Commit Graph

163 Commits

Author SHA256 Message Date
Tomáš Chvátal
2d48f44a64 Accepting request 746672 from home:elvigia:branches:network
- Add openssh-8.1p1-seccomp-clock_nanosleep.patch, allow clock_nanosleep
  glibc master implements multiple functions using that syscall making
  the privsep sandbox kill the preauth process.

OBS-URL: https://build.opensuse.org/request/show/746672
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=201
2019-11-14 15:26:26 +00:00
Tomáš Chvátal
fbcab3da0e Accepting request 738490 from home:hpjansson:branches:network
Add openssh-7.9p1-keygen-preserve-perms.patch (bsc#1150574).
This attempts to preserve the permissions of any existing
known_hosts file when modified by ssh-keygen (for instance,
with -R).

Run 'ssh-keygen -A' on startup only if SSHD_AUTO_KEYGEN="yes"
in /etc/sysconfig/ssh. This is set to "yes" by default, but
can be changed by the system administrator (bsc#1139089).

Add openssh-7.9p1-keygen-preserve-perms.patch (bsc#1150574).
This attempts to preserve the permissions of any existing
known_hosts file when modified by ssh-keygen (for instance,
with -R).

OBS-URL: https://build.opensuse.org/request/show/738490
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=198
2019-10-15 07:47:08 +00:00
Tomáš Chvátal
318211936a Accepting request 737034 from home:hpjansson:branches:network
Version update to 8.1p1:
  * ssh-keygen(1): when acting as a CA and signing certificates with
    an RSA key, default to using the rsa-sha2-512 signature algorithm.
    Certificates signed by RSA keys will therefore be incompatible
    with OpenSSH versions prior to 7.2 unless the default is
    overridden (using "ssh-keygen -t ssh-rsa -s ...").
  * ssh(1): Allow %n to be expanded in ProxyCommand strings
  * ssh(1), sshd(8): Allow prepending a list of algorithms to the
    default set by starting the list with the '^' character, E.g.
    "HostKeyAlgorithms ^ssh-ed25519"
  * ssh-keygen(1): add an experimental lightweight signature and
    verification ability. Signatures may be made using regular ssh keys
    held on disk or stored in a ssh-agent and verified against an
    authorized_keys-like list of allowed keys. Signatures embed a
    namespace that prevents confusion and attacks between different
    usage domains (e.g. files vs email).
  * ssh-keygen(1): print key comment when extracting public key from a
    private key.
  * ssh-keygen(1): accept the verbose flag when searching for host keys
    in known hosts (i.e. "ssh-keygen -vF host") to print the matching
    host's random-art signature too.
  * All: support PKCS8 as an optional format for storage of private
    keys to disk.  The OpenSSH native key format remains the default,
    but PKCS8 is a superior format to PEM if interoperability with
    non-OpenSSH software is required, as it may use a less insecure
    key derivation function than PEM's.
- Additional changes from 8.0p1 release:
  * scp(1): Add "-T" flag to disable client-side filtering of
    server file list.
  * sshd(8): Remove support for obsolete "host/port" syntax.

OBS-URL: https://build.opensuse.org/request/show/737034
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=197
2019-10-10 13:32:50 +00:00
Tomáš Chvátal
9a25e259e6 Accepting request 724531 from home:kukuk:branches:network
- don't install SuSEfirewall2 service on Factory, since SuSEfirewall2
  has been replaced by firewalld, see [1].
  [1]: https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html

OBS-URL: https://build.opensuse.org/request/show/724531
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=195
2019-08-19 09:45:46 +00:00
Hans Petter Jansson
084c35400e Accepting request 717662 from home:Vogtinator:branches:network
- ssh-askpass: Try a fallback if the other option is not available

OBS-URL: https://build.opensuse.org/request/show/717662
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=192
2019-07-22 18:28:13 +00:00
5c0c497eea Accepting request 716585 from home:favogt:branches:network
- Supplement libgtk-3-0 instead to avoid installation on a textmode install
  (boo#1142000)

OBS-URL: https://build.opensuse.org/request/show/716585
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=191
2019-07-22 16:43:06 +00:00
Vítězslav Čížek
d9fe580505 Accepting request 684224 from home:vitezslav_cizek:branches:network
- Fix two race conditions in sshd relating to SIGHUP (bsc#1119183)
  * 0001-upstream-Fix-two-race-conditions-in-sshd-relating-to.patch

