Accepting request 1185823 from network
OBS-URL: https://build.opensuse.org/request/show/1185823 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=180
This commit is contained in:
commit
d5d292d413
@ -0,0 +1,55 @@
|
|||||||
|
From 66aaa678dbe59aa21d0d9d89a3596ecedde0254b Mon Sep 17 00:00:00 2001
|
||||||
|
From: "djm@openbsd.org" <djm@openbsd.org>
|
||||||
|
Date: Tue, 30 Apr 2024 02:14:10 +0000
|
||||||
|
Subject: [PATCH] upstream: correctly restore sigprocmask around ppoll()
|
||||||
|
reported
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
by Tõivo Leedjärv; ok deraadt@
|
||||||
|
|
||||||
|
OpenBSD-Commit-ID: c0c0f89de5294a166578f071eade2501929c4686
|
||||||
|
---
|
||||||
|
clientloop.c | 4 ++--
|
||||||
|
serverloop.c | 4 ++--
|
||||||
|
2 files changed, 4 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/clientloop.c b/clientloop.c
|
||||||
|
index be8bb5fc1f2..8ea2ada4216 100644
|
||||||
|
--- a/clientloop.c
|
||||||
|
+++ b/clientloop.c
|
||||||
|
#@@ -1,4 +1,4 @@
|
||||||
|
#-/* $OpenBSD: clientloop.c,v 1.404 2024/04/30 02:10:49 djm Exp $ */
|
||||||
|
#+/* $OpenBSD: clientloop.c,v 1.405 2024/04/30 02:14:10 djm Exp $ */
|
||||||
|
# /*
|
||||||
|
# * Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||||
|
# * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||||
|
@@ -1585,7 +1585,7 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
|
||||||
|
client_wait_until_can_do_something(ssh, &pfd, &npfd_alloc,
|
||||||
|
&npfd_active, channel_did_enqueue, &osigset,
|
||||||
|
&conn_in_ready, &conn_out_ready);
|
||||||
|
- if (sigprocmask(SIG_UNBLOCK, &bsigset, &osigset) == -1)
|
||||||
|
+ if (sigprocmask(SIG_SETMASK, &osigset, NULL) == -1)
|
||||||
|
error_f("osigset sigprocmask: %s", strerror(errno));
|
||||||
|
|
||||||
|
if (quit_pending)
|
||||||
|
diff --git a/serverloop.c b/serverloop.c
|
||||||
|
index f3683c2e4a6..94c8943a616 100644
|
||||||
|
--- a/serverloop.c
|
||||||
|
+++ b/serverloop.c
|
||||||
|
@@ -1,4 +1,4 @@
|
||||||
|
-/* $OpenBSD: serverloop.c,v 1.237 2023/08/21 04:59:54 djm Exp $ */
|
||||||
|
+/* $OpenBSD: serverloop.c,v 1.238 2024/04/30 02:14:10 djm Exp $ */
|
||||||
|
/*
|
||||||
|
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||||
|
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||||
|
@@ -380,7 +380,7 @@ server_loop2(struct ssh *ssh, Authctxt *authctxt)
|
||||||
|
wait_until_can_do_something(ssh, connection_in, connection_out,
|
||||||
|
&pfd, &npfd_alloc, &npfd_active, &osigset,
|
||||||
|
&conn_in_ready, &conn_out_ready);
|
||||||
|
- if (sigprocmask(SIG_UNBLOCK, &bsigset, &osigset) == -1)
|
||||||
|
+ if (sigprocmask(SIG_SETMASK, &osigset, NULL) == -1)
|
||||||
|
error_f("osigset sigprocmask: %s", strerror(errno));
|
||||||
|
|
||||||
|
if (received_sigterm) {
|
@ -0,0 +1,32 @@
|
|||||||
|
From 9844aa2521ccfb1a2d73745680327b79e0574445 Mon Sep 17 00:00:00 2001
|
||||||
|
From: "djm@openbsd.org" <djm@openbsd.org>
|
||||||
|
Date: Wed, 21 Feb 2024 05:57:34 +0000
|
||||||
|
Subject: [PATCH] upstream: fix proxy multiplexing mode, broken when keystroke
|
||||||
|
timing
|
||||||
|
|
||||||
|
obfuscation was added. GHPR#463 from montag451
|
||||||
|
|
||||||
|
OpenBSD-Commit-ID: 4e412d59b3f557d431f1d81c715a3bc0491cc677
|
||||||
|
---
|
||||||
|
clientloop.c | 4 ++--
|
||||||
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/clientloop.c b/clientloop.c
|
||||||
|
index eb4902905fb..8ec36af94b3 100644
|
||||||
|
--- a/clientloop.c
|
||||||
|
+++ b/clientloop.c
|
||||||
|
@@ -1,4 +1,4 @@
|
||||||
|
-/* $OpenBSD: clientloop.c,v 1.402 2023/11/24 00:31:30 dtucker Exp $ */
|
||||||
|
+/* $OpenBSD: clientloop.c,v 1.403 2024/02/21 05:57:34 djm Exp $ */
|
||||||
