Accepting request 1185823 from network
OBS-URL: https://build.opensuse.org/request/show/1185823 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=180
This commit is contained in:
commit
d5d292d413
@ -0,0 +1,55 @@
|
||||
From 66aaa678dbe59aa21d0d9d89a3596ecedde0254b Mon Sep 17 00:00:00 2001
|
||||
From: "djm@openbsd.org" <djm@openbsd.org>
|
||||
Date: Tue, 30 Apr 2024 02:14:10 +0000
|
||||
Subject: [PATCH] upstream: correctly restore sigprocmask around ppoll()
|
||||
reported
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
by Tõivo Leedjärv; ok deraadt@
|
||||
|
||||
OpenBSD-Commit-ID: c0c0f89de5294a166578f071eade2501929c4686
|
||||
---
|
||||
clientloop.c | 4 ++--
|
||||
serverloop.c | 4 ++--
|
||||
2 files changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/clientloop.c b/clientloop.c
|
||||
index be8bb5fc1f2..8ea2ada4216 100644
|
||||
--- a/clientloop.c
|
||||
+++ b/clientloop.c
|
||||
#@@ -1,4 +1,4 @@
|
||||
#-/* $OpenBSD: clientloop.c,v 1.404 2024/04/30 02:10:49 djm Exp $ */
|
||||
#+/* $OpenBSD: clientloop.c,v 1.405 2024/04/30 02:14:10 djm Exp $ */
|
||||
# /*
|
||||
# * Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
# * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@@ -1585,7 +1585,7 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
|
||||
client_wait_until_can_do_something(ssh, &pfd, &npfd_alloc,
|
||||
&npfd_active, channel_did_enqueue, &osigset,
|
||||
&conn_in_ready, &conn_out_ready);
|
||||
- if (sigprocmask(SIG_UNBLOCK, &bsigset, &osigset) == -1)
|
||||
+ if (sigprocmask(SIG_SETMASK, &osigset, NULL) == -1)
|
||||
error_f("osigset sigprocmask: %s", strerror(errno));
|
||||
|
||||
if (quit_pending)
|
||||
diff --git a/serverloop.c b/serverloop.c
|
||||
index f3683c2e4a6..94c8943a616 100644
|
||||
--- a/serverloop.c
|
||||
+++ b/serverloop.c
|
||||
@@ -1,4 +1,4 @@
|
||||
-/* $OpenBSD: serverloop.c,v 1.237 2023/08/21 04:59:54 djm Exp $ */
|
||||
+/* $OpenBSD: serverloop.c,v 1.238 2024/04/30 02:14:10 djm Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@@ -380,7 +380,7 @@ server_loop2(struct ssh *ssh, Authctxt *authctxt)
|
||||
wait_until_can_do_something(ssh, connection_in, connection_out,
|
||||
&pfd, &npfd_alloc, &npfd_active, &osigset,
|
||||
&conn_in_ready, &conn_out_ready);
|
||||
- if (sigprocmask(SIG_UNBLOCK, &bsigset, &osigset) == -1)
|
||||
+ if (sigprocmask(SIG_SETMASK, &osigset, NULL) == -1)
|
||||
error_f("osigset sigprocmask: %s", strerror(errno));
|
||||
|
||||
if (received_sigterm) {
|
@ -0,0 +1,32 @@
|
||||
From 9844aa2521ccfb1a2d73745680327b79e0574445 Mon Sep 17 00:00:00 2001
|
||||
From: "djm@openbsd.org" <djm@openbsd.org>
|
||||
Date: Wed, 21 Feb 2024 05:57:34 +0000
|
||||
Subject: [PATCH] upstream: fix proxy multiplexing mode, broken when keystroke
|
||||
timing
|
||||
|
||||
obfuscation was added. GHPR#463 from montag451
|
||||
|
||||
OpenBSD-Commit-ID: 4e412d59b3f557d431f1d81c715a3bc0491cc677
|
||||
---
|
||||
clientloop.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/clientloop.c b/clientloop.c
|
||||
index eb4902905fb..8ec36af94b3 100644
|
||||
--- a/clientloop.c
|
||||
+++ b/clientloop.c
|
||||
@@ -1,4 +1,4 @@
|
||||
-/* $OpenBSD: clientloop.c,v 1.402 2023/11/24 00:31:30 dtucker Exp $ */
|
||||
+/* $OpenBSD: clientloop.c,v 1.403 2024/02/21 05:57:34 djm Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@@ -517,7 +517,7 @@ send_chaff(struct ssh *ssh)
|
||||
{
|
||||
int r;
|
||||
|
||||
- if ((ssh->kex->flags & KEX_HAS_PING) == 0)
|
||||
+ if (ssh->kex == NULL || (ssh->kex->flags & KEX_HAS_PING) == 0)
|
||||
return 0;
|
||||
/* XXX probabilistically send chaff? */
|
||||
/*
|
@ -0,0 +1,38 @@
|
||||
From 146c420d29d055cc75c8606327a1cf8439fe3a08 Mon Sep 17 00:00:00 2001
|
||||
From: "djm@openbsd.org" <djm@openbsd.org>
|
||||
Date: Mon, 1 Jul 2024 04:31:17 +0000
|
||||
Subject: [PATCH] upstream: when sending ObscureKeystrokeTiming chaff packets,
|
||||
we
|
||||
|
||||
can't rely on channel_did_enqueue to tell that there is data to send. This
|
||||
flag indicates that the channels code enqueued a packet on _this_ ppoll()
|
||||
iteration, not that data was enqueued in _any_ ppoll() iteration in the
|
||||
timeslice. ok markus@
|
||||
|
||||
OpenBSD-Commit-ID: 009b74fd2769b36b5284a0188ade182f00564136
|
||||
---
|
||||
clientloop.c | 7 ++++---
|
||||
1 file changed, 4 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/clientloop.c b/clientloop.c
|
||||
index 0b6f3c9be02..8ed8b1c3449 100644
|
||||
--- a/clientloop.c
