Accepting request 1218789 from network

OBS-URL: https://build.opensuse.org/request/show/1218789
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=188

0001-fix-utmpx-ifdef.patch

@@ -0,0 +1,36 @@
+From c7fda601186ff28128cfe3eab9c9c0622de096e1 Mon Sep 17 00:00:00 2001
+From: Christoph Ostarek <christoph@zededa.com>
+Date: Wed, 3 Jul 2024 12:46:59 +0200
+Subject: fix utmpx ifdef
+
+02e16ad95fb1f56ab004b01a10aab89f7103c55d did a copy-paste for
+utmpx, but forgot to change the ifdef appropriately
+---
+ loginrec.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/loginrec.c b/loginrec.c
+index 7460bb2c..45f13dee 100644
+--- a/loginrec.c
++++ b/loginrec.c
+@@ -723,7 +723,7 @@ set_utmpx_time(struct logininfo *li, struct utmpx *utx)
+ void
+ construct_utmpx(struct logininfo *li, struct utmpx *utx)
+ {
+-# ifdef HAVE_ADDR_V6_IN_UTMP
++# ifdef HAVE_ADDR_V6_IN_UTMPX
+ 	struct sockaddr_in6 *sa6;
+ #  endif
+ 	memset(utx, '\0', sizeof(*utx));
+@@ -769,7 +769,7 @@ construct_utmpx(struct logininfo *li, struct utmpx *utx)
+ 	if (li->hostaddr.sa.sa_family == AF_INET)
+ 		utx->ut_addr = li->hostaddr.sa_in.sin_addr.s_addr;
+ # endif
+-# ifdef HAVE_ADDR_V6_IN_UTMP
++# ifdef HAVE_ADDR_V6_IN_UTMPX
+ 	/* this is just a 128-bit IPv6 address */
+ 	if (li->hostaddr.sa.sa_family == AF_INET6) {
+ 		sa6 = ((struct sockaddr_in6 *)&li->hostaddr.sa);
+-- 
+cgit v1.2.3
+

0002-upstream-fix-regression-introduced-when-I-switched-the-Match.patch

@@ -0,0 +1,291 @@
+From 66878e12a207fa9746dee3e2bdcca29b704cf035 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Wed, 25 Sep 2024 01:24:04 +0000
+Subject: upstream: fix regression introduced when I switched the "Match"
+
+criteria tokeniser to a more shell-like one. Apparently the old tokeniser
+(accidentally?) allowed "Match criteria=argument" as well as the "Match
+criteria argument" syntax that we tested for.
+
+People were using this syntax so this adds back support for
+"Match criteria=argument"
+
+bz3739 ok dtucker
+
+OpenBSD-Commit-ID: d1eebedb8c902002b75b75debfe1eeea1801f58a
+---
+ misc.c     | 23 ++++++++++++++++++++++-
+ misc.h     |  3 ++-
+ readconf.c | 28 +++++++++++++++++++++++-----
+ servconf.c | 57 ++++++++++++++++++++++++++++++++++++++++++---------------
+ 4 files changed, 89 insertions(+), 22 deletions(-)
+
+diff --git a/misc.c b/misc.c
+index afdf5142..1b4b55c5 100644
+--- a/misc.c
++++ b/misc.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: misc.c,v 1.196 2024/06/06 17:15:25 djm Exp $ */
++/* $OpenBSD: misc.c,v 1.197 2024/09/25 01:24:04 djm Exp $ */
+ /*
+  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+  * Copyright (c) 2005-2020 Damien Miller.  All rights reserved.
+@@ -107,6 +107,27 @@ rtrim(char *s)
+ 	}
+ }
+ 
++/*
++ * returns pointer to character after 'prefix' in 's' or otherwise NULL
++ * if the prefix is not present.
++ */
++const char *
++strprefix(const char *s, const char *prefix, int ignorecase)
++{
++	size_t prefixlen;
++
++	if ((prefixlen = strlen(prefix)) == 0)
++		return s;
++	if (ignorecase) {
++		if (strncasecmp(s, prefix, prefixlen) != 0)
++			return NULL;
++	} else {
++		if (strncmp(s, prefix, prefixlen) != 0)
++			return NULL;
++	}
++	return s + prefixlen;
++}
++
+ /* set/unset filedescriptor to non-blocking */
+ int
+ set_nonblock(int fd)
+diff --git a/misc.h b/misc.h
+index 11340389..efecdf1a 100644
+--- a/misc.h
++++ b/misc.h
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: misc.h,v 1.109 2024/06/06 17:15:25 djm Exp $ */
++/* $OpenBSD: misc.h,v 1.110 2024/09/25 01:24:04 djm Exp $ */
+ 
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+@@ -56,6 +56,7 @@ struct ForwardOptions {
+ char	*chop(char *);
+ void	 rtrim(char *);
+ void	skip_space(char **);
++const char *strprefix(const char *, const char *, int);
+ char	*strdelim(char **);
+ char	*strdelimw(char **);
+ int	 set_nonblock(int);
+diff --git a/readconf.c b/readconf.c
+index 3d9cc6db..de42fb6f 100644
+--- a/readconf.c
++++ b/readconf.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: readconf.c,v 1.390 2024/09/15 00:57:36 djm Exp $ */
++/* $OpenBSD: readconf.c,v 1.391 2024/09/25 01:24:04 djm Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -710,7 +710,7 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
+     struct passwd *pw, const char *host_arg, const char *original_host,
+     int final_pass, int *want_final_pass, const char *filename, int linenum)
+ {
+-	char *arg, *oattrib, *attrib, *cmd, *host, *criteria;
++	char *arg, *oattrib, *attrib = NULL, *cmd, *host, *criteria;
+ 	const char *ruser;
+ 	int r, this_result, result = 1, attributes = 0, negate;
+ 
+@@ -731,7 +731,8 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
+ 
+ 	debug2("checking match for '%s' host %s originally %s",
+ 	    full_line, host, original_host);
+-	while ((oattrib = attrib = argv_next(acp, avp)) != NULL) {
++	while ((oattrib = argv_next(acp, avp)) != NULL) {
++		attrib = xstrdup(oattrib);
+ 		/* Terminate on comment */
+ 		if (*attrib == '#') {
+ 			argv_consume(acp);
+@@ -777,9 +778,23 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
+ 			    this_result ? "" : "not ", oattrib);
+ 			continue;
+ 		}
++
++		/* Keep this list in sync with below */
++		if (strprefix(attrib, "host=", 1)  != NULL ||
++		    strprefix(attrib, "originalhost=", 1) != NULL ||
++		    strprefix(attrib, "user=", 1) != NULL ||
++		    strprefix(attrib, "localuser=", 1) != NULL ||
++		    strprefix(attrib, "localnetwork=", 1) != NULL ||
++		    strprefix(attrib, "tagged=", 1) != NULL ||
++		    strprefix(attrib, "exec=", 1) != NULL) {
++			arg = strchr(attrib, '=');
++			*(arg++) = '\0';
++		} else {
++			arg = argv_next(acp, avp);
++		}
++
+ 		/* All other criteria require an argument */
+-		if ((arg = argv_next(acp, avp)) == NULL ||
+-		    *arg == '\0' || *arg == '#') {
++		if (arg == NULL || *arg == '\0' || *arg == '#') {
+ 			error("Missing Match criteria for %s", attrib);
+ 			result = -1;
+ 			goto out;
+@@ -856,6 +871,8 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
+ 		    criteria == NULL ? "" : criteria,
+ 		    criteria == NULL ? "" : "\"");
+ 		free(criteria);
++		free(attrib);
++		attrib = NULL;
+ 	}
+ 	if (attributes == 0) {
+ 		error("One or more attributes required for Match");
+@@ -865,6 +882,7 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
+  out:
+ 	if (result != -1)
+ 		debug2("match %sfound", result ? "" : "not ");
++	free(attrib);
+ 	free(host);
+ 	return result;
+ }
+diff --git a/servconf.c b/servconf.c
+index 89b8413e..dd774f46 100644
+--- a/servconf.c
++++ b/servconf.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: servconf.c,v 1.418 2024/09/15 03:09:44 djm Exp $ */
++/* $OpenBSD: servconf.c,v 1.419 2024/09/25 01:24:04 djm Exp $ */
+ /*
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+  *                    All rights reserved
+@@ -1033,7 +1033,7 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
+     int line, struct connection_info *ci)
+ {
+ 	int result = 1, attributes = 0, port;
+-	char *arg, *attrib;
++	char *arg, *attrib = NULL, *oattrib;
+ 
+ 	if (ci == NULL)
+ 		debug3("checking syntax for 'Match %s'", full_line);
+@@ -1047,7 +1047,8 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
+ 		    ci->laddress ? ci->laddress : "(null)", ci->lport);
+ 	}
+ 
+-	while ((attrib = argv_next(acp, avp)) != NULL) {
++	while ((oattrib = argv_next(acp, avp)) != NULL) {
++		attrib = xstrdup(oattrib);
+ 		/* Terminate on comment */
+ 		if (*attrib == '#') {
+ 			argv_consume(acp); /* mark all arguments consumed */
+@@ -1062,11 +1063,13 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
+ 			    *arg != '\0' && *arg != '#')) {
+ 				error("'all' cannot be combined with other "
+ 				    "Match attributes");
+-				return -1;
++				result = -1;
++				goto out;
+ 			}
+ 			if (arg != NULL && *arg == '#')
+ 				argv_consume(acp); /* consume remaining args */
+-			return 1;
++			result = 1;
++			goto out;
+ 		}
+ 		/* Criterion "invalid-user" also has no argument */
+ 		if (strcasecmp(attrib, "invalid-user") == 0) {
+@@ -1078,11 +1081,26 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
+ 				debug("matched invalid-user at line %d", line);
+ 			continue;
+ 		}
++
++		/* Keep this list in sync with below */
++		if (strprefix(attrib, "user=", 1) != NULL ||
++		    strprefix(attrib, "group=", 1) != NULL ||
++		    strprefix(attrib, "host=", 1) != NULL ||
++		    strprefix(attrib, "address=", 1) != NULL ||
++		    strprefix(attrib, "localaddress=", 1) != NULL ||
++		    strprefix(attrib, "localport=", 1) != NULL ||
++		    strprefix(attrib, "rdomain=", 1) != NULL) {
++			arg = strchr(attrib, '=');
++			*(arg++) = '\0';
++		} else {
++			arg = argv_next(acp, avp);
++		}
++
+ 		/* All other criteria require an argument */
+-		if ((arg = argv_next(acp, avp)) == NULL ||
+-		    *arg == '\0' || *arg == '#') {
++		if (arg == NULL || *arg == '\0' || *arg == '#') {
+ 			error("Missing Match criteria for %s", attrib);
+-			return -1;
++			result = -1;
++			goto out;
+ 		}
+ 		if (strcasecmp(attrib, "user") == 0) {
+ 			if (ci == NULL || (ci->test && ci->user == NULL)) {
+@@ -1105,7 +1123,8 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
+ 				match_test_missing_fatal("Group", "user");
+ 			switch (match_cfg_line_group(arg, line, ci->user)) {
+ 			case -1:
+-				return -1;
++				result = -1;
++				goto out;
+ 			case 0:
+ 				result = 0;
+ 			}
+@@ -1141,7 +1160,8 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
+ 				result = 0;
+ 				break;
+ 			case -2:
+-				return -1;
++				result = -1;
++				goto out;
+ 			}
+ 		} else if (strcasecmp(attrib, "localaddress") == 0){
+ 			if (ci == NULL || (ci->test && ci->laddress == NULL)) {
+@@ -1166,13 +1186,15 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
+ 				result = 0;
+ 				break;
+ 			case -2:
+-				return -1;
++				result = -1;
++				goto out;
+ 			}
+ 		} else if (strcasecmp(attrib, "localport") == 0) {
+ 			if ((port = a2port(arg)) == -1) {
+ 				error("Invalid LocalPort '%s' on Match line",
+ 				    arg);
+-				return -1;
++				result = -1;
++				goto out;
+ 			}
+ 			if (ci == NULL || (ci->test && ci->lport == -1)) {
+ 				result = 0;
+@@ -1200,16 +1222,21 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
+ 				debug("user %.100s matched 'RDomain %.100s' at "
+ 				    "line %d", ci->rdomain, arg, line);
+ 		} else {
+-			error("Unsupported Match attribute %s", attrib);
+-			return -1;
++			error("Unsupported Match attribute %s", oattrib);
++			result = -1;
++			goto out;
+ 		}
++		free(attrib);
++		attrib = NULL;
+ 	}
+ 	if (attributes == 0) {
+ 		error("One or more attributes required for Match");
+ 		return -1;
+ 	}
+-	if (ci != NULL)
++ out:
++	if (ci != NULL && result != -1)
+ 		debug3("match %sfound", result ? "" : "not ");
++	free(attrib);
+ 	return result;
+ }
+ 
+-- 
+cgit v1.2.3
+

