Commit Graph

385 Commits

Author SHA256 Message Date
Ana Guerrero
67e6fdb025 Accepting request 1218789 from network
OBS-URL: https://build.opensuse.org/request/show/1218789
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=188
2024-10-29 13:31:58 +00:00
717dd2da2c - Don't force using gcc11 on SLFO/ALP which have a newer version.
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=280
2024-10-28 11:22:01 +00:00
33d804a345 - Add patches from upstream:
- To fix a copy&paste oversight in an ifdef :
  * 0001-fix-utmpx-ifdef.patch
  - To fix a regression introduced when the "Match" criteria
    tokenizer was modified since it stopped supporting the
    "Match criteria=argument" format:
  * 0002-upstream-fix-regression-introduced-when-I-switched-the-Match.patch
  - To fix the previous patch which broke on negated Matches:
  * 0003-upstream-fix-previous-change-to-ssh_config-Match_-which-broken-on.patch
  - To fix the ML-KEM768x25519 kex algorithm on big-endian systems:
  * 0004-upstream-fix-ML-KEM768x25519-KEX-on-big-endian-systems-spotted-by.patch

OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=279
2024-10-28 11:16:49 +00:00
Ana Guerrero
01365117e3 Accepting request 1207974 from network
OBS-URL: https://build.opensuse.org/request/show/1207974
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=187
2024-10-15 12:57:58 +00:00
219dd97d90 - Use %{with ...} instead of 0%{with ...}
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=278
2024-10-14 15:20:38 +00:00
Dominique Leuenberger
77745960a4 Accepting request 1207806 from network
OBS-URL: https://build.opensuse.org/request/show/1207806
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=186
2024-10-14 11:06:29 +00:00
77273f8679 Updated the patch with a suggestion from upstream.
- Add a patch to fix a regression introduced in 9.6 that makes X11
  forwarding very slow. Submitted to upstream in
  https://bugzilla.mindrot.org/show_bug.cgi?id=3655#c4 . Fixes
  bsc#1229449:
  * fix-x11-regression-bsc1229449.patch
- Remove empty line at the end of sshd-sle.pamd (bsc#1227456)

OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=277
2024-10-14 06:33:00 +00:00
Ana Guerrero
fef82d94da Accepting request 1203550 from network
OBS-URL: https://build.opensuse.org/request/show/1203550
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=185
2024-09-26 16:52:30 +00:00
a77a72fabb - Add a const to the openssl 1.1/RSA section of sshkey_is_private
to keep it similar to what it used before the 9.9 rebase:
  * openssh-8.1p1-audit.patch
- Add a openssl11 bcond to the spec file for the SLE12 case
  instead of checking suse_version in different parts.
- Move conditional patches to a number >= 1000.

OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=276
2024-09-25 11:55:37 +00:00
3f6eda5c88 - Update to openssh 9.9p1:
* No changes for askpass, see main package changelog for
    details.

- Update to openssh 9.9p1:
  = Future deprecation notice
  * OpenSSH plans to remove support for the DSA signature algorithm
    in early 2025. This release disables DSA by default at compile
    time. DSA, as specified in the SSHv2 protocol, is inherently
    weak - being limited to a 160 bit private key and use of the
    SHA1 digest. Its estimated security level is only 80 bits
    symmetric equivalent.
    OpenSSH has disabled DSA keys by default since 2015 but has
    retained run-time optional support for them. DSA was the only
    mandatory-to-implement algorithm in the SSHv2 RFCs, mostly
    because alternative algorithms were encumbered by patents when
    the SSHv2 protocol was specified.
    This has not been the case for decades at this point and better
    algorithms are well supported by all actively-maintained SSH
    implementations. We do not consider the costs of maintaining
    DSA in OpenSSH to be justified and hope that removing it from
    OpenSSH can accelerate its wider deprecation in supporting
    cryptography libraries.
  = Potentially-incompatible changes
  * ssh(1): remove support for pre-authentication compression.
    OpenSSH has only supported post-authentication compression in
    the server for some years. Compression before authentication
    significantly increases the attack surface of SSH servers and
    risks creating oracles that reveal information about
    information sent during authentication.

OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=275
2024-09-25 08:42:29 +00:00
Ana Guerrero
f15242edbd Accepting request 1200282 from network
OBS-URL: https://build.opensuse.org/request/show/1200282
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=184
2024-09-13 12:26:08 +00:00
fef1b16e66 - Drop most of openssh-6.6p1-keycat.patch (actually, it was just
commented out). The keycat binary isn't really installed nor
  supported, so we can drop it, except for the code that is used
  by other SELinux patches, which is what I kept from that patch
  (boo#1229072).
- Add patch submitted to upstream to fix RFC4256 implementation
  so that keyboard-interactive authentication method can send
  instructions and sshd shows them to users even before a prompt
  is requested. This fixes MFA push notifications (boo#1229010).
  * 0001-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch

OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=274
2024-09-12 10:24:41 +00:00
Dominique Leuenberger
fbdd7af379 Accepting request 1196434 from network
- Update to openssh 9.8p1:
  * No changes for askpass, see main package changelog for
    details.

- Add patch to fix sshd not logging in the audit failed login
  attempts (submitted to upstream in
  https://github.com/openssh/openssh-portable/pull/516):
  * fix-audit-fail-attempt.patch
- Use --enable-dsa-keys when building openssh. It's required if
  the user sets the crypto-policy mode to LEGACY, where DSA keys
  should be allowed. The option was added by upstream in 9.7 and
  set to disabled by default.
- These two changes fix 2 of the 3 issues reported in bsc#1229650.

- Fix a dbus connection leaked in the logind patch that was
  missing a sd_bus_unref call (found by Matthias Gerstner):
  * logind_set_tty.patch
- Add a patch that fixes a small memory leak when parsing the
  subsystem configuration option:
  * fix-memleak-in-process_server_config_line_depth.patch

- Update to openssh 9.8p1:
  = Security
  * 1) Race condition in sshd(8) (bsc#1226642, CVE-2024-6387).
    A critical vulnerability in sshd(8) was present in Portable
    OpenSSH versions between 8.5p1 and 9.7p1 (inclusive) that may
    allow arbitrary code execution with root privileges.
    Successful exploitation has been demonstrated on 32-bit
    Linux/glibc systems with ASLR. Under lab conditions, the attack
    requires on average 6-8 hours of continuous connections up to

OBS-URL: https://build.opensuse.org/request/show/1196434
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=183
2024-08-29 13:42:55 +00:00
dd9c4b9bb1 - Add patch to fix sshd not logging in the audit failed login
attempts (submitted to upstream in
  https://github.com/openssh/openssh-portable/pull/516):
  * fix-audit-fail-attempt.patch
- Use --enable-dsa-keys when building openssh. It's required if
  the user sets the crypto-policy mode to LEGACY, where DSA keys
  should be allowed. The option was added by upstream in 9.7 and
  set to disabled by default.
- These two changes fix 2 of the 3 issues reported in bsc#1229650.

OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=273
2024-08-23 12:36:12 +00:00
Ana Guerrero
e7740396e0 https://bugzilla.opensuse.org/show_bug.cgi?id=1229650
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=182
2024-08-22 10:34:42 +00:00
Ana Guerrero
8a8ed57387 Accepting request 1194679 from network
Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/1194679
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=181
2024-08-21 21:24:44 +00:00
da2c6cc517 - Update to openssh 9.8p1:
* No changes for askpass, see main package changelog for
    details.

