From 9c481a12e1c9f647e31e3b6e1f1c77f50ce52154 Mon Sep 17 00:00:00 2001 From: MSVSphere Packaging Team Date: Wed, 14 Aug 2024 03:16:01 +0300 Subject: [PATCH] import openssh-8.0p1-25.el8_10 --- SOURCES/openssh-6.7p1-coverity.patch | 12 --- SOURCES/openssh-7.7p1-fips.patch | 56 +++++++++++- SOURCES/openssh-8.0p1-avoidkillall.patch | 20 +++++ SOURCES/openssh-8.0p1-bigsshdconfig.patch | 13 +++ SOURCES/openssh-8.0p1-gssapi-keyex.patch | 85 +++++++++++++------ ...penssh-8.0p1-upstream-ignore-SIGPIPE.patch | 38 +++++++++ SOURCES/openssh-8.7p1-scp-kill-switch.patch | 46 ++++++++++ SOURCES/openssh-9.4p2-limit-delay.patch | 33 +++++++ SPECS/openssh.spec | 57 +++++++++++-- 9 files changed, 311 insertions(+), 49 deletions(-) create mode 100644 SOURCES/openssh-8.0p1-avoidkillall.patch create mode 100644 SOURCES/openssh-8.0p1-bigsshdconfig.patch create mode 100644 SOURCES/openssh-8.0p1-upstream-ignore-SIGPIPE.patch create mode 100644 SOURCES/openssh-8.7p1-scp-kill-switch.patch create mode 100644 SOURCES/openssh-9.4p2-limit-delay.patch diff --git a/SOURCES/openssh-6.7p1-coverity.patch b/SOURCES/openssh-6.7p1-coverity.patch index 0159482..d24c4a2 100644 --- a/SOURCES/openssh-6.7p1-coverity.patch +++ b/SOURCES/openssh-6.7p1-coverity.patch @@ -136,18 +136,6 @@ diff -up openssh-7.4p1/serverloop.c.coverity openssh-7.4p1/serverloop.c if (tun != SSH_TUNID_ANY && auth_opts->force_tun_device != (int)tun) goto done; -diff -up openssh-7.4p1/sftp.c.coverity openssh-7.4p1/sftp.c ---- openssh-7.4p1/sftp.c.coverity 2016-12-19 05:59:41.000000000 +0100 -+++ openssh-7.4p1/sftp.c 2016-12-23 16:40:26.903788691 +0100 -@@ -224,7 +224,7 @@ killchild(int signo) - { - if (sshpid > 1) { - kill(sshpid, SIGTERM); -- waitpid(sshpid, NULL, 0); -+ (void) waitpid(sshpid, NULL, 0); - } - - _exit(1); diff -up openssh-7.4p1/ssh-agent.c.coverity openssh-7.4p1/ssh-agent.c --- openssh-7.4p1/ssh-agent.c.coverity 2016-12-19 05:59:41.000000000 +0100 +++ openssh-7.4p1/ssh-agent.c 2016-12-23 16:40:26.903788691 +0100 
diff --git a/SOURCES/openssh-7.7p1-fips.patch b/SOURCES/openssh-7.7p1-fips.patch index 1f6fdc2..0cbd22f 100644 --- a/SOURCES/openssh-7.7p1-fips.patch +++ b/SOURCES/openssh-7.7p1-fips.patch @@ -471,12 +471,53 @@ diff -up openssh-7.9p1/sshkey.c.fips openssh-7.9p1/sshkey.c #include "xmss_fast.h" +@@ -392,7 +394,8 @@ sshkey_calculate_signature(EVP_PKEY *pkey + { + EVP_MD_CTX *ctx = NULL; + u_char *sig = NULL; +- int ret, slen, len; ++ int ret, slen; ++ size_t len; + + if (sigp == NULL || lenp == NULL) { + return SSH_ERR_INVALID_ARGUMENT; +@@ -411,9 +414,10 @@ sshkey_calculate_signature(EVP_PKEY *pkey + ret = SSH_ERR_ALLOC_FAIL; + goto error; + } +- if (EVP_SignInit_ex(ctx, ssh_digest_to_md(hash_alg), NULL) <= 0 || +- EVP_SignUpdate(ctx, data, datalen) <= 0 || +- EVP_SignFinal(ctx, sig, &len, pkey) <= 0) { ++ if (EVP_DigestSignInit(ctx, NULL, ssh_digest_to_md(hash_alg), ++ NULL, pkey) != 1 || ++ EVP_DigestSignUpdate(ctx, data, datalen) != 1 || ++ EVP_DigestSignFinal(ctx, sig, &len) != 1) { + ret = SSH_ERR_LIBCRYPTO_ERROR; + goto error; + } +@@ -440,12 +444,13 @@ sshkey_verify_signature(EVP_PKEY *pkey + if ((ctx = EVP_MD_CTX_new()) == NULL) { + return SSH_ERR_ALLOC_FAIL; + } +- if (EVP_VerifyInit_ex(ctx, ssh_digest_to_md(hash_alg), NULL) <= 0 || +- EVP_VerifyUpdate(ctx, data, datalen) <= 0) { ++ if (EVP_DigestVerifyInit(ctx, NULL, ssh_digest_to_md(hash_alg), ++ NULL, pkey) != 1 || ++ EVP_DigestVerifyUpdate(ctx, data, datalen) != 1) { + ret = SSH_ERR_LIBCRYPTO_ERROR; + goto done; + } +- ret = EVP_VerifyFinal(ctx, sigbuf, siglen, pkey); ++ ret = EVP_DigestVerifyFinal(ctx, sigbuf, siglen); + switch (ret) { + case 1: + ret = 0; 
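Review bot: `len` is passed to `EVP_DigestSignFinal(ctx, sig, &len)` but nothing in this hunk initialises it: unlike `EVP_SignFinal`, whose length argument is output-only, `EVP_DigestSignFinal` treats `*siglen` as in/out and expects it to hold the capacity of `sig` on entry when `sig` is non-NULL, otherwise it reports a too-small buffer. If the unshown lines between the argument check and the `SSH_ERR_ALLOC_FAIL` branch do not already do so, add `len = slen;` before the call. The move from `<= 0` to `!= 1` is the right test for the `EVP_Digest*` family, which return exactly 1 on success. Both `sshkey_calculate_signature` and `sshkey_verify_signature` extend beyond the hunk.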
@@ -1514,6 +1516,8 @@ rsa_generate_private_key(u_int bits, RSA } if (!BN_set_word(f4, RSA_F4) || !RSA_generate_key_ex(private, bits, f4, NULL)) { -+ if (FIPS_mode()) -+ logit("%s: the key length might be unsupported by FIPS mode approved key generation method", __func__); ++ if (FIPS_mode()) ++ logit("%s: the key length might be unsupported by FIPS mode approved key generation method", __func__); ret = SSH_ERR_LIBCRYPTO_ERROR; goto out; } @@ -515,3 +556,14 @@ diff -up openssh-7.9p1/ssh-keygen.c.fips openssh-7.9p1/ssh-keygen.c if ((fd = mkstemp(prv_tmp)) == -1) { error("Could not save your public key in %s: %s", prv_tmp, strerror(errno)); +diff -up openssh-8.0p1/sshd_config.xxx openssh-8.0p1/sshd_config +--- openssh-8.0p1/sshd_config.xxx 2023-10-30 13:01:59.150952364 +0100 ++++ openssh-8.0p1/sshd_config 2023-10-30 13:02:56.662231354 +0100 +@@ -21,6 +21,7 @@ + + HostKey /etc/ssh/ssh_host_rsa_key + HostKey /etc/ssh/ssh_host_ecdsa_key ++#In FIPS mode Ed25519 keys are not supported, please comment out the next line + HostKey /etc/ssh/ssh_host_ed25519_key + + # Ciphers and keying diff --git a/SOURCES/openssh-8.0p1-avoidkillall.patch b/SOURCES/openssh-8.0p1-avoidkillall.patch new file mode 100644 index 0000000..77331e8 --- /dev/null +++ b/SOURCES/openssh-8.0p1-avoidkillall.patch @@ -0,0 +1,20 @@ +diff --git a/sftp.c b/sftp.c +index b66037f1..54538ff9 100644 +--- a/sftp.c ++++ b/sftp.c +@@ -220,9 +220,12 @@ static const struct CMD cmds[] = { + static void + killchild(int signo) + { +- if (sshpid > 1) { +- kill(sshpid, SIGTERM); +- waitpid(sshpid, NULL, 0); ++ pid_t pid; ++ ++ pid = sshpid; ++ if (pid > 1) { ++ kill(pid, SIGTERM); ++ (void)waitpid(pid, NULL, 0); + } + + _exit(1); diff --git a/SOURCES/openssh-8.0p1-bigsshdconfig.patch b/SOURCES/openssh-8.0p1-bigsshdconfig.patch new file mode 100644 index 0000000..2158ffe --- /dev/null +++ b/SOURCES/openssh-8.0p1-bigsshdconfig.patch 
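Review bot: The local copy `pid = sshpid` in `killchild` only closes the check-to-use window if `sshpid` is declared `volatile` (a `volatile pid_t`), because otherwise the compiler, which cannot see the asynchronous writer, may legally re-read `sshpid` at each use instead of keeping the snapshot. The declaration is outside this hunk, so please confirm it matches the upstream change. A one-line comment would make the intent survive the next refactor: `/* snapshot sshpid: the main loop may reset it while this handler runs, and a stale 0/-1 would signal every process we can */`.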
@@ -0,0 +1,13 @@ +diff --git a/msg.c b/msg.c +index 99c25cd2..574a566e 100644 +--- a/msg.c ++++ b/msg.c +@@ -77,7 +77,7 @@ ssh_msg_recv(int fd, struct sshbuf *m) + return (-1); + } + msg_len = get_u32(buf); +- if (msg_len > 256 * 1024) { ++ if (msg_len > sshbuf_max_size(m)) { + error("ssh_msg_recv: read: bad msg_len %u", msg_len); + return (-1); + } diff --git a/SOURCES/openssh-8.0p1-gssapi-keyex.patch b/SOURCES/openssh-8.0p1-gssapi-keyex.patch index a8f2838..2182c49 100644 --- a/SOURCES/openssh-8.0p1-gssapi-keyex.patch +++ b/SOURCES/openssh-8.0p1-gssapi-keyex.patch @@ -1509,7 +1509,7 @@ new file mode 100644 index 00000000..0b2f6a56 --- /dev/null +++ b/kexgssc.c -@@ -0,0 +1,595 @@ +@@ -0,0 +1,618 @@ +/* + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. + * @@ -1571,7 +1571,7 @@ index 00000000..0b2f6a56 + struct sshbuf *server_blob = NULL; + struct sshbuf *shared_secret = NULL; + struct sshbuf *server_host_key_blob = NULL; -+ struct sshbuf *empty = sshbuf_new(); ++ struct sshbuf *empty = NULL; + u_char *msg; + int type = 0; + int first = 1; @@ -1610,8 +1610,10 @@ index 00000000..0b2f6a56 + default: + fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type); + } -+ if (r != 0) ++ if (r != 0) { ++ ssh_gssapi_delete_ctx(&ctxt); + return r; ++ } + + token_ptr = GSS_C_NO_BUFFER; + @@ -1674,11 +1676,16 @@ index 00000000..0b2f6a56 + do { + type = ssh_packet_read(ssh); + if (type == SSH2_MSG_KEXGSS_HOSTKEY) { ++ char *tmp = NULL; ++ size_t tmp_len = 0; ++ + debug("Received KEXGSS_HOSTKEY"); + if (server_host_key_blob) + fatal("Server host key received more than once"); -+ if ((r = sshpkt_getb_froms(ssh, &server_host_key_blob)) != 0) ++ if ((r = sshpkt_get_string(ssh, &tmp, &tmp_len)) != 0) + fatal("Failed to read server host key: %s", ssh_err(r)); ++ if ((server_host_key_blob = sshbuf_from(tmp, tmp_len)) == NULL) ++ fatal("sshbuf_from failed"); + } + } while (type == SSH2_MSG_KEXGSS_HOSTKEY); + 
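Review bot: Replacing the fixed `256 * 1024` bound with `sshbuf_max_size(m)` makes the accepted message size depend on the caller's buffer, which for a freshly created sshbuf is the library default maximum (far above the old limit), and the error text `"read: bad msg_len"` no longer tells the reader what the bound is. Since `ssh_msg_recv` is a shared helper, any caller whose peer is less privileged than itself should set a tighter limit with `sshbuf_set_max_size()` on `m` before calling, or an untrusted sender can make it allocate a very large buffer. A comment at the check would record the intent: `/* bounded by the caller's buffer limit rather than 256K so a large sshd_config can be handed to the re-exec'd child */`. `ssh_msg_recv` starts before this hunk.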
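Review bot: `tmp` returned by `sshpkt_get_string` in the `SSH2_MSG_KEXGSS_HOSTKEY` branch appears to be leaked: as far as I can tell `sshbuf_from` wraps the blob without copying or taking ownership, so `sshbuf_free(server_host_key_blob)` does not release it, and `tmp` goes out of scope at the end of the `if` block. Either hoist `tmp` to function scope and `free(tmp);` next to the blob at `out:`, or copy into an owned buffer with `if ((server_host_key_blob = sshbuf_new()) == NULL || sshbuf_put(server_host_key_blob, tmp, tmp_len) != 0) fatal("sshbuf_put failed");` followed by `free(tmp);`. The same pattern is repeated in the second host-key loop (`@@ -1960,11 +1972,16 @@`). The enclosing function begins before this hunk.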
@@ -1779,6 +1786,11 @@ index 00000000..0b2f6a56 + if (r != 0) + goto out; + ++ if ((empty = sshbuf_new()) == NULL) { ++ r = SSH_ERR_ALLOC_FAIL; ++ goto out; ++ } ++ + hashlen = sizeof(hash); + if ((r = kex_gen_hash( + kex->hash_alg, @@ -1848,7 +1860,7 @@ index 00000000..0b2f6a56 + size_t hashlen; + const BIGNUM *pub_key, *dh_p, *dh_g; + int nbits = 0, min = DH_GRP_MIN, max = DH_GRP_MAX; -+ struct sshbuf *empty = sshbuf_new(); ++ struct sshbuf *empty = NULL; + u_char c; + int r; + @@ -1960,11 +1972,16 @@ index 00000000..0b2f6a56 + do { + type = ssh_packet_read(ssh); + if (type == SSH2_MSG_KEXGSS_HOSTKEY) { ++ char *tmp = NULL; ++ size_t tmp_len = 0; ++ + debug("Received KEXGSS_HOSTKEY"); + if (server_host_key_blob) + fatal("Server host key received more than once"); -+ if ((r = sshpkt_getb_froms(ssh, &server_host_key_blob)) != 0) ++ if ((r = sshpkt_get_string(ssh, &tmp, &tmp_len)) != 0) + fatal("sshpkt failed: %s", ssh_err(r)); ++ if ((server_host_key_blob = sshbuf_from(tmp, tmp_len)) == NULL) ++ fatal("sshbuf_from failed"); + } + } while (type == SSH2_MSG_KEXGSS_HOSTKEY); + @@ -2040,6 +2057,7 @@ index 00000000..0b2f6a56 + (r = sshbuf_get_bignum2(buf, &dh_server_pub)) != 0) + goto out; + sshbuf_free(buf); ++ buf = NULL; + + if ((shared_secret = sshbuf_new()) == NULL) { + r = SSH_ERR_ALLOC_FAIL; @@ -2048,6 +2066,10 @@ index 00000000..0b2f6a56 + + if ((r = kex_dh_compute_key(kex, dh_server_pub, shared_secret)) != 0) + goto out; ++ if ((empty = sshbuf_new()) == NULL) { ++ r = SSH_ERR_ALLOC_FAIL; ++ goto out; ++ } + + DH_get0_pqg(kex->dh, &dh_p, NULL, &dh_g); + hashlen = sizeof(hash); @@ -2094,6 +2116,7 @@ index 00000000..0b2f6a56 + if ((r = kex_derive_keys(ssh, hash, hashlen, shared_secret)) == 0) + r = kex_send_newkeys(ssh); +out: ++ sshbuf_free(buf); + sshbuf_free(server_blob); + sshbuf_free(empty); + explicit_bzero(hash, sizeof(hash)); @@ -2110,7 +2133,7 @@ new file mode 100644 index 00000000..60bc02de --- /dev/null 
+++ b/kexgsss.c -@@ -0,0 +1,474 @@ +@@ -0,0 +1,482 @@ +/* + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. + * @@ -2177,7 +2200,7 @@ index 00000000..60bc02de + */ + + OM_uint32 ret_flags = 0; -+ gss_buffer_desc gssbuf, recv_tok, msg_tok; ++ gss_buffer_desc gssbuf = {0, NULL}, recv_tok, msg_tok; + gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; + Gssctxt *ctxt = NULL; + struct sshbuf *shared_secret = NULL; @@ -2217,7 +2240,7 @@ index 00000000..60bc02de + type = ssh_packet_read(ssh); + switch(type) { + case SSH2_MSG_KEXGSS_INIT: -+ if (client_pubkey != NULL) ++ if (gssbuf.value != NULL) + fatal("Received KEXGSS_INIT after initialising"); + if ((r = ssh_gssapi_sshpkt_get_buffer_desc(ssh, + &recv_tok)) != 0 || @@ -2248,6 +2271,31 @@ index 00000000..60bc02de + goto out; + + /* Send SSH_MSG_KEXGSS_HOSTKEY here, if we want */ ++ ++ /* Calculate the hash early so we can free the ++ * client_pubkey, which has reference to the parent ++ * buffer state->incoming_packet ++ */ ++ hashlen = sizeof(hash); ++ if ((r = kex_gen_hash( ++ kex->hash_alg, ++ kex->client_version, ++ kex->server_version, ++ kex->peer, ++ kex->my, ++ empty, ++ client_pubkey, ++ server_pubkey, ++ shared_secret, ++ hash, &hashlen)) != 0) ++ goto out; ++ ++ gssbuf.value = hash; ++ gssbuf.length = hashlen; ++ ++ sshbuf_free(client_pubkey); ++ client_pubkey = NULL; ++ + break; + case SSH2_MSG_KEXGSS_CONTINUE: + if ((r = ssh_gssapi_sshpkt_get_buffer_desc(ssh, @@ -2269,7 +2317,7 @@ index 00000000..60bc02de + if (maj_status != GSS_S_COMPLETE && send_tok.length == 0) + fatal("Zero length token output when incomplete"); + -+ if (client_pubkey == NULL) ++ if (gssbuf.value == NULL) + fatal("No client public key"); + + if (maj_status & GSS_S_CONTINUE_NEEDED) { 
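Review bot: `gssbuf.value` now does double duty as the hash output and as the "KEXGSS_INIT already processed" flag (`if (gssbuf.value != NULL)` in the INIT case, `if (gssbuf.value == NULL)` after the GSS exchange), but the second check still reports `"No client public key"`, which is misleading now that `client_pubkey` is freed right after hashing. Suggest `fatal("KEXGSS_INIT not received")` there, and a comment on `gss_buffer_desc gssbuf = {0, NULL}` saying it is zeroed so `.value` can serve as that sentinel. Computing the exchange hash inside the INIT case requires `shared_secret` and `server_pubkey` to be final at that point; the visible lines place the hash after the shared-secret `goto out` check, so this looks right, but worth confirming against the unshown lines. The enclosing function starts before and ends after this hunk.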
@@ -2298,23 +2346,6 @@ index 00000000..60bc02de + if (!(ret_flags & GSS_C_INTEG_FLAG)) + fatal("Integrity flag wasn't set"); + -+ hashlen = sizeof(hash); -+ if ((r = kex_gen_hash( -+ kex->hash_alg, -+ kex->client_version, -+ kex->server_version, -+ kex->peer, -+ kex->my, -+ empty, -+ client_pubkey, -+ server_pubkey, -+ shared_secret, -+ hash, &hashlen)) != 0) -+ goto out; -+ -+ gssbuf.value = hash; -+ gssbuf.length = hashlen; -+ + if (GSS_ERROR(PRIVSEP(ssh_gssapi_sign(ctxt, &gssbuf, &msg_tok)))) + fatal("Couldn't get MIC"); + diff --git a/SOURCES/openssh-8.0p1-upstream-ignore-SIGPIPE.patch b/SOURCES/openssh-8.0p1-upstream-ignore-SIGPIPE.patch new file mode 100644 index 0000000..0e85815 --- /dev/null +++ b/SOURCES/openssh-8.0p1-upstream-ignore-SIGPIPE.patch @@ -0,0 +1,38 @@ +From d33ff14309e33aa79fdf95e1bc4facafa80b90a9 Mon Sep 17 00:00:00 2001 +From: Stepan Broz +Date: Tue, 25 Jun 2024 17:38:22 +0200 +Subject: [PATCH] upstream: ignore SIGPIPE earlier in main(), specifically + before + +muxclient() which performs operations that could cause one; Reported by Noam +Lewis via bz3454, ok dtucker@ + +OpenBSD-Commit-ID: 63d8e13276869eebac6d7a05d5a96307f9026e47 +--- + ssh.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/ssh.c b/ssh.c +index 786e26d..e037c66 100644 +--- a/ssh.c ++++ b/ssh.c +@@ -1115,6 +1115,8 @@ main(int ac, char **av) + } + } + ++ signal(SIGPIPE, SIG_IGN); /* ignore SIGPIPE early */ ++ + /* + * Initialize "log" output. Since we are the client all output + * goes to stderr unless otherwise specified by -y or -E. +@@ -1545,7 +1547,6 @@ main(int ac, char **av) + options.num_system_hostfiles); + tilde_expand_paths(options.user_hostfiles, options.num_user_hostfiles); + +- signal(SIGPIPE, SIG_IGN); /* ignore SIGPIPE early */ + signal(SIGCHLD, main_sigchld_handler); + + /* Log into the remote system. Never returns if the login fails. */ +-- +2.45.2 + 
diff --git a/SOURCES/openssh-8.7p1-scp-kill-switch.patch b/SOURCES/openssh-8.7p1-scp-kill-switch.patch new file mode 100644 index 0000000..cbfbf56 --- /dev/null +++ b/SOURCES/openssh-8.7p1-scp-kill-switch.patch @@ -0,0 +1,46 @@ +diff -up openssh-8.7p1/pathnames.h.kill-scp openssh-8.7p1/pathnames.h +--- openssh-8.7p1/pathnames.h.kill-scp 2021-09-16 11:37:57.240171687 +0200 ++++ openssh-8.7p1/pathnames.h 2021-09-16 11:42:29.183427917 +0200 +@@ -42,6 +42,7 @@ + #define _PATH_HOST_XMSS_KEY_FILE SSHDIR "/ssh_host_xmss_key" + #define _PATH_HOST_RSA_KEY_FILE SSHDIR "/ssh_host_rsa_key" + #define _PATH_DH_MODULI SSHDIR "/moduli" ++#define _PATH_SCP_KILL_SWITCH SSHDIR "/disable_scp" + + #ifndef _PATH_SSH_PROGRAM + #define _PATH_SSH_PROGRAM "/usr/bin/ssh" +diff -up openssh-8.7p1/scp.1.kill-scp openssh-8.7p1/scp.1 +--- openssh-8.7p1/scp.1.kill-scp 2021-09-16 12:09:02.646714578 +0200 ++++ openssh-8.7p1/scp.1 2021-09-16 12:26:49.978628226 +0200 +@@ -278,6 +278,13 @@ to print debugging messages about their + This is helpful in + debugging connection, authentication, and configuration problems. + .El ++.Pp ++Usage of SCP protocol can be blocked by creating a world-readable ++.Ar /etc/ssh/disable_scp ++file. If this file exists, when SCP protocol is in use (either remotely or ++via the ++.Fl O ++option), the program will exit. + .Sh EXIT STATUS + .Ex -std scp + .Sh SEE ALSO +diff -up openssh-8.7p1/scp.c.kill-scp openssh-8.7p1/scp.c +--- openssh-8.7p1/scp.c.kill-scp 2021-09-16 11:42:56.013650519 +0200 ++++ openssh-8.7p1/scp.c 2021-09-16 11:53:03.249713836 +0200 +@@ -596,6 +596,14 @@ main(int argc, char **argv) + argc -= optind; + argv += optind; + ++ { ++ FILE *f = fopen(_PATH_SCP_KILL_SWITCH, "r"); ++ if (f != NULL) { ++ fclose(f); ++ fatal("SCP protocol is forbidden via %s", _PATH_SCP_KILL_SWITCH); ++ } ++ } ++ + if ((pwd = getpwuid(userid = getuid())) == NULL) + fatal("unknown user %u", (u_int) userid); + 
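Review bot: The kill switch tests the file with `fopen(_PATH_SCP_KILL_SWITCH, "r")`, so it silently does nothing when `/etc/ssh/disable_scp` exists but is not readable by the invoking user; that is why scp.1 has to say "world-readable", and an administrator who creates it with mode 0600 gets neither protection nor a warning. Testing existence removes the dependency on permissions: `if (access(_PATH_SCP_KILL_SWITCH, F_OK) == 0) fatal("SCP protocol is forbidden via %s", _PATH_SCP_KILL_SWITCH);` and the man page can then drop "world-readable". Separately, the scp.1 text refers to the `-O` option, which exists in scp from the release this patch was written against; if the 8.0p1 scp in this package has no `-O`, the sentence should just say the program exits whenever the file exists. `main` continues outside the hunk.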
diff --git a/SOURCES/openssh-9.4p2-limit-delay.patch b/SOURCES/openssh-9.4p2-limit-delay.patch new file mode 100644 index 0000000..009fcc7 --- /dev/null +++ b/SOURCES/openssh-9.4p2-limit-delay.patch @@ -0,0 +1,33 @@ +diff -u -p -r1.166 auth2.c +--- a/auth2.c 8 Mar 2023 04:43:12 -0000 1.166 ++++ b/auth2.c 28 Aug 2023 08:32:44 -0000 +@@ -208,6 +208,7 @@ input_service_request(int type, u_int32_ + } + + #define MIN_FAIL_DELAY_SECONDS 0.005 ++#define MAX_FAIL_DELAY_SECONDS 5.0 + static double + user_specific_delay(const char *user) + { +@@ -233,6 +234,12 @@ ensure_minimum_time_since(double start, + struct timespec ts; + double elapsed = monotime_double() - start, req = seconds, remain; + ++ if (elapsed > MAX_FAIL_DELAY_SECONDS) { ++ debug3("elapsed %0.3lfms exceeded the max delay " ++ "requested %0.3lfms)", elapsed*1000, req*1000); ++ return; ++ } ++ + /* if we've already passed the requested time, scale up */ + while ((remain = seconds - elapsed) < 0.0) + seconds *= 2; +@@ -317,7 +324,7 @@ input_userauth_request(int type, u_int32 + debug2("input_userauth_request: try method %s", method); + authenticated = m->userauth(ssh); + } +- if (!authctxt->authenticated) ++ if (!authctxt->authenticated && strcmp(method, "none") != 0) + ensure_minimum_time_since(tstart, + user_specific_delay(authctxt->user)); + userauth_finish(ssh, authenticated, method, NULL); diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec index a8874da..a07dbd3 100644 --- a/SPECS/openssh.spec +++ b/SPECS/openssh.spec 
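Review bot: The debug3 message in the new early return of `ensure_minimum_time_since` has a stray closing parenthesis: `"requested %0.3lfms)"` should read `"requested %0.3lfms"`. A comment on `MAX_FAIL_DELAY_SECONDS` would explain why capping is compatible with the timing-equalisation purpose of `user_specific_delay`: `/* once the backend has itself taken longer than this, the per-user delay no longer hides anything and doubling it would only stall the connection */`. The `strcmp(method, "none") != 0` exemption in `input_userauth_request` also deserves a one-line comment, since a failed "none" probe is the normal first request of a session rather than a signal about the user. Both functions extend beyond the hunk.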
@@ -66,14 +66,14 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %global openssh_ver 8.0p1 -%global openssh_rel 19 +%global openssh_rel 25 %global pam_ssh_agent_ver 0.10.3 %global pam_ssh_agent_rel 7 Summary: An open source implementation of SSH protocol version 2 Name: openssh Version: %{openssh_ver} -Release: %{openssh_rel}%{?dist}%{?rescue_rel}.2 +Release: %{openssh_rel}%{?dist}%{?rescue_rel} URL: http://www.openssh.com/portable.html #URL1: http://pamsshagentauth.sourceforge.net Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz @@ -277,13 +277,23 @@ Patch985: openssh-8.7p1-minimize-sha1-use.patch Patch986: openssh-9.1p1-sshbanner.patch # Upstream 25e3bccbaa63d27b9d5e09c123f1eb28594d2bd6 Patch987: openssh-8.0p1-ipv6-process.patch +# Upstream 4332b4fe49360679647a8705bc08f4e81323f6b4 +Patch988: openssh-8.0p1-avoidkillall.patch +# Upstream 89b54900ac61986760452f132bbe3fb7249cfdac +Patch989: openssh-8.0p1-bigsshdconfig.patch # upsream commit # b23fe83f06ee7e721033769cfa03ae840476d280 Patch1015: openssh-9.3p1-upstream-cve-2023-38408.patch +#upstream commit 01dbf3d46651b7d6ddf5e45d233839bbfffaeaec +Patch1017: openssh-9.4p2-limit-delay.patch #upstream commit 1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5 Patch1018: openssh-9.6p1-CVE-2023-48795.patch #upstream commit 7ef3787c84b6b524501211b11a26c742f829af1a Patch1019: openssh-9.6p1-CVE-2023-51385.patch +# SCP kill switch +Patch1020: openssh-8.7p1-scp-kill-switch.patch +#upstream commit 96faa0de6c673a2ce84736eba37fc9fb723d9e5c +Patch1021: openssh-8.0p1-upstream-ignore-SIGPIPE.patch License: BSD Group: Applications/Internet 
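Review bot: The provenance comments on the new `Patch` lines are inconsistent (`# Upstream <id>` for Patch988/989, `#upstream commit <id>` for Patch1017/1021, and only `# SCP kill switch` for Patch1020), and the kill-switch entry is the one downstream-only change yet carries no reference at all. Suggest `# Downstream-only mitigation for CVE-2020-15778 (RHEL-22870): scp kill switch` so the reason for a non-upstream patch sits next to it, and a single comment format for the rest.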
@@ -376,7 +386,7 @@ Requires: openssh = %{version}-%{release} Summary: PAM module for authentication with ssh-agent Group: System Environment/Base Version: %{pam_ssh_agent_ver} -Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}%{?rescue_rel}.2 +Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}%{?rescue_rel} License: BSD %description @@ -517,6 +527,8 @@ popd %patch985 -p1 -b .minimize-sha1-use %patch986 -p1 -b .banner %patch987 -p1 -b .sftp_ipv6 +%patch988 -p1 -b .killall +%patch989 -p1 -b .bigsshdconfig %patch200 -p1 -b .audit %patch201 -p1 -b .audit-race @@ -525,8 +537,11 @@ popd %patch100 -p1 -b .coverity %patch1015 -p1 -b .cve-2023-38408 +%patch1017 -p1 -b .limitdelay %patch1018 -p1 -b .cve-2023-48795 %patch1019 -p1 -b .cve-2023-51385 +%patch1020 -p1 -b .scp-kill-switch +%patch1021 -p1 -b .ignore-SIGPIPE autoreconf pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver} 
@@ -812,15 +827,41 @@ getent passwd sshd >/dev/null || \ %endif %changelog -* Mon Jan 08 2024 Dmitry Belyavskiy - 8.0p1-19.2 +* Tue Jun 25 2024 Stepan Broz - 8.0p1-25 +- Upstream: Ignore SIGPIPE earlier in main() + Resolves: RHEL-37743 + +* Tue Feb 06 2024 Dmitry Belyavskiy - 8.0p1-24 +- Providing a kill switch for scp to deal with CVE-2020-15778 + Resolves: RHEL-22870 + +* Fri Jan 05 2024 Dmitry Belyavskiy - 8.0p1-23 - Fix Terrapin attack - Resolves: RHEL-19762 + Resolves: RHEL-19308 -* Thu Dec 21 2023 Dmitry Belyavskiy - 8.0p1-19.1 +* Thu Dec 21 2023 Dmitry Belyavskiy - 8.0p1-22 - Fix Terrapin attack - Resolves: RHEL-19762 + Resolves: RHEL-19308 - Forbid shell metasymbols in username/hostname - Resolves: RHEL-19820 + Resolves: RHEL-19788 + +* Tue Nov 07 2023 Dmitry Belyavskiy - 8.0p1-21 +- Using DigestSign/DigestVerify functions for better FIPS compatibility + Resolves: RHEL-5217 + +* Mon Oct 30 2023 Dmitry Belyavskiy - 8.0p1-20 +- Limit artificial delays in sshd while login using AD user + Resolves: RHEL-1684 +- Add comment to OpenSSH server config about FIPS-incompatible key + Resolves: RHEL-5221 +- Avoid killing all processes on system in case of race condition + Resolves: RHEL-11548 +- Avoid sshd_config 256K limit + Resolves: RHEL-5279 +- Using DigestSign/DigestVerify functions for better FIPS compatibility + Resolves: RHEL-5217 +- Fix GSS KEX causing ssh failures when connecting to WinSSHD + Resolves: RHEL-5321 * Thu Aug 24 2023 Dmitry Belyavskiy - 8.0p1-19 - rebuilt