From 58d1f877a2337cdfa96a862eadb933da0dffdd35 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sat, 27 Feb 2010 20:40:41 +0000 Subject: DEP-3 tagging of autotools, SELinux, key blacklisting, and keepalive patches --- debian/patches/config-guess-sub.patch | 5 +++++ debian/patches/keepalive-extensions.patch | 16 ++++++++++++++++ debian/patches/selinux-autoconf.patch | 13 +++++++++++++ debian/patches/selinux-fix-chroot-directory.patch | 9 +++++++++ debian/patches/selinux-role.patch | 9 +++++++++ debian/patches/ssh-vulnkey.patch | 12 ++++++++++++ debian/patches/ssh1-keepalive.patch | 5 +++++ 7 files changed, 69 insertions(+) diff --git a/debian/patches/config-guess-sub.patch b/debian/patches/config-guess-sub.patch index d5c016b87..b0a0ada81 100644 --- a/debian/patches/config-guess-sub.patch +++ b/debian/patches/config-guess-sub.patch @@ -1,3 +1,8 @@ +Description: Update config.guess and config.sub from autotools-dev 20090611.1 +From: Bradley Smith +Bug-Debian: http://bugs.debian.org/538301 +Last-Update: 2010-02-27 + Index: b/config.guess =================================================================== --- a/config.guess diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch index cb9c2823c..1bfc9c798 100644 --- a/debian/patches/keepalive-extensions.patch +++ b/debian/patches/keepalive-extensions.patch 
@@ -1,3 +1,19 @@ +Description: Various keepalive extensions + Add compatibility aliases for ProtocolKeepAlives and SetupTimeOut, + supported in previous versions of Debian's OpenSSH package but since + superseded by ServerAliveInterval. (We're probably stuck with this bit for + compatibility.) + . + In batch mode, default ServerAliveInterval to five minutes. + . + Adjust documentation to match and to give some more advice on use of + keepalives. +Author: Richard Kettlewell +Author: Ian Jackson +Author: Matthew Vernon +Author: Colin Watson +Last-Update: 2010-02-27 + Index: b/readconf.c =================================================================== --- a/readconf.c diff --git a/debian/patches/selinux-autoconf.patch b/debian/patches/selinux-autoconf.patch index 934f885c8..9ac4cd435 100644 --- a/debian/patches/selinux-autoconf.patch +++ b/debian/patches/selinux-autoconf.patch @@ -1,3 +1,16 @@ +Description: Fix seusers detection at configure time + configure didn't add -lselinux to LIBS before it checked for the existence + of getseuserbyname and get_default_context_with_level. This resulted in + seusers configuration not being handled correctly. Most policies use the + seusers feature, and without it login security contexts will not be + correct. +Author: Caleb Case +Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1713 +Bug-Debian: http://bugs.debian.org/465614 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/188136 +Reviewed-by: Colin Watson +Last-Update: 2010-02-27 + Index: b/configure =================================================================== --- a/configure diff --git a/debian/patches/selinux-fix-chroot-directory.patch b/debian/patches/selinux-fix-chroot-directory.patch index a69ded59b..5c7c3c4a9 100644 --- a/debian/patches/selinux-fix-chroot-directory.patch +++ b/debian/patches/selinux-fix-chroot-directory.patch 
@@ -1,3 +1,12 @@ +Description: Make ChrootDirectory work with SELinux + After chroot() is called the SE Linux context setting won't work unless + /selinux and /proc are mounted in the chroot environment. Even worse, if + the user has control over the chroot environment then they may be able to + control the context that they get (I haven't verified this). +Author: Russell Coker +Bug-Debian: http://bugs.debian.org/556644 +Last-Update: 2010-02-27 + Index: b/session.c =================================================================== --- a/session.c diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch index 5e2a9ecb6..ab343b083 100644 --- a/debian/patches/selinux-role.patch +++ b/debian/patches/selinux-role.patch @@ -1,3 +1,12 @@ +Description: Handle SELinux authorisation roles + Rejected upstream due to discomfort with magic usernames; a better approach + will need an SSH protocol change. In the meantime, this came from Debian's + SELinux maintainer, so we'll keep it until we have something better. +Author: Manoj Srivastava +Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641 +Bug-Debian: http://bugs.debian.org/394795 +Last-Update: 2010-02-27 + Index: b/auth.h =================================================================== --- a/auth.h diff --git a/debian/patches/ssh-vulnkey.patch b/debian/patches/ssh-vulnkey.patch index 3e4e96493..b33315677 100644 --- a/debian/patches/ssh-vulnkey.patch +++ b/debian/patches/ssh-vulnkey.patch 
@@ -1,3 +1,15 @@ +Description: Reject vulnerable keys to mitigate Debian OpenSSL flaw + In 2008, Debian (and derived distributions such as Ubuntu) shipped an + OpenSSL package with a flawed random number generator, causing OpenSSH to + generate only a very limited set of keys which were subject to private half + precomputation. To mitigate this, this patch checks key authentications + against a blacklist of known-vulnerable keys, and adds a new ssh-vulnkey + program which can be used to explicitly check keys against that blacklist. + See CVE-2008-0166. +Author: Colin Watson +Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1469 +Last-Update: 2010-02-27 + Index: b/Makefile.in =================================================================== --- a/Makefile.in diff --git a/debian/patches/ssh1-keepalive.patch b/debian/patches/ssh1-keepalive.patch index 37b8052eb..c82563033 100644 --- a/debian/patches/ssh1-keepalive.patch +++ b/debian/patches/ssh1-keepalive.patch @@ -1,3 +1,8 @@ +Description: Partial server keep-alive implementation for SSH1 +Author: Colin Watson +Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1712 +Last-Update: 2010-02-27 + Index: b/clientloop.c =================================================================== --- a/clientloop.c -- cgit v1.2.3
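Review bot: In the config-guess-sub.patch hunk the attribution is written as `From: Bradley Smith` while the other six headers in this commit use `Author:`; DEP-3 accepts `From` as an alias, but mixing the two across one patch series makes the headers harder to scan and to check mechanically, so use `Author:` here as well. A `Forwarded: not-needed` line would also record that a config.guess/config.sub refresh taken from autotools-dev has nothing to send upstream.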
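Review bot: The keepalive-extensions.patch hunk has no `Forwarded:` field, and the only hint about upstream status is the aside "(We're probably stuck with this bit for compatibility.)"; because the ProtocolKeepAlives and SetupTimeOut aliases are Debian-specific compatibility behaviour, add `Forwarded: not-needed` so the status does not have to be inferred from prose. The line "In batch mode, default ServerAliveInterval to five minutes." changes a connection-liveness default for every batch-mode client, so a few words on why five minutes was chosen belong in the long description.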
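Review bot: The selinux-fix-chroot-directory.patch hunk carries an unverified statement in a permanent header ("the user ... may be able to control the context that they get (I haven't verified this)"); either state what the patched session.c actually guarantees after chroot() or drop the speculation. The header also has neither `Bug:` nor `Forwarded:`, so DEP-3 readers will take it as not forwarded; add an explicit `Forwarded:` value for a patch that touches the security context of chrooted sessions.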
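Review bot: In the ssh-vulnkey.patch hunk the identifier CVE-2008-0166 appears only as the last sentence of the long description ("See CVE-2008-0166."); since this is the one patch in the set that mitigates a tracked vulnerability, put the identifier in the summary line as well, e.g. "Description: Reject vulnerable keys to mitigate Debian OpenSSL flaw (CVE-2008-0166)", so header scanners and changelog tooling pick it up. The phrase "keys which were subject to private half precomputation" would read more plainly as "keys whose private halves could be precomputed".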
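Review bot: The ssh1-keepalive.patch hunk is the only header here with a bare one-line `Description: Partial server keep-alive implementation for SSH1` and no long description; "Partial" is left unexplained, so add a continuation line stating which part of keep-alive handling is implemented for protocol 1 and what is deliberately left out, as the other headers in this commit do for their patches.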