Revisions of openssh
Antonio Larrosa (alarrosa) accepted request 1174779 from Antonio Larrosa (alarrosa) (revision 267)
- Remove the recommendation for openssh-server-config-rootlogin from openssh-server. Since the default for that config option was changed in SLE, it's not needed anymore in SLE or in TW (boo#1224392).
- Add a warning in %post of openssh-clients, openssh-server and openssh-server-config-disallow-rootlogin to warn the user if the /etc/ssh/(ssh_config.d|sshd_config.d) directories are not being used (bsc#1223486).
Dirk Mueller (dirkmueller) accepted request 1173783 from Antonio Larrosa (alarrosa) (revision 266)
- Only for SLE15, restore the patch file removed on Thu Feb 18 13:54:44 UTC 2021 to restore the previous behaviour from SP5 of having root password login allowed by default (fixes bsc#1223486, related to bsc#1173067):
  * openssh-7.7p1-allow_root_password_login.patch
- Since the default value for this config option is now set to permit root to use password logins in SLE15, the openssh-server-config-rootlogin subpackage isn't useful there, so we now create an openssh-server-config-disallow-rootlogin subpackage that sets the configuration the other way around from openssh-server-config-rootlogin.
Antonio Larrosa (alarrosa) accepted request 1167855 from Antonio Larrosa (alarrosa) (revision 265)
Add bugzilla reference to bsc#1221005
Antonio Larrosa (alarrosa) accepted request 1167816 from Marcus Meissner (msmeissn) (revision 264)
- openssh-8.0p1-gssapi-keyex.patch: Added missing struct initializer, added missing parameter (bsc#1222840)
Antonio Larrosa (alarrosa) accepted request 1167038 from Antonio Larrosa (alarrosa) (revision 263)
- Make openssh-server recommend the openssh-server-config-rootlogin package in SLE in order to keep the same behaviour as previous SPs, where the PermitRootLogin default was set to yes.
- Fix crypto-policies requirement to be set by openssh-server, not the config-rootlogin subpackage.
- Add back %config(noreplace) tag for more config files that were already set like this in previous SPs.
Antonio Larrosa (alarrosa) accepted request 1166764 from Arnav Singh (Arnavion) (revision 262)
- Fix duplicate loading of dropins. (boo#1222467)
Antonio Larrosa (alarrosa) accepted request 1166156 from Antonio Larrosa (alarrosa) (revision 261)
Add one more bsc/CVE reference
Antonio Larrosa (alarrosa) accepted request 1165554 from Antonio Larrosa (alarrosa) (revision 260)
- Add missing bugzilla/CVE references to the changelog
Antonio Larrosa (alarrosa) accepted request 1165549 from Antonio Larrosa (alarrosa) (revision 259)
- Add patch from SLE which was missing in Factory:
  * Mon Jun 7 20:54:09 UTC 2021 - Hans Petter Jansson <hpj@suse.com>
  - Add openssh-mitigate-lingering-secrets.patch (bsc#1186673), which attempts to mitigate instances of secrets lingering in memory after a session exits. (bsc#1213004 bsc#1213008)
- Rebase patch:
  * openssh-6.6p1-privsep-selinux.patch
Antonio Larrosa (alarrosa) accepted request 1165438 from Antonio Larrosa (alarrosa) (revision 258)
Forward a fix for a patch from SLE
- Rebase openssh-7.7p1-fips.patch (bsc#1221928): remove the OPENSSL_HAVE_EVPGCM ifdef, which is no longer supported by upstream.
Marcus Meissner (msmeissn) accepted request 1164145 from Antonio Larrosa (alarrosa) (revision 257)
- Use %config(noreplace) for sshd_config. In any case, it's recommended to drop a file in sshd_config.d instead of editing sshd_config (bsc#1221063).
- Use %{_libexecdir} when removing ssh-keycat instead of the hardcoded path so it works in TW and SLE.
Marcus Meissner (msmeissn) accepted request 1155471 from Pedro Monreal Gonzalez (pmonrealgonzalez) (revision 256)
- Add crypto-policies support [bsc#1211301]
  * Add patches:
    - openssh-9.6p1-crypto-policies.patch
    - openssh-9.6p1-crypto-policies-man.patch
Hans Petter Jansson (hpjansson) accepted request 1150500 from Hans Petter Jansson (hpjansson) (revision 255)
- Update to openssh 9.6p1:
  * No changes for askpass, see main package changelog for details.
- Update to openssh 9.6p1:
  = Security
  * ssh(1), sshd(8): implement protocol extensions to thwart the so-called "Terrapin attack" discovered by Fabian Bäumer, Marcus Brinkmann and Jörg Schwenk. This attack allows a MITM to effect a limited break of the integrity of the early encrypted SSH transport protocol by sending extra messages prior to the commencement of encryption, and deleting an equal number of consecutive messages immediately after encryption starts. A peer SSH client/server would not be able to detect that messages were deleted.
