* New upstream release (http://www.openssh.org/txt/release-6.0).

- Fix IPQoS not being set on non-mapped v4-in-v6 addressed connections (closes: #643312, #650512). - Add a new privilege separation sandbox implementation for Linux's new seccomp sandbox, automatically enabled on platforms that support it. (Note: privilege separation sandboxing is still experimental.)
author: Colin Watson <cjwatson@debian.org> 2012-05-18 12:16:05 +0100
committer: Colin Watson <cjwatson@debian.org> 2012-05-18 12:16:05 +0100
commit: dabbdfacc9f6995b0739772a47704186dcf34ea5 (patch)
tree: 0a0b306a637bc85eb719261b74884f0b9573ec41 /debian/patches/gssapi.patch
parent: 1e0d51b642cac9a6bfb719e6320905625aa5f943 (diff)
parent: dd5ed53e20d218607260916a6b04d1c8c5b3d88f (diff)
1 files changed, 20 insertions, 20 deletions
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index dc293683e..d78835bd6 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -327,7 +327,7 @@ Index: b/clientloop.c
 /* import options */
 extern Options options;
 
-@@ -1508,6 +1512,15 @@
+@@ -1540,6 +1544,15 @@
                /* Do channel operations unless rekeying in progress. */
                if (!rekeying) {
                        channel_after_select(readset, writeset);
@@ -347,7 +347,7 @@ Index: b/config.h.in
 ===================================================================
 --- a/config.h.in
 +++ b/config.h.in
-@@ -1441,6 +1441,9 @@
+@@ -1465,6 +1465,9 @@
 /* Use btmp to log bad logins */
 #undef USE_BTMP
 
@@ -357,7 +357,7 @@ Index: b/config.h.in
 /* Use libedit for sftp */
 #undef USE_LIBEDIT
 
-@@ -1456,6 +1459,9 @@
+@@ -1480,6 +1483,9 @@
 /* Use PIPES instead of a socketpair() */
 #undef USE_PIPES
 
@@ -371,7 +371,7 @@ Index: b/configure
 ===================================================================
 --- a/configure
 +++ b/configure
-@@ -6521,6 +6521,63 @@
+@@ -6608,6 +6608,63 @@
 
 $as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h
 
@@ -439,7 +439,7 @@ Index: b/configure.ac
 ===================================================================
 --- a/configure.ac
 +++ b/configure.ac
-@@ -515,6 +515,30 @@
+@@ -545,6 +545,30 @@
            [Use tunnel device compatibility to OpenBSD])
        AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
            [Prepend the address family to IP tunnel traffic])
@@ -2059,7 +2059,7 @@ Index: b/monitor.c
        } else {
                mon_dispatch = mon_dispatch_postauth15;
                monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
-@@ -1802,6 +1819,13 @@
+@@ -1803,6 +1820,13 @@
        kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
        kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
        kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
@@ -2073,7 +2073,7 @@ Index: b/monitor.c
        kex->server = 1;
        kex->hostkey_type = buffer_get_int(m);
        kex->kex_type = buffer_get_int(m);
-@@ -2008,6 +2032,9 @@
+@@ -2009,6 +2033,9 @@
        OM_uint32 major;
        u_int len;
 
@@ -2083,7 +2083,7 @@ Index: b/monitor.c
        goid.elements = buffer_get_string(m, &len);
        goid.length = len;
 
-@@ -2035,6 +2062,9 @@
+@@ -2036,6 +2063,9 @@
        OM_uint32 flags = 0; /* GSI needs this */
        u_int len;
 
@@ -2093,7 +2093,7 @@ Index: b/monitor.c
        in.value = buffer_get_string(m, &len);
        in.length = len;
        major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
-@@ -2052,6 +2082,7 @@
+@@ -2053,6 +2083,7 @@
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -2101,7 +2101,7 @@ Index: b/monitor.c
        }
        return (0);
 }
-@@ -2063,6 +2094,9 @@
+@@ -2064,6 +2095,9 @@
        OM_uint32 ret;
        u_int len;
 
