Commit Graph

198 Commits

Author SHA256 Message Date
Dominique Leuenberger
adf0854dff Accepting request 583081 from network
- add OpenSSL 1.0 to 1.1 shim to remove dependency on old OpenSSL
  (update tracker: bsc#1080779)

OBS-URL: https://build.opensuse.org/request/show/583081
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=115
2018-03-08 09:54:05 +00:00
01100ac5fc OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=138 2018-03-05 16:42:43 +00:00
f82cf6b5da (update tracker: bsc#1080779)
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=137
2018-03-05 16:40:33 +00:00
Petr Cerny
0a67e4f87e Accepting request 575957 from home:pcerny:factory
- add OpenSSL 1.0 to 1.1 shim to remove dependency on old OpenSSL

OBS-URL: https://build.opensuse.org/request/show/575957
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=136
2018-02-12 23:48:52 +00:00
Dominique Leuenberger
5a5ff32c7e Accepting request 571577 from network
- .spec file cleanup

- upgrade to 7.6p1
  see main package changelog for details

- Add missing crypto hardware enablement patches for IBM mainframes
  (FATE#323902)

- add missing part of systemd integration (unit type) (forwarded request 571576 from pcerny)

OBS-URL: https://build.opensuse.org/request/show/571577
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=114
2018-02-02 21:19:52 +00:00
Petr Cerny
183de6e669 Accepting request 571576 from home:pcerny:factory
- .spec file cleanup

- upgrade to 7.6p1
  see main package changelog for details

- Add missing crypto hardware enablement patches for IBM mainframes
  (FATE#323902)

- add missing part of systemd integration (unit type)

OBS-URL: https://build.opensuse.org/request/show/571576
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=134
2018-02-01 00:18:29 +00:00
Dominique Leuenberger
3515cf0083 Accepting request 567941 from network
OBS-URL: https://build.opensuse.org/request/show/567941
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=113
2018-01-22 14:56:41 +00:00
OBS User mrdocs
2baed0da9e Accepting request 566484 from home:dimstar:Factory
- BuildRequire pkgconfig(libsystemd) instead of systemd-devel:
  allow the scheduler to pick systemd-mini flavors to get build
  going.


I shortened the diff, to have less conversation topics - this part should be undisputed

OBS-URL: https://build.opensuse.org/request/show/566484
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=132
2018-01-21 05:39:42 +00:00
Dominique Leuenberger
97dc338ae5 Accepting request 563834 from network
- Replace forgotten references to /var/adm/fillup-templates
  with new %_fillupdir macro (boo#1069468)
- tighten configuration access rights (forwarded request 563833 from pcerny)

OBS-URL: https://build.opensuse.org/request/show/563834
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=112
2018-01-16 08:41:33 +00:00
Petr Cerny
d8a13def71 Accepting request 563833 from home:pcerny:factory
- Replace forgotten references to /var/adm/fillup-templates
  with new %_fillupdir macro (boo#1069468)
- tighten configuration access rights

OBS-URL: https://build.opensuse.org/request/show/563833
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=130
2018-01-12 12:57:27 +00:00
Petr Cerny
13e1fadf84 Accepting request 563725 from home:pcerny:factory
reworking packaging, gssapi kex patch

OBS-URL: https://build.opensuse.org/request/show/563725
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=129
2018-01-12 00:48:48 +00:00
Petr Cerny
a03a137de1 Accepting request 563724 from home:pcerny:factory
reworking packaging, gssapi kex patch

OBS-URL: https://build.opensuse.org/request/show/563724
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=128
2018-01-12 00:42:53 +00:00
Petr Cerny
b813991fe5 Accepting request 551548 from home:pcerny:factory
- upgrade to 7.6p1
  see main package changelog for details

- Replace references to /var/adm/fillup-templates with new 
  %_fillupdir macro (boo#1069468)