|
/*
|
||||||
|
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||||
|
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||||
|
@@ -517,7 +517,7 @@ send_chaff(struct ssh *ssh)
|
||||||
|
{
|
||||||
|
int r;
|
||||||
|
|
||||||
|
- if ((ssh->kex->flags & KEX_HAS_PING) == 0)
|
||||||
|
+ if (ssh->kex == NULL || (ssh->kex->flags & KEX_HAS_PING) == 0)
|
||||||
|
return 0;
|
||||||
|
/* XXX probabilistically send chaff? */
|
||||||
|
/*
|
@ -0,0 +1,38 @@
|
|||||||
|
From 146c420d29d055cc75c8606327a1cf8439fe3a08 Mon Sep 17 00:00:00 2001
|
||||||
|
From: "djm@openbsd.org" <djm@openbsd.org>
|
||||||
|
Date: Mon, 1 Jul 2024 04:31:17 +0000
|
||||||
|
Subject: [PATCH] upstream: when sending ObscureKeystrokeTiming chaff packets,
|
||||||
|
we
|
||||||
|
|
||||||
|
can't rely on channel_did_enqueue to tell that there is data to send. This
|
||||||
|
flag indicates that the channels code enqueued a packet on _this_ ppoll()
|
||||||
|
iteration, not that data was enqueued in _any_ ppoll() iteration in the
|
||||||
|
timeslice. ok markus@
|
||||||
|
|
||||||
|
OpenBSD-Commit-ID: 009b74fd2769b36b5284a0188ade182f00564136
|
||||||
|
---
|
||||||
|
clientloop.c | 7 ++++---
|
||||||
|
1 file changed, 4 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/clientloop.c b/clientloop.c
|
||||||
|
index 0b6f3c9be02..8ed8b1c3449 100644
|
||||||
|
--- a/clientloop.c
|
||||||
|
+++ b/clientloop.c
|
||||||
|
#@@ -1,4 +1,4 @@
|
||||||
|
#-/* $OpenBSD: clientloop.c,v 1.407 2024/05/17 06:42:04 jsg Exp $ */
|
||||||
|
#+/* $OpenBSD: clientloop.c,v 1.408 2024/07/01 04:31:17 djm Exp $ */
|
||||||
|
# /*
|
||||||
|
# * Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||||
|
# * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||||
|
@@ -607,8 +607,9 @@ obfuscate_keystroke_timing(struct ssh *ssh, struct timespec *timeout,
|
||||||
|
if (timespeccmp(&now, &chaff_until, >=)) {
|
||||||
|
/* Stop if there have been no keystrokes for a while */
|
||||||
|
stop_reason = "chaff time expired";
|
||||||
|
- } else if (timespeccmp(&now, &next_interval, >=)) {
|
||||||
|
- /* Otherwise if we were due to send, then send chaff */
|
||||||
|
+ } else if (timespeccmp(&now, &next_interval, >=) &&
|
||||||
|
+ !ssh_packet_have_data_to_write(ssh)) {
|
||||||
|
+ /* If due to send but have no data, then send chaff */
|
||||||
|
if (send_chaff(ssh))
|
||||||
|
nchaff++;
|
||||||
|
}
|
@ -1,3 +1,25 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Jul 5 17:49:06 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
|
||||||
|
|
||||||
|
- Add patch from upstream to fix proxy multiplexing mode:
|
||||||
|
* 0001-upstream-fix-proxy-multiplexing-mode_-broken-when-keystroke.patch
|
||||||
|
- Add patch from upstream to restore correctly sigprocmask
|
||||||
|
* 0001-upstream-correctly-restore-sigprocmask-around-ppoll.patch
|
||||||
|
- Add patch from upstream to fix a logic error in
|
||||||
|
ObscureKeystrokeTiming that rendered this feature ineffective,
|
||||||
|
allowing a passive observer to detect which network packets
|
||||||
|
contained real keystrokes (bsc#1227318, CVE-2024-39894):
|
||||||
|
* 0001-upstream-when-sending-ObscureKeystrokeTiming-chaff-packets_.patch
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Jul 3 16:53:53 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
|
||||||
|
|
||||||
|
- Add obsoletes for openssh-server-config-rootlogin since that
|
||||||
|
package existed for a brief period of time during SLE 15 SP6/
|
||||||
|
Leap 15.6 development but even if it was removed from the
|
||||||
|
repositories before GM, some users might have it in their
|
||||||
|
systems from having tried a beta/RC release (boo#1227350).