OBS-URL: https://build.opensuse.org/request/show/684224
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=184
2019-03-12 10:22:15 +00:00
Tomáš Chvátal
5fcc01190a Accepting request 679869 from home:vitezslav_cizek:branches:network
- Remove the "KexDHMin" config keyword (bsc#1127180)
  It used to allow lowering of the minimal allowed DH group size,
  which was increased to 2048 by upstream in the light of the Logjam
  attack.
  The code was broken since the upgrade to 7.6p1, but nobody noticed.
  As apparently no one needs the functionality any more, let's drop
  the patch.
  It's still possible to use the fixed 1024-bit diffie-hellman-group1-sha1
  key exchange method when working with legacy systems.
- drop openssh-7.7p1-disable_short_DH_parameters.patch
- updated patches:
  openssh-7.7p1-fips.patch
  openssh-7.7p1-fips_checks.patch
  openssh-7.7p1-gssapi_key_exchange.patch

OBS-URL: https://build.opensuse.org/request/show/679869
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=181
2019-02-27 15:39:11 +00:00
Tomáš Chvátal
adae0f9df2 Accepting request 677200 from home:pmonrealgonzalez:branches:network
- Handle brace expansion in scp when checking that filenames sent
  by the server side match what the client requested [bsc#1125687]

OBS-URL: https://build.opensuse.org/request/show/677200
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=178
2019-02-19 08:15:17 +00:00
Tomáš Chvátal
e882225f5d Accepting request 676348 from home:pmonrealgonzalez:branches:network
- Updated security fixes:
  * [bsc#1121816, CVE-2019-6109] Sanitize scp filenames via snmprintf
    and have progressmeter force an update at the beginning and end
    of each transfer. Added patches:
    - openssh-CVE-2019-6109-sanitize-scp-filenames.patch
    - openssh-CVE-2019-6109-force-progressmeter-update.patch
  * [bsc#1121821, CVE-2019-6111] Check in scp client that filenames
    sent during remote->local directory copies satisfy the wildcard
    specified by the user. Added patch:
    - openssh-CVE-2019-6111-scp-client-wildcard.patch
  * Removed openssh-7.9p1-scp-name-validator.patch

OBS-URL: https://build.opensuse.org/request/show/676348
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=177
2019-02-15 09:16:16 +00:00
Tomáš Chvátal
39cce89598 Accepting request 669019 from home:pmonrealgonzalez:branches:network
- Remove old conditionals

  * Mention the change in README.SUSE

OBS-URL: https://build.opensuse.org/request/show/669019
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=173
2019-01-28 10:41:40 +00:00
Tomáš Chvátal
ed403ddfcd Accepting request 668656 from home:pmonrealgonzalez:branches:network
- Move ssh-ldap* man pages into openssh-helpers [bsc#1051531]

- Allow root login by default [bsc#1118114, bsc#1121196]
  * Added/updated previous patch openssh-7.7p1-allow_root_password_login.patch

- Added SLE conditionals in the spec files:
  * Keep gtk2-devel in openssh-askpass-gnome in SLE
  * Keep krb5-mini-devel in SLE
- Removed obsolete configure options:
  * SSH protocol 1 --with-ssh1
  * Smart card --with-opensc
- Cleaned spec file with spec-cleaner

OBS-URL: https://build.opensuse.org/request/show/668656
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=172
2019-01-28 08:02:07 +00:00
Tomáš Chvátal
be528d6e10 Accepting request 666511 from home:pmonrealgonzalez:branches:network
- Security fix:
  * [bsc#1121816, CVE-2019-6109] scp client spoofing via object name
  * [bsc#1121818, CVE-2019-6110] scp client spoofing via stderr
  * [bsc#1121821, CVE-2019-6111] scp client missing received object
    name validation
  * Added patch openssh-7.9p1-scp-name-validator.patch

