From: Marcin Krol Date: Mon, 9 Apr 2018 15:40:06 +0000 (+0000) Subject: - merged 7.7p1 from PLD, updated patches X-Git-Url: https://git.tld-linux.org/?a=commitdiff_plain;h=fe68750dac41a6c7dcc6bb1d9ae8d778ca22ff10;p=packages%2Fopenssh.git - merged 7.7p1 from PLD, updated patches --- diff --git a/openssh-kuserok.patch b/openssh-kuserok.patch index 9778dbb..077484c 100644 --- a/openssh-kuserok.patch +++ b/openssh-kuserok.patch @@ -1,6 +1,6 @@ -diff -urNpa openssh-7.6p1.orig/auth-krb5.c openssh-7.6p1/auth-krb5.c ---- openssh-7.6p1.orig/auth-krb5.c 2017-10-02 19:34:26.000000000 +0000 -+++ openssh-7.6p1/auth-krb5.c 2017-11-07 07:46:03.640125509 +0000 +diff -urpa openssh-7.7p1.orig/auth-krb5.c openssh-7.7p1/auth-krb5.c +--- openssh-7.7p1.orig/auth-krb5.c 2018-04-02 05:38:28.000000000 +0000 ++++ openssh-7.7p1/auth-krb5.c 2018-04-09 14:22:27.146431415 +0000 @@ -54,6 +54,20 @@ extern ServerOptions options; @@ -31,9 +31,9 @@ diff -urNpa openssh-7.6p1.orig/auth-krb5.c openssh-7.6p1/auth-krb5.c authctxt->pw->pw_name)) { problem = -1; goto out; -diff -urNpa openssh-7.6p1.orig/gss-serv-krb5.c openssh-7.6p1/gss-serv-krb5.c ---- openssh-7.6p1.orig/gss-serv-krb5.c 2017-10-02 19:34:26.000000000 +0000 -+++ openssh-7.6p1/gss-serv-krb5.c 2017-11-07 07:46:03.640125509 +0000 +diff -urpa openssh-7.7p1.orig/gss-serv-krb5.c openssh-7.7p1/gss-serv-krb5.c +--- openssh-7.7p1.orig/gss-serv-krb5.c 2018-04-02 05:38:28.000000000 +0000 ++++ openssh-7.7p1/gss-serv-krb5.c 2018-04-09 14:22:27.146431415 +0000 @@ -57,6 +57,7 @@ extern ServerOptions options; #endif 
@@ -51,10 +51,10 @@ diff -urNpa openssh-7.6p1.orig/gss-serv-krb5.c openssh-7.6p1/gss-serv-krb5.c retval = 1; logit("Authorized to %s, krb5 principal %s (krb5_kuserok)", name, (char *)client->displayname.value); -diff -urNpa openssh-7.6p1.orig/servconf.c openssh-7.6p1/servconf.c ---- openssh-7.6p1.orig/servconf.c 2017-11-07 07:44:54.000000000 +0000 -+++ openssh-7.6p1/servconf.c 2017-11-07 07:48:00.014118573 +0000 -@@ -152,6 +152,7 @@ initialize_server_options(ServerOptions +diff -urpa openssh-7.7p1.orig/servconf.c openssh-7.7p1/servconf.c +--- openssh-7.7p1.orig/servconf.c 2018-04-09 14:19:20.369433518 +0000 ++++ openssh-7.7p1/servconf.c 2018-04-09 14:23:35.581430645 +0000 +@@ -162,6 +162,7 @@ initialize_server_options(ServerOptions options->num_accept_env = 0; options->permit_tun = -1; options->permitted_opens = NULL; @@ -62,7 +62,7 @@ diff -urNpa openssh-7.6p1.orig/servconf.c openssh-7.6p1/servconf.c options->adm_forced_command = NULL; options->chroot_directory = NULL; options->authorized_keys_command = NULL; -@@ -377,6 +378,8 @@ fill_default_server_options(ServerOption +@@ -429,6 +430,8 @@ fill_default_server_options(ServerOption options->num_auth_methods = 0; } 
@@ -71,16 +71,16 @@ diff -urNpa openssh-7.6p1.orig/servconf.c openssh-7.6p1/servconf.c #ifndef HAVE_MMAP if (use_privsep && options->compression == 1) { error("This platform does not support both privilege " -@@ -399,7 +402,7 @@ typedef enum { +@@ -451,7 +454,7 @@ typedef enum { sPermitRootLogin, sLogFacility, sLogLevel, sRhostsRSAAuthentication, sRSAAuthentication, sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, -- sKerberosGetAFSToken, -+ sKerberosGetAFSToken, sKerberosUseKuserok, - sKerberosTgtPassing, sChallengeResponseAuthentication, +- sKerberosGetAFSToken, sChallengeResponseAuthentication, ++ sKerberosGetAFSToken, sKerberosUseKuserok, sChallengeResponseAuthentication, sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, sAddressFamily, -@@ -484,11 +487,13 @@ static struct { + sPrintMotd, sPrintLastLog, sIgnoreRhosts, +@@ -535,11 +538,13 @@ static struct { #else { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, #endif @@ -94,7 +94,7 @@ diff -urNpa openssh-7.6p1.orig/servconf.c openssh-7.6p1/servconf.c #endif { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL }, { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL }, -@@ -1674,6 +1679,10 @@ process_server_config_line(ServerOptions +@@ -1815,6 +1820,10 @@ process_server_config_line(ServerOptions *activep = value; break; @@ -105,7 +105,7 @@ diff -urNpa openssh-7.6p1.orig/servconf.c openssh-7.6p1/servconf.c case sPermitOpen: arg = strdelim(&cp); if (!arg || *arg == '\0') -@@ -2055,6 +2064,7 @@ copy_set_server_options(ServerOptions *d +@@ -2193,6 +2202,7 @@ copy_set_server_options(ServerOptions *d M_CP_INTOPT(rekey_limit); M_CP_INTOPT(rekey_interval); M_CP_INTOPT(log_level); 
@@ -113,7 +113,7 @@ diff -urNpa openssh-7.6p1.orig/servconf.c openssh-7.6p1/servconf.c /* * The bind_mask is a mode_t that may be unsigned, so we can't use -@@ -2346,6 +2356,7 @@ dump_config(ServerOptions *o) +@@ -2498,6 +2508,7 @@ dump_config(ServerOptions *o) dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink); dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash); dump_cfg_fmtint(sExposeAuthInfo, o->expose_userauth_info); @@ -121,10 +121,10 @@ diff -urNpa openssh-7.6p1.orig/servconf.c openssh-7.6p1/servconf.c /* string arguments */ dump_cfg_string(sPidFile, o->pid_file); -diff -urNpa openssh-7.6p1.orig/servconf.h openssh-7.6p1/servconf.h ---- openssh-7.6p1.orig/servconf.h 2017-11-07 07:44:54.000000000 +0000 -+++ openssh-7.6p1/servconf.h 2017-11-07 07:46:03.642125509 +0000 -@@ -180,6 +180,7 @@ typedef struct { +diff -urpa openssh-7.7p1.orig/servconf.h openssh-7.7p1/servconf.h +--- openssh-7.7p1.orig/servconf.h 2018-04-09 14:18:20.148434196 +0000 ++++ openssh-7.7p1/servconf.h 2018-04-09 14:22:27.147431415 +0000 +@@ -191,6 +191,7 @@ typedef struct { char **permitted_opens; u_int num_permitted_opens; /* May also be one of PERMITOPEN_* */ @@ -132,10 +132,10 @@ diff -urNpa openssh-7.6p1.orig/servconf.h openssh-7.6p1/servconf.h char *chroot_directory; char *revoked_keys_file; char *trusted_user_ca_keys; -diff -urNpa openssh-7.6p1.orig/sshd_config openssh-7.6p1/sshd_config ---- openssh-7.6p1.orig/sshd_config 2017-11-07 07:44:54.000000000 +0000 -+++ openssh-7.6p1/sshd_config 2017-11-07 07:46:03.642125509 +0000 -@@ -69,6 +69,7 @@ AuthorizedKeysFile .ssh/authorized_keys +diff -urpa openssh-7.7p1.orig/sshd_config openssh-7.7p1/sshd_config +--- openssh-7.7p1.orig/sshd_config 2018-04-09 14:18:20.149434196 +0000 ++++ openssh-7.7p1/sshd_config 2018-04-09 14:22:27.147431415 +0000 +@@ -68,6 +68,7 @@ AuthorizedKeysFile .ssh/authorized_keys #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes #KerberosGetAFSToken no 
@@ -143,10 +143,10 @@ diff -urNpa openssh-7.6p1.orig/sshd_config openssh-7.6p1/sshd_config # GSSAPI options #GSSAPIAuthentication no -diff -urNpa openssh-7.6p1.orig/sshd_config.5 openssh-7.6p1/sshd_config.5 ---- openssh-7.6p1.orig/sshd_config.5 2017-11-07 07:44:54.000000000 +0000 -+++ openssh-7.6p1/sshd_config.5 2017-11-07 07:48:44.118115944 +0000 -@@ -854,6 +854,10 @@ Specifies whether to automatically destr +diff -urpa openssh-7.7p1.orig/sshd_config.5 openssh-7.7p1/sshd_config.5 +--- openssh-7.7p1.orig/sshd_config.5 2018-04-09 14:18:20.149434196 +0000 ++++ openssh-7.7p1/sshd_config.5 2018-04-09 14:22:27.148431415 +0000 +@@ -856,6 +856,10 @@ Specifies whether to automatically destr file on logout. The default is .Cm yes . @@ -157,7 +157,7 @@ diff -urNpa openssh-7.6p1.orig/sshd_config.5 openssh-7.6p1/sshd_config.5 .It Cm KexAlgorithms Specifies the available KEX (Key Exchange) algorithms. Multiple algorithms must be comma-separated. -@@ -1087,6 +1091,7 @@ Available keywords are +@@ -1119,6 +1123,7 @@ Available keywords are .Cm KbdInteractiveAuthentication , .Cm KerberosAuthentication , .Cm LogLevel , diff --git a/openssh-ldap.patch b/openssh-ldap.patch index 741b5b5..3626558 100644 --- a/openssh-ldap.patch +++ b/openssh-ldap.patch @@ -1996,9 +1996,9 @@ diff -up openssh-6.2p1/ldapmisc.h.ldap openssh-6.2p1/ldapmisc.h PRIVSEP_PATH=@PRIVSEP_PATH@ SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ @@ -61,8 +63,9 @@ - LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@ EXEEXT=@EXEEXT@ MANFMT=@MANFMT@ + MKDIR_P=@MKDIR_P@ +INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@ -TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) diff --git a/openssh-ldns.patch b/openssh-ldns.patch deleted file mode 100644 index 367c5e8..0000000 --- a/openssh-ldns.patch +++ /dev/null 
@@ -1,12 +0,0 @@ ---- a/configure.ac~ 2017-10-02 21:34:26.000000000 +0200 -+++ b/configure.ac 2017-10-06 08:35:16.756080761 +0200 -@@ -1487,7 +1487,7 @@ AC_ARG_WITH(ldns, - ldns="" - if test "x$withval" = "xyes" ; then - AC_PATH_TOOL([LDNSCONFIG], [ldns-config], [no]) -- if test "x$PKGCONFIG" = "xno"; then -+ if test "x$LDNSCONFIG" = "xno"; then - CPPFLAGS="$CPPFLAGS -I${withval}/include" - LDFLAGS="$LDFLAGS -L${withval}/lib" - LIBS="-lldns $LIBS" - diff --git a/openssh-sigpipe.patch b/openssh-sigpipe.patch index 742640c..3d60ddf 100644 --- a/openssh-sigpipe.patch +++ b/openssh-sigpipe.patch @@ -22,31 +22,31 @@ diff -urN openssh-3.9p1.org/ssh.0 openssh-3.9p1/ssh.0 --- openssh-3.9p1.org/ssh.0 2004-08-17 19:03:29.327565840 +0200 +++ openssh-3.9p1/ssh.0 2004-08-17 19:03:41.809668272 +0200 -@@ -235,6 +235,8 @@ - that enable them to authenticate using the identities loaded into - the agent. +@@ -433,6 +433,8 @@ DESCRIPTION + -y Send log information using the syslog(3) system module. By + default this information is sent to stderr. -+ -B Enable SIGPIPE processing. ++ -Z Enable SIGPIPE processing. + - -a Disables forwarding of the authentication agent connection. - - -b bind_address + ssh may additionally obtain configuration data from a per-user + configuration file and a system-wide configuration file. The file format + and configuration options are described in ssh_config(5). --- openssh-5.6p1/ssh.1~ 2010-08-24 14:05:48.000000000 +0300 +++ openssh-5.6p1/ssh.1 2010-08-24 14:06:57.879253682 +0300 -@@ -43,7 +43,7 @@ +@@ -42,7 +42,7 @@ + .Nd OpenSSH SSH client (remote login program) .Sh SYNOPSIS .Nm ssh - .Bk -words -.Op Fl 46AaCfGgKkMNnqsTtVvXxYy -+.Op Fl 46AaBCfGgKkMNnqsTtVvXxYy ++.Op Fl 46AaCfGgKkMNnqsTtVvXxYyZ + .Op Fl B Ar bind_interface .Op Fl b Ar bind_address .Op Fl c Ar cipher_spec - .Op Fl D Oo Ar bind_address : Oc Ns Ar port 
@@ -138,6 +138,11 @@ on the local machine as the source addre of the connection. Only useful on systems with more than one address. .Pp -+.It Fl B ++.It Fl Z +Enables processing of SIGPIPE. Useful when using ssh output as input for +another process, for example in a shell script. Be careful - it may break +port/X11 forwarding when used. 
@@ -66,31 +66,32 @@ diff -urN openssh-3.9p1.org/ssh.0 openssh-3.9p1/ssh.0 /* # of replies received for global requests */ static int client_global_request_id = 0; -@@ -200,7 +200,7 @@ static void +@@ -204,7 +204,7 @@ static void usage(void) { fprintf(stderr, --"usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n" -+"usage: ssh [-46AaBCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n" - " [-D [bind_address:]port] [-E log_file] [-e escape_char]\n" - " [-F configfile] [-I pkcs11] [-i identity_file]\n" - " [-J [user@]host[:port]] [-L address] [-l login_name] [-m mac_spec]\n" -@@ -330,7 +330,7 @@ main(int ac, char **av) +-"usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface]\n" ++"usage: ssh [-46AaCfGgKkMNnqsTtVvXxYyZ] [-B bind_interface]\n" + " [-b bind_address] [-c cipher_spec] [-D [bind_address:]port]\n" + " [-E log_file] [-e escape_char] [-F configfile] [-I pkcs11]\n" + " [-i identity_file] [-J [user@]host[:port]] [-L address]\n" +@@ -666,7 +666,7 @@ main(int ac, char **av) again: while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" -- "ACD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { -+ "ABCD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { +- "AB:CD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { ++ "AB:CD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYyZ")) != -1) { switch (opt) { case '1': - options.protocol = SSH_PROTO_1; -@@ -291,6 +294,9 @@ - case 'A': - options.forward_agent = 1; + fatal("SSH protocol v.1 is no longer supported"); +@@ -985,6 +985,9 @@ main(int ac, char **av) + case 'F': + config = optarg; break; -+ case 'B': ++ case 'Z': + enable_sigpipe = 1; + break; - case 'k': - options.gss_deleg_creds = 0; - break; + default: + usage(); + } + diff --git a/openssh-tests-reuseport.patch b/openssh-tests-reuseport.patch index 4b9c856..6dfc2a7 100644 --- a/openssh-tests-reuseport.patch +++ b/openssh-tests-reuseport.patch 
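Review bot: Moving the SIGPIPE switch from `-B` to `-Z` in the getopt string and the `case` label gives existing callers of `ssh -B` no warning. The new option string contains `B:` (upstream's bind_interface), so a script that still passes `-B` has its next argument, typically the host name, consumed as an interface name instead of getting SIGPIPE handling. Nothing in this commit announces the rename. A release note or a `%banner` in openssh.spec, like the one already used for the DSA change, would make the break visible, e.g. `! ssh -B (SIGPIPE) is now ssh -Z; -B selects the bind interface !`. The enclosing `main()` starts and ends outside the hunk.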
@@ -1,11 +1,12 @@ --- openssh-6.9p1/regress/netcat.c.orig 2015-07-01 04:35:31.000000000 +0200 +++ openssh-6.9p1/regress/netcat.c 2015-07-03 17:23:33.544777525 +0200 -@@ -775,7 +775,7 @@ +@@ -738,7 +738,7 @@ local_listen(char *host, char *port, str #ifdef SO_REUSEPORT ret = setsockopt(s, SOL_SOCKET, SO_REUSEPORT, &x, sizeof(x)); if (ret == -1) -- err(1, "setsockopt"); +- err(1, "setsockopt SO_REUSEPORT"); + warn("setsockopt SO_REUSEPORT"); #endif - set_common_sockopts(s); - + #ifdef SO_REUSEADDR + ret = setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &x, sizeof(x)); + diff --git a/openssh-vulnkey-compat.patch b/openssh-vulnkey-compat.patch index 6faf184..6ed3e83 100644 --- a/openssh-vulnkey-compat.patch +++ b/openssh-vulnkey-compat.patch @@ -20,7 +20,7 @@ diff --git a/readconf.c b/readconf.c index 7613ff2..bcd8cad 100644 --- a/readconf.c +++ b/readconf.c -@@ -226,6 +226,7 @@ static struct { +@@ -226,6 +226,7 @@ { "passwordauthentication", oPasswordAuthentication }, { "kbdinteractiveauthentication", oKbdInteractiveAuthentication }, { "kbdinteractivedevices", oKbdInteractiveDevices }, @@ -32,11 +32,11 @@ diff --git a/servconf.c b/servconf.c index 0083cf8..90de888 100644 --- a/servconf.c +++ b/servconf.c -@@ -521,6 +521,7 @@ static struct { +@@ -572,6 +572,7 @@ { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, + { "permitblacklistedkeys", sDeprecated, SSHCFG_GLOBAL }, { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL }, { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, - { "uselogin", sUseLogin, SSHCFG_GLOBAL }, + { "uselogin", sDeprecated, SSHCFG_GLOBAL }, diff --git a/openssh.spec b/openssh.spec index dcb2155..640811d 100644 --- a/openssh.spec +++ b/openssh.spec 
@@ -42,13 +42,13 @@ Summary(pt_BR.UTF-8): Implementação livre do SSH Summary(ru.UTF-8): OpenSSH - свободная реализация протокола Secure Shell (SSH) Summary(uk.UTF-8): OpenSSH - вільна реалізація протоколу Secure Shell (SSH) Name: openssh -Version: 7.6p1 +Version: 7.7p1 Release: 1 Epoch: 2 License: BSD Group: Applications/Networking Source0: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{name}-%{version}.tar.gz -# Source0-md5: 06a88699018e5fef13d4655abfed1f63 +# Source0-md5: 68ba883aff6958297432e5877e9a0fe2 Source1: http://www.mif.pg.gda.pl/homepages/ankry/man-PLD/%{name}-non-english-man-pages.tar.bz2 # Source1-md5: 66943d481cc422512b537bcc2c7400d1 Source2: %{name}d.init @@ -57,8 +57,7 @@ Source4: %{name}.sysconfig Source5: ssh-agent.sh Source6: ssh-agent.conf Source7: %{name}-lpk.schema -Source8: sshd-keygen -Patch0: %{name}-ldns.patch +Source10: sshd-keygen Patch1: %{name}-tests-reuseport.patch Patch2: %{name}-pam_misc.patch Patch3: %{name}-sigpipe.patch @@ -520,7 +519,7 @@ openldap-a. %prep %setup -q -%patch0 -p1 + %patch1 -p1 %patch2 -p1 %patch3 -p1 @@ -529,6 +528,7 @@ openldap-a. %patch6 -p1 %patch7 -p1 %patch8 -p1 + %{?with_hpn:%patch9 -p1} %patch10 -p1 %patch11 -p1 @@ -610,7 +610,7 @@ ln -sf /etc/profile.d/ssh-agent.sh $RPM_BUILD_ROOT/etc/X11/xinit/xinitrc.d/ssh-a cp -p %{SOURCE6} $RPM_BUILD_ROOT%{_sysconfdir} cp -p %{SOURCE7} $RPM_BUILD_ROOT%{schemadir} -install -p %{SOURCE8} $RPM_BUILD_ROOT%{_libexecdir}/sshd-keygen +install -p %{SOURCE10} $RPM_BUILD_ROOT%{_libexecdir}/sshd-keygen %{__sed} -i -e 's|@@LIBEXECDIR@@|%{_libexecdir}|g' \ $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd \ @@ -683,7 +683,7 @@ if [ "$1" = "0" ]; then %userremove sshd fi -%triggerpostun server -- %{name}-server < %{epoch}:7.0p1-2 +%triggerpostun server -- %{name}-server < 2:7.0p1-2 %banner %{name}-server -e << EOF !!!!!!!!!!!!!!!!!!!!! WARNING !!!!!!!!!!!!!!!!!!!!! ! Starting from openssh 7.0 DSA keys are disabled !
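Review bot: The updated `Source0-md5` line is the only integrity pin visible for the 7.7p1 tarball, and `Source0` is still fetched over plain `http://`. MD5 is no longer adequate as a sole integrity check, and an unauthenticated download can be altered in transit. If the builder tooling verifies nothing else (not visible here), switch the URL to `https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{name}-%{version}.tar.gz`. When bumping the version, also check the upstream detached signature (`%{name}-%{version}.tar.gz.asc`) or record a SHA-256 next to the MD5.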
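Review bot: The trigger condition `< 2:7.0p1-2` now carries a literal epoch with no explanation, so a later edit may well change it back to `%{epoch}`. The literal looks right: the bound names a fixed historical release and should not move if `Epoch:` is ever raised. Say so in a comment above the `%triggerpostun` line, e.g. `# epoch is written out on purpose: this bound must stay at the 7.0p1-2 release even if Epoch changes`.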