- Update to vanilla 7.6p1
  Most important changes (more details below):
  * complete removal of the ancient SSHv1 protocol
  * sshd(8) cannot run without privilege separation
  * removal of suport for arcfourm blowfish and CAST ciphers
    and RIPE-MD160 HMAC
  * refuse RSA keys shorter than 1024 bits
  Distilled upstream log:
- OpenSSH 7.3
  ---- Security
  * sshd(8): Mitigate a potential denial-of-service attack
    against the system's crypt(3) function via sshd(8). An
    attacker could send very long passwords that would cause
    excessive CPU use in crypt(3). sshd(8) now refuses to accept
    password authentication requests of length greater than 1024
    characters. Independently reported by Tomas Kuthan (Oracle),
    Andres Rojas and Javier Nieto.
  * sshd(8): Mitigate timing differences in password
    authentication that could be used to discern valid from
    invalid account names when long passwords were sent and
    particular password hashing algorithms are in use on the
    server. CVE-2016-6210, reported by EddieEzra.Harari at
    verint.com
  * ssh(1), sshd(8): Fix observable timing weakness in the CBC

OBS-URL: https://build.opensuse.org/request/show/551548
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=127
2017-12-05 12:47:07 +00:00
Petr Cerny
ad9209ae06 Accepting request 547285 from home:pcerny:factory-temp
temporarily downgrading to 7.2p2 to run tests on additional 7.2p2 patches

OBS-URL: https://build.opensuse.org/request/show/547285
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=126
2017-12-01 22:12:05 +00:00
Petr Cerny
09d123e96c Accepting request 547161 from home:pcerny:factory
temporarily downgrading to 7.2p2 to run tests on additional 7.2p2 patches

OBS-URL: https://build.opensuse.org/request/show/547161
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=125
2017-12-01 15:46:07 +00:00
Petr Cerny
56e0af8154 Accepting request 547144 from home:pcerny:factory
temporarily downgrading to 7.2p2 to run tests on additional 7.2p2 patches

OBS-URL: https://build.opensuse.org/request/show/547144
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=124
2017-12-01 15:03:13 +00:00
3a77b6ed2a Accepting request 544667 from home:RBrownSUSE:branches:network
Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)

OBS-URL: https://build.opensuse.org/request/show/544667
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=123
2017-11-24 10:22:32 +00:00
Petr Cerny
d83100ae13 Accepting request 539322 from home:pcerny:factory
- upgrade to 7.6p1
  see main package changelog for details

- Update to vanilla 7.6p1
  Most important changes (more details below):
  * complete removal of the ancient SSHv1 protocol
  * sshd(8) cannot run without privilege separation
  * removal of suport for arcfourm blowfish and CAST ciphers
    and RIPE-MD160 HMAC
  * refuse RSA keys shorter than 1024 bits
  Distilled upstream log:
- OpenSSH 7.3
  ---- Security
  * sshd(8): Mitigate a potential denial-of-service attack
    against the system's crypt(3) function via sshd(8). An
    attacker could send very long passwords that would cause
    excessive CPU use in crypt(3). sshd(8) now refuses to accept
    password authentication requests of length greater than 1024
    characters. Independently reported by Tomas Kuthan (Oracle),
    Andres Rojas and Javier Nieto.
  * sshd(8): Mitigate timing differences in password
    authentication that could be used to discern valid from
    invalid account names when long passwords were sent and
    particular password hashing algorithms are in use on the
    server. CVE-2016-6210, reported by EddieEzra.Harari at
    verint.com
  * ssh(1), sshd(8): Fix observable timing weakness in the CBC
    padding oracle countermeasures. Reported by Jean Paul
    Degabriele, Kenny Paterson, Torben Hansen and Martin
    Albrecht. Note that CBC ciphers are disabled by default and

OBS-URL: https://build.opensuse.org/request/show/539322
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=122
2017-11-06 14:50:53 +00:00
Dominique Leuenberger
b071b0b1fc Accepting request 536831 from network
1

OBS-URL: https://build.opensuse.org/request/show/536831
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=111
2017-10-28 12:20:45 +00:00
c84af5da00 Accepting request 536578 from home:jsegitz:branches:network
- sshd_config is has now permissions 0600 in secure mode

OBS-URL: https://build.opensuse.org/request/show/536578
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=120
2017-10-26 10:23:16 +00:00
Dominique Leuenberger
e2b87ac074 Accepting request 500282 from network
- require OpenSSL < 1.1 where that one is a default (forwarded request 500281 from pcerny)

