diff options
35 files changed, 99 insertions, 64 deletions
@@ -1,3 +1,17 @@ | |||
1 | commit 5c35450a0c901d9375fb23343a8dc82397da5f75 | ||
2 | Author: Damien Miller <djm@mindrot.org> | ||
3 | Date: Thu Mar 10 05:04:48 2016 +1100 | ||
4 | |||
5 | update versions for release | ||
6 | |||
7 | commit 9d47b8d3f50c3a6282896df8274147e3b9a38c56 | ||
8 | Author: Damien Miller <djm@mindrot.org> | ||
9 | Date: Thu Mar 10 05:03:39 2016 +1100 | ||
10 | |||
11 | sanitise characters destined for xauth(1) | ||
12 | |||
13 | reported by github.com/tintinweb | ||
14 | |||
1 | commit 72b061d4ba0f909501c595d709ea76e06b01e5c9 | 15 | commit 72b061d4ba0f909501c595d709ea76e06b01e5c9 |
2 | Author: Darren Tucker <dtucker@zip.com.au> | 16 | Author: Darren Tucker <dtucker@zip.com.au> |
3 | Date: Fri Feb 26 14:40:04 2016 +1100 | 17 | Date: Fri Feb 26 14:40:04 2016 +1100 |
@@ -8889,19 +8903,3 @@ Author: Damien Miller <djm@mindrot.org> | |||
8889 | Date: Thu Mar 13 13:14:21 2014 +1100 | 8903 | Date: Thu Mar 13 13:14:21 2014 +1100 |
8890 | 8904 | ||
8891 | - (djm) Release OpenSSH 6.6 | 8905 | - (djm) Release OpenSSH 6.6 |
8892 | |||
8893 | commit 8569eba5d7f7348ce3955eeeb399f66f25c52ece | ||
8894 | Author: Damien Miller <djm@mindrot.org> | ||
8895 | Date: Tue Mar 4 09:35:17 2014 +1100 | ||
8896 | |||
8897 | - djm@cvs.openbsd.org 2014/03/03 22:22:30 | ||
8898 | [session.c] | ||
8899 | ignore enviornment variables with embedded '=' or '\0' characters; | ||
8900 | spotted by Jann Horn; ok deraadt@ | ||
8901 | |||
8902 | commit 2476c31b96e89aec7d4e73cb6fbfb9a4290de3a7 | ||
8903 | Author: Damien Miller <djm@mindrot.org> | ||
8904 | Date: Sun Mar 2 04:01:00 2014 +1100 | ||
8905 | |||
8906 | - (djm) [regress/Makefile] Disable dhgex regress test; it breaks when | ||
8907 | no moduli file exists at the expected location. | ||
@@ -1,4 +1,4 @@ | |||
1 | See http://www.openssh.com/txt/release-7.2p1 for the release notes. | 1 | See http://www.openssh.com/txt/release-7.2p2 for the release notes. |
2 | 2 | ||
3 | Please read http://www.openssh.com/report.html for bug reporting | 3 | Please read http://www.openssh.com/report.html for bug reporting |
4 | instructions and note that we do not use Github for bug reporting or | 4 | instructions and note that we do not use Github for bug reporting or |
diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec index 2a55f454e..eefe82df0 100644 --- a/contrib/redhat/openssh.spec +++ b/contrib/redhat/openssh.spec | |||
@@ -1,4 +1,4 @@ | |||
1 | %define ver 7.2p1 | 1 | %define ver 7.2p2 |
2 | %define rel 1 | 2 | %define rel 1 |
3 | 3 | ||
4 | # OpenSSH privilege separation requires a user & group ID | 4 | # OpenSSH privilege separation requires a user & group ID |
diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec index 53264c1fb..f20a78656 100644 --- a/contrib/suse/openssh.spec +++ b/contrib/suse/openssh.spec | |||
@@ -13,7 +13,7 @@ | |||
13 | 13 | ||
14 | Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation | 14 | Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation |
15 | Name: openssh | 15 | Name: openssh |
16 | Version: 7.2p1 | 16 | Version: 7.2p2 |
17 | URL: http://www.openssh.com/ | 17 | URL: http://www.openssh.com/ |
18 | Release: 1 | 18 | Release: 1 |
19 | Source0: openssh-%{version}.tar.gz | 19 | Source0: openssh-%{version}.tar.gz |
diff --git a/debian/.git-dpm b/debian/.git-dpm index 65e3d5e54..a06ce86e7 100644 --- a/debian/.git-dpm +++ b/debian/.git-dpm | |||
@@ -1,8 +1,8 @@ | |||
1 | # see git-dpm(1) from git-dpm package | 1 | # see git-dpm(1) from git-dpm package |
2 | 85e40e87a75fb80a0bf893ac05a417d6c353537d | 2 | 27a3937bf51447024527168a510d7f9b21542b1c |
3 | 85e40e87a75fb80a0bf893ac05a417d6c353537d | 3 | 27a3937bf51447024527168a510d7f9b21542b1c |
