pool/openssh
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 1150500 from home:hpjansson:branches:network

Browse Source 
- Update to openssh 9.6p1:
  * No changes for askpass, see main package changelog for
    details.

- Update to openssh 9.6p1:
  = Security
  * ssh(1), sshd(8): implement protocol extensions to thwart the
    so-called "Terrapin attack" discovered by Fabian Bäumer, Marcus
    Brinkmann and Jörg Schwenk. This attack allows a MITM to effect a
    limited break of the integrity of the early encrypted SSH transport
    protocol by sending extra messages prior to the commencement of
    encryption, and deleting an equal number of consecutive messages
    immediately after encryption starts. A peer SSH client/server
    would not be able to detect that messages were deleted.
  * ssh-agent(1): when adding PKCS#11-hosted private keys while
    specifying destination constraints, if the PKCS#11 token returned
    multiple keys then only the first key had the constraints applied.
    Use of regular private keys, FIDO tokens and unconstrained keys
    are unaffected.
  * ssh(1): if an invalid user or hostname that contained shell
    metacharacters was passed to ssh(1), and a ProxyCommand,
    LocalCommand directive or "match exec" predicate referenced the
    user or hostname via %u, %h or similar expansion token, then
    an attacker who could supply arbitrary user/hostnames to ssh(1)
    could potentially perform command injection depending on what
    quoting was present in the user-supplied ssh_config(5) directive.
  = Potentially incompatible changes
  * ssh(1), sshd(8): the RFC4254 connection/channels protocol provides
    a TCP-like window mechanism that limits the amount of data that
    can be sent without acceptance from the peer. In cases where this

OBS-URL: https://build.opensuse.org/request/show/1150500
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=255
This commit is contained in:
Hans Petter Jansson 2024-02-25 18:43:17 +00:00 committed by Git OBS Bridge
parent 9778084948
commit b3ff99ae3c
14 changed files with 639 additions and 855 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
cb4ed12f.patch
View File

@ -1,23 +0,0 @@
From cb4ed12ffc332d1f72d054ed92655b5f1c38f621 Mon Sep 17 00:00:00 2001
From: Darren Tucker <dtucker@dtucker.net>
Date: Sat, 19 Aug 2023 07:39:08 +1000
Subject: [PATCH] Fix zlib version check for 1.3 and future version.
bz#3604.
---
configure.ac | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index 07893e87065..e3128dfcbb4 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1464,7 +1464,7 @@ else
[[
int a=0, b=0, c=0, d=0, n, v;
n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d);
- if (n != 3 && n != 4)
+ if (n < 1)
exit(1);
v = a*1000000 + b*10000 + c*100 + d;
fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v);

31
openssh-6.6.1p1-selinux-contexts.patch
View File

@ -1,7 +1,7 @@
Index: openssh-9.3p2/openbsd-compat/port-linux-sshd.c
Index: openssh-9.6p1/openbsd-compat/port-linux-sshd.c
===================================================================
--- openssh-9.3p2.orig/openbsd-compat/port-linux-sshd.c
+++ openssh-9.3p2/openbsd-compat/port-linux-sshd.c
--- openssh-9.6p1.orig/openbsd-compat/port-linux-sshd.c
+++ openssh-9.6p1/openbsd-compat/port-linux-sshd.c
@@ -33,6 +33,7 @@
#include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */
#include "servconf.h"
@ -92,23 +92,10 @@ Index: openssh-9.3p2/openbsd-compat/port-linux-sshd.c
#endif
#endif
Index: openssh-9.3p2/openbsd-compat/port-linux.c
Index: openssh-9.6p1/openbsd-compat/port-linux.h
===================================================================
--- openssh-9.3p2.orig/openbsd-compat/port-linux.c
+++ openssh-9.3p2/openbsd-compat/port-linux.c
@@ -182,7 +182,7 @@ ssh_selinux_change_context(const char *n
strlcpy(newctx + len, newname, newlen - len);
if ((cx = index(cx + 1, ':')))
strlcat(newctx, cx, newlen);
- debug3("%s: setting context from '%s' to '%s'", __func__,
+ debug_f("setting context from '%s' to '%s'",
oldctx, newctx);
if (setcon(newctx) < 0)
do_log2(log_level, "%s: setcon %s from %s failed with %s",
Index: openssh-9.3p2/openbsd-compat/port-linux.h
===================================================================
--- openssh-9.3p2.orig/openbsd-compat/port-linux.h
+++ openssh-9.3p2/openbsd-compat/port-linux.h
--- openssh-9.6p1.orig/openbsd-compat/port-linux.h
+++ openssh-9.6p1/openbsd-compat/port-linux.h
@@ -27,6 +27,7 @@ int sshd_selinux_enabled(void);
void sshd_selinux_copy_context(void);
void sshd_selinux_setup_exec_context(char *);
@ -117,10 +104,10 @@ Index: openssh-9.3p2/openbsd-compat/port-linux.h
#endif
#ifdef LINUX_OOM_ADJUST
Index: openssh-9.3p2/sshd.c
Index: openssh-9.6p1/sshd.c
===================================================================
--- openssh-9.3p2.orig/sshd.c
+++ openssh-9.3p2/sshd.c
--- openssh-9.6p1.orig/sshd.c
+++ openssh-9.6p1/sshd.c
@@ -511,7 +511,7 @@ privsep_preauth_child(struct ssh *ssh)
demote_sensitive_data(ssh);

