- upgrade to new upstream (#441066)

- prevent initscript from killing itself on halt with upstart (#438449) - initscript status should show that the daemon is running only when the main daemon is still alive (#430882)
2008-04-07 20:14:31 +00:00 · 2008-04-07 20:14:31 +00:00 · ca47f63941
parent 2cb0e73a4e
commit ca47f63941
16 changed files with 312 additions and 399 deletions
--- a/.cvsignore
+++ b/.cvsignore
@ -1 +1 @@
-openssh-4.7p1-noacss.tar.bz2
+openssh-5.0p1-noacss.tar.bz2
--- a/openssh-3.9p1-skip-used.patch
+++ b/openssh-3.9p1-skip-used.patch
@ -1,12 +0,0 @@
--- openssh-3.9p1/channels.c.skip-used	2005-07-08 22:42:35.000000000 +0200
-+++ openssh-3.9p1/channels.c	2005-07-25 21:34:29.000000000 +0200
-@@ -2653,9 +2653,6 @@
- 				debug2("bind port %d: %.100s", port, strerror(errno));
- 				close(sock);
- 
-				if (ai->ai_next)
-					continue;
-
- 				for (n = 0; n < num_socks; n++) {
- 					close(socks[n]);
- 				}
--- a/openssh-4.2p1-pam-no-stack.patch
+++ b/openssh-4.2p1-pam-no-stack.patch
@ -1,16 +0,0 @@
--- openssh-4.2p1/contrib/redhat/sshd.pam.stack	2004-07-21 03:01:41.000000000 +0200
-+++ openssh-4.2p1/contrib/redhat/sshd.pam	2005-10-07 14:18:50.000000000 +0200
-@@ -1,6 +1,8 @@
- #%PAM-1.0
-auth       required     pam_stack.so service=system-auth
-auth       required     pam_nologin.so
-account    required     pam_stack.so service=system-auth
-password   required     pam_stack.so service=system-auth
-session    required     pam_stack.so service=system-auth
-+auth       include      system-auth
-+account    required     pam_nologin.so
-+account    include      system-auth
-+password   include      system-auth
-+session    optional     pam_keyinit.so force revoke
-+session    include      system-auth
-+session    required     pam_loginuid.so
--- a/openssh-4.3p2-initscript.patch
+++ b/openssh-4.3p2-initscript.patch
@ -1,66 +0,0 @@
--- openssh-4.5p1/contrib/redhat/sshd.init.initscript	2006-04-22 13:26:08.000000000 +0200
-+++ openssh-4.5p1/contrib/redhat/sshd.init	2007-07-25 18:26:50.000000000 +0200
-@@ -29,6 +29,8 @@
- DSA_KEY=/etc/ssh/ssh_host_dsa_key
- PID_FILE=/var/run/sshd.pid
- 
-+runlevel=$(set -- $(runlevel); eval "echo \$$#" )
-+
- do_rsa1_keygen() {
- 	if [ ! -s $RSA1_KEY ]; then
- 		echo -n $"Generating SSH1 RSA host key: "
-@@ -99,12 +101,14 @@
- start()
- {
- 	# Create keys if necessary
-	do_rsa1_keygen
-	do_rsa_keygen
-	do_dsa_keygen
-+	if [ "x${AUTOCREATE_SERVER_KEYS}" != xNO ]; then
-+		do_rsa1_keygen
-+		do_rsa_keygen
-+		do_dsa_keygen
-+	fi
- 
-	echo -n $"Starting $prog:"
-	initlog -c "$SSHD $OPTIONS" && success || failure
-+	echo -n $"Starting $prog: "
-+	$SSHD $OPTIONS && success || failure
- 	RETVAL=$?
- 	[ "$RETVAL" = 0 ] && touch /var/lock/subsys/sshd
- 	echo
-@@ -112,17 +116,30 @@
- 
- stop()
- {
-	echo -n $"Stopping $prog:"
-	killproc $SSHD -TERM
-+	echo -n $"Stopping $prog: "
-+	if [ -n "`pidfileofproc $SSHD`" ] ; then
-+	    killproc $SSHD
-+	else
-+	    failure $"Stopping $prog"
-+	fi
- 	RETVAL=$?
