Merged update from upstream sources

This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/openssh.git#126d278fec03d044c5d4a19015f1214420ec9097

openssh-8.4p1-debian-compat.patch

@@ -0,0 +1,57 @@
+--- compat.h.orig	2020-10-05 10:09:02.953505129 -0700
++++ compat.h	2020-10-05 10:10:17.587733113 -0700
+@@ -34,7 +34,7 @@
+ 
+ #define SSH_BUG_UTF8TTYMODE	0x00000001
+ #define SSH_BUG_SIGTYPE		0x00000002
+-/* #define unused		0x00000004 */
++#define SSH_BUG_SIGTYPE74	0x00000004
+ /* #define unused		0x00000008 */
+ #define SSH_OLD_SESSIONID	0x00000010
+ /* #define unused		0x00000020 */
+--- compat.c.orig	2020-10-05 10:25:02.088720562 -0700
++++ compat.c	2020-10-05 10:13:11.637282492 -0700
+@@ -65,11 +65,12 @@
+ 		{ "OpenSSH_6.5*,"
+ 		  "OpenSSH_6.6*",	SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD|
+ 					SSH_BUG_SIGTYPE},
++		{ "OpenSSH_7.4*",	SSH_NEW_OPENSSH|SSH_BUG_SIGTYPE|
++		  			SSH_BUG_SIGTYPE74},
+ 		{ "OpenSSH_7.0*,"
+ 		  "OpenSSH_7.1*,"
+ 		  "OpenSSH_7.2*,"
+ 		  "OpenSSH_7.3*,"
+-		  "OpenSSH_7.4*,"
+ 		  "OpenSSH_7.5*,"
+ 		  "OpenSSH_7.6*,"
+ 		  "OpenSSH_7.7*",	SSH_NEW_OPENSSH|SSH_BUG_SIGTYPE},
+--- sshconnect2.c.orig	2020-09-26 07:26:37.618010545 -0700
++++ sshconnect2.c	2020-10-05 10:47:22.116315148 -0700
+@@ -1305,6 +1305,26 @@
+ 			break;
+ 	}
+ 	free(oallowed);
++	/*
++	 * OpenSSH 7.4 supports SHA2 sig types, but fails to indicate its
++	 * support.  For that release, check the local policy against the
++	 * SHA2 signature types.
++	 */
++	if (alg == NULL &&
++	    (key->type == KEY_RSA && (datafellows & SSH_BUG_SIGTYPE74))) {
++		oallowed = allowed = xstrdup(options.pubkey_key_types);
++		while ((cp = strsep(&allowed, ",")) != NULL) {
++			if (sshkey_type_from_name(cp) != key->type)
++				continue;
++			tmp = match_list(sshkey_sigalg_by_name(cp), "rsa-sha2-256,rsa-sha2-512", NULL);
++			if (tmp != NULL)
++				alg = xstrdup(cp);
++			free(tmp);
++			if (alg != NULL)
++				break;
++		}
++		free(oallowed);
++	}
+ 	return alg;
+ }
+ 
+

openssh-8.4p1-sandbox-seccomp.patch

@@ -0,0 +1,14 @@
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index e0768c06..5065ae7e 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -267,6 +267,9 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_pselect6
+ 	SC_ALLOW(__NR_pselect6),
+ #endif
++#ifdef __NR_pselect6_time64
++	SC_ALLOW(__NR_pselect6_time64),
++#endif
+ #ifdef __NR_read
+ 	SC_ALLOW(__NR_read),
+ #endif

openssh.spec

@@ -51,7 +51,7 @@
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 8.4p1
-%global openssh_rel 2
+%global openssh_rel 3
 %global pam_ssh_agent_ver 0.10.4
 %global pam_ssh_agent_rel 1
 
@@ -197,6 +197,10 @@ Patch965: openssh-8.2p1-visibility.patch
 # Do not break X11 without IPv6
 Patch966: openssh-8.2p1-x11-without-ipv6.patch
 Patch967: openssh-8.4p1-ssh-copy-id.patch
+# https://bugzilla.mindrot.org/show_bug.cgi?id=3232
+Patch968: openssh-8.4p1-sandbox-seccomp.patch
+# https://bugzilla.mindrot.org/show_bug.cgi?id=3213
+Patch969: openssh-8.4p1-debian-compat.patch
 
 License: BSD
 Requires: /sbin/nologin
@@ -381,6 +385,8 @@ popd
 %patch965 -p1 -b .visibility
 %patch966 -p1 -b .x11-ipv6
 %patch967 -p1 -b .ssh-copy-id
+%patch968 -p1 -b .seccomp
+%patch969 -p0 -b .debian
 
 %patch200 -p1 -b .audit
 %patch201 -p1 -b .audit-race
@@ -663,6 +669,10 @@ test -f %{sysconfig_anaconda} && \
 %endif
 
 %changelog
+* Thu Nov 19 2020 Jakub Jelen <jjelen@redhat.com> - 8.4p1-3 + 0.10.4-1
+- Unbreak seccomp filter on arm (#1897712)
+- Add a workaround for Debian's broken OpenSSH (#1881301)
+
 * Tue Oct 06 2020 Jakub Jelen <jjelen@redhat.com> - 8.4p1-2 + 0.10.4-1
 - Unbreak ssh-copy-id after a release (#1884231)
 - Remove misleading comment from sysconfig