173
openssh-7.7p1-fips.patch
View File

@ -3,11 +3,11 @@
FIPS 140-2 compliance. Perform selftests on start and use only FIPS approved
algorithms.
Index: openssh-8.8p1/Makefile.in
Index: openssh-9.6p1/Makefile.in
===================================================================
--- openssh-8.8p1.orig/Makefile.in
+++ openssh-8.8p1/Makefile.in
@@ -113,6 +113,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
--- openssh-9.6p1.orig/Makefile.in
+++ openssh-9.6p1/Makefile.in
@@ -115,6 +115,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
SKOBJS= ssh-sk-client.o
@ -16,32 +16,10 @@ Index: openssh-8.8p1/Makefile.in
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
sshconnect.o sshconnect2.o mux.o $(SKOBJS)
#Index: openssh-8.8p1/cipher-ctr.c
#===================================================================
#--- openssh-8.8p1.orig/cipher-ctr.c
#+++ openssh-8.8p1/cipher-ctr.c
#@@ -27,6 +27,8 @@
# #include "xmalloc.h"
# #include "log.h"
#
#+#include "fips.h"
#+
# /* compatibility with old or broken OpenSSL versions */
# #include "openbsd-compat/openssl-compat.h"
#
#@@ -139,6 +141,8 @@ evp_aes_128_ctr(void)
# #ifndef SSH_OLD_EVP
# aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
# EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
#+ if (fips_mode())
#+ aes_ctr.flags |= EVP_CIPH_FLAG_FIPS;
# #endif
# return (&aes_ctr);
# }
Index: openssh-8.8p1/cipher.c
Index: openssh-9.6p1/cipher.c
===================================================================
--- openssh-8.8p1.orig/cipher.c
+++ openssh-8.8p1/cipher.c
--- openssh-9.6p1.orig/cipher.c
+++ openssh-9.6p1/cipher.c
@@ -51,6 +51,9 @@
#include "openbsd-compat/openssl-compat.h"
@ -61,7 +39,7 @@ Index: openssh-8.8p1/cipher.c
#ifdef WITH_OPENSSL
#ifndef OPENSSL_NO_DES
{ "3des-cbc", 8, 24, 0, 0, CFLAG_CBC, EVP_des_ede3_cbc },
@@ -112,8 +115,52 @@ static const struct sshcipher ciphers[]
@@ -110,8 +113,52 @@ static const struct sshcipher ciphers[]
{ NULL, 0, 0, 0, 0, 0, NULL }
};
@ -114,7 +92,7 @@ Index: openssh-8.8p1/cipher.c
/* Returns a comma-separated list of supported ciphers. */
char *
cipher_alg_list(char sep, int auth_only)
@@ -122,7 +169,7 @@ cipher_alg_list(char sep, int auth_only)
@@ -120,7 +167,7 @@ cipher_alg_list(char sep, int auth_only)
size_t nlen, rlen = 0;
const struct sshcipher *c;
@ -123,7 +101,7 @@ Index: openssh-8.8p1/cipher.c
if ((c->flags & CFLAG_INTERNAL) != 0)
continue;
if (auth_only && c->auth_len == 0)
@@ -205,7 +252,7 @@ const struct sshcipher *
@@ -203,7 +250,7 @@ const struct sshcipher *
cipher_by_name(const char *name)
{
const struct sshcipher *c;
@ -132,10 +110,10 @@ Index: openssh-8.8p1/cipher.c
if (strcmp(c->name, name) == 0)
return c;
return NULL;
Index: openssh-8.8p1/fips.c
Index: openssh-9.6p1/fips.c
===================================================================
--- /dev/null
+++ openssh-8.8p1/fips.c
+++ openssh-9.6p1/fips.c
@@ -0,0 +1,212 @@
+/*
+ * Copyright (c) 2012 Petr Cerny. All rights reserved.
@ -349,10 +327,10 @@ Index: openssh-8.8p1/fips.c
+ return dgst;
+}
+
Index: openssh-8.8p1/fips.h
Index: openssh-9.6p1/fips.h
===================================================================
--- /dev/null
+++ openssh-8.8p1/fips.h
+++ openssh-9.6p1/fips.h
@@ -0,0 +1,44 @@
+/*
+ * Copyright (c) 2012 Petr Cerny. All rights reserved.
@ -398,10 +376,10 @@ Index: openssh-8.8p1/fips.h
+
+#endif
+
Index: openssh-8.8p1/hmac.c
Index: openssh-9.6p1/hmac.c
===================================================================
--- openssh-8.8p1.orig/hmac.c
+++ openssh-8.8p1/hmac.c
--- openssh-9.6p1.orig/hmac.c
+++ openssh-9.6p1/hmac.c
@@ -145,7 +145,7 @@ hmac_test(void *key, size_t klen, void *
size_t i;
u_char digest[16];
@ -411,20 +389,20 @@ Index: openssh-8.8p1/hmac.c
printf("ssh_hmac_start failed");
if (ssh_hmac_init(ctx, key, klen) < 0 ||
ssh_hmac_update(ctx, m, mlen) < 0 ||
Index: openssh-8.8p1/kex.c
Index: openssh-9.6p1/kex.c
===================================================================
--- openssh-8.8p1.orig/kex.c
+++ openssh-8.8p1/kex.c
@@ -62,6 +62,8 @@
--- openssh-9.6p1.orig/kex.c
+++ openssh-9.6p1/kex.c
@@ -64,6 +64,8 @@
#include "digest.h"
#include "xmalloc.h"
+#include "fips.h"
+
/* prototype */
static int kex_choose_conf(struct ssh *);
static int kex_choose_conf(struct ssh *, uint32_t seq);
static int kex_input_newkeys(int, u_int32_t, struct ssh *);
@@ -85,7 +87,7 @@ struct kexalg {
@@ -87,7 +89,7 @@ struct kexalg {
int ec_nid;
int hash_alg;
};
@ -433,7 +411,7 @@ Index: openssh-8.8p1/kex.c
#ifdef WITH_OPENSSL
{ KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
{ KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
@@ -118,6 +120,47 @@ static const struct kexalg kexalgs[] = {
@@ -120,6 +122,47 @@ static const struct kexalg kexalgs[] = {
{ NULL, 0, -1, -1},
};
@ -481,7 +459,7 @@ Index: openssh-8.8p1/kex.c
char *
kex_alg_list(char sep)
{
@@ -125,7 +168,7 @@ kex_alg_list(char sep)
@@ -127,7 +170,7 @@ kex_alg_list(char sep)
size_t nlen, rlen = 0;
const struct kexalg *k;
@ -490,7 +468,7 @@ Index: openssh-8.8p1/kex.c
if (ret != NULL)
ret[rlen++] = sep;
nlen = strlen(k->name);
@@ -145,7 +188,7 @@ kex_alg_by_name(const char *name)
@@ -147,7 +190,7 @@ kex_alg_by_name(const char *name)
{
const struct kexalg *k;
@ -499,7 +477,7 @@ Index: openssh-8.8p1/kex.c
if (strcmp(k->name, name) == 0)
return k;
}
@@ -165,7 +208,10 @@ kex_names_valid(const char *names)
@@ -167,7 +210,10 @@ kex_names_valid(const char *names)
for ((p = strsep(&cp, ",")); p && *p != '\0';
(p = strsep(&cp, ","))) {
if (kex_alg_by_name(p) == NULL) {
@ -510,10 +488,10 @@ Index: openssh-8.8p1/kex.c
free(s);
return 0;
}
Index: openssh-8.8p1/mac.c
Index: openssh-9.6p1/mac.c
===================================================================
--- openssh-8.8p1.orig/mac.c
+++ openssh-8.8p1/mac.c
--- openssh-9.6p1.orig/mac.c
+++ openssh-9.6p1/mac.c
@@ -41,6 +41,9 @@
#include "openbsd-compat/openssl-compat.h"
@ -593,11 +571,11 @@ Index: openssh-8.8p1/mac.c
if (strcmp(name, m->name) != 0)
continue;
if (mac != NULL)
Index: openssh-8.8p1/readconf.c
Index: openssh-9.6p1/readconf.c
===================================================================
--- openssh-8.8p1.orig/readconf.c
+++ openssh-8.8p1/readconf.c
@@ -68,6 +68,8 @@
--- openssh-9.6p1.orig/readconf.c
+++ openssh-9.6p1/readconf.c
@@ -71,6 +71,8 @@
#include "myproposal.h"
#include "digest.h"
@ -606,7 +584,7 @@ Index: openssh-8.8p1/readconf.c
/* Format of the configuration file:
# Configuration data is parsed as follows:
@@ -2307,6 +2309,23 @@ config_has_permitted_cnames(Options *opt
@@ -2478,6 +2480,23 @@ config_has_permitted_cnames(Options *opt
return options->num_permitted_cnames > 0;
}
@ -630,7 +608,7 @@ Index: openssh-8.8p1/readconf.c
/*
* Initializes options to special values that indicate that they have not yet
* been set. Read_config_file will only set options with this value. Options
@@ -2618,6 +2637,9 @@ fill_default_options(Options * options)
@@ -2796,6 +2815,9 @@ fill_default_options(Options * options)
options->canonicalize_hostname = SSH_CANONICALISE_NO;
if (options->fingerprint_hash == -1)
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
@ -640,7 +618,7 @@ Index: openssh-8.8p1/readconf.c
#ifdef ENABLE_SK_INTERNAL
if (options->sk_provider == NULL)
options->sk_provider = xstrdup("internal");
@@ -2654,6 +2676,8 @@ fill_default_options(Options * options)
@@ -2840,6 +2862,8 @@ fill_default_options(Options * options)
ASSEMBLE(ca_sign_algorithms, def_sig, all_sig);
#undef ASSEMBLE
@ -649,23 +627,23 @@ Index: openssh-8.8p1/readconf.c
#define CLEAR_ON_NONE(v) \
do { \
if (option_clear_or_none(v)) { \
Index: openssh-8.8p1/readconf.h
Index: openssh-9.6p1/readconf.h
===================================================================
--- openssh-8.8p1.orig/readconf.h
+++ openssh-8.8p1/readconf.h
@@ -212,6 +212,7 @@ typedef struct {
#define SSH_STRICT_HOSTKEY_YES 2
#define SSH_STRICT_HOSTKEY_ASK 3
--- openssh-9.6p1.orig/readconf.h
+++ openssh-9.6p1/readconf.h
@@ -231,6 +231,7 @@ typedef struct {
#define SSH_KEYSTROKE_CHAFF_MIN_MS 1024
#define SSH_KEYSTROKE_CHAFF_RNG_MS 2048
+void filter_fips_algorithms(Options *o);
const char *kex_default_pk_alg(void);
char *ssh_connection_hash(const char *thishost, const char *host,
const char *portstr, const char *user);
Index: openssh-8.8p1/servconf.c
const char *portstr, const char *user, const char *jump_host);
Index: openssh-9.6p1/servconf.c
===================================================================
--- openssh-8.8p1.orig/servconf.c
+++ openssh-8.8p1/servconf.c
@@ -70,6 +70,7 @@
--- openssh-9.6p1.orig/servconf.c
+++ openssh-9.6p1/servconf.c
@@ -68,6 +68,7 @@
#include "auth.h"
#include "myproposal.h"
#include "digest.h"
@ -673,7 +651,7 @@ Index: openssh-8.8p1/servconf.c
static void add_listen_addr(ServerOptions *, const char *,
const char *, int);
@@ -205,6 +206,23 @@ option_clear_or_none(const char *o)
@@ -207,6 +208,23 @@ option_clear_or_none(const char *o)
return o == NULL || strcasecmp(o, "none") == 0;
}
@ -697,7 +675,7 @@ Index: openssh-8.8p1/servconf.c
static void
assemble_algorithms(ServerOptions *o)
{
@@ -246,6 +264,8 @@ assemble_algorithms(ServerOptions *o)
@@ -248,6 +266,8 @@ assemble_algorithms(ServerOptions *o)
free(def_kex);
free(def_key);
free(def_sig);
@ -706,7 +684,7 @@ Index: openssh-8.8p1/servconf.c
}
void
@@ -438,6 +458,8 @@ fill_default_server_options(ServerOption
@@ -440,6 +460,8 @@ fill_default_server_options(ServerOption
options->fwd_opts.streamlocal_bind_unlink = 0;
if (options->fingerprint_hash == -1)
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
@ -715,20 +693,20 @@ Index: openssh-8.8p1/servconf.c
if (options->disable_forwarding == -1)
options->disable_forwarding = 0;
if (options->expose_userauth_info == -1)
Index: openssh-8.8p1/ssh-keygen.c
Index: openssh-9.6p1/ssh-keygen.c
===================================================================
--- openssh-8.8p1.orig/ssh-keygen.c
+++ openssh-8.8p1/ssh-keygen.c
@@ -67,6 +67,8 @@
#include "sk-api.h" /* XXX for SSH_SK_USER_PRESENCE_REQD; remove */
#include "cipher.h"
--- openssh-9.6p1.orig/ssh-keygen.c
+++ openssh-9.6p1/ssh-keygen.c
@@ -18,6 +18,8 @@
#include <sys/socket.h>
#include <sys/stat.h>
+#include "fips.h"
+
#ifdef WITH_OPENSSL
# define DEFAULT_KEY_TYPE_NAME "rsa"
#else
@@ -1037,11 +1039,13 @@ do_fingerprint(struct passwd *pw)
#include <openssl/evp.h>
#include <openssl/pem.h>
@@ -1040,11 +1042,13 @@ do_fingerprint(struct passwd *pw)
static void
do_gen_all_hostkeys(struct passwd *pw)
{
@ -744,8 +722,7 @@ Index: openssh-8.8p1/ssh-keygen.c
#ifdef WITH_OPENSSL
{ "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE },
#ifdef OPENSSL_HAS_ECC
# { "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE },
@@ -1056,6 +1060,17 @@ do_gen_all_hostkeys(struct passwd *pw)
@@ -1058,6 +1062,17 @@ do_gen_all_hostkeys(struct passwd *pw)
{ NULL, NULL, NULL }
};
@ -763,7 +740,7 @@ Index: openssh-8.8p1/ssh-keygen.c
u_int32_t bits = 0;
int first = 0;
struct stat st;
@@ -1063,6 +1078,12 @@ do_gen_all_hostkeys(struct passwd *pw)
@@ -1065,6 +1080,12 @@ do_gen_all_hostkeys(struct passwd *pw)
char comment[1024], *prv_tmp, *pub_tmp, *prv_file, *pub_file;
int i, type, fd, r;
@ -776,7 +753,7 @@ Index: openssh-8.8p1/ssh-keygen.c
for (i = 0; key_types[i].key_type; i++) {
public = private = NULL;
prv_tmp = pub_tmp = prv_file = pub_file = NULL;
@@ -3620,6 +3641,15 @@ main(int argc, char **argv)
@@ -3794,6 +3815,15 @@ main(int argc, char **argv)
key_type_name = DEFAULT_KEY_TYPE_NAME;
type = sshkey_type_from_name(key_type_name);
@ -792,11 +769,11 @@ Index: openssh-8.8p1/ssh-keygen.c
type_bits_valid(type, key_type_name, &bits);
if (!quiet)
Index: openssh-8.8p1/ssh_config.5
Index: openssh-9.6p1/ssh_config.5
===================================================================
--- openssh-8.8p1.orig/ssh_config.5
+++ openssh-8.8p1/ssh_config.5
@@ -736,6 +736,8 @@ The argument to this keyword must be
--- openssh-9.6p1.orig/ssh_config.5
+++ openssh-9.6p1/ssh_config.5
@@ -831,6 +831,8 @@ The argument to this keyword must be
option) or
.Cm no
(the default).
@ -805,11 +782,11 @@ Index: openssh-8.8p1/ssh_config.5
.It Cm ForwardAgent
Specifies whether the connection to the authentication agent (if any)
will be forwarded to the remote machine.
Index: openssh-8.8p1/sshd.c
Index: openssh-9.6p1/sshd.c
===================================================================
--- openssh-8.8p1.orig/sshd.c
+++ openssh-8.8p1/sshd.c
@@ -126,6 +126,8 @@
--- openssh-9.6p1.orig/sshd.c
+++ openssh-9.6p1/sshd.c
@@ -128,6 +128,8 @@
#include "srclimit.h"
#include "dh.h"
@ -818,11 +795,11 @@ Index: openssh-8.8p1/sshd.c
/* Re-exec fds */
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
Index: openssh-8.8p1/sshd_config.5
Index: openssh-9.6p1/sshd_config.5
===================================================================
--- openssh-8.8p1.orig/sshd_config.5
+++ openssh-8.8p1/sshd_config.5
@@ -600,6 +600,8 @@ and
--- openssh-9.6p1.orig/sshd_config.5
+++ openssh-9.6p1/sshd_config.5
@@ -681,6 +681,8 @@ and
.Cm sha256 .
The default is
.Cm sha256 .

