Revisions of openssh

Antonio Larrosa (alarrosa) accepted request 1167855 from Antonio Larrosa (alarrosa) (revision 265)
Add bugzilla reference to bsc#1221005
Antonio Larrosa (alarrosa) accepted request 1167816 from Marcus Meissner (msmeissn) (revision 264)
- openssh-8.0p1-gssapi-keyex.patch: Added missing struct initializer,
  added missing parameter (bsc#1222840)
Antonio Larrosa (alarrosa) accepted request 1167038 from Antonio Larrosa (alarrosa) (revision 263)
- Make openssh-server recommend the openssh-server-config-rootlogin
  package in SLE in order to keep the same behaviour of previous
  SPs where the PermitRootLogin default was set to yes.
- Fix crypto-policies requirement to be set by openssh-server, not
  the config-rootlogin subpackage.
- Add back %config(noreplace) tag for more config files that were
  already set like this in previous SPs.
Antonio Larrosa (alarrosa) accepted request 1166764 from Arnav Singh (Arnavion) (revision 262)
- Fix duplicate loading of dropins. (boo#1222467)
Antonio Larrosa (alarrosa) accepted request 1166156 from Antonio Larrosa (alarrosa) (revision 261)
Add one more bsc/CVE reference
Antonio Larrosa (alarrosa) accepted request 1165554 from Antonio Larrosa (alarrosa) (revision 260)
- Add missing bugzilla/CVE references to the changelog
Antonio Larrosa (alarrosa) accepted request 1165549 from Antonio Larrosa (alarrosa) (revision 259)
- Add patch from SLE which was missing in Factory:
  * Mon Jun  7 20:54:09 UTC 2021 - Hans Petter Jansson <hpj@suse.com>
- Add openssh-mitigate-lingering-secrets.patch (bsc#1186673), which
  attempts to mitigate instances of secrets lingering in memory
  after a session exits. (bsc#1213004 bsc#1213008) 
- Rebase patch:
  * openssh-6.6p1-privsep-selinux.patch
Antonio Larrosa (alarrosa) accepted request 1165438 from Antonio Larrosa (alarrosa) (revision 258)
Forward a fix for a patch from SLE

- Rebase openssh-7.7p1-fips.patch (bsc#1221928)
  Remove OPENSSL_HAVE_EVPGCM-ifdef, which is no longer supported by
  upstream
Marcus Meissner (msmeissn) accepted request 1164145 from Antonio Larrosa (alarrosa) (revision 257)
- Use %config(noreplace) for sshd_config. In any case, it's
  recommended to drop a file in sshd_config.d instead of editing
  sshd_config (bsc#1221063)
- Use %{_libexecdir} when removing ssh-keycat instead of the
  hardcoded path so it works in TW and SLE.
Marcus Meissner (msmeissn) accepted request 1155471 from Pedro Monreal Gonzalez (pmonrealgonzalez) (revision 256)
- Add crypto-policies support [bsc#1211301]
  * Add patches:
    - openssh-9.6p1-crypto-policies.patch
    - openssh-9.6p1-crypto-policies-man.patch
Hans Petter Jansson (hpjansson) accepted request 1150500 from Hans Petter Jansson (hpjansson) (revision 255)
- Update to openssh 9.6p1:
  * No changes for askpass, see main package changelog for
    details.

- Update to openssh 9.6p1:
  = Security
  * ssh(1), sshd(8): implement protocol extensions to thwart the
    so-called "Terrapin attack" discovered by Fabian Bäumer, Marcus
    Brinkmann and Jörg Schwenk. This attack allows a MITM to effect a
    limited break of the integrity of the early encrypted SSH transport
    protocol by sending extra messages prior to the commencement of
    encryption, and deleting an equal number of consecutive messages
    immediately after encryption starts. A peer SSH client/server
    would not be able to detect that messages were deleted.
  * ssh-agent(1): when adding PKCS#11-hosted private keys while
    specifying destination constraints, if the PKCS#11 token returned
    multiple keys then only the first key had the constraints applied.
    Use of regular private keys, FIDO tokens and unconstrained keys
    are unaffected.
  * ssh(1): if an invalid user or hostname that contained shell
    metacharacters was passed to ssh(1), and a ProxyCommand,
    LocalCommand directive or "match exec" predicate referenced the
    user or hostname via %u, %h or similar expansion token, then
    an attacker who could supply arbitrary user/hostnames to ssh(1)
    could potentially perform command injection depending on what
    quoting was present in the user-supplied ssh_config(5) directive.
  = Potentially incompatible changes
  * ssh(1), sshd(8): the RFC4254 connection/channels protocol provides
    a TCP-like window mechanism that limits the amount of data that
    can be sent without acceptance from the peer. In cases where this
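The ssh(1) %h/%r command-injection item in the 9.6p1 entry above is easiest to understand with the vulnerable and hardened shapes side by side. The following is an added example, not OpenSSH source or part of this changelog: the percent-token expander and the `_SAFE_HOST`/`_SAFE_USER` allowlists are simplified approximations of what ssh(1) does, and the `echo` template stands in for a real ProxyCommand such as `nc %h 22`.

```python
"""Illustrates the ssh(1) %h / %r command-injection class fixed in
OpenSSH 9.6: an unvalidated hostname expanded into a directive that
is handed to a shell. Added example, not OpenSSH source; the expander
and the allowlists below are simplified approximations."""

import re
import subprocess

# Assumption: a conservative allowlist in the spirit of the 9.6 fix, which
# refuses to expand hostnames / user names carrying shell metacharacters.
# A leading '-' is excluded too, so an expanded name cannot be parsed as
# an option by the command it lands in.
_SAFE_HOST = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.\-]*$")
_SAFE_USER = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._\-]*$")


def expand_tokens(template: str, host: str, ruser: str) -> str:
    """Minimal ssh_config(5)-style percent expansion: %h, %r and %%."""
    out, i = [], 0
    while i < len(template):
        if template[i] == "%" and i + 1 < len(template):
            t = template[i + 1]
            if t == "h":
                out.append(host)
            elif t == "r":
                out.append(ruser)
            elif t == "%":
                out.append("%")
            else:
                raise ValueError(f"unsupported token %{t}")
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def is_safe_target(host: str, ruser: str) -> bool:
    """True when both names are safe to splice into a shell-expanded directive."""
    return bool(_SAFE_HOST.match(host)) and bool(_SAFE_USER.match(ruser))


def proxy_command_unsafe(template: str, host: str, ruser: str) -> str:
    """Pre-9.6 shape of the problem: expand, then hand the string to sh -c.
    Returns the command's stdout so the effect of the injection is visible."""
    cmd = expand_tokens(template, host, ruser)
    res = subprocess.run(["/bin/sh", "-c", cmd], capture_output=True,
                         text=True, check=False)
    return res.stdout


def proxy_command_hardened(template: str, host: str, ruser: str) -> str:
    """Hardened shape: refuse to expand names that could break out of the
    directive, whatever quoting the directive's author used."""
    if not is_safe_target(host, ruser):
        raise ValueError(f"refusing to expand {host!r}/{ruser!r}: unsafe characters")
    return proxy_command_unsafe(template, host, ruser)


if __name__ == "__main__":
    # Constructed stand-in for "ProxyCommand nc %h 22". Note the directive
    # is single-quoted and still gets broken out of.
    tmpl = "echo connecting to '%h' as '%r'"
    print(proxy_command_unsafe(tmpl, "jump.example.com", "alice"), end="")
    print(proxy_command_unsafe(tmpl, "x'; echo INJECTED; echo '", "alice"), end="")
    try:
        proxy_command_hardened(tmpl, "x'; echo INJECTED; echo '", "alice")
    except ValueError as err:
        print(err)
```

The single-quoted template in the demo is the point of the "depending on what quoting was present" caveat: a hostname containing a `'` closes the quote, so quoting in ssh_config is not a reliable defence, and the hostname itself has to be validated before expansion. Hostnames reach ssh(1) from places outside the user's control (e.g. `git clone` URLs, `scp` arguments, or a `Match exec` predicate), which is why the 9.6 behaviour is to reject rather than to quote.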
Hans Petter Jansson (hpjansson) accepted request 1133932 from Hans Petter Jansson (hpjansson) (revision 254)
Added openssh-cve-2023-48795.patch
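The patch named in this entry is the "strict kex" countermeasure to the Terrapin attack described in the 9.6p1 entry above. The following toy model, an added example that is not OpenSSH code or part of this changelog, shows why the attack is invisible to the peer and what the two halves of strict kex change: a MITM adds one plaintext message before NEWKEYS and deletes one encrypted message after it, leaving both sides' implicit sequence numbers in agreement. The message set, the HMAC stand-in for the real MAC/AEAD binding and the `Sender`/`Receiver` names are assumptions of the model.

```python
"""Toy model of the SSH transport sequence numbers that the Terrapin
attack (CVE-2023-48795) abuses, and of the "strict kex" extension that
OpenSSH 9.6 adds to stop it. Added illustration, not OpenSSH code."""

import hashlib
import hmac

# Message numbers from RFC 4253 and RFC 8308 (EXT_INFO).
MSG_IGNORE = 2
MSG_SERVICE_REQUEST = 5
MSG_EXT_INFO = 7
MSG_NEWKEYS = 21

# Constructed key; a real session derives it from the key exchange.
SESSION_KEY = b"constructed-session-key"


def tag(seq: int, payload: bytes) -> bytes:
    """Stand-in for the per-packet MAC (or AEAD nonce). It binds the implicit
    32-bit sequence number, which is the only thing that orders packets."""
    return hmac.new(SESSION_KEY, seq.to_bytes(4, "big") + payload,
                    hashlib.sha256).digest()


class Sender:
    def __init__(self, strict_kex: bool):
        self.strict_kex = strict_kex
        self.seq = 0
        self.encrypting = False

    def send(self, msg: int) -> dict:
        payload = bytes([msg])
        pkt = {"type": msg,
               "tag": tag(self.seq, payload) if self.encrypting else None}
        self.seq += 1
        if msg == MSG_NEWKEYS:
            self.encrypting = True
            if self.strict_kex:
                self.seq = 0  # strict kex: counter restarts after NEWKEYS
        return pkt


class Receiver:
    def __init__(self, strict_kex: bool):
        self.strict_kex = strict_kex
        self.seq = 0
        self.encrypting = False
        self.delivered = []

    def receive(self, pkt: dict) -> str:
        if not self.encrypting:
            # Plaintext phase. Strict kex also forbids filler such as IGNORE
            # here, so an attacker cannot bump the counter for free.
            if self.strict_kex and pkt["type"] == MSG_IGNORE:
                return "disconnect: unexpected message during strict kex"
            self.seq += 1
            if pkt["type"] == MSG_NEWKEYS:
                self.encrypting = True
                if self.strict_kex:
                    self.seq = 0
            return "ok"
        expected = tag(self.seq, bytes([pkt["type"]]))
        if pkt["tag"] is None or not hmac.compare_digest(expected, pkt["tag"]):
            return "disconnect: bad MAC"
        self.seq += 1
        self.delivered.append(pkt["type"])
        return "ok"


def run(strict_kex: bool, inject_ignore: bool, drop_ext_info: bool):
    """Drive one NEWKEYS -> EXT_INFO -> SERVICE_REQUEST exchange through a
    MITM. Returns (status, list of message types the receiver accepted)."""
    sender, receiver = Sender(strict_kex), Receiver(strict_kex)
    wire = [sender.send(m) for m in (MSG_NEWKEYS, MSG_EXT_INFO, MSG_SERVICE_REQUEST)]
    if inject_ignore:   # attacker adds one plaintext message before NEWKEYS ...
        wire.insert(0, {"type": MSG_IGNORE, "tag": None})
    if drop_ext_info:   # ... and deletes the first encrypted message after it
        wire = [p for p in wire if p["type"] != MSG_EXT_INFO]
    for pkt in wire:
        status = receiver.receive(pkt)
        if status != "ok":
            return status, receiver.delivered
    return "ok", receiver.delivered


if __name__ == "__main__":
    print("no strict kex, Terrapin:  ", run(False, True, True))   # EXT_INFO silently gone
    print("no strict kex, drop only: ", run(False, False, True))  # caught by the MAC
    print("strict kex, Terrapin:     ", run(True, True, True))    # caught at the IGNORE
    print("strict kex, reset only:   ", run(True, False, True))   # caught by the MAC
```

Deleting a packet on its own is caught, because the receiver's counter is then one ahead of the tag on the next packet; the injected IGNORE is what re-aligns the counters. Strict kex closes both ends: unexpected plaintext messages during the initial exchange terminate the connection, and both counters restart at zero after NEWKEYS, so nothing sent before encryption can influence the numbering after it. Both peers have to advertise the extension (the `kex-strict-s-v00@openssh.com` / `kex-strict-c-v00@openssh.com` pseudo-algorithms in the KEXINIT) for it to take effect, so an updated server still negotiates the old behaviour with an old client.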
Hans Petter Jansson (hpjansson) accepted request 1113799 from Thorsten Kukuk (kukuk) (revision 253)
- Disable SLP by default for Factory and ALP (bsc#1214884)
Hans Petter Jansson (hpjansson) accepted request 1123220 from Johannes Segitz (jsegitz) (revision 252)
- Enhanced SELinux functionality. Added Fedora patches:
  * openssh-7.8p1-role-mls.patch
    Proper handling of MLS systems and basis for other SELinux
    improvements
  * openssh-6.6p1-privsep-selinux.patch
    Properly set contexts during privilege separation
  * openssh-6.6p1-keycat.patch
    Add ssh-keycat command to allow retrieval of authorized_keys
    on MLS setups with polyinstantiation
  * openssh-6.6.1p1-selinux-contexts.patch
    Additional changes to set the proper context during privilege
    separation
  * openssh-7.6p1-cleanup-selinux.patch
    Various changes and putting the pieces together
  For now we don't ship the ssh-keycat command, but we need the patch
  for the other SELinux infrastructure
  This change fixes issues like bsc#1214788, where the ssh daemon 
  needs to act on behalf of a user and needs a proper context for this
Marcus Meissner (msmeissn) accepted request 1119952 from Dominique Leuenberger (dimstar) (revision 251)
- Add cb4ed12f.patch: Fix build using zlib 1.3. The check expected
  a version in the form a.b.c[.d], which no longer matches 1.3.

See failure with zlib 1.3 in Staging:N
Hans Petter Jansson (hpjansson) accepted request 1110800 from Thorsten Kukuk (kukuk) (revision 250)
Teach openssh to tell logind the TTY, else tools like wall will stop working now with the new systemd v254 and util-linux (and who, w, ... will not show a tty)
Marcus Meissner (msmeissn) accepted request 1099810 from Simon Lees (simotek) (revision 249)
- Update to openssh 9.3p2
  * No changes for askpass, see main package changelog for
    details
- Update to openssh 9.3p2 (bsc#1213504, CVE-2023-38408):
  Security
  ========
  Fix CVE-2023-38408 - a condition where specific libraries loaded via
  ssh-agent(1)'s PKCS#11 support could be abused to achieve remote
  code execution via a forwarded agent socket if the following
  conditions are met:
  * Exploitation requires the presence of specific libraries on
    the victim system.
  * Remote exploitation requires that the agent was forwarded
    to an attacker-controlled system.
  Exploitation can also be prevented by starting ssh-agent(1) with an
  empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring
  an allowlist that contains only specific provider libraries.
  This vulnerability was discovered and demonstrated to be exploitable
  by the Qualys Security Advisory team.

  In addition to removing the main precondition for exploitation,
  this release removes the ability for remote ssh-agent(1) clients
  to load PKCS#11 modules by default (see below).
  Potentially-incompatible changes
  --------------------------------
   * ssh-agent(8): the agent will now refuse requests to load PKCS#11
     modules issued by remote clients by default. A flag has been added
     to restore the previous behaviour "-Oallow-remote-pkcs11".
     Note that ssh-agent(8) depends on the SSH client to identify
     requests that are remote. The OpenSSH >=8.9 ssh(1) client does
     this, but forwarding access to an agent socket using other tools
     may circumvent this restriction.
Dirk Mueller (dirkmueller) accepted request 1089432 from Andreas Stieger (AndreasStieger) (revision 248)
- openssh-askpass-gnome: require only openssh-clients, not the full
  openssh (including -server), to avoid pulling in excessive
  dependencies when installing git on Gnome (boo#1211446)
Hans Petter Jansson (hpjansson) accepted request 1087770 from Antonio Larrosa (alarrosa) (revision 247)
- Update to openssh 9.3p1
  * No changes for askpass, see main package changelog for
    details

- Update to openssh 9.3p1:
  = Security
  * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the
    per-hop destination constraints (ssh-add -h ...) added in
    OpenSSH 8.9, a logic error prevented the constraints from being
    communicated to the agent. This resulted in the keys being added
    without constraints. The common cases of non-smartcard keys and
    keys without destination constraints are unaffected. This
    problem was reported by Luci Stanescu.
  * ssh(1): Portable OpenSSH provides an implementation of the
    getrrsetbyname(3) function if the standard library does not
    provide it, for use by the VerifyHostKeyDNS feature. A
    specifically crafted DNS response could cause this function to
    perform an out-of-bounds read of adjacent stack data, but this
    condition does not appear to be exploitable beyond denial-of-
    service to the ssh(1) client.
    The getrrsetbyname(3) replacement is only included if the
    system's standard library lacks this function and portable
    OpenSSH was not compiled with the ldns library (--with-ldns).
    getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to
    fetch SSHFP records. This problem was found by the Coverity
    static analyzer.
  = New features
  * ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256
    when outputting SSHFP fingerprints to allow algorithm
    selection. bz3493
Hans Petter Jansson (hpjansson) accepted request 1074609 from Thorsten Kukuk (kukuk) (revision 246)
- Rename sshd.pamd to sshd-sle.pamd and fix order of pam_keyinit
- Add new sshd.pamd including postlogin-* config files