/openssl-compat.h"
@ -94,7 +94,7 @@
#include "xmalloc.h" #include "xmalloc.h"
#include "ssh.h" #include "ssh.h"
@@ -562,6 +563,10 @@ @@ -550,6 +551,10 @@
SSLeay_add_all_algorithms(); SSLeay_add_all_algorithms();
ERR_load_crypto_strings(); ERR_load_crypto_strings();
@ -105,8 +105,8 @@
/* Initialize the command to execute on remote host. */ /* Initialize the command to execute on remote host. */
buffer_init(&command); buffer_init(&command);
--- openssh-5.1p1/sshd.c --- openssh-5.2p1/sshd.c
+++ openssh-5.1p1/sshd.c +++ openssh-5.2p1/sshd.c
@@ -77,6 +77,7 @@ @@ -77,6 +77,7 @@
#include <openssl/md5.h> #include <openssl/md5.h>
#include <openssl/rand.h> #include <openssl/rand.h>
@ -115,7 +115,7 @@
#ifdef HAVE_SECUREWARE #ifdef HAVE_SECUREWARE
#include <sys/security.h> #include <sys/security.h>
@@ -1416,6 +1417,10 @@ @@ -1415,6 +1416,10 @@
SSLeay_add_all_algorithms(); SSLeay_add_all_algorithms();

View File

@ -1,8 +1,8 @@
--- channels.c --- channels.c
+++ channels.c +++ channels.c
@@ -2418,6 +2418,9 @@ @@ -2471,6 +2471,9 @@
const char *host, *addr;
char ntop[NI_MAXHOST], strport[NI_MAXSERV]; char ntop[NI_MAXHOST], strport[NI_MAXSERV];
in_port_t *lport_p;
+ if (num_adm_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION) + if (num_adm_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION)
+ fatal("channel_setup_fwd_listener: too many forwards"); + fatal("channel_setup_fwd_listener: too many forwards");