148
openssh-7.8p1-role-mls.patch
View File

@ -1,8 +1,8 @@
Index: openssh-9.3p2/auth2.c
Index: openssh-9.6p1/auth2.c
===================================================================
--- openssh-9.3p2.orig/auth2.c
+++ openssh-9.3p2/auth2.c
@@ -262,6 +262,9 @@ input_userauth_request(int type, u_int32
--- openssh-9.6p1.orig/auth2.c
+++ openssh-9.6p1/auth2.c
@@ -273,6 +273,9 @@ input_userauth_request(int type, u_int32
Authctxt *authctxt = ssh->authctxt;
Authmethod *m = NULL;
char *user = NULL, *service = NULL, *method = NULL, *style = NULL;
@ -12,7 +12,7 @@ Index: openssh-9.3p2/auth2.c
int r, authenticated = 0;
double tstart = monotime_double();
@@ -275,6 +278,11 @@ input_userauth_request(int type, u_int32
@@ -286,6 +289,11 @@ input_userauth_request(int type, u_int32
debug("userauth-request for user %s service %s method %s", user, service, method);
debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
@ -24,7 +24,7 @@ Index: openssh-9.3p2/auth2.c
if ((style = strchr(user, ':')) != NULL)
*style++ = 0;
@@ -302,8 +310,15 @@ input_userauth_request(int type, u_int32
@@ -313,8 +321,15 @@ input_userauth_request(int type, u_int32
use_privsep ? " [net]" : "");
authctxt->service = xstrdup(service);
authctxt->style = style ? xstrdup(style) : NULL;
@ -39,13 +39,13 @@ Index: openssh-9.3p2/auth2.c
+#endif
+ }
userauth_banner(ssh);
if (auth2_setup_methods_lists(authctxt) != 0)
ssh_packet_disconnect(ssh,
Index: openssh-9.3p2/auth2-gss.c
if ((r = kex_server_update_ext_info(ssh)) != 0)
fatal_fr(r, "kex_server_update_ext_info failed");
Index: openssh-9.6p1/auth2-gss.c
===================================================================
--- openssh-9.3p2.orig/auth2-gss.c
+++ openssh-9.3p2/auth2-gss.c
@@ -325,6 +325,7 @@ input_gssapi_mic(int type, u_int32_t ple
--- openssh-9.6p1.orig/auth2-gss.c
+++ openssh-9.6p1/auth2-gss.c
@@ -331,6 +331,7 @@ input_gssapi_mic(int type, u_int32_t ple
Authctxt *authctxt = ssh->authctxt;
Gssctxt *gssctxt;
int r, authenticated = 0;
@ -53,7 +53,7 @@ Index: openssh-9.3p2/auth2-gss.c
struct sshbuf *b;
gss_buffer_desc mic, gssbuf;
const char *displayname;
@@ -342,7 +343,13 @@ input_gssapi_mic(int type, u_int32_t ple
@@ -348,7 +349,13 @@ input_gssapi_mic(int type, u_int32_t ple
fatal_f("sshbuf_new failed");
mic.value = p;
mic.length = len;
@ -68,7 +68,7 @@ Index: openssh-9.3p2/auth2-gss.c
"gssapi-with-mic", ssh->kex->session_id);
if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
@@ -356,6 +363,8 @@ input_gssapi_mic(int type, u_int32_t ple
@@ -362,6 +369,8 @@ input_gssapi_mic(int type, u_int32_t ple
logit("GSSAPI MIC check failed");
sshbuf_free(b);
@ -77,10 +77,10 @@ Index: openssh-9.3p2/auth2-gss.c
free(mic.value);
if ((!use_privsep || mm_is_monitor()) &&
Index: openssh-9.3p2/auth2-hostbased.c
Index: openssh-9.6p1/auth2-hostbased.c
===================================================================
--- openssh-9.3p2.orig/auth2-hostbased.c
+++ openssh-9.3p2/auth2-hostbased.c
--- openssh-9.6p1.orig/auth2-hostbased.c
+++ openssh-9.6p1/auth2-hostbased.c
@@ -128,7 +128,16 @@ userauth_hostbased(struct ssh *ssh, cons
/* reconstruct packet */
if ((r = sshbuf_put_stringb(b, ssh->kex->session_id)) != 0 ||
@ -98,10 +98,10 @@ Index: openssh-9.3p2/auth2-hostbased.c
(r = sshbuf_put_cstring(b, authctxt->service)) != 0 ||
(r = sshbuf_put_cstring(b, method)) != 0 ||
(r = sshbuf_put_string(b, pkalg, alen)) != 0 ||
Index: openssh-9.3p2/auth2-pubkey.c
Index: openssh-9.6p1/auth2-pubkey.c
===================================================================
--- openssh-9.3p2.orig/auth2-pubkey.c
+++ openssh-9.3p2/auth2-pubkey.c
--- openssh-9.6p1.orig/auth2-pubkey.c
+++ openssh-9.6p1/auth2-pubkey.c
@@ -200,9 +200,16 @@ userauth_pubkey(struct ssh *ssh, const c
goto done;
}
@ -121,10 +121,10 @@ Index: openssh-9.3p2/auth2-pubkey.c
if ((r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
(r = sshbuf_put_cstring(b, userstyle)) != 0 ||
(r = sshbuf_put_cstring(b, authctxt->service)) != 0 ||
Index: openssh-9.3p2/auth.h
Index: openssh-9.6p1/auth.h
===================================================================
--- openssh-9.3p2.orig/auth.h
+++ openssh-9.3p2/auth.h
--- openssh-9.6p1.orig/auth.h
+++ openssh-9.6p1/auth.h
@@ -65,6 +65,9 @@ struct Authctxt {
char *service;
struct passwd *pw; /* set if 'valid' */
@ -135,11 +135,11 @@ Index: openssh-9.3p2/auth.h
/* Method lists for multiple authentication */
char **auth_methods; /* modified from server config */
Index: openssh-9.3p2/auth-pam.c
Index: openssh-9.6p1/auth-pam.c
===================================================================
--- openssh-9.3p2.orig/auth-pam.c
+++ openssh-9.3p2/auth-pam.c
@@ -1240,7 +1240,7 @@ is_pam_session_open(void)
--- openssh-9.6p1.orig/auth-pam.c
+++ openssh-9.6p1/auth-pam.c
@@ -1242,7 +1242,7 @@ is_pam_session_open(void)
* during the ssh authentication process.
*/
int
@ -148,10 +148,10 @@ Index: openssh-9.3p2/auth-pam.c
{
int ret = 1;
char *compound;
Index: openssh-9.3p2/auth-pam.h
Index: openssh-9.6p1/auth-pam.h
===================================================================
--- openssh-9.3p2.orig/auth-pam.h
+++ openssh-9.3p2/auth-pam.h
--- openssh-9.6p1.orig/auth-pam.h
+++ openssh-9.6p1/auth-pam.h
@@ -33,7 +33,7 @@ u_int do_pam_account(void);
void do_pam_session(struct ssh *);
void do_pam_setcred(int );
@ -161,11 +161,11 @@ Index: openssh-9.3p2/auth-pam.h
char ** fetch_pam_environment(void);
char ** fetch_pam_child_environment(void);
void free_pam_environment(char **);
Index: openssh-9.3p2/misc.c
Index: openssh-9.6p1/misc.c
===================================================================
--- openssh-9.3p2.orig/misc.c
+++ openssh-9.3p2/misc.c
@@ -745,6 +745,7 @@ char *
--- openssh-9.6p1.orig/misc.c
+++ openssh-9.6p1/misc.c
@@ -771,6 +771,7 @@ char *
colon(char *cp)
{
int flag = 0;
@ -173,7 +173,7 @@ Index: openssh-9.3p2/misc.c
if (*cp == ':') /* Leading colon is part of file name. */
return NULL;
@@ -760,6 +761,13 @@ colon(char *cp)
@@ -786,6 +787,13 @@ colon(char *cp)
return (cp);
if (*cp == '/')
return NULL;
@ -187,10 +187,10 @@ Index: openssh-9.3p2/misc.c
}
return NULL;
}
Index: openssh-9.3p2/monitor.c
Index: openssh-9.6p1/monitor.c
===================================================================
--- openssh-9.3p2.orig/monitor.c
+++ openssh-9.3p2/monitor.c
--- openssh-9.6p1.orig/monitor.c
+++ openssh-9.6p1/monitor.c
@@ -120,6 +120,9 @@ int mm_answer_sign(struct ssh *, int, st
int mm_answer_pwnamallow(struct ssh *, int, struct sshbuf *);
int mm_answer_auth2_read_banner(struct ssh *, int, struct sshbuf *);
@ -201,7 +201,7 @@ Index: openssh-9.3p2/monitor.c
int mm_answer_authpassword(struct ssh *, int, struct sshbuf *);
int mm_answer_bsdauthquery(struct ssh *, int, struct sshbuf *);
int mm_answer_bsdauthrespond(struct ssh *, int, struct sshbuf *);
@@ -203,6 +206,9 @@ struct mon_table mon_dispatch_proto20[]
@@ -200,6 +203,9 @@ struct mon_table mon_dispatch_proto20[]
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@ -211,7 +211,7 @@ Index: openssh-9.3p2/monitor.c
