5.6p1-36 + 0.9.2-29

openssh-5.6p1-getaddrinfo.patch

@@ -0,0 +1,24 @@
+diff -up openssh-5.6p1/channels.c.getaddrinfo openssh-5.6p1/channels.c
+--- openssh-5.6p1/channels.c.getaddrinfo	2012-02-14 16:12:54.427852524 +0100
++++ openssh-5.6p1/channels.c	2012-02-14 16:13:22.818928690 +0100
+@@ -3275,6 +3275,9 @@ x11_create_display_inet(int x11_display_
+ 		memset(&hints, 0, sizeof(hints));
+ 		hints.ai_family = IPv4or6;
+ 		hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE;
++#ifdef AI_ADDRCONFIG
++		hints.ai_flags |= AI_ADDRCONFIG;
++#endif
+ 		hints.ai_socktype = SOCK_STREAM;
+ 		snprintf(strport, sizeof strport, "%d", port);
+ 		if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0) {
+diff -up openssh-5.6p1/sshconnect.c.getaddrinfo openssh-5.6p1/sshconnect.c
+--- openssh-5.6p1/sshconnect.c.getaddrinfo	2012-02-14 16:09:25.057964291 +0100
++++ openssh-5.6p1/sshconnect.c	2012-02-14 16:09:25.106047007 +0100
+@@ -343,6 +343,7 @@ ssh_connect(const char *host, struct soc
+ 	memset(&hints, 0, sizeof(hints));
+ 	hints.ai_family = family;
+ 	hints.ai_socktype = SOCK_STREAM;
++	hints.ai_flags = AI_V4MAPPED | AI_ADDRCONFIG;
+ 	snprintf(strport, sizeof strport, "%u", port);
+ 	if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0)
+ 		fatal("%s: Could not resolve hostname %.100s: %s", __progname,

openssh-5.6p1-legacy-certificate.patch

@@ -0,0 +1,14 @@
+diff --git a/key.c b/key.c
+index 57ad9fd..5886d44 100644
+--- a/key.c
++++ b/key.c
+@@ -1517,8 +1517,8 @@ key_certify(Key *k, Key *ca)
+ 	buffer_put_cstring(&k->cert->certblob, key_ssh_name(k));
+ 
+ 	/* -v01 certs put nonce first */
++	arc4random_buf(&nonce, sizeof(nonce));
+ 	if (k->type == KEY_DSA_CERT || k->type == KEY_RSA_CERT) {
+-		arc4random_buf(&nonce, sizeof(nonce));
+ 		buffer_put_string(&k->cert->certblob, nonce, sizeof(nonce));
+ 	}
+ 

openssh-5.6p1-linux-oomkiller.patch

@@ -0,0 +1,96 @@
+? build
+Index: openbsd-compat/port-linux.c
+===================================================================
+RCS file: /var/cvs/openssh/openbsd-compat/port-linux.c,v
+retrieving revision 1.9
+diff -u -p -r1.9 port-linux.c
+--- openbsd-compat/port-linux.c	10 Sep 2010 00:30:25 -0000	1.9
++++ openbsd-compat/port-linux.c	17 Jan 2011 00:02:45 -0000
+@@ -208,14 +208,22 @@ ssh_selinux_change_context(const char *n
+ #endif /* WITH_SELINUX */
+ 
+ #ifdef LINUX_OOM_ADJUST
+-#define OOM_ADJ_PATH	"/proc/self/oom_adj"
+ /*
+- * The magic "don't kill me", as documented in eg:
++ * The magic "don't kill me" values, old and new, as documented in eg:
+  * http://lxr.linux.no/#linux+v2.6.32/Documentation/filesystems/proc.txt
++ * http://lxr.linux.no/#linux+v2.6.36/Documentation/filesystems/proc.txt
+  */
+-#define OOM_ADJ_NOKILL	-17
+ 
+ static int oom_adj_save = INT_MIN;
++static char *oom_adj_path = NULL;
++struct {
++	char *path;
++	int value;
++} oom_adjust[] = {
++	{"/proc/self/oom_score_adj", -1000},	/* kernels >= 2.6.36 */
++	{"/proc/self/oom_adj", -17},		/* kernels <= 2.6.35 */
++	{NULL, 0},
++};
+ 
+ /*
+  * Tell the kernel's out-of-memory killer to avoid sshd.
+@@ -224,23 +232,31 @@ static int oom_adj_save = INT_MIN;
+ void
+ oom_adjust_setup(void)
+ {
++	int i, value;
+ 	FILE *fp;
+ 
+ 	debug3("%s", __func__);
+-	if ((fp = fopen(OOM_ADJ_PATH, "r+")) != NULL) {
+-		if (fscanf(fp, "%d", &oom_adj_save) != 1)
+-			verbose("error reading %s: %s", OOM_ADJ_PATH, strerror(errno));
+-		else {
+-			rewind(fp);
+-			if (fprintf(fp, "%d\n", OOM_ADJ_NOKILL) <= 0)
+-				verbose("error writing %s: %s",
+-				    OOM_ADJ_PATH, strerror(errno));
+-			else
+-				verbose("Set %s from %d to %d",
+-				    OOM_ADJ_PATH, oom_adj_save, OOM_ADJ_NOKILL);
++	 for (i = 0; oom_adjust[i].path != NULL; i++) {
++		oom_adj_path = oom_adjust[i].path;
++		value = oom_adjust[i].value;
++		if ((fp = fopen(oom_adj_path, "r+")) != NULL) {
++			if (fscanf(fp, "%d", &oom_adj_save) != 1)
++				verbose("error reading %s: %s", oom_adj_path,
++				    strerror(errno));
++			else {
++				rewind(fp);
++				if (fprintf(fp, "%d\n", value) <= 0)
++					verbose("error writing %s: %s",
++					   oom_adj_path, strerror(errno));
++				else
++					verbose("Set %s from %d to %d",
++					   oom_adj_path, oom_adj_save, value);
++			}
++			fclose(fp);
++			return;
+ 		}
+-		fclose(fp);
+ 	}
++	oom_adj_path = NULL;
+ }
+ 
+ /* Restore the saved OOM adjustment */
+@@ -250,13 +266,14 @@ oom_adjust_restore(void)
+ 	FILE *fp;
+ 
+ 	debug3("%s", __func__);
+-	if (oom_adj_save == INT_MIN || (fp = fopen(OOM_ADJ_PATH, "w")) == NULL)
++	if (oom_adj_save == INT_MIN || oom_adj_path == NULL ||
++	    (fp = fopen(oom_adj_path, "w")) == NULL)
+ 		return;
+ 
+ 	if (fprintf(fp, "%d\n", oom_adj_save) <= 0)
+-		verbose("error writing %s: %s", OOM_ADJ_PATH, strerror(errno));
++		verbose("error writing %s: %s", oom_adj_path, strerror(errno));
+ 	else
+-		verbose("Set %s to %d", OOM_ADJ_PATH, oom_adj_save);
++		verbose("Set %s to %d", oom_adj_path, oom_adj_save);
+ 
+ 	fclose(fp);
+ 	return;

