import UBI openssh-8.0p1-24.el8

2024-05-22 13:26:20 +00:00 · 2024-05-22 13:26:20 +00:00 · 6d16bfdb3c
commit 6d16bfdb3c
parent b6a876a1a7
8 changed files with 267 additions and 50 deletions
--- a/SOURCES/openssh-6.7p1-coverity.patch
+++ b/SOURCES/openssh-6.7p1-coverity.patch
@ -136,18 +136,6 @@ diff -up openssh-7.4p1/serverloop.c.coverity openssh-7.4p1/serverloop.c
 		if (tun != SSH_TUNID_ANY &&
 		    auth_opts->force_tun_device != (int)tun)
 			goto done;
-diff -up openssh-7.4p1/sftp.c.coverity openssh-7.4p1/sftp.c
--- openssh-7.4p1/sftp.c.coverity	2016-12-19 05:59:41.000000000 +0100
-+++ openssh-7.4p1/sftp.c	2016-12-23 16:40:26.903788691 +0100
-@@ -224,7 +224,7 @@ killchild(int signo)
- {
- 	if (sshpid > 1) {
- 		kill(sshpid, SIGTERM);
-		waitpid(sshpid, NULL, 0);
-+		(void) waitpid(sshpid, NULL, 0);
- 	}
- 
- 	_exit(1);
 diff -up openssh-7.4p1/ssh-agent.c.coverity openssh-7.4p1/ssh-agent.c
 --- openssh-7.4p1/ssh-agent.c.coverity	2016-12-19 05:59:41.000000000 +0100
 +++ openssh-7.4p1/ssh-agent.c	2016-12-23 16:40:26.903788691 +0100
--- a/SOURCES/openssh-7.7p1-fips.patch
+++ b/SOURCES/openssh-7.7p1-fips.patch
@ -471,12 +471,53 @@ diff -up openssh-7.9p1/sshkey.c.fips openssh-7.9p1/sshkey.c
 
 #include "xmss_fast.h"
 