4 | c52a95cc4754e6630c96fe65ae0c65eb41d2c590 | 4 | f0329aac23c61e1a5197d6d57349a63f459bccb0 |
5 | c52a95cc4754e6630c96fe65ae0c65eb41d2c590 | 5 | f0329aac23c61e1a5197d6d57349a63f459bccb0 |
6 | openssh_7.2p1.orig.tar.gz | 6 | openssh_7.2p2.orig.tar.gz |
7 | d30a6fd472199ab5838a7668c0c5fd885fb8d371 | 7 | 70e35d7d6386fe08abbd823b3a12a3ca44ac6d38 |
8 | 1499707 | 8 | 1499808 |
diff --git a/debian/changelog b/debian/changelog index 20c8059f2..27b46428e 100644 --- a/debian/changelog +++ b/debian/changelog | |||
@@ -1,3 +1,12 @@ | |||
1 | openssh (1:7.2p2-1) UNRELEASED; urgency=high | ||
2 | |||
3 | * New upstream release (http://www.openssh.com/txt/release-7.2p2): | ||
4 | - SECURITY: sshd(8): Sanitise X11 authentication credentials to avoid | ||
5 | xauth command injection when X11Forwarding is enabled | ||
6 | (http://www.openssh.com/txt/x11fwd.adv). | ||
7 | |||
8 | -- Colin Watson <cjwatson@debian.org> Thu, 10 Mar 2016 13:01:22 +0000 | ||
9 | |||
1 | openssh (1:7.2p1-1) unstable; urgency=medium | 10 | openssh (1:7.2p1-1) unstable; urgency=medium |
2 | 11 | ||
3 | * New upstream release (http://www.openssh.com/txt/release-7.2): | 12 | * New upstream release (http://www.openssh.com/txt/release-7.2): |
diff --git a/debian/patches/auth-log-verbosity.patch b/debian/patches/auth-log-verbosity.patch index 549570c5c..482ca97bd 100644 --- a/debian/patches/auth-log-verbosity.patch +++ b/debian/patches/auth-log-verbosity.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From d104554289d524d6f8c97cc93a8ff5aabbfcdd6c Mon Sep 17 00:00:00 2001 | 1 | From 33f7235ca187f62f44734c6caca95e54c3cf7232 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:02 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:02 +0000 |
4 | Subject: Quieten logs when multiple from= restrictions are used | 4 | Subject: Quieten logs when multiple from= restrictions are used |
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch index 5a0dcd806..a6e5019e4 100644 --- a/debian/patches/authorized-keys-man-symlink.patch +++ b/debian/patches/authorized-keys-man-symlink.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 88659ca2f10e2401f887b9dd58f6361d7bfa08e4 Mon Sep 17 00:00:00 2001 | 1 | From 4f28c3fcf778105bbbb3a2144d1d46bee93b48b7 Mon Sep 17 00:00:00 2001 |
2 | From: Tomas Pospisek <tpo_deb@sourcepole.ch> | 2 | From: Tomas Pospisek <tpo_deb@sourcepole.ch> |
3 | Date: Sun, 9 Feb 2014 16:10:07 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:07 +0000 |
4 | Subject: Install authorized_keys(5) as a symlink to sshd(8) | 4 | Subject: Install authorized_keys(5) as a symlink to sshd(8) |
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch index 7f8cdb172..64e7bcae9 100644 --- a/debian/patches/debian-banner.patch +++ b/debian/patches/debian-banner.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 3c79e49a4fbd8e4c84f6af6f1173563bda8b273b Mon Sep 17 00:00:00 2001 | 1 | From ae6ba56387f97086bb50273e1c80ba5cbaba2adc Mon Sep 17 00:00:00 2001 |
2 | From: Kees Cook <kees@debian.org> | 2 | From: Kees Cook <kees@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:06 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:06 +0000 |
4 | Subject: Add DebianBanner server configuration option | 4 | Subject: Add DebianBanner server configuration option |
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch index 24f1a77ec..3bc6c1303 100644 --- a/debian/patches/debian-config.patch +++ b/debian/patches/debian-config.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 85e40e87a75fb80a0bf893ac05a417d6c353537d Mon Sep 17 00:00:00 2001 | 1 | From 27a3937bf51447024527168a510d7f9b21542b1c Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:18 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:18 +0000 |