-+	# if we are in halt or reboot runlevel kill all running sessions
-+	# so the TCP connections are closed cleanly
-+	if [ "x$runlevel" = x0 -o "x$runlevel" = x6 ] ; then
-+	    killall $prog 2>/dev/null
-+	fi
- 	[ "$RETVAL" = 0 ] && rm -f /var/lock/subsys/sshd
- 	echo
- }
- 
- reload()
- {
-	echo -n $"Reloading $prog:"
-	killproc $SSHD -HUP
-+	echo -n $"Reloading $prog: "
-+	if [ -n "`pidfileofproc $SSHD`" ] ; then
-+	    killproc $SSHD -HUP
-+	else
-+	    failure $"Reloading $prog"
-+	fi
- 	RETVAL=$?
- 	echo
- }
--- a/openssh-4.5p1-controlcleanup.patch
+++ b/openssh-4.5p1-controlcleanup.patch
@ -0,0 +1,15 @@
+--- openssh-4.5p1/ssh.c~	2007-03-24 16:25:18.000000000 +0000
+++ openssh-4.5p1/ssh.c	2007-03-24 16:31:06.000000000 +0000
+@@ -1347,7 +1347,11 @@
+ 		}
+ 		if (errno == ENOENT)
+ 			debug("Control socket \"%.100s\" does not exist", path);
+-		else {
+		else if (errno == ECONNREFUSED) {
+			debug("Control socket connect(%.100s): %s", path,
+			    strerror(errno));
+			unlink(path);
+		} else {
+ 			error("Control socket connect(%.100s): %s", path,
+ 			    strerror(errno));
+ 		}
--- a/openssh-4.7p1-master-race.patch
+++ b/openssh-4.7p1-master-race.patch
@ -0,0 +1,85 @@
+--- openssh-4.7p1/ssh.c.masterrace	2008-03-06 13:55:11.000000000 +0000
+++ openssh-4.7p1/ssh.c	2008-03-06 13:55:19.000000000 +0000
+@@ -1065,7 +1065,7 @@ client_global_request_reply_fwd(int type
+ 	}
+ }
+ 
+-static void
+static int
+ ssh_control_listener(void)
+ {
+ 	struct sockaddr_un addr;
+@@ -1073,10 +1073,11 @@ ssh_control_listener(void)
+ 	int addr_len;
+ 
+ 	if (options.control_path == NULL ||
+-	    options.control_master == SSHCTL_MASTER_NO)
+-		return;
+	    options.control_master == SSHCTL_MASTER_NO ||
+	    control_fd != -1)
+		return 1;
+ 
+-	debug("setting up multiplex master socket");
+	debug("trying to set up multiplex master socket");
+ 
+ 	memset(&addr, '\0', sizeof(addr));
+ 	addr.sun_family = AF_UNIX;
+@@ -1093,11 +1094,9 @@ ssh_control_listener(void)
+ 	old_umask = umask(0177);
+ 	if (bind(control_fd, (struct sockaddr *)&addr, addr_len) == -1) {
+ 		control_fd = -1;
+-		if (errno == EINVAL || errno == EADDRINUSE)
+-			fatal("ControlSocket %s already exists",
+-			    options.control_path);
+-		else
+		if (errno != EINVAL && errno != EADDRINUSE)
+ 			fatal("%s bind(): %s", __func__, strerror(errno));
+		return 0;
+ 	}
+ 	umask(old_umask);
+ 
+@@ -1105,6 +1104,9 @@ ssh_control_listener(void)
+ 		fatal("%s listen(): %s", __func__, strerror(errno));
+ 
+ 	set_nonblock(control_fd);
+
+	debug("control master listening on %s", options.control_path);
+	return 1;
+ }
+ 
+ /* request pty/x11/agent/tcpfwd/shell for channel */
+@@ -1196,7 +1198,9 @@ ssh_session2(void)
+ 	ssh_init_forwarding();
+ 
+ 	/* Start listening for multiplex clients */
+-	ssh_control_listener();
+	if (!ssh_control_listener())
+		fatal("control master socket %s already exists",
+		      options.control_path);
+ 
+  	/*
+  	 * If we are the control master, and if control_persist is set,
+@@ -1375,7 +1379,13 @@ control_client(const char *path)
+ 	switch (options.control_master) {
+ 	case SSHCTL_MASTER_AUTO:
+ 	case SSHCTL_MASTER_AUTO_ASK:
+-		debug("auto-mux: Trying existing master");
+		/* see if we can create a control master socket
+		   to avoid a race between two auto clients */
