Commit Graph

7 Commits

Author SHA256 Message Date
Petr Cerny
56e0af8154 Accepting request 547144 from home:pcerny:factory
temporarily downgrading to 7.2p2 to run tests on additional 7.2p2 patches

OBS-URL: https://build.opensuse.org/request/show/547144
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=124
2017-12-01 15:03:13 +00:00
Petr Cerny
d83100ae13 Accepting request 539322 from home:pcerny:factory
- upgrade to 7.6p1
  see main package changelog for details

- Update to vanilla 7.6p1
  Most important changes (more details below):
  * complete removal of the ancient SSHv1 protocol
  * sshd(8) cannot run without privilege separation
  * removal of suport for arcfourm blowfish and CAST ciphers
    and RIPE-MD160 HMAC
  * refuse RSA keys shorter than 1024 bits
  Distilled upstream log:
- OpenSSH 7.3
  ---- Security
  * sshd(8): Mitigate a potential denial-of-service attack
    against the system's crypt(3) function via sshd(8). An
    attacker could send very long passwords that would cause
    excessive CPU use in crypt(3). sshd(8) now refuses to accept
    password authentication requests of length greater than 1024
    characters. Independently reported by Tomas Kuthan (Oracle),
    Andres Rojas and Javier Nieto.
  * sshd(8): Mitigate timing differences in password
    authentication that could be used to discern valid from
    invalid account names when long passwords were sent and
    particular password hashing algorithms are in use on the
    server. CVE-2016-6210, reported by EddieEzra.Harari at
    verint.com
  * ssh(1), sshd(8): Fix observable timing weakness in the CBC
    padding oracle countermeasures. Reported by Jean Paul
    Degabriele, Kenny Paterson, Torben Hansen and Martin
    Albrecht. Note that CBC ciphers are disabled by default and

OBS-URL: https://build.opensuse.org/request/show/539322
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=122
2017-11-06 14:50:53 +00:00
Petr Cerny
e8b9919265 Accepting request 500279 from home:pcerny:factory
- Fix preauth seccomp separation on mainframes (bsc#1016709)
  [openssh-7.2p2-s390_hw_crypto_syscalls.patch]
  [openssh-7.2p2-s390_OpenSSL-ibmpkcs11_syscalls.patch]
- enable case-insensitive hostname matching (bsc#1017099)
  [openssh-7.2p2-ssh_case_insensitive_host_matching.patch]
- add CAVS tests 
  [openssh-7.2p2-cavstest-ctr.patch]
  [openssh-7.2p2-cavstest-kdf.patch]
- Adding missing pieces for user matching (bsc#1021626)
- Properly verify CIDR masks in configuration
  (bsc#1005893)
  [openssh-7.2p2-verify_CIDR_address_ranges.patch]
- Remove pre-auth compression support from the server to prevent
  possible cryptographic attacks.
  (CVE-2016-10012, bsc#1016370)
  [openssh-7.2p2-disable_preauth_compression.patch]
- limit directories for loading PKCS11 modules
  (CVE-2016-10009, bsc#1016366)
  [openssh-7.2p2-restrict_pkcs11-modules.patch]
- Prevent possible leaks of host private keys to low-privilege
  process handling authentication
  (CVE-2016-10011, bsc#1016369)
  [openssh-7.2p2-prevent_private_key_leakage.patch]
- Do not allow unix socket forwarding when running without
  privilege separation
  (CVE-2016-10010, bsc#1016368)
  [openssh-7.2p2-secure_unix_sockets_forwarding.patch]
- prevent resource depletion during key exchange
  (bsc#1005480, CVE-2016-8858)
  [openssh-7.2p2-kex_resource_depletion.patch]

OBS-URL: https://build.opensuse.org/request/show/500279
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=117
2017-05-31 23:09:14 +00:00
Petr Cerny
6c861e0b33 Accepting request 433779 from home:pcerny:factory
- remaining patches that were still missing
  since the update to 7.2p2 (FATE#319675):
  [openssh-7.2p2-disable_openssl_abi_check.patch]
- fix forwarding with IPv6 addresses in DISPLAY (bnc#847710)
  [openssh-7.2p2-IPv6_X_forwarding.patch]
- ignore PAM environment when using login
  (bsc#975865, CVE-2015-8325)
  [openssh-7.2p2-ignore_PAM_with_UseLogin.patch]
- limit accepted password length (prevents possible DoS)
  (bsc#992533, CVE-2016-6515)
  [openssh-7.2p2-limit_password_length.patch]
- Prevent user enumeration through the timing of password
  processing (bsc#989363, CVE-2016-6210)
  [openssh-7.2p2-prevent_timing_user_enumeration.patch]
- Add auditing for PRNG re-seeding
  [openssh-7.2p2-audit_seed_prng.patch]

