import UBI openssh-8.0p1-24.el8

2024-05-22 13:26:20 +00:00 · 2024-05-22 13:26:20 +00:00 · 6d16bfdb3c
commit 6d16bfdb3c
parent b6a876a1a7
8 changed files with 267 additions and 50 deletions
--- a/SOURCES/openssh-6.7p1-coverity.patch
+++ b/SOURCES/openssh-6.7p1-coverity.patch
@ -136,18 +136,6 @@ diff -up openssh-7.4p1/serverloop.c.coverity openssh-7.4p1/serverloop.c
 		if (tun != SSH_TUNID_ANY &&
 		    auth_opts->force_tun_device != (int)tun)
 			goto done;
 diff -up openssh-7.4p1/sftp.c.coverity openssh-7.4p1/sftp.c
 --- openssh-7.4p1/sftp.c.coverity	2016-12-19 05:59:41.000000000 +0100
 +++ openssh-7.4p1/sftp.c	2016-12-23 16:40:26.903788691 +0100
@@ -224,7 +224,7 @@ killchild(int signo)
 {
 	if (sshpid > 1) {
 		kill(sshpid, SIGTERM);
 -		waitpid(sshpid, NULL, 0);
 +		(void) waitpid(sshpid, NULL, 0);
 	}
 	_exit(1);
 diff -up openssh-7.4p1/ssh-agent.c.coverity openssh-7.4p1/ssh-agent.c
 --- openssh-7.4p1/ssh-agent.c.coverity	2016-12-19 05:59:41.000000000 +0100
 +++ openssh-7.4p1/ssh-agent.c	2016-12-23 16:40:26.903788691 +0100
--- a/SOURCES/openssh-7.7p1-fips.patch
+++ b/SOURCES/openssh-7.7p1-fips.patch
@ -471,6 +471,47 @@ diff -up openssh-7.9p1/sshkey.c.fips openssh-7.9p1/sshkey.c
 #include "xmss_fast.h"
@@ -392,7 +394,8 @@ sshkey_calculate_signature(EVP_PKEY *pkey
 {
 	EVP_MD_CTX *ctx = NULL;
 	u_char *sig = NULL;
 -	int ret, slen, len;
 +	int ret, slen;
 +	size_t len;
 	if (sigp == NULL || lenp == NULL) {
 		return SSH_ERR_INVALID_ARGUMENT;
@@ -411,9 +414,10 @@ sshkey_calculate_signature(EVP_PKEY *pkey
 		ret = SSH_ERR_ALLOC_FAIL;
 		goto error;
 	}
 -	if (EVP_SignInit_ex(ctx, ssh_digest_to_md(hash_alg), NULL) <= 0 ||
 -	    EVP_SignUpdate(ctx, data, datalen) <= 0 ||
 -	    EVP_SignFinal(ctx, sig, &len, pkey) <= 0) {
 +	if (EVP_DigestSignInit(ctx, NULL, ssh_digest_to_md(hash_alg),
 +	        NULL, pkey) != 1 ||
 +	    EVP_DigestSignUpdate(ctx, data, datalen) != 1 ||
 +	    EVP_DigestSignFinal(ctx, sig, &len) != 1) {
 		ret = SSH_ERR_LIBCRYPTO_ERROR;
 		goto error;
 	}
@@ -440,12 +444,13 @@ sshkey_verify_signature(EVP_PKEY *pkey
 	if ((ctx = EVP_MD_CTX_new()) == NULL) {
 		return SSH_ERR_ALLOC_FAIL;
 	}
 -	if (EVP_VerifyInit_ex(ctx, ssh_digest_to_md(hash_alg), NULL) <= 0 ||
 -	    EVP_VerifyUpdate(ctx, data, datalen) <= 0) {
 +	if (EVP_DigestVerifyInit(ctx, NULL, ssh_digest_to_md(hash_alg),
 +	    NULL, pkey) != 1 ||
 +	    EVP_DigestVerifyUpdate(ctx, data, datalen) != 1) {
 		ret = SSH_ERR_LIBCRYPTO_ERROR;
 		goto done;
 	}
 -	ret = EVP_VerifyFinal(ctx, sigbuf, siglen, pkey);
 +	ret = EVP_DigestVerifyFinal(ctx, sigbuf, siglen);
 	switch (ret) {
 	case 1:
 		ret = 0;
@@ -1514,6 +1516,8 @@ rsa_generate_private_key(u_int bits, RSA
 	}
 	if (!BN_set_word(f4, RSA_F4) ||
@ -515,3 +556,14 @@ diff -up openssh-7.9p1/ssh-keygen.c.fips openssh-7.9p1/ssh-keygen.c
 		if ((fd = mkstemp(prv_tmp)) == -1) {