+		if (mux_command == SSHMUX_COMMAND_OPEN &&
+		    ssh_control_listener())
+			return;
+		debug("trying to connect to control master socket %s",
+		    options.control_path);
+ 		/* FALLTHROUGH */
+ 	case SSHCTL_MASTER_NO:
+ 		break;
+@@ -1522,6 +1532,8 @@ control_client(const char *path)
+ 	signal(SIGTERM, control_client_sighandler);
+ 	signal(SIGWINCH, control_client_sigrelay);
+ 
+	debug("connected to control master; waiting for exit");
+
+ 	if (tty_flag)
+ 		enter_raw_mode();
+ 
--- a/openssh-4.7p1-mls.patch
+++ b/openssh-4.7p1-mls.patch
@ -42,12 +42,6 @@ diff -up openssh-4.7p1/session.c.mls openssh-4.7p1/session.c
 diff -up openssh-4.7p1/openbsd-compat/port-linux.c.mls openssh-4.7p1/openbsd-compat/port-linux.c
 --- openssh-4.7p1/openbsd-compat/port-linux.c.mls	2007-09-06 17:39:28.000000000 +0200
 +++ openssh-4.7p1/openbsd-compat/port-linux.c	2007-08-07 17:38:18.000000000 +0200
-@@ -1,4 +1,4 @@
-/* $Id: port-linux.c,v 1.4 2007/06/27 22:48:03 djm Exp $ */
-+/* $Id: port-linux.c,v 1.3 2006/09/01 05:38:41 djm Exp $ */
- 
- /*
-  * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
@@ -33,12 +33,23 @@
 #include "key.h"
 #include "hostfile.h"
--- a/openssh-4.7p1-packetdefsize.patch
+++ b/openssh-4.7p1-packetdefsize.patch
@ -1,25 +0,0 @@
-Index: clientloop.c
-===================================================================
-RCS file: /usr/local/src/security/openssh/cvs/openssh/clientloop.c,v
-retrieving revision 1.170
-diff -u -p -r1.170 clientloop.c
--- clientloop.c	28 Dec 2007 15:45:07 -0000	1.170
-+++ clientloop.c	28 Dec 2007 18:14:10 -0000
-@@ -1745,7 +1745,7 @@ client_request_forwarded_tcpip(const cha
- 	}
- 	c = channel_new("forwarded-tcpip",
- 	    SSH_CHANNEL_CONNECTING, sock, sock, -1,
-	    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_WINDOW_DEFAULT, 0,
-+	    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
- 	    originator_address, 1);
- 	xfree(originator_address);
- 	xfree(listen_address);
-@@ -1803,7 +1803,7 @@ client_request_agent(const char *request
- 		return NULL;
- 	c = channel_new("authentication agent connection",
- 	    SSH_CHANNEL_OPEN, sock, sock, -1,
-	    CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_WINDOW_DEFAULT, 0,
-+	    CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
- 	    "authentication agent connection", 1);
- 	c->force_drain = 1;
- 	return c;
--- a/openssh-4.7p1-pam-session.patch
+++ b/openssh-4.7p1-pam-session.patch
@ -1,137 +0,0 @@
-diff -up openssh-4.7p1/session.c.pam-session openssh-4.7p1/session.c
--- openssh-4.7p1/session.c.pam-session	2007-08-16 15:28:04.000000000 +0200
-+++ openssh-4.7p1/session.c	2007-09-06 17:37:46.000000000 +0200
-@@ -422,11 +422,6 @@ do_exec_no_pty(Session *s, const char *c
- 
- 	session_proctitle(s);
- 
-#if defined(USE_PAM)
-	if (options.use_pam && !use_privsep)
-		do_pam_setcred(1);
-#endif /* USE_PAM */
-
- 	/* Fork the child. */
- 	if ((pid = fork()) == 0) {
- 		is_child = 1;
-@@ -557,14 +552,6 @@ do_exec_pty(Session *s, const char *comm
- 	ptyfd = s->ptyfd;
- 	ttyfd = s->ttyfd;
- 
-#if defined(USE_PAM)
-	if (options.use_pam) {
-		do_pam_set_tty(s->tty);
-		if (!use_privsep)
-			do_pam_setcred(1);
-	}
-#endif
-
- 	/* Fork the child. */
- 	if ((pid = fork()) == 0) {
- 		is_child = 1;
-@@ -1300,17 +1287,9 @@ do_setusercontext(struct passwd *pw)
