OpenSSH 8.8p1 rebase

Related: rhbz#2007967
2021-11-29 14:37:28 +01:00 · 2021-11-29 14:37:28 +01:00 · 7b76af5292
commit 7b76af5292
parent c5e4c28ae1
10 changed files with 48 additions and 122 deletions
--- a/.gitignore
+++ b/.gitignore
@ -52,3 +52,5 @@ pam_ssh_agent_auth-0.9.2.tar.bz2
 /openssh-8.6p1.tar.gz.asc
 /openssh-8.7p1.tar.gz
 /openssh-8.7p1.tar.gz.asc
+/openssh-8.8p1.tar.gz
+/openssh-8.8p1.tar.gz.asc
--- a/openssh-6.6p1-kuserok.patch
+++ b/openssh-6.6p1-kuserok.patch
@ -196,11 +196,11 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
 	sPort, sHostKeyFile, sLoginGraceTime,
 	sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
 	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
-	sKerberosGetAFSToken, sKerberosUniqueCCache,
-+	sKerberosGetAFSToken, sKerberosUniqueCCache, sKerberosUseKuserok,
- 	sChallengeResponseAuthentication,
- 	sPasswordAuthentication, sKbdInteractiveAuthentication,
- 	sListenAddress, sAddressFamily,
+-	sKerberosGetAFSToken, sKerberosUniqueCCache, sPasswordAuthentication,
+	sKerberosGetAFSToken, sKerberosUniqueCCache, sKerberosUseKuserok, sPasswordAuthentication,
+	sKbdInteractiveAuthentication, sListenAddress, sAddressFamily,
+	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
+	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
@@ -478,12 +481,14 @@ static struct {
 	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
 #endif
--- a/openssh-7.3p1-x11-max-displays.patch
+++ b/openssh-7.3p1-x11-max-displays.patch
@ -110,8 +110,8 @@ diff -up openssh-7.4p1/servconf.c.x11max openssh-7.4p1/servconf.c
 		options->x11_use_localhost = 1;
 	if (options->xauth_location == NULL)
@@ -419,7 +422,7 @@ typedef enum {
- 	sPasswordAuthentication, sKbdInteractiveAuthentication,
- 	sListenAddress, sAddressFamily,
+	sKerberosGetAFSToken, sKerberosUniqueCCache, sKerberosUseKuserok, sPasswordAuthentication,
+	sKbdInteractiveAuthentication, sListenAddress, sAddressFamily,
 	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
 -	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
 +	sX11Forwarding, sX11DisplayOffset, sX11MaxDisplays, sX11UseLocalhost,
--- a/openssh-7.7p1-fips.patch
+++ b/openssh-7.7p1-fips.patch
@ -117,9 +117,9 @@ diff -up openssh-8.6p1/kexgexc.c.fips openssh-8.6p1/kexgexc.c
 diff -up openssh-8.6p1/myproposal.h.fips openssh-8.6p1/myproposal.h
 --- openssh-8.6p1/myproposal.h.fips	2021-04-16 05:55:25.000000000 +0200
 +++ openssh-8.6p1/myproposal.h	2021-04-19 16:53:03.065577869 +0200
-@@ -57,6 +57,20 @@
- 	"rsa-sha2-256," \
- 	"ssh-rsa"
+@@ -57,6 +57,19 @@
+ 	"rsa-sha2-512," \
+ 	"rsa-sha2-256"
 