 			error("Could not save your public key in %s: %s",
 			    prv_tmp, strerror(errno));
 diff -up openssh-8.0p1/sshd_config.xxx openssh-8.0p1/sshd_config
 --- openssh-8.0p1/sshd_config.xxx	2023-10-30 13:01:59.150952364 +0100
 +++ openssh-8.0p1/sshd_config	2023-10-30 13:02:56.662231354 +0100
@@ -21,6 +21,7 @@
 HostKey /etc/ssh/ssh_host_rsa_key
 HostKey /etc/ssh/ssh_host_ecdsa_key
 +#In FIPS mode Ed25519 keys are not supported, please comment out the next line
 HostKey /etc/ssh/ssh_host_ed25519_key
 # Ciphers and keying
--- a/SOURCES/openssh-8.0p1-avoidkillall.patch
+++ b/SOURCES/openssh-8.0p1-avoidkillall.patch
@ -0,0 +1,20 @@
 diff --git a/sftp.c b/sftp.c
 index b66037f1..54538ff9 100644
 --- a/sftp.c
 +++ b/sftp.c
@@ -220,9 +220,12 @@ static const struct CMD cmds[] = {
 static void
 killchild(int signo)
 {
 -	if (sshpid > 1) {
 -		kill(sshpid, SIGTERM);
 -		waitpid(sshpid, NULL, 0);
 +	pid_t pid;
 +
 +	pid = sshpid;
 +	if (pid > 1) {
 +		kill(pid, SIGTERM);
 +		(void)waitpid(pid, NULL, 0);
 	}
 	_exit(1);
--- a/SOURCES/openssh-8.0p1-bigsshdconfig.patch
+++ b/SOURCES/openssh-8.0p1-bigsshdconfig.patch
@ -0,0 +1,13 @@
 diff --git a/msg.c b/msg.c
 index 99c25cd2..574a566e 100644
 --- a/msg.c
 +++ b/msg.c
@@ -77,7 +77,7 @@ ssh_msg_recv(int fd, struct sshbuf *m)
 		return (-1);
 	}
 	msg_len = get_u32(buf);
 -	if (msg_len > 256 * 1024) {
 +	if (msg_len > sshbuf_max_size(m)) {
 		error("ssh_msg_recv: read: bad msg_len %u", msg_len);
 		return (-1);
 	}
--- a/SOURCES/openssh-8.0p1-gssapi-keyex.patch
+++ b/SOURCES/openssh-8.0p1-gssapi-keyex.patch
@ -1509,7 +1509,7 @@ new file mode 100644
 index 00000000..0b2f6a56
 --- /dev/null
 +++ b/kexgssc.c
-@@ -0,0 +1,595 @@
+@@ -0,0 +1,618 @@
 +/*
 + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
 + *
@ -1571,7 +1571,7 @@ index 00000000..0b2f6a56
 +	struct sshbuf *server_blob = NULL;
 +	struct sshbuf *shared_secret = NULL;
 +	struct sshbuf *server_host_key_blob = NULL;
-+	struct sshbuf *empty = sshbuf_new();
+	struct sshbuf *empty = NULL;
 +	u_char *msg;
 +	int type = 0;
 +	int first = 1;
@ -1610,8 +1610,10 @@ index 00000000..0b2f6a56
 +	default:
 +		fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
 +	}
-+	if (r != 0)
+	if (r != 0) {
 +		ssh_gssapi_delete_ctx(&ctxt);
 +		return r;
 +	}
 +
 +	token_ptr = GSS_C_NO_BUFFER;
 +
@ -1674,11 +1676,16 @@ index 00000000..0b2f6a56
 +			do {
 +				type = ssh_packet_read(ssh);
 +				if (type == SSH2_MSG_KEXGSS_HOSTKEY) {
 +					char *tmp = NULL;
 +					size_t tmp_len = 0;
 +
 +					debug("Received KEXGSS_HOSTKEY");
 +					if (server_host_key_blob)
 +						fatal("Server host key received more than once");
-+					if ((r = sshpkt_getb_froms(ssh, &server_host_key_blob)) != 0)
+					if ((r = sshpkt_get_string(ssh, &tmp, &tmp_len)) != 0)
 +						fatal("Failed to read server host key: %s", ssh_err(r));