OBS-URL: https://build.opensuse.org/request/show/500282
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=110
2017-06-03 23:48:33 +00:00
Petr Cerny
a1a66bf54b Accepting request 500281 from home:pcerny:factory
- require OpenSSL < 1.1 where that one is a default

OBS-URL: https://build.opensuse.org/request/show/500281
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=118
2017-05-31 23:14:37 +00:00
Petr Cerny
e8b9919265 Accepting request 500279 from home:pcerny:factory
- Fix preauth seccomp separation on mainframes (bsc#1016709)
  [openssh-7.2p2-s390_hw_crypto_syscalls.patch]
  [openssh-7.2p2-s390_OpenSSL-ibmpkcs11_syscalls.patch]
- enable case-insensitive hostname matching (bsc#1017099)
  [openssh-7.2p2-ssh_case_insensitive_host_matching.patch]
- add CAVS tests 
  [openssh-7.2p2-cavstest-ctr.patch]
  [openssh-7.2p2-cavstest-kdf.patch]
- Adding missing pieces for user matching (bsc#1021626)
- Properly verify CIDR masks in configuration
  (bsc#1005893)
  [openssh-7.2p2-verify_CIDR_address_ranges.patch]
- Remove pre-auth compression support from the server to prevent
  possible cryptographic attacks.
  (CVE-2016-10012, bsc#1016370)
  [openssh-7.2p2-disable_preauth_compression.patch]
- limit directories for loading PKCS11 modules
  (CVE-2016-10009, bsc#1016366)
  [openssh-7.2p2-restrict_pkcs11-modules.patch]
- Prevent possible leaks of host private keys to low-privilege
  process handling authentication
  (CVE-2016-10011, bsc#1016369)
  [openssh-7.2p2-prevent_private_key_leakage.patch]
- Do not allow unix socket forwarding when running without
  privilege separation
  (CVE-2016-10010, bsc#1016368)
  [openssh-7.2p2-secure_unix_sockets_forwarding.patch]
- prevent resource depletion during key exchange
  (bsc#1005480, CVE-2016-8858)
  [openssh-7.2p2-kex_resource_depletion.patch]

OBS-URL: https://build.opensuse.org/request/show/500279
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=117
2017-05-31 23:09:14 +00:00
Dominique Leuenberger
1c742905ef Accepting request 461303 from network
1

OBS-URL: https://build.opensuse.org/request/show/461303
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=109
2017-03-05 16:55:20 +00:00
5829a44f01 Accepting request 459897 from home:elvigia:branches:network
- sshd.service: Set TasksMax=infinity, as there should be
  no limit on the amount of tasks sshd can run.

OBS-URL: https://build.opensuse.org/request/show/459897
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=115
2017-03-01 11:01:26 +00:00
Dominique Leuenberger
81b879f76f Accepting request 433780 from network
- remaining patches that were still missing
  since the update to 7.2p2 (FATE#319675):
  [openssh-7.2p2-disable_openssl_abi_check.patch]
- fix forwarding with IPv6 addresses in DISPLAY (bnc#847710)
  [openssh-7.2p2-IPv6_X_forwarding.patch]
- ignore PAM environment when using login
  (bsc#975865, CVE-2015-8325)
  [openssh-7.2p2-ignore_PAM_with_UseLogin.patch]
- limit accepted password length (prevents possible DoS)
  (bsc#992533, CVE-2016-6515)
  [openssh-7.2p2-limit_password_length.patch]
- Prevent user enumeration through the timing of password
  processing (bsc#989363, CVE-2016-6210)
  [openssh-7.2p2-prevent_timing_user_enumeration.patch]
- Add auditing for PRNG re-seeding
  [openssh-7.2p2-audit_seed_prng.patch] (forwarded request 433779 from pcerny)