@@ -2111,7 +2111,7 @@ Index: b/monitor.c
        gssbuf.value = buffer_get_string(m, &len);
        gssbuf.length = len;
        mic.value = buffer_get_string(m, &len);
-@@ -2089,7 +2123,11 @@
+@@ -2090,7 +2124,11 @@
 {
        int authenticated;
 
@@ -2124,7 +2124,7 @@ Index: b/monitor.c
 
        buffer_clear(m);
        buffer_put_int(m, authenticated);
-@@ -2102,6 +2140,74 @@
+@@ -2103,6 +2141,74 @@
        /* Monitor loop will terminate if authenticated */
        return (authenticated);
 }
@@ -2326,7 +2326,7 @@ Index: b/readconf.c
 #endif
        { "fallbacktorsh", oDeprecated },
        { "usersh", oDeprecated },
-@@ -482,10 +493,30 @@
+@@ -483,10 +494,30 @@
                intptr = &options->gss_authentication;
                goto parse_flag;
 
@@ -2357,7 +2357,7 @@ Index: b/readconf.c
        case oBatchMode:
                intptr = &options->batch_mode;
                goto parse_flag;
-@@ -1138,7 +1169,12 @@
+@@ -1139,7 +1170,12 @@
        options->pubkey_authentication = -1;
        options->challenge_response_authentication = -1;
        options->gss_authentication = -1;
@@ -2370,7 +2370,7 @@ Index: b/readconf.c
        options->password_authentication = -1;
        options->kbd_interactive_authentication = -1;
        options->kbd_interactive_devices = NULL;
-@@ -1238,8 +1274,14 @@
+@@ -1239,8 +1275,14 @@
                options->challenge_response_authentication = 1;
        if (options->gss_authentication == -1)
                options->gss_authentication = 0;
@@ -2389,7 +2389,7 @@ Index: b/readconf.h
 ===================================================================
 --- a/readconf.h
 +++ b/readconf.h
-@@ -47,7 +47,12 @@
+@@ -48,7 +48,12 @@
        int     challenge_response_authentication;
                                        /* Try S/Key or TIS, authentication. */
        int     gss_authentication;     /* Try GSS authentication */
@@ -2893,7 +2893,7 @@ Index: b/sshd.c
 #ifdef LIBWRAP
 #include <tcpd.h>
 #include <syslog.h>
-@@ -1612,10 +1616,13 @@
+@@ -1616,10 +1620,13 @@
                logit("Disabling protocol version 1. Could not load host key");
                options.protocol &= ~SSH_PROTO_1;
        }
@@ -2907,7 +2907,7 @@ Index: b/sshd.c
        if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
                logit("sshd: no hostkeys available -- exiting.");
                exit(1);
-@@ -1944,6 +1951,60 @@
+@@ -1948,6 +1955,60 @@
        /* Log the connection. */
        verbose("Connection from %.500s port %d", remote_ip, remote_port);
 
@@ -2968,7 +2968,7 @@ Index: b/sshd.c
        /*
         * We don't want to listen forever unless the other side
         * successfully authenticates itself.  So we set up an alarm which is
-@@ -2325,6 +2386,48 @@
+@@ -2329,6 +2390,48 @@
 
        myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
 
@@ -3017,7 +3017,7 @@ Index: b/sshd.c
        /* start key exchange */
        kex = kex_setup(myproposal);
        kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
-@@ -2332,6 +2435,13 @@
+@@ -2336,6 +2439,13 @@
        kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
        kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
        kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
author	Colin Watson <cjwatson@debian.org>	2012-05-18 12:16:05 +0100
committer	Colin Watson <cjwatson@debian.org>	2012-05-18 12:16:05 +0100
commit	dabbdfacc9f6995b0739772a47704186dcf34ea5 (patch)
tree	0a0b306a637bc85eb719261b74884f0b9573ec41 /debian/patches/gssapi.patch
parent	1e0d51b642cac9a6bfb719e6320905625aa5f943 (diff)
parent	dd5ed53e20d218607260916a6b04d1c8c5b3d88f (diff)

diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch index dc293683e..d78835bd6 100644 --- a/debian/patches/gssapi.patch +++ b/debian/patches/gssapi.patch
@@ -327,7 +327,7 @@ Index: b/clientloop.c
327	/* import options */	327	/* import options */
328	extern Options options;	328	extern Options options;
329		329
330	@@ -1508,6 +1512,15 @@	330	@@ -1540,6 +1544,15 @@
331	/* Do channel operations unless rekeying in progress. */	331	/* Do channel operations unless rekeying in progress. */
332	if (!rekeying) {	332	if (!rekeying) {
333	channel_after_select(readset, writeset);	333	channel_after_select(readset, writeset);
@@ -347,7 +347,7 @@ Index: b/config.h.in
347	===================================================================	347	===================================================================
348	--- a/config.h.in	348	--- a/config.h.in
349	+++ b/config.h.in	349	+++ b/config.h.in
350	@@ -1441,6 +1441,9 @@	350	@@ -1465,6 +1465,9 @@
351	/* Use btmp to log bad logins */	351	/* Use btmp to log bad logins */
352	#undef USE_BTMP	352	#undef USE_BTMP
353		353
@@ -357,7 +357,7 @@ Index: b/config.h.in
357	/* Use libedit for sftp */	357	/* Use libedit for sftp */
358	#undef USE_LIBEDIT	358	#undef USE_LIBEDIT
359		359
360	@@ -1456,6 +1459,9 @@	360	@@ -1480,6 +1483,9 @@
361	/* Use PIPES instead of a socketpair() */	361	/* Use PIPES instead of a socketpair() */
362	#undef USE_PIPES	362	#undef USE_PIPES
363		363
@@ -371,7 +371,7 @@ Index: b/configure
371	===================================================================	371	===================================================================
372	--- a/configure	372	--- a/configure
373	+++ b/configure	373	+++ b/configure
374	@@ -6521,6 +6521,63 @@	374	@@ -6608,6 +6608,63 @@
375		375
376	$as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h	376	$as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h
377		377
@@ -439,7 +439,7 @@ Index: b/configure.ac
439	===================================================================	439	===================================================================
440	--- a/configure.ac	440	--- a/configure.ac
441	+++ b/configure.ac	441	+++ b/configure.ac
442	@@ -515,6 +515,30 @@	442	@@ -545,6 +545,30 @@
443	[Use tunnel device compatibility to OpenBSD])	443	[Use tunnel device compatibility to OpenBSD])
444	AC_DEFINE([SSH_TUN_PREPEND_AF], [1],	444	AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
445	[Prepend the address family to IP tunnel traffic])	445	[Prepend the address family to IP tunnel traffic])
@@ -2059,7 +2059,7 @@ Index: b/monitor.c
2059	} else {	2059	} else {
2060	mon_dispatch = mon_dispatch_postauth15;	2060	mon_dispatch = mon_dispatch_postauth15;
2061	monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);	2061	monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
2062	@@ -1802,6 +1819,13 @@	2062	@@ -1803,6 +1820,13 @@
2063	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;	2063	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
2064	kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;	2064	kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
2065	kex->kex[KEX_ECDH_SHA2] = kexecdh_server;	2065	kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
@@ -2073,7 +2073,7 @@ Index: b/monitor.c
2073	kex->server = 1;	2073	kex->server = 1;
2074	kex->hostkey_type = buffer_get_int(m);	2074	kex->hostkey_type = buffer_get_int(m);
