forked from rpms/openssh
import CS openssh-8.7p1-38.el9
This commit is contained in:
parent
d80bf06988
commit
828c949c3d
52
SOURCES/openssh-9.3p1-openssl-compat.patch
Normal file
52
SOURCES/openssh-9.3p1-openssl-compat.patch
Normal file
@ -0,0 +1,52 @@
|
|||||||
|
--- openssh-9.3p1/openbsd-compat/openssl-compat.c 2023-03-15 22:28:19.000000000 +0100
|
||||||
|
+++ /home/dbelyavs/work/upstream/openssh-portable/openbsd-compat/openssl-compat.c 2023-05-25 14:19:42.870841944 +0200
|
||||||
|
@@ -33,10 +33,10 @@
|
||||||
|
|
||||||
|
/*
|
||||||
|
* OpenSSL version numbers: MNNFFPPS: major minor fix patch status
|
||||||
|
- * We match major, minor, fix and status (not patch) for <1.0.0.
|
||||||
|
- * After that, we acceptable compatible fix versions (so we
|
||||||
|
- * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed
|
||||||
|
- * within a patch series.
|
||||||
|
+ * Versions >=3 require only major versions to match.
|
||||||
|
+ * For versions <3, we accept compatible fix versions (so we allow 1.0.1
|
||||||
|
+ * to work with 1.0.0). Going backwards is only allowed within a patch series.
|
||||||
|
+ * See https://www.openssl.org/policies/releasestrat.html
|
||||||
|
*/
|
||||||
|
|
||||||
|
int
|
||||||
|
@@ -48,15 +48,17 @@
|
||||||
|
if (headerver == libver)
|
||||||
|
return 1;
|
||||||
|
|
||||||
|
- /* for versions < 1.0.0, major,minor,fix,status must match */
|
||||||
|
- if (headerver < 0x1000000f) {
|
||||||
|
- mask = 0xfffff00fL; /* major,minor,fix,status */
|
||||||
|
+ /*
|
||||||
|
+ * For versions >= 3.0, only the major and status must match.
|
||||||
|
+ */
|
||||||
|
+ if (headerver >= 0x3000000f) {
|
||||||
|
+ mask = 0xf000000fL; /* major,status */
|
||||||
|
return (headerver & mask) == (libver & mask);
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
- * For versions >= 1.0.0, major,minor,status must match and library
|
||||||
|
- * fix version must be equal to or newer than the header.
|
||||||
|
+ * For versions >= 1.0.0, but <3, major,minor,status must match and
|
||||||
|
+ * library fix version must be equal to or newer than the header.
|
||||||
|
*/
|
||||||
|
mask = 0xfff0000fL; /* major,minor,status */
|
||||||
|
hfix = (headerver & 0x000ff000) >> 12;
|
||||||
|
diff -up openssh-8.7p1/configure.ac.check openssh-8.7p1/configure.ac
|
||||||
|
--- openssh-8.7p1/configure.ac.check 2023-11-27 14:54:32.959113758 +0100
|
||||||
|
+++ openssh-8.7p1/configure.ac 2023-11-27 14:54:49.467500523 +0100
|
||||||
|
@@ -2821,7 +2821,7 @@ if test "x$openssl" = "xyes" ; then
|
||||||
|
;;
|
||||||
|
101*) ;; # 1.1.x
|
||||||
|
200*) ;; # LibreSSL
|
||||||
|
- 300*) ;; # OpenSSL development branch.
|
||||||
|
+ 30*) ;; # OpenSSL 3.x series
|
||||||
|
*)
|
||||||
|
AC_MSG_ERROR([Unknown/unsupported OpenSSL version ("$ssl_library_ver")])
|
||||||
|
;;
|
33
SOURCES/openssh-9.4p2-limit-delay.patch
Normal file
33
SOURCES/openssh-9.4p2-limit-delay.patch
Normal file
@ -0,0 +1,33 @@
|
|||||||
|
diff -u -p -r1.166 auth2.c
|
||||||
|
--- a/auth2.c 8 Mar 2023 04:43:12 -0000 1.166
|
||||||
|
+++ b/auth2.c 28 Aug 2023 08:32:44 -0000
|
||||||
|
@@ -208,6 +208,7 @@ input_service_request(int type, u_int32_
|
||||||
|
}
|
||||||
|
|
||||||
|
#define MIN_FAIL_DELAY_SECONDS 0.005
|
||||||
|
+#define MAX_FAIL_DELAY_SECONDS 5.0
|
||||||
|
static double
|
||||||
|
user_specific_delay(const char *user)
|
||||||
|
{
|
||||||
|
@@ -233,6 +234,12 @@ ensure_minimum_time_since(double start,
|
||||||
|
struct timespec ts;
|
||||||
|
double elapsed = monotime_double() - start, req = seconds, remain;
|
||||||
|
|
||||||
|
+ if (elapsed > MAX_FAIL_DELAY_SECONDS) {
|
||||||
|
+ debug3_f("elapsed %0.3lfms exceeded the max delay "
|
||||||
|
+ "requested %0.3lfms)", elapsed*1000, req*1000);
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/* if we've already passed the requested time, scale up */
|
||||||
|
while ((remain = seconds - elapsed) < 0.0)
|
||||||
|
seconds *= 2;
|
||||||
|
@@ -317,7 +324,7 @@ input_userauth_request(int type, u_int32
|
||||||
|
debug2("input_userauth_request: try method %s", method);
|
||||||
|
authenticated = m->userauth(ssh);
|
||||||
|
}
|
||||||
|
- if (!authctxt->authenticated)
|
||||||
|
+ if (!authctxt->authenticated && strcmp(method, "none") != 0)
|
||||||
|
ensure_minimum_time_since(tstart,
|
||||||
|
user_specific_delay(authctxt->user));
|
||||||
|
userauth_finish(ssh, authenticated, method, NULL);
|
447
SOURCES/openssh-9.6p1-CVE-2023-48795.patch
Normal file
447
SOURCES/openssh-9.6p1-CVE-2023-48795.patch
Normal file
@ -0,0 +1,447 @@
|
|||||||
|
diff --git a/PROTOCOL b/PROTOCOL
|
||||||
|
index d453c779..ded935eb 100644
|
||||||
|
--- a/PROTOCOL
|
||||||
|
+++ b/PROTOCOL
|
||||||
|
@@ -137,6 +137,32 @@ than as a named global or channel request to allow pings with very
|
||||||
|
described at:
|
||||||
|
http://git.libssh.org/users/aris/libssh.git/plain/doc/curve25519-sha256@libssh.org.txt?h=curve25519
|
||||||
|
|
||||||
|
+1.9 transport: strict key exchange extension
|
||||||
|
+
|
||||||
|
+OpenSSH supports a number of transport-layer hardening measures under
|
||||||
|
+a "strict KEX" feature. This feature is signalled similarly to the
|
||||||
|
+RFC8308 ext-info feature: by including a additional algorithm in the
|
||||||
|
+initiial SSH2_MSG_KEXINIT kex_algorithms field. The client may append
|
||||||
|
+"kex-strict-c-v00@openssh.com" to its kex_algorithms and the server
|
||||||
|
+may append "kex-strict-s-v00@openssh.com". These pseudo-algorithms
|
||||||
|
+are only valid in the initial SSH2_MSG_KEXINIT and MUST be ignored
|
||||||
|
+if they are present in subsequent SSH2_MSG_KEXINIT packets.