OBS-URL: https://build.opensuse.org/request/show/433780
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=108
2016-10-10 15:35:10 +00:00
Petr Cerny
6c861e0b33 Accepting request 433779 from home:pcerny:factory
- remaining patches that were still missing
  since the update to 7.2p2 (FATE#319675):
  [openssh-7.2p2-disable_openssl_abi_check.patch]
- fix forwarding with IPv6 addresses in DISPLAY (bnc#847710)
  [openssh-7.2p2-IPv6_X_forwarding.patch]
- ignore PAM environment when using login
  (bsc#975865, CVE-2015-8325)
  [openssh-7.2p2-ignore_PAM_with_UseLogin.patch]
- limit accepted password length (prevents possible DoS)
  (bsc#992533, CVE-2016-6515)
  [openssh-7.2p2-limit_password_length.patch]
- Prevent user enumeration through the timing of password
  processing (bsc#989363, CVE-2016-6210)
  [openssh-7.2p2-prevent_timing_user_enumeration.patch]
- Add auditing for PRNG re-seeding
  [openssh-7.2p2-audit_seed_prng.patch]

OBS-URL: https://build.opensuse.org/request/show/433779
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=113
2016-10-07 15:57:29 +00:00
Petr Cerny
fe873a1c10 Accepting request 432093 from home:pcerny:factory
next round of patches
- allow X forwarding over IPv4 when IPv6 sockets is not available
  [openssh-7.2p2-X_forward_with_disabled_ipv6.patch]
- do not write PID file when not daemonizing
  [openssh-7.2p2-no_fork-no_pid_file.patch]
- use correct options when invoking login
  [openssh-7.2p2-login_options.patch]
- helper application for retrieving users' public keys from
  an LDAP server
  [openssh-7.2p2-ldap.patch]
- allow forcing permissions over sftp
  [openssh-7.2p2-sftp_force_permissions.patch]
- do not perform run-time checks for OpenSSL API/ABI change
  [openssh-7.2p2-disable-openssl-abi-check.patch]
- suggest commands for cleaning known hosts file
  [openssh-7.2p2-host_ident.patch]
- sftp home chroot patch
  [openssh-7.2p2-sftp_homechroot.patch]
- ssh sessions auditing
  [openssh-7.2p2-audit.patch]
- enable seccomp sandbox on additional architectures
  [openssh-7.2p2-additional_seccomp_archs.patch]

OBS-URL: https://build.opensuse.org/request/show/432093
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=112
2016-09-30 20:34:19 +00:00
Dominique Leuenberger
32cb5a3260 Accepting request 428545 from network
- FIPS compatibility (no selfchecks, only crypto restrictions)
  [openssh-7.2p2-fips.patch]
- PRNG re-seeding
  [openssh-7.2p2-seed-prng.patch]
- preliminary version of GSSAPI KEX
  [openssh-7.2p2-gssapi_key_exchange.patch] (forwarded request 428544 from pcerny)

OBS-URL: https://build.opensuse.org/request/show/428545
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=107
2016-09-27 11:40:59 +00:00
Petr Cerny
e0d7fb0744 Accepting request 428544 from home:pcerny:factory
- FIPS compatibility (no selfchecks, only crypto restrictions)
  [openssh-7.2p2-fips.patch]
- PRNG re-seeding
  [openssh-7.2p2-seed-prng.patch]
- preliminary version of GSSAPI KEX
  [openssh-7.2p2-gssapi_key_exchange.patch]

OBS-URL: https://build.opensuse.org/request/show/428544
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=110
2016-09-18 23:04:18 +00:00
Dominique Leuenberger
7ac008cd87 Accepting request 415094 from network
- fixed url

- upgrade to 7.2p2

- changing license to 2-clause BSD to match source

- added gpg signature 

- enable support for SSHv1 protocol and discourage its usage
  (bsc#983307)
- enable DSA by default for backward compatibility and discourage
  its usage (bsc#983784)
  [openssh-7.2p2-allow_DSS_by_default.patch]

- enable trusted X11 forwarding by default
  [openssh-7.2p2-X11_trusted_forwarding.patch]
- set UID for lastlog properly 
  [openssh-7.2p2-lastlog.patch]
- enable use of PAM by default 
  [openssh-7.2p2-enable_PAM_by_default.patch]
- copy command line arguments properly 
  [openssh-7.2p2-saveargv-fix.patch]
- do not use pthreads in PAM code 
  [openssh-7.2p2-dont_use_pthreads_in_PAM.patch]
- fix paths in documentation 
  [openssh-7.2p2-eal3.patch]
- prevent race consitions triggered by SIGALRM 
  [openssh-7.2p2-blocksigalrm.patch]
- do send and accept locale environment variables by default
  [openssh-7.2p2-send_locale.patch]