|
||||
+++ b/clientloop.c
|
||||
#@@ -1,4 +1,4 @@
|
||||
#-/* $OpenBSD: clientloop.c,v 1.407 2024/05/17 06:42:04 jsg Exp $ */
|
||||
#+/* $OpenBSD: clientloop.c,v 1.408 2024/07/01 04:31:17 djm Exp $ */
|
||||
# /*
|
||||
# * Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
# * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@@ -607,8 +607,9 @@ obfuscate_keystroke_timing(struct ssh *ssh, struct timespec *timeout,
|
||||
if (timespeccmp(&now, &chaff_until, >=)) {
|
||||
/* Stop if there have been no keystrokes for a while */
|
||||
stop_reason = "chaff time expired";
|
||||
- } else if (timespeccmp(&now, &next_interval, >=)) {
|
||||
- /* Otherwise if we were due to send, then send chaff */
|
||||
+ } else if (timespeccmp(&now, &next_interval, >=) &&
|
||||
+ !ssh_packet_have_data_to_write(ssh)) {
|
||||
+ /* If due to send but have no data, then send chaff */
|
||||
if (send_chaff(ssh))
|
||||
nchaff++;
|
||||
}
|
@ -1,3 +1,25 @@
|
||||
-------------------------------------------------------------------
|
||||
Fri Jul 5 17:49:06 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
|
||||
|
||||
- Add patch from upstream to fix proxy multiplexing mode:
|
||||
* 0001-upstream-fix-proxy-multiplexing-mode_-broken-when-keystroke.patch
|
||||
- Add patch from upstream to restore correctly sigprocmask
|
||||
* 0001-upstream-correctly-restore-sigprocmask-around-ppoll.patch
|
||||
- Add patch from upstream to fix a logic error in
|
||||
ObscureKeystrokeTiming that rendered this feature ineffective,
|
||||
allowing a passive observer to detect which network packets
|
||||
contained real keystrokes (bsc#1227318, CVE-2024-39894):
|
||||
* 0001-upstream-when-sending-ObscureKeystrokeTiming-chaff-packets_.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jul 3 16:53:53 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
|
||||
|
||||
- Add obsoletes for openssh-server-config-rootlogin since that
|
||||
package existed for a brief period of time during SLE 15 SP6/
|
||||
Leap 15.6 development but even if it was removed from the
|
||||
repositories before GM, some users might have it in their
|
||||
systems from having tried a beta/RC release (boo#1227350).
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Jul 1 07:50:28 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
|
||||
|
||||
@ -131,7 +153,8 @@ Sun Feb 25 18:26:23 UTC 2024 - Hans Petter Jansson <hpj@suse.com>
|
||||
user or hostname via %u, %h or similar expansion token, then
|
||||
an attacker who could supply arbitrary user/hostnames to ssh(1)
|
||||
could potentially perform command injection depending on what
|
||||
quoting was present in the user-supplied ssh_config(5) directive.
|
||||
quoting was present in the user-supplied ssh_config(5) directive
|
||||
(bsc#1218215, CVE-2023-51385).
|
||||
|
||||
= Potentially incompatible changes
|
||||
* ssh(1), sshd(8): the RFC4254 connection/channels protocol provides
|
||||
|
14
openssh.spec
14
openssh.spec
@ -128,8 +128,14 @@ Patch106: openssh-7.6p1-cleanup-selinux.patch
|
||||
# PATCH-FIX-OPENSUSE bsc#1211301 Add crypto-policies support
|
||||
Patch107: openssh-9.6p1-crypto-policies.patch
|
||||
Patch108: openssh-9.6p1-crypto-policies-man.patch
|
||||
# PATCH-FIX-SUSE bsc#1226642 fix CVE-2024-6387
|
||||
# PATCH-FIX-UPSTREAM bsc#1226642 fix CVE-2024-6387
|
||||
Patch109: fix-CVE-2024-6387.patch
|
||||
# PATCH-FIX-UPSTREAM
|
||||
Patch110: 0001-upstream-fix-proxy-multiplexing-mode_-broken-when-keystroke.patch
|
||||
# PATCH-FIX-UPSTREAM
|
||||
Patch111: 0001-upstream-correctly-restore-sigprocmask-around-ppoll.patch
|
||||
# PATCH-FIX-UPSTREAM bsc#1227318 CVE-2024-39894
|
||||
Patch112: 0001-upstream-when-sending-ObscureKeystrokeTiming-chaff-packets_.patch
|
||||
%if 0%{with allow_root_password_login_by_default}
|
||||
Patch1000: openssh-7.7p1-allow_root_password_login.patch
|
||||
%endif
|
||||
@ -204,6 +210,12 @@ Requires(pre): grep
|
||||
Requires(post): %fillup_prereq
|
||||
Requires(post): permissions
|
||||
Provides: openssh:%{_sbindir}/sshd
|
||||
%if 0%{with allow_root_password_login_by_default}
|
||||
# For a brief period of time this package existed in SLE/Leap.
|
||||
# It was removed before GM but some people might have it from
|
||||
# a beta distribution version (boo#1227350)
|
||||
Obsoletes: openssh-server-config-rootlogin <= %{version}
|
||||
%endif
|
||||
%sysusers_requires
|
||||
|
||||
%description server
|
||||
|
Loading…
Reference in New Issue
Block a user