OpenSSH 8.8p1 rebase

Related: rhbz#2007967

.gitignore

@@ -52,3 +52,5 @@ pam_ssh_agent_auth-0.9.2.tar.bz2
 /openssh-8.6p1.tar.gz.asc
 /openssh-8.7p1.tar.gz
 /openssh-8.7p1.tar.gz.asc
+/openssh-8.8p1.tar.gz
+/openssh-8.8p1.tar.gz.asc

openssh-6.6p1-kuserok.patch

@@ -196,11 +196,11 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
 	sPort, sHostKeyFile, sLoginGraceTime,
 	sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
 	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
--	sKerberosGetAFSToken, sKerberosUniqueCCache,
+-	sKerberosGetAFSToken, sKerberosUniqueCCache, sPasswordAuthentication,
-+	sKerberosGetAFSToken, sKerberosUniqueCCache, sKerberosUseKuserok,
++	sKerberosGetAFSToken, sKerberosUniqueCCache, sKerberosUseKuserok, sPasswordAuthentication,
- 	sChallengeResponseAuthentication,
+	sKbdInteractiveAuthentication, sListenAddress, sAddressFamily,
- 	sPasswordAuthentication, sKbdInteractiveAuthentication,
+	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
- 	sListenAddress, sAddressFamily,
+	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
 @@ -478,12 +481,14 @@ static struct {
  	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
  #endif

openssh-7.3p1-x11-max-displays.patch

@@ -110,9 +110,9 @@ diff -up openssh-7.4p1/servconf.c.x11max openssh-7.4p1/servconf.c
  		options->x11_use_localhost = 1;
  	if (options->xauth_location == NULL)
 @@ -419,7 +422,7 @@ typedef enum {
- 	sPasswordAuthentication, sKbdInteractiveAuthentication,
+	sKerberosGetAFSToken, sKerberosUniqueCCache, sKerberosUseKuserok, sPasswordAuthentication,
- 	sListenAddress, sAddressFamily,
+	sKbdInteractiveAuthentication, sListenAddress, sAddressFamily,
- 	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
+	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
 -	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
 +	sX11Forwarding, sX11DisplayOffset, sX11MaxDisplays, sX11UseLocalhost,
  	sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,

openssh-7.7p1-fips.patch

@@ -117,9 +117,9 @@ diff -up openssh-8.6p1/kexgexc.c.fips openssh-8.6p1/kexgexc.c
 diff -up openssh-8.6p1/myproposal.h.fips openssh-8.6p1/myproposal.h
 --- openssh-8.6p1/myproposal.h.fips	2021-04-16 05:55:25.000000000 +0200
 +++ openssh-8.6p1/myproposal.h	2021-04-19 16:53:03.065577869 +0200
-@@ -57,6 +57,20 @@
+@@ -57,6 +57,19 @@
- 	"rsa-sha2-256," \
+ 	"rsa-sha2-512," \
- 	"ssh-rsa"
+ 	"rsa-sha2-256"
  
 +#define	KEX_FIPS_PK_ALG	\
 +	"ecdsa-sha2-nistp256-cert-v01@openssh.com," \
@@ -132,8 +132,7 @@ diff -up openssh-8.6p1/myproposal.h.fips openssh-8.6p1/myproposal.h
 +	"ecdsa-sha2-nistp384," \
 +	"ecdsa-sha2-nistp521," \
 +	"rsa-sha2-512," \
-+	"rsa-sha2-256," \
++	"rsa-sha2-256,"
-+	"ssh-rsa"
 +
  #define	KEX_SERVER_ENCRYPT \
  	"chacha20-poly1305@openssh.com," \

openssh-7.7p1-gssapi-new-unique.patch

@@ -503,16 +503,15 @@ diff -up openssh-8.6p1/servconf.c.ccache_name openssh-8.6p1/servconf.c
  	if (options->gss_authentication == -1)
  		options->gss_authentication = 0;
  	if (options->gss_keyex == -1)
-@@ -506,7 +509,8 @@ typedef enum {
+@@ -506,7 +509,7 @@ typedef enum {
 	sPort, sHostKeyFile, sLoginGraceTime,
 	sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
 	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
--	sKerberosGetAFSToken, sChallengeResponseAuthentication,
+-	sKerberosGetAFSToken, sPasswordAuthentication,
-+	sKerberosGetAFSToken, sKerberosUniqueCCache,
++	sKerberosGetAFSToken, sKerberosUniqueCCache, sPasswordAuthentication,
-+	sChallengeResponseAuthentication,
+	sKbdInteractiveAuthentication, sListenAddress, sAddressFamily,
-	sPasswordAuthentication, sKbdInteractiveAuthentication,
-	sListenAddress, sAddressFamily,
 	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
+	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
 @@ -593,11 +597,13 @@ static struct {
  #else
  	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },

openssh-8.0p1-crypto-policies.patch

@@ -2,8 +2,8 @@ diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5
 --- openssh-8.7p1/ssh_config.5.crypto-policies	2021-08-30 13:29:00.174292872 +0200
 +++ openssh-8.7p1/ssh_config.5	2021-08-30 13:31:32.009548808 +0200
 @@ -373,17 +373,13 @@ or
- .Qq *.c.example.com
+ causes no CNAMEs to be considered for canonicalization.
- domains.
+ This is the default behaviour.
  .It Cm CASignatureAlgorithms
 +The default is handled system-wide by
 +.Xr crypto-policies 7 .
@@ -105,18 +105,18 @@ diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5
  Multiple algorithms must be comma-separated.
  If the specified list begins with a
  .Sq +
--character, then the specified methods will be appended to the default set
+-character, then the specified algorithms will be appended to the default set
 -instead of replacing them.
-+character, then the specified methods will be appended to the built-in
++character, then the specified algorithms will be appended to the built-in
 +openssh default set instead of replacing them.
  If the specified list begins with a
  .Sq -
- character, then the specified methods (including wildcards) will be removed
+ character, then the specified algorithms (including wildcards) will be removed
 -from the default set instead of replacing them.
 +from the built-in openssh default set instead of replacing them.
  If the specified list begins with a
  .Sq ^
- character, then the specified methods will be placed at the head of the
+ character, then the specified algorithms will be placed at the head of the
 -default set.
 -The default is:
 -.Bd -literal -offset indent
@@ -178,7 +178,7 @@ diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5
  The list of available MAC algorithms may also be obtained using
  .Qq ssh -Q mac .
  .It Cm NoHostAuthenticationForLocalhost
-@@ -1553,37 +1542,25 @@ instead of continuing to execute and pas
+@@ -1553,36 +1542,25 @@ instead of continuing to execute and pas
  The default is
  .Cm no .
  .It Cm PubkeyAcceptedAlgorithms
@@ -214,12 +214,11 @@ diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5
 -sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
 -rsa-sha2-512-cert-v01@openssh.com,
 -rsa-sha2-256-cert-v01@openssh.com,
--ssh-rsa-cert-v01@openssh.com,
 -ssh-ed25519,
 -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
 -sk-ssh-ed25519@openssh.com,
 -sk-ecdsa-sha2-nistp256@openssh.com,
--rsa-sha2-512,rsa-sha2-256,ssh-rsa
+-rsa-sha2-512,rsa-sha2-256
 -.Ed
 +built-in openssh default set.
  .Pp
@@ -373,18 +372,18 @@ diff -up openssh-8.7p1/sshd_config.5.crypto-policies openssh-8.7p1/sshd_config.5
  Multiple algorithms must be comma-separated.
  Alternately if the specified list begins with a
  .Sq +
--character, then the specified methods will be appended to the default set
+-character, then the specified algorithms will be appended to the default set
 -instead of replacing them.
-+character, then the specified methods will be appended to the built-in
++character, then the specified algorithms will be appended to the built-in
 +openssh default set instead of replacing them.
  If the specified list begins with a
  .Sq -
- character, then the specified methods (including wildcards) will be removed
+ character, then the specified algorithms (including wildcards) will be removed
 -from the default set instead of replacing them.
 +from the built-in openssh default set instead of replacing them.
  If the specified list begins with a
  .Sq ^
- character, then the specified methods will be placed at the head of the
+ character, then the specified algorithms will be placed at the head of the
 -default set.
 +built-in openssh default set.
  The supported algorithms are:

openssh-8.7p1-sftp-default-protocol.patch

@@ -2,18 +2,6 @@ diff --git a/scp.1 b/scp.1
 index 68aac04b..a96e95ad 100644
 --- a/scp.1
 +++ b/scp.1
-@@ -8,9 +8,9 @@
- .\"
- .\" Created: Sun May  7 00:14:37 1995 ylo
- .\"
--.\" $OpenBSD: scp.1,v 1.100 2021/08/11 14:07:54 naddy Exp $
-+.\" $OpenBSD: scp.1,v 1.101 2021/09/08 23:31:39 djm Exp $
- .\"
--.Dd $Mdocdate: August 11 2021 $
-+.Dd $Mdocdate: September 8 2021 $
- .Dt SCP 1
- .Os
- .Sh NAME
 @@ -18,7 +18,7 @@
  .Nd OpenSSH secure file copy
  .Sh SYNOPSIS
@@ -23,55 +11,31 @@ index 68aac04b..a96e95ad 100644
  .Op Fl c Ar cipher
  .Op Fl D Ar sftp_server_path
  .Op Fl F Ar ssh_config
-@@ -37,9 +37,6 @@ It uses
- .Xr ssh 1
- for data transfer, and uses the same authentication and provides the
- same security as a login session.
--The scp protocol requires execution of the remote user's shell to perform
--.Xr glob 3
--pattern matching.
- .Pp
- .Nm
- will ask for passwords or passphrases if they are needed for
 @@ -79,7 +76,9 @@ The options are as follows:
  Copies between two remote hosts are transferred through the local host.
  Without this option the data is copied directly between the two remote
  hosts.
--Note that, when using the legacy SCP protocol (the default), this option
+-Note that, when using the original SCP protocol (the default), this option
-+Note that, when using the legacy SCP protocol (via the
++Note that, when using the original SCP protocol (via the
 +.Fl O
 +flag), this option
  selects batch mode for the second host as
  .Nm
  cannot ask for passwords or passphrases for both hosts.
-@@ -146,9 +145,10 @@ Limits the used bandwidth, specified in Kbit/s.
+@@ -146,7 +145,6 @@ Limits the used bandwidth, specified in Kbit/s.
- .It Fl O
+ wildcard patterns and for expanding paths with a
- Use the legacy SCP protocol for file transfers instead of the SFTP protocol.
+ .Sq ~
- Forcing the use of the SCP protocol may be necessary for servers that do
+ prefix for older SFTP servers.
--not implement SFTP or for backwards-compatibility for particular filename
--wildcard patterns.
 -This mode is the default.
-+not implement SFTP, for backwards-compatibility for particular filename
-+wildcard patterns and for expanding paths with a
-+.Sq ~
-+prefix for older SFTP servers.
  .It Fl o Ar ssh_option
  Can be used to pass options to
  .Nm ssh
-@@ -258,16 +258,6 @@ to use for the encrypted connection.
+@@ -258,8 +258,6 @@ to use for the encrypted connection.
  The program must understand
  .Xr ssh 1
  options.
 -.It Fl s
--Use the SFTP protocol for file transfers instead of the legacy SCP protocol.
+-Use the SFTP protocol for transfers rather than the original scp protocol.
--Using SFTP avoids invoking a shell on the remote side and provides
--more predictable filename handling, as the SCP protocol
--relied on the remote shell for expanding
--.Xr glob 3
--wildcards.
--.Pp
--A near-future release of OpenSSH will make the SFTP protocol the default.
--This option will be deleted before the end of 2022.
  .It Fl T
  Disable strict filename checking.
  By default when copying files from a remote host to a local directory
@@ -103,12 +67,6 @@ diff --git a/scp.c b/scp.c
 index e039350c..c7cf7529 100644
 --- a/scp.c
 +++ b/scp.c
-@@ -1,4 +1,4 @@
--/* $OpenBSD: scp.c,v 1.232 2021/08/11 14:07:54 naddy Exp $ */
-+/* $OpenBSD: scp.c,v 1.233 2021/09/08 23:31:39 djm Exp $ */
- /*
-  * scp - secure remote copy.  This is basically patched BSD rcp which
-  * uses ssh to do the data transfer (instead of using rcmd).
 @@ -448,7 +448,7 @@ main(int argc, char **argv)
  	const char *errstr;
  	extern char *optarg;

