import CS openssh-8.7p1-43.el9
This commit is contained in:
parent
828c949c3d
commit
4f059f7452
@ -81,7 +81,7 @@ diff -up openssh-8.6p1/kex.c.fips openssh-8.6p1/kex.c
|
||||
#include <openssl/crypto.h>
|
||||
+#include <openssl/fips.h>
|
||||
#include <openssl/dh.h>
|
||||
# ifdef HAVE_EVP_KDF_CTX_NEW_ID
|
||||
# ifdef HAVE_EVP_KDF_CTX_NEW
|
||||
# include <openssl/kdf.h>
|
||||
@@ -203,7 +203,10 @@ kex_names_valid(const char *names)
|
||||
for ((p = strsep(&cp, ",")); p && *p != '\0';
|
||||
|
@ -12,7 +12,7 @@ index 2a455e4e..e01c3d43 100644
|
||||
HMAC_CTX_init \
|
||||
RSA_generate_key_ex \
|
||||
RSA_get_default_method \
|
||||
+ EVP_KDF_CTX_new_id \
|
||||
+ EVP_KDF_CTX_new \
|
||||
])
|
||||
|
||||
# OpenSSL_add_all_algorithms may be a macro.
|
||||
@ -20,33 +20,35 @@ diff --git a/kex.c b/kex.c
|
||||
index b6f041f4..1fbce2bb 100644
|
||||
--- a/kex.c
|
||||
+++ b/kex.c
|
||||
@@ -38,6 +38,9 @@
|
||||
@@ -38,6 +38,11 @@
|
||||
#ifdef WITH_OPENSSL
|
||||
#include <openssl/crypto.h>
|
||||
#include <openssl/dh.h>
|
||||
+# ifdef HAVE_EVP_KDF_CTX_NEW_ID
|
||||
+# ifdef HAVE_EVP_KDF_CTX_NEW
|
||||
+# include <openssl/kdf.h>
|
||||
+# include <openssl/param_build.h>
|
||||
+# include <openssl/core_names.h>
|
||||
+# endif
|
||||
#endif
|
||||
|
||||
#include "ssh.h"
|
||||
@@ -942,6 +945,95 @@ kex_choose_conf(struct ssh *ssh)
|
||||
@@ -942,6 +945,112 @@ kex_choose_conf(struct ssh *ssh)
|
||||
return r;
|
||||
}
|
||||
|
||||
+#ifdef HAVE_EVP_KDF_CTX_NEW_ID
|
||||
+static const EVP_MD *
|
||||
+#ifdef HAVE_EVP_KDF_CTX_NEW
|
||||
+static const char *
|
||||
+digest_to_md(int digest_type)
|
||||
+{
|
||||
+ switch (digest_type) {
|
||||
+ case SSH_DIGEST_SHA1:
|
||||
+ return EVP_sha1();
|
||||
+ return SN_sha1;
|
||||
+ case SSH_DIGEST_SHA256:
|
||||
+ return EVP_sha256();
|
||||
+ return SN_sha256;
|
||||
+ case SSH_DIGEST_SHA384:
|
||||
+ return EVP_sha384();
|
||||
+ return SN_sha384;
|
||||
+ case SSH_DIGEST_SHA512:
|
||||
+ return EVP_sha512();
|
||||
+ return SN_sha512;
|
||||
+ }
|
||||
+ return NULL;
|
||||
+}
|
||||
@ -56,52 +58,67 @@ index b6f041f4..1fbce2bb 100644
|
||||
+ const struct sshbuf *shared_secret, u_char **keyp)
|
||||
+{
|
||||
+ struct kex *kex = ssh->kex;
|
||||
+ EVP_KDF_CTX *ctx = NULL;
|
||||
+ u_char *key = NULL;
|
||||
+ int r, key_len;
|
||||
+
|
||||
+ if ((key_len = ssh_digest_bytes(kex->hash_alg)) == 0)
|
||||
+ return SSH_ERR_INVALID_ARGUMENT;
|
||||
+ EVP_KDF *kdf = EVP_KDF_fetch(NULL, "SSHKDF", NULL);
|
||||
+ EVP_KDF_CTX *ctx = NULL;
|
||||
+ OSSL_PARAM_BLD *param_bld = OSSL_PARAM_BLD_new();
|
||||
+ OSSL_PARAM *params = NULL;
|
||||
+ const char *md = digest_to_md(kex->hash_alg);
|
||||
+ char keytype = (char)id;
|
||||
+
|
||||
+ if (!kdf) {
|
||||
+ r = SSH_ERR_LIBCRYPTO_ERROR;
|
||||
+ goto out;
|
||||
+ }
|
