d83100ae13
- upgrade to 7.6p1
  see main package changelog for details

- Update to vanilla 7.6p1
  Most important changes (more details below):
  * complete removal of the ancient SSHv1 protocol
  * sshd(8) cannot run without privilege separation
  * removal of support for arcfour, blowfish and CAST ciphers
    and RIPE-MD160 HMAC
  * refuse RSA keys shorter than 1024 bits
  Distilled upstream log:
  - OpenSSH 7.3
  ---- Security
  * sshd(8): Mitigate a potential denial-of-service attack
    against the system's crypt(3) function via sshd(8). An
    attacker could send very long passwords that would cause
    excessive CPU use in crypt(3). sshd(8) now refuses to accept
    password authentication requests of length greater than 1024
    characters. Independently reported by Tomas Kuthan (Oracle),
    Andres Rojas and Javier Nieto.
  * sshd(8): Mitigate timing differences in password
    authentication that could be used to discern valid from
    invalid account names when long passwords were sent and
    particular password hashing algorithms are in use on the
    server. CVE-2016-6210, reported by EddieEzra.Harari at
    verint.com
  * ssh(1), sshd(8): Fix observable timing weakness in the CBC
    padding oracle countermeasures. Reported by Jean Paul
    Degabriele, Kenny Paterson, Torben Hansen and Martin
    Albrecht. Note that CBC ciphers are disabled by default and

OBS-URL: https://build.opensuse.org/request/show/539322
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=122
54 lines
1.9 KiB
Diff
# HG changeset patch
# Parent f258e8b7fc48a4b0f60fc436dc9ec72423a11bfc
send locales in default configuration
bnc#65747
diff --git a/openssh-7.6p1/ssh_config b/openssh-7.6p1/ssh_config
--- a/openssh-7.6p1/ssh_config
+++ b/openssh-7.6p1/ssh_config
@@ -26,16 +26,21 @@ Host *
# security reasons: Someone stealing the authentification data on the
# remote side (the "spoofed" X-server by the remote sshd) can read your
# keystrokes as you type, just like any other X11 client could do.
# Set this to "no" here for global effect or in your own ~/.ssh/config
# file if you want to have the remote X11 authentification data to
# expire after twenty minutes after remote login.
ForwardX11Trusted yes
+# This enables sending locale enviroment variables LC_* LANG, see ssh_config(5).
+ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+ SendEnv LC_IDENTIFICATION LC_ALL
+
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
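Review bot: The new comment above the SendEnv lines misspells "environment" as "enviroment" and describes the list as "LC_* LANG", although the three SendEnv lines enumerate specific variables rather than using a wildcard; the comment should match what is actually sent. The hunk header shows this block sits under "Host *", so every destination the client connects to receives the user's locale settings, including LC_ALL. That is worth stating in the comment so administrators know the default applies globally and is not limited to trusted hosts.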
diff --git a/openssh-7.6p1/sshd_config b/openssh-7.6p1/sshd_config
--- a/openssh-7.6p1/sshd_config
+++ b/openssh-7.6p1/sshd_config
@@ -105,14 +105,19 @@ X11Forwarding yes
#VersionAddendum none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
+# This enables accepting locale enviroment variables LC_* LANG, see sshd_config(5).
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL
+
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
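Review bot: The AcceptEnv lines are added at global scope, ahead of the per-user Match example, so client-chosen values for LANG and the listed LC_ variables reach the session environment of every account, including restricted ones such as the commented "Match User anoncvs" / "ForceCommand cvs server" case that follows. The comment should say that these values are supplied by the client and accepted for all users, and "enviroment" should read "environment". Enumerating the variables explicitly instead of accepting a wildcard is the safer choice, but the comment's "LC_* LANG" wording suggests a wildcard and should be reworded to match the list.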