- enable support for SSHv1 protocol and discourage its usage
(bsc#983307)
- enable DSA by default for backward compatibility and discourage
its usage (bsc#983784)
[openssh-7.2p2-allow_DSS_by_default.patch]
- upgrade to 7.2p2
upstream package without any SUSE patches
Distilled upstream log:
- OpenSSH 6.7
Potentially-incompatible changes:
* sshd(8): The default set of ciphers and MACs has been
altered to remove unsafe algorithms. In particular, CBC
ciphers and arcfour* are disabled by default.
The full set of algorithms remains available if configured
explicitly via the Ciphers and MACs sshd_config options.
* sshd(8): Support for tcpwrappers/libwrap has been removed.
* OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of
connections using the curve25519-sha256@libssh.org KEX
exchange method to fail when connecting with something that
implements the specification correctly. OpenSSH 6.7 disables
this KEX method when speaking to one of the affected
versions.
New Features:
* ssh(1), sshd(8): Add support for Unix domain socket
forwarding. A remote TCP port may be forwarded to a local
Unix domain socket and vice versa or both ends may be a Unix
domain socket.
* ssh(1), ssh-keygen(1): Add support for SSHFP DNS records for
ED25519 key types.
OBS-URL: https://build.opensuse.org/request/show/407066
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=107
[openssh-7.2p2-X11_trusted_forwarding.patch]
- set UID for lastlog properly
[openssh-7.2p2-lastlog.patch]
- enable use of PAM by default
[openssh-7.2p2-enable_PAM_by_default.patch]
- copy command line arguments properly
[openssh-7.2p2-saveargv-fix.patch]
- do not use pthreads in PAM code
[openssh-7.2p2-dont_use_pthreads_in_PAM.patch]
- fix paths in documentation
[openssh-7.2p2-eal3.patch]
- prevent race consitions triggered by SIGALRM
[openssh-7.2p2-blocksigalrm.patch]
[openssh-7.2p2-send_locale.patch]
[openssh-7.2p2-hostname_changes_when_forwarding_X.patch]
[openssh-7.2p2-remove_xauth_cookies_on_exit.patch]
[openssh-7.2p2-pts_names_formatting.patch]
- check locked accounts when using PAM
[openssh-7.2p2-pam_check_locks.patch]
[openssh-7.2p2-allow_root_password_login.patch]
[openssh-7.2p2-disable_short_DH_parameters.patch]
[openssh-7.2p2-seccomp_getuid.patch,
openssh-7.2p2-seccomp_stat.patch]
OBS-URL: https://build.opensuse.org/request/show/398857
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=104
- upgrade to 7.2p2
- changing license to 2-clause BSD to match source
- enable trusted X11 forwarding by default
[-X11_trusted_forwarding]
- set UID for lastlog properly [-lastlog]
- enable use of PAM by default [-enable_PAM_by_default]
- copy command line arguments properly [-saveargv-fix]
- do not use pthreads in PAM code [-dont_use_pthreads_in_PAM]
- fix paths in documentation [-eal3]
- prevent race consitions triggered by SIGALRM [-blocksigalrm]
- do send and accept locale environment variables by default
[-send_locale]
- handle hostnames changes during X forwarding
[-hostname_changes_when_forwarding_X]
- try to remove xauth cookies on exit
[-remove_xauth_cookies_on_exit]
- properly format pts names for ?tmp? log files
[-pts_names_formatting]
- check locked accounts when using PAM [-pam_check_locks]
- chenge default PermitRootLogin to 'yes' to prevent unwanted
surprises on updates from older versions.
See README.SUSE for details
[-allow_root_password_login]
- Disable DH parameters under 2048 bits by default and allow
lowering the limit back to the RFC 4419 specified minimum
through an option (bsc#932483, bsc#948902)
[-disable_short_DH_parameters]
- Add getuid() and stat() syscalls to the seccomp filter
OBS-URL: https://build.opensuse.org/request/show/398802
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=103
- openssh-alloc_size.patch: anotate xmalloc.h with alloc_size
attribute so the compiler knows these functions allocate memory
so overflow or misuse can be detected sooner.