View File

@ -52,16 +52,16 @@ Index: auth2-gss.c
extern Authmethod method_gssapi; extern Authmethod method_gssapi;
+extern Authmethod method_gssapi_old; +extern Authmethod method_gssapi_old;
#endif #endif
#ifdef JPAKE
Authmethod *authmethods[] = { extern Authmethod method_jpake;
@@ -77,6 +78,7 @@ @@ -80,6 +81,7 @@
&method_pubkey, &method_pubkey,
#ifdef GSSAPI #ifdef GSSAPI
&method_gssapi, &method_gssapi,
+ &method_gssapi_old, + &method_gssapi_old,
#endif #endif
&method_passwd, #ifdef JPAKE
&method_kbdint, &method_jpake,
--- readconf.c --- readconf.c
+++ readconf.c +++ readconf.c
@@ -126,7 +126,7 @@ @@ -126,7 +126,7 @@
@ -85,7 +85,7 @@ Index: auth2-gss.c
#endif #endif
{ "fallbacktorsh", oDeprecated }, { "fallbacktorsh", oDeprecated },
{ "usersh", oDeprecated }, { "usersh", oDeprecated },
@@ -447,6 +449,10 @@ @@ -456,6 +458,10 @@
case oGssDelegateCreds: case oGssDelegateCreds:
intptr = &options->gss_deleg_creds; intptr = &options->gss_deleg_creds;
goto parse_flag; goto parse_flag;
@ -96,7 +96,7 @@ Index: auth2-gss.c
case oBatchMode: case oBatchMode:
intptr = &options->batch_mode; intptr = &options->batch_mode;
@@ -1017,6 +1023,7 @@ @@ -1009,6 +1015,7 @@
options->challenge_response_authentication = -1; options->challenge_response_authentication = -1;
options->gss_authentication = -1; options->gss_authentication = -1;
options->gss_deleg_creds = -1; options->gss_deleg_creds = -1;
@ -104,7 +104,7 @@ Index: auth2-gss.c
options->password_authentication = -1; options->password_authentication = -1;
options->kbd_interactive_authentication = -1; options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL; options->kbd_interactive_devices = NULL;
@@ -1108,6 +1115,8 @@ @@ -1101,6 +1108,8 @@
options->gss_authentication = 0; options->gss_authentication = 0;
if (options->gss_deleg_creds == -1) if (options->gss_deleg_creds == -1)
options->gss_deleg_creds = 0; options->gss_deleg_creds = 0;
@ -133,7 +133,7 @@ Index: auth2-gss.c
options->password_authentication = -1; options->password_authentication = -1;
options->kbd_interactive_authentication = -1; options->kbd_interactive_authentication = -1;
options->challenge_response_authentication = -1; options->challenge_response_authentication = -1;
@@ -211,6 +212,8 @@ @@ -212,6 +213,8 @@
options->gss_authentication = 0; options->gss_authentication = 0;
if (options->gss_cleanup_creds == -1) if (options->gss_cleanup_creds == -1)
options->gss_cleanup_creds = 1; options->gss_cleanup_creds = 1;
@ -142,7 +142,7 @@ Index: auth2-gss.c
if (options->password_authentication == -1) if (options->password_authentication == -1)
options->password_authentication = 1; options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1) if (options->kbd_interactive_authentication == -1)
@@ -299,7 +302,7 @@ @@ -302,7 +305,7 @@
sBanner, sUseDNS, sHostbasedAuthentication, sBanner, sUseDNS, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
@ -150,8 +150,8 @@ Index: auth2-gss.c
+ sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, sGssEnableMITM, + sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, sGssEnableMITM,
sMatch, sPermitOpen, sForceCommand, sChrootDirectory, sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding, sUsePrivilegeSeparation, sAllowAgentForwarding,
sDeprecated, sUnsupported sZeroKnowledgePasswordAuthentication,
@@ -360,9 +363,11 @@ @@ -364,9 +367,11 @@
#ifdef GSSAPI #ifdef GSSAPI
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@ -163,7 +163,7 @@ Index: auth2-gss.c
#endif #endif
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
@@ -885,6 +890,10 @@ @@ -894,6 +899,10 @@
case sGssCleanupCreds: case sGssCleanupCreds:
intptr = &options->gss_cleanup_creds; intptr = &options->gss_cleanup_creds;
goto parse_flag; goto parse_flag;
@ -186,7 +186,7 @@ Index: auth2-gss.c
int kbd_interactive_authentication; /* If true, permit */ int kbd_interactive_authentication; /* If true, permit */
--- ssh_config --- ssh_config
+++ ssh_config +++ ssh_config
@@ -54,3 +54,13 @@ @@ -54,4 +54,14 @@
# Tunnel no # Tunnel no
# TunnelDevice any:any # TunnelDevice any:any
# PermitLocalCommand no # PermitLocalCommand no
@ -200,10 +200,11 @@ Index: auth2-gss.c
+# GSSAPIEnableMITMAttack no +# GSSAPIEnableMITMAttack no
+ +
+>>>>>>> +>>>>>>>
# VisualHostKey no
--- sshconnect2.c --- sshconnect2.c
+++ sshconnect2.c +++ sshconnect2.c
@@ -246,6 +246,10 @@ @@ -255,6 +255,10 @@
userauth_gssapi, NULL,
&options.gss_authentication, &options.gss_authentication,
NULL}, NULL},
+ {"gssapi", + {"gssapi",
@ -213,7 +214,7 @@ Index: auth2-gss.c
#endif #endif
{"hostbased", {"hostbased",
userauth_hostbased, userauth_hostbased,
@@ -587,7 +591,9 @@ @@ -617,7 +621,9 @@
if (status == GSS_S_COMPLETE) { if (status == GSS_S_COMPLETE) {
/* send either complete or MIC, depending on mechanism */ /* send either complete or MIC, depending on mechanism */

View File

@ -1,8 +1,8 @@
Index: openssh-5.1p1/auth-pam.c Index: openssh-5.1p1/auth-pam.c
=================================================================== ================================================================================
--- openssh-5.1p1.orig/auth-pam.c --- openssh-5.2p1/auth-pam.c
+++ openssh-5.1p1/auth-pam.c +++ openssh-5.2p1/auth-pam.c
@@ -602,16 +602,16 @@ sshpam_cleanup(void) @@ -602,16 +602,16 @@
return; return;
debug("PAM: cleanup"); debug("PAM: cleanup");
pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv); pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv);

