Hello community,
here is the log from the commit of package openssh
checked in at Wed Apr 9 22:21:18 CEST 2008.
--------
--- openssh/openssh-askpass-gnome.changes 2007-12-05 10:56:17.000000000 +0100
+++ openssh/openssh-askpass-gnome.changes 2008-04-09 14:35:50.000000000 +0200
@@ -1,0 +2,10 @@
+Wed Apr 9 14:35:42 CEST 2008 - anicka@suse.cz
+
+- update to 5.0p1
+
+-------------------------------------------------------------------
+Wed Apr 2 15:06:01 CEST 2008 - anicka@suse.cz
+
+- update to 4.9p1
+
+-------------------------------------------------------------------
--- openssh/openssh.changes 2008-01-04 11:12:30.000000000 +0100
+++ openssh/openssh.changes 2008-04-09 14:38:58.000000000 +0200
@@ -1,0 +2,69 @@
+Wed Apr 9 14:37:57 CEST 2008 - anicka@suse.cz
+
+- update to 5.0p1
+ * CVE-2008-1483: Avoid possible hijacking of X11-forwarded
+ connections by refusing to listen on a port unless all address
+ families bind successfully.
+- remove CVE-2008-1483 patch
+
+-------------------------------------------------------------------
+Wed Apr 2 14:57:26 CEST 2008 - anicka@suse.cz
+
+- update to 4.9p1
+ * Disable execution of ~/.ssh/rc for sessions where a command has been
+ forced by the sshd_config ForceCommand directive. Users who had
+ write access to this file could use it to execute abritrary commands.
+ This behaviour was documented, but was an unsafe default and an extra
+ hassle for administrators.
+ * Added chroot(2) support for sshd(8), controlled by a new option
+ "ChrootDirectory". Please refer to sshd_config(5) for details, and
+ please use this feature carefully. (bz#177 bz#1352)
+ * Linked sftp-server(8) into sshd(8). The internal sftp server is
+ used when the command "internal-sftp" is specified in a Subsystem
+ or ForceCommand declaration. When used with ChrootDirectory, the
+ internal sftp server requires no special configuration of files
+ inside the chroot environment. Please refer to sshd_config(5) for
+ more information.
+ * Added a "no-user-rc" option for authorized_keys to disable execution
+ of ~/.ssh/rc
+ * Added a protocol extension method "posix-rename@openssh.com" for
+ sftp-server(8) to perform POSIX atomic rename() operations.
+ (bz#1400)
+ * Removed the fixed limit of 100 file handles in sftp-server(8). The
+ server will now dynamically allocate handles up to the number of
+ available file descriptors. (bz#1397)
+ * ssh(8) will now skip generation of SSH protocol 1 ephemeral server
+ keys when in inetd mode and protocol 2 connections are negotiated.
+ This speeds up protocol 2 connections to inetd-mode servers that
+ also allow Protocol 1 (bz#440)
+ * Accept the PermitRootLogin directive in a sshd_config(5) Match
+ block. Allows for, e.g. permitting root only from the local
+ network.
+ * Reworked sftp(1) argument splitting and escaping to be more
+ internally consistent (i.e. between sftp commands) and more
+ consistent with sh(1). Please note that this will change the
+ interpretation of some quoted strings, especially those with
+ embedded backslash escape sequences. (bz#778)
+ * Support "Banner=none" in sshd_config(5) to disable sending of a
+ pre-login banner (e.g. in a Match block).
+ * ssh(1) ProxyCommands are now executed with $SHELL rather than
+ /bin/sh.
+ * ssh(1)'s ConnectTimeout option is now applied to both the TCP
+ connection and the SSH banner exchange (previously it just covered
+ the TCP connection). This allows callers of ssh(1) to better detect
+ and deal with stuck servers that accept a TCP connection but don't
+ progress the protocol, and also makes ConnectTimeout useful for
+ connections via a ProxyCommand.
+ * Many new regression tests, including interop tests against PuTTY's
+ plink.
+ * Support BSM auditing on Mac OS X
+ * bugfixes
+- remove addrlist, pam_session_close, strict-aliasing-fix patches
+ (not needed anymore)
+
+-------------------------------------------------------------------
+Tue Mar 25 11:10:14 CET 2008 - anicka@suse.cz
+
+- fix CVE-2008-1483 (bnc#373527)
+
+-------------------------------------------------------------------
Old:
----
openssh-4.7p1-addrlist.dif
openssh-4.7p1-askpass-fix.diff
openssh-4.7p1-audit.patch
openssh-4.7p1-blocksigalrm.diff
openssh-4.7p1-default-protocol.diff
openssh-4.7p1.dif
openssh-4.7p1-eal3.diff
openssh-4.7p1-engines.diff
openssh-4.7p1-gcc-fix.patch
openssh-4.7p1-gssapimitm.patch
openssh-4.7p1-pam-fix2.diff
openssh-4.7p1-pam-fix3.diff
openssh-4.7p1-pam_session_close.diff
openssh-4.7p1-saveargv-fix.diff
openssh-4.7p1-send_locale.diff
openssh-4.7p1-strict-aliasing-fix.diff
openssh-4.7p1.tar.bz2
openssh-4.7p1-tmpdir.diff
openssh-4.7p1-xauth.diff
openssh-4.7p1-xauthlocalhostname.diff
New:
----
openssh-5.0p1-askpass-fix.diff
openssh-5.0p1-audit.patch
openssh-5.0p1-blocksigalrm.diff
openssh-5.0p1-default-protocol.diff
openssh-5.0p1.dif
openssh-5.0p1-eal3.diff
openssh-5.0p1-engines.diff
openssh-5.0p1-gcc-fix.patch
openssh-5.0p1-gssapimitm.patch
openssh-5.0p1-pam-fix2.diff
openssh-5.0p1-pam-fix3.diff
openssh-5.0p1-saveargv-fix.diff
openssh-5.0p1-send_locale.diff
openssh-5.0p1.tar.bz2
openssh-5.0p1-tmpdir.diff
openssh-5.0p1-xauth.diff
openssh-5.0p1-xauthlocalhostname.diff
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ openssh-askpass-gnome.spec ++++++
--- /var/tmp/diff_new_pack.H14536/_old 2008-04-09 22:19:28.000000000 +0200
+++ /var/tmp/diff_new_pack.H14536/_new 2008-04-09 22:19:28.000000000 +0200
@@ -1,5 +1,5 @@
#
-# spec file for package openssh-askpass-gnome (Version 4.7p1)
+# spec file for package openssh-askpass-gnome (Version 5.0p1)
#
# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
# This file and all modifications and additions to the pristine
@@ -10,12 +10,13 @@
# norootforbuild
+
Name: openssh-askpass-gnome
BuildRequires: gtk2-devel krb5-devel opensc-devel openssh openssl-devel pam-devel tcpd-devel update-desktop-files
License: BSD 3-Clause
Group: Productivity/Networking/SSH
-Version: 4.7p1
-Release: 12
+Version: 5.0p1
+Release: 1
Requires: openssh = %{version} openssh-askpass = %{version}
AutoReqProv: on
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
@@ -24,7 +25,6 @@
Source: %{_name}-%{version}.tar.bz2
Patch: %{_name}-%{version}.dif
Patch15: %{_name}-%{version}-pam-fix2.diff
-Patch17: %{_name}-%{version}-strict-aliasing-fix.diff
Patch18: %{_name}-%{version}-saveargv-fix.diff
Patch19: %{_name}-%{version}-pam-fix3.diff
Patch21: %{_name}-%{version}-gssapimitm.patch
@@ -68,7 +68,6 @@
%setup -q -n %{_name}-%{version}
%patch
%patch15
-%patch17
%patch18
%patch19
%patch21
@@ -112,7 +111,11 @@
%attr(0755,root,root) /usr/%_lib/ssh/gnome-ssh-askpass
%changelog
-* Wed Dec 05 2007 - anicka@suse.cz
+* Wed Apr 09 2008 anicka@suse.cz
+- update to 5.0p1
+* Wed Apr 02 2008 anicka@suse.cz
+- update to 4.9p1
+* Wed Dec 05 2007 anicka@suse.cz
- - update to 4.7p1
* Add "-K" flag for ssh to set GSSAPIAuthentication=yes and
GSSAPIDelegateCredentials=yes. This is symmetric with -k
@@ -121,7 +124,7 @@
* increase default channel windows
* put the MAC list into a display
* many bugfixes
-* Tue Dec 12 2006 - anicka@suse.cz
+* Tue Dec 12 2006 anicka@suse.cz
- update to 4.5p1
* Use privsep_pw if we have it, but only require it if we
absolutely need it.
@@ -133,7 +136,7 @@
be already full (of alive requests)
* include signal.h, errno.h, sys/in.h
* some more bugfixes
-* Wed Oct 04 2006 - postadal@suse.cz
+* Wed Oct 04 2006 postadal@suse.cz
- updated to version 4.4p1 [#208662]
* fixed pre-authentication DoS, that would cause sshd(8) to spin
until the login grace time expired
@@ -155,23 +158,23 @@
* extended sshd_config(5) "SubSystem" declarations to allow the
specification of command-line arguments
- removed obsoleted patches: autoconf-fix.patch
-* Tue Jul 25 2006 - schwab@suse.de
+* Tue Jul 25 2006 schwab@suse.de
- Fix syntax error in configure script.
-* Wed Jan 25 2006 - mls@suse.de
+* Wed Jan 25 2006 mls@suse.de
- converted neededforbuild to BuildRequires
-* Tue Jan 03 2006 - postadal@suse.cz
+* Tue Jan 03 2006 postadal@suse.cz
- updated to version 4.2p1
- removed obsoleted patches: upstream_fixes.diff, gssapi-secfix.patch
-* Thu Sep 08 2005 - postadal@suse.cz
+* Thu Sep 08 2005 postadal@suse.cz
- don't strip
-* Thu Aug 04 2005 - uli@suse.de
+* Thu Aug 04 2005 uli@suse.de
- parallelize build
-* Fri Jun 10 2005 - postadal@suse.cz
+* Fri Jun 10 2005 postadal@suse.cz
- updated to version 4.1p1
- removed obsoleted patches: restore_terminal, pam-returnfromsession,
timing-attacks-fix, krb5ccname, gssapi-pam, logdenysource,
sendenv-fix, documentation-fix
-* Wed Jan 19 2005 - postadal@suse.cz
+* Wed Jan 19 2005 postadal@suse.cz
- renamed askpass-gnome package to openssh-askpass-gnome
-* Wed Jan 19 2005 - postadal@suse.cz
+* Wed Jan 19 2005 postadal@suse.cz
- splited spec file to decreas number of build dependencies
++++++ openssh.spec ++++++
--- /var/tmp/diff_new_pack.H14536/_old 2008-04-09 22:19:28.000000000 +0200
+++ /var/tmp/diff_new_pack.H14536/_new 2008-04-09 22:19:28.000000000 +0200
@@ -1,5 +1,5 @@
#
-# spec file for package openssh (Version 4.7p1)
+# spec file for package openssh (Version 5.0p1)
#
# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
# This file and all modifications and additions to the pristine
@@ -10,6 +10,7 @@
# norootforbuild
+
Name: openssh
%define _fwdefdir /etc/sysconfig/SuSEfirewall2.d/services
%define _prefix %(xft-config --prefix)
@@ -28,8 +29,8 @@
PreReq: /usr/sbin/groupadd /usr/sbin/useradd %insserv_prereq %fillup_prereq /bin/mkdir /bin/cat permissions
Conflicts: nonfreessh
AutoReqProv: on
-Version: 4.7p1
-Release: 11
+Version: 5.0p1
+Release: 1
%define xversion 1.2.4.1
Summary: Secure Shell Client and Server (Remote Login Program)
Url: http://www.openssh.com/
@@ -44,10 +45,8 @@
Source8: ssh-askpass
Source9: sshd.fw
Patch: %{name}-%{version}.dif
-Patch1: %{name}-%{version}-addrlist.dif
Patch12: %{name}-%{version}-askpass-fix.diff
Patch15: %{name}-%{version}-pam-fix2.diff
-Patch17: %{name}-%{version}-strict-aliasing-fix.diff
Patch18: %{name}-%{version}-saveargv-fix.diff
Patch19: %{name}-%{version}-pam-fix3.diff
Patch21: %{name}-%{version}-gssapimitm.patch
@@ -62,10 +61,10 @@
Patch42: %{name}-gssapi_krb5-fix.patch
Patch43: %{name}-%{version}-default-protocol.diff
Patch44: %{name}-%{version}-audit.patch
-Patch45: %{name}-%{version}-pam_session_close.diff
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%package askpass
+License: BSD 3-Clause; X11/MIT
Summary: A passphrase dialog for OpenSSH and the X Window System
Requires: openssh = %{version}
Provides: openssh:/usr/%_lib/ssh/ssh-askpass
@@ -136,9 +135,7 @@
%prep
%setup -q -b 3 -a 1 -a 5
%patch
-%patch1
%patch15
-%patch17
%patch18
%patch19
%patch21
@@ -153,7 +150,6 @@
%patch42
%patch43
%patch44 -p1
-%patch45
cp -v %{SOURCE4} .
cp -v %{SOURCE6} .
cd ../x11-ssh-askpass-%{xversion}
++++++ openssh-4.7p1-askpass-fix.diff -> openssh-5.0p1-askpass-fix.diff ++++++
++++++ openssh-4.7p1-audit.patch -> openssh-5.0p1-audit.patch ++++++
++++++ openssh-4.7p1-blocksigalrm.diff -> openssh-5.0p1-blocksigalrm.diff ++++++
++++++ openssh-4.7p1-default-protocol.diff -> openssh-5.0p1-default-protocol.diff ++++++
++++++ openssh-4.7p1-addrlist.dif -> openssh-5.0p1.dif ++++++
--- openssh/openssh-4.7p1-addrlist.dif 2007-03-12 10:53:56.000000000 +0100
+++ openssh/openssh-5.0p1.dif 2007-03-12 10:53:56.000000000 +0100
@@ -1,87 +1,45 @@
---- sshd.c
-+++ sshd.c
-@@ -253,6 +253,62 @@
+--- ssh_config
++++ ssh_config
+@@ -17,9 +17,20 @@
+ # list of available options, their meanings and defaults, please see the
+ # ssh_config(5) man page.
- static void do_ssh1_kex(void);
- static void do_ssh2_kex(void);
-+char * isaddr(struct addrinfo *addr, char *name);
-+void remove_duplicities(struct addrinfo *addr, char *port);
-+
-+/*
-+ * returns port if addr equals name
-+ */
-+
-+char*
-+isaddr(struct addrinfo *addr, char *name)
-+{
-+ char ntop[NI_MAXHOST];
-+ char *strport;
-+
-+ strport = (char*) malloc(NI_MAXSERV+1);
-+ if (getnameinfo(addr->ai_addr, addr->ai_addrlen,
-+ ntop, sizeof(ntop), strport, sizeof(strport),
-+ NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
-+ error("getnameinfo failed");
-+ free(strport);
-+ return NULL;
-+ }
-+ if (!strcmp(ntop,name))
-+ return strport;
-+ else{
-+ free(strport);
-+ return NULL;
-+ }
-+
-+}
-+
-+/*
-+ * it removes all "0.0.0.0" elements with given port
-+ * from the list
-+ */
-+
-+void
-+remove_duplicities(struct addrinfo *ai_start, char *port)
-+{
-+ struct addrinfo *ai, *ai1, *aiprev, *ainext;
-+ char *port1;
-+
-+ aiprev=ai_start;
-+ for (ai = ai_start->ai_next; ai; ai = ainext) {
-+ ainext = ai->ai_next;
-+ port1 = isaddr(ai, "0.0.0.0");
-+ if (port1 && !strcmp(port,port1)){
-+ aiprev->ai_next = ainext;
-+ free(ai);
-+ free(port1);
-+ } else {
-+ if (port1)
-+ free(port1);
-+ aiprev = ai;
-+ }
-+ }
-+}
-
- /*
- * Close all listening sockets
-@@ -942,6 +998,7 @@
- int ret, listen_sock, on = 1;
- struct addrinfo *ai;
- char ntop[NI_MAXHOST], strport[NI_MAXSERV];
-+ char *port;
+-# Host *
++Host *
+ # ForwardAgent no
+ # ForwardX11 no
++
++# If you do not trust your remote host (or its administrator), you
++# should not forward X11 connections to your local X11-display for
++# security reasons: Someone stealing the authentification data on the
++# remote side (the "spoofed" X-server by the remote sshd) can read your
++# keystrokes as you type, just like any other X11 client could do.
++# Set this to "no" here for global effect or in your own ~/.ssh/config
++# file if you want to have the remote X11 authentification data to
++# expire after two minutes after remote login.
++ForwardX11Trusted yes
++
+ # RhostsRSAAuthentication no
+ # RSAAuthentication yes
+ # PasswordAuthentication yes
+--- sshd_config
++++ sshd_config
+@@ -82,7 +82,7 @@
- for (ai = options.listen_addrs; ai; ai = ai->ai_next) {
- if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
-@@ -987,6 +1044,13 @@
- continue;
- }
- listen_socks[num_listen_socks] = listen_sock;
-+
-+ port = isaddr(ai,"::");
-+ if (port) {
-+ remove_duplicities(ai, port);
-+ free(port);
-+ }
-+
- num_listen_socks++;
+ #AllowTcpForwarding yes
+ #GatewayPorts no
+-#X11Forwarding no
++X11Forwarding yes
+ #X11DisplayOffset 10
+ #X11UseLocalhost yes
+ #PrintMotd yes
+--- sshlogin.c
++++ sshlogin.c
+@@ -126,6 +126,7 @@
- /* Start listening on the port. */
+ li = login_alloc_entry(pid, user, host, tty);
+ login_set_addr(li, addr, addrlen);
++ li->uid=uid;
+ login_login(li);
+ login_free_entry(li);
+ }
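Review bot: Both X11 forwarding defaults become permissive without a stated rationale: the ssh_config part uncomments `Host *` and adds `ForwardX11Trusted yes`, and the sshd_config part replaces `#X11Forwarding no` with `X11Forwarding yes`, while the removed lines show upstream ships both off and the changelog hunk in this same commit cites CVE-2008-1483, an X11-forwarding hijack; the .dif header or the spec should record why the distribution wants the permissive defaults, since the risk is currently explained only by an in-file comment. That comment also misspells "authentification" twice; `authentication` is the intended word. In the sshlogin.c part, `li->uid=uid;` would match the surrounding style as `li->uid = uid;`; the enclosing function starts and ends outside the hunk.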
++++++ openssh-4.7p1-eal3.diff -> openssh-5.0p1-eal3.diff ++++++
++++++ openssh-4.7p1-engines.diff -> openssh-5.0p1-engines.diff ++++++
--- openssh/openssh-4.7p1-engines.diff 2007-03-12 10:53:59.000000000 +0100
+++ openssh/openssh-5.0p1-engines.diff 2008-03-31 10:57:54.000000000 +0200
@@ -1,14 +1,14 @@
---- openssh-4.6p1/ssh-add.c
-+++ openssh-4.6p1/ssh-add.c
-@@ -42,6 +42,7 @@
- #include