openSUSE Commits
April 2014
Hello community,
here is the log from the commit of package avahi for openSUSE:Factory checked in at 2014-04-17 14:47:08
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/avahi (Old)
and /work/SRC/openSUSE:Factory/.avahi.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "avahi"
Changes:
--------
avahi-mono.changes: same change
avahi-qt4.changes: same change
--- /work/SRC/openSUSE:Factory/avahi/avahi.changes 2014-03-21 12:14:45.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.avahi.new/avahi.changes 2014-04-17 14:47:09.000000000 +0200
@@ -1,0 +2,5 @@
+Tue Apr 15 15:55:46 UTC 2014 - aj(a)suse.com
+
+- We've moved everything to /run, adjust file list as well.
+
+-------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ avahi-glib2.spec ++++++
--- /var/tmp/diff_new_pack.oPXgOh/_old 2014-04-17 14:47:11.000000000 +0200
+++ /var/tmp/diff_new_pack.oPXgOh/_new 2014-04-17 14:47:11.000000000 +0200
@@ -973,10 +973,21 @@
%pre
%{_sbindir}/groupadd -r avahi 2> /dev/null || :
-%{_sbindir}/useradd -r -s /bin/false -c "User for Avahi" -d %{_localstatedir}/run/avahi-daemon -g avahi avahi 2> /dev/null || :
+%{_sbindir}/useradd -r -s /bin/false -c "User for Avahi" -d /run/avahi-daemon -g avahi avahi 2> /dev/null || :
%if %suse_version >= 1210
%service_add_pre avahi-dnsconfd.service avahi-daemon.service
%endif
+# bnc#853845,bnc#851953: do not start by default under
+# sysconfig as this breaks vlan,bridge,bonding setups
+# in pre to revert old default setting from template.
+if test -f var/adm/fillup-templates/sysconfig.avahi-autoipd -a \
+ -f etc/sysconfig/avahi ; then
+ . var/adm/fillup-templates/sysconfig.avahi-autoipd
+ if test "X$AVAHI_AUTOIPD_ENABLE" = "Xyes" ; then
+ sed -i etc/sysconfig/avahi \
+ -e 's/^\(AVAHI_AUTOIPD_ENABLE\)=.*/\1="no"/'
+ fi
+fi
%post
%{fillup_only -n avahi}
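Review bot: The block added to %pre addresses `var/adm/fillup-templates/sysconfig.avahi-autoipd` and `etc/sysconfig/avahi` without a leading slash and then sources the template with `.`, so which file is read and executed as root depends on the scriptlet's working directory. Use absolute paths, or extract the single `AVAHI_AUTOIPD_ENABLE` value with grep/sed instead of sourcing the whole file. The block is also missing from the avahi.changes entry above, which records only the move to /run.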
@@ -1112,7 +1123,7 @@
%{_libdir}/avahi/service-types.db
# avahi creates the directory itself, we do not package it
# since it might be on tmpfs
-%attr(-,avahi,avahi) %ghost %{_localstatedir}/run/avahi-daemon
+%attr(-,avahi,avahi) %ghost /run/avahi-daemon
%doc %{_mandir}/man5/*.5*
%doc %{_mandir}/man8/*.8*
%exclude %doc %{_mandir}/man8/avahi-autoipd*
avahi-mono.spec: same change
avahi-qt4.spec: same change
++++++ avahi.spec ++++++
--- /var/tmp/diff_new_pack.oPXgOh/_old 2014-04-17 14:47:11.000000000 +0200
+++ /var/tmp/diff_new_pack.oPXgOh/_new 2014-04-17 14:47:11.000000000 +0200
@@ -975,7 +975,7 @@
%pre
%{_sbindir}/groupadd -r avahi 2> /dev/null || :
-%{_sbindir}/useradd -r -s /bin/false -c "User for Avahi" -d %{_localstatedir}/run/avahi-daemon -g avahi avahi 2> /dev/null || :
+%{_sbindir}/useradd -r -s /bin/false -c "User for Avahi" -d /run/avahi-daemon -g avahi avahi 2> /dev/null || :
%if %suse_version >= 1210
%service_add_pre avahi-dnsconfd.service avahi-daemon.service
%endif
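Review bot: Changing `-d` on the `useradd` line only takes effect where the avahi account does not exist yet; on an upgrade the command fails because the user is already present, and `2> /dev/null || :` hides that, so existing accounts keep `%{_localstatedir}/run/avahi-daemon` as their home. If the recorded home directory matters, add a step that updates existing accounts; otherwise state in the changelog that only new installations are affected.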
@@ -1125,7 +1125,7 @@
%{_libdir}/avahi/service-types.db
# avahi creates the directory itself, we do not package it
# since it might be on tmpfs
-%attr(-,avahi,avahi) %ghost %{_localstatedir}/run/avahi-daemon
+%attr(-,avahi,avahi) %ghost /run/avahi-daemon
%doc %{_mandir}/man5/*.5*
%doc %{_mandir}/man8/*.8*
%exclude %doc %{_mandir}/man8/avahi-autoipd*
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse-commit+help(a)opensuse.org
Hello community,
here is the log from the commit of package pesign for openSUSE:Factory checked in at 2014-04-17 14:44:03
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/pesign (Old)
and /work/SRC/openSUSE:Factory/.pesign.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "pesign"
Changes:
--------
--- /work/SRC/openSUSE:Factory/pesign/pesign.changes 2014-02-02 07:36:58.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.pesign.new/pesign.changes 2014-04-17 14:44:04.000000000 +0200
@@ -1,0 +2,5 @@
+Wed Apr 16 07:12:05 UTC 2014 - aj(a)suse.com
+
+- Add pesign-run.patch: Use /run instead of /var/run (bnc#873857).
+
+-------------------------------------------------------------------
New:
----
pesign-run.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ pesign.spec ++++++
--- /var/tmp/diff_new_pack.HYkK9s/_old 2014-04-17 14:44:05.000000000 +0200
+++ /var/tmp/diff_new_pack.HYkK9s/_new 2014-04-17 14:44:05.000000000 +0200
@@ -36,6 +36,8 @@
Patch6: use-standard-pid-location.patch
# PATCH-FIX-UPSTREAM pesign-no-db.patch glin(a)suse.com -- Allow some commands to proceed without a NSS database
Patch7: pesign-no-db.patch
+# PATCH-FIX-SUSE pesign-run.patch aj(a)suse.com - Use /run instead of /var/run
+Patch8: pesign-run.patch
BuildRequires: mozilla-nss-devel
BuildRequires: pkg-config
BuildRequires: popt-devel
@@ -62,6 +64,7 @@
%patch4 -p1
%patch6 -p1
%patch7 -p1
+%patch8 -p1
%build
make OPTFLAGS="$RPM_OPT_FLAGS"
@@ -107,7 +110,7 @@
%{_unitdir}/pesign.service
/usr/lib/tmpfiles.d/pesign.conf
%dir %attr(0775,pesign,pesign) %{_sysconfdir}/pki/pesign
-%ghost %dir %attr(0770,pesign,pesign) %{_localstatedir}/run/%{name}
+%ghost %dir %attr(0770,pesign,pesign) /run/%{name}
%dir %attr(0770,pesign,pesign) %{_localstatedir}/lib/%{name}
%changelog
++++++ pesign-run.patch ++++++
Index: pesign-0.109/src/Makefile
===================================================================
--- pesign-0.109.orig/src/Makefile
+++ pesign-0.109/src/Makefile
@@ -79,7 +79,7 @@ install_sysvinit:
install :
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
- $(INSTALL) -d -m 770 $(INSTALLROOT)/var/run/pesign/
+ $(INSTALL) -d -m 770 $(INSTALLROOT)/run/pesign/
$(INSTALL) -d -m 755 $(INSTALLROOT)$(PREFIX)/bin/
$(INSTALL) -m 755 pesign $(INSTALLROOT)$(PREFIX)/bin/
$(INSTALL) -m 755 client $(INSTALLROOT)$(PREFIX)/bin/pesign-client
Index: pesign-0.109/src/daemon.h
===================================================================
--- pesign-0.109.orig/src/daemon.h
+++ pesign-0.109/src/daemon.h
@@ -47,7 +47,7 @@ typedef enum {
} pesignd_cmd;
#define PESIGND_VERSION 0xa3cf41cb
-#define SOCKPATH "/var/run/pesign/socket"
-#define PIDFILE "/var/run/pesign.pid"
+#define SOCKPATH "/run/pesign/socket"
+#define PIDFILE "/run/pesign.pid"
#endif /* DAEMON_H */
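Review bot: `PIDFILE` stays directly under /run (`/run/pesign.pid`), while the only directory this change provisions for the pesign account is `/run/pesign` (the tmpfiles.conf line and the spec's %ghost entry, both 0770 pesign:pesign). Confirm the daemon writes the pid file while it still has the privilege to create files in /run, or move it to `/run/pesign/`. The spec also carries `use-standard-pid-location.patch` as Patch6, so check that the two patches agree on the final location.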
Index: pesign-0.109/src/macros.pesign
===================================================================
--- pesign-0.109.orig/src/macros.pesign
+++ pesign-0.109/src/macros.pesign
@@ -34,7 +34,7 @@
%{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\
--certdir ${nss} -c signer %{-o} \
rm -rf ${sattrs} ${sattrs}.sig ${nss} \
- elif [ -S /var/run/pesign/socket ]; then \
+ elif [ -S /run/pesign/socket ]; then \
%{_pesign_client} -t "OpenSC Card (Fedora Signer)" \\\
-c "/CN=Fedora Secure Boot Signer" \\\
%{-i} %{-o} %{-e} %{-s} %{-C} \
Index: pesign-0.109/src/pesign.sysvinit
===================================================================
--- pesign-0.109.orig/src/pesign.sysvinit
+++ pesign-0.109/src/pesign.sysvinit
@@ -4,7 +4,7 @@
#
# chkconfig: - 50 50
# processname: /usr/bin/pesign
-# pidfile: /var/run/pesign.pid
+# pidfile: /run/pesign.pid
### BEGIN INIT INFO
# Provides: pesign
# Should-Start: $remote_fs
@@ -19,7 +19,7 @@
[ -f /usr/bin/pesign ] || exit 1
-PESIGN_PIDFILE=/var/run/pesign.pid
+PESIGN_PIDFILE=/run/pesign.pid
RETVAL=0
start(){
@@ -28,15 +28,15 @@ start(){
RETVAL=$?
echo
touch /var/lock/subsys/pesign
- setfacl -m u:kojibuilder:x /var/run/pesign
- setfacl -m u:kojibuilder:rw /var/run/pesign/socket
- setfacl -m g:kojibuilder:x /var/run/pesign
- setfacl -m g:kojibuilder:rw /var/run/pesign/socket
+ setfacl -m u:kojibuilder:x /run/pesign
+ setfacl -m u:kojibuilder:rw /run/pesign/socket
+ setfacl -m g:kojibuilder:x /run/pesign
+ setfacl -m g:kojibuilder:rw /run/pesign/socket
}
stop(){
echo -n "Stopping pesign: "
- killproc -p /var/run/pesign.pid pesignd
+ killproc -p /run/pesign.pid pesignd
RETVAL=$?
echo
rm -f /var/lock/subsys/pesign
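Review bot: The four `setfacl` lines in start() are moved to /run with the `kojibuilder` user and group unchanged, while everything else in this package (tmpfiles.conf, the spec's %attr entries) uses `pesign`. These ACLs decide who may talk to the signing daemon's socket, so the grantee should be an account this distribution defines or come from configuration. A failing `setfacl` is also ignored here, because `RETVAL=$?` is taken before these calls.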
Index: pesign-0.109/src/tmpfiles.conf
===================================================================
--- pesign-0.109.orig/src/tmpfiles.conf
+++ pesign-0.109/src/tmpfiles.conf
@@ -1 +1 @@
-D /var/run/pesign 0770 pesign pesign -
+D /run/pesign 0770 pesign pesign -
Hello community,
here is the log from the commit of package jbigkit for openSUSE:Factory checked in at 2014-04-17 14:43:59
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/jbigkit (Old)
and /work/SRC/openSUSE:Factory/.jbigkit.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "jbigkit"
Changes:
--------
--- /work/SRC/openSUSE:Factory/jbigkit/jbigkit.changes 2013-07-19 16:51:59.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.jbigkit.new/jbigkit.changes 2014-04-17 14:44:00.000000000 +0200
@@ -1,0 +2,7 @@
+Tue Apr 15 01:11:00 UTC 2014 - brian(a)aljex.com
+
+- v2.1
+-Fixes bnc#870855
+-Fixes CVE-2013-6369
+
+-------------------------------------------------------------------
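Review bot: The entry names CVE-2013-6369 and bnc#870855 but does not say what the flaw is or which upstream change fixes it, and the fix itself arrives only inside the tarball bump whose diff is skipped further down. Add a one-line description per item so the security fix can be traced from the changelog, and write the last two bullets as `- Fixes ...` (they are missing the space after the dash).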
Old:
----
jbigkit-2.0-shlib.patch
jbigkit-2.0.tar.gz
New:
----
jbigkit-2.1-shlib.patch
jbigkit-2.1.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ jbigkit.spec ++++++
--- /var/tmp/diff_new_pack.vjK7KM/_old 2014-04-17 14:44:01.000000000 +0200
+++ /var/tmp/diff_new_pack.vjK7KM/_new 2014-04-17 14:44:01.000000000 +0200
@@ -1,7 +1,7 @@
#
# spec file for package jbigkit
#
-# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -18,7 +18,7 @@
Name: jbigkit
%define ver_maj 2
-%define ver_min 0
+%define ver_min 1
Version: %{ver_maj}.%{ver_min}
Release: 0
Summary: JBIG1 lossless image compression tools
@@ -69,7 +69,7 @@
formats.
%prep
-%setup -n %name
+%setup
%patch0 -p1
%build
++++++ jbigkit-2.0-shlib.patch -> jbigkit-2.1-shlib.patch ++++++
--- /work/SRC/openSUSE:Factory/jbigkit/jbigkit-2.0-shlib.patch 2012-05-29 14:15:03.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.jbigkit.new/jbigkit-2.1-shlib.patch 2014-04-17 14:44:00.000000000 +0200
@@ -1,28 +1,28 @@
-diff -aur jbigkit/libjbig/Makefile jbigkit+/libjbig/Makefile
---- jbigkit/libjbig/Makefile 2008-08-30 13:20:52.000000000 -0400
-+++ jbigkit+/libjbig/Makefile 2012-04-12 04:56:11.000000000 -0400
-@@ -2,28 +2,33 @@
- # $Id: Makefile 1285 2008-08-18 13:36:45Z mgk25 $
+diff -ruN jbigkit-2.1/libjbig/Makefile jbigkit-2.1-shlib/libjbig/Makefile
+--- jbigkit-2.1/libjbig/Makefile 2014-03-27 14:47:15.000000000 -0400
++++ jbigkit-2.1-shlib/libjbig/Makefile 2014-04-14 19:54:00.000000000 -0400
+@@ -1,28 +1,33 @@
+ # Unix makefile for the JBIG-KIT library
# Select an ANSI/ISO C compiler here, GNU gcc is recommended
-CC = gcc
+CC ?= gcc
# Options for the compiler: A high optimization level is suggested
--CFLAGS = -g -O -Wall -ansi -pedantic # --coverage
-+CFLAGS ?= -g -O -Wall -ansi -pedantic # --coverage
+-CFLAGS = -g -O -W -Wall -ansi -pedantic # --coverage
++CFLAGS ?= -g -O -W -Wall -ansi -pedantic # --coverage
+PICFLAGS := -fPIC -DPIC
--all: libjbig.a tstcodec tstcodec85
+-all: libjbig.a libjbig85.a tstcodec tstcodec85
+all: libjbig.so.$(SOVERSION) libjbig85.so.$(SOVERSION) tstcodec tstcodec85
-tstcodec: tstcodec.o jbig.o jbig_ar.o
-- $(CC) $(CFLAGS) -o tstcodec $+
+- $(CC) $(CFLAGS) -o tstcodec tstcodec.o jbig.o jbig_ar.o
+tstcodec: tstcodec.o libjbig.so
+ $(CC) $(CFLAGS) -o tstcodec $< -L. -ljbig
-tstcodec85: tstcodec85.o jbig85.o jbig_ar.o
-- $(CC) $(CFLAGS) -o tstcodec85 $+
+- $(CC) $(CFLAGS) -o tstcodec85 tstcodec85.o jbig85.o jbig_ar.o
+tstcodec85: tstcodec85.o libjbig85.so
+ $(CC) $(CFLAGS) -o tstcodec85 $^ -L. -ljbig
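Review bot: In the `tstcodec85` rule the link line ends in `-L. -ljbig` although the target depends on `libjbig85.so`; it links only because `$^` puts `libjbig85.so` itself on the command line, and it may record libjbig as an unneeded dependency. Use `$<` with `-ljbig85`, following the pattern of the `tstcodec` rule (`$< -L. -ljbig`).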
@@ -50,8 +50,8 @@
jbig.o: jbig.c jbig.h jbig_ar.h
jbig85.o: jbig85.c jbig85.h jbig_ar.h
-@@ -37,12 +42,12 @@
- --msgid-bugs-address='http://www.cl.cam.ac.uk/~mgk25/jbigkit/' $+
+@@ -43,13 +48,13 @@
+ clang --analyze *.c
test: tstcodec tstcodec85
- ./tstcodec
@@ -64,75 +64,85 @@
+ LD_LIBRARY_PATH=`pwd` ./tstcodec $@
clean:
- rm -f *.{o,gcda,gcno,gcov} *~ core gmon.out dbg_d\=??.pbm t82test.pbm
+ rm -f *.o *.gcda *.gcno *.gcov *.plist *~ core gmon.out dbg_d\=??.pbm
+ rm -f t82test.pbm
- rm -f tstcodec tstcodec85
+ rm -f tstcodec tstcodec85 libjbig*.so libjbig*.so.$(SOVERSION) libjbig*.so.$(VERSION)
-diff -aur jbigkit/Makefile jbigkit+/Makefile
---- jbigkit/Makefile 2008-08-30 16:40:22.000000000 -0400
-+++ jbigkit+/Makefile 2012-04-12 04:55:40.000000000 -0400
-@@ -2,33 +2,35 @@
- # $Id: Makefile 1303 2008-08-30 20:16:20Z mgk25 $
+diff -ruN jbigkit-2.1/Makefile jbigkit-2.1-shlib/Makefile
+--- jbigkit-2.1/Makefile 2014-03-27 14:47:15.000000000 -0400
++++ jbigkit-2.1-shlib/Makefile 2014-04-14 20:59:40.000000000 -0400
+@@ -1,37 +1,39 @@
+ # Unix makefile for JBIG-KIT
# Select an ANSI/ISO C compiler here, GNU gcc is recommended
-CC = gcc
+CC ?= gcc
# Options for the compiler: A high optimization level is suggested
- CCFLAGS = -O2 -W
- #CCFLAGS = -O -g -W -Wall -ansi -pedantic #-DDEBUG # developer only
+-CFLAGS = -O2 -W -Wno-unused-result
++CFLAGS ?= -O2 -W -Wno-unused-result
+ # CFLAGS = -O -g -W -Wall -Wno-unused-result -ansi -pedantic # -DDEBUG
--CFLAGS = $(CCFLAGS) -I../libjbig
-+CFLAGS ?= $(CCFLAGS) -I../libjbig
+ export CC CFLAGS
- VERSION=2.0
+ VERSION=2.1
+SOVERSION = $(basename $(VERSION))
-+export VERSION SOVERSION CFLAGS CC
++export VERSION SOVERSION
all: lib pbm
@echo "Enter 'make test' in order to start some automatic tests."
lib:
-- (cd libjbig; make "CC=$(CC)" "CFLAGS=$(CFLAGS)")
+- cd libjbig && $(MAKE) -e
+ make -C libjbig
pbm: lib
-- (cd pbmtools; make "CC=$(CC)" "CFLAGS=$(CFLAGS)")
+- cd pbmtools && $(MAKE) -e
+ make -C pbmtools
test: lib pbm
-- (cd libjbig; make "CC=$(CC)" "CFLAGS=$(CFLAGS)" test)
-- (cd pbmtools; make "CC=$(CC)" "CFLAGS=$(CFLAGS)" test)
+- cd libjbig && $(MAKE) test
+- cd pbmtools && $(MAKE) test
+ LD_LIBRARY_PATH=`pwd`/libjbig make -C libjbig test
+ LD_LIBRARY_PATH=`pwd`/libjbig make -C pbmtools test
+ analyze:
+- cd libjbig && $(MAKE) analyze
+- cd pbmtools && $(MAKE) analyze
++ make -C libjbig analyze
++ make -C pbmtools analyze
+
clean:
rm -f *~ core
-- (cd libjbig; make clean)
-- (cd pbmtools; make clean)
+- cd libjbig && $(MAKE) clean
+- cd pbmtools && $(MAKE) clean
+ make -C libjbig clean
+ make -C pbmtools clean
- distribution: clean
- rm -f libjbig/libjbig*.a
-diff -aur jbigkit/pbmtools/Makefile jbigkit+/pbmtools/Makefile
---- jbigkit/pbmtools/Makefile 2008-08-25 18:26:39.000000000 -0400
-+++ jbigkit+/pbmtools/Makefile 2012-04-12 04:55:18.000000000 -0400
-@@ -2,26 +2,26 @@
- # $Id: Makefile 1293 2008-08-25 22:26:39Z mgk25 $
+ distribution:
+ rm -rf jbigkit-$(VERSION)
+diff -ruN jbigkit-2.1/pbmtools/Makefile jbigkit-2.1-shlib/pbmtools/Makefile
+--- jbigkit-2.1/pbmtools/Makefile 2014-03-27 14:47:15.000000000 -0400
++++ jbigkit-2.1-shlib/pbmtools/Makefile 2014-04-14 21:04:14.000000000 -0400
+@@ -1,29 +1,29 @@
+ # Unix makefile for the JBIG-KIT PBM tools
# Select an ANSI/ISO C compiler here, e.g. GNU gcc is recommended
-CC = gcc
+CC ?= gcc
# Options for the compiler
--CFLAGS = -g -Wall -ansi -pedantic -I../libjbig # --coverage
-+CFLAGS ?= -g -Wall -ansi -pedantic -I../libjbig # --coverage
+-CFLAGS = -g -O -W -Wall -Wno-unused-result -ansi -pedantic # --coverage
++CFLAGS ?= -g -O -W -Wall -Wno-unused-result -ansi -pedantic # --coverage
+ CPPFLAGS = -I../libjbig
.SUFFIXES: .1 .5 .txt $(SUFFIXES)
+ .PHONY: txt test test82 test85 clean
+
+-all: pbmtojbg jbgtopbm pbmtojbg85 jbgtopbm85 txt
++all: pbmtojbg jbgtopbm pbmtojbg85 jbgtopbm85 # txt
- all: pbmtojbg jbgtopbm pbmtojbg85 jbgtopbm85 \
-- pbmtojbg.txt jbgtopbm.txt pbm.txt pgm.txt
-+# pbmtojbg.txt jbgtopbm.txt pbm.txt pgm.txt
+ txt: pbmtojbg.txt jbgtopbm.txt pbm.txt pgm.txt
-pbmtojbg: pbmtojbg.o ../libjbig/libjbig.a
+pbmtojbg: pbmtojbg.o ../libjbig/libjbig.so
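Review bot: The sub-directory rules call a literal `make -C ...` (`make -C libjbig`, `make -C pbmtools`, and the newly added `make -C libjbig analyze`) where upstream 2.1 uses `$(MAKE)`. A literal `make` is not treated as a recursive invocation, so the jobserver is not shared with the sub-make and the build breaks if it is driven by a differently named make binary; write `$(MAKE) -C libjbig` and so on. The pbmtools `all:` target also comments out `txt` without a reason in the patch or the changelog.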
@@ -151,7 +161,7 @@
$(CC) $(CFLAGS) -o jbgtopbm85 jbgtopbm85.o -L../libjbig -ljbig85
jbgtopbm.o: jbgtopbm.c ../libjbig/jbig.h
-@@ -29,13 +29,13 @@
+@@ -31,13 +31,13 @@
jbgtopbm85.o: jbgtopbm85.c ../libjbig/jbig85.h
pbmtojbg85.o: pbmtojbg85.c ../libjbig/jbig85.h
@@ -167,5 +177,5 @@
- make -C ../libjbig libjbig85.a
+ make -C ../libjbig libjbig85.so
- test: test82 test85
-
+ analyze:
+ clang $(CPPFLAGS) --analyze *.c
++++++ jbigkit-2.0.tar.gz -> jbigkit-2.1.tar.gz ++++++
++++ 2035 lines of diff (skipped)
Hello community,
here is the log from the commit of package bluez for openSUSE:Factory checked in at 2014-04-17 14:43:56
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/bluez (Old)
and /work/SRC/openSUSE:Factory/.bluez.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "bluez"
Changes:
--------
--- /work/SRC/openSUSE:Factory/bluez/bluez.changes 2014-04-05 16:49:49.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.bluez.new/bluez.changes 2014-04-17 14:43:57.000000000 +0200
@@ -1,0 +2,13 @@
+Sun Apr 13 10:46:02 UTC 2014 - seife+obs(a)b1-systems.com
+
+- update to version 5.18
+ "This is mostly a bug fix release with issues fixed regarding LE
+ single mode device detection and incorrect getpeername() calls
+ which could have caused incorrect SDP records for profiles
+ (mainly those using the Profile D-Bus interface with RFCOMM
+ channel auto-allocation).
+ On the OBEX side we now have full OBEX authentication support,
+ which is a fairly useless feature in practice but a mandatory
+ one for qualification of some OBEX profiles."
+
+-------------------------------------------------------------------
Old:
----
bluez-5.17.tar.xz
New:
----
bluez-5.18.tar.xz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ bluez.spec ++++++
--- /var/tmp/diff_new_pack.KGoHnE/_old 2014-04-17 14:43:58.000000000 +0200
+++ /var/tmp/diff_new_pack.KGoHnE/_new 2014-04-17 14:43:58.000000000 +0200
@@ -24,7 +24,7 @@
BuildRequires: systemd-devel
BuildRequires: pkgconfig(dbus-1) >= 1.4
%{?systemd_requires}
-Version: 5.17
+Version: 5.18
Release: 0
Summary: Bluetooth Stack for Linux
License: GPL-2.0+
++++++ bluez-5.17.tar.xz -> bluez-5.18.tar.xz ++++++
++++ 15656 lines of diff (skipped)
Hello community,
here is the log from the commit of package zypper for openSUSE:Factory checked in at 2014-04-17 14:43:52
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/zypper (Old)
and /work/SRC/openSUSE:Factory/.zypper.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "zypper"
Changes:
--------
--- /work/SRC/openSUSE:Factory/zypper/zypper.changes 2014-04-15 11:45:23.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.zypper.new/zypper.changes 2014-04-17 14:43:54.000000000 +0200
@@ -1,0 +2,6 @@
+Tue Apr 15 17:27:28 CEST 2014 - ma(a)suse.de
+
+- Add 'download' command (Fate#317077)
+- version 1.11.4
+
+-------------------------------------------------------------------
Old:
----
zypper-1.11.3.tar.bz2
New:
----
zypper-1.11.4.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ zypper.spec ++++++
--- /var/tmp/diff_new_pack.IWR1lG/_old 2014-04-17 14:43:55.000000000 +0200
+++ /var/tmp/diff_new_pack.IWR1lG/_new 2014-04-17 14:43:55.000000000 +0200
@@ -22,7 +22,7 @@
BuildRequires: cmake >= 2.4.6
BuildRequires: gcc-c++ >= 4.7
BuildRequires: gettext-devel >= 0.15
-BuildRequires: libzypp-devel >= 14.17.3
+BuildRequires: libzypp-devel >= 14.17.5
BuildRequires: readline-devel >= 5.1
Requires: procps
%if 0%{?suse_version}
@@ -33,7 +33,7 @@
Summary: Command line software manager using libzypp
License: GPL-2.0+
Group: System/Packages
-Version: 1.11.3
+Version: 1.11.4
Release: 0
Source: %{name}-%{version}.tar.bz2
Source1: %{name}-rpmlintrc
++++++ zypper-1.11.3.tar.bz2 -> zypper-1.11.4.tar.bz2 ++++++
/work/SRC/openSUSE:Factory/zypper/zypper-1.11.3.tar.bz2 /work/SRC/openSUSE:Factory/.zypper.new/zypper-1.11.4.tar.bz2 differ: char 11, line 1
Hello community,
here is the log from the commit of package libzypp for openSUSE:Factory checked in at 2014-04-17 14:43:49
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libzypp (Old)
and /work/SRC/openSUSE:Factory/.libzypp.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libzypp"
Changes:
--------
--- /work/SRC/openSUSE:Factory/libzypp/libzypp.changes 2014-04-13 13:13:51.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.libzypp.new/libzypp.changes 2014-04-17 14:43:50.000000000 +0200
@@ -1,0 +2,6 @@
+Tue Apr 15 17:03:30 CEST 2014 - ma(a)suse.de
+
+- Factor out CommitPackageCache for standalone usage. (Fate#317077)
+- version 14.17.5 (17)
+
+-------------------------------------------------------------------
Old:
----
libzypp-14.17.4.tar.bz2
New:
----
libzypp-14.17.5.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libzypp.spec ++++++
--- /var/tmp/diff_new_pack.mbIeho/_old 2014-04-17 14:43:51.000000000 +0200
+++ /var/tmp/diff_new_pack.mbIeho/_new 2014-04-17 14:43:51.000000000 +0200
@@ -23,7 +23,7 @@
Summary: Package, Patch, Pattern, and Product Management
License: GPL-2.0+
Group: System/Packages
-Version: 14.17.4
+Version: 14.17.5
Release: 0
Source: %{name}-%{version}.tar.bz2
Source1: %{name}-rpmlintrc
++++++ libzypp-14.17.4.tar.bz2 -> libzypp-14.17.5.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libzypp-14.17.4/VERSION.cmake new/libzypp-14.17.5/VERSION.cmake
--- old/libzypp-14.17.4/VERSION.cmake 2014-04-11 16:20:47.000000000 +0200
+++ new/libzypp-14.17.5/VERSION.cmake 2014-04-15 17:04:45.000000000 +0200
@@ -61,8 +61,8 @@
SET(LIBZYPP_MAJOR "14")
SET(LIBZYPP_COMPATMINOR "17")
SET(LIBZYPP_MINOR "17")
-SET(LIBZYPP_PATCH "4")
+SET(LIBZYPP_PATCH "5")
#
-# LAST RELEASED: 14.17.4 (17)
+# LAST RELEASED: 14.17.5 (17)
# (The number in parenthesis is LIBZYPP_COMPATMINOR)
#=======
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libzypp-14.17.4/package/libzypp.changes new/libzypp-14.17.5/package/libzypp.changes
--- old/libzypp-14.17.4/package/libzypp.changes 2014-04-11 16:20:47.000000000 +0200
+++ new/libzypp-14.17.5/package/libzypp.changes 2014-04-15 17:04:45.000000000 +0200
@@ -1,4 +1,10 @@
-------------------------------------------------------------------
+Tue Apr 15 17:03:30 CEST 2014 - ma(a)suse.de
+
+- Factor out CommitPackageCache for standalone usage. (Fate#317077)
+- version 14.17.5 (17)
+
+-------------------------------------------------------------------
Fri Apr 11 16:16:11 CEST 2014 - ma(a)suse.de
- history: log %posttrans errors and output
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libzypp-14.17.4/zypp/CpeId.cc new/libzypp-14.17.5/zypp/CpeId.cc
--- old/libzypp-14.17.4/zypp/CpeId.cc 2014-04-08 13:28:12.000000000 +0200
+++ new/libzypp-14.17.5/zypp/CpeId.cc 2014-04-15 18:04:44.000000000 +0200
@@ -9,6 +9,7 @@
/** \file zypp/CpeId.cc
*/
#include <iostream>
+#include <array>
#include "zypp/base/String.h"
#include "zypp/base/LogTools.h"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libzypp-14.17.4/zypp/Repository.cc new/libzypp-14.17.5/zypp/Repository.cc
--- old/libzypp-14.17.4/zypp/Repository.cc 2014-04-04 14:32:12.000000000 +0200
+++ new/libzypp-14.17.5/zypp/Repository.cc 2014-04-15 17:04:45.000000000 +0200
@@ -337,8 +337,8 @@
std::ostream & dumpAsXmlOn( std::ostream & str, const Repository & obj )
{
return xmlout::node( str, "repository", {
- { "alias", obj.name() },
- { "name", obj.alias() }
+ { "name", obj.name() },
+ { "alias", obj.alias() }
} );
}
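Review bot: Swapping the values of the `alias` and `name` attributes in `dumpAsXmlOn` changes what every consumer of this XML output reads after the update, yet the libzypp.changes entry for 14.17.5 mentions only the CommitPackageCache refactoring. Record the fix in the changelog and add a test that pins `name` to `obj.name()` and `alias` to `obj.alias()`.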
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libzypp-14.17.4/zypp/parser/xml/XmlEscape.h new/libzypp-14.17.5/zypp/parser/xml/XmlEscape.h
--- old/libzypp-14.17.4/zypp/parser/xml/XmlEscape.h 2014-01-14 18:20:53.000000000 +0100
+++ new/libzypp-14.17.5/zypp/parser/xml/XmlEscape.h 2014-04-15 17:04:45.000000000 +0200
@@ -29,8 +29,10 @@
{
EscapedString( const std::string & in_r ) : _in( in_r ) {}
std::ostream & dumpOn( std::ostream & str ) const;
- operator std::string() const
+ std::string asString() const
{ std::ostringstream str; dumpOn( str ); return str.str(); }
+ operator std::string() const
+ { return asString(); }
private:
const std::string & _in;
};
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libzypp-14.17.4/zypp/target/CommitPackageCache.cc new/libzypp-14.17.5/zypp/target/CommitPackageCache.cc
--- old/libzypp-14.17.4/zypp/target/CommitPackageCache.cc 2013-03-20 09:29:30.000000000 +0100
+++ new/libzypp-14.17.5/zypp/target/CommitPackageCache.cc 2014-04-15 17:04:45.000000000 +0200
@@ -19,6 +19,11 @@
using std::endl;
+#include "zypp/target/rpm/librpmDb.h"
+#include "zypp/repo/PackageProvider.h"
+#include "zypp/repo/DeltaCandidates.h"
+#include "zypp/ResPool.h"
+
///////////////////////////////////////////////////////////////////
namespace zypp
{ /////////////////////////////////////////////////////////////////
@@ -27,6 +32,71 @@
{ /////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////
+ namespace {
+ ///////////////////////////////////////////////////////////////////
+ /// \class QueryInstalledEditionHelper
+ /// \short Helper for PackageProvider queries during download.
+ ///////////////////////////////////////////////////////////////////
+ struct QueryInstalledEditionHelper
+ {
+ bool operator()( const std::string & name_r, const Edition & ed_r, const Arch & arch_r ) const
+ {
+ rpm::librpmDb::db_const_iterator it;
+ for ( it.findByName( name_r ); *it; ++it )
+ {
+ if ( arch_r == it->tag_arch()
+ && ( ed_r == Edition::noedition || ed_r == it->tag_edition() ) )
+ {
+ return true;
+ }
+ }
+ return false;
+ }
+ };
+ } // namespace
+ ///////////////////////////////////////////////////////////////////
+
+ ///////////////////////////////////////////////////////////////////
+ //
+ // class RepoProvidePackage
+ //
+ ///////////////////////////////////////////////////////////////////
+
+ struct RepoProvidePackage::Impl
+ {
+ repo::RepoMediaAccess _access;
+ std::list<Repository> _repos;
+ repo::PackageProviderPolicy _packageProviderPolicy;
+ };
+
+ RepoProvidePackage::RepoProvidePackage()
+ : _impl( new Impl )
+ {
+ const ResPool & pool( ResPool::instance() );
+ _impl->_repos.insert( _impl->_repos.begin(), pool.knownRepositoriesBegin(), pool.knownRepositoriesEnd() );
+ _impl->_packageProviderPolicy.queryInstalledCB( QueryInstalledEditionHelper() );
+ }
+
+ RepoProvidePackage::~RepoProvidePackage()
+ {}
+
+ ManagedFile RepoProvidePackage::operator()( const PoolItem & pi, bool fromCache_r )
+ {
+ Package::constPtr p = asKind<Package>(pi.resolvable());
+ if ( fromCache_r )
+ {
+ repo::PackageProvider pkgProvider( _impl->_access, p, repo::DeltaCandidates(), _impl->_packageProviderPolicy );
+ return pkgProvider.providePackageFromCache();
+ }
+ else
+ {
+ repo::DeltaCandidates deltas( _impl->_repos, p->name() );
+ repo::PackageProvider pkgProvider( _impl->_access, p, deltas, _impl->_packageProviderPolicy );
+ return pkgProvider.providePackage();
+ }
+ }
+
+ ///////////////////////////////////////////////////////////////////
//
// CLASS NAME : CommitPackageCache
//
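Review bot: In `RepoProvidePackage::operator()` the result of `asKind<Package>(pi.resolvable())` is used without a check: `p` is handed to `PackageProvider` and dereferenced in `p->name()`. For an item that is not a Package the pointer would be null, so return early or throw before building `DeltaCandidates`. The constructor also copies the known repositories from `ResPool::instance()` once, and the class comment should say that repositories added afterwards are not considered.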
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libzypp-14.17.4/zypp/target/CommitPackageCache.h new/libzypp-14.17.5/zypp/target/CommitPackageCache.h
--- old/libzypp-14.17.4/zypp/target/CommitPackageCache.h 2014-01-24 08:44:53.000000000 +0100
+++ new/libzypp-14.17.5/zypp/target/CommitPackageCache.h 2014-04-15 17:04:45.000000000 +0200
@@ -29,6 +29,27 @@
{ /////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////
+ /// \class RepoProvidePackage
+ /// \short Default PackageProvider for \ref CommitPackageCache
+ ///
+ /// \p pool_r \ref ResPool used to get candidates
+ /// \p pi item to be commited
+ ///////////////////////////////////////////////////////////////////
+ class RepoProvidePackage
+ {
+ public:
+ RepoProvidePackage();
+ ~RepoProvidePackage();
+
+ /** Provide package optionally fron cache only. */
+ ManagedFile operator()( const PoolItem & pi, bool fromCache_r );
+
+ private:
+ struct Impl;
+ RW_pointer<Impl> _impl;
+ };
+
+ ///////////////////////////////////////////////////////////////////
//
// CLASS NAME : CommitPackageCache
//
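Review bot: the doc block on RepoProvidePackage still describes "\p pool_r" and "\p pi" as if they were constructor parameters, but the declared constructor RepoProvidePackage() takes none; pi belongs to operator() only. Please drop the pool_r line or say where the repositories now come from, and fix the spelling in "optionally fron cache only" and "commited" while touching it.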
@@ -44,7 +65,7 @@
public:
/** Ctor */
CommitPackageCache( const Pathname & rootDir_r,
- const PackageProvider & packageProvider_r );
+ const PackageProvider & packageProvider_r = RepoProvidePackage() );
/** Dtor */
~CommitPackageCache();
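Review bot: with the new default for packageProvider_r, this constructor can be called with a single Pathname, so it now acts as an implicit conversion from Pathname to CommitPackageCache unless it is declared explicit. No explicit is visible on the declaration here; adding it would avoid accidental conversions. The header should also state that the default provider takes its candidates from the known repositories, since callers can no longer see that at the call site.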
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libzypp-14.17.4/zypp/target/TargetImpl.cc new/libzypp-14.17.5/zypp/target/TargetImpl.cc
--- old/libzypp-14.17.4/zypp/target/TargetImpl.cc 2014-04-04 14:47:40.000000000 +0200
+++ new/libzypp-14.17.5/zypp/target/TargetImpl.cc 2014-04-15 17:04:45.000000000 +0200
@@ -51,8 +51,6 @@
#include "zypp/solver/detail/Testcase.h"
-#include "zypp/repo/DeltaCandidates.h"
-#include "zypp/repo/PackageProvider.h"
#include "zypp/repo/SrcPackageProvider.h"
#include "zypp/sat/Pool.h"
@@ -744,59 +742,6 @@
ZYppCommitResult & result_r )
{ RunUpdateMessages( root_r, messagesPath_r, checkPackages_r, result_r ); }
- /** Helper for PackageProvider queries during commit. */
- struct QueryInstalledEditionHelper
- {
- bool operator()( const std::string & name_r,
- const Edition & ed_r,
- const Arch & arch_r ) const
- {
- rpm::librpmDb::db_const_iterator it;
- for ( it.findByName( name_r ); *it; ++it )
- {
- if ( arch_r == it->tag_arch()
- && ( ed_r == Edition::noedition || ed_r == it->tag_edition() ) )
- {
- return true;
- }
- }
- return false;
- }
- };
-
- /**
- * \short Let the Source provide the package.
- * \p pool_r \ref ResPool used to get candidates
- * \p pi item to be commited
- */
- struct RepoProvidePackage
- {
- repo::RepoMediaAccess &_access;
- std::list<Repository> _repos;
- repo::PackageProviderPolicy _packageProviderPolicy;
-
- RepoProvidePackage( repo::RepoMediaAccess &access, ResPool pool_r )
- : _access(access), _repos( pool_r.knownRepositoriesBegin(), pool_r.knownRepositoriesEnd() )
- {
- _packageProviderPolicy.queryInstalledCB( QueryInstalledEditionHelper() );
- }
-
- ManagedFile operator()( const PoolItem & pi, bool fromCache_r )
- {
- Package::constPtr p = asKind<Package>(pi.resolvable());
- if ( fromCache_r )
- {
- repo::PackageProvider pkgProvider( _access, p, repo::DeltaCandidates(), _packageProviderPolicy );
- return pkgProvider.providePackageFromCache();
- }
- else
- {
- repo::DeltaCandidates deltas( _repos, p->name() );
- repo::PackageProvider pkgProvider( _access, p, deltas, _packageProviderPolicy );
- return pkgProvider.providePackage();
- }
- }
- };
///////////////////////////////////////////////////////////////////
IMPL_PTR_TYPE(TargetImpl);
@@ -1356,9 +1301,7 @@
if ( ! policy_r.dryRun() || policy_r.downloadMode() == DownloadOnly )
{
// Prepare the package cache. Pass all items requiring download.
- repo::RepoMediaAccess access;
- RepoProvidePackage repoProvidePackage( access, pool_r );
- CommitPackageCache packageCache( root(), repoProvidePackage );
+ CommitPackageCache packageCache( root() );
packageCache.setCommitList( steps.begin(), steps.end() );
bool miss = false;
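Review bot: the call site used to pass pool_r into RepoProvidePackage, and now CommitPackageCache( root() ) relies on the default provider, whose constructor fills _repos from a pool object it obtains itself (pool.knownRepositoriesBegin() in CommitPackageCache.cc). Please confirm that this is always the same pool commit was invoked with, and note in the commit message that the RepoMediaAccess lifetime has moved from this stack frame into the provider's Impl.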
Hello community,
here is the log from the commit of package openssh for openSUSE:Factory checked in at 2014-04-17 14:43:46
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openssh (Old)
and /work/SRC/openSUSE:Factory/.openssh.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssh"
Changes:
--------
--- /work/SRC/openSUSE:Factory/openssh/openssh-askpass-gnome.changes 2014-02-15 17:17:38.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.openssh.new/openssh-askpass-gnome.changes 2014-04-17 14:43:48.000000000 +0200
@@ -1,0 +2,5 @@
+Fri Apr 11 21:50:51 UTC 2014 - pcerny(a)suse.com
+
+- Update of the underlying OpenSSH to 6.6p1
+
+-------------------------------------------------------------------
--- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2014-03-31 20:43:02.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.openssh.new/openssh.changes 2014-04-17 14:43:48.000000000 +0200
@@ -1,0 +2,58 @@
+Tue Apr 15 09:26:16 UTC 2014 - rhafer(a)suse.com
+
+- Remove uneeded dependency on the OpenLDAP server (openldap2)
+ from openssh-helpers. openssh-helpers just depends on the
+ openldap client libraries, which will be auto-generated by rpm.
+
+-------------------------------------------------------------------
+Fri Apr 11 21:50:51 UTC 2014 - pcerny(a)suse.com
+
+- update to 6.6p1
+ Security:
+ * sshd(8): when using environment passing with a sshd_config(5)
+ AcceptEnv pattern with a wildcard. OpenSSH prior to 6.6 could
+ be tricked into accepting any enviornment variable that
+ contains the characters before the wildcard character.
+ Features since 6.5p1:
+ * ssh(1), sshd(8): removal of the J-PAKE authentication code,
+ which was experimental, never enabled and has been
+ unmaintained for some time.
+ * ssh(1): skip 'exec' clauses other clauses predicates failed
+ to match while processing Match blocks.
+ * ssh(1): if hostname canonicalisation is enabled and results
+ in the destination hostname being changed, then re-parse
+ ssh_config(5) files using the new destination hostname. This
+ gives 'Host' and 'Match' directives that use the expanded
+ hostname a chance to be applied.
+ Bugfixes:
+ * ssh(1): avoid spurious "getsockname failed: Bad file
+ descriptor" in ssh -W. bz#2200, debian#738692
+ * sshd(8): allow the shutdown(2) syscall in seccomp-bpf and
+ systrace sandbox modes, as it is reachable if the connection
+ is terminated during the pre-auth phase.
+ * ssh(1), sshd(8): fix unsigned overflow that in SSH protocol 1
+ bignum parsing. Minimum key length checks render this bug
+ unexploitable to compromise SSH 1 sessions.
+ * sshd_config(5): clarify behaviour of a keyword that appears
+ in multiple matching Match blocks. bz#2184
+ * ssh(1): avoid unnecessary hostname lookups when
+ canonicalisation is disabled. bz#2205
+ * sshd(8): avoid sandbox violation crashes in GSSAPI code by
+ caching the supported list of GSSAPI mechanism OIDs before
+ entering the sandbox. bz#2107
+ * ssh(1): fix possible crashes in SOCKS4 parsing caused by
+ assumption that the SOCKS username is nul-terminated.
+ * ssh(1): fix regression for UsePrivilegedPort=yes when
+ BindAddress is not specified.
+ * ssh(1), sshd(8): fix memory leak in ECDSA signature
+ verification.
+ * ssh(1): fix matching of 'Host' directives in ssh_config(5)
+ files to be case-insensitive again (regression in 6.5).
+- FIPS checks in sftp-server
+
+-------------------------------------------------------------------
+Mon Mar 31 01:22:21 UTC 2014 - pcerny(a)suse.com
+
+- FIPS checks during ssh client and daemon startup
+ (-fips-checks.patch)
+-------------------------------------------------------------------
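Review bot: the "Security:" item for the AcceptEnv wildcard issue in the 6.6p1 entry carries no bug or advisory reference, unlike the Bugfixes items that cite bz# numbers, which makes the fix hard to track from the changelog alone; please add the tracker reference. Two spelling slips are also worth fixing ("uneeded" in the rhafer entry, "enviornment" in the Security item), and the Mar 31 entry is missing the empty line before its closing separator that the other entries have.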
Old:
----
openssh-6.5p1-X11-forwarding.patch
openssh-6.5p1-X_forward_with_disabled_ipv6.patch
openssh-6.5p1-audit1-remove_duplicit_audit.patch
openssh-6.5p1-audit2-better_audit_of_user_actions.patch
openssh-6.5p1-audit3-key_auth_usage.patch
openssh-6.5p1-audit4-kex_results.patch
openssh-6.5p1-audit5-session_key_destruction.patch
openssh-6.5p1-audit6-server_key_destruction.patch
openssh-6.5p1-audit7-libaudit_compat.patch
openssh-6.5p1-audit8-libaudit_dns_timeouts.patch
openssh-6.5p1-blocksigalrm.patch
openssh-6.5p1-default-protocol.patch
openssh-6.5p1-disable-openssl-abi-check.patch
openssh-6.5p1-eal3.patch
openssh-6.5p1-fingerprint_hash.patch
openssh-6.5p1-fips.patch
openssh-6.5p1-gssapi_key_exchange.patch
openssh-6.5p1-gssapimitm.patch
openssh-6.5p1-host_ident.patch
openssh-6.5p1-key-converter.patch
openssh-6.5p1-lastlog.patch
openssh-6.5p1-ldap.patch
openssh-6.5p1-login_options.patch
openssh-6.5p1-no_fork-no_pid_file.patch
openssh-6.5p1-pam-check-locks.patch
openssh-6.5p1-pam-fix2.patch
openssh-6.5p1-pam-fix3.patch
openssh-6.5p1-pts.patch
openssh-6.5p1-saveargv-fix.patch
openssh-6.5p1-seccomp_getuid.patch
openssh-6.5p1-seed-prng.patch
openssh-6.5p1-send_locale.patch
openssh-6.5p1-sftp_force_permissions.patch
openssh-6.5p1-sftp_homechroot.patch
openssh-6.5p1-xauth.patch
openssh-6.5p1-xauthlocalhostname.patch
openssh-6.5p1.tar.gz
New:
----
openssh-6.6p1-X11-forwarding.patch
openssh-6.6p1-X_forward_with_disabled_ipv6.patch
openssh-6.6p1-audit1-remove_duplicit_audit.patch
openssh-6.6p1-audit2-better_audit_of_user_actions.patch
openssh-6.6p1-audit3-key_auth_usage.patch
openssh-6.6p1-audit3_fips-key_auth_usage.patch
openssh-6.6p1-audit4-kex_results.patch
openssh-6.6p1-audit4_fips-kex_results.patch
openssh-6.6p1-audit5-session_key_destruction.patch
openssh-6.6p1-audit6-server_key_destruction.patch
openssh-6.6p1-audit7-libaudit_compat.patch
openssh-6.6p1-audit8-libaudit_dns_timeouts.patch
openssh-6.6p1-blocksigalrm.patch
openssh-6.6p1-default-protocol.patch
openssh-6.6p1-disable-openssl-abi-check.patch
openssh-6.6p1-eal3.patch
openssh-6.6p1-fingerprint_hash.patch
openssh-6.6p1-fips-checks.patch
openssh-6.6p1-fips.patch
openssh-6.6p1-gssapi_key_exchange.patch
openssh-6.6p1-gssapimitm.patch
openssh-6.6p1-host_ident.patch
openssh-6.6p1-key-converter.patch
openssh-6.6p1-lastlog.patch
openssh-6.6p1-ldap.patch
openssh-6.6p1-login_options.patch
openssh-6.6p1-no_fork-no_pid_file.patch
openssh-6.6p1-pam-check-locks.patch
openssh-6.6p1-pam-fix2.patch
openssh-6.6p1-pam-fix3.patch
openssh-6.6p1-pts.patch
openssh-6.6p1-saveargv-fix.patch
openssh-6.6p1-seccomp_getuid.patch
openssh-6.6p1-seed-prng.patch
openssh-6.6p1-send_locale.patch
openssh-6.6p1-sftp_force_permissions.patch
openssh-6.6p1-sftp_homechroot.patch
openssh-6.6p1-xauth.patch
openssh-6.6p1-xauthlocalhostname.patch
openssh-6.6p1.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ openssh-askpass-gnome.spec ++++++
--- /var/tmp/diff_new_pack.RHz5yM/_old 2014-04-17 14:43:49.000000000 +0200
+++ /var/tmp/diff_new_pack.RHz5yM/_new 2014-04-17 14:43:49.000000000 +0200
@@ -26,7 +26,7 @@
BuildRequires: pam-devel
BuildRequires: tcpd-devel
BuildRequires: update-desktop-files
-Version: 6.5p1
+Version: 6.6p1
Release: 0
Requires: openssh = %{version}
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
++++++ openssh.spec ++++++
--- /var/tmp/diff_new_pack.RHz5yM/_old 2014-04-17 14:43:49.000000000 +0200
+++ /var/tmp/diff_new_pack.RHz5yM/_new 2014-04-17 14:43:49.000000000 +0200
@@ -91,7 +91,7 @@
Conflicts: nonfreessh
Recommends: xauth
Recommends: %{name}-helpers
-Version: 6.5p1
+Version: 6.6p1
Release: 0
Summary: Secure Shell Client and Server (Remote Login Program)
License: BSD-3-Clause and MIT
@@ -108,43 +108,45 @@
Source8: sysconfig.ssh
Source9: sshd-gen-keys-start
Source10: sshd.service
-Patch1: openssh-6.5p1-key-converter.patch
-Patch2: openssh-6.5p1-X11-forwarding.patch
-Patch3: openssh-6.5p1-lastlog.patch
-Patch4: openssh-6.5p1-pam-fix2.patch
-Patch5: openssh-6.5p1-saveargv-fix.patch
-Patch6: openssh-6.5p1-pam-fix3.patch
-Patch7: openssh-6.5p1-gssapimitm.patch
-Patch8: openssh-6.5p1-eal3.patch
-Patch9: openssh-6.5p1-blocksigalrm.patch
-Patch10: openssh-6.5p1-send_locale.patch
-Patch11: openssh-6.5p1-xauthlocalhostname.patch
-Patch12: openssh-6.5p1-xauth.patch
-Patch13: openssh-6.5p1-default-protocol.patch
-Patch14: openssh-6.5p1-pts.patch
-Patch15: openssh-6.5p1-pam-check-locks.patch
-Patch16: openssh-6.5p1-fingerprint_hash.patch
-Patch17: openssh-6.5p1-audit1-remove_duplicit_audit.patch
-Patch18: openssh-6.5p1-audit2-better_audit_of_user_actions.patch
-Patch19: openssh-6.5p1-audit3-key_auth_usage.patch
-Patch20: openssh-6.5p1-audit4-kex_results.patch
-Patch21: openssh-6.5p1-audit5-session_key_destruction.patch
-Patch22: openssh-6.5p1-audit6-server_key_destruction.patch
-Patch23: openssh-6.5p1-audit7-libaudit_compat.patch
-Patch24: openssh-6.5p1-audit8-libaudit_dns_timeouts.patch
-Patch25: openssh-6.5p1-seed-prng.patch
-Patch26: openssh-6.5p1-ldap.patch
-Patch27: openssh-6.5p1-fips.patch
-Patch28: openssh-6.5p1-gssapi_key_exchange.patch
-Patch29: openssh-6.5p1-login_options.patch
-Patch30: openssh-6.5p1-disable-openssl-abi-check.patch
-Patch31: openssh-6.5p1-no_fork-no_pid_file.patch
-Patch32: openssh-6.5p1-host_ident.patch
-Patch33: openssh-6.5p1-sftp_homechroot.patch
-Patch34: openssh-6.5p1-sftp_force_permissions.patch
-Patch35: openssh-6.5p1-seccomp_getuid.patch
-Patch36: openssh-6.5p1-X_forward_with_disabled_ipv6.patch
-
+Patch1: openssh-6.6p1-key-converter.patch
+Patch2: openssh-6.6p1-X11-forwarding.patch
+Patch3: openssh-6.6p1-lastlog.patch
+Patch4: openssh-6.6p1-pam-fix2.patch
+Patch5: openssh-6.6p1-saveargv-fix.patch
+Patch6: openssh-6.6p1-pam-fix3.patch
+Patch7: openssh-6.6p1-gssapimitm.patch
+Patch8: openssh-6.6p1-eal3.patch
+Patch9: openssh-6.6p1-blocksigalrm.patch
+Patch10: openssh-6.6p1-send_locale.patch
+Patch11: openssh-6.6p1-xauthlocalhostname.patch
+Patch12: openssh-6.6p1-xauth.patch
+Patch13: openssh-6.6p1-default-protocol.patch
+Patch14: openssh-6.6p1-pts.patch
+Patch15: openssh-6.6p1-pam-check-locks.patch
+Patch16: openssh-6.6p1-fingerprint_hash.patch
+Patch17: openssh-6.6p1-fips.patch
+Patch18: openssh-6.6p1-audit1-remove_duplicit_audit.patch
+Patch19: openssh-6.6p1-audit2-better_audit_of_user_actions.patch
+Patch20: openssh-6.6p1-audit3-key_auth_usage.patch
+Patch21: openssh-6.6p1-audit3_fips-key_auth_usage.patch
+Patch22: openssh-6.6p1-audit4-kex_results.patch
+Patch23: openssh-6.6p1-audit4_fips-kex_results.patch
+Patch24: openssh-6.6p1-audit5-session_key_destruction.patch
+Patch25: openssh-6.6p1-audit6-server_key_destruction.patch
+Patch26: openssh-6.6p1-audit7-libaudit_compat.patch
+Patch27: openssh-6.6p1-audit8-libaudit_dns_timeouts.patch
+Patch28: openssh-6.6p1-seed-prng.patch
+Patch29: openssh-6.6p1-gssapi_key_exchange.patch
+Patch30: openssh-6.6p1-login_options.patch
+Patch31: openssh-6.6p1-disable-openssl-abi-check.patch
+Patch32: openssh-6.6p1-no_fork-no_pid_file.patch
+Patch33: openssh-6.6p1-host_ident.patch
+Patch34: openssh-6.6p1-sftp_homechroot.patch
+Patch35: openssh-6.6p1-sftp_force_permissions.patch
+Patch36: openssh-6.6p1-seccomp_getuid.patch
+Patch37: openssh-6.6p1-X_forward_with_disabled_ipv6.patch
+Patch38: openssh-6.6p1-fips-checks.patch
+Patch39: openssh-6.6p1-ldap.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
@@ -160,13 +162,22 @@
%package helpers
Summary: OpenSSH AuthorizedKeysCommand helpers
Group: Productivity/Networking/SSH
-Requires: openldap2
Requires: openssh
%description helpers
Helper applications for OpenSSH which retrieve keys from various sources.
+%package fips
+Summary: OpenSSH FIPS cryptomodule hashes
+Group: Productivity/Networking/SSH
+Requires: openssh
+
+%description fips
+Hashes that together with the main package form the FIPS certifiable
+cryptomodule.
+
+
%prep
%setup -q
#patch1 -p2
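Review bot: the new fips subpackage declares an unversioned "Requires: openssh", but the .chk files it ships are digests of the exact ssh, sshd and sftp-server binaries from this build. Any mix of openssh and openssh-fips from different builds would leave hashes that do not match the installed binaries. A requirement tied to the same version and release (as openssh-askpass-gnome already does with "openssh = %{version}") would prevent that.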
@@ -207,13 +218,16 @@
%patch34 -p2
%patch35 -p2
%patch36 -p2
+%patch37 -p2
+%patch38 -p2
+%patch39 -p2
cp %{SOURCE3} %{SOURCE4} .
%build
# set libexec dir in the LDAP patch
sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \
$( grep -Rl @LIBEXECDIR@ \
- $( grep "^+++" %{PATCH26} | sed -r 's(a)^.+/([^/\t ]+).*$@\1@' )
+ $( grep "^+++" %{PATCH39} | sed -r 's(a)^.+/([^/\t ]+).*$@\1@' )
)
autoreconf -fiv
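Review bot: the sed/grep step in %build refers to the LDAP patch by number, and this update already had to change it from %{PATCH26} to %{PATCH39} because the patch list was renumbered. If the two get out of sync the @LIBEXECDIR@ substitution silently runs over the wrong patch's file list. A comment next to the Patch39 line pointing at this dependency, or keeping the LDAP patch on a number that does not move, would make the next renumbering safer.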
@@ -311,6 +325,25 @@
# sshd keys generator wrapper
install -D -m 0755 %{SOURCE9} %{buildroot}%{_sbindir}/sshd-gen-keys-start
+# the hmac hashes - taken from openssl
+#
+# re-define the __os_install_post macro: the macro strips
+# the binaries and thereby invalidates any hashes created earlier.
+#
+# this shows up earlier because otherwise the %expand of
+# the macro is too late.
+%{expand:%%global __os_install_post {%__os_install_post
+
+for b in \
+ %{_bindir}/ssh \
+ %{_sbindir}/sshd \
+ %{_libexecdir}/ssh/sftp-server \
+ ; do
+ ( printf "\03"; openssl dgst -sha256 -binary < %{buildroot}$b ) > %{buildroot}$b.chk
+done
+
+}}
+
%pre
getent group sshd >/dev/null || %{_sbindir}/groupadd -r sshd
getent passwd sshd >/dev/null || %{_sbindir}/useradd -r -g sshd -d /var/lib/sshd -s /bin/false -c "SSH daemon" sshd
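Review bot: the comment introducing the loop calls these "hmac hashes", but the command is openssl dgst -sha256 -binary with no key, so each .chk file holds a single 0x03 byte followed by a plain SHA-256 digest of the binary. Please correct the comment and document what the leading byte means to the code that verifies the file, since nothing in the spec explains the format. It is also worth stating here that the digests are taken inside the redefined __os_install_post precisely so that they cover the stripped binaries.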
@@ -343,6 +376,9 @@
%files
%defattr(-,root,root)
+%exclude %{_bindir}/*.chk
+%exclude %{_sbindir}/*.chk
+%exclude %{_libexecdir}/ssh/sftp-server.chk
%dir %attr(755,root,root) /var/lib/sshd
%doc README.SuSE README.kerberos ChangeLog OVERVIEW README TODO LICENCE CREDITS
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
@@ -384,4 +420,10 @@
%attr(0755,root,root) %{_libexecdir}/ssh/ssh-ldap*
%doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema
+%files fips
+%defattr(-,root,root)
+%attr(0444,root,root) %{_bindir}/ssh.chk
+%attr(0444,root,root) %{_sbindir}/sshd.chk
+%attr(0444,root,root) %{_libexecdir}/ssh/sftp-server.chk
+
%changelog
++++++ openssh-6.5p1-X11-forwarding.patch -> openssh-6.6p1-X11-forwarding.patch ++++++
--- /work/SRC/openSUSE:Factory/openssh/openssh-6.5p1-X11-forwarding.patch 2014-02-15 17:17:37.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.openssh.new/openssh-6.6p1-X11-forwarding.patch 2014-04-17 14:43:47.000000000 +0200
@@ -2,9 +2,9 @@
# configuration
# bnc#50836 (was suse #35836)
-diff --git a/openssh-6.5p1/ssh_config b/openssh-6.5p1/ssh_config
---- a/openssh-6.5p1/ssh_config
-+++ b/openssh-6.5p1/ssh_config
+diff --git a/openssh-6.6p1/ssh_config b/openssh-6.6p1/ssh_config
+--- a/openssh-6.6p1/ssh_config
++++ b/openssh-6.6p1/ssh_config
@@ -12,19 +12,30 @@
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
@@ -37,9 +37,9 @@
# GSSAPIDelegateCredentials no
# BatchMode no
# CheckHostIP yes
-diff --git a/openssh-6.5p1/sshd_config b/openssh-6.5p1/sshd_config
---- a/openssh-6.5p1/sshd_config
-+++ b/openssh-6.5p1/sshd_config
+diff --git a/openssh-6.6p1/sshd_config b/openssh-6.6p1/sshd_config
+--- a/openssh-6.6p1/sshd_config
++++ b/openssh-6.6p1/sshd_config
@@ -94,17 +94,17 @@ AuthorizedKeysFile .ssh/authorized_keys
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
++++++ openssh-6.5p1-X_forward_with_disabled_ipv6.patch -> openssh-6.6p1-X_forward_with_disabled_ipv6.patch ++++++
--- /work/SRC/openSUSE:Factory/openssh/openssh-6.5p1-X_forward_with_disabled_ipv6.patch 2014-03-18 16:21:38.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.openssh.new/openssh-6.6p1-X_forward_with_disabled_ipv6.patch 2014-04-17 14:43:47.000000000 +0200
@@ -1,12 +1,12 @@
# HG changeset patch
-# Parent bb0162afc928b3eeb69f11419e214e0737bb8034
+# Parent 73eb63cbbd603bf8c13995c478333c1b5a2a020a
Do not throw away already open sockets for X11 forwarding if another socket
family is not available for bind()
-diff --git a/openssh-6.5p1/channels.c b/openssh-6.5p1/channels.c
---- a/openssh-6.5p1/channels.c
-+++ b/openssh-6.5p1/channels.c
-@@ -3475,22 +3475,24 @@ x11_create_display_inet(int x11_display_
+diff --git a/openssh-6.6p1/channels.c b/openssh-6.6p1/channels.c
+--- a/openssh-6.6p1/channels.c
++++ b/openssh-6.6p1/channels.c
+@@ -3476,22 +3476,24 @@ x11_create_display_inet(int x11_display_
}
if (ai->ai_family == AF_INET6)
sock_set_v6only(sock);
++++++ openssh-6.5p1-audit1-remove_duplicit_audit.patch -> openssh-6.6p1-audit1-remove_duplicit_audit.patch ++++++
--- /work/SRC/openSUSE:Factory/openssh/openssh-6.5p1-audit1-remove_duplicit_audit.patch 2014-02-15 17:17:37.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.openssh.new/openssh-6.6p1-audit1-remove_duplicit_audit.patch 2014-04-17 14:43:47.000000000 +0200
@@ -8,10 +8,10 @@
#
# PRIVSEP(getpwnamallow()) a few lines above already did this.
-diff --git a/openssh-6.5p1/auth2.c b/openssh-6.5p1/auth2.c
---- a/openssh-6.5p1/auth2.c
-+++ b/openssh-6.5p1/auth2.c
-@@ -242,19 +242,16 @@ input_userauth_request(int type, u_int32
+diff --git a/openssh-6.6p1/auth2.c b/openssh-6.6p1/auth2.c
+--- a/openssh-6.6p1/auth2.c
++++ b/openssh-6.6p1/auth2.c
+@@ -236,19 +236,16 @@ input_userauth_request(int type, u_int32
authctxt->pw = PRIVSEP(getpwnamallow(user));
authctxt->user = xstrdup(user);
if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
++++++ openssh-6.5p1-audit2-better_audit_of_user_actions.patch -> openssh-6.6p1-audit2-better_audit_of_user_actions.patch ++++++
--- /work/SRC/openSUSE:Factory/openssh/openssh-6.5p1-audit2-better_audit_of_user_actions.patch 2014-02-15 17:17:37.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.openssh.new/openssh-6.6p1-audit2-better_audit_of_user_actions.patch 2014-04-17 14:43:47.000000000 +0200
@@ -4,9 +4,9 @@
# https://bugzilla.mindrot.org/attachment.cgi?id=2011
# by jchadima(a)redhat.com
-diff --git a/openssh-6.5p1/audit-bsm.c b/openssh-6.5p1/audit-bsm.c
---- a/openssh-6.5p1/audit-bsm.c
-+++ b/openssh-6.5p1/audit-bsm.c
+diff --git a/openssh-6.6p1/audit-bsm.c b/openssh-6.6p1/audit-bsm.c
+--- a/openssh-6.6p1/audit-bsm.c
++++ b/openssh-6.6p1/audit-bsm.c
@@ -370,20 +370,33 @@ audit_connection_from(const char *host,
/* this is used on IPv4-only machines */
tid->port = (dev_t)port;
@@ -42,9 +42,9 @@
/* not implemented */
}
-diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c
---- a/openssh-6.5p1/audit-linux.c
-+++ b/openssh-6.5p1/audit-linux.c
+diff --git a/openssh-6.6p1/audit-linux.c b/openssh-6.6p1/audit-linux.c
+--- a/openssh-6.6p1/audit-linux.c
++++ b/openssh-6.6p1/audit-linux.c
@@ -30,97 +30,210 @@
#include "includes.h"
#if defined(USE_LINUX_AUDIT)
@@ -276,9 +276,9 @@
}
#endif /* USE_LINUX_AUDIT */
-diff --git a/openssh-6.5p1/audit.c b/openssh-6.5p1/audit.c
---- a/openssh-6.5p1/audit.c
-+++ b/openssh-6.5p1/audit.c
+diff --git a/openssh-6.6p1/audit.c b/openssh-6.6p1/audit.c
+--- a/openssh-6.6p1/audit.c
++++ b/openssh-6.6p1/audit.c
@@ -135,16 +135,27 @@ audit_connection_from(const char *host,
void
audit_event(ssh_audit_event_t event)
@@ -344,9 +344,9 @@
+
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */
-diff --git a/openssh-6.5p1/audit.h b/openssh-6.5p1/audit.h
---- a/openssh-6.5p1/audit.h
-+++ b/openssh-6.5p1/audit.h
+diff --git a/openssh-6.6p1/audit.h b/openssh-6.6p1/audit.h
+--- a/openssh-6.6p1/audit.h
++++ b/openssh-6.6p1/audit.h
@@ -44,14 +44,16 @@ enum ssh_audit_event_type {
SSH_CONNECTION_CLOSE, /* closed after attempting auth or session */
SSH_CONNECTION_ABANDON, /* closed without completing auth */
@@ -365,10 +365,10 @@
ssh_audit_event_t audit_classify_auth(const char *);
#endif /* _SSH_AUDIT_H */
-diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
---- a/openssh-6.5p1/monitor.c
-+++ b/openssh-6.5p1/monitor.c
-@@ -181,16 +181,17 @@ int mm_answer_gss_setup_ctx(int, Buffer
+diff --git a/openssh-6.6p1/monitor.c b/openssh-6.6p1/monitor.c
+--- a/openssh-6.6p1/monitor.c
++++ b/openssh-6.6p1/monitor.c
+@@ -175,16 +175,17 @@ int mm_answer_gss_setup_ctx(int, Buffer
int mm_answer_gss_accept_ctx(int, Buffer *);
int mm_answer_gss_userok(int, Buffer *);
int mm_answer_gss_checkmic(int, Buffer *);
@@ -386,7 +386,7 @@
static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */
/* local state for key verify */
-@@ -268,16 +269,17 @@ struct mon_table mon_dispatch_postauth20
+@@ -255,16 +256,17 @@ struct mon_table mon_dispatch_postauth20
{MONITOR_REQ_MODULI, 0, mm_answer_moduli},
{MONITOR_REQ_SIGN, 0, mm_answer_sign},
{MONITOR_REQ_PTY, 0, mm_answer_pty},
@@ -404,7 +404,7 @@
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey},
{MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid},
-@@ -310,16 +312,17 @@ struct mon_table mon_dispatch_proto15[]
+@@ -297,16 +299,17 @@ struct mon_table mon_dispatch_proto15[]
struct mon_table mon_dispatch_postauth15[] = {
{MONITOR_REQ_PTY, MON_ONCE, mm_answer_pty},
@@ -422,7 +422,7 @@
/* Specifies if a certain message is allowed at the moment */
-@@ -1442,16 +1445,22 @@ mm_record_login(Session *s, struct passw
+@@ -1420,16 +1423,22 @@ mm_record_login(Session *s, struct passw
static void
mm_session_close(Session *s)
{
@@ -445,7 +445,7 @@
{
extern struct monitor *pmonitor;
Session *s;
-@@ -1764,21 +1773,53 @@ mm_answer_audit_event(int socket, Buffer
+@@ -1742,21 +1751,53 @@ mm_answer_audit_event(int socket, Buffer
return (0);
}
@@ -500,10 +500,10 @@
void
monitor_apply_keystate(struct monitor *pmonitor)
{
-diff --git a/openssh-6.5p1/monitor.h b/openssh-6.5p1/monitor.h
---- a/openssh-6.5p1/monitor.h
-+++ b/openssh-6.5p1/monitor.h
-@@ -64,16 +64,17 @@ enum monitor_reqtype {
+diff --git a/openssh-6.6p1/monitor.h b/openssh-6.6p1/monitor.h
+--- a/openssh-6.6p1/monitor.h
++++ b/openssh-6.6p1/monitor.h
+@@ -59,16 +59,17 @@ enum monitor_reqtype {
MONITOR_REQ_PAM_START = 100,
MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
@@ -521,10 +521,10 @@
int m_recvfd;
int m_sendfd;
int m_log_recvfd;
-diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c
---- a/openssh-6.5p1/monitor_wrap.c
-+++ b/openssh-6.5p1/monitor_wrap.c
-@@ -1186,27 +1186,48 @@ mm_audit_event(ssh_audit_event_t event)
+diff --git a/openssh-6.6p1/monitor_wrap.c b/openssh-6.6p1/monitor_wrap.c
+--- a/openssh-6.6p1/monitor_wrap.c
++++ b/openssh-6.6p1/monitor_wrap.c
+@@ -1184,27 +1184,48 @@ mm_audit_event(ssh_audit_event_t event)
buffer_init(&m);
buffer_put_int(&m, event);
@@ -574,9 +574,9 @@
OM_uint32
mm_ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID goid)
{
-diff --git a/openssh-6.5p1/monitor_wrap.h b/openssh-6.5p1/monitor_wrap.h
---- a/openssh-6.5p1/monitor_wrap.h
-+++ b/openssh-6.5p1/monitor_wrap.h
+diff --git a/openssh-6.6p1/monitor_wrap.h b/openssh-6.6p1/monitor_wrap.h
+--- a/openssh-6.6p1/monitor_wrap.h
++++ b/openssh-6.6p1/monitor_wrap.h
@@ -69,17 +69,18 @@ void *mm_sshpam_init_ctx(struct Authctxt
int mm_sshpam_query(void *, char **, char **, u_int *, char ***, u_int **);
int mm_sshpam_respond(void *, u_int, char **);
@@ -597,9 +597,9 @@
void mm_session_pty_cleanup2(struct Session *);
/* SSHv1 interfaces */
-diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
---- a/openssh-6.5p1/session.c
-+++ b/openssh-6.5p1/session.c
+diff --git a/openssh-6.6p1/session.c b/openssh-6.6p1/session.c
+--- a/openssh-6.6p1/session.c
++++ b/openssh-6.6p1/session.c
@@ -740,16 +740,24 @@ do_exec_pty(Session *s, const char *comm
cygwin_set_impersonation_token(INVALID_HANDLE_VALUE);
#endif
@@ -657,8 +657,8 @@
original_command = NULL;
-@@ -1903,16 +1915,17 @@ session_unused(int id)
- bzero(&sessions[id], sizeof(*sessions));
+@@ -1908,16 +1920,17 @@ session_unused(int id)
+ memset(&sessions[id], 0, sizeof(*sessions));
sessions[id].self = id;
sessions[id].used = 0;
sessions[id].chanid = -1;
@@ -675,7 +675,7 @@
session_new(void)
{
Session *s, *tmp;
-@@ -1985,16 +1998,29 @@ session_open(Authctxt *authctxt, int cha
+@@ -1990,16 +2003,29 @@ session_open(Authctxt *authctxt, int cha
if (s->pw == NULL || !authctxt->valid)
fatal("no user for session %d", s->self);
debug("session_open: session %d: link with channel %d", s->self, chanid);
@@ -705,7 +705,7 @@
if (s->used && s->ttyfd != -1 && strcmp(s->tty, tty) == 0) {
debug("session_by_tty: session %d tty %s", i, tty);
return s;
-@@ -2501,16 +2527,40 @@ session_exit_message(Session *s, int sta
+@@ -2506,16 +2532,40 @@ session_exit_message(Session *s, int sta
* interested in data we write.
* Note that we must not call 'chan_read_failed', since there could
* be some more data waiting in the pipe.
@@ -746,7 +746,7 @@
debug("session_close: session %d pid %ld", s->self, (long)s->pid);
-@@ -2541,16 +2591,20 @@ session_close(Session *s)
+@@ -2546,16 +2596,20 @@ session_close(Session *s)
int status;
waitpid(pid, &status, 0);
@@ -767,7 +767,7 @@
free(s->auth_proto);
free(s->subsys);
if (s->env != NULL) {
-@@ -2755,16 +2809,25 @@ session_setup_x11fwd(Session *s)
+@@ -2760,16 +2814,25 @@ session_setup_x11fwd(Session *s)
}
static void
@@ -793,7 +793,7 @@
debug("do_cleanup");
/* no cleanup if we're in the child for login shell */
-@@ -2803,10 +2866,10 @@ do_cleanup(Authctxt *authctxt)
+@@ -2808,10 +2871,10 @@ do_cleanup(Authctxt *authctxt)
/* remove agent socket */
auth_sock_cleanup_proc(authctxt->pw);
@@ -805,9 +805,9 @@
- session_destroy_all(session_pty_cleanup2);
+ session_destroy_all(do_cleanup_one_session);
}
-diff --git a/openssh-6.5p1/session.h b/openssh-6.5p1/session.h
---- a/openssh-6.5p1/session.h
-+++ b/openssh-6.5p1/session.h
+diff --git a/openssh-6.6p1/session.h b/openssh-6.6p1/session.h
+--- a/openssh-6.6p1/session.h
++++ b/openssh-6.6p1/session.h
@@ -56,29 +56,37 @@ struct Session {
int *x11_chanids;
int is_subsystem;
@@ -846,10 +846,10 @@
const char *value);
#endif
-diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
---- a/openssh-6.5p1/sshd.c
-+++ b/openssh-6.5p1/sshd.c
-@@ -2504,13 +2504,14 @@ cleanup_exit(int i)
+diff --git a/openssh-6.6p1/sshd.c b/openssh-6.6p1/sshd.c
+--- a/openssh-6.6p1/sshd.c
++++ b/openssh-6.6p1/sshd.c
+@@ -2529,13 +2529,14 @@ cleanup_exit(int i)
if (kill(pmonitor->m_pid, SIGKILL) != 0 &&
errno != ESRCH)
error("%s: kill(%d): %s", __func__,
++++++ openssh-6.5p1-audit3-key_auth_usage.patch -> openssh-6.6p1-audit3-key_auth_usage.patch ++++++
--- /work/SRC/openSUSE:Factory/openssh/openssh-6.5p1-audit3-key_auth_usage.patch 2014-02-15 17:17:37.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.openssh.new/openssh-6.6p1-audit3-key_auth_usage.patch 2014-04-17 14:43:47.000000000 +0200
@@ -5,9 +5,9 @@
# (replaces: https://bugzilla.mindrot.org/attachment.cgi?id=1975)
# by jchadima(a)redhat.com
-diff --git a/openssh-6.5p1/audit-bsm.c b/openssh-6.5p1/audit-bsm.c
---- a/openssh-6.5p1/audit-bsm.c
-+++ b/openssh-6.5p1/audit-bsm.c
+diff --git a/openssh-6.6p1/audit-bsm.c b/openssh-6.6p1/audit-bsm.c
+--- a/openssh-6.6p1/audit-bsm.c
++++ b/openssh-6.6p1/audit-bsm.c
@@ -401,16 +401,22 @@ audit_session_open(struct logininfo *li)
}
@@ -31,9 +31,9 @@
const char *user = the_authctxt ? the_authctxt->user : "(unknown user)";
if (cannot_audit(0))
-diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c
---- a/openssh-6.5p1/audit-linux.c
-+++ b/openssh-6.5p1/audit-linux.c
+diff --git a/openssh-6.6p1/audit-linux.c b/openssh-6.6p1/audit-linux.c
+--- a/openssh-6.6p1/audit-linux.c
++++ b/openssh-6.6p1/audit-linux.c
@@ -36,16 +36,18 @@
#include "log.h"
#include "audit.h"
@@ -101,9 +101,9 @@
audit_connection_from(const char *host, int port)
{
/* not implemented */
-diff --git a/openssh-6.5p1/audit.c b/openssh-6.5p1/audit.c
---- a/openssh-6.5p1/audit.c
-+++ b/openssh-6.5p1/audit.c
+diff --git a/openssh-6.6p1/audit.c b/openssh-6.6p1/audit.c
+--- a/openssh-6.6p1/audit.c
++++ b/openssh-6.6p1/audit.c
@@ -31,16 +31,17 @@
#ifdef SSH_AUDIT_EVENTS
@@ -178,9 +178,9 @@
+}
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */
-diff --git a/openssh-6.5p1/audit.h b/openssh-6.5p1/audit.h
---- a/openssh-6.5p1/audit.h
-+++ b/openssh-6.5p1/audit.h
+diff --git a/openssh-6.6p1/audit.h b/openssh-6.6p1/audit.h
+--- a/openssh-6.6p1/audit.h
++++ b/openssh-6.6p1/audit.h
@@ -23,16 +23,17 @@
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
@@ -212,69 +212,10 @@
+void audit_key(int, int *, const Key *);
#endif /* _SSH_AUDIT_H */
-diff --git a/openssh-6.5p1/auth-rsa.c b/openssh-6.5p1/auth-rsa.c
---- a/openssh-6.5p1/auth-rsa.c
-+++ b/openssh-6.5p1/auth-rsa.c
-@@ -87,17 +87,20 @@ auth_rsa_generate_challenge(Key *key)
- return challenge;
- }
-
- int
- auth_rsa_verify_response(Key *key, BIGNUM *challenge, u_char response[16])
- {
- u_char buf[32], mdbuf[16];
- MD5_CTX md;
-- int len;
-+ int len, rv;
-+#ifdef SSH_AUDIT_EVENTS
-+ char *fp;
-+#endif
-
- /* don't allow short keys */
- if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
- error("auth_rsa_verify_response: RSA modulus too small: %d < minimum %d bits",
- BN_num_bits(key->rsa->n), SSH_RSA_MINIMUM_MODULUS_SIZE);
- return (0);
- }
-
-@@ -108,22 +111,28 @@ auth_rsa_verify_response(Key *key, BIGNU
- memset(buf, 0, 32);
- BN_bn2bin(challenge, buf + 32 - len);
- MD5_Init(&md);
- MD5_Update(&md, buf, 32);
- MD5_Update(&md, session_id, 16);
- MD5_Final(mdbuf, &md);
-
- /* Verify that the response is the original challenge. */
-- if (timingsafe_bcmp(response, mdbuf, 16) != 0) {
-- /* Wrong answer. */
-- return (0);
-+ rv = timingsafe_bcmp(response, mdbuf, 16) == 0;
-+
-+#ifdef SSH_AUDIT_EVENTS
-+ fp = key_fingerprint(key, key_fp_type_select(), SSH_FP_HEX);
-+ if (audit_keyusage(1, "ssh-rsa1", RSA_size(key->rsa) * 8, fp, rv) == 0) {
-+ debug("unsuccessful audit");
-+ rv = 0;
- }
-- /* Correct answer. */
-- return (1);
-+ free(fp);
-+#endif
-+
-+ return rv;
- }
-
- /*
- * Performs the RSA authentication challenge-response dialog with the client,
- * and returns true (non-zero) if the client gave the correct answer to
- * our challenge; returns zero if the client gives a wrong answer.
- */
-
-diff --git a/openssh-6.5p1/auth.h b/openssh-6.5p1/auth.h
---- a/openssh-6.5p1/auth.h
-+++ b/openssh-6.5p1/auth.h
-@@ -182,16 +182,17 @@ int allowed_user(struct passwd *);
+diff --git a/openssh-6.6p1/auth.h b/openssh-6.6p1/auth.h
+--- a/openssh-6.6p1/auth.h
++++ b/openssh-6.6p1/auth.h
+@@ -178,16 +178,17 @@ int allowed_user(struct passwd *);
struct passwd * getpwnamallow(const char *user);
char *get_challenge(Authctxt *);
@@ -292,7 +233,7 @@
HostStatus
check_key_in_hostfiles(struct passwd *, Key *, const char *,
const char *, const char *);
-@@ -199,16 +200,17 @@ check_key_in_hostfiles(struct passwd *,
+@@ -195,16 +196,17 @@ check_key_in_hostfiles(struct passwd *,
/* hostkey handling */
Key *get_hostkey_by_index(int);
Key *get_hostkey_public_by_index(int);
@@ -310,9 +251,9 @@
struct passwd *fakepw(void);
-diff --git a/openssh-6.5p1/auth2-hostbased.c b/openssh-6.5p1/auth2-hostbased.c
---- a/openssh-6.5p1/auth2-hostbased.c
-+++ b/openssh-6.5p1/auth2-hostbased.c
+diff --git a/openssh-6.6p1/auth2-hostbased.c b/openssh-6.6p1/auth2-hostbased.c
+--- a/openssh-6.6p1/auth2-hostbased.c
++++ b/openssh-6.6p1/auth2-hostbased.c
@@ -124,33 +124,45 @@ userauth_hostbased(Authctxt *authctxt)
#endif
@@ -360,9 +301,9 @@
const char *resolvedname, *ipaddr, *lookup, *reason;
HostStatus host_status;
int len;
-diff --git a/openssh-6.5p1/auth2-pubkey.c b/openssh-6.5p1/auth2-pubkey.c
---- a/openssh-6.5p1/auth2-pubkey.c
-+++ b/openssh-6.5p1/auth2-pubkey.c
+diff --git a/openssh-6.6p1/auth2-pubkey.c b/openssh-6.6p1/auth2-pubkey.c
+--- a/openssh-6.6p1/auth2-pubkey.c
++++ b/openssh-6.6p1/auth2-pubkey.c
@@ -153,17 +153,17 @@ userauth_pubkey(Authctxt *authctxt)
#ifdef DEBUG_PK
buffer_dump(&b);
@@ -411,10 +352,10 @@
int i;
extra = NULL;
-diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
---- a/openssh-6.5p1/monitor.c
-+++ b/openssh-6.5p1/monitor.c
-@@ -1362,26 +1362,30 @@ monitor_valid_hostbasedblob(u_char *data
+diff --git a/openssh-6.6p1/monitor.c b/openssh-6.6p1/monitor.c
+--- a/openssh-6.6p1/monitor.c
++++ b/openssh-6.6p1/monitor.c
+@@ -1340,26 +1340,30 @@ monitor_valid_hostbasedblob(u_char *data
}
int
@@ -445,7 +386,7 @@
switch (key_blobtype) {
case MM_USERKEY:
valid_data = monitor_valid_userblob(data, datalen);
-@@ -1392,17 +1396,27 @@ mm_answer_keyverify(int sock, Buffer *m)
+@@ -1370,17 +1374,27 @@ mm_answer_keyverify(int sock, Buffer *m)
break;
default:
valid_data = 0;
@@ -474,10 +415,10 @@
free(signature);
free(data);
-diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c
---- a/openssh-6.5p1/monitor_wrap.c
-+++ b/openssh-6.5p1/monitor_wrap.c
-@@ -428,30 +428,31 @@ mm_key_allowed(enum mm_keytype type, cha
+diff --git a/openssh-6.6p1/monitor_wrap.c b/openssh-6.6p1/monitor_wrap.c
+--- a/openssh-6.6p1/monitor_wrap.c
++++ b/openssh-6.6p1/monitor_wrap.c
+@@ -426,30 +426,31 @@ mm_key_allowed(enum mm_keytype type, cha
/*
* This key verify needs to send the key type along, because the
@@ -510,7 +451,7 @@
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYVERIFY, &m);
debug3("%s: waiting for MONITOR_ANS_KEYVERIFY", __func__);
-@@ -459,16 +460,29 @@ mm_key_verify(Key *key, u_char *sig, u_i
+@@ -457,16 +458,29 @@ mm_key_verify(Key *key, u_char *sig, u_i
verified = buffer_get_int(&m);
@@ -540,9 +481,9 @@
u_int len;
Newkeys *newkey = NULL;
Enc *enc;
-diff --git a/openssh-6.5p1/monitor_wrap.h b/openssh-6.5p1/monitor_wrap.h
---- a/openssh-6.5p1/monitor_wrap.h
-+++ b/openssh-6.5p1/monitor_wrap.h
+diff --git a/openssh-6.6p1/monitor_wrap.h b/openssh-6.6p1/monitor_wrap.h
+--- a/openssh-6.6p1/monitor_wrap.h
++++ b/openssh-6.6p1/monitor_wrap.h
@@ -44,17 +44,18 @@ int mm_key_sign(Key *, u_char **, u_int
void mm_inform_authserv(char *, char *);
struct passwd *mm_getpwnamallow(const char *);
++++++ openssh-6.6p1-audit3_fips-key_auth_usage.patch ++++++
# HG changeset patch
# Parent c487e15d91bc5cdfb0aedcf4d3c7fe4d0f309a73
diff --git a/openssh-6.6p1/auth-rsa.c b/openssh-6.6p1/auth-rsa.c
--- a/openssh-6.6p1/auth-rsa.c
+++ b/openssh-6.6p1/auth-rsa.c
@@ -94,16 +94,20 @@ int
auth_rsa_verify_response(Key *key, BIGNUM *challenge,
u_char response[SSH_DIGEST_MAX_LENGTH])
{
u_char buf[2 * SSH_DIGEST_MAX_LENGTH], mdbuf[SSH_DIGEST_MAX_LENGTH];
struct ssh_digest_ctx *md;
int len;
int dgst;
size_t dgst_len;
+ int rv;
+#ifdef SSH_AUDIT_EVENTS
+ char *fp;
+#endif
/* don't allow short keys */
if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
error("%s: RSA modulus too small: %d < minimum %d bits",
__func__,
BN_num_bits(key->rsa->n), SSH_RSA_MINIMUM_MODULUS_SIZE);
return (0);
}
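Review bot: The short-key rejection in the trailing context of this hunk still exits through `return (0);`, so it never reaches the `audit_keyusage()` call that the next hunk adds at the end of the function. A client offering an RSA modulus below SSH_RSA_MINIMUM_MODULUS_SIZE is refused with an error() line but leaves no audit record. If the intent is to audit every use of a key for authentication, set `rv = 0` there and fall through to the audit block instead of returning early; if skipping the audit is deliberate, a comment at the early return should say so.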
@@ -121,22 +125,28 @@ auth_rsa_verify_response(Key *key, BIGNU
if ((md = ssh_digest_start(dgst)) == NULL ||
ssh_digest_update(md, buf, 2 * dgst_len) < 0 ||
ssh_digest_update(md, session_id, dgst_len) < 0 ||
ssh_digest_final(md, mdbuf, sizeof(mdbuf)) < 0)
fatal("%s: md5 failed", __func__);
ssh_digest_free(md);
/* Verify that the response is the original challenge. */
- if (timingsafe_bcmp(response, mdbuf, dgst_len) != 0) {
- /* Wrong answer. */
- return (0);
+ rv = timingsafe_bcmp(response, mdbuf, dgst_len) == 0;
+
+#ifdef SSH_AUDIT_EVENTS
+ fp = key_fingerprint(key, key_fp_type_select(), SSH_FP_HEX);
+ if (audit_keyusage(1, "ssh-rsa1", RSA_size(key->rsa) * 8, fp, rv) == 0) {
+ debug("unsuccessful audit");
+ rv = 0;
}
- /* Correct answer. */
- return (1);
+ free(fp);
+#endif
+
+ return rv;
}
/*
* Performs the RSA authentication challenge-response dialog with the client,
* and returns true (non-zero) if the client gave the correct answer to
* our challenge; returns zero if the client gives a wrong answer.
*/
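Review bot: When `audit_keyusage()` returns 0 the code forces `rv = 0`, so a correct challenge response is turned into an authentication failure, and the only trace is `debug("unsuccessful audit");`. Failing closed is reasonable, but at the default log level the administrator sees a rejected login with no reason. Report it with error(), as the short-key check above does, and include `__func__` and the key type in the message. Separately, `fp` is handed to `audit_keyusage()` and then to free() without a NULL check; confirm that `key_fingerprint()` cannot return NULL for the type chosen by `key_fp_type_select()`, or guard the call.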
++++++ openssh-6.5p1-audit4-kex_results.patch -> openssh-6.6p1-audit4-kex_results.patch ++++++
--- /work/SRC/openSUSE:Factory/openssh/openssh-6.5p1-audit4-kex_results.patch 2014-03-31 20:43:02.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.openssh.new/openssh-6.6p1-audit4-kex_results.patch 2014-04-17 14:43:47.000000000 +0200
@@ -5,32 +5,9 @@
# (replaces: https://bugzilla.mindrot.org/attachment.cgi?id=1976)
# by jchadima(a)redhat.com
-diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in
---- a/openssh-6.5p1/Makefile.in
-+++ b/openssh-6.5p1/Makefile.in
-@@ -71,17 +71,18 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o
- readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
- atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
- monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
- kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
- msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
- jpake.o schnorr.o ssh-pkcs11.o krl.o smult_curve25519_ref.o \
- kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \
- ssh-ed25519.o digest.o \
-- sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o
-+ sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \
-+ auditstub.o
-
- SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
- sshconnect.o sshconnect1.o sshconnect2.o mux.o \
- roaming_common.o roaming_client.o
-
- SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
- audit.o audit-bsm.o audit-linux.o platform.o \
- sshpty.o sshlogin.o servconf.o serverloop.o \
-diff --git a/openssh-6.5p1/audit-bsm.c b/openssh-6.5p1/audit-bsm.c
---- a/openssh-6.5p1/audit-bsm.c
-+++ b/openssh-6.5p1/audit-bsm.c
+diff --git a/openssh-6.6p1/audit-bsm.c b/openssh-6.6p1/audit-bsm.c
+--- a/openssh-6.6p1/audit-bsm.c
++++ b/openssh-6.6p1/audit-bsm.c
@@ -468,9 +468,21 @@ audit_event(ssh_audit_event_t event)
case SSH_AUTH_FAIL_KBDINT:
bsm_audit_bad_login("interactive password entry");
@@ -53,9 +30,9 @@
+ /* not implemented */
+}
#endif /* BSM */
-diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c
---- a/openssh-6.5p1/audit-linux.c
-+++ b/openssh-6.5p1/audit-linux.c
+diff --git a/openssh-6.6p1/audit-linux.c b/openssh-6.6p1/audit-linux.c
+--- a/openssh-6.6p1/audit-linux.c
++++ b/openssh-6.6p1/audit-linux.c
@@ -35,16 +35,18 @@
#include "log.h"
@@ -141,9 +118,9 @@
+}
+
#endif /* USE_LINUX_AUDIT */
-diff --git a/openssh-6.5p1/audit.c b/openssh-6.5p1/audit.c
---- a/openssh-6.5p1/audit.c
-+++ b/openssh-6.5p1/audit.c
+diff --git a/openssh-6.6p1/audit.c b/openssh-6.6p1/audit.c
+--- a/openssh-6.6p1/audit.c
++++ b/openssh-6.6p1/audit.c
@@ -23,24 +23,27 @@
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
@@ -233,9 +210,9 @@
+}
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */
-diff --git a/openssh-6.5p1/audit.h b/openssh-6.5p1/audit.h
---- a/openssh-6.5p1/audit.h
-+++ b/openssh-6.5p1/audit.h
+diff --git a/openssh-6.6p1/audit.h b/openssh-6.6p1/audit.h
+--- a/openssh-6.6p1/audit.h
++++ b/openssh-6.6p1/audit.h
@@ -53,10 +53,14 @@ void audit_event(ssh_audit_event_t);
void audit_count_session_open(void);
void audit_session_open(struct logininfo *);
@@ -251,10 +228,10 @@
+void audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
#endif /* _SSH_AUDIT_H */
-diff --git a/openssh-6.5p1/auditstub.c b/openssh-6.5p1/auditstub.c
+diff --git a/openssh-6.6p1/auditstub.c b/openssh-6.6p1/auditstub.c
new file mode 100644
--- /dev/null
-+++ b/openssh-6.5p1/auditstub.c
++++ b/openssh-6.6p1/auditstub.c
@@ -0,0 +1,39 @@
+/* $Id: auditstub.c,v 1.1 jfch Exp $ */
+
@@ -295,45 +272,9 @@
+{
+}
+
-diff --git a/openssh-6.5p1/cipher.c b/openssh-6.5p1/cipher.c
---- a/openssh-6.5p1/cipher.c
-+++ b/openssh-6.5p1/cipher.c
-@@ -52,31 +52,17 @@
-
- /* compatibility with old or broken OpenSSL versions */
- #include "openbsd-compat/openssl-compat.h"
-
- extern const EVP_CIPHER *evp_ssh1_bf(void);
- extern const EVP_CIPHER *evp_ssh1_3des(void);
- extern void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int);
-
--struct Cipher {
-- char *name;
-- int number; /* for ssh1 only */
-- u_int block_size;
-- u_int key_len;
-- u_int iv_len; /* defaults to block_size */
-- u_int auth_len;
-- u_int discard_len;
-- u_int flags;
--#define CFLAG_CBC (1<<0)
--#define CFLAG_CHACHAPOLY (1<<1)
-- const EVP_CIPHER *(*evptype)(void);
--};
--
--static const struct Cipher ciphers[] = {
-+struct Cipher ciphers[] = {
- { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
- { "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc },
- { "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des },
- { "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, 0, 0, 0, 1, evp_ssh1_bf },
-
- { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
- { "blowfish-cbc",
- SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_bf_cbc },
-diff --git a/openssh-6.5p1/cipher.h b/openssh-6.5p1/cipher.h
---- a/openssh-6.5p1/cipher.h
-+++ b/openssh-6.5p1/cipher.h
+diff --git a/openssh-6.6p1/cipher.h b/openssh-6.6p1/cipher.h
+--- a/openssh-6.6p1/cipher.h
++++ b/openssh-6.6p1/cipher.h
@@ -58,17 +58,30 @@
#define SSH_CIPHER_MAX 31
@@ -366,9 +307,9 @@
const Cipher *cipher;
};
-diff --git a/openssh-6.5p1/kex.c b/openssh-6.5p1/kex.c
---- a/openssh-6.5p1/kex.c
-+++ b/openssh-6.5p1/kex.c
+diff --git a/openssh-6.6p1/kex.c b/openssh-6.6p1/kex.c
+--- a/openssh-6.6p1/kex.c
++++ b/openssh-6.6p1/kex.c
@@ -45,16 +45,17 @@
#include "kex.h"
#include "log.h"
@@ -476,16 +417,16 @@
for (mode = 0; mode < MODE_MAX; mode++) {
newkeys = kex->newkeys[mode];
need = MAX(need, newkeys->enc.key_len);
-diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
---- a/openssh-6.5p1/monitor.c
-+++ b/openssh-6.5p1/monitor.c
-@@ -93,16 +93,17 @@
+diff --git a/openssh-6.6p1/monitor.c b/openssh-6.6p1/monitor.c
+--- a/openssh-6.6p1/monitor.c
++++ b/openssh-6.6p1/monitor.c
+@@ -92,16 +92,17 @@
+ #endif
#include "monitor_wrap.h"
#include "monitor_fdpass.h"
#include "misc.h"
#include "compat.h"
#include "ssh2.h"
- #include "jpake.h"
#include "roaming.h"
#include "authfd.h"
+#include "audit.h"
@@ -497,7 +438,7 @@
/* Imports */
extern ServerOptions options;
extern u_int utmp_len;
-@@ -182,16 +183,18 @@ int mm_answer_gss_accept_ctx(int, Buffer
+@@ -176,16 +177,18 @@ int mm_answer_gss_accept_ctx(int, Buffer
int mm_answer_gss_userok(int, Buffer *);
int mm_answer_gss_checkmic(int, Buffer *);
#endif
@@ -516,7 +457,7 @@
static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */
/* local state for key verify */
-@@ -233,16 +236,18 @@ struct mon_table mon_dispatch_proto20[]
+@@ -227,16 +230,18 @@ struct mon_table mon_dispatch_proto20[]
{MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account},
{MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
{MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
@@ -535,7 +476,7 @@
#ifdef SKEY
{MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery},
{MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond},
-@@ -270,16 +275,18 @@ struct mon_table mon_dispatch_postauth20
+@@ -257,16 +262,18 @@ struct mon_table mon_dispatch_postauth20
{MONITOR_REQ_SIGN, 0, mm_answer_sign},
{MONITOR_REQ_PTY, 0, mm_answer_pty},
{MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup},
@@ -554,7 +495,7 @@
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey},
{MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid},
-@@ -301,28 +308,32 @@ struct mon_table mon_dispatch_proto15[]
+@@ -288,28 +295,32 @@ struct mon_table mon_dispatch_proto15[]
{MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account},
{MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
{MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
@@ -587,16 +528,15 @@
/* Specifies if a certain message is allowed at the moment */
-@@ -2411,8 +2422,52 @@ mm_answer_jpake_check_confirm(int sock,
+@@ -2187,8 +2198,52 @@ mm_answer_gss_userok(int sock, Buffer *m
- monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP1, 1);
+ auth_method = "gssapi-with-mic";
- auth_method = "jpake-01(a)openssh.com";
- return authenticated;
+ /* Monitor loop will terminate if authenticated */
+ return (authenticated);
}
+ #endif /* GSSAPI */
- #endif /* JPAKE */
-+
+#ifdef SSH_AUDIT_EVENTS
+int
+mm_answer_audit_unsupported_body(int sock, Buffer *m)
@@ -640,10 +580,11 @@
+}
+
+#endif /* SSH_AUDIT_EVENTS */
-diff --git a/openssh-6.5p1/monitor.h b/openssh-6.5p1/monitor.h
---- a/openssh-6.5p1/monitor.h
-+++ b/openssh-6.5p1/monitor.h
-@@ -65,16 +65,18 @@ enum monitor_reqtype {
++
+diff --git a/openssh-6.6p1/monitor.h b/openssh-6.6p1/monitor.h
+--- a/openssh-6.6p1/monitor.h
++++ b/openssh-6.6p1/monitor.h
+@@ -60,16 +60,18 @@ enum monitor_reqtype {
MONITOR_REQ_PAM_START = 100,
MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105,
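Review bot: After the refresh the monitor.c part of the patch ends with an added empty line behind `#endif /* SSH_AUDIT_EVENTS */` (the `++` line just before the monitor.h header), while the empty line that used to separate the new block from the preceding `#endif` was dropped. The patch therefore appends a blank line at the end of monitor.c and lets `#ifdef SSH_AUDIT_EVENTS` follow `#endif /* GSSAPI */` directly. The monitor_wrap.c part further down has the same pattern. Move the empty line back in front of the `#ifdef` so the file does not gain trailing whitespace that checkers will flag.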
@@ -662,19 +603,18 @@
int m_recvfd;
int m_sendfd;
int m_log_recvfd;
-diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c
---- a/openssh-6.5p1/monitor_wrap.c
-+++ b/openssh-6.5p1/monitor_wrap.c
-@@ -1483,8 +1483,46 @@ mm_jpake_check_confirm(const BIGNUM *k,
+diff --git a/openssh-6.6p1/monitor_wrap.c b/openssh-6.6p1/monitor_wrap.c
+--- a/openssh-6.6p1/monitor_wrap.c
++++ b/openssh-6.6p1/monitor_wrap.c
+@@ -1320,8 +1320,46 @@ mm_ssh_gssapi_userok(char *user)
+ authenticated = buffer_get_int(&m);
- success = buffer_get_int(&m);
buffer_free(&m);
-
- debug3("%s: success = %d", __func__, success);
- return success;
+ debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
+ return (authenticated);
}
- #endif /* JPAKE */
-+
+ #endif /* GSSAPI */
+
+#ifdef SSH_AUDIT_EVENTS
+void
+mm_audit_unsupported_body(int what)
@@ -712,9 +652,10 @@
+ buffer_free(&m);
+}
+#endif /* SSH_AUDIT_EVENTS */
-diff --git a/openssh-6.5p1/monitor_wrap.h b/openssh-6.5p1/monitor_wrap.h
---- a/openssh-6.5p1/monitor_wrap.h
-+++ b/openssh-6.5p1/monitor_wrap.h
++
+diff --git a/openssh-6.6p1/monitor_wrap.h b/openssh-6.6p1/monitor_wrap.h
+--- a/openssh-6.6p1/monitor_wrap.h
++++ b/openssh-6.6p1/monitor_wrap.h
@@ -72,16 +72,18 @@ int mm_sshpam_respond(void *, u_int, cha
void mm_sshpam_free_ctx(void *);
#endif
@@ -734,28 +675,10 @@
void mm_session_pty_cleanup2(struct Session *);
/* SSHv1 interfaces */
-diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
---- a/openssh-6.5p1/sshd.c
-+++ b/openssh-6.5p1/sshd.c
-@@ -114,16 +114,17 @@
- #include "session.h"
- #include "monitor_mm.h"
- #include "monitor.h"
- #ifdef GSSAPI
- #include "ssh-gss.h"
- #endif
- #include "monitor_wrap.h"
- #include "roaming.h"
-+#include "audit.h"
- #include "ssh-sandbox.h"
- #include "version.h"
-
- #ifdef LIBWRAP
- #include <tcpd.h>
- #include <syslog.h>
- int allow_severity;
- int deny_severity;
-@@ -2312,16 +2313,20 @@ do_ssh1_kex(void)
+diff --git a/openssh-6.6p1/sshd.c b/openssh-6.6p1/sshd.c
+--- a/openssh-6.6p1/sshd.c
++++ b/openssh-6.6p1/sshd.c
+@@ -2325,16 +2325,20 @@ do_ssh1_kex(void)
packet_disconnect("Warning: client selects unsupported cipher.");
/* Get check bytes from the packet. These must match those we
++++++ openssh-6.6p1-audit4_fips-kex_results.patch ++++++
# HG changeset patch
# Parent dec5efd68e0b652282f2b9b31f5999342123d33d
diff --git a/openssh-6.6p1/Makefile.in b/openssh-6.6p1/Makefile.in
--- a/openssh-6.6p1/Makefile.in
+++ b/openssh-6.6p1/Makefile.in
@@ -72,17 +72,18 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o
atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
ssh-pkcs11.o krl.o smult_curve25519_ref.o \
kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \
ssh-ed25519.o digest-openssl.o hmac.o \
sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \
- fips.o
+ fips.o \
+ auditstub.o
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
sshconnect.o sshconnect1.o sshconnect2.o mux.o \
roaming_common.o roaming_client.o
SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
audit.o audit-bsm.o audit-linux.o platform.o \
sshpty.o sshlogin.o servconf.o serverloop.o \
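Review bot: `auditstub.o` is added to LIBSSH_OBJS, while SSHDOBJS in the trailing context already lists `audit.o`, `audit-bsm.o` and `audit-linux.o`. If the stub file and the real audit objects define the same functions, which implementation sshd ends up with depends on link order between the objects and the library. A short comment next to `auditstub.o` stating which binaries are meant to pick up the stubs would document that. The patch header also carries nothing but the HG parent id; one sentence on why this piece was split out of audit4-kex_results would help whoever refreshes the series next.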
diff --git a/openssh-6.6p1/cipher.c b/openssh-6.6p1/cipher.c
--- a/openssh-6.6p1/cipher.c
+++ b/openssh-6.6p1/cipher.c
@@ -54,30 +54,16 @@
/* compatibility with old or broken OpenSSL versions */
#include "openbsd-compat/openssl-compat.h"
extern const EVP_CIPHER *evp_ssh1_bf(void);
extern const EVP_CIPHER *evp_ssh1_3des(void);
extern void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int);
-struct Cipher {
- char *name;
- int number; /* for ssh1 only */
- u_int block_size;
- u_int key_len;
- u_int iv_len; /* defaults to block_size */
- u_int auth_len;
- u_int discard_len;
- u_int flags;
-#define CFLAG_CBC (1<<0)
-#define CFLAG_CHACHAPOLY (1<<1)
- const EVP_CIPHER *(*evptype)(void);
-};
-
static const struct Cipher ciphers_all[] = {
{ "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
{ "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc },
{ "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des },
{ "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, 0, 0, 0, 1, evp_ssh1_bf },
{ "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
{ "blowfish-cbc",
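Review bot: `struct Cipher` and the `CFLAG_CBC` / `CFLAG_CHACHAPOLY` defines are deleted from cipher.c here, but nothing in this patch adds them anywhere else, and `ciphers_all[]` right below still needs the complete type. This patch therefore only builds on top of whichever patch in the series provides the definition in a header. State that dependency and the required order in the patch header, or move the removal into the patch that adds the definition so each patch compiles on its own.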
diff --git a/openssh-6.6p1/sshd.c b/openssh-6.6p1/sshd.c
--- a/openssh-6.6p1/sshd.c
+++ b/openssh-6.6p1/sshd.c
@@ -119,16 +119,18 @@
#endif
#include "monitor_wrap.h"
#include "roaming.h"
#include "ssh-sandbox.h"
#include "version.h"
#include "fips.h"
+#include "audit.h"
+
#ifdef LIBWRAP
#include <tcpd.h>
#include <syslog.h>
int allow_severity;
int deny_severity;
#endif /* LIBWRAP */
#ifndef O_NOCTTY
++++++ openssh-6.5p1-audit5-session_key_destruction.patch -> openssh-6.6p1-audit5-session_key_destruction.patch ++++++
--- /work/SRC/openSUSE:Factory/openssh/openssh-6.5p1-audit5-session_key_destruction.patch 2014-02-15 17:17:37.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.openssh.new/openssh-6.6p1-audit5-session_key_destruction.patch 2014-04-17 14:43:47.000000000 +0200
@@ -4,9 +4,9 @@
# https://bugzilla.mindrot.org/attachment.cgi?id=2014
# by jchadima(a)redhat.com
-diff --git a/openssh-6.5p1/audit-bsm.c b/openssh-6.5p1/audit-bsm.c
---- a/openssh-6.5p1/audit-bsm.c
-+++ b/openssh-6.5p1/audit-bsm.c
+diff --git a/openssh-6.6p1/audit-bsm.c b/openssh-6.6p1/audit-bsm.c
+--- a/openssh-6.6p1/audit-bsm.c
++++ b/openssh-6.6p1/audit-bsm.c
@@ -480,9 +480,15 @@ audit_unsupported_body(int what)
/* not implemented */
}
@@ -23,9 +23,9 @@
+ /* not implemented */
+}
#endif /* BSM */
-diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c
---- a/openssh-6.5p1/audit-linux.c
-+++ b/openssh-6.5p1/audit-linux.c
+diff --git a/openssh-6.6p1/audit-linux.c b/openssh-6.6p1/audit-linux.c
+--- a/openssh-6.6p1/audit-linux.c
++++ b/openssh-6.6p1/audit-linux.c
@@ -289,24 +289,25 @@ audit_unsupported_body(int what)
/* no problem, the next instruction will be fatal() */
return;
@@ -91,9 +91,9 @@
+}
+
#endif /* USE_LINUX_AUDIT */
-diff --git a/openssh-6.5p1/audit.c b/openssh-6.5p1/audit.c
---- a/openssh-6.5p1/audit.c
-+++ b/openssh-6.5p1/audit.c
+diff --git a/openssh-6.6p1/audit.c b/openssh-6.6p1/audit.c
+--- a/openssh-6.6p1/audit.c
++++ b/openssh-6.6p1/audit.c
@@ -138,16 +138,22 @@ audit_unsupported(int what)
}
@@ -138,9 +138,9 @@
+}
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */
-diff --git a/openssh-6.5p1/audit.h b/openssh-6.5p1/audit.h
---- a/openssh-6.5p1/audit.h
-+++ b/openssh-6.5p1/audit.h
+diff --git a/openssh-6.6p1/audit.h b/openssh-6.6p1/audit.h
+--- a/openssh-6.6p1/audit.h
++++ b/openssh-6.6p1/audit.h
@@ -57,10 +57,12 @@ int audit_run_command(const char *);
void audit_end_command(int, const char *);
ssh_audit_event_t audit_classify_auth(const char *);
@@ -154,9 +154,9 @@
+void audit_session_key_free_body(int ctos, pid_t, uid_t);
#endif /* _SSH_AUDIT_H */
-diff --git a/openssh-6.5p1/auditstub.c b/openssh-6.5p1/auditstub.c
---- a/openssh-6.5p1/auditstub.c
-+++ b/openssh-6.5p1/auditstub.c
+diff --git a/openssh-6.6p1/auditstub.c b/openssh-6.6p1/auditstub.c
+--- a/openssh-6.6p1/auditstub.c
++++ b/openssh-6.6p1/auditstub.c
@@ -22,18 +22,29 @@
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
@@ -187,10 +187,10 @@
+audit_session_key_free_body(int ctos, pid_t pid, uid_t uid)
+{
+}
-diff --git a/openssh-6.5p1/kex.c b/openssh-6.5p1/kex.c
---- a/openssh-6.5p1/kex.c
-+++ b/openssh-6.5p1/kex.c
-@@ -698,8 +698,39 @@ dump_digest(char *msg, u_char *digest, i
+diff --git a/openssh-6.6p1/kex.c b/openssh-6.6p1/kex.c
+--- a/openssh-6.6p1/kex.c
++++ b/openssh-6.6p1/kex.c
+@@ -700,8 +700,39 @@ dump_digest(char *msg, u_char *digest, i
if (i%32 == 31)
fprintf(stderr, "\n");
else if (i%8 == 7)
@@ -230,10 +230,10 @@
+ memset(&newkeys->comp, 0, sizeof(newkeys->comp));
+}
+
-diff --git a/openssh-6.5p1/kex.h b/openssh-6.5p1/kex.h
---- a/openssh-6.5p1/kex.h
-+++ b/openssh-6.5p1/kex.h
-@@ -163,16 +163,18 @@ void kexdh_client(Kex *);
+diff --git a/openssh-6.6p1/kex.h b/openssh-6.6p1/kex.h
+--- a/openssh-6.6p1/kex.h
++++ b/openssh-6.6p1/kex.h
+@@ -162,16 +162,18 @@ void kexdh_client(Kex *);
void kexdh_server(Kex *);
void kexgex_client(Kex *);
void kexgex_server(Kex *);
@@ -252,15 +252,15 @@
int, u_char *, int, int, int, int, BIGNUM *, BIGNUM *, BIGNUM *,
BIGNUM *, BIGNUM *, u_char **, u_int *);
#ifdef OPENSSL_HAS_ECC
-diff --git a/openssh-6.5p1/mac.c b/openssh-6.5p1/mac.c
---- a/openssh-6.5p1/mac.c
-+++ b/openssh-6.5p1/mac.c
-@@ -219,16 +219,30 @@ mac_clear(Mac *mac)
+diff --git a/openssh-6.6p1/mac.c b/openssh-6.6p1/mac.c
+--- a/openssh-6.6p1/mac.c
++++ b/openssh-6.6p1/mac.c
+@@ -253,16 +253,30 @@ mac_clear(Mac *mac)
if (mac->umac_ctx != NULL)
umac128_delete(mac->umac_ctx);
- } else if (mac->evp_md != NULL)
- HMAC_cleanup(&mac->evp_ctx);
- mac->evp_md = NULL;
+ } else if (mac->hmac_ctx != NULL)
+ ssh_hmac_free(mac->hmac_ctx);
+ mac->hmac_ctx = NULL;
mac->umac_ctx = NULL;
}
@@ -286,9 +286,9 @@
char *maclist, *cp, *p;
if (names == NULL || strcmp(names, "") == 0)
-diff --git a/openssh-6.5p1/mac.h b/openssh-6.5p1/mac.h
---- a/openssh-6.5p1/mac.h
-+++ b/openssh-6.5p1/mac.h
+diff --git a/openssh-6.6p1/mac.h b/openssh-6.6p1/mac.h
+--- a/openssh-6.6p1/mac.h
++++ b/openssh-6.6p1/mac.h
@@ -24,8 +24,9 @@
*/
@@ -299,10 +299,10 @@
u_char *mac_compute(Mac *, u_int32_t, u_char *, int);
void mac_clear(Mac *);
+void mac_destroy(Mac *);
-diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
---- a/openssh-6.5p1/monitor.c
-+++ b/openssh-6.5p1/monitor.c
-@@ -185,16 +185,17 @@ int mm_answer_gss_checkmic(int, Buffer *
+diff --git a/openssh-6.6p1/monitor.c b/openssh-6.6p1/monitor.c
+--- a/openssh-6.6p1/monitor.c
++++ b/openssh-6.6p1/monitor.c
+@@ -179,16 +179,17 @@ int mm_answer_gss_checkmic(int, Buffer *
#endif
#ifdef SSH_AUDIT_EVENTS
@@ -320,7 +320,7 @@
static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */
/* local state for key verify */
-@@ -238,16 +239,17 @@ struct mon_table mon_dispatch_proto20[]
+@@ -232,16 +233,17 @@ struct mon_table mon_dispatch_proto20[]
{MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
{MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
{MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
@@ -338,7 +338,7 @@
#ifdef SKEY
{MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery},
{MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond},
-@@ -277,16 +279,17 @@ struct mon_table mon_dispatch_postauth20
+@@ -264,16 +266,17 @@ struct mon_table mon_dispatch_postauth20
{MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup},
{MONITOR_REQ_TERM, 0, mm_answer_term},
#ifdef SSH_AUDIT_EVENTS
@@ -356,7 +356,7 @@
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey},
{MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid},
-@@ -310,30 +313,32 @@ struct mon_table mon_dispatch_proto15[]
+@@ -297,30 +300,32 @@ struct mon_table mon_dispatch_proto15[]
{MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
{MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
{MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
@@ -389,7 +389,7 @@
/* Specifies if a certain message is allowed at the moment */
-@@ -1971,21 +1976,23 @@ mm_get_keystate(struct monitor *pmonitor
+@@ -1949,21 +1954,23 @@ mm_get_keystate(struct monitor *pmonitor
goto skip;
} else {
/* Get the Kex for rekeying */
@@ -413,7 +413,7 @@
packets = buffer_get_int(&m);
bytes = buffer_get_int64(&m);
packet_set_state(MODE_OUT, seqnr, blocks, packets, bytes);
-@@ -2021,16 +2028,31 @@ mm_get_keystate(struct monitor *pmonitor
+@@ -1999,16 +2006,31 @@ mm_get_keystate(struct monitor *pmonitor
/* Roaming */
if (compat20) {
@@ -445,7 +445,7 @@
mm_zalloc(struct mm_master *mm, u_int ncount, u_int size)
{
size_t len = (size_t) size * ncount;
-@@ -2465,9 +2487,27 @@ mm_answer_audit_kex_body(int sock, Buffe
+@@ -2240,10 +2262,28 @@ mm_answer_audit_kex_body(int sock, Buffe
free(mac);
free(compress);
buffer_clear(m);
@@ -473,10 +473,11 @@
+ return 0;
+}
#endif /* SSH_AUDIT_EVENTS */
-diff --git a/openssh-6.5p1/monitor.h b/openssh-6.5p1/monitor.h
---- a/openssh-6.5p1/monitor.h
-+++ b/openssh-6.5p1/monitor.h
-@@ -67,16 +67,17 @@ enum monitor_reqtype {
+
+diff --git a/openssh-6.6p1/monitor.h b/openssh-6.6p1/monitor.h
+--- a/openssh-6.6p1/monitor.h
++++ b/openssh-6.6p1/monitor.h
+@@ -62,16 +62,17 @@ enum monitor_reqtype {
MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105,
MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107,
MONITOR_REQ_PAM_RESPOND = 108, MONITOR_ANS_PAM_RESPOND = 109,
@@ -494,10 +495,10 @@
int m_recvfd;
int m_sendfd;
int m_log_recvfd;
-diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c
---- a/openssh-6.5p1/monitor_wrap.c
-+++ b/openssh-6.5p1/monitor_wrap.c
-@@ -651,22 +651,24 @@ mm_send_keystate(struct monitor *monitor
+diff --git a/openssh-6.6p1/monitor_wrap.c b/openssh-6.6p1/monitor_wrap.c
+--- a/openssh-6.6p1/monitor_wrap.c
++++ b/openssh-6.6p1/monitor_wrap.c
+@@ -649,22 +649,24 @@ mm_send_keystate(struct monitor *monitor
__func__, packet_get_newkeys(MODE_OUT),
packet_get_newkeys(MODE_IN));
@@ -522,7 +523,7 @@
buffer_put_int(&m, packets);
buffer_put_int64(&m, bytes);
packet_get_state(MODE_IN, &seqnr, &blocks, &packets, &bytes);
-@@ -1520,9 +1522,24 @@ mm_audit_kex_body(int ctos, char *cipher
+@@ -1356,10 +1358,25 @@ mm_audit_kex_body(int ctos, char *cipher
buffer_put_int64(&m, uid);
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_KEX, &m);
@@ -547,9 +548,10 @@
+ buffer_free(&m);
+}
#endif /* SSH_AUDIT_EVENTS */
-diff --git a/openssh-6.5p1/monitor_wrap.h b/openssh-6.5p1/monitor_wrap.h
---- a/openssh-6.5p1/monitor_wrap.h
-+++ b/openssh-6.5p1/monitor_wrap.h
+
+diff --git a/openssh-6.6p1/monitor_wrap.h b/openssh-6.6p1/monitor_wrap.h
+--- a/openssh-6.6p1/monitor_wrap.h
++++ b/openssh-6.6p1/monitor_wrap.h
@@ -74,16 +74,17 @@ void mm_sshpam_free_ctx(void *);
#ifdef SSH_AUDIT_EVENTS
@@ -568,9 +570,9 @@
void mm_session_pty_cleanup2(struct Session *);
/* SSHv1 interfaces */
-diff --git a/openssh-6.5p1/packet.c b/openssh-6.5p1/packet.c
---- a/openssh-6.5p1/packet.c
-+++ b/openssh-6.5p1/packet.c
+diff --git a/openssh-6.6p1/packet.c b/openssh-6.6p1/packet.c
+--- a/openssh-6.6p1/packet.c
++++ b/openssh-6.6p1/packet.c
@@ -56,16 +56,17 @@
#include <stdio.h>
#include <stdlib.h>
@@ -701,9 +703,9 @@
- mac = &active_state->newkeys[mode]->mac;
- comp = &active_state->newkeys[mode]->comp;
- mac_clear(mac);
-- memset(enc->iv, 0, enc->iv_len);
-- memset(enc->key, 0, enc->key_len);
-- memset(mac->key, 0, mac->key_len);
+- explicit_bzero(enc->iv, enc->iv_len);
+- explicit_bzero(enc->key, enc->key_len);
+- explicit_bzero(mac->key, mac->key_len);
- free(enc->name);
- free(enc->iv);
- free(enc->key);
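Review bot: The lines this patch deletes from packet.c now read `explicit_bzero(enc->iv, enc->iv_len);` and likewise for `enc->key` and `mac->key`, but the refresh only updates the removed side to match the new base. The replacement cleanup added in kex.c still ends with `memset(&newkeys->comp, 0, sizeof(newkeys->comp));`. Check that the new destroy path wipes the IV and both keys with explicit_bzero() too. A plain memset() directly before free() is a store the compiler is allowed to drop, so keeping it would quietly undo the hardening that the base version just gained.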
@@ -823,9 +825,9 @@
+ backup_state = NULL;
}
+
-diff --git a/openssh-6.5p1/packet.h b/openssh-6.5p1/packet.h
---- a/openssh-6.5p1/packet.h
-+++ b/openssh-6.5p1/packet.h
+diff --git a/openssh-6.6p1/packet.h b/openssh-6.6p1/packet.h
+--- a/openssh-6.6p1/packet.h
++++ b/openssh-6.6p1/packet.h
@@ -119,9 +119,10 @@ void packet_set_rekey_limits(u_int32_t,
time_t packet_get_rekey_timeout(void);
@@ -837,10 +839,10 @@
+void packet_destroy_all(int, int);
#endif /* PACKET_H */
-diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
---- a/openssh-6.5p1/session.c
-+++ b/openssh-6.5p1/session.c
-@@ -1689,16 +1689,19 @@ do_child(Session *s, const char *command
+diff --git a/openssh-6.6p1/session.c b/openssh-6.6p1/session.c
+--- a/openssh-6.6p1/session.c
++++ b/openssh-6.6p1/session.c
+@@ -1694,16 +1694,19 @@ do_child(Session *s, const char *command
int env_size;
char *argv[ARGV_MAX];
const char *shell, *shell0, *hostname = NULL;
@@ -860,10 +862,10 @@
do_pwchange(s);
exit(1);
}
-diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
---- a/openssh-6.5p1/sshd.c
-+++ b/openssh-6.5p1/sshd.c
-@@ -711,16 +711,18 @@ privsep_preauth(Authctxt *authctxt)
+diff --git a/openssh-6.6p1/sshd.c b/openssh-6.6p1/sshd.c
+--- a/openssh-6.6p1/sshd.c
++++ b/openssh-6.6p1/sshd.c
+@@ -720,16 +720,18 @@ privsep_preauth(Authctxt *authctxt)
setproctitle("%s", "[net]");
if (box != NULL)
ssh_sandbox_child(box);
@@ -882,7 +884,7 @@
#ifdef DISABLE_FD_PASSING
if (1) {
#else
-@@ -735,16 +737,20 @@ privsep_postauth(Authctxt *authctxt)
+@@ -744,16 +746,20 @@ privsep_postauth(Authctxt *authctxt)
monitor_reinit(pmonitor);
pmonitor->m_pid = fork();
@@ -903,7 +905,7 @@
/* child */
-@@ -2104,16 +2110,17 @@ main(int ac, char **av)
+@@ -2118,16 +2124,17 @@ main(int ac, char **av)
do_authentication(authctxt);
}
/*
@@ -921,7 +923,7 @@
* Cancel the alarm we set to limit the time taken for
* authentication.
*/
-@@ -2156,16 +2163,18 @@ main(int ac, char **av)
+@@ -2170,16 +2177,18 @@ main(int ac, char **av)
packet_set_timeout(options.client_alive_interval,
options.client_alive_count_max);
@@ -940,7 +942,7 @@
verbose("Closing connection to %.500s port %d", remote_ip, remote_port);
#ifdef USE_PAM
-@@ -2497,26 +2506,38 @@ do_ssh2_kex(void)
+@@ -2523,26 +2532,38 @@ do_ssh2_kex(void)
#endif
debug("KEX done");
}
++++++ openssh-6.5p1-audit6-server_key_destruction.patch -> openssh-6.6p1-audit6-server_key_destruction.patch ++++++
--- /work/SRC/openSUSE:Factory/openssh/openssh-6.5p1-audit6-server_key_destruction.patch 2014-03-01 21:20:17.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.openssh.new/openssh-6.6p1-audit6-server_key_destruction.patch 2014-04-17 14:43:47.000000000 +0200
@@ -4,9 +4,9 @@
# https://bugzilla.mindrot.org/attachment.cgi?id=2015
# by jchadima(a)redhat.com
-diff --git a/openssh-6.5p1/audit-bsm.c b/openssh-6.5p1/audit-bsm.c
---- a/openssh-6.5p1/audit-bsm.c
-+++ b/openssh-6.5p1/audit-bsm.c
+diff --git a/openssh-6.6p1/audit-bsm.c b/openssh-6.6p1/audit-bsm.c
+--- a/openssh-6.6p1/audit-bsm.c
++++ b/openssh-6.6p1/audit-bsm.c
@@ -486,9 +486,27 @@ audit_kex_body(int ctos, char *enc, char
/* not implemented */
}
@@ -35,9 +35,9 @@
+ /* not implemented */
+}
#endif /* BSM */
-diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c
---- a/openssh-6.5p1/audit-linux.c
-+++ b/openssh-6.5p1/audit-linux.c
+diff --git a/openssh-6.6p1/audit-linux.c b/openssh-6.6p1/audit-linux.c
+--- a/openssh-6.6p1/audit-linux.c
++++ b/openssh-6.6p1/audit-linux.c
@@ -351,9 +351,55 @@ audit_session_key_free_body(int ctos, pi
audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_KEY_USER,
buf, NULL, get_remote_ipaddr(), NULL, 1);
@@ -94,9 +94,9 @@
+ error("cannot write into audit");
+}
#endif /* USE_LINUX_AUDIT */
-diff --git a/openssh-6.5p1/audit.c b/openssh-6.5p1/audit.c
---- a/openssh-6.5p1/audit.c
-+++ b/openssh-6.5p1/audit.c
+diff --git a/openssh-6.6p1/audit.c b/openssh-6.6p1/audit.c
+--- a/openssh-6.6p1/audit.c
++++ b/openssh-6.6p1/audit.c
@@ -285,10 +285,29 @@ audit_kex_body(int ctos, char *enc, char
* This will be called on succesfull session key discard
*/
@@ -127,9 +127,9 @@
+}
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */
-diff --git a/openssh-6.5p1/audit.h b/openssh-6.5p1/audit.h
---- a/openssh-6.5p1/audit.h
-+++ b/openssh-6.5p1/audit.h
+diff --git a/openssh-6.6p1/audit.h b/openssh-6.6p1/audit.h
+--- a/openssh-6.6p1/audit.h
++++ b/openssh-6.6p1/audit.h
@@ -43,26 +43,30 @@ enum ssh_audit_event_type {
SSH_INVALID_USER,
SSH_NOLOGIN, /* denied by /etc/nologin, not implemented */
@@ -161,10 +161,10 @@
+void audit_generate_ephemeral_server_key(const char *);
#endif /* _SSH_AUDIT_H */
-diff --git a/openssh-6.5p1/key.c b/openssh-6.5p1/key.c
---- a/openssh-6.5p1/key.c
-+++ b/openssh-6.5p1/key.c
-@@ -1959,16 +1959,43 @@ key_demote(const Key *k)
+diff --git a/openssh-6.6p1/key.c b/openssh-6.6p1/key.c
+--- a/openssh-6.6p1/key.c
++++ b/openssh-6.6p1/key.c
+@@ -1964,16 +1964,43 @@ key_demote(const Key *k)
fatal("key_demote: bad key type %d", k->type);
break;
}
@@ -208,9 +208,9 @@
}
/* Return the cert-less equivalent to a certified key type */
-diff --git a/openssh-6.5p1/key.h b/openssh-6.5p1/key.h
---- a/openssh-6.5p1/key.h
-+++ b/openssh-6.5p1/key.h
+diff --git a/openssh-6.6p1/key.h b/openssh-6.6p1/key.h
+--- a/openssh-6.6p1/key.h
++++ b/openssh-6.6p1/key.h
@@ -113,16 +113,17 @@ int key_read(Key *, char **);
u_int key_size(const Key *);
enum fp_type key_fp_type_select(void);
@@ -229,10 +229,10 @@
void key_cert_copy(const Key *, struct Key *);
int key_cert_check_authority(const Key *, int, int, const char *,
const char **);
-diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
---- a/openssh-6.5p1/monitor.c
-+++ b/openssh-6.5p1/monitor.c
-@@ -110,16 +110,18 @@ extern u_int utmp_len;
+diff --git a/openssh-6.6p1/monitor.c b/openssh-6.6p1/monitor.c
+--- a/openssh-6.6p1/monitor.c
++++ b/openssh-6.6p1/monitor.c
+@@ -109,16 +109,18 @@ extern u_int utmp_len;
extern Newkeys *current_keys[];
extern z_stream incoming_stream;
extern z_stream outgoing_stream;
@@ -251,7 +251,7 @@
u_char *keyin;
u_int keyinlen;
u_char *keyout;
-@@ -186,16 +188,17 @@ int mm_answer_gss_checkmic(int, Buffer *
+@@ -180,16 +182,17 @@ int mm_answer_gss_checkmic(int, Buffer *
#ifdef SSH_AUDIT_EVENTS
int mm_answer_audit_event(int, Buffer *);
@@ -269,7 +269,7 @@
static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */
/* local state for key verify */
-@@ -240,16 +243,17 @@ struct mon_table mon_dispatch_proto20[]
+@@ -234,16 +237,17 @@ struct mon_table mon_dispatch_proto20[]
{MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
{MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
#endif
@@ -287,7 +287,7 @@
#ifdef SKEY
{MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery},
{MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond},
-@@ -280,16 +284,17 @@ struct mon_table mon_dispatch_postauth20
+@@ -267,16 +271,17 @@ struct mon_table mon_dispatch_postauth20
{MONITOR_REQ_TERM, 0, mm_answer_term},
#ifdef SSH_AUDIT_EVENTS
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
@@ -305,7 +305,7 @@
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey},
{MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid},
-@@ -314,31 +319,33 @@ struct mon_table mon_dispatch_proto15[]
+@@ -301,31 +306,33 @@ struct mon_table mon_dispatch_proto15[]
{MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
{MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
#endif
@@ -339,7 +339,7 @@
/* Specifies if a certain message is allowed at the moment */
-@@ -1761,16 +1768,18 @@ mm_answer_term(int sock, Buffer *req)
+@@ -1739,16 +1746,18 @@ mm_answer_term(int sock, Buffer *req)
/* The child is terminating */
session_destroy_all(&mm_session_close);
@@ -358,7 +358,7 @@
/* Terminate process */
exit(res);
-@@ -2505,9 +2514,30 @@ mm_answer_audit_session_key_free_body(in
+@@ -2280,10 +2289,31 @@ mm_answer_audit_session_key_free_body(in
audit_session_key_free_body(ctos, pid, uid);
@@ -389,10 +389,11 @@
+ return 0;
+}
#endif /* SSH_AUDIT_EVENTS */
-diff --git a/openssh-6.5p1/monitor.h b/openssh-6.5p1/monitor.h
---- a/openssh-6.5p1/monitor.h
-+++ b/openssh-6.5p1/monitor.h
-@@ -68,16 +68,17 @@ enum monitor_reqtype {
+
+diff --git a/openssh-6.6p1/monitor.h b/openssh-6.6p1/monitor.h
+--- a/openssh-6.6p1/monitor.h
++++ b/openssh-6.6p1/monitor.h
+@@ -63,16 +63,17 @@ enum monitor_reqtype {
MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107,
MONITOR_REQ_PAM_RESPOND = 108, MONITOR_ANS_PAM_RESPOND = 109,
MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111,
@@ -410,10 +411,10 @@
int m_recvfd;
int m_sendfd;
int m_log_recvfd;
-diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c
---- a/openssh-6.5p1/monitor_wrap.c
-+++ b/openssh-6.5p1/monitor_wrap.c
-@@ -1537,9 +1537,25 @@ mm_audit_session_key_free_body(int ctos,
+diff --git a/openssh-6.6p1/monitor_wrap.c b/openssh-6.6p1/monitor_wrap.c
+--- a/openssh-6.6p1/monitor_wrap.c
++++ b/openssh-6.6p1/monitor_wrap.c
+@@ -1373,10 +1373,26 @@ mm_audit_session_key_free_body(int ctos,
buffer_put_int(&m, ctos);
buffer_put_int64(&m, pid);
buffer_put_int64(&m, uid);
@@ -439,9 +440,10 @@
+ buffer_free(&m);
+}
#endif /* SSH_AUDIT_EVENTS */
-diff --git a/openssh-6.5p1/monitor_wrap.h b/openssh-6.5p1/monitor_wrap.h
---- a/openssh-6.5p1/monitor_wrap.h
-+++ b/openssh-6.5p1/monitor_wrap.h
+
+diff --git a/openssh-6.6p1/monitor_wrap.h b/openssh-6.6p1/monitor_wrap.h
+--- a/openssh-6.6p1/monitor_wrap.h
++++ b/openssh-6.6p1/monitor_wrap.h
@@ -75,16 +75,17 @@ void mm_sshpam_free_ctx(void *);
#ifdef SSH_AUDIT_EVENTS
#include "audit.h"
@@ -460,9 +462,9 @@
void mm_session_pty_cleanup2(struct Session *);
/* SSHv1 interfaces */
-diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
---- a/openssh-6.5p1/session.c
-+++ b/openssh-6.5p1/session.c
+diff --git a/openssh-6.6p1/session.c b/openssh-6.6p1/session.c
+--- a/openssh-6.6p1/session.c
++++ b/openssh-6.6p1/session.c
@@ -132,17 +132,17 @@ static int session_pty_req(Session *);
/* import */
@@ -482,7 +484,7 @@
/* data */
static int sessions_first_unused = -1;
static int sessions_nalloc = 0;
-@@ -1688,17 +1688,17 @@ do_child(Session *s, const char *command
+@@ -1693,17 +1693,17 @@ do_child(Session *s, const char *command
char **env;
int env_size;
char *argv[ARGV_MAX];
@@ -501,10 +503,10 @@
if (s->authctxt->force_pwchange) {
do_setusercontext(pw);
child_close_fds();
-diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
---- a/openssh-6.5p1/sshd.c
-+++ b/openssh-6.5p1/sshd.c
-@@ -256,17 +256,17 @@ Buffer cfg;
+diff --git a/openssh-6.6p1/sshd.c b/openssh-6.6p1/sshd.c
+--- a/openssh-6.6p1/sshd.c
++++ b/openssh-6.6p1/sshd.c
+@@ -259,17 +259,17 @@ Buffer cfg;
/* message to be displayed after login */
Buffer loginmsg;
@@ -523,7 +525,7 @@
/*
* Close all listening sockets
*/
-@@ -275,16 +275,25 @@ close_listen_socks(void)
+@@ -278,16 +278,25 @@ close_listen_socks(void)
{
int i;
@@ -549,7 +551,7 @@
if (startup_pipes)
for (i = 0; i < options.max_startups; i++)
if (startup_pipes[i] != -1)
-@@ -554,60 +563,99 @@ sshd_exchange_identification(int sock_in
+@@ -557,60 +566,99 @@ sshd_exchange_identification(int sock_in
close(sock_out);
logit("Protocol major versions differ for %s: %.200s vs. %.200s",
get_remote_ipaddr(),
@@ -606,7 +608,7 @@
}
}
sensitive_data.ssh1_host_key = NULL;
- memset(sensitive_data.ssh1_cookie, 0, SSH_SESSION_KEY_LENGTH);
+ explicit_bzero(sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH);
}
/* Demote private to public keys for network child */
@@ -618,14 +620,14 @@
+ uid_t uid;
int i;
++ pid = getpid();
++ uid = getuid();
if (sensitive_data.server_key) {
tmp = key_demote(sensitive_data.server_key);
key_free(sensitive_data.server_key);
sensitive_data.server_key = tmp;
}
-+ pid = getpid();
-+ uid = getuid();
for (i = 0; i < options.num_host_key_files; i++) {
if (sensitive_data.host_keys[i]) {
+ char *fp;
@@ -652,7 +654,7 @@
}
static void
-@@ -1192,16 +1240,17 @@ server_accept_loop(int *sock_in, int *so
+@@ -1201,16 +1249,17 @@ server_accept_loop(int *sock_in, int *so
/* Wait in select until there is a connection. */
ret = select(maxfd+1, fdset, NULL, NULL, NULL);
@@ -670,7 +672,7 @@
generate_ephemeral_server_key();
key_used = 0;
key_do_regen = 0;
-@@ -2153,27 +2202,28 @@ main(int ac, char **av)
+@@ -2167,27 +2216,28 @@ main(int ac, char **av)
/*
* In privilege separation, we fork another child and prepare
* file descriptor passing.
@@ -700,10 +702,10 @@
verbose("Closing connection to %.500s port %d", remote_ip, remote_port);
-@@ -2392,17 +2442,17 @@ do_ssh1_kex(void)
- MD5_Update(&md, sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH);
- MD5_Final(session_key + 16, &md);
- memset(buf, 0, bytes);
+@@ -2412,17 +2462,17 @@ do_ssh1_kex(void)
+ fatal("%s: hash failed", __func__);
+ ssh_digest_free(md);
+ explicit_bzero(buf, bytes);
free(buf);
for (i = 0; i < 16; i++)
session_id[i] = session_key[i] ^ session_key[i + 16];
@@ -719,7 +721,7 @@
BN_clear_free(session_key_int);
/* Set the session key. From this on all communications will be encrypted. */
-@@ -2527,16 +2577,18 @@ cleanup_exit(int i)
+@@ -2553,16 +2603,18 @@ cleanup_exit(int i)
debug("Killing privsep child %d", pmonitor->m_pid);
if (kill(pmonitor->m_pid, SIGKILL) != 0 &&
errno != ESRCH)
++++++ openssh-6.5p1-audit7-libaudit_compat.patch -> openssh-6.6p1-audit7-libaudit_compat.patch ++++++
--- /work/SRC/openSUSE:Factory/openssh/openssh-6.5p1-audit7-libaudit_compat.patch 2014-02-15 17:17:37.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.openssh.new/openssh-6.6p1-audit7-libaudit_compat.patch 2014-04-17 14:43:47.000000000 +0200
@@ -1,8 +1,8 @@
# definitions for AUDIT_CRYPTO_* symbols fom libaudit 2.x
-diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c
---- a/openssh-6.5p1/audit-linux.c
-+++ b/openssh-6.5p1/audit-linux.c
+diff --git a/openssh-6.6p1/audit-linux.c b/openssh-6.6p1/audit-linux.c
+--- a/openssh-6.6p1/audit-linux.c
++++ b/openssh-6.6p1/audit-linux.c
@@ -25,16 +25,17 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
@@ -21,10 +21,10 @@
#include "key.h"
#include "hostfile.h"
#include "auth.h"
-diff --git a/openssh-6.5p1/compat-libaudit.h b/openssh-6.5p1/compat-libaudit.h
+diff --git a/openssh-6.6p1/compat-libaudit.h b/openssh-6.6p1/compat-libaudit.h
new file mode 100644
--- /dev/null
-+++ b/openssh-6.5p1/compat-libaudit.h
++++ b/openssh-6.6p1/compat-libaudit.h
@@ -0,0 +1,79 @@
+/* AUDIT_CRYPTO symbol definitions from libaudit 2.x */
+/* libaudit.h --
++++++ openssh-6.5p1-audit8-libaudit_dns_timeouts.patch -> openssh-6.6p1-audit8-libaudit_dns_timeouts.patch ++++++
--- /work/SRC/openSUSE:Factory/openssh/openssh-6.5p1-audit8-libaudit_dns_timeouts.patch 2014-02-15 17:17:37.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.openssh.new/openssh-6.6p1-audit8-libaudit_dns_timeouts.patch 2014-04-17 14:43:47.000000000 +0200
@@ -4,9 +4,9 @@
# Note that this particular solution causes the logs to always contain
# "hostname=?, addr=?" when DNS lookups are disabled.
-diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c
---- a/openssh-6.5p1/audit-linux.c
-+++ b/openssh-6.5p1/audit-linux.c
+diff --git a/openssh-6.6p1/audit-linux.c b/openssh-6.6p1/audit-linux.c
+--- a/openssh-6.6p1/audit-linux.c
++++ b/openssh-6.6p1/audit-linux.c
@@ -62,17 +62,17 @@ linux_audit_user_logxxx(int uid, const c
if (errno == EINVAL || errno == EPROTONOSUPPORT ||
errno == EAFNOSUPPORT)
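Review bot: the patch header carried as context in this hunk says the fix makes audit records always contain "hostname=?, addr=?" when DNS lookups are disabled, so the peer address is dropped from the records used to attribute logins. Consider still passing the numeric remote address as addr and leaving only hostname unresolved, and name in the header the setting that triggers this behaviour so that log consumers know when to expect it.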
++++++ openssh-6.5p1-blocksigalrm.patch -> openssh-6.6p1-blocksigalrm.patch ++++++
--- /work/SRC/openSUSE:Factory/openssh/openssh-6.5p1-blocksigalrm.patch 2014-02-15 17:17:37.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.openssh.new/openssh-6.6p1-blocksigalrm.patch 2014-04-17 14:43:47.000000000 +0200
@@ -2,9 +2,9 @@
# grace_alarm_handler)
# bnc#57354
-diff --git a/openssh-6.5p1/log.c b/openssh-6.5p1/log.c
---- a/openssh-6.5p1/log.c
-+++ b/openssh-6.5p1/log.c
+diff --git a/openssh-6.6p1/log.c b/openssh-6.6p1/log.c
+--- a/openssh-6.6p1/log.c
++++ b/openssh-6.6p1/log.c
@@ -47,16 +47,17 @@
#include <unistd.h>
#include <errno.h>
++++++ openssh-6.5p1-default-protocol.patch -> openssh-6.6p1-default-protocol.patch ++++++
--- /work/SRC/openSUSE:Factory/openssh/openssh-6.5p1-default-protocol.patch 2014-02-15 17:17:37.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.openssh.new/openssh-6.6p1-default-protocol.patch 2014-04-17 14:43:47.000000000 +0200
@@ -1,8 +1,8 @@
# only enable SSHv2 protocol by default (upstream default is fallback to v1)
-diff --git a/openssh-6.5p1/ssh_config b/openssh-6.5p1/ssh_config
---- a/openssh-6.5p1/ssh_config
-+++ b/openssh-6.5p1/ssh_config
+diff --git a/openssh-6.6p1/ssh_config b/openssh-6.6p1/ssh_config
+--- a/openssh-6.6p1/ssh_config
++++ b/openssh-6.6p1/ssh_config
@@ -41,17 +41,17 @@ ForwardX11Trusted yes
# CheckHostIP yes
# AddressFamily any
++++++ openssh-6.5p1-disable-openssl-abi-check.patch -> openssh-6.6p1-disable-openssl-abi-check.patch ++++++
--- /work/SRC/openSUSE:Factory/openssh/openssh-6.5p1-disable-openssl-abi-check.patch 2014-02-15 17:17:37.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.openssh.new/openssh-6.6p1-disable-openssl-abi-check.patch 2014-04-17 14:43:47.000000000 +0200
@@ -2,9 +2,9 @@
# reliable indicator of ABI changes and doesn't make much sense in a
# distribution package
-diff --git a/openssh-6.5p1/entropy.c b/openssh-6.5p1/entropy.c
---- a/openssh-6.5p1/entropy.c
-+++ b/openssh-6.5p1/entropy.c
+diff --git a/openssh-6.6p1/entropy.c b/openssh-6.6p1/entropy.c
+--- a/openssh-6.6p1/entropy.c
++++ b/openssh-6.6p1/entropy.c
@@ -212,22 +212,23 @@ seed_rng(void)
#endif
/*
++++++ openssh-6.5p1-eal3.patch -> openssh-6.6p1-eal3.patch ++++++
--- /work/SRC/openSUSE:Factory/openssh/openssh-6.5p1-eal3.patch 2014-02-15 17:17:37.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.openssh.new/openssh-6.6p1-eal3.patch 2014-04-17 14:43:47.000000000 +0200
@@ -1,8 +1,8 @@
# fix paths and references in sshd man pages
-diff --git a/openssh-6.5p1/sshd.8 b/openssh-6.5p1/sshd.8
---- a/openssh-6.5p1/sshd.8
-+++ b/openssh-6.5p1/sshd.8
+diff --git a/openssh-6.6p1/sshd.8 b/openssh-6.6p1/sshd.8
+--- a/openssh-6.6p1/sshd.8
++++ b/openssh-6.6p1/sshd.8
@@ -875,17 +875,17 @@ See
If this file exists,
.Nm
@@ -41,9 +41,9 @@
OpenSSH is a derivative of the original and free
ssh 1.2.12 release by Tatu Ylonen.
Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
-diff --git a/openssh-6.5p1/sshd_config.5 b/openssh-6.5p1/sshd_config.5
---- a/openssh-6.5p1/sshd_config.5
-+++ b/openssh-6.5p1/sshd_config.5
+diff --git a/openssh-6.6p1/sshd_config.5 b/openssh-6.6p1/sshd_config.5
+--- a/openssh-6.6p1/sshd_config.5
++++ b/openssh-6.6p1/sshd_config.5
@@ -278,18 +278,17 @@ The contents of the specified file are s
authentication is allowed.
If the argument is
++++++ openssh-6.5p1-fingerprint_hash.patch -> openssh-6.6p1-fingerprint_hash.patch ++++++
--- /work/SRC/openSUSE:Factory/openssh/openssh-6.5p1-fingerprint_hash.patch 2014-02-15 17:17:37.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.openssh.new/openssh-6.6p1-fingerprint_hash.patch 2014-04-17 14:43:47.000000000 +0200
@@ -1,14 +1,14 @@
# HG changeset patch
-# Parent 450c3933f35c6801a682ea32c588e4c9ff73414a
+# Parent a3a898b117b0f726e6cc923f18463de8e45e74f5
# select fingerprint hash algorithms based on the environment variable
# SSH_FP_TYPE_ENVVAR and append it to hex and randomart fingerprints
# Petr Cerny <pcerny(a)suse.cz>
-diff --git a/openssh-6.5p1/auth-rsa.c b/openssh-6.5p1/auth-rsa.c
---- a/openssh-6.5p1/auth-rsa.c
-+++ b/openssh-6.5p1/auth-rsa.c
-@@ -226,17 +226,17 @@ rsa_key_allowed_in_file(struct passwd *p
+diff --git a/openssh-6.6p1/auth-rsa.c b/openssh-6.6p1/auth-rsa.c
+--- a/openssh-6.6p1/auth-rsa.c
++++ b/openssh-6.6p1/auth-rsa.c
+@@ -230,17 +230,17 @@ rsa_key_allowed_in_file(struct passwd *p
/* check the real bits */
keybits = BN_num_bits(key->rsa->n);
@@ -27,9 +27,9 @@
if (auth_key_is_revoked(key))
break;
-diff --git a/openssh-6.5p1/auth.c b/openssh-6.5p1/auth.c
---- a/openssh-6.5p1/auth.c
-+++ b/openssh-6.5p1/auth.c
+diff --git a/openssh-6.6p1/auth.c b/openssh-6.6p1/auth.c
+--- a/openssh-6.6p1/auth.c
++++ b/openssh-6.6p1/auth.c
@@ -680,17 +680,17 @@ auth_key_is_revoked(Key *key)
case -1:
/* Error opening revoked_keys_file: refuse all keys */
@@ -49,9 +49,9 @@
fatal("key_in_file returned junk");
}
-diff --git a/openssh-6.5p1/auth2-hostbased.c b/openssh-6.5p1/auth2-hostbased.c
---- a/openssh-6.5p1/auth2-hostbased.c
-+++ b/openssh-6.5p1/auth2-hostbased.c
+diff --git a/openssh-6.6p1/auth2-hostbased.c b/openssh-6.6p1/auth2-hostbased.c
+--- a/openssh-6.6p1/auth2-hostbased.c
++++ b/openssh-6.6p1/auth2-hostbased.c
@@ -202,23 +202,23 @@ hostbased_key_allowed(struct passwd *pw,
_PATH_SSH_SYSTEM_HOSTFILE2,
options.ignore_user_known_hosts ? NULL :
@@ -78,9 +78,9 @@
return (host_status == HOST_OK);
}
-diff --git a/openssh-6.5p1/auth2-pubkey.c b/openssh-6.5p1/auth2-pubkey.c
---- a/openssh-6.5p1/auth2-pubkey.c
-+++ b/openssh-6.5p1/auth2-pubkey.c
+diff --git a/openssh-6.6p1/auth2-pubkey.c b/openssh-6.6p1/auth2-pubkey.c
+--- a/openssh-6.6p1/auth2-pubkey.c
++++ b/openssh-6.6p1/auth2-pubkey.c
@@ -208,25 +208,25 @@ pubkey_auth_info(Authctxt *authctxt, con
i = vasprintf(&extra, fmt, ap);
va_end(ap);
@@ -166,9 +166,9 @@
options.trusted_user_ca_keys);
goto out;
}
-diff --git a/openssh-6.5p1/key.c b/openssh-6.5p1/key.c
---- a/openssh-6.5p1/key.c
-+++ b/openssh-6.5p1/key.c
+diff --git a/openssh-6.6p1/key.c b/openssh-6.6p1/key.c
+--- a/openssh-6.6p1/key.c
++++ b/openssh-6.6p1/key.c
@@ -420,30 +420,39 @@ key_fingerprint_raw(const Key *k, enum f
*dgst_raw_length = ssh_digest_bytes(hash_alg);
} else {
@@ -278,7 +278,7 @@
dgst_rep);
break;
}
- memset(dgst_raw, 0, dgst_raw_len);
+ explicit_bzero(dgst_raw, dgst_raw_len);
free(dgst_raw);
return retval;
}
@@ -348,9 +348,9 @@
* the buffer containing the number.
*/
static int
-diff --git a/openssh-6.5p1/key.h b/openssh-6.5p1/key.h
---- a/openssh-6.5p1/key.h
-+++ b/openssh-6.5p1/key.h
+diff --git a/openssh-6.6p1/key.h b/openssh-6.6p1/key.h
+--- a/openssh-6.6p1/key.h
++++ b/openssh-6.6p1/key.h
@@ -53,16 +53,18 @@ enum fp_type {
SSH_FP_MD5,
SSH_FP_SHA256
@@ -389,9 +389,9 @@
int key_type_is_cert(int);
int key_type_plain(int);
int key_to_certified(Key *, int);
-diff --git a/openssh-6.5p1/ssh-add.c b/openssh-6.5p1/ssh-add.c
---- a/openssh-6.5p1/ssh-add.c
-+++ b/openssh-6.5p1/ssh-add.c
+diff --git a/openssh-6.6p1/ssh-add.c b/openssh-6.6p1/ssh-add.c
+--- a/openssh-6.6p1/ssh-add.c
++++ b/openssh-6.6p1/ssh-add.c
@@ -325,17 +325,17 @@ list_identities(AuthenticationConnection
int version;
@@ -411,9 +411,9 @@
if (!key_write(key, stdout))
fprintf(stderr, "key_write failed");
fprintf(stdout, " %s\n", comment);
-diff --git a/openssh-6.5p1/ssh-agent.c b/openssh-6.5p1/ssh-agent.c
---- a/openssh-6.5p1/ssh-agent.c
-+++ b/openssh-6.5p1/ssh-agent.c
+diff --git a/openssh-6.6p1/ssh-agent.c b/openssh-6.6p1/ssh-agent.c
+--- a/openssh-6.6p1/ssh-agent.c
++++ b/openssh-6.6p1/ssh-agent.c
@@ -193,17 +193,17 @@ lookup_identity(Key *key, int version)
/* Check confirmation of keysign request */
@@ -433,9 +433,9 @@
return (ret);
}
-diff --git a/openssh-6.5p1/ssh-keygen.c b/openssh-6.5p1/ssh-keygen.c
---- a/openssh-6.5p1/ssh-keygen.c
-+++ b/openssh-6.5p1/ssh-keygen.c
+diff --git a/openssh-6.6p1/ssh-keygen.c b/openssh-6.6p1/ssh-keygen.c
+--- a/openssh-6.6p1/ssh-keygen.c
++++ b/openssh-6.6p1/ssh-keygen.c
@@ -741,27 +741,27 @@ do_download(struct passwd *pw)
{
#ifdef ENABLE_PKCS11
@@ -583,10 +583,10 @@
printf("The key's randomart image is:\n");
printf("%s\n", ra);
free(ra);
-diff --git a/openssh-6.5p1/sshconnect.c b/openssh-6.5p1/sshconnect.c
---- a/openssh-6.5p1/sshconnect.c
-+++ b/openssh-6.5p1/sshconnect.c
-@@ -906,18 +906,18 @@ check_host_key(char *hostname, struct so
+diff --git a/openssh-6.6p1/sshconnect.c b/openssh-6.6p1/sshconnect.c
+--- a/openssh-6.6p1/sshconnect.c
++++ b/openssh-6.6p1/sshconnect.c
+@@ -909,18 +909,18 @@ check_host_key(char *hostname, struct so
"address '%.128s' to the list of known "
"hosts (%.30s).", type, ip,
user_hostfiles[0]);
@@ -607,7 +607,7 @@
break;
case HOST_NEW:
if (options.host_key_alias == NULL && port != 0 &&
-@@ -947,18 +947,18 @@ check_host_key(char *hostname, struct so
+@@ -950,18 +950,18 @@ check_host_key(char *hostname, struct so
if (show_other_keys(host_hostkeys, host_key))
snprintf(msg1, sizeof(msg1),
@@ -628,7 +628,7 @@
"Matching host key fingerprint"
" found in DNS.\n");
else
-@@ -1212,17 +1212,17 @@ fail:
+@@ -1215,17 +1215,17 @@ fail:
/* returns 0 if key verifies or -1 if key does NOT verify */
int
@@ -647,7 +647,7 @@
verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
if (flags & DNS_VERIFY_FOUND) {
-@@ -1319,18 +1319,18 @@ show_other_keys(struct hostkeys *hostkey
+@@ -1322,18 +1322,18 @@ show_other_keys(struct hostkeys *hostkey
char *fp, *ra;
const struct hostkey_entry *found;
@@ -668,7 +668,7 @@
key_type(found->key), fp);
if (options.visual_host_key)
logit("%s", ra);
-@@ -1341,17 +1341,17 @@ show_other_keys(struct hostkeys *hostkey
+@@ -1344,17 +1344,17 @@ show_other_keys(struct hostkeys *hostkey
return ret;
}
@@ -687,10 +687,10 @@
error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
error("It is also possible that a host key has just been changed.");
error("The fingerprint for the %s key sent by the remote host is\n%s.",
-diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
---- a/openssh-6.5p1/sshconnect2.c
-+++ b/openssh-6.5p1/sshconnect2.c
-@@ -592,17 +592,17 @@ input_userauth_pk_ok(int type, u_int32_t
+diff --git a/openssh-6.6p1/sshconnect2.c b/openssh-6.6p1/sshconnect2.c
+--- a/openssh-6.6p1/sshconnect2.c
++++ b/openssh-6.6p1/sshconnect2.c
+@@ -577,17 +577,17 @@ input_userauth_pk_ok(int type, u_int32_t
goto done;
}
if (key->type != pktype) {
@@ -709,7 +709,7 @@
* moved to the end of the queue. this also avoids confusion by
* duplicate keys
*/
-@@ -1206,17 +1206,17 @@ sign_and_send_pubkey(Authctxt *authctxt,
+@@ -988,17 +988,17 @@ sign_and_send_pubkey(Authctxt *authctxt,
Buffer b;
u_char *blob, *signature;
u_int bloblen, slen;
++++++ openssh-6.6p1-fips-checks.patch ++++++
# HG changeset patch
# Parent 12ad7b6077ef9c6b3a3a53b4f0084c3eb2f80fe7
diff --git a/openssh-6.6p1/fips-check.c b/openssh-6.6p1/fips-check.c
new file mode 100644
--- /dev/null
+++ b/openssh-6.6p1/fips-check.c
@@ -0,0 +1,37 @@
+#include "includes.h"
+#include <fcntl.h>
+#include <limits.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#include "digest.h"
+#include "fips.h"
+
+#include <openssl/err.h>
+
+#define PROC_NAME_LEN 64
+
+static const char *argv0;
+
+void
+print_help_exit(int ev)
+{
+ fprintf(stderr, "%s <-c|-w> <file> <checksum_file>\n", argv0);
+ fprintf(stderr, " -c verify hash of 'file' against hash in 'checksum_file'\n");
+ fprintf(stderr, " -w write hash of 'file' into 'checksum_file'\n");
+ exit(ev);
+}
+
+int
+main(int argc, char **argv)
+{
+
+ fips_ssh_init();
+// printf("SSL Error: %lx: %s", ERR_get_error(), ERR_get_string(ERR_get_error(), NULL));
+
+ return 0;
+}
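Review bot: main() in the new fips-check.c ignores argc and argv and only calls fips_ssh_init(), so the -c and -w modes that print_help_exit() advertises are not implemented. argv0 is never assigned, and print_help_exit() and PROC_NAME_LEN are unused. Either implement the verify and write modes, with argument checking, or drop the help text and the unused symbols. The commented-out printf should go as well: it calls ERR_get_error() twice, so the code and the string would come from different queue entries, and it names ERR_get_string where the fips.c hunk uses ERR_error_string.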
diff --git a/openssh-6.6p1/fips.c b/openssh-6.6p1/fips.c
--- a/openssh-6.6p1/fips.c
+++ b/openssh-6.6p1/fips.c
@@ -24,21 +24,342 @@
#include "includes.h"
#include "fips.h"
#include "digest.h"
#include "key.h"
#include "log.h"
+#include "xmalloc.h"
+#include <openbsd-compat/openssl-compat.h>
+
+#include <errno.h>
+#include <fcntl.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
#include <openssl/crypto.h>
+#include <openssl/err.h>
+
+enum fips_checksum_status {
+ CHECK_OK = 0,
+ CHECK_FAIL,
+ CHECK_MISSING
+};
static int fips_state = -1;
+static char *
+hex_fingerprint(u_int raw_len, u_char *raw)
+{
+ char *retval;
+ u_int i;
+
+ /* reserve space for both the key hash and the string for the hash type */
+ retval = malloc(3 * raw_len);
+ for (i = 0; i < raw_len; i++) {
+ char hex[4];
+ snprintf(hex, sizeof(hex), "%02x:", raw[i]);
+ strlcat(retval, hex, raw_len * 3);
+ }
+
+ return retval;
+}
+
+/* calculates hash of contents of file given by filename using algorithm alg
+ * and placing the resukt into newly allacated memory - remember to free it
+ * when not needed anymore */
+static int
+hash_file(const char *filename, int alg, u_char **hash_out)
+{
+ int check = -1;
+ int hash_len;
+ int fd;
+ struct stat fs;
+ void *hmap;
+ char *hash;
+
+ hash_len = ssh_digest_bytes(alg);
+ hash = xmalloc(hash_len);
+
+ fd = open(filename, O_RDONLY);
+ if (-1 == fd)
+ goto bail_out;
+
+ if (-1 == fstat(fd, &fs))
+ goto bail_out;
+
+ hmap = mmap(NULL, fs.st_size, PROT_READ, MAP_SHARED, fd, 0);
+
+ if ((void *)(-1) != hmap) {
+ check = ssh_digest_memory(alg, hmap, fs.st_size, hash, hash_len);
+ munmap(hmap, fs.st_size);
+ }
+ close(fd);
+
+bail_out:
+ if (0 == check) {
+ check = CHECK_OK;
+ *hash_out = hash;
+ } else {
+ check = CHECK_FAIL;
+ *hash_out = NULL;
+ free(hash);
+ }
+ return check;
+}
+
+/* find pathname of binary of process with PID pid. exe is buffer expected to
+ * be capable of holding at least max_pathlen characters
+ */
+static int
+get_executable_path(pid_t pid, char *exe, int max_pathlen)
+{
+ char exe_sl[PROC_EXE_PATH_LEN];
+ int n;
+
+ n = snprintf(exe_sl, sizeof(exe_sl), "/proc/%u/exe", pid);
+ if ((n <= 10) || (n >= max_pathlen)) {
+ fatal("error compiling filename of link to executable");
+ }
+
+ n = readlink(exe_sl, exe, max_pathlen);
+ if (n < max_pathlen) {
+ exe[n] = 0;
+ } else {
+ fatal("error getting executable pathname");
+ }
+ return 0;
+}
+
+/* Read checksum file chk, storing the algorithm used for generating it into
+ * *alg; allocate enough memory to hold the hash and return it in *hash.
+ * Remember to free() it when not needed anymore.
+ */
+static int
+read_hash(const char *chk, int *alg, u_char **hash)
+{
+ int check = -1;
+ int hash_len;
+ int fdh, n;
+ char alg_c;
+ char *hash_in;
+
+ *hash = NULL;
+
+ fdh = open(chk, O_RDONLY);
+ if (-1 == fdh) {
+ switch (errno) {
+ case ENOENT:
+ check = CHECK_MISSING;
+ debug("fips: checksum file %s is missing\n", chk);
+ break;
+ default:
+ check = CHECK_FAIL;
+ debug("fips: ckecksum file %s not accessible\n", chk);
+ break;
+
+ }
+ goto bail_out;
+ }
+
+ n = read(fdh, &alg_c, 1);
+ if (1 != n) {
+ check = CHECK_FAIL;
+ goto bail_out;
+ }
+
+ *alg = (int)alg_c;
+ hash_len = ssh_digest_bytes(*alg);
+ hash_in = xmalloc(hash_len);
+
+ n = read(fdh, (void *)hash_in, hash_len);
+ if (hash_len != n) {
+ debug("fips: unable to read whole checksum from checksum file\n");
+ free (hash_in);
+ check = CHECK_FAIL;
+ } else {
+ check = CHECK_OK;
+ *hash = hash_in;
+ }
+bail_out:
+ return check;
+}
+
+static int
+fips_hash_self(void)
+{
+ int check = -1;
+ int alg;
+ u_char *hash, *hash_chk;
+ char *exe, *chk;
+
+ exe = xmalloc(PATH_MAX);
+ chk = xmalloc(PATH_MAX);
+
+ /* we will need to add the ".chk" suffix and the null terminator */
+ check = get_executable_path(getpid(), exe
+ , PATH_MAX - strlen(CHECKSUM_SUFFIX) - 1);
+
+ strncpy(chk, exe, PATH_MAX);
+ strlcat(chk, CHECKSUM_SUFFIX, PATH_MAX);
+
+ check = read_hash(chk, &alg, &hash_chk);
+ if (CHECK_OK != check)
+ goto cleanup_chk;
+
+ check = hash_file(exe, alg, &hash);
+ if (CHECK_OK != check)
+ goto cleanup;
+
+ check = memcmp(hash, hash_chk, ssh_digest_bytes(alg));
+ if (0 == check) {
+ check = CHECK_OK;
+ debug("fips: checksum matches\n");
+ } else {
+ check = CHECK_FAIL;
+ debug("fips: checksum mismatch!\n");
+ }
+
+cleanup:
+ free(hash);
+cleanup_chk:
+ free(hash_chk);
+ free(chk);
+ free(exe);
+
+ return check;
+}
+
+static int
+fips_check_required_proc(void)
+{
+ int fips_required = 0;
+ int fips_fd;
+ char fips_sys = 0;
+
+ struct stat dummy;
+ if (-1 == stat(FIPS_PROC_PATH, &dummy)) {
+ switch (errno) {
+ case ENOENT:
+ case ENOTDIR:
+ break;
+ default:
+ fatal("Check for system-wide FIPS mode is required and %s cannot"
+ " be accessed for reason other than non-existence - aborting"
+ , FIPS_PROC_PATH);
+ break;
+ }
+ } else {
+ if (-1 == (fips_fd = open(FIPS_PROC_PATH, O_RDONLY)))
+ fatal("Check for system-wide FIPS mode is required and %s cannot"
+ " be opened for reading - aborting"
+ , FIPS_PROC_PATH);
+ if (1 > read(fips_fd, &fips_sys, 1))
+ fatal("Check for system-wide FIPS mode is required and %s doesn't"
+ " return at least one character - aborting"
+ , FIPS_PROC_PATH);
+ close(fips_sys);
+ switch (fips_sys) {
+ case '0':
+ case '1':
+ fips_required = fips_sys - '0';
+ break;
+ default:
+ fatal("Bogus character %c found in %s - aborting"
+ , fips_sys, FIPS_PROC_PATH);
+ }
+ }
+ return fips_required;
+}
+
+static int
+fips_check_required_env(void)
+{
+ int fips_required = 0;
+ char *env = getenv(SSH_FORCE_FIPS_ENV);
+
+ if (env) {
+ errno = 0;
+ fips_required = strtol(env, NULL, 10);
+ if (errno) {
+ debug("bogus value in the %s environment variable, ignoring\n"
+ , SSH_FORCE_FIPS_ENV);
+ fips_required = 0;
+ } else
+ fips_required = 1;
+ }
+ return fips_required;
+}
+
+static int
+fips_required(void)
+{
+ int fips_requests = 0;
+ fips_requests += fips_check_required_proc();
+ fips_requests += fips_check_required_env();
+ return fips_requests;
+}
+
+/* check whether FIPS mode is required and perform selfchecksum/selftest */
+void
+fips_ssh_init(void)
+{
+ int checksum;
+
+ checksum = fips_hash_self();
+
+ if (fips_required()) {
+ switch (checksum) {
+ case CHECK_OK:
+ debug("fips: mandatory checksum ok");
+ break;
+ case CHECK_FAIL:
+ fatal("fips: mandatory checksum failed - aborting");
+ break;
+ case CHECK_MISSING:
+ fatal("fips: mandatory checksum data missing - aborting");
+ break;
+ default:
+ fatal("Fatal error: internal error at %s:%u"
+ , __FILE__, __LINE__);
+ break;
+ }
+ fips_state = FIPS_mode_set(1);
+ if (1 != fips_state) {
+ ERR_load_crypto_strings();
+ u_long err = ERR_get_error();
+ error("fips: OpenSSL error %lx: %s", err, ERR_error_string(err, NULL));
+ fatal("fips: unable to set OpenSSL into FIPS mode - aborting"
+ , fips_state);
+ }
+ } else {
+ switch (checksum) {
+ case CHECK_OK:
+ debug("fips: checksum ok");
+ break;
+ case CHECK_FAIL:
+ fatal("fips: checksum failed - aborting");
+ break;
+ case CHECK_MISSING:
+ debug("fips: mandatory checksum data missing, but not required - continuing non-FIPS");
+ break;
+ default:
+ fatal("Fatal error: internal error at %s:%u",
+ __FILE__, __LINE__);
+ break;
+ }
+ }
+ return;
+}
+
int
fips_mode()
{
if (-1 == fips_state) {
fips_state = FIPS_mode();
if (fips_state)
debug("FIPS mode initialized");
}
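Review bot: In the branch that opens and reads FIPS_PROC_PATH, close(fips_sys) closes the descriptor whose number equals the character just read and leaves fips_fd open; it should be close(fips_fd). In fips_check_required_env() the strtol() result is thrown away: any value of SSH_FORCE_FIPS that parses without setting errno, "0" included, ends with fips_required = 1. Either document that the mere presence of the variable forces FIPS mode, or keep the parsed value and pass an end pointer so trailing garbage is rejected. In fips_ssh_init() the call fatal("fips: unable to set OpenSSL into FIPS mode - aborting", fips_state) passes an argument that the format string never consumes, and u_long err is declared after a statement, which older C dialects reject. The CHECK_MISSING message in the non-required branch still says "mandatory", which will confuse anyone reading the debug log.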
diff --git a/openssh-6.6p1/fips.h b/openssh-6.6p1/fips.h
--- a/openssh-6.6p1/fips.h
+++ b/openssh-6.6p1/fips.h
@@ -1,10 +1,10 @@
/*
- * Copyright (c) 2012 Petr Cerny. All rights reserved.
+ * Copyright (c) 2012-2014 Petr Cerny. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
@@ -19,15 +19,22 @@
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef FIPS_H
#define FIPS_H
+#define SSH_FORCE_FIPS_ENV "SSH_FORCE_FIPS"
+#define FIPS_PROC_PATH "/proc/sys/crypto/fips_enabled"
+
+#define PROC_EXE_PATH_LEN 64
+#define CHECKSUM_SUFFIX ".chk"
+
+void fips_ssh_init(void);
int fips_mode(void);
int fips_correct_dgst(int);
int fips_dgst_min(void);
enum fp_type fips_correct_fp_type(enum fp_type);
#endif
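Review bot: The new macros in this hunk have no comments, and PROC_EXE_PATH_LEN 64 is an unexplained size. Please add a line for each saying what it is for: SSH_FORCE_FIPS_ENV names a user-settable environment variable that changes the crypto mode, and CHECKSUM_SUFFIX and PROC_EXE_PATH_LEN determine where the self-check looks for its checksum file, so both deserve a note here and in the man pages.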
diff --git a/openssh-6.6p1/sftp-server.c b/openssh-6.6p1/sftp-server.c
--- a/openssh-6.6p1/sftp-server.c
+++ b/openssh-6.6p1/sftp-server.c
@@ -47,16 +47,18 @@
#include "log.h"
#include "misc.h"
#include "match.h"
#include "uidswap.h"
#include "sftp.h"
#include "sftp-common.h"
+#include "fips.h"
+
/* helper */
#define get_int64() buffer_get_int64(&iqueue);
#define get_int() buffer_get_int(&iqueue);
#define get_string(lenp) buffer_get_string(&iqueue, lenp);
/* Our verbosity */
static LogLevel log_level = SYSLOG_LEVEL_ERROR;
@@ -1453,16 +1455,19 @@ sftp_server_main(int argc, char **argv,
ssize_t len, olen, set_size;
SyslogFacility log_facility = SYSLOG_FACILITY_AUTH;
char *cp, *homedir = NULL, buf[4*4096];
long mask;
extern char *optarg;
extern char *__progname;
+ /* initialize fips */
+ fips_ssh_init();
+
__progname = ssh_get_progname(argv[0]);
log_init(__progname, log_level, log_facility, log_stderr);
pw = pwcopy(user_pw);
while (!skipargs && (ch = getopt(argc, argv,
"d:f:l:P:p:Q:u:m:cehR")) != -1) {
switch (ch) {
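Review bot: fips_ssh_init() is called before __progname is set and before log_init(), so the debug() and fatal() messages it emits (checksum ok, checksum failed, FIPS mode could not be set) are produced before logging has been set up with log_level and log_facility. Moving the call to just after log_init(__progname, log_level, log_facility, log_stderr) would make a failed self-check show up in the log the administrator actually reads.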
diff --git a/openssh-6.6p1/ssh.c b/openssh-6.6p1/ssh.c
--- a/openssh-6.6p1/ssh.c
+++ b/openssh-6.6p1/ssh.c
@@ -420,16 +420,19 @@ main(int ac, char **av)
struct stat st;
struct passwd *pw;
int timeout_ms;
extern int optind, optreset;
extern char *optarg;
Forward fwd;
struct addrinfo *addrs = NULL;
+ /* initialize fips */
+ fips_ssh_init();
+
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
sanitise_stdfd();
__progname = ssh_get_progname(av[0]);
#ifndef HAVE_SETPROCTITLE
/* Prepare for later setproctitle emulation */
/* Save argv so it isn't clobbered by setproctitle() emulation */
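Review bot: fips_ssh_init() is placed ahead of sanitise_stdfd(), yet the FIPS check opens FIPS_PROC_PATH, so when ssh is started with fd 0, 1 or 2 closed that open() can be handed one of the standard descriptor numbers. The existing comment says the sanitise call is there to ensure those fds are open or directed to /dev/null; the FIPS initialisation should come after it, and preferably after __progname is set so that fatal() output is attributed correctly.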
diff --git a/openssh-6.6p1/sshd.c b/openssh-6.6p1/sshd.c
--- a/openssh-6.6p1/sshd.c
+++ b/openssh-6.6p1/sshd.c
@@ -1466,16 +1466,19 @@ main(int ac, char **av)
u_int64_t ibytes, obytes;
mode_t new_umask;
Key *key;
Key *pubkey;
int keytype;
Authctxt *authctxt;
struct connection_info *connection_info = get_connection_info(0, 0);
+ /* initialize fips */
+ fips_ssh_init();
+
#ifdef HAVE_SECUREWARE
(void)set_auth_parameters(ac, av);
#endif
__progname = ssh_get_progname(av[0]);
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
saved_argc = ac;
rexec_argc = ac;
++++++ openssh-6.5p1-fips.patch -> openssh-6.6p1-fips.patch ++++++
++++ 1069 lines (skipped)
++++ between /work/SRC/openSUSE:Factory/openssh/openssh-6.5p1-fips.patch
++++ and /work/SRC/openSUSE:Factory/.openssh.new/openssh-6.6p1-fips.patch
++++++ openssh-6.5p1-gssapi_key_exchange.patch -> openssh-6.6p1-gssapi_key_exchange.patch ++++++
++++ 926 lines (skipped)
++++ between /work/SRC/openSUSE:Factory/openssh/openssh-6.5p1-gssapi_key_exchange.patch
++++ and /work/SRC/openSUSE:Factory/.openssh.new/openssh-6.6p1-gssapi_key_exchange.patch
++++++ openssh-6.5p1-gssapimitm.patch -> openssh-6.6p1-gssapimitm.patch ++++++
--- /work/SRC/openSUSE:Factory/openssh/openssh-6.5p1-gssapimitm.patch 2014-02-15 17:17:37.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.openssh.new/openssh-6.6p1-gssapimitm.patch 2014-04-17 14:43:47.000000000 +0200
@@ -13,10 +13,10 @@
# recommended to use the 'gssapi-with-mic' mechanism. Existing installations
# are encouraged to upgrade as soon as possible.
-diff --git a/openssh-6.5p1/auth2-gss.c b/openssh-6.5p1/auth2-gss.c
---- a/openssh-6.5p1/auth2-gss.c
-+++ b/openssh-6.5p1/auth2-gss.c
-@@ -173,16 +173,25 @@ input_gssapi_token(int type, u_int32_t p
+diff --git a/openssh-6.6p1/auth2-gss.c b/openssh-6.6p1/auth2-gss.c
+--- a/openssh-6.6p1/auth2-gss.c
++++ b/openssh-6.6p1/auth2-gss.c
+@@ -168,16 +168,25 @@ input_gssapi_token(int type, u_int32_t p
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
if (flags & GSS_C_INTEG_FLAG)
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC,
@@ -42,7 +42,7 @@
static void
input_gssapi_errtok(int type, u_int32_t plen, void *ctxt)
-@@ -291,9 +300,15 @@ input_gssapi_mic(int type, u_int32_t ple
+@@ -286,9 +295,15 @@ input_gssapi_mic(int type, u_int32_t ple
}
Authmethod method_gssapi = {
@@ -58,10 +58,10 @@
+};
+
#endif /* GSSAPI */
-diff --git a/openssh-6.5p1/auth2.c b/openssh-6.5p1/auth2.c
---- a/openssh-6.5p1/auth2.c
-+++ b/openssh-6.5p1/auth2.c
-@@ -65,26 +65,28 @@ extern Buffer loginmsg;
+diff --git a/openssh-6.6p1/auth2.c b/openssh-6.6p1/auth2.c
+--- a/openssh-6.6p1/auth2.c
++++ b/openssh-6.6p1/auth2.c
+@@ -65,23 +65,25 @@ extern Buffer loginmsg;
extern Authmethod method_none;
extern Authmethod method_pubkey;
@@ -72,9 +72,6 @@
extern Authmethod method_gssapi;
+extern Authmethod method_gssapi_old;
#endif
- #ifdef JPAKE
- extern Authmethod method_jpake;
- #endif
Authmethod *authmethods[] = {
&method_none,
@@ -83,17 +80,17 @@
&method_gssapi,
+ &method_gssapi_old,
#endif
- #ifdef JPAKE
- &method_jpake,
- #endif
&method_passwd,
&method_kbdint,
&method_hostbased,
NULL
-diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
---- a/openssh-6.5p1/readconf.c
-+++ b/openssh-6.5p1/readconf.c
-@@ -134,17 +134,17 @@ typedef enum {
+ };
+
+ /* protocol */
+diff --git a/openssh-6.6p1/readconf.c b/openssh-6.6p1/readconf.c
+--- a/openssh-6.6p1/readconf.c
++++ b/openssh-6.6p1/readconf.c
+@@ -135,17 +135,17 @@ typedef enum {
oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
@@ -108,11 +105,11 @@
oSendEnv, oControlPath, oControlMaster, oControlPersist,
oHashKnownHosts,
oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
- oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
+ oVisualHostKey, oUseRoaming,
oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
-@@ -178,19 +178,21 @@ static struct {
+@@ -179,19 +179,21 @@ static struct {
{ "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
{ "tisauthentication", oChallengeResponseAuthentication }, /* alias */
{ "kerberosauthentication", oUnsupported },
@@ -134,7 +131,7 @@
{ "identitiesonly", oIdentitiesOnly },
{ "hostname", oHostName },
{ "hostkeyalias", oHostKeyAlias },
-@@ -837,16 +839,20 @@ parse_time:
+@@ -839,16 +841,20 @@ parse_time:
case oGssAuthentication:
intptr = &options->gss_authentication;
@@ -155,7 +152,7 @@
case oCheckHostIP:
intptr = &options->check_host_ip;
goto parse_flag;
-@@ -1484,16 +1490,17 @@ initialize_options(Options * options)
+@@ -1493,16 +1499,17 @@ initialize_options(Options * options)
options->xauth_location = NULL;
options->gateway_ports = -1;
options->use_privileged_port = -1;
@@ -173,7 +170,7 @@
options->batch_mode = -1;
options->check_host_ip = -1;
options->strict_host_key_checking = -1;
-@@ -1591,16 +1598,18 @@ fill_default_options(Options * options)
+@@ -1613,16 +1620,18 @@ fill_default_options(Options * options)
if (options->pubkey_authentication == -1)
options->pubkey_authentication = 1;
if (options->challenge_response_authentication == -1)
@@ -192,9 +189,9 @@
options->rhosts_rsa_authentication = 0;
if (options->hostbased_authentication == -1)
options->hostbased_authentication = 0;
-diff --git a/openssh-6.5p1/readconf.h b/openssh-6.5p1/readconf.h
---- a/openssh-6.5p1/readconf.h
-+++ b/openssh-6.5p1/readconf.h
+diff --git a/openssh-6.6p1/readconf.h b/openssh-6.6p1/readconf.h
+--- a/openssh-6.6p1/readconf.h
++++ b/openssh-6.6p1/readconf.h
@@ -50,16 +50,17 @@ typedef struct {
* authentication. */
int rsa_authentication; /* Try RSA authentication. */
@@ -209,13 +206,13 @@
* authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
char *kbd_interactive_devices; /* Keyboard-interactive auth devices. */
- int zero_knowledge_password_authentication; /* Try jpake */
int batch_mode; /* Batch mode: do not ask for passwords. */
int check_host_ip; /* Also keep track of keys for IP address */
int strict_host_key_checking; /* Strict host key checking. */
-diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
---- a/openssh-6.5p1/servconf.c
-+++ b/openssh-6.5p1/servconf.c
+ int compression; /* Compress packets in both directions. */
+diff --git a/openssh-6.6p1/servconf.c b/openssh-6.6p1/servconf.c
+--- a/openssh-6.6p1/servconf.c
++++ b/openssh-6.6p1/servconf.c
@@ -104,16 +104,17 @@ initialize_server_options(ServerOptions
options->rsa_authentication = -1;
options->pubkey_authentication = -1;
@@ -234,7 +231,7 @@
options->use_login = -1;
options->compression = -1;
options->rekey_limit = -1;
-@@ -242,16 +243,18 @@ fill_default_server_options(ServerOption
+@@ -241,16 +242,18 @@ fill_default_server_options(ServerOption
if (options->kerberos_ticket_cleanup == -1)
options->kerberos_ticket_cleanup = 1;
if (options->kerberos_get_afs_token == -1)
@@ -253,7 +250,7 @@
options->challenge_response_authentication = 1;
if (options->permit_empty_passwd == -1)
options->permit_empty_passwd = 0;
-@@ -338,17 +341,17 @@ typedef enum {
+@@ -335,17 +338,17 @@ typedef enum {
sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
@@ -266,13 +263,13 @@
+ sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, sGssEnableMITM,
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding,
- sZeroKnowledgePasswordAuthentication, sHostCertificate,
+ sHostCertificate,
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
sKexAlgorithms, sIPQoS, sVersionAddendum,
sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
sAuthenticationMethods, sHostKeyAgent,
sDeprecated, sUnsupported
-@@ -405,19 +408,21 @@ static struct {
+@@ -402,19 +405,21 @@ static struct {
{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
#endif
@@ -291,10 +288,10 @@
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
{ "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
- #ifdef JPAKE
- { "zeroknowledgepasswordauthentication", sZeroKnowledgePasswordAuthentication, SSHCFG_ALL },
- #else
-@@ -1093,16 +1098,20 @@ process_server_config_line(ServerOptions
+ { "checkmail", sDeprecated, SSHCFG_GLOBAL },
+ { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
+ { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
+@@ -1085,16 +1090,20 @@ process_server_config_line(ServerOptions
case sGssAuthentication:
intptr = &options->gss_authentication;
goto parse_flag;
@@ -311,13 +308,13 @@
intptr = &options->password_authentication;
goto parse_flag;
- case sZeroKnowledgePasswordAuthentication:
- intptr = &options->zero_knowledge_password_authentication;
+ case sKbdInteractiveAuthentication:
+ intptr = &options->kbd_interactive_authentication;
goto parse_flag;
-diff --git a/openssh-6.5p1/servconf.h b/openssh-6.5p1/servconf.h
---- a/openssh-6.5p1/servconf.h
-+++ b/openssh-6.5p1/servconf.h
+diff --git a/openssh-6.6p1/servconf.h b/openssh-6.6p1/servconf.h
+--- a/openssh-6.6p1/servconf.h
++++ b/openssh-6.6p1/servconf.h
@@ -108,16 +108,17 @@ typedef struct {
* such as SecurID or
* /etc/passwd */
@@ -332,13 +329,13 @@
* authentication. */
int kbd_interactive_authentication; /* If true, permit */
int challenge_response_authentication;
- int zero_knowledge_password_authentication;
- /* If true, permit jpake auth */
int permit_empty_passwd; /* If false, do not permit empty
* passwords. */
-diff --git a/openssh-6.5p1/ssh_config b/openssh-6.5p1/ssh_config
---- a/openssh-6.5p1/ssh_config
-+++ b/openssh-6.5p1/ssh_config
+ int permit_user_env; /* If true, read ~/.ssh/environment */
+ int use_login; /* If true, login(1) is used */
+diff --git a/openssh-6.6p1/ssh_config b/openssh-6.6p1/ssh_config
+--- a/openssh-6.6p1/ssh_config
++++ b/openssh-6.6p1/ssh_config
@@ -51,9 +51,16 @@ ForwardX11Trusted yes
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,umac-64(a)openssh.com,hmac-ripemd160
@@ -356,10 +353,10 @@
+# GSSAPIEnableMITMAttack no
+
# RekeyLimit 1G 1h
-diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
---- a/openssh-6.5p1/sshconnect2.c
-+++ b/openssh-6.5p1/sshconnect2.c
-@@ -324,16 +324,21 @@ static char *authmethods_get(void);
+diff --git a/openssh-6.6p1/sshconnect2.c b/openssh-6.6p1/sshconnect2.c
+--- a/openssh-6.6p1/sshconnect2.c
++++ b/openssh-6.6p1/sshconnect2.c
+@@ -316,16 +316,21 @@ static char *authmethods_get(void);
Authmethod authmethods[] = {
#ifdef GSSAPI
@@ -381,7 +378,7 @@
NULL},
{"publickey",
userauth_pubkey,
-@@ -698,17 +703,19 @@ process_gssapi_token(void *ctxt, gss_buf
+@@ -683,17 +688,19 @@ process_gssapi_token(void *ctxt, gss_buf
packet_put_string(send_tok.value, send_tok.length);
packet_send();
@@ -402,9 +399,9 @@
gssbuf.value = buffer_ptr(&b);
gssbuf.length = buffer_len(&b);
-diff --git a/openssh-6.5p1/sshd_config b/openssh-6.5p1/sshd_config
---- a/openssh-6.5p1/sshd_config
-+++ b/openssh-6.5p1/sshd_config
+diff --git a/openssh-6.6p1/sshd_config b/openssh-6.6p1/sshd_config
+--- a/openssh-6.6p1/sshd_config
++++ b/openssh-6.6p1/sshd_config
@@ -80,16 +80,23 @@ PasswordAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
++++++ openssh-6.5p1-host_ident.patch -> openssh-6.6p1-host_ident.patch ++++++
--- /work/SRC/openSUSE:Factory/openssh/openssh-6.5p1-host_ident.patch 2014-02-15 17:17:37.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.openssh.new/openssh-6.6p1-host_ident.patch 2014-04-17 14:43:47.000000000 +0200
@@ -1,10 +1,10 @@
# identify hashed hosts in known_hosts and suggest command line for their
# removal
-diff --git a/openssh-6.5p1/sshconnect.c b/openssh-6.5p1/sshconnect.c
---- a/openssh-6.5p1/sshconnect.c
-+++ b/openssh-6.5p1/sshconnect.c
-@@ -1067,16 +1067,21 @@ check_host_key(char *hostname, struct so
+diff --git a/openssh-6.6p1/sshconnect.c b/openssh-6.6p1/sshconnect.c
+--- a/openssh-6.6p1/sshconnect.c
++++ b/openssh-6.6p1/sshconnect.c
+@@ -1070,16 +1070,21 @@ check_host_key(char *hostname, struct so
ip_found->file, ip_found->line);
}
/* The host key has changed. */
++++++ openssh-6.5p1-key-converter.patch -> openssh-6.6p1-key-converter.patch ++++++
--- /work/SRC/openSUSE:Factory/openssh/openssh-6.5p1-key-converter.patch 2014-02-15 17:17:37.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.openssh.new/openssh-6.6p1-key-converter.patch 2014-04-17 14:43:47.000000000 +0200
@@ -1,9 +1,9 @@
# SSHv1 to SSHv2 RSA keys converter
-diff --git a/openssh-6.5p1/converter/Makefile b/openssh-6.5p1/converter/Makefile
+diff --git a/openssh-6.6p1/converter/Makefile b/openssh-6.6p1/converter/Makefile
new file mode 100644
--- /dev/null
-+++ b/openssh-6.5p1/converter/Makefile
++++ b/openssh-6.6p1/converter/Makefile
@@ -0,0 +1,17 @@
+
+bindir=/usr/bin
@@ -22,10 +22,10 @@
+ install -m 755 ssh-keyconverter $(DESTDIR)$(bindir)
+ if [ ! -d $(DESTDIR)$(mandir)/man1 ]; then install -d -m 755 $(DESTDIR)$(mandir)/man1; fi
+ install -m 644 ssh-keyconverter.1 $(DESTDIR)$(mandir)/man1
-diff --git a/openssh-6.5p1/converter/ssh-keyconverter.1 b/openssh-6.5p1/converter/ssh-keyconverter.1
+diff --git a/openssh-6.6p1/converter/ssh-keyconverter.1 b/openssh-6.6p1/converter/ssh-keyconverter.1
new file mode 100644
--- /dev/null
-+++ b/openssh-6.5p1/converter/ssh-keyconverter.1
++++ b/openssh-6.6p1/converter/ssh-keyconverter.1
@@ -0,0 +1,155 @@
+.\" Manpage for ssh-keyconverter
+.\"
@@ -182,10 +182,10 @@
+.%D March 2001
+.%O work in progress material
+.Re
-diff --git a/openssh-6.5p1/converter/ssh-keyconverter.c b/openssh-6.5p1/converter/ssh-keyconverter.c
+diff --git a/openssh-6.6p1/converter/ssh-keyconverter.c b/openssh-6.6p1/converter/ssh-keyconverter.c
new file mode 100644
--- /dev/null
-+++ b/openssh-6.5p1/converter/ssh-keyconverter.c
++++ b/openssh-6.6p1/converter/ssh-keyconverter.c
@@ -0,0 +1,345 @@
+/*
+ * SSH v1 to v2 RSA key converter.
++++++ openssh-6.5p1-lastlog.patch -> openssh-6.6p1-lastlog.patch ++++++
--- /work/SRC/openSUSE:Factory/openssh/openssh-6.5p1-lastlog.patch 2014-02-15 17:17:37.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.openssh.new/openssh-6.6p1-lastlog.patch 2014-04-17 14:43:47.000000000 +0200
@@ -1,9 +1,9 @@
# set uid for functions that use it to seek in lastlog and wtmp files
# bnc#18024 (was suse #3024)
-diff --git a/openssh-6.5p1/sshlogin.c b/openssh-6.5p1/sshlogin.c
---- a/openssh-6.5p1/sshlogin.c
-+++ b/openssh-6.5p1/sshlogin.c
+diff --git a/openssh-6.6p1/sshlogin.c b/openssh-6.6p1/sshlogin.c
+--- a/openssh-6.6p1/sshlogin.c
++++ b/openssh-6.6p1/sshlogin.c
@@ -128,16 +128,17 @@ record_login(pid_t pid, const char *tty,
{
struct logininfo *li;
++++++ openssh-6.5p1-ldap.patch -> openssh-6.6p1-ldap.patch ++++++
--- /work/SRC/openSUSE:Factory/openssh/openssh-6.5p1-ldap.patch 2014-02-15 17:17:37.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.openssh.new/openssh-6.6p1-ldap.patch 2014-04-17 14:43:47.000000000 +0200
@@ -8,10 +8,10 @@
# internal versions. ssh-keyconverter consequently fails to link as it lacks
# the proper flags, and libopenbsd-compat doesn't contain the b64_* functions)
-diff --git a/openssh-6.5p1/HOWTO.ldap-keys b/openssh-6.5p1/HOWTO.ldap-keys
+diff --git a/openssh-6.6p1/HOWTO.ldap-keys b/openssh-6.6p1/HOWTO.ldap-keys
new file mode 100644
--- /dev/null
-+++ b/openssh-6.5p1/HOWTO.ldap-keys
++++ b/openssh-6.6p1/HOWTO.ldap-keys
@@ -0,0 +1,108 @@
+
+HOW TO START
@@ -121,9 +121,9 @@
+ - frederic peters.
+ - Finlay dobbie.
+ - Stefan Fisher.
-diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in
---- a/openssh-6.5p1/Makefile.in
-+++ b/openssh-6.5p1/Makefile.in
+diff --git a/openssh-6.6p1/Makefile.in b/openssh-6.6p1/Makefile.in
+--- a/openssh-6.6p1/Makefile.in
++++ b/openssh-6.6p1/Makefile.in
@@ -20,16 +20,18 @@ srcdir=@srcdir@
top_srcdir=@top_srcdir@
@@ -164,7 +164,7 @@
log.o match.o md-sha256.o moduli.o nchan.o packet.o \
readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
-@@ -94,18 +98,18 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
+@@ -96,18 +100,18 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
kexc25519s.o auth-krb5.o \
auth2-gss.o gss-serv.o gss-serv-krb5.o \
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
@@ -185,7 +185,7 @@
PATHSUBS = \
-e 's|/etc/ssh/ssh_config|$(sysconfdir)/ssh_config|g' \
-e 's|/etc/ssh/ssh_known_hosts|$(sysconfdir)/ssh_known_hosts|g' \
-@@ -169,16 +173,19 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libss
+@@ -171,16 +175,19 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libss
$(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
@@ -205,7 +205,7 @@
# test driver for the loginrec code - not built by default
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
-@@ -271,30 +278,38 @@ install-files:
+@@ -273,30 +280,38 @@ install-files:
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-agent$(EXEEXT) $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
@@ -244,7 +244,7 @@
install-sysconf:
if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \
$(srcdir)/mkinstalldirs $(DESTDIR)$(sysconfdir); \
-@@ -314,16 +329,23 @@ install-sysconf:
+@@ -316,16 +331,23 @@ install-sysconf:
echo "moving $(DESTDIR)$(sysconfdir)/primes to $(DESTDIR)$(sysconfdir)/moduli"; \
mv "$(DESTDIR)$(sysconfdir)/primes" "$(DESTDIR)$(sysconfdir)/moduli"; \
else \
@@ -268,7 +268,7 @@
else \
./ssh-keygen -t rsa1 -f $(sysconfdir)/ssh_host_key -N "" ; \
fi ; \
-@@ -377,27 +399,30 @@ uninstall:
+@@ -379,27 +401,30 @@ uninstall:
-rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
-rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
-rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
@@ -299,10 +299,10 @@
ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile
$(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \
$(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
-diff --git a/openssh-6.5p1/configure.ac b/openssh-6.5p1/configure.ac
---- a/openssh-6.5p1/configure.ac
-+++ b/openssh-6.5p1/configure.ac
-@@ -1573,16 +1573,116 @@ AC_ARG_WITH([audit],
+diff --git a/openssh-6.6p1/configure.ac b/openssh-6.6p1/configure.ac
+--- a/openssh-6.6p1/configure.ac
++++ b/openssh-6.6p1/configure.ac
+@@ -1599,16 +1599,116 @@ AC_ARG_WITH([audit],
AC_MSG_RESULT([no])
;;
*)
@@ -419,10 +419,10 @@
if test "x$withval" = "xyes"; then
use_pie=yes
fi
-diff --git a/openssh-6.5p1/ldap-helper.c b/openssh-6.5p1/ldap-helper.c
+diff --git a/openssh-6.6p1/ldap-helper.c b/openssh-6.6p1/ldap-helper.c
new file mode 100644
--- /dev/null
-+++ b/openssh-6.5p1/ldap-helper.c
++++ b/openssh-6.6p1/ldap-helper.c
@@ -0,0 +1,155 @@
+/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@@ -579,10 +579,10 @@
+void *buffer_get_string(Buffer *b, u_int *l) { return NULL; }
+void buffer_put_string(Buffer *b, const void *f, u_int l) {}
+
-diff --git a/openssh-6.5p1/ldap-helper.h b/openssh-6.5p1/ldap-helper.h
+diff --git a/openssh-6.6p1/ldap-helper.h b/openssh-6.6p1/ldap-helper.h
new file mode 100644
--- /dev/null
-+++ b/openssh-6.5p1/ldap-helper.h
++++ b/openssh-6.6p1/ldap-helper.h
@@ -0,0 +1,32 @@
+/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@@ -616,10 +616,10 @@
+extern int config_warning_config_file;
+
+#endif /* LDAP_HELPER_H */
-diff --git a/openssh-6.5p1/ldap.conf b/openssh-6.5p1/ldap.conf
+diff --git a/openssh-6.6p1/ldap.conf b/openssh-6.6p1/ldap.conf
new file mode 100644
--- /dev/null
-+++ b/openssh-6.5p1/ldap.conf
++++ b/openssh-6.6p1/ldap.conf
@@ -0,0 +1,88 @@
+# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
+#
@@ -709,10 +709,10 @@
+#tls_cert
+#tls_key
+
-diff --git a/openssh-6.5p1/ldapbody.c b/openssh-6.5p1/ldapbody.c
+diff --git a/openssh-6.6p1/ldapbody.c b/openssh-6.6p1/ldapbody.c
new file mode 100644
--- /dev/null
-+++ b/openssh-6.5p1/ldapbody.c
++++ b/openssh-6.6p1/ldapbody.c
@@ -0,0 +1,494 @@
+/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@@ -1208,10 +1208,10 @@
+ return;
+}
+
-diff --git a/openssh-6.5p1/ldapbody.h b/openssh-6.5p1/ldapbody.h
+diff --git a/openssh-6.6p1/ldapbody.h b/openssh-6.6p1/ldapbody.h
new file mode 100644
--- /dev/null
-+++ b/openssh-6.5p1/ldapbody.h
++++ b/openssh-6.6p1/ldapbody.h
@@ -0,0 +1,37 @@
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@@ -1250,10 +1250,10 @@
+
+#endif /* LDAPBODY_H */
+
-diff --git a/openssh-6.5p1/ldapconf.c b/openssh-6.5p1/ldapconf.c
+diff --git a/openssh-6.6p1/ldapconf.c b/openssh-6.6p1/ldapconf.c
new file mode 100644
--- /dev/null
-+++ b/openssh-6.5p1/ldapconf.c
++++ b/openssh-6.6p1/ldapconf.c
@@ -0,0 +1,682 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@@ -1937,10 +1937,10 @@
+ dump_cfg_string(lSSH_Filter, options.ssh_filter);
+}
+
-diff --git a/openssh-6.5p1/ldapconf.h b/openssh-6.5p1/ldapconf.h
+diff --git a/openssh-6.6p1/ldapconf.h b/openssh-6.6p1/ldapconf.h
new file mode 100644
--- /dev/null
-+++ b/openssh-6.5p1/ldapconf.h
++++ b/openssh-6.6p1/ldapconf.h
@@ -0,0 +1,71 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@@ -2013,10 +2013,10 @@
+void dump_config(void);
+
+#endif /* LDAPCONF_H */
-diff --git a/openssh-6.5p1/ldapincludes.h b/openssh-6.5p1/ldapincludes.h
+diff --git a/openssh-6.6p1/ldapincludes.h b/openssh-6.6p1/ldapincludes.h
new file mode 100644
--- /dev/null
-+++ b/openssh-6.5p1/ldapincludes.h
++++ b/openssh-6.6p1/ldapincludes.h
@@ -0,0 +1,41 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@@ -2059,10 +2059,10 @@
+#endif
+
+#endif /* LDAPINCLUDES_H */
-diff --git a/openssh-6.5p1/ldapmisc.c b/openssh-6.5p1/ldapmisc.c
+diff --git a/openssh-6.6p1/ldapmisc.c b/openssh-6.6p1/ldapmisc.c
new file mode 100644
--- /dev/null
-+++ b/openssh-6.5p1/ldapmisc.c
++++ b/openssh-6.6p1/ldapmisc.c
@@ -0,0 +1,79 @@
+
+#include "ldapincludes.h"
@@ -2143,10 +2143,10 @@
+}
+#endif
+
-diff --git a/openssh-6.5p1/ldapmisc.h b/openssh-6.5p1/ldapmisc.h
+diff --git a/openssh-6.6p1/ldapmisc.h b/openssh-6.6p1/ldapmisc.h
new file mode 100644
--- /dev/null
-+++ b/openssh-6.5p1/ldapmisc.h
++++ b/openssh-6.6p1/ldapmisc.h
@@ -0,0 +1,35 @@
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@@ -2183,9 +2183,9 @@
+
+#endif /* LDAPMISC_H */
+
-diff --git a/openssh-6.5p1/openbsd-compat/base64.c b/openssh-6.5p1/openbsd-compat/base64.c
---- a/openssh-6.5p1/openbsd-compat/base64.c
-+++ b/openssh-6.5p1/openbsd-compat/base64.c
+diff --git a/openssh-6.6p1/openbsd-compat/base64.c b/openssh-6.6p1/openbsd-compat/base64.c
+--- a/openssh-6.6p1/openbsd-compat/base64.c
++++ b/openssh-6.6p1/openbsd-compat/base64.c
@@ -41,17 +41,17 @@
* OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE, EVEN
* IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES.
@@ -2243,9 +2243,9 @@
*/
int
-diff --git a/openssh-6.5p1/openbsd-compat/base64.h b/openssh-6.5p1/openbsd-compat/base64.h
---- a/openssh-6.5p1/openbsd-compat/base64.h
-+++ b/openssh-6.5p1/openbsd-compat/base64.h
+diff --git a/openssh-6.6p1/openbsd-compat/base64.h b/openssh-6.6p1/openbsd-compat/base64.h
+--- a/openssh-6.6p1/openbsd-compat/base64.h
++++ b/openssh-6.6p1/openbsd-compat/base64.h
@@ -42,24 +42,24 @@
* IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES.
*/
@@ -2275,10 +2275,10 @@
#endif /* HAVE___B64_PTON */
#endif /* _BSD_BASE64_H */
-diff --git a/openssh-6.5p1/openssh-lpk-openldap.schema b/openssh-6.5p1/openssh-lpk-openldap.schema
+diff --git a/openssh-6.6p1/openssh-lpk-openldap.schema b/openssh-6.6p1/openssh-lpk-openldap.schema
new file mode 100644
--- /dev/null
-+++ b/openssh-6.5p1/openssh-lpk-openldap.schema
++++ b/openssh-6.6p1/openssh-lpk-openldap.schema
@@ -0,0 +1,21 @@
+#
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
@@ -2301,10 +2301,10 @@
+ DESC 'MANDATORY: OpenSSH LPK objectclass'
+ MUST ( sshPublicKey $ uid )
+ )
-diff --git a/openssh-6.5p1/openssh-lpk-sun.schema b/openssh-6.5p1/openssh-lpk-sun.schema
+diff --git a/openssh-6.6p1/openssh-lpk-sun.schema b/openssh-6.6p1/openssh-lpk-sun.schema
new file mode 100644
--- /dev/null
-+++ b/openssh-6.5p1/openssh-lpk-sun.schema
++++ b/openssh-6.6p1/openssh-lpk-sun.schema
@@ -0,0 +1,23 @@
+#
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
@@ -2329,10 +2329,10 @@
+ DESC 'MANDATORY: OpenSSH LPK objectclass'
+ MUST ( sshPublicKey $ uid )
+ )
-diff --git a/openssh-6.5p1/ssh-ldap-helper.8 b/openssh-6.5p1/ssh-ldap-helper.8
+diff --git a/openssh-6.6p1/ssh-ldap-helper.8 b/openssh-6.6p1/ssh-ldap-helper.8
new file mode 100644
--- /dev/null
-+++ b/openssh-6.5p1/ssh-ldap-helper.8
++++ b/openssh-6.6p1/ssh-ldap-helper.8
@@ -0,0 +1,79 @@
+.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
+.\"
@@ -2413,19 +2413,19 @@
+OpenSSH 5.5 + PKA-LDAP .
+.Sh AUTHORS
+.An Jan F. Chadima Aq jchadima(a)redhat.com
-diff --git a/openssh-6.5p1/ssh-ldap-wrapper b/openssh-6.5p1/ssh-ldap-wrapper
+diff --git a/openssh-6.6p1/ssh-ldap-wrapper b/openssh-6.6p1/ssh-ldap-wrapper
new file mode 100644
--- /dev/null
-+++ b/openssh-6.5p1/ssh-ldap-wrapper
++++ b/openssh-6.6p1/ssh-ldap-wrapper
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+exec @LIBEXECDIR@/ssh-ldap-helper -s "$1"
+
-diff --git a/openssh-6.5p1/ssh-ldap.conf.5 b/openssh-6.5p1/ssh-ldap.conf.5
+diff --git a/openssh-6.6p1/ssh-ldap.conf.5 b/openssh-6.6p1/ssh-ldap.conf.5
new file mode 100644
--- /dev/null
-+++ b/openssh-6.5p1/ssh-ldap.conf.5
++++ b/openssh-6.6p1/ssh-ldap.conf.5
@@ -0,0 +1,376 @@
+.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
+.\"
++++++ openssh-6.5p1-login_options.patch -> openssh-6.6p1-login_options.patch ++++++
--- /work/SRC/openSUSE:Factory/openssh/openssh-6.5p1-login_options.patch 2014-03-18 16:21:38.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.openssh.new/openssh-6.6p1-login_options.patch 2014-04-17 14:43:48.000000000 +0200
@@ -4,9 +4,9 @@
#
# bnc#833605
-diff --git a/openssh-6.5p1/configure.ac b/openssh-6.5p1/configure.ac
---- a/openssh-6.5p1/configure.ac
-+++ b/openssh-6.5p1/configure.ac
+diff --git a/openssh-6.6p1/configure.ac b/openssh-6.6p1/configure.ac
+--- a/openssh-6.6p1/configure.ac
++++ b/openssh-6.6p1/configure.ac
@@ -719,16 +719,18 @@ main() { if (NSVersionOfRunTimeLibrary("
AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
++++++ openssh-6.5p1-no_fork-no_pid_file.patch -> openssh-6.6p1-no_fork-no_pid_file.patch ++++++
--- /work/SRC/openSUSE:Factory/openssh/openssh-6.5p1-no_fork-no_pid_file.patch 2014-03-18 16:21:38.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.openssh.new/openssh-6.6p1-no_fork-no_pid_file.patch 2014-04-17 14:43:48.000000000 +0200
@@ -1,9 +1,9 @@
# Do not write a PID file when not daemonizing (e.g. when running from systemd)
-diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
---- a/openssh-6.5p1/sshd.c
-+++ b/openssh-6.5p1/sshd.c
-@@ -1985,17 +1985,17 @@ main(int ac, char **av)
+diff --git a/openssh-6.6p1/sshd.c b/openssh-6.6p1/sshd.c
+--- a/openssh-6.6p1/sshd.c
++++ b/openssh-6.6p1/sshd.c
+@@ -1994,17 +1994,17 @@ main(int ac, char **av)
signal(SIGCHLD, main_sigchld_handler);
signal(SIGTERM, sigterm_handler);
signal(SIGQUIT, sigterm_handler);
++++++ openssh-6.5p1-pam-check-locks.patch -> openssh-6.6p1-pam-check-locks.patch ++++++
--- /work/SRC/openSUSE:Factory/openssh/openssh-6.5p1-pam-check-locks.patch 2014-02-15 17:17:37.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.openssh.new/openssh-6.6p1-pam-check-locks.patch 2014-04-17 14:43:48.000000000 +0200
@@ -2,9 +2,9 @@
# UsePAM is used
# bnc#708678, FATE#312033
-diff --git a/openssh-6.5p1/auth.c b/openssh-6.5p1/auth.c
---- a/openssh-6.5p1/auth.c
-+++ b/openssh-6.5p1/auth.c
+diff --git a/openssh-6.6p1/auth.c b/openssh-6.6p1/auth.c
+--- a/openssh-6.6p1/auth.c
++++ b/openssh-6.6p1/auth.c
@@ -103,17 +103,17 @@ allowed_user(struct passwd * pw)
struct spwd *spw = NULL;
#endif
@@ -43,9 +43,9 @@
#endif
#ifdef LOCKED_PASSWD_PREFIX
if (strncmp(passwd, LOCKED_PASSWD_PREFIX,
-diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
---- a/openssh-6.5p1/servconf.c
-+++ b/openssh-6.5p1/servconf.c
+diff --git a/openssh-6.6p1/servconf.c b/openssh-6.6p1/servconf.c
+--- a/openssh-6.6p1/servconf.c
++++ b/openssh-6.6p1/servconf.c
@@ -66,16 +66,17 @@ extern Buffer cfg;
void
@@ -64,7 +64,7 @@
options->address_family = -1;
options->num_host_key_files = 0;
options->num_host_cert_files = 0;
-@@ -158,16 +159,18 @@ initialize_server_options(ServerOptions
+@@ -157,16 +158,18 @@ initialize_server_options(ServerOptions
}
void
@@ -83,7 +83,7 @@
/* fill default hostkeys for protocols */
if (options->protocol & SSH_PROTO_1)
options->host_key_files[options->num_host_key_files++] =
-@@ -320,17 +323,17 @@ fill_default_server_options(ServerOption
+@@ -317,17 +320,17 @@ fill_default_server_options(ServerOption
#endif
}
@@ -102,7 +102,7 @@
sKerberosGetAFSToken,
sKerberosTgtPassing, sChallengeResponseAuthentication,
sPasswordAuthentication, sKbdInteractiveAuthentication,
-@@ -365,18 +368,20 @@ typedef enum {
+@@ -362,18 +365,20 @@ typedef enum {
static struct {
const char *name;
ServerOpCodes opcode;
@@ -123,7 +123,7 @@
{ "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
{ "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
{ "pidfile", sPidFile, SSHCFG_GLOBAL },
-@@ -878,16 +883,19 @@ process_server_config_line(ServerOptions
+@@ -870,16 +875,19 @@ process_server_config_line(ServerOptions
}
}
@@ -143,10 +143,10 @@
/* ignore ports from configfile if cmdline specifies ports */
if (options->ports_from_cmdline)
return 0;
-diff --git a/openssh-6.5p1/servconf.h b/openssh-6.5p1/servconf.h
---- a/openssh-6.5p1/servconf.h
-+++ b/openssh-6.5p1/servconf.h
-@@ -162,16 +162,17 @@ typedef struct {
+diff --git a/openssh-6.6p1/servconf.h b/openssh-6.6p1/servconf.h
+--- a/openssh-6.6p1/servconf.h
++++ b/openssh-6.6p1/servconf.h
+@@ -160,16 +160,17 @@ typedef struct {
*/
u_int num_authkeys_files; /* Files containing public keys */
@@ -164,10 +164,10 @@
char *chroot_directory;
char *revoked_keys_file;
char *trusted_user_ca_keys;
-diff --git a/openssh-6.5p1/sshd_config.0 b/openssh-6.5p1/sshd_config.0
---- a/openssh-6.5p1/sshd_config.0
-+++ b/openssh-6.5p1/sshd_config.0
-@@ -720,16 +720,24 @@ DESCRIPTION
+diff --git a/openssh-6.6p1/sshd_config.0 b/openssh-6.6p1/sshd_config.0
+--- a/openssh-6.6p1/sshd_config.0
++++ b/openssh-6.6p1/sshd_config.0
+@@ -728,16 +728,24 @@ DESCRIPTION
Because PAM challenge-response authentication usually serves an
equivalent role to password authentication, you should disable
@@ -192,10 +192,10 @@
privilege separation is to prevent privilege escalation by
containing any corruption within the unprivileged processes. The
default is ``yes''. If UsePrivilegeSeparation is set to
-diff --git a/openssh-6.5p1/sshd_config.5 b/openssh-6.5p1/sshd_config.5
---- a/openssh-6.5p1/sshd_config.5
-+++ b/openssh-6.5p1/sshd_config.5
-@@ -1199,16 +1199,28 @@ or
+diff --git a/openssh-6.6p1/sshd_config.5 b/openssh-6.6p1/sshd_config.5
+--- a/openssh-6.6p1/sshd_config.5
++++ b/openssh-6.6p1/sshd_config.5
+@@ -1214,16 +1214,28 @@ or
.Pp
If
.Cm UsePAM
++++++ openssh-6.5p1-pam-fix2.patch -> openssh-6.6p1-pam-fix2.patch ++++++
--- /work/SRC/openSUSE:Factory/openssh/openssh-6.5p1-pam-fix2.patch 2014-02-15 17:17:38.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.openssh.new/openssh-6.6p1-pam-fix2.patch 2014-04-17 14:43:48.000000000 +0200
@@ -1,9 +1,9 @@
# force PAM in defaullt install (this was removed from upstream in 3.8p1)
# bnc#46749
-diff --git a/openssh-6.5p1/sshd_config b/openssh-6.5p1/sshd_config
---- a/openssh-6.5p1/sshd_config
-+++ b/openssh-6.5p1/sshd_config
+diff --git a/openssh-6.6p1/sshd_config b/openssh-6.6p1/sshd_config
+--- a/openssh-6.6p1/sshd_config
++++ b/openssh-6.6p1/sshd_config
@@ -64,17 +64,17 @@ AuthorizedKeysFile .ssh/authorized_keys
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
++++++ openssh-6.5p1-pam-fix2.patch -> openssh-6.6p1-pam-fix3.patch ++++++
--- /work/SRC/openSUSE:Factory/openssh/openssh-6.5p1-pam-fix2.patch 2014-02-15 17:17:38.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.openssh.new/openssh-6.6p1-pam-fix3.patch 2014-04-17 14:43:48.000000000 +0200
@@ -1,44 +1,26 @@
-# force PAM in defaullt install (this was removed from upstream in 3.8p1)
-# bnc#46749
+# posix threads are generally not supported nor safe
+# (see upstream log from 2005-05-24)
-diff --git a/openssh-6.5p1/sshd_config b/openssh-6.5p1/sshd_config
---- a/openssh-6.5p1/sshd_config
-+++ b/openssh-6.5p1/sshd_config
-@@ -64,17 +64,17 @@ AuthorizedKeysFile .ssh/authorized_keys
- #HostbasedAuthentication no
- # Change to yes if you don't trust ~/.ssh/known_hosts for
- # RhostsRSAAuthentication and HostbasedAuthentication
- #IgnoreUserKnownHosts no
- # Don't read the user's ~/.rhosts and ~/.shosts files
- #IgnoreRhosts yes
-
- # To disable tunneled clear text passwords, change to no here!
--#PasswordAuthentication yes
-+PasswordAuthentication no
- #PermitEmptyPasswords no
-
- # Change to no to disable s/key passwords
- #ChallengeResponseAuthentication yes
-
- # Kerberos options
- #KerberosAuthentication no
- #KerberosOrLocalPasswd yes
-@@ -89,17 +89,17 @@ AuthorizedKeysFile .ssh/authorized_keys
- # and session processing. If this is enabled, PAM authentication will
- # be allowed through the ChallengeResponseAuthentication and
- # PasswordAuthentication. Depending on your PAM configuration,
- # PAM authentication via ChallengeResponseAuthentication may bypass
- # the setting of "PermitRootLogin without-password".
- # If you just want the PAM account and session checks to run without
- # PAM authentication, then enable this but set PasswordAuthentication
- # and ChallengeResponseAuthentication to 'no'.
--#UsePAM no
-+UsePAM yes
-
- #AllowAgentForwarding yes
- #AllowTcpForwarding yes
- #GatewayPorts no
- X11Forwarding yes
- #X11DisplayOffset 10
- #X11UseLocalhost yes
- #PermitTTY yes
+diff --git a/openssh-6.6p1/auth-pam.c b/openssh-6.6p1/auth-pam.c
+--- a/openssh-6.6p1/auth-pam.c
++++ b/openssh-6.6p1/auth-pam.c
+@@ -781,17 +781,19 @@ sshpam_query(void *ctx, char **name, cha
+ }
+ if (type == PAM_SUCCESS) {
+ if (!sshpam_authctxt->valid ||
+ (sshpam_authctxt->pw->pw_uid == 0 &&
+ options.permit_root_login != PERMIT_YES))
+ fatal("Internal error: PAM auth "
+ "succeeded when it should have "
+ "failed");
++#ifndef UNSUPPORTED_POSIX_THREADS_HACK
+ import_environments(&buffer);
++#endif
+ *num = 0;
+ **echo_on = 0;
+ ctxt->pam_done = 1;
+ free(msg);
+ return (0);
+ }
+ error("PAM: %s for %s%.100s from %.100s", msg,
+ sshpam_authctxt->valid ? "" : "illegal user ",
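Review bot: The `#ifndef UNSUPPORTED_POSIX_THREADS_HACK` guard around `import_environments(&buffer);` in `sshpam_query()` has no comment saying why the environment import is skipped in the threaded build. The patch header only points at "upstream log from 2005-05-24" and carries no bnc# reference, unlike the neighbouring patches. Please add a short comment at the guard stating what goes wrong when the call runs in the thread case, and say whether environment variables set by PAM are then missing from the session. Note also that this new file is diffed against openssh-6.5p1-pam-fix2.patch, so the removed sshd_config lines above are an artifact of the comparison; pam-fix2 is carried forward separately as openssh-6.6p1-pam-fix2.patch.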
++++++ openssh-6.5p1-pts.patch -> openssh-6.6p1-pts.patch ++++++
--- /work/SRC/openSUSE:Factory/openssh/openssh-6.5p1-pts.patch 2014-02-15 17:17:38.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.openssh.new/openssh-6.6p1-pts.patch 2014-04-17 14:43:48.000000000 +0200
@@ -1,9 +1,9 @@
# use same lines naming as utempter (prevents problems with using different
# formats in ?tmp? files)
-diff --git a/openssh-6.5p1/loginrec.c b/openssh-6.5p1/loginrec.c
---- a/openssh-6.5p1/loginrec.c
-+++ b/openssh-6.5p1/loginrec.c
+diff --git a/openssh-6.6p1/loginrec.c b/openssh-6.6p1/loginrec.c
+--- a/openssh-6.6p1/loginrec.c
++++ b/openssh-6.6p1/loginrec.c
@@ -538,17 +538,17 @@ getlast_entry(struct logininfo *li)
/*
* 'line' string utility functions
++++++ openssh-6.5p1-saveargv-fix.patch -> openssh-6.6p1-saveargv-fix.patch ++++++
--- /work/SRC/openSUSE:Factory/openssh/openssh-6.5p1-saveargv-fix.patch 2014-02-15 17:17:38.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.openssh.new/openssh-6.6p1-saveargv-fix.patch 2014-04-17 14:43:48.000000000 +0200
@@ -1,9 +1,9 @@
# related to bnc#49845, upstream bug #529
-diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
---- a/openssh-6.5p1/sshd.c
-+++ b/openssh-6.5p1/sshd.c
-@@ -1399,17 +1399,21 @@ main(int ac, char **av)
+diff --git a/openssh-6.6p1/sshd.c b/openssh-6.6p1/sshd.c
+--- a/openssh-6.6p1/sshd.c
++++ b/openssh-6.6p1/sshd.c
+@@ -1405,17 +1405,21 @@ main(int ac, char **av)
saved_argv = xcalloc(ac + 1, sizeof(*saved_argv));
for (i = 0; i < ac; i++)
saved_argv[i] = xstrdup(av[i]);
++++++ openssh-6.5p1-seccomp_getuid.patch -> openssh-6.6p1-seccomp_getuid.patch ++++++
--- /work/SRC/openSUSE:Factory/openssh/openssh-6.5p1-seccomp_getuid.patch 2014-02-21 19:52:30.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.openssh.new/openssh-6.6p1-seccomp_getuid.patch 2014-04-17 14:43:48.000000000 +0200
@@ -1,11 +1,11 @@
# HG changeset patch
-# Parent d625afd0d51ac51161b25728bc2f227c098fa0fb
+# Parent 47040f4641d43b039f19c8c902b0259729bb88e2
add 'getuid' syscall to list of allowed ones to prevent the sanboxed thread
from being killed by the seccomp filter
-diff --git a/openssh-6.5p1/sandbox-seccomp-filter.c b/openssh-6.5p1/sandbox-seccomp-filter.c
---- a/openssh-6.5p1/sandbox-seccomp-filter.c
-+++ b/openssh-6.5p1/sandbox-seccomp-filter.c
+diff --git a/openssh-6.6p1/sandbox-seccomp-filter.c b/openssh-6.6p1/sandbox-seccomp-filter.c
+--- a/openssh-6.6p1/sandbox-seccomp-filter.c
++++ b/openssh-6.6p1/sandbox-seccomp-filter.c
@@ -85,16 +85,20 @@ static const struct sock_filter preauth_
offsetof(struct seccomp_data, arch)),
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SECCOMP_AUDIT_ARCH, 1, 0),
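Review bot: The patch description says only that `getuid` is added to the allowed list so the sandboxed process is not killed; it does not name the caller that issues `getuid` inside the pre-auth sandbox and it has no bug reference. Every entry added to the seccomp allow-list widens what a compromised pre-auth process may do, so please record which code path needs the syscall, and whether that caller comes from one of the distribution patches, so the entry can be dropped when the caller goes away. "sanboxed" in the description should read "sandboxed". In this refresh only the Parent changeset id and the 6.5p1 to 6.6p1 paths change.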
++++++ openssh-6.5p1-seed-prng.patch -> openssh-6.6p1-seed-prng.patch ++++++
--- /work/SRC/openSUSE:Factory/openssh/openssh-6.5p1-seed-prng.patch 2014-02-15 17:17:38.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.openssh.new/openssh-6.6p1-seed-prng.patch 2014-04-17 14:43:48.000000000 +0200
@@ -1,9 +1,9 @@
# extended support for (re-)seeding the OpenSSL PRNG from /dev/random
# bnc#703221, FATE#312172
-diff --git a/openssh-6.5p1/audit-bsm.c b/openssh-6.5p1/audit-bsm.c
---- a/openssh-6.5p1/audit-bsm.c
-+++ b/openssh-6.5p1/audit-bsm.c
+diff --git a/openssh-6.6p1/audit-bsm.c b/openssh-6.6p1/audit-bsm.c
+--- a/openssh-6.6p1/audit-bsm.c
++++ b/openssh-6.6p1/audit-bsm.c
@@ -504,9 +504,15 @@ audit_destroy_sensitive_data(const char
/* not implemented */
}
@@ -20,9 +20,9 @@
+ /* not implemented */
+}
#endif /* BSM */
-diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c
---- a/openssh-6.5p1/audit-linux.c
-+++ b/openssh-6.5p1/audit-linux.c
+diff --git a/openssh-6.6p1/audit-linux.c b/openssh-6.6p1/audit-linux.c
+--- a/openssh-6.6p1/audit-linux.c
++++ b/openssh-6.6p1/audit-linux.c
@@ -398,9 +398,31 @@ audit_generate_ephemeral_server_key(cons
}
audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_KEY_USER,
@@ -55,9 +55,9 @@
+ error("cannot write into audit");
+}
#endif /* USE_LINUX_AUDIT */
-diff --git a/openssh-6.5p1/audit.c b/openssh-6.5p1/audit.c
---- a/openssh-6.5p1/audit.c
-+++ b/openssh-6.5p1/audit.c
+diff --git a/openssh-6.6p1/audit.c b/openssh-6.6p1/audit.c
+--- a/openssh-6.6p1/audit.c
++++ b/openssh-6.6p1/audit.c
@@ -304,10 +304,16 @@ audit_destroy_sensitive_data(const char
/*
* This will be called on generation of the ephemeral server key
@@ -75,9 +75,9 @@
+}
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */
-diff --git a/openssh-6.5p1/audit.h b/openssh-6.5p1/audit.h
---- a/openssh-6.5p1/audit.h
-+++ b/openssh-6.5p1/audit.h
+diff --git a/openssh-6.6p1/audit.h b/openssh-6.6p1/audit.h
+--- a/openssh-6.6p1/audit.h
++++ b/openssh-6.6p1/audit.h
@@ -63,10 +63,11 @@ void audit_key(int, int *, const Key *);
void audit_unsupported(int);
void audit_kex(int, char *, char *, char *);
@@ -90,9 +90,9 @@
+void audit_linux_prng_seed(long, const char *);
#endif /* _SSH_AUDIT_H */
-diff --git a/openssh-6.5p1/entropy.c b/openssh-6.5p1/entropy.c
---- a/openssh-6.5p1/entropy.c
-+++ b/openssh-6.5p1/entropy.c
+diff --git a/openssh-6.6p1/entropy.c b/openssh-6.6p1/entropy.c
+--- a/openssh-6.6p1/entropy.c
++++ b/openssh-6.6p1/entropy.c
@@ -45,16 +45,17 @@
#include "ssh.h"
@@ -126,15 +126,15 @@
if (RAND_status() != 1)
fatal("PRNG is not seeded");
}
-diff --git a/openssh-6.5p1/openbsd-compat/Makefile.in b/openssh-6.5p1/openbsd-compat/Makefile.in
---- a/openssh-6.5p1/openbsd-compat/Makefile.in
-+++ b/openssh-6.5p1/openbsd-compat/Makefile.in
+diff --git a/openssh-6.6p1/openbsd-compat/Makefile.in b/openssh-6.6p1/openbsd-compat/Makefile.in
+--- a/openssh-6.6p1/openbsd-compat/Makefile.in
++++ b/openssh-6.6p1/openbsd-compat/Makefile.in
@@ -15,17 +15,17 @@ AR=@AR@
RANLIB=@RANLIB@
INSTALL=@INSTALL@
LDFLAGS=-L. @LDFLAGS@
- OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o blowfish.o bcrypt_pbkdf.o
+ OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o blowfish.o bcrypt_pbkdf.o explicit_bzero.o
COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
@@ -148,10 +148,10 @@
$(COMPAT): ../config.h
$(OPENBSD): ../config.h
-diff --git a/openssh-6.5p1/openbsd-compat/port-linux-prng.c b/openssh-6.5p1/openbsd-compat/port-linux-prng.c
+diff --git a/openssh-6.6p1/openbsd-compat/port-linux-prng.c b/openssh-6.6p1/openbsd-compat/port-linux-prng.c
new file mode 100644
--- /dev/null
-+++ b/openssh-6.5p1/openbsd-compat/port-linux-prng.c
++++ b/openssh-6.6p1/openbsd-compat/port-linux-prng.c
@@ -0,0 +1,79 @@
+/*
+ * Copyright (c) 2011 Jan F. Chadima <jchadima(a)redhat.com>
@@ -232,9 +232,9 @@
+ fatal ("EOF reading %s", random);
+ }
+}
-diff --git a/openssh-6.5p1/openbsd-compat/port-linux.h b/openssh-6.5p1/openbsd-compat/port-linux.h
---- a/openssh-6.5p1/openbsd-compat/port-linux.h
-+++ b/openssh-6.5p1/openbsd-compat/port-linux.h
+diff --git a/openssh-6.6p1/openbsd-compat/port-linux.h b/openssh-6.6p1/openbsd-compat/port-linux.h
+--- a/openssh-6.6p1/openbsd-compat/port-linux.h
++++ b/openssh-6.6p1/openbsd-compat/port-linux.h
@@ -14,16 +14,20 @@
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
@@ -256,9 +256,9 @@
void ssh_selinux_setfscreatecon(const char *);
#endif
-diff --git a/openssh-6.5p1/ssh-add.1 b/openssh-6.5p1/ssh-add.1
---- a/openssh-6.5p1/ssh-add.1
-+++ b/openssh-6.5p1/ssh-add.1
+diff --git a/openssh-6.6p1/ssh-add.1 b/openssh-6.6p1/ssh-add.1
+--- a/openssh-6.6p1/ssh-add.1
++++ b/openssh-6.6p1/ssh-add.1
@@ -156,16 +156,30 @@ or related script.
(Note that on some machines it
may be necessary to redirect the input from
@@ -290,9 +290,9 @@
.It Pa ~/.ssh/id_dsa
Contains the protocol version 2 DSA authentication identity of the user.
.It Pa ~/.ssh/id_ecdsa
-diff --git a/openssh-6.5p1/ssh-agent.1 b/openssh-6.5p1/ssh-agent.1
---- a/openssh-6.5p1/ssh-agent.1
-+++ b/openssh-6.5p1/ssh-agent.1
+diff --git a/openssh-6.6p1/ssh-agent.1 b/openssh-6.6p1/ssh-agent.1
+--- a/openssh-6.6p1/ssh-agent.1
++++ b/openssh-6.6p1/ssh-agent.1
@@ -196,16 +196,33 @@ Contains the protocol version 2 ED25519
.It Pa ~/.ssh/id_rsa
Contains the protocol version 2 RSA authentication identity of the user.
@@ -327,9 +327,9 @@
.Sh AUTHORS
OpenSSH is a derivative of the original and free
ssh 1.2.12 release by Tatu Ylonen.
-diff --git a/openssh-6.5p1/ssh-keygen.1 b/openssh-6.5p1/ssh-keygen.1
---- a/openssh-6.5p1/ssh-keygen.1
-+++ b/openssh-6.5p1/ssh-keygen.1
+diff --git a/openssh-6.6p1/ssh-keygen.1 b/openssh-6.6p1/ssh-keygen.1
+--- a/openssh-6.6p1/ssh-keygen.1
++++ b/openssh-6.6p1/ssh-keygen.1
@@ -827,16 +827,33 @@ on all machines
where the user wishes to log in using public key authentication.
There is no need to keep the contents of this file secret.
@@ -364,9 +364,9 @@
.Xr sshd 8
.Rs
.%R RFC 4716
-diff --git a/openssh-6.5p1/ssh-keysign.8 b/openssh-6.5p1/ssh-keysign.8
---- a/openssh-6.5p1/ssh-keysign.8
-+++ b/openssh-6.5p1/ssh-keysign.8
+diff --git a/openssh-6.6p1/ssh-keysign.8 b/openssh-6.6p1/ssh-keysign.8
+--- a/openssh-6.6p1/ssh-keysign.8
++++ b/openssh-6.6p1/ssh-keysign.8
@@ -75,16 +75,33 @@ must be set-uid root if host-based authe
.Pp
.It Pa /etc/ssh/ssh_host_dsa_key-cert.pub
@@ -401,9 +401,9 @@
.Sh HISTORY
.Nm
first appeared in
-diff --git a/openssh-6.5p1/ssh.1 b/openssh-6.5p1/ssh.1
---- a/openssh-6.5p1/ssh.1
-+++ b/openssh-6.5p1/ssh.1
+diff --git a/openssh-6.6p1/ssh.1 b/openssh-6.6p1/ssh.1
+--- a/openssh-6.6p1/ssh.1
++++ b/openssh-6.6p1/ssh.1
@@ -1304,16 +1304,30 @@ reads
and adds lines of the format
.Dq VARNAME=value
@@ -435,9 +435,9 @@
world-readable if the user's home directory is on an NFS partition,
because
.Xr sshd 8
-diff --git a/openssh-6.5p1/sshd.8 b/openssh-6.5p1/sshd.8
---- a/openssh-6.5p1/sshd.8
-+++ b/openssh-6.5p1/sshd.8
+diff --git a/openssh-6.6p1/sshd.8 b/openssh-6.6p1/sshd.8
+--- a/openssh-6.6p1/sshd.8
++++ b/openssh-6.6p1/sshd.8
@@ -946,16 +946,33 @@ and not group or world-writable.
.It Pa /var/run/sshd.pid
Contains the process ID of the
@@ -472,9 +472,9 @@
.Xr ssh-agent 1 ,
.Xr ssh-keygen 1 ,
.Xr ssh-keyscan 1 ,
-diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
---- a/openssh-6.5p1/sshd.c
-+++ b/openssh-6.5p1/sshd.c
+diff --git a/openssh-6.6p1/sshd.c b/openssh-6.6p1/sshd.c
+--- a/openssh-6.6p1/sshd.c
++++ b/openssh-6.6p1/sshd.c
@@ -50,16 +50,18 @@
#ifdef HAVE_SYS_STAT_H
# include <sys/stat.h>
@@ -494,7 +494,7 @@
#ifdef HAVE_PATHS_H
#include <paths.h>
#endif
-@@ -215,16 +217,23 @@ struct {
+@@ -218,16 +220,23 @@ struct {
Key **host_pubkeys; /* all public host keys */
Key **host_certificates; /* all public host certificates */
int have_ssh1_key;
@@ -518,7 +518,7 @@
/* This is set to true when a signal is received. */
static volatile sig_atomic_t received_sighup = 0;
static volatile sig_atomic_t received_sigterm = 0;
-@@ -1313,16 +1322,21 @@ server_accept_loop(int *sock_in, int *so
+@@ -1322,16 +1331,21 @@ server_accept_loop(int *sock_in, int *so
for (j = 0; j < options.max_startups; j++)
if (startup_pipes[j] == -1) {
startup_pipes[j] = startup_p[0];
++++++ openssh-6.5p1-send_locale.patch -> openssh-6.6p1-send_locale.patch ++++++
--- /work/SRC/openSUSE:Factory/openssh/openssh-6.5p1-send_locale.patch 2014-02-15 17:17:38.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.openssh.new/openssh-6.6p1-send_locale.patch 2014-04-17 14:43:48.000000000 +0200
@@ -1,9 +1,9 @@
# send locales in default configuration
# bnc#65747
-diff --git a/openssh-6.5p1/ssh_config b/openssh-6.5p1/ssh_config
---- a/openssh-6.5p1/ssh_config
-+++ b/openssh-6.5p1/ssh_config
+diff --git a/openssh-6.6p1/ssh_config b/openssh-6.6p1/ssh_config
+--- a/openssh-6.6p1/ssh_config
++++ b/openssh-6.6p1/ssh_config
@@ -58,9 +58,14 @@ ForwardX11Trusted yes
# ProxyCommand ssh -q -W %h:%p gateway.example.com
@@ -19,9 +19,9 @@
+SendEnv LC_IDENTIFICATION LC_ALL
+
# RekeyLimit 1G 1h
-diff --git a/openssh-6.5p1/sshd_config b/openssh-6.5p1/sshd_config
---- a/openssh-6.5p1/sshd_config
-+++ b/openssh-6.5p1/sshd_config
+diff --git a/openssh-6.6p1/sshd_config b/openssh-6.6p1/sshd_config
+--- a/openssh-6.6p1/sshd_config
++++ b/openssh-6.6p1/sshd_config
@@ -127,14 +127,19 @@ UsePrivilegeSeparation sandbox # Defaul
#VersionAddendum none
++++++ openssh-6.5p1-sftp_force_permissions.patch -> openssh-6.6p1-sftp_force_permissions.patch ++++++
--- /work/SRC/openSUSE:Factory/openssh/openssh-6.5p1-sftp_force_permissions.patch 2014-02-15 17:17:38.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.openssh.new/openssh-6.6p1-sftp_force_permissions.patch 2014-04-17 14:43:48.000000000 +0200
@@ -3,9 +3,9 @@
# http://lists.mindrot.org/pipermail/openssh-unix-dev/2010-November/029044.ht…
# http://marc.info/?l=openssh-unix-dev&m=128896838930893
-diff --git a/openssh-6.5p1/sftp-server.8 b/openssh-6.5p1/sftp-server.8
---- a/openssh-6.5p1/sftp-server.8
-+++ b/openssh-6.5p1/sftp-server.8
+diff --git a/openssh-6.6p1/sftp-server.8 b/openssh-6.6p1/sftp-server.8
+--- a/openssh-6.6p1/sftp-server.8
++++ b/openssh-6.6p1/sftp-server.8
@@ -33,16 +33,17 @@
.Bk -words
.Op Fl ehR
@@ -45,9 +45,9 @@
.Pa /dev/log .
Use of
.Nm
-diff --git a/openssh-6.5p1/sftp-server.c b/openssh-6.5p1/sftp-server.c
---- a/openssh-6.5p1/sftp-server.c
-+++ b/openssh-6.5p1/sftp-server.c
+diff --git a/openssh-6.6p1/sftp-server.c b/openssh-6.6p1/sftp-server.c
+--- a/openssh-6.6p1/sftp-server.c
++++ b/openssh-6.6p1/sftp-server.c
@@ -75,16 +75,20 @@ static u_int version;
static int init_done;
++++++ openssh-6.5p1-sftp_homechroot.patch -> openssh-6.6p1-sftp_homechroot.patch ++++++
--- /work/SRC/openSUSE:Factory/openssh/openssh-6.5p1-sftp_homechroot.patch 2014-02-15 17:17:38.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.openssh.new/openssh-6.6p1-sftp_homechroot.patch 2014-04-17 14:43:48.000000000 +0200
@@ -1,8 +1,8 @@
# run sftp sessions inside a chroot
-diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
---- a/openssh-6.5p1/session.c
-+++ b/openssh-6.5p1/session.c
+diff --git a/openssh-6.6p1/session.c b/openssh-6.6p1/session.c
+--- a/openssh-6.6p1/session.c
++++ b/openssh-6.6p1/session.c
@@ -120,16 +120,18 @@ int do_exec(Session *, const char *);
void do_login(Session *, const char *);
#ifdef LOGIN_NEEDS_UTMPX
@@ -44,7 +44,7 @@
verbose("Starting session: %s%s%s for %s from %.200s port %d",
session_type,
-@@ -1458,67 +1465,132 @@ do_nologin(struct passwd *pw)
+@@ -1463,67 +1470,132 @@ do_nologin(struct passwd *pw)
while (fgets(buf, sizeof(buf), f))
fputs(buf, stderr);
fclose(f);
@@ -153,10 +153,11 @@
if (!S_ISDIR(st.st_mode))
fatal("chroot path %s\"%s\" is not a directory",
cp == NULL ? "" : "component ", component);
+-
+ }
+ setenv ("TZ", "/etc/localtime", 0);
+ tzset();
-
++
+ if (st.st_uid) {
+ test_nosuid(path, st.st_dev);
+ ++chroot_no_tree;
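Review bot: In the `if (st.st_uid)` branch a chroot path that is not owned by uid 0 is handed to `test_nosuid(path, st.st_dev)` and counted in `chroot_no_tree`; the not-a-directory case just above ends in `fatal()`, but nothing here says under which conditions a path with a non-root owner is accepted. A chroot the user owns lets that user place files inside it, so please add a comment at this branch stating the invariant it relies on and what `chroot_no_tree` changes later in the session setup. `setenv ("TZ", "/etc/localtime", 0)` also ignores its return value and has no comment on why TZ is set at this point. The refresh itself only moves a blank line in this region.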
@@ -179,10 +180,10 @@
do_setusercontext(struct passwd *pw)
{
char *chroot_path, *tmp;
-diff --git a/openssh-6.5p1/sftp-chrootenv.h b/openssh-6.5p1/sftp-chrootenv.h
+diff --git a/openssh-6.6p1/sftp-chrootenv.h b/openssh-6.6p1/sftp-chrootenv.h
new file mode 100644
--- /dev/null
-+++ b/openssh-6.5p1/sftp-chrootenv.h
++++ b/openssh-6.6p1/sftp-chrootenv.h
@@ -0,0 +1,30 @@
+/*
+ * Copyright (c) 2009 Jan F Chadima. All rights reserved.
@@ -214,9 +215,9 @@
+
+#endif
+
-diff --git a/openssh-6.5p1/sftp-common.c b/openssh-6.5p1/sftp-common.c
---- a/openssh-6.5p1/sftp-common.c
-+++ b/openssh-6.5p1/sftp-common.c
+diff --git a/openssh-6.6p1/sftp-common.c b/openssh-6.6p1/sftp-common.c
+--- a/openssh-6.6p1/sftp-common.c
++++ b/openssh-6.6p1/sftp-common.c
@@ -42,16 +42,17 @@
#endif
@@ -261,9 +262,9 @@
if (ltime != NULL) {
now = time(NULL);
if (now - (365*24*60*60)/2 < st->st_mtime &&
-diff --git a/openssh-6.5p1/sftp-server-main.c b/openssh-6.5p1/sftp-server-main.c
---- a/openssh-6.5p1/sftp-server-main.c
-+++ b/openssh-6.5p1/sftp-server-main.c
+diff --git a/openssh-6.6p1/sftp-server-main.c b/openssh-6.6p1/sftp-server-main.c
+--- a/openssh-6.6p1/sftp-server-main.c
++++ b/openssh-6.6p1/sftp-server-main.c
@@ -17,21 +17,24 @@
#include "includes.h"
@@ -289,9 +290,9 @@
int
main(int argc, char **argv)
-diff --git a/openssh-6.5p1/sftp.c b/openssh-6.5p1/sftp.c
---- a/openssh-6.5p1/sftp.c
-+++ b/openssh-6.5p1/sftp.c
+diff --git a/openssh-6.6p1/sftp.c b/openssh-6.6p1/sftp.c
+--- a/openssh-6.6p1/sftp.c
++++ b/openssh-6.6p1/sftp.c
@@ -109,16 +109,18 @@ struct complete_ctx {
char **remote_pathp;
};
@@ -311,9 +312,9 @@
#define LS_SHORT_VIEW 0x0002 /* Single row view ala ls -1 */
#define LS_NUMERIC_VIEW 0x0004 /* Long view with numeric uid/gid */
#define LS_NAME_SORT 0x0008 /* Sort by name (default) */
-diff --git a/openssh-6.5p1/sshd_config.0 b/openssh-6.5p1/sshd_config.0
---- a/openssh-6.5p1/sshd_config.0
-+++ b/openssh-6.5p1/sshd_config.0
+diff --git a/openssh-6.6p1/sshd_config.0 b/openssh-6.6p1/sshd_config.0
+--- a/openssh-6.6p1/sshd_config.0
++++ b/openssh-6.6p1/sshd_config.0
@@ -189,16 +189,24 @@ DESCRIPTION
session this requires at least a shell, typically sh(1), and
basic /dev nodes such as null(4), zero(4), stdin(4), stdout(4),
@@ -339,9 +340,9 @@
``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'',
``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'',
-diff --git a/openssh-6.5p1/sshd_config.5 b/openssh-6.5p1/sshd_config.5
---- a/openssh-6.5p1/sshd_config.5
-+++ b/openssh-6.5p1/sshd_config.5
+diff --git a/openssh-6.6p1/sshd_config.5 b/openssh-6.6p1/sshd_config.5
+--- a/openssh-6.6p1/sshd_config.5
++++ b/openssh-6.6p1/sshd_config.5
@@ -324,16 +324,27 @@ For file transfer sessions using
no additional configuration of the environment is necessary if the
in-process sftp server is used,
++++++ openssh-6.5p1-xauth.patch -> openssh-6.6p1-xauth.patch ++++++
--- /work/SRC/openSUSE:Factory/openssh/openssh-6.5p1-xauth.patch 2014-02-15 17:17:38.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.openssh.new/openssh-6.6p1-xauth.patch 2014-04-17 14:43:48.000000000 +0200
@@ -1,10 +1,10 @@
# try to remove xauth cookies on logout
# bnc#98815
-diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
---- a/openssh-6.5p1/session.c
-+++ b/openssh-6.5p1/session.c
-@@ -2505,18 +2505,50 @@ session_exit_message(Session *s, int sta
+diff --git a/openssh-6.6p1/session.c b/openssh-6.6p1/session.c
+--- a/openssh-6.6p1/session.c
++++ b/openssh-6.6p1/session.c
+@@ -2510,18 +2510,50 @@ session_exit_message(Session *s, int sta
if (c->ostate != CHAN_OUTPUT_CLOSED)
chan_write_failed(c);
}
++++++ openssh-6.5p1-xauthlocalhostname.patch -> openssh-6.6p1-xauthlocalhostname.patch ++++++
--- /work/SRC/openSUSE:Factory/openssh/openssh-6.5p1-xauthlocalhostname.patch 2014-02-15 17:17:38.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.openssh.new/openssh-6.6p1-xauthlocalhostname.patch 2014-04-17 14:43:48.000000000 +0200
@@ -1,10 +1,10 @@
# handle hostname changes when forwarding X
# bnc#98627
-diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
---- a/openssh-6.5p1/session.c
-+++ b/openssh-6.5p1/session.c
-@@ -1141,17 +1141,17 @@ copy_environment(char **source, char ***
+diff --git a/openssh-6.6p1/session.c b/openssh-6.6p1/session.c
+--- a/openssh-6.6p1/session.c
++++ b/openssh-6.6p1/session.c
+@@ -1146,17 +1146,17 @@ copy_environment(char **source, char ***
debug3("Copy environment: %s=%s", var_name, var_val);
child_set_env(env, envsize, var_name, var_val);
@@ -23,7 +23,7 @@
#if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
char *path = NULL;
#endif
-@@ -1328,25 +1328,27 @@ do_setup_env(Session *s, const char *she
+@@ -1333,25 +1333,27 @@ do_setup_env(Session *s, const char *she
read_environment_file(&env, &envsize, buf);
}
if (debug_flag) {
@@ -52,7 +52,7 @@
do_xauth =
s->display != NULL && s->auth_proto != NULL && s->auth_data != NULL;
-@@ -1390,22 +1392,30 @@ do_rc_files(Session *s, const char *shel
+@@ -1395,22 +1397,30 @@ do_rc_files(Session *s, const char *shel
"%.500s add %.100s %.100s %.100s\n",
options.xauth_location, s->auth_display,
s->auth_proto, s->auth_data);
@@ -83,7 +83,7 @@
}
static void
-@@ -1659,16 +1669,17 @@ child_close_fds(void)
+@@ -1664,16 +1674,17 @@ child_close_fds(void)
* ids, and executing the command or shell.
*/
#define ARGV_MAX 10
@@ -101,7 +101,7 @@
/* remove hostkey from the child's memory */
destroy_sensitive_data();
-@@ -1725,17 +1736,17 @@ do_child(Session *s, const char *command
+@@ -1730,17 +1741,17 @@ do_child(Session *s, const char *command
* legal, and means /bin/sh.
*/
shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell;
@@ -120,7 +120,7 @@
/* we have to stash the hostname before we close our socket. */
if (options.use_login)
hostname = get_remote_name_or_ip(utmp_len,
-@@ -1794,17 +1805,17 @@ do_child(Session *s, const char *command
+@@ -1799,17 +1810,17 @@ do_child(Session *s, const char *command
strerror(errno));
if (r)
exit(1);
++++++ openssh-6.5p1.tar.gz -> openssh-6.6p1.tar.gz ++++++
++++ 7786 lines of diff (skipped)
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse-commit+help(a)opensuse.org
Hello community,
here is the log from the commit of package v4l-utils for openSUSE:Factory checked in at 2014-04-17 14:43:40
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/v4l-utils (Old)
and /work/SRC/openSUSE:Factory/.v4l-utils.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "v4l-utils"
Changes:
--------
--- /work/SRC/openSUSE:Factory/v4l-utils/v4l-utils.changes 2013-03-22 12:09:36.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.v4l-utils.new/v4l-utils.changes 2014-04-17 14:43:42.000000000 +0200
@@ -1,0 +2,6 @@
+Thu Jan 2 10:02:04 UTC 2014 - dmueller(a)suse.com
+
+- fix compiled-in paths by specifying PREFIX and LIBDIR correctly
+ during build
+
+-------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ v4l-utils.spec ++++++
--- /var/tmp/diff_new_pack.T2OdXu/_old 2014-04-17 14:43:43.000000000 +0200
+++ /var/tmp/diff_new_pack.T2OdXu/_new 2014-04-17 14:43:43.000000000 +0200
@@ -1,7 +1,7 @@
#
# spec file for package v4l-utils
#
-# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -146,7 +146,7 @@
%patch2 -p1
%build
-make CFLAGS="%{optflags} -fno-strict-aliasing" CXXFLAGS="%{optflags}" %{?_smp_mflags}
+make PREFIX=%{_prefix} LIBDIR=%{_libdir} CFLAGS="%{optflags} -fno-strict-aliasing" CXXFLAGS="%{optflags}" %{?_smp_mflags}
%install
make install PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} UDEVRULESDIR=%{_udevrulesdir}
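Review bot: The build line now passes `PREFIX=%{_prefix} LIBDIR=%{_libdir}`, but `UDEVRULESDIR=%{_udevrulesdir}` is still given only to `make install`; if any built file embeds that path, the same build/install mismatch this change fixes remains for it. Consider passing the identical set of path variables to both `make` invocations, for example through a single spec macro, so the two cannot drift apart again.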
Hello community,
here is the log from the commit of package wicked for openSUSE:Factory checked in at 2014-04-17 14:43:38
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/wicked (Old)
and /work/SRC/openSUSE:Factory/.wicked.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "wicked"
Changes:
--------
--- /work/SRC/openSUSE:Factory/wicked/wicked.changes 2014-04-01 11:34:14.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.wicked.new/wicked.changes 2014-04-17 14:43:39.000000000 +0200
@@ -1,0 +2,11 @@
+Mon Apr 14 17:28:11 UTC 2014 - mt(a)suse.de
+
+- version 0.5.19
+- server/nanny: do not fail on missed dbus objects or object
+ creation errors due to already deleted interfaces in the
+ kernel while processing the event (bnc#867806,bnc#871388)
+- netlink: verify if device still exists on newlink events
+- nanny: fixed endless loop on policies without name and user
+ control default, added device mach with identify capabilities
+
+-------------------------------------------------------------------
Old:
----
wicked-0.5.18.tar.bz2
New:
----
wicked-0.5.19.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ wicked.spec ++++++
--- /var/tmp/diff_new_pack.Eu3RTs/_old 2014-04-17 14:43:39.000000000 +0200
+++ /var/tmp/diff_new_pack.Eu3RTs/_new 2014-04-17 14:43:39.000000000 +0200
@@ -18,7 +18,7 @@
%define release_prefix %{?snapshot:%{snapshot}}%{!?snapshot:0}
Name: wicked
-Version: 0.5.18
+Version: 0.5.19
Release: %{release_prefix}.0.0
Summary: Network configuration infrastructure
License: GPL-2.0
++++++ wicked-0.5.18.tar.bz2 -> wicked-0.5.19.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/wicked-0.5.18/ChangeLog.git new/wicked-0.5.19/ChangeLog.git
--- old/wicked-0.5.18/ChangeLog.git 2014-03-28 19:43:42.000000000 +0100
+++ new/wicked-0.5.19/ChangeLog.git 2014-04-14 19:27:29.000000000 +0200
@@ -1,3 +1,78 @@
+commit d9aef8cdd30ae9b0632fca787fef9a954564d4a3
+Author: Marius Tomaschewski <mt(a)suse.de>
+Date: Mon Apr 14 19:22:39 2014 +0200
+
+ version 0.5.19
+
+commit ecd2a2e6dfb939f45904ce48d3f590a3d60dd619
+Author: Marius Tomaschewski <mt(a)suse.de>
+Date: Thu Apr 10 21:49:17 2014 +0200
+
+ fsm: release device references on free
+
+commit 0ce76c25d233dcd4227e38e73ba9a915f2bc4e42
+Author: Marius Tomaschewski <mt(a)suse.de>
+Date: Thu Apr 10 21:45:33 2014 +0200
+
+ netlink: verify if device exists on newlink events
+
+commit 58506b5be46a55a4a32a0afe32b5211256aaee91
+Author: Marius Tomaschewski <mt(a)suse.de>
+Date: Thu Apr 10 21:41:10 2014 +0200
+
+ client: adjusted ifstatus output indenting
+
+commit 609127c5456b7111b0d534a7d983a81374d82729
+Author: Marius Tomaschewski <mt(a)suse.de>
+Date: Thu Apr 10 21:20:02 2014 +0200
+
+ nanny: do not fail on events for deleted devices
+
+commit 8b139182a7f83f4d0b4fe1a05735a299c439b825
+Author: Marius Tomaschewski <mt(a)suse.de>
+Date: Thu Apr 10 21:09:31 2014 +0200
+
+ server: do not fail on missed dbus objects
+
+ The events may arrive for non-existing devices when they
+ get deleted [in the kernel] while we're processing them.
+
+commit 5dac78d666a7b6849c9bcd480a250849542a464f
+Author: Marius Tomaschewski <mt(a)suse.de>
+Date: Thu Apr 10 20:58:09 2014 +0200
+
+ dbus: do not fail on dbus object creation failures
+
+commit 87140f2b05b890861c7d57264ef5becbcd32bb55
+Author: Marius Tomaschewski <mt(a)suse.de>
+Date: Thu Apr 10 20:35:12 2014 +0200
+
+ fsm: do not fail completely in ni_fsm_refresh_state
+
+commit c61f3e55284efb95ed2537dff686eab1418e89dd
+Author: Marius Tomaschewski <mt(a)suse.de>
+Date: Wed Apr 9 11:55:25 2014 +0200
+
+ nanny: do not register device when object disapears
+
+commit 1b3f254deee181125bd06352f8482ba90462633f
+Author: Marius Tomaschewski <mt(a)suse.de>
+Date: Wed Apr 2 12:00:49 2014 +0200
+
+ nanny: added initial device name,alias,ifindex match
+
+commit 75e56c6da0e9759ad05f6f696bafb230387a32d7
+Author: Marius Tomaschewski <mt(a)suse.de>
+Date: Wed Apr 2 11:53:28 2014 +0200
+
+ nanny: user control off by default, show it correctly
+
+commit 743cac740e30caa774065a513cee09a63babc8ea
+Author: Marius Tomaschewski <mt(a)suse.de>
+Date: Wed Apr 2 11:52:04 2014 +0200
+
+ nanny: fixed endless loop on policies without name
+
commit 058f194c521e5525e9fb793d264916cc72126811
Author: Marius Tomaschewski <mt(a)suse.de>
Date: Fri Mar 28 19:41:59 2014 +0100
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/wicked-0.5.18/VERSION new/wicked-0.5.19/VERSION
--- old/wicked-0.5.18/VERSION 2014-03-28 19:42:17.000000000 +0100
+++ new/wicked-0.5.19/VERSION 2014-04-14 19:23:16.000000000 +0200
@@ -1 +1 @@
-0.5.18
+0.5.19
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/wicked-0.5.18/client/ifcheck.c new/wicked-0.5.19/client/ifcheck.c
--- old/wicked-0.5.18/client/ifcheck.c 2014-03-28 12:39:58.000000000 +0100
+++ new/wicked-0.5.19/client/ifcheck.c 2014-04-14 19:21:31.000000000 +0200
@@ -325,11 +325,17 @@
}
if (!ni_fsm_create_client(fsm)) {
+ /* Severe error we always explicitly return */
+ status = NI_WICKED_RC_ERROR;
+ goto cleanup;
+ }
+
+ if (!ni_fsm_refresh_state(fsm)) {
+ /* Severe error we always explicitly return */
status = NI_WICKED_RC_ERROR;
goto cleanup;
}
- ni_fsm_refresh_state(fsm);
status = NI_WICKED_ST_OK;
if (0 == checks.count)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/wicked-0.5.18/client/ifdown.c new/wicked-0.5.19/client/ifdown.c
--- old/wicked-0.5.18/client/ifdown.c 2014-02-25 14:03:37.000000000 +0100
+++ new/wicked-0.5.19/client/ifdown.c 2014-04-14 19:21:31.000000000 +0200
@@ -151,11 +151,15 @@
ifmarker.target_range.min = NI_FSM_STATE_NONE;
ifmarker.target_range.max = max_state;
- if (!ni_fsm_create_client(fsm))
+ if (!ni_fsm_create_client(fsm)) {
/* Severe error we always explicitly return */
return NI_WICKED_RC_ERROR;
+ }
- ni_fsm_refresh_state(fsm);
+ if (!ni_fsm_refresh_state(fsm)) {
+ /* Severe error we always explicitly return */
+ return NI_WICKED_RC_ERROR;
+ }
/* Get workers that match given criteria */
nmarked = 0;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/wicked-0.5.18/client/ifreload.c new/wicked-0.5.19/client/ifreload.c
--- old/wicked-0.5.18/client/ifreload.c 2014-03-28 12:39:58.000000000 +0100
+++ new/wicked-0.5.19/client/ifreload.c 2014-04-14 19:21:31.000000000 +0200
@@ -147,7 +147,11 @@
goto cleanup;
}
- ni_fsm_refresh_state(fsm);
+ if (!ni_fsm_refresh_state(fsm)) {
+ /* Severe error we always explicitly return */
+ status = NI_WICKED_RC_ERROR;
+ goto cleanup;
+ }
if (opt_ifconfig.count == 0) {
const ni_string_array_t *sources = ni_config_sources("ifconfig");
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/wicked-0.5.18/client/ifstatus.c new/wicked-0.5.19/client/ifstatus.c
--- old/wicked-0.5.18/client/ifstatus.c 2014-03-28 14:14:45.000000000 +0100
+++ new/wicked-0.5.19/client/ifstatus.c 2014-04-14 19:21:31.000000000 +0200
@@ -215,12 +215,12 @@
va_list ap;
if (!ni_string_empty(dev)) {
- printf("%-15s", dev);
+ printf("%-16s", dev);
} else {
printf("%-6s", "");
}
if (!ni_string_empty(tag)) {
- printf("%-8s ", tag);
+ printf("%-9s ", tag);
}
if (!ni_string_empty(fmt)) {
va_start(ap, fmt);
@@ -563,14 +563,16 @@
}
if (!ni_fsm_create_client(fsm)) {
+ /* Severe error we always explicitly return */
status = NI_WICKED_ST_ERROR;
goto cleanup;
}
- /* TODO: we connect to wickedd here. currently, it
- * may exit(1), that is with NI_WICKED_ST_ERROR...
- */
- ni_fsm_refresh_state(fsm);
+ if (!ni_fsm_refresh_state(fsm)) {
+ /* Severe error we always explicitly return */
+ status = NI_WICKED_ST_ERROR;
+ goto cleanup;
+ }
if (check_config && opt_ifconfig.count == 0) {
const ni_string_array_t *sources = ni_config_sources("ifconfig");
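Review bot: the new ni_fsm_refresh_state() failure path here sets NI_WICKED_ST_ERROR, while the same check in the ifcheck.c, ifdown.c, ifreload.c and ifup.c hunks of this patch uses NI_WICKED_RC_ERROR under an identical "Severe error we always explicitly return" comment. If the status code is deliberate for ifstatus (the removed TODO suggests so), say that in the comment instead of reusing the copied wording, so the difference does not read as an oversight.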
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/wicked-0.5.18/client/ifup.c new/wicked-0.5.19/client/ifup.c
--- old/wicked-0.5.18/client/ifup.c 2014-03-28 12:39:58.000000000 +0100
+++ new/wicked-0.5.19/client/ifup.c 2014-04-14 19:21:31.000000000 +0200
@@ -206,7 +206,11 @@
goto cleanup;
}
- ni_fsm_refresh_state(fsm);
+ if (!ni_fsm_refresh_state(fsm)) {
+ /* Severe error we always explicitly return */
+ status = NI_WICKED_RC_ERROR;
+ goto cleanup;
+ }
if (opt_ifconfig.count == 0) {
const ni_string_array_t *sources = ni_config_sources("ifconfig");
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/wicked-0.5.18/configure new/wicked-0.5.19/configure
--- old/wicked-0.5.18/configure 2014-03-28 19:43:07.000000000 +0100
+++ new/wicked-0.5.19/configure 2014-04-14 19:25:13.000000000 +0200
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for wicked 0.5.18.
+# Generated by GNU Autoconf 2.69 for wicked 0.5.19.
#
# Report bugs to <http://bugs.opensuse.org>.
#
@@ -590,8 +590,8 @@
# Identity of this package.
PACKAGE_NAME='wicked'
PACKAGE_TARNAME='wicked'
-PACKAGE_VERSION='0.5.18'
-PACKAGE_STRING='wicked 0.5.18'
+PACKAGE_VERSION='0.5.19'
+PACKAGE_STRING='wicked 0.5.19'
PACKAGE_BUGREPORT='http://bugs.opensuse.org'
PACKAGE_URL='https://github.com/openSUSE/wicked'
@@ -1377,7 +1377,7 @@
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures wicked 0.5.18 to adapt to many kinds of systems.
+\`configure' configures wicked 0.5.19 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1447,7 +1447,7 @@
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of wicked 0.5.18:";;
+ short | recursive ) echo "Configuration of wicked 0.5.19:";;
esac
cat <<\_ACEOF
@@ -1596,7 +1596,7 @@
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-wicked configure 0.5.18
+wicked configure 0.5.19
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2195,7 +2195,7 @@
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by wicked $as_me 0.5.18, which was
+It was created by wicked $as_me 0.5.19, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@@ -3058,7 +3058,7 @@
# Define the identity of the package.
PACKAGE='wicked'
- VERSION='0.5.18'
+ VERSION='0.5.19'
cat >>confdefs.h <<_ACEOF
@@ -3122,7 +3122,7 @@
# with (CUR-AGE) used in the library soname.
#
CUR=5
-REV=18
+REV=19
AGE=5
# Calculate package (soname version) suffix for the spec file.
@@ -14769,7 +14769,7 @@
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by wicked $as_me 0.5.18, which was
+This file was extended by wicked $as_me 0.5.19, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -14836,7 +14836,7 @@
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-wicked config.status 0.5.18
+wicked config.status 0.5.19
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/wicked-0.5.18/configure.ac new/wicked-0.5.19/configure.ac
--- old/wicked-0.5.18/configure.ac 2014-03-28 19:42:17.000000000 +0100
+++ new/wicked-0.5.19/configure.ac 2014-04-14 19:23:16.000000000 +0200
@@ -18,7 +18,7 @@
# with (CUR-AGE) used in the library soname.
#
CUR=5
-REV=18
+REV=19
AGE=5
# Calculate package (soname version) suffix for the spec file.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/wicked-0.5.18/include/wicked/fsm.h new/wicked-0.5.19/include/wicked/fsm.h
--- old/wicked-0.5.18/include/wicked/fsm.h 2014-03-28 12:39:58.000000000 +0100
+++ new/wicked-0.5.19/include/wicked/fsm.h 2014-04-14 19:21:31.000000000 +0200
@@ -251,7 +251,7 @@
extern ni_bool_t ni_fsm_policies_changed_since(const ni_fsm_t *, unsigned int *tstamp);
extern ni_dbus_client_t * ni_fsm_create_client(ni_fsm_t *);
-extern void ni_fsm_refresh_state(ni_fsm_t *);
+extern ni_bool_t ni_fsm_refresh_state(ni_fsm_t *);
extern unsigned int ni_fsm_schedule(ni_fsm_t *);
extern ni_bool_t ni_fsm_do(ni_fsm_t *fsm, long *timeout_p);
extern void ni_fsm_mainloop(ni_fsm_t *);
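Review bot: changing ni_fsm_refresh_state() from void to ni_bool_t in the first hunk lets any caller that was not touched keep compiling while silently dropping the result. This patch updates the five client callers only; please confirm no other caller remains, and consider a short comment on the prototype stating that FALSE means the server's object list could not be fetched. The three new ni_ifworker_match_netdev_* prototypes would also benefit from a one-line description of what each one matches against.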
@@ -277,6 +277,9 @@
extern const char * ni_ifworker_state_name(unsigned int state);
extern ni_bool_t ni_ifworker_state_from_name(const char *, unsigned int *);
extern ni_fsm_require_t * ni_ifworker_reachability_check_new(xml_node_t *);
+extern ni_bool_t ni_ifworker_match_netdev_name(const ni_ifworker_t *, const char *);
+extern ni_bool_t ni_ifworker_match_netdev_alias(const ni_ifworker_t *, const char *);
+extern ni_bool_t ni_ifworker_match_netdev_ifindex(const ni_ifworker_t *, unsigned int);
extern ni_bool_t ni_ifworker_match_alias(const ni_ifworker_t *, const char *);
extern void ni_ifworker_set_config(ni_ifworker_t *, xml_node_t *, const char *);
extern ni_bool_t ni_ifworker_check_config(const ni_ifworker_t *, const xml_node_t *, const char *);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/wicked-0.5.18/nanny/device.c new/wicked-0.5.19/nanny/device.c
--- old/wicked-0.5.18/nanny/device.c 2014-02-26 20:35:14.000000000 +0100
+++ new/wicked-0.5.19/nanny/device.c 2014-04-14 19:21:31.000000000 +0200
@@ -429,8 +429,6 @@
{
ni_managed_device_t *mdev;
- ni_assert(w);
-
for (mdev = mgr->device_list; mdev; mdev = mdev->next) {
if (mdev->worker == w)
return mdev;
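Review bot: with ni_assert(w) removed, a NULL w is now compared as mdev->worker == w in the loop, so the lookup returns the first managed device whose worker pointer is NULL instead of reporting "not found". An explicit early "if (!w) return NULL;" before the loop keeps the intent of tolerating missing workers without that accidental match.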
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/wicked-0.5.18/nanny/main.c new/wicked-0.5.19/nanny/main.c
--- old/wicked-0.5.18/nanny/main.c 2014-03-28 12:39:58.000000000 +0100
+++ new/wicked-0.5.19/nanny/main.c 2014-04-14 19:21:31.000000000 +0200
@@ -300,9 +300,10 @@
// A new device was added. Could be a virtual device like
// a VLAN or vif, or a hotplug device
// Create a worker and a managed_netif for this device.
- w = ni_fsm_recv_new_netif_path(mgr->fsm, object_path);
- ni_nanny_register_device(mgr, w);
- ni_nanny_schedule_recheck(mgr, w);
+ if ((w = ni_fsm_recv_new_netif_path(mgr->fsm, object_path))) {
+ ni_nanny_register_device(mgr, w);
+ ni_nanny_schedule_recheck(mgr, w);
+ }
return;
}
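Review bot: when ni_fsm_recv_new_netif_path() returns NULL the new branch returns without any trace, so a deviceCreate signal that could not be turned into a worker disappears silently. A ni_debug_nanny() line in an else branch naming signal_name and object_path would make these dropped events visible when debugging.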
@@ -311,28 +312,32 @@
signal_name, object_path);
return;
}
-
- ni_assert(w->type == NI_IFWORKER_TYPE_NETDEV);
- ni_assert(w->device);
+ if (w->type != NI_IFWORKER_TYPE_NETDEV || w->device == NULL) {
+ ni_error("%s: received signal \"%s\" from \"%s\" (not a managed network device)",
+ w->name, signal_name, object_path);
+ return;
+ }
if (event == NI_EVENT_DEVICE_DELETE) {
- ni_debug_nanny("%s: received signal %s from %s", w->name, signal_name, object_path);
+ ni_debug_nanny("%s: received signal \"%s\" from \"%s\"",
+ w->name, signal_name, object_path);
// delete the worker and the managed netif
ni_nanny_unregister_device(mgr, w);
return;
}
if ((mdev = ni_nanny_get_device(mgr, w)) == NULL) {
- ni_debug_nanny("%s: received signal %s from %s (not a managed device)",
+ ni_debug_nanny("%s: received signal \"%s\" from \"%s\" (not a managed device)",
w->name, signal_name, object_path);
return;
}
- ni_debug_nanny("%s: received signal %s; state=%s, policy=%s%s",
+ ni_debug_nanny("%s: received signal %s; state=%s, policy=%s%s%s",
w->name, signal_name,
ni_managed_state_to_string(mdev->state),
mdev->selected_policy? ni_fsm_policy_name(mdev->selected_policy->fsm_policy): "<none>",
- mdev->monitor? ", user controlled" : "");
+ mdev->allowed? ", user control allowed" : "",
+ mdev->monitor? ", monitored" : "");
switch (event) {
case NI_EVENT_LINK_DOWN:
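Review bot: the new "w->type != NI_IFWORKER_TYPE_NETDEV || w->device == NULL" check sits ahead of the NI_EVENT_DEVICE_DELETE branch, so a delete signal for a worker whose w->device is already NULL now returns through ni_error() and never reaches ni_nanny_unregister_device(mgr, w). Consider handling the delete event before the check, or unregistering in the error path, so such a worker does not stay registered. As a style point, the last ni_debug_nanny() format still prints signal_name unquoted while the other messages in this hunk were changed to \"%s\".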
@@ -387,9 +392,10 @@
// We receive a deviceCreate signal when a modem was plugged in
if (event == NI_EVENT_DEVICE_CREATE) {
- w = ni_fsm_recv_new_modem_path(mgr->fsm, object_path);
- ni_nanny_register_device(mgr, w);
- ni_nanny_schedule_recheck(mgr, w);
+ if ((w = ni_fsm_recv_new_modem_path(mgr->fsm, object_path))) {
+ ni_nanny_register_device(mgr, w);
+ ni_nanny_schedule_recheck(mgr, w);
+ }
return;
}
@@ -399,10 +405,13 @@
return;
}
- ni_debug_nanny("%s: received signal %s from %s", w->name, signal_name, object_path);
- ni_assert(w->type == NI_IFWORKER_TYPE_MODEM);
- ni_assert(w->modem);
+ if (w->type != NI_IFWORKER_TYPE_MODEM || w->modem == NULL) {
+ ni_error("%s: received signal \"%s\" from \"%s\" (not a managed modem device)",
+ w->name, signal_name, object_path);
+ return;
+ }
+ ni_debug_nanny("%s: received signal %s from %s", w->name, signal_name, object_path);
if (event == NI_EVENT_DEVICE_DELETE) {
// delete the worker and the managed modem
ni_nanny_unregister_device(mgr, w);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/wicked-0.5.18/nanny/nanny.c new/wicked-0.5.19/nanny/nanny.c
--- old/wicked-0.5.18/nanny/nanny.c 2014-03-18 15:10:50.000000000 +0100
+++ new/wicked-0.5.19/nanny/nanny.c 2014-04-14 19:21:31.000000000 +0200
@@ -324,7 +324,7 @@
break;
}
- mdev->allowed = TRUE;
+ mdev->allowed = FALSE;
if (match->auto_enable)
mdev->monitor = TRUE;
}
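Review bot: flipping mdev->allowed from TRUE to FALSE changes the default for every matched device, yet nothing in this hunk shows where user control gets enabled afterwards. A comment next to the assignment saying which setting or policy turns it back on would make the new default reviewable.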
@@ -332,7 +332,7 @@
ni_debug_nanny("new device %s, class %s%s%s", w->name,
mdev->object->class->name,
mdev->allowed? ", user control allowed" : "",
- mdev->monitor? ", auto-enabled" : "");
+ mdev->monitor? ", monitored (auto-enabled)" : "");
if (mdev->monitor)
ni_nanny_schedule_recheck(mgr, w);
@@ -640,7 +640,7 @@
do {
snprintf(namebuf, sizeof(namebuf), "policy%u", counter++);
- } while (ni_fsm_policy_by_name(mgr->fsm, namebuf) == NULL);
+ } while (ni_fsm_policy_by_name(mgr->fsm, namebuf) && counter);
name = namebuf;
}
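Review bot: the added "&& counter" term stops the loop when counter wraps to 0, but in that case namebuf still holds the last candidate, which ni_fsm_policy_by_name() has just reported as taken, and "name = namebuf" then uses it anyway. Detect the wrap after the loop and fail with an error instead of continuing with a colliding policy name.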
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/wicked-0.5.18/server/main.c new/wicked-0.5.19/server/main.c
--- old/wicked-0.5.18/server/main.c 2014-03-28 12:39:58.000000000 +0100
+++ new/wicked-0.5.19/server/main.c 2014-04-14 19:21:31.000000000 +0200
@@ -347,10 +347,14 @@
/* A new netif was discovered; create a dbus server object
* enacpsulating it. */
object = ni_objectmodel_register_netif(dbus_server, dev, NULL);
- } else
- if (!(object = ni_objectmodel_get_netif_object(dbus_server, dev))) {
- ni_error("cannot send %s event for model \"%s\" - no dbus device",
- ni_event_type_to_name(event), dev->name);
+ } else {
+ object = ni_objectmodel_get_netif_object(dbus_server, dev);
+ }
+ if (!object) {
+ /* usually a "bad event", e.g. when the underlying netdev
+ * does not exists any more, but events still arrive ... */
+ ni_debug_events("cannot handle %s event for model \"%s\" - no dbus object",
+ ni_event_type_to_name(event), dev->name);
return;
}
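Review bot: after this restructuring the "if (!object)" block also covers a NULL result from ni_objectmodel_register_netif() on the create branch, which is then reported only through ni_debug_events() with wording about a vanished device. Keep the create failure distinguishable, for example with its own message, and fix the comment typo "does not exists" to "does not exist".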
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/wicked-0.5.18/src/dbus-object.c new/wicked-0.5.19/src/dbus-object.c
--- old/wicked-0.5.18/src/dbus-object.c 2014-02-18 15:27:29.000000000 +0100
+++ new/wicked-0.5.19/src/dbus-object.c 2014-04-14 19:21:31.000000000 +0200
@@ -301,7 +301,7 @@
const ni_dbus_service_t *svc;
unsigned int i;
- if (object->interfaces == NULL)
+ if (object == NULL || object->interfaces == NULL)
return NULL;
for (i = 0; (svc = object->interfaces[i]) != NULL; ++i) {
@@ -364,7 +364,7 @@
const ni_dbus_service_t *svc;
unsigned int i, found = 0;
- if (object->interfaces == NULL || method == NULL)
+ if (object == NULL || object->interfaces == NULL || method == NULL)
return 0;
for (i = 0; (svc = object->interfaces[i]) != NULL; ++i) {
@@ -383,7 +383,7 @@
const ni_dbus_service_t *svc, *best = NULL;
unsigned int i;
- if (object->interfaces == NULL)
+ if (object == NULL || object->interfaces == NULL)
return NULL;
for (i = 0; (svc = object->interfaces[i]) != NULL; ++i) {
@@ -404,7 +404,7 @@
const ni_dbus_service_t *svc;
unsigned int i;
- if (object->interfaces == NULL)
+ if (object == NULL || object->interfaces == NULL)
return NULL;
for (i = 0; (svc = object->interfaces[i]) != NULL; ++i) {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/wicked-0.5.18/src/dbus-objects/interface.c new/wicked-0.5.19/src/dbus-objects/interface.c
--- old/wicked-0.5.18/src/dbus-objects/interface.c 2014-03-28 14:14:45.000000000 +0100
+++ new/wicked-0.5.19/src/dbus-objects/interface.c 2014-04-14 19:21:31.000000000 +0200
@@ -374,8 +374,10 @@
object = ni_dbus_object_new(class, NULL, ni_netdev_get(dev));
}
- if (object == NULL)
- ni_fatal("Unable to create dbus object for network interface %s", dev->name);
+ if (object == NULL) {
+ ni_error("Unable to create dbus object for network interface %s", dev->name);
+ return NULL;
+ }
ni_objectmodel_bind_compatible_interfaces(object);
return object;
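Review bot: replacing ni_fatal() with ni_error() plus "return NULL" gives this function a failure return it did not have before, so every caller now has to check the result. Please document the NULL return in the function's comment and confirm that all callers, not only the one adjusted in server/main.c, handle it.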
@@ -504,8 +506,16 @@
ni_netdev_t *
ni_objectmodel_unwrap_netif(const ni_dbus_object_t *object, DBusError *error)
{
- ni_netdev_t *dev = object->handle;
+ ni_netdev_t *dev;
+
+ if (!object) {
+ if (error)
+ dbus_set_error(error, DBUS_ERROR_FAILED,
+ "Cannot unwrap network interface from a NULL dbus object");
+ return NULL;
+ }
+ dev = object->handle;
if (ni_dbus_object_isa(object, &ni_objectmodel_netif_class))
return dev;
if (error)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/wicked-0.5.18/src/dbus-objects/modem.c new/wicked-0.5.19/src/dbus-objects/modem.c
--- old/wicked-0.5.18/src/dbus-objects/modem.c 2014-03-28 12:39:58.000000000 +0100
+++ new/wicked-0.5.19/src/dbus-objects/modem.c 2014-04-14 19:21:31.000000000 +0200
@@ -198,8 +198,11 @@
object = ni_dbus_object_new(class, NULL, ni_modem_hold(modem));
}
- if (object == NULL)
- ni_fatal("Unable to create proxy object for modem %s (%s)", modem->device, modem->real_path);
+ if (object == NULL) {
+ ni_error("Unable to create proxy object for modem %s (%s)",
+ modem->device, modem->real_path);
+ return NULL;
+ }
ni_objectmodel_bind_compatible_interfaces(object);
return object;
@@ -262,8 +265,16 @@
ni_modem_t *
ni_objectmodel_unwrap_modem(const ni_dbus_object_t *object, DBusError *error)
{
- ni_modem_t *modem = object->handle;
+ ni_modem_t *modem;
+
+ if (!object) {
+ if (error)
+ dbus_set_error(error, DBUS_ERROR_FAILED,
+ "Cannot unwrap modem from a NULL dbus object");
+ return NULL;
+ }
+ modem = object->handle;
if (ni_dbus_object_isa(object, &ni_objectmodel_mm_modem_class))
return modem;
if (ni_dbus_object_isa(object, &ni_objectmodel_modem_class))
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/wicked-0.5.18/src/fsm-policy.c new/wicked-0.5.19/src/fsm-policy.c
--- old/wicked-0.5.18/src/fsm-policy.c 2014-03-18 15:10:50.000000000 +0100
+++ new/wicked-0.5.19/src/fsm-policy.c 2014-04-14 19:21:31.000000000 +0200
@@ -1180,37 +1180,71 @@
/*
* <device>...</device>
+ * <device:name>...</device:name>
+ * <device:alias>...</device:alias>
+ * <device:ifindex>...</device:ifindex>
*/
static ni_bool_t
-__ni_fsm_policy_match_device_check(const ni_ifcondition_t *cond, ni_ifworker_t *w)
+__ni_fsm_policy_match_device_name_check(const ni_ifcondition_t *cond, ni_ifworker_t *w)
{
- ni_warn("<device> condition not implemented yet");
- return FALSE;
+ return ni_ifworker_match_netdev_name(w, cond->args.string);
}
-
-static ni_ifcondition_t *
-ni_ifcondition_device(xml_node_t *node)
+static ni_bool_t
+__ni_fsm_policy_match_device_alias_check(const ni_ifcondition_t *cond, ni_ifworker_t *w)
{
- ni_ifcondition_t *result;
+ return ni_ifworker_match_netdev_alias(w, cond->args.string);
+}
+static ni_bool_t
+__ni_fsm_policy_match_device_ifindex_check(const ni_ifcondition_t *cond, ni_ifworker_t *w)
+{
+ unsigned int ifindex;
- result = ni_ifcondition_new(__ni_fsm_policy_match_device_check);
- result->args.device.node = node;
- return result;
+ if (ni_parse_uint(cond->args.string, &ifindex, 10) < 0 || !ifindex)
+ return FALSE;
+ return ni_ifworker_match_netdev_ifindex(w, ifindex);
}
-/*
- * <device-alias>foobidoo</device-alias>
- */
-static ni_bool_t
-__ni_fsm_policy_match_device_alias_check(const ni_ifcondition_t *cond, ni_ifworker_t *w)
+static ni_ifcondition_t *
+ni_ifcondition_device_element(xml_node_t *node, const char *name)
{
- return ni_ifworker_match_alias(w, cond->args.string);
+ if (ni_string_eq(name, "name")) {
+ return ni_ifcondition_new_cdata(__ni_fsm_policy_match_device_name_check, node);
+ }
+ if (ni_string_eq(name, "alias")) {
+ return ni_ifcondition_new_cdata(__ni_fsm_policy_match_device_alias_check, node);
+ }
+ if (ni_string_eq(name, "ifindex")) {
+ return ni_ifcondition_new_cdata(__ni_fsm_policy_match_device_ifindex_check, node);
+ }
+ ni_error("%s: unknown device condition <%s>", xml_node_location(node), name);
+ return NULL;
}
static ni_ifcondition_t *
-ni_ifcondition_device_alias(xml_node_t *node)
+ni_ifcondition_device(xml_node_t *node)
{
- return ni_ifcondition_new_cdata(__ni_fsm_policy_match_device_alias_check, node);
+ ni_ifcondition_t *result = NULL;
+
+ if (!node->children && node->cdata)
+ return ni_ifcondition_new_cdata(__ni_fsm_policy_match_device_name_check, node);
+
+ for (node = node->children; node; node = node->next) {
+ ni_ifcondition_t *cond;
+
+ cond = ni_ifcondition_device_element(node, node->name);
+ if (cond == NULL) {
+ if (result)
+ ni_ifcondition_free(result);
+ return NULL;
+ }
+
+ if (result == NULL)
+ result = cond;
+ else
+ result = ni_ifcondition_and_terms(result, cond);
+ }
+
+ return result;
}
/*
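Review bot: in the new ni_ifcondition_device(), a <device> node that has neither children nor cdata skips both the cdata shortcut and the loop and returns NULL without any message, unlike the unknown-child case, which logs through ni_error() in ni_ifcondition_device_element(). Add an ni_error() with xml_node_location(node) for the empty element. Separately, __ni_fsm_policy_match_device_ifindex_check() re-parses cond->args.string with ni_parse_uint() on every match; validating the value once when the condition is built would also reject a malformed <device:ifindex> at load time.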
@@ -1468,30 +1502,30 @@
return ni_ifcondition_none(node);
if (!strcmp(node->name, "type"))
return ni_ifcondition_type(node);
- if (!strcmp(node->name, "device"))
- return ni_ifcondition_device(node);
if (!strcmp(node->name, "class"))
return ni_ifcondition_class(node);
if (!strcmp(node->name, "sharable"))
return ni_ifcondition_sharable(node);
if (!strcmp(node->name, "link-type"))
return ni_ifcondition_linktype(node);
- if (!strcmp(node->name, "device-alias"))
- return ni_ifcondition_device_alias(node);
if (!strcmp(node->name, "control-mode"))
return ni_ifcondition_control_mode(node);
if (!strcmp(node->name, "boot-stage"))
return ni_ifcondition_boot_stage(node);
if (!strcmp(node->name, "minimum-device-state"))
return ni_ifcondition_min_device_state(node);
+ if (!strcmp(node->name, "device"))
+ return ni_ifcondition_device(node);
+ if (!strncmp(node->name, "device:", sizeof("device:")-1))
+ return ni_ifcondition_device_element(node, node->name + sizeof("device:")-1);
if (!strcmp(node->name, "modem"))
return ni_ifcondition_modem(node);
- if (!strncmp(node->name, "modem:", 6))
- return ni_ifcondition_modem_element(node, node->name + 6);
+ if (!strncmp(node->name, "modem:", sizeof("modem:")-1))
+ return ni_ifcondition_modem_element(node, node->name + sizeof("modem:")-1);
if (!strcmp(node->name, "wireless"))
return ni_ifcondition_wireless(node);
- if (!strncmp(node->name, "wireless:", 9))
- return ni_ifcondition_wireless_element(node, node->name + 9);
+ if (!strncmp(node->name, "wireless:", sizeof("wireless:")-1))
+ return ni_ifcondition_wireless_element(node, node->name + sizeof("wireless:")-1);
ni_error("%s: unsupported policy conditional <%s>", xml_node_location(node), node->name);
return NULL;
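Review bot: the "device-alias" branch is removed here without a replacement, so an existing policy that uses <device-alias> now falls through to "unsupported policy conditional" and fails to load. Either keep "device-alias" as a deprecated synonym that maps to the new alias check, or note the incompatibility in the changelog. The switch from the literals 6 and 9 to sizeof("modem:")-1 and sizeof("wireless:")-1 is a good cleanup.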
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/wicked-0.5.18/src/fsm.c new/wicked-0.5.19/src/fsm.c
--- old/wicked-0.5.18/src/fsm.c 2014-03-28 14:14:45.000000000 +0100
+++ new/wicked-0.5.19/src/fsm.c 2014-04-14 19:21:31.000000000 +0200
@@ -41,9 +41,9 @@
static int ni_ifworker_bind_device_apis(ni_ifworker_t *, const ni_dbus_service_t *);
static void ni_ifworker_control_init(ni_ifworker_control_t *);
static void ni_ifworker_control_destroy(ni_ifworker_control_t *);
-static void __ni_ifworker_refresh_netdevs(ni_fsm_t *);
+static ni_bool_t __ni_ifworker_refresh_netdevs(ni_fsm_t *);
#ifdef MODEM
-static void __ni_ifworker_refresh_modems(ni_fsm_t *);
+static ni_bool_t __ni_ifworker_refresh_modems(ni_fsm_t *);
#endif
static int ni_fsm_user_prompt_default(const ni_fsm_prompt_t *, xml_node_t *, void *);
static void ni_ifworker_refresh_client_info(ni_ifworker_t *, ni_device_clientinfo_t *);
@@ -176,6 +176,10 @@
{
ni_string_free(&w->name);
ni_ifworker_reset(w);
+ if (w->device)
+ ni_netdev_put(w->device);
+ if (w->modem)
+ ni_modem_release(w->modem);
free(w);
}
@@ -593,6 +597,81 @@
}
ni_bool_t
+ni_ifworker_match_netdev_name(const ni_ifworker_t *w, const char *ifname)
+{
+ xml_node_t *node;
+
+ if (!ifname)
+ return FALSE;
+
+ if (w->device && ni_string_eq(w->device->name, ifname))
+ return TRUE;
+
+ if (w->config.node && (node = xml_node_get_child(w->config.node, "name"))) {
+ const char *namespace = xml_node_get_attr(node, "namespace");
+ if (!namespace && ni_string_eq(node->cdata, ifname))
+ return TRUE;
+ }
+
+ return FALSE;
+}
+
+static ni_bool_t
+__ni_ifworker_match_netdev_ifindex(unsigned int ifindex, const char *value)
+{
+ unsigned int index;
+
+ if (ni_parse_uint(value, &index, 10) < 0 || !index)
+ return FALSE;
+ return ifindex == index;
+}
+
+ni_bool_t
+ni_ifworker_match_netdev_ifindex(const ni_ifworker_t *w, unsigned int ifindex)
+{
+ xml_node_t *node;
+
+ if (!ifindex)
+ return FALSE;
+
+ if (w->device && w->device->link.ifindex == ifindex)
+ return TRUE;
+
+ if (w->config.node && (node = xml_node_get_child(w->config.node, "name"))) {
+ const char *namespace = xml_node_get_attr(node, "namespace");
+
+ if (namespace && ni_string_eq(namespace, "ifindex"))
+ return __ni_ifworker_match_netdev_ifindex(ifindex, node->cdata);
+ }
+ return FALSE;
+}
+
+ni_bool_t
+ni_ifworker_match_netdev_alias(const ni_ifworker_t *w, const char *ifalias)
+{
+ xml_node_t *node;
+
+ if (!ifalias)
+ return FALSE;
+
+ if (w->device && ni_string_eq(w->device->link.alias, ifalias))
+ return TRUE;
+
+ if (w->config.node && (node = xml_node_get_child(w->config.node, "alias"))) {
+ if (ni_string_eq(node->cdata, ifalias))
+ return TRUE;
+ }
+ if (w->config.node && (node = xml_node_get_child(w->config.node, "name"))) {
+ const char *namespace = xml_node_get_attr(node, "namespace");
+
+ if (namespace && ni_string_eq(namespace, "alias"))
+ return ni_string_eq(node->cdata, ifalias);
+ }
+
+ return FALSE;
+}
+
+ni_bool_t
ni_ifworker_match_alias(const ni_ifworker_t *w, const char *alias)
{
xml_node_t *node;
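Review bot: the three new exported matchers carry no comment explaining the <name namespace="..."> fallback they implement (no namespace for the name, "ifindex" and "alias" for the others), and they dereference w without a NULL check even though other parts of this patch now tolerate missing workers. Please add a short description per function and either guard w or state that it must be non-NULL. ni_ifworker_match_netdev_alias() also starts with the same device alias and config "alias" checks as the existing ni_ifworker_match_alias(); sharing that code would avoid the two drifting apart.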
@@ -603,7 +682,7 @@
if (w->device && ni_string_eq(w->device->link.alias, alias))
return TRUE;
- if (w->config.node && (node = xml_node_get_child(w->config.node, "alias")) != NULL) {
+ if (w->config.node && (node = xml_node_get_child(w->config.node, "alias"))) {
if (ni_string_eq(node->cdata, alias))
return TRUE;
}
@@ -2373,7 +2452,7 @@
}
}
-void
+ni_bool_t
ni_fsm_refresh_state(ni_fsm_t *fsm)
{
ni_ifworker_t *w;
@@ -2390,9 +2469,11 @@
w->readonly = fsm->readonly;
}
- __ni_ifworker_refresh_netdevs(fsm);
+ if (!__ni_ifworker_refresh_netdevs(fsm))
+ return FALSE;
#ifdef MODEM
- __ni_ifworker_refresh_modems(fsm);
+ if (!__ni_ifworker_refresh_modems(fsm))
+ return FALSE;
#endif
for (i = 0; i < fsm->workers.count; ++i) {
@@ -2416,23 +2497,29 @@
} else if (!w->done)
ni_ifworker_update_state(w, NI_FSM_STATE_DEVICE_EXISTS, __NI_FSM_STATE_MAX);
}
+ return TRUE;
}
-static void
+static ni_bool_t
__ni_ifworker_refresh_netdevs(ni_fsm_t *fsm)
{
static ni_dbus_object_t *list_object = NULL;
ni_dbus_object_t *object;
- if (!list_object && !(list_object = ni_call_get_netif_list_object()))
- ni_fatal("unable to get server's interface list");
+ if (!list_object && !(list_object = ni_call_get_netif_list_object())) {
+ ni_error("unable to get server's interface list");
+ return FALSE;
+ }
/* Call ObjectManager.GetManagedObjects to get list of objects and their properties */
- if (!ni_dbus_object_refresh_children(list_object))
- ni_fatal("Couldn't refresh list of active network interfaces");
+ if (!ni_dbus_object_refresh_children(list_object)) {
+ ni_error("Couldn't refresh list of active network interfaces");
+ return FALSE;
+ }
for (object = list_object->children; object; object = object->next)
ni_fsm_recv_new_netif(fsm, object, FALSE);
+ return TRUE;
}
ni_ifworker_t *
@@ -2493,30 +2580,37 @@
static ni_dbus_object_t *list_object = NULL;
ni_dbus_object_t *object;
- if (!list_object && !(list_object = ni_call_get_netif_list_object()))
- ni_fatal("unable to get server's netdev list");
+ if (!list_object && !(list_object = ni_call_get_netif_list_object())) {
+ ni_error("unable to get server's netdev list");
+ return NULL;
+ }
object = ni_dbus_object_create(list_object, path, NULL, NULL);
return ni_fsm_recv_new_netif(fsm, object, TRUE);
}
#ifdef MODEM
-static void
+static ni_bool_t
__ni_ifworker_refresh_modems(ni_fsm_t *fsm)
{
static ni_dbus_object_t *list_object = NULL;
ni_dbus_object_t *object;
- if (!list_object && !(list_object = ni_call_get_modem_list_object()))
- ni_fatal("unable to get server's modem list");
+ if (!list_object && !(list_object = ni_call_get_modem_list_object())) {
+ ni_error("unable to get server's modem list");
+ return FALSE;
+ }
/* Call ObjectManager.GetManagedObjects to get list of objects and their properties */
- if (!ni_dbus_object_refresh_children(list_object))
- ni_fatal("Couldn't refresh list of available modems");
+ if (!ni_dbus_object_refresh_children(list_object)) {
+ ni_error("Couldn't refresh list of available modems");
+ return FALSE;
+ }
for (object = list_object->children; object; object = object->next) {
ni_fsm_recv_new_modem(fsm, object, FALSE);
}
+ return TRUE;
}
#endif
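Review bot: in ni_fsm_recv_new_netif_path() the list lookup failure now returns NULL, but the result of ni_dbus_object_create(list_object, path, NULL, NULL) on the next line is still passed to ni_fsm_recv_new_netif() unchecked. Since the point of this change is to survive objects that cannot be created, check object for NULL there as well and return NULL with a message.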
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/wicked-0.5.18/src/ifevent.c new/wicked-0.5.19/src/ifevent.c
--- old/wicked-0.5.18/src/ifevent.c 2014-02-25 14:03:37.000000000 +0100
+++ new/wicked-0.5.19/src/ifevent.c 2014-04-14 19:21:31.000000000 +0200
@@ -144,6 +144,13 @@
return rv;
}
+static inline ni_bool_t
+__ni_netdev_still_exists(unsigned int ifindex)
+{
+ char namebuf[IF_NAMESIZE+1] = {'\0'};
+ return if_indextoname(ifindex, namebuf) != NULL;
+}
+
/*
* Process NEWLINK event
*/
@@ -169,6 +176,16 @@
}
old = ni_netdev_by_index(nc, ifi->ifi_index);
+ if (!__ni_netdev_still_exists(ifi->ifi_index)) {
+ if (old) {
+ __ni_netdev_event(nc, old, NI_EVENT_DEVICE_DELETE);
+ ni_netconfig_device_remove(nc, old);
+ ni_client_state_drop(old->link.ifindex);
+ return 0;
+ }
+ return -1;
+ }
+
if (old != NULL) {
old_flags = old->link.ifflags;
dev = old;
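Review bot: in the new `if (old)` branch, old->link.ifindex is read after ni_netconfig_device_remove(nc, old); if the remove drops the last reference to the device, that is a read of freed memory. Pass ifi->ifi_index to ni_client_state_drop(), or call it before the remove. The if_indextoname() probe is also only a snapshot: the interface can disappear right after it returns, so the code below still has to cope with a vanished device, and returning -1 for a NEWLINK about an unknown, already-gone interface reports an expected race as an error.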
@@ -244,6 +261,8 @@
{
struct ifinfomsg *ifi;
ni_netdev_t *dev;
+ struct nlattr *nla;
+ const char *ifname = NULL;
if (!(ifi = ni_rtnl_ifinfomsg(h, RTM_DELLINK)))
return -1;
@@ -253,9 +272,14 @@
return 0;
}
+ if ((nla = nlmsg_find_attr(h, sizeof(*ifi), IFLA_IFNAME)) != NULL) {
+ ifname = (char *) nla_data(nla);
+ }
+
/* Open code interface removal. */
if ((dev = ni_netdev_by_index(nc, ifi->ifi_index)) == NULL) {
- ni_error("bad RTM_DELLINK message for unknown interface index %d", ifi->ifi_index);
+ ni_debug_events("RTM_DELLINK message for unknown interface %s index %d",
+ ifname, ifi->ifi_index);
return -1;
} else {
dev->link.ifflags = __ni_netdev_translate_ifflags(ifi->ifi_flags);
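Review bot: ifname stays NULL when the message carries no IFLA_IFNAME attribute and is then passed to a %s conversion in ni_debug_events(), which is undefined behaviour for a NULL pointer; substitute a fallback string before logging. The attribute payload from nla_data() is also treated as a C string without checking nla_len() or NUL termination, which should be validated before it is printed.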
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/wicked-0.5.18/wicked.spec new/wicked-0.5.19/wicked.spec
--- old/wicked-0.5.18/wicked.spec 2014-03-28 19:43:13.000000000 +0100
+++ new/wicked-0.5.19/wicked.spec 2014-04-14 19:25:19.000000000 +0200
@@ -18,7 +18,7 @@
%define release_prefix %{?snapshot:%{snapshot}}%{!?snapshot:0}
Name: wicked
-Version: 0.5.18
+Version: 0.5.19
Release: %{release_prefix}.0.0
Summary: Network configuration infrastructure
License: GPL-2.0
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse-commit+help(a)opensuse.org
Hello community,
here is the log from the commit of package openssl for openSUSE:Factory checked in at 2014-04-17 14:35:56
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openssl (Old)
and /work/SRC/openSUSE:Factory/.openssl.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssl"
Changes:
--------
--- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2014-04-15 07:34:11.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2014-04-17 14:35:57.000000000 +0200
@@ -2,14 +1,0 @@
-Fri Apr 11 02:40:34 UTC 2014 - crrodriguez(a)opensuse.org
-
-- openssl-gcc-attributes.patch
- * annotate memory allocation wrappers with attribute(alloc_size)
- so the compiler can tell us if it knows they are being misused
- * OPENSSL_showfatal is annotated with attribute printf to detect
- format string problems.
-
-- It is time to try to disable SSLv2 again, it was tried a while
- ago but broke too many things, nowadays Debian, Ubuntu, the BSDs
- all have disabled it, most components are already fixed.
- I will fix the remaining fallout if any. (email me)
-
--------------------------------------------------------------------
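Review bot: this hunk deletes the 11 April entry from openssl.changes instead of adding a new entry that records the revert, so the package history no longer shows that openssl-gcc-attributes.patch and the SSLv2 disablement were tried or why they were backed out. Keep the old entry and add a dated one stating the reason for the revert.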
Old:
----
openssl-gcc-attributes.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ openssl.spec ++++++
--- /var/tmp/diff_new_pack.rrt9Eu/_old 2014-04-17 14:35:58.000000000 +0200
+++ /var/tmp/diff_new_pack.rrt9Eu/_new 2014-04-17 14:35:58.000000000 +0200
@@ -64,7 +64,6 @@
Patch16: openssl-1.0.1e-fips-ec.patch
Patch17: openssl-1.0.1e-fips-ctor.patch
Patch18: openssl-1.0.1e-new-fips-reqs.patch
-Patch19: openssl-gcc-attributes.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
@@ -170,7 +169,7 @@
%patch16 -p1
%patch17 -p1
%patch18 -p1
-%patch19 -p1
+
cp -p %{S:10} .
cp -p %{S:11} .
echo "adding/overwriting some entries in the 'table' hash in Configure"
@@ -218,9 +217,6 @@
#
config_flags="threads shared no-rc5 no-idea \
fips \
-%if 0%{suse_version} > 1310
-no-ssl2 \
-%endif
%ifarch x86_64
enable-ec_nistp_64_gcc_128 \
%endif
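Review bot: dropping `no-ssl2` from config_flags turns SSLv2 back on for suse_version > 1310, and neither the spec nor the changelog says which breakage prompted it. SSLv2 is a broken protocol; if a consumer still needs it, the spec should carry a comment naming that consumer so the flag can be restored once it is fixed.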
Hello community,
here is the log from the commit of package wxWidgets-3_0 for openSUSE:Factory checked in at 2014-04-17 14:11:52
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/wxWidgets-3_0 (Old)
and /work/SRC/openSUSE:Factory/.wxWidgets-3_0.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "wxWidgets-3_0"
Changes:
--------
--- /work/SRC/openSUSE:Factory/wxWidgets-3_0/wxWidgets-3_0.changes 2014-02-19 07:26:01.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.wxWidgets-3_0.new/wxWidgets-3_0.changes 2014-04-17 14:11:53.000000000 +0200
@@ -1,0 +2,10 @@
+Tue Mar 11 09:48:36 UTC 2014 - jengelh(a)inai.de
+
+- Exclude libwx_webview from SLE11 build
+
+-------------------------------------------------------------------
+Mon Feb 17 14:21:18 UTC 2014 - seiler(a)b1-systems.de
+
+- added baselibs.conf to provide *-32bit packages
+
+-------------------------------------------------------------------
New:
----
baselibs.conf
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ wxWidgets-3_0.spec ++++++
--- /var/tmp/diff_new_pack.uQPads/_old 2014-04-17 14:11:54.000000000 +0200
+++ /var/tmp/diff_new_pack.uQPads/_new 2014-04-17 14:11:54.000000000 +0200
@@ -61,7 +61,11 @@
BuildRequires: libmspack-devel
BuildRequires: libtiff-devel
BuildRequires: pkgconfig(glu)
+%if 0%{?suse_version} >= 1140
BuildRequires: pkgconfig(webkit-1.0)
+%else
+BuildRequires: libwebkit-gtk-devel
+%endif
Version: 3.0.0
Release: 0
%define wx_minor %(echo %{version} | sed 's/\.[0-9][0-9]*$//')
@@ -114,6 +118,7 @@
# This script is not used during build, but it makes possible to
# identify and backport wxPython fixes to wxWidgets.
Source6: wxpython-mkdiff.sh
+Source50: baselibs.conf
Url: http://www.wxwidgets.org/
BuildRoot: %{_tmppath}/%{name}-%{version}-build
# PATCH-FEATURE-OPENSUSE wxWidgets-config-force-rpath.patch sbrabec(a)suse.cz -- Force rpath use for installed libraries.
++++++ baselibs.conf ++++++
libwx_baseu-3_0-0-stl
libwx_baseu_net-3_0-0-stl
libwx_baseu_xml-3_0-0-stl
libwx_gtk2u_adv-3_0-0-stl
libwx_gtk2u_aui-3_0-0-stl
libwx_gtk2u_core-3_0-0-stl
libwx_gtk2u_gl-3_0-0-stl
libwx_gtk2u_html-3_0-0-stl
libwx_gtk2u_media-3_0-0-stl
libwx_gtk2u_propgrid-3_0-0-stl
libwx_gtk2u_qa-3_0-0-stl
libwx_gtk2u_ribbon-3_0-0-stl
libwx_gtk2u_richtext-3_0-0-stl
libwx_gtk2u_stc-3_0-0-stl
libwx_gtk2u_webview-3_0-0-stl
libwx_gtk2u_xrc-3_0-0-stl
wxWidgets-3_0-compat-lib-config
wxWidgets-3_0-devel
wxWidgets-3_0-plugin-sound_sdlu-3_0-stl
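Review bot: baselibs.conf lists libwx_gtk2u_webview-3_0-0-stl unconditionally, while the changelog entry in the same submission says libwx_webview is excluded from the SLE11 build. Check that -32bit generation on SLE11 does not fail on the missing package; the spec hunks shown here only add the libwebkit-gtk-devel fallback and do not show the exclusion itself.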
Hello community,
here is the log from the commit of package mokutil for openSUSE:Factory checked in at 2014-04-17 14:11:46
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/mokutil (Old)
and /work/SRC/openSUSE:Factory/.mokutil.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mokutil"
Changes:
--------
--- /work/SRC/openSUSE:Factory/mokutil/mokutil.changes 2014-04-11 13:39:59.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.mokutil.new/mokutil.changes 2014-04-17 14:11:47.000000000 +0200
@@ -1,0 +2,6 @@
+Wed Apr 16 04:11:50 UTC 2014 - glin(a)suse.com
+
+- Add mokutil-fix-hash-file-read.patch to fix the error handling of
+ reading a hash file
+
+-------------------------------------------------------------------
New:
----
mokutil-fix-hash-file-read.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ mokutil.spec ++++++
--- /var/tmp/diff_new_pack.D4MO4l/_old 2014-04-17 14:11:48.000000000 +0200
+++ /var/tmp/diff_new_pack.D4MO4l/_new 2014-04-17 14:11:48.000000000 +0200
@@ -40,6 +40,8 @@
Patch7: mokutil-check-corrupted-key-list.patch
# PATCH-FIX-UPSTREAM mokutil-no-invalid-x509.patch glin(a)suse.com -- Don't import an invalid x509 certificate
Patch8: mokutil-no-invalid-x509.patch
+# PATCH-FIX-UPSTREAM mokutil-fix-hash-file-read.patch glin(a)suse.com -- Fix the error handling of reading a hash file
+Patch9: mokutil-fix-hash-file-read.patch
# PATCH-FIX-OPENSUSE mokutil-support-revoke-builtin-cert.patch glin(a)suse.com -- Add an option to revoke the built-in certificate
Patch100: mokutil-support-revoke-builtin-cert.patch
BuildRequires: autoconf
@@ -69,6 +71,7 @@
%patch6 -p1
%patch7 -p1
%patch8 -p1
+%patch9 -p1
%patch100 -p1
%build
++++++ mokutil-fix-hash-file-read.patch ++++++
>From 59fb1efb45cc59bfc7a30ade20ef9900c13ec711 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin(a)suse.com>
Date: Fri, 11 Apr 2014 11:37:31 +0800
Subject: [PATCH] Fix error handling of reading password hash file
Signed-off-by: Gary Ching-Pang Lin <glin(a)suse.com>
---
src/mokutil.c | 20 ++++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index cdb5739..d9b657b 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -87,6 +87,7 @@ EFI_GUID (0x605dab50, 0xe046, 0x4300, 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b,
#define DEFAULT_CRYPT_METHOD SHA512_BASED
#define DEFAULT_SALT_SIZE SHA512_SALT_MAX
#define SETTINGS_LEN (DEFAULT_SALT_SIZE*2)
+#define BUF_SIZE 300
static int use_simple_hash;
@@ -779,7 +780,7 @@ generate_hash (pw_crypt_t *pw_crypt, char *password, int pw_len)
static int
get_hash_from_file (const char *file, pw_crypt_t *pw_crypt)
{
- char string[300];
+ char string[BUF_SIZE];
ssize_t read_len = 0;
int fd;
@@ -789,22 +790,25 @@ get_hash_from_file (const char *file, pw_crypt_t *pw_crypt)
return -1;
}
- while (read_len < 300) {
- int rc = read (fd, string + read_len, 300 - read_len);
- if (rc == EAGAIN)
- continue;
+ bzero (string, BUF_SIZE);
+
+ while (read_len < BUF_SIZE) {
+ ssize_t rc = read (fd, string + read_len, BUF_SIZE - read_len);
if (rc < 0) {
+ if (errno == EINTR || errno == EAGAIN)
+ continue;
+
fprintf (stderr, "Failed to read %s: %m\n", file);
close (fd);
return -1;
- }
- if (rc == 0)
+ } else if (rc == 0) {
break;
+ }
read_len += rc;
}
close (fd);
- if (string[read_len-1] != '\0') {
+ if (string[read_len] != '\0') {
fprintf (stderr, "corrupted string\n");
return -1;
}
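Review bot: the final check `string[read_len] != '\0'` reads one byte past the buffer when the file holds BUF_SIZE bytes or more, because the loop exits with read_len == BUF_SIZE and the array is only BUF_SIZE long. For any shorter read, the byte at string[read_len] is still zero from the bzero() above, so the "corrupted string" test can no longer fire on input that fits. Read at most BUF_SIZE - 1 bytes (or reject read_len == BUF_SIZE) and then validate the content itself. The retry on EAGAIN will also spin if the descriptor is non-blocking, and the new errno test needs <errno.h>, which this patch does not show being included.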
--
1.8.4.5
Hello community,
here is the log from the commit of package nagios-plugins-bind for openSUSE:Factory checked in at 2014-04-17 14:11:42
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/nagios-plugins-bind (Old)
and /work/SRC/openSUSE:Factory/.nagios-plugins-bind.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "nagios-plugins-bind"
Changes:
--------
--- /work/SRC/openSUSE:Factory/nagios-plugins-bind/nagios-plugins-bind.changes 2013-01-24 15:37:20.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.nagios-plugins-bind.new/nagios-plugins-bind.changes 2014-04-17 14:11:43.000000000 +0200
@@ -1,0 +2,5 @@
+Wed Apr 9 23:15:25 UTC 2014 - lars(a)linux-schulserver.de
+
+- use the correct pnp4nagios template directory
+
+-------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ nagios-plugins-bind.spec ++++++
--- /var/tmp/diff_new_pack.eRHWTL/_old 2014-04-17 14:11:43.000000000 +0200
+++ /var/tmp/diff_new_pack.eRHWTL/_new 2014-04-17 14:11:43.000000000 +0200
@@ -1,7 +1,7 @@
#
# spec file for package nagios-plugins-bind
#
-# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -28,9 +28,9 @@
Source2: check_bind.php
BuildRequires: nagios-rpm-macros
Requires: bind-utils
-Requires: sudo
Requires: coreutils
Requires: gawk
+Requires: sudo
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildArch: noarch
@@ -53,7 +53,7 @@
s|Default is: 9.4|Default is: \$version|g; \
s|9.5|9.5\|9.6|g" %{SOURCE0} > %{buildroot}/%{nagios_plugindir}/check_bind
chmod +x %{buildroot}/%{nagios_plugindir}/check_bind
-install -Dp -m 0644 %{SOURCE2} %{buildroot}%{pnp4nagios_templatedir}.special/check_bind.php
+install -Dp -m 0644 %{SOURCE2} %{buildroot}%{pnp4nagios_templatedir}/check_bind.php
install -Dp -m 0644 %{SOURCE1} %{buildroot}%{_defaultdocdir}/%{name}/LICENSE
%clean
@@ -67,8 +67,8 @@
%dir %{nagios_libdir}
%dir %{nagios_plugindir}
%dir %{pnp4nagios_datadir}
-%dir %{pnp4nagios_templatedir}.special
+%dir %{pnp4nagios_templatedir}
%{nagios_plugindir}/check_bind
-%{pnp4nagios_templatedir}.special/check_bind.php
+%{pnp4nagios_templatedir}/check_bind.php
%changelog
Hello community,
here is the log from the commit of package libqt5-qttools for openSUSE:Factory checked in at 2014-04-17 14:11:37
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libqt5-qttools (Old)
and /work/SRC/openSUSE:Factory/.libqt5-qttools.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libqt5-qttools"
Changes:
--------
--- /work/SRC/openSUSE:Factory/libqt5-qttools/libqt5-qttools.changes 2014-03-27 09:30:24.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.libqt5-qttools.new/libqt5-qttools.changes 2014-04-17 14:11:38.000000000 +0200
@@ -1,0 +2,6 @@
+Wed Apr 16 22:13:03 UTC 2014 - hrvoje.senjan(a)gmail.com
+
+- Split out linguist related binaries and CMake files to separate
+ packages: libqt5-linguist and libqt5-linguist-devel.
+
+-------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libqt5-qttools.spec ++++++
--- /var/tmp/diff_new_pack.bKpof3/_old 2014-04-17 14:11:39.000000000 +0200
+++ /var/tmp/diff_new_pack.bKpof3/_new 2014-04-17 14:11:39.000000000 +0200
@@ -47,6 +47,7 @@
BuildRequires: libqt5-qtdeclarative-private-headers-devel >= %{version}
BuildRequires: libxslt-devel
BuildRequires: update-desktop-files
+Recommends: libqt5-linguist
%if %qt5_snapshot
#to create the forwarding headers
BuildRequires: perl
@@ -75,6 +76,7 @@
Requires: libQt5Designer5 = %{version}
Requires: libQt5DesignerComponents5 = %{version}
Requires: libQt5Help5 = %{version}
+Requires: libqt5-linguist-devel = %{version}
Requires: libxslt-devel
%description devel
@@ -127,6 +129,22 @@
%description -n libQt5Help5
The Qt 5 Help library.
+%package -n libqt5-linguist
+Summary: Qt 5 Linguist Tools
+Group: Development/Libraries/X11
+
+%description -n libqt5-linguist
+The Qt 5 Linguist Tools.
+
+%package -n libqt5-linguist-devel
+Summary: Qt 5 Linguist Tools - development files
+Group: Development/Libraries/X11
+Requires: libqt5-linguist = %{version}
+Requires: pkgconfig(Qt5Core) >= %{version}
+
+%description -n libqt5-linguist-devel
+The Qt 5 Linguist Tools - development files.
+
%post -p /sbin/ldconfig
%post -n libQt5CLucene5 -p /sbin/ldconfig
@@ -196,12 +214,45 @@
%files
%defattr(-,root,root,755)
%doc LGPL_EXCEPTION.txt LICENSE.FDL LICENSE.GPL LICENSE.LGPL
-%_bindir/*
-%{_libqt5_bindir}/*
-%{_datadir}/applications/*.desktop
-%{_datadir}/pixmaps/*.png
+%{_bindir}/assistant*
+%{_bindir}/designer*
+%{_bindir}/pixeltool*
+%{_bindir}/qcollectiongenerator*
+%{_bindir}/qdbus*
+%{_bindir}/qdbusviewer*
+%{_bindir}/qhelpconverter*
+%{_bindir}/qhelpgenerator*
+%{_bindir}/qtdiag*
+%{_bindir}/qtpaths*
+%{_libqt5_bindir}/assistant*
+%{_libqt5_bindir}/designer*
+%{_libqt5_bindir}/pixeltool*
+%{_libqt5_bindir}/qcollectiongenerator*
+%{_libqt5_bindir}/qdbus*
+%{_libqt5_bindir}/qdbusviewer*
+%{_libqt5_bindir}/qhelpconverter*
+%{_libqt5_bindir}/qhelpgenerator*
+%{_libqt5_bindir}/qtdiag*
+%{_libqt5_bindir}/qtpaths*
+%{_datadir}/applications/assistant5.desktop
+%{_datadir}/applications/designer5.desktop
+%{_datadir}/pixmaps/assistant5.png
+%{_datadir}/pixmaps/designer5.png
%{_libqt5_libdir}/qt5/plugins/designer
-#%_docdir/packages/libqt5
+
+%files -n libqt5-linguist
+%defattr(-,root,root,755)
+%doc LGPL_EXCEPTION.txt LICENSE.FDL LICENSE.GPL LICENSE.LGPL
+%{_bindir}/lconvert*
+%{_bindir}/linguist*
+%{_bindir}/lrelease*
+%{_bindir}/lupdate*
+%{_libqt5_bindir}/lconvert*
+%{_libqt5_bindir}/linguist*
+%{_libqt5_bindir}/lrelease*
+%{_libqt5_bindir}/lupdate*
+%{_datadir}/applications/linguist5.desktop
+%{_datadir}/pixmaps/linguist5.png
%files -n libQt5CLucene5
%defattr(-,root,root,755)
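Review bot: in the main %files list, `%{_bindir}/qdbus*` already matches qdbusviewer, so the following `%{_bindir}/qdbusviewer*` line lists the same file twice, and the same holds for the `%{_libqt5_bindir}` pair; rpmbuild warns about files listed twice. Drop the qdbusviewer lines or tighten the first glob.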
@@ -223,6 +274,12 @@
%doc LGPL_EXCEPTION.txt LICENSE.FDL LICENSE.GPL LICENSE.LGPL
%{_libqt5_libdir}/libQt5Help.so.*
+%files -n libqt5-linguist-devel
+%defattr(-,root,root,755)
+%doc LGPL_EXCEPTION.txt LICENSE.FDL LICENSE.GPL LICENSE.LGPL
+%{_libqt5_libdir}/cmake/Qt5LinguistTools/
+%{_datadir}/qt5/phrasebooks
+
%files private-headers-devel
%defattr(-,root,root,755)
%doc LGPL_EXCEPTION.txt LICENSE.FDL LICENSE.GPL LICENSE.LGPL
@@ -245,14 +302,15 @@
%{_libqt5_includedir}/QtHelp
%exclude %{_libqt5_includedir}/QtUiTools/%{so_version}
%{_libqt5_includedir}/QtUiTools
-%{_libqt5_libdir}/cmake/Qt5*
+%{_libqt5_libdir}/cmake/Qt5Designer/
+%{_libqt5_libdir}/cmake/Qt5Help/
+%{_libqt5_libdir}/cmake/Qt5UiTools/
%{_libqt5_libdir}/libQt5*.prl
%{_libqt5_libdir}/libQt5*.so
%{_libqt5_libdir}/libQt5*.a
%{_libqt5_libdir}/pkgconfig/Qt5*.pc
%{_libqt5_archdatadir}/mkspecs/modules/qt_lib_*.pri
%dir %{_datadir}/qt5
-%{_datadir}/qt5/phrasebooks
%files examples
%defattr(-,root,root,755)
Hello community,
here is the log from the commit of package python-ZConfig for openSUSE:Factory checked in at 2014-04-17 14:11:30
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-ZConfig (Old)
and /work/SRC/openSUSE:Factory/.python-ZConfig.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-ZConfig"
Changes:
--------
--- /work/SRC/openSUSE:Factory/python-ZConfig/python-ZConfig.changes 2013-09-27 18:02:45.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.python-ZConfig.new/python-ZConfig.changes 2014-04-17 14:11:31.000000000 +0200
@@ -1,0 +2,7 @@
+Wed Apr 16 17:00:09 UTC 2014 - p.drouand(a)gmail.com
+
+- Update to version 3.0.4
+ + Added Python 3.4 support
+- Implement update-alternatives
+
+-------------------------------------------------------------------
Old:
----
ZConfig-3.0.3.tar.gz
New:
----
ZConfig-3.0.4.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-ZConfig.spec ++++++
--- /var/tmp/diff_new_pack.8BZGVY/_old 2014-04-17 14:11:32.000000000 +0200
+++ /var/tmp/diff_new_pack.8BZGVY/_new 2014-04-17 14:11:32.000000000 +0200
@@ -17,7 +17,7 @@
Name: python-ZConfig
-Version: 3.0.3
+Version: 3.0.4
Release: 0
Summary: Structured Configuration Library
License: ZPL-2.1
@@ -70,16 +70,38 @@
%install
python setup.py install --prefix=%{_prefix} --root=%{buildroot}
+# Rename binaries to get package installable with py/py3 package
+mv %{buildroot}%{_bindir}/zconfig %{buildroot}%{_bindir}/zconfig-%{py_ver}
+mv %{buildroot}%{_bindir}/zconfig_schema2html %{buildroot}%{_bindir}/zconfig_schema2html-%{py_ver}
+mkdir -p %{buildroot}%{_sysconfdir}/alternatives
+touch %{buildroot}%{_sysconfdir}/alternatives/zconfig
+ln -sf %{_sysconfdir}/alternatives/zconfig %{buildroot}/%{_bindir}/zconfig
+touch %{buildroot}%{_sysconfdir}/alternatives/zconfig_schema2html
+ln -sf %{_sysconfdir}/alternatives/zconfig_schema2html %{buildroot}/%{_bindir}/zconfig_schema2html
%check
python setup.py test -v
+%post
+update-alternatives \
+ --install %{_bindir}/zconfig zconfig %{_bindir}/zconfig-%{py_ver} 30 \
+ --slave %{_bindir}/zconfig_schema2html zconfig_schema2html %{_bindir}/zconfig_schema2html-%{py_ver}
+
+%preun
+if [ $1 -eq 0 ] ; then
+ update-alternatives --remove zconfig %{_bindir}/zconfig-%{py_ver}
+fi
+
%files
%defattr(-,root,root)
%doc CHANGES.txt COPYRIGHT.txt LICENSE.txt PKG-INFO README.txt
%{python_sitelib}/*
+%ghost %{_sysconfdir}/alternatives/zconfig
+%ghost %{_sysconfdir}/alternatives/zconfig_schema2html
%{_bindir}/zconfig
+%{_bindir}/zconfig-%{py_ver}
%{_bindir}/zconfig_schema2html
+%{_bindir}/zconfig_schema2html-%{py_ver}
%files doc
%defattr(-,root,root,-)
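Review bot: the new %post and %preun scriptlets call update-alternatives, but this hunk adds no Requires(post)/Requires(preun) on it; confirm the preamble carries them, otherwise the scriptlets can run before the tool is installed. The %install lines also mix `%{buildroot}%{_bindir}` and `%{buildroot}/%{_bindir}`; use one form throughout.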
++++++ ZConfig-3.0.3.tar.gz -> ZConfig-3.0.4.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ZConfig-3.0.3/.gitignore new/ZConfig-3.0.4/.gitignore
--- old/ZConfig-3.0.3/.gitignore 2013-03-03 00:07:52.000000000 +0100
+++ new/ZConfig-3.0.4/.gitignore 2014-03-20 20:47:05.000000000 +0100
@@ -1,4 +1,9 @@
*.pyc
*.egg-info
__pycache__
-.tox
+.tox/
+.installed.cfg
+bin/
+develop-eggs/
+eggs/
+parts/
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ZConfig-3.0.3/.travis.yml new/ZConfig-3.0.4/.travis.yml
--- old/ZConfig-3.0.3/.travis.yml 1970-01-01 01:00:00.000000000 +0100
+++ new/ZConfig-3.0.4/.travis.yml 2014-03-20 20:47:05.000000000 +0100
@@ -0,0 +1,12 @@
+language: python
+python:
+ - 2.6
+ - 2.7
+ - 3.2
+ - 3.3
+install:
+ - pip install . --use-mirrors
+script:
+ - python setup.py test -q
+notifications:
+ email: false
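Review bot: the python matrix stops at 3.3, while the only changelog item for this release is Python 3.4 support and tox.ini gains py34, so CI never exercises the version being advertised. Add 3.4 to the list.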
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ZConfig-3.0.3/CHANGES.txt new/ZConfig-3.0.4/CHANGES.txt
--- old/ZConfig-3.0.3/CHANGES.txt 2013-03-03 00:39:07.000000000 +0100
+++ new/ZConfig-3.0.4/CHANGES.txt 2014-03-20 20:48:28.000000000 +0100
@@ -2,6 +2,11 @@
Change History for ZConfig
==========================
+3.0.4 (2014-03-20)
+------------------
+
+- Added Python 3.4 support.
+
3.0.3 (2013-03-02)
------------------
@@ -28,7 +33,7 @@
- Added Python 3.3 support.
-- Droped Python 2.4 and 2.5 support.
+- Dropped Python 2.4 and 2.5 support.
2.9.3 (2012-06-25)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ZConfig-3.0.3/PKG-INFO new/ZConfig-3.0.4/PKG-INFO
--- old/ZConfig-3.0.3/PKG-INFO 2013-03-03 00:40:47.000000000 +0100
+++ new/ZConfig-3.0.4/PKG-INFO 2014-03-20 20:49:27.000000000 +0100
@@ -1,6 +1,6 @@
Metadata-Version: 1.0
Name: ZConfig
-Version: 3.0.3
+Version: 3.0.4
Summary: Structured Configuration Library
Home-page: http://www.zope.org/Members/fdrake/zconfig/
Author: Zope Foundation and Contributors
@@ -106,6 +106,11 @@
Change History for ZConfig
==========================
+ 3.0.4 (2014-03-20)
+ ------------------
+
+ - Added Python 3.4 support.
+
3.0.3 (2013-03-02)
------------------
@@ -132,7 +137,7 @@
- Added Python 3.3 support.
- - Droped Python 2.4 and 2.5 support.
+ - Dropped Python 2.4 and 2.5 support.
2.9.3 (2012-06-25)
@@ -379,6 +384,7 @@
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.2
Classifier: Programming Language :: Python :: 3.3
+Classifier: Programming Language :: Python :: 3.4
Classifier: Programming Language :: Python :: Implementation :: CPython
Classifier: Operating System :: OS Independent
Classifier: Topic :: Software Development
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ZConfig-3.0.3/ZConfig.egg-info/PKG-INFO new/ZConfig-3.0.4/ZConfig.egg-info/PKG-INFO
--- old/ZConfig-3.0.3/ZConfig.egg-info/PKG-INFO 2013-03-03 00:40:47.000000000 +0100
+++ new/ZConfig-3.0.4/ZConfig.egg-info/PKG-INFO 2014-03-20 20:49:26.000000000 +0100
@@ -1,6 +1,6 @@
Metadata-Version: 1.0
Name: ZConfig
-Version: 3.0.3
+Version: 3.0.4
Summary: Structured Configuration Library
Home-page: http://www.zope.org/Members/fdrake/zconfig/
Author: Zope Foundation and Contributors
@@ -106,6 +106,11 @@
Change History for ZConfig
==========================
+ 3.0.4 (2014-03-20)
+ ------------------
+
+ - Added Python 3.4 support.
+
3.0.3 (2013-03-02)
------------------
@@ -132,7 +137,7 @@
- Added Python 3.3 support.
- - Droped Python 2.4 and 2.5 support.
+ - Dropped Python 2.4 and 2.5 support.
2.9.3 (2012-06-25)
@@ -379,6 +384,7 @@
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.2
Classifier: Programming Language :: Python :: 3.3
+Classifier: Programming Language :: Python :: 3.4
Classifier: Programming Language :: Python :: Implementation :: CPython
Classifier: Operating System :: OS Independent
Classifier: Topic :: Software Development
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ZConfig-3.0.3/ZConfig.egg-info/SOURCES.txt new/ZConfig-3.0.4/ZConfig.egg-info/SOURCES.txt
--- old/ZConfig-3.0.3/ZConfig.egg-info/SOURCES.txt 2013-03-03 00:40:47.000000000 +0100
+++ new/ZConfig-3.0.4/ZConfig.egg-info/SOURCES.txt 2014-03-20 20:49:27.000000000 +0100
@@ -1,4 +1,5 @@
.gitignore
+.travis.yml
CHANGES.txt
COPYRIGHT.txt
LICENSE.txt
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ZConfig-3.0.3/bootstrap.py new/ZConfig-3.0.4/bootstrap.py
--- old/ZConfig-3.0.3/bootstrap.py 2013-03-02 23:53:00.000000000 +0100
+++ new/ZConfig-3.0.4/bootstrap.py 2014-03-20 20:47:05.000000000 +0100
@@ -18,7 +18,11 @@
use the -c option to specify an alternate configuration file.
"""
-import os, shutil, sys, tempfile
+import os
+import shutil
+import sys
+import tempfile
+
from optparse import OptionParser
tmpeggs = tempfile.mkdtemp()
@@ -31,8 +35,8 @@
Simply run this script in a directory containing a buildout.cfg, using the
Python that you want bin/buildout to use.
-Note that by using --setup-source and --download-base to point to
-local resources, you can keep this script from going over the network.
+Note that by using --find-links to point to local resources, you can keep
+this script from going over the network.
'''
parser = OptionParser(usage=usage)
@@ -48,23 +52,21 @@
"bootstrap and buildout will get the newest releases "
"even if they are alphas or betas."))
parser.add_option("-c", "--config-file",
- help=("Specify the path to the buildout configuration "
- "file to be used."))
+ help=("Specify the path to the buildout configuration "
+ "file to be used."))
parser.add_option("-f", "--find-links",
- help=("Specify a URL to search for buildout releases"))
+ help=("Specify a URL to search for buildout releases"))
options, args = parser.parse_args()
######################################################################
-# load/install distribute
+# load/install setuptools
to_reload = False
try:
- import pkg_resources, setuptools
- if not hasattr(pkg_resources, '_distribute'):
- to_reload = True
- raise ImportError
+ import pkg_resources
+ import setuptools
except ImportError:
ez = {}
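Review bot: with the `_distribute` check removed, to_reload is initialised to False and never set to True, so the `if to_reload:` block further down is dead code. Remove the variable and the block together.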
@@ -73,8 +75,10 @@
except ImportError:
from urllib2 import urlopen
- exec(urlopen('http://python-distribute.org/distribute_setup.py').read(), ez)
- setup_args = dict(to_dir=tmpeggs, download_delay=0, no_fake=True)
+ # XXX use a more permanent ez_setup.py URL when available.
+ exec(urlopen('https://bitbucket.org/pypa/setuptools/raw/0.7.2/ez_setup.py'
+ ).read(), ez)
+ setup_args = dict(to_dir=tmpeggs, download_delay=0)
ez['use_setuptools'](**setup_args)
if to_reload:
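Review bot: the exec() of the downloaded ez_setup.py still runs whatever the server returns with no integrity check. Moving to https and a path pinned at 0.7.2 helps, but urlopen() in Python 2.6, 2.7 and 3.2/3.3 as of this release does not verify the server certificate by default, so the fetch is not authenticated. Compare the download against a known digest before calling exec().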
@@ -89,7 +93,7 @@
######################################################################
# Install buildout
-ws = pkg_resources.working_set
+ws = pkg_resources.working_set
cmd = [sys.executable, '-c',
'from setuptools.command.easy_install import main; main()',
@@ -104,8 +108,8 @@
if find_links:
cmd.extend(['-f', find_links])
-distribute_path = ws.find(
- pkg_resources.Requirement.parse('distribute')).location
+setuptools_path = ws.find(
+ pkg_resources.Requirement.parse('setuptools')).location
requirement = 'zc.buildout'
version = options.version
@@ -113,13 +117,14 @@
# Figure out the most recent final version of zc.buildout.
import setuptools.package_index
_final_parts = '*final-', '*final'
+
def _final_version(parsed_version):
for part in parsed_version:
if (part[:1] == '*') and (part not in _final_parts):
return False
return True
index = setuptools.package_index.PackageIndex(
- search_path=[distribute_path])
+ search_path=[setuptools_path])
if find_links:
index.add_find_links((find_links,))
req = pkg_resources.Requirement.parse(requirement)
@@ -142,7 +147,7 @@
cmd.append(requirement)
import subprocess
-if subprocess.call(cmd, env=dict(os.environ, PYTHONPATH=distribute_path)) != 0:
+if subprocess.call(cmd, env=dict(os.environ, PYTHONPATH=setuptools_path)) != 0:
raise Exception(
"Failed to execute command:\n%s",
repr(cmd)[1:-1])
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ZConfig-3.0.3/setup.cfg new/ZConfig-3.0.4/setup.cfg
--- old/ZConfig-3.0.3/setup.cfg 2013-03-03 00:40:47.000000000 +0100
+++ new/ZConfig-3.0.4/setup.cfg 2014-03-20 20:49:27.000000000 +0100
@@ -1,7 +1,7 @@
[bdist_rpm]
doc_files =
LICENSE.txt
- NEWS.txt
+ CHANGES.txt
README.txt
doc/schema.dtd
doc/zconfig.pdf
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ZConfig-3.0.3/setup.py new/ZConfig-3.0.4/setup.py
--- old/ZConfig-3.0.3/setup.py 2013-03-03 00:39:30.000000000 +0100
+++ new/ZConfig-3.0.4/setup.py 2014-03-20 20:48:34.000000000 +0100
@@ -18,7 +18,7 @@
options = dict(
name="ZConfig",
- version='3.0.3',
+ version='3.0.4',
author="Fred L. Drake, Jr.",
author_email="fred(a)zope.com",
maintainer="Zope Foundation and Contributors",
@@ -55,6 +55,7 @@
'Programming Language :: Python :: 3',
'Programming Language :: Python :: 3.2',
'Programming Language :: Python :: 3.3',
+ 'Programming Language :: Python :: 3.4',
'Programming Language :: Python :: Implementation :: CPython',
'Operating System :: OS Independent',
'Topic :: Software Development',
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ZConfig-3.0.3/tox.ini new/ZConfig-3.0.4/tox.ini
--- old/ZConfig-3.0.3/tox.ini 2013-03-03 00:09:20.000000000 +0100
+++ new/ZConfig-3.0.4/tox.ini 2014-03-20 20:44:58.000000000 +0100
@@ -1,5 +1,5 @@
[tox]
-envlist = py26,py27,py32,py33
+envlist = py26,py27,py32,py33,py34
[testenv]
commands =
Hello community,
here is the log from the commit of package vlc for openSUSE:Factory checked in at 2014-04-17 14:11:17
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/vlc (Old)
and /work/SRC/openSUSE:Factory/.vlc.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "vlc"
Changes:
--------
--- /work/SRC/openSUSE:Factory/vlc/vlc.changes 2014-03-10 12:46:54.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.vlc.new/vlc.changes 2014-04-17 14:11:18.000000000 +0200
@@ -1,0 +2,5 @@
+Tue Apr 15 20:14:20 CEST 2014 - ohering(a)suse.de
+
+- Require plain lua-devel instead of lua51-devel for 12.1 or older
+
+-------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ vlc.spec ++++++
--- /var/tmp/diff_new_pack.TeXkpa/_old 2014-04-17 14:11:19.000000000 +0200
+++ /var/tmp/diff_new_pack.TeXkpa/_new 2014-04-17 14:11:19.000000000 +0200
@@ -98,7 +98,11 @@
%if 0%{?suse_version} >= 1310 || 0%{?BUILD_ORIG}
BuildRequires: live555-devel
%endif
+%if 0%{?suse_version} >= 1220
BuildRequires: lua51-devel
+%else
+BuildRequires: lua-devel >= 5.1.0
+%endif
BuildRequires: pcre-devel
%if 0%{?suse_version} >= 1220
BuildRequires: projectM-devel
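Review bot: The %else branch (BuildRequires: lua-devel >= 5.1.0) sets only a lower bound, while the other branch selects the 5.1 series by package name (lua51-devel). If the build depends on the 5.1 API, which the lua51-devel choice suggests, add an upper bound to the fallback as well (a second line "BuildRequires: lua-devel < 5.2"). A one-line comment that 1220 separates 12.2 and newer from 12.1 and older would also let the condition be checked against the changelog entry.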
Hello community,
here is the log from the commit of package python-boto for openSUSE:Factory checked in at 2014-04-17 14:11:09
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-boto (Old)
and /work/SRC/openSUSE:Factory/.python-boto.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-boto"
Changes:
--------
--- /work/SRC/openSUSE:Factory/python-boto/python-boto-doc.changes 2014-03-12 19:09:01.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.python-boto.new/python-boto-doc.changes 2014-04-17 14:11:11.000000000 +0200
@@ -1,0 +2,7 @@
+Wed Apr 16 16:30:50 UTC 2014 - rschweikert(a)suse.com
+
+- update to version 2.27.0
+ + removed patch boto_useSystemCerts.patch
+ + updated doc explaining use of "system" keyword
+
+-------------------------------------------------------------------
@@ -11 +18 @@
- + no upstream doc cahnges in changelog
+ + no upstream doc changes in changelog
--- /work/SRC/openSUSE:Factory/python-boto/python-boto.changes 2014-03-12 19:09:01.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.python-boto.new/python-boto.changes 2014-04-17 14:11:11.000000000 +0200
@@ -1,0 +2,24 @@
+Wed Apr 16 16:27:28 UTC 2014 - rschweikert(a)suse.com
+
+- add previously missing dependency for python-paramiko
+- update to version 2.27.0
+ + remove boto_useSystemCerts.patch, changes included in new version
+ + Added support for AccessLog in ELB (issue 2150, commit 7aa35ea)
+ + Added better BlockDeviceType deserialization in Autoscaling.
+ (issue 2149, commit 04d29a5)
+ + Updated CloudFormation documentation (issue 2147, commit 2535aca)
+ + Updated Kinesis documentation (issue 2146, commit 01425dc)
+ + Add optional bucket tags to lss3 output. (issue 2132, commit 0f35924)
+ + Fix getting instance types for Eucalyptus 4.0. (issue 2118, commit 18dc07d)
+ + Fixed how quoted strings are handled in SigV4 (issue 2142, commit 2467547)
+ + Use system supplied certs without a bundle file (issue 2139, commit 70d15b8)
+ + Fixed incorrect test failures in EC2 trim_snapshots (commit 1fa9df7)
+ + Raise any exceptions that are tagSet not found (commit 56d7d3e)
+ + Added request hook docs (issue 2129, commit 64eedce)
+ + Fixed Route53 alias-healthcheck (issue 2126, commit 141077f)
+ + Fixed Elastic IP association in EC2 (issue 2131, issue 1310, commit d75fdfa)
+ + Fixed builds on Travis for installing dependencies (commit 5e84e30)
+ + Support printing tags on buckets when listing buckets (commit c42a5dd)
+ + PEP8/pyflakes/(some)pylint (commit 149175e)
+
+-------------------------------------------------------------------
Old:
----
boto-2.26.0.tar.gz
boto_useSystemCerts.patch
New:
----
boto-2.27.0.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-boto-doc.spec ++++++
--- /var/tmp/diff_new_pack.YvTLwz/_old 2014-04-17 14:11:12.000000000 +0200
+++ /var/tmp/diff_new_pack.YvTLwz/_new 2014-04-17 14:11:12.000000000 +0200
@@ -17,7 +17,7 @@
Name: python-boto-doc
-Version: 2.26.0
+Version: 2.27.0
Release: 0
Url: http://code.google.com/p/boto/
Summary: Amazon Web Services Library
++++++ python-boto.spec ++++++
--- /var/tmp/diff_new_pack.YvTLwz/_old 2014-04-17 14:11:12.000000000 +0200
+++ /var/tmp/diff_new_pack.YvTLwz/_new 2014-04-17 14:11:12.000000000 +0200
@@ -17,7 +17,7 @@
Name: python-boto
-Version: 2.26.0
+Version: 2.27.0
Release: 0
Url: http://code.google.com/p/boto/
Summary: Amazon Web Services Library
@@ -25,8 +25,8 @@
Group: Development/Languages/Python
Source: boto-%{version}.tar.gz
Source1: boto.cfg
-Patch0: boto_useSystemCerts.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
+Requires: python-paramiko
Requires: python-xml
BuildRequires: fdupes
BuildRequires: python-devel
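Review bot: Removing "Patch0: boto_useSystemCerts.patch" touches how the package selects its TLS trust store, and nothing in this mail lets a reviewer confirm the replacement: the tarball diff is skipped and the content of "Source1: boto.cfg" is not shown. The changelog attributes the behaviour to upstream (issue 2139, commit 70d15b8) and the doc entry mentions a "system" keyword, so please confirm that the shipped boto.cfg selects it and that certificate validation still runs against the system CA store after the update.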
@@ -51,7 +51,6 @@
%prep
%setup -q -n boto-%{version}
-%patch0 -p1
%build
python setup.py build
++++++ boto-2.26.0.tar.gz -> boto-2.27.0.tar.gz ++++++
++++ 1702 lines of diff (skipped)
Hello community,
here is the log from the commit of package libqt5-creator for openSUSE:Factory checked in at 2014-04-17 14:11:03
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libqt5-creator (Old)
and /work/SRC/openSUSE:Factory/.libqt5-creator.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libqt5-creator"
Changes:
--------
--- /work/SRC/openSUSE:Factory/libqt5-creator/libqt5-creator.changes 2014-04-05 16:47:12.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.libqt5-creator.new/libqt5-creator.changes 2014-04-17 14:11:03.000000000 +0200
@@ -1,0 +2,7 @@
+Wed Apr 16 15:15:51 UTC 2014 - hrvoje.senjan(a)gmail.com
+
+- Update to 3.1.0 final
+ * For full changelog see:
+ https://qt.gitorious.org/qt-creator/qt-creator/source/3.1:dist/changes-3.1.0
+
+-------------------------------------------------------------------
Old:
----
qt-creator-opensource-src-3.1.0-rc1.tar.gz
New:
----
qt-creator-opensource-src-3.1.0.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libqt5-creator.spec ++++++
--- /var/tmp/diff_new_pack.unfBuQ/_old 2014-04-17 14:11:06.000000000 +0200
+++ /var/tmp/diff_new_pack.unfBuQ/_new 2014-04-17 14:11:06.000000000 +0200
@@ -17,16 +17,16 @@
Name: libqt5-creator
-Version: 3.1.0~rc1
+Version: 3.1.0
Release: 0
Summary: Lightweight IDE
License: SUSE-LGPL-2.1-with-digia-exception-1.1
Group: Development/Tools/IDE
Url: http://qt.digia.com/Product/Developer-Tools/
-%define rversion 3.1.0-rc1
+%define rversion 3.1.0
%define rname qt-creator
%define qt5_version 5.3.0~beta
-Source: http://download.qt-project.org/development_releases/qtcreator/3.1/%{rversio…
+Source: http://download.qt-project.org/official_releases/qtcreator/3.1/%{rversion}/…
Source1: %{name}-rpmlintrc
Source2: qtcreator.desktop
# PATCH-FIX-UPSTREAM qbs-path.diff -- install qbs plugin to sane location
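Review bot: The Source line still fetches over http://, and no signature or checksum source appears among the Source lines in this hunk, so the tarball replacement reported further down as "differ: char 5, line 1" cannot be verified from the spec alone; add a signature source if upstream publishes one. The context line "%define qt5_version 5.3.0~beta" also still names a pre-release Qt while the package itself moves to the final 3.1.0, which deserves a word in the changelog if it is intended.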
++++++ qt-creator-opensource-src-3.1.0-rc1.tar.gz -> qt-creator-opensource-src-3.1.0.tar.gz ++++++
/work/SRC/openSUSE:Factory/libqt5-creator/qt-creator-opensource-src-3.1.0-rc1.tar.gz /work/SRC/openSUSE:Factory/.libqt5-creator.new/qt-creator-opensource-src-3.1.0.tar.gz differ: char 5, line 1
Hello community,
here is the log from the commit of package libqca2 for openSUSE:Factory checked in at 2014-04-17 14:10:59
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libqca2 (Old)
and /work/SRC/openSUSE:Factory/.libqca2.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libqca2"
Changes:
--------
--- /work/SRC/openSUSE:Factory/libqca2/libqca2.changes 2013-10-14 09:29:26.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.libqca2.new/libqca2.changes 2014-04-17 14:11:01.000000000 +0200
@@ -1,0 +2,6 @@
+Wed Apr 16 16:13:46 UTC 2014 - hrvoje.senjan(a)gmail.com
+
+- Added detect_ssl2_available.diff: fix build with no-ssl2 in
+ openssl lib
+
+-------------------------------------------------------------------
New:
----
detect_ssl2_available.diff
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libqca2.spec ++++++
--- /var/tmp/diff_new_pack.RYieOz/_old 2014-04-17 14:11:03.000000000 +0200
+++ /var/tmp/diff_new_pack.RYieOz/_new 2014-04-17 14:11:03.000000000 +0200
@@ -1,7 +1,7 @@
#
# spec file for package libqca2
#
-# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -58,6 +58,8 @@
Patch1: r928413.diff
Patch2: disable-insecure-ssl.diff
Patch3: qca-2.0.3-gcc47.patch
+# PATCH-FIX-UPSTREAM detect_ssl2_available.diff -- fix build with no-ssl2 in openssl lib
+Patch4: detect_ssl2_available.diff
Requires: gpg2 >= 2.0.0
%requires_eq libqt4
@@ -191,6 +193,7 @@
popd
pushd qca-ossl-*
%patch2
+%patch4 -p1
popd
cd ../../..
%setup -D -q -n qca-%{tar_version}
++++++ detect_ssl2_available.diff ++++++
Description: fix compile when openssl doesn't support ssl2
Origin: upstream, http://websvn.kde.org/?view=revision&revision=1230301
--- qca-ossl/qca-ossl.cpp
+++ qca-ossl/qca-ossl.cpp
@@ -5235,9 +5235,11 @@
OpenSSL_add_ssl_algorithms();
SSL_CTX *ctx = 0;
switch (version) {
+#ifndef OPENSSL_NO_SSL2
case TLS::SSL_v2:
ctx = SSL_CTX_new(SSLv2_client_method());
break;
+#endif
case TLS::SSL_v3:
ctx = SSL_CTX_new(SSLv3_client_method());
break;
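Review bot: With OPENSSL_NO_SSL2 defined, a request for TLS::SSL_v2 matches none of the cases shown here and leaves ctx at its initial value from "SSL_CTX *ctx = 0;". The hunk shows neither a default label nor a null check after the switch, so confirm that the code following it rejects a null ctx and reports the protocol as unsupported instead of handing it to later OpenSSL calls. The TLS::SSL_v3 case stays unguarded and would hit the same build failure on an OpenSSL built without SSLv3.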
17 Apr '14
Hello community,
here is the log from the commit of package yast2-online-update-configuration for openSUSE:Factory checked in at 2014-04-17 14:09:59
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/yast2-online-update-configuration (Old)
and /work/SRC/openSUSE:Factory/.yast2-online-update-configuration.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "yast2-online-update-configuration"
Changes:
--------
--- /work/SRC/openSUSE:Factory/yast2-online-update-configuration/yast2-online-update-configuration.changes 2014-03-27 06:11:36.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.yast2-online-update-configuration.new/yast2-online-update-configuration.changes 2014-04-17 14:09:59.000000000 +0200
@@ -1,0 +2,7 @@
+Wed Apr 16 13:29:46 UTC 2014 - lslezak(a)suse.cz
+
+- registration client has been renamed to "scc" (bnc#870869)
+- zypp_config.rb: fixed a typo in the constant name
+- 3.1.5
+
+-------------------------------------------------------------------
Old:
----
yast2-online-update-configuration-3.1.4.tar.bz2
New:
----
yast2-online-update-configuration-3.1.5.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ yast2-online-update-configuration.spec ++++++
--- /var/tmp/diff_new_pack.AjYVne/_old 2014-04-17 14:10:00.000000000 +0200
+++ /var/tmp/diff_new_pack.AjYVne/_new 2014-04-17 14:10:00.000000000 +0200
@@ -17,7 +17,7 @@
Name: yast2-online-update-configuration
-Version: 3.1.4
+Version: 3.1.5
Release: 0
BuildRoot: %{_tmppath}/%{name}-%{version}-build
++++++ yast2-online-update-configuration-3.1.4.tar.bz2 -> yast2-online-update-configuration-3.1.5.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-online-update-configuration-3.1.4/package/yast2-online-update-configuration.changes new/yast2-online-update-configuration-3.1.5/package/yast2-online-update-configuration.changes
--- old/yast2-online-update-configuration-3.1.4/package/yast2-online-update-configuration.changes 2014-03-26 15:54:03.000000000 +0100
+++ new/yast2-online-update-configuration-3.1.5/package/yast2-online-update-configuration.changes 2014-04-16 15:39:35.000000000 +0200
@@ -1,4 +1,11 @@
-------------------------------------------------------------------
+Wed Apr 16 13:29:46 UTC 2014 - lslezak(a)suse.cz
+
+- registration client has been renamed to "scc" (bnc#870869)
+- zypp_config.rb: fixed a typo in the constant name
+- 3.1.5
+
+-------------------------------------------------------------------
Wed Mar 26 14:56:00 UTC 2014 - robin.roth(a)kit.edu
- Rerun zypper if it returns 103 which indicates that an update to
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-online-update-configuration-3.1.4/package/yast2-online-update-configuration.spec new/yast2-online-update-configuration-3.1.5/package/yast2-online-update-configuration.spec
--- old/yast2-online-update-configuration-3.1.4/package/yast2-online-update-configuration.spec 2014-03-26 15:54:03.000000000 +0100
+++ new/yast2-online-update-configuration-3.1.5/package/yast2-online-update-configuration.spec 2014-04-16 15:39:35.000000000 +0200
@@ -17,7 +17,7 @@
Name: yast2-online-update-configuration
-Version: 3.1.4
+Version: 3.1.5
Release: 0
BuildRoot: %{_tmppath}/%{name}-%{version}-build
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-online-update-configuration-3.1.4/src/clients/online_update_configuration.rb new/yast2-online-update-configuration-3.1.5/src/clients/online_update_configuration.rb
--- old/yast2-online-update-configuration-3.1.4/src/clients/online_update_configuration.rb 2014-03-26 15:54:03.000000000 +0100
+++ new/yast2-online-update-configuration-3.1.5/src/clients/online_update_configuration.rb 2014-04-16 15:39:35.000000000 +0200
@@ -249,8 +249,8 @@
end
if @ret == :register
- if WFM.ClientExists("inst_suse_register")
- WFM.call("inst_suse_register")
+ if WFM.ClientExists("scc")
+ WFM.call("scc")
else
Popup.Error(
_("The registration module is not available.") + "\n" +
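Review bot: The check replaces "inst_suse_register" outright, so a system that has only the old client installed now falls into the Popup.Error branch. If that combination can occur during the transition, try "scc" first and fall back to "inst_suse_register" before showing the error; otherwise make sure the package that provides the scc client is a declared dependency.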
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-online-update-configuration-3.1.4/src/lib/online-update-configuration/zypp_config.rb new/yast2-online-update-configuration-3.1.5/src/lib/online-update-configuration/zypp_config.rb
--- old/yast2-online-update-configuration-3.1.4/src/lib/online-update-configuration/zypp_config.rb 2014-03-26 15:54:03.000000000 +0100
+++ new/yast2-online-update-configuration-3.1.5/src/lib/online-update-configuration/zypp_config.rb 2014-04-16 15:39:35.000000000 +0200
@@ -27,10 +27,10 @@
def set_delta_rpm_config_value new_value
return if new_value == use_deltarpm?
- Yast::SCR.Write(CONFIG_USE_DELTA_RPM, new_value)
+ Yast::SCR.Write(CONFIG_USE_DELTARPM, new_value)
end
def get_delta_rpm_config_value
- Yast::SCR.Read(CONFIG_USE_DELTA_RPM)
+ Yast::SCR.Read(CONFIG_USE_DELTARPM)
end
end
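Review bot: Both accessors referenced CONFIG_USE_DELTA_RPM, and if that name was never defined, as the changelog's "typo in the constant name" implies, every call to set_delta_rpm_config_value or get_delta_rpm_config_value raised NameError at run time. No test file is touched in this commit; add a unit test that stubs Yast::SCR and calls both methods so a misspelled constant fails in the test suite instead of in the running module.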
Hello community,
here is the log from the commit of package WindowMaker for openSUSE:Factory checked in at 2014-04-17 14:09:52
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/WindowMaker (Old)
and /work/SRC/openSUSE:Factory/.WindowMaker.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "WindowMaker"
Changes:
--------
--- /work/SRC/openSUSE:Factory/WindowMaker/WindowMaker.changes 2013-09-27 19:29:36.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.WindowMaker.new/WindowMaker.changes 2014-04-17 14:09:54.000000000 +0200
@@ -1,0 +2,10 @@
+Thu Apr 10 20:57:27 UTC 2014 - sfalken(a)opensuse.org
+
+- Added --prefix=/usr and --datadir=/usr/share to %configure to
+ correct paths to better match with other WindowManagers in
+ openSUSE
+- Updated WindowMaker-menu.patch with corrected paths
+- Created patch to fix wmgenmenu to remove hardcodes in source
+ Add: fix_wmgenmenu_paths.patch
+
+-------------------------------------------------------------------
New:
----
fix_wmgenmenu_paths.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ WindowMaker.spec ++++++
--- /var/tmp/diff_new_pack.917hrF/_old 2014-04-17 14:09:55.000000000 +0200
+++ /var/tmp/diff_new_pack.917hrF/_new 2014-04-17 14:09:55.000000000 +0200
@@ -1,7 +1,7 @@
#
# spec file for package WindowMaker
#
-# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -35,6 +35,7 @@
Source7: %{name}-rpmlintrc
Patch1: %{name}-config.patch
Patch2: %{name}-menu.patch
+Patch3: fix_wmgenmenu_paths.patch
#
Patch101: wm-giflib.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
@@ -93,7 +94,8 @@
mkdir menu_orig
cp %{name}/{menu.*,plmenu.*} menu_orig
%patch1
-%patch2
+%patch2 -p1
+%patch3 -p1
%patch101
cp %{S:4} .
cp %{S:6} .
@@ -113,6 +115,8 @@
%endif
export CFLAGS="$RPM_OPT_FLAGS $(freetype-config --cflags)"
%configure \
+ --prefix=/usr \
+ --datadir=/usr/share \
--disable-static \
--with-pic\
--sysconfdir=/etc/X11 \
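Review bot: --prefix=/usr and --datadir=/usr/share are hard-coded on top of %configure, which already passes --prefix=%{_prefix} and --datadir=%{_datadir}. If the macro's values were not taking effect, the changelog should say why; otherwise drop the two lines or write them with the macros so the spec keeps following the distribution's path definitions.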
@@ -125,6 +129,7 @@
make %{?_smp_mflags}
(cd %{name}-extra-0.1
%configure \
+ --prefix=/usr \
--disable-static \
--with-pic\
--with-pixmapdir=/usr/share/%{name}/Pixmaps
++++++ WindowMaker-menu.patch ++++++
++++ 1111 lines (skipped)
++++ between /work/SRC/openSUSE:Factory/WindowMaker/WindowMaker-menu.patch
++++ and /work/SRC/openSUSE:Factory/.WindowMaker.new/WindowMaker-menu.patch
++++++ fix_wmgenmenu_paths.patch ++++++
>From 3981805ec78adf4479f0988cfc2174a02d58a738 Mon Sep 17 00:00:00 2001
From: "Carlos R. Mafra" <crmafra(a)gmail.com>
Date: Thu, 10 Apr 2014 19:34:48 +0100
Subject: [PATCH] wmgenmenu: Write paths according to options set at configure
time
As reported by Shawn W Dunn, the configuration strings written by wmgenmenu
in $HOME/GNUstep/Defaults/WMRootMenu were not reflecting his installation
directories choices.
Fix this by writing strings composed with PKGDATADIR.
Signed-off-by: Carlos R. Mafra <crmafra(a)gmail.com>
---
diff -rupN WindowMaker-0.95.4.old/util/wmgenmenu.c WindowMaker-0.95.4/util/wmgenmenu.c
--- WindowMaker-0.95.4.old/util/wmgenmenu.c 2013-01-09 13:42:39.000000000 -0800
+++ WindowMaker-0.95.4/util/wmgenmenu.c 2014-04-10 13:02:00.693514632 -0700
@@ -35,6 +35,13 @@ int main(int argc, char *argv[])
{
char *t;
int ch;
+ char *tmp, *theme_paths, *style_paths, *icon_paths, *bg_paths;
+
+ tmp = wstrconcat("-noext ", PKGDATADIR);
+ theme_paths = wstrconcat(tmp, "/Themes $HOME/GNUstep/Library/WindowMaker/Themes WITH setstyle");
+ style_paths = wstrconcat(tmp, "/Styles $HOME/GNUstep/Library/WindowMaker/Styles WITH setstyle");
+ icon_paths = wstrconcat(tmp, "/IconSets $HOME/GNUstep/Library/WindowMaker/IconSets WITH seticons");
+ bg_paths = wstrconcat(tmp, "/Backgrounds $HOME/GNUstep/Library/WindowMaker/Backgrounds WITH wmsetbg -u -t");
struct option longopts[] = {
{ "version", no_argument, NULL, 'v' },
@@ -146,7 +153,7 @@ int main(int argc, char *argv[])
L2Menu = WMCreatePLArray(
WMCreatePLString(_("Themes")),
WMCreatePLString("OPEN_MENU"),
- WMCreatePLString("-noext /usr/local/share/WindowMaker/Themes $HOME/GNUstep/Library/WindowMaker/Themes WITH setstyle"),
+ WMCreatePLString(theme_paths),
NULL
);
WMAddToPLArray(L1Menu, L2Menu);
@@ -155,7 +162,7 @@ int main(int argc, char *argv[])
L2Menu = WMCreatePLArray(
WMCreatePLString(_("Styles")),
WMCreatePLString("OPEN_MENU"),
- WMCreatePLString("-noext /usr/local/share/WindowMaker/Styles $HOME/GNUstep/Library/WindowMaker/Styles WITH setstyle"),
+ WMCreatePLString(style_paths),
NULL
);
WMAddToPLArray(L1Menu, L2Menu);
@@ -164,7 +171,7 @@ int main(int argc, char *argv[])
L2Menu = WMCreatePLArray(
WMCreatePLString(_("Icon Sets")),
WMCreatePLString("OPEN_MENU"),
- WMCreatePLString("-noext /usr/local/share/WindowMaker/IconSets $HOME/GNUstep/Library/WindowMaker/IconSets WITH seticons"),
+ WMCreatePLString(icon_paths),
NULL
);
WMAddToPLArray(L1Menu, L2Menu);
@@ -232,7 +239,7 @@ int main(int argc, char *argv[])
L3Menu = WMCreatePLArray(
WMCreatePLString(_("Images")),
WMCreatePLString("OPEN_MENU"),
- WMCreatePLString("-noext $HOME/GNUstep/Library/WindowMaker/Backgrounds WITH wmsetbg -u -t"),
+ WMCreatePLString(bg_paths),
NULL
);
WMAddToPLArray(L2Menu, L3Menu);
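Review bot: bg_paths is not a like-for-like replacement here: the removed string listed only $HOME/GNUstep/Library/WindowMaker/Backgrounds, while bg_paths is built from tmp and therefore also adds PKGDATADIR "/Backgrounds" to the Images menu. The commit message speaks only of reflecting configure-time directories, so either document the additional search path or build this one string without the PKGDATADIR prefix.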
@@ -321,7 +328,7 @@ int main(int argc, char *argv[])
L1Menu = WMCreatePLArray(
WMCreatePLString(_("Configure Window Maker")),
WMCreatePLString("EXEC"),
- WMCreatePLString("WPrefs"),
+ WMCreatePLString("/usr/lib/GNUstep/Applications/WPrefs.app/WPrefs"),
NULL
);
WMAddToPLArray(RMenu, L1Menu);
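Review bot: Replacing "WPrefs" with the absolute /usr/lib/GNUstep/Applications/WPrefs.app/WPrefs introduces a new hard-coded path in a patch whose stated goal is to compose paths from configure-time settings. The menu entry breaks on any installation where the application directory differs (another prefix, or a lib64 libdir); derive it from a configure-provided define in the way the other strings use PKGDATADIR, or keep the bare command name and rely on PATH.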
Hello community,
here is the log from the commit of package strongswan for openSUSE:Factory checked in at 2014-04-17 14:09:47
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/strongswan (Old)
and /work/SRC/openSUSE:Factory/.strongswan.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "strongswan"
Changes:
--------
--- /work/SRC/openSUSE:Factory/strongswan/strongswan.changes 2013-11-01 17:44:21.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.strongswan.new/strongswan.changes 2014-04-17 14:09:48.000000000 +0200
@@ -1,0 +2,72 @@
+Mon Apr 14 23:36:07 UTC 2014 - mt(a)suse.de
+
+- Updated to strongSwan 5.1.3 providing the following changes:
+ - Fixed an authentication bypass vulnerability triggered by rekeying
+ an unestablished IKEv2 SA while it gets actively initiated. This
+ allowed an attacker to trick a peer's IKE_SA state to established,
+ without the need to provide any valid authentication credentials.
+ (CVE-2014-2338, bnc#870572).
+ - The acert plugin evaluates X.509 Attribute Certificates. Group
+ membership information encoded as strings can be used to fulfill
+ authorization checks defined with the rightgroups option.
+ Attribute Certificates can be loaded locally or get exchanged in
+ IKEv2 certificate payloads.
+ - The pki command gained support to generate X.509 Attribute
+ Certificates using the --acert subcommand, while the --print
+ command supports the ac type. The openac utility has been removed
+ in favor of the new pki functionality.
+ - The libtls TLS 1.2 implementation as used by EAP-(T)TLS and other
+ protocols has been extended by AEAD mode support, currently limited
+ to AES-GCM.
+ - Fixed an issue where CRL/OCSP trustchain validation broke enforcing
+ CA constraints
+ - Limited OCSP signing to specific certificates to improve performance
+ - authKeyIdentifier is not added to self-signed certificates anymore
+ - Fixed the comparison of IKE configs if only the cipher suites were
+ different
+
+-------------------------------------------------------------------
+Wed Apr 2 05:53:21 UTC 2014 - mt(a)suse.de
+
+- Updated to strongSwan 5.1.2 providing the following changes:
+ - A new default configuration file layout is introduced. The new
+ default strongswan.conf file mainly includes config snippets from
+ the strongswan.d and strongswan.d/charon directories (the latter
+ containing snippets for all plugins). The snippets, with commented
+ defaults, are automatically generated and installed, if they don't
+ exist yet. Also installed in $prefix/share/strongswan/templates so
+ existing files can be compared to the current defaults.
+ - As an alternative to the non-extensible charon.load setting, the
+ plugins to load in charon (and optionally other applications) can
+ now be determined via the charon.plugins.<name>.load setting for
+ each plugin (enabled in the new default strongswan.conf file via the
+ charon.load_modular option). The load setting optionally takes a
+ numeric priority value that allows reordering the plugins (otherwise
+ the default plugin order is preserved).
+ - All strongswan.conf settings that were formerly defined in library
+ specific "global" sections are now application specific (e.g.
+ settings for plugins in libstrongswan.plugins can now be set only
+ for charon in charon.plugins). The old options are still supported,
+ which now allows to define defaults for all applications in the
+ libstrongswan section.
+ - The ntru libstrongswan plugin supports NTRUEncrypt as a post-quantum
+ computer IKE key exchange mechanism. The implementation is based on
+ the ntru-crypto library from the NTRUOpenSourceProject.
+ The supported security strengths are ntru112, ntru128, ntru192, and
+ ntru256. Since the private DH group IDs 1030..1033 have been
+ assigned, the strongSwan Vendor ID must be sent in order to use NTRU
+ (charon.send_vendor_id = yes).
+ - Defined a TPMRA remote attestation workitem and added support for it
+ to the Attestation IMV.
+ - Compatibility issues between IPComp (compress=yes) and
+ leftfirewall=yes as well as multiple subnets in left|rightsubnet
+ have been fixed.
+ - When enabling its "session" strongswan.conf option, the xauth-pam
+ plugin opens and closes a PAM session for each established IKE_SA.
+ Patch courtesy of Andrea Bonomi.
+ - The strongSwan unit testing framework has been rewritten without the
+ "check" dependency for improved flexibility and portability. It now
+ properly supports multi-threaded and memory leak testing and brings
+ a bunch of new test cases.
+
+-------------------------------------------------------------------
Old:
----
strongswan-5.1.1-rpmlintrc
strongswan-5.1.1.tar.bz2
strongswan-5.1.1.tar.bz2.sig
New:
----
strongswan-5.1.3-rpmlintrc
strongswan-5.1.3.tar.bz2
strongswan-5.1.3.tar.bz2.sig
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ strongswan.spec ++++++
--- /var/tmp/diff_new_pack.WspUdS/_old 2014-04-17 14:09:49.000000000 +0200
+++ /var/tmp/diff_new_pack.WspUdS/_new 2014-04-17 14:09:49.000000000 +0200
@@ -1,7 +1,7 @@
#
# spec file for package strongswan
#
-# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -17,12 +17,15 @@
Name: strongswan
-Version: 5.1.1
+Version: 5.1.3
Release: 0
%define upstream_version %{version}
%define strongswan_docdir %{_docdir}/%{name}
%define strongswan_libdir %{_libdir}/ipsec
+%define strongswan_configs %{_sysconfdir}/strongswan.d
+%define strongswan_datadir %{_datadir}/strongswan
%define strongswan_plugins %{strongswan_libdir}/plugins
+%define strongswan_templates %{strongswan_datadir}/templates
%if 0
%bcond_without tests
%else
@@ -244,7 +247,7 @@
> strongswan.init
%build
-CFLAGS="$RPM_OPT_FLAGS -W -Wall -Wno-pointer-sign -Wno-strict-aliasing"
+CFLAGS="$RPM_OPT_FLAGS -W -Wall -Wno-pointer-sign -Wno-strict-aliasing -Wno-unused-parameter"
export RPM_OPT_FLAGS CFLAGS
#libtoolize --force
#autoreconf
@@ -434,7 +437,6 @@
%{_libexecdir}/ipsec/_updown_espmark
%{_libexecdir}/ipsec/conftest
%{_libexecdir}/ipsec/duplicheck
-%{_libexecdir}/ipsec/openac
%{_libexecdir}/ipsec/pool
%{_libexecdir}/ipsec/pt-tls-client
%{_libexecdir}/ipsec/scepclient
@@ -459,13 +461,105 @@
%{strongswan_docdir}/ChangeLog
%{_mandir}/man8/_updown.8*
%{_mandir}/man8/_updown_espmark.8*
-%{_mandir}/man8/openac.8*
%{_mandir}/man8/scepclient.8*
%files libs0
%defattr(-,root,root)
%config(noreplace) %attr(600,root,root) %{_sysconfdir}/strongswan.conf
-%dir %{_libexecdir}/ipsec
+%dir %{strongswan_configs}
+%dir %{strongswan_configs}/charon
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon-logging.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/imcv.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/pool.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/starter.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/tnc.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/tools.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/addrblock.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/aes.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/af-alg.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/agent.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/attr.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/attr-sql.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/blowfish.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/ccm.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/certexpire.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/cmac.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/constraints.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/coupling.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/ctr.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/curl.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/des.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/dhcp.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/dnskey.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/duplicheck.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-aka-3gpp2.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-aka.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-dynamic.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-gtc.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-identity.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-md5.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-mschapv2.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-peap.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-radius.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-simaka-pseudonym.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-simaka-reauth.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-simaka-sql.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-sim.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-sim-file.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-sim-pcsc.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-tls.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-tnc.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-ttls.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/farp.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/fips-prf.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/gcm.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/gcrypt.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/gmp.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/ha.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/hmac.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/kernel-netlink.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/ldap.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/led.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/md4.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/md5.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/nonce.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/openssl.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pem.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pgp.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pkcs11.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pkcs12.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pkcs1.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pkcs7.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pkcs8.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pubkey.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/radattr.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/random.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/rc2.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/resolve.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/revocation.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/sha1.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/sha2.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/smp.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/socket-default.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/soup.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/sql.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/sshkey.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/stroke.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnccs-11.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnccs-20.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnccs-dynamic.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnc-imc.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnc-imv.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnc-pdp.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnc-tnccs.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/unity.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/updown.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/x509.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/xauth-eap.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/xauth-generic.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/xauth-pam.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/xcbc.conf
%dir %{strongswan_libdir}
%{strongswan_libdir}/libchecksum.so
%{strongswan_libdir}/libcharon.so.*
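Review bot: nothing in the lines shown records why every plugin config gets %attr(600,root,root). A one-line spec comment above the list stating the intent (plugin configs such as eap-radius.conf and sql.conf can hold secrets, so all of them are root-only) would keep a later packager from relaxing the mode on a single entry. The entries are also not in one consistent sort order (eap-simaka-*.conf precede eap-sim.conf, and pkcs11.conf and pkcs12.conf precede pkcs1.conf), which makes the list harder to check against the template list added further down.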
@@ -569,6 +663,109 @@
%{strongswan_plugins}/libstrongswan-xauth-pam.so
%{strongswan_plugins}/libstrongswan-xcbc.so
%dir %ghost %{_localstatedir}/run/strongswan
+%dir %{strongswan_datadir}
+%dir %{strongswan_templates}
+%dir %{strongswan_templates}/config
+%dir %{strongswan_templates}/config/plugins
+%dir %{strongswan_templates}/config/strongswan.d
+%dir %{strongswan_templates}/database
+%dir %{strongswan_templates}/database/imv
+%dir %{strongswan_templates}/database/sql
+%{strongswan_templates}/config/strongswan.conf
+%{strongswan_templates}/config/plugins/addrblock.conf
+%{strongswan_templates}/config/plugins/aes.conf
+%{strongswan_templates}/config/plugins/af-alg.conf
+%{strongswan_templates}/config/plugins/agent.conf
+%{strongswan_templates}/config/plugins/attr-sql.conf
+%{strongswan_templates}/config/plugins/attr.conf
+%{strongswan_templates}/config/plugins/blowfish.conf
+%{strongswan_templates}/config/plugins/ccm.conf
+%{strongswan_templates}/config/plugins/certexpire.conf
+%{strongswan_templates}/config/plugins/cmac.conf
+%{strongswan_templates}/config/plugins/constraints.conf
+%{strongswan_templates}/config/plugins/coupling.conf
+%{strongswan_templates}/config/plugins/ctr.conf
+%{strongswan_templates}/config/plugins/curl.conf
+%{strongswan_templates}/config/plugins/des.conf
+%{strongswan_templates}/config/plugins/dhcp.conf
+%{strongswan_templates}/config/plugins/dnskey.conf
+%{strongswan_templates}/config/plugins/duplicheck.conf
+%{strongswan_templates}/config/plugins/eap-aka-3gpp2.conf
+%{strongswan_templates}/config/plugins/eap-aka.conf
+%{strongswan_templates}/config/plugins/eap-dynamic.conf
+%{strongswan_templates}/config/plugins/eap-gtc.conf
+%{strongswan_templates}/config/plugins/eap-identity.conf
+%{strongswan_templates}/config/plugins/eap-md5.conf
+%{strongswan_templates}/config/plugins/eap-mschapv2.conf
+%{strongswan_templates}/config/plugins/eap-peap.conf
+%{strongswan_templates}/config/plugins/eap-radius.conf
+%{strongswan_templates}/config/plugins/eap-sim-file.conf
+%{strongswan_templates}/config/plugins/eap-sim-pcsc.conf
+%{strongswan_templates}/config/plugins/eap-sim.conf
+%{strongswan_templates}/config/plugins/eap-simaka-pseudonym.conf
+%{strongswan_templates}/config/plugins/eap-simaka-reauth.conf
+%{strongswan_templates}/config/plugins/eap-simaka-sql.conf
+%{strongswan_templates}/config/plugins/eap-tls.conf
+%{strongswan_templates}/config/plugins/eap-tnc.conf
+%{strongswan_templates}/config/plugins/eap-ttls.conf
+%{strongswan_templates}/config/plugins/farp.conf
+%{strongswan_templates}/config/plugins/fips-prf.conf
+%{strongswan_templates}/config/plugins/gcm.conf
+%{strongswan_templates}/config/plugins/gcrypt.conf
+%{strongswan_templates}/config/plugins/gmp.conf
+%{strongswan_templates}/config/plugins/ha.conf
+%{strongswan_templates}/config/plugins/hmac.conf
+%{strongswan_templates}/config/plugins/kernel-netlink.conf
+%{strongswan_templates}/config/plugins/ldap.conf
+%{strongswan_templates}/config/plugins/led.conf
+%{strongswan_templates}/config/plugins/md4.conf
+%{strongswan_templates}/config/plugins/md5.conf
+%{strongswan_templates}/config/plugins/nonce.conf
+%{strongswan_templates}/config/plugins/openssl.conf
+%{strongswan_templates}/config/plugins/pem.conf
+%{strongswan_templates}/config/plugins/pgp.conf
+%{strongswan_templates}/config/plugins/pkcs1.conf
+%{strongswan_templates}/config/plugins/pkcs11.conf
+%{strongswan_templates}/config/plugins/pkcs12.conf
+%{strongswan_templates}/config/plugins/pkcs7.conf
+%{strongswan_templates}/config/plugins/pkcs8.conf
+%{strongswan_templates}/config/plugins/pubkey.conf
+%{strongswan_templates}/config/plugins/radattr.conf
+%{strongswan_templates}/config/plugins/random.conf
+%{strongswan_templates}/config/plugins/rc2.conf
+%{strongswan_templates}/config/plugins/resolve.conf
+%{strongswan_templates}/config/plugins/revocation.conf
+%{strongswan_templates}/config/plugins/sha1.conf
+%{strongswan_templates}/config/plugins/sha2.conf
+%{strongswan_templates}/config/plugins/smp.conf
+%{strongswan_templates}/config/plugins/socket-default.conf
+%{strongswan_templates}/config/plugins/soup.conf
+%{strongswan_templates}/config/plugins/sql.conf
+%{strongswan_templates}/config/plugins/sshkey.conf
+%{strongswan_templates}/config/plugins/stroke.conf
+%{strongswan_templates}/config/plugins/tnc-imc.conf
+%{strongswan_templates}/config/plugins/tnc-imv.conf
+%{strongswan_templates}/config/plugins/tnc-pdp.conf
+%{strongswan_templates}/config/plugins/tnc-tnccs.conf
+%{strongswan_templates}/config/plugins/tnccs-11.conf
+%{strongswan_templates}/config/plugins/tnccs-20.conf
+%{strongswan_templates}/config/plugins/tnccs-dynamic.conf
+%{strongswan_templates}/config/plugins/unity.conf
+%{strongswan_templates}/config/plugins/updown.conf
+%{strongswan_templates}/config/plugins/x509.conf
+%{strongswan_templates}/config/plugins/xauth-eap.conf
+%{strongswan_templates}/config/plugins/xauth-generic.conf
+%{strongswan_templates}/config/plugins/xauth-pam.conf
+%{strongswan_templates}/config/plugins/xcbc.conf
+%{strongswan_templates}/config/strongswan.d/charon-logging.conf
+%{strongswan_templates}/config/strongswan.d/charon.conf
+%{strongswan_templates}/config/strongswan.d/imcv.conf
+%{strongswan_templates}/config/strongswan.d/pool.conf
+%{strongswan_templates}/config/strongswan.d/starter.conf
+%{strongswan_templates}/config/strongswan.d/tnc.conf
+%{strongswan_templates}/config/strongswan.d/tools.conf
+%{strongswan_templates}/database/imv/data.sql
+%{strongswan_templates}/database/imv/tables.sql
%if %{with nm}
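Review bot: the entries under %{strongswan_templates}/config/plugins/ repeat the plugin config list one file at a time, so every plugin added or dropped upstream has to be edited in two places. Consider a glob such as "%{strongswan_templates}/config/plugins/*.conf" combined with %exclude for mysql.conf and sqlite.conf, which belong to the subpackages. Also, "%dir %{strongswan_templates}/database/sql" is owned here although this hunk lists files only under database/imv; if that is intended as shared ownership with the mysql and sqlite subpackages, a short comment would say so.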
@@ -583,22 +780,47 @@
%files mysql
%defattr(-,root,root)
+%dir %{strongswan_libdir}
%dir %{strongswan_plugins}
%{strongswan_plugins}/libstrongswan-mysql.so
+%dir %{strongswan_configs}
+%dir %{strongswan_configs}/charon
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/mysql.conf
+%dir %{strongswan_datadir}
+%dir %{strongswan_templates}
+%dir %{strongswan_templates}/config
+%dir %{strongswan_templates}/config/plugins
+%dir %{strongswan_templates}/database
+%dir %{strongswan_templates}/database/sql
+%{strongswan_templates}/config/plugins/mysql.conf
+%{strongswan_templates}/database/sql/mysql.sql
%endif
%if %{with sqlite}
%files sqlite
%defattr(-,root,root)
+%dir %{strongswan_libdir}
%dir %{strongswan_plugins}
%{strongswan_plugins}/libstrongswan-sqlite.so
+%dir %{strongswan_configs}
+%dir %{strongswan_configs}/charon
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/sqlite.conf
+%dir %{strongswan_datadir}
+%dir %{strongswan_templates}
+%dir %{strongswan_templates}/config
+%dir %{strongswan_templates}/config/plugins
+%dir %{strongswan_templates}/database
+%dir %{strongswan_templates}/database/sql
+%{strongswan_templates}/config/plugins/sqlite.conf
+%{strongswan_templates}/database/sql/sqlite.sql
%endif
%if %{with tests}
%files tests
%defattr(-,root,root)
+%dir %{strongswan_libdir}
%dir %{strongswan_plugins}
%{strongswan_plugins}/libstrongswan-load-tester.so
%{strongswan_plugins}/libstrongswan-test-vectors.so
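Review bot: in the lines shown, the tests subpackage gains only "%dir %{strongswan_libdir}", while mysql and sqlite each gain a charon/<plugin>.conf entry and a matching template. If load-tester and test-vectors also install a config under %{strongswan_configs}/charon, those files need entries here with the same "%config(noreplace) %attr(600,root,root)" treatment; if they do not, a comment explaining the asymmetry would help.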
++++++ strongswan-5.1.1-rpmlintrc -> strongswan-5.1.3-rpmlintrc ++++++
++++++ strongswan-5.1.1.tar.bz2 -> strongswan-5.1.3.tar.bz2 ++++++
++++ 96078 lines of diff (skipped)
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse-commit+help(a)opensuse.org
Hello community,
here is the log from the commit of package rubygem-railties-3_2 for openSUSE:Factory checked in at 2014-04-17 14:09:40
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-railties-3_2 (Old)
and /work/SRC/openSUSE:Factory/.rubygem-railties-3_2.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-railties-3_2"
Changes:
--------
--- /work/SRC/openSUSE:Factory/rubygem-railties-3_2/rubygem-railties-3_2.changes 2013-03-22 13:16:10.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.rubygem-railties-3_2.new/rubygem-railties-3_2.changes 2014-04-17 14:09:41.000000000 +0200
@@ -1,0 +2,8 @@
+Thu Apr 3 15:12:09 UTC 2014 - jmassaguerpla(a)suse.com
+
+- updated to version 3.2.17
+ * I had to update other rails components because of security issues,
+ thus I am updating this one so that we have all rails components
+ in the same version
+
+-------------------------------------------------------------------
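Review bot: the entry gives "security issues" in other rails components as the reason for the update but names no CVE or bug number. Add the references of the updates that triggered this one, so the changelog can be matched against advisories and the bug tracker.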
Old:
----
railties-3.2.13.gem
New:
----
railties-3.2.17.gem
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ rubygem-railties-3_2.spec ++++++
--- /var/tmp/diff_new_pack.d6xc16/_old 2014-04-17 14:09:42.000000000 +0200
+++ /var/tmp/diff_new_pack.d6xc16/_new 2014-04-17 14:09:42.000000000 +0200
@@ -1,7 +1,7 @@
#
# spec file for package rubygem-railties-3_2
#
-# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
Name: rubygem-railties-3_2
-Version: 3.2.13
+Version: 3.2.17
Release: 0
%define mod_name railties
%define mod_full_name %{mod_name}-%{version}
Hello community,
here is the log from the commit of package rubygem-rails-3_2 for openSUSE:Factory checked in at 2014-04-17 14:09:32
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-rails-3_2 (Old)
and /work/SRC/openSUSE:Factory/.rubygem-rails-3_2.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-rails-3_2"
Changes:
--------
--- /work/SRC/openSUSE:Factory/rubygem-rails-3_2/rubygem-rails-3_2.changes 2013-03-20 09:54:57.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.rubygem-rails-3_2.new/rubygem-rails-3_2.changes 2014-04-17 14:09:33.000000000 +0200
@@ -1,0 +2,8 @@
+Thu Apr 3 15:08:56 UTC 2014 - jmassaguerpla(a)suse.com
+
+- updated to version 3.2.17
+ * I had to update other rails components because of security issues,
+ thus I am updating this one so that we have all rails components
+ in the same version
+
+-------------------------------------------------------------------
Old:
----
rails-3.2.13.gem
New:
----
rails-3.2.17.gem
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ rubygem-rails-3_2.spec ++++++
--- /var/tmp/diff_new_pack.OGtOHj/_old 2014-04-17 14:09:34.000000000 +0200
+++ /var/tmp/diff_new_pack.OGtOHj/_new 2014-04-17 14:09:34.000000000 +0200
@@ -1,7 +1,7 @@
#
# spec file for package rubygem-rails-3_2
#
-# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
Name: rubygem-rails-3_2
-Version: 3.2.13
+Version: 3.2.17
Release: 0
%define mod_name rails
%define mod_full_name %{mod_name}-%{version}
Hello community,
here is the log from the commit of package rubygem-activesupport-3_2 for openSUSE:Factory checked in at 2014-04-17 14:09:26
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-activesupport-3_2 (Old)
and /work/SRC/openSUSE:Factory/.rubygem-activesupport-3_2.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-activesupport-3_2"
Changes:
--------
--- /work/SRC/openSUSE:Factory/rubygem-activesupport-3_2/rubygem-activesupport-3_2.changes 2013-05-07 15:44:32.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.rubygem-activesupport-3_2.new/rubygem-activesupport-3_2.changes 2014-04-17 14:09:28.000000000 +0200
@@ -1,0 +2,14 @@
+Thu Apr 3 15:25:11 UTC 2014 - jmassaguerpla(a)suse.com
+
+- activesupport v3.2.17 already has the correct runtime dependency
+ for i18n gem (>=0.6.4). Thus we don't need the patch anymore
+
+- removed patches:
+ * rubygem-activesupport-3_2.diff
+-------------------------------------------------------------------
+Thu Apr 3 15:06:41 UTC 2014 - jmassaguerpla(a)suse.com
+
+- update to 3.2.17. It contains among other fixes a patch for
+ CVE-2013-4389 (bnc#846239)
+
+-------------------------------------------------------------------
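Review bot: the first entry runs straight from "* rubygem-activesupport-3_2.diff" into the separator line, without the blank "+" line that the second entry has before its separator. Add the blank line so both entries follow the same .changes layout. Since both entries are from the same day and author, they could also be merged into one, with the patch removal listed under the 3.2.17 update.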
Old:
----
activesupport-3.2.13.gem
New:
----
activesupport-3.2.17.gem
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ rubygem-activesupport-3_2.spec ++++++
--- /var/tmp/diff_new_pack.6beoXm/_old 2014-04-17 14:09:28.000000000 +0200
+++ /var/tmp/diff_new_pack.6beoXm/_new 2014-04-17 14:09:28.000000000 +0200
@@ -1,7 +1,7 @@
#
# spec file for package rubygem-activesupport-3_2
#
-# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
Name: rubygem-activesupport-3_2
-Version: 3.2.13
+Version: 3.2.17
Release: 0
%define mod_name activesupport
%define mod_full_name %{mod_name}-%{version}
@@ -32,7 +32,6 @@
Summary: A toolkit of support libraries and Ruby core extensions extracted
License: MIT
Group: Development/Languages/Ruby
-Patch0: rubygem-activesupport-3_2.diff
%description
A toolkit of support libraries and Ruby core extensions extracted from the
@@ -49,9 +48,6 @@
Usually in RDoc and RI formats.
%prep
-%gem_unpack
-%patch0
-%gem_build
%build
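Review bot: %prep is left empty here, because %gem_unpack and %gem_build are dropped together with %patch0. That is reasonable if the install step works directly from the upstream .gem, but it should be confirmed that the package still builds from the unmodified gem, and a short comment in %prep noting that no unpack is needed while there are no patches would save the next packager from wondering whether the lines were removed by mistake.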