openssh

rpm/openssh

SHA256

Fork 0

forked from pool/openssh

Commit Graph

Author	SHA256	Message	Date
Hans Petter Jansson	03fc1a6def	Accepting request 1087770 from home:alarrosa:branches:network - Update to openssh 9.3p1 * No changes for askpass, see main package changelog for details - Update to openssh 9.3p1: = Security * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the per-hop destination constraints (ssh-add -h ...) added in OpenSSH 8.9, a logic error prevented the constraints from being communicated to the agent. This resulted in the keys being added without constraints. The common cases of non-smartcard keys and keys without destination constraints are unaffected. This problem was reported by Luci Stanescu. * ssh(1): Portable OpenSSH provides an implementation of the getrrsetbyname(3) function if the standard library does not provide it, for use by the VerifyHostKeyDNS feature. A specifically crafted DNS response could cause this function to perform an out-of-bounds read of adjacent stack data, but this condition does not appear to be exploitable beyond denial-of- service to the ssh(1) client. The getrrsetbyname(3) replacement is only included if the system's standard library lacks this function and portable OpenSSH was not compiled with the ldns library (--with-ldns). getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This problem was found by the Coverity static analyzer. = New features * ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1\|sha256 when outputting SSHFP fingerprints to allow algorithm selection. bz3493 OBS-URL: https://build.opensuse.org/request/show/1087770 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=247	2023-05-22 19:32:26 +00:00
Hans Petter Jansson	916f9ab5d2	Accepting request 849311 from home:hpjansson:branches:network - Fix build breakage caused by missing security key objects: + Modify openssh-7.7p1-cavstest-ctr.patch. + Modify openssh-7.7p1-cavstest-kdf.patch. + Add openssh-link-with-sk.patch. - Add openssh-fips-ensure-approved-moduli.patch (bsc#1177939). This ensures only approved DH parameters are used in FIPS mode. - Add openssh-8.1p1-ed25519-use-openssl-rng.patch (bsc#1173799). This uses OpenSSL's RAND_bytes() directly instead of the internal ChaCha20-based implementation to obtain random bytes for Ed25519 curve computations. This is required for FIPS compliance. OBS-URL: https://build.opensuse.org/request/show/849311 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=219	2020-11-22 16:59:16 +00:00

Author

SHA256

Message

Date

Hans Petter Jansson

03fc1a6def

Accepting request 1087770 from home:alarrosa:branches:network

- Update to openssh 9.3p1
  * No changes for askpass, see main package changelog for
    details

- Update to openssh 9.3p1:
  = Security
  * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the
   per-hop destination constraints (ssh-add -h ...) added in
   OpenSSH 8.9, a logic error prevented the constraints from being
   communicated to the agent. This resulted in the keys being added
   without constraints. The common cases of non-smartcard keys and
   keys without destination constraints are unaffected. This
   problem was reported by Luci Stanescu.
 * ssh(1): Portable OpenSSH provides an implementation of the
   getrrsetbyname(3) function if the standard library does not
   provide it, for use by the VerifyHostKeyDNS feature. A
   specifically crafted DNS response could cause this function to
   perform an out-of-bounds read of adjacent stack data, but this
   condition does not appear to be exploitable beyond denial-of-
   service to the ssh(1) client.
   The getrrsetbyname(3) replacement is only included if the
   system's standard library lacks this function and portable
   OpenSSH was not compiled with the ldns library (--with-ldns).
   getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to
   fetch SSHFP records. This problem was found by the Coverity
   static analyzer.
  = New features
  * ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256
    when outputting SSHFP fingerprints to allow algorithm
    selection. bz3493

OBS-URL: https://build.opensuse.org/request/show/1087770
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=247

2023-05-22 19:32:26 +00:00

Hans Petter Jansson

916f9ab5d2

Accepting request 849311 from home:hpjansson:branches:network

- Fix build breakage caused by missing security key objects:
  + Modify openssh-7.7p1-cavstest-ctr.patch.
  + Modify openssh-7.7p1-cavstest-kdf.patch.
  + Add openssh-link-with-sk.patch.

- Add openssh-fips-ensure-approved-moduli.patch (bsc#1177939).
  This ensures only approved DH parameters are used in FIPS mode.

- Add openssh-8.1p1-ed25519-use-openssl-rng.patch (bsc#1173799).
  This uses OpenSSL's RAND_bytes() directly instead of the internal
  ChaCha20-based implementation to obtain random bytes for Ed25519
  curve computations. This is required for FIPS compliance.

OBS-URL: https://build.opensuse.org/request/show/849311
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=219

2020-11-22 16:59:16 +00:00

2 Commits