forked from rpms/openssh
Merged update from upstream sources
This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team. Source: https://src.fedoraproject.org/rpms/openssh.git#126d278fec03d044c5d4a19015f1214420ec9097
This commit is contained in:
parent
81d24c0aa7
commit
c8a4397d72
57
openssh-8.4p1-debian-compat.patch
Normal file
57
openssh-8.4p1-debian-compat.patch
Normal file
@ -0,0 +1,57 @@
|
||||
--- compat.h.orig 2020-10-05 10:09:02.953505129 -0700
|
||||
+++ compat.h 2020-10-05 10:10:17.587733113 -0700
|
||||
@@ -34,7 +34,7 @@
|
||||
|
||||
#define SSH_BUG_UTF8TTYMODE 0x00000001
|
||||
#define SSH_BUG_SIGTYPE 0x00000002
|
||||
-/* #define unused 0x00000004 */
|
||||
+#define SSH_BUG_SIGTYPE74 0x00000004
|
||||
/* #define unused 0x00000008 */
|
||||
#define SSH_OLD_SESSIONID 0x00000010
|
||||
/* #define unused 0x00000020 */
|
||||
--- compat.c.orig 2020-10-05 10:25:02.088720562 -0700
|
||||
+++ compat.c 2020-10-05 10:13:11.637282492 -0700
|
||||
@@ -65,11 +65,12 @@
|
||||
{ "OpenSSH_6.5*,"
|
||||
"OpenSSH_6.6*", SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD|
|
||||
SSH_BUG_SIGTYPE},
|
||||
+ { "OpenSSH_7.4*", SSH_NEW_OPENSSH|SSH_BUG_SIGTYPE|
|
||||
+ SSH_BUG_SIGTYPE74},
|
||||
{ "OpenSSH_7.0*,"
|
||||
"OpenSSH_7.1*,"
|
||||
"OpenSSH_7.2*,"
|
||||
"OpenSSH_7.3*,"
|
||||
- "OpenSSH_7.4*,"
|
||||
"OpenSSH_7.5*,"
|
||||
"OpenSSH_7.6*,"
|
||||
"OpenSSH_7.7*", SSH_NEW_OPENSSH|SSH_BUG_SIGTYPE},
|
||||
--- sshconnect2.c.orig 2020-09-26 07:26:37.618010545 -0700
|
||||
+++ sshconnect2.c 2020-10-05 10:47:22.116315148 -0700
|
||||
@@ -1305,6 +1305,26 @@
|
||||
break;
|
||||
}
|
||||
free(oallowed);
|
||||
+ /*
|
||||
+ * OpenSSH 7.4 supports SHA2 sig types, but fails to indicate its
|
||||
+ * support. For that release, check the local policy against the
|
||||
+ * SHA2 signature types.
|
||||
+ */
|
||||
+ if (alg == NULL &&
|
||||
+ (key->type == KEY_RSA && (datafellows & SSH_BUG_SIGTYPE74))) {
|
||||
+ oallowed = allowed = xstrdup(options.pubkey_key_types);
|
||||
+ while ((cp = strsep(&allowed, ",")) != NULL) {
|
||||
+ if (sshkey_type_from_name(cp) != key->type)
|
||||
+ continue;
|
||||
+ tmp = match_list(sshkey_sigalg_by_name(cp), "rsa-sha2-256,rsa-sha2-512", NULL);
|
||||
+ if (tmp != NULL)
|
||||
+ alg = xstrdup(cp);
|
||||
+ free(tmp);
|
||||
+ if (alg != NULL)
|
||||
+ break;
|
||||
+ }
|
||||
+ free(oallowed);
|
||||
+ }
|
||||
return alg;
|
||||
}
|
||||
|
||||
|
14
openssh-8.4p1-sandbox-seccomp.patch
Normal file
14
openssh-8.4p1-sandbox-seccomp.patch
Normal file
@ -0,0 +1,14 @@
|
||||
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
|
||||
index e0768c06..5065ae7e 100644
|
||||
--- a/sandbox-seccomp-filter.c
|
||||
+++ b/sandbox-seccomp-filter.c
|
||||
@@ -267,6 +267,9 @@ static const struct sock_filter preauth_insns[] = {
|
||||
#ifdef __NR_pselect6
|
||||
SC_ALLOW(__NR_pselect6),
|
||||
#endif
|
||||
+#ifdef __NR_pselect6_time64
|
||||
+ SC_ALLOW(__NR_pselect6_time64),
|
||||
+#endif
|
||||
#ifdef __NR_read
|
||||
SC_ALLOW(__NR_read),
|
||||
#endif
|
12
openssh.spec
12
openssh.spec
@ -51,7 +51,7 @@
|
||||
|
||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||
%global openssh_ver 8.4p1
|
||||
%global openssh_rel 2
|
||||
%global openssh_rel 3
|
||||
%global pam_ssh_agent_ver 0.10.4
|
||||
%global pam_ssh_agent_rel 1
|
||||
|
||||
@ -197,6 +197,10 @@ Patch965: openssh-8.2p1-visibility.patch
|
||||
# Do not break X11 without IPv6
|
||||
Patch966: openssh-8.2p1-x11-without-ipv6.patch
|
||||
Patch967: openssh-8.4p1-ssh-copy-id.patch
|
||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=3232
|
||||
Patch968: openssh-8.4p1-sandbox-seccomp.patch
|
||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=3213
|
||||
Patch969: openssh-8.4p1-debian-compat.patch
|
||||
|
||||
License: BSD
|
||||
Requires: /sbin/nologin
|
||||
@ -381,6 +385,8 @@ popd
|
||||
%patch965 -p1 -b .visibility
|
||||
%patch966 -p1 -b .x11-ipv6
|
||||
%patch967 -p1 -b .ssh-copy-id
|
||||
%patch968 -p1 -b .seccomp
|
||||
%patch969 -p0 -b .debian
|
||||
|
||||
%patch200 -p1 -b .audit
|
||||
%patch201 -p1 -b .audit-race
|
||||
@ -663,6 +669,10 @@ test -f %{sysconfig_anaconda} && \
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu Nov 19 2020 Jakub Jelen <jjelen@redhat.com> - 8.4p1-3 + 0.10.4-1
|
||||
- Unbreak seccomp filter on arm (#1897712)
|
||||
- Add a workaround for Debian's broken OpenSSH (#1881301)
|
||||
|
||||
* Tue Oct 06 2020 Jakub Jelen <jjelen@redhat.com> - 8.4p1-2 + 0.10.4-1
|
||||
- Unbreak ssh-copy-id after a release (#1884231)
|
||||
- Remove misleading comment from sysconfig
|
||||
|
Loading…
Reference in New Issue
Block a user