[Bug 931429] New: readd tcp wrappers until dropped by upstream
http://bugzilla.suse.com/show_bug.cgi?id=931429

Bug ID: 931429
Summary: readd tcp wrappers until dropped by upstream
Classification: openSUSE
Product: openSUSE Distribution
Version: 13.2
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Basesystem
Assignee: pcerny@suse.com
Reporter: meissner@suse.com
QA Contact: qa-bugs@suse.de
CC: crrodriguez@opensuse.org
Found By: ---
Blocker: ---

user is angry that tcp wrapper support was dropped from openssh.

-------------------------------------------------------------------
Sat May 17 22:31:29 UTC 2014 - crrodriguez@opensuse.org

- Remove tcpwrappers support now, This feature was removed
  in upstream code at the end of April and the underlying
  libraries are abandonware.
  See: http://comments.gmane.org/gmane.linux.suse.general/348119

It should still stay in until upstream drops it.

http://lists.opensuse.org/opensuse-de/2015-05/msg00232.html
http://lists.opensuse.org/opensuse-de/2015-05/msg00251.html

--
You are receiving this mail because:
You are on the CC list for the bug.

--- Comment #1 from Cristian Rodríguez <crrodriguez@opensuse.org> ---
(In reply to Marcus Meissner from comment #0)
> user is angry that tcp wrapper support was dropped from openssh.
>
> -------------------------------------------------------------------
> Sat May 17 22:31:29 UTC 2014 - crrodriguez@opensuse.org
>
> - Remove tcpwrappers support now, This feature was removed
>   in upstream code at the end of April and the underlying
>   libraries are abandonware.
>   See: http://comments.gmane.org/gmane.linux.suse.general/348119
>
> It should still stay in until upstream drops it.
>
> http://lists.opensuse.org/opensuse-de/2015-05/msg00232.html
> http://lists.opensuse.org/opensuse-de/2015-05/msg00251.html

They already dropped it, it is that the openSSH package has not been updated.. http://www.openssh.com/txt/release-6.7 gone since 6.7.. current openSSH version is 6.8.

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |werner@suse.com

Dr. Werner Fink <werner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |pcerny@suse.com
              Flags|                            |needinfo?(pcerny@suse.com)

--- Comment #2 from Dr. Werner Fink <werner@suse.com> ---
(In reply to Cristian Rodríguez from comment #1)

There is a patch which is also used by Debian maintainers of the openssh:

http://sourceforge.net/projects/mancha/files/misc/openssh-6.8p1-libwrap.diff...

also I'm trying to push our openssh from 6.6p1 up to 6.8p1. As I've heard from Marcus that Petr is also working on I'd like to ask if I should go further?

Petr Cerny <pcerny@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|needinfo?(pcerny@suse.com)  |

--- Comment #3 from Petr Cerny <pcerny@suse.com> ---
The update in openSUSE has been on my todo list for many months, yet there are some issues with FIPS patches which I haven't had time to deal with due to more pressing things. I should be able to look into it in the upcoming weeks now.

As for the tcpwrappers - I don't feel very comfortable with adding it back. While I'm fine with adding the patch as such, I don't see a good reason to build it by default, especially when building own packages in BS is really easy.

From my point of view tcpwrappers are legacy - feel free to try to convince me otherwise, though.

--- Comment #4 from Petr Cerny <pcerny@suse.com> ---
(In reply to Petr Cerny from comment #3)
> As for the tcpwrappers - I don't feel very comfortable with adding it back.
> While I'm fine with adding the patch as such, I don't see a good reason to
> build it by default, especially when building own packages in BS is really
> easy.

Or we could make it a configurable run-time option, that would be off by default. That might make more sense...

--- Comment #5 from Dr. Werner Fink <werner@suse.com> ---
Created attachment 634875
  --> http://bugzilla.suse.com/attachment.cgi?id=634875&action=edit
openssh-6.8p1-fips.patch

(In reply to Petr Cerny from comment #3)

Not sure if this is correct, but the MD5 in key.c is gone and the do_ssh1_kex() part in sshd.c seems to be moved to use derive_ssh1_session_id() from kex.c which is already handled by the fips patch.

Though ... I've not tested it

Dr. Werner Fink <werner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |meissner@suse.com
              Flags|                            |needinfo?(meissner@suse.com)

--- Comment #6 from Dr. Werner Fink <werner@suse.com> ---
I hang on patch openssh-6.6p1-audit5-session_key_destruction.patch as upstream has changed a lot in e.g. ssh_packet_close() of packet.c ... that is the changes become not trivial and without deep knowledge on audit memory management the risk of crashing and/or causing a memory leak increases a lot.

I'll copy my current tree to ~werner/Export/

The question arises if there is an upstream source for FIPS as well as audit patches for `openssh-6.8p1'

--- Comment #7 from Petr Cerny <pcerny@suse.com> ---
(In reply to Werner Fink from comment #6)
> I hang on patch openssh-6.6p1-audit5-session_key_destruction.patch as
> upstream has changed a lot in e.g. ssh_packet_close() of packet.c ... that is
> the changes become not trivial and without deep knowledge on audit memory
> management the risk of crashing and/or causing a memory leak increases a lot.
>
> I'll copy my current tree to ~werner/Export/
>
> The question arises if there is an upstream source for FIPS as well as audit
> patches for `openssh-6.8p1'

Not really. As far as I know, the only upstream for both the FIPS us and RH (because I didn't really like the way they did it, I deviated from them). The audit patches are easier, since those I took verbatim from Fedora (several versions back).

http://bugzilla.suse.com/show_bug.cgi?id=931429#c8

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|needinfo?(meissner@suse.com)|

--- Comment #8 from Marcus Meissner <meissner@suse.com> ---
removing old needinfo

http://bugzilla.suse.com/show_bug.cgi?id=931429#c9

Tomáš Chvátal <tchvatal@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |WONTFIX

--- Comment #9 from Tomáš Chvátal <tchvatal@suse.com> ---
This version of openSUSE changed to end-of-life (EOL [1]) status. As such it is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of openSUSE, or consider the bug still valid, please feel free to reopen this bug against that version, or open a new ticket.

Thank you for reporting this bug and we are sorry it could not be fixed during the lifetime of the release.

[1] https://en.opensuse.org/Lifetime