|
||||||
|
+
|
||||||
|
+When an endpoint that supports this extension observes this algorithm
|
||||||
|
+name in a peer's KEXINIT packet, it MUST make the following changes to
|
||||||
|
+the the protocol:
|
||||||
|
+
|
||||||
|
+a) During initial KEX, terminate the connection if any unexpected or
|
||||||
|
+ out-of-sequence packet is received. This includes terminating the
|
||||||
|
+ connection if the first packet received is not SSH2_MSG_KEXINIT.
|
||||||
|
+ Unexpected packets for the purpose of strict KEX include messages
|
||||||
|
+ that are otherwise valid at any time during the connection such as
|
||||||
|
+ SSH2_MSG_DEBUG and SSH2_MSG_IGNORE.
|
||||||
|
+b) After sending or receiving a SSH2_MSG_NEWKEYS message, reset the
|
||||||
|
+ packet sequence number to zero. This behaviour persists for the
|
||||||
|
+ duration of the connection (i.e. not just the first
|
||||||
|
+ SSH2_MSG_NEWKEYS).
|
||||||
|
+
|
||||||
|
2. Connection protocol changes
|
||||||
|
|
||||||
|
2.1. connection: Channel write close extension "eow@openssh.com"
|
||||||
|
diff --git a/kex.c b/kex.c
|
||||||
|
index aa5e792d..d478ff6e 100644
|
||||||
|
--- a/kex.c
|
||||||
|
+++ b/kex.c
|
||||||
|
@@ -65,7 +65,7 @@
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* prototype */
|
||||||
|
-static int kex_choose_conf(struct ssh *);
|
||||||
|
+static int kex_choose_conf(struct ssh *, uint32_t seq);
|
||||||
|
static int kex_input_newkeys(int, u_int32_t, struct ssh *);
|
||||||
|
|
||||||
|
static const char *proposal_names[PROPOSAL_MAX] = {
|
||||||
|
@@ -177,6 +177,18 @@ kex_names_valid(const char *names)
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
+/* returns non-zero if proposal contains any algorithm from algs */
|
||||||
|
+static int
|
||||||
|
+has_any_alg(const char *proposal, const char *algs)
|
||||||
|
+{
|
||||||
|
+ char *cp;
|
||||||
|
+
|
||||||
|
+ if ((cp = match_list(proposal, algs, NULL)) == NULL)
|
||||||
|
+ return 0;
|
||||||
|
+ free(cp);
|
||||||
|
+ return 1;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* Concatenate algorithm names, avoiding duplicates in the process.
|
||||||
|
* Caller must free returned string.