 +					if ((server_host_key_blob = sshbuf_from(tmp, tmp_len)) == NULL)
 +						fatal("sshbuf_from failed");
 +				}
 +			} while (type == SSH2_MSG_KEXGSS_HOSTKEY);
 +
@ -1779,6 +1786,11 @@ index 00000000..0b2f6a56
 +	if (r != 0)
 +		goto out;
 +
 +	if ((empty = sshbuf_new()) == NULL) {
 +		r = SSH_ERR_ALLOC_FAIL;
 +		goto out;
 +	}
 +
 +	hashlen = sizeof(hash);
 +	if ((r = kex_gen_hash(
 +	    kex->hash_alg,
@ -1848,7 +1860,7 @@ index 00000000..0b2f6a56
 +	size_t hashlen;
 +	const BIGNUM *pub_key, *dh_p, *dh_g;
 +	int nbits = 0, min = DH_GRP_MIN, max = DH_GRP_MAX;
-+	struct sshbuf *empty = sshbuf_new();
+	struct sshbuf *empty = NULL;
 +	u_char c;
 +	int r;
 +
@ -1960,11 +1972,16 @@ index 00000000..0b2f6a56
 +			do {
 +				type = ssh_packet_read(ssh);
 +				if (type == SSH2_MSG_KEXGSS_HOSTKEY) {
 +					char *tmp = NULL;
 +					size_t tmp_len = 0;
 +
 +					debug("Received KEXGSS_HOSTKEY");
 +					if (server_host_key_blob)
 +						fatal("Server host key received more than once");
-+					if ((r = sshpkt_getb_froms(ssh, &server_host_key_blob)) != 0)
+					if ((r = sshpkt_get_string(ssh, &tmp, &tmp_len)) != 0)
 +						fatal("sshpkt failed: %s", ssh_err(r));
 +					if ((server_host_key_blob = sshbuf_from(tmp, tmp_len)) == NULL)
 +						fatal("sshbuf_from failed");
 +				}
 +			} while (type == SSH2_MSG_KEXGSS_HOSTKEY);
 +
@ -2040,6 +2057,7 @@ index 00000000..0b2f6a56
 +	    (r = sshbuf_get_bignum2(buf, &dh_server_pub)) != 0)
 +		goto out;
 +	sshbuf_free(buf);
 +	buf = NULL;
 +
 +	if ((shared_secret = sshbuf_new()) == NULL) {
 +		r = SSH_ERR_ALLOC_FAIL;
@ -2048,6 +2066,10 @@ index 00000000..0b2f6a56
 +
 +	if ((r = kex_dh_compute_key(kex, dh_server_pub, shared_secret)) != 0)
 +		goto out;
 +	if ((empty = sshbuf_new()) == NULL) {
 +		r = SSH_ERR_ALLOC_FAIL;
 +		goto out;
 +	}
 +
 +	DH_get0_pqg(kex->dh, &dh_p, NULL, &dh_g);
 +	hashlen = sizeof(hash);
@ -2094,6 +2116,7 @@ index 00000000..0b2f6a56
 +	if ((r = kex_derive_keys(ssh, hash, hashlen, shared_secret)) == 0)
 +		r = kex_send_newkeys(ssh);
 +out:
 +	sshbuf_free(buf);
 +	sshbuf_free(server_blob);
 +	sshbuf_free(empty);
 +	explicit_bzero(hash, sizeof(hash));
@ -2110,7 +2133,7 @@ new file mode 100644
 index 00000000..60bc02de
 --- /dev/null
 +++ b/kexgsss.c
-@@ -0,0 +1,474 @@
+@@ -0,0 +1,482 @@
 +/*
 + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
 + *
@ -2177,7 +2200,7 @@ index 00000000..60bc02de
 +	 */
 +
 +	OM_uint32 ret_flags = 0;
-+	gss_buffer_desc gssbuf, recv_tok, msg_tok;
+	gss_buffer_desc gssbuf = {0, NULL}, recv_tok, msg_tok;
 +	gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
 +	Gssctxt *ctxt = NULL;
 +	struct sshbuf *shared_secret = NULL;
@ -2217,7 +2240,7 @@ index 00000000..60bc02de
 +		type = ssh_packet_read(ssh);
 +		switch(type) {
 +		case SSH2_MSG_KEXGSS_INIT:
-+			if (client_pubkey != NULL)
+			if (gssbuf.value != NULL)