4 | Subject: Various Debian-specific configuration changes | 4 | Subject: Various Debian-specific configuration changes |
diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch index 8b33364e4..a6d108d64 100644 --- a/debian/patches/dnssec-sshfp.patch +++ b/debian/patches/dnssec-sshfp.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 094cc9bf1c7f873542a6c8dc25d0f8e61aa23318 Mon Sep 17 00:00:00 2001 | 1 | From 9c255ad5c677682eb99e1d45dbd5328cef732036 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:01 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:01 +0000 |
4 | Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf | 4 | Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf |
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch index 2b203f5dc..20d25b04e 100644 --- a/debian/patches/doc-hash-tab-completion.patch +++ b/debian/patches/doc-hash-tab-completion.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 3aede5a89ef203b53ef86435fe4af709a39379c2 Mon Sep 17 00:00:00 2001 | 1 | From e28df965f5f36a83bba58549a216fba78277585f Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:11 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:11 +0000 |
4 | Subject: Document that HashKnownHosts may break tab-completion | 4 | Subject: Document that HashKnownHosts may break tab-completion |
diff --git a/debian/patches/doc-upstart.patch b/debian/patches/doc-upstart.patch index 3266c4707..698236ca7 100644 --- a/debian/patches/doc-upstart.patch +++ b/debian/patches/doc-upstart.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 2c7520d8d6245868704cf01dd572cce744663173 Mon Sep 17 00:00:00 2001 | 1 | From d0f5716ccb267efa3178ee03c2fc5a45d024c465 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@ubuntu.com> | 2 | From: Colin Watson <cjwatson@ubuntu.com> |
3 | Date: Sun, 9 Feb 2014 16:10:12 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:12 +0000 |
4 | Subject: Refer to ssh's Upstart job as well as its init script | 4 | Subject: Refer to ssh's Upstart job as well as its init script |
diff --git a/debian/patches/gnome-ssh-askpass2-icon.patch b/debian/patches/gnome-ssh-askpass2-icon.patch index ba2c684fd..7d0c14d5b 100644 --- a/debian/patches/gnome-ssh-askpass2-icon.patch +++ b/debian/patches/gnome-ssh-askpass2-icon.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 5e5d8faea814efa9368ccec343580b6dcd440d5e Mon Sep 17 00:00:00 2001 | 1 | From bd1efc3a46d0253b5d3c44e7d881d7ac0af87549 Mon Sep 17 00:00:00 2001 |
2 | From: Vincent Untz <vuntz@ubuntu.com> | 2 | From: Vincent Untz <vuntz@ubuntu.com> |
3 | Date: Sun, 9 Feb 2014 16:10:16 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:16 +0000 |
4 | Subject: Give the ssh-askpass-gnome window a default icon | 4 | Subject: Give the ssh-askpass-gnome window a default icon |
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch index aa9f25848..6ce8a62bf 100644 --- a/debian/patches/gssapi.patch +++ b/debian/patches/gssapi.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 374db1757fc18bd6647539b80977e6907a2cecd4 Mon Sep 17 00:00:00 2001 | 1 | From 6dfd41bb6858c6446c1da47449e2108fbabf220e Mon Sep 17 00:00:00 2001 |
2 | From: Simon Wilkinson <simon@sxw.org.uk> | 2 | From: Simon Wilkinson <simon@sxw.org.uk> |
3 | Date: Sun, 9 Feb 2014 16:09:48 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:48 +0000 |
4 | Subject: GSSAPI key exchange support | 4 | Subject: GSSAPI key exchange support |
diff --git a/debian/patches/helpful-wait-terminate.patch b/debian/patches/helpful-wait-terminate.patch index 935235b27..d8a12a26f 100644 --- a/debian/patches/helpful-wait-terminate.patch +++ b/debian/patches/helpful-wait-terminate.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 5c2c0e042d57cee75528686f47b4c47db434ad8b Mon Sep 17 00:00:00 2001 | 1 | From 6165757b14648f66150a0b5b45790b117f562790 Mon Sep 17 00:00:00 2001 |