|
||||||
|
@@ -184,7 +196,7 @@ kex_names_valid(const char *names)
|
||||||
|
char *
|
||||||
|
kex_names_cat(const char *a, const char *b)
|
||||||
|
{
|
||||||
|
- char *ret = NULL, *tmp = NULL, *cp, *p, *m;
|
||||||
|
+ char *ret = NULL, *tmp = NULL, *cp, *p;
|
||||||
|
size_t len;
|
||||||
|
|
||||||
|
if (a == NULL || *a == '\0')
|
||||||
|
@@ -201,10 +213,8 @@ kex_names_cat(const char *a, const char *b)
|
||||||
|
}
|
||||||
|
strlcpy(ret, a, len);
|
||||||
|
for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) {
|
||||||
|
- if ((m = match_list(ret, p, NULL)) != NULL) {
|
||||||
|
- free(m);
|
||||||
|
+ if (has_any_alg(ret, p))
|
||||||
|
continue; /* Algorithm already present */
|
||||||
|
- }
|
||||||
|
if (strlcat(ret, ",", len) >= len ||
|
||||||
|
strlcat(ret, p, len) >= len) {
|
||||||
|
free(tmp);
|
||||||
|
@@ -466,7 +485,12 @@ kex_protocol_error(int type, u_int32_t seq, struct ssh *ssh)
|
||||||
|
{
|
||||||
|
int r;
|
||||||
|
|
||||||
|
- error("kex protocol error: type %d seq %u", type, seq);
|
||||||
|
+ /* If in strict mode, any unexpected message is an error */
|
||||||
|
+ if ((ssh->kex->flags & KEX_INITIAL) && ssh->kex->kex_strict) {
|
||||||
|
+ ssh_packet_disconnect(ssh, "strict KEX violation: "
|
||||||
|
+ "unexpected packet type %u (seqnr %u)", type, seq);
|
||||||
|
+ }
|
||||||
|
+ error_f("type %u seq %u", type, seq);
|
||||||
|
if ((r = sshpkt_start(ssh, SSH2_MSG_UNIMPLEMENTED)) != 0 ||
|
||||||
|
(r = sshpkt_put_u32(ssh, seq)) != 0 ||
|
||||||
|
(r = sshpkt_send(ssh)) != 0)
|
||||||
|
@@ -548,6 +572,11 @@ kex_input_ext_info(int type, u_int32_t seq, struct ssh *ssh)
|
||||||
|
ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_protocol_error);
|
||||||
|
if ((r = sshpkt_get_u32(ssh, &ninfo)) != 0)
|
||||||
|
return r;
|
||||||
|
+ if (ninfo >= 1024) {
|
||||||
|
+ error("SSH2_MSG_EXT_INFO with too many entries, expected "
|
||||||
|
+ "<=1024, received %u", ninfo);
|
||||||
|
+ return dispatch_protocol_error(type, seq, ssh);
|
||||||
|
+ }
|
||||||
|
for (i = 0; i < ninfo; i++) {
|
||||||
|
if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0)
|
||||||
|
return r;
|
||||||
|
@@ -681,7 +705,7 @@ kex_input_kexinit(int type, u_int32_t seq, struct ssh *ssh)
|
||||||
|
error_f("no kex");
|
||||||
|
return SSH_ERR_INTERNAL_ERROR;
|
||||||
|
}
|
||||||
|
- ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
|
||||||
|
+ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_protocol_error);
|
||||||
|
ptr = sshpkt_ptr(ssh, &dlen);
|
||||||
|
if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
|
||||||
|
return r;
|
||||||
|
@@ -717,7 +741,7 @@ kex_input_kexinit(int type, u_int32_t seq, struct ssh *ssh)
|
||||||
|
if (!(kex->flags & KEX_INIT_SENT))
|
||||||
|
if ((r = kex_send_kexinit(ssh)) != 0)
|
||||||
|
return r;
|
||||||
|
- if ((r = kex_choose_conf(ssh)) != 0)
|
||||||
|
+ if ((r = kex_choose_conf(ssh, seq)) != 0)
|
||||||
|
return r;
|
||||||
|
|
||||||
|
if (kex->kex_type < KEX_MAX && kex->kex[kex->kex_type] != NULL)
|
||||||
|
@@ -981,20 +1005,14 @@ proposals_match(char *my[PROPOSAL_MAX], char *peer[PROPOSAL_MAX])
|
||||||
|
return (1);
|
||||||
|
}
|
||||||
|
|
||||||
|
-/* returns non-zero if proposal contains any algorithm from algs */
|
||||||
|
static int
|
||||||
|
-has_any_alg(const char *proposal, const char *algs)
|
||||||
|
+kexalgs_contains(char **peer, const char *ext)
|
||||||
|
{
|
||||||
|
- char *cp;
|
||||||
|
-
|
||||||
|
- if ((cp = match_list(proposal, algs, NULL)) == NULL)
|
||||||
|
- return 0;
|
||||||
|
- free(cp);
|
||||||
|
- return 1;
|
||||||
|
+ return has_any_alg(peer[PROPOSAL_KEX_ALGS], ext);
|
||||||
|
}
|
||||||
|
|
||||||
|
static int
|
||||||
|
-kex_choose_conf(struct ssh *ssh)
|
||||||
|
+kex_choose_conf(struct ssh *ssh, uint32_t seq)
|
||||||
|
{
|
||||||
|
struct kex *kex = ssh->kex;
|
||||||
|
struct newkeys *newkeys;
|
||||||
|
@@ -1019,13 +1037,23 @@ kex_choose_conf(struct ssh *ssh)
|
||||||
|
sprop=peer;
|
||||||
|
}
|
||||||
|
|
||||||
|
- /* Check whether client supports ext_info_c */
|
||||||
|
- if (kex->server && (kex->flags & KEX_INITIAL)) {
|
||||||
|
- char *ext;
|
||||||
|
-
|
||||||
|
- ext = match_list("ext-info-c", peer[PROPOSAL_KEX_ALGS], NULL);
|
||||||
|
- kex->ext_info_c = (ext != NULL);
|
||||||
|
- free(ext);
|
||||||
|
+ /* Check whether peer supports ext_info/kex_strict */
|
||||||
|
+ if ((kex->flags & KEX_INITIAL) != 0) {
|
||||||
|
+ if (kex->server) {
|
||||||
|
+ kex->ext_info_c = kexalgs_contains(peer, "ext-info-c");
|
||||||
|
+ kex->kex_strict = kexalgs_contains(peer,
|
||||||
|
+ "kex-strict-c-v00@openssh.com");
|
||||||
|
+ } else {
|
||||||
|
+ kex->kex_strict = kexalgs_contains(peer,
|
||||||
|
+ "kex-strict-s-v00@openssh.com");
|
||||||
|
+ }
|
||||||
|
+ if (kex->kex_strict) {