0003-upstream-fix-previous-change-to-ssh_config-Match_-which-broken-on.patch

@@ -0,0 +1,65 @@
+From 19bcb2d90c6caf14abf386b644fb24eb7afab889 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Thu, 26 Sep 2024 23:55:08 +0000
+Subject: upstream: fix previous change to ssh_config Match, which broken on
+
+negated Matches; spotted by phessler@ ok deraadt@
+
+OpenBSD-Commit-ID: b1c6acec66cd5bd1252feff1d02ad7129ced37c7
+---
+ readconf.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/readconf.c b/readconf.c
+index de42fb6f..9f559269 100644
+--- a/readconf.c
++++ b/readconf.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: readconf.c,v 1.391 2024/09/25 01:24:04 djm Exp $ */
++/* $OpenBSD: readconf.c,v 1.392 2024/09/26 23:55:08 djm Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -710,7 +710,7 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
+     struct passwd *pw, const char *host_arg, const char *original_host,
+     int final_pass, int *want_final_pass, const char *filename, int linenum)
+ {
+-	char *arg, *oattrib, *attrib = NULL, *cmd, *host, *criteria;
++	char *arg, *oattrib = NULL, *attrib = NULL, *cmd, *host, *criteria;
+ 	const char *ruser;
+ 	int r, this_result, result = 1, attributes = 0, negate;
+ 
+@@ -731,8 +731,8 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
+ 
+ 	debug2("checking match for '%s' host %s originally %s",
+ 	    full_line, host, original_host);
+-	while ((oattrib = argv_next(acp, avp)) != NULL) {
+-		attrib = xstrdup(oattrib);
++	while ((attrib = argv_next(acp, avp)) != NULL) {
++		attrib = oattrib = xstrdup(attrib);
+ 		/* Terminate on comment */
+ 		if (*attrib == '#') {
+ 			argv_consume(acp);
+@@ -871,8 +871,8 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
+ 		    criteria == NULL ? "" : criteria,
+ 		    criteria == NULL ? "" : "\"");
+ 		free(criteria);
+-		free(attrib);
+-		attrib = NULL;
++		free(oattrib);
++		oattrib = attrib = NULL;
+ 	}
+ 	if (attributes == 0) {
+ 		error("One or more attributes required for Match");
+@@ -882,7 +882,7 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
+  out:
+ 	if (result != -1)
+ 		debug2("match %sfound", result ? "" : "not ");
+-	free(attrib);
++	free(oattrib);
+ 	free(host);
+ 	return result;
+ }
+-- 
+cgit v1.2.3
+

