openssh-7.5p1-1 + 0.10.3-2

This commit is contained in:
Jakub Jelen 2017-03-20 15:55:43 +01:00
parent fd58b9eabb
commit 17b491b307
16 changed files with 61 additions and 113 deletions

1
.gitignore vendored
View File

@ -25,3 +25,4 @@ pam_ssh_agent_auth-0.9.2.tar.bz2
/openssh-7.3p1.tar.gz /openssh-7.3p1.tar.gz
/openssh-7.4p1.tar.gz /openssh-7.4p1.tar.gz
/pam_ssh_agent_auth-0.10.3.tar.bz2 /pam_ssh_agent_auth-0.10.3.tar.bz2
/openssh-7.5p1.tar.gz

View File

@ -60,8 +60,8 @@ diff -up openssh-7.4p1/servconf.c.vendor openssh-7.4p1/servconf.c
{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL }, { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL }, { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
@@ -1369,6 +1373,10 @@ process_server_config_line(ServerOptions @@ -1369,6 +1373,10 @@ process_server_config_line(ServerOptions
multistate_ptr = multistate_privsep; intptr = &options->disable_forwarding;
goto parse_multistate; goto parse_flag;
+ case sShowPatchLevel: + case sShowPatchLevel:
+ intptr = &options->show_patchlevel; + intptr = &options->show_patchlevel;
@ -138,12 +138,12 @@ diff -up openssh-7.4p1/sshd.c.vendor openssh-7.4p1/sshd.c
@@ -367,7 +367,8 @@ sshd_exchange_identification(struct ssh @@ -367,7 +367,8 @@ sshd_exchange_identification(struct ssh
char remote_version[256]; /* Must be at least as big as buf. */ char remote_version[256]; /* Must be at least as big as buf. */
xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n",
- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, - PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, + PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2,
+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION, + (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION,
*options.version_addendum == '\0' ? "" : " ", *options.version_addendum == '\0' ? "" : " ",
options.version_addendum, newline); options.version_addendum);
@@ -1650,7 +1651,8 @@ main(int ac, char **av) @@ -1650,7 +1651,8 @@ main(int ac, char **av)
exit(1); exit(1);

View File

@ -82,7 +82,7 @@ diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
M_CP_INTOPT(rekey_interval); M_CP_INTOPT(rekey_interval);
@@ -2320,6 +2330,7 @@ dump_config(ServerOptions *o) @@ -2320,6 +2330,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash); dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok); dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
+ dump_cfg_fmtint(sGssEnablek5users, o->enable_k5users); + dump_cfg_fmtint(sGssEnablek5users, o->enable_k5users);

View File

@ -235,8 +235,8 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
M_CP_INTOPT(rekey_interval); M_CP_INTOPT(rekey_interval);
@@ -2309,6 +2319,7 @@ dump_config(ServerOptions *o) @@ -2309,6 +2319,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink); dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash); dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
+ dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok); + dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);

View File

@ -71,7 +71,7 @@ diff -up openssh-7.4p1/configure.ac.tcp_wrappers openssh-7.4p1/configure.ac
+echo " TCP Wrappers support: $TCPW_MSG" +echo " TCP Wrappers support: $TCPW_MSG"
echo " MD5 password support: $MD5_MSG" echo " MD5 password support: $MD5_MSG"
echo " libedit support: $LIBEDIT_MSG" echo " libedit support: $LIBEDIT_MSG"
echo " Solaris process contract support: $SPC_MSG" echo " libldns support: $LDNS_MSG"
diff -up openssh-7.4p1/sshd.8.tcp_wrappers openssh-7.4p1/sshd.8 diff -up openssh-7.4p1/sshd.8.tcp_wrappers openssh-7.4p1/sshd.8
--- openssh-7.4p1/sshd.8.tcp_wrappers 2016-12-23 15:36:38.759411194 +0100 --- openssh-7.4p1/sshd.8.tcp_wrappers 2016-12-23 15:36:38.759411194 +0100
+++ openssh-7.4p1/sshd.8 2016-12-23 15:36:38.778411197 +0100 +++ openssh-7.4p1/sshd.8 2016-12-23 15:36:38.778411197 +0100