|
||||||
|
+ debug3_f("will use strict KEX ordering");
|
||||||
|
+ if (seq != 0)
|
||||||
|
+ ssh_packet_disconnect(ssh,
|
||||||
|
+ "strict KEX violation: "
|
||||||
|
+ "KEXINIT was not the first packet");
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Check whether client supports rsa-sha2 algorithms */
|
||||||
|
diff --git a/kex.h b/kex.h
|
||||||
|
index 5f7ef784..272ebb43 100644
|
||||||
|
--- a/kex.h
|
||||||
|
+++ b/kex.h
|
||||||
|
@@ -149,6 +149,7 @@ struct kex {
|
||||||
|
u_int kex_type;
|
||||||
|
char *server_sig_algs;
|
||||||
|
int ext_info_c;
|
||||||
|
+ int kex_strict;
|
||||||
|
struct sshbuf *my;
|
||||||
|
struct sshbuf *peer;
|
||||||
|
struct sshbuf *client_version;
|
||||||
|
diff --git a/packet.c b/packet.c
|
||||||
|
index 52017def..beb214f9 100644
|
||||||
|
--- a/packet.c
|
||||||
|
+++ b/packet.c
|
||||||
|
@@ -1207,8 +1207,13 @@ ssh_packet_send2_wrapped(struct ssh *ssh)
|
||||||
|
sshbuf_dump(state->output, stderr);
|
||||||
|
#endif
|
||||||
|
/* increment sequence number for outgoing packets */
|
||||||
|
- if (++state->p_send.seqnr == 0)
|
||||||
|
+ if (++state->p_send.seqnr == 0) {
|
||||||
|
+ if ((ssh->kex->flags & KEX_INITIAL) != 0) {
|
||||||
|
+ ssh_packet_disconnect(ssh, "outgoing sequence number "
|
||||||
|
+ "wrapped during initial key exchange");
|
||||||
|
+ }
|
||||||
|
logit("outgoing seqnr wraps around");
|
||||||
|
+ }
|
||||||
|
if (++state->p_send.packets == 0)
|
||||||
|
if (!(ssh->compat & SSH_BUG_NOREKEY))
|
||||||
|
return SSH_ERR_NEED_REKEY;
|
||||||
|
@@ -1216,6 +1221,11 @@ ssh_packet_send2_wrapped(struct ssh *ssh)
|
||||||
|
state->p_send.bytes += len;
|
||||||
|
sshbuf_reset(state->outgoing_packet);
|
||||||
|
|
||||||
|
+ if (type == SSH2_MSG_NEWKEYS && ssh->kex->kex_strict) {
|
||||||
|
+ debug_f("resetting send seqnr %u", state->p_send.seqnr);
|
||||||
|
+ state->p_send.seqnr = 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if (type == SSH2_MSG_NEWKEYS)
|
||||||
|
r = ssh_set_newkeys(ssh, MODE_OUT);
|
||||||
|
else if (type == SSH2_MSG_USERAUTH_SUCCESS && state->server_side)
|
||||||
|
@@ -1344,8 +1354,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
|
||||||
|
/* Stay in the loop until we have received a complete packet. */
|
||||||
|
for (;;) {
|
||||||
|
/* Try to read a packet from the buffer. */
|
||||||
|
- r = ssh_packet_read_poll_seqnr(ssh, typep, seqnr_p);
|
||||||
|
- if (r != 0)
|
||||||
|
+ if ((r = ssh_packet_read_poll_seqnr(ssh, typep, seqnr_p)) != 0)
|
||||||
|
break;
|
||||||
|
/* If we got a packet, return it. */
|
||||||
|
if (*typep != SSH_MSG_NONE)
|
||||||
|
@@ -1629,10 +1615,16 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
|
||||||
|
if ((r = sshbuf_consume(state->input, mac->mac_len)) != 0)
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
+
|
||||||
|
if (seqnr_p != NULL)
|
||||||
|
*seqnr_p = state->p_read.seqnr;
|
||||||
|
- if (++state->p_read.seqnr == 0)
|
||||||
|
+ if (++state->p_read.seqnr == 0) {
|
||||||
|
+ if ((ssh->kex->flags & KEX_INITIAL) != 0) {
|
||||||
|
+ ssh_packet_disconnect(ssh, "incoming sequence number "
|
||||||
|
+ "wrapped during initial key exchange");
|
||||||
|
+ }
|
||||||
|
logit("incoming seqnr wraps around");
|
||||||
|
+ }
|
||||||
|
if (++state->p_read.packets == 0)
|
||||||
|
if (!(ssh->compat & SSH_BUG_NOREKEY))
|
||||||
|
return SSH_ERR_NEED_REKEY;
|
||||||
|
@@ -1698,6 +1690,10 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
|
||||||
|
#endif
|
||||||
|
/* reset for next packet */
|
||||||
|
state->packlen = 0;
|
||||||
|
+ if (*typep == SSH2_MSG_NEWKEYS && ssh->kex->kex_strict) {
|
||||||
|
+ debug_f("resetting read seqnr %u", state->p_read.seqnr);
|
||||||
|
+ state->p_read.seqnr = 0;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
if ((r = ssh_packet_check_rekey(ssh)) != 0)
|
||||||
|
return r;
|
||||||
|
@@ -1720,10 +1716,39 @@ ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
|
||||||
|
r = ssh_packet_read_poll2(ssh, typep, seqnr_p);
|
||||||
|
if (r != 0)
|
||||||
|
return r;
|
||||||
|
- if (*typep) {
|
||||||
|
- state->keep_alive_timeouts = 0;
|
||||||
|
- DBG(debug("received packet type %d", *typep));
|
||||||
|
+ if (*typep == 0) {
|
||||||
|
+ /* no message ready */
|
||||||
|
+ return 0;
|
||||||
|
}
|
||||||
|
+ state->keep_alive_timeouts = 0;
|
||||||
|
+ DBG(debug("received packet type %d", *typep));
|
||||||
|
+
|
||||||
|
+ /* Always process disconnect messages */
|
||||||
|
+ if (*typep == SSH2_MSG_DISCONNECT) {
|
||||||
|
+ if ((r = sshpkt_get_u32(ssh, &reason)) != 0 ||
|
||||||
|
+ (r = sshpkt_get_string(ssh, &msg, NULL)) != 0)
|
||||||
|
+ return r;
|
||||||
|
+ /* Ignore normal client exit notifications */
|
||||||
|
+ do_log2(ssh->state->server_side &&
|
||||||
|
+ reason == SSH2_DISCONNECT_BY_APPLICATION ?