||||
+ ctx = EVP_KDF_CTX_new(kdf);
|
||||
+ EVP_KDF_free(kdf);
|
||||
+ if (!ctx) {
|
||||
+ r = SSH_ERR_LIBCRYPTO_ERROR;
|
||||
+ goto out;
|
||||
+ }
|
||||
+ if (md == NULL) {
|
||||
+ r = SSH_ERR_INVALID_ARGUMENT;
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ if (param_bld == NULL) {
|
||||
+ EVP_KDF_CTX_free(ctx);
|
||||
+ return -1;
|
||||
+ }
|
||||
+ if ((key_len = ssh_digest_bytes(kex->hash_alg)) == 0) {
|
||||
+ r = SSH_ERR_INVALID_ARGUMENT;
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ key_len = ROUNDUP(need, key_len);
|
||||
+ if ((key = calloc(1, key_len)) == NULL) {
|
||||
+ r = SSH_ERR_ALLOC_FAIL;
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ ctx = EVP_KDF_CTX_new_id(EVP_KDF_SSHKDF);
|
||||
+ if (!ctx) {
|
||||
+ r = OSSL_PARAM_BLD_push_utf8_string(param_bld, OSSL_KDF_PARAM_DIGEST,
|
||||
+ md, strlen(md)) && /* SN */
|
||||
+ OSSL_PARAM_BLD_push_octet_string(param_bld, OSSL_KDF_PARAM_KEY,
|
||||
+ sshbuf_ptr(shared_secret), sshbuf_len(shared_secret)) &&
|
||||
+ OSSL_PARAM_BLD_push_octet_string(param_bld, OSSL_KDF_PARAM_SSHKDF_XCGHASH,
|
||||
+ hash, hashlen) &&
|
||||
+ OSSL_PARAM_BLD_push_octet_string(param_bld, OSSL_KDF_PARAM_SSHKDF_SESSION_ID,
|
||||
+ sshbuf_ptr(kex->session_id), sshbuf_len(kex->session_id)) &&
|
||||
+ OSSL_PARAM_BLD_push_utf8_string(param_bld, OSSL_KDF_PARAM_SSHKDF_TYPE,
|
||||
+ &keytype, 1);
|
||||
+ if (r != 1) {
|
||||
+ r = SSH_ERR_LIBCRYPTO_ERROR;
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ r = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_MD, digest_to_md(kex->hash_alg));
|
||||
+ if (r != 1) {
|
||||
+ params = OSSL_PARAM_BLD_to_param(param_bld);
|
||||
+ if (params == NULL) {
|
||||
+ r = SSH_ERR_LIBCRYPTO_ERROR;
|
||||
+ goto out;
|
||||
+ }
|
||||
+ r = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_KEY,
|
||||
+ sshbuf_ptr(shared_secret), sshbuf_len(shared_secret));
|
||||
+ if (r != 1) {
|
||||
+ r = SSH_ERR_LIBCRYPTO_ERROR;
|
||||
+ goto out;
|
||||
+ }
|
||||
+ r = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_XCGHASH, hash, hashlen);
|
||||
+ if (r != 1) {
|
||||
+ r = SSH_ERR_LIBCRYPTO_ERROR;
|
||||
+ goto out;
|
||||
+ }
|
||||
+ r = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_TYPE, id);
|
||||
+ if (r != 1) {
|
||||
+ r = SSH_ERR_LIBCRYPTO_ERROR;
|
||||
+ goto out;
|
||||
+ }
|
||||
+ r = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID,
|
||||
+ sshbuf_ptr(kex->session_id), sshbuf_len(kex->session_id));
|
||||
+ if (r != 1) {
|
||||
+ r = SSH_ERR_LIBCRYPTO_ERROR;
|
||||
+ goto out;
|
||||
+ }
|
||||
+ r = EVP_KDF_derive(ctx, key, key_len);
|
||||
+ r = EVP_KDF_derive(ctx, key, key_len, params);
|
||||
+ if (r != 1) {
|
||||
+ r = SSH_ERR_LIBCRYPTO_ERROR;
|
||||
+ goto out;
|
||||
@ -115,6 +132,8 @@ index b6f041f4..1fbce2bb 100644