View File

@ -1,6 +1,6 @@
--- sshd.c --- sshd.c
+++ sshd.c +++ sshd.c
@@ -305,6 +305,7 @@ @@ -304,6 +304,7 @@
static void static void
sighup_restart(void) sighup_restart(void)
{ {
@ -8,7 +8,7 @@
logit("Received SIGHUP; restarting."); logit("Received SIGHUP; restarting.");
close_listen_socks(); close_listen_socks();
close_startup_pipes(); close_startup_pipes();
@@ -1270,7 +1271,11 @@ @@ -1269,7 +1270,11 @@
#ifndef HAVE_SETPROCTITLE #ifndef HAVE_SETPROCTITLE
/* Prepare for later setproctitle emulation */ /* Prepare for later setproctitle emulation */
compat_init_setproctitle(ac, av); compat_init_setproctitle(ac, av);

View File

@ -1,6 +1,6 @@
--- ssh_config --- ssh_config
+++ ssh_config +++ ssh_config
@@ -63,4 +63,7 @@ @@ -63,5 +63,8 @@
# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to. # potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
# GSSAPIEnableMITMAttack no # GSSAPIEnableMITMAttack no
@ -9,6 +9,7 @@
+SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES +SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT +SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+SendEnv LC_IDENTIFICATION LC_ALL +SendEnv LC_IDENTIFICATION LC_ALL
# VisualHostKey no
--- sshd_config --- sshd_config
+++ sshd_config +++ sshd_config
@@ -119,6 +119,11 @@ @@ -119,6 +119,11 @@

View File

@ -1,6 +1,6 @@
--- session.c --- session.c
+++ session.c +++ session.c
@@ -2487,8 +2487,41 @@ @@ -2493,8 +2493,41 @@
session_close(Session *s) session_close(Session *s)
{ {
u_int i; u_int i;

View File

@ -1,6 +1,6 @@
--- session.c --- session.c
+++ session.c +++ session.c
@@ -1104,7 +1104,7 @@ @@ -1110,7 +1110,7 @@
} }
static char ** static char **
@ -9,7 +9,7 @@
{ {
char buf[256]; char buf[256];
u_int i, envsize; u_int i, envsize;
@@ -1291,6 +1291,8 @@ @@ -1297,6 +1297,8 @@
for (i = 0; env[i]; i++) for (i = 0; env[i]; i++)
fprintf(stderr, " %.200s\n", env[i]); fprintf(stderr, " %.200s\n", env[i]);
} }
@ -18,7 +18,7 @@
return env; return env;
} }
@@ -1299,7 +1301,7 @@ @@ -1305,7 +1307,7 @@
* first in this order). * first in this order).
*/ */
static void static void
@ -27,7 +27,7 @@
{ {
FILE *f = NULL; FILE *f = NULL;
char cmd[1024]; char cmd[1024];
@@ -1353,12 +1355,20 @@ @@ -1359,12 +1361,20 @@
options.xauth_location); options.xauth_location);
f = popen(cmd, "w"); f = popen(cmd, "w");
if (f) { if (f) {
@ -48,7 +48,7 @@
} else { } else {
fprintf(stderr, "Could not run %s\n", fprintf(stderr, "Could not run %s\n",
cmd); cmd);
@@ -1644,6 +1654,7 @@ @@ -1650,6 +1660,7 @@
{ {
extern char **environ; extern char **environ;
char **env; char **env;
@ -56,7 +56,7 @@
char *argv[ARGV_MAX]; char *argv[ARGV_MAX];
const char *shell, *shell0, *hostname = NULL; const char *shell, *shell0, *hostname = NULL;
struct passwd *pw = s->pw; struct passwd *pw = s->pw;
@@ -1710,7 +1721,7 @@ @@ -1716,7 +1727,7 @@
* Make sure $SHELL points to the shell from the password file, * Make sure $SHELL points to the shell from the password file,
* even if shell is overridden from login.conf * even if shell is overridden from login.conf
*/ */
@ -65,7 +65,7 @@
#ifdef HAVE_LOGIN_CAP #ifdef HAVE_LOGIN_CAP
shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell); shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell);
@@ -1778,7 +1789,7 @@ @@ -1784,7 +1795,7 @@
closefrom(STDERR_FILENO + 1); closefrom(STDERR_FILENO + 1);
if (!options.use_login) if (!options.use_login)