2 | From: Matthew Vernon <matthew@debian.org> | 2 | From: Matthew Vernon <matthew@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:09:56 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:56 +0000 |
4 | Subject: Mention ~& when waiting for forwarded connections to terminate | 4 | Subject: Mention ~& when waiting for forwarded connections to terminate |
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch index de0f73c59..f184bb41e 100644 --- a/debian/patches/keepalive-extensions.patch +++ b/debian/patches/keepalive-extensions.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From a9c7a3f8b035fe820fd32283460b1a28e696d2fe Mon Sep 17 00:00:00 2001 | 1 | From ce1a5718a57d2d1c0d9e59cfac81c2f6401780a0 Mon Sep 17 00:00:00 2001 |
2 | From: Richard Kettlewell <rjk@greenend.org.uk> | 2 | From: Richard Kettlewell <rjk@greenend.org.uk> |
3 | Date: Sun, 9 Feb 2014 16:09:52 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:52 +0000 |
4 | Subject: Various keepalive extensions | 4 | Subject: Various keepalive extensions |
diff --git a/debian/patches/mention-ssh-keygen-on-keychange.patch b/debian/patches/mention-ssh-keygen-on-keychange.patch index 7e6ad3996..77fd9dd81 100644 --- a/debian/patches/mention-ssh-keygen-on-keychange.patch +++ b/debian/patches/mention-ssh-keygen-on-keychange.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From cbec84cf05e5dbd6d8a739a7d01e1d242a006d20 Mon Sep 17 00:00:00 2001 | 1 | From 86be635e17e81da5e0dc39498724a5c37a52753d Mon Sep 17 00:00:00 2001 |
2 | From: Scott Moser <smoser@ubuntu.com> | 2 | From: Scott Moser <smoser@ubuntu.com> |
3 | Date: Sun, 9 Feb 2014 16:10:03 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:03 +0000 |
4 | Subject: Mention ssh-keygen in ssh fingerprint changed warning | 4 | Subject: Mention ssh-keygen in ssh fingerprint changed warning |
diff --git a/debian/patches/no-openssl-version-status.patch b/debian/patches/no-openssl-version-status.patch index 42463eed7..58a39a95b 100644 --- a/debian/patches/no-openssl-version-status.patch +++ b/debian/patches/no-openssl-version-status.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From c2f77b15d182a5399d4548a57a471d6be7b25a87 Mon Sep 17 00:00:00 2001 | 1 | From 37fa6804403a83d98a796f417544104996f3c4a8 Mon Sep 17 00:00:00 2001 |
2 | From: Kurt Roeckx <kurt@roeckx.be> | 2 | From: Kurt Roeckx <kurt@roeckx.be> |
3 | Date: Sun, 9 Feb 2014 16:10:14 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:14 +0000 |
4 | Subject: Don't check the status field of the OpenSSL version | 4 | Subject: Don't check the status field of the OpenSSL version |
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch index abeaad7a5..72f946fec 100644 --- a/debian/patches/openbsd-docs.patch +++ b/debian/patches/openbsd-docs.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 5a19d59c0b76162929545ad1bc92e7de69ce9a7b Mon Sep 17 00:00:00 2001 | 1 | From a94344bdb2f8499dd6370f53f41d46bd5a6fc045 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:09 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:09 +0000 |
4 | Subject: Adjust various OpenBSD-specific references in manual pages | 4 | Subject: Adjust various OpenBSD-specific references in manual pages |
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch index b41c066e3..3fd57a043 100644 --- a/debian/patches/package-versioning.patch +++ b/debian/patches/package-versioning.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From f7587633dc374db82455fe7a3fa921de5c4a897b Mon Sep 17 00:00:00 2001 | 1 | From fa63bc351c67842b687d94a24afa1d7fd1d8c94f Mon Sep 17 00:00:00 2001 |
2 | From: Matthew Vernon <matthew@debian.org> | 2 | From: Matthew Vernon <matthew@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:05 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:05 +0000 |