OBS-URL: https://build.opensuse.org/request/show/666511
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=170
2019-01-17 08:11:36 +00:00
Tomáš Chvátal
a485b7f4e0 Accepting request 664725 from home:pmonrealgonzalez:branches:network
- Security fix: [bsc#1121571, CVE-2018-20685]
  * The scp client allows remote SSH servers to bypass intended
    access restrictions
  * Added patch openssh-7.9p1-CVE-2018-20685.patch

OBS-URL: https://build.opensuse.org/request/show/664725
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=169
2019-01-11 17:55:43 +00:00
Tomáš Chvátal
518034998f Accepting request 662676 from home:pmonrealgonzalez:branches:network
- Added compatibility with SuSEfirewall2 [bsc#1118044]

OBS-URL: https://build.opensuse.org/request/show/662676
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=167
2019-01-04 06:19:36 +00:00
Tomáš Chvátal
cf45c4e386 Accepting request 657258 from home:pmonrealgonzalez:branches:network
- Update the firewall rules in Tumbleweed

OBS-URL: https://build.opensuse.org/request/show/657258
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=165
2018-12-11 16:01:09 +00:00
Tomáš Chvátal
c41fcd05a7 Accepting request 651986 from home:vitezslav_cizek:branches:network
- Fix build with openssl < 1.1.0
  * add openssh-openssl-1_0_0-compatibility.patch

OBS-URL: https://build.opensuse.org/request/show/651986
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=163
2018-11-26 14:06:38 +00:00
Tomáš Chvátal
b21be4c6b4 Accepting request 643660 from home:pmonrealgonzalez:branches:network
- Version update to 7.9p1
  * No actual changes for the askpass
  * See main package changelog for details

- Version update to 7.9p1
  * ssh(1), sshd(8): the setting of the new CASignatureAlgorithms
    option (see below) bans the use of DSA keys as certificate
    authorities.
  * sshd(8): the authentication success/failure log message has
    changed format slightly. It now includes the certificate
    fingerprint (previously it included only key ID and CA key
    fingerprint).
  * ssh(1), sshd(8): allow most port numbers to be specified using
    service names from getservbyname(3) (typically /etc/services).
  * sshd(8): support signalling sessions via the SSH protocol.
    A limited subset of signals is supported and only for login or
    command sessions (i.e. not subsystems) that were not subject to
    a forced command via authorized_keys or sshd_config. bz#1424
  * ssh(1): support "ssh -Q sig" to list supported signature options.
    Also "ssh -Q help" to show the full set of supported queries.
  * ssh(1), sshd(8): add a CASignatureAlgorithms option for the
    client and server configs to allow control over which signature
    formats are allowed for CAs to sign certificates. For example,
    this allows banning CAs that sign certificates using the RSA-SHA1
    signature algorithm.
  * sshd(8), ssh-keygen(1): allow key revocation lists (KRLs) to
    revoke keys specified by SHA256 hash.
  * ssh-keygen(1): allow creation of key revocation lists directly
    from base64-encoded SHA256 fingerprints. This supports revoking
    keys using only the information contained in sshd(8)

OBS-URL: https://build.opensuse.org/request/show/643660
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=159
2018-10-22 09:08:19 +00:00
Tomáš Chvátal
c1e40270e4 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=158 2018-10-19 13:44:30 +00:00
Tomáš Chvátal
1d3b4a412f - Mention upstream bugs on multiple local patches
- Adjust service to not spam restart and reload only on fails

OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=157
2018-10-19 13:24:01 +00:00
Tomáš Chvátal
59e5b4e5de - Update openssh-7.7p1-sftp_force_permissions.patch from the
upstream bug, and mention the bug in the spec

OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=156
2018-10-19 13:12:48 +00:00
Tomáš Chvátal
704eb5c303 - Drop patch openssh-7.7p1-allow_root_password_login.patch
* There is no reason to set less secure default value, if
    users need the behaviour they can still set it up themselves
- Drop patch openssh-7.7p1-blocksigalrm.patch
  * We had a bug way in past about this but it was never reproduced
    or even confirmed in the ticket, thus rather drop the patch

OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=155
2018-10-19 08:41:04 +00:00
Tomáš Chvátal
c159d0ce66 - Disable ssh1 protocol support as neither RH or Debian enable
this protocol by default anymore either.

OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=154
2018-10-17 09:24:31 +00:00
Tomáš Chvátal
7bccbbd821 Accepting request 642573 from home:scarabeus_iv:branches:network
- Update to 7.8p1:
  * no actual changes for the askpass
- Format with spec-cleaner
- Respect cflags
- Use gtk3 rather than gtk2 which is being phased out

- Remove the mention of the SLE12 in the README.SUSE
- Install firewall rules only when really needed (<SLE15)

- Version update to 7.8p1:
  * For most details see release notes file
  * ssh-keygen(1): write OpenSSH format private keys by default
    instead of using OpenSSL's PEM format
- Rebase patches to apply on 7.8p1 release:
  * openssh-7.7p1-fips.patch
  * openssh-7.7p1-cavstest-kdf.patch
  * openssh-7.7p1-fips_checks.patch
  * openssh-7.7p1-gssapi_key_exchange.patch
  * openssh-7.7p1-audit.patch
  * openssh-7.7p1-openssl_1.1.0.patch
  * openssh-7.7p1-ldap.patch
  * openssh-7.7p1-IPv6_X_forwarding.patch
  * openssh-7.7p1-sftp_print_diagnostic_messages.patch
  * openssh-7.7p1-disable_short_DH_parameters.patch
  * openssh-7.7p1-hostname_changes_when_forwarding_X.patch
  * openssh-7.7p1-pam_check_locks.patch
  * openssh-7.7p1-seed-prng.patch
  * openssh-7.7p1-systemd-notify.patch
  * openssh-7.7p1-X11_trusted_forwarding.patch
- Dropped patches:

OBS-URL: https://build.opensuse.org/request/show/642573
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=153
2018-10-17 08:57:56 +00:00
f56a5ff67f Accepting request 636347 from home:Andreas_Schwab:Factory
- seccomp_filter sandbox is not supported on ppc

OBS-URL: https://build.opensuse.org/request/show/636347
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=151
2018-09-21 09:56:44 +00:00
Ismail Dönmez
3a2700bb0a Accepting request 631714 from home:scarabeus_iv:branches:network
- Depend explicitly on zlib-devel, previously pulled in by openssl

OBS-URL: https://build.opensuse.org/request/show/631714
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=149
2018-08-27 09:51:09 +00:00
4d4a31fec0 Accepting request 619019 from home:AndreasStieger:branches:network
- BuildRequire pkgconfig(krb5) instead of krb5-mini-devel to ensure
  zypper si can pick a resolvable provider. Build cycle remains
  solved via project config pulling in -mini. (bsc#1099044)

OBS-URL: https://build.opensuse.org/request/show/619019
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=147
2018-07-04 07:19:08 +00:00
Petr Cerny
223282b58f Accepting request 611002 from home:pcerny:factory
- Upgrade to 7.7p1 (bsc#1094068)

- Upgrade to 7.7p1 (bsc#1094068)
  Most important changes (more details below):
  * Drop compatibility support for pre-2001 SSH implementations
  * sshd(1) does not load DSA keys by default
  Distilled upstream log:
  ---- Potentially-incompatible changes
  * ssh(1)/sshd(8): Drop compatibility support for some very old
    SSH implementations, including ssh.com <=2.* and OpenSSH <=
    3.*.  These versions were all released in or before 2001 and
    predate the final SSH RFCs. The support in question isn't
    necessary for RFC-compliant SSH implementations.
  ---- New Features
  * experimental support for PQC XMSS keys (Extended Hash-Based
    Signatures), not compiled in by default.
  * sshd(8): Add a "rdomain" criteria for the sshd_config Match
    keyword to allow conditional configuration that depends on
    which routing domain a connection was received on (currently
    supported on OpenBSD and Linux).
  * sshd_config(5): Add an optional rdomain qualifier to the
    ListenAddress directive to allow listening on different
    routing domains. This is supported only on OpenBSD and Linux
    at present.
  * sshd_config(5): Add RDomain directive to allow the
    authenticated session to be placed in an explicit routing
    domain. This is only supported on OpenBSD at present.
  * sshd(8): Add "expiry-time" option for authorized_keys files
    to allow for expiring keys.
  * ssh(1): Add a BindInterface option to allow binding the

OBS-URL: https://build.opensuse.org/request/show/611002
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=145
2018-05-21 21:57:42 +00:00
Petr Cerny
5e850f6d73 Accepting request 602971 from home:dimstar:Factory
- Use TIRPC on suse_version >= 1500: sunrpc is deprecated and
  should be replaced by TIRPC.

