Diffstat (limited to 'openssh.spec')
-rw-r--r--openssh.spec536
1 files changed, 314 insertions, 222 deletions
diff --git a/openssh.spec b/openssh.spec
index 7839045..c87d68a 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -6,10 +6,10 @@
%{?no_gtk2:%global gtk2 0}
%global sshd_uid 74
-%global openssh_release 2.1
+%global openssh_release 31
Name: openssh
-Version: 9.3p1
+Version: 8.8p1
Release: %{openssh_release}
URL: http://www.openssh.com/portable.html
License: BSD
@@ -18,86 +18,120 @@ Summary: An open source implementation of SSH protocol version 2
Source0: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
Source1: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
Source2: sshd.pam
-Source3: http://prdownloads.sourceforge.net/pamsshagentauth/pam_ssh_agent_auth/pam_ssh_agent_auth-0.10.4.tar.gz
-Source4: pam_ssh_agent-rmheaders
-Source5: ssh-keycat.pam
-Source6: sshd.sysconfig
-Source7: sshd@.service
-Source8: sshd.socket
-Source9: sshd.service
-Source10: sshd-keygen@.service
-Source11: sshd-keygen
-Source12: sshd.tmpfiles
-Source13: sshd-keygen.target
-Source14: ssh-agent.service
-Source15: ssh-agent.socket
-Source16: ssh-keygen-bash-completion.sh
-Patch0: openssh-6.7p1-coverity.patch
-Patch1: openssh-7.6p1-audit.patch
-Patch2: openssh-7.1p2-audit-race-condition.patch
-Patch3: pam_ssh_agent_auth-0.9.3-build.patch
-Patch4: pam_ssh_agent_auth-0.10.3-seteuid.patch
-Patch5: pam_ssh_agent_auth-0.9.2-visibility.patch
-Patch6: pam_ssh_agent_auth-0.9.3-agent_structure.patch
-Patch7: pam_ssh_agent_auth-0.10.2-compat.patch
-Patch8: pam_ssh_agent_auth-0.10.2-dereference.patch
-Patch9: pam_ssh_agent_auth-0.10.4-rsasha2.patch
-Patch10: pam_ssh_agent-configure-c99.patch
-Patch11: openssh-7.8p1-role-mls.patch
-Patch12: openssh-6.6p1-privsep-selinux.patch
-Patch14: openssh-6.6p1-keycat.patch
-Patch15: openssh-6.6p1-allow-ip-opts.patch
-Patch17: openssh-5.9p1-ipv6man.patch
-Patch18: openssh-5.8p2-sigpipe.patch
-Patch19: openssh-7.2p2-x11.patch
-Patch21: openssh-5.1p1-askpass-progress.patch
-Patch22: openssh-4.3p2-askpass-grab-info.patch
-Patch23: openssh-7.7p1.patch
-Patch24: openssh-7.8p1-UsePAM-warning.patch
-Patch28: openssh-8.0p1-gssapi-keyex.patch
-Patch29: openssh-6.6p1-force_krb.patch
-Patch30: openssh-6.6p1-GSSAPIEnablek5users.patch
-Patch31: openssh-7.7p1-gssapi-new-unique.patch
-Patch32: openssh-7.2p2-k5login_directory.patch
-Patch33: openssh-6.6p1-kuserok.patch
-Patch34: openssh-6.4p1-fromto-remote.patch
-Patch35: openssh-6.6.1p1-selinux-contexts.patch
-Patch36: openssh-6.6.1p1-log-in-chroot.patch
-Patch37: openssh-6.6.1p1-scp-non-existing-directory.patch
-Patch38: openssh-6.8p1-sshdT-output.patch
-Patch39: openssh-6.7p1-sftp-force-permission.patch
-Patch40: openssh-7.2p2-s390-closefrom.patch
-Patch41: openssh-7.3p1-x11-max-displays.patch
-Patch42: openssh-7.4p1-systemd.patch
-Patch43: openssh-7.6p1-cleanup-selinux.patch
-Patch44: openssh-7.5p1-sandbox.patch
-Patch45: openssh-8.0p1-pkcs11-uri.patch
-Patch46: openssh-7.8p1-scp-ipv6.patch
-Patch48: openssh-8.0p1-crypto-policies.patch
-Patch49: openssh-9.3p1-merged-openssl-evp.patch
-Patch50: openssh-8.0p1-openssl-kdf.patch
-Patch51: openssh-8.2p1-visibility.patch
-Patch52: openssh-8.2p1-x11-without-ipv6.patch
-Patch53: openssh-8.0p1-keygen-strip-doseol.patch
-Patch54: openssh-8.0p1-preserve-pam-errors.patch
-Patch55: openssh-8.7p1-scp-kill-switch.patch
-Patch56: openssh-8.7p1-recursive-scp.patch
-Patch57: openssh-8.7p1-minrsabits.patch
-Patch58: openssh-8.7p1-ibmca.patch
-Patch60: openssh-8.7p1-ssh-manpage.patch
-Patch61: openssh-8.7p1-negotiate-supported-algs.patch
-Patch65: openssh-9.3p1-upstream-cve-2023-38408.patch
-Patch66: bugfix-sftp-when-parse_user_host_path-empty-path-should-be-allowed.patch
-Patch67: bugfix-openssh-add-option-check-username-splash.patch
-Patch68: feature-openssh-7.4-hima-sftpserver-oom-and-fix.patch
-Patch69: bugfix-openssh-fix-sftpserver.patch
-Patch70: set-sshd-config.patch
-Patch71: feature-add-SMx-support.patch
-Patch72: add-loongarch.patch
-Patch73: openssh-Add-sw64-architecture.patch
+Source4: http://prdownloads.sourceforge.net/pamsshagentauth/pam_ssh_agent_auth/pam_ssh_agent_auth-0.10.4.tar.gz
+Source5: pam_ssh_agent-rmheaders
+Source6: ssh-keycat.pam
+Source7: sshd.sysconfig
+Source9: sshd@.service
+Source10: sshd.socket
+Source11: sshd.service
+Source12: sshd-keygen@.service
+Source13: sshd-keygen
+Source14: sshd.tmpfiles
+Source15: sshd-keygen.target
+Source16: ssh-agent.service
+Source17: ssh-keygen-bash-completion.sh
+Patch0: backport-openssh-6.7p1-coverity.patch
+Patch1: backport-openssh-7.6p1-audit.patch
+Patch2: backport-openssh-7.1p2-audit-race-condition.patch
+Patch3: backport-pam_ssh_agent_auth-0.9.3-build.patch
+Patch4: backport-pam_ssh_agent_auth-0.10.3-seteuid.patch
+Patch5: backport-pam_ssh_agent_auth-0.9.2-visibility.patch
+Patch6: backport-pam_ssh_agent_auth-0.9.3-agent_structure.patch
+Patch7: backport-pam_ssh_agent_auth-0.10.2-compat.patch
+Patch8: backport-pam_ssh_agent_auth-0.10.2-dereference.patch
+Patch9: backport-openssh-7.8p1-role-mls.patch
+Patch10: backport-openssh-6.6p1-privsep-selinux.patch
+Patch12: backport-openssh-6.6p1-keycat.patch
+Patch13: backport-openssh-6.6p1-allow-ip-opts.patch
+Patch14: backport-openssh-6.6p1-keyperm.patch
+Patch15: backport-openssh-5.9p1-ipv6man.patch
+Patch16: backport-openssh-5.8p2-sigpipe.patch
+Patch17: backport-openssh-7.2p2-x11.patch
+Patch18: backport-openssh-7.7p1-fips.patch
+Patch19: backport-openssh-5.1p1-askpass-progress.patch
+Patch20: backport-openssh-4.3p2-askpass-grab-info.patch
+Patch21: backport-openssh-7.7p1.patch
+Patch22: backport-openssh-7.8p1-UsePAM-warning.patch
+Patch23: backport-openssh-6.3p1-ctr-evp-fast.patch
+Patch26: backport-openssh-8.0p1-gssapi-keyex.patch
+Patch27: backport-openssh-6.6p1-force_krb.patch
+Patch28: backport-openssh-6.6p1-GSSAPIEnablek5users.patch
+Patch29: backport-openssh-7.7p1-gssapi-new-unique.patch
+Patch30: backport-openssh-7.2p2-k5login_directory.patch
+Patch31: backport-openssh-6.6p1-kuserok.patch
+Patch32: backport-openssh-6.4p1-fromto-remote.patch
+Patch33: backport-openssh-6.6.1p1-selinux-contexts.patch
+Patch34: backport-openssh-6.6.1p1-log-in-chroot.patch
+Patch35: backport-openssh-6.6.1p1-scp-non-existing-directory.patch
+Patch36: backport-openssh-6.8p1-sshdT-output.patch
+Patch37: backport-openssh-6.7p1-sftp-force-permission.patch
+Patch38: backport-openssh-7.2p2-s390-closefrom.patch
+Patch39: backport-openssh-7.3p1-x11-max-displays.patch
+Patch40: backport-openssh-7.4p1-systemd.patch
+Patch41: backport-openssh-7.6p1-cleanup-selinux.patch
+Patch42: backport-openssh-7.5p1-sandbox.patch
+Patch43: backport-openssh-8.0p1-pkcs11-uri.patch
+Patch44: backport-openssh-7.8p1-scp-ipv6.patch
+Patch46: backport-openssh-8.0p1-crypto-policies.patch
+Patch47: backport-openssh-8.0p1-openssl-evp.patch
+Patch48: backport-openssh-8.0p1-openssl-kdf.patch
+Patch49: backport-openssh-8.2p1-visibility.patch
+Patch50: backport-openssh-8.2p1-x11-without-ipv6.patch
+Patch51: backport-openssh-8.0p1-keygen-strip-doseol.patch
+Patch53: backport-openssh-8.7p1-scp-kill-switch.patch
+Patch54: bugfix-sftp-when-parse_user_host_path-empty-path-should-be-allowed.patch
+Patch55: bugfix-openssh-6.6p1-log-usepam-no.patch
+Patch56: bugfix-openssh-add-option-check-username-splash.patch
+Patch57: feature-openssh-7.4-hima-sftpserver-oom-and-fix.patch
+Patch58: bugfix-openssh-fix-sftpserver.patch
+Patch59: set-sshd-config.patch
+Patch60: backport-fix-possible-NULL-deref-when-built-without-FIDO.patch
+Patch61: feature-add-SMx-support.patch
+Patch62: backport-upstream-a-little-extra-debugging.patch
+Patch63: backport-upstream-better-debugging-for-connect_next.patch
+Patch64: openssh-Add-sw64-architecture.patch
+Patch65: add-loongarch.patch
+Patch66: backport-upstream-if-sshpkt-functions-fail-then-password-is-n.patch
+Patch67: backport-upstream-Make-sure-not-to-fclose-the-same-fd-twice-i.patch
+Patch68: backport-upstream-Donot-attempt-to-fprintf-a-null-identity-co.patch
+Patch69: backport-upstream-ignore-SIGPIPE-earlier-in-main-specifically.patch
+Patch70: backport-upstream-Always-return-allocated-strings-from-the-ke.patch
+Patch71: backport-Don-t-leak-the-strings-allocated-by-order_h.patch
+Patch72: backport-Return-ERANGE-from-getcwd-if-buffer-size-is-1.patch
+Patch73: backport-upstream-double-free-in-error-path-from-Eusgor-via-G.patch
Patch74: add-strict-scp-check-for-CVE-2020-15778.patch
-Patch75: skip-scp-test-if-there-is-no-scp-on-remote-path-as-s.patch
-Patch77: set-ssh-config.patch
+Patch75: backport-upstream-ssh-keygen-Y-check-novalidate-requires-name.patch
+Patch76: backport-upstream-avoid-integer-overflow-of-auth-attempts-har.patch
+Patch77: backport-Skip-scp3-test-if-there-s-no-scp-on-remote-path.patch
+Patch78: skip-scp-test-if-there-is-no-scp-on-remote-path-as-s.patch
+Patch79: backport-upstream-CVE-2023-25136-fix-double-free-caused.patch
+Patch80: set-ssh-config.patch
+Patch81: backport-upstream-honour-user-s-umask-if-it-is-more-restricti.patch
+Patch82: backport-upstream-use-correct-type-with-sizeof-ok-djm.patch
+Patch83: backport-Defer-seed_rng-until-after-closefrom-call.patch
+Patch84: backport-upstream-Handle-dynamic-remote-port-forwarding-in-es.patch
+Patch85: backport-upstream-The-idiomatic-way-of-coping-with-signed-cha.patch
+Patch86: backport-upstream-Clear-signal-mask-early-in-main-sshd-may-ha.patch
+Patch87: backport-upstream-fix-bug-in-PermitRemoteOpen-which-caused-it.patch
+Patch88: backport-upstream-regression-test-for-PermitRemoteOpen.patch
+Patch89: backport-upstream-Copy-bytes-from-the_banana-rather-than-bana.patch
+Patch90: backport-upstream-When-OpenSSL-is-not-available-skip-parts-of.patch
+Patch91: backport-don-t-test-IPv6-addresses-if-platform-lacks-support.patch
+Patch92: backport-upstream-avoid-printf-s-NULL-if-using-ssh.patch
+Patch93: backport-upstream-Add-scp-s-path-to-test-sshd-s-PATH.patch
+Patch94: backport-upstream-Instead-of-skipping-the-all-tokens-test-if-.patch
+Patch95: backport-upstream-Shell-syntax-fix.-From-ren-mingshuai-vi-git.patch
+Patch96: backport-Allow-writev-is-seccomp-sandbox.patch
+Patch97: backport-upstream-Ensure-that-there-is-a-terminating-newline-.patch
+Patch98: backport-upstream-test-compat_kex_proposal-by-dtucker.patch
+Patch99: backport-adapt-compat_kex_proposal-test-to-portable.patch
+Patch100: backport-fix-CVE-2023-38408-upstream-terminate-process.patch
+Patch101: backport-upstream-In-channel_request_remote_forwarding-the-pa.patch
+Patch102: backport-CVE-2023-51385-upstream-ban-user-hostnames-with-most-shell-metachar.patch
+Patch103: backport-CVE-2023-48795.patch
+Patch104: fix-memory-leak-in-kex-exchange.patch
+Patch105: backport-fix-CVE-2024-6387.patch
Requires: /sbin/nologin
Requires: libselinux >= 2.3-5 audit-libs >= 1.0.8
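Review bot: `Source4` points at a plain `http://` SourceForge URL for the pam_ssh_agent_auth tarball, and unlike `Source0`, which has a detached signature in `Source1`, this hunk declares no signature or checksum for it. If the tarball is ever fetched from that URL rather than taken from the package repository, nothing visible here protects it from tampering in transit. Switching the scheme to `https://` and adding a comment above the line that records the expected SHA-256 of `pam_ssh_agent_auth-0.10.4.tar.gz` would close that gap. As a style point, the Source numbering now skips 3 and 8 and the Patch numbering skips 11, 24, 25, 45 and 52; a one-line comment saying the gaps are intentional would help the next rebase.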
@@ -105,7 +139,7 @@ Requires: openssh-server = %{version}-%{release}
BuildRequires: gtk2-devel libX11-devel openldap-devel autoconf automake perl-interpreter perl-generators
BuildRequires: zlib-devel audit-libs-devel >= 2.0.5 util-linux groff pam-devel
-BuildRequires: openssl3 perl-podlators systemd-devel gcc p11-kit-devel krb5-devel
+BuildRequires: openssl-devel >= 0.9.8j perl-podlators systemd-devel gcc p11-kit-devel krb5-devel
BuildRequires: libedit-devel ncurses-devel libselinux-devel >= 2.3-5 audit-libs >= 1.0.8 xauth gnupg2
Recommends: p11-kit
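Review bot: The floor in `BuildRequires: openssl-devel >= 0.9.8j` is so old that it constrains nothing for an 8.8p1 build, so it reads as a guarantee without being one. Either drop the version qualifier or raise it to the oldest OpenSSL release that the distribution supports and that the crypto patches in this spec (openssl-evp, openssl-kdf, fips) were actually tested against. The right number is not visible from this hunk and should be confirmed by the maintainer.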
@@ -114,7 +148,6 @@ Recommends: p11-kit
Summary: An open source SSH client applications
Requires: openssh = %{version}-%{release}
Requires: crypto-policies >= 20180306-1
-Requires: openssl3
%package server
Summary: An open source SSH server daemon
@@ -122,7 +155,6 @@ Requires: openssh = %{version}-%{release}
Requires(pre): shadow
Requires: pam >= 1.0.1-3
Requires: crypto-policies >= 20180306-1
-Requires: openssl3
%{?systemd_requires}
%package keycat
@@ -173,7 +205,7 @@ instance. The module is most useful for su and sudo service stacks.
%package_help
%prep
-%setup -q -a 3
+%setup -q -a 4
pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4
%patch3 -p2 -b .psaa-build
@@ -182,60 +214,66 @@ pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4
%patch7 -p2 -b .psaa-compat
%patch6 -p2 -b .psaa-agent
%patch8 -p2 -b .psaa-deref
-%patch9 -p2 -b .rsasha2
-%patch10 -p1 -b .psaa-configure-c99
# Remove duplicate headers and library files
-rm -f $(cat %{SOURCE4})
+rm -f $(cat %{SOURCE5})
popd
-%patch11 -p1 -b .role-mls
-%patch12 -p1 -b .privsep-selinux
-%patch14 -p1 -b .keycat
-%patch15 -p1 -b .ip-opts
-%patch17 -p1 -b .ipv6man
-%patch18 -p1 -b .sigpipe
-%patch19 -p1 -b .x11
-%patch21 -p1 -b .progress
-%patch22 -p1 -b .grab-info
-%patch23 -p1
-%patch24 -p1 -b .log-usepam-no
-%patch28 -p1 -b .gsskex
-%patch29 -p1 -b .force_krb
-%patch31 -p1 -b .ccache_name
-%patch32 -p1 -b .k5login
-%patch33 -p1 -b .kuserok
-%patch34 -p1 -b .fromto-remote
-%patch35 -p1 -b .contexts
-%patch36 -p1 -b .log-in-chroot
-%patch37 -p1 -b .scp
-%patch30 -p1 -b .GSSAPIEnablek5users
-%patch38 -p1 -b .sshdt
-%patch39 -p1 -b .sftp-force-mode
-%patch40 -p1 -b .s390-dev
-%patch41 -p1 -b .x11max
-%patch42 -p1 -b .systemd
-%patch43 -p1 -b .refactor
-%patch44 -p1 -b .sandbox
-%patch45 -p1 -b .pkcs11-uri
-%patch46 -p1 -b .scp-ipv6
-%patch48 -p1 -b .crypto-policies
-%patch49 -p1 -b .openssl-evp
-%patch50 -p1 -b .openssl-kdf
-%patch51 -p1 -b .visibility
-%patch52 -p1 -b .x11-ipv6
-%patch53 -p1 -b .keygen-strip-doseol
-%patch54 -p1 -b .preserve-pam-errors
-%patch55 -p1 -b .kill-scp
-%patch56 -p1 -b .scp-sftpdirs
-%patch57 -p1 -b .minrsabits
-%patch58 -p1 -b .ibmca
-%patch60 -p1 -b .ssh-manpage
-%patch61 -p1 -b .negotiate-supported-algs
-%patch65 -p1 -b .cve-2023-38408
+%patch9 -p1 -b .role-mls
+%patch10 -p1 -b .privsep-selinux
+%patch12 -p1 -b .keycat
+%patch13 -p1 -b .ip-opts
+%patch14 -p1 -b .keyperm
+%patch15 -p1 -b .ipv6man
+%patch16 -p1 -b .sigpipe
+%patch17 -p1 -b .x11
+%patch19 -p1 -b .progress
+%patch20 -p1 -b .grab-info
+%patch21 -p1
+%patch22 -p1 -b .log-usepam-no
+%patch23 -p1 -b .evp-ctr
+%patch26 -p1 -b .gsskex
+%patch27 -p1 -b .force_krb
+%patch29 -p1 -b .ccache_name
+%patch30 -p1 -b .k5login
+%patch31 -p1 -b .kuserok
+%patch32 -p1 -b .fromto-remote
+%patch33 -p1 -b .contexts
+%patch34 -p1 -b .log-in-chroot
+%patch35 -p1 -b .scp
+%patch28 -p1 -b .GSSAPIEnablek5users
+%patch36 -p1 -b .sshdt
+%patch37 -p1 -b .sftp-force-mode
+%patch38 -p1 -b .s390-dev
+%patch39 -p1 -b .x11max
+%patch40 -p1 -b .systemd
+%patch41 -p1 -b .refactor
+%patch42 -p1 -b .sandbox
+%patch43 -p1 -b .pkcs11-uri
+%patch44 -p1 -b .scp-ipv6
+%patch46 -p1 -b .crypto-policies
+%patch47 -p1 -b .openssl-evp
+%patch48 -p1 -b .openssl-kdf
+%patch49 -p1 -b .visibility
+%patch50 -p1 -b .x11-ipv6
+%patch51 -p1 -b .keygen-strip-doseol
+%patch53 -p1 -b .kill-scp
%patch1 -p1 -b .audit
%patch2 -p1 -b .audit-race
+%patch18 -p1 -b .fips
%patch0 -p1 -b .coverity
+%patch54 -p1
+%patch55 -p1
+%patch56 -p1
+%patch57 -p1
+%patch58 -p1
+%patch59 -p1
+%patch60 -p1
+%patch61 -p1
+%patch62 -p1
+%patch63 -p1
+%patch64 -p1
+%patch65 -p1
%patch66 -p1
%patch67 -p1
%patch68 -p1
@@ -246,7 +284,36 @@ popd
%patch73 -p1
%patch74 -p1
%patch75 -p1
+%patch76 -p1
%patch77 -p1
+%patch78 -p1
+%patch79 -p1
+%patch80 -p1
+%patch81 -p1
+%patch82 -p1
+%patch83 -p1
+%patch84 -p1
+%patch85 -p1
+%patch86 -p1
+%patch87 -p1
+%patch88 -p1
+%patch89 -p1
+%patch90 -p1
+%patch91 -p1
+%patch92 -p1
+%patch93 -p1
+%patch94 -p1
+%patch95 -p1
+%patch96 -p1
+%patch97 -p1
+%patch98 -p1
+%patch99 -p1
+%patch100 -p1
+%patch101 -p1
+%patch102 -p1
+%patch103 -p1
+%patch104 -p1
+%patch105 -p1
autoreconf
pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4
@@ -282,10 +349,7 @@ else
CFLAGS="$CFLAGS -I%{_includedir}/gssapi"
fi
-LDFLAGS="$LDFLAGS -L/opt/openssl3/%{_lib} -Wl,-rpath=/opt/openssl3/%{_lib}"
-CFLAGS="$CFLAGS -I/opt/openssl3/include"
%configure \
- --with-ssl-dir=/opt/openssl3 \
--sysconfdir=%{_sysconfdir}/ssh --libexecdir=%{_libexecdir}/openssh \
--datadir=%{_datadir}/openssh --with-default-path=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin \
--with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin \
@@ -293,10 +357,11 @@ CFLAGS="$CFLAGS -I/opt/openssl3/include"
--without-zlib-version-check --with-ssl-engine --with-ipaddr-display \
--with-pie=no --without-hardening --with-systemd --with-default-pkcs11-provider=yes \
--with-pam --with-selinux --with-audit=linux --with-security-key-buildin=yes \
-%ifnarch riscv64 loongarch64 sw_64
+%ifnarch riscv64 sw_64 loongarch64
--with-sandbox=seccomp_filter \
%endif
- --with-kerberos5${krb5_prefix:+=${krb5_prefix}} --with-libedit || cat config.log
+ --with-kerberos5${krb5_prefix:+=${krb5_prefix}} --with-libedit
+
make
gtk2=yes
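Review bot: The configure call on the new side still passes `--with-pie=no --without-hardening`, and the `%ifnarch riscv64 sw_64 loongarch64` guard leaves `--with-sandbox=seccomp_filter` out on those three architectures, yet the spec does not say why. For a network-facing daemon these are the switches a reviewer looks at first. If PIE and the hardening flags are meant to come from the distribution's build flags, that should be stated. Because a comment cannot sit inside the continued command, add lines above `%configure` such as `# PIE/hardening flags are supplied by the distro CFLAGS/LDFLAGS, not by OpenSSH's configure` and `# seccomp_filter is not forced on riscv64/sw_64/loongarch64; configure picks its default sandbox there`, after confirming both statements hold. The `%configure` invocation starts outside this hunk.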
@@ -320,7 +385,17 @@ make
popd
%check
+if [ -e /sys/fs/selinux/enforce ]; then
+ # Store the SElinux state
+ cat /sys/fs/selinux/enforce > selinux.tmp
+ setenforce 0
+fi
make tests
+if [ -e /sys/fs/selinux/enforce ]; then
+ # Restore the SElinux state
+ cat selinux.tmp > /sys/fs/selinux/enforce
+ rm -rf selinux.tmp
+fi
%install
mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh
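Review bot: If `make tests` fails, the restore block after it is never reached, because rpmbuild normally runs section scripts with `sh -e`, and the build host is left in permissive mode. The added `%check` also turns SELinux enforcement off for the whole host with `setenforce 0`, not just for the test processes, which needs root and weakens every other workload on the builder while the tests run. If the switch has to stay, register the restore immediately after `setenforce 0`, e.g. `trap 'cat selinux.tmp > /sys/fs/selinux/enforce; rm -f selinux.tmp' EXIT`, and add a comment naming the test that needs permissive mode. Running the tests in a disposable build root or container would be the cleaner fix.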
@@ -335,23 +410,22 @@ install -d $RPM_BUILD_ROOT/etc/pam.d/
install -d $RPM_BUILD_ROOT/etc/sysconfig/
install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh
install -m644 %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/sshd
-install -m644 %{SOURCE5} $RPM_BUILD_ROOT/etc/pam.d/ssh-keycat
-install -m644 %{SOURCE6} $RPM_BUILD_ROOT/etc/sysconfig/sshd
+install -m644 %{SOURCE6} $RPM_BUILD_ROOT/etc/pam.d/ssh-keycat
+install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/sysconfig/sshd
install -d -m755 $RPM_BUILD_ROOT/%{_unitdir}
-install -m644 %{SOURCE7} $RPM_BUILD_ROOT/%{_unitdir}/sshd@.service
-install -m644 %{SOURCE8} $RPM_BUILD_ROOT/%{_unitdir}/sshd.socket
-install -m644 %{SOURCE9} $RPM_BUILD_ROOT/%{_unitdir}/sshd.service
-install -m644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen@.service
-install -m644 %{SOURCE13} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen.target
+install -m644 %{SOURCE9} $RPM_BUILD_ROOT/%{_unitdir}/sshd@.service
+install -m644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}/sshd.socket
+install -m644 %{SOURCE11} $RPM_BUILD_ROOT/%{_unitdir}/sshd.service
+install -m644 %{SOURCE12} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen@.service
+install -m644 %{SOURCE15} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen.target
install -d -m755 $RPM_BUILD_ROOT/%{_userunitdir}
-install -m644 %{SOURCE14} $RPM_BUILD_ROOT/%{_userunitdir}/ssh-agent.service
-install -m644 %{SOURCE15} $RPM_BUILD_ROOT/%{_userunitdir}/ssh-agent.socket
-install -m744 %{SOURCE11} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/sshd-keygen
+install -m644 %{SOURCE16} $RPM_BUILD_ROOT/%{_userunitdir}/ssh-agent.service
+install -m744 %{SOURCE13} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/sshd-keygen
install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/
install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/
-install -m644 -D %{SOURCE12} $RPM_BUILD_ROOT%{_tmpfilesdir}/%{name}.conf
+install -m644 -D %{SOURCE14} $RPM_BUILD_ROOT%{_tmpfilesdir}/%{name}.conf
install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
-install -m644 %{SOURCE16} $RPM_BUILD_ROOT/etc/bash_completion.d/ssh-keygen-bash-completion.sh
+install -m644 %{SOURCE17} $RPM_BUILD_ROOT/etc/bash_completion.d/ssh-keygen-bash-completion.sh
ln -s gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass
install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
@@ -382,14 +456,6 @@ getent passwd sshd >/dev/null || \
%postun server
%systemd_postun_with_restart sshd.service
-%post clients
-%systemd_user_post ssh-agent.service
-%systemd_user_post ssh-agent.socket
-
-%preun clients
-%systemd_user_preun ssh-agent.service
-%systemd_user_preun ssh-agent.socket
-
%files
%license LICENCE
%doc CREDITS README.platform
@@ -411,8 +477,7 @@ getent passwd sshd >/dev/null || \
%attr(0755,root,root) %{_bindir}/ssh-copy-id
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-pkcs11-helper
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-sk-helper
-%attr(0644,root,root) %{_userunitdir}/ssh-agent.service
-%attr(0644,root,root) %{_userunitdir}/ssh-agent.socket
+%attr(0755,root,root) %{_userunitdir}/ssh-agent.service
%files server
%dir %attr(0711,root,root) %{_var}/empty/sshd
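Review bot: `%attr(0755,root,root) %{_userunitdir}/ssh-agent.service` marks a systemd unit file as executable, whereas the `%install` section installs the same file with `install -m644` and the removed lines used 0644. Unit files are configuration rather than programs, and systemd logs a warning when one is executable. The line should read `%attr(0644,root,root) %{_userunitdir}/ssh-agent.service`.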
@@ -441,6 +506,7 @@ getent passwd sshd >/dev/null || \
%files -n pam_ssh_agent_auth
%license pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/OPENSSH_LICENSE
%attr(0755,root,root) %{_libdir}/security/pam_ssh_agent_auth.so
+%attr(0644,root,root) %{_mandir}/man8/pam_ssh_agent_auth.8*
%files help
%doc ChangeLog OVERVIEW PROTOCOL* README README.privsep README.tun README.dns TODO
@@ -451,175 +517,201 @@ getent passwd sshd >/dev/null || \
%attr(0644,root,root) %{_mandir}/man5/ssh*.5*
%attr(0644,root,root) %{_mandir}/man5/moduli.5*
%attr(0644,root,root) %{_mandir}/man8/ssh*.8*
-%attr(0644,root,root) %{_mandir}/man8/pam_ssh_agent_auth.8*
%attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
%changelog
-* Mon Oct 02 2023 Funda Wang <fundawang@yeah.net> - 9.3p1-2.1
-- Try building with openssl3
+* Tue Jul 2 2024 renmingshuai<renmingshuai@huawei.com> - 8.8p1-31
+- Type:CVE
+- CVE:CVE-2024-6387
+- SUG:NA
+- DESC:Fix CVE-2024-6387
-* Fri Aug 25 2023 renmingshuai<renmingshuai@huawei.com> - 9.3p1-2
+* Mon Apr 29 2024 renmingshuai<renmingshuai@huawei.com> - 8.8p1-30
- Type:bugfix
-- CVE:NA
+- CVE:
- SUG:NA
-- DESC:use correct ssh-agent.socket name
+- DESC:Disable SElinux when make tests
-* Thu Jul 27 2023 renmingshuai<renmingshuai@huawei.com> - 9.3p1-1
-- Type:requirement
+* Thu Mar 14 2024 renmingshuai<renmingshuai@huawei.com> - 8.8p1-29
+- Type:bugfix
+- CVE:
+- SUG:NA
+- DESC:fix setting the number of authentication attempts failed
+
+* Fri Feb 2 2024 songjuntao<songjuntao@kylinos.cn> - 8.8p1-28
+- Type:bugfix
+- CVE:
+- SUG:NA
+- DESC: fix memory leak in kex2 exchange function
+
+* Wed Jan 31 2024 renmingshuai<renmingshuai@huawei.com> - 8.8p1-27
+- Type:bugfix
+- CVE:
+- SUG:NA
+- DESC:move pam_ssh_agent_auth man page to sub-package
+
+* Wed Jan 10 2024 renmingshuai<renmingshuai@huawei.com> - 8.8p1-26
+- Type:CVE
+- CVE:CVE-2023-48795
+- SUG:NA
+- DESC:fix CVE-2023-48795 by using the other patch instead
+
+* Sat Dec 23 2023 renmingshuai<renmingshuai@huawei.com> - 8.8p1-25
+- Type:CVE
+- CVE:CVE-2023-48795,CVE-2023-51385
+- SUG:NA
+- DESC:fix CVE-2023-48795 and CVE-2023-51385
+
+* Tue Aug 15 2023 renmingshuai<renmingshuai@huawei.com> - 8.8p1-24
+- Type:bugfix
- CVE:NA
- SUG:NA
-- DESC:update to 9.3p1
+- DESC:In channel_request_remote_forwarding the parameters
-* Tue Jun 13 2023 renmingshuai<renmingshuai@huawei.com> - 9.1p1-6
+* Thu Jul 27 2023 renmingshuai<renmingshuai@huawei.com> - 8.8p1-23
+- Type:CVE
+- CVE:CVE-2023-38408
+- SUG:NA
+- DESC:fix CVE-2023-38408
+
+* Wed Jun 7 2023 renmingshuai<renmingshuai@huawei.com> - 8.8p1-22
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:fix misspelling
-* Sat May 27 2023 renmingshuai<renmingshuai@huawei.com> - 9.1p1-5
+* Sat May 27 2023 renmingshuai<renmingshuai@huawei.com> - 8.8p1-21
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:fix environment variable
-* Sat Mar 18 2023 renmingshuai<renmingshuai@huawei.com> - 9.1p1-4
+* Thu Mar 23 2023 renmingshuai<renmingshuai@huawei.com> - 8.8p1-20
- Type:bugfix
- CVE:NA
- SUG:NA
-- DESC:backport some upstreams patches and delete unused patches
+- DESC:backport some upstream patches and modify some patches numbers
-* Tue Feb 28 2023 renmingshuai<renmingshuai@huawei.com> - 9.1p1-3
+* Thu Mar 09 2023 renmingshuai<renmingshuai@huawei.com> - 8.8p1-19
- Type:bugfix
- CVE:NA
- SUG:NA
-- DESC:set default ssh_config
+- DESC:set default ssh config
-* Mon Feb 06 2023 renmingshuai<renmingshuai@huawei.com> - 9.1p1-2
+* Mon Feb 06 2023 renmingshuai<renmingshuai@huawei.com> - 8.8p1-18
- Type:CVE
- CVE:CVE-2023-25136
- SUG:NA
- DESC:fix CVE-2023-25136
-* Mon Jan 30 2023 renmingshuai<renmingshuai@huawei.com> - 9.1p1-1
+* Fri Jan 06 2023 renmingshuai<renmingshuai@huawei.com> - 8.8p1-17
- Type:bugfix
- CVE:NA
- SUG:NA
-- DESC:update to openssh-9.1p1
+- DESC:fix test failure and enable make tests
-* Mon Jan 9 2023 renmingshuai <renmingshuai@huawei.com> - 8.8p1-17
+* Tue Jan 03 2023 renmingshuai<renmingshuai@huawei.com> - 8.8p1-16
- Type:bugfix
- CVE:NA
- SUG:NA
-- DESC:fix possible NULL deref when built without FIDO
+- DESC:always make tests
-* Tue Jan 3 2023 renmingshuai <renmingshuai@huawei.com> - 8.8p1-16
+* Thu Dec 29 2022 renmingshuai<renmingshuai@huawei.com> - 8.8p1-15
- Type:bugfix
- CVE:NA
- SUG:NA
-- DESC:fix test failure and always make tests
+- DESC:avoid integer overflow of auth attempts har
-* Thu Dec 29 2022 renmingshuai <renmingshuai@huawei.com> - 8.8p1-15
+* Fri Dec 16 2022 renmingshuai<renmingshuai@huawei.com> - 8.8p1-14
- Type:bugfix
- CVE:NA
- SUG:NA
-- DESC:avoid integer overflow of auth attempts
+- DESC:Fix ssh-keygen -Y check novalidate requires name
-* Thu Dec 29 2022 renmingshuai <renmingshuai@huawei.com> - 8.8p1-14
+* Tue Dec 13 2022 renmingshuai<renmingshuai@huawei.com> - 8.8p1-13
- Type:bugfix
- CVE:NA
- SUG:NA
-- DESC:PubkeyAcceptedKeyTypes has been renamed to PubkeyAcceptedAlgorithms in openssh-8.5p1
+- DESC:add strict scp check for CVE-2020-15778
-* Thu Dec 29 2022 renmingshuai <renmingshuai@huawei.com> - 8.8p1-13
+* Tue Dec 13 2022 renmingshuai<renmingshuai@huawei.com> - 8.8p1-12
- Type:bugfix
- CVE:NA
- SUG:NA
-- DESC:add strict scp check for CVE-2020-15778
+- DESC:backport some upstream patches
-* Thu Dec 29 2022 renmingshuai <renmingshuai@huawei.com> - 8.8p1-12
-- Type:bugfix
+* Tue Dec 13 2022 renmingshuai<renmingshuai@huawei.com> - 8.8p1-11
+- Type:feature
- CVE:NA
- SUG:NA
-- DESC:backport some upstream patches
+- DESC:Add loongarch64 architecture
-* Thu Dec 29 2022 renmingshuai <renmingshuai@huawei.com> - 8.8p1-11
-- Type:requirement
+* Tue Dec 13 2022 renmingshuai<renmingshuai@huawei.com> - 8.8p1-10
+- Type:feature
- CVE:NA
- SUG:NA
-- DESC:add sw_64
+- DESC:Add sw64 architecture
-* Fri Dec 16 2022 renmingshuai <renmingshuai@huawei.com> - 8.8p1-10
+* Wed Dec 7 2022 duyiwei<duyiwei@kylinos.cn> - 8.8P1-9
- Type:bugfix
- CVE:NA
- SUG:NA
-- DESC:Fix ssh-keygen -Y check novalidate requires name
+- DESC:enable "include /etc/ssh/sshd_config.d/*.config" again
-* Mon Nov 28 2022 zhaozhen <zhaozhen@loongson.cn> - 8.8p1-9
-- Type:feature
+* Mon Nov 28 2022 renmingshuai<renmingshuai@huawei.com> - 8.8p1-8
+- Type:bugfix
- CVE:NA
- SUG:NA
-- DESC:Add loongarch64 support
+- DESC:PubkeyAcceptedKeyTypes has been renamed to PubkeyAcceptedAlgorithms in openssh-8.5p1
-* Mon Nov 28 2022 renmingshuai<renmingshuai@huawei.com> - 8.8p1-8
+* Mon Nov 28 2022 renmingshuai<renmingshuai@huawei.com> - 8.8p1-7
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:add better debugging
-* Wed Nov 2 2022 renmingshuai<renmingshuai@huawei.com> - 8.8p1-7
+* Wed Nov 2 2022 renmingshuai<renmingshuai@huawei.com> - 8.8p1-6
- Type:requirement
- CVE:NA
- SUG:NA
- DESC:add ssh-keygen bash completion
-* Thu Sep 01 2022 duyiwei<duyiwei@kylinos.cn> - 8.8P1-6
+* Tue Oct 18 2022 majun<majun65@huawei.com> - 8.8p1-5
- Type:bugfix
- CVE:NA
- SUG:NA
-- DESC:enable "include /etc/ssh/sshd_config.d/*.config" again
-
-* Fri Jul 29 2022 kircher<majun65@huawei.com> - 8.8p1-5
-- Type:bugfix
-- CVE:Na
-- SUG:NA
-- DESC:add SMx support in openssh
+- DESC:add smx support in openssh
-* Thu May 05 2022 seuzw<930zhaowei@163.com> - 8.8p1-4
+* Sat Jun 25 2022 Rimsky<349157738@qq.com> - 8.8p1-4
- Type:bugfix
- CVE:NA
- SUG:NA
-- DESC:fix incorrect sftp-server binary path in /etc/ssh/sshd_config
+- DESC:fix possible NULL deref when built without FIDO
-* Wed Mar 09 2022 duyiwei<duyiwei@kylinos.cn> - 8.8P1-3
+* Thu May 05 2022 seuzw<930zhaowei@163.com> - 8.8p1-3
- Type:bugfix
- CVE:NA
- SUG:NA
-- DESC:enable "include /etc/ssh/sshd_config.d/*.config"
+- DESC:fix incorrect sftp-server binary path in /etc/ssh/sshd_config
-* Mon Mar 07 2022 kircher<majun65@huawei.com> - 8.8P1-2
+* Tue Mar 08 2022 kircher<majun65@huawei.com> - 8.8P1-2
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:add sshd.tmpfiles
-* Thu Oct 28 2021 kircher<kircherlike@outlook.com> - 8.8P1-1
+* Wed Dec 8 2021 renmingshuai<renmingshuai@huawei.com> - 8.8P1-1
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:update to openssh-8.8p1
-* Fri Oct 8 2021 renmingshuai<renmingshuai@hauwei.com> - 8.2P1-15
-- Type:cves
+* Fri Oct 29 2021 kircher<majun65@huawei.com> - 8.2P1-14
+- Type:CVE
- CVE:CVE-2021-41617
- SUG:NA
- DESC:fix CVE-2021-41617
-* Sat Sep 18 2021 kircher<kircherlike@outlook.com> - 8.2P1-14
-- Type:bugfix
-- CVE:NA
-- SUG:NA
-- DESC:backport patch from github to fix NULL ref
-
* Fri Jul 30 2021 kircher<majun65@huawei.com> - 8.2P1-13
- Type:bugfix
- CVE:NA