4 | Subject: Include the Debian version in our identification | 4 | Subject: Include the Debian version in our identification |
@@ -49,13 +49,13 @@ index bb093cc..c762190 100644 | |||
49 | options.version_addendum, newline); | 49 | options.version_addendum, newline); |
50 | 50 | ||
51 | diff --git a/version.h b/version.h | 51 | diff --git a/version.h b/version.h |
52 | index 4189982..236dd87 100644 | 52 | index eb4e948..0840a1a 100644 |
53 | --- a/version.h | 53 | --- a/version.h |
54 | +++ b/version.h | 54 | +++ b/version.h |
55 | @@ -3,4 +3,9 @@ | 55 | @@ -3,4 +3,9 @@ |
56 | #define SSH_VERSION "OpenSSH_7.2" | 56 | #define SSH_VERSION "OpenSSH_7.2" |
57 | 57 | ||
58 | #define SSH_PORTABLE "p1" | 58 | #define SSH_PORTABLE "p2" |
59 | -#define SSH_RELEASE SSH_VERSION SSH_PORTABLE | 59 | -#define SSH_RELEASE SSH_VERSION SSH_PORTABLE |
60 | +#define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE | 60 | +#define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE |
61 | +#ifdef SSH_EXTRAVERSION | 61 | +#ifdef SSH_EXTRAVERSION |
diff --git a/debian/patches/quieter-signals.patch b/debian/patches/quieter-signals.patch index 51d5c09d0..5eaab4036 100644 --- a/debian/patches/quieter-signals.patch +++ b/debian/patches/quieter-signals.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 754544297b321ab1ce1923e6aa9987bb82dd4fc5 Mon Sep 17 00:00:00 2001 | 1 | From 2ebca9787f92efa5d3fa1a1a47547f5ed1d31ca0 Mon Sep 17 00:00:00 2001 |
2 | From: Peter Samuelson <peter@p12n.org> | 2 | From: Peter Samuelson <peter@p12n.org> |
3 | Date: Sun, 9 Feb 2014 16:09:55 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:55 +0000 |
4 | Subject: Reduce severity of "Killed by signal %d" | 4 | Subject: Reduce severity of "Killed by signal %d" |
diff --git a/debian/patches/restore-tcp-wrappers.patch b/debian/patches/restore-tcp-wrappers.patch index 47ccdda3c..dbb66f10f 100644 --- a/debian/patches/restore-tcp-wrappers.patch +++ b/debian/patches/restore-tcp-wrappers.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 9496f70a8203592158275489519996476b2356af Mon Sep 17 00:00:00 2001 | 1 | From 1b820bd5376b5b04403f0489b2e135566cedd4e6 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Tue, 7 Oct 2014 13:22:41 +0100 | 3 | Date: Tue, 7 Oct 2014 13:22:41 +0100 |
4 | Subject: Restore TCP wrappers support | 4 | Subject: Restore TCP wrappers support |
diff --git a/debian/patches/scp-quoting.patch b/debian/patches/scp-quoting.patch index cd2685e3a..fbaaa92ec 100644 --- a/debian/patches/scp-quoting.patch +++ b/debian/patches/scp-quoting.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From c2c79a52f66eee7b85b5241d08a70b2593a9bc9e Mon Sep 17 00:00:00 2001 | 1 | From 9788125fd5b4541ebeae6028b9e911c5aeb43d9f Mon Sep 17 00:00:00 2001 |
2 | From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com> | 2 | From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com> |
3 | Date: Sun, 9 Feb 2014 16:09:59 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:59 +0000 |
4 | Subject: Adjust scp quoting in verbose mode | 4 | Subject: Adjust scp quoting in verbose mode |
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch index c632f0349..de4384b03 100644 --- a/debian/patches/selinux-role.patch +++ b/debian/patches/selinux-role.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From a00cba810338ce920de432e7797a45794bf280ba Mon Sep 17 00:00:00 2001 | 1 | From 16caff9bcfbc638ed7d2e01a338db678f138faa5 Mon Sep 17 00:00:00 2001 |
2 | From: Manoj Srivastava <srivasta@debian.org> | 2 | From: Manoj Srivastava <srivasta@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:09:49 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:49 +0000 |
