From 223282b58ff843b935e62e501df0b4b719df94aaa34c21ff9d42877e7ff5e56d Mon Sep 17 00:00:00 2001 
From: Petr Cerny Date: Mon, 21 May 2018 21:57:42 +0000 Subject: [PATCH] Accepting request 611002 from home:pcerny:factory - Upgrade to 7.7p1 (bsc#1094068) - Upgrade to 7.7p1 (bsc#1094068) Most important changes (more details below): * Drop compatibility support for pre-2001 SSH implementations * sshd(1) does not load DSA keys by default Distilled upstream log: ---- Potentially-incompatible changes * ssh(1)/sshd(8): Drop compatibility support for some very old SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*. These versions were all released in or before 2001 and predate the final SSH RFCs. The support in question isn't necessary for RFC-compliant SSH implementations. ---- New Features * experimental support for PQC XMSS keys (Extended Hash-Based Signatures), not compiled in by default. * sshd(8): Add a "rdomain" criteria for the sshd_config Match keyword to allow conditional configuration that depends on which routing domain a connection was received on (currently supported on OpenBSD and Linux). * sshd_config(5): Add an optional rdomain qualifier to the ListenAddress directive to allow listening on different routing domains. This is supported only on OpenBSD and Linux at present. * sshd_config(5): Add RDomain directive to allow the authenticated session to be placed in an explicit routing domain. This is only supported on OpenBSD at present. * sshd(8): Add "expiry-time" option for authorized_keys files to allow for expiring keys. 
* ssh(1): Add a BindInterface option to allow binding the OBS-URL: https://build.opensuse.org/request/show/611002 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=145 --- openssh-7.6p1-SUSE_patches.tar.gz | 3 - openssh-7.6p1.tar.gz | 3 - openssh-7.6p1.tar.gz.asc | 14 ---- openssh-7.7p1-SUSE_patches.tar.gz | 3 + openssh-7.7p1.tar.gz | 3 + openssh-7.7p1.tar.gz.asc | 14 ++++ openssh-askpass-gnome.changes | 5 ++ openssh-askpass-gnome.spec | 2 +- openssh.changes | 106 ++++++++++++++++++++++++++++++ openssh.spec | 4 +- 10 files changed, 134 insertions(+), 23 deletions(-) delete mode 100644 openssh-7.6p1-SUSE_patches.tar.gz delete mode 100644 openssh-7.6p1.tar.gz delete mode 100644 openssh-7.6p1.tar.gz.asc create mode 100644 openssh-7.7p1-SUSE_patches.tar.gz create mode 100644 openssh-7.7p1.tar.gz create mode 100644 openssh-7.7p1.tar.gz.asc
diff --git a/openssh-7.6p1-SUSE_patches.tar.gz b/openssh-7.6p1-SUSE_patches.tar.gz
deleted file mode 100644
index f7ca541..0000000
--- a/openssh-7.6p1-SUSE_patches.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:13854b50b2b34c148cab87ea676226342d871d11d4670fe2f93514d61fbcf9b1
-size 151540
diff --git a/openssh-7.6p1.tar.gz b/openssh-7.6p1.tar.gz
deleted file mode 100644
index 8a5be6b..0000000
--- a/openssh-7.6p1.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:a323caeeddfe145baaa0db16e98d784b1fbc7dd436a6bf1f479dfd5cd1d21723
-size 1489788
diff --git a/openssh-7.6p1.tar.gz.asc b/openssh-7.6p1.tar.gz.asc
deleted file mode 100644
index d49752a..0000000
--- a/openssh-7.6p1.tar.gz.asc
+++ /dev/null
@@ -1,14 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQHDBAABCgAdFiEEWcIRjtIG2SfmZ+vj0+X1a22SDTAFAlnTtXUACgkQ0+X1a22S
-DTCQxgx+MJ1JjIWwVjXUxwpFfjj4aBv5xSqiKqwzGgVjnlmwtpTn+tqdGiACts3K
-46fh/8ujknJJ5lBIlWKBfqhKzC7A+gCBaFiLoXiad8Q3NIESbXGxRkuMe6jxFtR7
-SHidUjRqmn1kLCy1TSkj8mqg0/UZ5UZAJcsldQTmEAnxFVbK1l8CLB7vn4rJnj+v
-PdbtsSdw8ZHtakkoNHiqQD+mwy+FXY5QcN7IUEX2/E0hKx0wou1S/36j8k89UQf8
-Jbntg31N4EUOQ0fRwuxdRkHSUrJJpPgwWO4XgHw4u9yghsOCYr+X9Pa1+LCtL4PE
-o4+08UoD92VORzRETH5Cbtv1XmdUWrpHVHUjVORTgYxVgXbbnoDuzxfsrbfJRRLE
-NBsFxodltDxfdljL27PReBqpneWBxNJd6ruaY5wYxhu1qTEcszCGXuSd583TJ49b
-hhkWrk5+knErwFdDbtOy+l3L1pvxXvuyIuWl/aXaoVSPDwtPFui94Dl2G7QbSeEb
-PQDWU6PReeP+SRsMyYJSoxwgbZIzaQ==
-=K6iy
------END PGP SIGNATURE-----
diff --git a/openssh-7.7p1-SUSE_patches.tar.gz b/openssh-7.7p1-SUSE_patches.tar.gz
new file mode 100644
index 0000000..8a1dc3e
--- /dev/null
+++ b/openssh-7.7p1-SUSE_patches.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:87754e4234f7ed87e145cc61ea4c1e71121dd0ff10e28e86336f95033b8f7300
+size 147974
diff --git a/openssh-7.7p1.tar.gz b/openssh-7.7p1.tar.gz
new file mode 100644
index 0000000..c518c6f
--- /dev/null
+++ b/openssh-7.7p1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d73be7e684e99efcd024be15a30bffcbe41b012b2f7b3c9084aed621775e6b8f
+size 1536900
diff --git a/openssh-7.7p1.tar.gz.asc b/openssh-7.7p1.tar.gz.asc
new file mode 100644
index 0000000..c3c3b95
--- /dev/null
+++ b/openssh-7.7p1.tar.gz.asc
@@ -0,0 +1,14 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQHDBAABCgAdFiEEWcIRjtIG2SfmZ+vj0+X1a22SDTAFAlrBwh4ACgkQ0+X1a22S
+DTCqGwyAgQuR+5b6dAEK3PV3WnzuPSJ8KKnw3/HlqQw40QfWotVOX4+On3+yOYy+
+txjAWkbocjHa5/6IzKVU0y9GD3A0H7XwJAwjqqQg3pKD3kXyl7Lz5nkwWWICN0z+
+fU8HUwJv3SOhilD7XRZqWHUfSL69AR5CbYPraurMQWDNwHY0i4n3vDFp1WrSJx8q
+mcSgAEwucKavr3+PDm0MbmYINAqgqn1USVDalGy8U6ICnCyzXvu4o8gMuiGGwwKR
+Jlt2zCs5CBnF2LAaFgawwNh6NO/TOLvvNrW3zUm3s3DzLKqYtl4Jfs39Coii9LEE
+PqF8YFhgbzm+JPPe9/k5zBSEZOWwkzu33cXm7nC1rypt4PQVZLB8BvRE5HXE9QOx
+xpGi+BFVeMIMqjsW+nOAAdl4S+FNtzR/OABAhwRveLGMPMFRQ9/GqN5B1L9Wezut
+V/6SUUzQUyf5Kn6Gjo+ktJB1i7ufPTLSjH9eYjS/7Fn5cMdjF5iezOAzp3FNWXln
+cDZzHkVgrwqYqTKkekDFTwJD+q/QJQ==
+=gz3x
+-----END PGP SIGNATURE-----
diff --git a/openssh-askpass-gnome.changes b/openssh-askpass-gnome.changes
index 4bd8e95..593fbee 100644
--- a/openssh-askpass-gnome.changes
+++ b/openssh-askpass-gnome.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Mon May 21 15:19:03 UTC 2018 - pcerny@suse.com
+
+- Upgrade to 7.7p1 (bsc#1094068)
+
 -------------------------------------------------------------------
 Wed Jan 31 22:54:55 UTC 2018 - pcerny@suse.com
 
diff --git a/openssh-askpass-gnome.spec b/openssh-askpass-gnome.spec
index a1ae655..cae8063 100644
--- a/openssh-askpass-gnome.spec
+++ b/openssh-askpass-gnome.spec
@@ -19,7 +19,7 @@
 %define _name openssh
 Name: openssh-askpass-gnome
 BuildRequires: gtk2-devel
-Version: 7.6p1
+Version: 7.7p1
 Release: 0
 Requires: %{_name} = %{version}
 Summary: A GNOME-Based Passphrase Dialog for OpenSSH
diff --git a/openssh.changes b/openssh.changes
index 2f43ed2..82d0ad0 100644
--- a/openssh.changes
+++ b/openssh.changes
@@ -1,3 +1,109 @@
+-------------------------------------------------------------------
+Mon May 21 15:19:03 UTC 2018 - pcerny@suse.com
+
+- Upgrade to 7.7p1 (bsc#1094068)
+ Most important changes (more details below):
+ * Drop compatibility support for pre-2001 SSH implementations
+ * sshd(1) does not load DSA keys by default
+ Distilled upstream log:
+ ---- Potentially-incompatible changes
+ * ssh(1)/sshd(8): Drop compatibility support for some very old
+ SSH implementations, including ssh.com <=2.* and OpenSSH <=
+ 3.*. These versions were all released in or before 2001 and
+ predate the final SSH RFCs. The support in question isn't
+ necessary for RFC-compliant SSH implementations.
+ ---- New Features
+ * experimental support for PQC XMSS keys (Extended Hash-Based
+ Signatures), not compiled in by default.
+ * sshd(8): Add a "rdomain" criteria for the sshd_config Match
+ keyword to allow conditional configuration that depends on
+ which routing domain a connection was received on (currently
+ supported on OpenBSD and Linux).
+ * sshd_config(5): Add an optional rdomain qualifier to the
+ ListenAddress directive to allow listening on different
+ routing domains. This is supported only on OpenBSD and Linux
+ at present.
+ * sshd_config(5): Add RDomain directive to allow the
+ authenticated session to be placed in an explicit routing
+ domain. This is only supported on OpenBSD at present.
+ * sshd(8): Add "expiry-time" option for authorized_keys files
+ to allow for expiring keys.
+ * ssh(1): Add a BindInterface option to allow binding the
+ outgoing connection to an interface's address (basically a
+ more usable BindAddress)
+ * ssh(1): Expose device allocated for tun/tap forwarding via a
+ new %T expansion for LocalCommand. This allows LocalCommand
+ to be %used to prepare the interface.
+ * sshd(8): Expose the device allocated for tun/tap forwarding
+ via a new SSH_TUNNEL environment variable. This allows
+ automatic setup of the interface and surrounding network
+ configuration automatically on the server.
+ * ssh(1)/scp(1)/sftp(1): Add URI support to ssh, sftp and scp,
+ e.g. ssh://user@host or sftp://user@host/path. Additional
+ connection parameters that use deporecated MD5 are not
+ implemented.
+ * ssh-keygen(1): Allow certificate validity intervals that
+ specify only a start or stop time (instead of both or
+ neither).
+ * sftp(1): Allow "cd" and "lcd" commands with no explicit path
+ argument. lcd will change to the local user's home directory
+ as usual. cd will change to the starting directory for
+ session (because the protocol offers no way to obtain the
+ remote user's home directory). bz#2760
+ * sshd(8): When doing a config test with sshd -T, only require
+ the attributes that are actually used in Match criteria
+ rather than (an incomplete list of) all criteria.
+ ---- Bugfixes
+ * ssh(1)/sshd(8): More strictly check signature types during
+ key exchange against what was negotiated. Prevents downgrade
+ of RSA signatures made with SHA-256/512 to SHA-1.
+ * sshd(8): Fix support for client that advertise a protocol
+ version of "1.99" (indicating that they are prepared to
+ accept both SSHv1 and SSHv2). This was broken in OpenSSH 7.6
+ during the removal of SSHv1 support. bz#2810
+ * ssh(1): Warn when the agent returns a ssh-rsa (SHA1)
+ signature when a rsa-sha2-256/512 signature was requested.
+ This condition is possible when an old or non-OpenSSH agent
+ is in use. bz#2799
+ * ssh-agent(1): Fix regression introduced in 7.6 that caused
+ ssh-agent to fatally exit if presented an invalid signature
+ request message.
+ * sshd_config(5): Accept yes/no flag options
+ case-insensitively, as has been the case in ssh_config(5) for
+ a long time. bz#2664
+ * ssh(1): Improve error reporting for failures during
+ connection. Under some circumstances misleading errors were
+ being shown. bz#2814
+ * ssh-keyscan(1): Add -D option to allow printing of results
+ directly in SSHFP format. bz#2821
+ * regress tests: fix PuTTY interop test broken in last
+ release's SSHv1 removal. bz#2823
+ * ssh(1): Compatibility fix for some servers that erroneously
+ drop the connection when the IUTF8 (RFC8160) option is sent.
+ * scp(1): Disable RemoteCommand and RequestTTY in the ssh
+ session started by scp (sftp was already doing this.)
+ * ssh-keygen(1): Refuse to create a certificate with an
+ unusable number of principals.
+ * ssh-keygen(1): Fatally exit if ssh-keygen is unable to write
+ all the public key during key generation. Previously it would
+ silently ignore errors writing the comment and terminating
+ newline.
+ * ssh(1): Do not modify hostname arguments that are addresses
+ by automatically forcing them to lower-case. Instead
+ canonicalise them to resolve ambiguities (e.g. ::0001 => ::1)
+ before they are matched against known_hosts. bz#2763
+ * ssh(1): Don't accept junk after "yes" or "no" responses to
+ hostkey prompts. bz#2803
+ * sftp(1): Have sftp print a warning about shell cleanliness
+ when decoding the first packet fails, which is usually caused
+ by shells polluting stdout of non-interactive startups.
+ bz#2800
+ * ssh(1)/sshd(8): Switch timers in packet code from using
+ wall-clock time to monotonic time, allowing the packet layer
+ to better function over a clock step and avoiding possible
+ integer overflows during steps.
+ * Numerous manual page fixes and improvements.
+
 -------------------------------------------------------------------
 Wed May 2 08:14:41 UTC 2018 - dimstar@opensuse.org
 
diff --git a/openssh.spec b/openssh.spec
index 1ca6b44..918aed3 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -101,7 +101,7 @@ PreReq: pwdutils %{fillup_prereq} coreutils
 %if ! %{uses_systemd}
 PreReq: %{insserv_prereq}
 %endif
-Version: 7.6p1
+Version: 7.7p1
 Release: 0
 Summary: Secure Shell Client and Server (Remote Login Program)
 License: BSD-2-Clause AND MIT
@@ -190,7 +190,7 @@ done
 # set libexec dir in the LDAP patch
 sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \
 $( grep -Rl @LIBEXECDIR@ \
- $( grep "^+++" $PATCH_DIR/openssh-7.6p1-ldap.patch | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
+ $( grep "^+++" $PATCH_DIR/openssh-7.7p1-ldap.patch | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
 )
 
 %build
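Review bot: The second openssh.spec hunk still hard-codes the release in the patch filename given to the inner `grep "^+++"`, so every upgrade has to edit this `sed` block, and a missed rename would not fail loudly. If the inner grep prints nothing, `grep -Rl @LIBEXECDIR@` is left with no file operands and, with GNU grep, would recurse over the current directory, so `sed -i.libexec` could rewrite files the LDAP patch never touched. Deriving the name from the package version, `$( grep "^+++" "$PATCH_DIR/openssh-%{version}-ldap.patch" | sed -r 's@^.+/([^/\t ]+).*$@\1@' )`, would remove the per-release edit, assuming the patch in the SUSE_patches tarball keeps that naming. A comment such as `# fail the build if the LDAP patch is missing rather than letting grep -R fall back to the whole tree` above an explicit existence check would document the intent. The statement is complete within the hunk, but the enclosing section (presumably %prep) starts outside it.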