Ssh should refuse connection when mlkem kex is specified in FIPS
Resolves: RHEL-155178 Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
parent
7f2ed42778
commit
27f5b6826e
24
openssh-9.9p1-fill-default-options-error.patch
Normal file
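--- a/openssh-9.9p1-fill-default-options-error.patch
+++ b/openssh-9.9p1-fill-default-options-error.patch
@@ -0,0 +1,24 @@
+diff --color -ruNp a/readconf.c b/readconf.c
+--- a/readconf.c 2026-04-02 15:36:49.624394836 +0200
++++ b/readconf.c 2026-04-02 15:43:15.115047190 +0200
+@@ -2779,7 +2779,7 @@ fill_default_options(Options * options)
+{
+char *all_cipher, *all_mac, *all_kex, *all_key, *all_sig;
+char *def_cipher, *def_mac, *def_kex, *def_key, *def_sig;
+- int ret = 0, r;
++ int ret = 0;
+
+if (options->forward_agent == -1)
+options->forward_agent = 0;
+@@ -2989,9 +2989,9 @@ fill_default_options(Options * options)
+KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig);
+#define ASSEMBLE(what, defaults, all) \
+do { \
+- if ((r = kex_assemble_names(&options->what, \
++ if ((ret = kex_assemble_names(&options->what, \
+defaults, all)) != 0) { \
+- error_fr(r, "%s", #what); \
++ error_fr(ret, "%s", #what); \
+goto fail; \
+} \
+} while (0)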
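Review bot: The ASSEMBLE macro in the second readconf.c hunk needs a comment saying why the kex_assemble_names() result must be stored in `ret`. Presumably the `fail:` path returns `ret`, so with the old scratch variable `r` a rejected algorithm list was logged while fill_default_options() still reported success. I would add above the macro `/* Assign to ret, not a scratch variable: the fail path returns it and the caller must see a non-zero result. */`. Because the macro is generic, the stricter behaviour likely applies to every algorithm list assembled with it, not only to mlkem kex under FIPS, and the changelog entry could say so. The `fail:` label, the final return and any remaining use of the removed `r` lie outside both hunks and should be checked against the full function.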
@ -237,6 +237,8 @@ Patch1037: openssh-9.9p1-first-match-wins.patch
# upstream eddd1d2daa64a6ab1a915ca88436fa41aede44d4
# upstream bc328144f149af07139a0f2c1329018cd85b86b7
Patch1038: openssh-9.9p1-maxstartups-mistracking.patch
# https://github.com/openssh/openssh-portable/pull/649
Patch1039: openssh-9.9p1-fill-default-options-error.patch
License: BSD-3-Clause AND BSD-2-Clause AND ISC AND SSH-OpenSSH AND ssh-keyscan AND snprintf AND LicenseRef-Fedora-Public-Domain AND X11-distribute-modifications-variant
Requires: /sbin/nologin
@ -439,6 +441,7 @@ gpgv2 --quiet --keyring %{SOURCE3} %{SOURCE1} %{SOURCE0}
%patch -P 1036 -p1 -b .gssapi-s4u
%patch -P 1037 -p1 -b .first-match-wins
%patch -P 1038 -p1 -b .maxstartups-mistracking
%patch -P 1039 -p1 -b .fill-default-options-error
%patch -P 100 -p1 -b .coverity
@ -722,6 +725,8 @@ test -f %{sysconfig_anaconda} && \
* Wed Apr 01 2026 Zoltan Fridrich <zfridric@redhat.com> - 9.9p1-25
- Fix static analysis issues
Resolves: RHEL-163365
- Ssh should refuse connection when mlkem kex is specified in FIPS
Resolves: RHEL-155178
* Fri Mar 27 2026 Zoltan Fridrich <zfridric@redhat.com> - 9.9p1-24
- Fix typo in SPDX license name