Hello community,

here is the log from the commit of package openssh for openSUSE:Factory checked in at 2018-01-16 09:41:33
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openssh (Old)
 and      /work/SRC/openSUSE:Factory/.openssh.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssh" Tue Jan 16 09:41:33 2018 rev:112 rq:563834 version:7.6p1 Changes: -------- --- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2017-10-28 14:20:45.833571161 +0200 +++ /work/SRC/openSUSE:Factory/.openssh.new/openssh.changes 2018-01-16 09:41:36.991806815 +0100 
@@ -1,0 +2,644 @@ +Fri Jan 12 12:38:09 UTC 2018 - pce...@suse.com + +- Replace forgotten references to /var/adm/fillup-templates + with new %_fillupdir macro (boo#1069468) +- tighten configuration access rights + +------------------------------------------------------------------- +Fri Jan 12 00:38:37 CET 2018 - pce...@suse.com + +- Update to vanilla 7.6p1 + Most important changes (more details below): + * complete removal of the ancient SSHv1 protocol + * sshd(8) cannot run without privilege separation + * removal of suport for arcfourm blowfish and CAST ciphers + and RIPE-MD160 HMAC + * refuse RSA keys shorter than 1024 bits + Distilled upstream log: +- OpenSSH 7.3 + ---- Security + * sshd(8): Mitigate a potential denial-of-service attack + against the system's crypt(3) function via sshd(8). An + attacker could send very long passwords that would cause + excessive CPU use in crypt(3). sshd(8) now refuses to accept + password authentication requests of length greater than 1024 + characters. Independently reported by Tomas Kuthan (Oracle), + Andres Rojas and Javier Nieto. + * sshd(8): Mitigate timing differences in password + authentication that could be used to discern valid from + invalid account names when long passwords were sent and + particular password hashing algorithms are in use on the + server. CVE-2016-6210, reported by EddieEzra.Harari at + verint.com + * ssh(1), sshd(8): Fix observable timing weakness in the CBC + padding oracle countermeasures. Reported by Jean Paul + Degabriele, Kenny Paterson, Torben Hansen and Martin + Albrecht. Note that CBC ciphers are disabled by default and + only included for legacy compatibility. + * ssh(1), sshd(8): Improve operation ordering of MAC + verification for Encrypt-then-MAC (EtM) mode transport MAC + algorithms to verify the MAC before decrypting any + ciphertext. This removes the possibility of timing + differences leaking facts about the plaintext, though no such + leakage has been observed. 
Reported by Jean Paul Degabriele, + Kenny Paterson, Torben Hansen and Martin Albrecht. + * sshd(8): (portable only) Ignore PAM environment vars when + UseLogin=yes. If PAM is configured to read user-specified + environment variables and UseLogin=yes in sshd_config, then a + hostile local user may attack /bin/login via LD_PRELOAD or + similar environment variables set via PAM. CVE-2015-8325, + found by Shayan Sadigh. + ---- New Features + * ssh(1): Add a ProxyJump option and corresponding -J + command-line flag to allow simplified indirection through a + one or more SSH bastions or "jump hosts". + * ssh(1): Add an IdentityAgent option to allow specifying + specific agent sockets instead of accepting one from the + environment. + * ssh(1): Allow ExitOnForwardFailure and ClearAllForwardings to + be optionally overridden when using ssh -W. bz#2577 + * ssh(1), sshd(8): Implement support for the IUTF8 terminal + mode as per draft-sgtatham-secsh-iutf8-00. + * ssh(1), sshd(8): Add support for additional fixed + Diffie-Hellman 2K, 4K and 8K groups from + draft-ietf-curdle-ssh-kex-sha2-03. + * ssh-keygen(1), ssh(1), sshd(8): support SHA256 and SHA512 RSA + signatures in certificates; + * ssh(1): Add an Include directive for ssh_config(5) files. + * ssh(1): Permit UTF-8 characters in pre-authentication banners + sent from the server. bz#2058 + ---- Bugfixes + * ssh(1), sshd(8): Reduce the syslog level of some relatively + common protocol events from LOG_CRIT. bz#2585 + * sshd(8): Refuse AuthenticationMethods="" in configurations + and accept AuthenticationMethods=any for the default + behaviour of not requiring multiple authentication. bz#2398 + * sshd(8): Remove obsolete and misleading "POSSIBLE BREAK-IN + ATTEMPT!" message when forward and reverse DNS don't match. + bz#2585 + * ssh(1): Close ControlPersist background process stderr except + in debug mode or when logging to syslog. 
bz#1988 + * misc: Make PROTOCOL description for + direct-streamlo...@openssh.com channel open messages match + deployed code. bz#2529 + * ssh(1): Deduplicate LocalForward and RemoteForward entries to + fix failures when both ExitOnForwardFailure and hostname + canonicalisation are enabled. bz#2562 + * sshd(8): Remove fallback from moduli to obsolete "primes" + file that was deprecated in 2001. bz#2559. + * sshd_config(5): Correct description of UseDNS: it affects ssh + hostname processing for authorized_keys, not known_hosts; + bz#2554 + * ssh(1): Fix authentication using lone certificate keys in an + agent without corresponding private keys on the filesystem. + bz#2550 + * sshd(8): Send ClientAliveInterval pings when a time-based + RekeyLimit is set; previously keepalive packets were not + being sent. bz#2252 + ---- Portability + * ssh(1), sshd(8): Fix compilation by automatically disabling + ciphers not supported by OpenSSL. bz#2466 + * misc: Fix compilation failures on some versions of AIX's + compiler related to the definition of the VA_COPY macro. + bz#2589 + * sshd(8): Whitelist more architectures to enable the + seccomp-bpf sandbox. bz#2590 + * ssh-agent(1), sftp-server(8): Disable process tracing on + Solaris using setpflags(__PROC_PROTECT, ...). bz#2584 + * sshd(8): On Solaris, don't call Solaris setproject() with + UsePAM=yes it's PAM's responsibility. bz#2425 +- OpenSSH 7.4 + ---- Potentially-incompatible changes + * ssh(1): Remove 3des-cbc from the client's default proposal. + 64-bit block ciphers are not safe in 2016 and we don't want + to wait until attacks like SWEET32 are extended to SSH. As + 3des-cbc was the only mandatory cipher in the SSH RFCs, this + may cause problems connecting to older devices using the + default configuration, but it's highly likely that such + devices already need explicit configuration for key exchange + and hostkey algorithms already anyway. + * sshd(8): Remove support for pre-authentication compression. 
+ Doing compression early in the protocol probably seemed + reasonable in the 1990s, but today it's clearly a bad idea in + terms of both cryptography (cf. multiple compression oracle + attacks in TLS) and attack surface. Pre-auth compression + support has been disabled by default for >10 years. Support + remains in the client. + * ssh-agent will refuse to load PKCS#11 modules outside a + whitelist of trusted paths by default. The path whitelist may + be specified at run-time. + * sshd(8): When a forced-command appears in both a certificate + and an authorized keys/principals command= restriction, sshd + will now refuse to accept the certificate unless they are + identical. The previous (documented) behaviour of having the + certificate forced-command override the other could be a bit + confusing and error-prone. + * sshd(8): Remove the UseLogin configuration directive and + support for having /bin/login manage login sessions. + ---- Security + * ssh-agent(1): Will now refuse to load PKCS#11 modules from + paths outside a trusted whitelist (run-time configurable). + Requests to load modules could be passed via agent forwarding + and an attacker could attempt to load a hostile PKCS#11 + module across the forwarded agent channel: PKCS#11 modules + are shared libraries, so this would result in code execution + on the system running the ssh-agent if the attacker has + control of the forwarded agent-socket (on the host running + the sshd server) and the ability to write to the filesystem + of the host running ssh-agent (usually the host running the + ssh client). Reported by Jann Horn of Project Zero. + * sshd(8): When privilege separation is disabled, forwarded + Unix- domain sockets would be created by sshd(8) with the + privileges of 'root' instead of the authenticated user. This + release refuses Unix-domain socket forwarding when privilege + separation is disabled (Privilege separation has been enabled + by default for 14 years). 
Reported by Jann Horn of Project + Zero. + * sshd(8): Avoid theoretical leak of host private key material + to privilege-separated child processes via realloc() when + reading keys. No such leak was observed in practice for + normal-sized keys, nor does a leak to the child processes + directly expose key material to unprivileged users. Reported + by Jann Horn of Project Zero. + * sshd(8): The shared memory manager used by pre-authentication + compression support had a bounds checks that could be elided + by some optimising compilers. Additionally, this memory + manager was incorrectly accessible when pre-authentication + compression was disabled. This could potentially allow + attacks against the privileged monitor process from the + sandboxed privilege-separation process (a compromise of the + latter would be required first). This release removes + support for pre-authentication compression from sshd(8). + Reported by Guido Vranken using the Stack unstable + optimisation identification tool + (http://css.csail.mit.edu/stack/) + * sshd(8): Fix denial-of-service condition where an attacker + who sends multiple KEXINIT messages may consume up to 128MB + per connection. Reported by Shi Lei of Gear Team, Qihoo 360. + * sshd(8): Validate address ranges for AllowUser and DenyUsers + directives at configuration load time and refuse to accept + invalid ones. It was previously possible to specify invalid + CIDR address ranges (e.g. user@127.1.2.3/55) and these would + always match, possibly resulting in granting access where it + was not intended. Reported by Laurence Parry. + ---- New Features + * ssh(1): Add a proxy multiplexing mode to ssh(1) inspired by + the version in PuTTY by Simon Tatham. This allows a + multiplexing client to communicate with the master process + using a subset of the SSH packet and channels protocol over a + Unix-domain socket, with the main process acting as a proxy + that translates channel IDs, etc. 
This allows multiplexing + mode to run on systems that lack file- descriptor passing + (used by current multiplexing code) and potentially, in + conjunction with Unix-domain socket forwarding, with the + client and multiplexing master process on different machines. + Multiplexing proxy mode may be invoked using "ssh -O proxy + ..." + * sshd(8): Add a sshd_config DisableForwarding option that ++++ 447 more lines (skipped) ++++ between /work/SRC/openSUSE:Factory/openssh/openssh.changes ++++ and /work/SRC/openSUSE:Factory/.openssh.new/openssh.changes Old: ---- openssh-7.2p2-IPv6_X_forwarding.patch openssh-7.2p2-X11_trusted_forwarding.patch openssh-7.2p2-X_forward_with_disabled_ipv6.patch openssh-7.2p2-additional_seccomp_archs.patch openssh-7.2p2-allow_DSS_by_default.patch openssh-7.2p2-allow_root_password_login.patch openssh-7.2p2-audit.patch openssh-7.2p2-audit_fixes.patch openssh-7.2p2-audit_seed_prng.patch openssh-7.2p2-blocksigalrm.patch openssh-7.2p2-cavstest-ctr.patch openssh-7.2p2-cavstest-kdf.patch openssh-7.2p2-disable_openssl_abi_check.patch openssh-7.2p2-disable_preauth_compression.patch openssh-7.2p2-disable_short_DH_parameters.patch openssh-7.2p2-dont_use_pthreads_in_PAM.patch openssh-7.2p2-eal3.patch openssh-7.2p2-enable_PAM_by_default.patch openssh-7.2p2-fips.patch openssh-7.2p2-gssapi_key_exchange.patch openssh-7.2p2-host_ident.patch openssh-7.2p2-hostname_changes_when_forwarding_X.patch openssh-7.2p2-ignore_PAM_with_UseLogin.patch openssh-7.2p2-keep_slogin.patch openssh-7.2p2-kex_resource_depletion.patch openssh-7.2p2-lastlog.patch openssh-7.2p2-ldap.patch openssh-7.2p2-limit_password_length.patch openssh-7.2p2-login_options.patch openssh-7.2p2-no_fork-no_pid_file.patch openssh-7.2p2-pam_check_locks.patch openssh-7.2p2-prevent_private_key_leakage.patch openssh-7.2p2-prevent_timing_user_enumeration.patch openssh-7.2p2-pts_names_formatting.patch openssh-7.2p2-remove_xauth_cookies_on_exit.patch openssh-7.2p2-restrict_pkcs11-modules.patch 
openssh-7.2p2-s390_OpenSSL-ibmpkcs11_syscalls.patch openssh-7.2p2-s390_hw_crypto_syscalls.patch openssh-7.2p2-seccomp_geteuid.patch openssh-7.2p2-seccomp_getuid.patch openssh-7.2p2-seccomp_stat.patch openssh-7.2p2-secure_unix_sockets_forwarding.patch openssh-7.2p2-seed-prng.patch openssh-7.2p2-send_locale.patch openssh-7.2p2-sftp_force_permissions.patch openssh-7.2p2-sftp_homechroot.patch openssh-7.2p2-ssh_case_insensitive_host_matching.patch openssh-7.2p2-verify_CIDR_address_ranges.patch openssh-7.2p2.tar.gz openssh-7.2p2.tar.gz.asc New: ---- openssh-7.6p1-SUSE_patches.tar.gz openssh-7.6p1.tar.gz openssh-7.6p1.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openssh-askpass-gnome.spec ++++++ --- /var/tmp/diff_new_pack.qL004o/_old 2018-01-16 09:41:38.775723313 +0100 +++ /var/tmp/diff_new_pack.qL004o/_new 2018-01-16 09:41:38.779723126 +0100 @@ -1,7 +1,7 @@ # # spec file for package openssh-askpass-gnome # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2018 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -26,7 +26,7 @@ BuildRequires: pam-devel BuildRequires: tcpd-devel BuildRequires: update-desktop-files -Version: 7.2p2 +Version: 7.6p1 Release: 0 Requires: openssh = %{version} Summary: A GNOME-Based Passphrase Dialog for OpenSSH ++++++ openssh.spec ++++++ --- /var/tmp/diff_new_pack.qL004o/_old 2018-01-16 09:41:38.799722190 +0100 +++ /var/tmp/diff_new_pack.qL004o/_new 2018-01-16 09:41:38.803722002 +0100 
@@ -1,7 +1,7 @@ # # spec file for package openssh # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2018 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -16,6 +16,11 @@ # +#Compat macro for new _fillupdir macro introduced in Nov 2017 +%if ! %{defined _fillupdir} + %define _fillupdir /var/adm/fillup-templates +%endif + %if 0%{suse_version} >= 1100 %define has_fw_dir 1 %else @@ -85,6 +90,7 @@ BuildRequires: openldap2-devel BuildRequires: pam-devel %if %{uses_systemd} +BuildRequires: systemd-devel BuildRequires: pkgconfig(systemd) %{?systemd_requires} %endif @@ -93,7 +99,7 @@ %if ! %{uses_systemd} PreReq: %{insserv_prereq} %endif -Version: 7.2p2 +Version: 7.6p1 Release: 0 Summary: Secure Shell Client and Server (Remote Login Program) License: BSD-2-Clause and MIT 
@@ -113,54 +119,7 @@ Source10: sshd.service Source11: README.FIPS Source12: cavs_driver-ssh.pl -Patch00: openssh-7.2p2-allow_root_password_login.patch -Patch01: openssh-7.2p2-allow_DSS_by_default.patch -Patch02: openssh-7.2p2-X11_trusted_forwarding.patch -Patch03: openssh-7.2p2-lastlog.patch -Patch04: openssh-7.2p2-enable_PAM_by_default.patch -Patch05: openssh-7.2p2-dont_use_pthreads_in_PAM.patch -Patch06: openssh-7.2p2-eal3.patch -Patch07: openssh-7.2p2-blocksigalrm.patch -Patch08: openssh-7.2p2-send_locale.patch -Patch09: openssh-7.2p2-hostname_changes_when_forwarding_X.patch -Patch10: openssh-7.2p2-remove_xauth_cookies_on_exit.patch -Patch11: openssh-7.2p2-pts_names_formatting.patch -Patch12: openssh-7.2p2-pam_check_locks.patch -Patch13: openssh-7.2p2-disable_short_DH_parameters.patch -Patch14: openssh-7.2p2-seccomp_getuid.patch -Patch15: openssh-7.2p2-seccomp_geteuid.patch -Patch16: openssh-7.2p2-seccomp_stat.patch -Patch17: openssh-7.2p2-additional_seccomp_archs.patch -Patch18: openssh-7.2p2-fips.patch -Patch19: openssh-7.2p2-cavstest-ctr.patch -Patch20: openssh-7.2p2-cavstest-kdf.patch -Patch21: openssh-7.2p2-seed-prng.patch -Patch22: openssh-7.2p2-gssapi_key_exchange.patch -Patch23: openssh-7.2p2-audit.patch -Patch24: openssh-7.2p2-audit_fixes.patch -Patch25: openssh-7.2p2-audit_seed_prng.patch -Patch26: openssh-7.2p2-login_options.patch -Patch27: openssh-7.2p2-disable_openssl_abi_check.patch -Patch28: openssh-7.2p2-no_fork-no_pid_file.patch -Patch29: openssh-7.2p2-host_ident.patch -Patch30: openssh-7.2p2-sftp_homechroot.patch -Patch31: openssh-7.2p2-sftp_force_permissions.patch -Patch32: openssh-7.2p2-X_forward_with_disabled_ipv6.patch -Patch33: openssh-7.2p2-ldap.patch -Patch34: openssh-7.2p2-IPv6_X_forwarding.patch -Patch35: openssh-7.2p2-ignore_PAM_with_UseLogin.patch -Patch36: openssh-7.2p2-prevent_timing_user_enumeration.patch -Patch37: openssh-7.2p2-limit_password_length.patch -Patch38: openssh-7.2p2-keep_slogin.patch -Patch39: 
openssh-7.2p2-kex_resource_depletion.patch -Patch40: openssh-7.2p2-verify_CIDR_address_ranges.patch -Patch41: openssh-7.2p2-restrict_pkcs11-modules.patch -Patch42: openssh-7.2p2-prevent_private_key_leakage.patch -Patch43: openssh-7.2p2-secure_unix_sockets_forwarding.patch -Patch44: openssh-7.2p2-ssh_case_insensitive_host_matching.patch -Patch45: openssh-7.2p2-disable_preauth_compression.patch -Patch46: openssh-7.2p2-s390_hw_crypto_syscalls.patch -Patch47: openssh-7.2p2-s390_OpenSSL-ibmpkcs11_syscalls.patch +Source100: openssh-%{version}-SUSE_patches.tar.gz BuildRoot: %{_tmppath}/%{name}-%{version}-build Conflicts: nonfreessh Recommends: audit 
@@ -211,64 +170,22 @@ %prep -%setup -q -%patch00 -p2 -%patch01 -p2 -%patch02 -p2 -%patch03 -p2 -%patch04 -p2 -%patch05 -p2 -%patch06 -p2 -%patch07 -p2 -%patch08 -p2 -%patch09 -p2 -%patch10 -p2 -%patch11 -p2 -%patch12 -p2 -%patch13 -p2 -%patch14 -p2 -%patch15 -p2 -%patch16 -p2 -%patch17 -p2 -%patch18 -p2 -%patch19 -p2 -%patch20 -p2 -%patch21 -p2 -%patch22 -p2 -%patch23 -p2 -%patch24 -p2 -%patch25 -p2 -%patch26 -p2 -%patch27 -p2 -%patch28 -p2 -%patch29 -p2 -%patch30 -p2 -%patch31 -p2 -%patch32 -p2 -%patch33 -p2 -%patch34 -p2 -%patch35 -p2 -%patch36 -p2 -%patch37 -p2 -%patch38 -p2 -%patch39 -p2 -%patch40 -p2 -%patch41 -p2 -%patch42 -p2 -%patch43 -p2 -%patch44 -p2 -%patch45 -p2 -%patch46 -p2 -%patch47 -p2 +%setup -q -b 100 cp %{SOURCE3} %{SOURCE4} %{SOURCE11} . +# patch sources +PATCH_DIR="../SUSE_patches" +cat $PATCH_DIR/patch.series | while read p; do + printf ">> applying '$p'\n" + patch -p2 < "${PATCH_DIR}/$p" +done -%build -# set libexec dir in the LDAP patch -sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \ - $( grep -Rl @LIBEXECDIR@ \ - $( grep "^+++" %{PATCH33} | sed -r 's@^.+/([^/\t ]+).*$@\1@' ) - ) +#LDAP: # set libexec dir in the LDAP patch +#LDAP: sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \ +#LDAP: $( grep -Rl @LIBEXECDIR@ \ +#LDAP: $( grep "^+++" %{PATCH33} | sed -r 's@^.+/([^/\t ]+).*$@\1@' ) +#LDAP: ) +%build autoreconf -fiv %ifarch s390 s390x %sparc PIEFLAGS="-fPIE" @@ -292,6 +209,7 @@ %endif %if %{uses_systemd} --with-pid-dir=/run \ + --with-systemd \ %endif --with-ssl-engine \ --with-pam \ 
@@ -339,8 +257,8 @@ install -m 0644 %{SOURCE10} . ln -s ../..%{_initddir}/sshd %{buildroot}%{_sbindir}/rcsshd %endif -install -d -m 755 %{buildroot}/var/adm/fillup-templates -install -m 644 %{SOURCE8} %{buildroot}/var/adm/fillup-templates +install -d -m 755 %{buildroot}%{_fillupdir} +install -m 644 %{SOURCE8} %{buildroot}%{_fillupdir} # install shell script to automate the process of adding your public key to a remote machine install -m 755 contrib/ssh-copy-id %{buildroot}%{_bindir} install -m 644 contrib/ssh-copy-id.1 %{buildroot}%{_mandir}/man1 @@ -449,7 +367,7 @@ %attr(0444,root,root) %doc %{_mandir}/man8/* %dir %{_sysconfdir}/slp.reg.d %config %{_sysconfdir}/slp.reg.d/ssh.reg -/var/adm/fillup-templates/sysconfig.ssh +%{_fillupdir}/sysconfig.ssh %if %{has_fw_dir} %if %{needs_all_dirs} %dir %{_fwdir} @@ -461,10 +379,10 @@ %files helpers %defattr(-,root,root) %attr(0755,root,root) %dir %{_sysconfdir}/ssh -%verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ldap.conf +#verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ldap.conf %attr(0755,root,root) %dir %{_libexecdir}/ssh -%attr(0755,root,root) %{_libexecdir}/ssh/ssh-ldap* -%doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema +#attr(0755,root,root) %{_libexecdir}/ssh/ssh-ldap* +#doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema %files fips %defattr(-,root,root) ++++++ openssh-7.2p2.tar.gz -> openssh-7.6p1.tar.gz ++++++ ++++ 125655 lines of diff (skipped)
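Review bot: two documentation points in the new openssh.changes entry (hunk @@ -1,0 +2,644 @@). "removal of suport for arcfourm blowfish and CAST ciphers" should read "removal of support for arcfour, blowfish and CAST ciphers", and the bullet "- tighten configuration access rights" names neither the files nor the modes involved; since administrators will have to account for that change, say which files under %{_sysconfdir}/ssh are affected and reference the bug or request it belongs to, as the %_fillupdir bullet does with boo#1069468.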
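Review bot: replacing the 47 individual Patch lines with the single `Source100: openssh-%{version}-SUSE_patches.tar.gz` (hunk @@ -113,54 +119,7 @@) removes the patch list from the spec, so a reviewer of this request can no longer see which changes are carried on top of 7.6p1 or compare them with the 7.2p2 set listed under Old. Keep the patches as PatchNN entries, or at least list the contents of patch.series in the changes entry, so the downstream delta stays reviewable.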
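Review bot: the patch loop added to %prep (hunk @@ -211,64 +170,22 @@) does not check the result of each `patch` invocation and uses `$p` as the printf format string. `cat $PATCH_DIR/patch.series | while read p; do ... done` relies on the shell's -e handling inside a piped subshell to abort on a rejected hunk; make the failure explicit with `patch -p2 < "${PATCH_DIR}/$p" || exit 1`, write `printf '>> applying %s\n' "$p"`, and consider `--fuzz=0` so that hunks that only apply with an offset are noticed at build time. The commented-out `#LDAP:` block still refers to %{PATCH33}, which no longer exists after this change; drop it rather than carry dead lines.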
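Review bot: `BuildRequires: systemd-devel` (hunk @@ -85,6 +90,7 @@) sits next to `BuildRequires: pkgconfig(systemd)`; if it is there because the new `--with-systemd` configure flag needs libsystemd headers, express it the same way as the adjacent line, as `pkgconfig(libsystemd)`, rather than by package name.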
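Review bot: the diff does not show where `--with-systemd` (hunk @@ -292,6 +209,7 @@) is implemented; the only place it could come from is a patch inside Source100, whose contents are not visible here. Name the patch that provides this configure option, either in a comment next to the flag or in the changes entry, so the dependency between the option and the patch tarball is recorded.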
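Review bot: in %files helpers (hunk @@ -461,10 +379,10 @@) the ldap.conf, ssh-ldap* and LDAP documentation entries are commented out rather than removed, which leaves the subpackage shipping only the directory entries. Note that rpm still macro-expands comment lines, so `#verify(not mode) ... %{_sysconfdir}/ssh/ldap.conf` is parsed even though it is disabled. Either remove the entries and state in the changes entry that the LDAP helpers are no longer shipped, or keep them; half-disabled lines hide the decision from anyone reading the spec later.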