openssh.spec

@@ -71,14 +71,14 @@
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %define openssh_ver 5.6p1
-%define openssh_rel 30
+%define openssh_rel 36
 %define pam_ssh_agent_ver 0.9.2
 %define pam_ssh_agent_rel 29
 
 Summary: An open source implementation of SSH protocol versions 1 and 2
 Name: openssh
 Version: %{openssh_ver}
-Release: %{openssh_rel}%{?dist}%{?rescue_rel}.1
+Release: %{openssh_rel}%{?dist}%{?rescue_rel}
 URL: http://www.openssh.com/portable.html
 #URL1: http://pamsshagentauth.sourceforge.net
 #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
@@ -139,6 +139,13 @@ Patch79: openssh-5.5p1-x11.patch
 Patch80: openssh-5.6p1-biguid.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1842
 Patch81: openssh-5.6p1-clientloop.patch
+#https://bugzilla.mindrot.org/show_bug.cgi?id=1894
+#https://bugzilla.redhat.com/show_bug.cgi?id=735889
+Patch82:openssh-5.6p1-getaddrinfo.patch
+#https://bugzilla.mindrot.org/show_bug.cgi?id=1838
+Patch83:openssh-5.6p1-linux-oomkiller.patch
+#https://bugzilla.redhat.com//show_bug.cgi?id=784641
+Patch84:openssh-5.6p1-legacy-certificate.patch
 
 License: BSD
 Group: Applications/Internet
@@ -322,6 +329,9 @@ popd
 %patch79 -p1 -b .x11
 %patch80 -p1 -b .biguid
 %patch81 -p1 -b .clientloop
+%patch82 -p1 -b .getaddrinfo
+%patch83 -p0 -b .oomkiller
+%patch84 -p1 -b .legacy
 
 autoreconf
 pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
@@ -603,6 +613,22 @@ fi
 %endif
 
 %changelog
+* Mon Apr 16 2012 Petr Lautrbach <plautrba@redhat.com> 5.6p1-36 + 0.9.2-29
+- fix out-of-memory killer patch (#812676)
+
+* Tue Feb 14 2012 Petr Lautrbach <plautrba@redhat.com> 5.6p1-35 + 0.9.2-29
+- Fill fields in legacy certificates with random data (#784641)
+- Look for x11 forward sockets with AI_ADDRCONFIG flag getaddrinfo (#735889)
+
+* Wed Aug  3 2011 Jan F. Chadima <jchadima@redhat.com> - 5.6p2-34 + 0.9.2-29
+- Improve oom_adj (#727335)
+
+* Thu Jul 14 2011 Jan F. Chadima <jchadima@redhat.com> - 5.6p2-33 + 0.9.2-29
+- Add postlogin to pam. (#718807)
+
+* Fri Apr 29 2011 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-31 + 0.9.2-29
+- add flags AI_V4MAPPED and AI_ADDRCONFIG to getaddrinfo
+
 * Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.6p1-30.1
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
 

sshd.pam

@@ -1,6 +1,7 @@
 #%PAM-1.0
 auth	   required	pam_sepermit.so
-auth       include      password-auth
+auth       substack     password-auth
+auth       include      postlogin
 account    required     pam_nologin.so
 account    include      password-auth
 password   include      password-auth
@@ -11,3 +12,4 @@ session    required     pam_loginuid.so
 session    required     pam_selinux.so open env_params
 session    optional     pam_keyinit.so force revoke
 session    include      password-auth
+session    include      postlogin