+@@ -392,7 +394,8 @@ sshkey_calculate_signature(EVP_PKEY *pkey
+ {
+ 	EVP_MD_CTX *ctx = NULL;
+ 	u_char *sig = NULL;
+-	int ret, slen, len;
+	int ret, slen;
+	size_t len;
+ 
+ 	if (sigp == NULL || lenp == NULL) {
+ 		return SSH_ERR_INVALID_ARGUMENT;
+@@ -411,9 +414,10 @@ sshkey_calculate_signature(EVP_PKEY *pkey
+ 		ret = SSH_ERR_ALLOC_FAIL;
+ 		goto error;
+ 	}
+-	if (EVP_SignInit_ex(ctx, ssh_digest_to_md(hash_alg), NULL) <= 0 ||
+-	    EVP_SignUpdate(ctx, data, datalen) <= 0 ||
+-	    EVP_SignFinal(ctx, sig, &len, pkey) <= 0) {
+	if (EVP_DigestSignInit(ctx, NULL, ssh_digest_to_md(hash_alg),
+	        NULL, pkey) != 1 ||
+	    EVP_DigestSignUpdate(ctx, data, datalen) != 1 ||
+	    EVP_DigestSignFinal(ctx, sig, &len) != 1) {
+ 		ret = SSH_ERR_LIBCRYPTO_ERROR;
+ 		goto error;
+ 	}
+@@ -440,12 +444,13 @@ sshkey_verify_signature(EVP_PKEY *pkey
+ 	if ((ctx = EVP_MD_CTX_new()) == NULL) {
+ 		return SSH_ERR_ALLOC_FAIL;
+ 	}
+-	if (EVP_VerifyInit_ex(ctx, ssh_digest_to_md(hash_alg), NULL) <= 0 ||
+-	    EVP_VerifyUpdate(ctx, data, datalen) <= 0) {
+	if (EVP_DigestVerifyInit(ctx, NULL, ssh_digest_to_md(hash_alg),
+	    NULL, pkey) != 1 ||
+	    EVP_DigestVerifyUpdate(ctx, data, datalen) != 1) {
+ 		ret = SSH_ERR_LIBCRYPTO_ERROR;
+ 		goto done;
+ 	}
+-	ret = EVP_VerifyFinal(ctx, sigbuf, siglen, pkey);
+	ret = EVP_DigestVerifyFinal(ctx, sigbuf, siglen);
+ 	switch (ret) {
+ 	case 1:
+ 		ret = 0;
@@ -1514,6 +1516,8 @@ rsa_generate_private_key(u_int bits, RSA
 	}
 	if (!BN_set_word(f4, RSA_F4) ||
 	    !RSA_generate_key_ex(private, bits, f4, NULL)) {
-+			if (FIPS_mode())
-+				logit("%s: the key length might be unsupported by FIPS mode approved key generation method", __func__);
+		if (FIPS_mode())
+			logit("%s: the key length might be unsupported by FIPS mode approved key generation method", __func__);
 		ret = SSH_ERR_LIBCRYPTO_ERROR;
 		goto out;
 	}
@ -515,3 +556,14 @@ diff -up openssh-7.9p1/ssh-keygen.c.fips openssh-7.9p1/ssh-keygen.c
 		if ((fd = mkstemp(prv_tmp)) == -1) {
 			error("Could not save your public key in %s: %s",
 			    prv_tmp, strerror(errno));
+diff -up openssh-8.0p1/sshd_config.xxx openssh-8.0p1/sshd_config
+--- openssh-8.0p1/sshd_config.xxx	2023-10-30 13:01:59.150952364 +0100
+++ openssh-8.0p1/sshd_config	2023-10-30 13:02:56.662231354 +0100
+@@ -21,6 +21,7 @@
+ 
+ HostKey /etc/ssh/ssh_host_rsa_key
+ HostKey /etc/ssh/ssh_host_ecdsa_key
+#In FIPS mode Ed25519 keys are not supported, please comment out the next line
+ HostKey /etc/ssh/ssh_host_ed25519_key
+ 
+ # Ciphers and keying
--- a/SOURCES/openssh-8.0p1-avoidkillall.patch
+++ b/SOURCES/openssh-8.0p1-avoidkillall.patch
@ -0,0 +1,20 @@
+diff --git a/sftp.c b/sftp.c
+index b66037f1..54538ff9 100644
+--- a/sftp.c
+++ b/sftp.c
+@@ -220,9 +220,12 @@ static const struct CMD cmds[] = {
+ static void
+ killchild(int signo)
+ {
+-	if (sshpid > 1) {
+-		kill(sshpid, SIGTERM);
+-		waitpid(sshpid, NULL, 0);
+	pid_t pid;
+
+	pid = sshpid;
+	if (pid > 1) {
+		kill(pid, SIGTERM);
+		(void)waitpid(pid, NULL, 0);
+ 	}
+ 
+ 	_exit(1);
--- a/SOURCES/openssh-8.0p1-bigsshdconfig.patch
+++ b/SOURCES/openssh-8.0p1-bigsshdconfig.patch
@ -0,0 +1,13 @@
+diff --git a/msg.c b/msg.c
+index 99c25cd2..574a566e 100644
+--- a/msg.c
+++ b/msg.c
+@@ -77,7 +77,7 @@ ssh_msg_recv(int fd, struct sshbuf *m)
+ 		return (-1);
+ 	}
+ 	msg_len = get_u32(buf);
+-	if (msg_len > 256 * 1024) {
+	if (msg_len > sshbuf_max_size(m)) {
+ 		error("ssh_msg_recv: read: bad msg_len %u", msg_len);
+ 		return (-1);
+ 	}
--- a/SOURCES/openssh-8.0p1-gssapi-keyex.patch
+++ b/SOURCES/openssh-8.0p1-gssapi-keyex.patch
@ -1509,7 +1509,7 @@ new file mode 100644
 index 00000000..0b2f6a56
 --- /dev/null
 +++ b/kexgssc.c
-@@ -0,0 +1,595 @@
+@@ -0,0 +1,618 @@
 +/*
 + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
 + *
@ -1571,7 +1571,7 @@ index 00000000..0b2f6a56
 +	struct sshbuf *server_blob = NULL;
 +	struct sshbuf *shared_secret = NULL;
 +	struct sshbuf *server_host_key_blob = NULL;
-+	struct sshbuf *empty = sshbuf_new();
+	struct sshbuf *empty = NULL;
 +	u_char *msg;
 +	int type = 0;
 +	int first = 1;
@ -1610,8 +1610,10 @@ index 00000000..0b2f6a56
 +	default:
 +		fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
 +	}
-+	if (r != 0)