0004-upstream-fix-ML-KEM768x25519-KEX-on-big-endian-systems-spotted-by.patch

@@ -0,0 +1,94 @@
+From 11f348196b3fb51c3d8d1f4f36db9d73f03149ed Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Sun, 27 Oct 2024 02:06:01 +0000
+Subject: upstream: fix ML-KEM768x25519 KEX on big-endian systems; spotted by
+
+jsg@ feedback/ok deraadt@
+
+OpenBSD-Commit-ID: 26d81a430811672bc762687166986cad40d28cc0
+---
+ libcrux_mlkem768_sha3.h |  8 +++++---
+ mlkem768.sh             | 17 ++++++++++++-----
+ 2 files changed, 17 insertions(+), 8 deletions(-)
+
+diff --git a/libcrux_mlkem768_sha3.h b/libcrux_mlkem768_sha3.h
+index a82d60e8..b8ac1436 100644
+--- a/libcrux_mlkem768_sha3.h
++++ b/libcrux_mlkem768_sha3.h
+@@ -1,4 +1,5 @@
+-/*  $OpenBSD: libcrux_mlkem768_sha3.h,v 1.1 2024/09/02 12:13:56 djm Exp $ */
++/*  $OpenBSD: libcrux_mlkem768_sha3.h,v 1.2 2024/10/27 02:06:01 djm Exp $ */
++
+ /* Extracted from libcrux revision 84c5d87b3092c59294345aa269ceefe0eb97cc35 */
+ 
+ /*
+@@ -160,18 +161,19 @@ static inline void Eurydice_slice_to_array3(uint8_t *dst_tag, char *dst_ok,
+ // CORE STUFF (conversions, endianness, ...)
+ 
+ static inline void core_num__u64_9__to_le_bytes(uint64_t v, uint8_t buf[8]) {
++  v = htole64(v);
+   memcpy(buf, &v, sizeof(v));
+ }
+ static inline uint64_t core_num__u64_9__from_le_bytes(uint8_t buf[8]) {
+   uint64_t v;
+   memcpy(&v, buf, sizeof(v));
+-  return v;
++  return le64toh(v);
+ }
+ 
+ static inline uint32_t core_num__u32_8__from_le_bytes(uint8_t buf[4]) {
+   uint32_t v;
+   memcpy(&v, buf, sizeof(v));
+-  return v;
++  return le32toh(v);
+ }
+ 
+ static inline uint32_t core_num__u8_6__count_ones(uint8_t x0) {
+diff --git a/mlkem768.sh b/mlkem768.sh
+index 2fdc2831..3d12b2ed 100644
+--- a/mlkem768.sh
++++ b/mlkem768.sh
+@@ -1,9 +1,10 @@
+ #!/bin/sh
+-#       $OpenBSD: mlkem768.sh,v 1.2 2024/09/04 05:11:33 djm Exp $
++#       $OpenBSD: mlkem768.sh,v 1.3 2024/10/27 02:06:01 djm Exp $
+ #       Placed in the Public Domain.
+ #
+ 
+-WANT_LIBCRUX_REVISION="origin/main"
++#WANT_LIBCRUX_REVISION="origin/main"
++WANT_LIBCRUX_REVISION="84c5d87b3092c59294345aa269ceefe0eb97cc35"
+ 
+ FILES="
+ 	libcrux/libcrux-ml-kem/cg/eurydice_glue.h
+@@ -47,6 +48,7 @@ echo '#define KRML_NOINLINE __attribute__((noinline, unused))'
+ echo '#define KRML_HOST_EPRINTF(...)'
+ echo '#define KRML_HOST_EXIT(x) fatal_f("internal error")'
+ echo
++
+ for i in $FILES; do
+ 	echo "/* from $i */"
+ 	# Changes to all files:
+@@ -56,11 +58,16 @@ for i in $FILES; do
+ 	    -e 's/[	 ]*$//' \
+ 	    $i | \
+ 	case "$i" in
+-	# XXX per-file handling goes here.
++	*/libcrux-ml-kem/cg/eurydice_glue.h)
++		# Replace endian functions with versions that work.
++		perl -0777 -pe 's/(static inline void core_num__u64_9__to_le_bytes.*\n)([^}]*\n)/\1  v = htole64(v);\n\2/' |
++		perl -0777 -pe 's/(static inline uint64_t core_num__u64_9__from_le_bytes.*?)return v;/\1return le64toh(v);/s' |
++		perl -0777 -pe 's/(static inline uint32_t core_num__u32_8__from_le_bytes.*?)return v;/\1return le32toh(v);/s'
++		;;
+ 	# Default: pass through.
+ 	*)
+-	    cat
+-	    ;;
++		cat
++		;;
+ 	esac
+ 	echo
+ done
+-- 
+cgit v1.2.3
+

fix-audit-fail-attempt.patch

@@ -1,23 +0,0 @@
-Index: openssh-9.8p1/sshd-session.c
-===================================================================
---- openssh-9.8p1.orig/sshd-session.c
-+++ openssh-9.8p1/sshd-session.c
-@@ -1624,9 +1624,6 @@ cleanup_exit(int i)
- 			}
- 		}
- 	}
--	/* Override default fatal exit value when auth was attempted */
--	if (i == 255 && auth_attempted)
--		_exit(EXIT_AUTH_ATTEMPTED);
- #ifdef SSH_AUDIT_EVENTS
- 	/* done after do_cleanup so it can cancel the PAM auth 'thread' */
-        if (the_active_state != NULL &&
-@@ -1636,5 +1633,8 @@ cleanup_exit(int i)
- #endif
- 
- 	clobber_stack();
-+	/* Override default fatal exit value when auth was attempted */
-+	if (i == 255 && auth_attempted)
-+		_exit(EXIT_AUTH_ATTEMPTED);
- 	_exit(i);
- }

fix-memleak-in-process_server_config_line_depth.patch

@@ -1,39 +0,0 @@
-From fcc66557503124ab98491a598b706a24eb3cf0e1 Mon Sep 17 00:00:00 2001
-From: Antonio Larrosa <alarrosa@suse.com>
-Date: Mon, 12 Aug 2024 11:32:42 +0200
-Subject: [PATCH] Fix a small memory leak in process_server_config_line_depth
-
-The return value of argv_assemble is owned by the caller and should be
-free'd. When processing the sSubsystem case there are two calls to
-argv_assemble but only one of them is freed. This patch fixes the small
-(29 bytes according to valgrind) memory leak.
-
-The output from valgrind:
-==115369== 29 bytes in 1 blocks are definitely lost in loss record 573 of 913
-==115369==    at 0x4845794: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
-==115369==    by 0x124A22: argv_assemble (misc.c:2165)
-==115369==    by 0x1385E5: process_server_config_line_depth.constprop.0 (servconf.c:2004)
-==115369==    by 0x13984D: parse_server_config_depth.constprop.0 (servconf.c:3032)
-==115369==    by 0x139986: parse_server_config.constprop.0 (servconf.c:3049)
-==115369==    by 0x111C6E: main (sshd.c:1445)
-
-Submitted to upstream at https://github.com/openssh/openssh-portable/pull/515
----
- servconf.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/servconf.c b/servconf.c
-index 5a20d6f8..0b989b95 100644
---- a/servconf.c
-+++ b/servconf.c
-@@ -2006,6 +2006,7 @@ process_server_config_line_depth(ServerOptions *options, char *line,
- 		xasprintf(&options->subsystem_args[options->num_subsystems],
- 		    "%s%s%s", arg, *arg2 == '\0' ? "" : " ", arg2);
- 		free(arg2);
-+		free(arg);
- 		argv_consume(&ac);
- 		options->num_subsystems++;
- 		break;
--- 
-2.45.2
-

