Hello community,
here is the log from the commit of package openssh for openSUSE:Factory checked in at 2018-02-02 22:19:52
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openssh (Old)
and /work/SRC/openSUSE:Factory/.openssh.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssh"
Fri Feb 2 22:19:52 2018 rev:114 rq:571577 version:7.6p1
Changes:
--------
--- /work/SRC/openSUSE:Factory/openssh/openssh-askpass-gnome.changes 2016-07-28 23:45:14.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.openssh.new/openssh-askpass-gnome.changes 2018-02-02 22:19:53.864554713 +0100
@@ -1,0 +2,11 @@
+Wed Jan 31 22:54:55 UTC 2018 - pcerny@suse.com
+
+- .spec file cleanup
+
+-------------------------------------------------------------------
+Fri Nov 3 12:27:18 UTC 2017 - pcerny@suse.com
+
+- upgrade to 7.6p1
+ see main package changelog for details
+
+-------------------------------------------------------------------
--- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2018-01-22 15:56:42.935142459 +0100
+++ /work/SRC/openSUSE:Factory/.openssh.new/openssh.changes 2018-02-02 22:19:53.908552659 +0100
@@ -1,0 +2,11 @@
+Wed Jan 31 13:31:41 UTC 2018 - pcerny@suse.com
+
+- Add missing crypto hardware enablement patches for IBM mainframes
+ (FATE#323902)
+
+-------------------------------------------------------------------
+Wed Jan 24 21:42:35 UTC 2018 - pcerny@suse.com
+
+- add missing part of systemd integration (unit type)
+
+-------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ openssh-askpass-gnome.spec ++++++
--- /var/tmp/diff_new_pack.F1pRlK/_old 2018-02-02 22:19:54.832509524 +0100
+++ /var/tmp/diff_new_pack.F1pRlK/_new 2018-02-02 22:19:54.836509338 +0100
@@ -16,26 +16,18 @@
#
+%define _name openssh
Name: openssh-askpass-gnome
-BuildRequires: autoconf
-BuildRequires: automake
BuildRequires: gtk2-devel
-BuildRequires: krb5-devel
-BuildRequires: openssh
-BuildRequires: openssl-devel
-BuildRequires: pam-devel
-BuildRequires: tcpd-devel
-BuildRequires: update-desktop-files
Version: 7.6p1
Release: 0
-Requires: openssh = %{version}
+Requires: %{_name} = %{version}
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
License: BSD-2-Clause
Group: Productivity/Networking/SSH
Url: http://www.openssh.com/
-%define _name openssh
-Source: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
-Source42: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
+Source: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz
+Source42: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz.asc
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
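Review bot: The rewritten `Source:` and `Source42:` lines still point at `http://ftp.openbsd.org/...`, so the tarball and its detached signature are both referenced over an unauthenticated channel whenever they are re-fetched. If the mirror serves TLS, prefer `Source: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz` and the matching `.asc` URL for `Source42:`. The signature only protects the build if it is checked against a pinned keyring, which is not visible in this hunk, so that is worth confirming.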
++++++ openssh-7.6p1-SUSE_patches.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/SUSE_patches/openssh-7.6p1-seccomp_ioctl_s390_EP11.patch new/SUSE_patches/openssh-7.6p1-seccomp_ioctl_s390_EP11.patch
--- old/SUSE_patches/openssh-7.6p1-seccomp_ioctl_s390_EP11.patch 1970-01-01 01:00:00.000000000 +0100
+++ new/SUSE_patches/openssh-7.6p1-seccomp_ioctl_s390_EP11.patch 2018-01-30 00:18:17.000000000 +0100
@@ -0,0 +1,36 @@
+# HG changeset patch
+# Parent a64f36149cef8579bcca3c9207219603d5d3da48
+Patch from IBM enabling use of EP11 hw crypto accelerator, submitted upstreams:
+
+From: Eduardo Barretto
+To: openssh-unix-dev@mindrot.org
+Subject: [PATCH 3/3] Enable specific ioctl call for EP11 crypto card (s390)
+Date: Tue, 9 May 2017 14:27:15 -0300
+
+The EP11 crypto card needs to make an ioctl call, which receives an
+specific argument. This crypto card is for s390 only.
+
+Signed-off-by: Eduardo Barretto
+
+diff --git a/openssh-7.6p1/sandbox-seccomp-filter.c b/openssh-7.6p1/sandbox-seccomp-filter.c
+--- a/openssh-7.6p1/sandbox-seccomp-filter.c
++++ b/openssh-7.6p1/sandbox-seccomp-filter.c
+@@ -248,16 +248,18 @@ static const struct sock_filter preauth_
+ SC_ALLOW_ARG(__NR_socketcall, 0, SYS_SHUTDOWN),
+ SC_DENY(__NR_socketcall, EACCES),
+ #endif
+ #if defined(__NR_ioctl) && defined(__s390__)
+ /* Allow ioctls for ICA crypto card on s390 */
+ SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK),
+ SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO),
+ SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT),
++ /* Allow ioctls for EP11 crypto card on s390 */
++ SC_ALLOW_ARG(__NR_ioctl, 1, ZSENDEP11CPRB),
+ #endif
+ #if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
+ /*
+ * On Linux x32, the clock_gettime VDSO falls back to the
+ * x86-64 syscall under some circumstances, e.g.
+ * https://bugs.debian.org/849923
+ */
+ SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT),
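Review bot: The added `SC_ALLOW_ARG(__NR_ioctl, 1, ZSENDEP11CPRB)` goes into the pre-authentication filter (the hunk header shows `preauth_…`), so the sandboxed child that handles unauthenticated input can reach one more crypto-driver request on s390. The rule matches on the request number only, not on the file descriptor, as do the three ICA entries above it. I would guard the entry with `#ifdef ZSENDEP11CPRB` in case older kernel headers lack the constant (inferred; the header that defines it is outside the hunk). I would also extend the comment to say who needs it, e.g. `/* Allow ioctls for EP11 crypto card on s390 (matched on request number only) */`. The filter array starts and ends outside the hunk.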
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/SUSE_patches/openssh-7.6p1-seccomp_ipc_flock.patch new/SUSE_patches/openssh-7.6p1-seccomp_ipc_flock.patch
--- old/SUSE_patches/openssh-7.6p1-seccomp_ipc_flock.patch 1970-01-01 01:00:00.000000000 +0100
+++ new/SUSE_patches/openssh-7.6p1-seccomp_ipc_flock.patch 2018-01-30 00:14:40.000000000 +0100
@@ -0,0 +1,60 @@
+# HG changeset patch
+# Parent 089f89e036e8d906db26a1e538c879ebc9c0f830
+Patch from IBM enabling the use of OpenCryptoki, submitted upstreams:
+
+From: Eduardo Barretto
+To: openssh-unix-dev@mindrot.org
+Subject: [PATCH 1/3] Allow flock and ipc syscall for s390 architecture
+Date: Tue, 9 May 2017 14:27:13 -0300
+
+In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock
+and ipc calls, because this engine calls OpenCryptoki (a PKCS#11
+implementation) which calls the libraries that will communicate with the
+crypto cards. OpenCryptoki makes use of flock and ipc and, as of now,
+this is only need on s390 architecture.
+
+Signed-off-by: Eduardo Barretto
+
+diff --git a/openssh-7.6p1/sandbox-seccomp-filter.c b/openssh-7.6p1/sandbox-seccomp-filter.c
+--- a/openssh-7.6p1/sandbox-seccomp-filter.c
++++ b/openssh-7.6p1/sandbox-seccomp-filter.c
+@@ -167,16 +167,19 @@ static const struct sock_filter preauth_
+ SC_ALLOW(__NR_exit_group),
+ #endif
+ #ifdef __NR_geteuid
+ SC_ALLOW(__NR_geteuid),
+ #endif
+ #ifdef __NR_geteuid32
+ SC_ALLOW(__NR_geteuid32),
+ #endif
++#if defined(__NR_flock) && defined(__s390__)
++ SC_ALLOW(__NR_flock),
++#endif
+ #ifdef __NR_getpgid
+ SC_ALLOW(__NR_getpgid),
+ #endif
+ #ifdef __NR_getpid
+ SC_ALLOW(__NR_getpid),
+ #endif
+ #ifdef __NR_getrandom
+ SC_ALLOW(__NR_getrandom),
+@@ -185,16 +188,19 @@ static const struct sock_filter preauth_
+ SC_ALLOW(__NR_gettimeofday),
+ #endif
+ #ifdef __NR_getuid
+ SC_ALLOW(__NR_getuid),
+ #endif
+ #ifdef __NR_getuid32
+ SC_ALLOW(__NR_getuid32),
+ #endif
++#if defined(__NR_ipc) && defined(__s390__)
++ SC_ALLOW(__NR_ipc),
++#endif
+ #ifdef __NR_madvise
+ SC_ALLOW(__NR_madvise),
+ #endif
+ #ifdef __NR_mmap
+ SC_ALLOW(__NR_mmap),
+ #endif
+ #ifdef __NR_mmap2
+ SC_ALLOW(__NR_mmap2),
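Review bot: `SC_ALLOW(__NR_ipc)` in the second inner hunk admits every operation multiplexed behind the `ipc` syscall, not just the ones OpenCryptoki uses, and it does so in the pre-authentication filter. The same file already narrows a multiplexed call by its first argument (`SC_ALLOW_ARG(__NR_socketcall, 0, SYS_SHUTDOWN)` followed by `SC_DENY(__NR_socketcall, EACCES)`, visible in the EP11 patch context); the same pattern with the specific call numbers the library needs would keep the allowance tight. Which sub-calls those are is not stated in the description, so that needs confirming with the submitter. `SC_ALLOW(__NR_flock)` in the first inner hunk is less of a concern, though it is inserted after the `geteuid` entries rather than at its alphabetical position in the list. Both inner hunks cut through the filter array, which starts and ends outside them.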
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/SUSE_patches/patch.series new/SUSE_patches/patch.series
--- old/SUSE_patches/patch.series 2018-01-11 23:02:18.000000000 +0100
+++ new/SUSE_patches/patch.series 2018-01-30 00:54:43.000000000 +0100
@@ -13,6 +13,8 @@
openssh-7.6p1-seccomp_getuid.patch
openssh-7.6p1-seccomp_geteuid.patch
openssh-7.6p1-seccomp_stat.patch
+openssh-7.6p1-seccomp_ipc_flock.patch
+openssh-7.6p1-seccomp_ioctl_s390_EP11.patch
openssh-7.6p1-fips.patch
openssh-7.6p1-cavstest-ctr.patch
openssh-7.6p1-cavstest-kdf.patch
++++++ sshd.service ++++++
--- /var/tmp/diff_new_pack.F1pRlK/_old 2018-02-02 22:19:55.068498507 +0100
+++ /var/tmp/diff_new_pack.F1pRlK/_new 2018-02-02 22:19:55.068498507 +0100
@@ -3,8 +3,10 @@
After=network.target
[Service]
+Type=notify
EnvironmentFile=-/etc/sysconfig/ssh
ExecStartPre=/usr/sbin/sshd-gen-keys-start
+ExecStartPre=/usr/sbin/sshd -t $SSHD_OPTS
ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
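Review bot: The new `ExecStartPre=/usr/sbin/sshd -t $SSHD_OPTS` validates the configuration before start, but the reload path `ExecReload=/bin/kill -HUP $MAINPID` still sends the signal unchecked, so a broken sshd_config at reload time can take the daemon down and leave a remote-only host without a listener. Add `ExecReload=/usr/sbin/sshd -t $SSHD_OPTS` on the line before the existing `ExecReload=`. Separately, `Type=notify` only works if this sshd build sends a readiness notification; that presumably comes from the packaged systemd-integration patch, which is not visible here, and without it the unit would time out on start.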