+	if (r != 0) {
+		ssh_gssapi_delete_ctx(&ctxt);
 +		return r;
+	}
 +
 +	token_ptr = GSS_C_NO_BUFFER;
 +
@ -1674,11 +1676,16 @@ index 00000000..0b2f6a56
 +			do {
 +				type = ssh_packet_read(ssh);
 +				if (type == SSH2_MSG_KEXGSS_HOSTKEY) {
+					char *tmp = NULL;
+					size_t tmp_len = 0;
+
 +					debug("Received KEXGSS_HOSTKEY");
 +					if (server_host_key_blob)
 +						fatal("Server host key received more than once");
-+					if ((r = sshpkt_getb_froms(ssh, &server_host_key_blob)) != 0)
+					if ((r = sshpkt_get_string(ssh, &tmp, &tmp_len)) != 0)
 +						fatal("Failed to read server host key: %s", ssh_err(r));
+					if ((server_host_key_blob = sshbuf_from(tmp, tmp_len)) == NULL)
+						fatal("sshbuf_from failed");
 +				}
 +			} while (type == SSH2_MSG_KEXGSS_HOSTKEY);
 +
@ -1779,6 +1786,11 @@ index 00000000..0b2f6a56
 +	if (r != 0)
 +		goto out;
 +
+	if ((empty = sshbuf_new()) == NULL) {
+		r = SSH_ERR_ALLOC_FAIL;
+		goto out;
+	}
+
 +	hashlen = sizeof(hash);
 +	if ((r = kex_gen_hash(
 +	    kex->hash_alg,
@ -1848,7 +1860,7 @@ index 00000000..0b2f6a56
 +	size_t hashlen;
 +	const BIGNUM *pub_key, *dh_p, *dh_g;
 +	int nbits = 0, min = DH_GRP_MIN, max = DH_GRP_MAX;
-+	struct sshbuf *empty = sshbuf_new();
+	struct sshbuf *empty = NULL;
 +	u_char c;
 +	int r;
 +
@ -1960,11 +1972,16 @@ index 00000000..0b2f6a56
 +			do {
 +				type = ssh_packet_read(ssh);
 +				if (type == SSH2_MSG_KEXGSS_HOSTKEY) {
+					char *tmp = NULL;
+					size_t tmp_len = 0;
+
 +					debug("Received KEXGSS_HOSTKEY");
 +					if (server_host_key_blob)
 +						fatal("Server host key received more than once");
-+					if ((r = sshpkt_getb_froms(ssh, &server_host_key_blob)) != 0)
+					if ((r = sshpkt_get_string(ssh, &tmp, &tmp_len)) != 0)
 +						fatal("sshpkt failed: %s", ssh_err(r));
+					if ((server_host_key_blob = sshbuf_from(tmp, tmp_len)) == NULL)
+						fatal("sshbuf_from failed");
 +				}
 +			} while (type == SSH2_MSG_KEXGSS_HOSTKEY);
 +
@ -2040,6 +2057,7 @@ index 00000000..0b2f6a56
 +	    (r = sshbuf_get_bignum2(buf, &dh_server_pub)) != 0)
 +		goto out;
 +	sshbuf_free(buf);
+	buf = NULL;
 +
 +	if ((shared_secret = sshbuf_new()) == NULL) {
 +		r = SSH_ERR_ALLOC_FAIL;
@ -2048,6 +2066,10 @@ index 00000000..0b2f6a56
 +
 +	if ((r = kex_dh_compute_key(kex, dh_server_pub, shared_secret)) != 0)
 +		goto out;
+	if ((empty = sshbuf_new()) == NULL) {
+		r = SSH_ERR_ALLOC_FAIL;
+		goto out;
+	}
 +
 +	DH_get0_pqg(kex->dh, &dh_p, NULL, &dh_g);
 +	hashlen = sizeof(hash);
@ -2094,6 +2116,7 @@ index 00000000..0b2f6a56
 +	if ((r = kex_derive_keys(ssh, hash, hashlen, shared_secret)) == 0)
 +		r = kex_send_newkeys(ssh);
 +out:
+	sshbuf_free(buf);
 +	sshbuf_free(server_blob);
 +	sshbuf_free(empty);
 +	explicit_bzero(hash, sizeof(hash));
@ -2110,7 +2133,7 @@ new file mode 100644
 index 00000000..60bc02de
 --- /dev/null
 +++ b/kexgsss.c
-@@ -0,0 +1,474 @@
+@@ -0,0 +1,482 @@
 +/*
 + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
 + *
@ -2177,7 +2200,7 @@ index 00000000..60bc02de
 +	 */
 +
 +	OM_uint32 ret_flags = 0;
-+	gss_buffer_desc gssbuf, recv_tok, msg_tok;
+	gss_buffer_desc gssbuf = {0, NULL}, recv_tok, msg_tok;
 +	gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
 +	Gssctxt *ctxt = NULL;
 +	struct sshbuf *shared_secret = NULL;
@ -2217,7 +2240,7 @@ index 00000000..60bc02de
 +		type = ssh_packet_read(ssh);
 +		switch(type) {
 +		case SSH2_MSG_KEXGSS_INIT:
-+			if (client_pubkey != NULL)
+			if (gssbuf.value != NULL)
 +				fatal("Received KEXGSS_INIT after initialising");
 +			if ((r = ssh_gssapi_sshpkt_get_buffer_desc(ssh,
 +			        &recv_tok)) != 0 ||
@ -2248,6 +2271,31 @@ index 00000000..60bc02de
 +				goto out;
 +
 +			/* Send SSH_MSG_KEXGSS_HOSTKEY here, if we want */
+
+			/* Calculate the hash early so we can free the
+			* client_pubkey, which has reference to the parent
+			* buffer state->incoming_packet
+			*/
+			hashlen = sizeof(hash);
+			if ((r = kex_gen_hash(
+			    kex->hash_alg,
+			    kex->client_version,
+			    kex->server_version,
+			    kex->peer,
+			    kex->my,
+			    empty,
+			    client_pubkey,
+			    server_pubkey,
+			    shared_secret,
+			    hash, &hashlen)) != 0)
+				goto out;
+
+			gssbuf.value = hash;
+			gssbuf.length = hashlen;