This has several effects:
* We get RPC support back... from build log in oS:F/standard:

[   48s] checking rpc/types.h usability... no
[   48s] checking rpc/types.h presence... no
[   48s] checking for rpc/types.h... no

vs this branch:
[   50s] checking rpc/types.h usability... yes
[   50s] checking rpc/types.h presence... yes
[   50s] checking for rpc/types.h... yes

AND as a side-effect, FALSE for ldapbody.c is now defined (not the
  nicest of side-effects, but seems that ldap patch relies on RPC
  headers to be included.

So all in all: this fixes the build failures for openSUSE Tumblewee

OBS-URL: https://build.opensuse.org/request/show/602971
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=143
2018-05-02 12:05:42 +00:00
Petr Cerny
67804a0124 Accepting request 602709 from home:pcerny:factory
- additional rebased patches (bsc#1080779)
  * auditing support
  * LDAP integration
  * various distribution tweaks from SLE12 
    (X forwarding over IPv6, sftp forced permissions
     and verbose batch mode)

OBS-URL: https://build.opensuse.org/request/show/602709
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=142
2018-04-30 23:44:41 +00:00
OBS User mrdocs
731c398148 Accepting request 593522 from home:kukuk:branches:network
- Use %license instead of %doc [bsc#1082318]

OBS-URL: https://build.opensuse.org/request/show/593522
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=140
2018-04-06 04:49:00 +00:00
01100ac5fc OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=138 2018-03-05 16:42:43 +00:00
f82cf6b5da (update tracker: bsc#1080779)
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=137
2018-03-05 16:40:33 +00:00
Petr Cerny
0a67e4f87e Accepting request 575957 from home:pcerny:factory
- add OpenSSL 1.0 to 1.1 shim to remove dependency on old OpenSSL

OBS-URL: https://build.opensuse.org/request/show/575957
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=136
2018-02-12 23:48:52 +00:00
OBS User mrdocs
2baed0da9e Accepting request 566484 from home:dimstar:Factory
- BuildRequire pkgconfig(libsystemd) instead of systemd-devel:
  allow the scheduler to pick systemd-mini flavors to get build
  going.


I shortened the diff, to have less conversation topics - this part should be undisputed

OBS-URL: https://build.opensuse.org/request/show/566484
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=132
2018-01-21 05:39:42 +00:00
Petr Cerny
d8a13def71 Accepting request 563833 from home:pcerny:factory
- Replace forgotten references to /var/adm/fillup-templates
  with new %_fillupdir macro (boo#1069468)
- tighten configuration access rights

OBS-URL: https://build.opensuse.org/request/show/563833
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=130
2018-01-12 12:57:27 +00:00
Petr Cerny
13e1fadf84 Accepting request 563725 from home:pcerny:factory
reworking packaging, gssapi kex patch

OBS-URL: https://build.opensuse.org/request/show/563725
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=129
2018-01-12 00:48:48 +00:00
Petr Cerny
a03a137de1 Accepting request 563724 from home:pcerny:factory
reworking packaging, gssapi kex patch

OBS-URL: https://build.opensuse.org/request/show/563724
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=128
2018-01-12 00:42:53 +00:00
Petr Cerny
b813991fe5 Accepting request 551548 from home:pcerny:factory
- upgrade to 7.6p1
  see main package changelog for details

- Replace references to /var/adm/fillup-templates with new 
  %_fillupdir macro (boo#1069468)

- Update to vanilla 7.6p1
  Most important changes (more details below):
  * complete removal of the ancient SSHv1 protocol
  * sshd(8) cannot run without privilege separation
  * removal of suport for arcfourm blowfish and CAST ciphers
    and RIPE-MD160 HMAC
  * refuse RSA keys shorter than 1024 bits
  Distilled upstream log:
- OpenSSH 7.3
  ---- Security
  * sshd(8): Mitigate a potential denial-of-service attack
    against the system's crypt(3) function via sshd(8). An
    attacker could send very long passwords that would cause
    excessive CPU use in crypt(3). sshd(8) now refuses to accept
    password authentication requests of length greater than 1024
    characters. Independently reported by Tomas Kuthan (Oracle),
    Andres Rojas and Javier Nieto.
  * sshd(8): Mitigate timing differences in password
    authentication that could be used to discern valid from
    invalid account names when long passwords were sent and
    particular password hashing algorithms are in use on the
    server. CVE-2016-6210, reported by EddieEzra.Harari at
    verint.com
  * ssh(1), sshd(8): Fix observable timing weakness in the CBC

