03fc1a6def
- Update to openssh 9.3p1
  * No changes for askpass, see main package changelog for details

- Update to openssh 9.3p1:
  = Security
  * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the per-hop destination constraints (ssh-add -h ...) added in OpenSSH 8.9, a logic error prevented the constraints from being communicated to the agent. This resulted in the keys being added without constraints. The common cases of non-smartcard keys and keys without destination constraints are unaffected. This problem was reported by Luci Stanescu.
  * ssh(1): Portable OpenSSH provides an implementation of the getrrsetbyname(3) function if the standard library does not provide it, for use by the VerifyHostKeyDNS feature. A specifically crafted DNS response could cause this function to perform an out-of-bounds read of adjacent stack data, but this condition does not appear to be exploitable beyond denial-of-service to the ssh(1) client. The getrrsetbyname(3) replacement is only included if the system's standard library lacks this function and portable OpenSSH was not compiled with the ldns library (--with-ldns). getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This problem was found by the Coverity static analyzer.
  = New features
  * ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256 when outputting SSHFP fingerprints to allow algorithm selection. bz3493

OBS-URL: https://build.opensuse.org/request/show/1087770
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=247
42 lines
1.5 KiB
Diff
Index: openssh-8.9p1/myproposal.h
===================================================================
--- openssh-8.9p1.orig/myproposal.h
+++ openssh-8.9p1/myproposal.h
@@ -34,7 +34,8 @@
"diffie-hellman-group-exchange-sha256," \
"diffie-hellman-group16-sha512," \
"diffie-hellman-group18-sha512," \
- "diffie-hellman-group14-sha256"
+ "diffie-hellman-group14-sha256," \
+ "diffie-hellman-group14-sha1"
#define KEX_CLIENT_KEX KEX_SERVER_KEX
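Review bot: The added "diffie-hellman-group14-sha1" entry in KEX_SERVER_KEX turns a SHA-1 based key exchange back on by default, and because the context line `#define KEX_CLIENT_KEX KEX_SERVER_KEX` reuses the same list, the change applies to both the client and the server defaults rather than to one side only. The commit message does not mention this patch or give a reason for it. Putting the entry last keeps it the client's lowest preference, but a peer that offers only this method will still negotiate it. Please record the compatibility reason in the patch header or the changelog, and consider whether both sides really need it; if the concern is only legacy servers, giving KEX_CLIENT_KEX its own list would keep the server default unchanged.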
Index: openssh-8.9p1/ssh_config.5
===================================================================
--- openssh-8.9p1.orig/ssh_config.5
+++ openssh-8.9p1/ssh_config.5
@@ -1228,7 +1228,8 @@ sntrup761x25519-sha512@openssh.com,
diffie-hellman-group-exchange-sha256,
diffie-hellman-group16-sha512,
diffie-hellman-group18-sha512,
-diffie-hellman-group14-sha256
+diffie-hellman-group14-sha256,
+diffie-hellman-group14-sha1
.Ed
.Pp
The list of available key exchange algorithms may also be obtained using
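Review bot: The documented client default in ssh_config.5 now ends with diffie-hellman-group14-sha1, but nothing in the page text marks it as a departure from the list in openssh-8.9p1.orig, which ended at diffie-hellman-group14-sha256. A reader comparing this man page with another build's documentation will not see that the SHA-1 entry is a local addition. Suggest adding one sentence after the list saying the entry is kept for legacy peers and can be removed with `KexAlgorithms -diffie-hellman-group14-sha1`.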
Index: openssh-8.9p1/sshd_config.5
===================================================================
--- openssh-8.9p1.orig/sshd_config.5
+++ openssh-8.9p1/sshd_config.5
@@ -996,7 +996,7 @@ ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
diffie-hellman-group-exchange-sha256,
diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
-diffie-hellman-group14-sha256
+diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
.Ed
.Pp
The list of available key exchange algorithms may also be obtained using
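Review bot: The sshd_config.5 hunk appends the new name on the same line as diffie-hellman-group14-sha256, while the ssh_config.5 hunk puts it on a line of its own; use one layout in both pages so the two default lists stay easy to compare. Since this page describes the server default, it is also the place an administrator will look when hardening, so a short remark that the SHA-1 entry can be dropped with a `KexAlgorithms` line starting with `-` would be worth adding next to the list.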