openssh-8.7p1-upstream-cve-2021-41617.patch

@@ -1,31 +0,0 @@
-diff --git a/misc.c b/misc.c
-index b8d1040d..0134d694 100644
---- a/misc.c
-+++ b/misc.c
-@@ -1,4 +1,4 @@
--/* $OpenBSD: misc.c,v 1.169 2021/08/09 23:47:44 djm Exp $ */
-+/* $OpenBSD: misc.c,v 1.170 2021/09/26 14:01:03 djm Exp $ */
- /*
-  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
-  * Copyright (c) 2005-2020 Damien Miller.  All rights reserved.
-@@ -56,6 +56,7 @@
- #ifdef HAVE_PATHS_H
- # include <paths.h>
- #include <pwd.h>
-+#include <grp.h>
- #endif
- #ifdef SSH_TUN_OPENBSD
- #include <net/if.h>
-@@ -2695,6 +2696,12 @@ subprocess(const char *tag, const char *command,
- 		}
- 		closefrom(STDERR_FILENO + 1);
- 
-+		if (geteuid() == 0 &&
-+		    initgroups(pw->pw_name, pw->pw_gid) == -1) {
-+			error("%s: initgroups(%s, %u): %s", tag,
-+			    pw->pw_name, (u_int)pw->pw_gid, strerror(errno));
-+			_exit(1);
-+		}
- 		if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1) {
- 			error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid,
- 			    strerror(errno));

openssh.spec

@@ -50,10 +50,10 @@
 %{?static_openssl:%global static_libcrypto 1}
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
-%global openssh_ver 8.7p1
+%global openssh_ver 8.8p1
-%global openssh_rel 3
+%global openssh_rel 1
 %global pam_ssh_agent_ver 0.10.4
-%global pam_ssh_agent_rel 4
+%global pam_ssh_agent_rel 5
 
 Summary: An open source implementation of SSH protocol version 2
 Name: openssh
@@ -197,8 +197,6 @@ Patch975: openssh-8.0p1-preserve-pam-errors.patch
 Patch976: openssh-8.7p1-sftp-default-protocol.patch
 # Implement kill switch for SCP protocol
 Patch977: openssh-8.7p1-scp-kill-switch.patch
-# CVE-2021-41617
-Patch978: openssh-8.7p1-upstream-cve-2021-41617.patch
 
 License: BSD
 Requires: /sbin/nologin
@@ -377,7 +375,6 @@ popd
 %patch975 -p1 -b .preserve-pam-errors
 %patch976 -p1 -b .sftp-by-default
 %patch977 -p1 -b .kill-scp
-%patch978 -p1 -b .cve-2021-41617
 
 %patch200 -p1 -b .audit
 %patch201 -p1 -b .audit-race
@@ -663,6 +660,9 @@ test -f %{sysconfig_anaconda} && \
 %endif
 
 %changelog
+* Mon Nov 29 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.8p1-1 + 0.10.4-5
+- New upstream release (#2007967)
+
 * Wed Sep 29 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-3
 - CVE-2021-41617 fix (#2008292)
 

sources

@@ -1,4 +1,4 @@
-SHA512 (openssh-8.7p1.tar.gz) = 08c81024d9e1248abfda6cc874886ff5ae916669b93cd6aff640e0614ee8cbcbc3fe87a9ce47136b6443ddbb1168b114367c74e117551905994e1a7e3fa2c0c2
+SHA512 (openssh-8.8p1.tar.gz) = d44cd04445f9c8963513b0d5a7e8348985114ff2471e119a6e344498719ef40f09c61c354888a3be9dabcb5870e5cbe5d3aafbb861dfa1d82a4952f3d233a8df
-SHA512 (openssh-8.7p1.tar.gz.asc) = 08b4bda855ca3ef202c271f1c0e3486082b93d1009a794d020e7ba223978bc87bf34b1fbccaae3379a47639bd849935fdaaf63bdb781d0a44625066ccf00fbfc
+SHA512 (openssh-8.8p1.tar.gz.asc) = 165e025305902f884d04d4444fa3143e4ea1a25a1c65aafe05e113537b3d3e50f7cd5f818bc2ca3404699372ca78f69c46b7452faf2d3998c448a5b80a411ae4
+SHA512 (DJM-GPG-KEY.gpg) = db1191ed9b6495999e05eed2ef863fb5179bdb63e94850f192dad68eed8579836f88fbcfffd9f28524fe1457aff8cd248ee3e0afc112c8f609b99a34b80ecc0d
 SHA512 (pam_ssh_agent_auth-0.10.4.tar.gz) = caccf72174d15e43f4c86a459ac6448682e62116557cf1e1e828955f3d1731595b238df42adec57860e7f341e92daf5d8285020bcb5018f3b8a5145aa32ee1c2
-SHA512 (gpgkey-736060BA.gpg) = df44f3fdbcd1d596705348c7f5aed3f738c5f626a55955e0642f7c6c082995cf36a1b1891bb41b8715cb2aff34fef1c877e0eff0d3507dd00a055ba695757a21