import openssh-8.7p1-29.el9_2
This commit is contained in:
parent
fe35f1e78c
commit
26f40c1ea2
38
SOURCES/openssh-8.7p1-CVE-2023-25136.patch
Normal file
38
SOURCES/openssh-8.7p1-CVE-2023-25136.patch
Normal file
@ -0,0 +1,38 @@
|
|||||||
|
diff --git a/compat.c b/compat.c
|
||||||
|
index 46dfe3a9c2e..478a9403eea 100644
|
||||||
|
--- a/compat.c
|
||||||
|
+++ b/compat.c
|
||||||
|
@@ -190,26 +190,26 @@ compat_pkalg_proposal(struct ssh *ssh, char *pkalg_prop)
|
||||||
|
char *
|
||||||
|
compat_kex_proposal(struct ssh *ssh, char *p)
|
||||||
|
{
|
||||||
|
- char *cp = NULL;
|
||||||
|
+ char *cp = NULL, *cp2 = NULL;
|
||||||
|
|
||||||
|
if ((ssh->compat & (SSH_BUG_CURVE25519PAD|SSH_OLD_DHGEX)) == 0)
|
||||||
|
return xstrdup(p);
|
||||||
|
debug2_f("original KEX proposal: %s", p);
|
||||||
|
if ((ssh->compat & SSH_BUG_CURVE25519PAD) != 0)
|
||||||
|
- if ((p = match_filter_denylist(p,
|
||||||
|
+ if ((cp = match_filter_denylist(p,
|
||||||
|
"curve25519-sha256@libssh.org")) == NULL)
|
||||||
|
fatal("match_filter_denylist failed");
|
||||||
|
if ((ssh->compat & SSH_OLD_DHGEX) != 0) {
|
||||||
|
- cp = p;
|
||||||
|
- if ((p = match_filter_denylist(p,
|
||||||
|
+ if ((cp2 = match_filter_denylist(cp ? cp : p,
|
||||||
|
"diffie-hellman-group-exchange-sha256,"
|
||||||
|
"diffie-hellman-group-exchange-sha1")) == NULL)
|
||||||
|
fatal("match_filter_denylist failed");
|
||||||
|
free(cp);
|
||||||
|
+ cp = cp2;
|
||||||
|
}
|
||||||
|
- debug2_f("compat KEX proposal: %s", p);
|
||||||
|
- if (*p == '\0')
|
||||||
|
+ if (cp == NULL || *cp == '\0')
|
||||||
|
fatal("No supported key exchange algorithms found");
|
||||||
|
- return p;
|
||||||
|
+ debug2_f("compat KEX proposal: %s", cp);
|
||||||
|
+ return cp;
|
||||||
|
}
|
||||||
|
|
@ -51,7 +51,7 @@
|
|||||||
|
|
||||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||||
%global openssh_ver 8.7p1
|
%global openssh_ver 8.7p1
|
||||||
%global openssh_rel 28
|
%global openssh_rel 29
|
||||||
%global pam_ssh_agent_ver 0.10.4
|
%global pam_ssh_agent_ver 0.10.4
|
||||||
%global pam_ssh_agent_rel 5
|
%global pam_ssh_agent_rel 5
|
||||||
|
|
||||||
@ -261,6 +261,10 @@ Patch1005: openssh-8.7p1-host-based-auth.patch
|
|||||||
Patch1006: openssh-8.7p1-negotiate-supported-algs.patch
|
Patch1006: openssh-8.7p1-negotiate-supported-algs.patch
|
||||||
#
|
#
|
||||||
Patch1007: openssh-8.7p1-nohostsha1proof.patch
|
Patch1007: openssh-8.7p1-nohostsha1proof.patch
|
||||||
|
# CVE-2023-25136
|
||||||
|
# upstream 12da7823336434a403f25c7cc0c2c6aed0737a35
|
||||||
|
# to fix 1005
|
||||||
|
Patch1008: openssh-8.7p1-CVE-2023-25136.patch
|
||||||
|
|
||||||
License: BSD
|
License: BSD
|
||||||
Requires: /sbin/nologin
|
Requires: /sbin/nologin
|
||||||
@ -470,6 +474,7 @@ popd
|
|||||||
%patch100 -p1 -b .coverity
|
%patch100 -p1 -b .coverity
|
||||||
|
|
||||||
%patch1007 -p1 -b .sshrsacheck
|
%patch1007 -p1 -b .sshrsacheck
|
||||||
|
%patch1008 -p1 -b .cve-2023-25136
|
||||||
|
|
||||||
autoreconf
|
autoreconf
|
||||||
pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}
|
pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}
|
||||||
@ -756,6 +761,10 @@ test -f %{sysconfig_anaconda} && \
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Apr 06 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-29
|
||||||
|
- Resolve possible self-DoS with some clients
|
||||||
|
Resolves: rhbz#2186473
|
||||||
|
|
||||||
* Thu Jan 12 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-28
|
* Thu Jan 12 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-28
|
||||||
- Do not try to use SHA1 for host key ownership proof when we don't support it server-side
|
- Do not try to use SHA1 for host key ownership proof when we don't support it server-side
|
||||||
Resolves: rhbz#2088750
|
Resolves: rhbz#2088750
|
||||||
|
Loading…
Reference in New Issue
Block a user