Jakub Jelen 
							
						 
					 
					
						
						
						
						
							
						
						
							7b15444065 
							
						 
					 
					
						
						
							
							Fix X11 forwarding CVE according to upstream  
						
						
						
					 
					
						2016-02-24 09:51:43 +01:00 
						 
				 
			
				
					
						
							
							
								Jakub Jelen 
							
						 
					 
					
						
						
						
						
							
						
						
							4fdc3c59c4 
							
						 
					 
					
						
						
							
							Fix problem when running without privsep ( #1303910 )  
						
						
						
					 
					
						2016-02-24 09:51:43 +01:00 
						 
				 
			
				
					
						
							
							
								Jakub Jelen 
							
						 
					 
					
						
						
						
						
							
						
						
							700da17374 
							
						 
					 
					
						
						
							
							Remove hard glob limit since the CVE introducing this one is unrelated.  
						
						
						
					 
					
						2016-02-24 09:51:43 +01:00 
						 
				 
			
				
					
						
							
							
								Fedora Release Engineering 
							
						 
					 
					
						
						
						
						
							
						
						
							b2b837ad97 
							
						 
					 
					
						
						
							
							- Rebuilt for  https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild  
						
						
						
					 
					
						2016-02-04 11:34:23 +00:00 
						 
				 
			
				
					
						
							
							
								Jakub Jelen 
							
						 
					 
					
						
						
						
						
							
						
						
							8ddd3edcd8 
							
						 
					 
					
						
						
							
							openssh-7.1p2-3 + 0.10.2-1  
						
						
						
					 
					
						2016-01-30 01:18:26 +01:00 
						 
				 
			
				
					
						
							
							
								Jakub Jelen 
							
						 
					 
					
						
						
						
						
							
						
						
							ca79709ade 
							
						 
					 
					
						
						
							
							Silently disable X11 forwarding  
						
						... 
						
						
						
						Based on feedback on previous update:
https://bodhi.fedoraproject.org/updates/FEDORA-2016-47ac27532d  
						
					 
					
						2016-01-30 01:18:12 +01:00 
						 
				 
			
				
					
						
							
							
								Jakub Jelen 
							
						 
					 
					
						
						
						
						
							
						
						
							c08255b7b1 
							
						 
					 
					
						
						
							
							Fix pam_ssh_agent_auth segfaults with non-accepted keys ( #1303036 )  
						
						
						
					 
					
						2016-01-30 01:18:06 +01:00 
						 
				 
			
				
					
						
							
							
								Jakub Jelen 
							
						 
					 
					
						
						
						
						
							
						
						
							d1b43a2865 
							
						 
					 
					
						
						
							
							Update sshd service file to forking (as  #1291172 )  
						
						
						
					 
					
						2016-01-26 13:54:53 +01:00 
						 
				 
			
				
					
						
							
							
								Jakub Jelen 
							
						 
					 
					
						
						
						
						
							
						
						
							7adf5f4c63 
							
						 
					 
					
						
						
							
							Missing pam_ssh_agent_auth sources  
						
						
						
					 
					
						2016-01-26 09:10:27 +01:00 
						 
				 
			
				
					
						
							
							
								Jakub Jelen 
							
						 
					 
					
						
						
						
						
							
						
						
							6c2eb5e22d 
							
						 
					 
					
						
						
							
							openssh-7.1p2-2 + 0.10.2-1  
						
						
						
					 
					
						2016-01-26 09:00:28 +01:00 
						 
				 
			
				
					
						
							
							
								Jakub Jelen 
							
						 
					 
					
						
						
						
						
							
						
						
							38c7737421 
							
						 
					 
					
						
						
							
							Remove defattr from spec file  
						
						... 
						
