Revisions of openssh

Dominique Leuenberger (dimstar_suse) accepted request 1196434 from Antonio Larrosa (alarrosa) (revision 183)
- Update to openssh 9.8p1:
  * No changes for askpass, see main package changelog for
    details.

- Add patch to fix sshd not logging in the audit failed login
  attempts (submitted to upstream in
  https://github.com/openssh/openssh-portable/pull/516):
  * fix-audit-fail-attempt.patch
- Use --enable-dsa-keys when building openssh. It's required if
  the user sets the crypto-policy mode to LEGACY, where DSA keys
  should be allowed. The option was added by upstream in 9.7 and
  set to disabled by default.
- These two changes fix 2 of the 3 issues reported in bsc#1229650.

- Fix a dbus connection leaked in the logind patch that was
  missing a sd_bus_unref call (found by Matthias Gerstner):
  * logind_set_tty.patch
- Add a patch that fixes a small memory leak when parsing the
  subsystem configuration option:
  * fix-memleak-in-process_server_config_line_depth.patch

- Update to openssh 9.8p1:
  = Security
  * 1) Race condition in sshd(8) (bsc#1226642, CVE-2024-6387).
    A critical vulnerability in sshd(8) was present in Portable
    OpenSSH versions between 8.5p1 and 9.7p1 (inclusive) that may
    allow arbitrary code execution with root privileges.
    Successful exploitation has been demonstrated on 32-bit
    Linux/glibc systems with ASLR. Under lab conditions, the attack
    requires on average 6-8 hours of continuous connections up to
Ana Guerrero (anag+factory) committed (revision 182)
https://bugzilla.opensuse.org/show_bug.cgi?id=1229650
Ana Guerrero (anag+factory) accepted request 1194679 from Factory Maintainer (factory-maintainer) (revision 181)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse) committed (revision 176)
https://bugzilla.opensuse.org/show_bug.cgi?id=1224392
Ana Guerrero (anag+factory) accepted request 1150501 from Hans Petter Jansson (hpjansson) (revision 170)
- Update to openssh 9.6p1:
  * No changes for askpass, see main package changelog for
    details.

- Update to openssh 9.6p1:
  = Security
  * ssh(1), sshd(8): implement protocol extensions to thwart the
    so-called "Terrapin attack" discovered by Fabian Bäumer, Marcus
    Brinkmann and Jörg Schwenk. This attack allows a MITM to effect a
    limited break of the integrity of the early encrypted SSH transport
    protocol by sending extra messages prior to the commencement of
    encryption, and deleting an equal number of consecutive messages
    immediately after encryption starts. A peer SSH client/server
    would not be able to detect that messages were deleted.
  * ssh-agent(1): when adding PKCS#11-hosted private keys while
    specifying destination constraints, if the PKCS#11 token returned
    multiple keys then only the first key had the constraints applied.
    Use of regular private keys, FIDO tokens and unconstrained keys
    are unaffected.
  * ssh(1): if an invalid user or hostname that contained shell
    metacharacters was passed to ssh(1), and a ProxyCommand,
    LocalCommand directive or "match exec" predicate referenced the
    user or hostname via %u, %h or similar expansion token, then
    an attacker who could supply arbitrary user/hostnames to ssh(1)
    could potentially perform command injection depending on what
    quoting was present in the user-supplied ssh_config(5) directive.
  = Potentially incompatible changes
  * ssh(1), sshd(8): the RFC4254 connection/channels protocol provides
    a TCP-like window mechanism that limits the amount of data that
    can be sent without acceptance from the peer. In cases where this
(forwarded request 1150500 from hpjansson)
Ana Guerrero (anag+factory) accepted request 1133933 from Hans Petter Jansson (hpjansson) (revision 169)
Added openssh-cve-2023-48795.patch (forwarded request 1133932 from hpjansson)
Ana Guerrero (anag+factory) accepted request 1112087 from Hans Petter Jansson (hpjansson) (revision 166)
Teach openssh to tell logind the TTY, else tools like wall will stop working now with the new systemd v254 and util-linux (and who, w, ... will not show a tty) (forwarded request 1110800 from kukuk)