fix-x11-regression-bsc1229449.patch

@@ -0,0 +1,56 @@
+Index: openssh-9.9p1/clientloop.c
+===================================================================
+--- openssh-9.9p1.orig/clientloop.c
++++ openssh-9.9p1/clientloop.c
+@@ -663,9 +663,10 @@ obfuscate_keystroke_timing(struct ssh *s
+ 	if (just_started)
+ 		return 1;
+ 
+-	/* Don't arm output fd for poll until the timing interval has elapsed */
++	/* Don't arm output fd for poll until the timing interval has elapsed... */
+ 	if (timespeccmp(&now, &next_interval, <))
+-		return 0;
++		/* ...unless there's x11 communicattion happening */
++		return x11_channel_used_recently(ssh);
+ 
+ 	/* Calculate number of intervals missed since the last check */
+ 	n = (now.tv_sec - next_interval.tv_sec) * 1000LL * 1000 * 1000;
+Index: openssh-9.9p1/channels.c
+===================================================================
+--- openssh-9.9p1.orig/channels.c
++++ openssh-9.9p1/channels.c
+@@ -5352,3 +5352,22 @@ x11_request_forwarding_with_spoofing(str
+ 		fatal_fr(r, "send x11-req");
+ 	free(new_data);
+ }
++
++/*
++ * Returns whether an x11 channel was used recently (less than a second ago)
++ */
++int
++x11_channel_used_recently(struct ssh *ssh) {
++	u_int i;
++	Channel *c;
++	time_t lastused = 0;
++
++	for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
++	    c = ssh->chanctxt->channels[i];
++	    if (c == NULL || c->ctype == NULL || c->lastused == 0 ||
++		strcmp(c->ctype, "x11-connection"))
++		continue;
++	    lastused = c->lastused;
++	}
++	return (lastused != 0 && monotime() < lastused + 1);
++}
+Index: openssh-9.9p1/channels.h
+===================================================================
+--- openssh-9.9p1.orig/channels.h
++++ openssh-9.9p1/channels.h
+@@ -382,6 +382,7 @@ int	 x11_connect_display(struct ssh *);
+ int	 x11_create_display_inet(struct ssh *, int, int, int, u_int *, int **);
+ void	 x11_request_forwarding_with_spoofing(struct ssh *, int,
+ 	    const char *, const char *, const char *, int);
++int      x11_channel_used_recently(struct ssh *ssh);
+ 
+ /* channel close */
+ 

openssh-7.7p1-fips.patch

@@ -754,7 +754,7 @@ Index: openssh-9.6p1/ssh-keygen.c
 @@ -3794,6 +3815,15 @@ main(int argc, char **argv)
  		key_type_name = DEFAULT_KEY_TYPE_NAME;
  
- 	type = sshkey_type_from_name(key_type_name);
+ 	type = sshkey_type_from_shortname(key_type_name);
 +
 +	/* protocol v1 is not allowed in FIPS mode, DSA is not acceptable because
 +	 * it has to be 1024 bit due to RFC 4253 using SHA-1 which implies 1024 bit

openssh-8.0p1-gssapi-keyex.patch

@@ -5,7 +5,7 @@ index e7549470..b68c1710 100644
 @@ -109,6 +109,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
  	kex.o kex-names.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
  	kexgexc.o kexgexs.o \
- 	kexsntrup761x25519.o sntrup761.o kexgen.o \
+ 	kexsntrup761x25519.o kexmlkem768x25519.o sntrup761.o kexgen.o \
 +	kexgssc.o \
  	sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \
  	sshbuf-io.o
@@ -1293,9 +1293,9 @@ index a5ae6ac0..fe714141 100644
 --- a/kex.h
 +++ b/kex.h
 @@ -102,6 +102,15 @@ enum kex_exchange {
- 	KEX_ECDH_SHA2,
  	KEX_C25519_SHA256,
  	KEX_KEM_SNTRUP761X25519_SHA512,
+ 	KEX_KEM_MLKEM768X25519_SHA256,
 +#ifdef GSSAPI
 +	KEX_GSS_GRP1_SHA1,
 +	KEX_GSS_GRP14_SHA1,
@@ -3488,7 +3488,7 @@ index af00fb30..03bc87eb 100644
  
  	free(hkalgs);
  
-@@ -224,14 +256,44 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
+@@ -224,15 +256,45 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
  # ifdef OPENSSL_HAS_ECC
  	ssh->kex->kex[KEX_ECDH_SHA2] = kex_gen_client;
  # endif
@@ -3507,6 +3507,7 @@ index af00fb30..03bc87eb 100644
 +#endif /* WITH_OPENSSL */
  	ssh->kex->kex[KEX_C25519_SHA256] = kex_gen_client;
  	ssh->kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_client;
+ 	ssh->kex->kex[KEX_KEM_MLKEM768X25519_SHA256] = kex_gen_client;
  	ssh->kex->verify_host_key=&verify_host_key_callback;
  
 +#if defined(GSSAPI) && defined(WITH_OPENSSL)
@@ -3758,7 +3759,7 @@ index 60b2aaf7..d92f03aa 100644
 +#endif /* WITH_OPENSSL */
  	kex->kex[KEX_C25519_SHA256] = kex_gen_server;
  	kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_server;
- 	kex->load_host_public_key=&get_hostkey_public_by_type;
+  	kex->kex[KEX_KEM_MLKEM768X25519_SHA256] = kex_gen_server;
 diff --git a/sshd_config b/sshd_config
 index 19b7c91a..2c48105f 100644
 --- a/sshd_config

openssh-8.1p1-audit.patch

@@ -3,7 +3,7 @@ Index: openssh-8.9p1/Makefile.in
 --- openssh-8.9p1.orig/Makefile.in
 +++ openssh-8.9p1/Makefile.in
 @@ -116,7 +116,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
- 	kexsntrup761x25519.o sntrup761.o kexgen.o \
+ 	kexsntrup761x25519.o kexmlkem768x25519.o sntrup761.o kexgen.o \
  	kexgssc.o \
  	sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \
 -	sshbuf-io.o
@@ -2245,7 +2245,7 @@ Index: openssh-8.9p1/sshd-session.c
  
  	if (the_active_state != NULL && the_authctxt != NULL) {
 @@ -2525,7 +2593,9 @@ cleanup_exit(int i)
- 		_exit(EXIT_AUTH_ATTEMPTED);
+ 	}
  #ifdef SSH_AUDIT_EVENTS
  	/* done after do_cleanup so it can cancel the PAM auth 'thread' */
 -	if (the_active_state != NULL && mm_is_monitor())
@@ -2254,12 +2254,22 @@ Index: openssh-8.9p1/sshd-session.c
 +           mm_is_monitor())
  		audit_event(the_active_state, SSH_CONNECTION_ABANDON);
  #endif
- 	_exit(i);
+ 	/* Override default fatal exit value when auth was attempted */
 Index: openssh-8.9p1/sshkey.c
 ===================================================================
 --- openssh-8.9p1.orig/sshkey.c
 +++ openssh-8.9p1/sshkey.c
-@@ -400,6 +400,38 @@ sshkey_type_is_valid_ca(int type)
+@@ -35,6 +35,9 @@ sshkey_type_is_valid_ca(int type)
+ #include <openssl/evp.h>
+ #include <openssl/err.h>
+ #include <openssl/pem.h>
++# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
++# include <openssl/core_names.h>
++# endif
+ #endif
+ 
+ #include "crypto_api.h"
+@@ -400,6 +403,53 @@ sshkey_type_is_valid_ca(int type)
  }
  
