forked from pool/openssh
03fc1a6def
- Update to openssh 9.3p1
* No changes for askpass, see main package changelog for
details
- Update to openssh 9.3p1:
= Security
* ssh-add(1): when adding smartcard keys to ssh-agent(1) with the
per-hop destination constraints (ssh-add -h ...) added in
OpenSSH 8.9, a logic error prevented the constraints from being
communicated to the agent. This resulted in the keys being added
without constraints. The common cases of non-smartcard keys and
keys without destination constraints are unaffected. This
problem was reported by Luci Stanescu.
* ssh(1): Portable OpenSSH provides an implementation of the
getrrsetbyname(3) function if the standard library does not
provide it, for use by the VerifyHostKeyDNS feature. A
specifically crafted DNS response could cause this function to
perform an out-of-bounds read of adjacent stack data, but this
condition does not appear to be exploitable beyond denial-of-
service to the ssh(1) client.
The getrrsetbyname(3) replacement is only included if the
system's standard library lacks this function and portable
OpenSSH was not compiled with the ldns library (--with-ldns).
getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to
fetch SSHFP records. This problem was found by the Coverity
static analyzer.
= New features
* ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256
when outputting SSHFP fingerprints to allow algorithm
selection. bz3493
OBS-URL: https://build.opensuse.org/request/show/1087770
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=247
42 lines
1.4 KiB
Diff
42 lines
1.4 KiB
Diff
# HG changeset patch
|
|
# Parent 9d38b7292619a6d5faf554b1a88888fdfa535de7
|
|
Patch from IBM enabling the use of OpenCryptoki, submitted upstreams:
|
|
|
|
From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
|
|
To: openssh-unix-dev@mindrot.org
|
|
Subject: [PATCH 1/3] Allow flock and ipc syscall for s390 architecture
|
|
Date: Tue, 9 May 2017 14:27:13 -0300
|
|
|
|
In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock
|
|
and ipc calls, because this engine calls OpenCryptoki (a PKCS#11
|
|
implementation) which calls the libraries that will communicate with the
|
|
crypto cards. OpenCryptoki makes use of flock and ipc and, as of now,
|
|
this is only need on s390 architecture.
|
|
|
|
Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
|
|
|
|
Index: openssh-8.8p1/sandbox-seccomp-filter.c
|
|
===================================================================
|
|
--- openssh-8.8p1.orig/sandbox-seccomp-filter.c
|
|
+++ openssh-8.8p1/sandbox-seccomp-filter.c
|
|
@@ -219,6 +219,9 @@ static const struct sock_filter preauth_
|
|
#ifdef __NR_geteuid32
|
|
SC_ALLOW(__NR_geteuid32),
|
|
#endif
|
|
+#if defined(__NR_flock) && defined(__s390__)
|
|
+ SC_ALLOW(__NR_flock),
|
|
+#endif
|
|
#ifdef __NR_getpgid
|
|
SC_ALLOW(__NR_getpgid),
|
|
#endif
|
|
@@ -237,6 +240,9 @@ static const struct sock_filter preauth_
|
|
#ifdef __NR_getuid32
|
|
SC_ALLOW(__NR_getuid32),
|
|
#endif
|
|
+#if defined(__NR_ipc) && defined(__s390__)
|
|
+ SC_ALLOW(__NR_ipc),
|
|
+#endif
|
|
#ifdef __NR_madvise
|
|
SC_ALLOW_ARG(__NR_madvise, 2, MADV_NORMAL),
|
|
# ifdef MADV_FREE
|