2075	kex->kex_type = buffer_get_int(m);	2075	kex->kex_type = buffer_get_int(m);
2076	@@ -2008,6 +2032,9 @@	2076	@@ -2009,6 +2033,9 @@
2077	OM_uint32 major;	2077	OM_uint32 major;
2078	u_int len;	2078	u_int len;
2079		2079
@@ -2083,7 +2083,7 @@ Index: b/monitor.c
2083	goid.elements = buffer_get_string(m, &len);	2083	goid.elements = buffer_get_string(m, &len);
2084	goid.length = len;	2084	goid.length = len;
2085		2085
2086	@@ -2035,6 +2062,9 @@	2086	@@ -2036,6 +2063,9 @@
2087	OM_uint32 flags = 0; /* GSI needs this */	2087	OM_uint32 flags = 0; /* GSI needs this */
2088	u_int len;	2088	u_int len;
2089		2089
@@ -2093,7 +2093,7 @@ Index: b/monitor.c
2093	in.value = buffer_get_string(m, &len);	2093	in.value = buffer_get_string(m, &len);
2094	in.length = len;	2094	in.length = len;
2095	major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);	2095	major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
2096	@@ -2052,6 +2082,7 @@	2096	@@ -2053,6 +2083,7 @@
2097	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);	2097	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
2098	monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);	2098	monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
2099	monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);	2099	monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -2101,7 +2101,7 @@ Index: b/monitor.c
2101	}	2101	}
2102	return (0);	2102	return (0);
2103	}	2103	}
2104	@@ -2063,6 +2094,9 @@	2104	@@ -2064,6 +2095,9 @@
2105	OM_uint32 ret;	2105	OM_uint32 ret;
2106	u_int len;	2106	u_int len;
2107		2107
@@ -2111,7 +2111,7 @@ Index: b/monitor.c
2111	gssbuf.value = buffer_get_string(m, &len);	2111	gssbuf.value = buffer_get_string(m, &len);
2112	gssbuf.length = len;	2112	gssbuf.length = len;
2113	mic.value = buffer_get_string(m, &len);	2113	mic.value = buffer_get_string(m, &len);
2114	@@ -2089,7 +2123,11 @@	2114	@@ -2090,7 +2124,11 @@
2115	{	2115	{
2116	int authenticated;	2116	int authenticated;
2117		2117
@@ -2124,7 +2124,7 @@ Index: b/monitor.c
2124		2124
2125	buffer_clear(m);	2125	buffer_clear(m);
2126	buffer_put_int(m, authenticated);	2126	buffer_put_int(m, authenticated);
2127	@@ -2102,6 +2140,74 @@	2127	@@ -2103,6 +2141,74 @@
2128	/* Monitor loop will terminate if authenticated */	2128	/* Monitor loop will terminate if authenticated */
2129	return (authenticated);	2129	return (authenticated);
2130	}	2130	}
@@ -2326,7 +2326,7 @@ Index: b/readconf.c
2326	#endif	2326	#endif
2327	{ "fallbacktorsh", oDeprecated },	2327	{ "fallbacktorsh", oDeprecated },
2328	{ "usersh", oDeprecated },	2328	{ "usersh", oDeprecated },
2329	@@ -482,10 +493,30 @@	2329	@@ -483,10 +494,30 @@
2330	intptr = &options->gss_authentication;	2330	intptr = &options->gss_authentication;
2331	goto parse_flag;	2331	goto parse_flag;
2332		2332
@@ -2357,7 +2357,7 @@ Index: b/readconf.c
2357	case oBatchMode:	2357	case oBatchMode:
2358	intptr = &options->batch_mode;	2358	intptr = &options->batch_mode;
2359	goto parse_flag;	2359	goto parse_flag;
2360	@@ -1138,7 +1169,12 @@	2360	@@ -1139,7 +1170,12 @@
2361	options->pubkey_authentication = -1;	2361	options->pubkey_authentication = -1;
2362	options->challenge_response_authentication = -1;	2362	options->challenge_response_authentication = -1;
2363	options->gss_authentication = -1;	2363	options->gss_authentication = -1;
@@ -2370,7 +2370,7 @@ Index: b/readconf.c
2370	options->password_authentication = -1;	2370	options->password_authentication = -1;