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
#ifdef USE_PAM
@@ -832,6 +838,9 @@ mm_answer_pwnamallow(struct ssh *ssh, in
@@ -834,6 +840,9 @@ mm_answer_pwnamallow(struct ssh *ssh, in
/* Allow service/style information on the auth context */
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@ -221,7 +221,7 @@ Index: openssh-9.3p2/monitor.c
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
#ifdef USE_PAM
@@ -906,6 +915,26 @@ key_base_type_match(const char *method,
@@ -908,6 +917,26 @@ key_base_type_match(const char *method,
return found;
}
@ -248,7 +248,7 @@ Index: openssh-9.3p2/monitor.c
int
mm_answer_authpassword(struct ssh *ssh, int sock, struct sshbuf *m)
{
@@ -1278,7 +1307,7 @@ monitor_valid_userblob(struct ssh *ssh,
@@ -1280,7 +1309,7 @@ monitor_valid_userblob(struct ssh *ssh,
struct sshbuf *b;
struct sshkey *hostkey = NULL;
const u_char *p;
@ -257,7 +257,7 @@ Index: openssh-9.3p2/monitor.c
size_t len;
u_char type;
int hostbound = 0, r, fail = 0;
@@ -1309,6 +1338,8 @@ monitor_valid_userblob(struct ssh *ssh,
@@ -1311,6 +1340,8 @@ monitor_valid_userblob(struct ssh *ssh,
fail++;
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
fatal_fr(r, "parse userstyle");
@ -266,7 +266,7 @@ Index: openssh-9.3p2/monitor.c
xasprintf(&userstyle, "%s%s%s", authctxt->user,
authctxt->style ? ":" : "",
authctxt->style ? authctxt->style : "");
@@ -1359,7 +1390,7 @@ monitor_valid_hostbasedblob(const u_char
@@ -1361,7 +1392,7 @@ monitor_valid_hostbasedblob(const u_char
{
struct sshbuf *b;
const u_char *p;
@ -275,7 +275,7 @@ Index: openssh-9.3p2/monitor.c
size_t len;
int r, fail = 0;
u_char type;
@@ -1380,6 +1411,8 @@ monitor_valid_hostbasedblob(const u_char
@@ -1382,6 +1413,8 @@ monitor_valid_hostbasedblob(const u_char
fail++;
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
fatal_fr(r, "parse userstyle");
@ -284,10 +284,10 @@ Index: openssh-9.3p2/monitor.c
xasprintf(&userstyle, "%s%s%s", authctxt->user,
authctxt->style ? ":" : "",
authctxt->style ? authctxt->style : "");
Index: openssh-9.3p2/monitor.h
Index: openssh-9.6p1/monitor.h
===================================================================
--- openssh-9.3p2.orig/monitor.h
+++ openssh-9.3p2/monitor.h
--- openssh-9.6p1.orig/monitor.h
+++ openssh-9.6p1/monitor.h
@@ -55,6 +55,10 @@ enum monitor_reqtype {
MONITOR_REQ_GSSCHECKMIC = 48, MONITOR_ANS_GSSCHECKMIC = 49,
MONITOR_REQ_TERM = 50,
@ -299,10 +299,10 @@ Index: openssh-9.3p2/monitor.h
MONITOR_REQ_PAM_START = 100,
MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105,
Index: openssh-9.3p2/monitor_wrap.c
Index: openssh-9.6p1/monitor_wrap.c
===================================================================
--- openssh-9.3p2.orig/monitor_wrap.c
+++ openssh-9.3p2/monitor_wrap.c
--- openssh-9.6p1.orig/monitor_wrap.c
+++ openssh-9.6p1/monitor_wrap.c
@@ -396,6 +396,27 @@ mm_inform_authserv(char *service, char *
sshbuf_free(m);
}
@ -331,10 +331,10 @@ Index: openssh-9.3p2/monitor_wrap.c
/* Do the password authentication */
int
mm_auth_password(struct ssh *ssh, char *password)
Index: openssh-9.3p2/monitor_wrap.h
Index: openssh-9.6p1/monitor_wrap.h
===================================================================
--- openssh-9.3p2.orig/monitor_wrap.h
+++ openssh-9.3p2/monitor_wrap.h
--- openssh-9.6p1.orig/monitor_wrap.h
+++ openssh-9.6p1/monitor_wrap.h
@@ -49,6 +49,9 @@ int mm_sshkey_sign(struct ssh *, struct
const u_char *, size_t, const char *, const char *,
const char *, u_int compat);
@ -345,10 +345,10 @@ Index: openssh-9.3p2/monitor_wrap.h
struct passwd *mm_getpwnamallow(struct ssh *, const char *);
char *mm_auth2_read_banner(void);
int mm_auth_password(struct ssh *, char *);
Index: openssh-9.3p2/openbsd-compat/Makefile.in
Index: openssh-9.6p1/openbsd-compat/Makefile.in
===================================================================
--- openssh-9.3p2.orig/openbsd-compat/Makefile.in
+++ openssh-9.3p2/openbsd-compat/Makefile.in
--- openssh-9.6p1.orig/openbsd-compat/Makefile.in
+++ openssh-9.6p1/openbsd-compat/Makefile.in
@@ -100,7 +100,8 @@ PORTS= port-aix.o \
port-prngd.o \
port-solaris.o \
@ -359,11 +359,11 @@ Index: openssh-9.3p2/openbsd-compat/Makefile.in
.c.o:
$(CC) $(CFLAGS_NOPIE) $(PICFLAG) $(CPPFLAGS) -c $<
Index: openssh-9.3p2/openbsd-compat/port-linux.c
Index: openssh-9.6p1/openbsd-compat/port-linux.c
===================================================================
--- openssh-9.3p2.orig/openbsd-compat/port-linux.c
+++ openssh-9.3p2/openbsd-compat/port-linux.c
@@ -100,37 +100,6 @@ ssh_selinux_getctxbyname(char *pwname)
--- openssh-9.6p1.orig/openbsd-compat/port-linux.c
+++ openssh-9.6p1/openbsd-compat/port-linux.c
@@ -101,37 +101,6 @@ ssh_selinux_getctxbyname(char *pwname)
return sc;
}
@ -401,7 +401,7 @@ Index: openssh-9.3p2/openbsd-compat/port-linux.c
/* Set the TTY context for the specified user */
void
ssh_selinux_setup_pty(char *pwname, const char *tty)
@@ -143,7 +112,11 @@ ssh_selinux_setup_pty(char *pwname, cons
@@ -144,7 +113,11 @@ ssh_selinux_setup_pty(char *pwname, cons
debug3("%s: setting TTY context on %s", __func__, tty);
@ -414,10 +414,10 @@ Index: openssh-9.3p2/openbsd-compat/port-linux.c
/* XXX: should these calls fatal() upon failure in enforcing mode? */
Index: openssh-9.3p2/openbsd-compat/port-linux.h
Index: openssh-9.6p1/openbsd-compat/port-linux.h
===================================================================
--- openssh-9.3p2.orig/openbsd-compat/port-linux.h
+++ openssh-9.3p2/openbsd-compat/port-linux.h
--- openssh-9.6p1.orig/openbsd-compat/port-linux.h
+++ openssh-9.6p1/openbsd-compat/port-linux.h
@@ -20,9 +20,10 @@
#ifdef WITH_SELINUX
int ssh_selinux_enabled(void);
@ -430,10 +430,10 @@ Index: openssh-9.3p2/openbsd-compat/port-linux.h
#endif
#ifdef LINUX_OOM_ADJUST
Index: openssh-9.3p2/openbsd-compat/port-linux-sshd.c
Index: openssh-9.6p1/openbsd-compat/port-linux-sshd.c
===================================================================
--- /dev/null
+++ openssh-9.3p2/openbsd-compat/port-linux-sshd.c
+++ openssh-9.6p1/openbsd-compat/port-linux-sshd.c
@@ -0,0 +1,421 @@
+/*
+ * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
@ -856,10 +856,10 @@ Index: openssh-9.3p2/openbsd-compat/port-linux-sshd.c
+#endif
+#endif
+
Index: openssh-9.3p2/platform.c
Index: openssh-9.6p1/platform.c
===================================================================
--- openssh-9.3p2.orig/platform.c
+++ openssh-9.3p2/platform.c
--- openssh-9.6p1.orig/platform.c
+++ openssh-9.6p1/platform.c
@@ -185,7 +185,7 @@ platform_setusercontext_post_groups(stru
}
#endif /* HAVE_SETPCRED */
@ -869,11 +869,11 @@ Index: openssh-9.3p2/platform.c
#endif
}
Index: openssh-9.3p2/sshd.c
Index: openssh-9.6p1/sshd.c
===================================================================
--- openssh-9.3p2.orig/sshd.c
+++ openssh-9.3p2/sshd.c
@@ -2388,6 +2388,9 @@ main(int ac, char **av)
--- openssh-9.6p1.orig/sshd.c
+++ openssh-9.6p1/sshd.c
@@ -2387,6 +2387,9 @@ main(int ac, char **av)
restore_uid();
}
#endif

