Update to version 0.9.4
Fixes CVE-2020-1730
parent
75bacb0234
commit
57b527a2bb
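--- a/libssh-0.9.4-enable-sshd-sha1-algorithms.patch
+++ b/libssh-0.9.4-enable-sshd-sha1-algorithms.patch
@@ -0,0 +1,18 @@
+--- a/tests/torture.c 2020-04-09 16:16:07.691894761 +0200
++++ b/tests/torture.c 2020-04-09 20:11:50.577962771 +0200
+@@ -636,6 +636,15 @@
+# else /* HAVE_DSA */
+"HostKeyAlgorithms +ssh-rsa\n"
+# endif /* HAVE_DSA */
++/* Add back algorithms removed from default in OpenSSH-8.2 due to SHA1
++ * deprecation*/
++# if (OPENSSH_VERSION_MAJOR == 8 && OPENSSH_VERSION_MINOR >= 2)
++ "KexAlgorithms +diffie-hellman-group14-sha1,"
++ "diffie-hellman-group-exchange-sha1,"
++ "diffie-hellman-group1-sha1\n"
++ "HostKeyAlgorithms +ssh-rsa\n"
++ "CASignatureAlgorithms +ssh-rsa\n"
++#endif
+# if (OPENSSH_VERSION_MAJOR == 7 && OPENSSH_VERSION_MINOR < 6)
+"Ciphers +3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc\n"
+# else /* OPENSSH_VERSION 7.0 - 7.5 */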
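Review bot: The version guard `# if (OPENSSH_VERSION_MAJOR == 8 && OPENSSH_VERSION_MINOR >= 2)` covers only the 8.x series, so with any later major release the re-enabled SHA-1 entries are silently dropped again and, presumably, the tests that depend on them start failing; if "8.2 and newer" is meant, `# if (OPENSSH_VERSION_MAJOR > 8 || (OPENSSH_VERSION_MAJOR == 8 && OPENSSH_VERSION_MINOR >= 2))` expresses it. The closing `#endif` also breaks with the surrounding `# endif /* HAVE_DSA */` convention; `# endif /* OPENSSH_VERSION >= 8.2 */` keeps the nesting readable. Since this appears to be the configuration fed to the test-suite sshd, the new comment should state that scope, e.g. `/* Test sshd only: re-enable algorithms OpenSSH 8.2 disabled by default because of SHA-1 deprecation */`, so the weakened algorithm list is not mistaken for guidance when the string is read on its own. The string literal being extended belongs to a function whose start and end lie outside this hunk.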
@ -1,46 +0,0 @@
From b33dcda94d313913a877bc8db006ad02141bc695 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Wed, 11 Dec 2019 11:07:33 +0100
Subject: [PATCH] torture: Accept whole pid_t range
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit d2a32ca6d3c40483a6d10340d3e11da9259e1379)
---
tests/torture.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/tests/torture.c b/tests/torture.c
index 360fd02a..907f45b3 100644
--- a/tests/torture.c
+++ b/tests/torture.c
@@ -196,6 +196,7 @@ torture_read_pidfile(const char *pidfile)
{
char buf[8] = {0};
long int tmp;
+ pid_t ret;
ssize_t rc;
int fd;
@@ -213,11 +214,16 @@ torture_read_pidfile(const char *pidfile)
buf[sizeof(buf) - 1] = '\0';
tmp = strtol(buf, NULL, 10);
- if (tmp == 0 || tmp > 0xFFFF || errno == ERANGE) {
+ if (tmp == 0 || errno == ERANGE) {
+ return -1;
+ }
+ ret = (pid_t)tmp;
+ /* Check if we are out of pid_t range on this system */
+ if ((long)ret != tmp) {
return -1;
}
- return (pid_t)(tmp & 0xFFFF);
+ return ret;
}
int torture_terminate_process(const char *pidfile)
--
2.23.0
14
libssh.spec
14
libssh.spec
@ -1,6 +1,6 @@
Name: libssh
Name: libssh
Version: 0.9.3
Version: 0.9.4
Release: 2%{?dist}
Release: 1%{?dist}
Summary: A library implementing the SSH protocol
Summary: A library implementing the SSH protocol
License: LGPLv2+
License: LGPLv2+
URL: http://www.libssh.org
URL: http://www.libssh.org
@ -11,7 +11,7 @@ Source2: https://cryptomilk.org/gpgkey-8DFF53E18F2ABC8D8F3C92237EE0FC4DCC
Source3: libssh_client.config
Source3: libssh_client.config
Source4: libssh_server.config
Source4: libssh_server.config
Patch0: libssh-0.9.4-torture_fix_pid_range_check.patch
Patch0: libssh-0.9.4-enable-sshd-sha1-algorithms.patch
BuildRequires: cmake
BuildRequires: cmake
BuildRequires: gcc-c++
BuildRequires: gcc-c++
@ -136,6 +136,14 @@ popd
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/libssh/libssh_server.config
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/libssh/libssh_server.config
%changelog
%changelog
* Thu Apr 09 2020 Anderson Sasaki <ansasaki@redhat.com> - 0.9.4-1
- Update to version 0.9.4
https://www.libssh.org/2020/04/09/libssh-0-9-4-and-libssh-0-8-9-security-release/
- Removed inclusion of OpenSSH server configuration file from
libssh_server.config
- Added patch to re-enable algorithms using sha1 in sshd for testing
- resolves: #1822529 - CVE-2020-1730
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.3-2
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
@ -1,4 +1,2 @@
# Parse system-wide crypto configuration file
# Parse system-wide crypto configuration file
Include /etc/crypto-policies/back-ends/libssh.config
Include /etc/crypto-policies/back-ends/libssh.config
# Parse OpenSSH configuration file for consistency
Include /etc/ssh/sshd_config