  int
@@ -2267,23 +2277,38 @@ Index: openssh-8.9p1/sshkey.c
 +{
 +      switch (k->type) {
 +#ifdef WITH_OPENSSL
++# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
 +      case KEY_RSA_CERT:
-+      case KEY_RSA: {
++      case KEY_RSA:
-+              const BIGNUM *d;
++      case KEY_ECDSA_CERT:
-+              RSA_get0_key(k->rsa, NULL, NULL, &d);
++      case KEY_ECDSA: {
++              BIGNUM *d = NULL;
++              EVP_PKEY_get_bn_param(k->pkey, OSSL_PKEY_PARAM_PRIV_KEY, &d);
 +              return d != NULL;
 +          }
++# else /* OPENSSL < 3.0.0 */
++      case KEY_RSA_CERT:
++      case KEY_RSA: {
++              const BIGNUM *d = NULL;
++              RSA *rsakey = EVP_PKEY_get0_RSA(k->pkey);
++              if (rsakey)
++                  RSA_get0_key(rsakey, NULL, NULL, &d);
++              return d != NULL;
++          }
++#  ifdef OPENSSL_HAS_ECC
++      case KEY_ECDSA_CERT:
++      case KEY_ECDSA: {
++              EC_KEY *eckey = EVP_PKEY_get0_EC_KEY(k->pkey);
++              return (eckey != NULL) && (EC_KEY_get0_private_key(eckey) != NULL);
++          }
++#  endif /* OPENSSL_HAS_ECC */
++# endif /* OPENSSL < 3.0.0 */
 +      case KEY_DSA_CERT:
 +      case KEY_DSA: {
-+              const BIGNUM *priv_key;
++              const BIGNUM *priv_key = NULL;
 +              DSA_get0_key(k->dsa, NULL, &priv_key);
 +              return priv_key != NULL;
 +          }
-+#ifdef OPENSSL_HAS_ECC
-+      case KEY_ECDSA_CERT:
-+      case KEY_ECDSA:
-+              return EC_KEY_get0_private_key(k->ecdsa) != NULL;
-+#endif /* OPENSSL_HAS_ECC */
 +#endif /* WITH_OPENSSL */
 +      case KEY_ED25519_CERT:
 +      case KEY_ED25519:
@@ -2303,9 +2328,9 @@ Index: openssh-8.9p1/sshkey.h
 --- openssh-8.9p1.orig/sshkey.h
 +++ openssh-8.9p1/sshkey.h
 @@ -189,6 +189,7 @@ int		 sshkey_shield_private(struct sshke
- int		 sshkey_unshield_private(struct sshkey *);
  
  int	 sshkey_type_from_name(const char *);
+ int	 sshkey_type_from_shortname(const char *);
 +int	 sshkey_is_private(const struct sshkey *);
  int	 sshkey_is_cert(const struct sshkey *);
  int	 sshkey_is_sk(const struct sshkey *);

openssh-9.6p1-crypto-policies-man.patch

@@ -160,7 +160,7 @@ Index: openssh-9.6p1/ssh_config.5
  .It Cm HostKeyAlias
  Specifies an alias that should be used instead of the
  real host name when looking up or saving the host key
-@@ -1311,36 +1313,30 @@ it may be zero or more of:
+@@ -1311,37 +1313,30 @@ it may be zero or more of:
  and
  .Cm pam .
  .It Cm KexAlgorithms
@@ -172,7 +172,7 @@ Index: openssh-9.6p1/ssh_config.5
 +.Pp
  Specifies the permitted KEX (Key Exchange) algorithms that will be used and
  their preference order.
- The selected algorithm will the the first algorithm in this list that
+ The selected algorithm will be the first algorithm in this list that
  the server also supports.
  Multiple algorithms must be comma-separated.
  .Pp
@@ -194,7 +194,8 @@ Index: openssh-9.6p1/ssh_config.5
 -.Pp
 -The default is:
 -.Bd -literal -offset indent
--sntrup761x25519-sha512@openssh.com,
+-sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,
+-mlkem768x25519-sha256,
 -curve25519-sha256,curve25519-sha256@libssh.org,
 -ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
 -diffie-hellman-group-exchange-sha256,
@@ -534,13 +535,14 @@ Index: openssh-9.6p1/sshd_config.5
  .Pp
  The supported algorithms are:
  .Pp
-@@ -1072,16 +1057,6 @@ ecdh-sha2-nistp521
+@@ -1072,17 +1057,6 @@ ecdh-sha2-nistp521
  sntrup761x25519-sha512@openssh.com
  .El
  .Pp
 -The default is:
 -.Bd -literal -offset indent
--sntrup761x25519-sha512@openssh.com,
+-sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,
+-mlkem768x25519-sha256,
 -curve25519-sha256,curve25519-sha256@libssh.org,
 -ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
 -diffie-hellman-group-exchange-sha256,

openssh-9.8p1.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:dd8bd002a379b5d499dfb050dd1fa9af8029e80461f4bb6c523c49973f5a39f3
-size 1910393

openssh-9.8p1.tar.gz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmaCMn0ACgkQKj9BTnNg
-YLrjcBAAgO7xhKUXp8YxdqSZigDbcHu7T37bm1pRTKg2ihPepz+q6pV+DY8AHSRu
-eyuOCOHYzjLyArFpiMX3z9iT2NqO+KNBvKQoh8loaxNrECmgRGk2jBEKiibFSP5M
-i6CYkF3sET9xnVDkt4P6KievWXY1/Tl93qve3K2a/bvvgT8s2AaBMM8u4BMGNm3D
-sc3A6euN0aiXRts2V6I885VyrQDMK++E7+eTHet0ex82KH4I+ceIOwB48hny4wpb
-Zaqy9pTFisTmFNOF6d3TB58yMWoLQIbLuVrbbbcr7hFYCWsgj0yN5iYQNOR9pU4E
-ooF+aC0kK9M4iUXthzjjgIjnMzsCmPeKisbwblsPSfSgccj/pCMzW8C3CMVL6AvG
-slSSLK42qm3f38kx3sg2S8LDW0v+hoyvBmKNFMiBwsF2tWCXIG+oP1PDYpJUpaOJ
-RFHG7JEPtY94UJGdo5C4YhqDWr3HOqEwuVIt1gWMMPs9IvDkDRo6emmDd64FFAKH
-ss3hHixu6OHqU5iw6JIVVtYiur6s9m6N/Xxt5Ho6wuqnzUZ+Dwj3L6lF9IOJbJxU
-Ufb70I1Uko9kXcoje9ONUsqr88wfQY+JZxxVTlzDUDadytCzmO3wXsz+cosMQ5Rw
-aOZwXYyvmcoZuUQG8GIqRO1wfOcD7o7pI6IyVJQjOeG/rA0eu/4=
-=Gj2n
------END PGP SIGNATURE-----

openssh-9.9p1.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmbspccACgkQKj9BTnNg
+YLppxRAAv7eU/Xd2w9MX9vWQdhugiPByEcKg7KuKXUUs9xJGy+HbLqPqUCvn1UW6
+qodKoSAdeBuSB7AjzuIQ1lTVX7C67OmZaVPRq25ar5b+Wq4SSlv23KMRq0b4EVyw
+pOW6R9tsxqYBwYaiXQ50APcYL8SpepnGU+b/iR15f7q3SU2XMVVtkVb149UdLOqK
+smfurbDGwUKFb2Q009MUfEV/d9zq31tdSjphvkqAXCcmxc8siuOYWYcByuysie+m
+NpaOpee0047L5JIxNSLsa2yZrJZhClP8LbTCH1Vfwr7l0KE5nvL2qAtPKI2XxGQC
+3jXrDLzp10RFxV8sCym+QlY9pZyzGj9d3G7vCHtxWGQ1Y0Qt+xs18OeBpjiehRhl
+WM3Y+cjoN35jBaGhOoHdh3ePZQdTUyZ16aSv0h/cUHOohiM7i/4XW+dQtkqsJsw4
+a81O0E64WrL8ho3Ju9mwcVZ9A0aEaftJsmJPDB+qYBjF/i7xcnH32LginzP5pel7
+/W0aS2C1ZNo3QKHezI6IA9MyENMZiAMy2ybvfmN0HgLBaBY1plJ8a5GvMwJc+Qwh
+iCHLCQ6Qgf/1hh+F6liTXnhtedtFHneJdyqvd7XOoardDEipZjxcnGa4HthbDFU+
+8XdHKnWWhn4BLA+y7KB3ZGURniQK+qibwkF6J63CuMU+LmG+bvQ=
+=Ukrb
+-----END PGP SIGNATURE-----

openssh-askpass-gnome.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Sep 23 06:16:59 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
+
+- Update to openssh 9.9p1:
+  * No changes for askpass, see main package changelog for
+    details.
+
 -------------------------------------------------------------------
 Thu Aug  1 09:17:11 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
 

openssh-askpass-gnome.spec

@@ -18,7 +18,7 @@
 
 %define _name openssh
 Name:           openssh-askpass-gnome
-Version:        9.8p1
+Version:        9.9p1
 Release:        0
 Summary:        A GNOME-Based Passphrase Dialog for OpenSSH
 License:        BSD-2-Clause

openssh-mitigate-lingering-secrets.patch

@@ -334,11 +334,12 @@ Index: openssh-9.3p2/sshd-session.c
  	in_cleanup = 1;
  	extern int auth_attempted; /* monitor.c */
  
