Revisions of openssh

Dominique Leuenberger (dimstar_suse) accepted request 997452 from Factory Maintainer (factory-maintainer) (revision 157)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse) accepted request 973782 from Factory Maintainer (factory-maintainer) (revision 156)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse) accepted request 923951 from Marcus Meissner (msmeissn) (revision 154)
- Version upgrade to 8.8p1
  * No changes for askpass, see main package changelog for
    details

- Version update to 8.8p1:
  = Security
  * sshd(8) from OpenSSH 6.2 through 8.7 failed to correctly initialise
    supplemental groups when executing an AuthorizedKeysCommand or
    AuthorizedPrincipalsCommand, where an AuthorizedKeysCommandUser or
    AuthorizedPrincipalsCommandUser directive has been set to run the
    command as a different user. Instead these commands would inherit
    the groups that sshd(8) was started with.
    Depending on system configuration, inherited groups may allow
    AuthorizedKeysCommand/AuthorizedPrincipalsCommand helper programs to
    gain unintended privilege.
    Neither AuthorizedKeysCommand nor AuthorizedPrincipalsCommand are
    enabled by default in sshd_config(5).
  = Potentially-incompatible changes
  * This release disables RSA signatures using the SHA-1 hash algorithm
    by default. This change has been made as the SHA-1 hash algorithm is
    cryptographically broken, and it is possible to create chosen-prefix
    hash collisions for <USD$50K.
    For most users, this change should be invisible and there is
    no need to replace ssh-rsa keys. OpenSSH has supported RFC8332
    RSA/SHA-256/512 signatures since release 7.2 and existing ssh-rsa keys
    will automatically use the stronger algorithm where possible.
    Incompatibility is more likely when connecting to older SSH
    implementations that have not been upgraded or have not closely tracked
    improvements in the SSH protocol. For these cases, it may be necessary
    to selectively re-enable RSA/SHA1 to allow connection and/or user
Dominique Leuenberger (dimstar_suse) accepted request 901582 from Hans Petter Jansson (hpjansson) (revision 152)
- Don't move user-modified ssh_config and sshd_config files to
  .rpmsave on upgrade. (forwarded request 901581 from hpjansson)
Dominique Leuenberger (dimstar_suse) accepted request 888799 from Hans Petter Jansson (hpjansson) (revision 151)
- Change vendor configuration dir from /usr/share/ssh/ to
  /usr/etc/ssh/.
- Remove upgrade enablement hack. This has been fixed in
  systemd-rpm-macros (bsc#1180083). (forwarded request 887559 from hpjansson)
Dominique Leuenberger (dimstar_suse) accepted request 872342 from Hans Petter Jansson (hpjansson) (revision 150)
- Add openssh-whitelist-syscalls.patch (bsc#1182232), fixing
  failure to accept connections on 32-bit platforms with
  glibc 2.33+.
Dominique Leuenberger (dimstar_suse) accepted request 861779 from Hans Petter Jansson (hpjansson) (revision 146)
- Update openssh-8.1p1-audit.patch (bsc#1180501). This fixes
  occasional crashes on connection termination caused by accessing
  freed memory. (forwarded request 861491 from hpjansson)
Dominique Leuenberger (dimstar_suse) accepted request 860306 from Hans Petter Jansson (hpjansson) (revision 145)
- Support /usr/etc/pam.d (forwarded request 851366 from kukuk)
Dominique Leuenberger (dimstar_suse) accepted request 849984 from Hans Petter Jansson (hpjansson) (revision 144)
- Fix build breakage caused by missing security key objects:
  + Modify openssh-7.7p1-cavstest-ctr.patch.
  + Modify openssh-7.7p1-cavstest-kdf.patch.
  + Add openssh-link-with-sk.patch.

- Add openssh-fips-ensure-approved-moduli.patch (bsc#1177939).
  This ensures only approved DH parameters are used in FIPS mode.

- Add openssh-8.1p1-ed25519-use-openssl-rng.patch (bsc#1173799).
  This uses OpenSSL's RAND_bytes() directly instead of the internal
  ChaCha20-based implementation to obtain random bytes for Ed25519
  curve computations. This is required for FIPS compliance. (forwarded request 849311 from hpjansson)
Dominique Leuenberger (dimstar_suse) accepted request 841947 from Hans Petter Jansson (hpjansson) (revision 143)
- Work around %service_add_post disabling sshd on upgrade with
  package name change (bsc#1177039).

- Use of DISABLE_RESTART_ON_UPDATE is deprecated.
  Replace it with %service_del_postun_without_restart (forwarded request 840337 from hpjansson)
Dominique Leuenberger (dimstar_suse) committed (revision 142)
https://bugzilla.opensuse.org/show_bug.cgi?id=1177039
Dominique Leuenberger (dimstar_suse) accepted request 837828 from Hans Petter Jansson (hpjansson) (revision 141)
- Fix fillup-template usage:
  + %post server needs to reference ssh (not sshd), which matches
    the sysconfig.ssh file name the package ships.
  + %post client does not need any fillup_ calls, as there is no
    client-relevant sysconfig file present. The naming of the
    sysconfig file (ssh instead of sshd) is unfortunate. (forwarded request 837497 from dimstar)
Displaying revisions 21 - 40 of 177