- openssh-allow_getrandom.patch; allow the getrandom(2) system
call in the seccomp sandbox, upstream commit 26ad18247213
- openssh-fix-b64_xx-detection.patch: configure.ac has incorrect
tests for b64_ntop, b64_pton on linux/glibc.
OBS-URL: https://build.opensuse.org/request/show/358392
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=96
- Cleanup with spec-cleaner
- Update of the master OpenSSH to 7.1p2
- Take refreshed and updated audit patch from redhat
* Remove our old patches:
+ openssh-6.6p1-audit1-remove_duplicit_audit.patch
+ openssh-6.6p1-audit2-better_audit_of_user_actions.patch
+ openssh-6.6p1-audit3-key_auth_usage-fips.patch
+ openssh-6.6p1-audit3-key_auth_usage.patch
+ openssh-6.6p1-audit4-kex_results-fips.patch
+ openssh-6.6p1-audit4-kex_results.patch
+ openssh-6.6p1-audit5-session_key_destruction.patch
+ openssh-6.6p1-audit6-server_key_destruction.patch
+ openssh-6.6p1-audit7-libaudit_compat.patch
+ openssh-6.6p1-audit8-libaudit_dns_timeouts.patch
* add openssh-6.7p1-audit.patch
- Reenable the openssh-6.6p1-ldap.patch
- Update the fips patch from RH build openssh-6.6p1-fips.patch
- Update and refresh openssh-6.6p1-gssapi_key_exchange.patch
- Remove fips-check patch as it is merged to fips patch
* openssh-6.6p1-fips-checks.patch
- Rebase and enable chroot patch:
* openssh-6.6p1-sftp_homechroot.patch
- Reenable rebased patch for linux seed:
* openssh-6.6p1-seed-prng.patch
- Reenable key converting patch:
* openssh-6.6p1-key-converter.patch
- Version update to 7.1p2:
* various upstream bugfixes and cleanups
OBS-URL: https://build.opensuse.org/request/show/354941
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=95
- Update of the underlying OpenSSH to 6.6p1
- Remove uneeded dependency on the OpenLDAP server (openldap2)
from openssh-helpers. openssh-helpers just depends on the
openldap client libraries, which will be auto-generated by rpm.
- update to 6.6p1
Security:
* sshd(8): when using environment passing with a sshd_config(5)
AcceptEnv pattern with a wildcard. OpenSSH prior to 6.6 could
be tricked into accepting any enviornment variable that
contains the characters before the wildcard character.
Features since 6.5p1:
* ssh(1), sshd(8): removal of the J-PAKE authentication code,
which was experimental, never enabled and has been
unmaintained for some time.
* ssh(1): skip 'exec' clauses other clauses predicates failed
to match while processing Match blocks.
* ssh(1): if hostname canonicalisation is enabled and results
in the destination hostname being changed, then re-parse
ssh_config(5) files using the new destination hostname. This
gives 'Host' and 'Match' directives that use the expanded
hostname a chance to be applied.
Bugfixes:
* ssh(1): avoid spurious "getsockname failed: Bad file
descriptor" in ssh -W. bz#2200, debian#738692
* sshd(8): allow the shutdown(2) syscall in seccomp-bpf and
systrace sandbox modes, as it is reachable if the connection
is terminated during the pre-auth phase.
* ssh(1), sshd(8): fix unsigned overflow that in SSH protocol 1
OBS-URL: https://build.opensuse.org/request/show/230190
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=95
- Update of the underlying OpenSSH to 6.6p1
- update to 6.6p1
Security:
* sshd(8): when using environment passing with a sshd_config(5)
AcceptEnv pattern with a wildcard. OpenSSH prior to 6.6 could
be tricked into accepting any enviornment variable that
contains the characters before the wildcard character.
Features since 6.5p1:
* ssh(1), sshd(8): removal of the J-PAKE authentication code,
which was experimental, never enabled and has been
unmaintained for some time.
* ssh(1): skip 'exec' clauses other clauses predicates failed
to match while processing Match blocks.