|
||||||
|
+ SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR,
|
||||||
|
+ "Received disconnect from %s port %d:"
|
||||||
|
+ "%u: %.400s", ssh_remote_ipaddr(ssh),
|
||||||
|
+ ssh_remote_port(ssh), reason, msg);
|
||||||
|
+ free(msg);
|
||||||
|
+ return SSH_ERR_DISCONNECTED;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * Do not implicitly handle any messages here during initial
|
||||||
|
+ * KEX when in strict mode. They will be need to be allowed
|
||||||
|
+ * explicitly by the KEX dispatch table or they will generate
|
||||||
|
+ * protocol errors.
|
||||||
|
+ */
|
||||||
|
+ if (ssh->kex != NULL &&
|
||||||
|
+ (ssh->kex->flags & KEX_INITIAL) && ssh->kex->kex_strict)
|
||||||
|
+ return 0;
|
||||||
|
+ /* Implicitly handle transport-level messages */
|
||||||
|
switch (*typep) {
|
||||||
|
case SSH2_MSG_IGNORE:
|
||||||
|
debug3("Received SSH2_MSG_IGNORE");
|
||||||
|
@@ -1738,19 +1763,6 @@ ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
|
||||||
|
debug("Remote: %.900s", msg);
|
||||||
|
free(msg);
|
||||||
|
break;
|
||||||
|
- case SSH2_MSG_DISCONNECT:
|
||||||
|
- if ((r = sshpkt_get_u32(ssh, &reason)) != 0 ||
|
||||||
|
- (r = sshpkt_get_string(ssh, &msg, NULL)) != 0)
|
||||||
|
- return r;
|
||||||
|
- /* Ignore normal client exit notifications */
|
||||||
|
- do_log2(ssh->state->server_side &&
|
||||||
|
- reason == SSH2_DISCONNECT_BY_APPLICATION ?
|
||||||
|
- SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR,
|
||||||
|
- "Received disconnect from %s port %d:"
|
||||||
|
- "%u: %.400s", ssh_remote_ipaddr(ssh),
|
||||||
|
- ssh_remote_port(ssh), reason, msg);
|
||||||
|
- free(msg);
|
||||||
|
- return SSH_ERR_DISCONNECTED;
|
||||||
|
case SSH2_MSG_UNIMPLEMENTED:
|
||||||
|
if ((r = sshpkt_get_u32(ssh, &seqnr)) != 0)
|
||||||
|
return r;
|
||||||
|
@@ -2242,6 +2254,7 @@ kex_to_blob(struct sshbuf *m, struct kex *kex)
|
||||||
|
(r = sshbuf_put_u32(m, kex->hostkey_type)) != 0 ||
|
||||||
|
(r = sshbuf_put_u32(m, kex->hostkey_nid)) != 0 ||
|
||||||
|
(r = sshbuf_put_u32(m, kex->kex_type)) != 0 ||
|
||||||
|
+ (r = sshbuf_put_u32(m, kex->kex_strict)) != 0 ||
|
||||||
|
(r = sshbuf_put_stringb(m, kex->my)) != 0 ||
|
||||||
|
(r = sshbuf_put_stringb(m, kex->peer)) != 0 ||
|
||||||
|
(r = sshbuf_put_stringb(m, kex->client_version)) != 0 ||
|
||||||
|
@@ -2404,6 +2417,7 @@ kex_from_blob(struct sshbuf *m, struct kex **kexp)
|
||||||
|
(r = sshbuf_get_u32(m, (u_int *)&kex->hostkey_type)) != 0 ||
|
||||||
|
(r = sshbuf_get_u32(m, (u_int *)&kex->hostkey_nid)) != 0 ||
|
||||||
|
(r = sshbuf_get_u32(m, &kex->kex_type)) != 0 ||
|
||||||
|
+ (r = sshbuf_get_u32(m, &kex->kex_strict)) != 0 ||
|
||||||
|
(r = sshbuf_get_stringb(m, kex->my)) != 0 ||
|
||||||
|
(r = sshbuf_get_stringb(m, kex->peer)) != 0 ||
|
||||||
|
(r = sshbuf_get_stringb(m, kex->client_version)) != 0 ||
|
||||||
|
@@ -2732,6 +2746,7 @@ sshpkt_disconnect(struct ssh *ssh, const char *fmt,...)
