e8b9919265
- Fix preauth seccomp separation on mainframes (bsc#1016709) [openssh-7.2p2-s390_hw_crypto_syscalls.patch] [openssh-7.2p2-s390_OpenSSL-ibmpkcs11_syscalls.patch] - enable case-insensitive hostname matching (bsc#1017099) [openssh-7.2p2-ssh_case_insensitive_host_matching.patch] - add CAVS tests [openssh-7.2p2-cavstest-ctr.patch] [openssh-7.2p2-cavstest-kdf.patch] - Adding missing pieces for user matching (bsc#1021626) - Properly verify CIDR masks in configuration (bsc#1005893) [openssh-7.2p2-verify_CIDR_address_ranges.patch] - Remove pre-auth compression support from the server to prevent possible cryptographic attacks. (CVE-2016-10012, bsc#1016370) [openssh-7.2p2-disable_preauth_compression.patch] - limit directories for loading PKCS11 modules (CVE-2016-10009, bsc#1016366) [openssh-7.2p2-restrict_pkcs11-modules.patch] - Prevent possible leaks of host private keys to low-privilege process handling authentication (CVE-2016-10011, bsc#1016369) [openssh-7.2p2-prevent_private_key_leakage.patch] - Do not allow unix socket forwarding when running without privilege separation (CVE-2016-10010, bsc#1016368) [openssh-7.2p2-secure_unix_sockets_forwarding.patch] - prevent resource depletion during key exchange (bsc#1005480, CVE-2016-8858) [openssh-7.2p2-kex_resource_depletion.patch] OBS-URL: https://build.opensuse.org/request/show/500279 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=117
65 lines
1.9 KiB
Diff
65 lines
1.9 KiB
Diff
# HG changeset patch
|
|
# Parent 4821397c95e57962905e6d47554bef9e4ea57483
|
|
disable run-time check for OpenSSL ABI by version number as that is not a
|
|
reliable indicator of ABI changes and doesn't make much sense in a
|
|
distribution package
|
|
|
|
diff --git a/openssh-7.2p2/configure.ac b/openssh-7.2p2/configure.ac
|
|
--- a/openssh-7.2p2/configure.ac
|
|
+++ b/openssh-7.2p2/configure.ac
|
|
@@ -4663,16 +4663,29 @@ AC_ARG_WITH([bsd-auth],
|
|
if test "x$withval" != "xno" ; then
|
|
AC_DEFINE([BSD_AUTH], [1],
|
|
[Define if you have BSD auth support])
|
|
BSD_AUTH_MSG=yes
|
|
fi
|
|
]
|
|
)
|
|
|
|
+# Whether we are using distribution (Open)SSL, so no runtime checks are necessary
|
|
+DISTRO_SSL=no
|
|
+AC_ARG_WITH([distro-ssl],
|
|
+ [ --with-distro-ssl Disable runtime OpenSSL version checks (good for distributions)],
|
|
+ [
|
|
+ if test "x$withval" != "xno" ; then
|
|
+ AC_DEFINE([DISTRO_SSL], [1],
|
|
+ [Define if you are using distribution SSL library and don;t expect its API/ABI to change])
|
|
+ DISTRO_SSL=yes
|
|
+ fi
|
|
+ ]
|
|
+)
|
|
+
|
|
# Where to place sshd.pid
|
|
piddir=/var/run
|
|
# make sure the directory exists
|
|
if test ! -d $piddir ; then
|
|
piddir=`eval echo ${sysconfdir}`
|
|
case $piddir in
|
|
NONE/*) piddir=`echo $piddir | sed "s~NONE~$ac_default_prefix~"` ;;
|
|
esac
|
|
diff --git a/openssh-7.2p2/entropy.c b/openssh-7.2p2/entropy.c
|
|
--- a/openssh-7.2p2/entropy.c
|
|
+++ b/openssh-7.2p2/entropy.c
|
|
@@ -209,19 +209,21 @@ rexec_recv_rng_seed(Buffer *m)
|
|
#endif /* OPENSSL_PRNG_ONLY */
|
|
|
|
void
|
|
seed_rng(void)
|
|
{
|
|
#ifndef OPENSSL_PRNG_ONLY
|
|
unsigned char buf[RANDOM_SEED_SIZE];
|
|
#endif
|
|
+#ifndef DISTRO_SSL
|
|
if (!ssh_compatible_openssl(OPENSSL_VERSION_NUMBER, SSLeay()))
|
|
fatal("OpenSSL version mismatch. Built against %lx, you "
|
|
"have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
|
|
+#endif
|
|
|
|
#ifndef OPENSSL_PRNG_ONLY
|
|
if (RAND_status() == 1) {
|
|
debug3("RNG is ready, skipping seeding");
|
|
return;
|
|
}
|
|
|
|
if (seed_from_prngd(buf, sizeof(buf)) == -1)
|