OBS-URL: https://build.opensuse.org/request/show/415094
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=106
2016-07-28 21:45:11 +00:00
a412ed9d8d - fixed url, added gpg signature
- added gpg signature and keyring from 
  http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh_gzsig_key.pub

OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=108
2016-07-25 13:47:29 +00:00
Petr Cerny
6dac324cb7 Accepting request 407066 from home:pcerny:factory
- enable support for SSHv1 protocol and discourage its usage
  (bsc#983307)
- enable DSA by default for backward compatibility and discourage
  its usage (bsc#983784)
  [openssh-7.2p2-allow_DSS_by_default.patch]

- upgrade to 7.2p2
  upstream package without any SUSE patches
  Distilled upstream log:
- OpenSSH 6.7
  Potentially-incompatible changes:
  * sshd(8): The default set of ciphers and MACs has been
    altered to remove unsafe algorithms. In particular, CBC
    ciphers and arcfour* are disabled by default.
    The full set of algorithms remains available if configured
    explicitly via the Ciphers and MACs sshd_config options.
  * sshd(8): Support for tcpwrappers/libwrap has been removed.
  * OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of
    connections using the curve25519-sha256@libssh.org KEX
    exchange method to fail when connecting with something that
    implements the specification correctly. OpenSSH 6.7 disables
    this KEX method when speaking to one of the affected
    versions.
  New Features:
  * ssh(1), sshd(8): Add support for Unix domain socket
    forwarding. A remote TCP port may be forwarded to a local
    Unix domain socket and vice versa or both ends may be a Unix
    domain socket.
  * ssh(1), ssh-keygen(1): Add support for SSHFP DNS records for
    ED25519 key types.

OBS-URL: https://build.opensuse.org/request/show/407066
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=107
2016-07-07 07:07:23 +00:00
Petr Cerny
b22c39e677 Accepting request 398992 from home:pcerny:factory
OBS-URL: https://build.opensuse.org/request/show/398992
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=106
2016-05-30 15:53:09 +00:00
Petr Cerny
ea9f2c011c Accepting request 398922 from home:pcerny:factory
(removing patches from previous version:
  * CVE-2016-0777_CVE-2016-0778.patch
  * openssh-6.6p1-X11-forwarding.patch
  * openssh-6.6p1-X_forward_with_disabled_ipv6.patch
  * openssh-6.6p1-audit1-remove_duplicit_audit.patch
  * openssh-6.6p1-audit2-better_audit_of_user_actions.patch
  * openssh-6.6p1-audit3-key_auth_usage-fips.patch
  * openssh-6.6p1-audit3-key_auth_usage.patch
  * openssh-6.6p1-audit4-kex_results-fips.patch
  * openssh-6.6p1-audit4-kex_results.patch
  * openssh-6.6p1-audit5-session_key_destruction.patch
  * openssh-6.6p1-audit6-server_key_destruction.patch
  * openssh-6.6p1-audit7-libaudit_compat.patch
  * openssh-6.6p1-audit8-libaudit_dns_timeouts.patch
  * openssh-6.6p1-blocksigalrm.patch
  * openssh-6.6p1-curve25519-6.6.1p1.patch
  * openssh-6.6p1-default-protocol.patch
  * openssh-6.6p1-disable-openssl-abi-check.patch
  * openssh-6.6p1-eal3.patch
  * openssh-6.6p1-fingerprint_hash.patch
  * openssh-6.6p1-fips-checks.patch
  * openssh-6.6p1-fips.patch
  * openssh-6.6p1-gssapi_key_exchange.patch
  * openssh-6.6p1-gssapimitm.patch
  * openssh-6.6p1-host_ident.patch
  * openssh-6.6p1-key-converter.patch
  * openssh-6.6p1-lastlog.patch
  * openssh-6.6p1-ldap.patch
  * openssh-6.6p1-login_options.patch
  * openssh-6.6p1-no_fork-no_pid_file.patch