View File

@ -169,7 +169,7 @@ diff -up openssh-7.0p1/readconf.c.gsskexalg openssh-7.0p1/readconf.c
{ "gssapiserveridentity", oGssServerIdentity }, { "gssapiserveridentity", oGssServerIdentity },
{ "gssapirenewalforcesrekey", oGssRenewalRekey }, { "gssapirenewalforcesrekey", oGssRenewalRekey },
+ { "gssapikexalgorithms", oGssKexAlgorithms }, + { "gssapikexalgorithms", oGssKexAlgorithms },
#else # else
{ "gssapiauthentication", oUnsupported }, { "gssapiauthentication", oUnsupported },
{ "gssapikeyexchange", oUnsupported }, { "gssapikeyexchange", oUnsupported },
@@ -207,6 +209,7 @@ static struct { @@ -207,6 +209,7 @@ static struct {
@ -178,8 +178,8 @@ diff -up openssh-7.0p1/readconf.c.gsskexalg openssh-7.0p1/readconf.c
{ "gssapirenewalforcesrekey", oUnsupported }, { "gssapirenewalforcesrekey", oUnsupported },
+ { "gssapikexalgorithms", oUnsupported }, + { "gssapikexalgorithms", oUnsupported },
#endif #endif
{ "fallbacktorsh", oDeprecated }, #ifdef ENABLE_PKCS11
{ "usersh", oDeprecated }, { "smartcarddevice", oPKCS11Provider },
@@ -929,6 +932,18 @@ parse_time: @@ -929,6 +932,18 @@ parse_time:
intptr = &options->gss_renewal_rekey; intptr = &options->gss_renewal_rekey;
goto parse_flag; goto parse_flag;
@ -249,7 +249,7 @@ diff -up openssh-7.0p1/servconf.c.gsskexalg openssh-7.0p1/servconf.c
options->kbd_interactive_authentication = -1; options->kbd_interactive_authentication = -1;
options->challenge_response_authentication = -1; options->challenge_response_authentication = -1;
@@ -288,6 +290,10 @@ fill_default_server_options(ServerOption @@ -288,6 +290,10 @@ fill_default_server_options(ServerOption
options->gss_strict_acceptor = 0; options->gss_strict_acceptor = 1;
if (options->gss_store_rekey == -1) if (options->gss_store_rekey == -1)
options->gss_store_rekey = 0; options->gss_store_rekey = 0;
+#ifdef GSSAPI +#ifdef GSSAPI