  * ssh-agent(1): when adding PKCS#11-hosted private keys while specifying destination constraints, if the PKCS#11 token returned multiple keys then only the first key had the constraints applied. Use of regular private keys, FIDO tokens and unconstrained keys are unaffected.
  * ssh(1): if an invalid user or hostname that contained shell metacharacters was passed to ssh(1), and a ProxyCommand, LocalCommand directive or "match exec" predicate referenced the user or hostname via %u, %h or similar expansion token, then an attacker who could supply arbitrary user/hostnames to ssh(1) could potentially perform command injection depending on what quoting was present in the user-supplied ssh_config(5) directive.
  = Potentially incompatible changes
  * ssh(1), sshd(8): the RFC4254 connection/channels protocol provides a TCP-like window mechanism that limits the amount of data that can be sent without acceptance from the peer. In cases where this
Hans Petter Jansson (hpjansson) accepted request 1133932 from Hans Petter Jansson (hpjansson) (revision 254)
Added openssh-cve-2023-48795.patch
Hans Petter Jansson (hpjansson) accepted request 1113799 from Thorsten Kukuk (kukuk) (revision 253)
- Disable SLP by default for Factory and ALP (bsc#1214884)
Hans Petter Jansson (hpjansson) accepted request 1123220 from Johannes Segitz (jsegitz) (revision 252)
- Enhanced SELinux functionality. Added Fedora patches:
  * openssh-7.8p1-role-mls.patch
    Proper handling of MLS systems and basis for other SELinux improvements
  * openssh-6.6p1-privsep-selinux.patch
    Properly set contexts during privilege separation
  * openssh-6.6p1-keycat.patch
    Add ssh-keycat command to allow retrieval of authorized_keys on MLS setups with polyinstantiation
  * openssh-6.6.1p1-selinux-contexts.patch
    Additional changes to set the proper context during privilege separation
  * openssh-7.6p1-cleanup-selinux.patch
    Various changes and putting the pieces together
  For now we don't ship the ssh-keycat command, but we need the patch for the other SELinux infrastructure.
  This change fixes issues like bsc#1214788, where the ssh daemon needs to act on behalf of a user and needs a proper context for this.
Marcus Meissner (msmeissn) accepted request 1119952 from Dominique Leuenberger (dimstar) (revision 251)
- Add cb4ed12f.patch: Fix build using zlib 1.3. The check expected a version in the form a.b.c[.d], which no longer matches 1.3. See failure with zlib 1.3 in Staging:N
Hans Petter Jansson (hpjansson) accepted request 1110800 from Thorsten Kukuk (kukuk) (revision 250)
Teach openssh to tell logind the TTY, else tools like wall will stop working now with the new systemd v254 and util-linux (and who, w, ... will not show a tty)
Marcus Meissner (msmeissn) accepted request 1099810 from Simon Lees (simotek) (revision 249)
- Update to openssh 9.3p2
  * No changes for askpass, see main package changelog for details
- Update to openssh 9.3p2 (bsc#1213504, CVE-2023-38408):
  Security
  ========
  Fix CVE-2023-38408 - a condition where specific libraries loaded via ssh-agent(1)'s PKCS#11 support could be abused to achieve remote code execution via a forwarded agent socket if the following conditions are met:
  * Exploitation requires the presence of specific libraries on the victim system.
  * Remote exploitation requires that the agent was forwarded to an attacker-controlled system.
  Exploitation can also be prevented by starting ssh-agent(1) with an empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring an allowlist that contains only specific provider libraries.
  This vulnerability was discovered and demonstrated to be exploitable by the Qualys Security Advisory team.
  In addition to removing the main precondition for exploitation, this release removes the ability for remote ssh-agent(1) clients to load PKCS#11 modules by default (see below).
  Potentially-incompatible changes
  --------------------------------
  * ssh-agent(8): the agent will now refuse requests to load PKCS#11 modules issued by remote clients by default. A flag has been added to restore the previous behaviour "-Oallow-remote-pkcs11". Note that ssh-agent(8) depends on the SSH client to identify requests that are remote. The OpenSSH >=8.9 ssh(1) client does this, but forwarding access to an agent socket using other tools may circumvent this restriction.
Dirk Mueller (dirkmueller) accepted request 1089432 from Andreas Stieger (AndreasStieger) (revision 248)
- openssh-askpass-gnome: require only openssh-clients, not the full openssh (including -server), to avoid pulling in excessive dependencies when installing git on Gnome (boo#1211446)