- # ifdef __bsdi__
- 		setpgid(0, 0);
- # endif
-#ifdef GSSAPI
-		if (options.gss_authentication) {
-			temporarily_use_uid(pw);
-			ssh_gssapi_storecreds();
-			restore_uid();
-		}
-#endif
- # ifdef USE_PAM
- 		if (options.use_pam) {
-			do_pam_session();
-			do_pam_setcred(use_privsep);
-+			do_pam_setcred(0);
- 		}
- # endif /* USE_PAM */
- 		if (setusercontext(lc, pw, pw->pw_uid,
-@@ -1337,13 +1316,6 @@ do_setusercontext(struct passwd *pw)
- 			exit(1);
- 		}
- 		endgrent();
-#ifdef GSSAPI
-		if (options.gss_authentication) {
-			temporarily_use_uid(pw);
-			ssh_gssapi_storecreds();
-			restore_uid();
-		}
-#endif
- # ifdef USE_PAM
- 		/*
- 		 * PAM credentials may take the form of supplementary groups.
-@@ -1351,8 +1323,7 @@ do_setusercontext(struct passwd *pw)
- 		 * Reestablish them here.
- 		 */
- 		if (options.use_pam) {
-			do_pam_session();
-			do_pam_setcred(use_privsep);
-+			do_pam_setcred(0);
- 		}
- # endif /* USE_PAM */
- # if defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY)
-diff -up openssh-4.7p1/sshd.c.pam-session openssh-4.7p1/sshd.c
--- openssh-4.7p1/sshd.c.pam-session	2007-09-06 17:37:46.000000000 +0200
-+++ openssh-4.7p1/sshd.c	2007-09-06 17:37:46.000000000 +0200
-@@ -1831,7 +1831,21 @@ main(int ac, char **av)
- 	audit_event(SSH_AUTH_SUCCESS);
- #endif
- 
-	/*
-+#ifdef GSSAPI
-+	if (options.gss_authentication) {
-+		temporarily_use_uid(authctxt->pw);
-+		ssh_gssapi_storecreds();
-+		restore_uid();
-+	}
-+#endif
-+#ifdef USE_PAM
-+	if (options.use_pam) {
-+		do_pam_setcred(1);
-+		do_pam_session();
-+	}
-+#endif
-+
-+ 	/*
- 	 * In privilege separation, we fork another child and prepare
- 	 * file descriptor passing.
- 	 */
-diff -up openssh-4.7p1/monitor.c.pam-session openssh-4.7p1/monitor.c
--- openssh-4.7p1/monitor.c.pam-session	2007-09-06 17:37:46.000000000 +0200
-+++ openssh-4.7p1/monitor.c	2007-09-06 17:37:46.000000000 +0200
-@@ -1566,6 +1566,11 @@ mm_answer_term(int sock, Buffer *req)
- 	/* The child is terminating */
- 	session_destroy_all(&mm_session_close);
- 
-+#ifdef USE_PAM
-+	if (options.use_pam)
-+		sshpam_cleanup();
-+#endif
-+
- 	while (waitpid(pmonitor->m_pid, &status, 0) == -1)
- 		if (errno != EINTR)
- 			exit(1);
-diff -up openssh-4.7p1/auth-pam.c.pam-session openssh-4.7p1/auth-pam.c
--- openssh-4.7p1/auth-pam.c.pam-session	2007-08-10 06:32:34.000000000 +0200
-+++ openssh-4.7p1/auth-pam.c	2007-09-06 17:37:46.000000000 +0200
-@@ -598,15 +598,17 @@ static struct pam_conv store_conv = { ss
- void
- sshpam_cleanup(void)
- {
-	debug("PAM: cleanup");
-	if (sshpam_handle == NULL)
-+	if (sshpam_handle == NULL || (use_privsep && !mm_is_monitor()))
- 		return;
-+	debug("PAM: cleanup");
- 	pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv);
- 	if (sshpam_cred_established) {
-+		debug("PAM: deleting credentials");
- 		pam_setcred(sshpam_handle, PAM_DELETE_CRED);
- 		sshpam_cred_established = 0;
- 	}
- 	if (sshpam_session_open) {
-+		debug("PAM: closing session");
- 		pam_close_session(sshpam_handle, PAM_SILENT);
- 		sshpam_session_open = 0;
- 	}
--- a/openssh-4.7p1-sftp-doclose.patch
+++ b/openssh-4.7p1-sftp-doclose.patch
@ -1,13 +0,0 @@
-Without this do_close() I get "Couldn't get handle: Failure"
-on every operation after N times through this failure path
-where N = 100 on OpenBSD and N = 200 on GNU/Linux.