449
openssh-8.0p1-gssapi-keyex.patch
View File

File diff suppressed because it is too large Load Diff

BIN
openssh-9.3p2.tar.gz (Stored with Git LFS)
View File

Binary file not shown.

16
openssh-9.3p2.tar.gz.asc
View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmS3g5wACgkQKj9BTnNg
YLrMYw//evjl0mlSnycb85tWASdBWQh28xQCouuqYhDhY+8kt6YpEx34r4zuXvL3
pEN/F1ancNXwvlRPct/tF3OEQVpKHZqiRyfWuHHURSBLaGf9V1b+gQgfM4lEQNtH
8PqRj+ur8E2GMGxvxuDKPcfduCTFrjbPJ/0OCgquuEteSM6dgcClT7q5SKKpTVSa
jV0PaXeYgnaa+u+4GsH01oUteyJNmhvEa4T+fC1RDrct1DiieUQNkaw3pwMqYXA5
8PldGatn/npNM5ZFW4uxTjbib2yJXNIEhUIzo2A00XWRG3jIArtRJwJ6ZSBahUE4
PyasPMhJVIxIaKy5OL4s4FAd1goe2hBlPzmDhUJOhpFniLIZ9dS5AGaX4i2TjsZl
iaIwtE2VLIn3peKZPvm7SCBqyBoiPKC0BfHmVOYs8c1W5Q30jE+kCcTDrJhHl32/
kN5khCHIg6bUc3JzFZM7Ib0tshNP5AY0pyduSEF7SPOB5Zz2E+EwkDmkrnw9FoMh
LCvSERDkBdxWD7okUdb0ARr564lShRjd2UTFZqv3Py4nVfvnP19RgCfakNg0CZ3w
VoLytn8OQ/joAx4GMWox6g5ieYqeQ2kLzXYfXObTlDIjxirFeiBYPh6Ln5oGl81/
jx/172HqCzRDgUogtZ/BTwiLDEzTHG7YS5RDIUYkqEGkkjjj6gg=
=yVD2
-----END PGP SIGNATURE-----

BIN
openssh-9.6p1.tar.gz (Stored with Git LFS) Normal file
View File

Binary file not shown.

16
openssh-9.6p1.tar.gz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmWAXvAACgkQKj9BTnNg
YLrypA/6A1O8e80XnzVWIFhXkbv/biGL10Q5ZMvjQvND6mbkphNWZ4G4QOEh0nBG
rseD3Fce7me9pfeLYVhaNXO9R3OYAXxjbWfQwI7FpBU4QUCnbH53PG32B6ESq7pl
0vlDqdqI7aBAyMpp+8WFD+EvHWUVA77JtfU4MFw7myKJacrVrDUygDaZkJKOhqKf
N1Nurz4YppdQ5zIK1ElL0jlRJXm08flLFRg8fD5/5rwabpUbZIY9b5qZzGKgnR7I
sxUBlDkfLnvKIlKzUXbRvOHazvFAHYH1ltJZGlJUc/+H/ZaPigWf4IR+E1FB9c2O
zxaZhlbwGKyD+p7l08F9n8T21taxpBCW1Uxkx7MLTz8k9huPNpdX5l8VM4Gotmn8
I4V3Fevyx+M3XJYeKtkspa51h0GqF3gNFPLxW7ERGaIuqwoxuHxIEKwYE+JPmQag
UDma5LDrSrasa8Rw8g5urGE48PeDQ5muPy8Bi9eIGZU5JLqX6TNgz7QDDs/dQsHB
iny4wQOLmdIA78IGttiCo0rqikEvFtFDFR4mCUTC8K0nQKzWwGewO3gRTcHttzyU
xMalxw+wt9cUJ8gb1E9p7OeMUuXdaHMmem8/PcFCar/vKx1mdV/On6evnp3P8yQA
la8WnbcP0+zJg0GGwGszpFlOMjWCDB0kUTBCT+MR+IWbj/pVZVA=
=G9YA
-----END PGP SIGNATURE-----

7
openssh-askpass-gnome.changes
View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Sun Feb 25 18:26:23 UTC 2024 - Hans Petter Jansson <hpj@suse.com>
- Update to openssh 9.6p1:
* No changes for askpass, see main package changelog for
details.
-------------------------------------------------------------------
Fri Jul 21 05:13:56 UTC 2023 - Simon Lees <sflees@suse.de>

2
openssh-askpass-gnome.spec
View File

@ -18,7 +18,7 @@
%define _name openssh
Name: openssh-askpass-gnome
Version: 9.3p2
Version: 9.6p1
Release: 0
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
License: BSD-2-Clause