OBS-URL: https://build.opensuse.org/request/show/551548
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=127
2017-12-05 12:47:07 +00:00
Petr Cerny
ad9209ae06 Accepting request 547285 from home:pcerny:factory-temp
temporarily downgrading to 7.2p2 to run tests on additional 7.2p2 patches

OBS-URL: https://build.opensuse.org/request/show/547285
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=126
2017-12-01 22:12:05 +00:00
Petr Cerny
56e0af8154 Accepting request 547144 from home:pcerny:factory
temporarily downgrading to 7.2p2 to run tests on additional 7.2p2 patches

OBS-URL: https://build.opensuse.org/request/show/547144
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=124
2017-12-01 15:03:13 +00:00
3a77b6ed2a Accepting request 544667 from home:RBrownSUSE:branches:network
Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)

OBS-URL: https://build.opensuse.org/request/show/544667
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=123
2017-11-24 10:22:32 +00:00
Petr Cerny
d83100ae13 Accepting request 539322 from home:pcerny:factory
- upgrade to 7.6p1
  see main package changelog for details

- Update to vanilla 7.6p1
  Most important changes (more details below):
  * complete removal of the ancient SSHv1 protocol
  * sshd(8) cannot run without privilege separation
  * removal of suport for arcfourm blowfish and CAST ciphers
    and RIPE-MD160 HMAC
  * refuse RSA keys shorter than 1024 bits
  Distilled upstream log:
- OpenSSH 7.3
  ---- Security
  * sshd(8): Mitigate a potential denial-of-service attack
    against the system's crypt(3) function via sshd(8). An
    attacker could send very long passwords that would cause
    excessive CPU use in crypt(3). sshd(8) now refuses to accept
    password authentication requests of length greater than 1024
    characters. Independently reported by Tomas Kuthan (Oracle),
    Andres Rojas and Javier Nieto.
  * sshd(8): Mitigate timing differences in password
    authentication that could be used to discern valid from
    invalid account names when long passwords were sent and
    particular password hashing algorithms are in use on the
    server. CVE-2016-6210, reported by EddieEzra.Harari at
    verint.com
  * ssh(1), sshd(8): Fix observable timing weakness in the CBC
    padding oracle countermeasures. Reported by Jean Paul
    Degabriele, Kenny Paterson, Torben Hansen and Martin
    Albrecht. Note that CBC ciphers are disabled by default and

OBS-URL: https://build.opensuse.org/request/show/539322
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=122
2017-11-06 14:50:53 +00:00
c84af5da00 Accepting request 536578 from home:jsegitz:branches:network
- sshd_config is has now permissions 0600 in secure mode

OBS-URL: https://build.opensuse.org/request/show/536578
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=120
2017-10-26 10:23:16 +00:00
Petr Cerny
e8b9919265 Accepting request 500279 from home:pcerny:factory
- Fix preauth seccomp separation on mainframes (bsc#1016709)
  [openssh-7.2p2-s390_hw_crypto_syscalls.patch]
  [openssh-7.2p2-s390_OpenSSL-ibmpkcs11_syscalls.patch]
- enable case-insensitive hostname matching (bsc#1017099)
  [openssh-7.2p2-ssh_case_insensitive_host_matching.patch]
- add CAVS tests 
  [openssh-7.2p2-cavstest-ctr.patch]
  [openssh-7.2p2-cavstest-kdf.patch]
- Adding missing pieces for user matching (bsc#1021626)
- Properly verify CIDR masks in configuration
  (bsc#1005893)
  [openssh-7.2p2-verify_CIDR_address_ranges.patch]
- Remove pre-auth compression support from the server to prevent
  possible cryptographic attacks.
  (CVE-2016-10012, bsc#1016370)
  [openssh-7.2p2-disable_preauth_compression.patch]
- limit directories for loading PKCS11 modules
  (CVE-2016-10009, bsc#1016366)
  [openssh-7.2p2-restrict_pkcs11-modules.patch]
- Prevent possible leaks of host private keys to low-privilege
  process handling authentication
  (CVE-2016-10011, bsc#1016369)
  [openssh-7.2p2-prevent_private_key_leakage.patch]
- Do not allow unix socket forwarding when running without
  privilege separation
  (CVE-2016-10010, bsc#1016368)
  [openssh-7.2p2-secure_unix_sockets_forwarding.patch]
- prevent resource depletion during key exchange
  (bsc#1005480, CVE-2016-8858)
  [openssh-7.2p2-kex_resource_depletion.patch]

