d83100ae13
- upgrade to 7.6p1
see main package changelog for details
- Update to vanilla 7.6p1
Most important changes (more details below):
* complete removal of the ancient SSHv1 protocol
* sshd(8) cannot run without privilege separation
* removal of suport for arcfourm blowfish and CAST ciphers
and RIPE-MD160 HMAC
* refuse RSA keys shorter than 1024 bits
Distilled upstream log:
- OpenSSH 7.3
---- Security
* sshd(8): Mitigate a potential denial-of-service attack
against the system's crypt(3) function via sshd(8). An
attacker could send very long passwords that would cause
excessive CPU use in crypt(3). sshd(8) now refuses to accept
password authentication requests of length greater than 1024
characters. Independently reported by Tomas Kuthan (Oracle),
Andres Rojas and Javier Nieto.
* sshd(8): Mitigate timing differences in password
authentication that could be used to discern valid from
invalid account names when long passwords were sent and
particular password hashing algorithms are in use on the
server. CVE-2016-6210, reported by EddieEzra.Harari at
verint.com
* ssh(1), sshd(8): Fix observable timing weakness in the CBC
padding oracle countermeasures. Reported by Jean Paul
Degabriele, Kenny Paterson, Torben Hansen and Martin
Albrecht. Note that CBC ciphers are disabled by default and
OBS-URL: https://build.opensuse.org/request/show/539322
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=122
146 lines
3.8 KiB
Diff
146 lines
3.8 KiB
Diff
# HG changeset patch
|
|
# Parent e4a7e5799420a3d4b8047c5984c75c4bd4331951
|
|
# -- uset do be called '-xauthlocalhostname'
|
|
handle hostname changes when forwarding X
|
|
|
|
bnc#98627
|
|
|
|
diff --git a/openssh-7.6p1/session.c b/openssh-7.6p1/session.c
|
|
--- a/openssh-7.6p1/session.c
|
|
+++ b/openssh-7.6p1/session.c
|
|
@@ -953,17 +953,17 @@ copy_environment_blacklist(char **source
|
|
|
|
void
|
|
copy_environment(char **source, char ***env, u_int *envsize)
|
|
{
|
|
copy_environment_blacklist(source, env, envsize, NULL);
|
|
}
|
|
|
|
static char **
|
|
-do_setup_env(struct ssh *ssh, Session *s, const char *shell)
|
|
+do_setup_env(struct ssh *ssh, Session *s, const char *shell, int *env_size)
|
|
{
|
|
char buf[256];
|
|
u_int i, envsize;
|
|
char **env, *laddr;
|
|
struct passwd *pw = s->pw;
|
|
#if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
|
|
char *path = NULL;
|
|
#endif
|
|
@@ -1142,25 +1142,27 @@ do_setup_env(struct ssh *ssh, Session *s
|
|
read_environment_file(&env, &envsize, buf);
|
|
}
|
|
if (debug_flag) {
|
|
/* dump the environment */
|
|
fprintf(stderr, "Environment:\n");
|
|
for (i = 0; env[i]; i++)
|
|
fprintf(stderr, " %.200s\n", env[i]);
|
|
}
|
|
+
|
|
+ *env_size = envsize;
|
|
return env;
|
|
}
|
|
|
|
/*
|
|
* Run $HOME/.ssh/rc, /etc/ssh/sshrc, or xauth (whichever is found
|
|
* first in this order).
|
|
*/
|
|
static void
|
|
-do_rc_files(Session *s, const char *shell)
|
|
+do_rc_files(Session *s, const char *shell, char **env, int *env_size)
|
|
{
|
|
FILE *f = NULL;
|
|
char cmd[1024];
|
|
int do_xauth;
|
|
struct stat st;
|
|
|
|
do_xauth =
|
|
s->display != NULL && s->auth_proto != NULL && s->auth_data != NULL;
|
|
@@ -1205,22 +1207,30 @@ do_rc_files(Session *s, const char *shel
|
|
"%.500s add %.100s %.100s %.100s\n",
|
|
options.xauth_location, s->auth_display,
|
|
s->auth_proto, s->auth_data);
|
|
}
|
|
snprintf(cmd, sizeof cmd, "%s -q -",
|
|
options.xauth_location);
|
|
f = popen(cmd, "w");
|
|
if (f) {
|
|
+ char hostname[MAXHOSTNAMELEN];
|
|
+
|
|
fprintf(f, "remove %s\n",
|
|
s->auth_display);
|
|
fprintf(f, "add %s %s %s\n",
|
|
s->auth_display, s->auth_proto,
|
|
s->auth_data);
|
|
pclose(f);
|
|
+ if (gethostname(hostname,sizeof(hostname)) >= 0)
|
|
+ child_set_env(&env,env_size,"XAUTHLOCALHOSTNAME",
|
|
+ hostname);
|
|
+ else
|
|
+ debug("Cannot set up XAUTHLOCALHOSTNAME %s\n",
|
|
+ strerror(errno));
|
|
} else {
|
|
fprintf(stderr, "Could not run %s\n",
|
|
cmd);
|
|
}
|
|
}
|
|
}
|
|
|
|
static void
|
|
@@ -1461,16 +1471,17 @@ child_close_fds(struct ssh *ssh)
|
|
* ids, and executing the command or shell.
|
|
*/
|
|
#define ARGV_MAX 10
|
|
void
|
|
do_child(struct ssh *ssh, Session *s, const char *command)
|
|
{
|
|
extern char **environ;
|
|
char **env;
|
|
+ int env_size;
|
|
char *argv[ARGV_MAX];
|
|
const char *shell, *shell0;
|
|
struct passwd *pw = s->pw;
|
|
int r = 0;
|
|
|
|
/* remove hostkey from the child's memory */
|
|
destroy_sensitive_data();
|
|
packet_clear_keys();
|
|
@@ -1522,17 +1533,17 @@ do_child(struct ssh *ssh, Session *s, co
|
|
* legal, and means /bin/sh.
|
|
*/
|
|
shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell;
|
|
|
|
/*
|
|
* Make sure $SHELL points to the shell from the password file,
|
|
* even if shell is overridden from login.conf
|
|
*/
|
|
- env = do_setup_env(ssh, s, shell);
|
|
+ env = do_setup_env(ssh, s, shell, &env_size);
|
|
|
|
#ifdef HAVE_LOGIN_CAP
|
|
shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell);
|
|
#endif
|
|
|
|
/*
|
|
* Close the connection descriptors; note that this is the child, and
|
|
* the server will still have the socket open, and it is important
|
|
@@ -1586,17 +1597,17 @@ do_child(struct ssh *ssh, Session *s, co
|
|
strerror(errno));
|
|
}
|
|
if (r)
|
|
exit(1);
|
|
}
|
|
|
|
closefrom(STDERR_FILENO + 1);
|
|
|
|
- do_rc_files(s, shell);
|
|
+ do_rc_files(s, shell, env, &env_size);
|
|
|
|
/* restore SIGPIPE for child */
|
|
signal(SIGPIPE, SIG_DFL);
|
|
|
|
if (s->is_subsystem == SUBSYSTEM_INT_SFTP_ERROR) {
|
|
printf("This service allows sftp connections only.\n");
|
|
fflush(NULL);
|
|
exit(1);
|