forked from rpms/openssh
c9833c96a4
- use libedit in sftp (#203009) - fixed audit log injection problem (CVE-2007-3102)
151 lines
6.2 KiB
Diff
151 lines
6.2 KiB
Diff
diff -up openssh-4.7p1/configure.ac.vendor openssh-4.7p1/configure.ac
|
|
--- openssh-4.7p1/configure.ac.vendor 2007-09-06 16:27:47.000000000 +0200
|
|
+++ openssh-4.7p1/configure.ac 2007-09-06 16:27:47.000000000 +0200
|
|
@@ -3792,6 +3792,12 @@ AC_ARG_WITH(lastlog,
|
|
fi
|
|
]
|
|
)
|
|
+AC_ARG_ENABLE(vendor-patchlevel,
|
|
+ [ --enable-vendor-patchlevel=TAG specify a vendor patch level],
|
|
+ [AC_DEFINE_UNQUOTED(SSH_VENDOR_PATCHLEVEL,[SSH_RELEASE "-" "$enableval"],[Define to your vendor patch level, if it has been modified from the upstream source release.])
|
|
+ SSH_VENDOR_PATCHLEVEL="$enableval"],
|
|
+ [AC_DEFINE(SSH_VENDOR_PATCHLEVEL,SSH_RELEASE,[Define to your vendor patch level, if it has been modified from the upstream source release.])
|
|
+ SSH_VENDOR_PATCHLEVEL=none])
|
|
|
|
dnl lastlog, [uw]tmpx? detection
|
|
dnl NOTE: set the paths in the platform section to avoid the
|
|
@@ -4041,6 +4047,7 @@ echo " IP address in \$DISPLAY hac
|
|
echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
|
|
echo " BSD Auth support: $BSD_AUTH_MSG"
|
|
echo " Random number source: $RAND_MSG"
|
|
+echo " Vendor patch level: $SSH_VENDOR_PATCHLEVEL"
|
|
if test ! -z "$USE_RAND_HELPER" ; then
|
|
echo " ssh-rand-helper collects from: $RAND_HELPER_MSG"
|
|
fi
|
|
diff -up openssh-4.7p1/sshd_config.5.vendor openssh-4.7p1/sshd_config.5
|
|
--- openssh-4.7p1/sshd_config.5.vendor 2007-09-06 16:27:47.000000000 +0200
|
|
+++ openssh-4.7p1/sshd_config.5 2007-09-06 16:27:47.000000000 +0200
|
|
@@ -725,6 +725,14 @@ This option applies to protocol version
|
|
.It Cm ServerKeyBits
|
|
Defines the number of bits in the ephemeral protocol version 1 server key.
|
|
The minimum value is 512, and the default is 768.
|
|
+.It Cm ShowPatchLevel
|
|
+Specifies whether
|
|
+.Nm sshd
|
|
+will display the patch level of the binary in the identification string.
|
|
+The patch level is set at compile-time.
|
|
+The default is
|
|
+.Dq no .
|
|
+This option applies to protocol version 1 only.
|
|
.It Cm StrictModes
|
|
Specifies whether
|
|
.Xr sshd 8
|
|
diff -up openssh-4.7p1/servconf.h.vendor openssh-4.7p1/servconf.h
|
|
--- openssh-4.7p1/servconf.h.vendor 2007-02-19 12:25:38.000000000 +0100
|
|
+++ openssh-4.7p1/servconf.h 2007-09-06 16:27:47.000000000 +0200
|
|
@@ -120,6 +120,7 @@ typedef struct {
|
|
int max_startups;
|
|
int max_authtries;
|
|
char *banner; /* SSH-2 banner message */
|
|
+ int show_patchlevel; /* Show vendor patch level to clients */
|
|
int use_dns;
|
|
int client_alive_interval; /*
|
|
* poke the client this often to
|
|
diff -up openssh-4.7p1/servconf.c.vendor openssh-4.7p1/servconf.c
|
|
--- openssh-4.7p1/servconf.c.vendor 2007-05-20 07:03:16.000000000 +0200
|
|
+++ openssh-4.7p1/servconf.c 2007-09-06 16:29:11.000000000 +0200
|
|
@@ -113,6 +113,7 @@ initialize_server_options(ServerOptions
|
|
options->max_startups = -1;
|
|
options->max_authtries = -1;
|
|
options->banner = NULL;
|
|
+ options->show_patchlevel = -1;
|
|
options->use_dns = -1;
|
|
options->client_alive_interval = -1;
|
|
options->client_alive_count_max = -1;
|
|
@@ -250,6 +251,9 @@ fill_default_server_options(ServerOption
|
|
if (options->permit_tun == -1)
|
|
options->permit_tun = SSH_TUNMODE_NO;