OBS-URL: https://build.opensuse.org/request/show/500279
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=117
2017-05-31 23:09:14 +00:00
5829a44f01 Accepting request 459897 from home:elvigia:branches:network
- sshd.service: Set TasksMax=infinity, as there should be
  no limit on the amount of tasks sshd can run.

OBS-URL: https://build.opensuse.org/request/show/459897
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=115
2017-03-01 11:01:26 +00:00
Petr Cerny
6c861e0b33 Accepting request 433779 from home:pcerny:factory
- remaining patches that were still missing
  since the update to 7.2p2 (FATE#319675):
  [openssh-7.2p2-disable_openssl_abi_check.patch]
- fix forwarding with IPv6 addresses in DISPLAY (bnc#847710)
  [openssh-7.2p2-IPv6_X_forwarding.patch]
- ignore PAM environment when using login
  (bsc#975865, CVE-2015-8325)
  [openssh-7.2p2-ignore_PAM_with_UseLogin.patch]
- limit accepted password length (prevents possible DoS)
  (bsc#992533, CVE-2016-6515)
  [openssh-7.2p2-limit_password_length.patch]
- Prevent user enumeration through the timing of password
  processing (bsc#989363, CVE-2016-6210)
  [openssh-7.2p2-prevent_timing_user_enumeration.patch]
- Add auditing for PRNG re-seeding
  [openssh-7.2p2-audit_seed_prng.patch]

OBS-URL: https://build.opensuse.org/request/show/433779
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=113
2016-10-07 15:57:29 +00:00
Petr Cerny
fe873a1c10 Accepting request 432093 from home:pcerny:factory
next round of patches
- allow X forwarding over IPv4 when IPv6 sockets is not available
  [openssh-7.2p2-X_forward_with_disabled_ipv6.patch]
- do not write PID file when not daemonizing
  [openssh-7.2p2-no_fork-no_pid_file.patch]
- use correct options when invoking login
  [openssh-7.2p2-login_options.patch]
- helper application for retrieving users' public keys from
  an LDAP server
  [openssh-7.2p2-ldap.patch]
- allow forcing permissions over sftp
  [openssh-7.2p2-sftp_force_permissions.patch]
- do not perform run-time checks for OpenSSL API/ABI change
  [openssh-7.2p2-disable-openssl-abi-check.patch]
- suggest commands for cleaning known hosts file
  [openssh-7.2p2-host_ident.patch]
- sftp home chroot patch
  [openssh-7.2p2-sftp_homechroot.patch]
- ssh sessions auditing
  [openssh-7.2p2-audit.patch]
- enable seccomp sandbox on additional architectures
  [openssh-7.2p2-additional_seccomp_archs.patch]

OBS-URL: https://build.opensuse.org/request/show/432093
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=112
2016-09-30 20:34:19 +00:00
Petr Cerny
e0d7fb0744 Accepting request 428544 from home:pcerny:factory
- FIPS compatibility (no selfchecks, only crypto restrictions)
  [openssh-7.2p2-fips.patch]
- PRNG re-seeding
  [openssh-7.2p2-seed-prng.patch]
- preliminary version of GSSAPI KEX
  [openssh-7.2p2-gssapi_key_exchange.patch]

OBS-URL: https://build.opensuse.org/request/show/428544
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=110
2016-09-18 23:04:18 +00:00
a412ed9d8d - fixed url, added gpg signature
- added gpg signature and keyring from 
  http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh_gzsig_key.pub

OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=108
2016-07-25 13:47:29 +00:00