-@@ -1604,5 +1610,7 @@ cleanup_exit(int i)
+@@ -1604,6 +1610,8 @@ cleanup_exit(int i)
             mm_is_monitor())
  		audit_event(the_active_state, SSH_CONNECTION_ABANDON);
  #endif
 +
 +	clobber_stack();
- 	_exit(i);
+ 	/* Override default fatal exit value when auth was attempted */
- }
+ 	if (i == 255 && auth_attempted)
+ 		_exit(EXIT_AUTH_ATTEMPTED);

openssh.changes

@@ -1,3 +1,192 @@
+-------------------------------------------------------------------
+Mon Oct 28 11:18:04 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
+
+- Don't force using gcc11 on SLFO/ALP which have a newer version.
+
+-------------------------------------------------------------------
+Mon Oct 28 10:29:33 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
+
+- Add patches from upstream:
+  - To fix a copy&paste oversight in an ifdef :
+  * 0001-fix-utmpx-ifdef.patch
+  - To fix a regression introduced when the "Match" criteria
+    tokenizer was modified since it stopped supporting the
+    "Match criteria=argument" format:
+  * 0002-upstream-fix-regression-introduced-when-I-switched-the-Match.patch
+  - To fix the previous patch which broke on negated Matches:
+  * 0003-upstream-fix-previous-change-to-ssh_config-Match_-which-broken-on.patch
+  - To fix the ML-KEM768x25519 kex algorithm on big-endian systems:
+  * 0004-upstream-fix-ML-KEM768x25519-KEX-on-big-endian-systems-spotted-by.patch
+
+-------------------------------------------------------------------
+Mon Oct 14 15:06:19 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
+
+- Use %{with ...} instead of 0%{with ...}
+
+-------------------------------------------------------------------
+Fri Oct 11 09:28:30 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
+
+- Add a patch to fix a regression introduced in 9.6 that makes X11
+  forwarding very slow. Submitted to upstream in
+  https://bugzilla.mindrot.org/show_bug.cgi?id=3655#c4 . Fixes
+  bsc#1229449:
+  * fix-x11-regression-bsc1229449.patch
+- Remove empty line at the end of sshd-sle.pamd (bsc#1227456)
+
+-------------------------------------------------------------------
+Wed Sep 25 10:45:17 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
+
+- Add a const to the openssl 1.1/RSA section of sshkey_is_private
+  to keep it similar to what it used before the 9.9 rebase:
+  * openssh-8.1p1-audit.patch
+- Add a openssl11 bcond to the spec file for the SLE12 case
+  instead of checking suse_version in different parts.
+- Move conditional patches to a number >= 1000.
+
+-------------------------------------------------------------------
+Mon Sep 23 06:16:59 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
+
+- Update to openssh 9.9p1:
+  = Future deprecation notice
+  * OpenSSH plans to remove support for the DSA signature algorithm
+    in early 2025. This release disables DSA by default at compile
+    time. DSA, as specified in the SSHv2 protocol, is inherently
+    weak - being limited to a 160 bit private key and use of the
+    SHA1 digest. Its estimated security level is only 80 bits
+    symmetric equivalent.
+    OpenSSH has disabled DSA keys by default since 2015 but has
+    retained run-time optional support for them. DSA was the only
+    mandatory-to-implement algorithm in the SSHv2 RFCs, mostly
+    because alternative algorithms were encumbered by patents when
+    the SSHv2 protocol was specified.
+    This has not been the case for decades at this point and better
+    algorithms are well supported by all actively-maintained SSH
+    implementations. We do not consider the costs of maintaining
+    DSA in OpenSSH to be justified and hope that removing it from
+    OpenSSH can accelerate its wider deprecation in supporting
+    cryptography libraries.
+
+  = Potentially-incompatible changes
+  * ssh(1): remove support for pre-authentication compression.
+    OpenSSH has only supported post-authentication compression in
+    the server for some years. Compression before authentication
+    significantly increases the attack surface of SSH servers and
+    risks creating oracles that reveal information about
+    information sent during authentication.
+  * ssh(1), sshd(8): processing of the arguments to the "Match"
+    configuration directive now follows more shell-like rules for
+    quoted strings, including allowing nested quotes and \-escaped
+    characters. If configurations contained workarounds for the
+    previous simplistic quote handling then they may need to be
+    adjusted. If this is the case, it's most likely to be in the
+    arguments to a "Match exec" confition. In this case, moving the
+    command to be evaluated from the Match line to an external
+    shell script is easiest way to preserve compatibility with both
+    the old and new versions.
+
+  = New features
+  * ssh(1), sshd(8): add support for a new hybrid post-quantum key
+    exchange based on the FIPS 203 Module-Lattice Key Enapsulation
+    mechanism (ML-KEM) combined with X25519 ECDH as described by
+    https://datatracker.ietf.org/doc/html/draft-kampanakis-curdle-ssh-pq-ke-03
+    This algorithm "mlkem768x25519-sha256" is available by default.
+  * ssh(1): the ssh_config "Include" directive can now expand
+    environment as well as the same set of %-tokens "Match Exec"
+    supports.
+  * sshd(8): add a sshd_config "RefuseConnection" option that, if
+    set will terminate the connection at the first authentication
+    request.
+  * sshd(8): add a "refuseconnection" penalty class to sshd_config
+    PerSourcePenalties that is applied when a connection is dropped
+    by the new RefuseConnection keyword.
+  * sshd(8): add a "Match invalid-user" predicate to sshd_config
+    Match options that matches when the target username is not
+    valid on the server.
+  * ssh(1), sshd(8): update the Streamlined NTRUPrime code to a
+    substantially faster implementation.
+  * ssh(1), sshd(8): the hybrid Streamlined NTRUPrime/X25519 key
+    exchange algorithm now has an IANA-assigned name in addition to
+    the "@openssh.com" vendor extension name. This algorithm is now
+    also available under this name "sntrup761x25519-sha512"
+  * ssh(1), sshd(8), ssh-agent(1): prevent private keys from being
+    included in core dump files for most of their lifespans. This
+    is in addition to pre-existing controls in ssh-agent(1) and
+    sshd(8) that prevented coredumps. This feature is supported on
+    OpenBSD, Linux and FreeBSD.
+  * All: convert key handling to use the libcrypto EVP_PKEY API,
+    with the exception of DSA.
+  * sshd(8): add a random amount of jitter (up to 4 seconds) to the
+    grace login time to make its expiry unpredictable.
+
+  = Bugfixes
+  * sshd(8): relax absolute path requirement back to what it was
+    prior to OpenSSH 9.8, which incorrectly required that sshd was
+    started with an absolute path in inetd mode. bz3717
+  * sshd(8): fix regression introduced in openssh-9.8 that swapped
+    the order of source and destination addresses in some sshd log
+    messages.
+  * sshd(8): do not apply authorized_keys options when signature
+    verification fails. Prevents more restrictive key options being
+    incorrectly applied to subsequent keys in authorized_keys.
+    bz3733
+  * ssh-keygen(1): include pathname in some of ssh-keygen's
+    passphrase prompts. Helps the user know what's going on when
+    ssh-keygen is invoked via other tools. Requested in GHPR503
+  * ssh(1), ssh-add(1): make parsing user@host consistently look
+    for the last '@' in the string rather than the first. This
+    makes it possible to more consistently use usernames that
+    contain '@' characters.
+  * ssh(1), sshd(8): be more strict in parsing key type names. Only
+    allow short names (e.g "rsa") in user-interface code and
+    require full SSH protocol names (e.g. "ssh-rsa") everywhere
+    else. bz3725
+  * regress: many performance and correctness improvements to the
+    re-keying regression test.
+  * ssh-keygen(1): clarify that ed25519 is the default key type
+    generated and clarify that rsa-sha2-512 is the default
+    signature scheme when RSA is in use. GHPR505
+  * sshd(8): fix minor memory leak in Subsystem option parsing;
+    GHPR515
+  * All: additional hardening and consistency checks for the sshbuf
+    code.
+  * sshd(8): reduce default logingrace penalty to ensure that a
+    single forgotton login that times out will be below the penalty
+    threshold.
+  * ssh(1): fix proxy multiplexing (-O proxy) bug. If a mux started
+    with ControlPersist then later has a forwarding added using mux
+    proxy connection and the forwarding was used, then when the mux
+    proxy session terminated, the mux master process would issue a
+    bad message that terminated the connection.
+
+  = Portability
+  * sync contrib/ssh-copy-id to the latest upstream version.
+  * regress: improve portablility for some awk(1) usage
+    (e.g. Solaris)
+  * In the contrib/redhat RPM spec file, without_openssl was
+    previously incorrectly enabled unconditionally.
+  * sshd(8) restore audit call before exit that regressed in
+    openssh-9.8. Fixes an issue where the SSH_CONNECTION_ABANDON
+    event was not recorded.
+  * sshd(8): add support for class-imposed loging restrictions on
+    FreeBSD. Allowing auth_hostok(3) and auth_timeok(3) to control
+    logins.
+  * Build fixes for Musl libc.
+  * Fix detection of setres*id on GNU/Hurd
+
+- Drop patches that were already merged by upstream:
+  * fix-memleak-in-process_server_config_line_depth.patch
+  * fix-audit-fail-attempt.patch
+- Rebase patch with significant changes:
+  * openssh-8.1p1-audit.patch
+- Rebase patches with context or trivial changes:
+  * openssh-7.7p1-fips.patch
+  * openssh-8.0p1-gssapi-keyex.patch
+  * openssh-9.6p1-crypto-policies-man.patch
+  * openssh-mitigate-lingering-secrets.patch
+- Several spec file fixes so the package builds and can be
+  installed in SLE 15 SP5 and SLE 12 SP5
+- Use gcc11 when building in SLE12 and SLE15.
+
 -------------------------------------------------------------------
 Thu Sep 12 07:43:18 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
 