3
openssh-5.2p1.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:5de561b64b659e21d66b4f1c04690e94f922f3f5fb3f070e81fbd8f9f4403de8
size 816819

View File

@ -1,3 +1,8 @@
-------------------------------------------------------------------
Mon Feb 23 17:27:22 CET 2009 - anicka@suse.cz
- update to 5.2p1
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Apr 9 14:35:42 CEST 2008 - anicka@suse.cz Wed Apr 9 14:35:42 CEST 2008 - anicka@suse.cz

View File

@ -1,7 +1,7 @@
# #
# spec file for package openssh-askpass-gnome (Version 5.1p1) # spec file for package openssh-askpass-gnome (Version 5.2p1)
# #
# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany. # Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -22,8 +22,8 @@ Name: openssh-askpass-gnome
BuildRequires: gtk2-devel krb5-devel opensc-devel openssh openssl-devel pam-devel tcpd-devel update-desktop-files BuildRequires: gtk2-devel krb5-devel opensc-devel openssh openssl-devel pam-devel tcpd-devel update-desktop-files
License: BSD 3-Clause License: BSD 3-Clause
Group: Productivity/Networking/SSH Group: Productivity/Networking/SSH
Version: 5.1p1 Version: 5.2p1
Release: 41 Release: 1
Requires: openssh = %{version} openssh-askpass = %{version} Requires: openssh = %{version} openssh-askpass = %{version}
AutoReqProv: on AutoReqProv: on
Summary: A GNOME-Based Passphrase Dialog for OpenSSH Summary: A GNOME-Based Passphrase Dialog for OpenSSH
@ -118,6 +118,8 @@ rm -rf $RPM_BUILD_ROOT
%attr(0755,root,root) /usr/%_lib/ssh/gnome-ssh-askpass %attr(0755,root,root) /usr/%_lib/ssh/gnome-ssh-askpass
%changelog %changelog
* Mon Feb 23 2009 anicka@suse.cz
- update to 5.2p1
* Wed Apr 09 2008 anicka@suse.cz * Wed Apr 09 2008 anicka@suse.cz
- update to 5.0p1 - update to 5.0p1
* Wed Apr 02 2008 anicka@suse.cz * Wed Apr 02 2008 anicka@suse.cz