OBS-URL: https://build.opensuse.org/request/show/433779
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=113
2016-10-07 15:57:29 +00:00
Petr Cerny
fe873a1c10 Accepting request 432093 from home:pcerny:factory
next round of patches
- allow X forwarding over IPv4 when IPv6 sockets is not available
  [openssh-7.2p2-X_forward_with_disabled_ipv6.patch]
- do not write PID file when not daemonizing
  [openssh-7.2p2-no_fork-no_pid_file.patch]
- use correct options when invoking login
  [openssh-7.2p2-login_options.patch]
- helper application for retrieving users' public keys from
  an LDAP server
  [openssh-7.2p2-ldap.patch]
- allow forcing permissions over sftp
  [openssh-7.2p2-sftp_force_permissions.patch]
- do not perform run-time checks for OpenSSL API/ABI change
  [openssh-7.2p2-disable-openssl-abi-check.patch]
- suggest commands for cleaning known hosts file
  [openssh-7.2p2-host_ident.patch]
- sftp home chroot patch
  [openssh-7.2p2-sftp_homechroot.patch]
- ssh sessions auditing
  [openssh-7.2p2-audit.patch]
- enable seccomp sandbox on additional architectures
  [openssh-7.2p2-additional_seccomp_archs.patch]

OBS-URL: https://build.opensuse.org/request/show/432093
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=112
2016-09-30 20:34:19 +00:00
Petr Cerny
6dac324cb7 Accepting request 407066 from home:pcerny:factory
- enable support for SSHv1 protocol and discourage its usage
  (bsc#983307)
- enable DSA by default for backward compatibility and discourage
  its usage (bsc#983784)
  [openssh-7.2p2-allow_DSS_by_default.patch]

- upgrade to 7.2p2
  upstream package without any SUSE patches
  Distilled upstream log:
- OpenSSH 6.7
  Potentially-incompatible changes:
  * sshd(8): The default set of ciphers and MACs has been
    altered to remove unsafe algorithms. In particular, CBC
    ciphers and arcfour* are disabled by default.
    The full set of algorithms remains available if configured
    explicitly via the Ciphers and MACs sshd_config options.
  * sshd(8): Support for tcpwrappers/libwrap has been removed.
  * OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of
    connections using the curve25519-sha256@libssh.org KEX
    exchange method to fail when connecting with something that
    implements the specification correctly. OpenSSH 6.7 disables
    this KEX method when speaking to one of the affected
    versions.
  New Features:
  * ssh(1), sshd(8): Add support for Unix domain socket
    forwarding. A remote TCP port may be forwarded to a local
    Unix domain socket and vice versa or both ends may be a Unix
    domain socket.
  * ssh(1), ssh-keygen(1): Add support for SSHFP DNS records for
    ED25519 key types.

OBS-URL: https://build.opensuse.org/request/show/407066
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=107
2016-07-07 07:07:23 +00:00
Petr Cerny
5093e42eaa Accepting request 398802 from home:pcerny:factory
- upgrade to 7.2p2

- changing license to 2-clause BSD to match source

- enable trusted X11 forwarding by default
  [-X11_trusted_forwarding]
- set UID for lastlog properly [-lastlog]
- enable use of PAM by default [-enable_PAM_by_default]
- copy command line arguments properly [-saveargv-fix]
- do not use pthreads in PAM code [-dont_use_pthreads_in_PAM]
- fix paths in documentation [-eal3]
- prevent race consitions triggered by SIGALRM [-blocksigalrm]
- do send and accept locale environment variables by default
  [-send_locale]
- handle hostnames changes during X forwarding
  [-hostname_changes_when_forwarding_X]
- try to remove xauth cookies on exit
  [-remove_xauth_cookies_on_exit]
- properly format pts names for ?tmp? log files
  [-pts_names_formatting]
- check locked accounts when using PAM [-pam_check_locks]
- chenge default PermitRootLogin to 'yes' to prevent unwanted
  surprises on updates from older versions.
  See README.SUSE for details
  [-allow_root_password_login]
- Disable DH parameters under 2048 bits by default and allow
  lowering the limit back to the RFC 4419 specified minimum
  through an option (bsc#932483, bsc#948902)
  [-disable_short_DH_parameters]
- Add getuid() and stat() syscalls to the seccomp filter

OBS-URL: https://build.opensuse.org/request/show/398802
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=103
2016-05-30 01:36:18 +00:00