+
+			sshbuf_free(client_pubkey);
+			client_pubkey = NULL;
+
 +			break;
 +		case SSH2_MSG_KEXGSS_CONTINUE:
 +			if ((r = ssh_gssapi_sshpkt_get_buffer_desc(ssh,
@ -2269,7 +2317,7 @@ index 00000000..60bc02de
 +		if (maj_status != GSS_S_COMPLETE && send_tok.length == 0)
 +			fatal("Zero length token output when incomplete");
 +
-+		if (client_pubkey == NULL)
+		if (gssbuf.value == NULL)
 +			fatal("No client public key");
 +
 +		if (maj_status & GSS_S_CONTINUE_NEEDED) {
@ -2298,23 +2346,6 @@ index 00000000..60bc02de
 +	if (!(ret_flags & GSS_C_INTEG_FLAG))
 +		fatal("Integrity flag wasn't set");
 +
-+	hashlen = sizeof(hash);
-+	if ((r = kex_gen_hash(
-+	    kex->hash_alg,
-+	    kex->client_version,
-+	    kex->server_version,
-+	    kex->peer,
-+	    kex->my,
-+	    empty,
-+	    client_pubkey,
-+	    server_pubkey,
-+	    shared_secret,
-+	    hash, &hashlen)) != 0)
-+		goto out;
-+
-+	gssbuf.value = hash;
-+	gssbuf.length = hashlen;
-+
 +	if (GSS_ERROR(PRIVSEP(ssh_gssapi_sign(ctxt, &gssbuf, &msg_tok))))
 +		fatal("Couldn't get MIC");
 +
--- a/SOURCES/openssh-8.7p1-scp-kill-switch.patch
+++ b/SOURCES/openssh-8.7p1-scp-kill-switch.patch
@ -0,0 +1,46 @@
+diff -up openssh-8.7p1/pathnames.h.kill-scp openssh-8.7p1/pathnames.h
+--- openssh-8.7p1/pathnames.h.kill-scp	2021-09-16 11:37:57.240171687 +0200
+++ openssh-8.7p1/pathnames.h	2021-09-16 11:42:29.183427917 +0200
+@@ -42,6 +42,7 @@
+ #define _PATH_HOST_XMSS_KEY_FILE	SSHDIR "/ssh_host_xmss_key"
+ #define _PATH_HOST_RSA_KEY_FILE		SSHDIR "/ssh_host_rsa_key"
+ #define _PATH_DH_MODULI			SSHDIR "/moduli"
+#define _PATH_SCP_KILL_SWITCH		SSHDIR "/disable_scp"
+ 
+ #ifndef _PATH_SSH_PROGRAM
+ #define _PATH_SSH_PROGRAM		"/usr/bin/ssh"
+diff -up openssh-8.7p1/scp.1.kill-scp openssh-8.7p1/scp.1
+--- openssh-8.7p1/scp.1.kill-scp	2021-09-16 12:09:02.646714578 +0200
+++ openssh-8.7p1/scp.1	2021-09-16 12:26:49.978628226 +0200
+@@ -278,6 +278,13 @@ to print debugging messages about their
+ This is helpful in
+ debugging connection, authentication, and configuration problems.
+ .El
+.Pp
+Usage of SCP protocol can be blocked by creating a world-readable
+.Ar /etc/ssh/disable_scp
+file. If this file exists, when SCP protocol is in use (either remotely or 
+via the
+.Fl O
+option), the program will exit.
+ .Sh EXIT STATUS
+ .Ex -std scp
+ .Sh SEE ALSO
+diff -up openssh-8.7p1/scp.c.kill-scp openssh-8.7p1/scp.c
+--- openssh-8.7p1/scp.c.kill-scp	2021-09-16 11:42:56.013650519 +0200
+++ openssh-8.7p1/scp.c	2021-09-16 11:53:03.249713836 +0200
+@@ -596,6 +596,14 @@ main(int argc, char **argv)
+ 	argc -= optind;
+ 	argv += optind;
+ 
+	{
+		FILE *f = fopen(_PATH_SCP_KILL_SWITCH, "r");
+		if (f != NULL) {
+			fclose(f);
+			fatal("SCP protocol is forbidden via %s", _PATH_SCP_KILL_SWITCH);
+		}
+	}
+
+ 	if ((pwd = getpwuid(userid = getuid())) == NULL)
+ 		fatal("unknown user %u", (u_int) userid);
+ 
--- a/SOURCES/openssh-9.4p2-limit-delay.patch
+++ b/SOURCES/openssh-9.4p2-limit-delay.patch
@ -0,0 +1,33 @@
+diff -u -p -r1.166 auth2.c
+--- a/auth2.c	8 Mar 2023 04:43:12 -0000	1.166
+++ b/auth2.c	28 Aug 2023 08:32:44 -0000
+@@ -208,6 +208,7 @@ input_service_request(int type, u_int32_
+ }
+ 
+ #define MIN_FAIL_DELAY_SECONDS 0.005
+#define MAX_FAIL_DELAY_SECONDS 5.0
+ static double
+ user_specific_delay(const char *user)
+ {
+@@ -233,6 +234,12 @@ ensure_minimum_time_since(double start, 
+ 	struct timespec ts;
+ 	double elapsed = monotime_double() - start, req = seconds, remain;
+ 
+	if (elapsed > MAX_FAIL_DELAY_SECONDS) {
+		debug3("elapsed %0.3lfms exceeded the max delay "
+		    "requested %0.3lfms)", elapsed*1000, req*1000);
+		return;
+	}
+
+ 	/* if we've already passed the requested time, scale up */
+ 	while ((remain = seconds - elapsed) < 0.0)
+ 		seconds *= 2;
+@@ -317,7 +324,7 @@ input_userauth_request(int type, u_int32
+ 		debug2("input_userauth_request: try method %s", method);
+ 		authenticated =	m->userauth(ssh);
+ 	}
+-	if (!authctxt->authenticated)
+	if (!authctxt->authenticated && strcmp(method, "none") != 0)
+ 		ensure_minimum_time_since(tstart,
+ 		    user_specific_delay(authctxt->user));
+ 	userauth_finish(ssh, authenticated, method, NULL);
--- a/SPECS/openssh.spec
+++ b/SPECS/openssh.spec
@ -66,14 +66,14 @@