|
||||||
|
vsnprintf(buf, sizeof(buf), fmt, args);
|
||||||
|
va_end(args);
|
||||||
|
|
||||||
|
+ debug2_f("sending SSH2_MSG_DISCONNECT: %s", buf);
|
||||||
|
if ((r = sshpkt_start(ssh, SSH2_MSG_DISCONNECT)) != 0 ||
|
||||||
|
(r = sshpkt_put_u32(ssh, SSH2_DISCONNECT_PROTOCOL_ERROR)) != 0 ||
|
||||||
|
(r = sshpkt_put_cstring(ssh, buf)) != 0 ||
|
||||||
|
diff --git a/sshconnect2.c b/sshconnect2.c
|
||||||
|
index df6caf81..0cccbcc4 100644
|
||||||
|
--- a/sshconnect2.c
|
||||||
|
+++ b/sshconnect2.c
|
||||||
|
@@ -253,7 +253,8 @@ ssh_kex2(struct ssh *ssh, char *host, st
|
||||||
|
fatal_fr(r, "kex_assemble_namelist");
|
||||||
|
free(all_key);
|
||||||
|
|
||||||
|
- if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL)
|
||||||
|
+ if ((s = kex_names_cat(options.kex_algorithms,
|
||||||
|
+ "ext-info-c,kex-strict-c-v00@openssh.com")) == NULL)
|
||||||
|
fatal_f("kex_names_cat");
|
||||||
|
myproposal[PROPOSAL_KEX_ALGS] = prop_kex = compat_kex_proposal(ssh, s);
|
||||||
|
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
|
||||||
|
@@ -358,7 +358,6 @@ struct cauthmethod {
|
||||||
|
};
|
||||||
|
|
||||||
|
static int input_userauth_service_accept(int, u_int32_t, struct ssh *);
|
||||||
|
-static int input_userauth_ext_info(int, u_int32_t, struct ssh *);
|
||||||
|
static int input_userauth_success(int, u_int32_t, struct ssh *);
|
||||||
|
static int input_userauth_failure(int, u_int32_t, struct ssh *);
|
||||||
|
static int input_userauth_banner(int, u_int32_t, struct ssh *);
|
||||||
|
@@ -472,7 +471,7 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
|
||||||
|
|
||||||
|
ssh->authctxt = &authctxt;
|
||||||
|
ssh_dispatch_init(ssh, &input_userauth_error);
|
||||||
|
- ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &input_userauth_ext_info);
|
||||||
|
+ ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, kex_input_ext_info);
|
||||||
|
ssh_dispatch_set(ssh, SSH2_MSG_SERVICE_ACCEPT, &input_userauth_service_accept);
|
||||||
|
ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &authctxt.success); /* loop until success */
|
||||||
|
pubkey_cleanup(ssh);
|
||||||
|
@@ -531,12 +530,6 @@ input_userauth_service_accept(int type, u_int32_t seq, struct ssh *ssh)
|
||||||
|
}
|
||||||
|
|
||||||
|
/* ARGSUSED */
|
||||||
|
-static int
|
||||||
|
-input_userauth_ext_info(int type, u_int32_t seqnr, struct ssh *ssh)
|
||||||
|
-{
|
||||||
|
- return kex_input_ext_info(type, seqnr, ssh);
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
void
|
||||||
|
userauth(struct ssh *ssh, char *authlist)
|
||||||
|
{
|
||||||
|
@@ -615,6 +608,7 @@ input_userauth_success(int type, u_int32_t seq, struct ssh *ssh)
|
||||||
|
free(authctxt->methoddata);
|
||||||
|
authctxt->methoddata = NULL;
|
||||||
|
authctxt->success = 1; /* break out */
|
||||||
|
+ ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, dispatch_protocol_error);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
diff -up openssh-8.7p1/sshd.c.kexstrict openssh-8.7p1/sshd.c
|
||||||
|
--- openssh-8.7p1/sshd.c.kexstrict 2023-11-27 13:19:18.855433602 +0100
|
||||||
|
+++ openssh-8.7p1/sshd.c 2023-11-27 13:28:10.441325314 +0100
|
||||||
|
@@ -2531,10 +2531,14 @@ do_ssh2_kex(struct ssh *ssh)
|
||||||
|
struct kex *kex;
|
||||||
|
char *hostkey_types = NULL;
|
||||||
|
char *prop_kex = NULL, *prop_enc = NULL, *prop_hostkey = NULL;
|
||||||
|
+ char *cp;
|
||||||
|
int r;
|
||||||
|
|
||||||
|
- myproposal[PROPOSAL_KEX_ALGS] = prop_kex = compat_kex_proposal(ssh,
|
||||||
|
- options.kex_algorithms);
|
||||||
|
+ if ((cp = kex_names_cat(options.kex_algorithms,
|
||||||
|
+ "kex-strict-s-v00@openssh.com")) == NULL)
|
||||||
|
+ fatal_f("kex_names_cat");
|
||||||
|
+
|
||||||
|
+ myproposal[PROPOSAL_KEX_ALGS] = prop_kex = compat_kex_proposal(ssh, cp);
|
||||||
|
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
|
||||||
|
myproposal[PROPOSAL_ENC_ALGS_STOC] = prop_enc =
|
||||||
|
compat_cipher_proposal(ssh, options.ciphers);
|
||||||
|
@@ -2586,7 +2586,7 @@ do_ssh2_kex(struct ssh *ssh)
|
||||||
|
if (gss && orig)
|
||||||
|
xasprintf(&newstr, "%s,%s", gss, orig);
|
||||||
|
else if (gss)
|
||||||
|
- newstr = gss;
|
||||||
|
+ xasprintf(&newstr, "%s,%s", gss, "kex-strict-s-v00@openssh.com");
|
||||||
|
else if (orig)
|
||||||
|
newstr = orig;
|
||||||
|
|
||||||
|
@@ -2650,6 +2654,7 @@ do_ssh2_kex(struct ssh *ssh)
|
||||||
|
#endif
|
||||||
|
free(prop_kex);
|
||||||
|
free(prop_enc);
|
||||||
|
+ free(cp);
|
||||||
|
free(prop_hostkey);
|
||||||
|
debug("KEX done");
|
||||||
|
}
|
57
SOURCES/openssh-9.6p1-CVE-2023-51385.patch
Normal file
57
SOURCES/openssh-9.6p1-CVE-2023-51385.patch
Normal file
@ -0,0 +1,57 @@
|
|||||||
|
diff --git a/ssh.c b/ssh.c
|
||||||
|
index 35c48e62..48d93ddf 100644
|
||||||
|
--- a/ssh.c
|
||||||
|
+++ b/ssh.c
|
||||||
|
@@ -626,6 +626,41 @@ ssh_conn_info_free(struct ssh_conn_info *cinfo)
|
||||||
|
free(cinfo);
|
||||||
|
}
|
||||||
|
|
||||||
|
+static int
|
||||||
|
+valid_hostname(const char *s)
|
||||||
|
+{
|
||||||
|
+ size_t i;
|
||||||
|
+
|
||||||
|
+ if (*s == '-')
|
||||||
|
+ return 0;
|
||||||
|
+ for (i = 0; s[i] != 0; i++) {
|
||||||
|
+ if (strchr("'`\"$\\;&<>|(){}", s[i]) != NULL ||
|
||||||
|
+ isspace((u_char)s[i]) || iscntrl((u_char)s[i]))
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+ return 1;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int
|
||||||
|
+valid_ruser(const char *s)
|
||||||
|
+{
|
||||||
|
+ size_t i;
|
||||||
|
+
|
||||||
|
+ if (*s == '-')
|
||||||
|
+ return 0;
|
||||||
|
+ for (i = 0; s[i] != 0; i++) {
|
||||||
|
+ if (strchr("'`\";&<>|(){}", s[i]) != NULL)
|
||||||
|
+ return 0;
|
||||||
|
+ /* Disallow '-' after whitespace */
|
||||||
|
+ if (isspace((u_char)s[i]) && s[i + 1] == '-')
|
||||||
|
+ return 0;
|
||||||
|
+ /* Disallow \ in last position */
|
||||||
|
+ if (s[i] == '\\' && s[i + 1] == '\0')
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+ return 1;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* Main program for the ssh client.