4 | Subject: Handle SELinux authorisation roles | 4 | Subject: Handle SELinux authorisation roles |
@@ -396,10 +396,10 @@ index e687c99..823901b 100644 | |||
396 | char *platform_krb5_get_principal_name(const char *); | 396 | char *platform_krb5_get_principal_name(const char *); |
397 | int platform_sys_dir_uid(uid_t); | 397 | int platform_sys_dir_uid(uid_t); |
398 | diff --git a/session.c b/session.c | 398 | diff --git a/session.c b/session.c |
399 | index 7a02500..99ec6f3 100644 | 399 | index 87fddfc..f246b8a 100644 |
400 | --- a/session.c | 400 | --- a/session.c |
401 | +++ b/session.c | 401 | +++ b/session.c |
402 | @@ -1489,7 +1489,7 @@ safely_chroot(const char *path, uid_t uid) | 402 | @@ -1511,7 +1511,7 @@ safely_chroot(const char *path, uid_t uid) |
403 | 403 | ||
404 | /* Set login name, uid, gid, and groups. */ | 404 | /* Set login name, uid, gid, and groups. */ |
405 | void | 405 | void |
@@ -408,7 +408,7 @@ index 7a02500..99ec6f3 100644 | |||
408 | { | 408 | { |
409 | char *chroot_path, *tmp; | 409 | char *chroot_path, *tmp; |
410 | 410 | ||
411 | @@ -1517,7 +1517,7 @@ do_setusercontext(struct passwd *pw) | 411 | @@ -1539,7 +1539,7 @@ do_setusercontext(struct passwd *pw) |
412 | endgrent(); | 412 | endgrent(); |
413 | #endif | 413 | #endif |
414 | 414 | ||
@@ -417,7 +417,7 @@ index 7a02500..99ec6f3 100644 | |||
417 | 417 | ||
418 | if (!in_chroot && options.chroot_directory != NULL && | 418 | if (!in_chroot && options.chroot_directory != NULL && |
419 | strcasecmp(options.chroot_directory, "none") != 0) { | 419 | strcasecmp(options.chroot_directory, "none") != 0) { |
420 | @@ -1674,7 +1674,7 @@ do_child(Session *s, const char *command) | 420 | @@ -1696,7 +1696,7 @@ do_child(Session *s, const char *command) |
421 | 421 | ||
422 | /* Force a password change */ | 422 | /* Force a password change */ |
423 | if (s->authctxt->force_pwchange) { | 423 | if (s->authctxt->force_pwchange) { |
@@ -426,7 +426,7 @@ index 7a02500..99ec6f3 100644 | |||
426 | child_close_fds(); | 426 | child_close_fds(); |
427 | do_pwchange(s); | 427 | do_pwchange(s); |
428 | exit(1); | 428 | exit(1); |
429 | @@ -1701,7 +1701,7 @@ do_child(Session *s, const char *command) | 429 | @@ -1723,7 +1723,7 @@ do_child(Session *s, const char *command) |
430 | /* When PAM is enabled we rely on it to do the nologin check */ | 430 | /* When PAM is enabled we rely on it to do the nologin check */ |
431 | if (!options.use_pam) | 431 | if (!options.use_pam) |
432 | do_nologin(pw); | 432 | do_nologin(pw); |
@@ -435,7 +435,7 @@ index 7a02500..99ec6f3 100644 | |||
435 | /* | 435 | /* |
436 | * PAM session modules in do_setusercontext may have | 436 | * PAM session modules in do_setusercontext may have |
437 | * generated messages, so if this in an interactive | 437 | * generated messages, so if this in an interactive |
438 | @@ -2112,7 +2112,7 @@ session_pty_req(Session *s) | 438 | @@ -2134,7 +2134,7 @@ session_pty_req(Session *s) |
439 | tty_parse_modes(s->ttyfd, &n_bytes); | 439 | tty_parse_modes(s->ttyfd, &n_bytes); |
440 | 440 | ||
441 | if (!use_privsep) | 441 | if (!use_privsep) |
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch index 953bae5d0..ea8f2d685 100644 --- a/debian/patches/shell-path.patch +++ b/debian/patches/shell-path.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 434f7bc6f37b86a449d3d975fad53233f4c141f2 Mon Sep 17 00:00:00 2001 | 1 | From a8c208a1f6b234a3bf0206c7bce2aaa27b88b46a Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:00 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:00 +0000 |
4 | Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand | 4 | Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand |
diff --git a/debian/patches/sigstop.patch b/debian/patches/sigstop.patch index e022fa53f..590f55539 100644 --- a/debian/patches/sigstop.patch +++ b/debian/patches/sigstop.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From e66add5020e18f6dd9b942b46e02d9b20e24edcc Mon Sep 17 00:00:00 2001 | 1 | From 2b25784cfb29177fe9e19546981ab698eb422b9f Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:17 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:17 +0000 |
4 | Subject: Support synchronisation with service supervisor using SIGSTOP | 4 | Subject: Support synchronisation with service supervisor using SIGSTOP |
diff --git a/debian/patches/ssh-agent-setgid.patch b/debian/patches/ssh-agent-setgid.patch index a2f23396e..5d64655e5 100644 --- a/debian/patches/ssh-agent-setgid.patch +++ b/debian/patches/ssh-agent-setgid.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From d7698edca3667ffacae051582028eb3971928edc Mon Sep 17 00:00:00 2001 | 1 | From 3e0e43c3840d4df2e44435a41981fd1eef5030b4 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:13 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:13 +0000 |
4 | Subject: Document consequences of ssh-agent being setgid in ssh-agent(1) | 4 | Subject: Document consequences of ssh-agent being setgid in ssh-agent(1) |
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch index f830f2cf2..6cb4a8472 100644 --- a/debian/patches/ssh-argv0.patch +++ b/debian/patches/ssh-argv0.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 30dfe2ed8df15c27b53c883c1b718b13416299d5 Mon Sep 17 00:00:00 2001 | 1 | From af8f74e50c8b6f49d85bd03c64e92260ae95ef59 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:10 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:10 +0000 |
4 | Subject: ssh(1): Refer to ssh-argv0(1) | 4 | Subject: ssh(1): Refer to ssh-argv0(1) |
diff --git a/debian/patches/ssh-vulnkey-compat.patch b/debian/patches/ssh-vulnkey-compat.patch index f2bb35326..7ff30093a 100644 --- a/debian/patches/ssh-vulnkey-compat.patch +++ b/debian/patches/ssh-vulnkey-compat.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 68e8163d9209f731c582fe5350002c51c9551983 Mon Sep 17 00:00:00 2001 | 1 | From 50201dd1c0a38e8a26d614b1679981610a8effc5 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@ubuntu.com> | 2 | From: Colin Watson <cjwatson@ubuntu.com> |
3 | Date: Sun, 9 Feb 2014 16:09:50 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:50 +0000 |
4 | Subject: Accept obsolete ssh-vulnkey configuration options | 4 | Subject: Accept obsolete ssh-vulnkey configuration options |
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch index 5ac2fc593..fe72ff7ba 100644 --- a/debian/patches/syslog-level-silent.patch +++ b/debian/patches/syslog-level-silent.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From c87856cd1b99bc4188b145b0689af5e1d1babe24 Mon Sep 17 00:00:00 2001 | 1 | From b8c3ad59100fedf8aaab9986b55c9307c599ec61 Mon Sep 17 00:00:00 2001 |
2 | From: Jonathan David Amery <jdamery@ysolde.ucam.org> | 2 | From: Jonathan David Amery <jdamery@ysolde.ucam.org> |
3 | Date: Sun, 9 Feb 2014 16:09:54 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:54 +0000 |
4 | Subject: "LogLevel SILENT" compatibility | 4 | Subject: "LogLevel SILENT" compatibility |
diff --git a/debian/patches/systemd-readiness.patch b/debian/patches/systemd-readiness.patch index 3c2c67cda..ae66bee27 100644 --- a/debian/patches/systemd-readiness.patch +++ b/debian/patches/systemd-readiness.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From a7c8a6babe3b4c47fd00bdbefc22fc10d97b9a26 Mon Sep 17 00:00:00 2001 | 1 | From 8eec1f49bed1e85e4534067c4290662b7bcc3f34 Mon Sep 17 00:00:00 2001 |
2 | From: Michael Biebl <biebl@debian.org> | 2 | From: Michael Biebl <biebl@debian.org> |
3 | Date: Mon, 21 Dec 2015 16:08:47 +0000 | 3 | Date: Mon, 21 Dec 2015 16:08:47 +0000 |
