openSUSE Commits
August 2024
- 2 participants
- 1399 discussions
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package obs-service-source_validator for openSUSE:Factory checked in at 2024-08-29 15:43:47
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/obs-service-source_validator (Old)
and /work/SRC/openSUSE:Factory/.obs-service-source_validator.new.2698 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "obs-service-source_validator"
Thu Aug 29 15:43:47 2024 rev:80 rq:1197300 version:0.38
Changes:
--------
--- /work/SRC/openSUSE:Factory/obs-service-source_validator/obs-service-source_validator.changes 2024-08-13 13:24:52.622328795 +0200
+++ /work/SRC/openSUSE:Factory/.obs-service-source_validator.new.2698/obs-service-source_validator.changes 2024-08-29 15:44:49.388859942 +0200
@@ -1,0 +2,6 @@
+Thu Aug 29 06:43:56 UTC 2024 - adrian(a)suse.de
+
+- Update to version 0.38:
+ * Fix 20-files-present-and-referenced against osc 1.9.0 (osclib_version 2.0)
+
+-------------------------------------------------------------------
Old:
----
obs-service-source_validator-0.37.tar.bz2
New:
----
obs-service-source_validator-0.38.tar.xz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ obs-service-source_validator.spec ++++++
--- /var/tmp/diff_new_pack.MSdi8P/_old 2024-08-29 15:44:49.904881367 +0200
+++ /var/tmp/diff_new_pack.MSdi8P/_new 2024-08-29 15:44:49.904881367 +0200
@@ -23,14 +23,14 @@
%endif
Name: obs-service-source_validator
-Version: 0.37
+Version: 0.38
Release: 0
Summary: An OBS source service: running all the osc source-validator checks
License: GPL-2.0-or-later
Group: Development/Tools/Building
URL: https://github.com/openSUSE/obs-service-source_validator
# use osc service mr to update
-Source: %{name}-%{version}.tar.bz2
+Source: %{name}-%{version}.tar.xz
BuildRequires: %{build_pkg_name}
BuildRequires: zstd
Requires: %{_bindir}/cpio
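Review bot: the `Source:` line now names a `.tar.xz` while the unchanged `BuildRequires: zstd` three lines below suggests a third compression format is still expected somewhere in the build; confirm zstd is actually needed (the `_service` file in this request switches recompress to xz) or drop the stale BuildRequires in the same change.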
++++++ _service ++++++
--- /var/tmp/diff_new_pack.MSdi8P/_old 2024-08-29 15:44:49.944883028 +0200
+++ /var/tmp/diff_new_pack.MSdi8P/_new 2024-08-29 15:44:49.948883194 +0200
@@ -11,7 +11,7 @@
<service name="recompress" mode="manual">
<param name="file">*.tar</param>
- <param name="compression">bz2</param>
+ <param name="compression">xz</param>
</service>
<service name="set_version" mode="manual">
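Review bot: the switch of `recompress` to `xz` matches the new `Source: %{name}-%{version}.tar.xz` line in the spec, so the two files stay consistent. Because every service here runs with `mode="manual"`, the checked-in tarball is what gets built, not something OBS regenerates; reviewers should verify that the submitted `obs-service-source_validator-0.38.tar.xz` was produced by running these services against the pinned `changesrevision` rather than packed by hand.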
++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.MSdi8P/_old 2024-08-29 15:44:49.972884190 +0200
+++ /var/tmp/diff_new_pack.MSdi8P/_new 2024-08-29 15:44:49.976884357 +0200
@@ -3,6 +3,6 @@
<param name="url">git://github.com/openSUSE/obs-service-source_validator.git</param>
<param name="changesrevision">c68d7a28c4ecd88b179359b030098503e75adc0b</param></service><service name="tar_scm">
<param name="url">https://github.com/openSUSE/obs-service-source_validator.git</param>
- <param name="changesrevision">e602fba058693dfd8610ad660ec00ee7a44b3bae</param></service></servicedata>
+ <param name="changesrevision">27f3bcbc5282a612af2db23a29fa742b48ff0d3e</param></service></servicedata>
(No newline at EOF)
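Review bot: the new `changesrevision` `27f3bcbc5282a612af2db23a29fa742b48ff0d3e` is the only record on this request tying the 0.38 tarball to an upstream commit, and neither the changelog nor the diff says which upstream tag it corresponds to; state the tag (or that it is a tagged 0.38 release) in the changes entry so the source can be audited later without re-running the service.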
++++++ debian.dsc ++++++
--- /var/tmp/diff_new_pack.MSdi8P/_old 2024-08-29 15:44:50.004885519 +0200
+++ /var/tmp/diff_new_pack.MSdi8P/_new 2024-08-29 15:44:50.008885685 +0200
@@ -1,6 +1,6 @@
Format: 1.0
Source: obs-service-source-validator
-Version: 0.37-0
+Version: 0.38-0
Binary: obs-service-source-validator
Maintainer: Hib Eris <hib(a)hiberis.nl>
Architecture: all
Hello community,
here is the log from the commit of package text-engine for openSUSE:Factory checked in at 2024-08-29 15:43:37
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/text-engine (Old)
and /work/SRC/openSUSE:Factory/.text-engine.new.2698 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "text-engine"
Thu Aug 29 15:43:37 2024 rev:3 rq:1197222 version:0.1.1
Changes:
--------
--- /work/SRC/openSUSE:Factory/text-engine/text-engine.changes 2024-07-30 11:57:59.414069871 +0200
+++ /work/SRC/openSUSE:Factory/.text-engine.new.2698/text-engine.changes 2024-08-29 15:44:35.560285771 +0200
@@ -1,0 +2,6 @@
+Thu Aug 29 01:22:11 UTC 2024 - Richard Rahl <rrahl0(a)opensuse.org>
+
+- fix build by using -Wno-unused-parameter -Wno-unused-variable
+ -Wno-deprecated-declarations -Wno-incompatible-pointer-types
+
+-------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ text-engine.spec ++++++
--- /var/tmp/diff_new_pack.yaLHdr/_old 2024-08-29 15:44:36.024305040 +0200
+++ /var/tmp/diff_new_pack.yaLHdr/_new 2024-08-29 15:44:36.028305207 +0200
@@ -56,6 +56,7 @@
%autosetup -p1
%build
+export CFLAGS="${optflags} -Wno-unused-parameter -Wno-unused-variable -Wno-deprecated-declarations -Wno-incompatible-pointer-types"
%meson
%meson_build
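Review bot: `${optflags}` on the new `export CFLAGS=` line is shell variable syntax, not the RPM macro; rpm expands `%{optflags}` when it parses the spec but does not export a shell variable called `optflags`, so this line most likely sets CFLAGS to just the four `-Wno-*` options and silently drops the distribution's optimisation and hardening flags (the rxtx-java spec in this same batch uses `CFLAGS="%{optflags} ..."`). Use `export CFLAGS="%{optflags} -Wno-unused-parameter ..."` or `$RPM_OPT_FLAGS`. Separately, `-Wno-incompatible-pointer-types` turns a gcc 14 error back into a warning that can hide real type mismatches; fixing the offending call sites, as the openjfx and aranym patches in this batch do, is preferable to disabling the diagnostic package-wide.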
Hello community,
here is the log from the commit of package aranym for openSUSE:Factory checked in at 2024-08-29 15:43:29
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/aranym (Old)
and /work/SRC/openSUSE:Factory/.aranym.new.2698 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "aranym"
Thu Aug 29 15:43:29 2024 rev:47 rq:1197130 version:1.1.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/aranym/aranym.changes 2024-04-14 12:24:35.641505953 +0200
+++ /work/SRC/openSUSE:Factory/.aranym.new.2698/aranym.changes 2024-08-29 15:44:30.828089255 +0200
@@ -1,0 +2,5 @@
+Wed Aug 28 17:14:24 UTC 2024 - Andreas Schwab <schwab(a)linux-m68k.org>
+
+- configure.patch: fix missing header in configure test
+
+-------------------------------------------------------------------
New:
----
configure.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ aranym.spec ++++++
--- /var/tmp/diff_new_pack.PyPwoM/_old 2024-08-29 15:44:31.404113176 +0200
+++ /var/tmp/diff_new_pack.PyPwoM/_new 2024-08-29 15:44:31.408113342 +0200
@@ -28,6 +28,7 @@
Patch0: pow10.patch
Patch1: lto.patch
Patch2: includes.patch
+Patch3: configure.patch
BuildRequires: automake
BuildRequires: gcc-c++
BuildRequires: mpfr-devel
++++++ configure.patch ++++++
Index: aranym-1.1.0/configure
===================================================================
--- aranym-1.1.0.orig/configure
+++ aranym-1.1.0/configure
@@ -10743,6 +10743,7 @@ else
#include <net/if.h>
#include <net/if_tun.h>
#endif
+ #include <string.h>
int
main ()
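Review bot: this hunk patches the generated `configure` with the same one-line change as the `configure.ac` hunk below; the spec already has `BuildRequires: automake`, so regenerating `configure` during the build would avoid carrying the identical fix twice and keep the two from drifting apart the next time either is touched.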
Index: aranym-1.1.0/configure.ac
===================================================================
--- aranym-1.1.0.orig/configure.ac
+++ aranym-1.1.0/configure.ac
@@ -539,6 +539,7 @@ AC_CACHE_CHECK([whether TUN/TAP is suppo
#include <net/if.h>
#include <net/if_tun.h>
#endif
+ #include <string.h>
], [
struct ifreq ifr;
memset(&ifr, 0, sizeof(ifr));
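Review bot: the added `#include <string.h>` is needed because the probe body calls `memset` (two lines below the insertion); with gcc 14 an implicitly declared function is a hard error, so without this header the TUN/TAP check would fail to compile and report "no", and networking support would be silently disabled instead of the build failing. The fix is correct and minimal.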
Hello community,
here is the log from the commit of package rxtx-java for openSUSE:Factory checked in at 2024-08-29 15:43:28
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rxtx-java (Old)
and /work/SRC/openSUSE:Factory/.rxtx-java.new.2698 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rxtx-java"
Thu Aug 29 15:43:28 2024 rev:9 rq:1197126 version:2.2~pre2
Changes:
--------
--- /work/SRC/openSUSE:Factory/rxtx-java/rxtx-java.changes 2024-03-08 18:09:39.539197431 +0100
+++ /work/SRC/openSUSE:Factory/.rxtx-java.new.2698/rxtx-java.changes 2024-08-29 15:44:29.956053040 +0200
@@ -1,0 +2,7 @@
+Wed Aug 28 17:38:13 UTC 2024 - Fridrich Strba <fstrba(a)suse.com>
+
+- Disable -Wimplicit-function-declaration
+ * fixes build with gcc 14 on architectures where glibc does not
+ distribute sys/io.h
+
+-------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ rxtx-java.spec ++++++
--- /var/tmp/diff_new_pack.24clcz/_old 2024-08-29 15:44:30.536077127 +0200
+++ /var/tmp/diff_new_pack.24clcz/_new 2024-08-29 15:44:30.540077294 +0200
@@ -103,7 +103,7 @@
export THREADS_FLAG=native
rm acinclude.m4 config.guess config.sub install-sh ltmain.sh missing mkinstalldirs aclocal.m4 Makefile.in ltconfig stamp-h.in
./autogen.sh
-CFLAGS="%{optflags}" LDFLAGS=-s \
+CFLAGS="%{optflags} -Wno-implicit-function-declaration" LDFLAGS=-s \
%configure
%make_build
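Review bot: `-Wno-implicit-function-declaration` downgrades the gcc 14 error back to a warning instead of addressing the cause named in the changelog (no `sys/io.h` on some architectures). An implicitly declared function is assumed to return `int` and takes unchecked arguments, so the affected I/O-port calls still compile on those architectures but with the wrong prototype. Prefer making the code conditional, for example `AC_CHECK_HEADERS([sys/io.h])` in configure.ac and `#ifdef HAVE_SYS_IO_H` around the callers, so each architecture either has the declarations or excludes the code; the spec already runs `./autogen.sh` and `%configure`, so the check would take effect.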
Hello community,
here is the log from the commit of package python38 for openSUSE:Factory checked in at 2024-08-29 15:43:26
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python38 (Old)
and /work/SRC/openSUSE:Factory/.python38.new.2698 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python38"
Thu Aug 29 15:43:26 2024 rev:53 rq:1197121 version:3.8.19
Changes:
--------
--- /work/SRC/openSUSE:Factory/python38/python38.changes 2024-08-10 19:14:02.101316411 +0200
+++ /work/SRC/openSUSE:Factory/.python38.new.2698/python38.changes 2024-08-29 15:44:28.403988586 +0200
@@ -1,0 +2,7 @@
+Wed Aug 28 16:54:34 UTC 2024 - Matej Cepl <mcepl(a)cepl.eu>
+
+- Add CVE-2024-8088-inf-loop-zipfile_Path.patch to prevent
+ malformed payload to cause infinite loops in zipfile.Path
+ (bsc#1229704, CVE-2024-8088).
+
+-------------------------------------------------------------------
New:
----
CVE-2024-8088-inf-loop-zipfile_Path.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python38.spec ++++++
--- /var/tmp/diff_new_pack.TjUiKS/_old 2024-08-29 15:44:29.488033605 +0200
+++ /var/tmp/diff_new_pack.TjUiKS/_new 2024-08-29 15:44:29.492033771 +0200
@@ -36,7 +36,7 @@
%bcond_without general
%endif
-%if 0%{?do_profiling}
+%if 0%{?do_profiling} && !0%{?qemu_user_space_build}
%bcond_without profileopt
%else
%bcond_with profileopt
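Review bot: the new `&& !0%{?qemu_user_space_build}` condition disables profile-guided optimisation for qemu user-space builds, but the .changes entry only records the CVE-2024-8088 patch; add a changelog line for this so the behavioural change is documented and not mistaken for part of the security fix.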
@@ -207,6 +207,9 @@
# PATCH-FIX-UPSTREAM CVE-2024-5642-OpenSSL-API-buf-overread-NPN.patch bsc#1227233 mcepl(a)suse.com
# Remove for support for anything but OpenSSL 1.1.1 or newer
Patch48: CVE-2024-5642-OpenSSL-API-buf-overread-NPN.patch
+# PATCH-FIX-UPSTREAM CVE-2024-8088-inf-loop-zipfile_Path.patch bsc#1229704 mcepl(a)suse.com
+# avoid denial of service in zipfile
+Patch49: CVE-2024-8088-inf-loop-zipfile_Path.patch
BuildRequires: autoconf-archive
BuildRequires: automake
BuildRequires: fdupes
@@ -484,6 +487,7 @@
%patch -p1 -P 46
%patch -p1 -P 47
%patch -p1 -P 48
+%patch -p1 -P 49
# drop Autoconf version requirement
sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac
++++++ CVE-2024-8088-inf-loop-zipfile_Path.patch ++++++
From dcb320a0c85713c5dfe89a83d6eb295ad1511be8 Mon Sep 17 00:00:00 2001
From: "Jason R. Coombs" <jaraco(a)jaraco.com>
Date: Tue, 27 Aug 2024 17:10:30 -0400
Subject: [PATCH] [3.8] [3.9] [3.11] gh-123270: Replaced SanitizedNames with a
more surgical fix. (GH-123354)
Applies changes from zipp 3.20.1 and jaraco/zippGH-124
(cherry picked from commit 2231286d78d328c2f575e0b05b16fe447d1656d6)
(cherry picked from commit 17b77bb41409259bad1cd6c74761c18b6ab1e860)
(cherry picked from commit 66d3383)
Co-authored-by: Jason R. Coombs <jaraco(a)jaraco.com>
---
Lib/test/test_zipfile.py | 75 ++++++++++
Lib/zipfile.py | 9 -
Misc/NEWS.d/next/Library/2024-08-26-13-45-20.gh-issue-123270.gXHvNJ.rst | 3
3 files changed, 85 insertions(+), 2 deletions(-)
create mode 100644 Misc/NEWS.d/next/Library/2024-08-26-13-45-20.gh-issue-123270.gXHvNJ.rst
Index: Python-3.8.19/Lib/test/test_zipfile.py
===================================================================
--- Python-3.8.19.orig/Lib/test/test_zipfile.py
+++ Python-3.8.19/Lib/test/test_zipfile.py
@@ -3007,6 +3007,81 @@ class TestPath(unittest.TestCase):
data = ['/'.join(string.ascii_lowercase + str(n)) for n in range(10000)]
zipfile.CompleteDirs._implied_dirs(data)
+ def test_malformed_paths(self):
+ """
+ Path should handle malformed paths gracefully.
+
+ Paths with leading slashes are not visible.
+
+ Paths with dots are treated like regular files.
+ """
+ data = io.BytesIO()
+ zf = zipfile.ZipFile(data, "w")
+ zf.writestr("../parent.txt", b"content")
+ zf.filename = ''
+ root = zipfile.Path(zf)
+ assert list(map(str, root.iterdir())) == ['../']
+ assert root.joinpath('..').joinpath('parent.txt').read_bytes() == b'content'
+
+ def test_unsupported_names(self):
+ """
+ Path segments with special characters are readable.
+
+ On some platforms or file systems, characters like
+ ``:`` and ``?`` are not allowed, but they are valid
+ in the zip file.
+ """
+ data = io.BytesIO()
+ zf = zipfile.ZipFile(data, "w")
+ zf.writestr("path?", b"content")
+ zf.writestr("V: NMS.flac", b"fLaC...")
+ zf.filename = ''
+ root = zipfile.Path(zf)
+ contents = root.iterdir()
+ assert next(contents).name == 'path?'
+ assert next(contents).name == 'V: NMS.flac'
+ assert root.joinpath('V: NMS.flac').read_bytes() == b"fLaC..."
+
+ def test_backslash_not_separator(self):
+ """
+ In a zip file, backslashes are not separators.
+ """
+ data = io.BytesIO()
+ zf = zipfile.ZipFile(data, "w")
+ zf.writestr(DirtyZipInfo.for_name("foo\\bar", zf), b"content")
+ zf.filename = ''
+ root = zipfile.Path(zf)
+ (first,) = root.iterdir()
+ assert not first.is_dir()
+ assert first.name == 'foo\\bar'
+
+
+class DirtyZipInfo(zipfile.ZipInfo):
+ """
+ Bypass name sanitization.
+ """
+
+ def __init__(self, filename, *args, **kwargs):
+ super().__init__(filename, *args, **kwargs)
+ self.filename = filename
+
+ @classmethod
+ def for_name(cls, name, archive):
+ """
+ Construct the same way that ZipFile.writestr does.
+
+ TODO: extract this functionality and re-use
+ """
+ self = cls(filename=name, date_time=time.localtime(time.time())[:6])
+ self.compress_type = archive.compression
+ self.compress_level = archive.compresslevel
+ if self.filename.endswith('/'): # pragma: no cover
+ self.external_attr = 0o40775 << 16 # drwxrwxr-x
+ self.external_attr |= 0x10 # MS-DOS directory flag
+ else:
+ self.external_attr = 0o600 << 16 # ?rw-------
+ return self
+
if __name__ == "__main__":
unittest.main()
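Review bot: `test_malformed_paths` deliberately asserts that a member named `../parent.txt` stays reachable through `root.joinpath('..')`, which documents that this fix only stops the infinite loop and does not sanitise traversal-style names; anyone materialising `zipfile.Path` entries on disk still needs their own containment check, and it would help to say so in the changelog alongside "denial of service". Also, `DirtyZipInfo.for_name` uses `time.localtime` and the tests use `io.BytesIO`, so the backport relies on `time` and `io` already being imported at the top of test_zipfile.py, which this hunk does not show.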
Index: Python-3.8.19/Lib/zipfile.py
===================================================================
--- Python-3.8.19.orig/Lib/zipfile.py
+++ Python-3.8.19/Lib/zipfile.py
@@ -2161,7 +2161,7 @@ def _parents(path):
def _ancestry(path):
"""
Given a path with elements separated by
- posixpath.sep, generate all elements of that path
+ posixpath.sep, generate all elements of that path.
>>> list(_ancestry('b/d'))
['b/d', 'b']
@@ -2173,9 +2173,14 @@ def _ancestry(path):
['b']
>>> list(_ancestry(''))
[]
+
+ Multiple separators are treated like a single.
+
+ >>> list(_ancestry('//b//d///f//'))
+ ['//b//d///f', '//b//d', '//b']
"""
path = path.rstrip(posixpath.sep)
- while path and path != posixpath.sep:
+ while path.rstrip(posixpath.sep):
yield path
path, tail = posixpath.split(path)
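Review bot: this one-line loop change is the whole fix and it is correct: with the old condition a path made of two or more bare separators such as `//` never terminated, because `posixpath.split('//')` returns `('//', '')` and `'//' != posixpath.sep`, whereas the new `path.rstrip(posixpath.sep)` condition treats any run of separators as empty. The new docstring example `_ancestry('//b//d///f//')` exercises exactly that shape, so the doctest doubles as a regression test; none of the three unit tests added above feeds a separator-only name through `zipfile.Path`, so a test for that input would be worth adding too.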
Index: Python-3.8.19/Misc/NEWS.d/next/Library/2024-08-26-13-45-20.gh-issue-123270.gXHvNJ.rst
===================================================================
--- /dev/null
+++ Python-3.8.19/Misc/NEWS.d/next/Library/2024-08-26-13-45-20.gh-issue-123270.gXHvNJ.rst
@@ -0,0 +1,3 @@
+Applied a more surgical fix for malformed payloads in :class:`zipfile.Path`
+causing infinite loops (gh-122905) without breaking contents using
+legitimate characters.
Hello community,
here is the log from the commit of package sqlite-jdbc for openSUSE:Factory checked in at 2024-08-29 15:43:25
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/sqlite-jdbc (Old)
and /work/SRC/openSUSE:Factory/.sqlite-jdbc.new.2698 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sqlite-jdbc"
Thu Aug 29 15:43:25 2024 rev:20 rq:1197131 version:3.46.0.1
Changes:
--------
--- /work/SRC/openSUSE:Factory/sqlite-jdbc/sqlite-jdbc.changes 2024-05-28 17:30:46.416297855 +0200
+++ /work/SRC/openSUSE:Factory/.sqlite-jdbc.new.2698/sqlite-jdbc.changes 2024-08-29 15:44:27.543952872 +0200
@@ -1,0 +2,52 @@
+Wed Aug 28 17:09:03 UTC 2024 - Fridrich Strba <fstrba(a)suse.com>
+
+- Added patch:
+ * sqlite-jdbc-no-implicit-function-declaration.patch
+ + fix build with gcc 14
+
+-------------------------------------------------------------------
+Wed Jul 31 12:32:25 UTC 2024 - Anton Shvetz <shvetz.anton(a)gmail.com>
+
+- Update to v3.46.0.1
+ * Features
+ ~ add riscv64 binaries (a4a5d48)
+ * Fixes
+ ~ jdbc
+ + generated columns with stored in SQLite are not marked as
+ generated (429bbe4), closes #1132
+ ~ unscoped
+ + never return arch as aarch64 when running in a 32-bit JVM
+ (0c3db0b), closes #1127
+ + throw java.lang.ExceptionInInitializerError when calling
+ SQLiteConfig.Pragma.values() (ec0a524), closes #1123
+ * Build
+ ~ deps
+ + bump org.apache.maven.plugins:maven-javadoc-plugin
+ (c375a40)
+ + bump org.graalvm.sdk:nativeimage from 24.0.1 to 24.0.2
+ (d50d5e6)
+ + bump org.codehaus.mojo:versions-maven-plugin (14e07d4)
+ + bump surefire.version from 3.3.0 to 3.3.1 (edac56b)
+ + bump org.codehaus.mojo:versions-maven-plugin (f411591)
+ + bump org.jreleaser:jreleaser-maven-plugin (2376d03)
+ + bump org.apache.maven.plugins:maven-jar-plugin (d5394ea)
+ + bump andymckay/cancel-action from 0.4 to 0.5 (99aa8d9)
+ + bump surefire.version from 3.2.5 to 3.3.0 (b64f8fb)
+ + bump org.apache.maven.plugins:maven-help-plugin (235143b)
+ + bump org.apache.maven.plugins:maven-javadoc-plugin
+ (50ef887)
+ + bump org.apache.maven.plugins:maven-enforcer-plugin
+ (efd5449)
+ + bump org.sonatype.plugins:nexus-staging-maven-plugin
+ (dbbf4e0)
+ ~ deps-dev
+ + bump org.assertj:assertj-core from 3.26.0 to 3.26.3
+ (7293f78)
+ + bump org.junit.jupiter:junit-jupiter (b80a294)
+ + bump org.assertj:assertj-core from 3.25.3 to 3.26.0
+ (6188b48)
+ * Documentation
+ ~ add riscv64 in the supported OS table (2b72c94)
+ ~ mention temporary databases (0035ec4)
+
+-------------------------------------------------------------------
Old:
----
sqlite-jdbc-3.46.0.0.tar.gz
New:
----
sqlite-jdbc-3.46.0.1.tar.gz
sqlite-jdbc-no-implicit-function-declaration.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ sqlite-jdbc.spec ++++++
--- /var/tmp/diff_new_pack.lh4fBW/_old 2024-08-29 15:44:28.151978122 +0200
+++ /var/tmp/diff_new_pack.lh4fBW/_new 2024-08-29 15:44:28.155978288 +0200
@@ -17,7 +17,7 @@
%{!?make_build:%global make_build make %{?_smp_mflags}}
-%global version 3.46.0.0
+%global version 3.46.0.1
%global amalgamation_version 3460000
%global debug_package %{nil}
Name: sqlite-jdbc
@@ -29,6 +29,7 @@
URL: https://github.com/xerial/%{name}
Source0: %{url}/archive/refs/tags/%{version}.tar.gz#/%{name}-%{version}.tar.gz
Source1: https://sqlite.org/2024/sqlite-amalgamation-%{amalgamation_version}.zip
+Patch0: sqlite-jdbc-no-implicit-function-declaration.patch
BuildRequires: dos2unix
BuildRequires: fdupes
BuildRequires: java-devel >= 1.8
@@ -61,6 +62,7 @@
%prep
%setup -q
+%patch -P 0 -p1
find src/main/resources \
\( -name \*.so -or -name \*.dylib -or -name \*.dll \) \
++++++ sqlite-jdbc-3.46.0.0.tar.gz -> sqlite-jdbc-3.46.0.1.tar.gz ++++++
/work/SRC/openSUSE:Factory/sqlite-jdbc/sqlite-jdbc-3.46.0.0.tar.gz /work/SRC/openSUSE:Factory/.sqlite-jdbc.new.2698/sqlite-jdbc-3.46.0.1.tar.gz differ: char 14, line 1
++++++ sqlite-jdbc-no-implicit-function-declaration.patch ++++++
--- sqlite-jdbc-3.46.0.1/Makefile.common 2024-08-28 20:14:17.830336051 +0200
+++ sqlite-jdbc-3.46.0.1/Makefile.common 2024-08-28 20:15:48.184378367 +0200
@@ -66,42 +66,42 @@
Default_CC := $(CROSS_PREFIX)gcc
Default_STRIP := $(CROSS_PREFIX)strip
-Default_CCFLAGS := -I$(JAVA_HOME)/include -Ilib/inc_linux -Os -fPIC -fvisibility=hidden
+Default_CCFLAGS := -I$(JAVA_HOME)/include -Ilib/inc_linux -Os -fPIC -fvisibility=hidden -Wno-implicit-function-declaration
Default_LINKFLAGS := -shared -static-libgcc -pthread -lm
Default_LIBNAME := libsqlitejdbc.so
Default_SQLITE_FLAGS :=
Linux-x86_CC := $(CROSS_PREFIX)gcc
Linux-x86_STRIP := $(CROSS_PREFIX)strip
-Linux-x86_CCFLAGS := -I$(JAVA_HOME)/include -Ilib/inc_linux -Os -fPIC -m32 -fvisibility=hidden
+Linux-x86_CCFLAGS := -I$(JAVA_HOME)/include -Ilib/inc_linux -Os -fPIC -m32 -fvisibility=hidden -Wno-implicit-function-declaration
Linux-x86_LINKFLAGS := $(Default_LINKFLAGS)
Linux-x86_LIBNAME := libsqlitejdbc.so
Linux-x86_SQLITE_FLAGS :=
Linux-x86_64_CC := $(CROSS_PREFIX)gcc
Linux-x86_64_STRIP := $(CROSS_PREFIX)strip
-Linux-x86_64_CCFLAGS := -Ilib/inc_linux -I$(JAVA_HOME)/include -Os -fPIC -m64 -fvisibility=hidden
+Linux-x86_64_CCFLAGS := -Ilib/inc_linux -I$(JAVA_HOME)/include -Os -fPIC -m64 -fvisibility=hidden -Wno-implicit-function-declaration
Linux-x86_64_LINKFLAGS := $(Default_LINKFLAGS)
Linux-x86_64_LIBNAME := libsqlitejdbc.so
Linux-x86_64_SQLITE_FLAGS :=
Linux-arm_CC := $(CROSS_PREFIX)gcc
Linux-arm_STRIP := $(CROSS_PREFIX)strip
-Linux-arm_CCFLAGS := -I$(JAVA_HOME)/include -Ilib/inc_linux -Os -fPIC -mfloat-abi=soft -fvisibility=hidden
+Linux-arm_CCFLAGS := -I$(JAVA_HOME)/include -Ilib/inc_linux -Os -fPIC -mfloat-abi=soft -fvisibility=hidden -Wno-implicit-function-declaration
Linux-arm_LINKFLAGS := $(Default_LINKFLAGS)
Linux-arm_LIBNAME := libsqlitejdbc.so
Linux-arm_SQLITE_FLAGS :=
Linux-armv6_CC := $(CROSS_PREFIX)gcc
Linux-armv6_STRIP := $(CROSS_PREFIX)strip
-Linux-armv6_CCFLAGS := -I$(JAVA_HOME)/include -Ilib/inc_linux -Os -mfloat-abi=hard -mfpu=vfp -fPIC -fvisibility=hidden
+Linux-armv6_CCFLAGS := -I$(JAVA_HOME)/include -Ilib/inc_linux -Os -mfloat-abi=hard -mfpu=vfp -fPIC -fvisibility=hidden -Wno-implicit-function-declaration
Linux-armv6_LINKFLAGS := $(Default_LINKFLAGS)
Linux-armv6_LIBNAME := libsqlitejdbc.so
Linux-armv6_SQLITE_FLAGS :=
Linux-armv7_CC := $(CROSS_PREFIX)gcc
Linux-armv7_STRIP := $(CROSS_PREFIX)strip
-Linux-armv7_CCFLAGS := -I$(JAVA_HOME)/include -Ilib/inc_linux -Os -mfloat-abi=hard -mfpu=vfp -fPIC -fvisibility=hidden
+Linux-armv7_CCFLAGS := -I$(JAVA_HOME)/include -Ilib/inc_linux -Os -mfloat-abi=hard -mfpu=vfp -fPIC -fvisibility=hidden -Wno-implicit-function-declaration
Linux-armv7_LINKFLAGS := $(Default_LINKFLAGS)
Linux-armv7_LIBNAME := libsqlitejdbc.so
Linux-armv7_SQLITE_FLAGS :=
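Review bot: appending `-Wno-implicit-function-declaration` to each per-target `CCFLAGS` silences the gcc 14 error without identifying the missing declaration; because an implicitly declared function is assumed to return `int`, a pointer-returning call compiled this way is truncated on 64-bit targets. Find the function gcc reports, add the proper header or prototype in the JNI source, and drop the flag. If the flag has to stay, note that none of the `Linux-*_CCFLAGS` lines here reference `$(Default_CCFLAGS)` (each redefines the flags in full), so the same edit has to be repeated in every target; a single shared variable, for example a hypothetical `COMMON_CCFLAGS` that each target includes, would keep the workaround in one place.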
@@ -136,14 +136,14 @@
Linux-ppc64_CC := $(CROSS_PREFIX)gcc
Linux-ppc64_STRIP := $(CROSS_PREFIX)strip
-Linux-ppc64_CCFLAGS := -I$(JAVA_HOME)/include -Ilib/inc_linux -Os -fPIC -fvisibility=hidden
+Linux-ppc64_CCFLAGS := -I$(JAVA_HOME)/include -Ilib/inc_linux -Os -fPIC -fvisibility=hidden -Wno-implicit-function-declaration
Linux-ppc64_LINKFLAGS := $(Default_LINKFLAGS)
Linux-ppc64_LIBNAME := libsqlitejdbc.so
Linux-ppc64_SQLITE_FLAGS :=
Linux-riscv64_CC := $(CROSS_PREFIX)gcc
Linux-riscv64_STRIP := $(CROSS_PREFIX)strip
-Linux-riscv64_CCFLAGS := -I$(JAVA_HOME)/include -Ilib/inc_linux -Os -fPIC -fvisibility=hidden
+Linux-riscv64_CCFLAGS := -I$(JAVA_HOME)/include -Ilib/inc_linux -Os -fPIC -fvisibility=hidden -Wno-implicit-function-declaration
Linux-riscv64_LINKFLAGS := $(Default_LINKFLAGS)
Linux-riscv64_LIBNAME := libsqlitejdbc.so
Linux-riscv64_SQLITE_FLAGS :=
Hello community,
here is the log from the commit of package openjfx for openSUSE:Factory checked in at 2024-08-29 15:43:23
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openjfx (Old)
and /work/SRC/openSUSE:Factory/.openjfx.new.2698 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openjfx"
Thu Aug 29 15:43:23 2024 rev:5 rq:1197122 version:17.0.11.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/openjfx/openjfx.changes 2024-05-01 14:56:43.558504239 +0200
+++ /work/SRC/openSUSE:Factory/.openjfx.new.2698/openjfx.changes 2024-08-29 15:44:25.787879946 +0200
@@ -1,0 +2,11 @@
+Wed Aug 28 16:32:12 UTC 2024 - Fridrich Strba <fstrba(a)suse.com>
+
+- Added patches:
+ * openjfx-freetype.patch
+ * openjfx-libprism.patch
+ + fix new errors with gcc 14
+- Modified patch:
+ * openjfx-pango.patch
+ + fix new error with gcc 14
+
+-------------------------------------------------------------------
New:
----
openjfx-freetype.patch
openjfx-libprism.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ openjfx.spec ++++++
--- /var/tmp/diff_new_pack.FKauVv/_old 2024-08-29 15:44:26.775920977 +0200
+++ /var/tmp/diff_new_pack.FKauVv/_new 2024-08-29 15:44:26.779921143 +0200
@@ -63,6 +63,8 @@
Source29: build.xml
Patch0: openjfx-pango.patch
Patch1: openjfx-no-return-in-nonvoid-function.patch
+Patch2: openjfx-freetype.patch
+Patch3: openjfx-libprism.patch
BuildRequires: ant
BuildRequires: gcc
BuildRequires: gcc-c++
@@ -113,6 +115,8 @@
%setup -q -n %{jfx_dir}
%patch -P 0 -p1
%patch -P 1 -p1
+%patch -P 2 -p1
+%patch -P 3 -p1
#prep for javafx.graphics
cp -a modules/javafx.graphics/src/jslc/antlr modules/javafx.graphics/src/main/antlr3
++++++ openjfx-freetype.patch ++++++
--- jfx/modules/javafx.graphics/src/main/native-font/freetype.c 2024-08-28 18:04:53.293373270 +0200
+++ jfx/modules/javafx.graphics/src/main/native-font/freetype.c 2024-08-28 18:05:34.693689191 +0200
@@ -520,7 +520,7 @@
if (info->lenCoords > SIZE_MAX - DEFAULT_LEN_COORDS) goto fail;
info->lenCoords += DEFAULT_LEN_COORDS;
- jbyte* newPointCoords = (jfloat*)realloc(info->pointCoords, info->lenCoords * sizeof(jfloat));
+ jfloat* newPointCoords = (jfloat*)realloc(info->pointCoords, info->lenCoords * sizeof(jfloat));
if (newPointCoords == NULL) goto fail;
info->pointCoords = newPointCoords;
}
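Review bot: declaring `newPointCoords` as `jfloat*` matches both the cast and the `info->pointCoords` field it is stored into, so this is the right correction rather than a cast added to silence gcc 14. The `SIZE_MAX - DEFAULT_LEN_COORDS` guard above protects the addition but nothing in this hunk checks `info->lenCoords * sizeof(jfloat)` for overflow before `realloc`; that is pre-existing, but worth a follow-up since it sizes a buffer from font-derived data.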
++++++ openjfx-libprism.patch ++++++
--- jfx/modules/javafx.graphics/src/main/native-prism-es2/x11/X11GLContext.c 2024-08-28 18:04:53.316706782 +0200
+++ jfx/modules/javafx.graphics/src/main/native-prism-es2/x11/X11GLContext.c 2024-08-28 18:27:44.753905337 +0200
@@ -275,7 +275,7 @@
dlsym(RTLD_DEFAULT, "glXSwapIntervalSGI");
if (ctxInfo->glXSwapIntervalSGI == NULL) {
- ctxInfo->glXSwapIntervalSGI = glXGetProcAddress("glXSwapIntervalSGI");
+ ctxInfo->glXSwapIntervalSGI = (void*)glXGetProcAddress("glXSwapIntervalSGI");
}
}
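Review bot: casting the `glXGetProcAddress` result to `void*` makes gcc 14 accept the assignment, but it converts a function pointer to an object pointer, which C does not guarantee to round-trip. The `dlsym(RTLD_DEFAULT, "glXSwapIntervalSGI")` assignment two lines above already yields `void*` for the same field, so cast instead to the field's own function-pointer type (for instance `PFNGLXSWAPINTERVALSGIPROC` from glxext.h, assuming that is the declared type of `ctxInfo->glXSwapIntervalSGI`), which keeps both assignments consistent and type-checked.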
++++++ openjfx-pango.patch ++++++
--- /var/tmp/diff_new_pack.FKauVv/_old 2024-08-29 15:44:26.887925629 +0200
+++ /var/tmp/diff_new_pack.FKauVv/_new 2024-08-29 15:44:26.887925629 +0200
@@ -1,6 +1,6 @@
---- a/modules/javafx.graphics/src/main/native-font/pango.c
-+++ b/modules/javafx.graphics/src/main/native-font/pango.c
-@@ -243,7 +243,7 @@ JNIEXPORT jboolean JNICALL OS_NATIVE(FcConfigAppFontAddFile)
+--- jfx/modules/javafx.graphics/src/main/native-font/pango.c 2024-08-28 18:04:53.293373270 +0200
++++ jfx/modules/javafx.graphics/src/main/native-font/pango.c 2024-08-28 18:19:29.190065141 +0200
+@@ -243,7 +243,7 @@
if (text) {
// rc = (jboolean)FcConfigAppFontAddFile(arg0, text);
if (fp) {
@@ -9,4 +9,13 @@
}
(*env)->ReleaseStringUTFChars(env, arg1, text);
}
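Review bot: this first hunk only rewrites the patch header from `a/`/`b/` paths to `jfx/`-prefixed paths with timestamps and drops the function name from the `@@` line; it still applies with the `%patch -P 0 -p1` in the spec, but it is unrelated churn that makes the actual gcc 14 fix (the second hunk) harder to spot in review.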
+@@ -402,7 +402,7 @@
+ (JNIEnv *env, jclass that, jlong str, jlong pos)
+ {
+ if (!str) return 0;
+- return (jlong)g_utf8_strlen((const gchar *)str, (const gchar *)pos);
++ return (jlong)g_utf8_strlen((const gchar *)str, (gssize)pos);
+ }
+
+ JNIEXPORT jlong JNICALL OS_NATIVE(g_1utf16_1to_1utf8)
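Review bot: `(gssize)pos` is the correct type for the second argument of `g_utf8_strlen`, which takes a byte length, whereas the old `(const gchar *)pos` cast pushed an integer through a pointer type to make the call compile; the new cast matches the declared signature, which is why gcc 14 no longer rejects it.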
Hello community,
here is the log from the commit of package uim for openSUSE:Factory checked in at 2024-08-29 15:43:21
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/uim (Old)
and /work/SRC/openSUSE:Factory/.uim.new.2698 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "uim"
Thu Aug 29 15:43:21 2024 rev:58 rq:1197119 version:1.8.8
Changes:
--------
--- /work/SRC/openSUSE:Factory/uim/uim.changes 2024-02-21 17:57:18.609242467 +0100
+++ /work/SRC/openSUSE:Factory/.uim.new.2698/uim.changes 2024-08-29 15:44:24.775837918 +0200
@@ -1,0 +2,7 @@
+Wed Aug 28 16:10:25 UTC 2024 - Takashi Iwai <tiwai(a)suse.com>
+
+- Fix build errors with gcc14:
+ uim-gcc14-fix.patch
+ also run autogen.sh to refresh
+
+-------------------------------------------------------------------
New:
----
uim-gcc14-fix.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ uim.spec ++++++
--- /var/tmp/diff_new_pack.MHcvyn/_old 2024-08-29 15:44:25.511868484 +0200
+++ /var/tmp/diff_new_pack.MHcvyn/_new 2024-08-29 15:44:25.515868649 +0200
@@ -1,7 +1,7 @@
#
# spec file for package uim
#
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -37,12 +37,15 @@
Patch3: bugzilla-1175274-emacs-27.1.patch
Patch4: uim-fix-multiple_declaration.diff
Patch5: riscv.patch
+Patch6: uim-gcc14-fix.patch
+BuildRequires: automake
BuildRequires: emacs-x11
BuildRequires: fdupes
BuildRequires: gcc-c++
BuildRequires: intltool
BuildRequires: libqt5-qtbase-devel
BuildRequires: libqt5-qtbase-private-headers-devel
+BuildRequires: libtool
BuildRequires: m17n-lib-devel
BuildRequires: ncurses-devel
BuildRequires: perl-XML-Parser
@@ -115,8 +118,10 @@
%patch -P 3 -p0
%patch -P 4 -p0
%patch -P 5 -p1
+%patch -P 6 -p1
cp emacs/README README.emacs
iconv -f euc-jp -t utf-8 < emacs/README.ja > README.ja.emacs
+./autogen.sh
%build
%configure --disable-static \
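Review bot: the added `./autogen.sh` call before `%build` is what makes the configure.ac edit in uim-gcc14-fix.patch take effect; without it the tarball's pre-generated configure script would still run the unpatched probes. Regenerating the build system at package build time is why the automake and libtool BuildRequires in the previous hunk are needed; keep that list in sync with whatever autogen.sh invokes, and note in the changelog that the shipped configure is now discarded, since the generated one will differ from upstream's release artefact.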
++++++ uim-gcc14-fix.patch ++++++
---
configure.ac | 2 ++
replace/bsd-snprintf.c | 2 ++
2 files changed, 4 insertions(+)
--- a/configure.ac
+++ b/configure.ac
@@ -578,6 +578,7 @@ if test "x$ac_cv_func_snprintf" = xyes;
AC_RUN_IFELSE(
[AC_LANG_SOURCE([[
#include <stdio.h>
+#include <stdlib.h>
int main(void){char b[5];snprintf(b,5,"123456789");exit(b[4]!='\0');}
]])],
[AC_MSG_RESULT(yes)],
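Review bot: this is more than a compile fix. The probe calls `exit()` without `<stdlib.h>`, and gcc 14 makes implicit function declarations an error by default, so AC_RUN_IFELSE would take its failure branch and treat the system snprintf as unusable, silently switching the build to the bundled replacement (replace/bsd-snprintf.c in the diffstat) on a toolchain where the libc version is fine. Adding the header keeps the detection honest; the asprintf probe in the next hunk gets the same header for the same reason.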
@@ -601,6 +602,7 @@ if test "x$ac_cv_func_asprintf" != xyes
[AC_LANG_SOURCE([[
#include <sys/types.h>
#include <stdio.h>
+#include <stdlib.h>
#include <stdarg.h>
int x_snprintf(char *str,size_t count,const char *fmt,...)
Hello community,
here is the log from the commit of package python-dataclasses-json for openSUSE:Factory checked in at 2024-08-29 15:43:12
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-dataclasses-json (Old)
and /work/SRC/openSUSE:Factory/.python-dataclasses-json.new.2698 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-dataclasses-json"
Thu Aug 29 15:43:12 2024 rev:3 rq:1197031 version:0.6.7
Changes:
--------
--- /work/SRC/openSUSE:Factory/python-dataclasses-json/python-dataclasses-json.changes 2024-06-17 19:29:55.307191446 +0200
+++ /work/SRC/openSUSE:Factory/.python-dataclasses-json.new.2698/python-dataclasses-json.changes 2024-08-29 15:44:12.955347041 +0200
@@ -1,0 +2,5 @@
+Tue Aug 27 16:56:04 UTC 2024 - Guang Yee <gyee(a)suse.com>
+
+- Enable sle15_python_module_pythons
+
+-------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-dataclasses-json.spec ++++++
--- /var/tmp/diff_new_pack.1r0j2q/_old 2024-08-29 15:44:15.019432758 +0200
+++ /var/tmp/diff_new_pack.1r0j2q/_new 2024-08-29 15:44:15.035433422 +0200
@@ -16,6 +16,7 @@
#
+%{?sle15_python_module_pythons}
Name: python-dataclasses-json
Version: 0.6.7
Release: 0
Hello community,
here is the log from the commit of package openssh for openSUSE:Factory checked in at 2024-08-29 15:42:55
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openssh (Old)
and /work/SRC/openSUSE:Factory/.openssh.new.2698 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssh"
Thu Aug 29 15:42:55 2024 rev:183 rq:1196434 version:9.8p1
Changes:
--------
--- /work/SRC/openSUSE:Factory/openssh/openssh-askpass-gnome.changes 2024-08-22 12:34:44.668863513 +0200
+++ /work/SRC/openSUSE:Factory/.openssh.new.2698/openssh-askpass-gnome.changes 2024-08-29 15:43:26.885433583 +0200
@@ -1,0 +2,7 @@
+Thu Aug 1 09:17:11 UTC 2024 - Antonio Larrosa <alarrosa(a)suse.com>
+
+- Update to openssh 9.8p1:
+ * No changes for askpass, see main package changelog for
+ details.
+
+-------------------------------------------------------------------
--- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2024-08-22 12:34:44.724865841 +0200
+++ /work/SRC/openSUSE:Factory/.openssh.new.2698/openssh.changes 2024-08-29 15:43:27.253448884 +0200
@@ -1,0 +2,309 @@
+Fri Aug 23 12:10:00 UTC 2024 - Antonio Larrosa <alarrosa(a)suse.com>
+
+- Add patch to fix sshd not logging in the audit failed login
+ attempts (submitted to upstream in
+ https://github.com/openssh/openssh-portable/pull/516)
+ * fix-audit-fail-attempt.patch
+- Use --enable-dsa-keys when building openssh. It's required if
+ the user sets the crypto-policy mode to LEGACY, where DSA keys
+ should be allowed. The option was added by upstream in 9.7 and
+ set to disabled by default.
+- These two changes fix 2 of the 3 issues reported in bsc#1229650.
+
+-------------------------------------------------------------------
+Mon Aug 12 08:55:38 UTC 2024 - Antonio Larrosa <alarrosa(a)suse.com>
+
+- Fix a dbus connection leaked in the logind patch that was
+ missing a sd_bus_unref call (found by Matthias Gerstner):
+ * logind_set_tty.patch
+- Add a patch that fixes a small memory leak when parsing the
+ subsystem configuration option:
+ * fix-memleak-in-process_server_config_line_depth.patch
+
+-------------------------------------------------------------------
+Thu Aug 1 09:17:11 UTC 2024 - Antonio Larrosa <alarrosa(a)suse.com>
+
+- Update to openssh 9.8p1:
+ = Security
+ * 1) Race condition in sshd(8) (bsc#1226642, CVE-2024-6387).
+ A critical vulnerability in sshd(8) was present in Portable
+ OpenSSH versions between 8.5p1 and 9.7p1 (inclusive) that may
+ allow arbitrary code execution with root privileges.
+ Successful exploitation has been demonstrated on 32-bit
+ Linux/glibc systems with ASLR. Under lab conditions, the attack
+ requires on average 6-8 hours of continuous connections up to
+ the maximum the server will accept. Exploitation on 64-bit
+ systems is believed to be possible but has not been
+ demonstrated at this time. It's likely that these attacks will
+ be improved upon.
+ Exploitation on non-glibc systems is conceivable but has not
+ been examined. Systems that lack ASLR or users of downstream
+ Linux distributions that have modified OpenSSH to disable
+ per-connection ASLR re-randomisation (yes - this is a thing, no
+ - we don't understand why) may potentially have an easier path
+ to exploitation. OpenBSD is not vulnerable.
+ We thank the Qualys Security Advisory Team for discovering,
+ reporting and demonstrating exploitability of this problem, and
+ for providing detailed feedback on additional mitigation
+ measures.
+ * 2) Logic error in ssh(1) ObscureKeystrokeTiming (bsc#1227318,
+ CVE-2024-39894).
+ In OpenSSH version 9.5 through 9.7 (inclusive), when connected
+ to an OpenSSH server version 9.5 or later, a logic error in the
+ ssh(1) ObscureKeystrokeTiming feature (on by default) rendered
+ this feature ineffective - a passive observer could still
+ detect which network packets contained real keystrokes when the
+ countermeasure was active because both fake and real keystroke
+ packets were being sent unconditionally.
+ This bug was found by Philippos Giavridis and also
+ independently by Jacky Wei En Kung, Daniel Hugenroth and
+ Alastair Beresford of the University of Cambridge Computer Lab.
+ Worse, the unconditional sending of both fake and real
+ keystroke packets broke another long-standing timing attack
+ mitigation. Since OpenSSH 2.9.9 sshd(8) has sent fake keystoke
+ echo packets for traffic received on TTYs in echo-off mode,
+ such as when entering a password into su(8) or sudo(8). This
+ bug rendered these fake keystroke echoes ineffective and could
+ allow a passive observer of a SSH session to once again detect
+ when echo was off and obtain fairly limited timing information
+ about keystrokes in this situation (20ms granularity by
+ default).
+ This additional implication of the bug was identified by
+ Jacky Wei En Kung, Daniel Hugenroth and Alastair Beresford and
+ we thank them for their detailed analysis.
+ This bug does not affect connections when
+ ObscureKeystrokeTiming was disabled or sessions where no TTY
+ was requested.
+
+ = Future deprecation notice
+ * OpenSSH plans to remove support for the DSA signature algorithm
+ in early 2025. This release disables DSA by default at compile
+ time.
+ DSA, as specified in the SSHv2 protocol, is inherently weak -
+ being limited to a 160 bit private key and use of the SHA1
+ digest. Its estimated security level is only 80 bits symmetric
+ equivalent.
+ OpenSSH has disabled DSA keys by default since 2015 but has
+ retained run-time optional support for them. DSA was the only
+ mandatory-to-implement algorithm in the SSHv2 RFCs, mostly
+ because alternative algorithms were encumbered by patents when
+ the SSHv2 protocol was specified.
+ This has not been the case for decades at this point and better
+ algorithms are well supported by all actively-maintained SSH
+ implementations. We do not consider the costs of maintaining
+ DSA in OpenSSH to be justified and hope that removing it from
+ OpenSSH can accelerate its wider deprecation in supporting
+ cryptography libraries.
+ This release, and its deactivation of DSA by default at
+ compile-time, marks the second step in our timeline to finally
+ deprecate DSA. The final step of removing DSA support entirely
+ is planned for the first OpenSSH release of 2025.
+ DSA support may be re-enabled in OpenBSD by setting
+ "DSAKEY=yes" in Makefile.inc. To enable DSA support in
+ portable OpenSSH, pass the "--enable-dsa-keys" option to
+ configure.
+
+ = Potentially-incompatible changes
+ * all: as mentioned above, the DSA signature algorithm is now
+ disabled at compile time.
+ * sshd(8): the server will now block client addresses that
+ repeatedly fail authentication, repeatedly connect without ever
+ completing authentication or that crash the server. See the
+ discussion of PerSourcePenalties below for more information.
+ Operators of servers that accept connections from many users,
+ or servers that accept connections from addresses behind NAT or
+ proxies may need to consider these settings.
+ * sshd(8): the server has been split into a listener binary,
+ sshd(8), and a per-session binary "sshd-session". This allows
+ for a much smaller listener binary, as it no longer needs to
+ support the SSH protocol. As part of this work, support for
+ disabling privilege separation (which previously required code
+ changes to disable) and disabling re-execution of sshd(8) has
+ been removed. Further separation of sshd-session into
+ additional, minimal binaries is planned for the future.
+ * sshd(8): several log messages have changed. In particular, some
+ log messages will be tagged with as originating from a process
+ named "sshd-session" rather than "sshd".
+ * ssh-keyscan(1): this tool previously emitted comment lines
+ containing the hostname and SSH protocol banner to standard
+ error. This release now emits them to standard output, but adds
+ a new "-q" flag to silence them altogether.
+ * sshd(8): (portable OpenSSH only) sshd will no longer use
+ argv[0] as the PAM service name. A new "PAMServiceName"
+ sshd_config(5) directive allows selecting the service name at
+ runtime. This defaults to "sshd". bz2101
+ * (portable OpenSSH only) Automatically-generated files, such as
+ configure, config.h.in, etc will now be checked in to the
+ portable OpenSSH git release branch (e.g. V_9_8). This should
+ ensure that the contents of the signed release branch exactly
+ match the contents of the signed release tarball.
+
+ = New features
+ * sshd(8): as described above, sshd(8) will now penalise client
+ addresses that, for various reasons, do not successfully
+ complete authentication. This feature is controlled by a new
+ sshd_config(5) PerSourcePenalties option and is on by default.
+ sshd(8) will now identify situations where the session did not
+ authenticate as expected. These conditions include when the
+ client repeatedly attempted authentication unsucessfully
+ (possibly indicating an attack against one or more accounts,
+ e.g. password guessing), or when client behaviour caused sshd
+ to crash (possibly indicating attempts to exploit bugs in
+ sshd).
+ When such a condition is observed, sshd will record a penalty
+ of some duration (e.g. 30 seconds) against the client's
+ address. If this time is above a minimum configurable
+ threshold, then all connections from the client address will be
+ refused (along with any others in the same
+ PerSourceNetBlockSize CIDR range) until the penalty expire.
+ Repeated offenses by the same client address will accrue
+ greater penalties, up to a configurable maximum. Address ranges
+ may be fully exempted from penalties, e.g. to guarantee access
+ from a set of trusted management addresses, using the new
+ sshd_config(5) PerSourcePenaltyExemptList option.
+ We hope these options will make it significantly more difficult
+ for attackers to find accounts with weak/guessable passwords or
+ exploit bugs in sshd(8) itself. This option is enabled by
+ default.
+ * ssh(8): allow the HostkeyAlgorithms directive to disable the
+ implicit fallback from certificate host key to plain host keys.
+
+ = Bugfixes
+ * misc: fix a number of inaccuracies in the PROTOCOL.*
+ documentation files. GHPR430 GHPR487
+ * all: switch to strtonum(3) for more robust integer parsing in
+ most places.
+ * ssh(1), sshd(8): correctly restore sigprocmask around ppoll()
+ * ssh-keysign(8): stricter validation of messaging socket fd
+ GHPR492
+ * sftp(1): flush stdout after writing "sftp>" prompt when not
+ using editline. GHPR480
+ * sftp-server(8): fix home-directory extension implementation,
+ it previously always returned the current user's home directory
+ contrary to the spec. GHPR477
+ * ssh-keyscan(1): do not close stdin to prevent error messages
+ when stdin is read multiple times. E.g.
+ echo localhost | ssh-keyscan -f - -f -
+ * regression tests: fix rekey test that was testing the same KEX
+ algorithm repeatedly instead of testing all of them. bz3692
+ * ssh_config(5), sshd_config(5): clarify the KEXAlgorithms
+ directive documentation, especially around what is supported
+ vs available. bz3701.
+
+ = Portability
+ * sshd(8): expose SSH_AUTH_INFO_0 always to PAM auth modules
+ unconditionally. The previous behaviour was to expose it only
+ when particular authentication methods were in use.
+ * build: fix OpenSSL ED25519 support detection. An incorrect
+ function signature in configure.ac previously prevented
+ enabling the recently added support for ED25519 private keys in
+ PEM PKCS8 format.
+ * ssh(1), ssh-agent(8): allow the presence of the WAYLAND_DISPLAY
+ environment variable to enable SSH_ASKPASS, similarly to the
+ X11 DISPLAY environment variable. GHPR479
+ * build: improve detection of the -fzero-call-used-regs compiler
+ flag. bz3673.
+ * build: relax OpenSSL version check to accept all OpenSSL 3.x
+ versions.
+ * sshd(8): add support for notifying systemd on server listen and
+ reload, using a standalone implementation that doesn't depend
+ on libsystemd. bz2641
+
+- Update to openssh 9.7p1:
+
+ = New features
+ * ssh(1), sshd(8): add a "global" ChannelTimeout type that
+ watches all open channels and will close all open channels if
+ there is no traffic on any of them for the specified interval.
+ This is in addition to the existing per-channel timeouts added
+ recently.
+ This supports situations like having both session and x11
+ forwarding channels open where one may be idle for an extended
+ period but the other is actively used. The global timeout could
+ close both channels when both have been idle for too long.
+ * All: make DSA key support compile-time optional, defaulting to
+ on.
+
+ = Bugfixes
+ * sshd(8): don't append an unnecessary space to the end of
+ subsystem arguments (bz3667)
+ * ssh(1): fix the multiplexing "channel proxy" mode, broken when
+ keystroke timing obfuscation was added. (GHPR#463)
+ * ssh(1), sshd(8): fix spurious configuration parsing errors when
+ options that accept array arguments are overridden (bz3657).
+ * ssh-agent(1): fix potential spin in signal handler (bz3670)
+ * Many fixes to manual pages and other documentation, including
+ GHPR#462, GHPR#454, GHPR#442 and GHPR#441.
+ * Greatly improve interop testing against PuTTY.
+
+ = Portability
+ * Improve the error message when the autoconf OpenSSL header
+ check fails (bz#3668)
+ * Improve detection of broken toolchain -fzero-call-used-regs
+ support (bz3645).
+ * Fix regress/misc/fuzz-harness fuzzers and make them compile
+ without warnings when using clang16
+- Use gcc-11 in SLE to avoid a "parameter name omitted" error
+- Rebase patches:
+ * logind_set_tty.patch
+ * openssh-6.6.1p1-selinux-contexts.patch
+ * openssh-6.6p1-keycat.patch
+ * openssh-6.6p1-privsep-selinux.patch
+ * openssh-7.6p1-cleanup-selinux.patch
+ * openssh-7.7p1-cavstest-ctr.patch
+ * openssh-7.7p1-cavstest-kdf.patch
+ * openssh-7.7p1-fips.patch
+ * openssh-7.7p1-fips_checks.patch
+ * openssh-7.7p1-ldap.patch
+ * openssh-7.7p1-pam_check_locks.patch
+ * openssh-7.7p1-systemd-notify.patch
+ * openssh-7.8p1-role-mls.patch
+ * openssh-8.0p1-gssapi-keyex.patch
+ * openssh-8.1p1-audit.patch
+ * openssh-8.4p1-vendordir.patch
+ * openssh-9.6p1-crypto-policies-man.patch
+ * openssh-mitigate-lingering-secrets.patch
+ * openssh-reenable-dh-group14-sha1-default.patch
+ * wtmpdb.patch
+- Thanks to Fedora developers for an initial version of the
+ rebase of the following patches:
+ * openssh-8.0p1-gssapi-keyex.patch
+ * openssh-7.8p1-role-mls.patch
+ * openssh-8.1p1-audit.patch
+- Remove patches that are already included in 9.8p1:
+ * fix-CVE-2024-6387.patch
+ * 0001-upstream-fix-proxy-multiplexing-mode_-broken-when-keystroke.patch
+ * 0001-upstream-correctly-restore-sigprocmask-around-ppoll.patch
+ * 0001-upstream-when-sending-ObscureKeystrokeTiming-chaff-packets_.patch
+- Remove patch that is now merged into
+ openssh-7.7p1-cavstest-ctr.patch and
+ openssh-7.7p1-cavstest-kdf.patch where it belongs:
+ * fix-missing-lz.patch
+
+-------------------------------------------------------------------
+Mon Jul 15 17:49:06 UTC 2024 - Antonio Larrosa <alarrosa(a)suse.com>
+
+- Add sshd.socket and sshd@.service units as alternative to the
+ sshd.service that makes systemd listen to the ssh port
+ and run sshd per incoming connection. To enable this,
+ disable sshd.service and enable sshd.socket . If you want to
+ use a non standard sshd port with sshd.socket you can do
+ "systemctl edit sshd.socket" and add something like:
+
+ [Socket]
+ ListenStream=8022
+
+ which listens on port 8022 as well as on port 22. If you want
+ to reset the list of listened ports and just use 8022, use:
++++ 12 more lines (skipped)
++++ between /work/SRC/openSUSE:Factory/openssh/openssh.changes
++++ and /work/SRC/openSUSE:Factory/.openssh.new.2698/openssh.changes
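Review bot: the top entry says the two changes "fix 2 of the 3 issues reported in bsc#1229650" without naming the one still open; state which issue remains so the next updater does not have to rediscover it. For operators, the 9.8 notes quoted in this hunk warn that PerSourcePenalties is on by default and that servers reached through NAT or proxies may need PerSourcePenaltyExemptList; this submission ships no drop-in for it, which is fine as a default, but a sentence in the changelog pointing at the new sshd_config(5) options would help administrators who see clients refused after the update.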
Old:
----
0001-upstream-correctly-restore-sigprocmask-around-ppoll.patch
0001-upstream-fix-proxy-multiplexing-mode_-broken-when-keystroke.patch
0001-upstream-when-sending-ObscureKeystrokeTiming-chaff-packets_.patch
fix-CVE-2024-6387.patch
fix-missing-lz.patch
openssh-9.6p1.tar.gz
openssh-9.6p1.tar.gz.asc
New:
----
fix-audit-fail-attempt.patch
fix-memleak-in-process_server_config_line_depth.patch
openssh-9.8p1.tar.gz
openssh-9.8p1.tar.gz.asc
sshd.socket
sshd@.service
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ openssh-askpass-gnome.spec ++++++
--- /var/tmp/diff_new_pack.kVY3db/_old 2024-08-29 15:43:29.173528718 +0200
+++ /var/tmp/diff_new_pack.kVY3db/_new 2024-08-29 15:43:29.177528885 +0200
@@ -1,7 +1,7 @@
#
# spec file for package openssh-askpass-gnome
#
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -18,7 +18,7 @@
%define _name openssh
Name: openssh-askpass-gnome
-Version: 9.6p1
+Version: 9.8p1
Release: 0
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
License: BSD-2-Clause
++++++ openssh.spec ++++++
--- /var/tmp/diff_new_pack.kVY3db/_old 2024-08-29 15:43:29.225530880 +0200
+++ /var/tmp/diff_new_pack.kVY3db/_new 2024-08-29 15:43:29.229531046 +0200
@@ -1,7 +1,7 @@
#
# spec file for package openssh
#
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -39,7 +39,7 @@
%define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif
Name: openssh
-Version: 9.6p1
+Version: 9.8p1
Release: 0
Summary: Secure Shell Client and Server (Remote Login Program)
License: BSD-2-Clause AND MIT
@@ -61,6 +61,8 @@
Source13: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc#/openssh.keyring
Source14: sysusers-sshd.conf
Source15: sshd-sle.pamd
+Source16: sshd@.service
+Source17: sshd.socket
Patch1: openssh-7.7p1-X11_trusted_forwarding.patch
Patch3: openssh-7.7p1-enable_PAM_by_default.patch
Patch4: openssh-7.7p1-eal3.patch
@@ -119,7 +121,6 @@
Patch51: wtmpdb.patch
Patch52: logind_set_tty.patch
Patch54: openssh-mitigate-lingering-secrets.patch
-Patch100: fix-missing-lz.patch
Patch102: openssh-7.8p1-role-mls.patch
Patch103: openssh-6.6p1-privsep-selinux.patch
Patch104: openssh-6.6p1-keycat.patch
@@ -128,19 +129,17 @@
# PATCH-FIX-OPENSUSE bsc#1211301 Add crypto-policies support
Patch107: openssh-9.6p1-crypto-policies.patch
Patch108: openssh-9.6p1-crypto-policies-man.patch
-# PATCH-FIX-UPSTREAM bsc#1226642 fix CVE-2024-6387
-Patch109: fix-CVE-2024-6387.patch
-# PATCH-FIX-UPSTREAM
-Patch110: 0001-upstream-fix-proxy-multiplexing-mode_-broken-when-keystroke.patch
-# PATCH-FIX-UPSTREAM
-Patch111: 0001-upstream-correctly-restore-sigprocmask-around-ppoll.patch
-# PATCH-FIX-UPSTREAM bsc#1227318 CVE-2024-39894
-Patch112: 0001-upstream-when-sending-ObscureKeystrokeTiming-chaff-packets_.patch
+Patch109: fix-memleak-in-process_server_config_line_depth.patch
+# PATCH-FIX-UPSTREAM alarrosa(a)suse.com -- https://github.com/openssh/openssh-portable/pull/516
+Patch110: fix-audit-fail-attempt.patch
%if 0%{with allow_root_password_login_by_default}
Patch1000: openssh-7.7p1-allow_root_password_login.patch
%endif
BuildRequires: audit-devel
BuildRequires: automake
+%if 0%{?sle_version} >= 150500
+BuildRequires: gcc11
+%endif
BuildRequires: groff
BuildRequires: libedit-devel
BuildRequires: libselinux-devel
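Review bot: Patch109 (fix-memleak-in-process_server_config_line_depth.patch) has no PATCH-FIX-UPSTREAM tag line, unlike Patch110 and the other entries in this block; the patch header cites https://github.com/openssh/openssh-portable/pull/515, so add `# PATCH-FIX-UPSTREAM alarrosa(a)suse.com -- https://github.com/openssh/openssh-portable/pull/515` above it. The `gcc11` BuildRequires is guarded by `%if 0%{?sle_version} >= 150500`, the same condition used for `export CC=gcc-11` in %build; keep the two guards identical, otherwise a build can require a compiler it never uses or use one it never required.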
@@ -328,6 +327,9 @@
)
%build
+%if 0%{?sle_version} >= 150500
+export CC=gcc-11
+%endif
autoreconf -fiv
%ifarch s390 s390x %{sparc}
PIEFLAGS="-fPIE"
@@ -368,6 +370,7 @@
--disable-lastlog \
--with-logind \
%endif
+ --enable-dsa-keys \
--with-security-key-builtin \
--target=%{_target_cpu}-suse-linux
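Review bot: `--enable-dsa-keys` restores DSA at compile time only; according to the 9.8 release notes in the changelog, DSA keys remain disabled at run time unless the crypto-policy (LEGACY) turns them on, and upstream intends to remove DSA entirely in its first 2025 release, at which point this configure option goes away. Put a comment above the flag recording both facts and bsc#1229650 so the next rebase knows the flag is intentional, only reachable via the LEGACY policy, and temporary.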
@@ -392,6 +395,8 @@
install -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/slp.reg.d/
%endif
install -D -m 0644 %{SOURCE10} %{buildroot}%{_unitdir}/sshd.service
+install -D -m 0644 %{SOURCE16} %{buildroot}%{_unitdir}/sshd@.service
+install -D -m 0644 %{SOURCE17} %{buildroot}%{_unitdir}/sshd.socket
ln -s service %{buildroot}%{_sbindir}/rcsshd
install -d -m 755 %{buildroot}%{_fillupdir}
install -m 644 %{SOURCE8} %{buildroot}%{_fillupdir}
@@ -471,11 +476,11 @@
test -f /etc/ssh/sshd_config.rpmsave && mv -v /etc/ssh/sshd_config.rpmsave /etc/ssh/sshd_config.rpmsave.old ||:
%endif
-%service_add_pre sshd.service
+%service_add_pre sshd.service sshd.socket
%post server
%{fillup_only -n ssh}
-%service_add_post sshd.service
+%service_add_post sshd.service sshd.socket
%if ! %{defined _distconfdir}
test -f /etc/ssh/sshd_config && (grep -q "^Include /etc/ssh/sshd_config\.d/\*\.conf" /etc/ssh/sshd_config || ( \
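Review bot: `%service_add_post sshd.service sshd.socket` registers both units, but the changelog describes sshd.socket as an alternative to sshd.service, so the two must not both end up enabled on a fresh install. %service_add_post applies the systemd presets, so confirm that no preset enables sshd.socket; an enabled socket next to an enabled sshd.service would compete for port 22 and one of them would fail to bind.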
@@ -487,16 +492,16 @@
%endif
%preun server
-%service_del_preun sshd.service
+%service_del_preun sshd.service sshd.socket
%postun server
# The openssh-fips trigger script for openssh will normally restart sshd once
# it gets installed, so only restart the service here if openssh-fips is not
# present.
if rpm -q openssh-fips >/dev/null 2>/dev/null; then
-%service_del_postun_without_restart sshd.service
+%service_del_postun_without_restart sshd.service sshd.socket
else
-%service_del_postun sshd.service
+%service_del_postun sshd.service sshd.socket
fi
%if ! %{defined _distconfdir}
@@ -584,11 +589,14 @@
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf
%endif
%attr(0644,root,root) %{_unitdir}/sshd.service
+%attr(0644,root,root) %{_unitdir}/sshd@.service
+%attr(0644,root,root) %{_unitdir}/sshd.socket
%attr(0644,root,root) %{_sysusersdir}/sshd.conf
%attr(0444,root,root) %{_mandir}/man5/sshd_config*
%attr(0444,root,root) %{_mandir}/man8/sftp-server.8*
%attr(0444,root,root) %{_mandir}/man8/sshd.8*
%attr(0755,root,root) %{_libexecdir}/ssh/sftp-server
+%attr(0755,root,root) %{_libexecdir}/ssh/sshd-session
%if 0%{?suse_version} < 1600
%dir %{_sysconfdir}/slp.reg.d
%config %{_sysconfdir}/slp.reg.d/ssh.reg
++++++ fix-audit-fail-attempt.patch ++++++
Index: openssh-9.8p1/sshd-session.c
===================================================================
--- openssh-9.8p1.orig/sshd-session.c
+++ openssh-9.8p1/sshd-session.c
@@ -1624,9 +1624,6 @@ cleanup_exit(int i)
}
}
}
- /* Override default fatal exit value when auth was attempted */
- if (i == 255 && auth_attempted)
- _exit(EXIT_AUTH_ATTEMPTED);
#ifdef SSH_AUDIT_EVENTS
/* done after do_cleanup so it can cancel the PAM auth 'thread' */
if (the_active_state != NULL &&
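Review bot: moving the `_exit(EXIT_AUTH_ATTEMPTED)` override below the SSH_AUDIT_EVENTS block is the whole fix: with `auth_attempted` set, cleanup_exit() previously left through this early `_exit()` before the audit hook ran, so failed attempts never reached the audit subsystem. The relocated check in the next hunk keeps the exit-status contract (255 is still reported as EXIT_AUTH_ATTEMPTED), which the listener relies on for its penalty bookkeeping; the only other behavioural change is that clobber_stack() now also runs on this path, which is harmless since both branches end in `_exit()`.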
@@ -1636,5 +1633,8 @@ cleanup_exit(int i)
#endif
clobber_stack();
+ /* Override default fatal exit value when auth was attempted */
+ if (i == 255 && auth_attempted)
+ _exit(EXIT_AUTH_ATTEMPTED);
_exit(i);
}
++++++ fix-memleak-in-process_server_config_line_depth.patch ++++++
From fcc66557503124ab98491a598b706a24eb3cf0e1 Mon Sep 17 00:00:00 2001
From: Antonio Larrosa <alarrosa(a)suse.com>
Date: Mon, 12 Aug 2024 11:32:42 +0200
Subject: [PATCH] Fix a small memory leak in process_server_config_line_depth
The return value of argv_assemble is owned by the caller and should be
free'd. When processing the sSubsystem case there are two calls to
argv_assemble but only one of them is freed. This patch fixes the small
(29 bytes according to valgrind) memory leak.
The output from valgrind:
==115369== 29 bytes in 1 blocks are definitely lost in loss record 573 of 913
==115369== at 0x4845794: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==115369== by 0x124A22: argv_assemble (misc.c:2165)
==115369== by 0x1385E5: process_server_config_line_depth.constprop.0 (servconf.c:2004)
==115369== by 0x13984D: parse_server_config_depth.constprop.0 (servconf.c:3032)
==115369== by 0x139986: parse_server_config.constprop.0 (servconf.c:3049)
==115369== by 0x111C6E: main (sshd.c:1445)
Submitted to upstream at https://github.com/openssh/openssh-portable/pull/515
---
servconf.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/servconf.c b/servconf.c
index 5a20d6f8..0b989b95 100644
--- a/servconf.c
+++ b/servconf.c
@@ -2006,6 +2006,7 @@ process_server_config_line_depth(ServerOptions *options, char *line,
xasprintf(&options->subsystem_args[options->num_subsystems],
"%s%s%s", arg, *arg2 == '\0' ? "" : " ", arg2);
free(arg2);
+ free(arg);
argv_consume(&ac);
options->num_subsystems++;
break;
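Review bot: correct as far as it goes, but `arg` in this function normally points into the argv array and must not be freed; it is heap-owned here only because the sSubsystem case reassigns it from argv_assemble, as the commit message explains, and that reassignment is several lines above the new `free(arg);`. A short comment next to the free (for example `/* arg was replaced by argv_assemble() and is owned here */`), or a distinctly named variable for the assembled string, would stop a future copy of this block into another case from freeing a non-owned pointer.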
--
2.45.2
++++++ logind_set_tty.patch ++++++
--- /var/tmp/diff_new_pack.kVY3db/_old 2024-08-29 15:43:29.365536701 +0200
+++ /var/tmp/diff_new_pack.kVY3db/_new 2024-08-29 15:43:29.369536868 +0200
@@ -14,11 +14,11 @@
$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(GSSLIBS) $(CHANNELLIBS)
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
-- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
-+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB) $(LIBSYSTEMD)
+- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
++ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(CHANNELLIBS) $(LIBWTMPDB) $(LIBSYSTEMD)
- scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS)
- $(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ sshd-session$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHD_SESSION_OBJS)
+ $(LD) -o $@ $(SSHD_SESSION_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
diff --git a/configure.ac b/configure.ac
index a12c6f7ad..860df3379 100644
--- a/configure.ac
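Review bot: the rebased link rule adds $(LIBSYSTEMD) to sshd$(EXEEXT) only, while the sshd-session$(EXEEXT) rule shown as context links without it. Since 9.8 moved session handling into the per-session binary, verify which object list actually contains the sd_bus_* calls introduced by this patch and add $(LIBSYSTEMD) to the rule that links those objects; as shown, only the listener binary gets the library.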
@@ -106,7 +106,7 @@
#ifdef CUSTOM_SYS_AUTH_RECORD_LOGIN
if (li->type == LTYPE_LOGIN &&
!sys_auth_record_login(li->username,li->hostname,li->line,
-@@ -1476,6 +1486,88 @@ wtmpdb_write_entry(struct logininfo *li)
+@@ -1476,6 +1486,91 @@ wtmpdb_write_entry(struct logininfo *li)
}
#endif
@@ -171,9 +171,12 @@
+
+ free(dbus_path);
+
-+ if (sd_bus_flush(bus) < 0)
++ if (sd_bus_flush(bus) < 0) {
++ sd_bus_unref(bus);
+ return (0);
++ }
+
++ sd_bus_unref(bus);
+ return (1);
+}
+
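Review bot: both tail returns now drop the bus reference, but any earlier `return (0)` in this function after the bus was opened (not visible in this hunk) would still leak it; check those paths as well. A single `sd_bus_flush_close_unref(bus)` at one exit point, or a goto-based cleanup label, would replace the duplicated `sd_bus_unref(bus)` and make the ownership obvious to the next reader.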
++++++ openssh-6.6.1p1-selinux-contexts.patch ++++++
--- /var/tmp/diff_new_pack.kVY3db/_old 2024-08-29 15:43:29.385537533 +0200
+++ /var/tmp/diff_new_pack.kVY3db/_new 2024-08-29 15:43:29.389537699 +0200
@@ -104,10 +104,10 @@
#endif
#ifdef LINUX_OOM_ADJUST
-Index: openssh-9.6p1/sshd.c
+Index: openssh-9.6p1/sshd-session.c
===================================================================
---- openssh-9.6p1.orig/sshd.c
-+++ openssh-9.6p1/sshd.c
+--- openssh-9.6p1.orig/sshd-session.c
++++ openssh-9.6p1/sshd-session.c
@@ -511,7 +511,7 @@ privsep_preauth_child(struct ssh *ssh)
demote_sensitive_data(ssh);
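Review bot: the rebased Index/---/+++ lines still carry the openssh-9.6p1 prefix although the package is now at 9.8p1; with -p1 the leading directory is stripped so the patch applies, but the stale prefix misleads the next rebase. The same applies to the openssh-9.3p2 prefix in the keycat patch below.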
++++++ openssh-6.6p1-keycat.patch ++++++
--- /var/tmp/diff_new_pack.kVY3db/_old 2024-08-29 15:43:29.405538365 +0200
+++ /var/tmp/diff_new_pack.kVY3db/_new 2024-08-29 15:43:29.409538531 +0200
@@ -37,14 +37,14 @@
===================================================================
--- openssh-9.3p2.orig/Makefile.in
+++ openssh-9.3p2/Makefile.in
-@@ -24,6 +24,7 @@ SSH_PROGRAM=@bindir@/ssh
+@@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
SFTP_SERVER=$(libexecdir)/sftp-server
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
+SSH_KEYCAT=$(libexecdir)/ssh-keycat
+ SSHD_SESSION=$(libexecdir)/sshd-session
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
- SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
@@ -57,6 +58,7 @@ CHANNELLIBS=@CHANNELLIBS@
K5LIBS=@K5LIBS@
GSSLIBS=@GSSLIBS@
@@ -53,12 +53,12 @@
LIBEDIT=@LIBEDIT@
LIBFIDO2=@LIBFIDO2@
LIBWTMPDB=@LIBWTMPDB@
-@@ -75,7 +77,7 @@ MKDIR_P=@MKDIR_P@
+@@ -65,7 +66,7 @@ EXEEXT=@EXEEXT@
.SUFFIXES: .lo
--TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
-+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT)
+-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
++TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT)
TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT)
@@ -99,9 +99,9 @@
===================================================================
--- openssh-9.3p2.orig/openbsd-compat/port-linux-sshd.c
+++ openssh-9.3p2/openbsd-compat/port-linux-sshd.c
-@@ -53,6 +53,20 @@ extern Authctxt *the_authctxt;
+@@ -54,6 +54,20 @@ extern Authctxt *the_authctxt;
+ extern Authctxt *the_authctxt;
extern int inetd_flag;
- extern int rexeced_flag;
+/* Wrapper around is_selinux_enabled() to log its return value once only */
+int
@@ -129,14 +129,14 @@
{
const char *reqlvl;
char *role;
-@@ -329,16 +343,16 @@ sshd_selinux_setup_pam_variables(void)
+@@ -319,16 +333,16 @@ sshd_selinux_setup_pam_variables(void)
ssh_selinux_get_role_level(&role, &reqlvl);
- rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : "");
+ rv = set_it("SELINUX_ROLE_REQUESTED", role ? role : "");
- if (inetd_flag && !rexeced_flag) {
+ if (inetd_flag) {
use_current = "1";
} else {
use_current = "";
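Review bot: replacing `(inetd_flag && !rexeced_flag)` with `inetd_flag` in sshd_selinux_setup_pam_variables() changes which process decides whether the current SELinux level is kept: a re-exec'd sshd never took the inetd branch before, now inetd_flag alone drives use_current. Since this code now runs in sshd-session rather than in the listener, the simplification is only correct if inetd_flag is set in the session process when the listener was started from inetd; the patch header should say how that flag reaches sshd-session.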
++++++ openssh-6.6p1-privsep-selinux.patch ++++++
--- /var/tmp/diff_new_pack.kVY3db/_old 2024-08-29 15:43:29.425539196 +0200
+++ /var/tmp/diff_new_pack.kVY3db/_new 2024-08-29 15:43:29.429539363 +0200
@@ -52,7 +52,7 @@
platform_setusercontext(pw);
- if (platform_privileged_uidswap()) {
-+ if (platform_privileged_uidswap() && (!is_child || !use_privsep)) {
++ if (platform_privileged_uidswap() && !is_child) {
#ifdef HAVE_LOGIN_CAP
if (setusercontext(lc, pw, pw->pw_uid,
(LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) {
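Review bot: dropping the `!use_privsep` term in `platform_privileged_uidswap() && !is_child` is consistent with the role-mls patch further down, which removes the use_privsep conditionals around mm_inform_authserv(); with privilege separation always on, `(!is_child || !use_privsep)` reduces to `!is_child`, so behaviour is unchanged for the only configuration that still exists.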
@@ -98,11 +98,11 @@
exit(sftp_server_main(i, argv, s->pw));
}
-Index: openssh-9.3p2/sshd.c
+Index: openssh-9.3p2/sshd-session.c
===================================================================
---- openssh-9.3p2.orig/sshd.c
-+++ openssh-9.3p2/sshd.c
-@@ -510,6 +510,10 @@ privsep_preauth_child(struct ssh *ssh)
+--- openssh-9.3p2.orig/sshd-session.c
++++ openssh-9.3p2/sshd-session.c
+@@ -342,6 +342,10 @@ privsep_preauth_child(struct ssh *ssh)
/* Demote the private keys to public keys. */
demote_sensitive_data(ssh);
@@ -113,14 +113,13 @@
/* Demote the child */
if (privsep_chroot) {
/* Change our root directory */
-@@ -602,6 +606,9 @@ privsep_postauth(struct ssh *ssh, Authct
-
- #ifdef DISABLE_FD_PASSING
- if (1) {
-+#elif defined(WITH_SELINUX)
-+ if (0) {
-+ /* even root user can be confined by SELinux */
- #else
- if (authctxt->pw->pw_uid == 0) {
+@@ -444,7 +448,7 @@ privsep_postauth(struct ssh *ssh, Authct
+ * fd passing, as AFAIK PTY allocation on this platform doesn't require
+ * special privileges to begin with.
+ */
+-#if defined(DISABLE_FD_PASSING) && !defined(HAVE_CYGWIN)
++#if defined(DISABLE_FD_PASSING) && !defined(HAVE_CYGWIN) && !defined(WITH_SELINUX)
+ skip_privdrop = 1;
#endif
+
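Review bot: the new `&& !defined(WITH_SELINUX)` on the skip_privdrop condition drops the explanation the old form carried (`/* even root user can be confined by SELinux */`). The upstream comment directly above the `#if` only talks about fd passing and PTY allocation, so a reader of sshd-session.c will not see why SELinux forces the privilege drop for uid 0; add a one-line comment next to the `#if` stating that root can be confined by SELinux and therefore must not skip the drop in privsep_postauth().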
++++++ openssh-7.6p1-cleanup-selinux.patch ++++++
--- /var/tmp/diff_new_pack.kVY3db/_old 2024-08-29 15:43:29.445540028 +0200
+++ /var/tmp/diff_new_pack.kVY3db/_new 2024-08-29 15:43:29.449540194 +0200
@@ -9,16 +9,16 @@
+extern int inetd_flag;
+extern int rexeced_flag;
+extern Authctxt *the_authctxt;
+ extern struct authmethod_cfg methodcfg_pubkey;
static char *
- format_key(const struct sshkey *key)
@@ -459,7 +462,8 @@ match_principals_command(struct passwd *
if ((pid = subprocess("AuthorizedPrincipalsCommand", command,
ac, av, &f,
SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
- runas_pw, temporarily_use_uid, restore_uid)) == 0)
+ runas_pw, temporarily_use_uid, restore_uid,
-+ (inetd_flag && !rexeced_flag), the_authctxt)) == 0)
++ inetd_flag, the_authctxt)) == 0)
goto out;
uid_swapped = 1;
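Review bot: `+extern int rexeced_flag;` at the top of this hunk is kept although its only use, `(inetd_flag && !rexeced_flag)` in the subprocess() call, is replaced by `inetd_flag`, and the hunk that turned rexeced_flag into a non-static symbol in sshd.c is removed further down in this patch. An unreferenced extern still compiles, but it now declares a symbol no object defines; remove the declaration together with the use.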
@@ -28,7 +28,7 @@
SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
- runas_pw, temporarily_use_uid, restore_uid)) == 0)
+ runas_pw, temporarily_use_uid, restore_uid,
-+ (inetd_flag && !rexeced_flag), the_authctxt)) == 0)
++ inetd_flag, the_authctxt)) == 0)
goto out;
uid_swapped = 1;
@@ -87,14 +87,13 @@
===================================================================
--- openssh-9.3p2.orig/openbsd-compat/port-linux-sshd.c
+++ openssh-9.3p2/openbsd-compat/port-linux-sshd.c
-@@ -49,11 +49,6 @@
+@@ -49,10 +49,6 @@
#include <unistd.h>
#endif
-extern ServerOptions options;
-extern Authctxt *the_authctxt;
-extern int inetd_flag;
--extern int rexeced_flag;
-
/* Wrapper around is_selinux_enabled() to log its return value once only */
int
@@ -133,7 +132,7 @@
if (r == 0) {
/* If launched from xinetd, we must use current level */
-- if (inetd_flag && !rexeced_flag) {
+- if (inetd_flag) {
+ if (inetd) {
security_context_t sshdsc=NULL;
@@ -157,7 +156,7 @@
rv = set_it("SELINUX_ROLE_REQUESTED", role ? role : "");
-- if (inetd_flag && !rexeced_flag) {
+- if (inetd_flag) {
+ if (inetd) {
use_current = "1";
} else {
@@ -222,56 +221,46 @@
===================================================================
--- openssh-9.3p2.orig/platform.c
+++ openssh-9.3p2/platform.c
-@@ -34,6 +34,9 @@
+@@ -34,6 +34,8 @@
+ #include "openbsd-compat/openbsd-compat.h"
- extern int use_privsep;
extern ServerOptions options;
+extern int inetd_flag;
-+extern int rexeced_flag;
+extern Authctxt *the_authctxt;
- void
- platform_pre_listen(void)
-@@ -185,7 +188,9 @@ platform_setusercontext_post_groups(stru
+ /* return 1 if we are running with privilege to swap UIDs, 0 otherwise */
+ int
+@@ -185,7 +187,9 @@ platform_setusercontext_post_groups(stru
}
#endif /* HAVE_SETPCRED */
#ifdef WITH_SELINUX
- sshd_selinux_setup_exec_context(pw->pw_name);
+ sshd_selinux_setup_exec_context(pw->pw_name,
-+ (inetd_flag && !rexeced_flag), do_pam_putenv, the_authctxt,
++ inetd_flag, do_pam_putenv, the_authctxt,
+ options.use_pam);
#endif
}
-Index: openssh-9.3p2/sshd.c
+Index: openssh-9.3p2/sshd-session.c
===================================================================
---- openssh-9.3p2.orig/sshd.c
-+++ openssh-9.3p2/sshd.c
+--- openssh-9.3p2.orig/sshd-session.c
++++ openssh-9.3p2/sshd-session.c
@@ -166,7 +166,7 @@ int debug_flag = 0;
- static int test_flag = 0;
+ int debug_flag = 0;
/* Flag indicating that the daemon is being started from inetd. */
-static int inetd_flag = 0;
+int inetd_flag = 0;
- /* Flag indicating that sshd should not detach and become a daemon. */
- static int no_daemon_flag = 0;
-@@ -179,7 +179,7 @@ static char **saved_argv;
- static int saved_argc;
-
- /* re-exec */
--static int rexeced_flag = 0;
-+int rexeced_flag = 0;
- static int rexec_flag = 1;
- static int rexec_argc = 0;
- static char **rexec_argv;
+ /* debug goes to stderr unless inetd_flag is set */
+ static int log_stderr = 0;
@@ -2396,7 +2396,9 @@ main(int ac, char **av)
}
#endif
#ifdef WITH_SELINUX
- sshd_selinux_setup_exec_context(authctxt->pw->pw_name);
+ sshd_selinux_setup_exec_context(authctxt->pw->pw_name,
-+ (inetd_flag && !rexeced_flag), do_pam_putenv, the_authctxt,
++ inetd_flag, do_pam_putenv, the_authctxt,
+ options.use_pam);
#endif
#ifdef USE_PAM
++++++ openssh-7.7p1-cavstest-ctr.patch ++++++
--- /var/tmp/diff_new_pack.kVY3db/_old 2024-08-29 15:43:29.481541525 +0200
+++ /var/tmp/diff_new_pack.kVY3db/_new 2024-08-29 15:43:29.485541691 +0200
@@ -7,7 +7,7 @@
--- openssh-8.8p1.orig/Makefile.in
+++ openssh-8.8p1/Makefile.in
@@ -26,6 +26,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
- SSH_KEYSIGN=$(libexecdir)/ssh-keysign
+ SSHD_SESSION=$(libexecdir)/sshd-session
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
+CAVSTEST_CTR=$(libexecdir)/cavstest-ctr
@@ -16,7 +16,7 @@
STRIP_OPT=@STRIP_OPT@
@@ -69,6 +70,8 @@ MKDIR_P=@MKDIR_P@
- TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
+ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
+TARGETS += cavstest-ctr$(EXEEXT)
+
@@ -29,7 +29,7 @@
+# FIPS tests
+cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-ctr.o
-+ $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
++ $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
+
# test driver for the loginrec code - not built by default
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
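Review bot: the `-lz` appended to the cavstest-ctr link line is hard-coded instead of coming from the libraries configure detected. OpenSSH's configure adds zlib to @LIBS@ when it finds it and supports `--without-zlib`; if `$(LIBS)` already carries `-lz` the explicit flag is redundant, and if zlib was disabled the link fails. The patch header should say what in the static link order needs zlib after $(LIBFIDO2), or the flag should follow the same guard configure uses. The same change is repeated for cavstest-kdf below.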
++++++ openssh-7.7p1-cavstest-kdf.patch ++++++
--- /var/tmp/diff_new_pack.kVY3db/_old 2024-08-29 15:43:29.501542357 +0200
+++ /var/tmp/diff_new_pack.kVY3db/_new 2024-08-29 15:43:29.505542523 +0200
@@ -16,7 +16,7 @@
STRIP_OPT=@STRIP_OPT@
@@ -70,7 +71,7 @@ MKDIR_P=@MKDIR_P@
- TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
+ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
-TARGETS += cavstest-ctr$(EXEEXT)
+TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT)
@@ -25,10 +25,10 @@
ssh-xmss.o \
@@ -252,6 +253,9 @@ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(S
cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-ctr.o
- $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
+ $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
+cavstest-kdf$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-kdf.o
-+ $(LD) -o $@ cavstest-kdf.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
++ $(LD) -o $@ cavstest-kdf.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
+
# test driver for the loginrec code - not built by default
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
++++++ openssh-7.7p1-fips.patch ++++++
--- /var/tmp/diff_new_pack.kVY3db/_old 2024-08-29 15:43:29.533543687 +0200
+++ /var/tmp/diff_new_pack.kVY3db/_new 2024-08-29 15:43:29.537543853 +0200
@@ -389,17 +389,17 @@
ssh_hmac_update(ctx, m, mlen) < 0 ||
Index: openssh-9.6p1/kex.c
===================================================================
---- openssh-9.6p1.orig/kex.c
-+++ openssh-9.6p1/kex.c
+--- openssh-9.6p1.orig/kex-names.c
++++ openssh-9.6p1/kex-names.c
@@ -64,6 +64,8 @@
- #include "digest.h"
+ #include "ssherr.h"
#include "xmalloc.h"
+#include "fips.h"
+
- /* prototype */
- static int kex_choose_conf(struct ssh *, uint32_t seq);
- static int kex_input_newkeys(int, u_int32_t, struct ssh *);
+ struct kexalg {
+ char *name;
+ u_int type;
@@ -87,7 +89,7 @@ struct kexalg {
int ec_nid;
int hash_alg;
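Review bot: the `Index: openssh-9.6p1/kex.c` line above the `---`/`+++` headers is not updated while those headers now name kex-names.c. GNU patch(1) considers the Index: name as a candidate for the file to patch and, outside POSIX mode, prefers the shortest basename among existing candidates; with kex.c still present in the tree that is kex.c, so this hunk can be applied against (or rejected from) the wrong file. Change the Index: line to kex-names.c as well.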
@@ -647,8 +647,8 @@
#include "digest.h"
+#include "fips.h"
- static void add_listen_addr(ServerOptions *, const char *,
- const char *, int);
+ #if !defined(SSHD_PAM_SERVICE)
+ # define SSHD_PAM_SERVICE "sshd"
@@ -207,6 +208,23 @@ option_clear_or_none(const char *o)
return o == NULL || strcasecmp(o, "none") == 0;
}
@@ -785,8 +785,8 @@
--- openssh-9.6p1.orig/sshd.c
+++ openssh-9.6p1/sshd.c
@@ -128,6 +128,8 @@
+ #include "addr.h"
#include "srclimit.h"
- #include "dh.h"
+#include "fips.h"
+
++++++ openssh-7.7p1-fips_checks.patch ++++++
--- /var/tmp/diff_new_pack.kVY3db/_old 2024-08-29 15:43:29.557544685 +0200
+++ /var/tmp/diff_new_pack.kVY3db/_new 2024-08-29 15:43:29.561544852 +0200
@@ -459,14 +459,14 @@
--- openssh-8.8p1.orig/sshd.c
+++ openssh-8.8p1/sshd.c
@@ -1547,6 +1547,10 @@ main(int ac, char **av)
- struct connection_info *connection_info = NULL;
+ struct connection_info connection_info;
sigset_t sigmask;
+ /* initialize fips - can go before ssh_malloc_init(), since that is a
+ * OpenBSD-only thing (as of OpenSSH 7.6p1) */
+ fips_ssh_init();
+
+ memset(&connection_info, 0, sizeof(connection_info));
#ifdef HAVE_SECUREWARE
(void)set_auth_parameters(ac, av);
- #endif
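Review bot: fips_ssh_init() is added to main() in sshd.c, which after the listener/session split is only the listener, while the fips patch above pulls fips.h into kex-names.c, code that now runs in the separate sshd-session binary. Unless fips_ssh_init() is also called from sshd-session's main() (or its state comes from the crypto library rather than a process-global), the process that actually negotiates key exchange and ciphers would run with FIPS mode uninitialised; the patch should show where sshd-session initialises it.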
++++++ openssh-7.7p1-ldap.patch ++++++
--- /var/tmp/diff_new_pack.kVY3db/_old 2024-08-29 15:43:29.585545849 +0200
+++ /var/tmp/diff_new_pack.kVY3db/_new 2024-08-29 15:43:29.589546015 +0200
@@ -128,7 +128,7 @@
--- openssh-8.9p1.orig/Makefile.in
+++ openssh-8.9p1/Makefile.in
@@ -27,6 +27,8 @@ SFTP_SERVER=$(libexecdir)/sftp-server
- SSH_KEYSIGN=$(libexecdir)/ssh-keysign
+ SSHD_SESSION=$(libexecdir)/sshd-session
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
+SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
@@ -168,7 +168,7 @@
$(LD) -o $@ $(SFTPSERVER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
@@ -421,6 +429,10 @@ install-files:
- $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) sshd-session$(EXEEXT) $(DESTDIR)$(SSHD_SESSION)$(EXEEXT)
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
+ if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
++++++ openssh-7.7p1-pam_check_locks.patch ++++++
--- /var/tmp/diff_new_pack.kVY3db/_old 2024-08-29 15:43:29.605546681 +0200
+++ /var/tmp/diff_new_pack.kVY3db/_new 2024-08-29 15:43:29.609546847 +0200
@@ -32,17 +32,17 @@
--- openssh-8.8p1.orig/servconf.c
+++ openssh-8.8p1/servconf.c
@@ -92,6 +92,7 @@ initialize_server_options(ServerOptions
-
/* Portable-specific options */
options->use_pam = -1;
+ options->pam_service_name = NULL;
+ options->use_pam_check_locks = -1;
/* Standard Options */
options->num_ports = 0;
@@ -278,6 +279,8 @@ fill_default_server_options(ServerOption
- /* Portable-specific options */
- if (options->use_pam == -1)
options->use_pam = 0;
+ if (options->pam_service_name == NULL)
+ options->pam_service_name = xstrdup(SSHD_PAM_SERVICE);
+ if (options->use_pam_check_locks == -1)
+ options->use_pam_check_locks = 0;
@@ -52,26 +52,27 @@
typedef enum {
sBadOption, /* == unknown option */
/* Portable-specific options */
-- sUsePAM,
-+ sUsePAM, sUsePAMChecklocks,
+- sUsePAM, sPAMServiceName,
++ sUsePAM, sPAMServiceName, sUsePAMChecklocks,
/* Standard Options */
sPort, sHostKeyFile, sLoginGraceTime,
sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
-@@ -535,8 +538,10 @@ static struct {
- /* Portable-specific options */
+@@ -535,9 +538,11 @@ static struct {
#ifdef USE_PAM
{ "usepam", sUsePAM, SSHCFG_GLOBAL },
+ { "pamservicename", sPAMServiceName, SSHCFG_ALL },
+ { "usepamchecklocks", sUsePAMChecklocks, SSHCFG_GLOBAL },
#else
{ "usepam", sUnsupported, SSHCFG_GLOBAL },
+ { "pamservicename", sUnsupported, SSHCFG_ALL },
+ { "usepamchecklocks", sUnsupported, SSHCFG_GLOBAL },
#endif
{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
/* Standard Options */
@@ -1331,6 +1336,9 @@ process_server_config_line_depth(ServerO
- case sUsePAM:
- intptr = &options->use_pam;
- goto parse_flag;
+ if (*activep && *charptr == NULL)
+ *charptr = xstrdup(arg);
+ break;
+ case sUsePAMChecklocks:
+ intptr = &options->use_pam_check_locks;
+ goto parse_flag;
@@ -83,9 +84,9 @@
--- openssh-8.8p1.orig/servconf.h
+++ openssh-8.8p1/servconf.h
@@ -200,6 +200,7 @@ typedef struct {
- char *adm_forced_command;
int use_pam; /* Enable auth via PAM */
+ char *pam_service_name;
+ int use_pam_check_locks; /* internally check for locked accounts even when using PAM */
int permit_tun;
++++++ openssh-7.7p1-systemd-notify.patch ++++++
--- /var/tmp/diff_new_pack.kVY3db/_old 2024-08-29 15:43:29.645548344 +0200
+++ /var/tmp/diff_new_pack.kVY3db/_new 2024-08-29 15:43:29.649548510 +0200
@@ -61,7 +61,7 @@
+
#include "xmalloc.h"
#include "ssh.h"
- #include "ssh2.h"
+ #include "sshpty.h"
@@ -308,6 +312,10 @@ sighup_handler(int sig)
static void
sighup_restart(void)
@@ -84,5 +84,5 @@
+
/* Accept a connection and return in a forked child */
server_accept_loop(&sock_in, &sock_out,
- &newsock, config_s);
+ &newsock, config_s, log_stderr);
++++++ openssh-7.8p1-role-mls.patch ++++++
--- /var/tmp/diff_new_pack.kVY3db/_old 2024-08-29 15:43:29.665549175 +0200
+++ /var/tmp/diff_new_pack.kVY3db/_new 2024-08-29 15:43:29.669549342 +0200
@@ -1,8 +1,7 @@
-Index: openssh-9.6p1/auth2.c
-===================================================================
---- openssh-9.6p1.orig/auth2.c
-+++ openssh-9.6p1/auth2.c
-@@ -273,6 +273,9 @@ input_userauth_request(int type, u_int32
+diff -up openssh/auth2.c.role-mls openssh/auth2.c
+--- openssh/auth2.c.role-mls 2018-08-20 07:57:29.000000000 +0200
++++ openssh/auth2.c 2018-08-22 11:14:56.815430916 +0200
+@@ -256,6 +256,9 @@ input_userauth_request(int type, u_int32
Authctxt *authctxt = ssh->authctxt;
Authmethod *m = NULL;
char *user = NULL, *service = NULL, *method = NULL, *style = NULL;
@@ -12,7 +11,7 @@
int r, authenticated = 0;
double tstart = monotime_double();
-@@ -286,6 +289,11 @@ input_userauth_request(int type, u_int32
+@@ -268,6 +271,11 @@ input_userauth_request(int type, u_int32
debug("userauth-request for user %s service %s method %s", user, service, method);
debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
@@ -24,36 +23,32 @@
if ((style = strchr(user, ':')) != NULL)
*style++ = 0;
-@@ -313,8 +321,15 @@ input_userauth_request(int type, u_int32
- use_privsep ? " [net]" : "");
+@@ -314,7 +314,13 @@ input_userauth_request(int type, u_int32
+ setproctitle("%s [net]", authctxt->valid ? user : "unknown");
authctxt->service = xstrdup(service);
authctxt->style = style ? xstrdup(style) : NULL;
-- if (use_privsep)
+#ifdef WITH_SELINUX
+ authctxt->role = role ? xstrdup(role) : NULL;
+#endif
-+ if (use_privsep) {
- mm_inform_authserv(service, style);
+ mm_inform_authserv(service, style);
+#ifdef WITH_SELINUX
-+ mm_inform_authrole(role);
++ mm_inform_authrole(role);
+#endif
-+ }
userauth_banner(ssh);
if ((r = kex_server_update_ext_info(ssh)) != 0)
fatal_fr(r, "kex_server_update_ext_info failed");
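Review bot: the `if (use_privsep) { ... }` wrapper around mm_inform_authserv() and mm_inform_authrole() is dropped and both calls are now unconditional, which is right now that use_privsep is gone upstream. Note that `authctxt->role` is set to NULL when the user string carried no role (the line just above), so mm_inform_authrole() and its monitor-side answer must accept a NULL role on every authentication attempt; the patch should make that explicit.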
-Index: openssh-9.6p1/auth2-gss.c
-===================================================================
---- openssh-9.6p1.orig/auth2-gss.c
-+++ openssh-9.6p1/auth2-gss.c
-@@ -331,6 +331,7 @@ input_gssapi_mic(int type, u_int32_t ple
+diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c
+--- openssh/auth2-gss.c.role-mls 2018-08-20 07:57:29.000000000 +0200
++++ openssh/auth2-gss.c 2018-08-22 11:15:42.459799171 +0200
+@@ -281,6 +281,7 @@ input_gssapi_mic(int type, u_int32_t ple
Authctxt *authctxt = ssh->authctxt;
Gssctxt *gssctxt;
int r, authenticated = 0;
+ char *micuser;
struct sshbuf *b;
gss_buffer_desc mic, gssbuf;
- const char *displayname;
-@@ -348,7 +349,13 @@ input_gssapi_mic(int type, u_int32_t ple
+ u_char *p;
+@@ -298,7 +299,13 @@ input_gssapi_mic(int type, u_int32_t ple
fatal_f("sshbuf_new failed");
mic.value = p;
mic.length = len;
@@ -68,7 +63,7 @@
"gssapi-with-mic", ssh->kex->session_id);
if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
-@@ -362,6 +369,8 @@ input_gssapi_mic(int type, u_int32_t ple
+@@ -311,6 +318,8 @@ input_gssapi_mic(int type, u_int32_t ple
logit("GSSAPI MIC check failed");
sshbuf_free(b);
@@ -76,12 +71,11 @@
+ free(micuser);
free(mic.value);
- if ((!use_privsep || mm_is_monitor()) &&
-Index: openssh-9.6p1/auth2-hostbased.c
-===================================================================
---- openssh-9.6p1.orig/auth2-hostbased.c
-+++ openssh-9.6p1/auth2-hostbased.c
-@@ -128,7 +128,16 @@ userauth_hostbased(struct ssh *ssh, cons
+ authctxt->postponed = 0;
+diff -up openssh/auth2-hostbased.c.role-mls openssh/auth2-hostbased.c
+--- openssh/auth2-hostbased.c.role-mls 2018-08-20 07:57:29.000000000 +0200
++++ openssh/auth2-hostbased.c 2018-08-22 11:14:56.816430924 +0200
+@@ -123,7 +123,16 @@ userauth_hostbased(struct ssh *ssh)
/* reconstruct packet */
if ((r = sshbuf_put_stringb(b, ssh->kex->session_id)) != 0 ||
(r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
@@ -98,11 +92,10 @@
(r = sshbuf_put_cstring(b, authctxt->service)) != 0 ||
(r = sshbuf_put_cstring(b, method)) != 0 ||
(r = sshbuf_put_string(b, pkalg, alen)) != 0 ||
-Index: openssh-9.6p1/auth2-pubkey.c
-===================================================================
---- openssh-9.6p1.orig/auth2-pubkey.c
-+++ openssh-9.6p1/auth2-pubkey.c
-@@ -200,9 +200,16 @@ userauth_pubkey(struct ssh *ssh, const c
+diff -up openssh/auth2-pubkey.c.role-mls openssh/auth2-pubkey.c
+--- openssh/auth2-pubkey.c.role-mls 2018-08-22 11:14:56.816430924 +0200
++++ openssh/auth2-pubkey.c 2018-08-22 11:17:07.331483958 +0200
+@@ -169,9 +169,16 @@ userauth_pubkey(struct ssh *ssh)
goto done;
}
/* reconstruct packet */
@@ -121,10 +114,9 @@
if ((r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
(r = sshbuf_put_cstring(b, userstyle)) != 0 ||
(r = sshbuf_put_cstring(b, authctxt->service)) != 0 ||
-Index: openssh-9.6p1/auth.h
-===================================================================
---- openssh-9.6p1.orig/auth.h
-+++ openssh-9.6p1/auth.h
+diff -up openssh/auth.h.role-mls openssh/auth.h
+--- openssh/auth.h.role-mls 2018-08-20 07:57:29.000000000 +0200
++++ openssh/auth.h 2018-08-22 11:14:56.816430924 +0200
@@ -65,6 +65,9 @@ struct Authctxt {
char *service;
struct passwd *pw; /* set if 'valid' */
@@ -135,11 +127,10 @@
/* Method lists for multiple authentication */
char **auth_methods; /* modified from server config */
-Index: openssh-9.6p1/auth-pam.c
-===================================================================
---- openssh-9.6p1.orig/auth-pam.c
-+++ openssh-9.6p1/auth-pam.c
-@@ -1242,7 +1242,7 @@ is_pam_session_open(void)
+diff -up openssh/auth-pam.c.role-mls openssh/auth-pam.c
+--- openssh/auth-pam.c.role-mls 2018-08-20 07:57:29.000000000 +0200
++++ openssh/auth-pam.c 2018-08-22 11:14:56.816430924 +0200
+@@ -1172,7 +1172,7 @@ is_pam_session_open(void)
* during the ssh authentication process.
*/
int
@@ -148,24 +139,22 @@
{
int ret = 1;
char *compound;
-Index: openssh-9.6p1/auth-pam.h
-===================================================================
---- openssh-9.6p1.orig/auth-pam.h
-+++ openssh-9.6p1/auth-pam.h
+diff -up openssh/auth-pam.h.role-mls openssh/auth-pam.h
+--- openssh/auth-pam.h.role-mls 2018-08-20 07:57:29.000000000 +0200
++++ openssh/auth-pam.h 2018-08-22 11:14:56.817430932 +0200
@@ -33,7 +33,7 @@ u_int do_pam_account(void);
void do_pam_session(struct ssh *);
- void do_pam_setcred(int );
+ void do_pam_setcred(void);
void do_pam_chauthtok(void);
-int do_pam_putenv(char *, char *);
+int do_pam_putenv(char *, const char *);
char ** fetch_pam_environment(void);
char ** fetch_pam_child_environment(void);
void free_pam_environment(char **);
-Index: openssh-9.6p1/misc.c
-===================================================================
---- openssh-9.6p1.orig/misc.c
-+++ openssh-9.6p1/misc.c
-@@ -771,6 +771,7 @@ char *
+diff -up openssh/misc.c.role-mls openssh/misc.c
+--- openssh/misc.c.role-mls 2018-08-20 07:57:29.000000000 +0200
++++ openssh/misc.c 2018-08-22 11:14:56.817430932 +0200
+@@ -542,6 +542,7 @@ char *
colon(char *cp)
{
int flag = 0;
@@ -173,7 +162,7 @@
if (*cp == ':') /* Leading colon is part of file name. */
return NULL;
-@@ -786,6 +787,13 @@ colon(char *cp)
+@@ -557,6 +558,13 @@ colon(char *cp)
return (cp);
if (*cp == '/')
return NULL;
@@ -187,11 +176,10 @@
}
return NULL;
}
-Index: openssh-9.6p1/monitor.c
-===================================================================
---- openssh-9.6p1.orig/monitor.c
-+++ openssh-9.6p1/monitor.c
-@@ -120,6 +120,9 @@ int mm_answer_sign(struct ssh *, int, st
+diff -up openssh-8.6p1/monitor.c.role-mls openssh-8.6p1/monitor.c
+--- openssh-8.6p1/monitor.c.role-mls 2021-04-16 05:55:25.000000000 +0200
++++ openssh-8.6p1/monitor.c 2021-05-21 14:21:56.719414087 +0200
+@@ -117,6 +117,9 @@ int mm_answer_sign(struct ssh *, int, st
int mm_answer_pwnamallow(struct ssh *, int, struct sshbuf *);
int mm_answer_auth2_read_banner(struct ssh *, int, struct sshbuf *);
int mm_answer_authserv(struct ssh *, int, struct sshbuf *);
@@ -201,7 +189,7 @@
int mm_answer_authpassword(struct ssh *, int, struct sshbuf *);
int mm_answer_bsdauthquery(struct ssh *, int, struct sshbuf *);
int mm_answer_bsdauthrespond(struct ssh *, int, struct sshbuf *);
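Review bot: this hunk's file headers use the `openssh-8.6p1/` prefix and 2021 timestamps while every other file in the rewritten patch uses `openssh/` with 2018 timestamps. Both strip to one component under -p1, but the mix shows the patch was assembled from two different source trees; regenerate it from a single tree so prefixes and dates are uniform, or at least record the origin in the patch header.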
-@@ -200,6 +203,9 @@ struct mon_table mon_dispatch_proto20[]
+@@ -195,6 +198,9 @@ struct mon_table mon_dispatch_proto20[]
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@@ -211,7 +199,7 @@
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
#ifdef USE_PAM
-@@ -834,6 +840,9 @@ mm_answer_pwnamallow(struct ssh *ssh, in
+@@ -803,6 +809,9 @@ mm_answer_pwnamallow(struct ssh *ssh, in
/* Allow service/style information on the auth context */
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@@ -221,7 +209,7 @@
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
#ifdef USE_PAM
-@@ -908,6 +917,26 @@ key_base_type_match(const char *method,
+@@ -877,6 +886,26 @@ key_base_type_match(const char *method,
return found;
}
@@ -248,16 +236,16 @@
int
mm_answer_authpassword(struct ssh *ssh, int sock, struct sshbuf *m)
{
-@@ -1280,7 +1309,7 @@ monitor_valid_userblob(struct ssh *ssh,
+@@ -1251,7 +1280,7 @@ monitor_valid_userblob(struct ssh *ssh,
struct sshbuf *b;
- struct sshkey *hostkey = NULL;
+ struct sshkey *hostkey = NULL;
const u_char *p;
- char *userstyle, *cp;
+ char *userstyle, *s, *cp;
size_t len;
u_char type;
int hostbound = 0, r, fail = 0;
-@@ -1311,6 +1340,8 @@ monitor_valid_userblob(struct ssh *ssh,
+@@ -1282,6 +1311,8 @@ monitor_valid_userblob(struct ssh *ssh,
fail++;
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
fatal_fr(r, "parse userstyle");
@@ -266,7 +254,7 @@
xasprintf(&userstyle, "%s%s%s", authctxt->user,
authctxt->style ? ":" : "",
authctxt->style ? authctxt->style : "");
-@@ -1361,7 +1392,7 @@ monitor_valid_hostbasedblob(const u_char
+@@ -1317,7 +1348,7 @@ monitor_valid_hostbasedblob(const u_char
{
struct sshbuf *b;
const u_char *p;
@@ -275,7 +263,7 @@
size_t len;
int r, fail = 0;
u_char type;
-@@ -1382,6 +1413,8 @@ monitor_valid_hostbasedblob(const u_char
+@@ -1338,6 +1370,8 @@ monitor_valid_hostbasedblob(const u_char
fail++;
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
fatal_fr(r, "parse userstyle");
@@ -284,10 +272,9 @@
xasprintf(&userstyle, "%s%s%s", authctxt->user,
authctxt->style ? ":" : "",
authctxt->style ? authctxt->style : "");
-Index: openssh-9.6p1/monitor.h
-===================================================================
---- openssh-9.6p1.orig/monitor.h
-+++ openssh-9.6p1/monitor.h
+diff -up openssh/monitor.h.role-mls openssh/monitor.h
+--- openssh/monitor.h.role-mls 2018-08-20 07:57:29.000000000 +0200
++++ openssh/monitor.h 2018-08-22 11:14:56.818430941 +0200
@@ -55,6 +55,10 @@ enum monitor_reqtype {
MONITOR_REQ_GSSCHECKMIC = 48, MONITOR_ANS_GSSCHECKMIC = 49,
MONITOR_REQ_TERM = 50,
@@ -299,11 +286,10 @@
MONITOR_REQ_PAM_START = 100,
MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105,
-Index: openssh-9.6p1/monitor_wrap.c
-===================================================================
---- openssh-9.6p1.orig/monitor_wrap.c
-+++ openssh-9.6p1/monitor_wrap.c
-@@ -396,6 +396,27 @@ mm_inform_authserv(char *service, char *
+diff -up openssh/monitor_wrap.c.role-mls openssh/monitor_wrap.c
+--- openssh/monitor_wrap.c.role-mls 2018-08-22 11:14:56.818430941 +0200
++++ openssh/monitor_wrap.c 2018-08-22 11:21:47.938747968 +0200
+@@ -390,6 +390,27 @@ mm_inform_authserv(char *service, char *
sshbuf_free(m);
}
@@ -331,11 +317,10 @@
/* Do the password authentication */
int
mm_auth_password(struct ssh *ssh, char *password)
-Index: openssh-9.6p1/monitor_wrap.h
-===================================================================
---- openssh-9.6p1.orig/monitor_wrap.h
-+++ openssh-9.6p1/monitor_wrap.h
-@@ -49,6 +49,9 @@ int mm_sshkey_sign(struct ssh *, struct
+diff -up openssh/monitor_wrap.h.role-mls openssh/monitor_wrap.h
+--- openssh/monitor_wrap.h.role-mls 2018-08-22 11:14:56.818430941 +0200
++++ openssh/monitor_wrap.h 2018-08-22 11:22:10.439929513 +0200
+@@ -44,6 +44,9 @@ DH *mm_choose_dh(int, int, int);
const u_char *, size_t, const char *, const char *,
const char *, u_int compat);
void mm_inform_authserv(char *, char *);
@@ -345,11 +330,10 @@
struct passwd *mm_getpwnamallow(struct ssh *, const char *);
char *mm_auth2_read_banner(void);
int mm_auth_password(struct ssh *, char *);
-Index: openssh-9.6p1/openbsd-compat/Makefile.in
-===================================================================
---- openssh-9.6p1.orig/openbsd-compat/Makefile.in
-+++ openssh-9.6p1/openbsd-compat/Makefile.in
-@@ -100,7 +100,8 @@ PORTS= port-aix.o \
+diff -up openssh/openbsd-compat/Makefile.in.role-mls openssh/openbsd-compat/Makefile.in
+--- openssh/openbsd-compat/Makefile.in.role-mls 2018-08-20 07:57:29.000000000 +0200
++++ openssh/openbsd-compat/Makefile.in 2018-08-22 11:14:56.819430949 +0200
+@@ -92,7 +92,8 @@ PORTS= port-aix.o \
port-prngd.o \
port-solaris.o \
port-net.o \
@@ -359,11 +343,10 @@
.c.o:
$(CC) $(CFLAGS_NOPIE) $(PICFLAG) $(CPPFLAGS) -c $<
-Index: openssh-9.6p1/openbsd-compat/port-linux.c
-===================================================================
---- openssh-9.6p1.orig/openbsd-compat/port-linux.c
-+++ openssh-9.6p1/openbsd-compat/port-linux.c
-@@ -101,37 +101,6 @@ ssh_selinux_getctxbyname(char *pwname)
+diff -up openssh/openbsd-compat/port-linux.c.role-mls openssh/openbsd-compat/port-linux.c
+--- openssh/openbsd-compat/port-linux.c.role-mls 2018-08-20 07:57:29.000000000 +0200
++++ openssh/openbsd-compat/port-linux.c 2018-08-22 11:14:56.819430949 +0200
+@@ -100,37 +100,6 @@ ssh_selinux_getctxbyname(char *pwname)
return sc;
}
@@ -401,7 +384,7 @@
/* Set the TTY context for the specified user */
void
ssh_selinux_setup_pty(char *pwname, const char *tty)
-@@ -144,7 +113,11 @@ ssh_selinux_setup_pty(char *pwname, cons
+@@ -145,7 +114,11 @@ ssh_selinux_setup_pty(char *pwname, cons
debug3("%s: setting TTY context on %s", __func__, tty);
@@ -414,10 +397,9 @@
/* XXX: should these calls fatal() upon failure in enforcing mode? */
-Index: openssh-9.6p1/openbsd-compat/port-linux.h
-===================================================================
---- openssh-9.6p1.orig/openbsd-compat/port-linux.h
-+++ openssh-9.6p1/openbsd-compat/port-linux.h
+diff -up openssh/openbsd-compat/port-linux.h.role-mls openssh/openbsd-compat/port-linux.h
+--- openssh/openbsd-compat/port-linux.h.role-mls 2018-08-20 07:57:29.000000000 +0200
++++ openssh/openbsd-compat/port-linux.h 2018-08-22 11:14:56.819430949 +0200
@@ -20,9 +20,10 @@
#ifdef WITH_SELINUX
int ssh_selinux_enabled(void);
@@ -430,11 +412,10 @@
#endif
#ifdef LINUX_OOM_ADJUST
-Index: openssh-9.6p1/openbsd-compat/port-linux-sshd.c
-===================================================================
---- /dev/null
-+++ openssh-9.6p1/openbsd-compat/port-linux-sshd.c
-@@ -0,0 +1,421 @@
+diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compat/port-linux-sshd.c
+--- openssh/openbsd-compat/port-linux-sshd.c.role-mls 2018-08-22 11:14:56.819430949 +0200
++++ openssh/openbsd-compat/port-linux-sshd.c 2018-08-22 11:14:56.819430949 +0200
+@@ -0,0 +1,420 @@
+/*
+ * Copyright (c) 2005 Daniel Walsh <dwalsh(a)redhat.com>
+ * Copyright (c) 2014 Petr Lautrbach <plautrba(a)redhat.com>
@@ -488,7 +469,6 @@
+extern ServerOptions options;
+extern Authctxt *the_authctxt;
+extern int inetd_flag;
-+extern int rexeced_flag;
+
+/* Send audit message */
+static int
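Review bot: Dropping `extern int rexeced_flag;` is what shrinks the new-file hunk from `+1,421` to `+1,420` in the header above; since the rebase removes the variable entirely, every remaining `rexeced_flag` use in port-linux-sshd.c has to go with it (the two `inetd_flag && !rexeced_flag` sites below do), otherwise the file will not compile.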
@@ -694,7 +674,7 @@
+
+ if (r == 0) {
+ /* If launched from xinetd, we must use current level */
-+ if (inetd_flag && !rexeced_flag) {
++ if (inetd_flag) {
+ security_context_t sshdsc=NULL;
+
+ if (getcon_raw(&sshdsc) < 0)
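Review bot: With `!rexeced_flag` gone, `inetd_flag` alone now decides whether sshd keeps its current SELinux context (the `getcon_raw()` branch) instead of computing one for the user; that is exactly the path taken when the daemon is started per connection with `sshd -i`, as the package's `sshd@.service` does (`ExecStart=-/usr/sbin/sshd -i $SSHD_OPTS`), so this branch is no longer an xinetd corner case but the default for socket-activated installs and deserves a test with MLS enabled.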
@@ -768,7 +748,7 @@
+
+ rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : "");
+
-+ if (inetd_flag && !rexeced_flag) {
++ if (inetd_flag) {
+ use_current = "1";
+ } else {
+ use_current = "";
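Review bot: Same condition change as the `getcon_raw()` hunk above, here feeding `use_current` to the PAM side next to `SELINUX_ROLE_REQUESTED`; the two sites agree after the edit, which is the property that matters, since a mismatch would have the SSH side keep the current context while PAM is told to compute one (or the reverse).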
@@ -856,11 +836,10 @@
+#endif
+#endif
+
-Index: openssh-9.6p1/platform.c
-===================================================================
---- openssh-9.6p1.orig/platform.c
-+++ openssh-9.6p1/platform.c
-@@ -185,7 +185,7 @@ platform_setusercontext_post_groups(stru
+diff -up openssh/platform.c.role-mls openssh/platform.c
+--- openssh/platform.c.role-mls 2018-08-20 07:57:29.000000000 +0200
++++ openssh/platform.c 2018-08-22 11:14:56.819430949 +0200
+@@ -183,7 +183,7 @@ platform_setusercontext_post_groups(stru
}
#endif /* HAVE_SETPCRED */
#ifdef WITH_SELINUX
@@ -869,11 +848,10 @@
#endif
}
-Index: openssh-9.6p1/sshd.c
-===================================================================
---- openssh-9.6p1.orig/sshd.c
-+++ openssh-9.6p1/sshd.c
-@@ -2387,6 +2387,9 @@ main(int ac, char **av)
+diff -up openssh/sshd.c.role-mls openssh/sshd.c
+--- openssh/sshd-session.c.role-mls 2018-08-20 07:57:29.000000000 +0200
++++ openssh/sshd-session.c 2018-08-22 11:14:56.820430957 +0200
+@@ -2186,6 +2186,9 @@ main(int ac, char **av)
restore_uid();
}
#endif
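Review bot: The `diff -up openssh/sshd.c.role-mls openssh/sshd.c` header line still names `sshd.c` while the `---`/`+++` lines below it point at `sshd-session.c`; patch(1) reads only the `---`/`+++` pair so this applies, but the mismatch misleads anyone grepping the patch for the files it touches; regenerate the header line to match the retargeted file.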
@@ -882,5 +860,5 @@
+#endif
#ifdef USE_PAM
if (options.use_pam) {
- do_pam_setcred(1);
+ do_pam_setcred();
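Review bot: The `do_pam_setcred(1);` context line is refreshed to `do_pam_setcred();`, i.e. the inner patch's unchanged context is updated to the callee's new signature; that is the right fix (stale context would only fuzz or reject), but since this line is context and nothing here compiles it, confirm the no-argument prototype against the 9.8p1 `auth-pam.h` rather than against this patch's neighbours.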
++++++ openssh-8.0p1-gssapi-keyex.patch ++++++
++++ 2563 lines (skipped)
++++ between /work/SRC/openSUSE:Factory/openssh/openssh-8.0p1-gssapi-keyex.patch
++++ and /work/SRC/openSUSE:Factory/.openssh.new.2698/openssh-8.0p1-gssapi-keyex.patch
++++++ openssh-8.1p1-audit.patch ++++++
++++ 875 lines (skipped)
++++ between /work/SRC/openSUSE:Factory/openssh/openssh-8.1p1-audit.patch
++++ and /work/SRC/openSUSE:Factory/.openssh.new.2698/openssh-8.1p1-audit.patch
++++++ openssh-8.4p1-vendordir.patch ++++++
--- /var/tmp/diff_new_pack.kVY3db/_old 2024-08-29 15:43:29.745552502 +0200
+++ /var/tmp/diff_new_pack.kVY3db/_new 2024-08-29 15:43:29.749552668 +0200
@@ -123,28 +123,21 @@
===================================================================
--- openssh-8.9p1.orig/sshd.c
+++ openssh-8.9p1/sshd.c
-@@ -148,7 +148,7 @@ extern char *__progname;
- ServerOptions options;
-
- /* Name of the server configuration file. */
--char *config_file_name = _PATH_SERVER_CONFIG_FILE;
-+char *config_file_name = NULL;
-
- /*
- * Debug mode flag. This can be set on the command line. If debug
-@@ -1591,6 +1591,7 @@ prepare_proctitle(int ac, char **av)
- int
- main(int ac, char **av)
- {
-+ struct stat st;
- struct ssh *ssh = NULL;
+@@ -1201,7 +1201,8 @@ prepare_proctitle(int ac, char **av)
extern char *optarg;
extern int optind;
+ int log_stderr = 0, inetd_flag = 0, test_flag = 0, no_daemon_flag = 0;
+- char *config_file_name = _PATH_SERVER_CONFIG_FILE;
++ char *config_file_name = NULL;
++ struct stat st;
+ int r, opt, do_dump_cfg = 0, keytype, already_daemon, have_agent = 0;
+ int sock_in = -1, sock_out = -1, newsock = -1, rexec_argc = 0;
+ int devnull, config_s[2] = { -1 , -1 }, have_connection_info = 0;
@@ -1806,7 +1807,21 @@ main(int ac, char **av)
- */
- (void)atomicio(vwrite, startup_pipe, "\0", 1);
- }
-+ } else if (config_file_name == NULL) {
+ /* Fetch our configuration */
+ if ((cfg = sshbuf_new()) == NULL)
+ fatal("sshbuf_new config failed");
++ if (config_file_name == NULL) {
+ /* If only the vendor configuration file exists, use that.
+ * Else use the standard configuration file.
+ */
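Review bot: `config_file_name` moves from a file-scope `char *config_file_name = _PATH_SERVER_CONFIG_FILE;` to a local in `main()` initialised to `NULL`, and the vendor-config lookup is lifted out of the removed rexec `else` branch into an unconditional `if (config_file_name == NULL)` after `sshbuf_new()`; `struct stat st` is kept for the vendor-file existence check that sits between the two hunks. The shape is right, but check that nothing else in this patch still reads the former global, because only `main()` can see the name now.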
@@ -157,11 +150,12 @@
+ config_file_name = _PATH_SERVER_CONFIG_FILE;
+ }
+ load_server_config(config_file_name, cfg);
- } else if (strcasecmp(config_file_name, "none") != 0)
+- if (strcasecmp(config_file_name, "none") != 0)
++ } else if (strcasecmp(config_file_name, "none") != 0)
+ /* load config specified on commandline */
load_server_config(config_file_name, cfg);
- parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
+ parse_server_config(&options, config_file_name, cfg,
Index: openssh-8.9p1/sshd_config.5
===================================================================
--- openssh-8.9p1.orig/sshd_config.5
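Review bot: `rexeced_flag ? "rexec" : config_file_name` becomes plain `config_file_name` in the `parse_server_config()` call, and the `none` check is re-chained as `} else if (strcasecmp(config_file_name, "none") != 0)` off the new NULL test, so `-f none` still loads nothing while a NULL name falls through to the vendor/default lookup. The `Index: openssh-8.9p1/sshd_config.5` header keeps an 8.9p1 prefix in a patch named for 8.4p1 and now applied to 9.8p1; harmless for `-p1`, confusing when the series is read.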
++++++ openssh-9.6p1-crypto-policies-man.patch ++++++
--- /var/tmp/diff_new_pack.kVY3db/_old 2024-08-29 15:43:29.761553168 +0200
+++ /var/tmp/diff_new_pack.kVY3db/_new 2024-08-29 15:43:29.765553333 +0200
@@ -84,13 +84,14 @@
The list of key exchange algorithms that are offered for GSSAPI
key exchange. Possible values are
.Bd -literal -offset 3n
-@@ -991,9 +993,8 @@ gss-nistp256-sha256-,
+@@ -991,10 +993,8 @@ gss-nistp256-sha256-,
gss-curve25519-sha256-
.Ed
.Pp
-The default is
--.Dq gss-gex-sha1-,gss-group14-sha1- .
- This option only applies to protocol version 2 connections using GSSAPI.
+-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
+-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
+ This option only applies to connections using GSSAPI.
+.Pp
.It Cm HashKnownHosts
Indicates that
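Review bot: The inner deletion grows from the one-line `.Dq gss-gex-sha1-,gss-group14-sha1- .` to a two-line `.Dq gss-group14-sha256-,...,gss-group14-sha1-,gss-gex-sha1- .` because upstream's documented default changed, hence the `9` to `10` old-count in the hunk header; after the patch the `GSSAPIKexAlgorithms` entry says only that the option applies to GSSAPI connections and no longer states where the default comes from, unlike the `.Xr crypto-policies 7` pointer this same patch adds for other options further down; add the same pointer here so the SHA-1 GSSAPI methods do not silently vanish from the documentation.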
@@ -159,7 +160,7 @@
.It Cm HostKeyAlias
Specifies an alias that should be used instead of the
real host name when looking up or saving the host key
-@@ -1311,31 +1313,26 @@ it may be zero or more of:
+@@ -1311,36 +1313,30 @@ it may be zero or more of:
and
.Cm pam .
.It Cm KexAlgorithms
@@ -169,8 +170,12 @@
+existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 .
+.Pp
- Specifies the available KEX (Key Exchange) algorithms.
+ Specifies the permitted KEX (Key Exchange) algorithms that will be used and
+ their preference order.
+ The selected algorithm will the the first algorithm in this list that
+ the server also supports.
Multiple algorithms must be comma-separated.
+ .Pp
If the specified list begins with a
.Sq +
-character, then the specified algorithms will be appended to the default set
@@ -186,6 +191,7 @@
.Sq ^
character, then the specified algorithms will be placed at the head of the
-default set.
+-.Pp
-The default is:
-.Bd -literal -offset indent
-sntrup761x25519-sha512(a)openssh.com,
@@ -199,7 +205,7 @@
-.Ed
+built-in openssh default set.
.Pp
- The list of available key exchange algorithms may also be obtained using
+ The list of supported key exchange algorithms may also be obtained using
.Qq ssh -Q kex .
@@ -1445,37 +1442,34 @@ function, and all code in the
file.
@@ -386,7 +392,7 @@
The list of available ciphers may also be obtained using
.Qq ssh -Q cipher .
.It Cm ClientAliveCountMax
-@@ -764,52 +760,45 @@ For this to work
+@@ -764,53 +760,45 @@ For this to work
.Cm GSSAPIKeyExchange
needs to be enabled in the server and also used by the client.
.It Cm GSSAPIKexAlgorithms
@@ -415,8 +421,9 @@
.Ed
-.Pp
-The default is
--.Dq gss-gex-sha1-,gss-group14-sha1- .
- This option only applies to protocol version 2 connections using GSSAPI.
+-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
+-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
+ This option only applies to connections using GSSAPI.
.It Cm HostbasedAcceptedAlgorithms
+The default is handled system-wide by
+.Xr crypto-policies 7 .
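Review bot: Same situation as the ssh_config.5 hunk: `GSSAPIKexAlgorithms` in sshd_config.5 loses its `The default is` paragraph (now the two-line `.Dq` list ending in `gss-group14-sha1-,gss-gex-sha1- .`) with nothing in its place, while `HostbasedAcceptedAlgorithms` two lines later gains `The default is handled system-wide by .Xr crypto-policies 7 .`; either add the same sentence under `GSSAPIKexAlgorithms` or state that its default is not governed by the policy, so an administrator auditing whether the SHA-1 GSSAPI exchanges are still offered knows where to look.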
@@ -492,7 +499,7 @@
The list of available signature algorithms may also be obtained using
.Qq ssh -Q HostKeyAlgorithms .
.It Cm IgnoreRhosts
-@@ -1027,20 +1006,26 @@ file on logout.
+@@ -1027,24 +1006,30 @@ file on logout.
The default is
.Cm yes .
.It Cm KexAlgorithms
@@ -502,9 +509,13 @@
+existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 .
+.Pp
- Specifies the available KEX (Key Exchange) algorithms.
+ Specifies the permitted KEX (Key Exchange) algorithms that the server will
+ offer to clients.
+ The ordering of this list is not important, as the client specifies the
+ preference order.
Multiple algorithms must be comma-separated.
- Alternately if the specified list begins with a
+ .Pp
+ If the specified list begins with a
.Sq +
-character, then the specified algorithms will be appended to the default set
-instead of replacing them.
@@ -520,9 +531,9 @@
character, then the specified algorithms will be placed at the head of the
-default set.
+built-in openssh default set.
+ .Pp
The supported algorithms are:
.Pp
- .Bl -item -compact -offset indent
@@ -1072,16 +1057,6 @@ ecdh-sha2-nistp521
sntrup761x25519-sha512(a)openssh.com
.El
@@ -537,7 +548,7 @@
-diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
-.Ed
-.Pp
- The list of available key exchange algorithms may also be obtained using
+ The list of supported key exchange algorithms may also be obtained using
.Qq ssh -Q KexAlgorithms .
.It Cm ListenAddress
@@ -1167,21 +1142,27 @@ function, and all code in the
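Review bot: The inner `-diffie-hellman-group14-sha256,diffie-hellman-group14-sha1` / `-.Ed` / `-.Pp` lines delete exactly the man-page line that openssh-reenable-dh-group14-sha1-default.patch adds, so this patch only applies cleanly while it stays ordered after that one in the spec; the dependency is implicit and deserves a comment next to the `%patch` lines so a future reorder does not break the series.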
++++++ openssh-9.6p1.tar.gz -> openssh-9.8p1.tar.gz ++++++
++++ 23852 lines of diff (skipped)
++++++ openssh-mitigate-lingering-secrets.patch ++++++
--- /var/tmp/diff_new_pack.kVY3db/_old 2024-08-29 15:43:30.153569467 +0200
+++ /var/tmp/diff_new_pack.kVY3db/_new 2024-08-29 15:43:30.157569633 +0200
@@ -207,9 +207,9 @@
--- openssh-9.3p2.orig/packet.h
+++ openssh-9.3p2/packet.h
@@ -103,6 +103,7 @@ void ssh_packet_close(struct ssh *);
+ void ssh_packet_close(struct ssh *);
void ssh_packet_set_input_hook(struct ssh *, ssh_packet_hook_fn *, void *);
void ssh_packet_clear_keys(struct ssh *);
- void ssh_packet_clear_keys_noaudit(struct ssh *);
+void ssh_clear_curkeys(struct ssh *, int);
void ssh_clear_newkeys(struct ssh *, int);
@@ -264,12 +264,12 @@
/* Macros for decoding/encoding integers */
#define PEEK_U64(p) \
(((u_int64_t)(((const u_char *)(p))[0]) << 56) | \
-Index: openssh-9.3p2/sshd.c
+Index: openssh-9.3p2/sshd-session.c
===================================================================
---- openssh-9.3p2.orig/sshd.c
-+++ openssh-9.3p2/sshd.c
-@@ -272,6 +272,19 @@ static void do_ssh2_kex(struct ssh *);
- static char *listener_proctitle;
+--- openssh-9.3p2.orig/sshd-session.c
++++ openssh-9.3p2/sshd-session.c
+@@ -197,6 +197,19 @@ static void do_ssh2_kex(struct ssh *);
+ static void do_ssh2_kex(struct ssh *);
/*
+ * Clear some stack space. This is a bit naive, but hopefully helps mitigate
@@ -285,10 +285,10 @@
+}
+
+/*
- * Close all listening sockets
- */
- static void
-@@ -430,6 +443,8 @@ destroy_sensitive_data(struct ssh *ssh,
+ * Signal handler for the alarm after the login grace period has expired.
+ * As usual, this may only take signal-safe actions, even though it is
+ * terminal.
+@@ -260,6 +260,8 @@ destroy_sensitive_data(struct ssh *ssh,
sensitive_data.host_certificates[i] = NULL;
}
}
@@ -297,32 +297,32 @@
}
/* Demote private to public keys for network child */
-@@ -600,6 +615,8 @@ privsep_preauth(struct ssh *ssh)
- static void
- privsep_postauth(struct ssh *ssh, Authctxt *authctxt)
+@@ -431,6 +432,8 @@ privsep_preauth(struct ssh *ssh)
{
+ int skip_privdrop = 0;
+
+ clobber_stack();
+
- #ifdef DISABLE_FD_PASSING
- if (1) {
- #else
-@@ -2360,6 +2377,7 @@ main(int ac, char **av)
- if (use_privsep) {
- mm_send_keystate(ssh, pmonitor);
- ssh_packet_clear_keys(ssh);
-+ clobber_stack();
- exit(0);
- }
+ /*
+ * Hack for systems that don't support FD passing: retain privileges
+ * in the post-auth privsep process so it can allocate PTYs directly.
+@@ -1354,6 +1356,7 @@ main(int ac, char **av)
+ */
+ mm_send_keystate(ssh, pmonitor);
+ ssh_packet_clear_keys(ssh);
++ clobber_stack();
+ exit(0);
+
+ authenticated:
+@@ -1431,6 +1434,7 @@ main(int ac, char **av)
-@@ -2436,6 +2454,7 @@ main(int ac, char **av)
- if (use_privsep)
- mm_terminate();
+ mm_terminate();
+ clobber_stack();
exit(0);
}
-@@ -2596,8 +2615,10 @@ cleanup_exit(int i)
+@@ -1577,8 +1581,10 @@ cleanup_exit(int i)
/* cleanup_exit can be called at the very least from the privsep
wrappers used for auditing. Make sure we don't recurse
indefinitely. */
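Review bot: The relocated hunk header reads `privsep_preauth(struct ssh *ssh)`, but its context (`int skip_privdrop = 0;` and the comment about retaining privileges in the post-auth privsep process) is the body of the function the old hunk annotated as `privsep_postauth`; patch(1) ignores the annotation, so this applies, but regenerate it so a reader does not conclude `clobber_stack()` moved to the pre-auth child. The two later call sites, after `mm_send_keystate()`/`ssh_packet_clear_keys()` and after `mm_terminate()`, keep their placement immediately before `exit(0)`, which is what the wiping depends on.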
@@ -332,10 +332,10 @@
_exit(i);
+ }
in_cleanup = 1;
- if (the_active_state != NULL && the_authctxt != NULL) {
- do_cleanup(the_active_state, the_authctxt);
-@@ -2623,5 +2644,7 @@ cleanup_exit(int i)
- (!use_privsep || mm_is_monitor()))
+ extern int auth_attempted; /* monitor.c */
+
+@@ -1604,5 +1610,7 @@ cleanup_exit(int i)
+ mm_is_monitor())
audit_event(the_active_state, SSH_CONNECTION_ABANDON);
#endif
+
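Review bot: `(!use_privsep || mm_is_monitor())` becomes plain `mm_is_monitor())`, so the `audit_event(the_active_state, SSH_CONNECTION_ABANDON)` in `cleanup_exit()` now fires only from the monitor; this is correct if `use_privsep` no longer exists in sshd-session.c, which the refreshed `extern int auth_attempted; /* monitor.c */` context suggests, and it is the same behaviour as before for a privsep-always build. Worth a one-line note in the patch header, since the audit side is easy to lose in a rebase.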
++++++ openssh-reenable-dh-group14-sha1-default.patch ++++++
--- /var/tmp/diff_new_pack.kVY3db/_old 2024-08-29 15:43:30.177570465 +0200
+++ /var/tmp/diff_new_pack.kVY3db/_new 2024-08-29 15:43:30.181570631 +0200
@@ -25,7 +25,7 @@
+diffie-hellman-group14-sha1
.Ed
.Pp
- The list of available key exchange algorithms may also be obtained using
+ The list of supported key exchange algorithms may also be obtained using
Index: openssh-8.9p1/sshd_config.5
===================================================================
--- openssh-8.9p1.orig/sshd_config.5
@@ -38,5 +38,5 @@
+diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
.Ed
.Pp
- The list of available key exchange algorithms may also be obtained using
+ The list of supported key exchange algorithms may also be obtained using
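Review bot: Only the context word changes here (`available` to `supported`) in both man pages; the substantive `+diffie-hellman-group14-sha1` and `+diffie-hellman-group14-sha256,diffie-hellman-group14-sha1` additions are untouched, so the rebase still documents SHA-1 group14 KEX as a default. Because openssh-9.6p1-crypto-policies-man.patch later removes those very lines, the man-page effect of this patch is nil after the full series and only whatever it changes outside the man pages (not part of this diff) matters; say so in the patch header to make the ordering dependency explicit.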
++++++ sshd.socket ++++++
[Unit]
Description=OpenSSH Server Socket
Conflicts=sshd.service
[Socket]
ListenStream=22
Accept=yes
[Install]
WantedBy=sockets.target
++++++ sshd@.service ++++++
[Unit]
Description=OpenSSH Per-Connection Server Daemon
Documentation=man:systemd-ssh-generator(8) man:sshd(8)
After=network.target
[Service]
EnvironmentFile=-/etc/sysconfig/ssh
ExecStartPre=/usr/sbin/sshd-gen-keys-start
ExecStartPre=/usr/sbin/sshd -t $SSHD_OPTS
ExecStart=-/usr/sbin/sshd -i $SSHD_OPTS
StandardInput=socket
++++++ wtmpdb.patch ++++++
--- /var/tmp/diff_new_pack.kVY3db/_old 2024-08-29 15:43:30.369578448 +0200
+++ /var/tmp/diff_new_pack.kVY3db/_new 2024-08-29 15:43:30.373578614 +0200
@@ -174,12 +174,16 @@
AR=@AR@
AWK=@AWK@
RANLIB=@RANLIB@
-@@ -212,7 +213,7 @@
+@@ -212,10 +213,10 @@
$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(GSSLIBS) $(CHANNELLIBS)
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
-- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS)
-+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
+- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(CHANNELLIBS)
++ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
+
+ sshd-session$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHD_SESSION_OBJS)
+- $(LD) -o $@ $(SSHD_SESSION_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS)
++ $(LD) -o $@ $(SSHD_SESSION_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS)
$(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)