--- src/usr.bin/ssh/sftp-client.c.orig	Sun Sep 16 00:55:52 2007
-+++ src/usr.bin/ssh/sftp-client.c	Mon Oct 15 10:12:50 2007
-@@ -813,6 +813,7 @@ do_download(struct sftp_conn *conn, char
- 	if (local_fd == -1) {
- 		error("Couldn't open local file \"%s\" for writing: %s",
- 		    local_path, strerror(errno));
-+		do_close(conn, handle, handle_len);
- 		buffer_free(&msg);
- 		xfree(handle);
- 		return(-1);
--- a/openssh-4.7p1-sftp-drain-acks.patch
+++ b/openssh-4.7p1-sftp-drain-acks.patch
@ -1,71 +0,0 @@
-diff -up openssh-4.7p1/sftp-client.c.drain-acks openssh-4.7p1/sftp-client.c
--- openssh-4.7p1/sftp-client.c.drain-acks	2007-02-19 12:13:39.000000000 +0100
-+++ openssh-4.7p1/sftp-client.c	2007-09-06 17:54:41.000000000 +0200
-@@ -992,7 +992,8 @@ int
- do_upload(struct sftp_conn *conn, char *local_path, char *remote_path,
-     int pflag)
- {
-	int local_fd, status;
-+	int local_fd;
-+	int status = SSH2_FX_OK;
- 	u_int handle_len, id, type;
- 	u_int64_t offset;
- 	char *handle, *data;
-@@ -1074,7 +1075,7 @@ do_upload(struct sftp_conn *conn, char *
- 		 * Simulate an EOF on interrupt, allowing ACKs from the
- 		 * server to drain.
- 		 */
-		if (interrupted)
-+		if (interrupted || status != SSH2_FX_OK)
- 			len = 0;
- 		else do
- 			len = read(local_fd, data, conn->transfer_buflen);
-@@ -1131,18 +1132,6 @@ do_upload(struct sftp_conn *conn, char *
- 				fatal("Can't find request for ID %u", r_id);
- 			TAILQ_REMOVE(&acks, ack, tq);
- 
-			if (status != SSH2_FX_OK) {
-				error("Couldn't write to remote file \"%s\": %s",
-				    remote_path, fx2txt(status));
-				if (showprogress)
-					stop_progress_meter();
-				do_close(conn, handle, handle_len);
-				close(local_fd);
-				xfree(data);
-				xfree(ack);
-				status = -1;
-				goto done;
-			}
- 			debug3("In write loop, ack for %u %u bytes at %llu",
- 			    ack->id, ack->len, (unsigned long long)ack->offset);
- 			++ackid;
-@@ -1154,21 +1143,25 @@ do_upload(struct sftp_conn *conn, char *
- 		stop_progress_meter();
- 	xfree(data);
- 
-+	if (status != SSH2_FX_OK) {
-+		error("Couldn't write to remote file \"%s\": %s",
-+		    remote_path, fx2txt(status));
-+		status = -1;
-+	}
-+
- 	if (close(local_fd) == -1) {
- 		error("Couldn't close local file \"%s\": %s", local_path,
- 		    strerror(errno));
-		do_close(conn, handle, handle_len);
- 		status = -1;
-		goto done;
- 	}
- 
- 	/* Override umask and utimes if asked */
- 	if (pflag)
- 		do_fsetstat(conn, handle, handle_len, &a);
- 
-	status = do_close(conn, handle, handle_len);
-+	if (do_close(conn, handle, handle_len) != SSH2_FX_OK)
-+		status = -1;
- 
-done:
- 	xfree(handle);
- 	buffer_free(&msg);
- 	return(status);
--- a/openssh-4.7p1-sshd-v6only.patch
+++ b/openssh-4.7p1-sshd-v6only.patch
@ -1,30 +0,0 @@
--- sshd.c	2007-06-05 01:22:32.000000000 -0700
-+++ sshd.c.new	2007-11-17 00:07:08.000000000 -0800
-@@ -971,12 +971,27 @@
- 		}
- 		/*
- 		 * Set socket options.