|
|
|
|
+ if (options->show_patchlevel == -1)
|
|
+ options->show_patchlevel = 0;
|
|
+
|
|
/* Turn privilege separation on by default */
|
|
if (use_privsep == -1)
|
|
use_privsep = 1;
|
|
@@ -293,6 +297,7 @@ typedef enum {
|
|
sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
|
|
sMatch, sPermitOpen, sForceCommand,
|
|
sUsePrivilegeSeparation,
|
|
+ sShowPatchLevel,
|
|
sDeprecated, sUnsupported
|
|
} ServerOpCodes;
|
|
|
|
@@ -390,6 +395,7 @@ static struct {
|
|
{ "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
|
|
{ "maxauthtries", sMaxAuthTries, SSHCFG_GLOBAL },
|
|
{ "banner", sBanner, SSHCFG_ALL },
|
|
+ { "showpatchlevel", sShowPatchLevel, SSHCFG_GLOBAL },
|
|
{ "usedns", sUseDNS, SSHCFG_GLOBAL },
|
|
{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
|
|
{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
|
|
@@ -1005,6 +1011,10 @@ parse_flag:
|
|
intptr = &use_privsep;
|
|
goto parse_flag;
|
|
|
|
+ case sShowPatchLevel:
|
|
+ intptr = &options->show_patchlevel;
|
|
+ goto parse_flag;
|
|
+
|
|
case sAllowUsers:
|
|
while ((arg = strdelim(&cp)) && *arg != '\0') {
|
|
if (options->num_allow_users >= MAX_ALLOW_USERS)
|
|
diff -up openssh-4.7p1/sshd_config.0.vendor openssh-4.7p1/sshd_config.0
|
|
--- openssh-4.7p1/sshd_config.0.vendor 2007-09-06 16:27:47.000000000 +0200
|
|
+++ openssh-4.7p1/sshd_config.0 2007-09-06 16:27:47.000000000 +0200
|
|
@@ -418,6 +418,11 @@ DESCRIPTION
|
|
Defines the number of bits in the ephemeral protocol version 1
|
|
server key. The minimum value is 512, and the default is 768.
|
|
|
|
+ ShowPatchLevel
|
|
+ Specifies whether sshd will display the specific patch level of
|
|
+ the binary in the server identification string. The patch level
|
|
+ is set at compile-time. The default is M-bM-^@M-^\noM-bM-^@M-^].
|
|
+
|
|
StrictModes
|
|
Specifies whether sshd(8) should check file modes and ownership
|
|
of the user's files and home directory before accepting login.
|
|
diff -up openssh-4.7p1/sshd_config.vendor openssh-4.7p1/sshd_config
|
|
--- openssh-4.7p1/sshd_config.vendor 2007-09-06 16:27:47.000000000 +0200
|
|
+++ openssh-4.7p1/sshd_config 2007-09-06 16:27:47.000000000 +0200
|
|
@@ -109,6 +109,7 @@ X11Forwarding yes
|
|
#Compression delayed
|
|
#ClientAliveInterval 0
|
|
#ClientAliveCountMax 3
|
|
+#ShowPatchLevel no
|
|
#UseDNS yes
|
|
#PidFile /var/run/sshd.pid
|
|
#MaxStartups 10
|
|
diff -up openssh-4.7p1/sshd.c.vendor openssh-4.7p1/sshd.c
|
|
--- openssh-4.7p1/sshd.c.vendor 2007-06-05 10:22:32.000000000 +0200
|
|
+++ openssh-4.7p1/sshd.c 2007-09-06 16:27:47.000000000 +0200
|
|
@@ -419,7 +419,8 @@ sshd_exchange_identification(int sock_in
|
|
major = PROTOCOL_MAJOR_1;
|
|
minor = PROTOCOL_MINOR_1;
|
|
}
|
|
- snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor, SSH_VERSION);
|
|
+ snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor,
|
|
+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION);
|
|
server_version_string = xstrdup(buf);
|
|
|
|
/* Send our protocol version identification. */
|
|
@@ -1434,7 +1435,8 @@ main(int ac, char **av)
|
|
exit(1);
|
|
}
|
|
|
|
- debug("sshd version %.100s", SSH_RELEASE);
|
|
+ debug("sshd version %.100s",
|
|
+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_RELEASE);
|
|
|
|
/* Store privilege separation user for later use if required. */
|
|
if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
|