Hello community, here is the log from the commit of package openssh checked in at Wed Dec 13 01:26:17 CET 2006. --------
--- openssh/openssh-askpass-gnome.changes 2006-10-04 12:58:22.000000000 +0200
+++ /mounts/work_src_done/STABLE/openssh/openssh-askpass-gnome.changes 2006-12-13 01:25:42.000000000 +0100
@@ -1,0 +2,15 @@
+Tue Dec 12 14:44:41 CET 2006 - anicka@suse.cz
+
+- update to 4.5p1
+ * Use privsep_pw if we have it, but only require it if we
+ absolutely need it.
+ * Correctly check for bad signatures in the monitor, otherwise
+ the monitor and the unpriv process can get out of sync.
+ * Clear errno before calling the strtol functions.
+ * exit instead of doing a blocking tcp send if we detect
+ a client/server timeout, since the tcp sendqueue might
+ be already full (of alive requests)
+ * include signal.h, errno.h, sys/in.h
+ * some more bugfixes
+
+-------------------------------------------------------------------
--- openssh/openssh.changes 2006-11-22 13:42:50.000000000 +0100
+++ /mounts/work_src_done/STABLE/openssh/openssh.changes 2006-12-12 14:44:00.000000000 +0100
@@ -1,0 +2,15 @@ +Tue Dec 12 14:41:45 CET 2006 - anicka@suse.cz + +- update to 4.5p1 + * Use privsep_pw if we have it, but only require it if we + absolutely need it. + * Correctly check for bad signatures in the monitor, otherwise + the monitor and the unpriv process can get out of sync. + * Clear errno before calling the strtol functions. + * exit instead of doing a blocking tcp send if we detect + a client/server timeout, since the tcp sendqueue might + be already full (of alive requests) + * include signal.h, errno.h, sys/in.h + * some more bugfixes + +------------------------------------------------------------------- Old: ---- openssh-4.4p1-addrlist.dif openssh-4.4p1-askpass-fix.diff openssh-4.4p1-blocksigalrm.diff openssh-4.4p1-eal3.diff openssh-4.4p1-engines.diff openssh-4.4p1-gcc-fix.patch openssh-4.4p1-gssapimitm.patch openssh-4.4p1-pam-fix2.diff openssh-4.4p1-pam-fix3.diff openssh-4.4p1-pwname-home.diff openssh-4.4p1-saveargv-fix.diff openssh-4.4p1-secfix4.5.diff openssh-4.4p1-send_locale.diff openssh-4.4p1-strict-aliasing-fix.diff openssh-4.4p1-tmpdir.diff openssh-4.4p1-xauth.diff openssh-4.4p1-xauthlocalhostname.diff openssh-4.4p1.dif openssh-4.4p1.tar.bz2 New: ---- openssh-4.5p1-addrlist.dif openssh-4.5p1-askpass-fix.diff openssh-4.5p1-blocksigalrm.diff openssh-4.5p1-eal3.diff openssh-4.5p1-engines.diff openssh-4.5p1-gcc-fix.patch openssh-4.5p1-gssapimitm.patch openssh-4.5p1-pam-fix2.diff openssh-4.5p1-pam-fix3.diff openssh-4.5p1-pwname-home.diff openssh-4.5p1-saveargv-fix.diff openssh-4.5p1-send_locale.diff openssh-4.5p1-strict-aliasing-fix.diff openssh-4.5p1-tmpdir.diff openssh-4.5p1-xauth.diff openssh-4.5p1-xauthlocalhostname.diff openssh-4.5p1.dif openssh-4.5p1.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openssh-askpass-gnome.spec ++++++ --- /var/tmp/diff_new_pack.m4HXis/_old 2006-12-13 01:25:58.000000000 +0100 +++ /var/tmp/diff_new_pack.m4HXis/_new 2006-12-13 
01:25:58.000000000 +0100 @@ -1,5 +1,5 @@ # -# spec file for package openssh-askpass-gnome (Version 4.4p1) +# spec file for package openssh-askpass-gnome (Version 4.5p1) # # Copyright (c) 2006 SUSE LINUX Products GmbH, Nuernberg, Germany. # This file and all modifications and additions to the pristine @@ -14,8 +14,8 @@ BuildRequires: gtk2-devel krb5-devel opensc-devel openssh openssl-devel pam-devel tcpd-devel update-desktop-files License: Other License(s), see package Group: Productivity/Networking/SSH -Version: 4.4p1 -Release: 23 +Version: 4.5p1 +Release: 1 Requires: openssh = %{version} openssh-askpass = %{version} Autoreqprov: on Summary: A GNOME-Based Passphrase Dialog for OpenSSH @@ -111,6 +111,18 @@ %attr(0755,root,root) /usr/%_lib/ssh/gnome-ssh-askpass %changelog -n openssh-askpass-gnome +* Tue Dec 12 2006 - anicka@suse.cz +- update to 4.5p1 + * Use privsep_pw if we have it, but only require it if we + absolutely need it. + * Correctly check for bad signatures in the monitor, otherwise + the monitor and the unpriv process can get out of sync. + * Clear errno before calling the strtol functions. + * exit instead of doing a blocking tcp send if we detect + a client/server timeout, since the tcp sendqueue might + be already full (of alive requests) + * include signal.h, errno.h, sys/in.h + * some more bugfixes * Wed Oct 04 2006 - postadal@suse.cz - updated to version 4.4p1 [#208662] * fixed pre-authentication DoS, that would cause sshd(8) to spin ++++++ openssh.spec ++++++ --- /var/tmp/diff_new_pack.m4HXis/_old 2006-12-13 01:25:58.000000000 +0100 +++ /var/tmp/diff_new_pack.m4HXis/_new 2006-12-13 01:25:58.000000000 +0100 @@ -1,5 +1,5 @@ # -# spec file for package openssh (Version 4.4p1) +# spec file for package openssh (Version 4.5p1) # # Copyright (c) 2006 SUSE LINUX Products GmbH, Nuernberg, Germany. # This file and all modifications and additions to the pristine 
@@ -27,8 +27,8 @@ PreReq: /usr/sbin/groupadd /usr/sbin/useradd %insserv_prereq %fillup_prereq /bin/mkdir /bin/cat permissions Conflicts: nonfreessh Autoreqprov: on -Version: 4.4p1 -Release: 22 +Version: 4.5p1 +Release: 1 %define xversion 1.2.4.1 Summary: Secure Shell Client and Server (Remote Login Program) URL: http://www.openssh.com/ @@ -59,7 +59,6 @@ Patch40: %{name}-%{version}-xauth.diff Patch41: %{name}-%{version}-gcc-fix.patch Patch42: %{name}-gssapi_krb5-fix.patch -Patch43: %{name}-%{version}-secfix4.5.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build %package askpass Summary: A passphrase dialog for OpenSSH and the X Window System @@ -146,7 +145,6 @@ %patch40 %patch41 %patch42 -%patch43 cp -v %{SOURCE4} . cp -v %{SOURCE6} . cd ../x11-ssh-askpass-%{xversion} @@ -284,6 +282,18 @@ %config %_appdefdir/SshAskpass %changelog -n openssh +* Tue Dec 12 2006 - anicka@suse.cz +- update to 4.5p1 + * Use privsep_pw if we have it, but only require it if we + absolutely need it. + * Correctly check for bad signatures in the monitor, otherwise + the monitor and the unpriv process can get out of sync. + * Clear errno before calling the strtol functions. + * exit instead of doing a blocking tcp send if we detect + a client/server timeout, since the tcp sendqueue might + be already full (of alive requests) + * include signal.h, errno.h, sys/in.h + * some more bugfixes * Wed Nov 22 2006 - anicka@suse.cz - fixed README.SuSE [#223025] * Thu Nov 09 2006 - anicka@suse.cz ++++++ openssh-4.4p1-addrlist.dif -> openssh-4.5p1-addrlist.dif ++++++ ++++++ openssh-4.4p1-askpass-fix.diff -> openssh-4.5p1-askpass-fix.diff ++++++ ++++++ openssh-4.4p1-blocksigalrm.diff -> openssh-4.5p1-blocksigalrm.diff ++++++ ++++++ openssh-4.4p1-eal3.diff -> openssh-4.5p1-eal3.diff ++++++ --- openssh/openssh-4.4p1-eal3.diff 2006-11-09 13:57:59.000000000 +0100 +++ /mounts/work_src_done/STABLE/openssh/openssh-4.5p1-eal3.diff 2006-12-12 13:56:43.000000000 +0100 
@@ -1,5 +1,5 @@ ---- openssh-4.4p1/sshd.8 -+++ openssh-4.4p1/sshd.8 +--- openssh-4.5p1/sshd.8 ++++ openssh-4.5p1/sshd.8 @@ -739,7 +739,7 @@ The file format is described in .Xr moduli 5 . @@ -28,8 +28,8 @@ .Xr sshd_config 5 , .Xr inetd 8 , .Xr sftp-server 8 ---- openssh-4.4p1/sshd_config.5 -+++ openssh-4.4p1/sshd_config.5 +--- openssh-4.5p1/sshd_config.5 ++++ openssh-4.5p1/sshd_config.5 @@ -169,9 +169,6 @@ By default, no banner is displayed. .It Cm ChallengeResponseAuthentication ++++++ openssh-4.4p1-engines.diff -> openssh-4.5p1-engines.diff ++++++ --- openssh/openssh-4.4p1-engines.diff 2006-11-09 13:57:59.000000000 +0100 +++ /mounts/work_src_done/STABLE/openssh/openssh-4.5p1-engines.diff 2006-12-12 13:56:43.000000000 +0100 @@ -2,8 +2,8 @@ # -- mludvig@suse.cz Index: openssh-3.8p1/ssh-add.c ================================================================================ ---- openssh-4.4p1/ssh-add.c -+++ openssh-4.4p1/ssh-add.c +--- openssh-4.5p1/ssh-add.c ++++ openssh-4.5p1/ssh-add.c @@ -42,6 +42,7 @@ #include <sys/param.h> @@ -23,8 +23,8 @@ /* At first, get a connection to the authentication agent. */ ac = ssh_get_authentication_connection(); if (ac == NULL) { ---- openssh-4.4p1/ssh-agent.c -+++ openssh-4.4p1/ssh-agent.c +--- openssh-4.5p1/ssh-agent.c ++++ openssh-4.5p1/ssh-agent.c @@ -51,6 +51,7 @@ #include <openssl/evp.h> @@ -44,8 +44,8 @@ __progname = ssh_get_progname(av[0]); init_rng(); seed_rng(); ---- openssh-4.4p1/ssh-keygen.c -+++ openssh-4.4p1/ssh-keygen.c +--- openssh-4.5p1/ssh-keygen.c ++++ openssh-4.5p1/ssh-keygen.c @@ -21,6 +21,7 @@ #include <openssl/evp.h> @@ -54,7 +54,7 @@ #include <errno.h> #include <fcntl.h> -@@ -1073,6 +1074,11 @@ +@@ -1074,6 +1075,11 @@ __progname = ssh_get_progname(av[0]); SSLeay_add_all_algorithms(); @@ -66,8 +66,8 @@ log_init(av[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); init_rng(); ---- openssh-4.4p1/ssh-keysign.c -+++ openssh-4.4p1/ssh-keysign.c +--- openssh-4.5p1/ssh-keysign.c ++++ openssh-4.5p1/ssh-keysign.c 
@@ -38,6 +38,7 @@ #include <openssl/evp.h> #include <openssl/rand.h> @@ -88,8 +88,8 @@ for (i = 0; i < 256; i++) rnd[i] = arc4random(); RAND_seed(rnd, sizeof(rnd)); ---- openssh-4.4p1/ssh.c -+++ openssh-4.4p1/ssh.c +--- openssh-4.5p1/ssh.c ++++ openssh-4.5p1/ssh.c @@ -72,6 +72,7 @@ #include <openssl/evp.h> @@ -109,8 +109,8 @@ /* Initialize the command to execute on remote host. */ buffer_init(&command); ---- openssh-4.4p1/sshd.c -+++ openssh-4.4p1/sshd.c +--- openssh-4.5p1/sshd.c ++++ openssh-4.5p1/sshd.c @@ -75,6 +75,7 @@ #include <openssl/bn.h> #include <openssl/md5.h> ++++++ openssh-4.4p1-gcc-fix.patch -> openssh-4.5p1-gcc-fix.patch ++++++ ++++++ openssh-4.4p1-gssapimitm.patch -> openssh-4.5p1-gssapimitm.patch ++++++ ++++++ openssh-4.4p1-pam-fix2.diff -> openssh-4.5p1-pam-fix2.diff ++++++ ++++++ openssh-4.4p1-pam-fix2.diff -> openssh-4.5p1-pam-fix3.diff ++++++ --- openssh/openssh-4.4p1-pam-fix2.diff 2006-11-09 13:57:57.000000000 +0100 +++ /mounts/work_src_done/STABLE/openssh/openssh-4.5p1-pam-fix3.diff 2006-12-12 13:56:42.000000000 +0100 
@@ -1,20 +1,13 @@ ---- sshd_config -+++ sshd_config -@@ -53,7 +53,7 @@ - #IgnoreRhosts yes - - # To disable tunneled clear text passwords, change to no here! --#PasswordAuthentication yes -+PasswordAuthentication no - #PermitEmptyPasswords no - - # Change to no to disable s/key passwords -@@ -78,7 +78,7 @@ - # If you just want the PAM account and session checks to run without - # PAM authentication, then enable this but set PasswordAuthentication - # and ChallengeResponseAuthentication to 'no'. --#UsePAM no -+UsePAM yes - - #AllowTcpForwarding yes - #GatewayPorts no +--- auth-pam.c ++++ auth-pam.c +@@ -785,7 +785,9 @@ + fatal("Internal error: PAM auth " + "succeeded when it should have " + "failed"); +- import_environments(&buffer); ++#ifndef USE_POSIX_THREADS ++ import_environments(&buffer); ++#endif + *num = 0; + **echo_on = 0; + ctxt->pam_done = 1; ++++++ openssh-4.4p1-pwname-home.diff -> openssh-4.5p1-pwname-home.diff ++++++ --- openssh/openssh-4.4p1-pwname-home.diff 2006-11-09 13:58:01.000000000 +0100 +++ /mounts/work_src_done/STABLE/openssh/openssh-4.5p1-pwname-home.diff 2006-12-12 13:56:45.000000000 +0100 @@ -1,5 +1,5 @@ ---- openssh-4.4p1/misc.c -+++ openssh-4.4p1/misc.c +--- openssh-4.5p1/misc.c ++++ openssh-4.5p1/misc.c @@ -186,6 +186,29 @@ return (old); } @@ -39,8 +39,8 @@ fatal("tilde_expand_filename: No such uid %d", uid); if (strlcpy(ret, pw->pw_dir, sizeof(ret)) >= sizeof(ret)) ---- openssh-4.4p1/misc.h -+++ openssh-4.4p1/misc.h +--- openssh-4.5p1/misc.h ++++ openssh-4.5p1/misc.h @@ -34,6 +34,7 @@ char *tohex(const void *, size_t); void sanitise_stdfd(void); @@ -49,8 +49,8 @@ struct passwd *pwcopy(struct passwd *); typedef struct arglist arglist; ---- openssh-4.4p1/ssh.c -+++ openssh-4.4p1/ssh.c +--- openssh-4.5p1/ssh.c ++++ openssh-4.5p1/ssh.c 
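Review bot: The `#ifndef USE_POSIX_THREADS` guard that the new pam-fix3 patch puts around `import_environments(&buffer);` in auth-pam.c has no comment saying why the import is skipped in threaded builds. Presumably the threaded variant runs the PAM conversation in the same address space and never serializes an environment into `buffer`, so there is nothing to read; a call-site comment such as `/* threaded PAM shares our address space; no environment was exported into buffer */` would record that. If the export side is guarded the same way (not visible here), moving the `#ifndef` inside `import_environments()` would keep both halves of the protocol together and leave this success path unconditional. The enclosing function starts and ends outside the hunk, and the removed sshd_config lines look like the contents of pam-fix2 used as the comparison base, not settings this commit drops.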
@@ -249,7 +249,7 @@ } #endif ++++++ openssh-4.4p1-saveargv-fix.diff -> openssh-4.5p1-saveargv-fix.diff ++++++ ++++++ openssh-4.4p1-send_locale.diff -> openssh-4.5p1-send_locale.diff ++++++ ++++++ openssh-4.4p1-strict-aliasing-fix.diff -> openssh-4.5p1-strict-aliasing-fix.diff ++++++ ++++++ openssh-4.4p1-tmpdir.diff -> openssh-4.5p1-tmpdir.diff ++++++ ++++++ openssh-4.4p1-xauth.diff -> openssh-4.5p1-xauth.diff ++++++ ++++++ openssh-4.4p1-xauthlocalhostname.diff -> openssh-4.5p1-xauthlocalhostname.diff ++++++ ++++++ openssh-4.4p1-addrlist.dif -> openssh-4.5p1.dif ++++++ --- openssh/openssh-4.4p1-addrlist.dif 2006-11-09 13:57:57.000000000 +0100 +++ /mounts/work_src_done/STABLE/openssh/openssh-4.5p1.dif 2006-12-12 13:56:41.000000000 +0100 
@@ -1,87 +1,45 @@ ---- sshd.c -+++ sshd.c -@@ -253,6 +253,62 @@ +--- ssh_config ++++ ssh_config +@@ -17,9 +17,20 @@ + # list of available options, their meanings and defaults, please see the + # ssh_config(5) man page. - static void do_ssh1_kex(void); - static void do_ssh2_kex(void); -+char * isaddr(struct addrinfo *addr, char *name); -+void remove_duplicities(struct addrinfo *addr, char *port); -+ -+/* -+ * returns port if addr equals name -+ */ -+ -+char* -+isaddr(struct addrinfo *addr, char *name) -+{ -+ char ntop[NI_MAXHOST]; -+ char *strport; -+ -+ strport = (char*) malloc(NI_MAXSERV+1); -+ if (getnameinfo(addr->ai_addr, addr->ai_addrlen, -+ ntop, sizeof(ntop), strport, sizeof(strport), -+ NI_NUMERICHOST|NI_NUMERICSERV) != 0) { -+ error("getnameinfo failed"); -+ free(strport); -+ return NULL; -+ } -+ if (!strcmp(ntop,name)) -+ return strport; -+ else{ -+ free(strport); -+ return NULL; -+ } -+ -+} -+ -+/* -+ * it removes all "0.0.0.0" elements with given port -+ * from the list -+ */ -+ -+void -+remove_duplicities(struct addrinfo *ai_start, char *port) -+{ -+ struct addrinfo *ai, *ai1, *aiprev, *ainext; -+ char *port1; -+ -+ aiprev=ai_start; -+ for (ai = ai_start->ai_next; ai; ai = ainext) { -+ ainext = ai->ai_next; -+ port1 = isaddr(ai, "0.0.0.0"); -+ if (port1 && !strcmp(port,port1)){ -+ aiprev->ai_next = ainext; -+ free(ai); -+ free(port1); -+ } else { -+ if (port1) -+ free(port1); -+ aiprev = ai; -+ } -+ } -+} - - /* - * Close all listening sockets -@@ -941,6 +997,7 @@ - int ret, listen_sock, on = 1; - struct addrinfo *ai; - char ntop[NI_MAXHOST], strport[NI_MAXSERV]; -+ char *port; +-# Host * ++Host * + # ForwardAgent no + # ForwardX11 no ++ ++# If you do not trust your remote host (or its administrator), you ++# should not forward X11 connections to your local X11-display for ++# security reasons: Someone stealing the authentification data on the ++# remote side (the "spoofed" X-server by the remote sshd) can read your ++# keystrokes as you type, just 
like any other X11 client could do. ++# Set this to "no" here for global effect or in your own ~/.ssh/config ++# file if you want to have the remote X11 authentification data to ++# expire after two minutes after remote login. ++ForwardX11Trusted yes ++ + # RhostsRSAAuthentication no + # RSAAuthentication yes + # PasswordAuthentication yes +--- sshd_config ++++ sshd_config +@@ -82,7 +82,7 @@ - for (ai = options.listen_addrs; ai; ai = ai->ai_next) { - if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) -@@ -986,6 +1043,13 @@ - continue; - } - listen_socks[num_listen_socks] = listen_sock; -+ -+ port = isaddr(ai,"::"); -+ if (port) { -+ remove_duplicities(ai, port); -+ free(port); -+ } -+ - num_listen_socks++; + #AllowTcpForwarding yes + #GatewayPorts no +-#X11Forwarding no ++X11Forwarding yes + #X11DisplayOffset 10 + #X11UseLocalhost yes + #PrintMotd yes +--- sshlogin.c ++++ sshlogin.c +@@ -126,6 +126,7 @@ - /* Start listening on the port. */ + li = login_alloc_entry(pid, user, host, tty); + login_set_addr(li, addr, addrlen); ++ li->uid=uid; + login_login(li); + login_free_entry(li); + } ++++++ openssh-4.4p1.tar.bz2 -> openssh-4.5p1.tar.bz2 ++++++ ++++ 7035 lines of diff (skipped) ++++++ openssh-gssapi_krb5-fix.patch ++++++ --- /var/tmp/diff_new_pack.m4HXis/_old 2006-12-13 01:26:00.000000000 +0100 +++ /var/tmp/diff_new_pack.m4HXis/_new 2006-12-13 01:26:00.000000000 +0100 @@ -1,6 +1,6 @@ --- configure.ac +++ configure.ac -@@ -3217,7 +3217,14 @@ +@@ -3220,7 +3220,14 @@ K5LIBS="-lgssapi $K5LIBS" ], [ AC_CHECK_LIB(gssapi_krb5,gss_init_sec_context, [ AC_DEFINE(GSSAPI) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
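Review bot: `X11Forwarding yes` in the sshd_config hunk enables X11 forwarding on every installation with no comment, while the ssh_config hunk in the same patch explains the risk of `ForwardX11Trusted yes` at length. A server-side line such as `# X11 forwarding is enabled by default in this package; set to no on hosts that do not need it` would tell administrators that the package departs from the commented-out `#X11Forwarding no` on the removed line. On the client side, the uncommented `Host *` makes `ForwardX11Trusted yes` apply to every host, and the explanatory comment only says "Set this to "no"" without naming the option. Wording it as `# Set ForwardX11Trusted to "no" here ...` would keep the advice unambiguous if further directives are added under the same `Host *` block.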