|
||||
+ r = 0;
|
||||
+
|
||||
+out:
|
||||
+ OSSL_PARAM_BLD_free(param_bld);
|
||||
+ OSSL_PARAM_free(params);
|
||||
+ free (key);
|
||||
+ EVP_KDF_CTX_free(ctx);
|
||||
+ if (r < 0) {
|
||||
@ -130,7 +149,7 @@ index b6f041f4..1fbce2bb 100644
|
||||
ssh_digest_free(hashctx);
|
||||
return r;
|
||||
}
|
||||
+#endif /* HAVE_OPENSSL_EVP_KDF_CTX_NEW_ID */
|
||||
+#endif /* HAVE_OPENSSL_EVP_KDF_CTX_NEW */
|
||||
|
||||
#define NKEYS 6
|
||||
int
|
||||
|
106
SOURCES/openssh-8.7p1-audit-hostname.patch
Normal file
106
SOURCES/openssh-8.7p1-audit-hostname.patch
Normal file
@ -0,0 +1,106 @@
|
||||
diff --color -ruNp a/audit-linux.c b/audit-linux.c
|
||||
--- a/audit-linux.c 2024-05-09 12:38:08.843017319 +0200
|
||||
+++ b/audit-linux.c 2024-05-09 12:47:05.162267634 +0200
|
||||
@@ -52,7 +52,7 @@ extern u_int utmp_len;
|
||||
const char *audit_username(void);
|
||||
|
||||
static void
|
||||
-linux_audit_user_logxxx(int uid, const char *username,
|
||||
+linux_audit_user_logxxx(int uid, const char *username, const char *hostname,
|
||||
const char *ip, const char *ttyn, int success, int event)
|
||||
{
|
||||
int audit_fd, rc, saved_errno;
|
||||
@@ -66,7 +66,7 @@ linux_audit_user_logxxx(int uid, const c
|
||||
}
|
||||
rc = audit_log_acct_message(audit_fd, event,
|
||||
NULL, "login", username ? username : "(unknown)",
|
||||
- username == NULL ? uid : -1, NULL, ip, ttyn, success);
|
||||
+ username == NULL ? uid : -1, hostname, ip, ttyn, success);
|
||||
saved_errno = errno;
|
||||
close(audit_fd);
|
||||
|
||||
@@ -181,9 +181,11 @@ audit_run_command(struct ssh *ssh, const
|
||||
{
|
||||
if (!user_login_count++)
|
||||
linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
|
||||
+ options.use_dns ? remote_hostname(ssh) : NULL,
|
||||
ssh_remote_ipaddr(ssh),
|
||||
"ssh", 1, AUDIT_USER_LOGIN);
|
||||
linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
|
||||
+ options.use_dns ? remote_hostname(ssh) : NULL,
|
||||
ssh_remote_ipaddr(ssh),
|
||||
"ssh", 1, AUDIT_USER_START);
|
||||
return 0;
|
||||
@@ -193,10 +195,12 @@ void
|
||||
audit_end_command(struct ssh *ssh, int handle, const char *command)
|
||||
{
|
||||
linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
|
||||
+ options.use_dns ? remote_hostname(ssh) : NULL,
|
||||
ssh_remote_ipaddr(ssh),
|
||||
"ssh", 1, AUDIT_USER_END);
|
||||
if (user_login_count && !--user_login_count)
|
||||
linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
|
||||
+ options.use_dns ? remote_hostname(ssh) : NULL,
|
||||
ssh_remote_ipaddr(ssh),
|
||||
"ssh", 1, AUDIT_USER_LOGOUT);
|
||||
}
|
||||
@@ -211,19 +215,27 @@ void
|
||||
audit_session_open(struct logininfo *li)
|
||||
{
|
||||
if (!user_login_count++)
|
||||
- linux_audit_user_logxxx(li->uid, NULL, li->hostname,
|
||||
+ linux_audit_user_logxxx(li->uid, NULL,