View File

@ -1,3 +1,57 @@
-------------------------------------------------------------------
Mon Feb 23 17:27:45 CET 2009 - anicka@suse.cz
- update to 5.2p1
* This release changes the default cipher order to prefer the AES CTR
modes and the revised "arcfour256" mode to CBC mode ciphers that are
susceptible to CPNI-957037 "Plaintext Recovery Attack Against SSH".
* This release also adds countermeasures to mitigate CPNI-957037-style
attacks against the SSH protocol's use of CBC-mode ciphers. Upon
detection of an invalid packet length or Message Authentication
Code, ssh/sshd will continue reading up to the maximum supported
packet length rather than immediately terminating the connection.
This eliminates most of the known differences in behaviour that
leaked information about the plaintext of injected data which formed
the basis of this attack. We believe that these attacks are rendered
infeasible by these changes.
* Added a -y option to ssh(1) to force logging to syslog rather than
stderr, which is useful when running daemonised (ssh -f)
* The sshd_config(5) ForceCommand directive now accepts commandline
arguments for the internal-sftp server.
* The ssh(1) ~C escape commandline now support runtime creation of
dynamic (-D) port forwards.
* Support the SOCKS4A protocol in ssh(1) dynamic (-D) forwards.
(bz#1482)
* Support remote port forwarding with a listen port of '0'. This
informs the server that it should dynamically allocate a listen
port and report it back to the client. (bz#1003)
* sshd(8) now supports setting PermitEmptyPasswords and
AllowAgentForwarding in Match blocks
* Repair a ssh(1) crash introduced in openssh-5.1 when the client is
sent a zero-length banner (bz#1496)
* Due to interoperability problems with certain
broken SSH implementations, the eow@openssh.com and
no-more-sessions@openssh.com protocol extensions are now only sent
to peers that identify themselves as OpenSSH.
* Make ssh(1) send the correct channel number for
SSH2_MSG_CHANNEL_SUCCESS and SSH2_MSG_CHANNEL_FAILURE messages to
avoid triggering 'Non-public channel' error messages on sshd(8) in
openssh-5.1.
* Avoid printing 'Non-public channel' warnings in sshd(8), since the
ssh(1) has sent incorrect channel numbers since ~2004 (this reverts
a behaviour introduced in openssh-5.1).
* Avoid double-free in ssh(1) ~C escape -L handler (bz#1539)
* Correct fail-on-error behaviour in sftp(1) batchmode for remote
stat operations. (bz#1541)
* Disable nonfunctional ssh(1) ~C escape handler in multiplex slave
connections. (bz#1543)
* Avoid hang in ssh(1) when attempting to connect to a server that
has MaxSessions=0 set.
* Multiple fixes to sshd(8) configuration test (-T) mode
* Several core and portable OpenSSH bugs fixed: 1380, 1412, 1418,
1419, 1421, 1490, 1491, 1492, 1514, 1515, 1518, 1520, 1538, 1540
* Many manual page improvements.
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Dec 1 15:43:14 CET 2008 - anicka@suse.cz Mon Dec 1 15:43:14 CET 2008 - anicka@suse.cz