openssh.spec

@@ -34,12 +34,24 @@
 %bcond_without allow_root_password_login_by_default
 %endif
 
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150600
+%bcond_without crypto_policies
+%else
+%bcond_with crypto_policies
+%endif
+
+%if 0%{?suse_version} < 1500
+%bcond_without openssl11
+%else
+%bcond_with openssl11
+%endif
+
 #Compat macro for new _fillupdir macro introduced in Nov 2017
 %if ! %{defined _fillupdir}
   %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
 Name:           openssh
-Version:        9.8p1
+Version:        9.9p1
 Release:        0
 Summary:        Secure Shell Client and Server (Remote Login Program)
 License:        BSD-2-Clause AND MIT
@@ -126,20 +138,34 @@ Patch103:       openssh-6.6p1-privsep-selinux.patch
 Patch104:       openssh-6.6p1-keycat.patch
 Patch105:       openssh-6.6.1p1-selinux-contexts.patch
 Patch106:       openssh-7.6p1-cleanup-selinux.patch
-# PATCH-FIX-OPENSUSE bsc#1211301 Add crypto-policies support
+
-Patch107:       openssh-9.6p1-crypto-policies.patch
+# 200 - 300  --  Patches submitted to upstream
-Patch108:       openssh-9.6p1-crypto-policies-man.patch
-Patch109:       fix-memleak-in-process_server_config_line_depth.patch
-# PATCH-FIX-UPSTREAM alarrosa@suse.com -- https://github.com/openssh/openssh-portable/pull/516
-Patch110:       fix-audit-fail-attempt.patch
 # PATCH-FIX-UPSTREAM -- https://github.com/openssh/openssh-portable/pull/452 boo#1229010
-Patch111:       0001-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch
+Patch200:       0001-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch
-%if 0%{with allow_root_password_login_by_default}
+# PATCH-FIX-UPSTREAM -- https://bugzilla.mindrot.org/show_bug.cgi?id=3655#c4
-Patch1000:      openssh-7.7p1-allow_root_password_login.patch
+Patch201:       fix-x11-regression-bsc1229449.patch
+# PATCH-FIX-UPSTREAM -- From the V_9_9 branch
+Patch202:       0001-fix-utmpx-ifdef.patch
+# PATCH-FIX-UPSTREAM -- From the V_9_9 branch
+Patch203:       0002-upstream-fix-regression-introduced-when-I-switched-the-Match.patch
+# PATCH-FIX-UPSTREAM -- From the V_9_9 branch
+Patch204:       0003-upstream-fix-previous-change-to-ssh_config-Match_-which-broken-on.patch
+# PATCH-FIX-UPSTREAM -- From the V_9_9 branch
+Patch205:       0004-upstream-fix-ML-KEM768x25519-KEX-on-big-endian-systems-spotted-by.patch
+
+# 1000 - 2000  --  Conditional patches
+%if %{with crypto_policies}
+# PATCH-FIX-OPENSUSE bsc#1211301 Add crypto-policies support
+Patch1000:      openssh-9.6p1-crypto-policies.patch
+Patch1001:      openssh-9.6p1-crypto-policies-man.patch
+%endif
+%if %{with allow_root_password_login_by_default}
+# PATCH-FIX-SLE Allow root login with password by default (for SLE12 and SLE15)
+Patch1002:      openssh-7.7p1-allow_root_password_login.patch
 %endif
 BuildRequires:  audit-devel
 BuildRequires:  automake
-%if 0%{?sle_version} >= 150500
+%if 0%{?suse_version} < 1600
 BuildRequires:  gcc11
 %endif
 BuildRequires:  groff
@@ -148,7 +174,12 @@ BuildRequires:  libselinux-devel
 %if %{with ldap}
 BuildRequires:  openldap2-devel
 %endif
+%if %{with openssl11}
+BuildRequires:  libopenssl-1_1-devel
+BuildRequires:  openssl-1_1
+%else
 BuildRequires:  openssl-devel
+%endif
 BuildRequires:  pam-devel
 BuildRequires:  pkgconfig
 BuildRequires:  zlib-devel
@@ -158,7 +189,7 @@ BuildRequires:  sysuser-shadow
 BuildRequires:  sysuser-tools
 Requires:       %{name}-clients = %{version}-%{release}
 Requires:       %{name}-server = %{version}-%{release}
-%if 0%{?suse_version} >= 1550
+%if 0%{?suse_version} >= 1550 || 0%{?suse_version} < 1500 
 BuildRequires:  pkgconfig(krb5)
 %else
 BuildRequires:  krb5-mini-devel
@@ -204,14 +235,16 @@ clients.
 Summary:        SSH (Secure Shell) server
 Group:          Productivity/Networking/SSH
 Requires:       %{name}-common = %{version}-%{release}
+%if %{with crypto_policies}
 Requires:       crypto-policies >= 20220824
+%endif
 Recommends:     audit
 Requires(pre):  findutils
 Requires(pre):  grep
 Requires(post): %fillup_prereq
 Requires(post): permissions
 Provides:       openssh:%{_sbindir}/sshd
-%if 0%{with allow_root_password_login_by_default}
+%if %{with allow_root_password_login_by_default}
 # For a brief period of time this package existed in SLE/Leap.
 # It was removed before GM but some people might have it from
 # a beta distribution version (boo#1227350)
@@ -231,7 +264,7 @@ also be forwarded over the secure channel.
 This package contains the Secure Shell daemon, which allows clients to
 securely connect to your server.
 