|
||||
+ options.use_dns ? li->hostname : NULL,
|
||||
+ options.use_dns ? NULL : li->hostname,
|
||||
li->line, 1, AUDIT_USER_LOGIN);
|
||||
- linux_audit_user_logxxx(li->uid, NULL, li->hostname,
|
||||
+ linux_audit_user_logxxx(li->uid, NULL,
|
||||
+ options.use_dns ? li->hostname : NULL,
|
||||
+ options.use_dns ? NULL : li->hostname,
|
||||
li->line, 1, AUDIT_USER_START);
|
||||
}
|
||||
|
||||
void
|
||||
audit_session_close(struct logininfo *li)
|
||||
{
|
||||
- linux_audit_user_logxxx(li->uid, NULL, li->hostname,
|
||||
+ linux_audit_user_logxxx(li->uid, NULL,
|
||||
+ options.use_dns ? li->hostname : NULL,
|
||||
+ options.use_dns ? NULL : li->hostname,
|
||||
li->line, 1, AUDIT_USER_END);
|
||||
if (user_login_count && !--user_login_count)
|
||||
- linux_audit_user_logxxx(li->uid, NULL, li->hostname,
|
||||
+ linux_audit_user_logxxx(li->uid, NULL,
|
||||
+ options.use_dns ? li->hostname : NULL,
|
||||
+ options.use_dns ? NULL : li->hostname,
|
||||
li->line, 1, AUDIT_USER_LOGOUT);
|
||||
}
|
||||
|
||||
@@ -236,6 +248,7 @@ audit_event(struct ssh *ssh, ssh_audit_e
|
||||
linux_audit_user_auth(-1, audit_username(),
|
||||
ssh_remote_ipaddr(ssh), "ssh", 0, event);
|
||||
linux_audit_user_logxxx(-1, audit_username(),
|
||||
+ options.use_dns ? remote_hostname(ssh) : NULL,
|
||||
ssh_remote_ipaddr(ssh), "ssh", 0, AUDIT_USER_LOGIN);
|
||||
break;
|
||||
case SSH_AUTH_FAIL_PASSWD:
|
||||
@@ -254,9 +267,11 @@ audit_event(struct ssh *ssh, ssh_audit_e
|
||||
if (user_login_count) {
|
||||
while (user_login_count--)
|
||||
linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
|
||||
+ options.use_dns ? remote_hostname(ssh) : NULL,
|
||||
ssh_remote_ipaddr(ssh),
|
||||
"ssh", 1, AUDIT_USER_END);
|
||||
linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
|
||||
+ options.use_dns ? remote_hostname(ssh) : NULL,
|
||||
ssh_remote_ipaddr(ssh),
|
||||
"ssh", 1, AUDIT_USER_LOGOUT);
|
||||
}
|
||||
@@ -265,6 +280,7 @@ audit_event(struct ssh *ssh, ssh_audit_e
|
||||
case SSH_CONNECTION_ABANDON:
|
||||
case SSH_INVALID_USER:
|
||||
linux_audit_user_logxxx(-1, audit_username(),
|
||||
+ options.use_dns ? remote_hostname(ssh) : NULL,
|
||||
ssh_remote_ipaddr(ssh), "ssh", 0, AUDIT_USER_LOGIN);
|
||||
break;
|
||||
default:
|
21
SOURCES/openssh-8.7p1-sigpipe.patch
Normal file
21
SOURCES/openssh-8.7p1-sigpipe.patch
Normal file
@ -0,0 +1,21 @@
|
||||
diff --git a/ssh.c b/ssh.c
|
||||
index 89ca1940..559bf2af 100644
|
||||
--- a/ssh.c
|
||||
+++ b/ssh.c
|
||||
@@ -1124,6 +1124,8 @@ main(int ac, char **av)
|
||||
}
|
||||
}
|
||||
|
||||
+ ssh_signal(SIGPIPE, SIG_IGN); /* ignore SIGPIPE early */
|
||||
+
|
||||
/*
|
||||
* Initialize "log" output. Since we are the client all output
|
||||
* goes to stderr unless otherwise specified by -y or -E.