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Mon Jul 1 07:50:28 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
|
Mon Jul 1 07:50:28 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
|
||||||
|
|
||||||
@ -131,7 +153,8 @@ Sun Feb 25 18:26:23 UTC 2024 - Hans Petter Jansson <hpj@suse.com>
|
|||||||
user or hostname via %u, %h or similar expansion token, then
|
user or hostname via %u, %h or similar expansion token, then
|
||||||
an attacker who could supply arbitrary user/hostnames to ssh(1)
|
an attacker who could supply arbitrary user/hostnames to ssh(1)
|
||||||
could potentially perform command injection depending on what
|
could potentially perform command injection depending on what
|
||||||
quoting was present in the user-supplied ssh_config(5) directive.
|
quoting was present in the user-supplied ssh_config(5) directive
|
||||||
|
(bsc#1218215, CVE-2023-51385).
|
||||||
|
|
||||||
= Potentially incompatible changes
|
= Potentially incompatible changes
|
||||||
* ssh(1), sshd(8): the RFC4254 connection/channels protocol provides
|
* ssh(1), sshd(8): the RFC4254 connection/channels protocol provides
|
||||||
|
14
openssh.spec
14
openssh.spec
@ -128,8 +128,14 @@ Patch106: openssh-7.6p1-cleanup-selinux.patch
|
|||||||
# PATCH-FIX-OPENSUSE bsc#1211301 Add crypto-policies support
|
# PATCH-FIX-OPENSUSE bsc#1211301 Add crypto-policies support
|
||||||
Patch107: openssh-9.6p1-crypto-policies.patch
|
Patch107: openssh-9.6p1-crypto-policies.patch
|
||||||
Patch108: openssh-9.6p1-crypto-policies-man.patch
|
Patch108: openssh-9.6p1-crypto-policies-man.patch
|
||||||
# PATCH-FIX-SUSE bsc#1226642 fix CVE-2024-6387
|
# PATCH-FIX-UPSTREAM bsc#1226642 fix CVE-2024-6387
|
||||||
Patch109: fix-CVE-2024-6387.patch
|
Patch109: fix-CVE-2024-6387.patch
|
||||||
|
# PATCH-FIX-UPSTREAM
|
||||||
|
Patch110: 0001-upstream-fix-proxy-multiplexing-mode_-broken-when-keystroke.patch
|
||||||
|
# PATCH-FIX-UPSTREAM
|
||||||
|
Patch111: 0001-upstream-correctly-restore-sigprocmask-around-ppoll.patch
|
||||||
|
# PATCH-FIX-UPSTREAM bsc#1227318 CVE-2024-39894
|
||||||
|
Patch112: 0001-upstream-when-sending-ObscureKeystrokeTiming-chaff-packets_.patch
|
||||||
%if 0%{with allow_root_password_login_by_default}
|
%if 0%{with allow_root_password_login_by_default}
|
||||||
Patch1000: openssh-7.7p1-allow_root_password_login.patch
|
Patch1000: openssh-7.7p1-allow_root_password_login.patch
|
||||||
%endif
|
%endif
|
||||||
@ -204,6 +210,12 @@ Requires(pre): grep
|
|||||||
Requires(post): %fillup_prereq
|
Requires(post): %fillup_prereq
|
||||||
Requires(post): permissions
|
Requires(post): permissions
|
||||||
Provides: openssh:%{_sbindir}/sshd
|
Provides: openssh:%{_sbindir}/sshd
|
||||||
|
%if 0%{with allow_root_password_login_by_default}
|
||||||
|
# For a brief period of time this package existed in SLE/Leap.
|
||||||
|
# It was removed before GM but some people might have it from
|
||||||
|
# a beta distribution version (boo#1227350)
|
||||||
|
Obsoletes: openssh-server-config-rootlogin <= %{version}
|
||||||
|
%endif
|
||||||
%sysusers_requires
|
%sysusers_requires
|
||||||
|
|
||||||
%description server
|
%description server
|
||||||
|
Loading…
Reference in New Issue
Block a user