 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 8.0p1
-%global openssh_rel 19
+%global openssh_rel 24
 %global pam_ssh_agent_ver 0.10.3
 %global pam_ssh_agent_rel 7

 Summary: An open source implementation of SSH protocol version 2
 Name: openssh
 Version: %{openssh_ver}
-Release: %{openssh_rel}%{?dist}%{?rescue_rel}.2
+Release: %{openssh_rel}%{?dist}%{?rescue_rel}
 URL: http://www.openssh.com/portable.html
 #URL1: http://pamsshagentauth.sourceforge.net
 Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
@ -277,13 +277,21 @@ Patch985: openssh-8.7p1-minimize-sha1-use.patch
 Patch986: openssh-9.1p1-sshbanner.patch
 # Upstream 25e3bccbaa63d27b9d5e09c123f1eb28594d2bd6
 Patch987: openssh-8.0p1-ipv6-process.patch
+# Upstream 4332b4fe49360679647a8705bc08f4e81323f6b4
+Patch988: openssh-8.0p1-avoidkillall.patch
+# Upstream 89b54900ac61986760452f132bbe3fb7249cfdac
+Patch989: openssh-8.0p1-bigsshdconfig.patch
 # upsream commit
 # b23fe83f06ee7e721033769cfa03ae840476d280
 Patch1015: openssh-9.3p1-upstream-cve-2023-38408.patch
+#upstream commit 01dbf3d46651b7d6ddf5e45d233839bbfffaeaec
+Patch1017: openssh-9.4p2-limit-delay.patch
 #upstream commit 1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5
 Patch1018: openssh-9.6p1-CVE-2023-48795.patch
 #upstream commit 7ef3787c84b6b524501211b11a26c742f829af1a
 Patch1019: openssh-9.6p1-CVE-2023-51385.patch
+# SCP kill switch
+Patch1020: openssh-8.7p1-scp-kill-switch.patch