 +#define	KEX_FIPS_PK_ALG	\
 +	"ecdsa-sha2-nistp256-cert-v01@openssh.com," \
@ -132,8 +132,7 @@ diff -up openssh-8.6p1/myproposal.h.fips openssh-8.6p1/myproposal.h
 +	"ecdsa-sha2-nistp384," \
 +	"ecdsa-sha2-nistp521," \
 +	"rsa-sha2-512," \
-+	"rsa-sha2-256," \
-+	"ssh-rsa"
+	"rsa-sha2-256,"
 +
 #define	KEX_SERVER_ENCRYPT \
 	"chacha20-poly1305@openssh.com," \
--- a/openssh-7.7p1-gssapi-new-unique.patch
+++ b/openssh-7.7p1-gssapi-new-unique.patch
@ -503,16 +503,15 @@ diff -up openssh-8.6p1/servconf.c.ccache_name openssh-8.6p1/servconf.c
 	if (options->gss_authentication == -1)
 		options->gss_authentication = 0;
 	if (options->gss_keyex == -1)
-@@ -506,7 +509,8 @@ typedef enum {
+@@ -506,7 +509,7 @@ typedef enum {
 	sPort, sHostKeyFile, sLoginGraceTime,
 	sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
 	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
-	sKerberosGetAFSToken, sChallengeResponseAuthentication,
-+	sKerberosGetAFSToken, sKerberosUniqueCCache,
-+	sChallengeResponseAuthentication,
-	sPasswordAuthentication, sKbdInteractiveAuthentication,
-	sListenAddress, sAddressFamily,
+-	sKerberosGetAFSToken, sPasswordAuthentication,
+	sKerberosGetAFSToken, sKerberosUniqueCCache, sPasswordAuthentication,
+	sKbdInteractiveAuthentication, sListenAddress, sAddressFamily,
 	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
+	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
@@ -593,11 +597,13 @@ static struct {
 #else
 	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
--- a/openssh-8.0p1-crypto-policies.patch
+++ b/openssh-8.0p1-crypto-policies.patch
@ -2,8 +2,8 @@ diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5
 --- openssh-8.7p1/ssh_config.5.crypto-policies	2021-08-30 13:29:00.174292872 +0200
 +++ openssh-8.7p1/ssh_config.5	2021-08-30 13:31:32.009548808 +0200
@@ -373,17 +373,13 @@ or
- .Qq *.c.example.com
- domains.
+ causes no CNAMEs to be considered for canonicalization.
+ This is the default behaviour.
 .It Cm CASignatureAlgorithms
 +The default is handled system-wide by
 +.Xr crypto-policies 7 .
@ -105,18 +105,18 @@ diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5
 Multiple algorithms must be comma-separated.
 If the specified list begins with a
 .Sq +
-character, then the specified methods will be appended to the default set
+-character, then the specified algorithms will be appended to the default set
 -instead of replacing them.
-+character, then the specified methods will be appended to the built-in
+character, then the specified algorithms will be appended to the built-in
 +openssh default set instead of replacing them.
 If the specified list begins with a
 .Sq -
- character, then the specified methods (including wildcards) will be removed
+ character, then the specified algorithms (including wildcards) will be removed
 -from the default set instead of replacing them.
 +from the built-in openssh default set instead of replacing them.
 If the specified list begins with a
 .Sq ^
- character, then the specified methods will be placed at the head of the
+ character, then the specified algorithms will be placed at the head of the
 -default set.
 -The default is:
 -.Bd -literal -offset indent
@ -178,7 +178,7 @@ diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5
 The list of available MAC algorithms may also be obtained using
 .Qq ssh -Q mac .
 .It Cm NoHostAuthenticationForLocalhost
-@@ -1553,37 +1542,25 @@ instead of continuing to execute and pas
+@@ -1553,36 +1542,25 @@ instead of continuing to execute and pas
 The default is
 .Cm no .
 .It Cm PubkeyAcceptedAlgorithms
@ -214,12 +214,11 @@ diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5
 -sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
 -rsa-sha2-512-cert-v01@openssh.com,
 -rsa-sha2-256-cert-v01@openssh.com,
-ssh-rsa-cert-v01@openssh.com,
 -ssh-ed25519,
 -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
 -sk-ssh-ed25519@openssh.com,
 -sk-ecdsa-sha2-nistp256@openssh.com,
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
+-rsa-sha2-512,rsa-sha2-256
 -.Ed
 +built-in openssh default set.
 .Pp
@ -373,18 +372,18 @@ diff -up openssh-8.7p1/sshd_config.5.crypto-policies openssh-8.7p1/sshd_config.5
 Multiple algorithms must be comma-separated.
 Alternately if the specified list begins with a
 .Sq +
-character, then the specified methods will be appended to the default set
+-character, then the specified algorithms will be appended to the default set
 -instead of replacing them.
-+character, then the specified methods will be appended to the built-in
+character, then the specified algorithms will be appended to the built-in
 +openssh default set instead of replacing them.
 If the specified list begins with a
 .Sq -
- character, then the specified methods (including wildcards) will be removed
+ character, then the specified algorithms (including wildcards) will be removed
 -from the default set instead of replacing them.
 +from the built-in openssh default set instead of replacing them.
 If the specified list begins with a
 .Sq ^