- Fix a dbus connection leaked in the logind patch that was
  missing a sd_bus_unref call (found by Matthias Gerstner):
  * logind_set_tty.patch
- Add a patch that fixes a small memory leak when parsing the
  subsystem configuration option:
  * fix-memleak-in-process_server_config_line_depth.patch

- Update to openssh 9.8p1:
  = Security
  * 1) Race condition in sshd(8) (bsc#1226642, CVE-2024-6387).
    A critical vulnerability in sshd(8) was present in Portable
    OpenSSH versions between 8.5p1 and 9.7p1 (inclusive) that may
    allow arbitrary code execution with root privileges.
    Successful exploitation has been demonstrated on 32-bit
    Linux/glibc systems with ASLR. Under lab conditions, the attack
    requires on average 6-8 hours of continuous connections up to
    the maximum the server will accept. Exploitation on 64-bit
    systems is believed to be possible but has not been
    demonstrated at this time. It's likely that these attacks will
    be improved upon.
    Exploitation on non-glibc systems is conceivable but has not
    been examined. Systems that lack ASLR or users of downstream
    Linux distributions that have modified OpenSSH to disable
    per-connection ASLR re-randomisation (yes - this is a thing, no
    - we don't understand why) may potentially have an easier path
    to exploitation. OpenBSD is not vulnerable.

OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=272
2024-08-12 09:54:46 +00:00
Ana Guerrero
d5d292d413 Accepting request 1185823 from network
OBS-URL: https://build.opensuse.org/request/show/1185823
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=180
2024-07-08 17:06:54 +00:00
869b2ae788 - Add patch from upstream to fix proxy multiplexing mode:
* 0001-upstream-fix-proxy-multiplexing-mode_-broken-when-keystroke.patch
- Add patch from upstream to restore correctly sigprocmask
  * 0001-upstream-correctly-restore-sigprocmask-around-ppoll.patch
- Add patch from upstream to fix a logic error in
  ObscureKeystrokeTiming that rendered this feature ineffective,
  allowing a passive observer to detect which network packets
  contained real keystrokes (bsc#1227318, CVE-2024-39894):
  * 0001-upstream-when-sending-ObscureKeystrokeTiming-chaff-packets_.patch

OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=271
2024-07-05 19:01:36 +00:00
45f6d17800 - Add obsoletes for openssh-server-config-rootlogin since that
package existed for a brief period of time during SLE 15 SP6/
  Leap 15.6 development but even if it was removed from the
  repositories before GM, some users might have it in their
  systems from having tried a beta/RC release (boo#1227350).

    quoting was present in the user-supplied ssh_config(5) directive
    (bsc#1218215, CVE-2023-51385).

OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=270
2024-07-05 11:34:53 +00:00
Ana Guerrero
414e74b526 Accepting request 1184302 from network
OBS-URL: https://build.opensuse.org/request/show/1184302
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=179
2024-07-02 16:16:12 +00:00
0aa4b1876f - Add patch to fix a race condition in a signal handler by removing
the async-signal-unsafe code (CVE-2024-6387, bsc#1226642):
  * fix-CVE-2024-6387.patch

OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=269
2024-07-01 11:50:15 +00:00
Ana Guerrero
909e5eb8e7 Accepting request 1179624 from network
OBS-URL: https://build.opensuse.org/request/show/1179624
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=178
2024-06-10 15:37:06 +00:00
b4dab4a6f7 Accepting request 1179619 from home:alarrosa:branches:network:openssh
- Add #include <stdlib.h> in some files added by the ldap patch to
  fix build with gcc14 (boo#1225904).
  * openssh-7.7p1-ldap.patch

OBS-URL: https://build.opensuse.org/request/show/1179619
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=268
2024-06-10 07:34:57 +00:00
Ana Guerrero
9b110f7def Accepting request 1174781 from network
OBS-URL: https://build.opensuse.org/request/show/1174781
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=177
2024-05-17 18:03:57 +00:00
e11bee9499 Accepting request 1174779 from home:alarrosa:branches:network:openssh-permit-root-login
- Remove the recommendation for openssh-server-config-rootlogin
  from openssh-server. Since the default for that config option
  was changed in SLE it's not needed anymore in SLE nor in TW
  (boo#1224392).

