Relax OpenSSH checks for OpenSSL version
Resolves: RHEL-4734
This commit is contained in:
parent
edaf6c0fb4
commit
d8b51e8341
40
openssh-9.3p1-openssl-compat.patch
Normal file
40
openssh-9.3p1-openssl-compat.patch
Normal file
@ -0,0 +1,40 @@
|
||||
--- openssh-9.3p1/openbsd-compat/openssl-compat.c 2023-03-15 22:28:19.000000000 +0100
|
||||
+++ /home/dbelyavs/work/upstream/openssh-portable/openbsd-compat/openssl-compat.c 2023-05-25 14:19:42.870841944 +0200
|
||||
@@ -33,10 +33,10 @@
|
||||
|
||||
/*
|
||||
* OpenSSL version numbers: MNNFFPPS: major minor fix patch status
|
||||
- * We match major, minor, fix and status (not patch) for <1.0.0.
|
||||
- * After that, we acceptable compatible fix versions (so we
|
||||
- * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed
|
||||
- * within a patch series.
|
||||
+ * Versions >=3 require only major versions to match.
|
||||
+ * For versions <3, we accept compatible fix versions (so we allow 1.0.1
|
||||
+ * to work with 1.0.0). Going backwards is only allowed within a patch series.
|
||||
+ * See https://www.openssl.org/policies/releasestrat.html
|
||||
*/
|
||||
|
||||
int
|
||||
@@ -48,15 +48,17 @@
|
||||
if (headerver == libver)
|
||||
return 1;
|
||||
|
||||
- /* for versions < 1.0.0, major,minor,fix,status must match */
|
||||
- if (headerver < 0x1000000f) {
|
||||
- mask = 0xfffff00fL; /* major,minor,fix,status */
|
||||
+ /*
|
||||
+ * For versions >= 3.0, only the major and status must match.
|
||||
+ */
|
||||
+ if (headerver >= 0x3000000f) {
|
||||
+ mask = 0xf000000fL; /* major,status */
|
||||
return (headerver & mask) == (libver & mask);
|
||||
}
|
||||
|
||||
/*
|
||||
- * For versions >= 1.0.0, major,minor,status must match and library
|
||||
- * fix version must be equal to or newer than the header.
|
||||
+ * For versions >= 1.0.0, but <3, major,minor,status must match and
|
||||
+ * library fix version must be equal to or newer than the header.
|
||||
*/
|
||||
mask = 0xfff0000fL; /* major,minor,status */
|
||||
hfix = (headerver & 0x000ff000) >> 12;
|
@ -51,7 +51,7 @@
|
||||
|
||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||
%global openssh_ver 8.7p1
|
||||
%global openssh_rel 34
|
||||
%global openssh_rel 35
|
||||
%global pam_ssh_agent_ver 0.10.4
|
||||
%global pam_ssh_agent_rel 5
|
||||
|
||||
@ -282,6 +282,8 @@ Patch1014: openssh-8.7p1-UTC-time-parse.patch
|
||||
# upsream commit
|
||||
# b23fe83f06ee7e721033769cfa03ae840476d280
|
||||
Patch1015: openssh-9.3p1-upstream-cve-2023-38408.patch
|
||||
#upstream commit b7afd8a4ecaca8afd3179b55e9db79c0ff210237
|
||||
Patch1016: openssh-9.3p1-openssl-compat.patch
|
||||
|
||||
License: BSD
|
||||
Requires: /sbin/nologin
|
||||
@ -501,6 +503,7 @@ popd
|
||||
%patch1013 -p1 -b .man-hostkeyalgos
|
||||
%patch1014 -p1 -b .utc_parse
|
||||
%patch1015 -p1 -b .cve-2023-38408
|
||||
%patch1016 -p1 -b .openssl3compat
|
||||
|
||||
autoreconf
|
||||
pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}
|
||||
@ -787,6 +790,10 @@ test -f %{sysconfig_anaconda} && \
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Oct 23 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-35
|
||||
- Relax OpenSSH checks for OpenSSL version
|
||||
Resolves: RHEL-4734
|
||||
|
||||
* Thu Jul 20 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-34
|
||||
- Avoid remote code execution in ssh-agent PKCS#11 support
|
||||
Resolves: CVE-2023-38408
|
||||
|
Loading…
Reference in New Issue
Block a user