-rw-r--r--debian/.git-dpm4
-rw-r--r--debian/changelog8
-rw-r--r--debian/patches/conch-old-privkey-format.patch2
-rw-r--r--debian/patches/revert-ipqos-defaults.patch2
-rw-r--r--debian/patches/seccomp-s390-flock-ipc.patch47
-rw-r--r--debian/patches/series1
-rw-r--r--sandbox-seccomp-filter.c6
7 files changed, 12 insertions, 58 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm
index 422e4036b..261adc808 100644
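--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-660f35293504f04d744d2d6ab6276a83fff305a3
-660f35293504f04d744d2d6ab6276a83fff305a3
+cfa01c635debb10e05f5ac34d269809c77c582dc
+cfa01c635debb10e05f5ac34d269809c77c582dc
 4213eec74e74de6310c27a40c3e9759a08a73996
 4213eec74e74de6310c27a40c3e9759a08a73996
 openssh_8.1p1.orig.tar.gz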
diff --git a/debian/changelog b/debian/changelog
index 53ad2d699..4a3c8e3f4 100644
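--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+openssh (1:8.1p1-2) UNRELEASED; urgency=medium
+
+ * Drop "Allow flock and ipc syscall for s390 architecture" patch for now;
+ upstream has security concerns with it and it doesn't currently seem to
+ be needed.
+
+ -- Colin Watson <cjwatson@debian.org> Tue, 22 Oct 2019 11:08:23 +0100
+
 openssh (1:8.1p1-1) unstable; urgency=medium
 
  * New upstream release (https://www.openssh.com/txt/release-8.1):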
diff --git a/debian/patches/conch-old-privkey-format.patch b/debian/patches/conch-old-privkey-format.patch
index 25c16526b..e018ac639 100644
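--- a/debian/patches/conch-old-privkey-format.patch
+++ b/debian/patches/conch-old-privkey-format.patch
@@ -1,4 +1,4 @@
-From 46352085d71fe406537828a1cee3c2ce896eccb9 Mon Sep 17 00:00:00 2001
+From bbce4380e516e8bfed1ae09af0bc3661e427794a Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Thu, 30 Aug 2018 00:58:56 +0100
 Subject: Work around conch interoperability failure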
diff --git a/debian/patches/revert-ipqos-defaults.patch b/debian/patches/revert-ipqos-defaults.patch
index 844b736d7..7fdfe246c 100644
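--- a/debian/patches/revert-ipqos-defaults.patch
+++ b/debian/patches/revert-ipqos-defaults.patch
@@ -1,4 +1,4 @@
-From 660f35293504f04d744d2d6ab6276a83fff305a3 Mon Sep 17 00:00:00 2001
+From cfa01c635debb10e05f5ac34d269809c77c582dc Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Mon, 8 Apr 2019 10:46:29 +0100
 Subject: Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP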
diff --git a/debian/patches/seccomp-s390-flock-ipc.patch b/debian/patches/seccomp-s390-flock-ipc.patch
deleted file mode 100644
index aaefa9ed4..000000000
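--- a/debian/patches/seccomp-s390-flock-ipc.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From cfc30ca51eba79f9f725c22528e3bfec036aa927 Mon Sep 17 00:00:00 2001
-From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
-Date: Tue, 9 May 2017 10:53:04 -0300
-Subject: Allow flock and ipc syscall for s390 architecture
-
-In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock
-and ipc calls, because this engine calls OpenCryptoki (a PKCS#11
-implementation) which calls the libraries that will communicate with the
-crypto cards. OpenCryptoki makes use of flock and ipc and, as of now,
-this is only need on s390 architecture.
-
-Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
-
-Origin: other, https://bugzilla.mindrot.org/show_bug.cgi?id=2752
-Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2752
-Bug-Ubuntu: https://bugs.launchpad.net/bugs/1686618
-Last-Update: 2018-10-19
-
-Patch-Name: seccomp-s390-flock-ipc.patch
----
- sandbox-seccomp-filter.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index b5cda70bb..2f6b0d55b 100644
---- a/sandbox-seccomp-filter.c
-+++ b/sandbox-seccomp-filter.c
-@@ -194,6 +194,9 @@ static const struct sock_filter preauth_insns[] = {
- #ifdef __NR_exit_group
- SC_ALLOW(__NR_exit_group),
- #endif
-+#if defined(__NR_flock) && defined(__s390__)
-+ SC_ALLOW(__NR_flock),
-+#endif
- #ifdef __NR_futex
- SC_ALLOW(__NR_futex),
- #endif
-@@ -221,6 +224,9 @@ static const struct sock_filter preauth_insns[] = {
- #ifdef __NR_getuid32
- SC_ALLOW(__NR_getuid32),
- #endif
-+#if defined(__NR_ipc) && defined(__s390__)
-+ SC_ALLOW(__NR_ipc),
-+#endif
- #ifdef __NR_madvise
- SC_ALLOW(__NR_madvise),
- #endif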
diff --git a/debian/patches/series b/debian/patches/series
index 74cdd2ce3..8c1046a74 100644
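--- a/debian/patches/series
+++ b/debian/patches/series
@@ -21,6 +21,5 @@ gnome-ssh-askpass2-icon.patch
 systemd-readiness.patch
 debian-config.patch
 restore-authorized_keys2.patch
-seccomp-s390-flock-ipc.patch
 conch-old-privkey-format.patch
 revert-ipqos-defaults.patch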
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 2f6b0d55b..b5cda70bb 100644
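--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -194,9 +194,6 @@ static const struct sock_filter preauth_insns[] = {
 #ifdef __NR_exit_group
  SC_ALLOW(__NR_exit_group),
 #endif
-#if defined(__NR_flock) && defined(__s390__)
- SC_ALLOW(__NR_flock),
-#endif
 #ifdef __NR_futex
  SC_ALLOW(__NR_futex),
 #endif
@@ -224,9 +221,6 @@ static const struct sock_filter preauth_insns[] = {
 #ifdef __NR_getuid32
  SC_ALLOW(__NR_getuid32),
 #endif
-#if defined(__NR_ipc) && defined(__s390__)
- SC_ALLOW(__NR_ipc),
-#endif
 #ifdef __NR_madvise
  SC_ALLOW(__NR_madvise),
 #endif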