d83100ae13
- upgrade to 7.6p1
see main package changelog for details
- Update to vanilla 7.6p1
Most important changes (more details below):
* complete removal of the ancient SSHv1 protocol
* sshd(8) cannot run without privilege separation
* removal of suport for arcfourm blowfish and CAST ciphers
and RIPE-MD160 HMAC
* refuse RSA keys shorter than 1024 bits
Distilled upstream log:
- OpenSSH 7.3
---- Security
* sshd(8): Mitigate a potential denial-of-service attack
against the system's crypt(3) function via sshd(8). An
attacker could send very long passwords that would cause
excessive CPU use in crypt(3). sshd(8) now refuses to accept
password authentication requests of length greater than 1024
characters. Independently reported by Tomas Kuthan (Oracle),
Andres Rojas and Javier Nieto.
* sshd(8): Mitigate timing differences in password
authentication that could be used to discern valid from
invalid account names when long passwords were sent and
particular password hashing algorithms are in use on the
server. CVE-2016-6210, reported by EddieEzra.Harari at
verint.com
* ssh(1), sshd(8): Fix observable timing weakness in the CBC
padding oracle countermeasures. Reported by Jean Paul
Degabriele, Kenny Paterson, Torben Hansen and Martin
Albrecht. Note that CBC ciphers are disabled by default and
OBS-URL: https://build.opensuse.org/request/show/539322
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=122
35 lines
904 B
Diff
35 lines
904 B
Diff
# HG changeset patch
|
|
# Parent 85f3cd6c8291c7feb0c1e7a0a3645c130532d206
|
|
Add the 'geteuid' syscall to allowed list, since it may becalled on the
|
|
mainframes when OpenSSL is using hardware crypto accelerator via libica
|
|
(via ibmica)
|
|
|
|
bsc#1004258
|
|
|
|
diff --git a/openssh-7.6p1/sandbox-seccomp-filter.c b/openssh-7.6p1/sandbox-seccomp-filter.c
|
|
--- a/openssh-7.6p1/sandbox-seccomp-filter.c
|
|
+++ b/openssh-7.6p1/sandbox-seccomp-filter.c
|
|
@@ -161,16 +161,22 @@ static const struct sock_filter preauth_
|
|
SC_ALLOW(__NR_close),
|
|
#endif
|
|
#ifdef __NR_exit
|
|
SC_ALLOW(__NR_exit),
|
|
#endif
|
|
#ifdef __NR_exit_group
|
|
SC_ALLOW(__NR_exit_group),
|
|
#endif
|
|
+#ifdef __NR_geteuid
|
|
+ SC_ALLOW(__NR_geteuid),
|
|
+#endif
|
|
+#ifdef __NR_geteuid32
|
|
+ SC_ALLOW(__NR_geteuid32),
|
|
+#endif
|
|
#ifdef __NR_getpgid
|
|
SC_ALLOW(__NR_getpgid),
|
|
#endif
|
|
#ifdef __NR_getpid
|
|
SC_ALLOW(__NR_getpid),
|
|
#endif
|
|
#ifdef __NR_getrandom
|
|
SC_ALLOW(__NR_getrandom),
|