rpms/openssh
7
0
Fork 2
Code Issues Pull Requests Releases Activity

import UBI openssh-9.9p1-13.el10_1

Browse Source
This commit is contained in:
AlmaLinux RelEng Bot 2026-04-02 12:07:20 -04:00
parent 745caa6950
commit f25c500b9e
2 changed files with 27 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
openssh-9.6p1-gssapi-keyex.patch
View File

@ -1240,7 +1240,7 @@ diff --color -ruNp a/kexgen.c b/kexgen.c
const struct sshbuf *client_version,
diff --color -ruNp a/kexgssc.c b/kexgssc.c
--- a/kexgssc.c 1970-01-01 01:00:00.000000000 +0100
+++ b/kexgssc.c 2024-10-14 15:18:02.491798105 +0200
+++ b/kexgssc.c 2026-03-13 12:25:23.115812190 +0100
@@ -0,0 +1,706 @@
+/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@ -1369,7 +1369,7 @@ diff --color -ruNp a/kexgssc.c b/kexgssc.c
+
+ /* Verify that the hash matches the MIC we just got. */
+ if (GSS_ERROR(ssh_gssapi_checkmic(gss, &gss->buf, &gss->msg_tok)))
+ sshpkt_disconnect(ssh, "Hash's MIC didn't verify");
+ ssh_packet_disconnect(ssh, "Hash's MIC didn't verify");
+
+ gss_release_buffer(&gss->minor, &gss->msg_tok);
+
@ -1592,10 +1592,10 @@ diff --color -ruNp a/kexgssc.c b/kexgssc.c
+ fatal("Failed to read token: %s", ssh_err(r));
+ /* If we're already complete - protocol error */
+ if (gss->major == GSS_S_COMPLETE)
+ sshpkt_disconnect(ssh, "Protocol error: received token when complete");
+ ssh_packet_disconnect(ssh, "Protocol error: received token when complete");
+ } else {
+ if (gss->major != GSS_S_COMPLETE)
+ sshpkt_disconnect(ssh, "Protocol error: did not receive final token");
+ ssh_packet_disconnect(ssh, "Protocol error: did not receive final token");
+ }
+ if ((r = sshpkt_get_end(ssh)) != 0)
+ fatal("Expecting end of packet.");
@ -1731,7 +1731,7 @@ diff --color -ruNp a/kexgssc.c b/kexgssc.c
+
+ /* Verify that the hash matches the MIC we just got. */
+ if (GSS_ERROR(ssh_gssapi_checkmic(gss, &gss->buf, &gss->msg_tok)))
+ sshpkt_disconnect(ssh, "Hash's MIC didn't verify");
+ ssh_packet_disconnect(ssh, "Hash's MIC didn't verify");
+
+ gss_release_buffer(&gss->minor, &gss->msg_tok);
+
@ -1932,10 +1932,10 @@ diff --color -ruNp a/kexgssc.c b/kexgssc.c
+ fatal("Failed to read token: %s", ssh_err(r));
+ /* If we're already complete - protocol error */
+ if (gss->major == GSS_S_COMPLETE)
+ sshpkt_disconnect(ssh, "Protocol error: received token when complete");
+ ssh_packet_disconnect(ssh, "Protocol error: received token when complete");
+ } else {
+ if (gss->major != GSS_S_COMPLETE)
+ sshpkt_disconnect(ssh, "Protocol error: did not receive final token");
+ ssh_packet_disconnect(ssh, "Protocol error: did not receive final token");
+ }
+ if ((r = sshpkt_get_end(ssh)) != 0)
+ fatal("Expecting end of packet.");
@ -1950,8 +1950,8 @@ diff --color -ruNp a/kexgssc.c b/kexgssc.c
+#endif /* defined(GSSAPI) && defined(WITH_OPENSSL) */
diff --color -ruNp a/kexgsss.c b/kexgsss.c
--- a/kexgsss.c 1970-01-01 01:00:00.000000000 +0100
+++ b/kexgsss.c 2024-10-14 15:18:02.491798105 +0200
@@ -0,0 +1,601 @@
+++ b/kexgsss.c 2026-03-13 12:32:17.556172591 +0100
@@ -0,0 +1,603 @@
+/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
+ *