View File

@ -776,7 +776,7 @@ diff -up openssh-7.4p1/auth2.c.audit openssh-7.4p1/auth2.c
+++ openssh-7.4p1/auth2.c 2016-12-23 18:54:54.434080419 +0100 +++ openssh-7.4p1/auth2.c 2016-12-23 18:54:54.434080419 +0100
@@ -249,9 +249,6 @@ input_userauth_request(int type, u_int32 @@ -249,9 +249,6 @@ input_userauth_request(int type, u_int32
} else { } else {
logit("input_userauth_request: invalid user %s", user); /* Invalid user, fake password information */
authctxt->pw = fakepw(); authctxt->pw = fakepw();
-#ifdef SSH_AUDIT_EVENTS -#ifdef SSH_AUDIT_EVENTS
- PRIVSEP(audit_event(SSH_INVALID_USER)); - PRIVSEP(audit_event(SSH_INVALID_USER));
@ -960,9 +960,9 @@ diff -up openssh-7.4p1/kex.c.audit openssh-7.4p1/kex.c
+#endif +#endif
return SSH_ERR_NO_CIPHER_ALG_MATCH; return SSH_ERR_NO_CIPHER_ALG_MATCH;
+ } + }
if ((enc->cipher = cipher_by_name(name)) == NULL) if ((enc->cipher = cipher_by_name(name)) == NULL) {
free(name);
return SSH_ERR_INTERNAL_ERROR; return SSH_ERR_INTERNAL_ERROR;
enc->name = name;
@@ -702,8 +707,12 @@ choose_mac(struct ssh *ssh, struct sshma @@ -702,8 +707,12 @@ choose_mac(struct ssh *ssh, struct sshma
{ {
char *name = match_list(client, server, NULL); char *name = match_list(client, server, NULL);
@ -974,9 +974,9 @@ diff -up openssh-7.4p1/kex.c.audit openssh-7.4p1/kex.c
+#endif +#endif
return SSH_ERR_NO_MAC_ALG_MATCH; return SSH_ERR_NO_MAC_ALG_MATCH;
+ } + }
if (mac_setup(mac, name) < 0) if (mac_setup(mac, name) < 0) {
free(name);
return SSH_ERR_INTERNAL_ERROR; return SSH_ERR_INTERNAL_ERROR;
/* truncate the key */
@@ -720,8 +729,12 @@ choose_comp(struct sshcomp *comp, char * @@ -720,8 +729,12 @@ choose_comp(struct sshcomp *comp, char *
{ {
char *name = match_list(client, server, NULL); char *name = match_list(client, server, NULL);
@ -1739,16 +1739,16 @@ diff -up openssh-7.4p1/sandbox-seccomp-filter.c.audit openssh-7.4p1/sandbox-secc
+++ openssh-7.4p1/sandbox-seccomp-filter.c 2016-12-23 18:54:54.438080420 +0100 +++ openssh-7.4p1/sandbox-seccomp-filter.c 2016-12-23 18:54:54.438080420 +0100
@@ -159,6 +159,12 @@ static const struct sock_filter preauth_ @@ -159,6 +159,12 @@ static const struct sock_filter preauth_
#ifdef __NR_gettimeofday #ifdef __NR_gettimeofday
SC_ALLOW(gettimeofday), SC_ALLOW(__NR_gettimeofday),
#endif #endif
+#ifdef SSH_AUDIT_EVENTS +#ifdef SSH_AUDIT_EVENTS
+ SC_ALLOW(getuid), + SC_ALLOW(__NR_getuid),
+#ifdef __NR_getuid32 /* not defined on x86_64 */ +#ifdef __NR_getuid32 /* not defined on x86_64 */
+ SC_ALLOW(getuid32), + SC_ALLOW(__NR_getuid32),
+#endif +#endif
+#endif +#endif
#ifdef __NR_madvise #ifdef __NR_madvise
SC_ALLOW(madvise), SC_ALLOW(__NR_madvise),
#endif #endif
diff -up openssh-7.4p1/session.c.audit openssh-7.4p1/session.c diff -up openssh-7.4p1/session.c.audit openssh-7.4p1/session.c
--- openssh-7.4p1/session.c.audit 2016-12-23 18:54:54.430080418 +0100 --- openssh-7.4p1/session.c.audit 2016-12-23 18:54:54.430080418 +0100

View File

@ -382,13 +382,13 @@ diff -up openssh-7.4p1/sandbox-seccomp-filter.c.fips openssh-7.4p1/sandbox-secco
+++ openssh-7.4p1/sandbox-seccomp-filter.c 2016-12-23 16:37:49.300741586 +0100 +++ openssh-7.4p1/sandbox-seccomp-filter.c 2016-12-23 16:37:49.300741586 +0100
@@ -118,6 +118,9 @@ static const struct sock_filter preauth_ @@ -118,6 +118,9 @@ static const struct sock_filter preauth_
#ifdef __NR_open #ifdef __NR_open
SC_DENY(open, EACCES), SC_DENY(__NR_open, EACCES),
#endif #endif
+#ifdef __NR_socket +#ifdef __NR_socket
+ SC_DENY(socket, EACCES), + SC_DENY(__NR_socket, EACCES),
+#endif +#endif
#ifdef __NR_openat #ifdef __NR_openat
SC_DENY(openat, EACCES), SC_DENY(__NR_openat, EACCES),
#endif #endif
diff -up openssh-7.4p1/servconf.c.fips openssh-7.4p1/servconf.c diff -up openssh-7.4p1/servconf.c.fips openssh-7.4p1/servconf.c
--- openssh-7.4p1/servconf.c.fips 2016-12-23 16:37:49.285741579 +0100 --- openssh-7.4p1/servconf.c.fips 2016-12-23 16:37:49.285741579 +0100