|
||||||
|
*/
|
||||||
|
@@ -1118,6 +1153,10 @@ main(int ac, char **av)
|
||||||
|
if (!host)
|
||||||
|
usage();
|
||||||
|
|
||||||
|
+ if (!valid_hostname(host))
|
||||||
|
+ fatal("hostname contains invalid characters");
|
||||||
|
+ if (options.user != NULL && !valid_ruser(options.user))
|
||||||
|
+ fatal("remote username contains invalid characters");
|
||||||
|
host_arg = xstrdup(host);
|
||||||
|
|
||||||
|
/* Initialize the command to execute on remote host. */
|
2
SOURCES/openssh-server-systemd-sysusers.conf
Normal file
2
SOURCES/openssh-server-systemd-sysusers.conf
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
#Type Name ID GECOS Home directory Shell
|
||||||
|
u sshd 74 "Privilege-separated SSH" /usr/share/empty.sshd -
|
2
SOURCES/openssh-systemd-sysusers.conf
Normal file
2
SOURCES/openssh-systemd-sysusers.conf
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
#Type Name ID
|
||||||
|
g ssh_keys 101
|
@ -7,10 +7,6 @@
|
|||||||
|
|
||||||
%global _hardened_build 1
|
%global _hardened_build 1
|
||||||
|
|
||||||
# OpenSSH privilege separation requires a user & group ID
|
|
||||||
%global sshd_uid 74
|
|
||||||
%global sshd_gid 74
|
|
||||||
|
|
||||||
# Do we want to disable building of gnome-askpass? (1=yes 0=no)
|
# Do we want to disable building of gnome-askpass? (1=yes 0=no)
|
||||||
%global no_gnome_askpass 0
|
%global no_gnome_askpass 0
|
||||||
|
|
||||||
@ -51,7 +47,7 @@
|
|||||||
|
|
||||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||||
%global openssh_ver 8.7p1
|
%global openssh_ver 8.7p1
|
||||||
%global openssh_rel 34
|
%global openssh_rel 38
|
||||||
%global pam_ssh_agent_ver 0.10.4
|
%global pam_ssh_agent_ver 0.10.4
|
||||||
%global pam_ssh_agent_rel 5
|
%global pam_ssh_agent_rel 5
|
||||||
|
|
||||||
@ -76,6 +72,8 @@ Source12: sshd-keygen@.service
|
|||||||
Source13: sshd-keygen
|
Source13: sshd-keygen
|
||||||
Source15: sshd-keygen.target
|
Source15: sshd-keygen.target
|
||||||
Source16: ssh-agent.service
|
Source16: ssh-agent.service
|
||||||
|
Source17: openssh-systemd-sysusers.conf
|
||||||
|
Source18: openssh-server-systemd-sysusers.conf
|
||||||
|
|
||||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=2581
|
#https://bugzilla.mindrot.org/show_bug.cgi?id=2581
|
||||||
Patch100: openssh-6.7p1-coverity.patch
|
Patch100: openssh-6.7p1-coverity.patch
|
||||||
@ -282,6 +280,14 @@ Patch1014: openssh-8.7p1-UTC-time-parse.patch
|
|||||||
# upsream commit
|
# upsream commit
|
||||||
# b23fe83f06ee7e721033769cfa03ae840476d280
|
# b23fe83f06ee7e721033769cfa03ae840476d280
|
||||||
Patch1015: openssh-9.3p1-upstream-cve-2023-38408.patch
|
Patch1015: openssh-9.3p1-upstream-cve-2023-38408.patch
|
||||||
|
#upstream commit b7afd8a4ecaca8afd3179b55e9db79c0ff210237
|
||||||
|
Patch1016: openssh-9.3p1-openssl-compat.patch
|
||||||
|
#upstream commit 01dbf3d46651b7d6ddf5e45d233839bbfffaeaec
|
||||||
|
Patch1017: openssh-9.4p2-limit-delay.patch
|
||||||
|
#upstream commit 1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5
|
||||||
|
Patch1018: openssh-9.6p1-CVE-2023-48795.patch
|
||||||
|
#upstream commit 7ef3787c84b6b524501211b11a26c742f829af1a
|
||||||
|
Patch1019: openssh-9.6p1-CVE-2023-51385.patch
|
||||||
|
|
||||||
License: BSD
|
License: BSD
|
||||||
Requires: /sbin/nologin
|
Requires: /sbin/nologin
|
||||||
@ -501,6 +507,10 @@ popd
|
|||||||
%patch1013 -p1 -b .man-hostkeyalgos
|
%patch1013 -p1 -b .man-hostkeyalgos
|
||||||
%patch1014 -p1 -b .utc_parse
|
%patch1014 -p1 -b .utc_parse
|
||||||
%patch1015 -p1 -b .cve-2023-38408
|
%patch1015 -p1 -b .cve-2023-38408
|
||||||
|
%patch1016 -p1 -b .openssl3compat
|
||||||
|
%patch1017 -p1 -b .limitdelay
|
||||||
|
%patch1018 -p1 -b .cve-2023-48795
|
||||||
|
%patch1019 -p1 -b .cve-2023-51385
|
||||||
|
|
||||||
autoreconf
|
autoreconf
|
||||||
pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}
|
pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}
|
||||||
@ -646,6 +656,8 @@ install -m744 %{SOURCE13} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/sshd-keygen
|
|||||||
install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/
|
install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/
|
||||||
install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/