|
||||
@@ -1652,7 +1654,6 @@ main(int ac, char **av)
|
||||
options.num_system_hostfiles);
|
||||
tilde_expand_paths(options.user_hostfiles, options.num_user_hostfiles);
|
||||
|
||||
- ssh_signal(SIGPIPE, SIG_IGN); /* ignore SIGPIPE early */
|
||||
ssh_signal(SIGCHLD, main_sigchld_handler);
|
||||
|
||||
/* Log into the remote system. Never returns if the login fails. */
|
30
SOURCES/openssh-9.8p1-upstream-cve-2024-6387.patch
Normal file
30
SOURCES/openssh-9.8p1-upstream-cve-2024-6387.patch
Normal file
@ -0,0 +1,30 @@
|
||||
diff -up openssh-8.7p1/log.c.xxx openssh-8.7p1/log.c
|
||||
--- openssh-8.7p1/log.c.xxx 2024-06-28 11:02:43.949912398 +0200
|
||||
+++ openssh-8.7p1/log.c 2024-06-28 11:02:58.652297885 +0200
|
||||
@@ -455,12 +455,14 @@ void
|
||||
sshsigdie(const char *file, const char *func, int line, int showfunc,
|
||||
LogLevel level, const char *suffix, const char *fmt, ...)
|
||||
{
|
||||
+#if 0
|
||||
va_list args;
|
||||
|
||||
va_start(args, fmt);
|
||||
sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
|
||||
suffix, fmt, args);
|
||||
va_end(args);
|
||||
+#endif
|
||||
_exit(1);
|
||||
}
|
||||
|
||||
diff -up openssh-8.7p1/sshd.c.xxx openssh-8.7p1/sshd.c
|
||||
--- openssh-8.7p1/sshd.c.xxx 2024-07-01 10:33:04.332907749 +0200
|
||||
+++ openssh-8.7p1/sshd.c 2024-07-01 10:33:47.843998038 +0200
|
||||
@@ -384,7 +384,7 @@ grace_alarm_handler(int sig)
|
||||
|
||||
/* Log error and exit. */
|
||||
if (use_privsep && pmonitor != NULL && pmonitor->m_pid <= 0)
|
||||
- cleanup_exit(255); /* don't log in privsep child */
|
||||
+ _exit(255); /* don't log in privsep child */
|
||||
else {
|
||||
sigdie("Timeout before authentication for %s port %d",
|
||||
ssh_remote_ipaddr(the_active_state),
|
@ -9,8 +9,14 @@ case $KEYTYPE in
|
||||
if [[ -r "$FIPS" && $(cat $FIPS) == "1" ]]; then
|
||||
exit 0
|
||||
fi ;;
|
||||
"rsa") ;; # always ok
|
||||
"ecdsa") ;;
|
||||
"rsa")
|
||||
if [[ ! -z $SSH_RSA_BITS ]]; then
|
||||
SSH_KEYGEN_OPTIONS="-b $SSH_RSA_BITS"
|
||||
fi ;; # always ok
|
||||
"ecdsa")
|
||||
if [[ ! -z $SSH_ECDSA_BITS ]]; then
|
||||
SSH_KEYGEN_OPTIONS="-b $SSH_ECDSA_BITS"
|
||||
fi ;;
|
||||
*) # wrong argument
|
||||
exit 12 ;;
|
||||
esac
|
||||
@ -25,7 +31,7 @@ fi
|
||||
rm -f $KEY{,.pub}
|
||||
|
||||
# create new keys
|
||||
if ! $KEYGEN -q -t $KEYTYPE -f $KEY -C '' -N '' >&/dev/null; then
|
||||
if ! $KEYGEN -q -t $KEYTYPE $SSH_KEYGEN_OPTIONS -f $KEY -C '' -N '' >&/dev/null; then