View File

@ -1959,7 +1959,7 @@ diff -up openssh-7.4p1/readconf.c.gsskex openssh-7.4p1/readconf.c
oSendEnv, oControlPath, oControlMaster, oControlPersist, oSendEnv, oControlPath, oControlMaster, oControlPersist,
oHashKnownHosts, oHashKnownHosts,
@@ -205,10 +207,19 @@ static struct { @@ -205,10 +207,19 @@ static struct {
{ "afstokenpassing", oUnsupported }, /* Sometimes-unsupported options */
#if defined(GSSAPI) #if defined(GSSAPI)
{ "gssapiauthentication", oGssAuthentication }, { "gssapiauthentication", oGssAuthentication },
+ { "gssapikeyexchange", oGssKeyEx }, + { "gssapikeyexchange", oGssKeyEx },
@ -1968,7 +1968,7 @@ diff -up openssh-7.4p1/readconf.c.gsskex openssh-7.4p1/readconf.c
+ { "gssapiclientidentity", oGssClientIdentity }, + { "gssapiclientidentity", oGssClientIdentity },
+ { "gssapiserveridentity", oGssServerIdentity }, + { "gssapiserveridentity", oGssServerIdentity },
+ { "gssapirenewalforcesrekey", oGssRenewalRekey }, + { "gssapirenewalforcesrekey", oGssRenewalRekey },
#else # else
{ "gssapiauthentication", oUnsupported }, { "gssapiauthentication", oUnsupported },
+ { "gssapikeyexchange", oUnsupported }, + { "gssapikeyexchange", oUnsupported },
{ "gssapidelegatecredentials", oUnsupported }, { "gssapidelegatecredentials", oUnsupported },
@ -1976,8 +1976,8 @@ diff -up openssh-7.4p1/readconf.c.gsskex openssh-7.4p1/readconf.c
+ { "gssapiclientidentity", oUnsupported }, + { "gssapiclientidentity", oUnsupported },
+ { "gssapirenewalforcesrekey", oUnsupported }, + { "gssapirenewalforcesrekey", oUnsupported },
#endif #endif
{ "fallbacktorsh", oDeprecated }, #ifdef ENABLE_PKCS11
{ "usersh", oDeprecated }, { "smartcarddevice", oPKCS11Provider },
@@ -961,10 +972,30 @@ parse_time: @@ -961,10 +972,30 @@ parse_time:
intptr = &options->gss_authentication; intptr = &options->gss_authentication;
goto parse_flag; goto parse_flag;
@ -2136,7 +2136,7 @@ diff -up openssh-7.4p1/servconf.c.gsskex openssh-7.4p1/servconf.c
if (options->gss_cleanup_creds == -1) if (options->gss_cleanup_creds == -1)
options->gss_cleanup_creds = 1; options->gss_cleanup_creds = 1;
if (options->gss_strict_acceptor == -1) if (options->gss_strict_acceptor == -1)
options->gss_strict_acceptor = 0; options->gss_strict_acceptor = 1;
+ if (options->gss_store_rekey == -1) + if (options->gss_store_rekey == -1)
+ options->gss_store_rekey = 0; + options->gss_store_rekey = 0;
if (options->password_authentication == -1) if (options->password_authentication == -1)
@ -2325,8 +2325,8 @@ diff -up openssh-7.4p1/sshconnect2.c.gsskex openssh-7.4p1/sshconnect2.c
+#endif +#endif
+ +
if (options.rekey_limit || options.rekey_interval) if (options.rekey_limit || options.rekey_interval)
packet_set_rekey_limits((u_int32_t)options.rekey_limit, packet_set_rekey_limits(options.rekey_limit,
(time_t)options.rekey_interval); options.rekey_interval);
@@ -212,11 +248,31 @@ ssh_kex2(char *host, struct sockaddr *ho @@ -212,11 +248,31 @@ ssh_kex2(char *host, struct sockaddr *ho
kex->kex[KEX_ECDH_SHA2] = kexecdh_client; kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
# endif # endif