- Add a warning in %post of openssh-clients, openssh-server and 
  openssh-server-config-disallow-rootlogin to warn the user if
  the /etc/ssh/(ssh_config.d|sshd_config.d) directories are not
  being used (bsc#1223486).

OBS-URL: https://build.opensuse.org/request/show/1174779
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=267
2024-05-17 08:01:30 +00:00
Dominique Leuenberger
b81f1e76c1 https://bugzilla.opensuse.org/show_bug.cgi?id=1224392
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=176
2024-05-17 07:34:04 +00:00
Ana Guerrero
5d0cbae36f Accepting request 1173885 from network
OBS-URL: https://build.opensuse.org/request/show/1173885
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=175
2024-05-15 19:25:44 +00:00
f2379e82ce Accepting request 1173783 from home:alarrosa:branches:network:openssh-permit-root-login
- Only for SLE15, restore the patch file removed in
  Thu Feb 18 13:54:44 UTC 2021 to restore the previous behaviour
  from SP5 of having root password login allowed by default
  (fixes bsc#1223486, related to bsc#1173067):
  * openssh-7.7p1-allow_root_password_login.patch
- Since the default value for this config option is now set to
  permit root to use password logins in SLE15, the
  openssh-server-config-rootlogin subpackage isn't useful there so 
  we now create an openssh-server-config-disallow-rootlogin
  subpackage that sets the configuration the other way around
  than openssh-server-config-rootlogin.

OBS-URL: https://build.opensuse.org/request/show/1173783
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=266
2024-05-14 06:52:13 +00:00
Ana Guerrero
04d08a5024 Accepting request 1167856 from network
OBS-URL: https://build.opensuse.org/request/show/1167856
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=174
2024-04-16 18:03:15 +00:00
9d3cbd48d5 Accepting request 1167855 from home:alarrosa:branches:network
Add bugzilla reference to bsc#1221005

OBS-URL: https://build.opensuse.org/request/show/1167855
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=265
2024-04-15 17:00:32 +00:00
6016b8b08a Accepting request 1167816 from home:msmeissn:branches:network
- openssh-8.0p1-gssapi-keyex.patch: Added missing struct initializer,
  added missing parameter (bsc#1222840)

OBS-URL: https://build.opensuse.org/request/show/1167816
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=264
2024-04-15 15:41:38 +00:00
1f2a4cd9cc Accepting request 1167038 from home:alarrosa:branches:network
- Make openssh-server recommend the openssh-server-config-rootlogin
  package in SLE in order to keep the same behaviour of previous
  SPs where the PermitRootLogin default was set to yes.
- Fix crypto-policies requirement to be set by openssh-server, not
  the config-rootlogin subpackage.
- Add back %config(noreplace) tag for more config files that were
  already set like this in previous SPs.

OBS-URL: https://build.opensuse.org/request/show/1167038
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=263
2024-04-15 06:21:11 +00:00
Ana Guerrero
e40d53fa8e Accepting request 1166980 from network
OBS-URL: https://build.opensuse.org/request/show/1166980
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=173
2024-04-14 09:53:40 +00:00
83215f33b6 Accepting request 1166764 from home:Arnavion
- Fix duplicate loading of dropins. (boo#1222467)

OBS-URL: https://build.opensuse.org/request/show/1166764
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=262
2024-04-12 06:38:08 +00:00
Ana Guerrero
6b2f2760ef Accepting request 1166157 from network
OBS-URL: https://build.opensuse.org/request/show/1166157
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=172
2024-04-08 15:37:41 +00:00
2793e0783a Accepting request 1166156 from home:alarrosa:branches:network
Add one more bsc/CVE reference

OBS-URL: https://build.opensuse.org/request/show/1166156
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=261
2024-04-08 11:15:17 +00:00
2f5a8dd315 Accepting request 1165554 from home:alarrosa:branches:network
- Add missing bugzilla/CVE references to the changelog