|
install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/
|
||||||
install -d -m711 ${RPM_BUILD_ROOT}/%{_datadir}/empty.sshd
|
install -d -m711 ${RPM_BUILD_ROOT}/%{_datadir}/empty.sshd
|
||||||
|
install -p -D -m 0644 %{SOURCE17} %{buildroot}%{_sysusersdir}/openssh.conf
|
||||||
|
install -p -D -m 0644 %{SOURCE18} %{buildroot}%{_sysusersdir}/openssh-server.conf
|
||||||
|
|
||||||
%if ! %{no_gnome_askpass}
|
%if ! %{no_gnome_askpass}
|
||||||
install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
|
install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
|
||||||
@ -674,13 +686,10 @@ install -m 755 -d $RPM_BUILD_ROOT%{_libdir}/sshtest/
|
|||||||
install -m 755 regress/misc/sk-dummy/sk-dummy.so $RPM_BUILD_ROOT%{_libdir}/sshtest
|
install -m 755 regress/misc/sk-dummy/sk-dummy.so $RPM_BUILD_ROOT%{_libdir}/sshtest
|
||||||
|
|
||||||
%pre
|
%pre
|
||||||
getent group ssh_keys >/dev/null || groupadd -r ssh_keys || :
|
%sysusers_create_compat %{SOURCE17}
|
||||||
|
|
||||||
%pre server
|
%pre server
|
||||||
getent group sshd >/dev/null || groupadd -g %{sshd_uid} -r sshd || :
|
%sysusers_create_compat %{SOURCE18}
|
||||||
getent passwd sshd >/dev/null || \
|
|
||||||
useradd -c "Privilege-separated SSH" -u %{sshd_uid} -g sshd \
|
|
||||||
-s /sbin/nologin -r -d /usr/share/empty.sshd sshd 2> /dev/null || :
|
|
||||||
|
|
||||||
%post server
|
%post server
|
||||||
%systemd_post sshd.service sshd.socket
|
%systemd_post sshd.service sshd.socket
|
||||||
@ -718,6 +727,7 @@ test -f %{sysconfig_anaconda} && \
|
|||||||
%attr(0755,root,root) %dir %{_libexecdir}/openssh
|
%attr(0755,root,root) %dir %{_libexecdir}/openssh
|
||||||
%attr(2555,root,ssh_keys) %{_libexecdir}/openssh/ssh-keysign
|
%attr(2555,root,ssh_keys) %{_libexecdir}/openssh/ssh-keysign
|
||||||
%attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8*
|
%attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8*
|
||||||
|
%attr(0644,root,root) %{_sysusersdir}/openssh.conf
|
||||||
|
|
||||||
%files clients
|
%files clients
|
||||||
%attr(0755,root,root) %{_bindir}/ssh
|
%attr(0755,root,root) %{_bindir}/ssh
|
||||||
@ -763,6 +773,7 @@ test -f %{sysconfig_anaconda} && \
|
|||||||
%attr(0644,root,root) %{_unitdir}/sshd.socket
|
%attr(0644,root,root) %{_unitdir}/sshd.socket
|
||||||
%attr(0644,root,root) %{_unitdir}/sshd-keygen@.service
|
%attr(0644,root,root) %{_unitdir}/sshd-keygen@.service
|
||||||
%attr(0644,root,root) %{_unitdir}/sshd-keygen.target
|
%attr(0644,root,root) %{_unitdir}/sshd-keygen.target
|
||||||
|
%attr(0644,root,root) %{_sysusersdir}/openssh-server.conf
|
||||||
|
|
||||||
%files keycat
|
%files keycat
|
||||||
%doc HOWTO.ssh-keycat
|
%doc HOWTO.ssh-keycat
|
||||||
@ -787,6 +798,30 @@ test -f %{sysconfig_anaconda} && \
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Jan 05 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-38
|
||||||
|
- Fix Terrapin attack
|
||||||
|
Resolves: CVE-2023-48795
|
||||||
|
|
||||||
|
* Fri Jan 05 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-37
|
||||||
|
- Fix Terrapin attack
|
||||||
|
Resolves: CVE-2023-48795
|
||||||
|
|
||||||
|
* Wed Dec 20 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-36
|
||||||
|
- Fix Terrapin attack
|
||||||
|
Resolves: CVE-2023-48795
|
||||||
|
- Relax OpenSSH build-time checks for OpenSSL version
|
||||||
|
Related: RHEL-4734
|
||||||
|
- Forbid shell metasymbols in username/hostname
|
||||||
|
Resolves: CVE-2023-51385
|
||||||
|
|
||||||
|
* Mon Oct 23 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-35
|
||||||
|
- Relax OpenSSH checks for OpenSSL version
|
||||||
|
Resolves: RHEL-4734
|
||||||
|
- Limit artificial delays in sshd while login using AD user
|
||||||
|
Resolves: RHEL-2469
|
||||||
|
- Move users/groups creation logic to sysusers.d fragments
|
||||||
|
Resolves: RHEL-5222
|
||||||
|
|
||||||
* Thu Jul 20 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-34
|
* Thu Jul 20 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-34
|
||||||
- Avoid remote code execution in ssh-agent PKCS#11 support
|
- Avoid remote code execution in ssh-agent PKCS#11 support
|
||||||
Resolves: CVE-2023-38408
|
Resolves: CVE-2023-38408
|
||||||
|
Loading…
Reference in New Issue
Block a user