OpenSSH 8.8p1 rebase
Related: rhbz#2007967
parent
c5e4c28ae1
commit
7b76af5292
2
.gitignore
vendored
2
.gitignore
vendored
@ -52,3 +52,5 @@ pam_ssh_agent_auth-0.9.2.tar.bz2
|
||||
/openssh-8.6p1.tar.gz.asc
|
||||
/openssh-8.7p1.tar.gz
|
||||
/openssh-8.7p1.tar.gz.asc
|
||||
/openssh-8.8p1.tar.gz
|
||||
/openssh-8.8p1.tar.gz.asc
|
||||
|
@ -196,11 +196,11 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
|
||||
sPort, sHostKeyFile, sLoginGraceTime,
|
||||
sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
|
||||
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
||||
- sKerberosGetAFSToken, sKerberosUniqueCCache,
|
||||
+ sKerberosGetAFSToken, sKerberosUniqueCCache, sKerberosUseKuserok,
|
||||
sChallengeResponseAuthentication,
|
||||
sPasswordAuthentication, sKbdInteractiveAuthentication,
|
||||
sListenAddress, sAddressFamily,
|
||||
- sKerberosGetAFSToken, sKerberosUniqueCCache, sPasswordAuthentication,
|
||||
+ sKerberosGetAFSToken, sKerberosUniqueCCache, sKerberosUseKuserok, sPasswordAuthentication,
|
||||
sKbdInteractiveAuthentication, sListenAddress, sAddressFamily,
|
||||
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
|
||||
sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
|
||||
@@ -478,12 +481,14 @@ static struct {
|
||||
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
|
||||
#endif
|
||||
|
@ -110,9 +110,9 @@ diff -up openssh-7.4p1/servconf.c.x11max openssh-7.4p1/servconf.c
|
||||
options->x11_use_localhost = 1;
|
||||
if (options->xauth_location == NULL)
|
||||
@@ -419,7 +422,7 @@ typedef enum {
|
||||
sPasswordAuthentication, sKbdInteractiveAuthentication,
|
||||
sListenAddress, sAddressFamily,
|
||||
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
|
||||
sKerberosGetAFSToken, sKerberosUniqueCCache, sKerberosUseKuserok, sPasswordAuthentication,
|
||||
sKbdInteractiveAuthentication, sListenAddress, sAddressFamily,
|
||||
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
|
||||
- sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
|
||||
+ sX11Forwarding, sX11DisplayOffset, sX11MaxDisplays, sX11UseLocalhost,
|
||||
sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
|
||||
|
@ -117,9 +117,9 @@ diff -up openssh-8.6p1/kexgexc.c.fips openssh-8.6p1/kexgexc.c
|
||||
diff -up openssh-8.6p1/myproposal.h.fips openssh-8.6p1/myproposal.h
|
||||
--- openssh-8.6p1/myproposal.h.fips 2021-04-16 05:55:25.000000000 +0200
|
||||
+++ openssh-8.6p1/myproposal.h 2021-04-19 16:53:03.065577869 +0200
|
||||
@@ -57,6 +57,20 @@
|
||||
"rsa-sha2-256," \
|
||||
"ssh-rsa"
|
||||
@@ -57,6 +57,19 @@
|
||||
"rsa-sha2-512," \
|
||||
"rsa-sha2-256"
|
||||
|
||||
+#define KEX_FIPS_PK_ALG \
|
||||
+ "ecdsa-sha2-nistp256-cert-v01@openssh.com," \
|
||||
@ -132,8 +132,7 @@ diff -up openssh-8.6p1/myproposal.h.fips openssh-8.6p1/myproposal.h
|
||||
+ "ecdsa-sha2-nistp384," \
|
||||
+ "ecdsa-sha2-nistp521," \
|
||||
+ "rsa-sha2-512," \
|
||||
+ "rsa-sha2-256," \
|
||||
+ "ssh-rsa"
|
||||
+ "rsa-sha2-256,"
|
||||
+
|
||||
#define KEX_SERVER_ENCRYPT \
|
||||
"chacha20-poly1305@openssh.com," \
|
||||
|
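Review bot: The refreshed KEX_FIPS_PK_ALG definition appears to end with `"rsa-sha2-256,"`, so the FIPS public-key algorithm list keeps a trailing comma now that `"ssh-rsa"` is no longer its last entry. The page has lost the outer +/- markers, so this reading is inferred from the `-132,8 +132,7` line counts of the hunk. A trailing comma leaves an empty final element in the list, and how the code that consumes this list treats an empty name is not visible here; ending the macro with `+ "rsa-sha2-256"` avoids depending on that. The macro starts in the previous hunk of this patch and its middle entries fall outside both hunks.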
@ -503,16 +503,15 @@ diff -up openssh-8.6p1/servconf.c.ccache_name openssh-8.6p1/servconf.c
|
||||
if (options->gss_authentication == -1)
|
||||
options->gss_authentication = 0;
|
||||
if (options->gss_keyex == -1)
|
||||
@@ -506,7 +509,8 @@ typedef enum {
|
||||
@@ -506,7 +509,7 @@ typedef enum {
|
||||
sPort, sHostKeyFile, sLoginGraceTime,
|
||||
sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
|
||||
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
||||
- sKerberosGetAFSToken, sChallengeResponseAuthentication,
|
||||
+ sKerberosGetAFSToken, sKerberosUniqueCCache,
|
||||
+ sChallengeResponseAuthentication,
|
||||
sPasswordAuthentication, sKbdInteractiveAuthentication,
|
||||
sListenAddress, sAddressFamily,
|
||||
- sKerberosGetAFSToken, sPasswordAuthentication,
|
||||
+ sKerberosGetAFSToken, sKerberosUniqueCCache, sPasswordAuthentication,
|
||||
sKbdInteractiveAuthentication, sListenAddress, sAddressFamily,
|
||||
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
|
||||
sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
|
||||
@@ -593,11 +597,13 @@ static struct {
|
||||
#else
|
||||
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
|
||||
|
@ -2,8 +2,8 @@ diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5
|
||||
--- openssh-8.7p1/ssh_config.5.crypto-policies 2021-08-30 13:29:00.174292872 +0200
|
||||
+++ openssh-8.7p1/ssh_config.5 2021-08-30 13:31:32.009548808 +0200
|
||||
@@ -373,17 +373,13 @@ or
|
||||
.Qq *.c.example.com
|
||||
domains.
|
||||
causes no CNAMEs to be considered for canonicalization.
|
||||
This is the default behaviour.
|
||||
.It Cm CASignatureAlgorithms
|
||||
+The default is handled system-wide by
|
||||
+.Xr crypto-policies 7 .
|
||||
@ -105,18 +105,18 @@ diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5
|
||||
Multiple algorithms must be comma-separated.
|
||||
If the specified list begins with a
|
||||
.Sq +
|
||||
-character, then the specified methods will be appended to the default set
|
||||
-character, then the specified algorithms will be appended to the default set
|
||||
-instead of replacing them.
|
||||
+character, then the specified methods will be appended to the built-in
|
||||
+character, then the specified algorithms will be appended to the built-in
|
||||
+openssh default set instead of replacing them.
|
||||
If the specified list begins with a
|
||||
.Sq -
|
||||
character, then the specified methods (including wildcards) will be removed
|
||||
character, then the specified algorithms (including wildcards) will be removed
|
||||
-from the default set instead of replacing them.
|
||||
+from the built-in openssh default set instead of replacing them.
|
||||
If the specified list begins with a
|
||||
.Sq ^
|
||||
character, then the specified methods will be placed at the head of the
|
||||
character, then the specified algorithms will be placed at the head of the
|
||||
-default set.
|
||||
-The default is:
|
||||
-.Bd -literal -offset indent
|
||||
@ -178,7 +178,7 @@ diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5
|
||||
The list of available MAC algorithms may also be obtained using
|
||||
.Qq ssh -Q mac .
|
||||
.It Cm NoHostAuthenticationForLocalhost
|
||||
@@ -1553,37 +1542,25 @@ instead of continuing to execute and pas
|
||||
@@ -1553,36 +1542,25 @@ instead of continuing to execute and pas
|
||||
The default is
|
||||
.Cm no .
|
||||
.It Cm PubkeyAcceptedAlgorithms
|
||||
@ -214,12 +214,11 @@ diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5
|
||||
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||
-rsa-sha2-512-cert-v01@openssh.com,
|
||||
-rsa-sha2-256-cert-v01@openssh.com,
|
||||
-ssh-rsa-cert-v01@openssh.com,
|
||||
-ssh-ed25519,
|
||||
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||
-sk-ssh-ed25519@openssh.com,
|
||||
-sk-ecdsa-sha2-nistp256@openssh.com,
|
||||
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
||||
-rsa-sha2-512,rsa-sha2-256
|
||||
-.Ed
|
||||
+built-in openssh default set.
|
||||
.Pp
|
||||
@ -373,18 +372,18 @@ diff -up openssh-8.7p1/sshd_config.5.crypto-policies openssh-8.7p1/sshd_config.5
|
||||
Multiple algorithms must be comma-separated.
|
||||
Alternately if the specified list begins with a
|
||||
.Sq +
|
||||
-character, then the specified methods will be appended to the default set
|
||||
-character, then the specified algorithms will be appended to the default set
|
||||
-instead of replacing them.
|
||||
+character, then the specified methods will be appended to the built-in
|
||||
+character, then the specified algorithms will be appended to the built-in
|
||||
+openssh default set instead of replacing them.
|
||||
If the specified list begins with a
|
||||
.Sq -
|
||||
character, then the specified methods (including wildcards) will be removed
|
||||
character, then the specified algorithms (including wildcards) will be removed
|
||||
-from the default set instead of replacing them.
|
||||
+from the built-in openssh default set instead of replacing them.
|
||||
If the specified list begins with a
|
||||
.Sq ^
|
||||
character, then the specified methods will be placed at the head of the
|
||||
character, then the specified algorithms will be placed at the head of the
|
||||
-default set.
|
||||
+built-in openssh default set.
|
||||
The supported algorithms are:
|
||||
|
@ -2,18 +2,6 @@ diff --git a/scp.1 b/scp.1
|
||||
index 68aac04b..a96e95ad 100644
|
||||
--- a/scp.1
|
||||
+++ b/scp.1
|
||||
@@ -8,9 +8,9 @@
|
||||
.\"
|
||||
.\" Created: Sun May 7 00:14:37 1995 ylo
|
||||
.\"
|
||||
-.\" $OpenBSD: scp.1,v 1.100 2021/08/11 14:07:54 naddy Exp $
|
||||
+.\" $OpenBSD: scp.1,v 1.101 2021/09/08 23:31:39 djm Exp $
|
||||
.\"
|
||||
-.Dd $Mdocdate: August 11 2021 $
|
||||
+.Dd $Mdocdate: September 8 2021 $
|
||||
.Dt SCP 1
|
||||
.Os
|
||||
.Sh NAME
|
||||
@@ -18,7 +18,7 @@
|
||||
.Nd OpenSSH secure file copy
|
||||
.Sh SYNOPSIS
|
||||
@ -23,55 +11,31 @@ index 68aac04b..a96e95ad 100644
|
||||
.Op Fl c Ar cipher
|
||||
.Op Fl D Ar sftp_server_path
|
||||
.Op Fl F Ar ssh_config
|
||||
@@ -37,9 +37,6 @@ It uses
|
||||
.Xr ssh 1
|
||||
for data transfer, and uses the same authentication and provides the
|
||||
same security as a login session.
|
||||
-The scp protocol requires execution of the remote user's shell to perform
|
||||
-.Xr glob 3
|
||||
-pattern matching.
|
||||
.Pp
|
||||
.Nm
|
||||
will ask for passwords or passphrases if they are needed for
|
||||
@@ -79,7 +76,9 @@ The options are as follows:
|
||||
Copies between two remote hosts are transferred through the local host.
|
||||
Without this option the data is copied directly between the two remote
|
||||
hosts.
|
||||
-Note that, when using the legacy SCP protocol (the default), this option
|
||||
+Note that, when using the legacy SCP protocol (via the
|
||||
-Note that, when using the original SCP protocol (the default), this option
|
||||
+Note that, when using the original SCP protocol (via the
|
||||
+.Fl O
|
||||
+flag), this option
|
||||
selects batch mode for the second host as
|
||||
.Nm
|
||||
cannot ask for passwords or passphrases for both hosts.
|
||||
@@ -146,9 +145,10 @@ Limits the used bandwidth, specified in Kbit/s.
|
||||
.It Fl O
|
||||
Use the legacy SCP protocol for file transfers instead of the SFTP protocol.
|
||||
Forcing the use of the SCP protocol may be necessary for servers that do
|
||||
-not implement SFTP or for backwards-compatibility for particular filename
|
||||
-wildcard patterns.
|
||||
@@ -146,7 +145,6 @@ Limits the used bandwidth, specified in Kbit/s.
|
||||
wildcard patterns and for expanding paths with a
|
||||
.Sq ~
|
||||
prefix for older SFTP servers.
|
||||
-This mode is the default.
|
||||
+not implement SFTP, for backwards-compatibility for particular filename
|
||||
+wildcard patterns and for expanding paths with a
|
||||
+.Sq ~
|
||||
+prefix for older SFTP servers.
|
||||
.It Fl o Ar ssh_option
|
||||
Can be used to pass options to
|
||||
.Nm ssh
|
||||
@@ -258,16 +258,6 @@ to use for the encrypted connection.
|
||||
@@ -258,8 +258,6 @@ to use for the encrypted connection.
|
||||
The program must understand
|
||||
.Xr ssh 1
|
||||
options.
|
||||
-.It Fl s
|
||||
-Use the SFTP protocol for file transfers instead of the legacy SCP protocol.
|
||||
-Using SFTP avoids invoking a shell on the remote side and provides
|
||||
-more predictable filename handling, as the SCP protocol
|
||||
-relied on the remote shell for expanding
|
||||
-.Xr glob 3
|
||||
-wildcards.
|
||||
-.Pp
|
||||
-A near-future release of OpenSSH will make the SFTP protocol the default.
|
||||
-This option will be deleted before the end of 2022.
|
||||
-Use the SFTP protocol for transfers rather than the original scp protocol.
|
||||
.It Fl T
|
||||
Disable strict filename checking.
|
||||
By default when copying files from a remote host to a local directory
|
||||
@ -103,12 +67,6 @@ diff --git a/scp.c b/scp.c
|
||||
index e039350c..c7cf7529 100644
|
||||
--- a/scp.c
|
||||
+++ b/scp.c
|
||||
@@ -1,4 +1,4 @@
|
||||
-/* $OpenBSD: scp.c,v 1.232 2021/08/11 14:07:54 naddy Exp $ */
|
||||
+/* $OpenBSD: scp.c,v 1.233 2021/09/08 23:31:39 djm Exp $ */
|
||||
/*
|
||||
* scp - secure remote copy. This is basically patched BSD rcp which
|
||||
* uses ssh to do the data transfer (instead of using rcmd).
|
||||
@@ -448,7 +448,7 @@ main(int argc, char **argv)
|
||||
const char *errstr;
|
||||
extern char *optarg;
|
||||
|
@ -1,31 +0,0 @@
|
||||
diff --git a/misc.c b/misc.c
|
||||
index b8d1040d..0134d694 100644
|
||||
--- a/misc.c
|
||||
+++ b/misc.c
|
||||
@@ -1,4 +1,4 @@
|
||||
-/* $OpenBSD: misc.c,v 1.169 2021/08/09 23:47:44 djm Exp $ */
|
||||
+/* $OpenBSD: misc.c,v 1.170 2021/09/26 14:01:03 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
* Copyright (c) 2005-2020 Damien Miller. All rights reserved.
|
||||
@@ -56,6 +56,7 @@
|
||||
#ifdef HAVE_PATHS_H
|
||||
# include <paths.h>
|
||||
#include <pwd.h>
|
||||
+#include <grp.h>
|
||||
#endif
|
||||
#ifdef SSH_TUN_OPENBSD
|
||||
#include <net/if.h>
|
||||
@@ -2695,6 +2696,12 @@ subprocess(const char *tag, const char *command,
|
||||
}
|
||||
closefrom(STDERR_FILENO + 1);
|
||||
|
||||
+ if (geteuid() == 0 &&
|
||||
+ initgroups(pw->pw_name, pw->pw_gid) == -1) {
|
||||
+ error("%s: initgroups(%s, %u): %s", tag,
|
||||
+ pw->pw_name, (u_int)pw->pw_gid, strerror(errno));
|
||||
+ _exit(1);
|
||||
+ }
|
||||
if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1) {
|
||||
error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid,
|
||||
strerror(errno));
|
12
openssh.spec
12
openssh.spec
@ -50,10 +50,10 @@
|
||||
%{?static_openssl:%global static_libcrypto 1}
|
||||
|
||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||
%global openssh_ver 8.7p1
|
||||
%global openssh_rel 3
|
||||
%global openssh_ver 8.8p1
|
||||
%global openssh_rel 1
|
||||
%global pam_ssh_agent_ver 0.10.4
|
||||
%global pam_ssh_agent_rel 4
|
||||
%global pam_ssh_agent_rel 5
|
||||
|
||||
Summary: An open source implementation of SSH protocol version 2
|
||||
Name: openssh
|
||||
@ -197,8 +197,6 @@ Patch975: openssh-8.0p1-preserve-pam-errors.patch
|
||||
Patch976: openssh-8.7p1-sftp-default-protocol.patch
|
||||
# Implement kill switch for SCP protocol
|
||||
Patch977: openssh-8.7p1-scp-kill-switch.patch
|
||||
# CVE-2021-41617
|
||||
Patch978: openssh-8.7p1-upstream-cve-2021-41617.patch
|
||||
|
||||
License: BSD
|
||||
Requires: /sbin/nologin
|
||||
@ -377,7 +375,6 @@ popd
|
||||
%patch975 -p1 -b .preserve-pam-errors
|
||||
%patch976 -p1 -b .sftp-by-default
|
||||
%patch977 -p1 -b .kill-scp
|
||||
%patch978 -p1 -b .cve-2021-41617
|
||||
|
||||
%patch200 -p1 -b .audit
|
||||
%patch201 -p1 -b .audit-race
|
||||
@ -663,6 +660,9 @@ test -f %{sysconfig_anaconda} && \
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Nov 29 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.8p1-1 + 0.10.4-5
|
||||
- New upstream release (#2007967)
|
||||
|
||||
* Wed Sep 29 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-3
|
||||
- CVE-2021-41617 fix (#2008292)
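Review bot: The new changelog entry says only `- New upstream release (#2007967)`, while the same commit removes `Patch978: openssh-8.7p1-upstream-cve-2021-41617.patch` and its `%patch978` line. Anyone auditing the package history for CVE-2021-41617 will see the fix patch disappear with no recorded reason. The deleted patch carries upstream's misc.c revision 1.170 with the `initgroups()` call in `subprocess()`, which suggests the fix is already part of the 8.8p1 tarball, but that should be confirmed against the rebased source. Once confirmed, record it in the changelog, e.g. `- Drop CVE-2021-41617 patch, fix is included in upstream 8.8p1`.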
|
||||
|
||||
|
6
sources
6
sources
@ -1,4 +1,4 @@
|
||||
SHA512 (openssh-8.7p1.tar.gz) = 08c81024d9e1248abfda6cc874886ff5ae916669b93cd6aff640e0614ee8cbcbc3fe87a9ce47136b6443ddbb1168b114367c74e117551905994e1a7e3fa2c0c2
|
||||
SHA512 (openssh-8.7p1.tar.gz.asc) = 08b4bda855ca3ef202c271f1c0e3486082b93d1009a794d020e7ba223978bc87bf34b1fbccaae3379a47639bd849935fdaaf63bdb781d0a44625066ccf00fbfc
|
||||
SHA512 (openssh-8.8p1.tar.gz) = d44cd04445f9c8963513b0d5a7e8348985114ff2471e119a6e344498719ef40f09c61c354888a3be9dabcb5870e5cbe5d3aafbb861dfa1d82a4952f3d233a8df
|
||||
SHA512 (openssh-8.8p1.tar.gz.asc) = 165e025305902f884d04d4444fa3143e4ea1a25a1c65aafe05e113537b3d3e50f7cd5f818bc2ca3404699372ca78f69c46b7452faf2d3998c448a5b80a411ae4
|
||||
SHA512 (DJM-GPG-KEY.gpg) = db1191ed9b6495999e05eed2ef863fb5179bdb63e94850f192dad68eed8579836f88fbcfffd9f28524fe1457aff8cd248ee3e0afc112c8f609b99a34b80ecc0d
|
||||
SHA512 (pam_ssh_agent_auth-0.10.4.tar.gz) = caccf72174d15e43f4c86a459ac6448682e62116557cf1e1e828955f3d1731595b238df42adec57860e7f341e92daf5d8285020bcb5018f3b8a5145aa32ee1c2
|
||||
SHA512 (gpgkey-736060BA.gpg) = df44f3fdbcd1d596705348c7f5aed3f738c5f626a55955e0642f7c6c082995cf36a1b1891bb41b8715cb2aff34fef1c877e0eff0d3507dd00a055ba695757a21
|
||||
|