-+		 */
-+
-+		/*
- 		 * Allow local port reuse in TIME_WAIT.
- 		 */
- 		if (setsockopt(listen_sock, SOL_SOCKET, SO_REUSEADDR,
- 		    &on, sizeof(on)) == -1)
- 			error("setsockopt SO_REUSEADDR: %s", strerror(errno));
- 
-+#ifdef IPV6_V6ONLY
-+		if (ai->ai_family == AF_INET6) {
-+			/*
-+			 * Only communicate in IPv6 over AF_INET6 sockets.
-+			 */
-+			if (setsockopt(listen_sock, IPPROTO_IPV6, IPV6_V6ONLY,
-+			    &on, sizeof(on)) == -1)
-+				error("setsockopt IPV6_V6ONLY: %s",
-+				    strerror(errno));
-+		}
-+#endif
-+
- 		debug("Bind to port %s on %s.", strport, ntop);
- 
- 		/* Bind the socket to the desired port. */
--- a/openssh.spec
+++ b/openssh.spec
@ -62,8 +62,8 @@

 Summary: The OpenSSH implementation of SSH protocol versions 1 and 2
 Name: openssh
-Version: 4.7p1
-Release: 9%{?dist}%{?rescue_rel}
+Version: 5.0p1
+Release: 1%{?dist}%{?rescue_rel}
 URL: http://www.openssh.com/portable.html
 #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
 #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
@ -72,34 +72,30 @@ URL: http://www.openssh.com/portable.html
 # the unpacked source directory.
 Source0: openssh-%{version}-noacss.tar.bz2
 Source1: openssh-nukeacss.sh
+Source2: sshd.pam
+Source3: sshd.init
 Patch0: openssh-4.7p1-redhat.patch
 Patch2: openssh-3.8.1p1-skip-initial.patch
 Patch3: openssh-3.8.1p1-krb5-config.patch
 Patch4: openssh-4.7p1-vendor.patch
-Patch5: openssh-4.3p2-initscript.patch
-Patch10: openssh-4.7p1-pam-session.patch
 Patch12: openssh-4.7p1-selinux.patch
 Patch13: openssh-4.7p1-mls.patch
 Patch16: openssh-4.7p1-audit.patch
 Patch17: openssh-4.3p2-cve-2007-3102.patch
 Patch22: openssh-3.9p1-askpass-keep-above.patch
 Patch24: openssh-4.3p1-fromto-remote.patch
-Patch26: openssh-4.2p1-pam-no-stack.patch
 Patch27: openssh-4.7p1-log-in-chroot.patch
 Patch30: openssh-4.0p1-exit-deadlock.patch
-Patch31: openssh-3.9p1-skip-used.patch
 Patch35: openssh-4.2p1-askpass-progress.patch
 Patch38: openssh-4.3p2-askpass-grab-info.patch
 Patch39: openssh-4.3p2-no-v6only.patch
 Patch44: openssh-4.3p2-allow-ip-opts.patch
 Patch49: openssh-4.3p2-gssapi-canohost.patch
 Patch51: openssh-4.7p1-nss-keys.patch
-Patch52: openssh-4.7p1-sftp-drain-acks.patch
-Patch53: openssh-4.7p1-packetdefsize.patch
 Patch54: openssh-4.7p1-gssapi-role.patch
 Patch55: openssh-4.7p1-cloexec.patch
-Patch56: openssh-4.7p1-sshd-v6only.patch
-Patch57: openssh-4.7p1-sftp-doclose.patch
+Patch58: openssh-4.5p1-controlcleanup.patch
+Patch59: openssh-4.7p1-master-race.patch

 License: BSD
 Group: Applications/Internet
@ -209,9 +205,6 @@ an X11 passphrase dialog for OpenSSH.
