openssh-7.5p1-1 + 0.10.3-2
parent
fd58b9eabb
commit
17b491b307
1
.gitignore
vendored
1
.gitignore
vendored
@ -25,3 +25,4 @@ pam_ssh_agent_auth-0.9.2.tar.bz2
|
|||||||
/openssh-7.3p1.tar.gz
|
/openssh-7.3p1.tar.gz
|
||||||
/openssh-7.4p1.tar.gz
|
/openssh-7.4p1.tar.gz
|
||||||
/pam_ssh_agent_auth-0.10.3.tar.bz2
|
/pam_ssh_agent_auth-0.10.3.tar.bz2
|
||||||
|
/openssh-7.5p1.tar.gz
|
||||||
|
@ -60,8 +60,8 @@ diff -up openssh-7.4p1/servconf.c.vendor openssh-7.4p1/servconf.c
|
|||||||
{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
|
{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
|
||||||
{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
|
{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
|
||||||
@@ -1369,6 +1373,10 @@ process_server_config_line(ServerOptions
|
@@ -1369,6 +1373,10 @@ process_server_config_line(ServerOptions
|
||||||
multistate_ptr = multistate_privsep;
|
intptr = &options->disable_forwarding;
|
||||||
goto parse_multistate;
|
goto parse_flag;
|
||||||
|
|
||||||
+ case sShowPatchLevel:
|
+ case sShowPatchLevel:
|
||||||
+ intptr = &options->show_patchlevel;
|
+ intptr = &options->show_patchlevel;
|
||||||
@ -138,12 +138,12 @@ diff -up openssh-7.4p1/sshd.c.vendor openssh-7.4p1/sshd.c
|
|||||||
@@ -367,7 +367,8 @@ sshd_exchange_identification(struct ssh
|
@@ -367,7 +367,8 @@ sshd_exchange_identification(struct ssh
|
||||||
char remote_version[256]; /* Must be at least as big as buf. */
|
char remote_version[256]; /* Must be at least as big as buf. */
|
||||||
|
|
||||||
xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
|
xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n",
|
||||||
- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
|
- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
|
||||||
+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2,
|
+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2,
|
||||||
+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION,
|
+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION,
|
||||||
*options.version_addendum == '\0' ? "" : " ",
|
*options.version_addendum == '\0' ? "" : " ",
|
||||||
options.version_addendum, newline);
|
options.version_addendum);
|
||||||
|
|
||||||
@@ -1650,7 +1651,8 @@ main(int ac, char **av)
|
@@ -1650,7 +1651,8 @@ main(int ac, char **av)
|
||||||
exit(1);
|
exit(1);
|
||||||
|
@ -82,7 +82,7 @@ diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
|
|||||||
M_CP_INTOPT(rekey_interval);
|
M_CP_INTOPT(rekey_interval);
|
||||||
|
|
||||||
@@ -2320,6 +2330,7 @@ dump_config(ServerOptions *o)
|
@@ -2320,6 +2330,7 @@ dump_config(ServerOptions *o)
|
||||||
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
|
dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
|
||||||
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
|
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
|
||||||
dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
|
dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
|
||||||
+ dump_cfg_fmtint(sGssEnablek5users, o->enable_k5users);
|
+ dump_cfg_fmtint(sGssEnablek5users, o->enable_k5users);
|
||||||
|
@ -235,8 +235,8 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
|
|||||||
M_CP_INTOPT(rekey_interval);
|
M_CP_INTOPT(rekey_interval);
|
||||||
|
|
||||||
@@ -2309,6 +2319,7 @@ dump_config(ServerOptions *o)
|
@@ -2309,6 +2319,7 @@ dump_config(ServerOptions *o)
|
||||||
|
dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
|
||||||
dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
|
dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
|
||||||
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
|
|
||||||
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
|
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
|
||||||
+ dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
|
+ dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
|
||||||
|
|
||||||
|
@ -71,7 +71,7 @@ diff -up openssh-7.4p1/configure.ac.tcp_wrappers openssh-7.4p1/configure.ac
|
|||||||
+echo " TCP Wrappers support: $TCPW_MSG"
|
+echo " TCP Wrappers support: $TCPW_MSG"
|
||||||
echo " MD5 password support: $MD5_MSG"
|
echo " MD5 password support: $MD5_MSG"
|
||||||
echo " libedit support: $LIBEDIT_MSG"
|
echo " libedit support: $LIBEDIT_MSG"
|
||||||
echo " Solaris process contract support: $SPC_MSG"
|
echo " libldns support: $LDNS_MSG"
|
||||||
diff -up openssh-7.4p1/sshd.8.tcp_wrappers openssh-7.4p1/sshd.8
|
diff -up openssh-7.4p1/sshd.8.tcp_wrappers openssh-7.4p1/sshd.8
|
||||||
--- openssh-7.4p1/sshd.8.tcp_wrappers 2016-12-23 15:36:38.759411194 +0100
|
--- openssh-7.4p1/sshd.8.tcp_wrappers 2016-12-23 15:36:38.759411194 +0100
|
||||||
+++ openssh-7.4p1/sshd.8 2016-12-23 15:36:38.778411197 +0100
|
+++ openssh-7.4p1/sshd.8 2016-12-23 15:36:38.778411197 +0100
|
||||||
|
@ -169,7 +169,7 @@ diff -up openssh-7.0p1/readconf.c.gsskexalg openssh-7.0p1/readconf.c
|
|||||||
{ "gssapiserveridentity", oGssServerIdentity },
|
{ "gssapiserveridentity", oGssServerIdentity },
|
||||||
{ "gssapirenewalforcesrekey", oGssRenewalRekey },
|
{ "gssapirenewalforcesrekey", oGssRenewalRekey },
|
||||||
+ { "gssapikexalgorithms", oGssKexAlgorithms },
|
+ { "gssapikexalgorithms", oGssKexAlgorithms },
|
||||||
#else
|
# else
|
||||||
{ "gssapiauthentication", oUnsupported },
|
{ "gssapiauthentication", oUnsupported },
|
||||||
{ "gssapikeyexchange", oUnsupported },
|
{ "gssapikeyexchange", oUnsupported },
|
||||||
@@ -207,6 +209,7 @@ static struct {
|
@@ -207,6 +209,7 @@ static struct {
|
||||||
@ -178,8 +178,8 @@ diff -up openssh-7.0p1/readconf.c.gsskexalg openssh-7.0p1/readconf.c
|
|||||||
{ "gssapirenewalforcesrekey", oUnsupported },
|
{ "gssapirenewalforcesrekey", oUnsupported },
|
||||||
+ { "gssapikexalgorithms", oUnsupported },
|
+ { "gssapikexalgorithms", oUnsupported },
|
||||||
#endif
|
#endif
|
||||||
{ "fallbacktorsh", oDeprecated },
|
#ifdef ENABLE_PKCS11
|
||||||
{ "usersh", oDeprecated },
|
{ "smartcarddevice", oPKCS11Provider },
|
||||||
@@ -929,6 +932,18 @@ parse_time:
|
@@ -929,6 +932,18 @@ parse_time:
|
||||||
intptr = &options->gss_renewal_rekey;
|
intptr = &options->gss_renewal_rekey;
|
||||||
goto parse_flag;
|
goto parse_flag;
|
||||||
@ -249,7 +249,7 @@ diff -up openssh-7.0p1/servconf.c.gsskexalg openssh-7.0p1/servconf.c
|
|||||||
options->kbd_interactive_authentication = -1;
|
options->kbd_interactive_authentication = -1;
|
||||||
options->challenge_response_authentication = -1;
|
options->challenge_response_authentication = -1;
|
||||||
@@ -288,6 +290,10 @@ fill_default_server_options(ServerOption
|
@@ -288,6 +290,10 @@ fill_default_server_options(ServerOption
|
||||||
options->gss_strict_acceptor = 0;
|
options->gss_strict_acceptor = 1;
|
||||||
if (options->gss_store_rekey == -1)
|
if (options->gss_store_rekey == -1)
|
||||||
options->gss_store_rekey = 0;
|
options->gss_store_rekey = 0;
|
||||||
+#ifdef GSSAPI
|
+#ifdef GSSAPI
|
||||||
|
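Review bot: The context line `options->gss_strict_acceptor = 0;` reads `options->gss_strict_acceptor = 1;` on the new side of this hunk, and the same flip appears in the gsskex servconf.c hunk further down the page (around the added `if (options->gss_store_rekey == -1)` lines). These are context lines of the rebased patches, so they describe the tree at the point each patch is applied; if that is what the rebase produces, the package's effective default for GSSAPIStrictAcceptorCheck would change from no to yes with 7.5p1, which the `- New upstream release` changelog entry does not mention. Please confirm which earlier patch or upstream change accounts for the new value and, if the shipped default really changes, record it in %changelog, e.g. `- GSSAPIStrictAcceptorCheck now defaults to yes after rebase`. The body of fill_default_server_options() continues outside the hunk.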
@ -776,7 +776,7 @@ diff -up openssh-7.4p1/auth2.c.audit openssh-7.4p1/auth2.c
|
|||||||
+++ openssh-7.4p1/auth2.c 2016-12-23 18:54:54.434080419 +0100
|
+++ openssh-7.4p1/auth2.c 2016-12-23 18:54:54.434080419 +0100
|
||||||
@@ -249,9 +249,6 @@ input_userauth_request(int type, u_int32
|
@@ -249,9 +249,6 @@ input_userauth_request(int type, u_int32
|
||||||
} else {
|
} else {
|
||||||
logit("input_userauth_request: invalid user %s", user);
|
/* Invalid user, fake password information */
|
||||||
authctxt->pw = fakepw();
|
authctxt->pw = fakepw();
|
||||||
-#ifdef SSH_AUDIT_EVENTS
|
-#ifdef SSH_AUDIT_EVENTS
|
||||||
- PRIVSEP(audit_event(SSH_INVALID_USER));
|
- PRIVSEP(audit_event(SSH_INVALID_USER));
|
||||||
@ -960,9 +960,9 @@ diff -up openssh-7.4p1/kex.c.audit openssh-7.4p1/kex.c
|
|||||||
+#endif
|
+#endif
|
||||||
return SSH_ERR_NO_CIPHER_ALG_MATCH;
|
return SSH_ERR_NO_CIPHER_ALG_MATCH;
|
||||||
+ }
|
+ }
|
||||||
if ((enc->cipher = cipher_by_name(name)) == NULL)
|
if ((enc->cipher = cipher_by_name(name)) == NULL) {
|
||||||
|
free(name);
|
||||||
return SSH_ERR_INTERNAL_ERROR;
|
return SSH_ERR_INTERNAL_ERROR;
|
||||||
enc->name = name;
|
|
||||||
@@ -702,8 +707,12 @@ choose_mac(struct ssh *ssh, struct sshma
|
@@ -702,8 +707,12 @@ choose_mac(struct ssh *ssh, struct sshma
|
||||||
{
|
{
|
||||||
char *name = match_list(client, server, NULL);
|
char *name = match_list(client, server, NULL);
|
||||||
@ -974,9 +974,9 @@ diff -up openssh-7.4p1/kex.c.audit openssh-7.4p1/kex.c
|
|||||||
+#endif
|
+#endif
|
||||||
return SSH_ERR_NO_MAC_ALG_MATCH;
|
return SSH_ERR_NO_MAC_ALG_MATCH;
|
||||||
+ }
|
+ }
|
||||||
if (mac_setup(mac, name) < 0)
|
if (mac_setup(mac, name) < 0) {
|
||||||
|
free(name);
|
||||||
return SSH_ERR_INTERNAL_ERROR;
|
return SSH_ERR_INTERNAL_ERROR;
|
||||||
/* truncate the key */
|
|
||||||
@@ -720,8 +729,12 @@ choose_comp(struct sshcomp *comp, char *
|
@@ -720,8 +729,12 @@ choose_comp(struct sshcomp *comp, char *
|
||||||
{
|
{
|
||||||
char *name = match_list(client, server, NULL);
|
char *name = match_list(client, server, NULL);
|
||||||
@ -1739,16 +1739,16 @@ diff -up openssh-7.4p1/sandbox-seccomp-filter.c.audit openssh-7.4p1/sandbox-secc
|
|||||||
+++ openssh-7.4p1/sandbox-seccomp-filter.c 2016-12-23 18:54:54.438080420 +0100
|
+++ openssh-7.4p1/sandbox-seccomp-filter.c 2016-12-23 18:54:54.438080420 +0100
|
||||||
@@ -159,6 +159,12 @@ static const struct sock_filter preauth_
|
@@ -159,6 +159,12 @@ static const struct sock_filter preauth_
|
||||||
#ifdef __NR_gettimeofday
|
#ifdef __NR_gettimeofday
|
||||||
SC_ALLOW(gettimeofday),
|
SC_ALLOW(__NR_gettimeofday),
|
||||||
#endif
|
#endif
|
||||||
+#ifdef SSH_AUDIT_EVENTS
|
+#ifdef SSH_AUDIT_EVENTS
|
||||||
+ SC_ALLOW(getuid),
|
+ SC_ALLOW(__NR_getuid),
|
||||||
+#ifdef __NR_getuid32 /* not defined on x86_64 */
|
+#ifdef __NR_getuid32 /* not defined on x86_64 */
|
||||||
+ SC_ALLOW(getuid32),
|
+ SC_ALLOW(__NR_getuid32),
|
||||||
+#endif
|
+#endif
|
||||||
+#endif
|
+#endif
|
||||||
#ifdef __NR_madvise
|
#ifdef __NR_madvise
|
||||||
SC_ALLOW(madvise),
|
SC_ALLOW(__NR_madvise),
|
||||||
#endif
|
#endif
|
||||||
diff -up openssh-7.4p1/session.c.audit openssh-7.4p1/session.c
|
diff -up openssh-7.4p1/session.c.audit openssh-7.4p1/session.c
|
||||||
--- openssh-7.4p1/session.c.audit 2016-12-23 18:54:54.430080418 +0100
|
--- openssh-7.4p1/session.c.audit 2016-12-23 18:54:54.430080418 +0100
|
||||||
|
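Review bot: The `SC_ALLOW(__NR_getuid)` and `SC_ALLOW(__NR_getuid32)` entries under `#ifdef SSH_AUDIT_EVENTS` extend the pre-auth seccomp allow-list without saying which audit call needs them, and since this rebase only renames the macro arguments to the `__NR_` form it is a cheap moment to add that comment. The caller is not visible in this hunk, so word it after checking, e.g. `/* SSH_AUDIT_EVENTS: the audit hook in the preauth child calls getuid(2) */`. The preauth_insns filter table starts before this hunk.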
@ -382,13 +382,13 @@ diff -up openssh-7.4p1/sandbox-seccomp-filter.c.fips openssh-7.4p1/sandbox-secco
|
|||||||
+++ openssh-7.4p1/sandbox-seccomp-filter.c 2016-12-23 16:37:49.300741586 +0100
|
+++ openssh-7.4p1/sandbox-seccomp-filter.c 2016-12-23 16:37:49.300741586 +0100
|
||||||
@@ -118,6 +118,9 @@ static const struct sock_filter preauth_
|
@@ -118,6 +118,9 @@ static const struct sock_filter preauth_
|
||||||
#ifdef __NR_open
|
#ifdef __NR_open
|
||||||
SC_DENY(open, EACCES),
|
SC_DENY(__NR_open, EACCES),
|
||||||
#endif
|
#endif
|
||||||
+#ifdef __NR_socket
|
+#ifdef __NR_socket
|
||||||
+ SC_DENY(socket, EACCES),
|
+ SC_DENY(__NR_socket, EACCES),
|
||||||
+#endif
|
+#endif
|
||||||
#ifdef __NR_openat
|
#ifdef __NR_openat
|
||||||
SC_DENY(openat, EACCES),
|
SC_DENY(__NR_openat, EACCES),
|
||||||
#endif
|
#endif
|
||||||
diff -up openssh-7.4p1/servconf.c.fips openssh-7.4p1/servconf.c
|
diff -up openssh-7.4p1/servconf.c.fips openssh-7.4p1/servconf.c
|
||||||
--- openssh-7.4p1/servconf.c.fips 2016-12-23 16:37:49.285741579 +0100
|
--- openssh-7.4p1/servconf.c.fips 2016-12-23 16:37:49.285741579 +0100
|
||||||
|
@ -1959,7 +1959,7 @@ diff -up openssh-7.4p1/readconf.c.gsskex openssh-7.4p1/readconf.c
|
|||||||
oSendEnv, oControlPath, oControlMaster, oControlPersist,
|
oSendEnv, oControlPath, oControlMaster, oControlPersist,
|
||||||
oHashKnownHosts,
|
oHashKnownHosts,
|
||||||
@@ -205,10 +207,19 @@ static struct {
|
@@ -205,10 +207,19 @@ static struct {
|
||||||
{ "afstokenpassing", oUnsupported },
|
/* Sometimes-unsupported options */
|
||||||
#if defined(GSSAPI)
|
#if defined(GSSAPI)
|
||||||
{ "gssapiauthentication", oGssAuthentication },
|
{ "gssapiauthentication", oGssAuthentication },
|
||||||
+ { "gssapikeyexchange", oGssKeyEx },
|
+ { "gssapikeyexchange", oGssKeyEx },
|
||||||
@ -1968,7 +1968,7 @@ diff -up openssh-7.4p1/readconf.c.gsskex openssh-7.4p1/readconf.c
|
|||||||
+ { "gssapiclientidentity", oGssClientIdentity },
|
+ { "gssapiclientidentity", oGssClientIdentity },
|
||||||
+ { "gssapiserveridentity", oGssServerIdentity },
|
+ { "gssapiserveridentity", oGssServerIdentity },
|
||||||
+ { "gssapirenewalforcesrekey", oGssRenewalRekey },
|
+ { "gssapirenewalforcesrekey", oGssRenewalRekey },
|
||||||
#else
|
# else
|
||||||
{ "gssapiauthentication", oUnsupported },
|
{ "gssapiauthentication", oUnsupported },
|
||||||
+ { "gssapikeyexchange", oUnsupported },
|
+ { "gssapikeyexchange", oUnsupported },
|
||||||
{ "gssapidelegatecredentials", oUnsupported },
|
{ "gssapidelegatecredentials", oUnsupported },
|
||||||
@ -1976,8 +1976,8 @@ diff -up openssh-7.4p1/readconf.c.gsskex openssh-7.4p1/readconf.c
|
|||||||
+ { "gssapiclientidentity", oUnsupported },
|
+ { "gssapiclientidentity", oUnsupported },
|
||||||
+ { "gssapirenewalforcesrekey", oUnsupported },
|
+ { "gssapirenewalforcesrekey", oUnsupported },
|
||||||
#endif
|
#endif
|
||||||
{ "fallbacktorsh", oDeprecated },
|
#ifdef ENABLE_PKCS11
|
||||||
{ "usersh", oDeprecated },
|
{ "smartcarddevice", oPKCS11Provider },
|
||||||
@@ -961,10 +972,30 @@ parse_time:
|
@@ -961,10 +972,30 @@ parse_time:
|
||||||
intptr = &options->gss_authentication;
|
intptr = &options->gss_authentication;
|
||||||
goto parse_flag;
|
goto parse_flag;
|
||||||
@ -2136,7 +2136,7 @@ diff -up openssh-7.4p1/servconf.c.gsskex openssh-7.4p1/servconf.c
|
|||||||
if (options->gss_cleanup_creds == -1)
|
if (options->gss_cleanup_creds == -1)
|
||||||
options->gss_cleanup_creds = 1;
|
options->gss_cleanup_creds = 1;
|
||||||
if (options->gss_strict_acceptor == -1)
|
if (options->gss_strict_acceptor == -1)
|
||||||
options->gss_strict_acceptor = 0;
|
options->gss_strict_acceptor = 1;
|
||||||
+ if (options->gss_store_rekey == -1)
|
+ if (options->gss_store_rekey == -1)
|
||||||
+ options->gss_store_rekey = 0;
|
+ options->gss_store_rekey = 0;
|
||||||
if (options->password_authentication == -1)
|
if (options->password_authentication == -1)
|
||||||
@ -2325,8 +2325,8 @@ diff -up openssh-7.4p1/sshconnect2.c.gsskex openssh-7.4p1/sshconnect2.c
|
|||||||
+#endif
|
+#endif
|
||||||
+
|
+
|
||||||
if (options.rekey_limit || options.rekey_interval)
|
if (options.rekey_limit || options.rekey_interval)
|
||||||
packet_set_rekey_limits((u_int32_t)options.rekey_limit,
|
packet_set_rekey_limits(options.rekey_limit,
|
||||||
(time_t)options.rekey_interval);
|
options.rekey_interval);
|
||||||
@@ -212,11 +248,31 @@ ssh_kex2(char *host, struct sockaddr *ho
|
@@ -212,11 +248,31 @@ ssh_kex2(char *host, struct sockaddr *ho
|
||||||
kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
|
kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
|
||||||
# endif
|
# endif
|
||||||
|
@ -2,8 +2,8 @@ diff -up openssh-7.4p1/auth2.c.expose-pam openssh-7.4p1/auth2.c
|
|||||||
--- openssh-7.4p1/auth2.c.expose-pam 2016-12-23 15:40:26.768447868 +0100
|
--- openssh-7.4p1/auth2.c.expose-pam 2016-12-23 15:40:26.768447868 +0100
|
||||||
+++ openssh-7.4p1/auth2.c 2016-12-23 15:40:26.818447876 +0100
|
+++ openssh-7.4p1/auth2.c 2016-12-23 15:40:26.818447876 +0100
|
||||||
@@ -310,6 +310,7 @@ userauth_finish(Authctxt *authctxt, int
|
@@ -310,6 +310,7 @@ userauth_finish(Authctxt *authctxt, int
|
||||||
const char *submethod)
|
|
||||||
{
|
{
|
||||||
|
struct ssh *ssh = active_state; /* XXX */
|
||||||
char *methods;
|
char *methods;
|
||||||
+ char *prev_auth_details;
|
+ char *prev_auth_details;
|
||||||
int partial = 0;
|
int partial = 0;
|
||||||
@ -217,7 +217,7 @@ diff -up openssh-7.4p1/monitor.c.expose-pam openssh-7.4p1/monitor.c
|
|||||||
--- openssh-7.4p1/monitor.c.expose-pam 2016-12-23 15:40:26.794447872 +0100
|
--- openssh-7.4p1/monitor.c.expose-pam 2016-12-23 15:40:26.794447872 +0100
|
||||||
+++ openssh-7.4p1/monitor.c 2016-12-23 15:41:16.473455863 +0100
|
+++ openssh-7.4p1/monitor.c 2016-12-23 15:41:16.473455863 +0100
|
||||||
@@ -300,6 +300,7 @@ monitor_child_preauth(Authctxt *_authctx
|
@@ -300,6 +300,7 @@ monitor_child_preauth(Authctxt *_authctx
|
||||||
{
|
struct ssh *ssh = active_state; /* XXX */
|
||||||
struct mon_table *ent;
|
struct mon_table *ent;
|
||||||
int authenticated = 0, partial = 0;
|
int authenticated = 0, partial = 0;
|
||||||
+ char *prev_auth_details;
|
+ char *prev_auth_details;
|
||||||
|
@ -50,4 +50,4 @@ diff -up openssh-7.2p2/channels.c.x11 openssh-7.2p2/channels.c
|
|||||||
+ return -1;
|
+ return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
int
|
#ifdef __APPLE__
|
||||||
|
@ -2133,8 +2133,8 @@ diff -up openssh-7.4p1/sshconnect1.c.openssl openssh-7.4p1/sshconnect1.c
|
|||||||
int bits, rbits;
|
int bits, rbits;
|
||||||
int ssh_cipher_default = SSH_CIPHER_3DES;
|
int ssh_cipher_default = SSH_CIPHER_3DES;
|
||||||
@@ -522,10 +530,14 @@ ssh_kex(char *host, struct sockaddr *hos
|
@@ -522,10 +530,14 @@ ssh_kex(char *host, struct sockaddr *hos
|
||||||
/* Get the public key. */
|
if ((server_key = key_new(KEY_RSA1)) == NULL)
|
||||||
server_key = key_new(KEY_RSA1);
|
fatal("%s: key_new(KEY_RSA1) failed", __func__);
|
||||||
bits = packet_get_int();
|
bits = packet_get_int();
|
||||||
- packet_get_bignum(server_key->rsa->e);
|
- packet_get_bignum(server_key->rsa->e);
|
||||||
- packet_get_bignum(server_key->rsa->n);
|
- packet_get_bignum(server_key->rsa->n);
|
||||||
@ -2151,8 +2151,8 @@ diff -up openssh-7.4p1/sshconnect1.c.openssl openssh-7.4p1/sshconnect1.c
|
|||||||
logit("Warning: Server lies about size of server public key: "
|
logit("Warning: Server lies about size of server public key: "
|
||||||
"actual size is %d bits vs. announced %d.", rbits, bits);
|
"actual size is %d bits vs. announced %d.", rbits, bits);
|
||||||
@@ -534,10 +546,14 @@ ssh_kex(char *host, struct sockaddr *hos
|
@@ -534,10 +546,14 @@ ssh_kex(char *host, struct sockaddr *hos
|
||||||
/* Get the host key. */
|
if ((host_key = key_new(KEY_RSA1)) == NULL)
|
||||||
host_key = key_new(KEY_RSA1);
|
fatal("%s: key_new(KEY_RSA1) failed", __func__);
|
||||||
bits = packet_get_int();
|
bits = packet_get_int();
|
||||||
- packet_get_bignum(host_key->rsa->e);
|
- packet_get_bignum(host_key->rsa->e);
|
||||||
- packet_get_bignum(host_key->rsa->n);
|
- packet_get_bignum(host_key->rsa->n);
|
||||||
@ -2644,7 +2644,7 @@ diff -up openssh-7.4p1/sshkey.c.openssl openssh-7.4p1/sshkey.c
|
|||||||
+ BIGNUM *e = NULL, *n = NULL;
|
+ BIGNUM *e = NULL, *n = NULL;
|
||||||
#endif /* WITH_SSH1 */
|
#endif /* WITH_SSH1 */
|
||||||
|
|
||||||
cp = *cpp;
|
if (ret == NULL)
|
||||||
@@ -1303,12 +1319,21 @@ sshkey_read(struct sshkey *ret, char **c
|
@@ -1303,12 +1319,21 @@ sshkey_read(struct sshkey *ret, char **c
|
||||||
bits == 0 || bits > SSHBUF_MAX_BIGNUM * 8)
|
bits == 0 || bits > SSHBUF_MAX_BIGNUM * 8)
|
||||||
return SSH_ERR_INVALID_FORMAT; /* Bad bit count... */
|
return SSH_ERR_INVALID_FORMAT; /* Bad bit count... */
|
||||||
@ -3318,7 +3318,7 @@ diff -up openssh-7.4p1/sshkey.c.openssl openssh-7.4p1/sshkey.c
|
|||||||
|
|
||||||
/* enable blinding */
|
/* enable blinding */
|
||||||
@@ -3846,7 +4109,7 @@ sshkey_parse_private_pem_fileblob(struct
|
@@ -3846,7 +4109,7 @@ sshkey_parse_private_pem_fileblob(struct
|
||||||
r = SSH_ERR_KEY_WRONG_PASSPHRASE;
|
r = SSH_ERR_LIBCRYPTO_ERROR;
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
- if (pk->type == EVP_PKEY_RSA &&
|
- if (pk->type == EVP_PKEY_RSA &&
|
||||||
@ -3640,3 +3640,17 @@ diff -up openssh-7.4p1/ssh-rsa.c.openssl openssh-7.4p1/ssh-rsa.c
|
|||||||
sig == NULL || siglen == 0)
|
sig == NULL || siglen == 0)
|
||||||
return SSH_ERR_INVALID_ARGUMENT;
|
return SSH_ERR_INVALID_ARGUMENT;
|
||||||
|
|
||||||
|
diff --git a/sshkey.c b/sshkey.c
|
||||||
|
index ffc17ce..130217a 100644
|
||||||
|
--- a/sshkey.c
|
||||||
|
+++ b/sshkey.c
|
||||||
|
@@ -3815,7 +3815,9 @@ sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type,
|
||||||
|
case EVP_R_BAD_DECRYPT:
|
||||||
|
r = SSH_ERR_KEY_WRONG_PASSPHRASE;
|
||||||
|
goto out;
|
||||||
|
+#ifdef EVP_R_BN_DECODE_ERROR
|
||||||
|
case EVP_R_BN_DECODE_ERROR:
|
||||||
|
+#endif
|
||||||
|
case EVP_R_DECODE_ERROR:
|
||||||
|
#ifdef EVP_R_PRIVATE_KEY_DECODE_ERROR
|
||||||
|
case EVP_R_PRIVATE_KEY_DECODE_ERROR:
|
||||||
|
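Review bot: The stanza appended at the end of the openssl patch is a second, git-style `diff --git a/sshkey.c b/sshkey.c` section with `@@ -3815,7 +3815,9 @@`, while the same patch file already has a `diff -up openssh-7.4p1/sshkey.c.openssl openssh-7.4p1/sshkey.c` section whose earlier hunks shift the file by several hundred lines (`@@ -3846,7 +4109,7 @@`). patch(1) will locate the `case EVP_R_BAD_DECRYPT:` context with an offset, so it applies, but patching one file from two stanzas with inconsistent numbering is fragile across future rebases; fold the `#ifdef EVP_R_BN_DECODE_ERROR` / `#endif` guard into the existing sshkey.c section with line numbers relative to that section. A one-line comment in the patch noting which OpenSSL version dropped `EVP_R_BN_DECODE_ERROR` would also help the next person rebasing it. The enclosing switch in sshkey_parse_private_pem_fileblob() starts before and ends after this hunk.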
@ -1,40 +0,0 @@
|
|||||||
diff --git a/readconf.c b/readconf.c
|
|
||||||
index fa3fab8..e7eb30d 100644
|
|
||||||
--- a/readconf.c
|
|
||||||
+++ b/readconf.c
|
|
||||||
@@ -1499,7 +1499,7 @@ parse_keytypes:
|
|
||||||
oactive ? "" : " (parse only)");
|
|
||||||
r = read_config_file_depth(gl.gl_pathv[i],
|
|
||||||
pw, host, original_host, options,
|
|
||||||
- flags | SSHCONF_CHECKPERM |
|
|
||||||
+ flags | SSHCONF_CHECKPERM | SSHCONF_IGNORE_READERR |
|
|
||||||
(oactive ? 0 : SSHCONF_NEVERMATCH),
|
|
||||||
activep, depth + 1);
|
|
||||||
/*
|
|
||||||
@@ -1707,8 +1707,13 @@ read_config_file_depth(const char *filename, struct passwd *pw,
|
|
||||||
if (depth < 0 || depth > READCONF_MAX_DEPTH)
|
|
||||||
fatal("Too many recursive configuration includes");
|
|
||||||
|
|
||||||
- if ((f = fopen(filename, "r")) == NULL)
|
|
||||||
+ if ((f = fopen(filename, "r")) == NULL) {
|
|
||||||
+ if (flags & SSHCONF_IGNORE_READERR) {
|
|
||||||
+ error("Can not open configuration file %s", filename);
|
|
||||||
+ return 1;
|
|
||||||
+ }
|
|
||||||
return 0;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
if (flags & SSHCONF_CHECKPERM) {
|
|
||||||
struct stat sb;
|
|
||||||
diff --git a/readconf.h b/readconf.h
|
|
||||||
index cef55f7..4f7d3b4 100644
|
|
||||||
--- a/readconf.h
|
|
||||||
+++ b/readconf.h
|
|
||||||
@@ -190,6 +190,7 @@ typedef struct {
|
|
||||||
#define SSHCONF_USERCONF 2 /* user provided config file not system */
|
|
||||||
#define SSHCONF_POSTCANON 4 /* After hostname canonicalisation */
|
|
||||||
#define SSHCONF_NEVERMATCH 8 /* Match/Host never matches; internal only */
|
|
||||||
+#define SSHCONF_IGNORE_READERR 16 /* Treat unreadable files as errors; internal only */
|
|
||||||
|
|
||||||
#define SSH_UPDATE_HOSTKEYS_NO 0
|
|
||||||
#define SSH_UPDATE_HOSTKEYS_YES 1
|
|
@ -1,24 +0,0 @@
|
|||||||
diff -up openssh-7.4p1/ssh-agent.1.pkcs11-whitelist openssh-7.4p1/ssh-agent.1
|
|
||||||
--- openssh-7.4p1/ssh-agent.1.pkcs11-whitelist 2017-01-03 10:41:01.916331710 +0100
|
|
||||||
+++ openssh-7.4p1/ssh-agent.1 2017-01-03 10:40:06.549366029 +0100
|
|
||||||
@@ -129,7 +129,7 @@ that may be added using the
|
|
||||||
option to
|
|
||||||
.Xr ssh-add 1 .
|
|
||||||
The default is to allow loading PKCS#11 libraries from
|
|
||||||
-.Dq /usr/lib/*,/usr/local/lib/* .
|
|
||||||
+.Dq /usr/lib*/*,/usr/local/lib*/* .
|
|
||||||
PKCS#11 libraries that do not match the whitelist will be refused.
|
|
||||||
See PATTERNS in
|
|
||||||
.Xr ssh_config 5
|
|
||||||
diff -up openssh-7.4p1/ssh-agent.c.pkcs11-whitelist openssh-7.4p1/ssh-agent.c
|
|
||||||
--- openssh-7.4p1/ssh-agent.c.pkcs11-whitelist 2017-01-03 10:41:09.324327118 +0100
|
|
||||||
+++ openssh-7.4p1/ssh-agent.c 2017-01-03 10:40:21.212356939 +0100
|
|
||||||
@@ -89,7 +89,7 @@
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#ifndef DEFAULT_PKCS11_WHITELIST
|
|
||||||
-# define DEFAULT_PKCS11_WHITELIST "/usr/lib/*,/usr/local/lib/*"
|
|
||||||
+# define DEFAULT_PKCS11_WHITELIST "/usr/lib*/*,/usr/local/lib*/*"
|
|
||||||
#endif
|
|
||||||
|
|
||||||
typedef enum {
|
|
15
openssh.spec
15
openssh.spec
@ -65,10 +65,10 @@
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||||
%global openssh_ver 7.4p1
|
%global openssh_ver 7.5p1
|
||||||
%global openssh_rel 4
|
%global openssh_rel 1
|
||||||
%global pam_ssh_agent_ver 0.10.3
|
%global pam_ssh_agent_ver 0.10.3
|
||||||
%global pam_ssh_agent_rel 1
|
%global pam_ssh_agent_rel 2
|
||||||
|
|
||||||
Summary: An open source implementation of SSH protocol versions 1 and 2
|
Summary: An open source implementation of SSH protocol versions 1 and 2
|
||||||
Name: openssh
|
Name: openssh
|
||||||
@ -226,10 +226,6 @@ Patch940: openssh-7.2p2-expose-pam.patch
|
|||||||
Patch942: openssh-7.2p2-chroot-capabilities.patch
|
Patch942: openssh-7.2p2-chroot-capabilities.patch
|
||||||
# Move MAX_DISPLAYS to a configuration option (#1341302)
|
# Move MAX_DISPLAYS to a configuration option (#1341302)
|
||||||
Patch944: openssh-7.3p1-x11-max-displays.patch
|
Patch944: openssh-7.3p1-x11-max-displays.patch
|
||||||
# Whitelist /usr/lib*/ as planed upstream to prevent breakage
|
|
||||||
Patch946: openssh-7.4p1-pkcs11-whitelist.patch
|
|
||||||
# Correct reporting errors from included files (#1408558)
|
|
||||||
Patch947: openssh-7.4p1-include-errors.patch
|
|
||||||
# Help systemd to track the running service
|
# Help systemd to track the running service
|
||||||
Patch948: openssh-7.4p1-systemd.patch
|
Patch948: openssh-7.4p1-systemd.patch
|
||||||
|
|
||||||
@ -466,8 +462,6 @@ popd
|
|||||||
%patch940 -p1 -b .expose-pam
|
%patch940 -p1 -b .expose-pam
|
||||||
%patch942 -p1 -b .chroot-cap
|
%patch942 -p1 -b .chroot-cap
|
||||||
%patch944 -p1 -b .x11max
|
%patch944 -p1 -b .x11max
|
||||||
%patch946 -p1 -b .pkcs11-whitelist
|
|
||||||
%patch947 -p1 -b .include-errors
|
|
||||||
%patch948 -p1 -b .systemd
|
%patch948 -p1 -b .systemd
|
||||||
|
|
||||||
%patch200 -p1 -b .audit
|
%patch200 -p1 -b .audit
|
||||||
@ -811,6 +805,9 @@ getent passwd sshd >/dev/null || \
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Mar 20 2017 Jakub Jelen <jjelen@redhat.com> - 7.5p1-1 + 0.10.3-2
|
||||||
|
- New upstream release
|
||||||
|
|
||||||
* Fri Mar 03 2017 Jakub Jelen <jjelen@redhat.com> - 7.4p1-4 + 0.10.3-1
|
* Fri Mar 03 2017 Jakub Jelen <jjelen@redhat.com> - 7.4p1-4 + 0.10.3-1
|
||||||
- Avoid sending the SD_NOTIFY messages from wrong processes (#1427526)
|
- Avoid sending the SD_NOTIFY messages from wrong processes (#1427526)
|
||||||
- Address reports by coverity
|
- Address reports by coverity
|
||||||
|
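Review bot: The new %changelog entry is `- New upstream release` only, yet the same commit removes Patch946 (pkcs11-whitelist) and Patch947 (include-errors, #1408558) together with their `%patch946`/`%patch947` lines, so a reader cannot tell whether those fixes were dropped or are now carried by upstream 7.5p1. Add a bullet such as `- Drop pkcs11-whitelist and include-errors patches, merged upstream (#1408558)`. The reset of `openssh_rel` to 1 is matched by the `pam_ssh_agent_rel` bump to 2, as the comment above the %global lines requires.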
2
sources
2
sources
@ -1,2 +1,2 @@
|
|||||||
|
SHA512 (openssh-7.5p1.tar.gz) = 58c542e8a110fb4316a68db94abb663fa1c810becd0638d45281df8aeca62c1f705090437a80e788e6c29121769b72a505feced537d3118c933fde01b5285c81
|
||||||
SHA512 (pam_ssh_agent_auth-0.10.3.tar.bz2) = d75062c4e46b0b011f46aed9704a99049995fea8b5115ff7ee26dad7e93cbcf54a8af7efc6b521109d77dc03c6f5284574d2e1b84c6829cec25610f24fb4bd66
|
SHA512 (pam_ssh_agent_auth-0.10.3.tar.bz2) = d75062c4e46b0b011f46aed9704a99049995fea8b5115ff7ee26dad7e93cbcf54a8af7efc6b521109d77dc03c6f5284574d2e1b84c6829cec25610f24fb4bd66
|
||||||
SHA512 (openssh-7.4p1.tar.gz) = 4f3256f461f01366c5d5e0e45285eec65016e2643b3284b407f48f53d81087bf2c1caf7d5f7530d307a15c91c64de91446e1cba948e8fc68f82098290fe3b292
|
|
||||||
|