- upgrade to 7.6p1
see main package changelog for details
- Replace references to /var/adm/fillup-templates with new
%_fillupdir macro (boo#1069468)
- Update to vanilla 7.6p1
Most important changes (more details below):
* complete removal of the ancient SSHv1 protocol
* sshd(8) cannot run without privilege separation
* removal of suport for arcfourm blowfish and CAST ciphers
and RIPE-MD160 HMAC
* refuse RSA keys shorter than 1024 bits
Distilled upstream log:
- OpenSSH 7.3
---- Security
* sshd(8): Mitigate a potential denial-of-service attack
against the system's crypt(3) function via sshd(8). An
attacker could send very long passwords that would cause
excessive CPU use in crypt(3). sshd(8) now refuses to accept
password authentication requests of length greater than 1024
characters. Independently reported by Tomas Kuthan (Oracle),
Andres Rojas and Javier Nieto.
* sshd(8): Mitigate timing differences in password
authentication that could be used to discern valid from
invalid account names when long passwords were sent and
particular password hashing algorithms are in use on the
server. CVE-2016-6210, reported by EddieEzra.Harari at
verint.com
* ssh(1), sshd(8): Fix observable timing weakness in the CBC
OBS-URL: https://build.opensuse.org/request/show/551548
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=127
- upgrade to 7.2p2
- changing license to 2-clause BSD to match source
- enable trusted X11 forwarding by default
[-X11_trusted_forwarding]
- set UID for lastlog properly [-lastlog]
- enable use of PAM by default [-enable_PAM_by_default]
- copy command line arguments properly [-saveargv-fix]
- do not use pthreads in PAM code [-dont_use_pthreads_in_PAM]
- fix paths in documentation [-eal3]
- prevent race consitions triggered by SIGALRM [-blocksigalrm]
- do send and accept locale environment variables by default
[-send_locale]
- handle hostnames changes during X forwarding
[-hostname_changes_when_forwarding_X]
- try to remove xauth cookies on exit
[-remove_xauth_cookies_on_exit]
- properly format pts names for ?tmp? log files
[-pts_names_formatting]
- check locked accounts when using PAM [-pam_check_locks]
- chenge default PermitRootLogin to 'yes' to prevent unwanted
surprises on updates from older versions.
See README.SUSE for details
[-allow_root_password_login]
- Disable DH parameters under 2048 bits by default and allow
lowering the limit back to the RFC 4419 specified minimum
through an option (bsc#932483, bsc#948902)
[-disable_short_DH_parameters]
- Add getuid() and stat() syscalls to the seccomp filter
OBS-URL: https://build.opensuse.org/request/show/398802
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=103