Revisions of openssh
Dominique Leuenberger (dimstar_suse) accepted request 997452 from Factory Maintainer (factory-maintainer) (revision 157)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse) accepted request 973782 from Factory Maintainer (factory-maintainer) (revision 156)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse) accepted request 960152 from Dirk Mueller (dirkmueller) (revision 155)
Dominique Leuenberger (dimstar_suse) accepted request 923951 from Marcus Meissner (msmeissn) (revision 154)
- Version upgrade to 8.8p1
  * No changes for askpass, see main package changelog for details
- Version update to 8.8p1:
  = Security
  * sshd(8) from OpenSSH 6.2 through 8.7 failed to correctly initialise supplemental groups when executing an AuthorizedKeysCommand or AuthorizedPrincipalsCommand, where a AuthorizedKeysCommandUser or AuthorizedPrincipalsCommandUser directive has been set to run the command as a different user. Instead these commands would inherit the groups that sshd(8) was started with.
    Depending on system configuration, inherited groups may allow AuthorizedKeysCommand/AuthorizedPrincipalsCommand helper programs to gain unintended privilege.
    Neither AuthorizedKeysCommand nor AuthorizedPrincipalsCommand are enabled by default in sshd_config(5).
  = Potentially-incompatible changes
  * This release disables RSA signatures using the SHA-1 hash algorithm by default. This change has been made as the SHA-1 hash algorithm is cryptographically broken, and it is possible to create chosen-prefix hash collisions for <USD$50K.
    For most users, this change should be invisible and there is no need to replace ssh-rsa keys. OpenSSH has supported RFC8332 RSA/SHA-256/512 signatures since release 7.2 and existing ssh-rsa keys will automatically use the stronger algorithm where possible.
    Incompatibility is more likely when connecting to older SSH implementations that have not been upgraded or have not closely tracked improvements in the SSH protocol. For these cases, it may be necessary to selectively re-enable RSA/SHA1 to allow connection and/or user
Dominique Leuenberger (dimstar_suse) accepted request 907490 from Marcus Meissner (msmeissn) (revision 153)
Dominique Leuenberger (dimstar_suse) accepted request 901582 from Hans Petter Jansson (hpjansson) (revision 152)
- Don't move user-modified ssh_config and sshd_config files to .rpmsave on upgrade.
  (forwarded request 901581 from hpjansson)
Dominique Leuenberger (dimstar_suse) accepted request 888799 from Hans Petter Jansson (hpjansson) (revision 151)
- Change vendor configuration dir from /usr/share/ssh/ to /usr/etc/ssh/.
- Remove upgrade enablement hack. This has been fixed in systemd-rpm-macros (bsc#1180083).
  (forwarded request 887559 from hpjansson)
Dominique Leuenberger (dimstar_suse) accepted request 872342 from Hans Petter Jansson (hpjansson) (revision 150)
- Add openssh-whitelist-syscalls.patch (bsc#1182232), fixing failure to accept connections on 32-bit platforms with glibc 2.33+.
Dominique Leuenberger (dimstar_suse) accepted request 867288 from Hans Petter Jansson (hpjansson) (revision 149)
Dominique Leuenberger (dimstar_suse) accepted request 866401 from Dirk Mueller (dirkmueller) (revision 148)
Dominique Leuenberger (dimstar_suse) accepted request 863947 from Hans Petter Jansson (hpjansson) (revision 147)
Dominique Leuenberger (dimstar_suse) accepted request 861779 from Hans Petter Jansson (hpjansson) (revision 146)
- Update openssh-8.1p1-audit.patch (bsc#1180501). This fixes occasional crashes on connection termination caused by accessing freed memory.
  (forwarded request 861491 from hpjansson)
Dominique Leuenberger (dimstar_suse) accepted request 860306 from Hans Petter Jansson (hpjansson) (revision 145)
- Support /usr/etc/pam.d
  (forwarded request 851366 from kukuk)
Dominique Leuenberger (dimstar_suse) accepted request 849984 from Hans Petter Jansson (hpjansson) (revision 144)
- Fix build breakage caused by missing security key objects:
  + Modify openssh-7.7p1-cavstest-ctr.patch.
  + Modify openssh-7.7p1-cavstest-kdf.patch.
  + Add openssh-link-with-sk.patch.
- Add openssh-fips-ensure-approved-moduli.patch (bsc#1177939). This ensures only approved DH parameters are used in FIPS mode.
- Add openssh-8.1p1-ed25519-use-openssl-rng.patch (bsc#1173799). This uses OpenSSL's RAND_bytes() directly instead of the internal ChaCha20-based implementation to obtain random bytes for Ed25519 curve computations. This is required for FIPS compliance.
  (forwarded request 849311 from hpjansson)
Dominique Leuenberger (dimstar_suse) accepted request 841947 from Hans Petter Jansson (hpjansson) (revision 143)
- Work around %service_add_post disabling sshd on upgrade with package name change (bsc#1177039).
- Use of DISABLE_RESTART_ON_UPDATE is deprecated. Replace it with %service_del_postun_without_restart
  (forwarded request 840337 from hpjansson)
Dominique Leuenberger (dimstar_suse) committed (revision 142)
https://bugzilla.opensuse.org/show_bug.cgi?id=1177039
Dominique Leuenberger (dimstar_suse) accepted request 837828 from Hans Petter Jansson (hpjansson) (revision 141)
- Fix fillup-template usage:
  + %post server needs to reference ssh (not sshd), which matches the sysconfig.ssh file name the package ships.
  + %post client does not need any fillup_ calls, as there is no client-relevant sysconfig file present.
  The naming of the sysconfig file (ssh instead of sshd) is unfortunate.
  (forwarded request 837497 from dimstar)
Dominique Leuenberger (dimstar_suse) accepted request 812018 from Marcus Meissner (msmeissn) (revision 140)
Dominique Leuenberger (dimstar_suse) accepted request 811148 from Vítězslav Čížek (vitezslav_cizek) (revision 139)
Dominique Leuenberger (dimstar_suse) accepted request 780476 from Tomáš Chvátal (scarabeus_iv) (revision 138)
Displaying revisions 21 - 40 of 177