-%if 0%{with allow_root_password_login_by_default}
+%if %{with allow_root_password_login_by_default}
 %package server-config-disallow-rootlogin
 Summary:        Config to disallow password root logins to sshd
 Group:          Productivity/Networking/SSH
@@ -260,7 +293,9 @@ ssh-copy-id(1).
 %package clients
 Summary:        SSH (Secure Shell) client applications
 Group:          Productivity/Networking/SSH
+%if %{with crypto_policies}
 Requires:       crypto-policies >= 20220824
+%endif
 Requires:       %{name}-common = %{version}-%{release}
 Provides:       openssh:%{_bindir}/ssh
 
@@ -329,7 +364,7 @@ sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \
     )
 
 %build
-%if 0%{?sle_version} >= 150500
+%if 0%{?suse_version} < 1600
 export CC=gcc-11
 %endif
 autoreconf -fiv
@@ -407,7 +442,7 @@ install -m 755 contrib/ssh-copy-id %{buildroot}%{_bindir}
 install -m 644 contrib/ssh-copy-id.1 %{buildroot}%{_mandir}/man1
 sed -i -e s@%{_prefix}/libexec@%{_libexecdir}@g %{buildroot}%{_sysconfdir}/ssh/sshd_config
 
-%if 0%{with allow_root_password_login_by_default}
+%if %{with allow_root_password_login_by_default}
 echo "PermitRootLogin prohibit-password" > %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/51-permit-root-login.conf
 %else
 echo "PermitRootLogin yes" > %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
@@ -419,19 +454,21 @@ mkdir -p %{buildroot}%{_distconfdir}/ssh/ssh{,d}_config.d
 mv %{buildroot}%{_sysconfdir}/ssh/moduli %{buildroot}%{_distconfdir}/ssh/
 mv %{buildroot}%{_sysconfdir}/ssh/ssh_config %{buildroot}%{_distconfdir}/ssh/
 mv %{buildroot}%{_sysconfdir}/ssh/sshd_config %{buildroot}%{_distconfdir}/ssh/
-%if 0%{with allow_root_password_login_by_default}
+%if %{with allow_root_password_login_by_default}
 mv %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/51-permit-root-login.conf %{buildroot}%{_distconfdir}/ssh/sshd_config.d/51-permit-root-login.conf
 %else
 mv %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf %{buildroot}%{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
 %endif
 %endif
 
+%if %{with crypto_policies}
 install -m 644 ssh_config_suse %{buildroot}%{_sysconfdir}/ssh/ssh_config.d/50-suse.conf
 %if %{defined _distconfdir}
 install -m 644 sshd_config_suse_cp %{buildroot}%{_distconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf
 %else
 install -m 644 sshd_config_suse_cp %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf
 %endif
+%endif
 
 %if 0%{?suse_version} < 1550
 # install firewall definitions
@@ -457,13 +494,19 @@ install -m 644 %{SOURCE14} %{buildroot}%{_sysusersdir}/sshd.conf
 #
 # this shows up earlier because otherwise the %%expand of
 # the macro is too late.
+%if %{with openssl11}
+%define opensslbin openssl-1_1
+%else
+%define opensslbin openssl
+%endif
+
 %{expand:%%global __os_install_post {%__os_install_post
 for b in \
         %{_bindir}/ssh \
         %{_sbindir}/sshd \
         %{_libexecdir}/ssh/sftp-server \
         ; do
-    openssl dgst -sha256 -binary -hmac %{CHECKSUM_HMAC_KEY} < %{buildroot}$b > %{buildroot}$b%{CHECKSUM_SUFFIX}
+    %{opensslbin} dgst -sha256 -binary -hmac %{CHECKSUM_HMAC_KEY} < %{buildroot}$b > %{buildroot}$b%{CHECKSUM_SUFFIX}
 done
 
 }}
@@ -481,6 +524,7 @@ test -f /etc/ssh/sshd_config.rpmsave && mv -v /etc/ssh/sshd_config.rpmsave /etc/
 %{fillup_only -n ssh}
 %service_add_post sshd.service sshd.socket
 
+%if %{with crypto_policies}
 %if ! %{defined _distconfdir}
 test -f /etc/ssh/sshd_config && (grep -q "^Include /etc/ssh/sshd_config\.d/\*\.conf" /etc/ssh/sshd_config || ( \
     echo "WARNING: /etc/ssh/sshd_config doesn't include config files from"
@@ -489,6 +533,7 @@ test -f /etc/ssh/sshd_config && (grep -q "^Include /etc/ssh/sshd_config\.d/\*\.c
     echo "/etc/ssh/sshd_config :"
     echo "Include /etc/ssh/sshd_config.d/*.conf" ) ) ||:
 %endif
+%endif
 
 %preun server
 %service_del_preun sshd.service sshd.socket
@@ -503,6 +548,7 @@ else
 %service_del_postun sshd.service sshd.socket
 fi
 
+%if %{with crypto_policies}
 %if ! %{defined _distconfdir}
 %post server-config-disallow-rootlogin
 test -f /etc/ssh/sshd_config && (grep -q "^Include /etc/ssh/sshd_config\.d/\*\.conf" /etc/ssh/sshd_config || ( \
@@ -512,6 +558,7 @@ test -f /etc/ssh/sshd_config && (grep -q "^Include /etc/ssh/sshd_config\.d/\*\.c
     echo "the following line is added at the start of /etc/ssh/sshd_config :"
     echo "Include /etc/ssh/sshd_config.d/*.conf" ) ) ||:
 %endif
+%endif
 
 %if %{defined _distconfdir}
 %posttrans server
@@ -526,6 +573,7 @@ test -f /etc/ssh/sshd_config.rpmsave && mv -v /etc/ssh/sshd_config.rpmsave /etc/
 test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ssh/ssh_config.rpmsave.old ||:
 %endif
 
+%if %{with crypto_policies}
 %if ! %{defined _distconfdir}
 %post clients
 test -f /etc/ssh/ssh_config && (grep -q "^Include /etc/ssh/ssh_config\.d/\*\.conf" /etc/ssh/ssh_config || ( \
@@ -535,6 +583,7 @@ test -f /etc/ssh/ssh_config && (grep -q "^Include /etc/ssh/ssh_config\.d/\*\.con
     echo "/etc/ssh/ssh_config :"
     echo "Include /etc/ssh/ssh_config.d/*.conf" ) ) ||:
 %endif
+%endif
 
 %if %{defined _distconfdir}
 %posttrans clients
@@ -582,11 +631,13 @@ test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ss
 %attr(0640,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/sshd
 %endif
+%if %{with crypto_policies}
 %if %{defined _distconfdir}
 %attr(0600,root,root) %config(noreplace) %{_distconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf
 %else
 %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf
 %endif
+%endif
 %attr(0644,root,root) %{_unitdir}/sshd.service
 %attr(0644,root,root) %{_unitdir}/sshd@.service
 %attr(0644,root,root) %{_unitdir}/sshd.socket
@@ -607,7 +658,7 @@ test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ss
 %config %{_fwdefdir}/sshd
 %endif
 
-%if 0%{with allow_root_password_login_by_default}
+%if %{with allow_root_password_login_by_default}
 %files server-config-disallow-rootlogin
 %if %{defined _distconfdir}
 %{_distconfdir}/ssh/sshd_config.d/51-permit-root-login.conf
@@ -624,8 +675,10 @@ test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ss
 %endif
 
 %files clients
+%if %{with crypto_policies}
 %dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config.d/50-suse.conf
+%endif
 %if %{defined _distconfdir}
 %attr(0644,root,root) %{_distconfdir}/ssh/ssh_config
 %else

sshd-sle.pamd

@@ -8,4 +8,3 @@ session     required    pam_loginuid.so
 session     optional    pam_keyinit.so   force revoke
 session     include     common-session
 session     optional    pam_motd.so
-