|
||||
exit 1
|
||||
fi
|
||||
|
||||
|
@ -5,3 +5,6 @@
|
||||
# example using systemctl enable sshd-keygen@dsa.service to allow creation
|
||||
# of DSA key or systemctl mask sshd-keygen@rsa.service to disable RSA key
|
||||
# creation.
|
||||
|
||||
#SSH_RSA_BITS=3072
|
||||
#SSH_ECDSA_BITS=256
|
||||
|
@ -47,7 +47,7 @@
|
||||
|
||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||
%global openssh_ver 8.7p1
|
||||
%global openssh_rel 38
|
||||
%global openssh_rel 43
|
||||
%global pam_ssh_agent_ver 0.10.4
|
||||
%global pam_ssh_agent_rel 5
|
||||
|
||||
@ -84,6 +84,8 @@ Patch100: openssh-6.7p1-coverity.patch
|
||||
Patch200: openssh-7.6p1-audit.patch
|
||||
# Audit race condition in forked child (#1310684)
|
||||
Patch201: openssh-7.1p2-audit-race-condition.patch
|
||||
# Correctly audit hostname and IP address
|
||||
Patch202: openssh-8.7p1-audit-hostname.patch
|
||||
|
||||
# --- pam_ssh-agent ---
|
||||
# make it build reusing the openssh sources
|
||||
@ -288,6 +290,9 @@ Patch1017: openssh-9.4p2-limit-delay.patch
|
||||
Patch1018: openssh-9.6p1-CVE-2023-48795.patch
|
||||
#upstream commit 7ef3787c84b6b524501211b11a26c742f829af1a
|
||||
Patch1019: openssh-9.6p1-CVE-2023-51385.patch
|
||||
#upstream commit 96faa0de6c673a2ce84736eba37fc9fb723d9e5c
|
||||
Patch1020: openssh-8.7p1-sigpipe.patch
|
||||
Patch1021: openssh-9.8p1-upstream-cve-2024-6387.patch
|
||||
|
||||
License: BSD
|
||||
Requires: /sbin/nologin
|
||||
@ -484,6 +489,7 @@ popd
|
||||
|
||||
%patch200 -p1 -b .audit
|
||||
%patch201 -p1 -b .audit-race
|
||||
%patch202 -p1 -b .audit-hostname
|
||||
%patch700 -p1 -b .fips
|
||||
|
||||
%patch1000 -p1 -b .minimize-sha1-use
|
||||
@ -511,6 +517,8 @@ popd
|
||||
%patch1017 -p1 -b .limitdelay
|
||||
%patch1018 -p1 -b .cve-2023-48795
|
||||
%patch1019 -p1 -b .cve-2023-51385
|
||||
%patch1020 -p1 -b .earlypipe
|
||||
%patch1021 -p1 -b .cve-2024-6387
|
||||
|
||||
autoreconf
|
||||
pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}
|
||||
@ -798,6 +806,28 @@ test -f %{sysconfig_anaconda} && \
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Jul 09 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-43
|
||||
- Possible remote code execution due to a race condition (CVE-2024-6409)
|
||||
Resolves: RHEL-45741
|
||||
|
||||
* Thu Jul 04 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-42
|
||||
- Possible remote code execution due to a race condition (CVE-2024-6387)
|
||||
Resolves: RHEL-45348
|
||||
|
||||
* Mon Jun 03 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-41
|
||||
- Fix ssh multiplexing connect timeout processing
|
||||
Resolves: RHEL-37748
|
||||
|
||||
* Thu May 02 2024 Zoltan Fridrich <zfridric@redhat.com> - 8.7p1-40
|
||||
- Correctly audit hostname and IP address
|
||||
Resolves: RHEL-22316
|
||||
- Make default key sizes configurable in sshd-keygen
|
||||
Resolves: RHEL-26454
|
||||
|
||||
* Wed Apr 24 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-39
|
||||
- Use FIPS-compatible API for key derivation
|
||||
Resolves: RHEL-32809
|
||||
|
||||
* Fri Jan 05 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-38
|
||||
- Fix Terrapin attack
|
||||
Resolves: CVE-2023-48795
|
||||
|
Loading…
Reference in New Issue
Block a user