OBS-URL: https://build.opensuse.org/request/show/1165554
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=260
2024-04-05 11:11:29 +00:00
b0b10ece31 Accepting request 1165549 from home:alarrosa:branches:network2
- Add patch from SLE which was missing in Factory:
  * Mon Jun  7 20:54:09 UTC 2021 - Hans Petter Jansson <hpj@suse.com>
- Add openssh-mitigate-lingering-secrets.patch (bsc#1186673), which
  attempts to mitigate instances of secrets lingering in memory
  after a session exits. (bsc#1213004 bsc#1213008) 
- Rebase patch:
  * openssh-6.6p1-privsep-selinux.patch

OBS-URL: https://build.opensuse.org/request/show/1165549
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=259
2024-04-05 11:08:11 +00:00
2399b4e4c2 Accepting request 1165438 from home:alarrosa:branches:network2
Forward a fix for a patch from SLE
   
- Rebase openssh-7.7p1-fips.patch (bsc#1221928) 
  Remove OPENSSL_HAVE_EVPGCM-ifdef, which is no longer supported by
  upstream

OBS-URL: https://build.opensuse.org/request/show/1165438
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=258
2024-04-05 07:57:21 +00:00
Ana Guerrero
bf408fc2b0 Accepting request 1164536 from network
OBS-URL: https://build.opensuse.org/request/show/1164536
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=171
2024-04-04 20:24:47 +00:00
c133b2d567 Accepting request 1164145 from home:alarrosa:branches:network
- Use %config(noreplace) for sshd_config . In any case, it's
  recommended to drop a file in sshd_config.d instead of editing
  sshd_config (bsc#1221063)
- Use %{_libexecdir} when removing ssh-keycat instead of the
  hardcoded path so it works in TW and SLE.

OBS-URL: https://build.opensuse.org/request/show/1164145
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=257
2024-04-04 09:11:43 +00:00
5252cd62e2 Accepting request 1155471 from home:pmonrealgonzalez:branches:network
- Add crypto-policies support [bsc#1211301]
  * Add patches:
    - openssh-9.6p1-crypto-policies.patch
    - openssh-9.6p1-crypto-policies-man.patch

OBS-URL: https://build.opensuse.org/request/show/1155471
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=256
2024-04-04 09:11:25 +00:00
Ana Guerrero
2446674e73 Accepting request 1150501 from network
- Update to openssh 9.6p1:
  * No changes for askpass, see main package changelog for
    details.

- Update to openssh 9.6p1:
  = Security
  * ssh(1), sshd(8): implement protocol extensions to thwart the
    so-called "Terrapin attack" discovered by Fabian Bäumer, Marcus
    Brinkmann and Jörg Schwenk. This attack allows a MITM to effect a
    limited break of the integrity of the early encrypted SSH transport
    protocol by sending extra messages prior to the commencement of
    encryption, and deleting an equal number of consecutive messages
    immediately after encryption starts. A peer SSH client/server
    would not be able to detect that messages were deleted.
  * ssh-agent(1): when adding PKCS#11-hosted private keys while
    specifying destination constraints, if the PKCS#11 token returned
    multiple keys then only the first key had the constraints applied.
    Use of regular private keys, FIDO tokens and unconstrained keys
    are unaffected.
  * ssh(1): if an invalid user or hostname that contained shell
    metacharacters was passed to ssh(1), and a ProxyCommand,
    LocalCommand directive or "match exec" predicate referenced the
    user or hostname via %u, %h or similar expansion token, then
    an attacker who could supply arbitrary user/hostnames to ssh(1)
    could potentially perform command injection depending on what
    quoting was present in the user-supplied ssh_config(5) directive.
  = Potentially incompatible changes
  * ssh(1), sshd(8): the RFC4254 connection/channels protocol provides
    a TCP-like window mechanism that limits the amount of data that
    can be sent without acceptance from the peer. In cases where this (forwarded request 1150500 from hpjansson)

OBS-URL: https://build.opensuse.org/request/show/1150501
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=170
2024-02-27 21:43:12 +00:00
Hans Petter Jansson
b3ff99ae3c Accepting request 1150500 from home:hpjansson:branches:network
- Update to openssh 9.6p1:
  * No changes for askpass, see main package changelog for
    details.