399
openssh-cve-2023-48795.patch
View File

@ -1,399 +0,0 @@
Index: openssh-9.3p2/PROTOCOL
===================================================================
--- openssh-9.3p2.orig/PROTOCOL
+++ openssh-9.3p2/PROTOCOL
@@ -104,6 +104,25 @@ http://git.libssh.org/users/aris/libssh.
This is identical to curve25519-sha256 as later published in RFC8731.
+1.9 transport: strict key exchange extension
+
+OpenSSH supports a number of transport-layer hardening measures under
+a "strict KEX" feature. This feature is signalled similarly to the
+RFC8305 ext-info feature: by including a additional algorithm in the
+SSH2_MSG_KEXINIT kex_algorithms field. The client may append
+"kex-strict-c-v00@openssh.com" to its kex_algorithms and the server
+may append "kex-strict-s-v00@openssh.com".
+
+When endpoint that supports this extension observes this algorithm
+name in a peer's KEXINIT packet, it MUST make the following changes to
+the the protocol:
+
+a) During initial KEX, terminate the connection if any unexpected or
+ out-of-sequence packet is received. This includes terminating the
+ connection if the first packet received is not SSH2_MSG_KEXINIT.
+b) At each SSH2_MSG_NEWKEYS message, reset the packet sequence number
+ to zero.
+
2. Connection protocol changes
2.1. connection: Channel write close extension "eow@openssh.com"
Index: openssh-9.3p2/kex.c
===================================================================
--- openssh-9.3p2.orig/kex.c
+++ openssh-9.3p2/kex.c
@@ -76,7 +76,7 @@
#include "fips.h"
/* prototype */
-static int kex_choose_conf(struct ssh *);
+static int kex_choose_conf(struct ssh *, uint32_t seq);
static int kex_input_newkeys(int, u_int32_t, struct ssh *);
static const char * const proposal_names[PROPOSAL_MAX] = {
@@ -261,6 +261,18 @@ kex_names_valid(const char *names)
return 1;
}
+/* returns non-zero if proposal contains any algorithm from algs */
+static int
+has_any_alg(const char *proposal, const char *algs)
+{
+ char *cp;
+
+ if ((cp = match_list(proposal, algs, NULL)) == NULL)
+ return 0;
+ free(cp);
+ return 1;
+}
+
/*
* Concatenate algorithm names, avoiding duplicates in the process.
* Caller must free returned string.
@@ -268,7 +280,7 @@ kex_names_valid(const char *names)
char *
kex_names_cat(const char *a, const char *b)
{
- char *ret = NULL, *tmp = NULL, *cp, *p, *m;
+ char *ret = NULL, *tmp = NULL, *cp, *p;
size_t len;
if (a == NULL || *a == '\0')
@@ -285,10 +297,8 @@ kex_names_cat(const char *a, const char
}
strlcpy(ret, a, len);
for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) {
- if ((m = match_list(ret, p, NULL)) != NULL) {
- free(m);
+ if (has_any_alg(ret, p))
continue; /* Algorithm already present */
- }
if (strlcat(ret, ",", len) >= len ||
strlcat(ret, p, len) >= len) {
free(tmp);
@@ -441,15 +451,23 @@ kex_proposal_populate_entries(struct ssh
const char *defpropclient[PROPOSAL_MAX] = { KEX_CLIENT };
const char **defprop = ssh->kex->server ? defpropserver : defpropclient;
u_int i;
+ char *cp;
if (prop == NULL)
fatal_f("proposal missing");
+ /* Append EXT_INFO signalling to KexAlgorithms */
+ if (kexalgos == NULL)
+ kexalgos = defprop[PROPOSAL_KEX_ALGS];
+ if ((cp = kex_names_cat(kexalgos, ssh->kex->server ?
+ "kex-strict-s-v00@openssh.com" :
+ "ext-info-c,kex-strict-c-v00@openssh.com")) == NULL)
+ fatal_f("kex_names_cat");
+
for (i = 0; i < PROPOSAL_MAX; i++) {
switch(i) {
case PROPOSAL_KEX_ALGS:
- prop[i] = compat_kex_proposal(ssh,
- kexalgos ? kexalgos : defprop[i]);
+ prop[i] = compat_kex_proposal(ssh, cp);
break;
case PROPOSAL_ENC_ALGS_CTOS:
case PROPOSAL_ENC_ALGS_STOC:
@@ -470,6 +488,7 @@ kex_proposal_populate_entries(struct ssh
prop[i] = xstrdup(defprop[i]);
}
}
+ free(cp);
}
void
@@ -573,7 +592,12 @@ kex_protocol_error(int type, u_int32_t s
{
int r;
- error("kex protocol error: type %d seq %u", type, seq);
+ /* If in strict mode, any unexpected message is an error */
+ if ((ssh->kex->flags & KEX_INITIAL) && ssh->kex->kex_strict) {
+ ssh_packet_disconnect(ssh, "strict KEX violation: "
+ "unexpected packet type %u (seqnr %u)", type, seq);
+ }
+ error_f("type %u seq %u", type, seq);
if ((r = sshpkt_start(ssh, SSH2_MSG_UNIMPLEMENTED)) != 0 ||
(r = sshpkt_put_u32(ssh, seq)) != 0 ||
(r = sshpkt_send(ssh)) != 0)
@@ -651,7 +675,7 @@ kex_input_ext_info(int type, u_int32_t s
if (ninfo >= 1024) {
error("SSH2_MSG_EXT_INFO with too many entries, expected "
"<=1024, received %u", ninfo);
- return SSH_ERR_INVALID_FORMAT;
+ return dispatch_protocol_error(type, seq, ssh);
}
for (i = 0; i < ninfo; i++) {
if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0)
@@ -767,7 +791,7 @@ kex_input_kexinit(int type, u_int32_t se
error_f("no kex");
return SSH_ERR_INTERNAL_ERROR;
}
- ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
+ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_protocol_error);
ptr = sshpkt_ptr(ssh, &dlen);
if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
return r;
@@ -803,7 +827,7 @@ kex_input_kexinit(int type, u_int32_t se
if (!(kex->flags & KEX_INIT_SENT))
if ((r = kex_send_kexinit(ssh)) != 0)
return r;
- if ((r = kex_choose_conf(ssh)) != 0)
+ if ((r = kex_choose_conf(ssh, seq)) != 0)
return r;
if (kex->kex_type < KEX_MAX && kex->kex[kex->kex_type] != NULL)
@@ -1082,20 +1106,14 @@ proposals_match(char *my[PROPOSAL_MAX],
return (1);
}
-/* returns non-zero if proposal contains any algorithm from algs */
static int
-has_any_alg(const char *proposal, const char *algs)
+kexalgs_contains(char **peer, const char *ext)
{
- char *cp;
-
- if ((cp = match_list(proposal, algs, NULL)) == NULL)
- return 0;
- free(cp);
- return 1;
+ return has_any_alg(peer[PROPOSAL_KEX_ALGS], ext);
}
static int
-kex_choose_conf(struct ssh *ssh)
+kex_choose_conf(struct ssh *ssh, uint32_t seq)
{
struct kex *kex = ssh->kex;
struct newkeys *newkeys;
@@ -1120,13 +1138,23 @@ kex_choose_conf(struct ssh *ssh)
sprop=peer;
}
- /* Check whether client supports ext_info_c */
- if (kex->server && (kex->flags & KEX_INITIAL)) {
- char *ext;
-
- ext = match_list("ext-info-c", peer[PROPOSAL_KEX_ALGS], NULL);
- kex->ext_info_c = (ext != NULL);
- free(ext);
+ /* Check whether peer supports ext_info/kex_strict */
+ if ((kex->flags & KEX_INITIAL) != 0) {
+ if (kex->server) {
+ kex->ext_info_c = kexalgs_contains(peer, "ext-info-c");
+ kex->kex_strict = kexalgs_contains(peer,
+ "kex-strict-c-v00@openssh.com");
+ } else {
+ kex->kex_strict = kexalgs_contains(peer,
+ "kex-strict-s-v00@openssh.com");
+ }
+ if (kex->kex_strict) {
+ debug3_f("will use strict KEX ordering");
+ if (seq != 0)
+ ssh_packet_disconnect(ssh,
+ "strict KEX violation: "
+ "KEXINIT was not the first packet");
+ }
}
/* Check whether client supports rsa-sha2 algorithms */