View File

@ -2,8 +2,8 @@ diff -up openssh-7.4p1/auth2.c.expose-pam openssh-7.4p1/auth2.c
--- openssh-7.4p1/auth2.c.expose-pam 2016-12-23 15:40:26.768447868 +0100 --- openssh-7.4p1/auth2.c.expose-pam 2016-12-23 15:40:26.768447868 +0100
+++ openssh-7.4p1/auth2.c 2016-12-23 15:40:26.818447876 +0100 +++ openssh-7.4p1/auth2.c 2016-12-23 15:40:26.818447876 +0100
@@ -310,6 +310,7 @@ userauth_finish(Authctxt *authctxt, int @@ -310,6 +310,7 @@ userauth_finish(Authctxt *authctxt, int
const char *submethod)
{ {
struct ssh *ssh = active_state; /* XXX */
char *methods; char *methods;
+ char *prev_auth_details; + char *prev_auth_details;
int partial = 0; int partial = 0;
@ -217,7 +217,7 @@ diff -up openssh-7.4p1/monitor.c.expose-pam openssh-7.4p1/monitor.c
--- openssh-7.4p1/monitor.c.expose-pam 2016-12-23 15:40:26.794447872 +0100 --- openssh-7.4p1/monitor.c.expose-pam 2016-12-23 15:40:26.794447872 +0100
+++ openssh-7.4p1/monitor.c 2016-12-23 15:41:16.473455863 +0100 +++ openssh-7.4p1/monitor.c 2016-12-23 15:41:16.473455863 +0100
@@ -300,6 +300,7 @@ monitor_child_preauth(Authctxt *_authctx @@ -300,6 +300,7 @@ monitor_child_preauth(Authctxt *_authctx
{ struct ssh *ssh = active_state; /* XXX */
struct mon_table *ent; struct mon_table *ent;
int authenticated = 0, partial = 0; int authenticated = 0, partial = 0;
+ char *prev_auth_details; + char *prev_auth_details;

View File

@ -50,4 +50,4 @@ diff -up openssh-7.2p2/channels.c.x11 openssh-7.2p2/channels.c
+ return -1; + return -1;
} }
int #ifdef __APPLE__

View File

@ -2133,8 +2133,8 @@ diff -up openssh-7.4p1/sshconnect1.c.openssl openssh-7.4p1/sshconnect1.c
int bits, rbits; int bits, rbits;
int ssh_cipher_default = SSH_CIPHER_3DES; int ssh_cipher_default = SSH_CIPHER_3DES;
@@ -522,10 +530,14 @@ ssh_kex(char *host, struct sockaddr *hos @@ -522,10 +530,14 @@ ssh_kex(char *host, struct sockaddr *hos
/* Get the public key. */ if ((server_key = key_new(KEY_RSA1)) == NULL)
server_key = key_new(KEY_RSA1); fatal("%s: key_new(KEY_RSA1) failed", __func__);
bits = packet_get_int(); bits = packet_get_int();
- packet_get_bignum(server_key->rsa->e); - packet_get_bignum(server_key->rsa->e);
- packet_get_bignum(server_key->rsa->n); - packet_get_bignum(server_key->rsa->n);
@ -2151,8 +2151,8 @@ diff -up openssh-7.4p1/sshconnect1.c.openssl openssh-7.4p1/sshconnect1.c
logit("Warning: Server lies about size of server public key: " logit("Warning: Server lies about size of server public key: "
"actual size is %d bits vs. announced %d.", rbits, bits); "actual size is %d bits vs. announced %d.", rbits, bits);
@@ -534,10 +546,14 @@ ssh_kex(char *host, struct sockaddr *hos @@ -534,10 +546,14 @@ ssh_kex(char *host, struct sockaddr *hos
/* Get the host key. */ if ((host_key = key_new(KEY_RSA1)) == NULL)
host_key = key_new(KEY_RSA1); fatal("%s: key_new(KEY_RSA1) failed", __func__);
bits = packet_get_int(); bits = packet_get_int();
- packet_get_bignum(host_key->rsa->e); - packet_get_bignum(host_key->rsa->e);
- packet_get_bignum(host_key->rsa->n); - packet_get_bignum(host_key->rsa->n);
@ -2644,7 +2644,7 @@ diff -up openssh-7.4p1/sshkey.c.openssl openssh-7.4p1/sshkey.c
+ BIGNUM *e = NULL, *n = NULL; + BIGNUM *e = NULL, *n = NULL;
#endif /* WITH_SSH1 */ #endif /* WITH_SSH1 */
cp = *cpp; if (ret == NULL)
@@ -1303,12 +1319,21 @@ sshkey_read(struct sshkey *ret, char **c @@ -1303,12 +1319,21 @@ sshkey_read(struct sshkey *ret, char **c
bits == 0 || bits > SSHBUF_MAX_BIGNUM * 8) bits == 0 || bits > SSHBUF_MAX_BIGNUM * 8)
return SSH_ERR_INVALID_FORMAT; /* Bad bit count... */ return SSH_ERR_INVALID_FORMAT; /* Bad bit count... */
@ -3318,7 +3318,7 @@ diff -up openssh-7.4p1/sshkey.c.openssl openssh-7.4p1/sshkey.c
/* enable blinding */ /* enable blinding */
@@ -3846,7 +4109,7 @@ sshkey_parse_private_pem_fileblob(struct @@ -3846,7 +4109,7 @@ sshkey_parse_private_pem_fileblob(struct
r = SSH_ERR_KEY_WRONG_PASSPHRASE; r = SSH_ERR_LIBCRYPTO_ERROR;
goto out; goto out;
} }
- if (pk->type == EVP_PKEY_RSA && - if (pk->type == EVP_PKEY_RSA &&
@ -3640,3 +3640,17 @@ diff -up openssh-7.4p1/ssh-rsa.c.openssl openssh-7.4p1/ssh-rsa.c
sig == NULL || siglen == 0) sig == NULL || siglen == 0)
return SSH_ERR_INVALID_ARGUMENT; return SSH_ERR_INVALID_ARGUMENT;
diff --git a/sshkey.c b/sshkey.c
index ffc17ce..130217a 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -3815,7 +3815,9 @@ sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type,
case EVP_R_BAD_DECRYPT:
r = SSH_ERR_KEY_WRONG_PASSPHRASE;
goto out;
+#ifdef EVP_R_BN_DECODE_ERROR
case EVP_R_BN_DECODE_ERROR:
+#endif
case EVP_R_DECODE_ERROR:
#ifdef EVP_R_PRIVATE_KEY_DECODE_ERROR
case EVP_R_PRIVATE_KEY_DECODE_ERROR:

View File

@ -1,40 +0,0 @@
diff --git a/readconf.c b/readconf.c
index fa3fab8..e7eb30d 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1499,7 +1499,7 @@ parse_keytypes:
oactive ? "" : " (parse only)");
r = read_config_file_depth(gl.gl_pathv[i],
pw, host, original_host, options,
- flags | SSHCONF_CHECKPERM |
+ flags | SSHCONF_CHECKPERM | SSHCONF_IGNORE_READERR |
(oactive ? 0 : SSHCONF_NEVERMATCH),
activep, depth + 1);
/*
@@ -1707,8 +1707,13 @@ read_config_file_depth(const char *filename, struct passwd *pw,
if (depth < 0 || depth > READCONF_MAX_DEPTH)
fatal("Too many recursive configuration includes");
- if ((f = fopen(filename, "r")) == NULL)
+ if ((f = fopen(filename, "r")) == NULL) {
+ if (flags & SSHCONF_IGNORE_READERR) {
+ error("Can not open configuration file %s", filename);
+ return 1;
+ }
return 0;
+ }
if (flags & SSHCONF_CHECKPERM) {
struct stat sb;
diff --git a/readconf.h b/readconf.h
index cef55f7..4f7d3b4 100644
--- a/readconf.h
+++ b/readconf.h
@@ -190,6 +190,7 @@ typedef struct {
#define SSHCONF_USERCONF 2 /* user provided config file not system */
#define SSHCONF_POSTCANON 4 /* After hostname canonicalisation */
#define SSHCONF_NEVERMATCH 8 /* Match/Host never matches; internal only */
+#define SSHCONF_IGNORE_READERR 16 /* Treat unreadable files as errors; internal only */
#define SSH_UPDATE_HOSTKEYS_NO 0
#define SSH_UPDATE_HOSTKEYS_YES 1

View File

@ -1,24 +0,0 @@
diff -up openssh-7.4p1/ssh-agent.1.pkcs11-whitelist openssh-7.4p1/ssh-agent.1
--- openssh-7.4p1/ssh-agent.1.pkcs11-whitelist 2017-01-03 10:41:01.916331710 +0100
+++ openssh-7.4p1/ssh-agent.1 2017-01-03 10:40:06.549366029 +0100
@@ -129,7 +129,7 @@ that may be added using the
option to
.Xr ssh-add 1 .
The default is to allow loading PKCS#11 libraries from
-.Dq /usr/lib/*,/usr/local/lib/* .
+.Dq /usr/lib*/*,/usr/local/lib*/* .
PKCS#11 libraries that do not match the whitelist will be refused.
See PATTERNS in
.Xr ssh_config 5
diff -up openssh-7.4p1/ssh-agent.c.pkcs11-whitelist openssh-7.4p1/ssh-agent.c
--- openssh-7.4p1/ssh-agent.c.pkcs11-whitelist 2017-01-03 10:41:09.324327118 +0100
+++ openssh-7.4p1/ssh-agent.c 2017-01-03 10:40:21.212356939 +0100
@@ -89,7 +89,7 @@
#endif
#ifndef DEFAULT_PKCS11_WHITELIST
-# define DEFAULT_PKCS11_WHITELIST "/usr/lib/*,/usr/local/lib/*"
+# define DEFAULT_PKCS11_WHITELIST "/usr/lib*/*,/usr/local/lib*/*"
#endif
typedef enum {