- Update to openssh 9.6p1:
  = Security
  * ssh(1), sshd(8): implement protocol extensions to thwart the
    so-called "Terrapin attack" discovered by Fabian Bäumer, Marcus
    Brinkmann and Jörg Schwenk. This attack allows a MITM to effect a
    limited break of the integrity of the early encrypted SSH transport
    protocol by sending extra messages prior to the commencement of
    encryption, and deleting an equal number of consecutive messages
    immediately after encryption starts. A peer SSH client/server
    would not be able to detect that messages were deleted.
  * ssh-agent(1): when adding PKCS#11-hosted private keys while
    specifying destination constraints, if the PKCS#11 token returned
    multiple keys then only the first key had the constraints applied.
    Use of regular private keys, FIDO tokens and unconstrained keys
    are unaffected.
  * ssh(1): if an invalid user or hostname that contained shell
    metacharacters was passed to ssh(1), and a ProxyCommand,
    LocalCommand directive or "match exec" predicate referenced the
    user or hostname via %u, %h or similar expansion token, then
    an attacker who could supply arbitrary user/hostnames to ssh(1)
    could potentially perform command injection depending on what
    quoting was present in the user-supplied ssh_config(5) directive.
  = Potentially incompatible changes
  * ssh(1), sshd(8): the RFC4254 connection/channels protocol provides
    a TCP-like window mechanism that limits the amount of data that
    can be sent without acceptance from the peer. In cases where this

OBS-URL: https://build.opensuse.org/request/show/1150500
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=255
2024-02-25 18:43:17 +00:00
Ana Guerrero
b339dda6d3 Accepting request 1133933 from network
Added openssh-cve-2023-48795.patch (forwarded request 1133932 from hpjansson)

OBS-URL: https://build.opensuse.org/request/show/1133933
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=169
2023-12-19 22:15:40 +00:00
Hans Petter Jansson
9778084948 Accepting request 1133932 from home:hpjansson:branches:network
Added openssh-cve-2023-48795.patch

OBS-URL: https://build.opensuse.org/request/show/1133932
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=254
2023-12-19 01:54:09 +00:00
Hans Petter Jansson
f716c85e71 Accepting request 1113799 from home:kukuk:branches:network
- Disable SLP by default for Factory and ALP (bsc#1214884)

OBS-URL: https://build.opensuse.org/request/show/1113799
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=253
2023-12-19 01:39:20 +00:00
Ana Guerrero
cb6e8d7fb0 Accepting request 1129646 from network
OBS-URL: https://build.opensuse.org/request/show/1129646
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=168
2023-11-30 20:59:01 +00:00
Hans Petter Jansson
74e20db9ed Accepting request 1123220 from home:jsegitz:branches:network
- Enhanced SELinux functionality. Added Fedora patches:
  * openssh-7.8p1-role-mls.patch
    Proper handling of MLS systems and basis for other SELinux
    improvements
  * openssh-6.6p1-privsep-selinux.patch
    Properly set contexts during privilege separation
  * openssh-6.6p1-keycat.patch
    Add ssh-keycat command to allow retrival of authorized_keys
    on MLS setups with polyinstantiation
  * openssh-6.6.1p1-selinux-contexts.patch
    Additional changes to set the proper context during privilege 
    separation
  * openssh-7.6p1-cleanup-selinux.patch
    Various changes and putting the pieces together
  For now we don't ship the ssh-keycat command, but we need the patch
  for the other SELinux infrastructure
  This change fixes issues like bsc#1214788, where the ssh daemon 
  needs to act on behalf of a user and needs a proper context for this

OBS-URL: https://build.opensuse.org/request/show/1123220
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=252
2023-11-28 16:35:34 +00:00