						
						
						Mailing list thread:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/KEO7AX3JXR2TY6OVL4M7HDISZ6YIJNKU/  
						
					 
					
						2016-01-26 09:00:28 +01:00 
						 
				 
			
				
					
						
							
							
								Jakub Jelen 
							
						 
					 
					
						
						
						
						
							
						
						
							733cea720e 
							
						 
					 
					
						
						
							
							CVE-2016-1908: Prevent possible fallback from untrusted to trusted X11 forwarding  
						
						... 
						
						
						
						Upstream commits:
  https://anongit.mindrot.org/openssh.git/commit/?id=ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c 
  https://anongit.mindrot.org/openssh.git/commit/?id=f98a09cacff7baad8748c9aa217afd155a4d493f  
						
					 
					
						2016-01-26 09:00:23 +01:00 
						 
				 
			
				
					
						
							
							
								Jakub Jelen 
							
						 
					 
					
						
						
						
						
							
						
						
							87ab5fc4af 
							
						 
					 
					
						
						
							
							Reabse to latest release of pam_ssh_agent_auth with preserving current functionality  
						
						... 
						
						
						
						* Rebase to latest upstream version
 * Clean up older patches for pam_ssh_agent_auth
 * Remove prefixes from upstream release so we can build it against current
   openssh library
 * Remove copied files and headers so we make sure we build against current openssh 
						
					 
					
						2016-01-25 13:32:42 +01:00 
						 
				 
			
				
					
						
							
							
								Jakub Jelen 
							
						 
					 
					
						
						
						
						
							
						
						
							7bc64374b0 
							
						 
					 
					
						
						
							
							openssh-7.1p2-1 + 0.9.2-9  
						
						
						
					 
					
						2016-01-14 16:11:06 +01:00 
						 
				 
			
				
					
						
							
							
								Jakub Jelen 
							
						 
					 
					
						
						
						
						
							
						
						
							b2191db92e 
							
						 
					 
					
						
						
							
							openssh-7.1p1-7 + 0.9.2-8  
						
						
						
					 
					
						2016-01-12 13:15:33 +01:00 
						 
				 
			
				
					
						
							
							
								Jakub Jelen 
							
						 
					 
					
						
						
						
						
							
						
						
							af94f46861 
							
						 
					 
					
						
						
							
							Fix condition to run sshd-keygen  
						
						... 
						
						
						
						When the first boot fails for some reason and the host keys files
are created, but the content not synced into the disk, during the
second boot, the keygen is not run, but the sshd will not start.
Changing condition mitigates this case. 
						
					 
					
						2016-01-12 13:14:58 +01:00 
						 
				 
			
				
					
						
							
							
								Jakub Jelen 
							
						 
					 
					
						
						
						
						
							
						
						
							06b1d5330a 
							
						 
					 
					
						
						
							
							Make ssh-keysign world readable ( #1296724 )  
						
						
						
					 
					
						2016-01-08 13:22:09 +01:00 
						 
				 
			
				
					
						
							
							
								Jakub Jelen 
							
						 
					 
					
						
						
						
						
							
						
						
							f26cd8d6ee 
							
						 
					 
					
						
						
							
							Update ssh-agent permissions ( #1296724 )  
						
						... 
						
						
						
						* It is no longer required to have ssh-agent with suid bit, because
  the ptrace attach is prevented using PR_SET_DUMPABLE 0 [1]
[1] https://anongit.mindrot.org/openssh.git/commit/?id=6c4914afccb0c188a2c412d12dfb1b73e362e07e  
						
					 
					
						2016-01-08 11:27:02 +01:00 
						 
				 
			
				
					
						
							
							
								Jakub Jelen 
							
						 
					 
					
						
						
						
						
							
						
						
							7c5d0a686c 
							
						 
					 
					
						
						
							
							Make sure the semantics of %global macro stays the same as before  a0e252571b 
						
						
						
					 
					
						2016-01-08 09:15:52 +01:00 
						 
				 
			
				
					
						
							
							
								Jakub Jelen 
							
						 
					 
					
						