View File

@ -1,7 +1,7 @@
# #
# spec file for package openssh (Version 5.1p1) # spec file for package openssh (Version 5.2p1)
# #
# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany. # Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -37,8 +37,8 @@ Requires: /bin/netstat
PreReq: /usr/sbin/groupadd /usr/sbin/useradd %insserv_prereq %fillup_prereq /bin/mkdir /bin/cat permissions PreReq: /usr/sbin/groupadd /usr/sbin/useradd %insserv_prereq %fillup_prereq /bin/mkdir /bin/cat permissions
Conflicts: nonfreessh Conflicts: nonfreessh
AutoReqProv: on AutoReqProv: on
Version: 5.1p1 Version: 5.2p1
Release: 41 Release: 1
%define xversion 1.2.4.1 %define xversion 1.2.4.1
Summary: Secure Shell Client and Server (Remote Login Program) Summary: Secure Shell Client and Server (Remote Login Program)
Url: http://www.openssh.com/ Url: http://www.openssh.com/
@ -70,7 +70,6 @@ Patch43: %{name}-%{version}-default-protocol.diff
Patch44: %{name}-%{version}-audit.patch Patch44: %{name}-%{version}-audit.patch
Patch45: %{name}-%{version}-pts.diff Patch45: %{name}-%{version}-pts.diff
Patch46: %{name}-%{version}-pam-fix4.diff Patch46: %{name}-%{version}-pam-fix4.diff
Patch47: %{name}-%{version}-strnvis.diff
Patch48: %{name}-%{version}-forwards.diff Patch48: %{name}-%{version}-forwards.diff
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
@ -162,7 +161,6 @@ Authors:
%patch44 -p1 %patch44 -p1
%patch45 %patch45
%patch46 -p1 %patch46 -p1
%patch47
%patch48 %patch48
cp -v %{SOURCE4} . cp -v %{SOURCE4} .
cp -v %{SOURCE6} . cp -v %{SOURCE6} .
@ -294,7 +292,7 @@ rm -rf $RPM_BUILD_ROOT
%attr(0755,root,root) /usr/%_lib/ssh/sftp-server %attr(0755,root,root) /usr/%_lib/ssh/sftp-server
%attr(0755,root,root) /usr/%_lib/ssh/ssh-keysign %attr(0755,root,root) /usr/%_lib/ssh/ssh-keysign
%dir /etc/slp.reg.d %dir /etc/slp.reg.d
/etc/slp.reg.d/ssh.reg %config /etc/slp.reg.d/ssh.reg
/var/adm/fillup-templates/sysconfig.ssh /var/adm/fillup-templates/sysconfig.ssh
%config %{_fwdefdir}/sshd %config %{_fwdefdir}/sshd
@ -304,9 +302,60 @@ rm -rf $RPM_BUILD_ROOT
%attr(0755,root,root) /usr/%_lib/ssh/x11-ssh-askpass %attr(0755,root,root) /usr/%_lib/ssh/x11-ssh-askpass
%doc %_mandir/man1/ssh-askpass.1x.gz %doc %_mandir/man1/ssh-askpass.1x.gz
%doc %_mandir/man1/x11-ssh-askpass.1x.gz %doc %_mandir/man1/x11-ssh-askpass.1x.gz
%config %_appdefdir/SshAskpass %_appdefdir/SshAskpass
%changelog %changelog
* Mon Feb 23 2009 anicka@suse.cz
- update to 5.2p1
* This release changes the default cipher order to prefer the AES CTR
modes and the revised "arcfour256" mode to CBC mode ciphers that are
susceptible to CPNI-957037 "Plaintext Recovery Attack Against SSH".
* This release also adds countermeasures to mitigate CPNI-957037-style
attacks against the SSH protocol's use of CBC-mode ciphers. Upon
detection of an invalid packet length or Message Authentication
Code, ssh/sshd will continue reading up to the maximum supported
packet length rather than immediately terminating the connection.
This eliminates most of the known differences in behaviour that
leaked information about the plaintext of injected data which formed
the basis of this attack. We believe that these attacks are rendered
infeasible by these changes.
* Added a -y option to ssh(1) to force logging to syslog rather than
stderr, which is useful when running daemonised (ssh -f)
* The sshd_config(5) ForceCommand directive now accepts commandline
arguments for the internal-sftp server.
* The ssh(1) ~C escape commandline now support runtime creation of
dynamic (-D) port forwards.
* Support the SOCKS4A protocol in ssh(1) dynamic (-D) forwards.
(bz#1482)
* Support remote port forwarding with a listen port of '0'. This
informs the server that it should dynamically allocate a listen
port and report it back to the client. (bz#1003)
* sshd(8) now supports setting PermitEmptyPasswords and
AllowAgentForwarding in Match blocks
* Repair a ssh(1) crash introduced in openssh-5.1 when the client is
sent a zero-length banner (bz#1496)
* Due to interoperability problems with certain
broken SSH implementations, the eow@openssh.com and
no-more-sessions@openssh.com protocol extensions are now only sent
to peers that identify themselves as OpenSSH.
* Make ssh(1) send the correct channel number for
SSH2_MSG_CHANNEL_SUCCESS and SSH2_MSG_CHANNEL_FAILURE messages to
avoid triggering 'Non-public channel' error messages on sshd(8) in
openssh-5.1.
* Avoid printing 'Non-public channel' warnings in sshd(8), since the
ssh(1) has sent incorrect channel numbers since ~2004 (this reverts
a behaviour introduced in openssh-5.1).
* Avoid double-free in ssh(1) ~C escape -L handler (bz#1539)
* Correct fail-on-error behaviour in sftp(1) batchmode for remote
stat operations. (bz#1541)
* Disable nonfunctional ssh(1) ~C escape handler in multiplex slave
connections. (bz#1543)
* Avoid hang in ssh(1) when attempting to connect to a server that
has MaxSessions=0 set.
* Multiple fixes to sshd(8) configuration test (-T) mode
* Several core and portable OpenSSH bugs fixed: 1380, 1412, 1418,
1419, 1421, 1490, 1491, 1492, 1514, 1515, 1518, 1520, 1538, 1540
* Many manual page improvements.
* Mon Dec 01 2008 anicka@suse.cz * Mon Dec 01 2008 anicka@suse.cz
- respect SSH_MAX_FORWARDS_PER_DIRECTION (bnc#448775) - respect SSH_MAX_FORWARDS_PER_DIRECTION (bnc#448775)
* Mon Nov 10 2008 anicka@suse.cz * Mon Nov 10 2008 anicka@suse.cz