diff --git a/.gitignore b/.gitignore index 7362d2e..bfa675f 100644 --- a/.gitignore +++ b/.gitignore @@ -40,3 +40,5 @@ pam_ssh_agent_auth-0.9.2.tar.bz2 /openssh-8.1p1.tar.gz.asc /openssh-8.2p1.tar.gz /openssh-8.2p1.tar.gz.asc +/openssh-8.3p1.tar.gz +/openssh-8.3p1.tar.gz.asc diff --git a/openssh-7.6p1-audit.patch b/openssh-7.6p1-audit.patch index 024d990..675b672 100644 --- a/openssh-7.6p1-audit.patch +++ b/openssh-7.6p1-audit.patch @@ -883,8 +883,8 @@ diff -up openssh/cipher.c.audit openssh/cipher.c - if (cc == NULL) + if (cc == NULL || cc->cipher == NULL) return; - if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) - explicit_bzero(&cc->cp_ctx, sizeof(cc->cp_ctx)); + if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) { + chachapoly_free(cc->cp_ctx); diff -up openssh/cipher.h.audit openssh/cipher.h --- openssh/cipher.h.audit 2019-03-27 23:26:14.000000000 +0100 +++ openssh/cipher.h 2019-04-03 17:02:20.714886050 +0200 diff --git a/openssh-7.7p1-fips.patch b/openssh-7.7p1-fips.patch index 21eba1d..bb69efe 100644 --- a/openssh-7.7p1-fips.patch +++ b/openssh-7.7p1-fips.patch @@ -453,5 +453,5 @@ diff -up openssh-8.0p1/ssh-keygen.c.fips openssh-8.0p1/ssh-keygen.c fflush(stdout); - type = sshkey_type_from_name(key_types[i].key_type); if ((fd = mkstemp(prv_tmp)) == -1) { - error("Could not save your public key in %s: %s", - prv_tmp, strerror(errno)); + error("Could not save your private key in %s: %s", + prv_tmp, strerror(errno)); diff --git a/openssh-7.7p1-gssapi-new-unique.patch b/openssh-7.7p1-gssapi-new-unique.patch index 9386249..506c79a 100644 --- a/openssh-7.7p1-gssapi-new-unique.patch +++ b/openssh-7.7p1-gssapi-new-unique.patch @@ -480,7 +480,7 @@ index 6cae720e..16e55cbc 100644 + return 0; } - /* This allows GSSAPI methods to do things to the childs environment based + /* This allows GSSAPI methods to do things to the child's environment based @@ -498,9 +500,7 @@ ssh_gssapi_rekey_creds() { char *envstr; #endif @@ -574,7 +574,7 @@ index 85df6a27..480a5ead 100644 
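Review bot: In the openssh-7.6p1-audit.patch hunk for cipher.c, the rebased cleanup branch now opens a block and calls `chachapoly_free(cc->cp_ctx);`, but the hunk ends before that block closes, so it is not visible whether the pointer is cleared afterwards. The old line wiped the context in place with `explicit_bzero`, whereas the new call presumably releases a separately allocated one. If the audit code can reach this cleanup path more than once for the same context, a stale `cc->cp_ctx` would be freed a second time. Please confirm that `cc->cp_ctx = NULL;` follows the call inside the block, and that `chachapoly_free` still zeroizes the key material before releasing it.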
+++ b/session.c @@ -1033,7 +1033,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell) /* Allow any GSSAPI methods that we've used to alter - * the childs environment as they see fit + * the child's environment as they see fit */ - ssh_gssapi_do_child(&env, &envsize); + if (s->authctxt->krb5_set_env) diff --git a/openssh-8.0p1-gssapi-keyex.patch b/openssh-8.0p1-gssapi-keyex.patch index 466fa62..770e99e 100644 --- a/openssh-8.0p1-gssapi-keyex.patch +++ b/openssh-8.0p1-gssapi-keyex.patch @@ -964,7 +964,7 @@ index ab3a15f0..6ce56e92 100644 --- a/gss-serv.c +++ b/gss-serv.c @@ -1,7 +1,7 @@ - /* $OpenBSD: gss-serv.c,v 1.31 2018/07/09 21:37:55 markus Exp $ */ + /* $OpenBSD: gss-serv.c,v 1.32 2020/03/13 03:17:07 djm Exp $ */ /* - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. diff --git a/openssh-8.0p1-pkcs11-uri.patch b/openssh-8.0p1-pkcs11-uri.patch index 712f703..7c00b13 100644 --- a/openssh-8.0p1-pkcs11-uri.patch +++ b/openssh-8.0p1-pkcs11-uri.patch @@ -48,7 +48,7 @@ index e7549470..4511f82a 100644 msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ - ssh-pkcs11.o smult_curve25519_ref.o \ + ssh-pkcs11.o ssh-pkcs11-uri.o smult_curve25519_ref.o \ - poly1305.o chacha.o cipher-chachapoly.o \ + poly1305.o chacha.o cipher-chachapoly.o cipher-chachapoly-libcrypto.o \ ssh-ed25519.o digest-openssl.o digest-libc.o \ hmac.o sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o \ @@ -289,6 +289,8 @@ clean: regressclean @@ -2502,7 +2502,7 @@ index a302c79c..879fe917 100644 int ret = -1; struct pkcs11_provider *p = NULL; void *handle = NULL; -@@ -1484,165 +1670,301 @@ pkcs11_register_provider(char *provider_id, char *pin, +@@ -1484,167 +1670,303 @@ pkcs11_register_provider(char *provider_id, char *pin, CK_FUNCTION_LIST *f = NULL; CK_TOKEN_INFO *token; CK_ULONG i; @@ -2830,6 +2830,8 @@ index a302c79c..879fe917 100644 } - if (handle) - dlclose(handle); + if (ret > 0) + ret = -1; return (ret); } 
@@ -3109,9 +3111,9 @@ index 15aee569..976844cb 100644 + } +#endif /* ENABLE_PKCS11 */ + cp = tilde_expand_filename(name, getuid()); - filename = percent_expand(cp, "d", pw->pw_dir, - "u", pw->pw_name, "l", thishost, "h", host, - "r", options.user, (char *)NULL); + filename = default_client_percent_expand(cp, + pw->pw_dir, host, options.user, pw->pw_name); + free(cp); diff --git a/ssh_config.5 b/ssh_config.5 index 06a32d31..4b2763bd 100644 --- a/ssh_config.5 diff --git a/openssh-8.2p1-visibility.patch b/openssh-8.2p1-visibility.patch index 2f0b191..89c35ef 100644 --- a/openssh-8.2p1-visibility.patch +++ b/openssh-8.2p1-visibility.patch @@ -26,7 +26,7 @@ index dca158de..afdcb1d2 100644 -int +int __attribute__((visibility("default"))) - sk_sign(uint32_t alg, const uint8_t *message, size_t message_len, + sk_sign(uint32_t alg, const uint8_t *data, size_t datalen, const char *application, const uint8_t *key_handle, size_t key_handle_len, uint8_t flags, const char *pin, struct sk_option **options, @@ -518,7 +518,7 @@ sk_sign(uint32_t alg, const uint8_t *message, size_t message_len, diff --git a/openssh.spec b/openssh.spec index de2ffa2..740be9b 100644 --- a/openssh.spec +++ b/openssh.spec @@ -65,10 +65,10 @@ %endif # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 -%global openssh_ver 8.2p1 -%global openssh_rel 3 +%global openssh_ver 8.3p1 +%global openssh_rel 1 %global pam_ssh_agent_ver 0.10.3 -%global pam_ssh_agent_rel 9 +%global pam_ssh_agent_rel 10 Summary: An open source implementation of SSH protocol version 2 Name: openssh 
@@ -716,6 +716,11 @@ getent passwd sshd >/dev/null || \
 %endif
 
 %changelog
+* Wed May 27 2020 Jakub Jelen - 8.3p1-1 + 0.10.3-10
+- New upstream release (#1840503)
+- Unbreak corner cases of sshd_config include
+- Fix order of gssapi key exchange algorithms
+
 * Wed Apr 08 2020 Jakub Jelen - 8.2p1-3 + 0.10.3-9
 - Simplify reference to crypto policies in configuration files
 - Unbreak gssapi authentication with GSSAPITrustDNS over jump hosts
diff --git a/sources b/sources
index c951140..112375c 100644
--- a/sources
+++ b/sources
@@ -1,4 +1,4 @@
-SHA512 (openssh-8.2p1.tar.gz) = c4db64e52a3a4c410de9de49f9cb104dd493b10250af3599b92457dd986277b3fd99a6f51cec94892fd1be5bd0369c5757262ea7805f0de464b245c3d34c120a
-SHA512 (openssh-8.2p1.tar.gz.asc) = e6d091289d62d3a01d5978e3c26f72d8ea6979c345fbebc215515185ea567c959f5b17e32052d752829ab4c6bc537fd977f7aa02cf0a23280da63fd9d880f303
+SHA512 (openssh-8.3p1.tar.gz) = b5232f7c85bf59ae2ff9d17b030117012e257e3b8c0d5ac60bb139a85b1fbf298b40f2e04203a2e13ca7273053ed668b9dedd54d3a67a7cb8e8e58c0228c5f40
+SHA512 (openssh-8.3p1.tar.gz.asc) = 569fa12b3671af15bd7cd54fc7b13d1d64f3e96eb28f6dc430082f7bec4595689c633d3d56c23faad45b73e4da666c3ec090de26bf54f49410ba9bb8b5363e75
 SHA512 (DJM-GPG-KEY.gpg) = db1191ed9b6495999e05eed2ef863fb5179bdb63e94850f192dad68eed8579836f88fbcfffd9f28524fe1457aff8cd248ee3e0afc112c8f609b99a34b80ecc0d
 SHA512 (pam_ssh_agent_auth-0.10.3.tar.bz2) = d75062c4e46b0b011f46aed9704a99049995fea8b5115ff7ee26dad7e93cbcf54a8af7efc6b521109d77dc03c6f5284574d2e1b84c6829cec25610f24fb4bd66