						
						
						
							
						
						
							da62b78673 
							
						 
					 
					
						
						
							
							Do not check for openssl based keys if built without openssl  
						
						
						
					 
					
						2016-01-05 12:48:00 +01:00 
						 
				 
			
				
					
						
							
							
								Jakub Jelen 
							
						 
					 
					
						
						
						
						
							
						
						
							62897e51d6 
							
						 
					 
					
						
						
							
							Do not set default values for GSSAPI when building without GSSAPI  
						
						
						
					 
					
						2016-01-05 12:41:38 +01:00 
						 
				 
			
				
					
						
							
							
								Jakub Jelen 
							
						 
					 
					
						
						
						
						
							
						
						
							e1b19de52a 
							
						 
					 
					
						
						
							
							Fix wrong handling of LEGACY environment variable  
						
						
						
					 
					
						2016-01-05 12:39:40 +01:00 
						 
				 
			
				
					
						
							
							
								Jakub Jelen 
							
						 
					 
					
						
						
						
						
							
						
						
							a0e252571b 
							
						 
					 
					
						
						
							
							Change %define to %global according to packaging guidelines  
						
						... 
						
						
						
						Based on discussion started on fedora-devel:
https://lists.fedoraproject.org/archives/list/devel%40lists.fedoraproject.org/thread/AS35NKZSAWRIKY77IUYOVNFAT6AJQVAU/  
						
					 
					
						2016-01-04 10:41:27 +01:00 
						 
				 
			
				
					
						
							
							
								Jakub Jelen 
							
						 
					 
					
						
						
						
						
							
						
						
							c45d147a86 
							
						 
					 
					
						
						
							
							openssh-7.1p1-6 + 0.9.2-8  
						
						
						
					 
					
						2015-12-18 14:36:00 +01:00 
						 
				 
			
				
					
						
							
							
								Jakub Jelen 
							
						 
					 
					
						
						
						
						
							
						
						
							f6bd29aaca 
							
						 
					 
					
						
						
							
							Preserve IUTF8 tty mode flag over ssh connections ( #1270248 )  
						
						
						
					 
					
						2015-12-18 14:36:00 +01:00 
						 
				 
			
				
					
						
							
							
								Jakub Jelen 
							
						 
					 
					
						
						
						
						
							
						
						
							c9e7e79685 
							
						 
					 
					
						
						
							
							Compatibility SSH_COPY_ID_LEGACY for ssh-copy-id  
						
						
						
					 
					
						2015-12-18 14:36:00 +01:00 
						 
				 
			
				
					
						
							
							
								Jakub Jelen 
							
						 
					 
					
						
						
						
						
							
						
						
							86f52d4e69 
							
						 
					 
					
						
						
							
							Rebase downstream patches of ssh-copy-id into one from upstream  
						
						... 
						
						
						
						Source:
http://git.hands.com/ssh-copy-id  
						
					 
					
						2015-12-16 15:40:10 +01:00 
						 
				 
			
				
					
						
							
							
								Jakub Jelen 
							
						 
					 
					
						
						
						
						
							
						
						
							d9d9575f00 
							
						 
					 
					
						
						
							
							GSSAPI Key Exchange documentation improvements  
						
						... 
						
						
						
						from Debian patches:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765655  
						
					 
					
						2015-12-10 15:37:52 +01:00 
						 
				 
			
				
					
						
							
							
								Jakub Jelen 
							
						 
					 
					
						
						
						
						
							
						
						
							f33aef5318 
							
						 
					 
					
						
						
							
							Remove unused patches  
						
						
						
					 
					
						2015-12-08 14:22:44 +01:00 
						 
				 
			
				
					
						
							
							
								Jakub Jelen 
							
						 
					 
					
						
						
						
						
							
						
						
							5410d2d3a7 
							
						 
					 
					
						
						
							
							Do not require sysconfig file to start service ( #1279521 )  
						
