Marcus Meissner 67a17999e6 Accepting request 1099810 from home:simotek:branches:network
- Update to openssh 9.3p2
  * No changes for askpass, see main package changelog for
    details
- Update to openssh 9.3p2 (bsc#1213504, CVE-2023-38408):
  Security
  ========
  Fix CVE-2023-38408 - a condition where specific libraries loaded via
  ssh-agent(1)'s PKCS#11 support could be abused to achieve remote
  code execution via a forwarded agent socket if the following
  conditions are met:
  * Exploitation requires the presence of specific libraries on
    the victim system.
  * Remote exploitation requires that the agent was forwarded
    to an attacker-controlled system.
  Exploitation can also be prevented by starting ssh-agent(1) with an
  empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring
  an allowlist that contains only specific provider libraries.
  This vulnerability was discovered and demonstrated to be exploitable
  by the Qualys Security Advisory team. 
 
  In addition to removing the main precondition for exploitation,
  this release removes the ability for remote ssh-agent(1) clients
  to load PKCS#11 modules by default (see below).
  Potentially-incompatible changes
  --------------------------------
   * ssh-agent(8): the agent will now refuse requests to load PKCS#11
     modules issued by remote clients by default. A flag has been added
     to restore the previous behaviour "-Oallow-remote-pkcs11".
     Note that ssh-agent(8) depends on the SSH client to identify
     requests that are remote. The OpenSSH >=8.9 ssh(1) client does
     this, but forwarding access to an agent socket using other tools
     may circumvent this restriction.

OBS-URL: https://build.opensuse.org/request/show/1099810
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=249
2023-07-21 07:35:33 +00:00
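
An added example, not part of the commit or the openSUSE package: a shell check that reports, for an ssh-agent command line, the two settings the changelog above names (the `-P` allowlist and `-Oallow-remote-pkcs11`). The function names, output format and sample command lines are constructed for illustration; the live scan assumes Linux `/proc` and `pgrep`, and an agent binary of 9.3p2 or later.

```shell
#!/bin/sh
# Added example (not from the openSUSE package). Reads one argv element per
# line on stdin and reports the two ssh-agent settings the changelog names.
# Assumes a 9.3p2+ agent; clustered flags such as -DP... are not parsed.
classify_agent_args() {
    remote=refused      # 9.3p2 default: remote PKCS#11 load requests are refused
    allowlist=default   # no -P: the agent's built-in provider allowlist applies
    pending=; first=1
    while IFS= read -r arg; do
        if [ "$first" = 1 ]; then first=0; continue; fi    # skip argv[0]
        if [ -n "$pending" ]; then
            opt=$pending; val=$arg; pending=
        else
            case $arg in
                -[EaOPt]) pending=${arg#-}; continue ;;     # value is the next element
                -[EaOPt]?*) val=${arg#-?}; opt=${arg%"$val"}; opt=${opt#-} ;;
                --|[!-]*|'') break ;;                       # options end, command follows
                *) continue ;;                              # -c -D -d -k -s
            esac
        fi
        case $opt in
            O) if [ "$val" = allow-remote-pkcs11 ]; then remote=allowed; fi ;;
            P) if [ -z "$val" ]; then allowlist=empty; else allowlist=custom; fi ;;
        esac
    done
    printf 'remote-pkcs11=%s allowlist=%s\n' "$remote" "$allowlist"
}

# Live use on Linux (assumes pgrep and /proc): one line per running agent.
scan_agents() {
    for pid in $(pgrep -x ssh-agent); do
        printf '%s ' "$pid"
        tr '\0' '\n' < "/proc/$pid/cmdline" | classify_agent_args
    done
}

if [ "${1:-}" = --live ]; then
    scan_agents
else
    # Constructed sample command lines, not captured from a real host.
    printf '%s\n' ssh-agent -s | classify_agent_args
    printf '%s\n' ssh-agent -P '' | classify_agent_args
    printf '%s\n' ssh-agent -Oallow-remote-pkcs11 -P '/usr/lib64/opensc-pkcs11.so' | classify_agent_args
fi
```

An agent reported as `remote-pkcs11=allowed` has had the pre-9.3p2 behaviour restored and is the one to review first if its socket is ever forwarded.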
_multibuild Accepting request 1087770 from home:alarrosa:branches:network 2023-05-22 19:32:26 +00:00
.gitattributes OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=1 2007-01-07 16:26:05 +00:00
.gitignore OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=1 2007-01-07 16:26:05 +00:00
cavs_driver-ssh.pl Accepting request 642573 from home:scarabeus_iv:branches:network 2018-10-17 08:57:56 +00:00
fix-missing-lz.patch Accepting request 1087770 from home:alarrosa:branches:network 2023-05-22 19:32:26 +00:00
openssh-7.7p1-cavstest-ctr.patch Accepting request 922068 from home:hpjansson:branches:network 2021-10-07 08:06:58 +00:00
openssh-7.7p1-cavstest-kdf.patch Accepting request 922068 from home:hpjansson:branches:network 2021-10-07 08:06:58 +00:00
openssh-7.7p1-disable_openssl_abi_check.patch Accepting request 922068 from home:hpjansson:branches:network 2021-10-07 08:06:58 +00:00
openssh-7.7p1-eal3.patch Accepting request 922068 from home:hpjansson:branches:network 2021-10-07 08:06:58 +00:00
openssh-7.7p1-enable_PAM_by_default.patch Accepting request 922068 from home:hpjansson:branches:network 2021-10-07 08:06:58 +00:00
openssh-7.7p1-fips_checks.patch Accepting request 1087770 from home:alarrosa:branches:network 2023-05-22 19:32:26 +00:00
openssh-7.7p1-fips.patch Accepting request 1087770 from home:alarrosa:branches:network 2023-05-22 19:32:26 +00:00
openssh-7.7p1-host_ident.patch Accepting request 922068 from home:hpjansson:branches:network 2021-10-07 08:06:58 +00:00
openssh-7.7p1-hostname_changes_when_forwarding_X.patch Accepting request 922068 from home:hpjansson:branches:network 2021-10-07 08:06:58 +00:00
openssh-7.7p1-IPv6_X_forwarding.patch Accepting request 922068 from home:hpjansson:branches:network 2021-10-07 08:06:58 +00:00
openssh-7.7p1-ldap.patch Accepting request 1087770 from home:alarrosa:branches:network 2023-05-22 19:32:26 +00:00
openssh-7.7p1-no_fork-no_pid_file.patch Accepting request 922068 from home:hpjansson:branches:network 2021-10-07 08:06:58 +00:00
openssh-7.7p1-pam_check_locks.patch Accepting request 1087770 from home:alarrosa:branches:network 2023-05-22 19:32:26 +00:00
openssh-7.7p1-pts_names_formatting.patch Accepting request 922068 from home:hpjansson:branches:network 2021-10-07 08:06:58 +00:00
openssh-7.7p1-remove_xauth_cookies_on_exit.patch Accepting request 922068 from home:hpjansson:branches:network 2021-10-07 08:06:58 +00:00
openssh-7.7p1-seccomp_ipc_flock.patch Accepting request 1087770 from home:alarrosa:branches:network 2023-05-22 19:32:26 +00:00
openssh-7.7p1-seccomp_stat.patch Accepting request 922068 from home:hpjansson:branches:network 2021-10-07 08:06:58 +00:00
openssh-7.7p1-send_locale.patch Accepting request 922068 from home:hpjansson:branches:network 2021-10-07 08:06:58 +00:00
openssh-7.7p1-sftp_force_permissions.patch Accepting request 922068 from home:hpjansson:branches:network 2021-10-07 08:06:58 +00:00
openssh-7.7p1-sftp_print_diagnostic_messages.patch Accepting request 1087770 from home:alarrosa:branches:network 2023-05-22 19:32:26 +00:00
openssh-7.7p1-systemd-notify.patch Accepting request 1087770 from home:alarrosa:branches:network 2023-05-22 19:32:26 +00:00
openssh-7.7p1-X11_trusted_forwarding.patch Accepting request 922068 from home:hpjansson:branches:network 2021-10-07 08:06:58 +00:00
openssh-7.7p1-X_forward_with_disabled_ipv6.patch Accepting request 922068 from home:hpjansson:branches:network 2021-10-07 08:06:58 +00:00
openssh-7.9p1-keygen-preserve-perms.patch Accepting request 922068 from home:hpjansson:branches:network 2021-10-07 08:06:58 +00:00
openssh-7.9p1-revert-new-qos-defaults.patch Accepting request 922068 from home:hpjansson:branches:network 2021-10-07 08:06:58 +00:00
openssh-8.0p1-gssapi-keyex.patch Accepting request 1087770 from home:alarrosa:branches:network 2023-05-22 19:32:26 +00:00
openssh-8.1p1-audit.patch Accepting request 1087770 from home:alarrosa:branches:network 2023-05-22 19:32:26 +00:00
openssh-8.1p1-ed25519-use-openssl-rng.patch Accepting request 1087770 from home:alarrosa:branches:network 2023-05-22 19:32:26 +00:00
openssh-8.1p1-seccomp-clock_gettime64.patch Accepting request 922068 from home:hpjansson:branches:network 2021-10-07 08:06:58 +00:00
openssh-8.1p1-seccomp-clock_nanosleep_time64.patch Accepting request 922068 from home:hpjansson:branches:network 2021-10-07 08:06:58 +00:00
openssh-8.1p1-seccomp-clock_nanosleep.patch Accepting request 922068 from home:hpjansson:branches:network 2021-10-07 08:06:58 +00:00
openssh-8.1p1-use-openssl-kdf.patch Accepting request 922068 from home:hpjansson:branches:network 2021-10-07 08:06:58 +00:00
openssh-8.4p1-pam_motd.patch Accepting request 898969 from home:kukuk:branches:network 2021-06-23 18:30:23 +00:00
openssh-8.4p1-ssh_config_d.patch Accepting request 997549 from home:adamm:branches:network 2022-08-17 12:48:06 +00:00
openssh-8.4p1-vendordir.patch Accepting request 1087770 from home:alarrosa:branches:network 2023-05-22 19:32:26 +00:00
openssh-9.3p2.tar.gz Accepting request 1099810 from home:simotek:branches:network 2023-07-21 07:35:33 +00:00
openssh-9.3p2.tar.gz.asc Accepting request 1099810 from home:simotek:branches:network 2023-07-21 07:35:33 +00:00
openssh-askpass-gnome.changes Accepting request 1099810 from home:simotek:branches:network 2023-07-21 07:35:33 +00:00
openssh-askpass-gnome.spec Accepting request 1099810 from home:simotek:branches:network 2023-07-21 07:35:33 +00:00
openssh-do-not-send-empty-message.patch Accepting request 1034974 from home:hpjansson:openssh-tw 2022-11-15 15:28:59 +00:00
openssh-fips-ensure-approved-moduli.patch Accepting request 922068 from home:hpjansson:branches:network 2021-10-07 08:06:58 +00:00
openssh-link-with-sk.patch Accepting request 922068 from home:hpjansson:branches:network 2021-10-07 08:06:58 +00:00
openssh-openssl-3.patch Accepting request 1043949 from home:ohollmann:branches:network 2022-12-21 10:48:51 +00:00
openssh-reenable-dh-group14-sha1-default.patch Accepting request 1087770 from home:alarrosa:branches:network 2023-05-22 19:32:26 +00:00
openssh-whitelist-syscalls.patch Accepting request 1087770 from home:alarrosa:branches:network 2023-05-22 19:32:26 +00:00
openssh.changes Accepting request 1099810 from home:simotek:branches:network 2023-07-21 07:35:33 +00:00
openssh.keyring - openssh.keyring: rotated to new key from https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc 2021-10-07 15:19:27 +00:00
openssh.spec Accepting request 1099810 from home:simotek:branches:network 2023-07-21 07:35:33 +00:00
README.FIPS Accepting request 432093 from home:pcerny:factory 2016-09-30 20:34:19 +00:00
README.kerberos Accepting request 642573 from home:scarabeus_iv:branches:network 2018-10-17 08:57:56 +00:00
README.SUSE Accepting request 873406 from home:jsegitz:branches:network 2021-04-17 14:22:02 +00:00
ssh-askpass Accepting request 718210 from home:Vogtinator:branches:network 2019-07-24 12:05:07 +00:00
ssh.reg OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=1 2007-01-07 16:26:05 +00:00
sshd-gen-keys-start Accepting request 914000 from home:kukuk:tiu 2021-09-01 18:03:45 +00:00
sshd-sle.pamd Accepting request 1074609 from home:kukuk:branches:network 2023-04-13 21:23:05 +00:00
sshd.fw OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=7 2007-07-27 00:01:43 +00:00
sshd.pamd Accepting request 1074609 from home:kukuk:branches:network 2023-04-13 21:23:05 +00:00
sshd.service - Mention upstream bugs on multiple local patches 2018-10-19 13:24:01 +00:00
sysconfig.ssh Accepting request 738490 from home:hpjansson:branches:network 2019-10-15 07:47:08 +00:00
sysusers-sshd.conf Accepting request 866259 from home:hpjansson:branches:network 2021-01-24 18:19:54 +00:00
wtmpdb.patch Accepting request 1087770 from home:alarrosa:branches:network 2023-05-22 19:32:26 +00:00

The following changes have been made to the default settings of the ssh client and server:

* Accepting and sending of locale environment variables in protocol 2 is
  enabled.

* PAM authentication is enabled and in most cases required; do not turn it off.

* DSA authentication is enabled by default for maximum compatibility.
  NOTE: do not use DSA authentication. It is being phased out for a reason:
  the standard limits the size of DSA keys to 1024 bits, which can no longer
  be considered safe.

* All DH group parameters specified in RFC 4419 are accepted. See KexDHMin in
  the ssh_config and sshd_config manual pages.

For more information on the differences in the SUSE OpenSSH package, see README.FIPS.