OBS-URL: https://build.opensuse.org/request/show/398922
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=105
2016-05-30 11:00:44 +00:00
Petr Cerny
b006bb4b85 Accepting request 398857 from home:pcerny:factory
[openssh-7.2p2-X11_trusted_forwarding.patch]
- set UID for lastlog properly 
  [openssh-7.2p2-lastlog.patch]
- enable use of PAM by default 
  [openssh-7.2p2-enable_PAM_by_default.patch]
- copy command line arguments properly 
  [openssh-7.2p2-saveargv-fix.patch]
- do not use pthreads in PAM code 
  [openssh-7.2p2-dont_use_pthreads_in_PAM.patch]
- fix paths in documentation 
  [openssh-7.2p2-eal3.patch]
- prevent race consitions triggered by SIGALRM 
  [openssh-7.2p2-blocksigalrm.patch]
  [openssh-7.2p2-send_locale.patch]
  [openssh-7.2p2-hostname_changes_when_forwarding_X.patch]
  [openssh-7.2p2-remove_xauth_cookies_on_exit.patch]
  [openssh-7.2p2-pts_names_formatting.patch]
- check locked accounts when using PAM 
  [openssh-7.2p2-pam_check_locks.patch]
  [openssh-7.2p2-allow_root_password_login.patch]
  [openssh-7.2p2-disable_short_DH_parameters.patch]
  [openssh-7.2p2-seccomp_getuid.patch,
   openssh-7.2p2-seccomp_stat.patch]

OBS-URL: https://build.opensuse.org/request/show/398857
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=104
2016-05-30 08:23:00 +00:00
Petr Cerny
5093e42eaa Accepting request 398802 from home:pcerny:factory
- upgrade to 7.2p2

- changing license to 2-clause BSD to match source

- enable trusted X11 forwarding by default
  [-X11_trusted_forwarding]
- set UID for lastlog properly [-lastlog]
- enable use of PAM by default [-enable_PAM_by_default]
- copy command line arguments properly [-saveargv-fix]
- do not use pthreads in PAM code [-dont_use_pthreads_in_PAM]
- fix paths in documentation [-eal3]
- prevent race consitions triggered by SIGALRM [-blocksigalrm]
- do send and accept locale environment variables by default
  [-send_locale]
- handle hostnames changes during X forwarding
  [-hostname_changes_when_forwarding_X]
- try to remove xauth cookies on exit
  [-remove_xauth_cookies_on_exit]
- properly format pts names for ?tmp? log files
  [-pts_names_formatting]
- check locked accounts when using PAM [-pam_check_locks]
- chenge default PermitRootLogin to 'yes' to prevent unwanted
  surprises on updates from older versions.
  See README.SUSE for details
  [-allow_root_password_login]
- Disable DH parameters under 2048 bits by default and allow
  lowering the limit back to the RFC 4419 specified minimum
  through an option (bsc#932483, bsc#948902)
  [-disable_short_DH_parameters]
- Add getuid() and stat() syscalls to the seccomp filter

OBS-URL: https://build.opensuse.org/request/show/398802
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=103
2016-05-30 01:36:18 +00:00
Dominique Leuenberger
7c21c564dc Accepting request 392910 from network
fix broken seccomp sandbox (forwarded request 392909 from pcerny)

OBS-URL: https://build.opensuse.org/request/show/392910
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=105
2016-05-05 11:18:08 +00:00
Petr Cerny
252ed8ae18 Accepting request 392909 from home:pcerny:factory
fix broken seccomp sandbox

OBS-URL: https://build.opensuse.org/request/show/392909
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=101
2016-04-29 16:34:58 +00:00
Dominique Leuenberger
7f9fe1884f Accepting request 386262 from network
1

OBS-URL: https://build.opensuse.org/request/show/386262
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=104
2016-04-12 16:59:51 +00:00
6045514505 Accepting request 385260 from home:kukuk:branches:network
- openssh-6.6p1-ldap.patch: replace TRUE/FALSE with 1/0, since
  this defines did come via an indirect header inclusion and are
  not everywhere defined.

