forked from pool/openssh
Marcus Meissner
67a17999e6
- Update to openssh 9.3p2
* No changes for askpass, see main package changelog for
details
- Update to openssh 9.3p2 (bsc#1213504, CVE-2023-38408):
Security
========
Fix CVE-2023-38408 - a condition where specific libaries loaded via
ssh-agent(1)'s PKCS#11 support could be abused to achieve remote
code execution via a forwarded agent socket if the following
conditions are met:
* Exploitation requires the presence of specific libraries on
the victim system.
* Remote exploitation requires that the agent was forwarded
to an attacker-controlled system.
Exploitation can also be prevented by starting ssh-agent(1) with an
empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring
an allowlist that contains only specific provider libraries.
This vulnerability was discovered and demonstrated to be exploitable
by the Qualys Security Advisory team.
In addition to removing the main precondition for exploitation,
this release removes the ability for remote ssh-agent(1) clients
to load PKCS#11 modules by default (see below).
Potentially-incompatible changes
--------------------------------
* ssh-agent(8): the agent will now refuse requests to load PKCS#11
modules issued by remote clients by default. A flag has been added
to restore the previous behaviour "-Oallow-remote-pkcs11".
Note that ssh-agent(8) depends on the SSH client to identify
requests that are remote. The OpenSSH >=8.9 ssh(1) client does
this, but forwarding access to an agent socket using other tools
may circumvent this restriction.
OBS-URL: https://build.opensuse.org/request/show/1099810
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=249
67 lines
2.1 KiB
RPMSpec
67 lines
2.1 KiB
RPMSpec
#
|
|
# spec file for package openssh-askpass-gnome
|
|
#
|
|
# Copyright (c) 2020 SUSE LLC
|
|
#
|
|
# All modifications and additions to the file contributed by third parties
|
|
# remain the property of their copyright owners, unless otherwise agreed
|
|
# upon. The license for this file, and modifications and additions to the
|
|
# file, is the same license as for the pristine package itself (unless the
|
|
# license for the pristine package is not an Open Source License, in which
|
|
# case the license is the MIT License). An "Open Source License" is a
|
|
# license that conforms to the Open Source Definition (Version 1.9)
|
|
# published by the Open Source Initiative.
|
|
|
|
# Please submit bugfixes or comments via https://bugs.opensuse.org/
|
|
#
|
|
|
|
|
|
%define _name openssh
|
|
Name: openssh-askpass-gnome
|
|
Version: 9.3p2
|
|
Release: 0
|
|
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
|
|
License: BSD-2-Clause
|
|
Group: Productivity/Networking/SSH
|
|
URL: https://www.openssh.com/
|
|
Source: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz
|
|
Source42: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz.asc
|
|
Requires: %{_name}-clients = %{version}
|
|
Supplements: packageand(openssh-clients:libgtk-3-0)
|
|
%if 0%{?suse_version} >= 1550
|
|
BuildRequires: gtk3-devel
|
|
%else
|
|
BuildRequires: gtk2-devel
|
|
%endif
|
|
|
|
%description
|
|
SSH (Secure Shell) is a program for logging into a remote machine and
|
|
for executing commands on a remote machine. This package contains a
|
|
GNOME-based passphrase dialog for OpenSSH.
|
|
|
|
%prep
|
|
%autosetup -p1 -n %{_name}-%{version}
|
|
|
|
%build
|
|
cd contrib
|
|
export CFLAGS="%{optflags}"
|
|
%if 0%{?suse_version} >= 1550
|
|
%make_build gnome-ssh-askpass3
|
|
%else
|
|
%make_build gnome-ssh-askpass2
|
|
%endif
|
|
|
|
%install
|
|
install -d -m 755 %{buildroot}%{_libexecdir}/ssh/
|
|
%if 0%{?suse_version} >= 1550
|
|
install contrib/gnome-ssh-askpass3 %{buildroot}%{_libexecdir}/ssh/gnome-ssh-askpass
|
|
%else
|
|
install contrib/gnome-ssh-askpass2 %{buildroot}%{_libexecdir}/ssh/gnome-ssh-askpass
|
|
%endif
|
|
|
|
%files
|
|
%dir %{_libexecdir}/ssh
|
|
%attr(0755,root,root) %{_libexecdir}/ssh/gnome-ssh-askpass
|
|
|
|
%changelog
|