summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2014-02-10Partial server keep-alive implementation for SSH1Colin Watson
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1712 Last-Update: 2013-09-14 Patch-Name: ssh1-keepalive.patch
2014-02-10Accept obsolete ssh-vulnkey configuration optionsColin Watson
These options were used as part of Debian's response to CVE-2008-0166. Nearly six years later, we no longer need to continue carrying the bulk of that patch, but we do need to avoid failing when the associated configuration options are still present. Last-Update: 2014-02-09 Patch-Name: ssh-vulnkey-compat.patch
2014-02-10Handle SELinux authorisation rolesManoj Srivastava
Rejected upstream due to discomfort with magic usernames; a better approach will need an SSH protocol change. In the meantime, this came from Debian's SELinux maintainer, so we'll keep it until we have something better. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641 Bug-Debian: http://bugs.debian.org/394795 Last-Update: 2013-09-14 Patch-Name: selinux-role.patch
2014-02-10GSSAPI key exchange supportSimon Wilkinson
This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2014-02-10 Patch-Name: gssapi.patch
2014-02-10Import openssh_6.5p1.orig.tar.gzColin Watson
2014-01-30 - (djm) Release openssh-6.5p1Damien Miller
2014-01-30trim entries prior to openssh-6.0p1Damien Miller
2014-01-30 - (djm) [configure.ac atomicio.c] Kludge around NetBSD offeringDamien Miller
different symbols for 'read' when various compiler flags are in use, causing atomicio.c comparisons against it to break and read/write operations to hang; ok dtucker
2014-01-30 - (djm) [configure.ac] Only check for width-specified integer typesDamien Miller
in headers that actually exist. patch from Tom G. Christensen; ok dtucker@
2014-01-29 - (djm) [configure.ac] Fix broken shell test '==' vs '='; patch fromDamien Miller
Tom G. Christensen
2014-01-28 - (tim) [regress/agent.sh regress/agent-ptrace.sh] Assign $? to a variableTim Rice
when used as an error message inside an if statement so we display the correct into. agent.sh patch from Petr Lautrbach.
2014-01-28 - (djm) [sshd.c] Use kill(0, ...) instead of killpg(0, ...); theDamien Miller
latter being specified to have undefined behaviour in SUSv3; ok dtucker
2014-01-28 - (djm) [configure.ac] Search for inet_ntop in libnsl and libresovl;Damien Miller
ok dtucker
2014-01-27 - (dtucker) [Makefile.in] Remove trailing backslash which some makeDarren Tucker
implementations (eg older Solaris) do not cope with.
2014-01-27Welcome to 2014Darren Tucker
2014-01-26 - (djm) [configure.ac] correct AC_DEFINE for previous.Damien Miller
2014-01-26 - (djm) [configure.ac sandbox-capsicum.c sandbox-rlimit.c] DisableDamien Miller
RLIMIT_NOFILE pseudo-sandbox on FreeBSD. In some configurations, libc will attempt to open additional file descriptors for crypto offload and crash if they cannot be opened.
2014-01-26 - markus@cvs.openbsd.org 2014/01/25 20:35:37Damien Miller
[kex.c] dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len) ok dtucker@, noted by mancha
2014-01-26 - dtucker@cvs.openbsd.org 2014/01/25 10:12:50Damien Miller
[cipher.c cipher.h kex.c kex.h kexgexc.c] Add a special case for the DH group size for 3des-cbc, which has an effective strength much lower than the key size. This causes problems with some cryptlib implementations, which don't support group sizes larger than 4k but also don't use the largest group size it does support as specified in the RFC. Based on a patch from Petr Lautrbach at Redhat, reduced by me with input from Markus. ok djm@ markus@
2014-01-25 - (djm) [configure.ac] autoconf sets finds to 'yes' not '1', so testDamien Miller
against the correct thing.
2014-01-25 - (djm) [configure.ac] Do not attempt to use capsicum sandbox unlessDamien Miller
sys/capability.h exists and cap_rights_limit is in libc. Fixes build on FreeBSD9x which provides the header but not the libc support.
2014-01-25 - (djm) [configure.ac] Fix detection of capsicum sandbox on FreeBSDDamien Miller
2014-01-24 - (djm) [Makefile.in regress/scp-ssh-wrapper.sh regress/scp.sh] MakeDamien Miller
the scp regress test actually test the built scp rather than the one in $PATH. ok dtucker@
2014-01-23 - (dtucker) [configure.ac] NetBSD's (and FreeBSD's) strnvis is gratuitouslyDarren Tucker
incompatible with OpenBSD's despite post-dating it by more than a decade. Declare it as broken, and document FreeBSD's as the same. ok djm@
2014-01-22 - (tim) [session.c] Improve error reporting on set_id().Tim Rice
2014-01-22 - (djm) [configure.ac aclocal.m4] More tests to detect fallout fromDamien Miller
platform hardening options: include some long long int arithmatic to detect missing support functions for -ftrapv in libgcc and equivalents, actually test linking when -ftrapv is supplied and set either both -pie/-fPIE or neither. feedback and ok dtucker@
2014-01-22 - (djm) [configure.ac] Unless specifically requested, only attemptDamien Miller
to build Position Independent Executables on gcc >= 4.x; ok dtucker
2014-01-22 - (djm) [openbsd-compat/setproctitle.c] Don't fail to compile if aDamien Miller
platform that is expected to use the reuse-argv style setproctitle hack surprises us by providing a setproctitle in libc; ok dtucker
2014-01-21 - (djm) [aclocal.m4] Flesh out the code run in the OSSH_CHECK_CFLAG_COMPILEDamien Miller
and OSSH_CHECK_LDFLAG_LINK tests to give them a better chance of detecting toolchain-related problems; ok dtucker
2014-01-20 - (tim) [platform.c session.c] Fix bug affecting SVR5 platforms introducedTim Rice
with sftp chroot support. Move set_id call after chroot.