						
						
					 
					
						2015-11-09 17:10:15 +01:00 
						 
				 
			
				
					
						
							
							
								Jakub Jelen 
							
						 
					 
					
						
						
						
						
							
						
						
							ef86a312db 
							
						 
					 
					
						
						
							
							openssh-7.1p1-5 + 0.9.2-8  
						
						
						
					 
					
						2015-11-04 10:18:50 +01:00 
						 
				 
			
				
					
						
							
							
								Jakub Jelen 
							
						 
					 
					
						
						
						
						
							
						
						
							b6d4dc0a6f 
							
						 
					 
					
						
						
							
							Do not set user context too many times for root logins ( #1269072 )  
						
						
						
					 
					
						2015-11-04 10:17:32 +01:00 
						 
				 
			
				
					
						
							
							
								Jakub Jelen 
							
						 
					 
					
						
						
						
						
							
						
						
							fa54d5472d 
							
						 
					 
					
						
						
							
							openssh-7.1p1-4 + 0.9.2-8  
						
						
						
					 
					
						2015-10-22 14:55:07 +02:00 
						 
				 
			
				
					
						
							
							
								Jakub Jelen 
							
						 
					 
					
						
						
						
						
							
						
						
							aa9a7754ed 
							
						 
					 
					
						
						
							
							Audit implicit mac, if mac is covered in cipher ( #1271694 )  
						
						... 
						
						
						
						For example chacha20-poly1305@openssh.com  is AEAD (Authenticated Encryption with Associated Data) cipher and thus there is no separate MAC when it is used. 
						
					 
					
						2015-10-22 14:53:36 +02:00 
						 
				 
			
				
					
						
							
							
								Jakub Jelen 
							
						 
					 
					
						
						
						
						
							
						
						
							0ebe96b604 
							
						 
					 
					
						
						
							
							Handle root logins the same way as other users ( #1269072 )  
						
						... 
						
						
						
						root users are unconfined by definition, but they can be limited by SELinux so having privilege separation still makes sense. As a consequence we can remove hunk that handled this condition if we skipped forking. 
						
					 
					
						2015-10-22 14:52:55 +02:00 
						 
				 
			
				
					
						
							
							
								Jakub Jelen 
							
						 
					 
					
						
						
						
						
							
						
						
							22a08c3da4 
							
						 
					 
					
						
						
							
							Review SELinux user context handling after authentication ( #1269072 )  
						
						... 
						
						
						
						The previous required to have for all SELInux user contexts with setexec capability. Otherwise user would not be able to change password if it is expired. This patch sets correct context and cleans up the exec context.
When doing chroot, copy_selinux_context is called twice 
						
					 
					
						2015-10-15 16:21:33 +02:00 
						 
				 
			
				
					
						
							
							
								Jakub Jelen 
							
						 
					 
					
						
						
						
						
							
						
						
							8395bb78d0 
							
						 
					 
					
						
						
							
							Increase size limit of glob structures in sftp  
						
						
						
					 
					
						2015-09-30 15:27:08 +02:00 
						 
				 
			
				
					
						
							
							
								Jakub Jelen 
							
						 
					 
					
						
						
						
						
							
						
						
							a80c277795 
							
						 
					 
					
						
						
							
							openssh-7.1p1-3 + 0.9.2-8  
						
						
						
					 
					
						2015-09-25 14:10:39 +02:00 
						 
				 
			
				
					
						
							
							
								Jakub Jelen 
							
						 
					 
					
						
						
						
						
							
						
						
							a01bd486f0 
							
						 
					 
					
						
						
							
							Fix obsolete usage of SELinux constants ( #1261496 )  
						
						
						
					 
					
						2015-09-25 14:10:25 +02:00 
						 
				 
			
				
					
						
							
							
								Jakub Jelen 
							
						 
					 
					
						
						
						
						
							
						
						
							bf69b47630 
							
						 
					 
					
						
						
							
							Allow gss-keyex root login when without-password is set ( #2456 )  
						
						... 
						
