Hello community,
here is the log from the commit of package openssh for openSUSE:Factory
checked in at Tue Mar 3 22:42:41 CET 2009.
--------
--- openssh/openssh-askpass-gnome.changes 2008-04-09 14:35:50.000000000 +0200
+++ openssh/openssh-askpass-gnome.changes 2009-03-03 21:38:19.792350000 +0100
@@ -1,0 +2,5 @@
+Mon Feb 23 17:27:22 CET 2009 - anicka@suse.cz
+
+- update to 5.2p1
+
+-------------------------------------------------------------------
--- openssh/openssh.changes 2008-12-01 15:43:59.000000000 +0100
+++ openssh/openssh.changes 2009-03-03 21:38:27.297017000 +0100
@@ -1,0 +2,54 @@
+Mon Feb 23 17:27:45 CET 2009 - anicka@suse.cz
+
+- update to 5.2p1
+ * This release changes the default cipher order to prefer the AES CTR
+ modes and the revised "arcfour256" mode to CBC mode ciphers that are
+ susceptible to CPNI-957037 "Plaintext Recovery Attack Against SSH".
+ * This release also adds countermeasures to mitigate CPNI-957037-style
+ attacks against the SSH protocol's use of CBC-mode ciphers. Upon
+ detection of an invalid packet length or Message Authentication
+ Code, ssh/sshd will continue reading up to the maximum supported
+ packet length rather than immediately terminating the connection.
+ This eliminates most of the known differences in behaviour that
+ leaked information about the plaintext of injected data which formed
+ the basis of this attack. We believe that these attacks are rendered
+ infeasible by these changes.
+ * Added a -y option to ssh(1) to force logging to syslog rather than
+ stderr, which is useful when running daemonised (ssh -f)
+ * The sshd_config(5) ForceCommand directive now accepts commandline
+ arguments for the internal-sftp server.
+ * The ssh(1) ~C escape commandline now support runtime creation of
+ dynamic (-D) port forwards.
+ * Support the SOCKS4A protocol in ssh(1) dynamic (-D) forwards.
+ (bz#1482)
+ * Support remote port forwarding with a listen port of '0'. This
+ informs the server that it should dynamically allocate a listen
+ port and report it back to the client. (bz#1003)
+ * sshd(8) now supports setting PermitEmptyPasswords and
+ AllowAgentForwarding in Match blocks
+ * Repair a ssh(1) crash introduced in openssh-5.1 when the client is
+ sent a zero-length banner (bz#1496)
+ * Due to interoperability problems with certain
+ broken SSH implementations, the eow@openssh.com and
+ no-more-sessions@openssh.com protocol extensions are now only sent
+ to peers that identify themselves as OpenSSH.
+ * Make ssh(1) send the correct channel number for
+ SSH2_MSG_CHANNEL_SUCCESS and SSH2_MSG_CHANNEL_FAILURE messages to
+ avoid triggering 'Non-public channel' error messages on sshd(8) in
+ openssh-5.1.
+ * Avoid printing 'Non-public channel' warnings in sshd(8), since the
+ ssh(1) has sent incorrect channel numbers since ~2004 (this reverts
+ a behaviour introduced in openssh-5.1).
+ * Avoid double-free in ssh(1) ~C escape -L handler (bz#1539)
+ * Correct fail-on-error behaviour in sftp(1) batchmode for remote
+ stat operations. (bz#1541)
+ * Disable nonfunctional ssh(1) ~C escape handler in multiplex slave
+ connections. (bz#1543)
+ * Avoid hang in ssh(1) when attempting to connect to a server that
+ has MaxSessions=0 set.
+ * Multiple fixes to sshd(8) configuration test (-T) mode
+ * Several core and portable OpenSSH bugs fixed: 1380, 1412, 1418,
+ 1419, 1421, 1490, 1491, 1492, 1514, 1515, 1518, 1520, 1538, 1540
+ * Many manual page improvements.
+
+-------------------------------------------------------------------
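Review bot: the entry records only "update to 5.2p1" followed by the upstream release notes, while this same commit also drops the local strnvis patch (Patch47) and changes the %config handling of /etc/slp.reg.d/ssh.reg and %_appdefdir/SshAskpass in openssh.spec; add one line per distro-side packaging change (for example "- drop strnvis.diff" with the reason, if it is no longer needed in 5.2p1) so those changes can be traced from the changelog rather than only from the spec diff.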
calling whatdependson for head-i586
Old:
----
openssh-5.1p1-askpass-fix.diff
openssh-5.1p1-audit.patch
openssh-5.1p1-blocksigalrm.diff
openssh-5.1p1-default-protocol.diff
openssh-5.1p1.dif
openssh-5.1p1-eal3.diff
openssh-5.1p1-engines.diff
openssh-5.1p1-forwards.diff
openssh-5.1p1-gcc-fix.patch
openssh-5.1p1-gssapimitm.patch
openssh-5.1p1-pam-fix2.diff
openssh-5.1p1-pam-fix3.diff
openssh-5.1p1-pam-fix4.diff
openssh-5.1p1-pts.diff
openssh-5.1p1-saveargv-fix.diff
openssh-5.1p1-send_locale.diff
openssh-5.1p1-strnvis.diff
openssh-5.1p1.tar.bz2
openssh-5.1p1-tmpdir.diff
openssh-5.1p1-xauth.diff
openssh-5.1p1-xauthlocalhostname.diff
New:
----
openssh-5.2p1-askpass-fix.diff
openssh-5.2p1-audit.patch
openssh-5.2p1-blocksigalrm.diff
openssh-5.2p1-default-protocol.diff
openssh-5.2p1.dif
openssh-5.2p1-eal3.diff
openssh-5.2p1-engines.diff
openssh-5.2p1-forwards.diff
openssh-5.2p1-gcc-fix.patch
openssh-5.2p1-gssapimitm.patch
openssh-5.2p1-pam-fix2.diff
openssh-5.2p1-pam-fix3.diff
openssh-5.2p1-pam-fix4.diff
openssh-5.2p1-pts.diff
openssh-5.2p1-saveargv-fix.diff
openssh-5.2p1-send_locale.diff
openssh-5.2p1.tar.bz2
openssh-5.2p1-tmpdir.diff
openssh-5.2p1-xauth.diff
openssh-5.2p1-xauthlocalhostname.diff
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ openssh-askpass-gnome.spec ++++++
--- /var/tmp/diff_new_pack.R30939/_old 2009-03-03 22:41:10.000000000 +0100
+++ /var/tmp/diff_new_pack.R30939/_new 2009-03-03 22:41:10.000000000 +0100
@@ -1,7 +1,7 @@
#
-# spec file for package openssh-askpass-gnome (Version 5.1p1)
+# spec file for package openssh-askpass-gnome (Version 5.2p1)
#
-# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -22,8 +22,8 @@
BuildRequires: gtk2-devel krb5-devel opensc-devel openssh openssl-devel pam-devel tcpd-devel update-desktop-files
License: BSD 3-Clause
Group: Productivity/Networking/SSH
-Version: 5.1p1
-Release: 41
+Version: 5.2p1
+Release: 1
Requires: openssh = %{version} openssh-askpass = %{version}
AutoReqProv: on
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
@@ -118,6 +118,8 @@
%attr(0755,root,root) /usr/%_lib/ssh/gnome-ssh-askpass
%changelog
+* Mon Feb 23 2009 anicka@suse.cz
+- update to 5.2p1
* Wed Apr 09 2008 anicka@suse.cz
- update to 5.0p1
* Wed Apr 02 2008 anicka@suse.cz
++++++ openssh.spec ++++++
--- /var/tmp/diff_new_pack.R30939/_old 2009-03-03 22:41:10.000000000 +0100
+++ /var/tmp/diff_new_pack.R30939/_new 2009-03-03 22:41:10.000000000 +0100
@@ -1,7 +1,7 @@
#
-# spec file for package openssh (Version 5.1p1)
+# spec file for package openssh (Version 5.2p1)
#
-# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -37,8 +37,8 @@
PreReq: /usr/sbin/groupadd /usr/sbin/useradd %insserv_prereq %fillup_prereq /bin/mkdir /bin/cat permissions
Conflicts: nonfreessh
AutoReqProv: on
-Version: 5.1p1
-Release: 41
+Version: 5.2p1
+Release: 1
%define xversion 1.2.4.1
Summary: Secure Shell Client and Server (Remote Login Program)
Url: http://www.openssh.com/
@@ -70,7 +70,6 @@
Patch44: %{name}-%{version}-audit.patch
Patch45: %{name}-%{version}-pts.diff
Patch46: %{name}-%{version}-pam-fix4.diff
-Patch47: %{name}-%{version}-strnvis.diff
Patch48: %{name}-%{version}-forwards.diff
BuildRoot: %{_tmppath}/%{name}-%{version}-build
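Review bot: Patch47 (%{name}-%{version}-strnvis.diff) is removed here and no openssh-5.2p1-strnvis.diff appears in the New file list, but neither the changes entry nor the spec says why; record the reason (inclusion in upstream 5.2p1 or a deliberate decision to stop carrying it) so a later rebase does not silently lose a fix. Leaving the numbering gap between Patch46 and Patch48 is the right call, since the %patch48 invocation in %prep must stay aligned with it.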
@@ -162,7 +161,6 @@
%patch44 -p1
%patch45
%patch46 -p1
-%patch47
%patch48
cp -v %{SOURCE4} .
cp -v %{SOURCE6} .
@@ -294,7 +292,7 @@
%attr(0755,root,root) /usr/%_lib/ssh/sftp-server
%attr(0755,root,root) /usr/%_lib/ssh/ssh-keysign
%dir /etc/slp.reg.d
-/etc/slp.reg.d/ssh.reg
+%config /etc/slp.reg.d/ssh.reg
/var/adm/fillup-templates/sysconfig.ssh
%config %{_fwdefdir}/sshd
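Review bot: marking /etc/slp.reg.d/ssh.reg as %config is an improvement, but consider %config(noreplace): with plain %config an administrator's locally edited ssh.reg is moved aside as ssh.reg.rpmsave and replaced by the packaged file on upgrade, whereas %config(noreplace) keeps the local copy and writes the packaged version as ssh.reg.rpmnew. For a file that controls how the sshd service is advertised over SLP, silently reverting a local edit on every update is the less safe default.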
@@ -304,9 +302,60 @@
%attr(0755,root,root) /usr/%_lib/ssh/x11-ssh-askpass
%doc %_mandir/man1/ssh-askpass.1x.gz
%doc %_mandir/man1/x11-ssh-askpass.1x.gz
-%config %_appdefdir/SshAskpass
+%_appdefdir/SshAskpass
%changelog
+* Mon Feb 23 2009 anicka@suse.cz
+- update to 5.2p1
+ * This release changes the default cipher order to prefer the AES CTR
+ modes and the revised "arcfour256" mode to CBC mode ciphers that are
+ susceptible to CPNI-957037 "Plaintext Recovery Attack Against SSH".
+ * This release also adds countermeasures to mitigate CPNI-957037-style
+ attacks against the SSH protocol's use of CBC-mode ciphers. Upon
+ detection of an invalid packet length or Message Authentication
+ Code, ssh/sshd will continue reading up to the maximum supported
+ packet length rather than immediately terminating the connection.
+ This eliminates most of the known differences in behaviour that
+ leaked information about the plaintext of injected data which formed
+ the basis of this attack. We believe that these attacks are rendered
+ infeasible by these changes.
+ * Added a -y option to ssh(1) to force logging to syslog rather than
+ stderr, which is useful when running daemonised (ssh -f)
+ * The sshd_config(5) ForceCommand directive now accepts commandline
+ arguments for the internal-sftp server.
+ * The ssh(1) ~C escape commandline now support runtime creation of
+ dynamic (-D) port forwards.
+ * Support the SOCKS4A protocol in ssh(1) dynamic (-D) forwards.
+ (bz#1482)
+ * Support remote port forwarding with a listen port of '0'. This
+ informs the server that it should dynamically allocate a listen
+ port and report it back to the client. (bz#1003)
+ * sshd(8) now supports setting PermitEmptyPasswords and
+ AllowAgentForwarding in Match blocks
+ * Repair a ssh(1) crash introduced in openssh-5.1 when the client is
+ sent a zero-length banner (bz#1496)
+ * Due to interoperability problems with certain
+ broken SSH implementations, the eow@openssh.com and
+ no-more-sessions@openssh.com protocol extensions are now only sent
+ to peers that identify themselves as OpenSSH.
+ * Make ssh(1) send the correct channel number for
+ SSH2_MSG_CHANNEL_SUCCESS and SSH2_MSG_CHANNEL_FAILURE messages to
+ avoid triggering 'Non-public channel' error messages on sshd(8) in
+ openssh-5.1.
+ * Avoid printing 'Non-public channel' warnings in sshd(8), since the
+ ssh(1) has sent incorrect channel numbers since ~2004 (this reverts
+ a behaviour introduced in openssh-5.1).
+ * Avoid double-free in ssh(1) ~C escape -L handler (bz#1539)
+ * Correct fail-on-error behaviour in sftp(1) batchmode for remote
+ stat operations. (bz#1541)
+ * Disable nonfunctional ssh(1) ~C escape handler in multiplex slave
+ connections. (bz#1543)
+ * Avoid hang in ssh(1) when attempting to connect to a server that
+ has MaxSessions=0 set.
+ * Multiple fixes to sshd(8) configuration test (-T) mode
+ * Several core and portable OpenSSH bugs fixed: 1380, 1412, 1418,
+ 1419, 1421, 1490, 1491, 1492, 1514, 1515, 1518, 1520, 1538, 1540
+ * Many manual page improvements.
* Mon Dec 01 2008 anicka@suse.cz
- respect SSH_MAX_FORWARDS_PER_DIRECTION (bnc#448775)
* Mon Nov 10 2008 anicka@suse.cz
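Review bot: the %config flag on %_appdefdir/SshAskpass is dropped in this hunk, yet the new changelog entry immediately below it does not mention the change; since a file without %config is overwritten unconditionally on upgrade, confirm that losing local edits to the X app-defaults file is intended and add a line for it to the entry. The pasted upstream release notes are otherwise consistent with the rest of the commit: the default-protocol patch in this same check-in updates the commented Ciphers line to the new CTR-first order described in the first bullet.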
++++++ openssh-5.1p1-askpass-fix.diff -> openssh-5.2p1-askpass-fix.diff ++++++
++++++ openssh-5.1p1-audit.patch -> openssh-5.2p1-audit.patch ++++++
--- openssh/openssh-5.1p1-audit.patch 2008-07-22 20:32:05.000000000 +0200
+++ openssh/openssh-5.2p1-audit.patch 2009-02-23 17:08:57.000000000 +0100
@@ -1,7 +1,7 @@
# add support for Linux audit (FATE #120269)
================================================================================
---- openssh-5.1p1/Makefile.in
-+++ openssh-5.1p1/Makefile.in
+--- openssh-5.2p1/Makefile.in
++++ openssh-5.2p1/Makefile.in
@@ -44,6 +44,7 @@
CFLAGS=@CFLAGS@
CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
@@ -19,8 +19,8 @@
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
---- openssh-5.1p1/auth.c
-+++ openssh-5.1p1/auth.c
+--- openssh-5.2p1/auth.c
++++ openssh-5.2p1/auth.c
@@ -287,6 +287,12 @@
get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
# endif
@@ -45,9 +45,9 @@
#ifdef SSH_AUDIT_EVENTS
audit_event(SSH_INVALID_USER);
#endif /* SSH_AUDIT_EVENTS */
---- openssh-5.1p1/config.h.in
-+++ openssh-5.1p1/config.h.in
-@@ -1388,6 +1388,9 @@
+--- openssh-5.2p1/config.h.in
++++ openssh-5.2p1/config.h.in
+@@ -1397,6 +1397,9 @@
/* Define if you want SELinux support. */
#undef WITH_SELINUX
@@ -57,9 +57,9 @@
/* Define to 1 if your processor stores words with the most significant byte
first (like Motorola and SPARC, unlike Intel and VAX). */
#undef WORDS_BIGENDIAN
---- openssh-5.1p1/configure.ac
-+++ openssh-5.1p1/configure.ac
-@@ -3314,6 +3314,20 @@
+--- openssh-5.2p1/configure.ac
++++ openssh-5.2p1/configure.ac
+@@ -3340,6 +3340,20 @@
fi ]
)
@@ -80,7 +80,7 @@
# Check whether user wants Kerberos 5 support
KRB5_MSG="no"
AC_ARG_WITH(kerberos5,
-@@ -4134,6 +4148,7 @@
+@@ -4160,6 +4174,7 @@
echo " OSF SIA support: $SIA_MSG"
echo " KerberosV support: $KRB5_MSG"
echo " SELinux support: $SELINUX_MSG"
@@ -88,8 +88,8 @@
echo " Smartcard support: $SCARD_MSG"
echo " S/KEY support: $SKEY_MSG"
echo " TCP Wrappers support: $TCPW_MSG"
---- openssh-5.1p1/loginrec.c
-+++ openssh-5.1p1/loginrec.c
+--- openssh-5.2p1/loginrec.c
++++ openssh-5.2p1/loginrec.c
@@ -176,6 +176,10 @@
#include "auth.h"
#include "buffer.h"
@@ -174,8 +174,8 @@
/**
** Low-level libutil login() functions
**/
---- openssh-5.1p1/loginrec.h
-+++ openssh-5.1p1/loginrec.h
+--- openssh-5.2p1/loginrec.h
++++ openssh-5.2p1/loginrec.h
@@ -127,5 +127,9 @@
char *line_abbrevname(char *dst, const char *src, int dstsize);
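Review bot: the rebase of the audit patch changes only the 5.1p1 to 5.2p1 path prefixes and shifts three hunk offsets (config.h.in 1388 to 1397, configure.ac 3314 to 3340 and 4134 to 4160) while every hunk body is left unchanged; confirm the patch applies to the 5.2p1 tarball without fuzz or offset warnings, because the hooks it adds to auth.c and loginrec.c are what generate the Linux audit events for logins, and a hunk landing in the wrong function would compile yet leave those events unrecorded. A build log line showing each hunk applied cleanly would be enough evidence for the check-in.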
++++++ openssh-5.1p1-blocksigalrm.diff -> openssh-5.2p1-blocksigalrm.diff ++++++
++++++ openssh-5.1p1-default-protocol.diff -> openssh-5.2p1-default-protocol.diff ++++++
--- openssh/openssh-5.1p1-default-protocol.diff 2008-07-22 20:32:05.000000000 +0200
+++ openssh/openssh-5.2p1-default-protocol.diff 2009-02-23 17:08:57.000000000 +0100
@@ -7,5 +7,5 @@
-# Protocol 2,1
+ Protocol 2
# Cipher 3des
- # Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
+ # Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
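Review bot: the updated Ciphers line keeps its leading "#", so it documents the 5.2p1 compiled-in default rather than enforcing it, which is consistent with the uncommented "Protocol 2" line above being the only active setting this patch introduces. Note that the new default order still ends with aes128-cbc,3des-cbc: CBC modes are deprioritised in line with the CPNI-957037 mitigation described in the changes entry but remain negotiable, so deployments that must exclude CBC entirely need an explicit, uncommented Ciphers directive in sshd_config; it may be worth saying so in the comment.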
++++++ openssh-5.1p1.dif -> openssh-5.2p1.dif ++++++
++++++ openssh-5.1p1-eal3.diff -> openssh-5.2p1-eal3.diff ++++++
--- openssh/openssh-5.1p1-eal3.diff 2008-07-22 20:32:04.000000000 +0200
+++ openssh/openssh-5.2p1-eal3.diff 2009-02-23 17:08:56.000000000 +0100
@@ -1,6 +1,6 @@
---- openssh-5.1p1/sshd.8
-+++ openssh-5.1p1/sshd.8
-@@ -785,7 +785,7 @@
+--- openssh-5.2p1/sshd.8
++++ openssh-5.2p1/sshd.8
+@@ -783,7 +783,7 @@
The file format is described in
.Xr moduli 5 .
.Pp
@@ -9,7 +9,7 @@
See
.Xr motd 5 .
.Pp
-@@ -798,7 +798,7 @@
+@@ -796,7 +796,7 @@
refused.
The file should be world-readable.
.Pp
@@ -18,7 +18,7 @@
This file is used in exactly the same way as
.Pa hosts.equiv ,
but allows host-based authentication without permitting login with
-@@ -875,8 +875,7 @@
+@@ -873,8 +873,7 @@
.Xr ssh-keyscan 1 ,
.Xr chroot 2 ,
.Xr hosts_access 5 ,
@@ -28,8 +28,8 @@
.Xr sshd_config 5 ,
.Xr inetd 8 ,
.Xr sftp-server 8
---- openssh-5.1p1/sshd_config.5
-+++ openssh-5.1p1/sshd_config.5
+--- openssh-5.2p1/sshd_config.5
++++ openssh-5.2p1/sshd_config.5
@@ -177,9 +177,6 @@
By default, no banner is displayed.
.It Cm ChallengeResponseAuthentication
++++++ openssh-5.1p1-engines.diff -> openssh-5.2p1-engines.diff ++++++
--- openssh/openssh-5.1p1-engines.diff 2008-07-22 20:32:04.000000000 +0200
+++ openssh/openssh-5.2p1-engines.diff 2009-02-23 17:08:56.000000000 +0100
@@ -1,5 +1,5 @@
---- openssh-5.1p1/ssh-add.c
-+++ openssh-5.1p1/ssh-add.c
+--- openssh-5.2p1/ssh-add.c
++++ openssh-5.2p1/ssh-add.c
@@ -43,6 +43,7 @@
#include