Hello community, here is the log from the commit of package openssh for openSUSE:Factory checked in at 2018-02-02 22:19:52 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/openssh (Old) and /work/SRC/openSUSE:Factory/.openssh.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssh" Fri Feb 2 22:19:52 2018 rev:114 rq:571577 version:7.6p1 Changes: --------
--- /work/SRC/openSUSE:Factory/openssh/openssh-askpass-gnome.changes 2016-07-28 23:45:14.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.openssh.new/openssh-askpass-gnome.changes 2018-02-02 22:19:53.864554713 +0100
@@ -1,0 +2,11 @@
+Wed Jan 31 22:54:55 UTC 2018 - [email protected]
+
+- .spec file cleanup
+
+-------------------------------------------------------------------
+Fri Nov 3 12:27:18 UTC 2017 - [email protected]
+
+- upgrade to 7.6p1
+ see main package changelog for details
+
+-------------------------------------------------------------------
--- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2018-01-22 15:56:42.935142459 +0100
+++ /work/SRC/openSUSE:Factory/.openssh.new/openssh.changes 2018-02-02 22:19:53.908552659 +0100
@@ -1,0 +2,11 @@
+Wed Jan 31 13:31:41 UTC 2018 - [email protected]
+
+- Add missing crypto hardware enablement patches for IBM mainframes
+ (FATE#323902)
+
+-------------------------------------------------------------------
+Wed Jan 24 21:42:35 UTC 2018 - [email protected]
+
+- add missing part of systemd integration (unit type)
+
+-------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------
++++++ openssh-askpass-gnome.spec ++++++
--- /var/tmp/diff_new_pack.F1pRlK/_old 2018-02-02 22:19:54.832509524 +0100
+++ /var/tmp/diff_new_pack.F1pRlK/_new 2018-02-02 22:19:54.836509338 +0100
@@ -16,26 +16,18 @@
 #
+%define _name openssh
 Name: openssh-askpass-gnome
-BuildRequires: autoconf
-BuildRequires: automake
 BuildRequires: gtk2-devel
-BuildRequires: krb5-devel
-BuildRequires: openssh
-BuildRequires: openssl-devel
-BuildRequires: pam-devel
-BuildRequires: tcpd-devel
-BuildRequires: update-desktop-files
 Version: 7.6p1
 Release: 0
-Requires: openssh = %{version}
+Requires: %{_name} = %{version}
 Summary: A GNOME-Based Passphrase Dialog for OpenSSH
 License: BSD-2-Clause
 Group: Productivity/Networking/SSH
 Url: http://www.openssh.com/
-%define _name openssh
-Source: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
-Source42: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
+Source: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz
+Source42: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz.asc
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 %description
++++++ openssh-7.6p1-SUSE_patches.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/SUSE_patches/openssh-7.6p1-seccomp_ioctl_s390_EP11.patch new/SUSE_patches/openssh-7.6p1-seccomp_ioctl_s390_EP11.patch
--- old/SUSE_patches/openssh-7.6p1-seccomp_ioctl_s390_EP11.patch 1970-01-01 01:00:00.000000000 +0100
+++ new/SUSE_patches/openssh-7.6p1-seccomp_ioctl_s390_EP11.patch 2018-01-30 00:18:17.000000000 +0100
@@ -0,0 +1,36 @@
+# HG changeset patch
+# Parent a64f36149cef8579bcca3c9207219603d5d3da48
+Patch from IBM enabling use of EP11 hw crypto accelerator, submitted upstreams:
+
+From: Eduardo Barretto <[email protected]>
+To: [email protected]
+Subject: [PATCH 3/3] Enable specific ioctl call for EP11 crypto card (s390)
+Date: Tue, 9 May 2017 14:27:15 -0300
+
+The EP11 crypto card needs to make an ioctl call, which receives an
+specific argument. This crypto card is for s390 only.
+
+Signed-off-by: Eduardo Barretto <[email protected]>
+
+diff --git a/openssh-7.6p1/sandbox-seccomp-filter.c b/openssh-7.6p1/sandbox-seccomp-filter.c
+--- a/openssh-7.6p1/sandbox-seccomp-filter.c
++++ b/openssh-7.6p1/sandbox-seccomp-filter.c
+@@ -248,16 +248,18 @@ static const struct sock_filter preauth_
+ SC_ALLOW_ARG(__NR_socketcall, 0, SYS_SHUTDOWN),
+ SC_DENY(__NR_socketcall, EACCES),
+ #endif
+ #if defined(__NR_ioctl) && defined(__s390__)
+ /* Allow ioctls for ICA crypto card on s390 */
+ SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK),
+ SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO),
+ SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT),
++ /* Allow ioctls for EP11 crypto card on s390 */
++ SC_ALLOW_ARG(__NR_ioctl, 1, ZSENDEP11CPRB),
+ #endif
+ #if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
+ /*
+ * On Linux x32, the clock_gettime VDSO falls back to the
+ * x86-64 syscall under some circumstances, e.g.
+ * https://bugs.debian.org/849923
+ */
+ SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT),
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/SUSE_patches/openssh-7.6p1-seccomp_ipc_flock.patch new/SUSE_patches/openssh-7.6p1-seccomp_ipc_flock.patch
--- old/SUSE_patches/openssh-7.6p1-seccomp_ipc_flock.patch 1970-01-01 01:00:00.000000000 +0100
+++ new/SUSE_patches/openssh-7.6p1-seccomp_ipc_flock.patch 2018-01-30 00:14:40.000000000 +0100
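Review bot: In openssh-7.6p1-seccomp_ioctl_s390_EP11.patch, the new `SC_ALLOW_ARG(__NR_ioctl, 1, ZSENDEP11CPRB)` entry is compiled whenever `__NR_ioctl` and `__s390__` are defined, so every s390 build of the pre-auth sandbox accepts this request whether or not an EP11 card or the PKCS#11 engine is in use. The rule matches the request number only and does not tie the call to a particular descriptor, which is worth stating in place, e.g. `/* EP11 (s390): matched on request number only, any fd the preauth child holds */`. `ZSENDEP11CPRB` is also used without an `#ifdef ZSENDEP11CPRB` guard, which I would add if older kernel headers are a supported build target (inferred; the include list is outside the hunk). The `preauth_` filter array starts and ends outside the embedded hunk.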
@@ -0,0 +1,60 @@
+# HG changeset patch
+# Parent 089f89e036e8d906db26a1e538c879ebc9c0f830
+Patch from IBM enabling the use of OpenCryptoki, submitted upstreams:
+
+From: Eduardo Barretto <[email protected]>
+To: [email protected]
+Subject: [PATCH 1/3] Allow flock and ipc syscall for s390 architecture
+Date: Tue, 9 May 2017 14:27:13 -0300
+
+In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock
+and ipc calls, because this engine calls OpenCryptoki (a PKCS#11
+implementation) which calls the libraries that will communicate with the
+crypto cards. OpenCryptoki makes use of flock and ipc and, as of now,
+this is only need on s390 architecture.
+
+Signed-off-by: Eduardo Barretto <[email protected]>
+
+diff --git a/openssh-7.6p1/sandbox-seccomp-filter.c b/openssh-7.6p1/sandbox-seccomp-filter.c
+--- a/openssh-7.6p1/sandbox-seccomp-filter.c
++++ b/openssh-7.6p1/sandbox-seccomp-filter.c
+@@ -167,16 +167,19 @@ static const struct sock_filter preauth_
+ SC_ALLOW(__NR_exit_group),
+ #endif
+ #ifdef __NR_geteuid
+ SC_ALLOW(__NR_geteuid),
+ #endif
+ #ifdef __NR_geteuid32
+ SC_ALLOW(__NR_geteuid32),
+ #endif
++#if defined(__NR_flock) && defined(__s390__)
++ SC_ALLOW(__NR_flock),
++#endif
+ #ifdef __NR_getpgid
+ SC_ALLOW(__NR_getpgid),
+ #endif
+ #ifdef __NR_getpid
+ SC_ALLOW(__NR_getpid),
+ #endif
+ #ifdef __NR_getrandom
+ SC_ALLOW(__NR_getrandom),
+@@ -185,16 +188,19 @@ static const struct sock_filter preauth_
+ SC_ALLOW(__NR_gettimeofday),
+ #endif
+ #ifdef __NR_getuid
+ SC_ALLOW(__NR_getuid),
+ #endif
+ #ifdef __NR_getuid32
+ SC_ALLOW(__NR_getuid32),
+ #endif
++#if defined(__NR_ipc) && defined(__s390__)
++ SC_ALLOW(__NR_ipc),
++#endif
+ #ifdef __NR_madvise
+ SC_ALLOW(__NR_madvise),
+ #endif
+ #ifdef __NR_mmap
+ SC_ALLOW(__NR_mmap),
+ #endif
+ #ifdef __NR_mmap2
+ SC_ALLOW(__NR_mmap2),
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/SUSE_patches/patch.series new/SUSE_patches/patch.series
---
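Review bot: In openssh-7.6p1-seccomp_ipc_flock.patch, `SC_ALLOW(__NR_ipc)` in the second embedded hunk admits the whole multiplexed System V IPC call to the pre-auth sandbox with no argument check; on s390 semaphores, message queues and shared memory all go through `ipc`, so this is a far wider grant than the single library dependency the description cites. The ioctl entries in the same filter already restrict by argument with `SC_ALLOW_ARG`, and the same could be done here on argument 0, with one `SC_ALLOW_ARG(__NR_ipc, 0, <call number>)` line per operation OpenCryptoki actually issues (which ones is not stated on this page). Both this rule and `SC_ALLOW(__NR_flock)` in the first hunk are keyed only on `__s390__`, so they apply to every s390 sshd, including hosts without a crypto card; a comment naming the consumer, e.g. `/* s390: OpenCryptoki via the ibmpkcs11 engine */`, would make that easy to audit later. The filter array begins and ends outside both embedded hunks.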
old/SUSE_patches/patch.series 2018-01-11 23:02:18.000000000 +0100
+++ new/SUSE_patches/patch.series 2018-01-30 00:54:43.000000000 +0100
@@ -13,6 +13,8 @@
 openssh-7.6p1-seccomp_getuid.patch
 openssh-7.6p1-seccomp_geteuid.patch
 openssh-7.6p1-seccomp_stat.patch
+openssh-7.6p1-seccomp_ipc_flock.patch
+openssh-7.6p1-seccomp_ioctl_s390_EP11.patch
 openssh-7.6p1-fips.patch
 openssh-7.6p1-cavstest-ctr.patch
 openssh-7.6p1-cavstest-kdf.patch
++++++ sshd.service ++++++
--- /var/tmp/diff_new_pack.F1pRlK/_old 2018-02-02 22:19:55.068498507 +0100
+++ /var/tmp/diff_new_pack.F1pRlK/_new 2018-02-02 22:19:55.068498507 +0100
@@ -3,8 +3,10 @@
 After=network.target
 [Service]
+Type=notify
 EnvironmentFile=-/etc/sysconfig/ssh
 ExecStartPre=/usr/sbin/sshd-gen-keys-start
+ExecStartPre=/usr/sbin/sshd -t $SSHD_OPTS
 ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
 ExecReload=/bin/kill -HUP $MAINPID
 KillMode=process
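Review bot: In sshd.service, the new `ExecStartPre=/usr/sbin/sshd -t $SSHD_OPTS` validates the configuration only on start, while `ExecReload=/bin/kill -HUP $MAINPID` still signals the daemon without any check, so a reload with a broken sshd_config can take the listener down on a host that is reachable only over SSH. I would add `ExecReload=/usr/sbin/sshd -t $SSHD_OPTS` above the existing `ExecReload=` line so that a failed check aborts the reload. Separately, `Type=notify` only works if this sshd build sends the readiness notification; the changelog calls this the missing part of the systemd integration, but the code side is not in this diff, so it is worth confirming before the unit ships. The [Service] section may continue past the hunk.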