Index: openssh-9.3p2/kex.h
===================================================================
--- openssh-9.3p2.orig/kex.h
+++ openssh-9.3p2/kex.h
@@ -157,6 +157,7 @@ struct kex {
u_int kex_type;
char *server_sig_algs;
int ext_info_c;
+ int kex_strict;
struct sshbuf *my;
struct sshbuf *peer;
struct sshbuf *client_version;
Index: openssh-9.3p2/packet.c
===================================================================
--- openssh-9.3p2.orig/packet.c
+++ openssh-9.3p2/packet.c
@@ -1236,6 +1236,11 @@ ssh_packet_send2_wrapped(struct ssh *ssh
state->p_send.bytes += len;
sshbuf_reset(state->outgoing_packet);
+ if (type == SSH2_MSG_NEWKEYS && ssh->kex->kex_strict) {
+ debug_f("resetting send seqnr %u", state->p_send.seqnr);
+ state->p_send.seqnr = 0;
+ }
+
if (type == SSH2_MSG_NEWKEYS)
r = ssh_set_newkeys(ssh, MODE_OUT);
else if (type == SSH2_MSG_USERAUTH_SUCCESS && state->server_side)
@@ -1364,8 +1369,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u
/* Stay in the loop until we have received a complete packet. */
for (;;) {
/* Try to read a packet from the buffer. */
- r = ssh_packet_read_poll_seqnr(ssh, typep, seqnr_p);
- if (r != 0)
+ if ((r = ssh_packet_read_poll_seqnr(ssh, typep, seqnr_p)) != 0)
break;
/* If we got a packet, return it. */
if (*typep != SSH_MSG_NONE)
@@ -1649,6 +1630,7 @@ ssh_packet_read_poll2(struct ssh *ssh, u
if ((r = sshbuf_consume(state->input, mac->mac_len)) != 0)
goto out;
}
+
if (seqnr_p != NULL)
*seqnr_p = state->p_read.seqnr;
if (++state->p_read.seqnr == 0)
@@ -1718,6 +1700,10 @@ ssh_packet_read_poll2(struct ssh *ssh, u
#endif
/* reset for next packet */
state->packlen = 0;
+ if (*typep == SSH2_MSG_NEWKEYS && ssh->kex->kex_strict) {
+ debug_f("resetting read seqnr %u", state->p_read.seqnr);
+ state->p_read.seqnr = 0;
+ }
if ((r = ssh_packet_check_rekey(ssh)) != 0)
return r;
@@ -1738,10 +1724,39 @@ ssh_packet_read_poll_seqnr(struct ssh *s
r = ssh_packet_read_poll2(ssh, typep, seqnr_p);
if (r != 0)
return r;
- if (*typep) {
- state->keep_alive_timeouts = 0;
- DBG(debug("received packet type %d", *typep));
+ if (*typep == 0) {
+ /* no message ready */
+ return 0;
}
+ state->keep_alive_timeouts = 0;
+ DBG(debug("received packet type %d", *typep));
+
+ /* Always process disconnect messages */
+ if (*typep == SSH2_MSG_DISCONNECT) {
+ if ((r = sshpkt_get_u32(ssh, &reason)) != 0 ||
+ (r = sshpkt_get_string(ssh, &msg, NULL)) != 0)
+ return r;
+ /* Ignore normal client exit notifications */
+ do_log2(ssh->state->server_side &&
+ reason == SSH2_DISCONNECT_BY_APPLICATION ?
+ SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR,
+ "Received disconnect from %s port %d:"
+ "%u: %.400s", ssh_remote_ipaddr(ssh),
+ ssh_remote_port(ssh), reason, msg);
+ free(msg);
+ return SSH_ERR_DISCONNECTED;
+ }
+
+ /*
+ * Do not implicitly handle any messages here during initial
+ * KEX when in strict mode. They will be need to be allowed
+ * explicitly by the KEX dispatch table or they will generate
+ * protocol errors.
+ */
+ if (ssh->kex != NULL &&
+ (ssh->kex->flags & KEX_INITIAL) && ssh->kex->kex_strict)
+ return 0;
+ /* Implicitly handle transport-level messages */
switch (*typep) {
case SSH2_MSG_IGNORE:
debug3("Received SSH2_MSG_IGNORE");
@@ -1756,19 +1771,6 @@ ssh_packet_read_poll_seqnr(struct ssh *s
debug("Remote: %.900s", msg);
free(msg);
break;
- case SSH2_MSG_DISCONNECT:
- if ((r = sshpkt_get_u32(ssh, &reason)) != 0 ||
- (r = sshpkt_get_string(ssh, &msg, NULL)) != 0)
- return r;
- /* Ignore normal client exit notifications */
- do_log2(ssh->state->server_side &&
- reason == SSH2_DISCONNECT_BY_APPLICATION ?
- SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR,
- "Received disconnect from %s port %d:"
- "%u: %.400s", ssh_remote_ipaddr(ssh),
- ssh_remote_port(ssh), reason, msg);
- free(msg);
- return SSH_ERR_DISCONNECTED;
case SSH2_MSG_UNIMPLEMENTED:
if ((r = sshpkt_get_u32(ssh, &seqnr)) != 0)
return r;
@@ -2300,6 +2302,7 @@ kex_to_blob(struct sshbuf *m, struct kex
(r = sshbuf_put_u32(m, kex->hostkey_type)) != 0 ||
(r = sshbuf_put_u32(m, kex->hostkey_nid)) != 0 ||
(r = sshbuf_put_u32(m, kex->kex_type)) != 0 ||
+ (r = sshbuf_put_u32(m, kex->kex_strict)) != 0 ||
(r = sshbuf_put_stringb(m, kex->my)) != 0 ||
(r = sshbuf_put_stringb(m, kex->peer)) != 0 ||
(r = sshbuf_put_stringb(m, kex->client_version)) != 0 ||
@@ -2462,6 +2465,7 @@ kex_from_blob(struct sshbuf *m, struct k
(r = sshbuf_get_u32(m, (u_int *)&kex->hostkey_type)) != 0 ||
(r = sshbuf_get_u32(m, (u_int *)&kex->hostkey_nid)) != 0 ||
(r = sshbuf_get_u32(m, &kex->kex_type)) != 0 ||
+ (r = sshbuf_get_u32(m, &kex->kex_strict)) != 0 ||
(r = sshbuf_get_stringb(m, kex->my)) != 0 ||
(r = sshbuf_get_stringb(m, kex->peer)) != 0 ||
(r = sshbuf_get_stringb(m, kex->client_version)) != 0 ||
@@ -2790,6 +2794,7 @@ sshpkt_disconnect(struct ssh *ssh, const
vsnprintf(buf, sizeof(buf), fmt, args);
va_end(args);
+ debug2_f("sending SSH2_MSG_DISCONNECT: %s", buf);
if ((r = sshpkt_start(ssh, SSH2_MSG_DISCONNECT)) != 0 ||
(r = sshpkt_put_u32(ssh, SSH2_DISCONNECT_PROTOCOL_ERROR)) != 0 ||
(r = sshpkt_put_cstring(ssh, buf)) != 0 ||
Index: openssh-9.3p2/sshconnect2.c
===================================================================
--- openssh-9.3p2.orig/sshconnect2.c
+++ openssh-9.3p2/sshconnect2.c
@@ -420,7 +420,6 @@ struct cauthmethod {
};
static int input_userauth_service_accept(int, u_int32_t, struct ssh *);
-static int input_userauth_ext_info(int, u_int32_t, struct ssh *);
static int input_userauth_success(int, u_int32_t, struct ssh *);
static int input_userauth_failure(int, u_int32_t, struct ssh *);
static int input_userauth_banner(int, u_int32_t, struct ssh *);
@@ -540,7 +539,7 @@ ssh_userauth2(struct ssh *ssh, const cha
ssh->authctxt = &authctxt;
ssh_dispatch_init(ssh, &input_userauth_error);
- ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &input_userauth_ext_info);
+ ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, kex_input_ext_info);
ssh_dispatch_set(ssh, SSH2_MSG_SERVICE_ACCEPT, &input_userauth_service_accept);
ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &authctxt.success); /* loop until success */
pubkey_cleanup(ssh);
@@ -591,12 +590,6 @@ input_userauth_service_accept(int type,
return r;
}
-static int
-input_userauth_ext_info(int type, u_int32_t seqnr, struct ssh *ssh)
-{
- return kex_input_ext_info(type, seqnr, ssh);
-}
-
void
userauth(struct ssh *ssh, char *authlist)
{
@@ -675,6 +668,7 @@ input_userauth_success(int type, u_int32
free(authctxt->methoddata);
authctxt->methoddata = NULL;
authctxt->success = 1; /* break out */
+ ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, dispatch_protocol_error);
return 0;
}