2014-01-21 - (dtucker) [aclocal.m4] Differentiate between compile-time and link-timeDarren Tucker
tests in the configure output. ok djm.
2014-01-21 - (dtucker) [configure.ac] Make PIE a configure-time option which defaultsDarren Tucker
to on platforms where it's known to be reliably detected and off elsewhere. Works around platforms such as FreeBSD 9.1 where it does not interop with -ftrapv (it seems to work but fails when trying to link ssh). ok djm@
2014-01-20 - (djm) [regress/cert-hostkey.sh] Fix regress failure on platforms thatDamien Miller
skip one or more key types (e.g. RHEL/CentOS 6.5); ok dtucker@
2014-01-20- (dtucker) [gss-serv-krb5.c] Fall back to krb5_cc_gen_new if the KerberosDarren Tucker
implementation does not have krb5_cc_new_unique, similar to what we do in auth-krb5.c.
2014-01-20 - djm@cvs.openbsd.org 2014/01/20 00:08:48Damien Miller
[digest.c] memleak; found by Loganaden Velvindron @ AfriNIC; ok markus@
2014-01-19 - dtucker@cvs.openbsd.org 2014/01/19 11:21:51Darren Tucker
[addrmatch.c] Cast the sizeof to socklen_t so it'll work even if the supplied len is negative. Suggested by and ok djm, ok deraadt.
2014-01-19 - djm@cvs.openbsd.org 2014/01/19 04:48:08Darren Tucker
[ssh_config.5] fix inverted meaning of 'no' and 'yes' for CanonicalizeFallbackLocal
2014-01-19 - dtucker@cvs.openbsd.org 2014/01/19 04:17:29Darren Tucker
[canohost.c addrmatch.c] Cast socklen_t when comparing to size_t and use socklen_t to iterate over the ip options, both to prevent signed/unsigned comparison warnings. Patch from vinschen at redhat via portable openssh, begrudging ok deraadt.
2014-01-19 - dtucker@cvs.openbsd.org 2014/01/18 09:36:26Darren Tucker
[session.c] explicitly define USE_PIPES to 1 to prevent redefinition warnings in portable on platforms that use pipes for everything. From redhat @ redhat.
2014-01-19 - dtucker@cvs.openbsd.org 2014/01/17 06:23:24Darren Tucker
[sftp-server.c] fix log message statvfs. ok djm
2014-01-18 - (dtucker) [sandbox-capsicum.c] Correct some error messages and make theDarren Tucker
return value check for cap_enter() consistent with the other uses in FreeBSD. From by Loganaden Velvindron @ AfriNIC via bz#2140.
2014-01-18 - (dtucker) [configure.ac] On Cygwin the getopt variables (like optargs,Darren Tucker
optind) are defined in getopt.h already. Unfortunately they are defined as "declspec(dllimport)" for historical reasons, because the GNU linker didn't allow auto-import on PE/COFF targets way back when. The problem is the dllexport attributes collide with the definitions in the various source files in OpenSSH, which obviousy define the variables without declspec(dllimport). The least intrusive way to get rid of these warnings is to disable warnings for GCC compiler attributes when building on Cygwin. Patch from vinschen at redhat.com.
2014-01-18 - (dtucker) [openbsd-compat/bsd-cygwin_util.h] Add missing functionDarren Tucker
declarations that stopped being included when we stopped including <windows.h> from openbsd-compat/bsd-cygwin_util.h. Patch from vinschen at redhat.com.
2014-01-18 - (dtucker) [uidswap.c] Prevent unused variable warnings on Cygwin. PatchDarren Tucker
from vinschen at redhat.com
2014-01-18 - (dtucker) [defines.h] Move our definitions of uintXX_t types down to afterDarren Tucker
they're defined if we have to define them ourselves. Fixes builds on old AIX.
2014-01-18 - (dtucker) [readconf.c] Wrap paths.h inside an ifdef. Allows building onDarren Tucker
Solaris.
2014-01-17 - (dtucker) [configure.ac] Have --without-toolchain-hardening not turn offDarren Tucker
stack-protector since that has a separate flag that's been around a while.
2014-01-17 - (dtucker) [configure.ac] Also look in inttypes.h for uintXX_t types.Darren Tucker
2014-01-17 - (dtucker) [openbsd-compat/bsd-statvfs.h] Only start including headers if weDarren Tucker
need them to cut down on the name collisions.
2014-01-17 - (dtucker) [configure.ac openbsd-compat/bsd-statvfs.cDarren Tucker
openbsd-compat/bsd-statvfs.h] Implement enough of statvfs on top of statfs to be useful (and for the regression tests to pass) on platforms that have statfs and fstatfs. ok djm@