Relax OpenSSH checks for OpenSSL version

Resolves: RHEL-4734
This commit is contained in:
Dmitry Belyavskiy 2023-10-23 12:59:46 +02:00
parent edaf6c0fb4
commit d8b51e8341
2 changed files with 48 additions and 1 deletions

View File

@ -0,0 +1,40 @@
--- openssh-9.3p1/openbsd-compat/openssl-compat.c 2023-03-15 22:28:19.000000000 +0100
+++ /home/dbelyavs/work/upstream/openssh-portable/openbsd-compat/openssl-compat.c 2023-05-25 14:19:42.870841944 +0200
@@ -33,10 +33,10 @@
/*
* OpenSSL version numbers: MNNFFPPS: major minor fix patch status
- * We match major, minor, fix and status (not patch) for <1.0.0.
- * After that, we acceptable compatible fix versions (so we
- * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed
- * within a patch series.
+ * Versions >=3 require only major versions to match.
+ * For versions <3, we accept compatible fix versions (so we allow 1.0.1
+ * to work with 1.0.0). Going backwards is only allowed within a patch series.
+ * See https://www.openssl.org/policies/releasestrat.html
*/
int
@@ -48,15 +48,17 @@
if (headerver == libver)
return 1;
- /* for versions < 1.0.0, major,minor,fix,status must match */
- if (headerver < 0x1000000f) {
- mask = 0xfffff00fL; /* major,minor,fix,status */
+ /*
+ * For versions >= 3.0, only the major and status must match.
+ */
+ if (headerver >= 0x3000000f) {
+ mask = 0xf000000fL; /* major,status */
return (headerver & mask) == (libver & mask);
}
/*
- * For versions >= 1.0.0, major,minor,status must match and library
- * fix version must be equal to or newer than the header.
+ * For versions >= 1.0.0, but <3, major,minor,status must match and
+ * library fix version must be equal to or newer than the header.
*/
mask = 0xfff0000fL; /* major,minor,status */
hfix = (headerver & 0x000ff000) >> 12;

View File

@ -51,7 +51,7 @@
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%global openssh_ver 8.7p1
%global openssh_rel 34
%global openssh_rel 35
%global pam_ssh_agent_ver 0.10.4
%global pam_ssh_agent_rel 5
@ -282,6 +282,8 @@ Patch1014: openssh-8.7p1-UTC-time-parse.patch
# upsream commit
# b23fe83f06ee7e721033769cfa03ae840476d280
Patch1015: openssh-9.3p1-upstream-cve-2023-38408.patch
#upstream commit b7afd8a4ecaca8afd3179b55e9db79c0ff210237
Patch1016: openssh-9.3p1-openssl-compat.patch
License: BSD
Requires: /sbin/nologin
@ -501,6 +503,7 @@ popd
%patch1013 -p1 -b .man-hostkeyalgos
%patch1014 -p1 -b .utc_parse
%patch1015 -p1 -b .cve-2023-38408
%patch1016 -p1 -b .openssl3compat
autoreconf
pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}
@ -787,6 +790,10 @@ test -f %{sysconfig_anaconda} && \
%endif
%changelog
* Mon Oct 23 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-35
- Relax OpenSSH checks for OpenSSL version
Resolves: RHEL-4734
* Thu Jul 20 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-34
- Avoid remote code execution in ssh-agent PKCS#11 support
Resolves: CVE-2023-38408