Mega:23.09
openssh
We truncated the diff of some files because they were too big.
Changes of Revision 3
_service:tar_scm:openssh.spec
Changed
@@ -6,10 +6,10 @@ %{?no_gtk2:%global gtk2 0} %global sshd_uid 74 -%global openssh_release 2 +%global openssh_release 1 Name: openssh -Version: 9.3p1 +Version: 9.3p2 Release: %{openssh_release} URL: http://www.openssh.com/portable.html License: BSD @@ -86,7 +86,6 @@ Patch58: openssh-8.7p1-ibmca.patch Patch60: openssh-8.7p1-ssh-manpage.patch Patch61: openssh-8.7p1-negotiate-supported-algs.patch -Patch65: openssh-9.3p1-upstream-cve-2023-38408.patch Patch66: bugfix-sftp-when-parse_user_host_path-empty-path-should-be-allowed.patch Patch67: bugfix-openssh-add-option-check-username-splash.patch Patch68: feature-openssh-7.4-hima-sftpserver-oom-and-fix.patch @@ -98,6 +97,8 @@ Patch74: add-strict-scp-check-for-CVE-2020-15778.patch Patch75: skip-scp-test-if-there-is-no-scp-on-remote-path-as-s.patch Patch77: set-ssh-config.patch +Patch78: backport-CVE-2023-48795-upstream-implement-strict-key-exchange-in-ssh-and-ss.patch +Patch79: backport-CVE-2023-51385-upstream-ban-user-hostnames-with-most-shell-metachar.patch Requires: /sbin/nologin Requires: libselinux >= 2.3-5 audit-libs >= 1.0.8 @@ -229,7 +230,6 @@ %patch58 -p1 -b .ibmca %patch60 -p1 -b .ssh-manpage %patch61 -p1 -b .negotiate-supported-algs -%patch65 -p1 -b .cve-2023-38408 %patch1 -p1 -b .audit %patch2 -p1 -b .audit-race %patch0 -p1 -b .coverity @@ -245,6 +245,8 @@ %patch74 -p1 %patch75 -p1 %patch77 -p1 +%patch78 -p1 +%patch79 -p1 autoreconf pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4 @@ -451,6 +453,18 @@ %attr(0644,root,root) %{_mandir}/man8/sftp-server.8* %changelog +* Wed Jan 24 2024 renmingshuai<renmingshuai@huawei.com> - 9.3p2-1 +- Type:update +- CVE:NA +- SUG:NA +- DESC:update to 9.3p2 + +* Tue Dec 26 2023 renmingshuai<renmingshuai@huawei.com> - 9.3p1-3 +- Type:CVE +- CVE:CVE-2023-48795,CVE-2023-51385 +- SUG:NA +- DESC:fix CVE-2023-48795 and CVE-2023-51385 + * Fri Aug 25 2023 renmingshuai<renmingshuai@huawei.com> - 9.3p1-2 - Type:bugfix - CVE:NA
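Review bot: the new 9.3p2-1 changelog entry records `CVE:NA` although the same hunk drops `Patch65: openssh-9.3p1-upstream-cve-2023-38408.patch` and its `%patch65 -p1 -b .cve-2023-38408` application; the fix is now expected to arrive with the 9.3p2 tarball, so the entry should say so (for example listing CVE-2023-38408 as fixed by the version update), otherwise the CVE disappears from the package history. It is also worth confirming that resetting `openssh_release` from 2 to 1 is intended, given that the 9.3p1-3 changelog entry added in the same hunk never corresponds to a release value this spec has carried.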
_service:tar_scm:backport-CVE-2023-48795-upstream-implement-strict-key-exchange-in-ssh-and-ss.patch
Added
@@ -0,0 +1,499 @@ +From 1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" <djm@openbsd.org> +Date: Mon, 18 Dec 2023 14:45:17 +0000 +Subject: PATCH upstream: implement "strict key exchange" in ssh and sshd + +This adds a protocol extension to improve the integrity of the SSH +transport protocol, particular in and around the initial key exchange +(KEX) phase. + +Full details of the extension are in the PROTOCOL file. + +with markus@ + +OpenBSD-Commit-ID: 2a66ac962f0a630d7945fee54004ed9e9c439f14 + +Reference:https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5 +--- + PROTOCOL | 28 +++++++++++++- + kex.c | 84 ++++++++++++++++++++++++++-------------- + kex.h | 3 +- + packet.c | 103 +++++++++++++++++++++++++++++--------------------- + packet.h | 3 +- + sshconnect2.c | 12 ++---- + 6 files changed, 148 insertions(+), 85 deletions(-) + +diff --git a/PROTOCOL b/PROTOCOL +index d453c779b..ded935eb6 100644 +--- a/PROTOCOL ++++ b/PROTOCOL +@@ -137,6 +137,32 @@ than as a named global or channel request to allow pings with very + + This is identical to curve25519-sha256 as later published in RFC8731. + ++1.9 transport: strict key exchange extension ++ ++OpenSSH supports a number of transport-layer hardening measures under ++a "strict KEX" feature. This feature is signalled similarly to the ++RFC8308 ext-info feature: by including a additional algorithm in the ++initiial SSH2_MSG_KEXINIT kex_algorithms field. The client may append ++"kex-strict-c-v00@openssh.com" to its kex_algorithms and the server ++may append "kex-strict-s-v00@openssh.com". These pseudo-algorithms ++are only valid in the initial SSH2_MSG_KEXINIT and MUST be ignored ++if they are present in subsequent SSH2_MSG_KEXINIT packets. 
++ ++When an endpoint that supports this extension observes this algorithm ++name in a peer's KEXINIT packet, it MUST make the following changes to ++the the protocol: ++ ++a) During initial KEX, terminate the connection if any unexpected or ++ out-of-sequence packet is received. This includes terminating the ++ connection if the first packet received is not SSH2_MSG_KEXINIT. ++ Unexpected packets for the purpose of strict KEX include messages ++ that are otherwise valid at any time during the connection such as ++ SSH2_MSG_DEBUG and SSH2_MSG_IGNORE. ++b) After sending or receiving a SSH2_MSG_NEWKEYS message, reset the ++ packet sequence number to zero. This behaviour persists for the ++ duration of the connection (i.e. not just the first ++ SSH2_MSG_NEWKEYS). ++ + 2. Connection protocol changes + + 2.1. connection: Channel write close extension "eow@openssh.com" +@@ -745,4 +771,4 @@ master instance and later clients. + OpenSSH extends the usual agent protocol. These changes are documented + in the PROTOCOL.agent file. + +-$OpenBSD: PROTOCOL,v 1.48 2022/11/07 01:53:01 dtucker Exp $ ++$OpenBSD: PROTOCOL,v 1.50 2023/12/18 14:45:17 djm Exp $ +diff --git a/kex.c b/kex.c +index aa5e792dd..d478ff6e7 100644 +--- a/kex.c ++++ b/kex.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: kex.c,v 1.178 2023/03/12 10:40:39 dtucker Exp $ */ ++/* $OpenBSD: kex.c,v 1.183 2023/12/18 14:45:17 djm Exp $ */ + /* + * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 
+ * +@@ -65,7 +65,7 @@ + #endif + + /* prototype */ +-static int kex_choose_conf(struct ssh *); ++static int kex_choose_conf(struct ssh *, uint32_t seq); + static int kex_input_newkeys(int, u_int32_t, struct ssh *); + + static const char * const proposal_namesPROPOSAL_MAX = { +@@ -177,6 +177,18 @@ kex_names_valid(const char *names) + return 1; + } + ++/* returns non-zero if proposal contains any algorithm from algs */ ++static int ++has_any_alg(const char *proposal, const char *algs) ++{ ++ char *cp; ++ ++ if ((cp = match_list(proposal, algs, NULL)) == NULL) ++ return 0; ++ free(cp); ++ return 1; ++} ++ + /* + * Concatenate algorithm names, avoiding duplicates in the process. + * Caller must free returned string. +@@ -184,7 +196,7 @@ kex_names_valid(const char *names) + char * + kex_names_cat(const char *a, const char *b) + { +- char *ret = NULL, *tmp = NULL, *cp, *p, *m; ++ char *ret = NULL, *tmp = NULL, *cp, *p; + size_t len; + + if (a == NULL || *a == '\0') +@@ -201,10 +213,8 @@ kex_names_cat(const char *a, const char *b) + } + strlcpy(ret, a, len); + for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) { +- if ((m = match_list(ret, p, NULL)) != NULL) { +- free(m); ++ if (has_any_alg(ret, p)) + continue; /* Algorithm already present */ +- } + if (strlcat(ret, ",", len) >= len || + strlcat(ret, p, len) >= len) { + free(tmp); +@@ -334,15 +344,23 @@ kex_proposal_populate_entries(struct ssh *ssh, char *propPROPOSAL_MAX, + const char *defpropclientPROPOSAL_MAX = { KEX_CLIENT }; + const char **defprop = ssh->kex->server ? defpropserver : defpropclient; + u_int i; ++ char *cp; + + if (prop == NULL) + fatal_f("proposal missing"); + ++ /* Append EXT_INFO signalling to KexAlgorithms */ ++ if (kexalgos == NULL) ++ kexalgos = defpropPROPOSAL_KEX_ALGS; ++ if ((cp = kex_names_cat(kexalgos, ssh->kex->server ? 
++ "kex-strict-s-v00@openssh.com" : ++ "ext-info-c,kex-strict-c-v00@openssh.com")) == NULL) ++ fatal_f("kex_names_cat"); ++ + for (i = 0; i < PROPOSAL_MAX; i++) { + switch(i) { + case PROPOSAL_KEX_ALGS: +- propi = compat_kex_proposal(ssh, +- kexalgos ? kexalgos : defpropi); ++ propi = compat_kex_proposal(ssh, cp); + break; + case PROPOSAL_ENC_ALGS_CTOS: + case PROPOSAL_ENC_ALGS_STOC: +@@ -363,6 +381,7 @@ kex_proposal_populate_entries(struct ssh *ssh, char *propPROPOSAL_MAX, + propi = xstrdup(defpropi); + } + } ++ free(cp); + } + + void +@@ -466,7 +485,12 @@ kex_protocol_error(int type, u_int32_t seq, struct ssh *ssh) + { + int r; + +- error("kex protocol error: type %d seq %u", type, seq); ++ /* If in strict mode, any unexpected message is an error */ ++ if ((ssh->kex->flags & KEX_INITIAL) && ssh->kex->kex_strict) { ++ ssh_packet_disconnect(ssh, "strict KEX violation: " ++ "unexpected packet type %u (seqnr %u)", type, seq); ++ } ++ error_f("type %u seq %u", type, seq); + if ((r = sshpkt_start(ssh, SSH2_MSG_UNIMPLEMENTED)) != 0 || + (r = sshpkt_put_u32(ssh, seq)) != 0 || + (r = sshpkt_send(ssh)) != 0) +@@ -563,7 +587,7 @@ kex_input_ext_info(int type, u_int32_t seq, struct ssh *ssh) + if (ninfo >= 1024) { + error("SSH2_MSG_EXT_INFO with too many entries, expected " + "<=1024, received %u", ninfo); +- return SSH_ERR_INVALID_FORMAT; ++ return dispatch_protocol_error(type, seq, ssh); + } + for (i = 0; i < ninfo; i++) { + if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0) +@@ -681,7 +705,7 @@ kex_input_kexinit(int type, u_int32_t seq, struct ssh *ssh) + error_f("no kex"); + return SSH_ERR_INTERNAL_ERROR; + } +- ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL); ++ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_protocol_error); + ptr = sshpkt_ptr(ssh, &dlen); + if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0) + return r; +@@ -717,7 +741,7 @@ kex_input_kexinit(int type, u_int32_t seq, struct ssh *ssh) + if (!(kex->flags & KEX_INIT_SENT)) + if ((r = kex_send_kexinit(ssh)) != 0) 
+ return r; +- if ((r = kex_choose_conf(ssh)) != 0) ++ if ((r = kex_choose_conf(ssh, seq)) != 0)
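Review bot: the page shows this patch only up to the `kex_choose_conf(ssh, seq)` call in kex_input_kexinit(), while the diffstat lists kex.h, packet.c, packet.h and sshconnect2.c as well (499 lines in total), so the part that parses `kex-strict-*-v00@openssh.com` out of the peer's first KEXINIT, sets `kex_strict`, and resets the packet sequence number after SSH2_MSG_NEWKEYS (PROTOCOL 1.9 items a and b) cannot be checked here; the backport should be compared in full against the referenced upstream commit 1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5. In the visible part the logic is consistent with the extension text: kex_protocol_error() now calls ssh_packet_disconnect() for any unexpected packet while `KEX_INITIAL` and `kex_strict` are both set and otherwise falls through to the existing SSH2_MSG_UNIMPLEMENTED reply, kex_input_kexinit() re-arms SSH2_MSG_KEXINIT with `&kex_protocol_error` instead of NULL so a repeated KEXINIT during the initial exchange is treated as an error, and kex_names_cat() (via the new has_any_alg() helper) still de-duplicates, so appending `ext-info-c,kex-strict-c-v00@openssh.com` cannot produce a doubled `ext-info-c` even if the sshconnect2.c side has not yet been adjusted. The PROTOCOL hunk inherits upstream's typos (`a additional`, `initiial`, `the the protocol`); harmless in a backport, but worth knowing about for the next rebase.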
_service:tar_scm:backport-CVE-2023-51385-upstream-ban-user-hostnames-with-most-shell-metachar.patch
Added
@@ -0,0 +1,100 @@ +From 7ef3787c84b6b524501211b11a26c742f829af1a Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" <djm@openbsd.org> +Date: Mon, 18 Dec 2023 14:47:44 +0000 +Subject: PATCH upstream: ban user/hostnames with most shell metacharacters + +This makes ssh(1) refuse user or host names provided on the +commandline that contain most shell metacharacters. + +Some programs that invoke ssh(1) using untrusted data do not filter +metacharacters in arguments they supply. This could create +interactions with user-specified ProxyCommand and other directives +that allow shell injection attacks to occur. + +It's a mistake to invoke ssh(1) with arbitrary untrusted arguments, +but getting this stuff right can be tricky, so this should prevent +most obvious ways of creating risky situations. It however is not +and cannot be perfect: ssh(1) has no practical way of interpreting +what shell quoting rules are in use and how they interact with the +user's specified ProxyCommand. + +To allow configurations that use strange user or hostnames to +continue to work, this strictness is applied only to names coming +from the commandline. Names specified using User or Hostname +directives in ssh_config(5) are not affected. 
+ +feedback/ok millert@ markus@ dtucker@ deraadt@ + +OpenBSD-Commit-ID: 3b487348b5964f3e77b6b4d3da4c3b439e94b2d9 + +Reference:https://anongit.mindrot.org/openssh.git/commit?id=7ef3787c84b6b524501211b11a26c742f829af1a +--- + ssh.c | 41 ++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 40 insertions(+), 1 deletion(-) + +diff --git a/ssh.c b/ssh.c +index 35c48e62d..48d93ddf2 100644 +--- a/ssh.c ++++ b/ssh.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: ssh.c,v 1.585 2023/02/10 04:40:28 djm Exp $ */ ++/* $OpenBSD: ssh.c,v 1.599 2023/12/18 14:47:44 djm Exp $ */ + /* + * Author: Tatu Ylonen <ylo@cs.hut.fi> + * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland +@@ -626,6 +626,41 @@ ssh_conn_info_free(struct ssh_conn_info *cinfo) + free(cinfo); + } + ++static int ++valid_hostname(const char *s) ++{ ++ size_t i; ++ ++ if (*s == '-') ++ return 0; ++ for (i = 0; si != 0; i++) { ++ if (strchr("'`\"$\\;&<>|(){}", si) != NULL || ++ isspace((u_char)si) || iscntrl((u_char)si)) ++ return 0; ++ } ++ return 1; ++} ++ ++static int ++valid_ruser(const char *s) ++{ ++ size_t i; ++ ++ if (*s == '-') ++ return 0; ++ for (i = 0; si != 0; i++) { ++ if (strchr("'`\";&<>|(){}", si) != NULL) ++ return 0; ++ /* Disallow '-' after whitespace */ ++ if (isspace((u_char)si) && si + 1 == '-') ++ return 0; ++ /* Disallow \ in last position */ ++ if (si == '\\' && si + 1 == '\0') ++ return 0; ++ } ++ return 1; ++} ++ + /* + * Main program for the ssh client. + */ +@@ -1118,6 +1153,10 @@ main(int ac, char **av) + if (!host) + usage(); + ++ if (!valid_hostname(host)) ++ fatal("hostname contains invalid characters"); ++ if (options.user != NULL && !valid_ruser(options.user)) ++ fatal("remote username contains invalid characters"); + options.host_arg = xstrdup(host); + + /* Initialize the command to execute on remote host. */ +-- +2.23.0 +
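Review bot: valid_hostname() and valid_ruser() use different deny-lists: the hostname list additionally rejects `$`, `\`, and any whitespace or control character, while the username list permits `$` and whitespace and only special-cases `-` after whitespace and a trailing backslash; a short comment on why usernames are allowed to be looser would help whoever rebases this next. The index expressions render here as `si` and `si + 1`, which looks like the page has stripped the `[` `]` of `s[i]`; check that the patch file itself applies cleanly. Placement matches the commit message: the checks run on the command-line host right after `if (!host) usage();` and on `options.user` before `options.host_arg = xstrdup(host)`, so names set through ssh_config `Hostname` and `User` directives are not affected.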
_service:tar_scm:openssh-8.0p1-pkcs11-uri.patch
Changed
@@ -1035,7 +1035,7 @@ int r, i, count = 0, success = 0, confirm = 0; u_int seconds = 0; @@ -869,33 +931,28 @@ process_add_smartcard_key(SocketEntry *e - error_f("failed to parse constraints"); + "providers is disabled", provider); goto send; } - if (realpath(provider, canonical_provider) == NULL) { @@ -2157,7 +2157,7 @@ int ret = -1; struct pkcs11_provider *p = NULL; void *handle = NULL; -@@ -1517,164 +1702,298 @@ pkcs11_register_provider(char *provider_ +@@ -1517,162 +1702,296 @@ pkcs11_register_provider(char *provider_ CK_FUNCTION_LIST *f = NULL; CK_TOKEN_INFO *token; CK_ULONG i; @@ -2213,10 +2213,8 @@ + error("dlopen %s failed: %s", provider_module, dlerror()); goto fail; } - if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) { - error("dlsym(C_GetFunctionList) failed: %s", dlerror()); - goto fail; - } + if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) + fatal("dlsym(C_GetFunctionList) failed: %s", dlerror()); - p = xcalloc(1, sizeof(*p)); - p->name = xstrdup(provider_id); - p->handle = handle;
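Review bot: the visible fragment of this rebase only re-syncs the pkcs11-uri patch with 9.3p2's ssh-pkcs11.c, where a failing `dlsym(C_GetFunctionList)` is now `fatal()` instead of `error()` plus `goto fail` (the embedded hunk header shrinks from `164 +1702,298` to `162 +1702,296` accordingly), and reworks the `remote addition of providers is disabled` path inside process_add_smartcard_key(). Because the page truncates this file, the rebased patch should be checked against the deleted openssh-9.3p1-upstream-cve-2023-38408.patch to confirm that the `e->nsession_ids != 0 && !remote_add_provider` gate still covers the PKCS#11 URI code path (sanitize_pkcs11_provider() with a non-NULL `module_path`), which the upstream 9.3p2 ssh-agent.c hunk does not know about.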
_service:tar_scm:openssh-9.3p1-upstream-cve-2023-38408.patch
Deleted
@@ -1,130 +0,0 @@ -diff --git a/ssh-agent.c b/ssh-agent.c -index 618bb198..8ea831f4 100644 -diff -up openssh-9.3p1/ssh-agent.c.cve openssh-9.3p1/ssh-agent.c ---- openssh-9.3p1/ssh-agent.c.cve 2023-07-21 15:38:13.237276580 +0200 -+++ openssh-9.3p1/ssh-agent.c 2023-07-21 15:41:30.269943569 +0200 -@@ -169,6 +169,12 @@ char socket_dirPATH_MAX; - /* Pattern-list of allowed PKCS#11/Security key paths */ - static char *allowed_providers; - -+/* -+ * Allows PKCS11 providers or SK keys that use non-internal providers to -+ * be added over a remote connection (identified by session-bind@openssh.com). -+ */ -+static int remote_add_provider; -+ - /* locking */ - #define LOCK_SIZE 32 - #define LOCK_SALT_SIZE 16 -@@ -1228,6 +1234,12 @@ process_add_identity(SocketEntry *e) - if (strcasecmp(sk_provider, "internal") == 0) { - debug_f("internal provider"); - } else { -+ if (e->nsession_ids != 0 && !remote_add_provider) { -+ verbose("failed add of SK provider \"%.100s\": " -+ "remote addition of providers is disabled", -+ sk_provider); -+ goto out; -+ } - if (realpath(sk_provider, canonical_provider) == NULL) { - verbose("failed provider \"%.100s\": " - "realpath: %s", sk_provider, -@@ -1368,7 +1380,7 @@ no_identities(SocketEntry *e) - - #ifdef ENABLE_PKCS11 - static char * --sanitize_pkcs11_provider(const char *provider) -+sanitize_pkcs11_provider(SocketEntry *e, const char *provider) - { - struct pkcs11_uri *uri = NULL; - char *sane_uri, *module_path = NULL; /* default path */ -@@ -1399,6 +1411,11 @@ sanitize_pkcs11_provider(const char *pro - module_path = strdup(provider); /* simple path */ - - if (module_path != NULL) { /* do not validate default NULL path in URI */ -+ if (e->nsession_ids != 0 && !remote_add_provider) { -+ verbose("failed PKCS#11 add of \"%.100s\": remote addition of " -+ "providers is disabled", provider); -+ return NULL; -+ } - if (realpath(module_path, canonical_provider) == NULL) { - verbose("failed PKCS#11 provider \"%.100s\": realpath: %s", - module_path, 
strerror(errno)); -@@ -1455,7 +1472,7 @@ process_add_smartcard_key(SocketEntry *e - goto send; - } - -- sane_uri = sanitize_pkcs11_provider(provider); -+ sane_uri = sanitize_pkcs11_provider(e, provider); - if (sane_uri == NULL) - goto send; - -@@ -1516,7 +1533,7 @@ process_remove_smartcard_key(SocketEntry - } - free(pin); - -- sane_uri = sanitize_pkcs11_provider(provider); -+ sane_uri = sanitize_pkcs11_provider(e, provider); - if (sane_uri == NULL) - goto send; - -@@ -2108,7 +2125,9 @@ main(int ac, char **av) - break; - case 'O': - if (strcmp(optarg, "no-restrict-websafe") == 0) -- restrict_websafe = 0; -+ restrict_websafe = 0; -+ else if (strcmp(optarg, "allow-remote-pkcs11") == 0) -+ remote_add_provider = 1; - else - fatal("Unknown -O option"); - break; -diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c -index 6be647ec..ebddf6c3 100644 ---- a/ssh-pkcs11.c -+++ b/ssh-pkcs11.c -@@ -1537,10 +1537,8 @@ pkcs11_register_provider(char *provider_id, char *pin, - error("dlopen %s failed: %s", provider_module, dlerror()); - goto fail; - } -- if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) { -- error("dlsym(C_GetFunctionList) failed: %s", dlerror()); -- goto fail; -- } -+ if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) -+ fatal("dlsym(C_GetFunctionList) failed: %s", dlerror()); - - p->module->handle = handle; - /* setup the pkcs11 callbacks */ ---- a/ssh-agent.1 2023-03-15 22:28:19.000000000 +0100 -+++ b/ssh-agent.1 2023-07-19 21:39:17.981406432 +0200 -@@ -107,9 +107,27 @@ - .It Fl O Ar option - Specify an option when starting - .Nm . --Currently only one option is supported: -+Currently two options are supported: -+.Cm allow-remote-pkcs11 -+and - .Cm no-restrict-websafe . --This instructs -+.Pp -+The -+.Cm allow-remote-pkcs11 -+option allows clients of a forwarded -+.Nm -+to load PKCS#11 or FIDO provider libraries. -+By default only local clients may perform this operation. 
-+Note that signalling that a -+.Nm -+client remote is performed by -+.Xr ssh 1 , -+and use of other tools to forward access to the agent socket may circumvent -+this restriction. -+.Pp -+The -+.Cm no-restrict-websafe , -+instructs - .Nm - to permit signatures using FIDO keys that might be web authentication - requests.
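Review bot: dropping this patch is justified only if every hunk in it is now carried elsewhere. The ssh-agent.c parts (`remote_add_provider`, the SK provider check in process_add_identity(), the `-O allow-remote-pkcs11` option), the ssh-pkcs11.c `fatal()` change and the ssh-agent.1 text all reappear in the 9.3p2 tarball diffs in this revision, but the hunks against sanitize_pkcs11_provider() and its two callers in process_add_smartcard_key() and process_remove_smartcard_key() belong to the distribution's pkcs11-uri patch rather than to upstream, so those must now live in the rebased openssh-8.0p1-pkcs11-uri.patch; the spec changelog should record CVE-2023-38408 as handled by the 9.3p2 update instead of `CVE:NA`.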
_service
Changed
@@ -2,7 +2,7 @@ <service name="tar_scm"> <param name="url">git@gitee.com:src-openeuler/openssh.git</param> <param name="scm">git</param> - <param name="revision">openEuler-23.09</param> + <param name="revision">master</param> <param name="exclude">*</param> <param name="extract">*</param> </service>
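Review bot: changing `<param name="revision">` from `openEuler-23.09` to `master` unpins the source of this Mega:23.09 package from its release branch, so later rebuilds will pull whatever is on master at build time rather than a reviewed branch. If the intent is only to pick up the 9.3p2 update and the two CVE backports, pinning to the branch (or to a specific commit) keeps the build reproducible and auditable.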
_service:tar_scm:openssh-9.3p1.tar.gz.asc
Deleted
@@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmQSOZYACgkQKj9BTnNg -YLrKJg//fSKjNlnb3l75ZwLoWhwpEZQp7poEq5qCCRNvu4dleuU1sMxNPl9/Ow1i -iZVW67OGNjIsJ7FJmHNF3UOgkH50c6OHivmDaTywDtyCLZvUVmaSfOe0own8s8KB -OV7czHqd9giHQlGWWTxg9eVAfOaqpzXugkzo7UoTVqEqJ3Ru/FQ4RGSIjTGzuM/0 -EC+JkKyO+0pP3mr4XfZdxsbYc9WVEG9ZIlT153y9I5MfiWM1SC/0gg4NLz025Xaa -ment5c+BdhIwYjC2f5F/9s0J6+lFHiFBHLQVGx4qq/Tx3XGfP0xBcS1V9Mkhyjzf -ZXj6acQ+T50H8p3OWZyrWn11YNtGjzkwuQWrj8Ue4NPFGqgPbANeH32yOiIWpIh0 -CtpGnRGQP1zF14hEAR5gKangTNCp/IVMBhIs4UL3zI6uS2yRLTGOWcgrnjJv26vg -jb2WmL0AeqYLZw41pbq+zmVizhhg8qk7KPQQsFxnalSFHz35tnHN8oQD5TCDxqtu -f/roTbZhW/nnlaMlEAnB09LO6e1nyDIcJ6hj0CK9cSgIn8pb1q9GdjYx5PNKwsoa -NuD+bqlzF5krjiOHJh+vDw0GKFusflL46Dmry5a4K0vLUGBn6uAUPtuwMdBsLofU -k3a4zBMlOCm6o3WqgAug4fSwCfYkJ9Dc+FaedGC1X4fys4lV/6k= -=deVJ ------END PGP SIGNATURE-----
_service:tar_scm:openssh-9.3p2.tar.gz.asc
Added
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmS3g5wACgkQKj9BTnNg +YLrMYw//evjl0mlSnycb85tWASdBWQh28xQCouuqYhDhY+8kt6YpEx34r4zuXvL3 +pEN/F1ancNXwvlRPct/tF3OEQVpKHZqiRyfWuHHURSBLaGf9V1b+gQgfM4lEQNtH +8PqRj+ur8E2GMGxvxuDKPcfduCTFrjbPJ/0OCgquuEteSM6dgcClT7q5SKKpTVSa +jV0PaXeYgnaa+u+4GsH01oUteyJNmhvEa4T+fC1RDrct1DiieUQNkaw3pwMqYXA5 +8PldGatn/npNM5ZFW4uxTjbib2yJXNIEhUIzo2A00XWRG3jIArtRJwJ6ZSBahUE4 +PyasPMhJVIxIaKy5OL4s4FAd1goe2hBlPzmDhUJOhpFniLIZ9dS5AGaX4i2TjsZl +iaIwtE2VLIn3peKZPvm7SCBqyBoiPKC0BfHmVOYs8c1W5Q30jE+kCcTDrJhHl32/ +kN5khCHIg6bUc3JzFZM7Ib0tshNP5AY0pyduSEF7SPOB5Zz2E+EwkDmkrnw9FoMh +LCvSERDkBdxWD7okUdb0ARr564lShRjd2UTFZqv3Py4nVfvnP19RgCfakNg0CZ3w +VoLytn8OQ/joAx4GMWox6g5ieYqeQ2kLzXYfXObTlDIjxirFeiBYPh6Ln5oGl81/ +jx/172HqCzRDgUogtZ/BTwiLDEzTHG7YS5RDIUYkqEGkkjjj6gg= +=yVD2 +-----END PGP SIGNATURE-----
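Review bot: swapping the detached signature for one covering openssh-9.3p2.tar.gz is correct for the version bump, but nothing in this revision shows the signature being checked: the `tar_scm` service in `_service` has no verification parameter and none of the visible spec hunks reference the `.asc`. The file only adds assurance if the build verifies it against a pinned OpenSSH release key; otherwise the tarball's integrity rests on the gitee checkout alone.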
_service:tar_scm:openssh-9.3p1.tar.gz/ChangeLog -> _service:tar_scm:openssh-9.3p2.tar.gz/ChangeLog
Changed
@@ -1,3 +1,36 @@ +commit 9795c4016ae35162072144df032c8b262433b462 +Author: Damien Miller <djm@mindrot.org> +Date: Wed Jul 19 16:27:12 2023 +1000 + + OpenSSH 9.3p2 + +commit bde3635f3c9324bad132cf9ed917813d6abb599e +Author: Damien Miller <djm@mindrot.org> +Date: Wed Jul 19 16:31:09 2023 +1000 + + update version in README + +commit f673f2f3e5f67099018fc281a6b5fb918142472e +Author: Damien Miller <djm@mindrot.org> +Date: Wed Jul 19 16:31:00 2023 +1000 + + update RPM spec versions + +commit d7790cdce72a1b6982795baa2b4d6f0bdbb0100d +Author: Damien Miller <djm@mindrot.org> +Date: Fri Jul 7 13:30:15 2023 +1000 + + disallow remote addition of FIDO/PKCS11 keys + + Depends on the local client performing the session-bind@openssh.com + operation, so non-OpenSSH local client may circumvent this. + +commit b23fe83f06ee7e721033769cfa03ae840476d280 +Author: Damien Miller <djm@mindrot.org> +Date: Thu Jul 13 12:09:34 2023 +1000 + + terminate pkcs11 process for bad libraries + commit cb30fbdbee869f1ce11f06aa97e1cb8717a0b645 Author: Damien Miller <djm@mindrot.org> Date: Thu Mar 16 08:28:19 2023 +1100 
@@ -9402,1837 +9435,3 @@ reliability on very heavily loaded hosts. OpenBSD-Regress-ID: 4c28a0fce3ea89ebde441d7091464176e9730533 - -commit 7953e1bfce9e76bec41c1331a29bc6cff9d416b8 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Mon Jul 19 13:47:51 2021 +1000 - - Add sshfp-connect.sh file missed in previous. - -commit b75a80fa8369864916d4c93a50576155cad4df03 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Mon Jul 19 03:13:28 2021 +0000 - - upstream: Ensure that all returned SSHFP records for the specified host - - name and hostkey type match instead of only one. While there, simplify the - code somewhat and add some debugging. Based on discussion in bz#3322, ok - djm@. - - OpenBSD-Commit-ID: 0a6a0a476eb7f9dfe8fe2c05a1a395e3e9b22ee4 - -commit 1cc1fd095393663cd72ddac927d82c6384c622ba -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Mon Jul 19 02:21:50 2021 +0000 - - upstream: Id sync only, -portable already has this. - - Put dh_set_moduli_file call inside ifdef WITH_OPENSSL. Fixes - build with OPENSSL=no. - - OpenBSD-Commit-ID: af54abbebfb12bcde6219a44d544e18204defb15 - -commit 33abbe2f4153f5ca5c874582f6a7cc91ae167485 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Mon Jul 19 02:46:34 2021 +0000 - - upstream: Add test for host key verification via SSHFP records. This - - requires some external setup to operate so is disabled by default (see - comments in sshfp-connect.sh). - - OpenBSD-Regress-ID: c52c461bd1df3a803d17498917d156ef64512fd9 - -commit f0cd000d8e3afeb0416dce1c711c3d7c28d89bdd -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Mon Jul 19 02:29:28 2021 +0000 - - upstream: Add ed25519 key and test SSHFP export of it. Only test - - RSA SSHFP export if we have RSA functionality compiled in. 
- - OpenBSD-Regress-ID: b4ff5181b8c9a5862e7f0ecdd96108622333a9af - -commit 0075511e27e5394faa28edca02bfbf13b9a6693e -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Mon Jul 19 00:16:26 2021 +0000 - - upstream: Group keygen tests together. - - OpenBSD-Regress-ID: 07e2d25c527bb44f03b7c329d893a1f2d6c5c40c - -commit 034828820c7e62652e7c48f9ee6b67fb7ba6fa26 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Sun Jul 18 23:10:10 2021 +0000 - - upstream: Add test for ssh-keygen printing of SSHFP records. - - OpenBSD-Regress-ID: fde9566b56eeb980e149bbe157a884838507c46b - -commit 52c3b6985ef1d5dadb4c4fe212f8b3a78ca96812 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Sat Jul 17 00:38:11 2021 +0000 - - upstream: wrap some long lines - - OpenBSD-Commit-ID: 4f5186b1466656762dae37d3e569438d900c350d - -commit 43ec991a782791d0b3f42898cd789f99a07bfaa4 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Sat Jul 17 00:36:53 2021 +0000 - - upstream: fix sftp on ControlPersist connections, broken by recent - - SessionType change; spotted by sthen@ - - OpenBSD-Commit-ID: 4c5ddc5698790ae6ff50d2a4f8f832f0eeeaa234 - -commit 073f45c236550f158c9a94003e4611c07dea5279 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Jul 16 09:00:23 2021 +0000 - - upstream: Explicitly check for and start time-based rekeying in the - - client and server mainloops. - - Previously the rekey timeout could expire but rekeying would not start - until a packet was sent or received. This could cause us to spin in - select() on the rekey timeout if the connection was quiet. 
- - ok markus@ - - OpenBSD-Commit-ID: 4356cf50d7900f3df0a8f2117d9e07c91b9ff987 - -commit ef7c4e52d5d840607f9ca3a302a4cbb81053eccf -Author: jmc@openbsd.org <jmc@openbsd.org> -Date: Wed Jul 14 06:46:38 2021 +0000 - - upstream: reorder SessionType; ok djm - - OpenBSD-Commit-ID: c7dd0b39e942b1caf4976a0b1cf0fed33d05418c - -commit 8aa2f9aeb56506dca996d68ab90ab9c0bebd7ec3 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Wed Jul 14 11:26:50 2021 +1000 - - Make whitespace consistent. - -commit 4f4297ee9b8a39f4dfd243a74c5f51f9e7a05723 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Wed Jul 14 11:26:12 2021 +1000 - - Add ARM64 Linux self-hosted runner. - -commit eda8909d1b0a85b9c3804a04d03ec6738fd9dc7f -Author: djm@openbsd.org <djm@openbsd.org> -Date: Tue Jul 13 23:48:36 2021 +0000 - - upstream: add a SessionType directive to ssh_config, allowing the - - configuration file to offer equivalent control to the -N (no session) and -s - (subsystem) command-line flags. - - Part of GHPR#231 by Volker Diels-Grabsch with some minor tweaks; - feedback and ok dtucker@ - - OpenBSD-Commit-ID: 726ee931dd4c5cc7f1d7a187b26f41257f9a2d12 - -commit 7ae69f2628e338ba6e0eae7ee8a63bcf8fea7538 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Mon Jul 12 02:12:22 2021 +0000 - - upstream: fix some broken tests; clean up output - - OpenBSD-Regress-ID: 1d5038edb511dc4ce1622344c1e724626a253566 - -commit f5fc6a4c3404bbf65c21ca6361853b33d78aa87e -Author: Darren Tucker <dtucker@dtucker.net> -Date: Mon Jul 12 18:00:05 2021 +1000 - - Add configure-time detection for SSH_TIME_T_MAX. - - Should fix printing cert times exceeding INT_MAX (bz#3329) on platforms - were time_t is a long long. The limit used is for the signed type, so if - some system has a 32bit unsigned time_t then the lower limit will still - be imposed and we would need to add some way to detect this. Anyone using - an unsigned 64bit can let us know when it starts being a problem. 
- -commit fd2d06ae4442820429d634c0a8bae11c8e40c174 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Mon Jul 12 06:22:57 2021 +0000 -
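Review bot: the new top entries are the evidence this revision relies on for removing Patch65: `disallow remote addition of FIDO/PKCS11 keys` and `terminate pkcs11 process for bad libraries` are the 9.3p2 commits that correspond to the deleted openssh-9.3p1-upstream-cve-2023-38408.patch, and the first of them records the same limitation the man page does, namely that the check depends on the local client performing session-bind@openssh.com, so a non-OpenSSH local client may circumvent it. The large deletion at the bottom of the file (2021-era entries) is upstream trimming the ChangeLog and carries no functional change.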
_service:tar_scm:openssh-9.3p1.tar.gz/README -> _service:tar_scm:openssh-9.3p2.tar.gz/README
Changed
@@ -1,4 +1,4 @@ -See https://www.openssh.com/releasenotes.html#9.3p1 for the release +See https://www.openssh.com/releasenotes.html#9.3p2 for the release notes. Please read https://www.openssh.com/report.html for bug reporting
_service:tar_scm:openssh-9.3p1.tar.gz/contrib/redhat/openssh.spec -> _service:tar_scm:openssh-9.3p2.tar.gz/contrib/redhat/openssh.spec
Changed
@@ -1,4 +1,4 @@ -%global ver 9.3p1 +%global ver 9.3p2 %global rel 1%{?dist} # OpenSSH privilege separation requires a user & group ID
_service:tar_scm:openssh-9.3p1.tar.gz/contrib/suse/openssh.spec -> _service:tar_scm:openssh-9.3p2.tar.gz/contrib/suse/openssh.spec
Changed
@@ -13,7 +13,7 @@ Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation Name: openssh -Version: 9.3p1 +Version: 9.3p2 URL: https://www.openssh.com/ Release: 1 Source0: openssh-%{version}.tar.gz
_service:tar_scm:openssh-9.3p1.tar.gz/moduli.0 -> _service:tar_scm:openssh-9.3p2.tar.gz/moduli.0
Changed
@@ -71,4 +71,4 @@ M. Friedl, N. Provos, and W. Simpson, Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol, RFC 4419, March 2006. -OpenBSD 7.2 April 16, 2022 OpenBSD 7.2 +OpenBSD 7.3 April 16, 2022 OpenBSD 7.3
_service:tar_scm:openssh-9.3p1.tar.gz/scp.0 -> _service:tar_scm:openssh-9.3p2.tar.gz/scp.0
Changed
@@ -229,4 +229,4 @@ requires careful quoting of any characters that have special meaning to the remote shell, such as quote characters. -OpenBSD 7.2 December 16, 2022 OpenBSD 7.2 +OpenBSD 7.3 December 16, 2022 OpenBSD 7.3
_service:tar_scm:openssh-9.3p1.tar.gz/sftp-server.0 -> _service:tar_scm:openssh-9.3p2.tar.gz/sftp-server.0
Changed
@@ -95,4 +95,4 @@ AUTHORS Markus Friedl <markus@openbsd.org> -OpenBSD 7.2 July 27, 2021 OpenBSD 7.2 +OpenBSD 7.3 July 27, 2021 OpenBSD 7.3
_service:tar_scm:openssh-9.3p1.tar.gz/sftp.0 -> _service:tar_scm:openssh-9.3p2.tar.gz/sftp.0
Changed
@@ -435,4 +435,4 @@ T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh- filexfer-00.txt, January 2001, work in progress material. -OpenBSD 7.2 December 16, 2022 OpenBSD 7.2 +OpenBSD 7.3 December 16, 2022 OpenBSD 7.3
_service:tar_scm:openssh-9.3p1.tar.gz/ssh-add.0 -> _service:tar_scm:openssh-9.3p2.tar.gz/ssh-add.0
Changed
@@ -200,4 +200,4 @@ created OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. -OpenBSD 7.2 February 4, 2022 OpenBSD 7.2 +OpenBSD 7.3 February 4, 2022 OpenBSD 7.3
_service:tar_scm:openssh-9.3p1.tar.gz/ssh-agent.0 -> _service:tar_scm:openssh-9.3p2.tar.gz/ssh-agent.0
Changed
@@ -40,16 +40,24 @@ variable). -O option - Specify an option when starting ssh-agent. Currently only one - option is supported: no-restrict-websafe. This instructs - ssh-agent to permit signatures using FIDO keys that might be web - authentication requests. By default, ssh-agent refuses signature - requests for FIDO keys where the key application string does not - start with M-bM-^@M-^\ssh:M-bM-^@M-^ and when the data to be signed does not appear - to be a ssh(1) user authentication request or a ssh-keygen(1) - signature. The default behaviour prevents forwarded access to a - FIDO key from also implicitly forwarding the ability to - authenticate to websites. + Specify an option when starting ssh-agent. Currently two options + are supported: allow-remote-pkcs11 and no-restrict-websafe. + + The allow-remote-pkcs11 option allows clients of a forwarded + ssh-agent to load PKCS#11 or FIDO provider libraries. By default + only local clients may perform this operation. Note that + signalling that a ssh-agent client remote is performed by ssh(1), + and use of other tools to forward access to the agent socket may + circumvent this restriction. + + The no-restrict-websafe, instructs ssh-agent to permit signatures + using FIDO keys that might be web authentication requests. By + default, ssh-agent refuses signature requests for FIDO keys where + the key application string does not start with M-bM-^@M-^\ssh:M-bM-^@M-^ and when + the data to be signed does not appear to be a ssh(1) user + authentication request or a ssh-keygen(1) signature. The default + behaviour prevents forwarded access to a FIDO key from also + implicitly forwarding the ability to authenticate to websites. -P allowed_providers Specify a pattern-list of acceptable paths for PKCS#11 provider @@ -128,4 +136,4 @@ created OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. -OpenBSD 7.2 October 7, 2022 OpenBSD 7.2 +OpenBSD 7.3 October 7, 2022 OpenBSD 7.3
_service:tar_scm:openssh-9.3p1.tar.gz/ssh-agent.1 -> _service:tar_scm:openssh-9.3p2.tar.gz/ssh-agent.1
Changed
@@ -107,9 +107,27 @@ .It Fl O Ar option Specify an option when starting .Nm . -Currently only one option is supported: +Currently two options are supported: +.Cm allow-remote-pkcs11 +and .Cm no-restrict-websafe . -This instructs +.Pp +The +.Cm allow-remote-pkcs11 +option allows clients of a forwarded +.Nm +to load PKCS#11 or FIDO provider libraries. +By default only local clients may perform this operation. +Note that signalling that a +.Nm +client remote is performed by +.Xr ssh 1 , +and use of other tools to forward access to the agent socket may circumvent +this restriction. +.Pp +The +.Cm no-restrict-websafe , +instructs .Nm to permit signatures using FIDO keys that might be web authentication requests.
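Review bot: the added text has a stray comma in `.Cm no-restrict-websafe ,` followed by `instructs`, and the sentence `signalling that a ssh-agent client remote is performed by ssh(1)` is hard to parse (presumably `signalling that an ssh-agent client is remote`); both come from upstream and appear identically in the generated ssh-agent.0, so a wording fix belongs upstream rather than in a local patch. The substance is worth keeping prominent: the default that refuses remote provider loading only holds when the forwarding client is ssh(1), because other tools that forward the agent socket never send the session-bind marker.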
View file
_service:tar_scm:openssh-9.3p1.tar.gz/ssh-agent.c -> _service:tar_scm:openssh-9.3p2.tar.gz/ssh-agent.c
Changed
@@ -169,6 +169,12 @@ /* Pattern-list of allowed PKCS#11/Security key paths */ static char *allowed_providers; +/* + * Allows PKCS11 providers or SK keys that use non-internal providers to + * be added over a remote connection (identified by session-bind@openssh.com). + */ +static int remote_add_provider; + /* locking */ #define LOCK_SIZE 32 #define LOCK_SALT_SIZE 16 @@ -1228,6 +1234,12 @@ if (strcasecmp(sk_provider, "internal") == 0) { debug_f("internal provider"); } else { + if (e->nsession_ids != 0 && !remote_add_provider) { + verbose("failed add of SK provider \"%.100s\": " + "remote addition of providers is disabled", + sk_provider); + goto out; + } if (realpath(sk_provider, canonical_provider) == NULL) { verbose("failed provider \"%.100s\": " "realpath: %s", sk_provider, @@ -1391,6 +1403,11 @@ error_f("failed to parse constraints"); goto send; } + if (e->nsession_ids != 0 && !remote_add_provider) { + verbose("failed PKCS#11 add of \"%.100s\": remote addition of " + "providers is disabled", provider); + goto send; + } if (realpath(provider, canonical_provider) == NULL) { verbose("failed PKCS#11 add of \"%.100s\": realpath: %s", provider, strerror(errno)); @@ -2050,7 +2067,9 @@ break; case 'O': if (strcmp(optarg, "no-restrict-websafe") == 0) - restrict_websafe = 0; + restrict_websafe = 0; + else if (strcmp(optarg, "allow-remote-pkcs11") == 0) + remote_add_provider = 1; else fatal("Unknown -O option"); break;
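Review bot: the two new `if (e->nsession_ids != 0 && !remote_add_provider)` checks decide "remote" purely by whether the client sent a session-bind@openssh.com message, so a socket forwarded by anything other than ssh(1) is still treated as local; the manpage hunk says this, but the comment above `remote_add_provider` should say it too so the next reader of this file does not assume the gate is airtight. Both refusals are logged with `verbose()`, which is silent at the default LogLevel; a refused provider load on a forwarded connection is exactly the event an operator would want in the agent log, so consider `logit()` or `error()` for "remote addition of providers is disabled". Placing the checks before `realpath()` and before any library is touched is the right order in both paths. Separately, the `-O` hunk mixes a whitespace-only change to `restrict_websafe = 0;` into the functional `else if` for allow-remote-pkcs11; keeping such reindents out of a security fix makes the backport easier to review.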
View file
_service:tar_scm:openssh-9.3p1.tar.gz/ssh-keygen.0 -> _service:tar_scm:openssh-9.3p2.tar.gz/ssh-keygen.0
Changed
@@ -907,4 +907,4 @@ created OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. -OpenBSD 7.2 February 10, 2023 OpenBSD 7.2 +OpenBSD 7.3 February 10, 2023 OpenBSD 7.3
View file
_service:tar_scm:openssh-9.3p1.tar.gz/ssh-keyscan.0 -> _service:tar_scm:openssh-9.3p2.tar.gz/ssh-keyscan.0
Changed
@@ -118,4 +118,4 @@ Davison <wayned@users.sourceforge.net> added support for protocol version 2. -OpenBSD 7.2 February 10, 2023 OpenBSD 7.2 +OpenBSD 7.3 February 10, 2023 OpenBSD 7.3
View file
_service:tar_scm:openssh-9.3p1.tar.gz/ssh-keysign.0 -> _service:tar_scm:openssh-9.3p2.tar.gz/ssh-keysign.0
Changed
@@ -49,4 +49,4 @@ AUTHORS Markus Friedl <markus@openbsd.org> -OpenBSD 7.2 March 31, 2022 OpenBSD 7.2 +OpenBSD 7.3 March 31, 2022 OpenBSD 7.3
View file
_service:tar_scm:openssh-9.3p1.tar.gz/ssh-pkcs11-helper.0 -> _service:tar_scm:openssh-9.3p2.tar.gz/ssh-pkcs11-helper.0
Changed
@@ -32,4 +32,4 @@ AUTHORS Markus Friedl <markus@openbsd.org> -OpenBSD 7.2 April 29, 2022 OpenBSD 7.2 +OpenBSD 7.3 April 29, 2022 OpenBSD 7.3
View file
_service:tar_scm:openssh-9.3p1.tar.gz/ssh-pkcs11.c -> _service:tar_scm:openssh-9.3p2.tar.gz/ssh-pkcs11.c
Changed
@@ -1537,10 +1537,8 @@ error("dlopen %s failed: %s", provider_id, dlerror()); goto fail; } - if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) { - error("dlsym(C_GetFunctionList) failed: %s", dlerror()); - goto fail; - } + if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) + fatal("dlsym(C_GetFunctionList) failed: %s", dlerror()); p = xcalloc(1, sizeof(*p)); p->name = xstrdup(provider_id); p->handle = handle;
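Review bot: replacing `error(...); goto fail;` with `fatal(...)` on a failed `dlsym(handle, "C_GetFunctionList")` changes behaviour from "report and unload" to "terminate the process with the library still loaded", and the hunk gives no comment on why that is preferable; a one-line comment stating the rationale (a library that was dlopen'ed but does not export the PKCS#11 entry point is not something to keep running with) would make the intent clear to whoever next touches this path. The `fail:` label remains in use by the preceding `dlopen` error branch, so nothing becomes unreachable, but check that every caller of this function tolerates it never returning.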
View file
_service:tar_scm:openssh-9.3p1.tar.gz/ssh-sk-helper.0 -> _service:tar_scm:openssh-9.3p2.tar.gz/ssh-sk-helper.0
Changed
@@ -31,4 +31,4 @@ AUTHORS Damien Miller <djm@openbsd.org> -OpenBSD 7.2 April 29, 2022 OpenBSD 7.2 +OpenBSD 7.3 April 29, 2022 OpenBSD 7.3
View file
_service:tar_scm:openssh-9.3p1.tar.gz/ssh.0 -> _service:tar_scm:openssh-9.3p2.tar.gz/ssh.0
Changed
@@ -1015,4 +1015,4 @@ created OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. -OpenBSD 7.2 November 28, 2022 OpenBSD 7.2 +OpenBSD 7.3 November 28, 2022 OpenBSD 7.3
View file
_service:tar_scm:openssh-9.3p1.tar.gz/ssh_config.0 -> _service:tar_scm:openssh-9.3p2.tar.gz/ssh_config.0
Changed
@@ -1323,4 +1323,4 @@ created OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. -OpenBSD 7.2 March 10, 2023 OpenBSD 7.2 +OpenBSD 7.3 March 10, 2023 OpenBSD 7.3
View file
_service:tar_scm:openssh-9.3p1.tar.gz/sshd.0 -> _service:tar_scm:openssh-9.3p2.tar.gz/sshd.0
Changed
@@ -683,4 +683,4 @@ versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support for privilege separation. -OpenBSD 7.2 February 10, 2023 OpenBSD 7.2 +OpenBSD 7.3 February 10, 2023 OpenBSD 7.3
View file
_service:tar_scm:openssh-9.3p1.tar.gz/sshd_config.0 -> _service:tar_scm:openssh-9.3p2.tar.gz/sshd_config.0
Changed
@@ -1283,4 +1283,4 @@ versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support for privilege separation. -OpenBSD 7.2 March 3, 2023 OpenBSD 7.2 +OpenBSD 7.3 March 3, 2023 OpenBSD 7.3
View file
_service:tar_scm:openssh-9.3p1.tar.gz/version.h -> _service:tar_scm:openssh-9.3p2.tar.gz/version.h
Changed
@@ -2,5 +2,5 @@ #define SSH_VERSION "OpenSSH_9.3" -#define SSH_PORTABLE "p1" +#define SSH_PORTABLE "p2" #define SSH_RELEASE SSH_VERSION SSH_PORTABLE