 +				fatal("Received KEXGSS_INIT after initialising");
 +			if ((r = ssh_gssapi_sshpkt_get_buffer_desc(ssh,
 +			        &recv_tok)) != 0 ||
@ -2248,6 +2271,31 @@ index 00000000..60bc02de
 +				goto out;
 +
 +			/* Send SSH_MSG_KEXGSS_HOSTKEY here, if we want */
 +
 +			/* Calculate the hash early so we can free the
 +			* client_pubkey, which has reference to the parent
 +			* buffer state->incoming_packet
 +			*/
 +			hashlen = sizeof(hash);
 +			if ((r = kex_gen_hash(
 +			    kex->hash_alg,
 +			    kex->client_version,
 +			    kex->server_version,
 +			    kex->peer,
 +			    kex->my,
 +			    empty,
 +			    client_pubkey,
 +			    server_pubkey,
 +			    shared_secret,
 +			    hash, &hashlen)) != 0)
 +				goto out;
 +
 +			gssbuf.value = hash;
 +			gssbuf.length = hashlen;
 +
 +			sshbuf_free(client_pubkey);
 +			client_pubkey = NULL;
 +
 +			break;
 +		case SSH2_MSG_KEXGSS_CONTINUE:
 +			if ((r = ssh_gssapi_sshpkt_get_buffer_desc(ssh,
@ -2269,7 +2317,7 @@ index 00000000..60bc02de
 +		if (maj_status != GSS_S_COMPLETE && send_tok.length == 0)
 +			fatal("Zero length token output when incomplete");
 +
-+		if (client_pubkey == NULL)
+		if (gssbuf.value == NULL)
 +			fatal("No client public key");
 +
 +		if (maj_status & GSS_S_CONTINUE_NEEDED) {
@ -2298,23 +2346,6 @@ index 00000000..60bc02de
 +	if (!(ret_flags & GSS_C_INTEG_FLAG))
 +		fatal("Integrity flag wasn't set");
 +
 +	hashlen = sizeof(hash);
 +	if ((r = kex_gen_hash(
 +	    kex->hash_alg,
 +	    kex->client_version,
 +	    kex->server_version,
 +	    kex->peer,
 +	    kex->my,
 +	    empty,
 +	    client_pubkey,
 +	    server_pubkey,
 +	    shared_secret,
 +	    hash, &hashlen)) != 0)
 +		goto out;
 +
 +	gssbuf.value = hash;
 +	gssbuf.length = hashlen;
 +
 +	if (GSS_ERROR(PRIVSEP(ssh_gssapi_sign(ctxt, &gssbuf, &msg_tok))))
 +		fatal("Couldn't get MIC");
 +
--- a/SOURCES/openssh-8.7p1-scp-kill-switch.patch
+++ b/SOURCES/openssh-8.7p1-scp-kill-switch.patch
@ -0,0 +1,46 @@
 diff -up openssh-8.7p1/pathnames.h.kill-scp openssh-8.7p1/pathnames.h
 --- openssh-8.7p1/pathnames.h.kill-scp	2021-09-16 11:37:57.240171687 +0200
 +++ openssh-8.7p1/pathnames.h	2021-09-16 11:42:29.183427917 +0200
@@ -42,6 +42,7 @@
 #define _PATH_HOST_XMSS_KEY_FILE	SSHDIR "/ssh_host_xmss_key"
 #define _PATH_HOST_RSA_KEY_FILE		SSHDIR "/ssh_host_rsa_key"
 #define _PATH_DH_MODULI			SSHDIR "/moduli"
 +#define _PATH_SCP_KILL_SWITCH		SSHDIR "/disable_scp"
 #ifndef _PATH_SSH_PROGRAM
 #define _PATH_SSH_PROGRAM		"/usr/bin/ssh"
 diff -up openssh-8.7p1/scp.1.kill-scp openssh-8.7p1/scp.1
 --- openssh-8.7p1/scp.1.kill-scp	2021-09-16 12:09:02.646714578 +0200
 +++ openssh-8.7p1/scp.1	2021-09-16 12:26:49.978628226 +0200
@@ -278,6 +278,13 @@ to print debugging messages about their
 This is helpful in
 debugging connection, authentication, and configuration problems.
