Commit Graph

2 Commits

Author SHA256 Message Date
Hans Petter Jansson
03fc1a6def Accepting request 1087770 from home:alarrosa:branches:network
- Update to openssh 9.3p1
  * No changes for askpass, see main package changelog for
    details

- Update to openssh 9.3p1:
  = Security
  * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the
   per-hop destination constraints (ssh-add -h ...) added in
   OpenSSH 8.9, a logic error prevented the constraints from being
   communicated to the agent. This resulted in the keys being added
   without constraints. The common cases of non-smartcard keys and
   keys without destination constraints are unaffected. This
   problem was reported by Luci Stanescu.
 * ssh(1): Portable OpenSSH provides an implementation of the
   getrrsetbyname(3) function if the standard library does not
   provide it, for use by the VerifyHostKeyDNS feature. A
   specifically crafted DNS response could cause this function to
   perform an out-of-bounds read of adjacent stack data, but this
   condition does not appear to be exploitable beyond denial-of-
   service to the ssh(1) client.
   The getrrsetbyname(3) replacement is only included if the
   system's standard library lacks this function and portable
   OpenSSH was not compiled with the ldns library (--with-ldns).
   getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to
   fetch SSHFP records. This problem was found by the Coverity
   static analyzer.
  = New features
  * ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256
    when outputting SSHFP fingerprints to allow algorithm
    selection. bz3493

OBS-URL: https://build.opensuse.org/request/show/1087770
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=247
2023-05-22 19:32:26 +00:00
Hans Petter Jansson
916f9ab5d2 Accepting request 849311 from home:hpjansson:branches:network
- Fix build breakage caused by missing security key objects:
  + Modify openssh-7.7p1-cavstest-ctr.patch.
  + Modify openssh-7.7p1-cavstest-kdf.patch.
  + Add openssh-link-with-sk.patch.

- Add openssh-fips-ensure-approved-moduli.patch (bsc#1177939).
  This ensures only approved DH parameters are used in FIPS mode.

- Add openssh-8.1p1-ed25519-use-openssl-rng.patch (bsc#1173799).
  This uses OpenSSL's RAND_bytes() directly instead of the internal
  ChaCha20-based implementation to obtain random bytes for Ed25519
  curve computations. This is required for FIPS compliance.

OBS-URL: https://build.opensuse.org/request/show/849311
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=219
2020-11-22 16:59:16 +00:00