 License: BSD
 Group: Applications/Internet
@ -376,7 +384,7 @@ Requires: openssh = %{version}-%{release}
 Summary: PAM module for authentication with ssh-agent
 Group: System Environment/Base
 Version: %{pam_ssh_agent_ver}
-Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}%{?rescue_rel}.2
+Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}%{?rescue_rel}
 License: BSD

 %description
@ -517,6 +525,8 @@ popd
 %patch985 -p1 -b .minimize-sha1-use
 %patch986 -p1 -b .banner
 %patch987 -p1 -b .sftp_ipv6
+%patch988 -p1 -b .killall
+%patch989 -p1 -b .bigsshdconfig

 %patch200 -p1 -b .audit
 %patch201 -p1 -b .audit-race
@ -525,8 +535,10 @@ popd
 %patch100 -p1 -b .coverity

 %patch1015 -p1 -b .cve-2023-38408
+%patch1017 -p1 -b .limitdelay
 %patch1018 -p1 -b .cve-2023-48795
 %patch1019 -p1 -b .cve-2023-51385
+%patch1020 -p1 -b .scp-kill-switch

 autoreconf
 pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
@ -812,15 +824,37 @@ getent passwd sshd >/dev/null || \
 %endif

 %changelog
-* Mon Jan 08 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-19.2
- Fix Terrapin attack
-  Resolves: RHEL-19762
+* Tue Feb 06 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-24
+- Providing a kill switch for scp to deal with CVE-2020-15778
+  Resolves: RHEL-22870

-* Thu Dec 21 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-19.1
+* Fri Jan 05 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-23
 - Fix Terrapin attack
-  Resolves: RHEL-19762
+  Resolves: RHEL-19308
+
+* Thu Dec 21 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-22
+- Fix Terrapin attack
+  Resolves: RHEL-19308
 - Forbid shell metasymbols in username/hostname
-  Resolves: RHEL-19820
+  Resolves: RHEL-19788
+
+* Tue Nov 07 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-21
+- Using DigestSign/DigestVerify functions for better FIPS compatibility
+  Resolves: RHEL-5217
+
+* Mon Oct 30 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-20
+- Limit artificial delays in sshd while login using AD user
+  Resolves: RHEL-1684
+- Add comment to OpenSSH server config about FIPS-incompatible key
+  Resolves: RHEL-5221
+- Avoid killing all processes on system in case of race condition
+  Resolves: RHEL-11548
+- Avoid sshd_config 256K limit
+  Resolves: RHEL-5279
+- Using DigestSign/DigestVerify functions for better FIPS compatibility
+  Resolves: RHEL-5217
+- Fix GSS KEX causing ssh failures when connecting to WinSSHD
+  Resolves: RHEL-5321

 * Thu Aug 24 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-19
 - rebuilt