- character, then the specified methods will be placed at the head of the
+ character, then the specified algorithms will be placed at the head of the
 -default set.
 +built-in openssh default set.
 The supported algorithms are:
--- a/openssh-8.7p1-sftp-default-protocol.patch
+++ b/openssh-8.7p1-sftp-default-protocol.patch
@ -2,18 +2,6 @@ diff --git a/scp.1 b/scp.1
 index 68aac04b..a96e95ad 100644
 --- a/scp.1
 +++ b/scp.1
-@@ -8,9 +8,9 @@
- .\"
- .\" Created: Sun May  7 00:14:37 1995 ylo
- .\"
-.\" $OpenBSD: scp.1,v 1.100 2021/08/11 14:07:54 naddy Exp $
-+.\" $OpenBSD: scp.1,v 1.101 2021/09/08 23:31:39 djm Exp $
- .\"
-.Dd $Mdocdate: August 11 2021 $
-+.Dd $Mdocdate: September 8 2021 $
- .Dt SCP 1
- .Os
- .Sh NAME
@@ -18,7 +18,7 @@
 .Nd OpenSSH secure file copy
 .Sh SYNOPSIS
@ -23,55 +11,31 @@ index 68aac04b..a96e95ad 100644
 .Op Fl c Ar cipher
 .Op Fl D Ar sftp_server_path
 .Op Fl F Ar ssh_config
-@@ -37,9 +37,6 @@ It uses
- .Xr ssh 1
- for data transfer, and uses the same authentication and provides the
- same security as a login session.
-The scp protocol requires execution of the remote user's shell to perform
-.Xr glob 3
-pattern matching.
- .Pp
- .Nm
- will ask for passwords or passphrases if they are needed for
@@ -79,7 +76,9 @@ The options are as follows:
 Copies between two remote hosts are transferred through the local host.
 Without this option the data is copied directly between the two remote
 hosts.
-Note that, when using the legacy SCP protocol (the default), this option
-+Note that, when using the legacy SCP protocol (via the
+-Note that, when using the original SCP protocol (the default), this option
+Note that, when using the original SCP protocol (via the
 +.Fl O
 +flag), this option
 selects batch mode for the second host as
 .Nm
 cannot ask for passwords or passphrases for both hosts.
-@@ -146,9 +145,10 @@ Limits the used bandwidth, specified in Kbit/s.
- .It Fl O
- Use the legacy SCP protocol for file transfers instead of the SFTP protocol.
- Forcing the use of the SCP protocol may be necessary for servers that do
-not implement SFTP or for backwards-compatibility for particular filename
-wildcard patterns.
+@@ -146,7 +145,6 @@ Limits the used bandwidth, specified in Kbit/s.
+ wildcard patterns and for expanding paths with a
+ .Sq ~
+ prefix for older SFTP servers.
 -This mode is the default.
-+not implement SFTP, for backwards-compatibility for particular filename
-+wildcard patterns and for expanding paths with a
-+.Sq ~
-+prefix for older SFTP servers.
 .It Fl o Ar ssh_option
 Can be used to pass options to
 .Nm ssh
-@@ -258,16 +258,6 @@ to use for the encrypted connection.
+@@ -258,8 +258,6 @@ to use for the encrypted connection.
 The program must understand
 .Xr ssh 1
 options.
 -.It Fl s
-Use the SFTP protocol for file transfers instead of the legacy SCP protocol.
-Using SFTP avoids invoking a shell on the remote side and provides
-more predictable filename handling, as the SCP protocol
-relied on the remote shell for expanding
-.Xr glob 3
-wildcards.
-.Pp
-A near-future release of OpenSSH will make the SFTP protocol the default.
-This option will be deleted before the end of 2022.
+-Use the SFTP protocol for transfers rather than the original scp protocol.
 .It Fl T
 Disable strict filename checking.
 By default when copying files from a remote host to a local directory
@ -103,12 +67,6 @@ diff --git a/scp.c b/scp.c
 index e039350c..c7cf7529 100644
 --- a/scp.c
 +++ b/scp.c
-@@ -1,4 +1,4 @@
-/* $OpenBSD: scp.c,v 1.232 2021/08/11 14:07:54 naddy Exp $ */
-+/* $OpenBSD: scp.c,v 1.233 2021/09/08 23:31:39 djm Exp $ */
- /*
-  * scp - secure remote copy.  This is basically patched BSD rcp which
-  * uses ssh to do the data transfer (instead of using rcmd).
@@ -448,7 +448,7 @@ main(int argc, char **argv)
 	const char *errstr;
 	extern char *optarg;
--- a/openssh-8.7p1-upstream-cve-2021-41617.patch
+++ b/openssh-8.7p1-upstream-cve-2021-41617.patch
@ -1,31 +0,0 @@
-diff --git a/misc.c b/misc.c
-index b8d1040d..0134d694 100644
--- a/misc.c
-+++ b/misc.c
-@@ -1,4 +1,4 @@
-/* $OpenBSD: misc.c,v 1.169 2021/08/09 23:47:44 djm Exp $ */
-+/* $OpenBSD: misc.c,v 1.170 2021/09/26 14:01:03 djm Exp $ */
- /*
-  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
-  * Copyright (c) 2005-2020 Damien Miller.  All rights reserved.
-@@ -56,6 +56,7 @@
- #ifdef HAVE_PATHS_H
- # include <paths.h>
- #include <pwd.h>
-+#include <grp.h>
- #endif
- #ifdef SSH_TUN_OPENBSD
- #include <net/if.h>
-@@ -2695,6 +2696,12 @@ subprocess(const char *tag, const char *command,
- 		}
- 		closefrom(STDERR_FILENO + 1);
- 
-+		if (geteuid() == 0 &&
-+		    initgroups(pw->pw_name, pw->pw_gid) == -1) {
-+			error("%s: initgroups(%s, %u): %s", tag,
-+			    pw->pw_name, (u_int)pw->pw_gid, strerror(errno));
-+			_exit(1);
-+		}
- 		if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1) {
- 			error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid,
- 			    strerror(errno));
--- a/openssh.spec
+++ b/openssh.spec
@ -50,10 +50,10 @@
 %{?static_openssl:%global static_libcrypto 1}