 %patch2 -p1 -b .skip-initial
 %patch3 -p1 -b .krb5-config
 %patch4 -p1 -b .vendor
-%patch5 -p1 -b .initscript
-
-%patch10 -p1 -b .pam-session

 %if %{WITH_SELINUX}
 #SELinux
@ -223,22 +216,18 @@ an X11 passphrase dialog for OpenSSH.

 %patch22 -p1 -b .keep-above
 %patch24 -p1 -b .fromto-remote
-%patch26 -p1 -b .stack
 %patch27 -p1 -b .log-chroot
 %patch30 -p1 -b .exit-deadlock
-%patch31 -p1 -b .skip-used
 %patch35 -p1 -b .progress
 %patch38 -p1 -b .grab-info
 %patch39 -p1 -b .no-v6only
 %patch44 -p1 -b .ip-opts
 %patch49 -p1 -b .canohost
 %patch51 -p1 -b .nss-keys
-%patch52 -p1 -b .drain-acks
-%patch53 -p0 -b .defsize
 %patch54 -p0 -b .gssapi-role
 %patch55 -p1 -b .cloexec
-%patch56 -p0 -b .sshd-v6only
-%patch57 -p3 -b .doclose
+%patch58 -p1 -b .controlcleanup
+%patch59 -p1 -b .master-race

 autoreconf

@ -343,8 +332,8 @@ make install DESTDIR=$RPM_BUILD_ROOT
 install -d $RPM_BUILD_ROOT/etc/pam.d/
 install -d $RPM_BUILD_ROOT/etc/rc.d/init.d
 install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh
-install -m644 contrib/redhat/sshd.pam      $RPM_BUILD_ROOT/etc/pam.d/sshd
-install -m755 contrib/redhat/sshd.init     $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd
+install -m644 %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/sshd
+install -m755 %{SOURCE3} $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd
 install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/
 install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/

@ -489,6 +478,16 @@ fi
 %endif

 %changelog
+* Mon Apr  7 2008 Tomas Mraz <tmraz@redhat.com> - 5.0p1-1
+- upgrade to new upstream (#441066)
+- prevent initscript from killing itself on halt with upstart (#438449)
+- initscript status should show that the daemon is running
+  only when the main daemon is still alive (#430882)
+
+* Thu Mar  6 2008 Tomas Mraz <tmraz@redhat.com> - 4.7p1-10
+- fix race on control master and cleanup stale control socket (#436311)
+  patches by David Woodhouse
+
 * Fri Feb 29 2008 Tomas Mraz <tmraz@redhat.com> - 4.7p1-9
 - set FD_CLOEXEC on client socket
 - apply real fix for window size problem (#286181) from upstream
--- a/2
+++ b/2
@ -1 +1 @@
-21634329a8f1cd0e7a7974ade7280bdc  openssh-4.7p1-noacss.tar.bz2
+e39c15a5fb9036bd64256c78a6fbf394  openssh-5.0p1-noacss.tar.bz2
--- a/sshd.init
+++ b/sshd.init
@ -0,0 +1,182 @@
+#!/bin/bash
+#
+# Init file for OpenSSH server daemon
+#
+# chkconfig: 2345 55 25
+# description: OpenSSH server daemon
+#
+# processname: sshd
+# config: /etc/ssh/ssh_host_key
+# config: /etc/ssh/ssh_host_key.pub
+# config: /etc/ssh/ssh_random_seed
+# config: /etc/ssh/sshd_config
+# pidfile: /var/run/sshd.pid
+
+# source function library
+. /etc/rc.d/init.d/functions
+
+# pull in sysconfig settings
+[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd
+
+RETVAL=0
+prog="sshd"
+
+# Some functions to make the below more readable
+KEYGEN=/usr/bin/ssh-keygen
+SSHD=/usr/sbin/sshd
+RSA1_KEY=/etc/ssh/ssh_host_key
+RSA_KEY=/etc/ssh/ssh_host_rsa_key
+DSA_KEY=/etc/ssh/ssh_host_dsa_key
+PID_FILE=/var/run/sshd.pid
+
+runlevel=$(set -- $(runlevel); eval "echo \$$#" )
+
+do_rsa1_keygen() {
