forked from pool/openssh
b3ff99ae3c
- Update to openssh 9.6p1:
  * No changes for askpass, see main package changelog for details.

- Update to openssh 9.6p1:
  = Security
  * ssh(1), sshd(8): implement protocol extensions to thwart the so-called "Terrapin attack" discovered by Fabian Bäumer, Marcus Brinkmann and Jörg Schwenk. This attack allows a MITM to effect a limited break of the integrity of the early encrypted SSH transport protocol by sending extra messages prior to the commencement of encryption, and deleting an equal number of consecutive messages immediately after encryption starts. A peer SSH client/server would not be able to detect that messages were deleted.
  * ssh-agent(1): when adding PKCS#11-hosted private keys while specifying destination constraints, if the PKCS#11 token returned multiple keys then only the first key had the constraints applied. Use of regular private keys, FIDO tokens and unconstrained keys are unaffected.
  * ssh(1): if an invalid user or hostname that contained shell metacharacters was passed to ssh(1), and a ProxyCommand, LocalCommand directive or "match exec" predicate referenced the user or hostname via %u, %h or similar expansion token, then an attacker who could supply arbitrary user/hostnames to ssh(1) could potentially perform command injection depending on what quoting was present in the user-supplied ssh_config(5) directive.
  = Potentially incompatible changes
  * ssh(1), sshd(8): the RFC4254 connection/channels protocol provides a TCP-like window mechanism that limits the amount of data that can be sent without acceptance from the peer. In cases where this

OBS-URL: https://build.opensuse.org/request/show/1150500
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=255

||
---|---|---|
_multibuild | ||
.gitattributes | ||
.gitignore | ||
cavs_driver-ssh.pl | ||
fix-missing-lz.patch | ||
logind_set_tty.patch | ||
openssh-6.6.1p1-selinux-contexts.patch | ||
openssh-6.6p1-keycat.patch | ||
openssh-6.6p1-privsep-selinux.patch | ||
openssh-7.6p1-cleanup-selinux.patch | ||
openssh-7.7p1-cavstest-ctr.patch | ||
openssh-7.7p1-cavstest-kdf.patch | ||
openssh-7.7p1-disable_openssl_abi_check.patch | ||
openssh-7.7p1-eal3.patch | ||
openssh-7.7p1-enable_PAM_by_default.patch | ||
openssh-7.7p1-fips_checks.patch | ||
openssh-7.7p1-fips.patch | ||
openssh-7.7p1-host_ident.patch | ||
openssh-7.7p1-hostname_changes_when_forwarding_X.patch | ||
openssh-7.7p1-IPv6_X_forwarding.patch | ||
openssh-7.7p1-ldap.patch | ||
openssh-7.7p1-no_fork-no_pid_file.patch | ||
openssh-7.7p1-pam_check_locks.patch | ||
openssh-7.7p1-pts_names_formatting.patch | ||
openssh-7.7p1-remove_xauth_cookies_on_exit.patch | ||
openssh-7.7p1-seccomp_ipc_flock.patch | ||
openssh-7.7p1-seccomp_stat.patch | ||
openssh-7.7p1-send_locale.patch | ||
openssh-7.7p1-sftp_force_permissions.patch | ||
openssh-7.7p1-sftp_print_diagnostic_messages.patch | ||
openssh-7.7p1-systemd-notify.patch | ||
openssh-7.7p1-X11_trusted_forwarding.patch | ||
openssh-7.7p1-X_forward_with_disabled_ipv6.patch | ||
openssh-7.8p1-role-mls.patch | ||
openssh-7.9p1-keygen-preserve-perms.patch | ||
openssh-7.9p1-revert-new-qos-defaults.patch | ||
openssh-8.0p1-gssapi-keyex.patch | ||
openssh-8.1p1-audit.patch | ||
openssh-8.1p1-ed25519-use-openssl-rng.patch | ||
openssh-8.1p1-seccomp-clock_gettime64.patch | ||
openssh-8.1p1-seccomp-clock_nanosleep_time64.patch | ||
openssh-8.1p1-seccomp-clock_nanosleep.patch | ||
openssh-8.1p1-use-openssl-kdf.patch | ||
openssh-8.4p1-pam_motd.patch | ||
openssh-8.4p1-ssh_config_d.patch | ||
openssh-8.4p1-vendordir.patch | ||
openssh-9.6p1.tar.gz | ||
openssh-9.6p1.tar.gz.asc | ||
openssh-askpass-gnome.changes | ||
openssh-askpass-gnome.spec | ||
openssh-do-not-send-empty-message.patch | ||
openssh-fips-ensure-approved-moduli.patch | ||
openssh-link-with-sk.patch | ||
openssh-openssl-3.patch | ||
openssh-reenable-dh-group14-sha1-default.patch | ||
openssh-whitelist-syscalls.patch | ||
openssh.changes | ||
openssh.keyring | ||
openssh.spec | ||
README.FIPS | ||
README.kerberos | ||
README.SUSE | ||
ssh-askpass | ||
ssh.reg | ||
sshd-gen-keys-start | ||
sshd-sle.pamd | ||
sshd.fw | ||
sshd.pamd | ||
sshd.service | ||
sysconfig.ssh | ||
sysusers-sshd.conf | ||
wtmpdb.patch |

There are the following changes in the default settings of the ssh client and server:

* Accepting and sending of locale environment variables in protocol 2 is enabled.
* PAM authentication is enabled and mostly even required, do not turn it off.
* DSA authentication is enabled by default for maximum compatibility. NOTE: do not use DSA authentication since it is being phased out for a reason - the size of DSA keys is limited by the standard to 1024 bits, which cannot be considered safe any more.
* All RFC4419 specified DH group parameters are accepted. See KexDHMin in the ssh_config and sshd_config manual pages.

For more information on differences in the SUSE OpenSSH package, see README.FIPS.