Ssh should refuse connection when mlkem kex is specified in FIPS
Resolves: RHEL-155161 Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
parent
5f61c2a34a
commit
a3754bfa18
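--- a/openssh-9.9p1-fill-default-options-error.patch
+++ b/openssh-9.9p1-fill-default-options-error.patch
@@ -0,0 +1,24 @@
+diff --color -ruNp a/readconf.c b/readconf.c
+--- a/readconf.c 2026-04-02 15:36:49.624394836 +0200
++++ b/readconf.c 2026-04-02 15:43:15.115047190 +0200
+@@ -2779,7 +2779,7 @@ fill_default_options(Options * options)
+{
+char *all_cipher, *all_mac, *all_kex, *all_key, *all_sig;
+char *def_cipher, *def_mac, *def_kex, *def_key, *def_sig;
+- int ret = 0, r;
++ int ret = 0;
+
+if (options->forward_agent == -1)
+options->forward_agent = 0;
+@@ -2989,9 +2989,9 @@ fill_default_options(Options * options)
+KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig);
+#define ASSEMBLE(what, defaults, all) \
+do { \
+- if ((r = kex_assemble_names(&options->what, \
++ if ((ret = kex_assemble_names(&options->what, \
+defaults, all)) != 0) { \
+- error_fr(r, "%s", #what); \
++ error_fr(ret, "%s", #what); \
+goto fail; \
+} \
+} while (0)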
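Review bot: ASSEMBLE now writes the function's return variable as a side effect, and nothing at the macro definition says so; a short comment above the `#define`, e.g. `/* On failure: stores the kex_assemble_names() error in ret and jumps to fail. */`, would keep a later edit from reintroducing a scratch variable and silently returning 0 again. The fix only holds if the `fail:` path returns `ret` unchanged and callers treat any non-zero value as fatal; both are outside the hunk, as is the rest of fill_default_options, so that is worth confirming. A regression test that sets a KexAlgorithms value not permitted in FIPS mode and expects ssh to exit non-zero would pin the behaviour named in the commit title.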
|
||||
@ -247,6 +247,8 @@ Patch1037: openssh-9.9p1-reject-cntrl-chars-in-username.patch
|
||||
# upstream 43b3bff47bb029f2299bacb6a36057981b39fdb0
|
||||
Patch1038: openssh-9.9p1-reject-null-char-in-url-string.patch
|
||||
Patch1039: openssh-9.9p1-compat-mlkem.patch
|
||||
# https://github.com/openssh/openssh-portable/pull/649
|
||||
Patch1040: openssh-9.9p1-fill-default-options-error.patch
|
||||
|
||||
License: BSD
|
||||
Requires: /sbin/nologin
|
||||
@ -460,6 +462,7 @@ popd
|
||||
%patch1037 -p1 -b .reject-cntrl-chars-in-username
|
||||
%patch1038 -p1 -b .reject-null-char-in-url-string
|
||||
%patch1039 -p1 -b .skip-mlkem-when-na
|
||||
%patch1040 -p1 -b .fill-default-options-error
|
||||
|
||||
%patch100 -p1 -b .coverity
|
||||
|
||||
@ -753,6 +756,8 @@ test -f %{sysconfig_anaconda} && \
|
||||
* Wed Apr 01 2026 Zoltan Fridrich <zfridric@redhat.com> - 9.9p1-8
|
||||
- Fix static analysis issues
|
||||
Resolves: RHEL-163366
|
||||
- Ssh should refuse connection when mlkem kex is specified in FIPS
|
||||
Resolves: RHEL-155161
|
||||
|
||||
* Thu Mar 26 2026 Zoltan Fridrich <zfridric@redhat.com> - 9.9p1-7 + 0.10.4-9
|
||||
- Version bump
|
||||
|
||||
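Review bot: Patch1040 is sourced from an upstream pull request (`# https://github.com/openssh/openssh-portable/pull/649`), whereas the comment above Patch1038 cites an upstream commit hash; if the PR is not yet merged, the carried change can drift from what upstream finally lands. Once it is merged, consider extending the comment, for example `# upstream <commit-hash-placeholder>`, so the patch can be dropped or rebased on the next version update. The file header of this section is not visible on the page.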