@ -2083,7 +2083,7 @@ diff --color -ruNp a/kexgsss.c b/kexgsss.c
+{
+ struct kex *kex = ssh->kex;
+ Gssctxt *gss = kex->gss;
+ gss_buffer_desc msg_tok;
+ gss_buffer_desc msg_tok = GSS_C_EMPTY_BUFFER;
+ u_char hash[SSH_DIGEST_MAX_LENGTH];
+ size_t hashlen;
+ struct sshbuf *shared_secret = NULL;
@ -2167,7 +2167,8 @@ diff --color -ruNp a/kexgsss.c b/kexgsss.c
+ Gssctxt *gss = kex->gss;
+ struct sshbuf *empty;
+ struct sshbuf *client_pubkey = NULL;
+ gss_buffer_desc recv_tok, send_tok = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc recv_tok = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
+ OM_uint32 ret_flags = 0;
+ int r;
+
@ -2243,7 +2244,8 @@ diff --color -ruNp a/kexgsss.c b/kexgsss.c
+ struct ssh *ssh)
+{
+ Gssctxt *gss = ssh->kex->gss;
+ gss_buffer_desc recv_tok, send_tok = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc recv_tok = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
+ OM_uint32 ret_flags = 0;
+ int r;
+
@ -2334,7 +2336,7 @@ diff --color -ruNp a/kexgsss.c b/kexgsss.c
+{
+ struct kex *kex = ssh->kex;
+ Gssctxt *gss = kex->gss;
+ gss_buffer_desc msg_tok;
+ gss_buffer_desc msg_tok = GSS_C_EMPTY_BUFFER;
+ u_char hash[SSH_DIGEST_MAX_LENGTH];
+ size_t hashlen;
+ const BIGNUM *pub_key, *dh_p, *dh_g;
@ -2475,10 +2477,8 @@ diff --color -ruNp a/kexgsss.c b/kexgsss.c
+ fatal("GSS_GEX, bad parameters: %d !< %d !< %d", min, nbits, max);
+
+ kex->dh = mm_choose_dh(min, nbits, max);
+ if (kex->dh == NULL) {
+ sshpkt_disconnect(ssh, "Protocol error: no matching group found");
+ fatal("Protocol error: no matching group found");
+ }
+ if (kex->dh == NULL)
+ ssh_packet_disconnect(ssh, "Protocol error: no matching group found");
+
+ DH_get0_pqg(kex->dh, &dh_p, NULL, &dh_g);
+ if ((r = sshpkt_start(ssh, SSH2_MSG_KEXGSS_GROUP)) != 0 ||
@ -2510,7 +2510,8 @@ diff --color -ruNp a/kexgsss.c b/kexgsss.c
+ struct ssh *ssh)
+{
+ Gssctxt *gss = ssh->kex->gss;
+ gss_buffer_desc recv_tok, send_tok = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc recv_tok = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
+ OM_uint32 ret_flags = 0;
+ int r;
+
@ -2537,7 +2538,8 @@ diff --color -ruNp a/kexgsss.c b/kexgsss.c
+ struct ssh *ssh)
+{
+ Gssctxt *gss = ssh->kex->gss;
+ gss_buffer_desc recv_tok, send_tok = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc recv_tok = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
+ OM_uint32 ret_flags = 0;
+ int r;
+

7
openssh.spec
View File

@ -43,7 +43,7 @@
Summary: An open source implementation of SSH protocol version 2
Name: openssh
Version: %{openssh_ver}
Release: 12%{?dist}
Release: 13%{?dist}
URL: http://www.openssh.com/portable.html
Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
@ -692,6 +692,11 @@ test -f %{sysconfig_anaconda} && \
%attr(0755,root,root) %{_libdir}/sshtest/sk-dummy.so
%changelog
* Mon Mar 16 2026 Zoltan Fridrich <zfridric@redhat.com> - 9.9p1-13
- CVE-2026-3497: Fix information disclosure or denial of service due
to uninitialized variables in gssapi-keyex
Resolves: RHEL-155811
* Mon Dec 08 2025 Zoltan Fridrich <zfridric@redhat.com> - 9.9p1-12
- CVE-2025-61984: Reject usernames with control characters
Resolves: RHEL-128397