4 | Subject: Add systemd readiness notification support | 4 | Subject: Add systemd readiness notification support |
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch index 456944f6b..79536fd47 100644 --- a/debian/patches/user-group-modes.patch +++ b/debian/patches/user-group-modes.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 6f05f80017871238b4e50fc4e09d57d722416743 Mon Sep 17 00:00:00 2001 | 1 | From 4176718757a83a831028f468ff66cedd291c24b9 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:09:58 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:58 +0000 |
4 | Subject: Allow harmless group-writability | 4 | Subject: Allow harmless group-writability |
@@ -46,6 +46,7 @@ | |||
46 | 46 | ||
47 | #include <arpa/inet.h> | 47 | #include <arpa/inet.h> |
48 | 48 | ||
49 | #include <ctype.h> | ||
49 | #include <errno.h> | 50 | #include <errno.h> |
50 | #include <fcntl.h> | 51 | #include <fcntl.h> |
51 | #include <grp.h> | 52 | #include <grp.h> |
@@ -274,6 +275,21 @@ do_authenticated(Authctxt *authctxt) | |||
274 | do_cleanup(authctxt); | 275 | do_cleanup(authctxt); |
275 | } | 276 | } |
276 | 277 | ||
278 | /* Check untrusted xauth strings for metacharacters */ | ||
279 | static int | ||
280 | xauth_valid_string(const char *s) | ||
281 | { | ||
282 | size_t i; | ||
283 | |||
284 | for (i = 0; s[i] != '\0'; i++) { | ||
285 | if (!isalnum((u_char)s[i]) && | ||
286 | s[i] != '.' && s[i] != ':' && s[i] != '/' && | ||
287 | s[i] != '-' && s[i] != '_') | ||
288 | return 0; | ||
289 | } | ||
290 | return 1; | ||
291 | } | ||
292 | |||
277 | /* | 293 | /* |
278 | * Prepares for an interactive session. This is called after the user has | 294 | * Prepares for an interactive session. This is called after the user has |
279 | * been successfully authenticated. During this message exchange, pseudo | 295 | * been successfully authenticated. During this message exchange, pseudo |
@@ -347,7 +363,13 @@ do_authenticated1(Authctxt *authctxt) | |||
347 | s->screen = 0; | 363 | s->screen = 0; |
348 | } | 364 | } |
349 | packet_check_eom(); | 365 | packet_check_eom(); |
350 | success = session_setup_x11fwd(s); | 366 | if (xauth_valid_string(s->auth_proto) && |
367 | xauth_valid_string(s->auth_data)) | ||
368 | success = session_setup_x11fwd(s); | ||
369 | else { | ||
370 | success = 0; | ||
371 | error("Invalid X11 forwarding data"); | ||
372 | } | ||
351 | if (!success) { | 373 | if (!success) { |
352 | free(s->auth_proto); | 374 | free(s->auth_proto); |
353 | free(s->auth_data); | 375 | free(s->auth_data); |
@@ -2178,7 +2200,13 @@ session_x11_req(Session *s) | |||
2178 | s->screen = packet_get_int(); | 2200 | s->screen = packet_get_int(); |
2179 | packet_check_eom(); | 2201 | packet_check_eom(); |
2180 | 2202 | ||
2181 | success = session_setup_x11fwd(s); | 2203 | if (xauth_valid_string(s->auth_proto) && |
2204 | xauth_valid_string(s->auth_data)) | ||
2205 | success = session_setup_x11fwd(s); | ||
2206 | else { | ||
2207 | success = 0; | ||
2208 | error("Invalid X11 forwarding data"); | ||
2209 | } | ||
2182 | if (!success) { | 2210 | if (!success) { |
2183 | free(s->auth_proto); | 2211 | free(s->auth_proto); |
2184 | free(s->auth_data); | 2212 | free(s->auth_data); |
@@ -2,7 +2,7 @@ | |||
2 | 2 | ||
3 | #define SSH_VERSION "OpenSSH_7.2" | 3 | #define SSH_VERSION "OpenSSH_7.2" |
4 | 4 | ||
5 | #define SSH_PORTABLE "p1" | 5 | #define SSH_PORTABLE "p2" |
6 | #define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE | 6 | #define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE |
7 | #ifdef SSH_EXTRAVERSION | 7 | #ifdef SSH_EXTRAVERSION |
8 | #define SSH_RELEASE SSH_RELEASE_MINIMUM " " SSH_EXTRAVERSION | 8 | #define SSH_RELEASE SSH_RELEASE_MINIMUM " " SSH_EXTRAVERSION |