DEP-3 tagging of autotools, SELinux, key blacklisting, and keepalive patches

7 files changed, 69 insertions, 0 deletions

diff --git a/debian/patches/config-guess-sub.patch b/debian/patches/config-guess-sub.patch
index d5c016b87..b0a0ada81 100644
--- a/debian/patches/config-guess-sub.patch
+++ b/debian/patches/config-guess-sub.patch
@@ -1,3 +1,8 @@
+Description: Update config.guess and config.sub from autotools-dev 20090611.1
+From: Bradley Smith <bradsmith@debian.org>
+Bug-Debian: http://bugs.debian.org/538301
+Last-Update: 2010-02-27
+
 Index: b/config.guess
 ===================================================================
 --- a/config.guess
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch
index cb9c2823c..1bfc9c798 100644
--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -1,3 +1,19 @@
+Description: Various keepalive extensions
+ Add compatibility aliases for ProtocolKeepAlives and SetupTimeOut,
+ supported in previous versions of Debian's OpenSSH package but since
+ superseded by ServerAliveInterval.  (We're probably stuck with this bit for
+ compatibility.)
+ .
+ In batch mode, default ServerAliveInterval to five minutes.
+ .
+ Adjust documentation to match and to give some more advice on use of
+ keepalives.
+Author: Richard Kettlewell <rjk@greenend.org.uk>
+Author: Ian Jackson <ian@chiark.greenend.org.uk>
+Author: Matthew Vernon <matthew@debian.org>
+Author: Colin Watson <cjwatson@debian.org>
+Last-Update: 2010-02-27
+
 Index: b/readconf.c
 ===================================================================
 --- a/readconf.c
diff --git a/debian/patches/selinux-autoconf.patch b/debian/patches/selinux-autoconf.patch
index 934f885c8..9ac4cd435 100644
--- a/debian/patches/selinux-autoconf.patch
+++ b/debian/patches/selinux-autoconf.patch
@@ -1,3 +1,16 @@
+Description: Fix seusers detection at configure time
+ configure didn't add -lselinux to LIBS before it checked for the existence
+ of getseuserbyname and get_default_context_with_level.  This resulted in
+ seusers configuration not being handled correctly.  Most policies use the
+ seusers feature, and without it login security contexts will not be
+ correct.
+Author: Caleb Case <calebcase@gmail.com>
+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1713
+Bug-Debian: http://bugs.debian.org/465614
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/188136
+Reviewed-by: Colin Watson <cjwatson@debian.org>
+Last-Update: 2010-02-27
+
 Index: b/configure
 ===================================================================
 --- a/configure
diff --git a/debian/patches/selinux-fix-chroot-directory.patch b/debian/patches/selinux-fix-chroot-directory.patch
index a69ded59b..5c7c3c4a9 100644
--- a/debian/patches/selinux-fix-chroot-directory.patch
+++ b/debian/patches/selinux-fix-chroot-directory.patch
@@ -1,3 +1,12 @@
+Description: Make ChrootDirectory work with SELinux
+ After chroot() is called the SE Linux context setting won't work unless
+ /selinux and /proc are mounted in the chroot environment.  Even worse, if
+ the user has control over the chroot environment then they may be able to
+ control the context that they get (I haven't verified this).
+Author: Russell Coker <russell@coker.com.au>
+Bug-Debian: http://bugs.debian.org/556644
+Last-Update: 2010-02-27
+
 Index: b/session.c
 ===================================================================
 --- a/session.c
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index 5e2a9ecb6..ab343b083 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -1,3 +1,12 @@
+Description: Handle SELinux authorisation roles
+ Rejected upstream due to discomfort with magic usernames; a better approach
+ will need an SSH protocol change.  In the meantime, this came from Debian's
+ SELinux maintainer, so we'll keep it until we have something better.
+Author: Manoj Srivastava <srivasta@debian.org>
+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
+Bug-Debian: http://bugs.debian.org/394795
+Last-Update: 2010-02-27
+
 Index: b/auth.h
 ===================================================================
 --- a/auth.h
diff --git a/debian/patches/ssh-vulnkey.patch b/debian/patches/ssh-vulnkey.patch
index 3e4e96493..b33315677 100644
--- a/debian/patches/ssh-vulnkey.patch
+++ b/debian/patches/ssh-vulnkey.patch
@@ -1,3 +1,15 @@
+Description: Reject vulnerable keys to mitigate Debian OpenSSL flaw
+ In 2008, Debian (and derived distributions such as Ubuntu) shipped an
+ OpenSSL package with a flawed random number generator, causing OpenSSH to
+ generate only a very limited set of keys which were subject to private half
+ precomputation.  To mitigate this, this patch checks key authentications
+ against a blacklist of known-vulnerable keys, and adds a new ssh-vulnkey
+ program which can be used to explicitly check keys against that blacklist.
+ See CVE-2008-0166.
+Author: Colin Watson <cjwatson@ubuntu.com>
+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1469
+Last-Update: 2010-02-27
+
 Index: b/Makefile.in
 ===================================================================
 --- a/Makefile.in
diff --git a/debian/patches/ssh1-keepalive.patch b/debian/patches/ssh1-keepalive.patch
index 37b8052eb..c82563033 100644
--- a/debian/patches/ssh1-keepalive.patch
+++ b/debian/patches/ssh1-keepalive.patch
@@ -1,3 +1,8 @@
+Description: Partial server keep-alive implementation for SSH1
+Author: Colin Watson <cjwatson@debian.org>
+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1712
+Last-Update: 2010-02-27
+
 Index: b/clientloop.c
 ===================================================================
 --- a/clientloop.c