Revisions of openssh
Dominique Leuenberger (dimstar_suse) accepted request 1196434 from Antonio Larrosa (alarrosa) (revision 183)
- Update to openssh 9.8p1:
  * No changes for askpass, see main package changelog for details.
- Add patch to fix sshd not logging in the audit failed login attempts (submitted to upstream in https://github.com/openssh/openssh-portable/pull/516):
  * fix-audit-fail-attempt.patch
- Use --enable-dsa-keys when building openssh. It's required if the user sets the crypto-policy mode to LEGACY, where DSA keys should be allowed. The option was added by upstream in 9.7 and set to disabled by default.
- These two changes fix 2 of the 3 issues reported in bsc#1229650.
- Fix a dbus connection leaked in the logind patch that was missing a sd_bus_unref call (found by Matthias Gerstner):
  * logind_set_tty.patch
- Add a patch that fixes a small memory leak when parsing the subsystem configuration option:
  * fix-memleak-in-process_server_config_line_depth.patch
- Update to openssh 9.8p1:
  = Security
  * 1) Race condition in sshd(8) (bsc#1226642, CVE-2024-6387). A critical vulnerability in sshd(8) was present in Portable OpenSSH versions between 8.5p1 and 9.7p1 (inclusive) that may allow arbitrary code execution with root privileges. Successful exploitation has been demonstrated on 32-bit Linux/glibc systems with ASLR. Under lab conditions, the attack requires on average 6-8 hours of continuous connections up to
Ana Guerrero (anag+factory) committed (revision 182)
https://bugzilla.opensuse.org/show_bug.cgi?id=1229650
Ana Guerrero (anag+factory) accepted request 1194679 from Factory Maintainer (factory-maintainer) (revision 181)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse) committed (revision 176)
https://bugzilla.opensuse.org/show_bug.cgi?id=1224392
Ana Guerrero (anag+factory) accepted request 1150501 from Hans Petter Jansson (hpjansson) (revision 170)
- Update to openssh 9.6p1:
  * No changes for askpass, see main package changelog for details.
- Update to openssh 9.6p1:
  = Security
  * ssh(1), sshd(8): implement protocol extensions to thwart the so-called "Terrapin attack" discovered by Fabian Bäumer, Marcus Brinkmann and Jörg Schwenk. This attack allows a MITM to effect a limited break of the integrity of the early encrypted SSH transport protocol by sending extra messages prior to the commencement of encryption, and deleting an equal number of consecutive messages immediately after encryption starts. A peer SSH client/server would not be able to detect that messages were deleted.
  * ssh-agent(1): when adding PKCS#11-hosted private keys while specifying destination constraints, if the PKCS#11 token returned multiple keys then only the first key had the constraints applied. Use of regular private keys, FIDO tokens and unconstrained keys are unaffected.
  * ssh(1): if an invalid user or hostname that contained shell metacharacters was passed to ssh(1), and a ProxyCommand, LocalCommand directive or "match exec" predicate referenced the user or hostname via %u, %h or similar expansion token, then an attacker who could supply arbitrary user/hostnames to ssh(1) could potentially perform command injection depending on what quoting was present in the user-supplied ssh_config(5) directive.
  = Potentially incompatible changes
  * ssh(1), sshd(8): the RFC4254 connection/channels protocol provides a TCP-like window mechanism that limits the amount of data that can be sent without acceptance from the peer. In cases where this
(forwarded request 1150500 from hpjansson)
Ana Guerrero (anag+factory) accepted request 1133933 from Hans Petter Jansson (hpjansson) (revision 169)
Added openssh-cve-2023-48795.patch (forwarded request 1133932 from hpjansson)
Ana Guerrero (anag+factory) accepted request 1129646 from Hans Petter Jansson (hpjansson) (revision 168)
Ana Guerrero (anag+factory) accepted request 1112087 from Hans Petter Jansson (hpjansson) (revision 166)
Teach openssh to tell logind the TTY, else tools like wall will stop working now with the new systemd v254 and util-linux (and who, w, ... will not show a tty) (forwarded request 1110800 from kukuk)
Displaying revisions 1 - 20 of 185