 .El
 +.Pp
 +Usage of SCP protocol can be blocked by creating a world-readable
 +.Ar /etc/ssh/disable_scp
 +file. If this file exists, when SCP protocol is in use (either remotely or 
 +via the
 +.Fl O
 +option), the program will exit.
 .Sh EXIT STATUS
 .Ex -std scp
 .Sh SEE ALSO
 diff -up openssh-8.7p1/scp.c.kill-scp openssh-8.7p1/scp.c
 --- openssh-8.7p1/scp.c.kill-scp	2021-09-16 11:42:56.013650519 +0200
 +++ openssh-8.7p1/scp.c	2021-09-16 11:53:03.249713836 +0200
@@ -596,6 +596,14 @@ main(int argc, char **argv)
 	argc -= optind;
 	argv += optind;
 +	{
 +		FILE *f = fopen(_PATH_SCP_KILL_SWITCH, "r");
 +		if (f != NULL) {
 +			fclose(f);
 +			fatal("SCP protocol is forbidden via %s", _PATH_SCP_KILL_SWITCH);
 +		}
 +	}
 +
 	if ((pwd = getpwuid(userid = getuid())) == NULL)
 		fatal("unknown user %u", (u_int) userid);
--- a/SOURCES/openssh-9.4p2-limit-delay.patch
+++ b/SOURCES/openssh-9.4p2-limit-delay.patch
@ -0,0 +1,33 @@
 diff -u -p -r1.166 auth2.c
 --- a/auth2.c	8 Mar 2023 04:43:12 -0000	1.166
 +++ b/auth2.c	28 Aug 2023 08:32:44 -0000
@@ -208,6 +208,7 @@ input_service_request(int type, u_int32_
 }
 #define MIN_FAIL_DELAY_SECONDS 0.005
 +#define MAX_FAIL_DELAY_SECONDS 5.0
 static double
 user_specific_delay(const char *user)
 {
@@ -233,6 +234,12 @@ ensure_minimum_time_since(double start, 
 	struct timespec ts;
 	double elapsed = monotime_double() - start, req = seconds, remain;
 +	if (elapsed > MAX_FAIL_DELAY_SECONDS) {
 +		debug3("elapsed %0.3lfms exceeded the max delay "
 +		    "requested %0.3lfms)", elapsed*1000, req*1000);
 +		return;
 +	}
 +
 	/* if we've already passed the requested time, scale up */
 	while ((remain = seconds - elapsed) < 0.0)
 		seconds *= 2;
@@ -317,7 +324,7 @@ input_userauth_request(int type, u_int32
 		debug2("input_userauth_request: try method %s", method);
 		authenticated =	m->userauth(ssh);
 	}
 -	if (!authctxt->authenticated)
 +	if (!authctxt->authenticated && strcmp(method, "none") != 0)
 		ensure_minimum_time_since(tstart,
 		    user_specific_delay(authctxt->user));
 	userauth_finish(ssh, authenticated, method, NULL);
--- a/SPECS/openssh.spec
+++ b/SPECS/openssh.spec
@ -66,14 +66,14 @@
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 8.0p1
-%global openssh_rel 19
+%global openssh_rel 24
 %global pam_ssh_agent_ver 0.10.3
 %global pam_ssh_agent_rel 7
 Summary: An open source implementation of SSH protocol version 2
 Name: openssh
 Version: %{openssh_ver}
-Release: %{openssh_rel}%{?dist}%{?rescue_rel}.2
+Release: %{openssh_rel}%{?dist}%{?rescue_rel}
 URL: http://www.openssh.com/portable.html
 #URL1: http://pamsshagentauth.sourceforge.net
 Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
@ -277,13 +277,21 @@ Patch985: openssh-8.7p1-minimize-sha1-use.patch
 Patch986: openssh-9.1p1-sshbanner.patch
 # Upstream 25e3bccbaa63d27b9d5e09c123f1eb28594d2bd6
 Patch987: openssh-8.0p1-ipv6-process.patch
 # Upstream 4332b4fe49360679647a8705bc08f4e81323f6b4
 Patch988: openssh-8.0p1-avoidkillall.patch
 # Upstream 89b54900ac61986760452f132bbe3fb7249cfdac
 Patch989: openssh-8.0p1-bigsshdconfig.patch