OBS-URL: https://build.opensuse.org/request/show/385260
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=99
2016-04-08 12:39:18 +00:00
13651d3d21 restore factory state, so we can fix bugs.
old stuff is still in the old revisions

OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=98
2016-04-06 11:34:51 +00:00
Petr Cerny
c818e705ca bothed update, DO NOT TOUCH UNITL PROPERLY REVIEWED
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=97
2016-02-17 19:00:04 +00:00
Petr Cerny
b83f96744f Accepting request 358392 from home:elvigia:branches:network
- openssh-alloc_size.patch: anotate xmalloc.h with alloc_size
 attribute so the compiler knows these functions allocate memory
 so overflow or misuse can be detected sooner.
- openssh-allow_getrandom.patch; allow the getrandom(2) system
  call in the seccomp sandbox, upstream commit 26ad18247213
- openssh-fix-b64_xx-detection.patch: configure.ac has incorrect
  tests for b64_ntop, b64_pton on linux/glibc.

OBS-URL: https://build.opensuse.org/request/show/358392
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=96
2016-02-10 15:40:35 +00:00
Ismail Dönmez
642f5e8889 Accepting request 354941 from home:scarabeus_iv:branches:network
- Cleanup with spec-cleaner
- Update of the master OpenSSH to 7.1p2

- Take refreshed and updated audit patch from redhat
  * Remove our old patches:
    + openssh-6.6p1-audit1-remove_duplicit_audit.patch
    + openssh-6.6p1-audit2-better_audit_of_user_actions.patch
    + openssh-6.6p1-audit3-key_auth_usage-fips.patch
    + openssh-6.6p1-audit3-key_auth_usage.patch
    + openssh-6.6p1-audit4-kex_results-fips.patch
    + openssh-6.6p1-audit4-kex_results.patch
    + openssh-6.6p1-audit5-session_key_destruction.patch
    + openssh-6.6p1-audit6-server_key_destruction.patch
    + openssh-6.6p1-audit7-libaudit_compat.patch
    + openssh-6.6p1-audit8-libaudit_dns_timeouts.patch
  * add openssh-6.7p1-audit.patch
- Reenable the openssh-6.6p1-ldap.patch
- Update the fips patch from RH build openssh-6.6p1-fips.patch
- Update and refresh openssh-6.6p1-gssapi_key_exchange.patch
- Remove fips-check patch as it is merged to fips patch
  * openssh-6.6p1-fips-checks.patch
- Rebase and enable chroot patch:
  * openssh-6.6p1-sftp_homechroot.patch
- Reenable rebased patch for linux seed:
  * openssh-6.6p1-seed-prng.patch
- Reenable key converting patch:
  * openssh-6.6p1-key-converter.patch

- Version update to 7.1p2:
  * various upstream bugfixes and cleanups

OBS-URL: https://build.opensuse.org/request/show/354941
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=95
2016-01-21 07:28:30 +00:00
Dominique Leuenberger
52f32e2ae4 Accepting request 353732 from network
1

OBS-URL: https://build.opensuse.org/request/show/353732
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=103
2016-01-16 10:55:44 +00:00
Ismail Dönmez
1c5ff2cc6c Accepting request 353717 from home:AndreasStieger:branches:network
Security update for OpenSSH
CVE-2016-0777, bsc#961642, CVE-2016-0778, bsc#961645
https://lists.mindrot.org/pipermail/openssh-unix-announce/2016-January/000124.html

OBS-URL: https://build.opensuse.org/request/show/353717
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=93
2016-01-14 16:36:52 +00:00
Dominique Leuenberger
d41fccc195 Accepting request 282346 from network
Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/282346
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=102
2015-01-23 15:19:13 +00:00
d9f8a6a210 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=91 2015-01-12 10:45:13 +00:00
a86956def1 - gpg signature and keyring added.
pub  3200R/6D920D30 2013-12-10 [expires: 2021-01-01]
  uid                            Damien Miller <djm@mindrot.org>
  sub  3200R/672A1105 2013-12-10 [expires: 2021-01-01]

OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=90
2015-01-12 10:35:52 +00:00