+	if [ ! -s $RSA1_KEY ]; then
+		echo -n $"Generating SSH1 RSA host key: "
+		if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
+			chmod 600 $RSA1_KEY
+			chmod 644 $RSA1_KEY.pub
+			if [ -x /sbin/restorecon ]; then
+			    /sbin/restorecon $RSA1_KEY.pub
+			fi
+			success $"RSA1 key generation"
+			echo
+		else
+			failure $"RSA1 key generation"
+			echo
+			exit 1
+		fi
+	fi
+}
+
+do_rsa_keygen() {
+	if [ ! -s $RSA_KEY ]; then
+		echo -n $"Generating SSH2 RSA host key: "
+		if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
+			chmod 600 $RSA_KEY
+			chmod 644 $RSA_KEY.pub
+			if [ -x /sbin/restorecon ]; then
+			    /sbin/restorecon $RSA_KEY.pub
+			fi
+			success $"RSA key generation"
+			echo
+		else
+			failure $"RSA key generation"
+			echo
+			exit 1
+		fi
+	fi
+}
+
+do_dsa_keygen() {
+	if [ ! -s $DSA_KEY ]; then
+		echo -n $"Generating SSH2 DSA host key: "
+		if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
+			chmod 600 $DSA_KEY
+			chmod 644 $DSA_KEY.pub
+			if [ -x /sbin/restorecon ]; then
+			    /sbin/restorecon $DSA_KEY.pub
+			fi
+			success $"DSA key generation"
+			echo
+		else
+			failure $"DSA key generation"
+			echo
+			exit 1
+		fi
+	fi
+}
+
+do_restart_sanity_check()
+{
+	$SSHD -t
+	RETVAL=$?
+	if [ ! "$RETVAL" = 0 ]; then
+		failure $"Configuration file or keys are invalid"
+		echo
+	fi
+}
+
+start()
+{
+	# Create keys if necessary
+	if [ "x${AUTOCREATE_SERVER_KEYS}" != xNO ]; then
+		do_rsa1_keygen
+		do_rsa_keygen
+		do_dsa_keygen
+	fi
+
+	echo -n $"Starting $prog: "
+	$SSHD $OPTIONS && success || failure
+	RETVAL=$?
+	[ "$RETVAL" = 0 ] && touch /var/lock/subsys/sshd
+	echo
+}
+
+stop()
+{
+	echo -n $"Stopping $prog: "
+	if [ -n "`pidfileofproc $SSHD`" ] ; then
+	    killproc $SSHD
+	else
+	    failure $"Stopping $prog"
+	fi
+	RETVAL=$?
+	# if we are in halt or reboot runlevel kill all running sessions
+	# so the TCP connections are closed cleanly
+	if [ "x$runlevel" = x0 -o "x$runlevel" = x6 ] ; then
+	    trap '' TERM
+	    killall $prog 2>/dev/null
+	    trap TERM
+	fi
+	[ "$RETVAL" = 0 ] && rm -f /var/lock/subsys/sshd
+	echo
+}
+
+reload()
+{
+	echo -n $"Reloading $prog: "
+	if [ -n "`pidfileofproc $SSHD`" ] ; then
+	    killproc $SSHD -HUP
+	else
+	    failure $"Reloading $prog"
+	fi
+	RETVAL=$?
+	echo
+}
+
+case "$1" in
+	start)
+		start
+		;;
+	stop)
+		stop
+		;;
+	restart)
+		stop
+		start
+		;;
+	reload)
+		reload
+		;;
+	condrestart)
+		if [ -f /var/lock/subsys/sshd ] ; then
+			do_restart_sanity_check
+			if [ "$RETVAL" = 0 ] ; then
+				stop
+				# avoid race
+				sleep 3
+				start
+			fi
+		fi
+		;;
+	status)
+		status -p $PID_FILE openssh-daemon
+		RETVAL=$?
+		;;
+	*)
+		echo $"Usage: $0 {start|stop|restart|reload|condrestart|status}"
+		RETVAL=1
+esac
+exit $RETVAL
--- a/sshd.pam
+++ b/sshd.pam
@ -0,0 +1,8 @@
+#%PAM-1.0
+auth       include      system-auth
+account    required     pam_nologin.so
+account    include      system-auth
+password   include      system-auth
+session    optional     pam_keyinit.so force revoke
+session    include      system-auth
+session    required     pam_loginuid.so