View File

@ -65,10 +65,10 @@
%endif %endif
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%global openssh_ver 7.4p1 %global openssh_ver 7.5p1
%global openssh_rel 4 %global openssh_rel 1
%global pam_ssh_agent_ver 0.10.3 %global pam_ssh_agent_ver 0.10.3
%global pam_ssh_agent_rel 1 %global pam_ssh_agent_rel 2
Summary: An open source implementation of SSH protocol versions 1 and 2 Summary: An open source implementation of SSH protocol versions 1 and 2
Name: openssh Name: openssh
@ -226,10 +226,6 @@ Patch940: openssh-7.2p2-expose-pam.patch
Patch942: openssh-7.2p2-chroot-capabilities.patch Patch942: openssh-7.2p2-chroot-capabilities.patch
# Move MAX_DISPLAYS to a configuration option (#1341302) # Move MAX_DISPLAYS to a configuration option (#1341302)
Patch944: openssh-7.3p1-x11-max-displays.patch Patch944: openssh-7.3p1-x11-max-displays.patch
# Whitelist /usr/lib*/ as planed upstream to prevent breakage
Patch946: openssh-7.4p1-pkcs11-whitelist.patch
# Correct reporting errors from included files (#1408558)
Patch947: openssh-7.4p1-include-errors.patch
# Help systemd to track the running service # Help systemd to track the running service
Patch948: openssh-7.4p1-systemd.patch Patch948: openssh-7.4p1-systemd.patch
@ -466,8 +462,6 @@ popd
%patch940 -p1 -b .expose-pam %patch940 -p1 -b .expose-pam
%patch942 -p1 -b .chroot-cap %patch942 -p1 -b .chroot-cap
%patch944 -p1 -b .x11max %patch944 -p1 -b .x11max
%patch946 -p1 -b .pkcs11-whitelist
%patch947 -p1 -b .include-errors
%patch948 -p1 -b .systemd %patch948 -p1 -b .systemd
%patch200 -p1 -b .audit %patch200 -p1 -b .audit
@ -811,6 +805,9 @@ getent passwd sshd >/dev/null || \
%endif %endif
%changelog %changelog
* Mon Mar 20 2017 Jakub Jelen <jjelen@redhat.com> - 7.5p1-1 + 0.10.3-2
- New upstream release
* Fri Mar 03 2017 Jakub Jelen <jjelen@redhat.com> - 7.4p1-4 + 0.10.3-1 * Fri Mar 03 2017 Jakub Jelen <jjelen@redhat.com> - 7.4p1-4 + 0.10.3-1
- Avoid sending the SD_NOTIFY messages from wrong processes (#1427526) - Avoid sending the SD_NOTIFY messages from wrong processes (#1427526)
- Address reports by coverity - Address reports by coverity

View File

@ -1,2 +1,2 @@
SHA512 (openssh-7.5p1.tar.gz) = 58c542e8a110fb4316a68db94abb663fa1c810becd0638d45281df8aeca62c1f705090437a80e788e6c29121769b72a505feced537d3118c933fde01b5285c81
SHA512 (pam_ssh_agent_auth-0.10.3.tar.bz2) = d75062c4e46b0b011f46aed9704a99049995fea8b5115ff7ee26dad7e93cbcf54a8af7efc6b521109d77dc03c6f5284574d2e1b84c6829cec25610f24fb4bd66 SHA512 (pam_ssh_agent_auth-0.10.3.tar.bz2) = d75062c4e46b0b011f46aed9704a99049995fea8b5115ff7ee26dad7e93cbcf54a8af7efc6b521109d77dc03c6f5284574d2e1b84c6829cec25610f24fb4bd66
SHA512 (openssh-7.4p1.tar.gz) = 4f3256f461f01366c5d5e0e45285eec65016e2643b3284b407f48f53d81087bf2c1caf7d5f7530d307a15c91c64de91446e1cba948e8fc68f82098290fe3b292