openssh

pool/openssh

SHA256

Fork 1

Commit Graph

Author	SHA256	Message	Date
Hans Petter Jansson	b3ff99ae3c	Accepting request 1150500 from home:hpjansson:branches:network - Update to openssh 9.6p1: * No changes for askpass, see main package changelog for details. - Update to openssh 9.6p1: = Security * ssh(1), sshd(8): implement protocol extensions to thwart the so-called "Terrapin attack" discovered by Fabian Bäumer, Marcus Brinkmann and Jörg Schwenk. This attack allows a MITM to effect a limited break of the integrity of the early encrypted SSH transport protocol by sending extra messages prior to the commencement of encryption, and deleting an equal number of consecutive messages immediately after encryption starts. A peer SSH client/server would not be able to detect that messages were deleted. * ssh-agent(1): when adding PKCS#11-hosted private keys while specifying destination constraints, if the PKCS#11 token returned multiple keys then only the first key had the constraints applied. Use of regular private keys, FIDO tokens and unconstrained keys are unaffected. * ssh(1): if an invalid user or hostname that contained shell metacharacters was passed to ssh(1), and a ProxyCommand, LocalCommand directive or "match exec" predicate referenced the user or hostname via %u, %h or similar expansion token, then an attacker who could supply arbitrary user/hostnames to ssh(1) could potentially perform command injection depending on what quoting was present in the user-supplied ssh_config(5) directive. = Potentially incompatible changes * ssh(1), sshd(8): the RFC4254 connection/channels protocol provides a TCP-like window mechanism that limits the amount of data that can be sent without acceptance from the peer. In cases where this OBS-URL: https://build.opensuse.org/request/show/1150500 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=255	2024-02-25 18:43:17 +00:00
Hans Petter Jansson	74e20db9ed	Accepting request 1123220 from home:jsegitz:branches:network - Enhanced SELinux functionality. Added Fedora patches: * openssh-7.8p1-role-mls.patch Proper handling of MLS systems and basis for other SELinux improvements * openssh-6.6p1-privsep-selinux.patch Properly set contexts during privilege separation * openssh-6.6p1-keycat.patch Add ssh-keycat command to allow retrival of authorized_keys on MLS setups with polyinstantiation * openssh-6.6.1p1-selinux-contexts.patch Additional changes to set the proper context during privilege separation * openssh-7.6p1-cleanup-selinux.patch Various changes and putting the pieces together For now we don't ship the ssh-keycat command, but we need the patch for the other SELinux infrastructure This change fixes issues like bsc#1214788, where the ssh daemon needs to act on behalf of a user and needs a proper context for this OBS-URL: https://build.opensuse.org/request/show/1123220 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=252	2023-11-28 16:35:34 +00:00

Author

SHA256

Message

Date

Hans Petter Jansson

b3ff99ae3c

Accepting request 1150500 from home:hpjansson:branches:network

- Update to openssh 9.6p1:
  * No changes for askpass, see main package changelog for
    details.

- Update to openssh 9.6p1:
  = Security
  * ssh(1), sshd(8): implement protocol extensions to thwart the
    so-called "Terrapin attack" discovered by Fabian Bäumer, Marcus
    Brinkmann and Jörg Schwenk. This attack allows a MITM to effect a
    limited break of the integrity of the early encrypted SSH transport
    protocol by sending extra messages prior to the commencement of
    encryption, and deleting an equal number of consecutive messages
    immediately after encryption starts. A peer SSH client/server
    would not be able to detect that messages were deleted.
  * ssh-agent(1): when adding PKCS#11-hosted private keys while
    specifying destination constraints, if the PKCS#11 token returned
    multiple keys then only the first key had the constraints applied.
    Use of regular private keys, FIDO tokens and unconstrained keys
    are unaffected.
  * ssh(1): if an invalid user or hostname that contained shell
    metacharacters was passed to ssh(1), and a ProxyCommand,
    LocalCommand directive or "match exec" predicate referenced the
    user or hostname via %u, %h or similar expansion token, then
    an attacker who could supply arbitrary user/hostnames to ssh(1)
    could potentially perform command injection depending on what
    quoting was present in the user-supplied ssh_config(5) directive.
  = Potentially incompatible changes
  * ssh(1), sshd(8): the RFC4254 connection/channels protocol provides
    a TCP-like window mechanism that limits the amount of data that
    can be sent without acceptance from the peer. In cases where this

OBS-URL: https://build.opensuse.org/request/show/1150500
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=255

2024-02-25 18:43:17 +00:00

Hans Petter Jansson

74e20db9ed

Accepting request 1123220 from home:jsegitz:branches:network

- Enhanced SELinux functionality. Added Fedora patches:
  * openssh-7.8p1-role-mls.patch
    Proper handling of MLS systems and basis for other SELinux
    improvements
  * openssh-6.6p1-privsep-selinux.patch
    Properly set contexts during privilege separation
  * openssh-6.6p1-keycat.patch
    Add ssh-keycat command to allow retrival of authorized_keys
    on MLS setups with polyinstantiation
  * openssh-6.6.1p1-selinux-contexts.patch
    Additional changes to set the proper context during privilege 
    separation
  * openssh-7.6p1-cleanup-selinux.patch
    Various changes and putting the pieces together
  For now we don't ship the ssh-keycat command, but we need the patch
  for the other SELinux infrastructure
  This change fixes issues like bsc#1214788, where the ssh daemon 
  needs to act on behalf of a user and needs a proper context for this

OBS-URL: https://build.opensuse.org/request/show/1123220
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=252

2023-11-28 16:35:34 +00:00

2 Commits