forked from pool/openssh
03fc1a6def
- Update to openssh 9.3p1
* No changes for askpass, see main package changelog for
details
- Update to openssh 9.3p1:
= Security
* ssh-add(1): when adding smartcard keys to ssh-agent(1) with the
per-hop destination constraints (ssh-add -h ...) added in
OpenSSH 8.9, a logic error prevented the constraints from being
communicated to the agent. This resulted in the keys being added
without constraints. The common cases of non-smartcard keys and
keys without destination constraints are unaffected. This
problem was reported by Luci Stanescu.
* ssh(1): Portable OpenSSH provides an implementation of the
getrrsetbyname(3) function if the standard library does not
provide it, for use by the VerifyHostKeyDNS feature. A
specifically crafted DNS response could cause this function to
perform an out-of-bounds read of adjacent stack data, but this
condition does not appear to be exploitable beyond denial-of-
service to the ssh(1) client.
The getrrsetbyname(3) replacement is only included if the
system's standard library lacks this function and portable
OpenSSH was not compiled with the ldns library (--with-ldns).
getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to
fetch SSHFP records. This problem was found by the Coverity
static analyzer.
= New features
* ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256
when outputting SSHFP fingerprints to allow algorithm
selection. bz3493
OBS-URL: https://build.opensuse.org/request/show/1087770
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=247
|
||
|---|---|---|
| _multibuild | ||
| .gitattributes | ||
| .gitignore | ||
| cavs_driver-ssh.pl | ||
| fix-missing-lz.patch | ||
| openssh-7.7p1-cavstest-ctr.patch | ||
| openssh-7.7p1-cavstest-kdf.patch | ||
| openssh-7.7p1-disable_openssl_abi_check.patch | ||
| openssh-7.7p1-eal3.patch | ||
| openssh-7.7p1-enable_PAM_by_default.patch | ||
| openssh-7.7p1-fips_checks.patch | ||
| openssh-7.7p1-fips.patch | ||
| openssh-7.7p1-host_ident.patch | ||
| openssh-7.7p1-hostname_changes_when_forwarding_X.patch | ||
| openssh-7.7p1-IPv6_X_forwarding.patch | ||
| openssh-7.7p1-ldap.patch | ||
| openssh-7.7p1-no_fork-no_pid_file.patch | ||
| openssh-7.7p1-pam_check_locks.patch | ||
| openssh-7.7p1-pts_names_formatting.patch | ||
| openssh-7.7p1-remove_xauth_cookies_on_exit.patch | ||
| openssh-7.7p1-seccomp_ipc_flock.patch | ||
| openssh-7.7p1-seccomp_stat.patch | ||
| openssh-7.7p1-send_locale.patch | ||
| openssh-7.7p1-sftp_force_permissions.patch | ||
| openssh-7.7p1-sftp_print_diagnostic_messages.patch | ||
| openssh-7.7p1-systemd-notify.patch | ||
| openssh-7.7p1-X11_trusted_forwarding.patch | ||
| openssh-7.7p1-X_forward_with_disabled_ipv6.patch | ||
| openssh-7.9p1-keygen-preserve-perms.patch | ||
| openssh-7.9p1-revert-new-qos-defaults.patch | ||
| openssh-8.0p1-gssapi-keyex.patch | ||
| openssh-8.1p1-audit.patch | ||
| openssh-8.1p1-ed25519-use-openssl-rng.patch | ||
| openssh-8.1p1-seccomp-clock_gettime64.patch | ||
| openssh-8.1p1-seccomp-clock_nanosleep_time64.patch | ||
| openssh-8.1p1-seccomp-clock_nanosleep.patch | ||
| openssh-8.1p1-use-openssl-kdf.patch | ||
| openssh-8.4p1-pam_motd.patch | ||
| openssh-8.4p1-ssh_config_d.patch | ||
| openssh-8.4p1-vendordir.patch | ||
| openssh-9.3p1.tar.gz | ||
| openssh-9.3p1.tar.gz.asc | ||
| openssh-askpass-gnome.changes | ||
| openssh-askpass-gnome.spec | ||
| openssh-do-not-send-empty-message.patch | ||
| openssh-fips-ensure-approved-moduli.patch | ||
| openssh-link-with-sk.patch | ||
| openssh-openssl-3.patch | ||
| openssh-reenable-dh-group14-sha1-default.patch | ||
| openssh-whitelist-syscalls.patch | ||
| openssh.changes | ||
| openssh.keyring | ||
| openssh.spec | ||
| README.FIPS | ||
| README.kerberos | ||
| README.SUSE | ||
| ssh-askpass | ||
| ssh.reg | ||
| sshd-gen-keys-start | ||
| sshd-sle.pamd | ||
| sshd.fw | ||
| sshd.pamd | ||
| sshd.service | ||
| sysconfig.ssh | ||
| sysusers-sshd.conf | ||
| wtmpdb.patch | ||
There are following changes in default settings of ssh client and server: * Accepting and sending of locale environment variables in protocol 2 is enabled. * PAM authentication is enabled and mostly even required, do not turn it off. * DSA authentication is enabled by default for maximum compatibility. NOTE: do not use DSA authentication since it is being phased out for a reason - the size of DSA keys is limited by the standard to 1024 bits which cannot be considered safe any more. * Accepting all RFC4419 specified DH group parameters. See KexDHMin in ssh_config and sshd_config manual pages. For more information on differences in SUSE OpenSSH package see README.FIPS