2371	options->kbd_interactive_authentication = -1;	2371	options->kbd_interactive_authentication = -1;
2372	options->kbd_interactive_devices = NULL;	2372	options->kbd_interactive_devices = NULL;
2373	@@ -1238,8 +1274,14 @@	2373	@@ -1239,8 +1275,14 @@
2374	options->challenge_response_authentication = 1;	2374	options->challenge_response_authentication = 1;
2375	if (options->gss_authentication == -1)	2375	if (options->gss_authentication == -1)
2376	options->gss_authentication = 0;	2376	options->gss_authentication = 0;
@@ -2389,7 +2389,7 @@ Index: b/readconf.h
2389	===================================================================	2389	===================================================================
2390	--- a/readconf.h	2390	--- a/readconf.h
2391	+++ b/readconf.h	2391	+++ b/readconf.h
2392	@@ -47,7 +47,12 @@	2392	@@ -48,7 +48,12 @@
2393	int challenge_response_authentication;	2393	int challenge_response_authentication;
2394	/* Try S/Key or TIS, authentication. */	2394	/* Try S/Key or TIS, authentication. */
2395	int gss_authentication; /* Try GSS authentication */	2395	int gss_authentication; /* Try GSS authentication */
@@ -2893,7 +2893,7 @@ Index: b/sshd.c
2893	#ifdef LIBWRAP	2893	#ifdef LIBWRAP
2894	#include <tcpd.h>	2894	#include <tcpd.h>
2895	#include <syslog.h>	2895	#include <syslog.h>
2896	@@ -1612,10 +1616,13 @@	2896	@@ -1616,10 +1620,13 @@
2897	logit("Disabling protocol version 1. Could not load host key");	2897	logit("Disabling protocol version 1. Could not load host key");
2898	options.protocol &= ~SSH_PROTO_1;	2898	options.protocol &= ~SSH_PROTO_1;
2899	}	2899	}
@@ -2907,7 +2907,7 @@ Index: b/sshd.c
2907	if (!(options.protocol & (SSH_PROTO_1\|SSH_PROTO_2))) {	2907	if (!(options.protocol & (SSH_PROTO_1\|SSH_PROTO_2))) {
2908	logit("sshd: no hostkeys available -- exiting.");	2908	logit("sshd: no hostkeys available -- exiting.");
2909	exit(1);	2909	exit(1);
2910	@@ -1944,6 +1951,60 @@	2910	@@ -1948,6 +1955,60 @@
2911	/* Log the connection. */	2911	/* Log the connection. */
2912	verbose("Connection from %.500s port %d", remote_ip, remote_port);	2912	verbose("Connection from %.500s port %d", remote_ip, remote_port);
2913		2913
@@ -2968,7 +2968,7 @@ Index: b/sshd.c
2968	/*	2968	/*
2969	* We don't want to listen forever unless the other side	2969	* We don't want to listen forever unless the other side
2970	* successfully authenticates itself. So we set up an alarm which is	2970	* successfully authenticates itself. So we set up an alarm which is
2971	@@ -2325,6 +2386,48 @@	2971	@@ -2329,6 +2390,48 @@
2972		2972
2973	myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();	2973	myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
2974		2974
@@ -3017,7 +3017,7 @@ Index: b/sshd.c
3017	/* start key exchange */	3017	/* start key exchange */
3018	kex = kex_setup(myproposal);	3018	kex = kex_setup(myproposal);
3019	kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;	3019	kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
3020	@@ -2332,6 +2435,13 @@	3020	@@ -2336,6 +2439,13 @@
3021	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;	3021	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
3022	kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;	3022	kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
3023	kex->kex[KEX_ECDH_SHA2] = kexecdh_server;	3023	kex->kex[KEX_ECDH_SHA2] = kexecdh_server;