						
						
						Reported upstream, but applicable also for our gss-keyex patch:
https://bugzilla.mindrot.org/show_bug.cgi?id=2456  
						
					 
					
						2015-09-24 15:57:11 +02:00 
						 
				 
			
				
					
						
							
							
								Jakub Jelen 
							
						 
					 
					
						
						
						
						
							
						
						
							6bf47e3d35 
							
						 
					 
					
						
						
							
							Having no keys is not fatal in gssapi key exchange ( #1261414 )  
						
						
						
					 
					
						2015-09-24 15:57:11 +02:00 
						 
				 
			
				
					
						
							
							
								Jakub Jelen 
							
						 
					 
					
						
						
						
						
							
						
						
							9a804fa266 
							
						 
					 
					
						
						
							
							Apply GSSAPI key exchange methods in client offered list ( #1261414 )  
						
						
						
					 
					
						2015-09-24 15:57:11 +02:00 
						 
				 
			
				
					
						
							
							
								Jakub Jelen 
							
						 
					 
					
						
						
						
						
							
						
						
							c6ba7b1e09 
							
						 
					 
					
						
						
							
							Return back forgotten patch which prevent connection using GSSAPI key exchange ( #1261414 )  
						
						
						
					 
					
						2015-09-24 15:57:11 +02:00 
						 
				 
			
				
					
						
							
							
								Jakub Jelen 
							
						 
					 
					
						
						
						
						
							
						
						
							812f08d95e 
							
						 
					 
					
						
						
							
							Provide full RELRO and PIE form askpass helper ( #1264036 )  
						
						
						
					 
					
						2015-09-24 15:57:11 +02:00 
						 
				 
			
				
					
						
							
							
								Jakub Jelen 
							
						 
					 
					
						
						
						
						
							
						
						
							3e5d955bcb 
							
						 
					 
					
						
						
							
							Fix FIPS mode for DH kex ( #1260253 )  
						
						
						
					 
					
						2015-09-11 11:32:37 +02:00 
						 
				 
			
				
					
						
							
							
								Jakub Jelen 
							
						 
					 
					
						
						
						
						
							
						
						
							98262158d8 
							
						 
					 
					
						
						
							
							openssh-7.1p1-2 + 0.9.2-8  
						
						
						
					 
					
						2015-09-09 14:29:31 +02:00 
						 
				 
			
				
					
						
							
							
								Jakub Jelen 
							
						 
					 
					
						
						
						
						
							
						
						
							c4c52b0667 
							
						 
					 
					
						
						
							
							Fix warnings produced by gcc  
						
						... 
						
						
						
						related to
 * ssh-keysign and fingerprint algorithms
 * ssh and GSSAPI algorithms validation 
						
					 
					
						2015-09-09 10:59:19 +02:00 
						 
				 
			
				
					
						
							
							
								Jakub Jelen 
							
						 
					 
					
						
						
						
						
							
						
						
							757fec581b 
							
						 
					 
					
						
						
							
							openssh-7.1p1-1 + 0.9.3-8  
						
						
						
					 
					
						2015-08-22 22:22:48 +02:00 
						 
				 
			
				
					
						
							
							
								Jakub Jelen 
							
						 
					 
					
						
						
						
						
							
						
						
							ccd186847a 
							
						 
					 
					
						
						
							
							Add corresponding options for ssh1 configure  
						
						
						
					 
					
						2015-08-22 22:22:48 +02:00 
						 
				 
			
				
					
						
							
							
								Jakub Jelen 
							
						 
					 
					
						
						
						
						
							
						
						
							c98f559725 
							
						 
					 
					
						
						
							
							HostKeyAlgorithms option on server is broken when using + sign  
						
						
						
					 
					
						2015-08-22 22:22:48 +02:00