* ssh(1): if hostname canonicalisation is enabled and results
in the destination hostname being changed, then re-parse
ssh_config(5) files using the new destination hostname. This
gives 'Host' and 'Match' directives that use the expanded
hostname a chance to be applied.
Bugfixes:
* ssh(1): avoid spurious "getsockname failed: Bad file
descriptor" in ssh -W. bz#2200, debian#738692
* sshd(8): allow the shutdown(2) syscall in seccomp-bpf and
systrace sandbox modes, as it is reachable if the connection
is terminated during the pre-auth phase.
* ssh(1), sshd(8): fix unsigned overflow that in SSH protocol 1
bignum parsing. Minimum key length checks render this bug
unexploitable to compromise SSH 1 sessions.
* sshd_config(5): clarify behaviour of a keyword that appears
in multiple matching Match blocks. bz#2184
OBS-URL: https://build.opensuse.org/request/show/230097
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=76
- Update of the underlying OpenSSH to 6.5p1
- Update to 6.5p1
Features since 6.4p1:
* ssh(1), sshd(8): support for key exchange using ECDH in
Daniel Bernstein's Curve25519; default when both the client
and server support it.
* ssh(1), sshd(8): support for Ed25519 as a public key type fo
rboth server and client. Ed25519 is an EC signature offering
better security than ECDSA and DSA and good performance.
* Add a new private key format that uses a bcrypt KDF to better
protect keys at rest. Used unconditionally for Ed25519 keys,
on demand for other key types via the -o ssh-keygen(1)
option. Intended to become default in the near future.
Details documented in PROTOCOL.key.
* ssh(1), sshd(8): new transport cipher
"chacha20-poly1305@openssh.com" combining Daniel Bernstein's
ChaCha20 stream cipher and Poly1305 MAC to build an
authenticated encryption mode. Details documented
PROTOCOL.chacha20poly1305.
* ssh(1), sshd(8): refuse RSA keys from old proprietary clients
and servers that use the obsolete RSA+MD5 signature scheme.
It will still be possible to connect with these
clients/servers but only DSA keys will be accepted, and
OpenSSH will refuse connection entirely in a future release.
* ssh(1), sshd(8): refuse old proprietary clients and servers
that use a weaker key exchange hash calculation.
* ssh(1): increase the size of the Diffie-Hellman groups
requested for each symmetric key size. New values from NIST
Special Publication 800-57 with the upper limit specified by (forwarded request 222365 from pcerny)
OBS-URL: https://build.opensuse.org/request/show/222366
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=90
- Update of the underlying OpenSSH to 6.5p1
- Update to 6.5p1
Features since 6.4p1:
* ssh(1), sshd(8): support for key exchange using ECDH in
Daniel Bernstein's Curve25519; default when both the client
and server support it.
* ssh(1), sshd(8): support for Ed25519 as a public key type fo
rboth server and client. Ed25519 is an EC signature offering
better security than ECDSA and DSA and good performance.
* Add a new private key format that uses a bcrypt KDF to better
protect keys at rest. Used unconditionally for Ed25519 keys,
on demand for other key types via the -o ssh-keygen(1)
option. Intended to become default in the near future.
Details documented in PROTOCOL.key.
* ssh(1), sshd(8): new transport cipher
"chacha20-poly1305@openssh.com" combining Daniel Bernstein's
ChaCha20 stream cipher and Poly1305 MAC to build an
authenticated encryption mode. Details documented
PROTOCOL.chacha20poly1305.
* ssh(1), sshd(8): refuse RSA keys from old proprietary clients
and servers that use the obsolete RSA+MD5 signature scheme.
It will still be possible to connect with these
clients/servers but only DSA keys will be accepted, and
OpenSSH will refuse connection entirely in a future release.
* ssh(1), sshd(8): refuse old proprietary clients and servers
that use a weaker key exchange hash calculation.
* ssh(1): increase the size of the Diffie-Hellman groups
requested for each symmetric key size. New values from NIST
Special Publication 800-57 with the upper limit specified by
OBS-URL: https://build.opensuse.org/request/show/222365
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=63