From 7b76af52921158f3c3ed902129c4e4fd5522333c Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Nov 29 2021 13:37:28 +0000 Subject: OpenSSH 8.8p1 rebase Related: rhbz#2007967 --- diff --git a/.gitignore b/.gitignore index 0a1fd60..b0394a7 100644 --- a/.gitignore +++ b/.gitignore @@ -52,3 +52,5 @@ pam_ssh_agent_auth-0.9.2.tar.bz2 /openssh-8.6p1.tar.gz.asc /openssh-8.7p1.tar.gz /openssh-8.7p1.tar.gz.asc +/openssh-8.8p1.tar.gz +/openssh-8.8p1.tar.gz.asc diff --git a/openssh-6.6p1-kuserok.patch b/openssh-6.6p1-kuserok.patch index 1831f27..f3231f9 100644 --- a/openssh-6.6p1-kuserok.patch +++ b/openssh-6.6p1-kuserok.patch @@ -196,11 +196,11 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c sPort, sHostKeyFile, sLoginGraceTime, sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose, sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, -- sKerberosGetAFSToken, sKerberosUniqueCCache, -+ sKerberosGetAFSToken, sKerberosUniqueCCache, sKerberosUseKuserok, - sChallengeResponseAuthentication, - sPasswordAuthentication, sKbdInteractiveAuthentication, - sListenAddress, sAddressFamily, +- sKerberosGetAFSToken, sKerberosUniqueCCache, sPasswordAuthentication, ++ sKerberosGetAFSToken, sKerberosUniqueCCache, sKerberosUseKuserok, sPasswordAuthentication, + sKbdInteractiveAuthentication, sListenAddress, sAddressFamily, + sPrintMotd, sPrintLastLog, sIgnoreRhosts, + sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, @@ -478,12 +481,14 @@ static struct { { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, #endif diff --git a/openssh-7.3p1-x11-max-displays.patch b/openssh-7.3p1-x11-max-displays.patch index c8a147b..5af3e3b 100644 --- a/openssh-7.3p1-x11-max-displays.patch +++ b/openssh-7.3p1-x11-max-displays.patch @@ -110,9 +110,9 @@ diff -up openssh-7.4p1/servconf.c.x11max openssh-7.4p1/servconf.c options->x11_use_localhost = 1; if (options->xauth_location == NULL) 
@@ -419,7 +422,7 @@ typedef enum { - sPasswordAuthentication, sKbdInteractiveAuthentication, - sListenAddress, sAddressFamily, - sPrintMotd, sPrintLastLog, sIgnoreRhosts, + sKerberosGetAFSToken, sKerberosUniqueCCache, sKerberosUseKuserok, sPasswordAuthentication, + sKbdInteractiveAuthentication, sListenAddress, sAddressFamily, + sPrintMotd, sPrintLastLog, sIgnoreRhosts, - sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, + sX11Forwarding, sX11DisplayOffset, sX11MaxDisplays, sX11UseLocalhost, sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive, diff --git a/openssh-7.7p1-fips.patch b/openssh-7.7p1-fips.patch index d2c5592..72bceb1 100644 --- a/openssh-7.7p1-fips.patch +++ b/openssh-7.7p1-fips.patch @@ -117,9 +117,9 @@ diff -up openssh-8.6p1/kexgexc.c.fips openssh-8.6p1/kexgexc.c diff -up openssh-8.6p1/myproposal.h.fips openssh-8.6p1/myproposal.h --- openssh-8.6p1/myproposal.h.fips 2021-04-16 05:55:25.000000000 +0200 +++ openssh-8.6p1/myproposal.h 2021-04-19 16:53:03.065577869 +0200 -@@ -57,6 +57,20 @@ - "rsa-sha2-256," \ - "ssh-rsa" +@@ -57,6 +57,19 @@ + "rsa-sha2-512," \ + "rsa-sha2-256" +#define KEX_FIPS_PK_ALG \ + "ecdsa-sha2-nistp256-cert-v01@openssh.com," \ @@ -132,8 +132,7 @@ diff -up openssh-8.6p1/myproposal.h.fips openssh-8.6p1/myproposal.h + "ecdsa-sha2-nistp384," \ + "ecdsa-sha2-nistp521," \ + "rsa-sha2-512," \ -+ "rsa-sha2-256," \ -+ "ssh-rsa" ++ "rsa-sha2-256," + #define KEX_SERVER_ENCRYPT \ "chacha20-poly1305@openssh.com," \ diff --git a/openssh-7.7p1-gssapi-new-unique.patch b/openssh-7.7p1-gssapi-new-unique.patch index c130022..544932b 100644 --- a/openssh-7.7p1-gssapi-new-unique.patch +++ b/openssh-7.7p1-gssapi-new-unique.patch 
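Review bot: The rebased KEX_FIPS_PK_ALG in the myproposal.h hunk of openssh-7.7p1-fips.patch now ends with `"rsa-sha2-256,"` — removing `"ssh-rsa"` dropped the last element but kept the comma that separated it, so the FIPS public-key algorithm list now terminates in an empty entry. The upstream context a few lines above in the same hunk ends `"rsa-sha2-256"` with no comma, and that is the form the FIPS macro should match: `	"rsa-sha2-256"`. Whether an empty trailing element is silently ignored or causes the list to fail validation depends on which OpenSSH routine consumes KEX_FIPS_PK_ALG, which is outside this hunk; either way the comma does not belong there. The kuserok and x11-max-displays patch hunks on this line are context-only rebases and raise nothing.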
@@ -503,16 +503,15 @@ diff -up openssh-8.6p1/servconf.c.ccache_name openssh-8.6p1/servconf.c if (options->gss_authentication == -1) options->gss_authentication = 0; if (options->gss_keyex == -1) -@@ -506,7 +509,8 @@ typedef enum { +@@ -506,7 +509,7 @@ typedef enum { sPort, sHostKeyFile, sLoginGraceTime, sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose, sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, -- sKerberosGetAFSToken, sChallengeResponseAuthentication, -+ sKerberosGetAFSToken, sKerberosUniqueCCache, -+ sChallengeResponseAuthentication, - sPasswordAuthentication, sKbdInteractiveAuthentication, - sListenAddress, sAddressFamily, +- sKerberosGetAFSToken, sPasswordAuthentication, ++ sKerberosGetAFSToken, sKerberosUniqueCCache, sPasswordAuthentication, + sKbdInteractiveAuthentication, sListenAddress, sAddressFamily, sPrintMotd, sPrintLastLog, sIgnoreRhosts, + sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, @@ -593,11 +597,13 @@ static struct { #else { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, diff --git a/openssh-8.0p1-crypto-policies.patch b/openssh-8.0p1-crypto-policies.patch index 762825e..2ad438c 100644 --- a/openssh-8.0p1-crypto-policies.patch +++ b/openssh-8.0p1-crypto-policies.patch @@ -2,8 +2,8 @@ diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5 --- openssh-8.7p1/ssh_config.5.crypto-policies 2021-08-30 13:29:00.174292872 +0200 +++ openssh-8.7p1/ssh_config.5 2021-08-30 13:31:32.009548808 +0200 @@ -373,17 +373,13 @@ or - .Qq *.c.example.com - domains. + causes no CNAMEs to be considered for canonicalization. + This is the default behaviour. .It Cm CASignatureAlgorithms +The default is handled system-wide by +.Xr crypto-policies 7 . 
@@ -105,18 +105,18 @@ diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5 Multiple algorithms must be comma-separated. If the specified list begins with a .Sq + --character, then the specified methods will be appended to the default set +-character, then the specified algorithms will be appended to the default set -instead of replacing them. -+character, then the specified methods will be appended to the built-in ++character, then the specified algorithms will be appended to the built-in +openssh default set instead of replacing them. If the specified list begins with a .Sq - - character, then the specified methods (including wildcards) will be removed + character, then the specified algorithms (including wildcards) will be removed -from the default set instead of replacing them. +from the built-in openssh default set instead of replacing them. If the specified list begins with a .Sq ^ - character, then the specified methods will be placed at the head of the + character, then the specified algorithms will be placed at the head of the -default set. -The default is: -.Bd -literal -offset indent @@ -178,7 +178,7 @@ diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5 The list of available MAC algorithms may also be obtained using .Qq ssh -Q mac . .It Cm NoHostAuthenticationForLocalhost -@@ -1553,37 +1542,25 @@ instead of continuing to execute and pas +@@ -1553,36 +1542,25 @@ instead of continuing to execute and pas The default is .Cm no . .It Cm PubkeyAcceptedAlgorithms 
@@ -214,12 +214,11 @@ diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5 -sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, -rsa-sha2-512-cert-v01@openssh.com, -rsa-sha2-256-cert-v01@openssh.com, --ssh-rsa-cert-v01@openssh.com, -ssh-ed25519, -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, -sk-ssh-ed25519@openssh.com, -sk-ecdsa-sha2-nistp256@openssh.com, --rsa-sha2-512,rsa-sha2-256,ssh-rsa +-rsa-sha2-512,rsa-sha2-256 -.Ed +built-in openssh default set. .Pp @@ -373,18 +372,18 @@ diff -up openssh-8.7p1/sshd_config.5.crypto-policies openssh-8.7p1/sshd_config.5 Multiple algorithms must be comma-separated. Alternately if the specified list begins with a .Sq + --character, then the specified methods will be appended to the default set +-character, then the specified algorithms will be appended to the default set -instead of replacing them. -+character, then the specified methods will be appended to the built-in ++character, then the specified algorithms will be appended to the built-in +openssh default set instead of replacing them. If the specified list begins with a .Sq - - character, then the specified methods (including wildcards) will be removed + character, then the specified algorithms (including wildcards) will be removed -from the default set instead of replacing them. +from the built-in openssh default set instead of replacing them. If the specified list begins with a .Sq ^ - character, then the specified methods will be placed at the head of the + character, then the specified algorithms will be placed at the head of the -default set. +built-in openssh default set. The supported algorithms are: diff --git a/openssh-8.7p1-sftp-default-protocol.patch b/openssh-8.7p1-sftp-default-protocol.patch index ec25944..c3527b1 100644 --- a/openssh-8.7p1-sftp-default-protocol.patch +++ b/openssh-8.7p1-sftp-default-protocol.patch @@ -2,18 +2,6 @@ diff --git a/scp.1 b/scp.1 index 68aac04b..a96e95ad 100644 --- a/scp.1 
+++ b/scp.1 -@@ -8,9 +8,9 @@ - .\" - .\" Created: Sun May 7 00:14:37 1995 ylo - .\" --.\" $OpenBSD: scp.1,v 1.100 2021/08/11 14:07:54 naddy Exp $ -+.\" $OpenBSD: scp.1,v 1.101 2021/09/08 23:31:39 djm Exp $ - .\" --.Dd $Mdocdate: August 11 2021 $ -+.Dd $Mdocdate: September 8 2021 $ - .Dt SCP 1 - .Os - .Sh NAME @@ -18,7 +18,7 @@ .Nd OpenSSH secure file copy .Sh SYNOPSIS @@ -23,55 +11,31 @@ index 68aac04b..a96e95ad 100644 .Op Fl c Ar cipher .Op Fl D Ar sftp_server_path .Op Fl F Ar ssh_config -@@ -37,9 +37,6 @@ It uses - .Xr ssh 1 - for data transfer, and uses the same authentication and provides the - same security as a login session. --The scp protocol requires execution of the remote user's shell to perform --.Xr glob 3 --pattern matching. - .Pp - .Nm - will ask for passwords or passphrases if they are needed for 
@@ -79,7 +76,9 @@ The options are as follows: Copies between two remote hosts are transferred through the local host. Without this option the data is copied directly between the two remote hosts. --Note that, when using the legacy SCP protocol (the default), this option -+Note that, when using the legacy SCP protocol (via the +-Note that, when using the original SCP protocol (the default), this option ++Note that, when using the original SCP protocol (via the +.Fl O +flag), this option selects batch mode for the second host as .Nm cannot ask for passwords or passphrases for both hosts. -@@ -146,9 +145,10 @@ Limits the used bandwidth, specified in Kbit/s. - .It Fl O - Use the legacy SCP protocol for file transfers instead of the SFTP protocol. - Forcing the use of the SCP protocol may be necessary for servers that do --not implement SFTP or for backwards-compatibility for particular filename --wildcard patterns. +@@ -146,7 +145,6 @@ Limits the used bandwidth, specified in Kbit/s. + wildcard patterns and for expanding paths with a + .Sq ~ + prefix for older SFTP servers. -This mode is the default. -+not implement SFTP, for backwards-compatibility for particular filename -+wildcard patterns and for expanding paths with a -+.Sq ~ -+prefix for older SFTP servers. .It Fl o Ar ssh_option Can be used to pass options to .Nm ssh -@@ -258,16 +258,6 @@ to use for the encrypted connection. +@@ -258,8 +258,6 @@ to use for the encrypted connection. The program must understand .Xr ssh 1 options. -.It Fl s --Use the SFTP protocol for file transfers instead of the legacy SCP protocol. --Using SFTP avoids invoking a shell on the remote side and provides --more predictable filename handling, as the SCP protocol --relied on the remote shell for expanding --.Xr glob 3 --wildcards. --.Pp --A near-future release of OpenSSH will make the SFTP protocol the default. --This option will be deleted before the end of 2022. 
+-Use the SFTP protocol for transfers rather than the original scp protocol. .It Fl T Disable strict filename checking. By default when copying files from a remote host to a local directory @@ -103,12 +67,6 @@ diff --git a/scp.c b/scp.c index e039350c..c7cf7529 100644 --- a/scp.c +++ b/scp.c -@@ -1,4 +1,4 @@ --/* $OpenBSD: scp.c,v 1.232 2021/08/11 14:07:54 naddy Exp $ */ -+/* $OpenBSD: scp.c,v 1.233 2021/09/08 23:31:39 djm Exp $ */ - /* - * scp - secure remote copy. This is basically patched BSD rcp which - * uses ssh to do the data transfer (instead of using rcmd). @@ -448,7 +448,7 @@ main(int argc, char **argv) const char *errstr; extern char *optarg; diff --git a/openssh-8.7p1-upstream-cve-2021-41617.patch b/openssh-8.7p1-upstream-cve-2021-41617.patch deleted file mode 100644 index 0bca544..0000000 --- a/openssh-8.7p1-upstream-cve-2021-41617.patch +++ /dev/null @@ -1,31 +0,0 @@ -diff --git a/misc.c b/misc.c -index b8d1040d..0134d694 100644 ---- a/misc.c -+++ b/misc.c -@@ -1,4 +1,4 @@ --/* $OpenBSD: misc.c,v 1.169 2021/08/09 23:47:44 djm Exp $ */ -+/* $OpenBSD: misc.c,v 1.170 2021/09/26 14:01:03 djm Exp $ */ - /* - * Copyright (c) 2000 Markus Friedl. All rights reserved. - * Copyright (c) 2005-2020 Damien Miller. All rights reserved. -@@ -56,6 +56,7 @@ - #ifdef HAVE_PATHS_H - # include - #include -+#include - #endif - #ifdef SSH_TUN_OPENBSD - #include -@@ -2695,6 +2696,12 @@ subprocess(const char *tag, const char *command, - } - closefrom(STDERR_FILENO + 1); - -+ if (geteuid() == 0 && -+ initgroups(pw->pw_name, pw->pw_gid) == -1) { -+ error("%s: initgroups(%s, %u): %s", tag, -+ pw->pw_name, (u_int)pw->pw_gid, strerror(errno)); -+ _exit(1); -+ } - if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1) { - error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid, - strerror(errno)); diff --git a/openssh.spec b/openssh.spec index aead574..5b0a8ec 100644 --- a/openssh.spec +++ b/openssh.spec 
@@ -50,10 +50,10 @@ %{?static_openssl:%global static_libcrypto 1} # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 -%global openssh_ver 8.7p1 -%global openssh_rel 3 +%global openssh_ver 8.8p1 +%global openssh_rel 1 %global pam_ssh_agent_ver 0.10.4 -%global pam_ssh_agent_rel 4 +%global pam_ssh_agent_rel 5 Summary: An open source implementation of SSH protocol version 2 Name: openssh @@ -197,8 +197,6 @@ Patch975: openssh-8.0p1-preserve-pam-errors.patch Patch976: openssh-8.7p1-sftp-default-protocol.patch # Implement kill switch for SCP protocol Patch977: openssh-8.7p1-scp-kill-switch.patch -# CVE-2021-41617 -Patch978: openssh-8.7p1-upstream-cve-2021-41617.patch License: BSD Requires: /sbin/nologin @@ -377,7 +375,6 @@ popd %patch975 -p1 -b .preserve-pam-errors %patch976 -p1 -b .sftp-by-default %patch977 -p1 -b .kill-scp -%patch978 -p1 -b .cve-2021-41617 %patch200 -p1 -b .audit %patch201 -p1 -b .audit-race @@ -663,6 +660,9 @@ test -f %{sysconfig_anaconda} && \ %endif %changelog +* Mon Nov 29 2021 Dmitry Belyavskiy - 8.8p1-1 + 0.10.4-5 +- New upstream release (#2007967) + * Wed Sep 29 2021 Dmitry Belyavskiy - 8.7p1-3 - CVE-2021-41617 fix (#2008292) diff --git a/sources b/sources index 6fe759c..89b2b55 100644 --- a/sources +++ b/sources 
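Review bot: The @@ -197 and @@ -377 hunks drop Patch978 (openssh-8.7p1-upstream-cve-2021-41617.patch), but the new %changelog entry only says `- New upstream release (#2007967)`, so nothing in the spec records that the CVE fix is carried by the rebased tarball rather than removed. The 8.8 release includes that supplemental-groups fix upstream, so dropping the backport is expected, yet a reader auditing package history for CVE-2021-41617 sees the 8.7p1-3 entry add the patch and this entry delete it with no explanation. Add a second changelog line such as `- Drop openssh-8.7p1-upstream-cve-2021-41617.patch, fix is included upstream in 8.8p1`. The @@ -50 hunk bumping openssh_ver, openssh_rel and pam_ssh_agent_rel needs nothing further.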
@@ -1,4 +1,4 @@
-SHA512 (openssh-8.7p1.tar.gz) = 08c81024d9e1248abfda6cc874886ff5ae916669b93cd6aff640e0614ee8cbcbc3fe87a9ce47136b6443ddbb1168b114367c74e117551905994e1a7e3fa2c0c2
-SHA512 (openssh-8.7p1.tar.gz.asc) = 08b4bda855ca3ef202c271f1c0e3486082b93d1009a794d020e7ba223978bc87bf34b1fbccaae3379a47639bd849935fdaaf63bdb781d0a44625066ccf00fbfc
+SHA512 (openssh-8.8p1.tar.gz) = d44cd04445f9c8963513b0d5a7e8348985114ff2471e119a6e344498719ef40f09c61c354888a3be9dabcb5870e5cbe5d3aafbb861dfa1d82a4952f3d233a8df
+SHA512 (openssh-8.8p1.tar.gz.asc) = 165e025305902f884d04d4444fa3143e4ea1a25a1c65aafe05e113537b3d3e50f7cd5f818bc2ca3404699372ca78f69c46b7452faf2d3998c448a5b80a411ae4
+SHA512 (DJM-GPG-KEY.gpg) = db1191ed9b6495999e05eed2ef863fb5179bdb63e94850f192dad68eed8579836f88fbcfffd9f28524fe1457aff8cd248ee3e0afc112c8f609b99a34b80ecc0d
 SHA512 (pam_ssh_agent_auth-0.10.4.tar.gz) = caccf72174d15e43f4c86a459ac6448682e62116557cf1e1e828955f3d1731595b238df42adec57860e7f341e92daf5d8285020bcb5018f3b8a5145aa32ee1c2
-SHA512 (gpgkey-736060BA.gpg) = df44f3fdbcd1d596705348c7f5aed3f738c5f626a55955e0642f7c6c082995cf36a1b1891bb41b8715cb2aff34fef1c877e0eff0d3507dd00a055ba695757a21
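Review bot: This hunk swaps the signing-key entry from gpgkey-736060BA.gpg to DJM-GPG-KEY.gpg, which changes the key the upstream tarball signature is verified against, yet no hunk in this commit touches the spec's Source line or gpgverify step that names the key file, and the commit message does not mention the rotation. If openssh.spec already references DJM-GPG-KEY.gpg this is only a documentation gap; if it still names gpgkey-736060BA.gpg, source verification will look for a file that is no longer listed here. The expected fingerprint of the new key should be recorded somewhere reviewable, for example as a comment next to the spec's Source line or in the changelog, because a trust-anchor change with no stated reason is exactly what a supply-chain review of this package will need to audit.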