In 2008, Debian (and derived distributions such as Ubuntu) shipped an
OpenSSL package with a flawed random number generator, causing OpenSSH to
generate only a very limited set of keys which were subject to private half
precomputation. To mitigate this, this patch checks key authentications
against a blacklist of known-vulnerable keys, and adds a new ssh-vulnkey
program which can be used to explicitly check keys against that blacklist.
See CVE-2008-0166.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1469
Last-Update: 2013-09-14
Patch-Name: ssh-vulnkey.patch
Rejected upstream due to discomfort with magic usernames; a better approach
will need an SSH protocol change. In the meantime, this came from Debian's
SELinux maintainer, so we'll keep it until we have something better.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
Bug-Debian: http://bugs.debian.org/394795
Last-Update: 2013-09-14
Patch-Name: selinux-role.patch
This patch has been rejected upstream: "None of the OpenSSH developers are
in favour of adding this, and this situation has not changed for several
years. This is not a slight on Simon's patch, which is of fine quality, but
just that a) we don't trust GSSAPI implementations that much and b) we don't
like adding new KEX since they are pre-auth attack surface. This one is
particularly scary, since it requires hooks out to typically root-owned
system resources."
However, quite a lot of people rely on this in Debian, and it's better to
have it merged into the main openssh package rather than having separate
-krb5 packages (as we used to have). It seems to have a generally good
security history.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
Last-Updated: 2013-11-09
Patch-Name: gssapi.patch
[version.h]
openssh-6.4
[contrib/suse/openssh.spec] update version numbers
[auth-options.c auth2-chall.c authfd.c channels.c cipher-3des1.c]
[clientloop.c gss-genr.c monitor_mm.c packet.c schnorr.c umac.c]
[sftp-client.c sftp-glob.c]
use calloc for all structure allocations; from markus@
[monitor_wrap.c]
fix rekeying for AES-GCM modes; ok deraadt
ok dtucker@
until we have configure support.
'j' (intmax_t/uintmax_t) and 'z' (size_t/ssize_t) conversions in case we
start to use them in the future.
[ssh.1 ssh_config.5]
some proxyusefdpass tweaks;
[readconf.c readconf.h ssh_config.5 sshconnect.c]
Add a ssh_config ProxyUseFDPass option that supports the use of
ProxyCommands that establish a connection and then pass a connected
file descriptor back to ssh(1). This allows the ProxyCommand to exit
rather than have to shuffle data back and forth and enables ssh to use
getpeername, etc. to obtain address information just like it does with
regular directly-connected sockets. ok markus@
[scp.1 ssh.1]
some Bx/Ox conversion;
From: Jan Stary
[ssh-keygen.c]
another of the same typo
[ssh-keygen.c]
typo in error message; from Stephan Rickauer
[sftp.c]
enable ctrl-left-arrow and ctrl-right-arrow to move forward/back a word;
matching ksh's relatively recent change.
[sftp-client.c]
two problems found by a to-be-committed regress test: 1) msg_id was not
being initialised so was starting at a random value from the heap
(harmless, but confusing). 2) some error conditions were not being
propagated back to the caller
[sftp.c]
do getopt parsing for all sftp commands (with an empty optstring for
commands without arguments) to ensure consistent behaviour
[sftp-client.c sftp-client.h sftp.c]
add a "-l" flag for the rename command to force it to use the silly
standard SSH_FXP_RENAME command instead of the POSIX-rename-like
posix-rename@openssh.com extension.
intended for use in regress tests, so no documentation.
[sftp.c]
fix two year old regression: symlinking a file would incorrectly
canonicalise the target path. bz#2129 report from delphij AT freebsd.org
[sftp.1 sftp.c]
sort -a;
[servconf.c]
add cast to avoid format warning; from portable
[sftp.1]
document top-level -a option (the -a option to 'get' was already
documented)
[sftp.c]
fix some whitespace at EOL
make list of commands an enum rather than a long list of defines
add -a to usage()
removal. The "make clean" removes modpipe which is built by the top-level
directory before running the tests. Spotted by tim@
mistakenly included in the previous commit.
CLOCK_MONOTONIC...) fails. Some older versions of RHEL have the
CLOCK_MONOTONIC define but don't actually support it. Found and tested
by Kevin Brott, ok djm.
since some platforms (eg really old FreeBSD) don't have it. Instead,
run "make clean" before a complete regress run. ok djm.
for building with older Heimdal versions. ok djm.
blocking connecting socket will clear any stored errno that might
otherwise have been retrievable via getsockopt(). A hack to limit writes
to TTYs on AIX was triggering this. Since only AIX needs the hack, wrap
it in an #ifdef. Diagnosis and patch from Ivo Raisr.
Solaris and UnixWare. Feedback and OK djm@
[contrib/suse/openssh.spec] Update version numbers
[regress/sftp-cmds.sh regress/test-exec.sh]
unbreak sftp-cmds for renamed test data (s/ls/data/)
[regress/forwarding.sh]
Add test for forward config parsing
[regress/test-exec.sh]
use ssh and sshd as testdata since it needs to be >256k for the rekey test
[version.h]
openssh-6.3 for release
[sftp-client.c sftp-client.h sftp.1 sftp.c]
sftp support for resuming partial downloads; patch mostly by Loganaden
Velvindron/AfriNIC with some tweaks by me; feedback and ok dtucker@
[ssh.c]
daemonise backgrounded (ControlPersist'ed) multiplexing master to ensure
it is fully detached from its controlling terminal. based on debugging
[umac.h]
oops, forgot to commit corresponding header change;
spotted by jsg and jasper
[umac.c]
make MAC key, data to be hashed and nonce for final hash const;
checked with -Wcast-qual
[krl.c]
fix verification error in (as-yet unused) KRL signature checking path
[auth-krb5.c gss-serv-krb5.c gss-serv.c]
fix kerberos/GSSAPI deprecation warnings and linking; "looks okay" millert@