| Age | Commit message (Collapse) | Author |
|---|
|
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1712
Last-Update: 2013-09-14
Patch-Name: ssh1-keepalive.patch
|
|
These options were used as part of Debian's response to CVE-2008-0166.
Nearly six years later, we no longer need to continue carrying the bulk
of that patch, but we do need to avoid failing when the associated
configuration options are still present.
Last-Update: 2014-02-09
Patch-Name: ssh-vulnkey-compat.patch
|
|
Rejected upstream due to discomfort with magic usernames; a better approach
will need an SSH protocol change. In the meantime, this came from Debian's
SELinux maintainer, so we'll keep it until we have something better.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
Bug-Debian: http://bugs.debian.org/394795
Last-Update: 2013-09-14
Patch-Name: selinux-role.patch
|
|
Support for TCP wrappers was dropped in OpenSSH 6.7. See this message
and thread:
https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html
It is true that this reduces preauth attack surface in sshd. On the
other hand, this support seems to be quite widely used, and abruptly
dropping it (from the perspective of users who don't read
openssh-unix-dev) could easily cause more serious problems in practice.
It's not entirely clear what the right long-term answer for Debian is,
but it at least probably doesn't involve dropping this feature shortly
before a freeze.
Forwarded: not-needed
Last-Update: 2014-10-07
Patch-Name: restore-tcp-wrappers.patch
|
|
This patch has been rejected upstream: "None of the OpenSSH developers are
in favour of adding this, and this situation has not changed for several
years. This is not a slight on Simon's patch, which is of fine quality, but
just that a) we don't trust GSSAPI implementations that much and b) we don't
like adding new KEX since they are pre-auth attack surface. This one is
particularly scary, since it requires hooks out to typically root-owned
system resources."
However, quite a lot of people rely on this in Debian, and it's better to
have it merged into the main openssh package rather than having separate
-krb5 packages (as we used to have). It seems to have a generally good
security history.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
Last-Updated: 2014-10-07
Patch-Name: gssapi.patch
|
|
|
|
|
|
|
|
|
|
[openbsd-compat/openbsd-compat.h] Kludge around bad glibc
_FORTIFY_SOURCE check that doesn't grok heap-allocated fd_sets;
ok dtucker@
|
|
patch from Felix von Leitner; ok dtucker
|
|
- (dtucker) [INSTALL] Update info about egd. ok djm@
|
|
|
|
permissions/ACLs; from Corinna Vinschen
|
|
conditionalise to avoid duplicate definition.
|
|
|
|
|
|
|
|
OPENSSL_[RD]SA_MAX_MODULUS_BITS defines for OpenSSL that lacks them
|
|
using memset_s() where possible; improve fallback to indirect bzero
via a volatile pointer to give it more of a chance to avoid being
optimised away.
|
|
monitor, not preauth; bz#2263
|
|
[regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c]
[regress/unittests/sshkey/common.c]
[regress/unittests/sshkey/test_file.c]
[regress/unittests/sshkey/test_fuzz.c]
[regress/unittests/sshkey/test_sshkey.c] Don't include openssl/ec.h
on !ECC OpenSSL systems
|
|
update OpenSSL version requirement.
|
|
|
|
PR_SET_DUMPABLE, so adjust ifdef; reported by Tom Christensen
|
|
just for systems that lack asprintf); check for it always and extend
test to catch more brokenness. Fixes builds on Solaris <= 9
|
|
lastlog writing on platforms with high UIDs; bz#2263
|
|
|
|
definition mismatch) and warning for broken/missing snprintf case.
|
|
|
|
number; fixes test for unsupported versions
|
|
don't set __progname. Diagnosed by Tom Christensen.
|
|
|
|
|
|
|
|
|
|
-L/-l; fixes linking problems on some platforms
|
|
suggested by Kevin Brott
|
|
[contrib/redhat/openssh.spec contrib/suse/openssh.spec] Remove mentions
of TCP wrappers.
|
|
|
|
|
|
HAVE_EVP_SHA256 instead of OPENSSL_HAS_ECC.
|
|
|
|
[contrib/redhat/openssh.spec contrib/suse/openssh.spec] Update versions
|
|
nc from stdin, it's more portable
|
|
is closed; avoid regress failures when stdin is /dev/null
|
|
a better solution, but this will have to do for now.
|
|
[sftp-server.8 sshd_config.5]
some systems no longer need /dev/log;
issue noticed by jirib;
ok deraadt
|
|
[ssh-agent.c]
Clear buffer used for handling messages. This prevents keys being
left in memory after they have been expired or deleted in some cases
(but note that ssh-agent is setgid so you would still need root to
access them). Pointed out by Kevin Burns, ok deraadt
|
|
- millert@cvs.openbsd.org 2014/07/24 22:57:10
[ssh.1]
Mention UNIX-domain socket forwarding too. OK jmc@ deraadt@
|
