Revisions of openssh

Antonio Larrosa (alarrosa) accepted request 1174779 from Antonio Larrosa (alarrosa) (revision 267)
- Remove the recommendation for openssh-server-config-rootlogin
  from openssh-server. Since the default for that config option
  was changed in SLE it's not needed anymore in SLE nor in TW
  (boo#1224392).

- Add a warning in %post of openssh-clients, openssh-server and
  openssh-server-config-disallow-rootlogin to warn the user if
  the /etc/ssh/(ssh_config.d|sshd_config.d) directories are not
  being used (bsc#1223486).

Dirk Mueller (dirkmueller) accepted request 1173783 from Antonio Larrosa (alarrosa) (revision 266)
- Only for SLE15, restore the patch file removed in
  Thu Feb 18 13:54:44 UTC 2021 to restore the previous behaviour
  from SP5 of having root password login allowed by default
  (fixes bsc#1223486, related to bsc#1173067):
  * openssh-7.7p1-allow_root_password_login.patch
- Since the default value for this config option is now set to
  permit root to use password logins in SLE15, the
  openssh-server-config-rootlogin subpackage isn't useful there so
  we now create an openssh-server-config-disallow-rootlogin
  subpackage that sets the configuration the other way around
  than openssh-server-config-rootlogin.

Antonio Larrosa (alarrosa) accepted request 1167855 from Antonio Larrosa (alarrosa) (revision 265)
Add bugzilla reference to bsc#1221005

Antonio Larrosa (alarrosa) accepted request 1167816 from Marcus Meissner (msmeissn) (revision 264)
- openssh-8.0p1-gssapi-keyex.patch: Added missing struct initializer,
  added missing parameter (bsc#1222840)

Antonio Larrosa (alarrosa) accepted request 1167038 from Antonio Larrosa (alarrosa) (revision 263)
- Make openssh-server recommend the openssh-server-config-rootlogin
  package in SLE in order to keep the same behaviour of previous
  SPs where the PermitRootLogin default was set to yes.
- Fix crypto-policies requirement to be set by openssh-server, not
  the config-rootlogin subpackage.
- Add back %config(noreplace) tag for more config files that were
  already set like this in previous SPs.

Antonio Larrosa (alarrosa) accepted request 1166764 from Arnav Singh (Arnavion) (revision 262)
- Fix duplicate loading of dropins. (boo#1222467)

Antonio Larrosa (alarrosa) accepted request 1166156 from Antonio Larrosa (alarrosa) (revision 261)
Add one more bsc/CVE reference

Antonio Larrosa (alarrosa) accepted request 1165554 from Antonio Larrosa (alarrosa) (revision 260)
- Add missing bugzilla/CVE references to the changelog

Antonio Larrosa (alarrosa) accepted request 1165549 from Antonio Larrosa (alarrosa) (revision 259)
- Add patch from SLE which was missing in Factory:
  * Mon Jun  7 20:54:09 UTC 2021 - Hans Petter Jansson <hpj@suse.com>
- Add openssh-mitigate-lingering-secrets.patch (bsc#1186673), which
  attempts to mitigate instances of secrets lingering in memory
  after a session exits. (bsc#1213004 bsc#1213008)
- Rebase patch:
  * openssh-6.6p1-privsep-selinux.patch

Antonio Larrosa (alarrosa) accepted request 1165438 from Antonio Larrosa (alarrosa) (revision 258)
Forward a fix for a patch from SLE

- Rebase openssh-7.7p1-fips.patch (bsc#1221928)
  Remove OPENSSL_HAVE_EVPGCM-ifdef, which is no longer supported by
  upstream

Marcus Meissner (msmeissn) accepted request 1164145 from Antonio Larrosa (alarrosa) (revision 257)
- Use %config(noreplace) for sshd_config . In any case, it's
  recommended to drop a file in sshd_config.d instead of editing
  sshd_config (bsc#1221063)
- Use %{_libexecdir} when removing ssh-keycat instead of the
  hardcoded path so it works in TW and SLE.
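Both the %post warning of revision 267 and the advice in revision 257 to drop a file into sshd_config.d rather than editing sshd_config depend on one thing: the main config must actually contain an Include line for the drop-in directory, and that directory must hold something. The POSIX shell check below is an added example, not code from the openSUSE package or its %post scriptlet; the function name check_dropins, its return codes, and the throwaway config tree the demo builds under a temporary directory are all constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper, not the package's %post scriptlet).
# check_dropins <sshd_config> <dropin_dir>
#   prints a status word and returns
#   0 if the drop-in directory is included and holds *.conf files,
#   1 if the main config never includes the directory,
#   2 if it is included but empty.
check_dropins() {
    cfg="$1"
    dir="$2"
    # Escape regex metacharacters in the path so it is matched literally.
    esc=$(printf '%s' "$dir" | sed 's/[.[\*^$]/\\&/g')
    # sshd_config keywords are case-insensitive, hence -i.
    if ! grep -Eiq "^[[:space:]]*Include[[:space:]]+${esc}/" "$cfg"; then
        echo "not-included"
        return 1
    fi
    # Count the *.conf files the Include glob would pick up.
    n=0
    for f in "$dir"/*.conf; do
        [ -f "$f" ] && n=$((n + 1))
    done
    if [ "$n" -eq 0 ]; then
        echo "included-but-empty"
        return 2
    fi
    echo "in-use ($n file(s))"
    return 0
}

# Constructed demo: a temporary config tree, never the real /etc/ssh.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/sshd_config.d"
    printf 'Include %s/sshd_config.d/*.conf\nPasswordAuthentication no\n' \
        "$tmp" > "$tmp/sshd_config"
    check_dropins "$tmp/sshd_config" "$tmp/sshd_config.d"   # included-but-empty
    printf 'PermitRootLogin no\n' > "$tmp/sshd_config.d/10-rootlogin.conf"
    check_dropins "$tmp/sshd_config" "$tmp/sshd_config.d"   # in-use (1 file(s))
    rm -rf "$tmp"
}

demo
```

On a live host the call is `check_dropins /etc/ssh/sshd_config /etc/ssh/sshd_config.d`. Treat it as a structural check only: sshd_config(5) uses the first obtained value for each option, so a drop-in included after a setting in the main file does not override it, and `sshd -T` remains the authoritative way to read the effective configuration.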

Marcus Meissner (msmeissn) accepted request 1155471 from Pedro Monreal Gonzalez (pmonrealgonzalez) (revision 256)
- Add crypto-policies support [bsc#1211301]
  * Add patches:
    - openssh-9.6p1-crypto-policies.patch
    - openssh-9.6p1-crypto-policies-man.patch

Hans Petter Jansson (hpjansson) accepted request 1150500 from Hans Petter Jansson (hpjansson) (revision 255)
- Update to openssh 9.6p1:
  * No changes for askpass, see main package changelog for
    details.

- Update to openssh 9.6p1:
  = Security
  * ssh(1), sshd(8): implement protocol extensions to thwart the
    so-called "Terrapin attack" discovered by Fabian Bäumer, Marcus
    Brinkmann and Jörg Schwenk. This attack allows a MITM to effect a
    limited break of the integrity of the early encrypted SSH transport
    protocol by sending extra messages prior to the commencement of
    encryption, and deleting an equal number of consecutive messages
    immediately after encryption starts. A peer SSH client/server
    would not be able to detect that messages were deleted.
  * ssh-agent(1): when adding PKCS#11-hosted private keys while
    specifying destination constraints, if the PKCS#11 token returned
    multiple keys then only the first key had the constraints applied.
    Use of regular private keys, FIDO tokens and unconstrained keys
    are unaffected.
  * ssh(1): if an invalid user or hostname that contained shell
    metacharacters was passed to ssh(1), and a ProxyCommand,
    LocalCommand directive or "match exec" predicate referenced the
    user or hostname via %u, %h or similar expansion token, then
    an attacker who could supply arbitrary user/hostnames to ssh(1)
    could potentially perform command injection depending on what
    quoting was present in the user-supplied ssh_config(5) directive.
  = Potentially incompatible changes
  * ssh(1), sshd(8): the RFC4254 connection/channels protocol provides
    a TCP-like window mechanism that limits the amount of data that
    can be sent without acceptance from the peer. In cases where this

Hans Petter Jansson (hpjansson) accepted request 1133932 from Hans Petter Jansson (hpjansson) (revision 254)
Added openssh-cve-2023-48795.patch

Hans Petter Jansson (hpjansson) accepted request 1113799 from Thorsten Kukuk (kukuk) (revision 253)
- Disable SLP by default for Factory and ALP (bsc#1214884)

Hans Petter Jansson (hpjansson) accepted request 1123220 from Johannes Segitz (jsegitz) (revision 252)
- Enhanced SELinux functionality. Added Fedora patches:
  * openssh-7.8p1-role-mls.patch
    Proper handling of MLS systems and basis for other SELinux
    improvements
  * openssh-6.6p1-privsep-selinux.patch
    Properly set contexts during privilege separation
  * openssh-6.6p1-keycat.patch
    Add ssh-keycat command to allow retrieval of authorized_keys
    on MLS setups with polyinstantiation
  * openssh-6.6.1p1-selinux-contexts.patch
    Additional changes to set the proper context during privilege
    separation
  * openssh-7.6p1-cleanup-selinux.patch
    Various changes and putting the pieces together
  For now we don't ship the ssh-keycat command, but we need the patch
  for the other SELinux infrastructure
  This change fixes issues like bsc#1214788, where the ssh daemon
  needs to act on behalf of a user and needs a proper context for this

Marcus Meissner (msmeissn) accepted request 1119952 from Dominique Leuenberger (dimstar) (revision 251)
- Add cb4ed12f.patch: Fix build using zlib 1.3. The check expected
  a version in the form a.b.c[.d], which no longer matches 1.3.

See failure with zlib 1.3 in Staging:N

Hans Petter Jansson (hpjansson) accepted request 1110800 from Thorsten Kukuk (kukuk) (revision 250)
Teach openssh to tell logind the TTY, else tools like wall will stop working now with the new systemd v254 and util-linux (and who, w, ... will not show a tty)

Marcus Meissner (msmeissn) accepted request 1099810 from Simon Lees (simotek) (revision 249)
- Update to openssh 9.3p2
  * No changes for askpass, see main package changelog for
    details
- Update to openssh 9.3p2 (bsc#1213504, CVE-2023-38408):
  Security
  ========
  Fix CVE-2023-38408 - a condition where specific libraries loaded via
  ssh-agent(1)'s PKCS#11 support could be abused to achieve remote
  code execution via a forwarded agent socket if the following
  conditions are met:
  * Exploitation requires the presence of specific libraries on
    the victim system.
  * Remote exploitation requires that the agent was forwarded
    to an attacker-controlled system.
  Exploitation can also be prevented by starting ssh-agent(1) with an
  empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring
  an allowlist that contains only specific provider libraries.
  This vulnerability was discovered and demonstrated to be exploitable
  by the Qualys Security Advisory team.

  In addition to removing the main precondition for exploitation,
  this release removes the ability for remote ssh-agent(1) clients
  to load PKCS#11 modules by default (see below).
  Potentially-incompatible changes
  --------------------------------
   * ssh-agent(8): the agent will now refuse requests to load PKCS#11
     modules issued by remote clients by default. A flag has been added
     to restore the previous behaviour "-Oallow-remote-pkcs11".
     Note that ssh-agent(8) depends on the SSH client to identify
     requests that are remote. The OpenSSH >=8.9 ssh(1) client does
     this, but forwarding access to an agent socket using other tools
     may circumvent this restriction.

Dirk Mueller (dirkmueller) accepted request 1089432 from Andreas Stieger (AndreasStieger) (revision 248)
- openssh-askpass-gnome: require only openssh-clients, not the full
  openssh (including -server), to avoid pulling in excessive
  dependencies when installing git on Gnome (boo#1211446)