219
openssh.changes
View File

@ -1,3 +1,222 @@
-------------------------------------------------------------------
Sun Feb 25 18:26:23 UTC 2024 - Hans Petter Jansson <hpj@suse.com>
- Update to openssh 9.6p1:
= Security
* ssh(1), sshd(8): implement protocol extensions to thwart the
so-called "Terrapin attack" discovered by Fabian Bäumer, Marcus
Brinkmann and Jörg Schwenk. This attack allows a MITM to effect a
limited break of the integrity of the early encrypted SSH transport
protocol by sending extra messages prior to the commencement of
encryption, and deleting an equal number of consecutive messages
immediately after encryption starts. A peer SSH client/server
would not be able to detect that messages were deleted.
* ssh-agent(1): when adding PKCS#11-hosted private keys while
specifying destination constraints, if the PKCS#11 token returned
multiple keys then only the first key had the constraints applied.
Use of regular private keys, FIDO tokens and unconstrained keys
are unaffected.
* ssh(1): if an invalid user or hostname that contained shell
metacharacters was passed to ssh(1), and a ProxyCommand,
LocalCommand directive or "match exec" predicate referenced the
user or hostname via %u, %h or similar expansion token, then
an attacker who could supply arbitrary user/hostnames to ssh(1)
could potentially perform command injection depending on what
quoting was present in the user-supplied ssh_config(5) directive.
= Potentially incompatible changes
* ssh(1), sshd(8): the RFC4254 connection/channels protocol provides
a TCP-like window mechanism that limits the amount of data that
can be sent without acceptance from the peer. In cases where this
limit was exceeded by a non-conforming peer SSH implementation,
ssh(1)/sshd(8) previously discarded the extra data. From OpenSSH
9.6, ssh(1)/sshd(8) will now terminate the connection if a peer
exceeds the window limit by more than a small grace factor. This
change should have no effect of SSH implementations that follow
the specification.
= New features
* ssh(1): add a %j token that expands to the configured ProxyJump
hostname (or the empty string if this option is not being used)
that can be used in a number of ssh_config(5) keywords. bz3610
* ssh(1): add ChannelTimeout support to the client, mirroring the
same option in the server and allowing ssh(1) to terminate
quiescent channels.
* ssh(1), sshd(8), ssh-add(1), ssh-keygen(1): add support for
reading ED25519 private keys in PEM PKCS8 format. Previously
only the OpenSSH private key format was supported.
* ssh(1), sshd(8): introduce a protocol extension to allow
renegotiation of acceptable signature algorithms for public key
authentication after the server has learned the username being
used for authentication. This allows varying sshd_config(5)
PubkeyAcceptedAlgorithms in a "Match user" block.
* ssh-add(1), ssh-agent(1): add an agent protocol extension to allow
specifying certificates when loading PKCS#11 keys. This allows the
use of certificates backed by PKCS#11 private keys in all OpenSSH
tools that support ssh-agent(1). Previously only ssh(1) supported
this use-case.
= Bugfixes
* ssh(1): when deciding whether to enable the keystroke timing
obfuscation, enable it only if a channel with a TTY is active.
* ssh(1): switch mainloop from poll(3) to ppoll(3) and mask signals
before checking flags set in signal handler. Avoids potential
race condition between signaling ssh to exit and polling. bz3531
* ssh(1): when connecting to a destination with both the
AddressFamily and CanonicalizeHostname directives in use,
the AddressFamily directive could be ignored. bz5326
* sftp(1): correct handling of the limits@openssh.com option when
the server returned an unexpected message.
* A number of fixes to the PuTTY and Dropbear regress/integration
tests.
* ssh(1): release GSS OIDs only at end of authentication, avoiding
unnecessary init/cleanup cycles. bz2982
* ssh_config(5): mention "none" is a valid argument to IdentityFile
in the manual. bz3080
* scp(1): improved debugging for paths from the server rejected for
not matching the client's glob(3) pattern in old SCP/RCP protocol
mode.
* ssh-agent(1): refuse signing operations on destination-constrained
keys if a previous session-bind operation has failed. This may
prevent a fail-open situation in future if a user uses a mismatched
ssh(1) client and ssh-agent(1) where the client supports a key type
that the agent does not support.
- Update to openssh 9.5p1:
= Potentially incompatible changes
* ssh-keygen(1): generate Ed25519 keys by default. Ed25519 public keys
are very convenient due to their small size. Ed25519 keys are
specified in RFC 8709 and OpenSSH has supported them since version 6.5
(January 2014).
* sshd(8): the Subsystem directive now accurately preserves quoting of
subsystem commands and arguments. This may change behaviour for exotic
configurations, but the most common subsystem configuration
(sftp-server) is unlikely to be affected.
= New features
* ssh(1): add keystroke timing obfuscation to the client. This attempts
to hide inter-keystroke timings by sending interactive traffic at
fixed intervals (default: every 20ms) when there is only a small
amount of data being sent. It also sends fake "chaff" keystrokes for
a random interval after the last real keystroke. These are
controlled by a new ssh_config ObscureKeystrokeTiming keyword.
* ssh(1), sshd(8): Introduce a transport-level ping facility. This adds
a pair of SSH transport protocol messages SSH2_MSG_PING/PONG to
implement a ping capability. These messages use numbers in the "local
extensions" number space and are advertised using a "ping@openssh.com"
ext-info message with a string version number of "0".
* sshd(8): allow override of Subsystem directives in sshd Match blocks.
= Bugfixes
* scp(1): fix scp in SFTP mode recursive upload and download of
directories that contain symlinks to other directories. In scp mode,
the links would be followed, but in SFTP mode they were not. bz3611
* ssh-keygen(1): handle cr+lf (instead of just cr) line endings in
sshsig signature files.
* ssh(1): interactive mode for ControlPersist sessions if they
originally requested a tty.
* sshd(8): make PerSourceMaxStartups first-match-wins
* sshd(8): limit artificial login delay to a reasonable maximum (5s)
and don't delay at all for the "none" authentication mechanism.
bz3602
* sshd(8): Log errors in kex_exchange_identification() with level
verbose instead of error to reduce preauth log spam. All of those
get logged with a more generic error message by sshpkt_fatal().
* sshd(8): correct math for ClientAliveInterval that caused the probes
to be sent less frequently than configured.
* ssh(1): fix regression in OpenSSH 9.4 (mux.c r1.99) that caused
multiplexed sessions to ignore SIGINT under some circumstances.
- Update to openssh 9.4p1:
= Potentially incompatible changes
* This release removes support for older versions of libcrypto.
OpenSSH now requires LibreSSL >= 3.1.0 or OpenSSL >= 1.1.1.
Note that these versions are already deprecated by their upstream
vendors.
* ssh-agent(1): PKCS#11 modules must now be specified by their full
paths. Previously dlopen(3) could search for them in system
library directories.
= New features
* ssh(1): allow forwarding Unix Domain sockets via ssh -W.
* ssh(1): add support for configuration tags to ssh(1).
This adds a ssh_config(5) "Tag" directive and corresponding
"Match tag" predicate that may be used to select blocks of
configuration similar to the pf.conf(5) keywords of the same
name.
* ssh(1): add a "match localnetwork" predicate. This allows matching
on the addresses of available network interfaces and may be used to
vary the effective client configuration based on network location.
* ssh(1), sshd(8), ssh-keygen(1): infrastructure support for KRL
extensions. This defines wire formats for optional KRL extensions
and implements parsing of the new submessages. No actual extensions
are supported at this point.
* sshd(8): AuthorizedPrincipalsCommand and AuthorizedKeysCommand now
accept two additional %-expansion sequences: %D which expands to
the routing domain of the connected session and %C which expands
to the addresses and port numbers for the source and destination
of the connection.
* ssh-keygen(1): increase the default work factor (rounds) for the
bcrypt KDF used to derive symmetric encryption keys for passphrase
protected key files by 50%.
= Bugfixes
* ssh-agent(1): improve isolation between loaded PKCS#11 modules
by running separate ssh-pkcs11-helpers for each loaded provider.
* ssh(1): make -f (fork after authentication) work correctly with
multiplexed connections, including ControlPersist. bz3589 bz3589
* ssh(1): make ConnectTimeout apply to multiplexing sockets and not
just to network connections.
* ssh-agent(1), ssh(1): improve defences against invalid PKCS#11
modules being loaded by checking that the requested module
contains the required symbol before loading it.
* sshd(8): fix AuthorizedPrincipalsCommand when AuthorizedKeysCommand
appears before it in sshd_config. Since OpenSSH 8.7 the
AuthorizedPrincipalsCommand directive was incorrectly ignored in
this situation. bz3574
* sshd(8), ssh(1), ssh-keygen(1): remove vestigal support for KRL
signatures When the KRL format was originally defined, it included
support for signing of KRL objects. However, the code to sign KRLs
and verify KRL signatues was never completed in OpenSSH. This
release removes the partially-implemented code to verify KRLs.
All OpenSSH tools now ignore KRL_SECTION_SIGNATURE sections in
KRL files.
* All: fix a number of memory leaks and unreachable/harmless integer
overflows.
* ssh-agent(1), ssh(1): don't truncate strings logged from PKCS#11
modules; GHPR406
* sshd(8), ssh(1): better validate CASignatureAlgorithms in
ssh_config and sshd_config. Previously this directive would accept
certificate algorithm names, but these were unusable in practice as
OpenSSH does not support CA chains. bz3577
* ssh(1): make `ssh -Q CASignatureAlgorithms` only list signature
algorithms that are valid for CA signing. Previous behaviour was
to list all signing algorithms, including certificate algorithms.
* ssh-keyscan(1): gracefully handle systems where rlimits or the
maximum number of open files is larger than INT_MAX; bz3581
* ssh-keygen(1): fix "no comment" not showing on when running
`ssh-keygen -l` on multiple keys where one has a comment and other
following keys do not. bz3580
* scp(1), sftp(1): adjust ftruncate() logic to handle servers that
reorder requests. Previously, if the server reordered requests then
the resultant file would be erroneously truncated.
* ssh(1): don't incorrectly disable hostname canonicalization when
CanonicalizeHostname=yes and ProxyJump was expicitly set to
"none". bz3567
* scp(1): when copying local->remote, check that the source file
exists before opening an SFTP connection to the server. Based on
GHPR#370
- Dropped patches:
* cb4ed12f.patch - implemented upstream.
* openssh-cve-2023-48795.patch - implemented upstream.
- Rebased patches:
* openssh-6.6p1-selinux-contexts.patch
* openssh-7.7p1-fips.patch
* openssh-7.8p1-role-mls.patch
* openssh-8.0p1-gssapi-keyex.patch
-------------------------------------------------------------------
Tue Dec 19 01:42:55 UTC 2023 - Hans Petter Jansson <hpj@suse.com>

5
openssh.spec
View File

@ -37,7 +37,7 @@
%define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif
Name: openssh
Version: 9.3p2
Version: 9.6p1
Release: 0
Summary: Secure Shell Client and Server (Remote Login Program)
License: BSD-2-Clause AND MIT
@ -116,15 +116,12 @@ Patch49: openssh-do-not-send-empty-message.patch
Patch50: openssh-openssl-3.patch
Patch51: wtmpdb.patch
Patch52: logind_set_tty.patch
# PATCH-FIx-UPSTREAM cb4ed12f.patch -- Fix build with zlib 1.3
Patch53: https://github.com/openssh/openssh-portable/commit/cb4ed12f.patch
Patch100: fix-missing-lz.patch
Patch102: openssh-7.8p1-role-mls.patch
Patch103: openssh-6.6p1-privsep-selinux.patch
Patch104: openssh-6.6p1-keycat.patch
Patch105: openssh-6.6.1p1-selinux-contexts.patch
Patch106: openssh-7.6p1-cleanup-selinux.patch
Patch107: openssh-cve-2023-48795.patch
BuildRequires: audit-devel
BuildRequires: automake
BuildRequires: groff