 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
-%global openssh_ver 8.7p1
-%global openssh_rel 3
+%global openssh_ver 8.8p1
+%global openssh_rel 1
 %global pam_ssh_agent_ver 0.10.4
-%global pam_ssh_agent_rel 4
+%global pam_ssh_agent_rel 5

 Summary: An open source implementation of SSH protocol version 2
 Name: openssh
@ -197,8 +197,6 @@ Patch975: openssh-8.0p1-preserve-pam-errors.patch
 Patch976: openssh-8.7p1-sftp-default-protocol.patch
 # Implement kill switch for SCP protocol
 Patch977: openssh-8.7p1-scp-kill-switch.patch
-# CVE-2021-41617
-Patch978: openssh-8.7p1-upstream-cve-2021-41617.patch

 License: BSD
 Requires: /sbin/nologin
@ -377,7 +375,6 @@ popd
 %patch975 -p1 -b .preserve-pam-errors
 %patch976 -p1 -b .sftp-by-default
 %patch977 -p1 -b .kill-scp
-%patch978 -p1 -b .cve-2021-41617

 %patch200 -p1 -b .audit
 %patch201 -p1 -b .audit-race
@ -663,6 +660,9 @@ test -f %{sysconfig_anaconda} && \
 %endif

 %changelog
+* Mon Nov 29 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.8p1-1 + 0.10.4-5
+- New upstream release (#2007967)
+
 * Wed Sep 29 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-3
 - CVE-2021-41617 fix (#2008292)

--- a/6
+++ b/6
@ -1,4 +1,4 @@
-SHA512 (openssh-8.7p1.tar.gz) = 08c81024d9e1248abfda6cc874886ff5ae916669b93cd6aff640e0614ee8cbcbc3fe87a9ce47136b6443ddbb1168b114367c74e117551905994e1a7e3fa2c0c2
-SHA512 (openssh-8.7p1.tar.gz.asc) = 08b4bda855ca3ef202c271f1c0e3486082b93d1009a794d020e7ba223978bc87bf34b1fbccaae3379a47639bd849935fdaaf63bdb781d0a44625066ccf00fbfc
+SHA512 (openssh-8.8p1.tar.gz) = d44cd04445f9c8963513b0d5a7e8348985114ff2471e119a6e344498719ef40f09c61c354888a3be9dabcb5870e5cbe5d3aafbb861dfa1d82a4952f3d233a8df
+SHA512 (openssh-8.8p1.tar.gz.asc) = 165e025305902f884d04d4444fa3143e4ea1a25a1c65aafe05e113537b3d3e50f7cd5f818bc2ca3404699372ca78f69c46b7452faf2d3998c448a5b80a411ae4
+SHA512 (DJM-GPG-KEY.gpg) = db1191ed9b6495999e05eed2ef863fb5179bdb63e94850f192dad68eed8579836f88fbcfffd9f28524fe1457aff8cd248ee3e0afc112c8f609b99a34b80ecc0d
 SHA512 (pam_ssh_agent_auth-0.10.4.tar.gz) = caccf72174d15e43f4c86a459ac6448682e62116557cf1e1e828955f3d1731595b238df42adec57860e7f341e92daf5d8285020bcb5018f3b8a5145aa32ee1c2
-SHA512 (gpgkey-736060BA.gpg) = df44f3fdbcd1d596705348c7f5aed3f738c5f626a55955e0642f7c6c082995cf36a1b1891bb41b8715cb2aff34fef1c877e0eff0d3507dd00a055ba695757a21