Revisions of openssh
Ana Guerrero (anag+factory) accepted request 1150501 from Hans Petter Jansson (hpjansson) (revision 170)
- Update to openssh 9.6p1:
  * No changes for askpass, see main package changelog for details.
- Update to openssh 9.6p1:
  = Security
  * ssh(1), sshd(8): implement protocol extensions to thwart the so-called "Terrapin attack" discovered by Fabian Bäumer, Marcus Brinkmann and Jörg Schwenk. This attack allows a MITM to effect a limited break of the integrity of the early encrypted SSH transport protocol by sending extra messages prior to the commencement of encryption, and deleting an equal number of consecutive messages immediately after encryption starts. A peer SSH client/server would not be able to detect that messages were deleted.
  * ssh-agent(1): when adding PKCS#11-hosted private keys while specifying destination constraints, if the PKCS#11 token returned multiple keys then only the first key had the constraints applied. Use of regular private keys, FIDO tokens and unconstrained keys is unaffected.
  * ssh(1): if an invalid user or hostname that contained shell metacharacters was passed to ssh(1), and a ProxyCommand, LocalCommand directive or "match exec" predicate referenced the user or hostname via %u, %h or similar expansion token, then an attacker who could supply arbitrary user/hostnames to ssh(1) could potentially perform command injection depending on what quoting was present in the user-supplied ssh_config(5) directive.
  = Potentially incompatible changes
  * ssh(1), sshd(8): the RFC4254 connection/channels protocol provides a TCP-like window mechanism that limits the amount of data that can be sent without acceptance from the peer. In cases where this
(forwarded request 1150500 from hpjansson)
Ana Guerrero (anag+factory) accepted request 1133933 from Hans Petter Jansson (hpjansson) (revision 169)
Added openssh-cve-2023-48795.patch (forwarded request 1133932 from hpjansson)
Ana Guerrero (anag+factory) accepted request 1129646 from Hans Petter Jansson (hpjansson) (revision 168)
Ana Guerrero (anag+factory) accepted request 1112087 from Hans Petter Jansson (hpjansson) (revision 166)
Teach openssh to tell logind the TTY, else tools like wall will stop working now with the new systemd v254 and util-linux (and who, w, ... will not show a tty) (forwarded request 1110800 from kukuk)
Ana Guerrero (anag+factory) accepted request 1099856 from Marcus Meissner (msmeissn) (revision 165)
- Update to openssh 9.3p2
  * No changes for askpass, see main package changelog for details
- Update to openssh 9.3p2 (bsc#1213504, CVE-2023-38408):
  Security
  ========
  Fix CVE-2023-38408 - a condition where specific libraries loaded via ssh-agent(1)'s PKCS#11 support could be abused to achieve remote code execution via a forwarded agent socket if the following conditions are met:
  * Exploitation requires the presence of specific libraries on the victim system.
  * Remote exploitation requires that the agent was forwarded to an attacker-controlled system.
  Exploitation can also be prevented by starting ssh-agent(1) with an empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring an allowlist that contains only specific provider libraries.
  This vulnerability was discovered and demonstrated to be exploitable by the Qualys Security Advisory team.
  In addition to removing the main precondition for exploitation, this release removes the ability for remote ssh-agent(1) clients to load PKCS#11 modules by default (see below).
  Potentially-incompatible changes
  --------------------------------
  * ssh-agent(8): the agent will now refuse requests to load PKCS#11 modules issued by remote clients by default. A flag has been added to restore the previous behaviour "-Oallow-remote-pkcs11". Note that ssh-agent(8) depends on the SSH client to identify requests that are remote. The OpenSSH >=8.9 ssh(1) client does this, but forwarding access to an agent socket using other tools may circumvent this restriction.
(forwarded request 1099810 from simotek)
Dominique Leuenberger (dimstar_suse) accepted request 1090577 from Dirk Mueller (dirkmueller) (revision 164)
Dominique Leuenberger (dimstar_suse) accepted request 1079298 from Hans Petter Jansson (hpjansson) (revision 163)
- Rename sshd.pamd to sshd-sle.pamd and fix order of pam_keyinit
- Add new sshd.pamd including postlogin-* config files
(forwarded request 1074609 from kukuk)
Dominique Leuenberger (dimstar_suse) accepted request 1074486 from Dirk Mueller (dirkmueller) (revision 162)
Dominique Leuenberger (dimstar_suse) accepted request 1044051 from Marcus Meissner (msmeissn) (revision 161)
Dominique Leuenberger (dimstar_suse) accepted request 1043180 from Dirk Mueller (dirkmueller) (revision 160)
- limit to openssl < 3.0 as this version is not compatible (bsc#1205042); the next version update will fix it
Dominique Leuenberger (dimstar_suse) accepted request 1035879 from Marcus Meissner (msmeissn) (revision 159)
Dominique Leuenberger (dimstar_suse) accepted request 999883 from Marcus Meissner (msmeissn) (revision 158)
Dominique Leuenberger (dimstar_suse) accepted request 997452 from Factory Maintainer (factory-maintainer) (revision 157)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse) accepted request 973782 from Factory Maintainer (factory-maintainer) (revision 156)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse) accepted request 960152 from Dirk Mueller (dirkmueller) (revision 155)
Displaying revisions 1 - 20 of 174