 # upsream commit
 # b23fe83f06ee7e721033769cfa03ae840476d280
 Patch1015: openssh-9.3p1-upstream-cve-2023-38408.patch
 #upstream commit 01dbf3d46651b7d6ddf5e45d233839bbfffaeaec
 Patch1017: openssh-9.4p2-limit-delay.patch
 #upstream commit 1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5
 Patch1018: openssh-9.6p1-CVE-2023-48795.patch
 #upstream commit 7ef3787c84b6b524501211b11a26c742f829af1a
 Patch1019: openssh-9.6p1-CVE-2023-51385.patch
 # SCP kill switch
 Patch1020: openssh-8.7p1-scp-kill-switch.patch
 License: BSD
 Group: Applications/Internet
@ -376,7 +384,7 @@ Requires: openssh = %{version}-%{release}
 Summary: PAM module for authentication with ssh-agent
 Group: System Environment/Base
 Version: %{pam_ssh_agent_ver}
-Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}%{?rescue_rel}.2
+Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}%{?rescue_rel}
 License: BSD
 %description
@ -517,6 +525,8 @@ popd
 %patch985 -p1 -b .minimize-sha1-use
 %patch986 -p1 -b .banner
 %patch987 -p1 -b .sftp_ipv6
 %patch988 -p1 -b .killall
 %patch989 -p1 -b .bigsshdconfig
 %patch200 -p1 -b .audit
 %patch201 -p1 -b .audit-race
@ -525,8 +535,10 @@ popd
 %patch100 -p1 -b .coverity
 %patch1015 -p1 -b .cve-2023-38408
 %patch1017 -p1 -b .limitdelay
 %patch1018 -p1 -b .cve-2023-48795
 %patch1019 -p1 -b .cve-2023-51385
 %patch1020 -p1 -b .scp-kill-switch
 autoreconf
 pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
@ -812,15 +824,37 @@ getent passwd sshd >/dev/null || \
 %endif
 %changelog
-* Mon Jan 08 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-19.2
+* Tue Feb 06 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-24
- Fix Terrapin attack
+- Providing a kill switch for scp to deal with CVE-2020-15778
-  Resolves: RHEL-19762
+  Resolves: RHEL-22870
-* Thu Dec 21 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-19.1
+* Fri Jan 05 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-23
 - Fix Terrapin attack
-  Resolves: RHEL-19762
+  Resolves: RHEL-19308
 * Thu Dec 21 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-22
 - Fix Terrapin attack
  Resolves: RHEL-19308
 - Forbid shell metasymbols in username/hostname
-  Resolves: RHEL-19820
+  Resolves: RHEL-19788
 * Tue Nov 07 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-21
 - Using DigestSign/DigestVerify functions for better FIPS compatibility
  Resolves: RHEL-5217
 * Mon Oct 30 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-20
 - Limit artificial delays in sshd while login using AD user
  Resolves: RHEL-1684
 - Add comment to OpenSSH server config about FIPS-incompatible key
  Resolves: RHEL-5221
 - Avoid killing all processes on system in case of race condition
  Resolves: RHEL-11548
 - Avoid sshd_config 256K limit
  Resolves: RHEL-5279
 - Using DigestSign/DigestVerify functions for better FIPS compatibility
  Resolves: RHEL-5217
 - Fix GSS KEX causing ssh failures when connecting to WinSSHD
  Resolves: RHEL-5321
 * Thu Aug 24 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-19
 - rebuilt