diff --git a/openssh-4.3p2-cve-2007-3102.patch b/openssh-4.3p2-cve-2007-3102.patch deleted file mode 100644 index 9237b62..0000000 --- a/openssh-4.3p2-cve-2007-3102.patch +++ /dev/null @@ -1,62 +0,0 @@ ---- openssh-4.3p2/loginrec.c.inject-fix 2007-06-20 21:18:00.000000000 +0200 -+++ openssh-4.3p2/loginrec.c 2007-07-13 15:25:35.000000000 +0200 -@@ -1389,11 +1389,44 @@ - #endif /* USE_WTMPX */ - - #ifdef HAVE_LINUX_AUDIT -+static void -+_audit_hexscape(const char *what, char *where, unsigned int size) -+{ -+ const char *ptr = what; -+ const char *hex = "0123456789ABCDEF"; -+ -+ while (*ptr) { -+ if (*ptr == '"' || *ptr < 0x21 || *ptr > 0x7E) { -+ unsigned int i; -+ ptr = what; -+ for (i = 0; *ptr && i+2 < size; i += 2) { -+ where[i] = hex[((unsigned)*ptr & 0xF0)>>4]; /* Upper nibble */ -+ where[i+1] = hex[(unsigned)*ptr & 0x0F]; /* Lower nibble */ -+ ptr++; -+ } -+ where[i] = '\0'; -+ return; -+ } -+ ptr++; -+ } -+ where[0] = '"'; -+ if ((unsigned)(ptr - what) < size - 3) -+ { -+ size = ptr - what + 3; -+ } -+ strncpy(where + 1, what, size - 3); -+ where[size-2] = '"'; -+ where[size-1] = '\0'; -+} -+ -+#define AUDIT_LOG_SIZE 128 -+#define AUDIT_ACCT_SIZE (AUDIT_LOG_SIZE - 8) -+ - int - linux_audit_record_event(int uid, const char *username, - const char *hostname, const char *ip, const char *ttyn, int success) - { -- char buf[64]; -+ char buf[AUDIT_LOG_SIZE]; - int audit_fd, rc; - - audit_fd = audit_open(); -@@ -1406,8 +1439,11 @@ - } - if (username == NULL) - snprintf(buf, sizeof(buf), "uid=%d", uid); -- else -- snprintf(buf, sizeof(buf), "acct=%s", username); -+ else { -+ char encoded[AUDIT_ACCT_SIZE]; -+ _audit_hexscape(username, encoded, sizeof(encoded)); -+ snprintf(buf, sizeof(buf), "acct=%s", encoded); -+ } - rc = audit_log_user_message(audit_fd, AUDIT_USER_LOGIN, - buf, hostname, ip, ttyn, success); - close(audit_fd); diff --git a/openssh-4.7p1-audit.patch b/openssh-4.7p1-audit.patch index 2c925ef..d561be0 100644 --- a/openssh-4.7p1-audit.patch 
+++ b/openssh-4.7p1-audit.patch @@ -1,7 +1,7 @@ -diff -up openssh-4.7p1/auth.c.audit openssh-4.7p1/auth.c ---- openssh-4.7p1/auth.c.audit 2007-03-26 18:35:28.000000000 +0200 -+++ openssh-4.7p1/auth.c 2007-09-06 17:07:44.000000000 +0200 -@@ -286,6 +286,12 @@ auth_log(Authctxt *authctxt, int authent +diff -up openssh-5.2p1/auth.c.audit openssh-5.2p1/auth.c +--- openssh-5.2p1/auth.c.audit 2008-11-05 06:12:54.000000000 +0100 ++++ openssh-5.2p1/auth.c 2009-08-09 09:22:23.634850536 +0200 +@@ -287,6 +287,12 @@ auth_log(Authctxt *authctxt, int authent get_canonical_hostname(options.use_dns), "ssh", &loginmsg); # endif #endif @@ -14,7 +14,7 @@ diff -up openssh-4.7p1/auth.c.audit openssh-4.7p1/auth.c #ifdef SSH_AUDIT_EVENTS if (authenticated == 0 && !authctxt->postponed) audit_event(audit_classify_auth(method)); -@@ -492,6 +498,10 @@ getpwnamallow(const char *user) +@@ -533,6 +539,10 @@ getpwnamallow(const char *user) record_failed_login(user, get_canonical_hostname(options.use_dns), "ssh"); #endif 
@@ -25,9 +25,113 @@ diff -up openssh-4.7p1/auth.c.audit openssh-4.7p1/auth.c #ifdef SSH_AUDIT_EVENTS audit_event(SSH_INVALID_USER); #endif /* SSH_AUDIT_EVENTS */ -diff -up openssh-4.7p1/loginrec.c.audit openssh-4.7p1/loginrec.c ---- openssh-4.7p1/loginrec.c.audit 2007-04-29 04:10:58.000000000 +0200 -+++ openssh-4.7p1/loginrec.c 2007-09-06 17:07:44.000000000 +0200 +diff -up openssh-5.2p1/config.h.in.audit openssh-5.2p1/config.h.in +--- openssh-5.2p1/config.h.in.audit 2009-02-23 01:18:12.000000000 +0100 ++++ openssh-5.2p1/config.h.in 2009-08-09 09:22:28.825939998 +0200 +@@ -1,5 +1,8 @@ + /* config.h.in. Generated from configure.ac by autoheader. */ + ++/* Define if building universal (internal helper macro) */ ++#undef AC_APPLE_UNIVERSAL_BUILD ++ + /* Define if you have a getaddrinfo that fails for the all-zeros IPv6 address + */ + #undef AIX_GETNAMEINFO_HACK +@@ -521,6 +524,9 @@ + /* Define to 1 if you have the header file. */ + #undef HAVE_LASTLOG_H + ++/* Define to 1 if you have the header file. */ ++#undef HAVE_LIBAUDIT_H ++ + /* Define to 1 if you have the `bsm' library (-lbsm). */ + #undef HAVE_LIBBSM + +@@ -560,6 +566,9 @@ + /* Define to 1 if you have the header file. */ + #undef HAVE_LIMITS_H + ++/* Define if you want Linux audit support. */ ++#undef HAVE_LINUX_AUDIT ++ + /* Define to 1 if you have the header file. */ + #undef HAVE_LINUX_IF_TUN_H + +@@ -756,6 +765,9 @@ + /* Define to 1 if you have the `setgroups' function. */ + #undef HAVE_SETGROUPS + ++/* Define to 1 if you have the `setkeycreatecon' function. */ ++#undef HAVE_SETKEYCREATECON ++ + /* Define to 1 if you have the `setlogin' function. */ + #undef HAVE_SETLOGIN + +@@ -1330,6 +1342,10 @@ + /* Prepend the address family to IP tunnel traffic */ + #undef SSH_TUN_PREPEND_AF + ++/* Define to your vendor patch level, if it has been modified from the ++ upstream source release. */ ++#undef SSH_VENDOR_PATCHLEVEL ++ + /* Define to 1 if you have the ANSI C header files. 
*/ + #undef STDC_HEADERS + +@@ -1397,9 +1413,17 @@ + /* Define if you want SELinux support. */ + #undef WITH_SELINUX + +-/* Define to 1 if your processor stores words with the most significant byte +- first (like Motorola and SPARC, unlike Intel and VAX). */ +-#undef WORDS_BIGENDIAN ++/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most ++ significant byte first (like Motorola and SPARC, unlike Intel). */ ++#if defined AC_APPLE_UNIVERSAL_BUILD ++# if defined __BIG_ENDIAN__ ++# define WORDS_BIGENDIAN 1 ++# endif ++#else ++# ifndef WORDS_BIGENDIAN ++# undef WORDS_BIGENDIAN ++# endif ++#endif + + /* Define if xauth is found in your path */ + #undef XAUTH_PATH +diff -up openssh-5.2p1/configure.ac.audit openssh-5.2p1/configure.ac +--- openssh-5.2p1/configure.ac.audit 2009-08-09 09:22:23.608877833 +0200 ++++ openssh-5.2p1/configure.ac 2009-08-09 09:22:23.646244409 +0200 +@@ -3342,6 +3342,18 @@ AC_ARG_WITH(selinux, + fi ] + ) + ++# Check whether user wants Linux audit support ++LINUX_AUDIT_MSG="no" ++AC_ARG_WITH(linux-audit, ++ [ --with-linux-audit Enable Linux audit support], ++ [ if test "x$withval" != "xno" ; then ++ AC_DEFINE(HAVE_LINUX_AUDIT,1,[Define if you want Linux audit support.]) ++ LINUX_AUDIT_MSG="yes" ++ AC_CHECK_HEADERS(libaudit.h) ++ SSHDLIBS="$SSHDLIBS -laudit" ++ fi ] ++) ++ + # Check whether user wants Kerberos 5 support + KRB5_MSG="no" + AC_ARG_WITH(kerberos5, +@@ -4170,6 +4182,7 @@ echo " PAM support + echo " OSF SIA support: $SIA_MSG" + echo " KerberosV support: $KRB5_MSG" + echo " SELinux support: $SELINUX_MSG" ++echo " Linux audit support: $LINUX_AUDIT_MSG" + echo " Smartcard support: $SCARD_MSG" + echo " S/KEY support: $SKEY_MSG" + echo " TCP Wrappers support: $TCPW_MSG" +diff -up openssh-5.2p1/loginrec.c.audit openssh-5.2p1/loginrec.c +--- openssh-5.2p1/loginrec.c.audit 2009-02-12 03:12:22.000000000 +0100 ++++ openssh-5.2p1/loginrec.c 2009-08-09 09:22:23.667199702 +0200 
@@ -176,6 +176,10 @@ #include "auth.h" #include "buffer.h" @@ -60,16 +164,49 @@ diff -up openssh-4.7p1/loginrec.c.audit openssh-4.7p1/loginrec.c #ifdef USE_LOGIN syslogin_write_entry(li); #endif -@@ -1394,6 +1405,51 @@ wtmpx_get_entry(struct logininfo *li) +@@ -1394,6 +1405,87 @@ wtmpx_get_entry(struct logininfo *li) } #endif /* USE_WTMPX */ +#ifdef HAVE_LINUX_AUDIT ++static void ++_audit_hexscape(const char *what, char *where, unsigned int size) ++{ ++ const char *ptr = what; ++ const char *hex = "0123456789ABCDEF"; ++ ++ while (*ptr) { ++ if (*ptr == '"' || *ptr < 0x21 || *ptr > 0x7E) { ++ unsigned int i; ++ ptr = what; ++ for (i = 0; *ptr && i+2 < size; i += 2) { ++ where[i] = hex[((unsigned)*ptr & 0xF0)>>4]; /* Upper nibble */ ++ where[i+1] = hex[(unsigned)*ptr & 0x0F]; /* Lower nibble */ ++ ptr++; ++ } ++ where[i] = '\0'; ++ return; ++ } ++ ptr++; ++ } ++ where[0] = '"'; ++ if ((unsigned)(ptr - what) < size - 3) ++ { ++ size = ptr - what + 3; ++ } ++ strncpy(where + 1, what, size - 3); ++ where[size-2] = '"'; ++ where[size-1] = '\0'; ++} ++ ++#define AUDIT_LOG_SIZE 128 ++#define AUDIT_ACCT_SIZE (AUDIT_LOG_SIZE - 8) ++ +int +linux_audit_record_event(int uid, const char *username, + const char *hostname, const char *ip, const char *ttyn, int success) +{ -+ char buf[64]; ++ char buf[AUDIT_LOG_SIZE]; + int audit_fd, rc; + + audit_fd = audit_open(); @@ -82,8 +219,11 @@ diff -up openssh-4.7p1/loginrec.c.audit openssh-4.7p1/loginrec.c + } + if (username == NULL) + snprintf(buf, sizeof(buf), "uid=%d", uid); -+ else -+ snprintf(buf, sizeof(buf), "acct=%s", username); ++ else { ++ char encoded[AUDIT_ACCT_SIZE]; ++ _audit_hexscape(username, encoded, sizeof(encoded)); ++ snprintf(buf, sizeof(buf), "acct=%s", encoded); ++ } + rc = audit_log_user_message(audit_fd, AUDIT_USER_LOGIN, + buf, hostname, ip, ttyn, success); + close(audit_fd); 
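Review bot: In the configure.ac hunk, `AC_DEFINE(HAVE_LINUX_AUDIT,1,...)` and the `-laudit` addition to SSHDLIBS are unconditional, and `AC_CHECK_HEADERS(libaudit.h)` runs afterwards without its result being used, so `--with-linux-audit` on a host without libaudit still defines HAVE_LINUX_AUDIT and only fails later when loginrec.c is compiled. Make the define depend on the header check, e.g. `AC_CHECK_HEADER(libaudit.h, [AC_DEFINE(HAVE_LINUX_AUDIT,1,[Define if you want Linux audit support.])], [AC_MSG_ERROR([--with-linux-audit requested but libaudit.h not found])])`, and only then append `-laudit`. The same hunk also carries config.h.in churn that is unrelated to audit (the AC_APPLE_UNIVERSAL_BUILD/WORDS_BIGENDIAN block, HAVE_SETKEYCREATECON, SSH_VENDOR_PATCHLEVEL), apparently from re-running autoheader; since the spec runs `autoreconf` after applying the patches anyway, the config.h.in part could be dropped to keep this patch minimal and avoid conflicts with other patches touching that generated file.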
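Review bot: `_audit_hexscape` truncates silently: the hex path stops at `i+2 < size` and the plain path copies at most `size - 3` bytes, so two account names longer than the limit produce identical `acct=` values and the caller never learns that the record is incomplete. Either return an indicator (make it return int and report truncation from both paths) so linux_audit_record_event can log it, or, if the libaudit being linked provides `audit_encode_nv_string()`, use that instead of the hand-rolled encoder since it allocates to fit the input. Two smaller points: `size - 3` underflows if a caller ever passes size < 3 (only 120 is passed here, so a guard `if (size < 3) return;` is enough), and a file-scope identifier beginning with an underscore such as `_audit_hexscape` is reserved by the C standard, so `audit_hexscape` would be cleaner. The 0x21–0x7E range plus the double-quote check appears consistent with the audit-userspace convention of hex-encoding anything outside printable ASCII.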
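Review bot: Only `username` is escaped before `audit_log_user_message`; `hostname`, `ip` and `ttyn` are passed as-is, and `hostname` can come from DNS when use_dns is set (see the `get_canonical_hostname(options.use_dns)` context in the auth.c hunk), so whether libaudit itself sanitizes those fields is worth confirming before relying on this encoder for audit-record integrity. The buffer sizes work out (5 bytes of `acct=` plus at most 119 bytes of `encoded` fit in the 128-byte `buf`), but that depends on `AUDIT_ACCT_SIZE` staying `AUDIT_LOG_SIZE - 8`; a comment next to the defines such as `/* AUDIT_ACCT_SIZE leaves room in buf for the "acct=" prefix and the NUL */` would record why the two are tied. The enclosing function starts in the previous hunk and continues outside this one.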
@@ -112,22 +252,9 @@ diff -up openssh-4.7p1/loginrec.c.audit openssh-4.7p1/loginrec.c /** ** Low-level libutil login() functions **/ -diff -up openssh-4.7p1/config.h.in.audit openssh-4.7p1/config.h.in ---- openssh-4.7p1/config.h.in.audit 2007-09-04 08:50:04.000000000 +0200 -+++ openssh-4.7p1/config.h.in 2007-09-06 17:07:44.000000000 +0200 -@@ -1334,6 +1334,9 @@ - /* Define if you want SELinux support. */ - #undef WITH_SELINUX - -+/* Define if you want Linux audit support. */ -+#undef HAVE_LINUX_AUDIT -+ - /* Define to 1 if your processor stores words with the most significant byte - first (like Motorola and SPARC, unlike Intel and VAX). */ - #undef WORDS_BIGENDIAN -diff -up openssh-4.7p1/loginrec.h.audit openssh-4.7p1/loginrec.h ---- openssh-4.7p1/loginrec.h.audit 2006-08-05 04:39:40.000000000 +0200 -+++ openssh-4.7p1/loginrec.h 2007-09-06 17:07:44.000000000 +0200 +diff -up openssh-5.2p1/loginrec.h.audit openssh-5.2p1/loginrec.h +--- openssh-5.2p1/loginrec.h.audit 2006-08-05 04:39:40.000000000 +0200 ++++ openssh-5.2p1/loginrec.h 2009-08-09 09:22:23.641175349 +0200 @@ -127,5 +127,9 @@ char *line_stripname(char *dst, const ch char *line_abbrevname(char *dst, const char *src, int dstsize); 
@@ -138,33 +265,3 @@ diff -up openssh-4.7p1/loginrec.h.audit openssh-4.7p1/loginrec.h +#endif /* HAVE_LINUX_AUDIT */ #endif /* _HAVE_LOGINREC_H_ */ -diff -up openssh-4.7p1/configure.ac.audit openssh-4.7p1/configure.ac ---- openssh-4.7p1/configure.ac.audit 2007-09-06 17:07:44.000000000 +0200 -+++ openssh-4.7p1/configure.ac 2007-09-06 17:15:23.000000000 +0200 -@@ -3216,6 +3216,18 @@ AC_ARG_WITH(selinux, - fi ] - ) - -+# Check whether user wants Linux audit support -+LINUX_AUDIT_MSG="no" -+AC_ARG_WITH(linux-audit, -+ [ --with-linux-audit Enable Linux audit support], -+ [ if test "x$withval" != "xno" ; then -+ AC_DEFINE(HAVE_LINUX_AUDIT,1,[Define if you want Linux audit support.]) -+ LINUX_AUDIT_MSG="yes" -+ AC_CHECK_HEADERS(libaudit.h) -+ SSHDLIBS="$SSHDLIBS -laudit" -+ fi ] -+) -+ - # Check whether user wants Kerberos 5 support - KRB5_MSG="no" - AC_ARG_WITH(kerberos5, -@@ -4037,6 +4049,7 @@ echo " PAM support - echo " OSF SIA support: $SIA_MSG" - echo " KerberosV support: $KRB5_MSG" - echo " SELinux support: $SELINUX_MSG" -+echo " Linux audit support: $LINUX_AUDIT_MSG" - echo " Smartcard support: $SCARD_MSG" - echo " S/KEY support: $SKEY_MSG" - echo " TCP Wrappers support: $TCPW_MSG" diff --git a/openssh-5.1p1-gssapi-role.patch b/openssh-5.1p1-gssapi-role.patch deleted file mode 100644 index cb18897..0000000 --- a/openssh-5.1p1-gssapi-role.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -Written-by: Nalin Dahyabhai -Reviewed-by: Tomas Mraz -diff -up openssh-5.1p1/auth2-gss.c.gssapi-role openssh-5.1p1/auth2-gss.c ---- openssh-5.1p1/auth2-gss.c.gssapi-role 2007-12-02 12:59:45.000000000 +0100 -+++ openssh-5.1p1/auth2-gss.c 2008-07-23 19:18:15.000000000 +0200 -@@ -258,6 +258,7 @@ input_gssapi_mic(int type, u_int32_t ple - Authctxt *authctxt = ctxt; - Gssctxt *gssctxt; - int authenticated = 0; -+ char *micuser; - Buffer b; - gss_buffer_desc mic, gssbuf; - u_int len; -@@ -270,7 +271,11 @@ input_gssapi_mic(int type, u_int32_t ple - mic.value = packet_get_string(&len); - mic.length = len; - -- ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service, -+ if (authctxt->role && (strlen(authctxt->role) > 0)) -+ xasprintf(&micuser, "%s/%s", authctxt->user, authctxt->role); -+ else -+ micuser = authctxt->user; -+ ssh_gssapi_buildmic(&b, micuser, authctxt->service, - "gssapi-with-mic"); - - gssbuf.value = buffer_ptr(&b); -@@ -282,6 +287,8 @@ input_gssapi_mic(int type, u_int32_t ple - logit("GSSAPI MIC check failed"); - - buffer_free(&b); -+ if (micuser != authctxt->user) -+ xfree(micuser); - xfree(mic.value); - - authctxt->postponed = 0; diff --git a/openssh-5.2p1-redhat.patch b/openssh-5.2p1-redhat.patch index 1e1a579..4304065 100644 --- a/openssh-5.2p1-redhat.patch +++ b/openssh-5.2p1-redhat.patch 
@@ -1,6 +1,52 @@ +diff -up openssh-5.2p1/ssh_config.redhat openssh-5.2p1/ssh_config +--- openssh-5.2p1/ssh_config.redhat 2009-02-21 02:45:02.000000000 +0100 ++++ openssh-5.2p1/ssh_config 2009-08-09 08:45:11.302092427 +0200 +@@ -44,3 +44,14 @@ + # TunnelDevice any:any + # PermitLocalCommand no + # VisualHostKey no ++Host * ++ GSSAPIAuthentication yes ++# If this option is set to yes then remote X11 clients will have full access ++# to the original X11 display. As virtually no X11 client supports the untrusted ++# mode correctly we set this to yes. ++ ForwardX11Trusted yes ++# Send locale-related environment variables ++ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES ++ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT ++ SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE ++ SendEnv XMODIFIERS +diff -up openssh-5.2p1/sshd_config.0.redhat openssh-5.2p1/sshd_config.0 +--- openssh-5.2p1/sshd_config.0.redhat 2009-02-23 01:18:15.000000000 +0100 ++++ openssh-5.2p1/sshd_config.0 2009-08-09 08:45:11.276555108 +0200 +@@ -491,9 +491,9 @@ DESCRIPTION + + SyslogFacility + Gives the facility code that is used when logging messages from +- sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0, +- LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The de- +- fault is AUTH. ++ sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV, ++ LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. ++ The default is AUTH. + + TCPKeepAlive + Specifies whether the system should send TCP keepalive messages +diff -up openssh-5.2p1/sshd_config.5.redhat openssh-5.2p1/sshd_config.5 +--- openssh-5.2p1/sshd_config.5.redhat 2009-02-23 01:00:24.000000000 +0100 ++++ openssh-5.2p1/sshd_config.5 2009-08-09 08:45:11.278927203 +0200 +@@ -848,7 +848,7 @@ Note that this option applies to protoco + .It Cm SyslogFacility + Gives the facility code that is used when logging messages from + .Xr sshd 8 . 
+-The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, ++The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2, + LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. + The default is AUTH. + .It Cm TCPKeepAlive diff -up openssh-5.2p1/sshd_config.redhat openssh-5.2p1/sshd_config --- openssh-5.2p1/sshd_config.redhat 2008-07-02 14:35:43.000000000 +0200 -+++ openssh-5.2p1/sshd_config 2008-07-23 14:11:12.000000000 +0200 ++++ openssh-5.2p1/sshd_config 2009-08-09 08:47:40.850857227 +0200 @@ -33,6 +33,7 @@ Protocol 2 # Logging # obsoletes QuietMode and FascistLogging @@ -31,7 +77,7 @@ diff -up openssh-5.2p1/sshd_config.redhat openssh-5.2p1/sshd_config # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will -@@ -84,11 +89,18 @@ Protocol 2 +@@ -84,11 +89,19 @@ Protocol 2 # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. #UsePAM no @@ -41,6 +87,7 @@ diff -up openssh-5.2p1/sshd_config.redhat openssh-5.2p1/sshd_config +AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES +AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT +AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE ++AcceptEnv XMODIFIERS #AllowAgentForwarding yes #AllowTcpForwarding yes 
@@ -50,48 +97,3 @@ diff -up openssh-5.2p1/sshd_config.redhat openssh-5.2p1/sshd_config #X11DisplayOffset 10 #X11UseLocalhost yes #PrintMotd yes -diff -up openssh-5.2p1/ssh_config.redhat openssh-5.2p1/ssh_config ---- openssh-5.2p1/ssh_config.redhat 2007-06-11 06:04:42.000000000 +0200 -+++ openssh-5.2p1/ssh_config 2008-07-23 14:07:29.000000000 +0200 -@@ -44,3 +44,13 @@ - # TunnelDevice any:any - # PermitLocalCommand no - # VisualHostKey no -+Host * -+ GSSAPIAuthentication yes -+# If this option is set to yes then remote X11 clients will have full access -+# to the original X11 display. As virtually no X11 client supports the untrusted -+# mode correctly we set this to yes. -+ ForwardX11Trusted yes -+# Send locale-related environment variables -+ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES -+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT -+ SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE -diff -up openssh-5.2p1/sshd_config.0.redhat openssh-5.2p1/sshd_config.0 ---- openssh-5.2p1/sshd_config.0.redhat 2008-07-21 10:30:51.000000000 +0200 -+++ openssh-5.2p1/sshd_config.0 2008-07-23 14:07:29.000000000 +0200 -@@ -490,9 +490,9 @@ DESCRIPTION - - SyslogFacility - Gives the facility code that is used when logging messages from -- sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0, -- LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The de- -- fault is AUTH. -+ sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV, -+ LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. -+ The default is AUTH. 
- - TCPKeepAlive - Specifies whether the system should send TCP keepalive messages -diff -up openssh-5.2p1/sshd_config.5.redhat openssh-5.2p1/sshd_config.5 ---- openssh-5.2p1/sshd_config.5.redhat 2008-07-02 14:35:43.000000000 +0200 -+++ openssh-5.2p1/sshd_config.5 2008-07-23 14:07:29.000000000 +0200 -@@ -846,7 +846,7 @@ Note that this option applies to protoco - .It Cm SyslogFacility - Gives the facility code that is used when logging messages from - .Xr sshd 8 . --The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, -+The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2, - LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. - The default is AUTH. - .It Cm TCPKeepAlive diff --git a/openssh-5.2p1-selinux.patch b/openssh-5.2p1-selinux.patch index d669ff8..84dfbc7 100644 --- a/openssh-5.2p1-selinux.patch +++ b/openssh-5.2p1-selinux.patch 
@@ -326,3 +326,36 @@ diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c if (strcmp(authctxt->user, p) != 0) { logit("wrong user name passed to monitor: expected %s != %.100s", authctxt->user, p); +diff -up openssh-5.1p1/auth2-gss.c.gssapi-role openssh-5.1p1/auth2-gss.c +--- openssh-5.1p1/auth2-gss.c.gssapi-role 2007-12-02 12:59:45.000000000 +0100 ++++ openssh-5.1p1/auth2-gss.c 2008-07-23 19:18:15.000000000 +0200 +@@ -258,6 +258,7 @@ input_gssapi_mic(int type, u_int32_t ple + Authctxt *authctxt = ctxt; + Gssctxt *gssctxt; + int authenticated = 0; ++ char *micuser; + Buffer b; + gss_buffer_desc mic, gssbuf; + u_int len; +@@ -270,7 +271,11 @@ input_gssapi_mic(int type, u_int32_t ple + mic.value = packet_get_string(&len); + mic.length = len; + +- ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service, ++ if (authctxt->role && (strlen(authctxt->role) > 0)) ++ xasprintf(&micuser, "%s/%s", authctxt->user, authctxt->role); ++ else ++ micuser = authctxt->user; ++ ssh_gssapi_buildmic(&b, micuser, authctxt->service, + "gssapi-with-mic"); + + gssbuf.value = buffer_ptr(&b); +@@ -282,6 +287,8 @@ input_gssapi_mic(int type, u_int32_t ple + logit("GSSAPI MIC check failed"); + + buffer_free(&b); ++ if (micuser != authctxt->user) ++ xfree(micuser); + xfree(mic.value); + + authctxt->postponed = 0; diff --git a/openssh-5.2p1-xmodifiers.patch b/openssh-5.2p1-xmodifiers.patch deleted file mode 100644 index c6e636d..0000000 --- a/openssh-5.2p1-xmodifiers.patch +++ /dev/null @@ -1,8 +0,0 @@ -diff -up openssh-5.2p1/ssh_config.xmodifiers openssh-5.2p1/ssh_config ---- openssh-5.2p1/ssh_config.xmodifiers 2009-06-12 13:32:36.000000000 +0200 -+++ openssh-5.2p1/ssh_config 2009-06-12 13:39:12.365582705 +0200 -@@ -54,3 +54,4 @@ Host * - SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES - SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT - SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE -+ SendEnv XMODIFIERS 
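Review bot: The auth2-gss.c hunk merged here carries no SELinux-specific guard, yet the selinux patch is applied inside a conditional block in openssh.spec (the `%endif` right after `%patch19`, apparently the WITH_SELINUX block), so builds without SELinux will no longer include the role-aware MIC computation; that is fine only if `authctxt->role` exists solely under the selinux patch, which is worth confirming since the hunk uses it unconditionally. `micuser` is released only after `buffer_free(&b)` and input_gssapi_mic continues outside the hunk, so any exit between the `xasprintf` and that `xfree` would leak the allocation. The inner header still names `openssh-5.1p1/auth2-gss.c.gssapi-role` with 2008 dates while the rest of this patch targets 5.2p1; harmless with `-p1`, but updating it to `openssh-5.2p1/auth2-gss.c.selinux` keeps the patch self-consistent.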
diff --git a/openssh.spec b/openssh.spec index 56cb9de..25c3ded 100644 --- a/openssh.spec +++ b/openssh.spec @@ -63,7 +63,7 @@ Summary: An open source implementation of SSH protocol versions 1 and 2 Name: openssh Version: 5.2p1 -Release: 19%{?dist}%{?rescue_rel} +Release: 20%{?dist}%{?rescue_rel} URL: http://www.openssh.com/portable.html #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc @@ -81,8 +81,8 @@ Patch4: openssh-5.2p1-vendor.patch Patch12: openssh-5.2p1-selinux.patch Patch13: openssh-5.1p1-mls.patch Patch16: openssh-4.7p1-audit.patch -Patch17: openssh-4.3p2-cve-2007-3102.patch Patch18: openssh-5.0p1-pam_selinux.patch +Patch19: openssh-5.2p1-sesftp.patch Patch22: openssh-3.9p1-askpass-keep-above.patch Patch24: openssh-4.3p1-fromto-remote.patch Patch27: openssh-5.1p1-log-in-chroot.patch @@ -93,15 +93,12 @@ Patch39: openssh-4.3p2-no-v6only.patch Patch44: openssh-4.3p2-allow-ip-opts.patch Patch49: openssh-4.3p2-gssapi-canohost.patch Patch51: openssh-5.2p1-nss-keys.patch -Patch54: openssh-5.1p1-gssapi-role.patch Patch55: openssh-5.1p1-cloexec.patch Patch62: openssh-5.1p1-scp-manpage.patch Patch65: openssh-5.2p1-fips.patch Patch66: openssh-5.2p1-homechroot.patch -Patch67: openssh-5.2p1-xmodifiers.patch Patch68: openssh-5.2p1-pathmax.patch Patch69: openssh-5.2p1-selabel.patch -Patch70: openssh-5.2p1-sesftp.patch Patch71: openssh-5.2p1-edns.patch License: BSD @@ -216,8 +213,8 @@ an X11 passphrase dialog for OpenSSH. %patch12 -p1 -b .selinux %patch13 -p1 -b .mls %patch16 -p1 -b .audit -%patch17 -p1 -b .inject-fix %patch18 -p1 -b .pam_selinux +%patch19 -p1 -b .sesftp %endif %patch22 -p1 -b .keep-above 
@@ -230,15 +227,12 @@ an X11 passphrase dialog for OpenSSH. %patch44 -p1 -b .ip-opts %patch49 -p1 -b .canohost %patch51 -p1 -b .nss-keys -%patch54 -p1 -b .gssapi-role %patch55 -p1 -b .cloexec %patch62 -p1 -b .manpage %patch65 -p1 -b .fips %patch66 -p1 -b .homechroot -%patch67 -p1 -b .xmodifiers %patch68 -p1 -b .pathmax %patch69 -p1 -b .selabel -%patch70 -p1 -b .sesftp %patch71 -p1 -b .edns autoreconf @@ -474,6 +468,12 @@ fi %endif %changelog +* Fri Aug 28 2009 Jan F. Chadima - 5.2p1-20 +- merged xmodifiers to redhat patch +- merged gssapi-role to selinux patch +- merged cve-2007_3102 to audit patch +- sesftp patch only with WITH_SELINUX flag + * Wed Aug 26 2009 Jan F. Chadima - 5.2p1-19 - minor change in sesftp patch