- 31 Jan, 2020 1 commit
Colin Watson authored
- 12 Jan, 2020 2 commits
Colin Watson authored
Closes: #946242
As noted in openssh/openssh-portable#149, i386 does not have __NR_shmget etc. Instead, it has a single ipc syscall (see man 2 ipc, https://linux.die.net/man/2/ipc). Add this syscall, if present, to the list of syscalls that seccomp will deny non-fatally.

[cjwatson: For backporting to buster, I've dropped the previous change to allow ipc on s390. Upstream refused that since it opens security weaknesses and doesn't currently seem to be needed, so I'd already dropped that for bullseye.]

Bug-Debian: https://bugs.debian.org/946242
Origin: backport, https://anongit.mindrot.org/openssh.git/commit/?id=30f704ebc0e9e32b3d12f5d9e8c1b705fdde2c89
Last-Update: 2020-01-11
Patch-Name: sandbox-seccomp-ipc.patch
- 06 Oct, 2019 1 commit
Colin Watson authored
- 05 Oct, 2019 2 commits
Colin Watson authored
This copes with changes in OpenSSL 1.1.1d that broke OpenSSH on Linux kernels before 3.19.

Closes: #941663
New wait_random_seeded() function on OpenSSL 1.1.1d uses shmget, shmat, and shmdt in the preauth codepath; deny (non-fatal) in seccomp_filter sandbox.

Bug: https://github.com/openssh/openssh-portable/pull/149
Bug-Debian: https://bugs.debian.org/941663
Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=3ef92a657444f172b61f92d5da66d94fa8265602
Last-Update: 2019-10-05
Patch-Name: seccomp-handle-shm.patch
- 08 Apr, 2019 3 commits
Colin Watson authored
Colin Watson authored
This is just until issues with "iptables -m tos" and VMware have been fixed.

Closes: #923879, #926229
LP: #1822370
Colin Watson authored
This reverts commit 5ee8448a. The IPQoS default changes have some unfortunate interactions with iptables (see https://bugs.debian.org/923880) and VMware, so I'm temporarily reverting them until those have been fixed.

Bug-Debian: https://bugs.debian.org/923879
Bug-Debian: https://bugs.debian.org/926229
Bug-Ubuntu: https://bugs.launchpad.net/1822370
Last-Update: 2019-04-08
Patch-Name: revert-ipqos-defaults.patch
- 01 Mar, 2019 3 commits
Colin Watson authored
Colin Watson authored
match what the client requested, be prepared to handle shell-style brace alternations, e.g. "{foo,bar}".

"looks good to me" millert@ + in snaps for the last week courtesy deraadt@

OpenBSD-Commit-ID: 3b1ce7639b0b25b2248e3a30f561a548f6815f3e
Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=3d896c157c722bc47adca51a58dca859225b5874
Bug-Debian: https://bugs.debian.org/923486
Last-Update: 2019-03-01
Patch-Name: scp-handle-braces.patch
- 28 Feb, 2019 7 commits
Colin Watson authored
Colin Watson authored
This goes with /etc/ssh/moduli; forgotten in 1:7.9p1-5.
Closes: #919344
Colin Watson authored
Closes: #923419
rsa-sha2-{256|512}-cert-v01@openssh.com cert algorithms; ok markus@

OpenBSD-Commit-ID: afc6f7ca216ccd821656d1c911d2a3deed685033
Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=f429c1b2ef631f2855e51a790cf71761d752bbca
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2944
Bug-Debian: https://bugs.debian.org/923419
Last-Update: 2019-02-28
Patch-Name: request-rsa-sha2-cert-signatures.patch
Colin Watson authored
PubkeyAcceptedKeyTypes options. If only RSA-SHA2 signature types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes.

bz#2746; reported by Jakub Jelen; ok dtucker

OpenBSD-Commit-ID: 117bc3dc54578dbdb515a1d3732988cb5b00461b
Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=cd9467318b56e6e93ff9575c906ff8350af9b8a2
Last-Update: 2019-02-28
Patch-Name: fix-key-type-check.patch
- 26 Feb, 2019 1 commit
Colin Watson authored
- 25 Feb, 2019 2 commits
Colin Watson authored
Pass "--exec /usr/sbin/sshd" to start-stop-daemon on stop as well as start and pass "--chuid 0:0" on start, to avoid problems with non-root groups leaking into the ownership of /run/sshd.pid.

Closes: #922365
Colin Watson authored
Recommend "default-logind | logind | libpam-systemd" rather than just libpam-systemd. (I've retained libpam-systemd as an alternative for a while to avoid backporting accidents, although it can be removed later.) Thanks, Adam Borowski.

Closes: #923199
- 08 Feb, 2019 6 commits
Colin Watson authored
Colin Watson authored
CVE-2019-6111
remote->local directory copies satisfy the wildcard specified by the user.

This checking provides some protection against a malicious server sending unexpected filenames, but it comes at a risk of rejecting wanted files due to differences between client and server wildcard expansion rules. For this reason, this also adds a new -T flag to disable the check.

reported by Harry Sintonen
fix approach suggested by markus@; has been in snaps for ~1wk courtesy deraadt@

OpenBSD-Commit-ID: 00f44b50d2be8e321973f3c6d014260f8f7a8eda
CVE-2019-6111
Origin: backport, https://anongit.mindrot.org/openssh.git/commit/?id=391ffc4b9d31fa1f4ad566499fef9176ff8a07dc
Last-Update: 2019-02-08
Patch-Name: check-filenames-in-scp-client.patch
Colin Watson authored
CVE-2019-6109

Closes: #793412
end of each transfer. Fixes the problem recently introduced where very quick transfers do not display the progressmeter at all. Spotted by naddy@

OpenBSD-Commit-ID: 68dc46c259e8fdd4f5db3ec2a130f8e4590a7a9a
Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=bdc6c63c80b55bcbaa66b5fde31c1cb1d09a41eb
Last-Update: 2019-02-08
Patch-Name: have-progressmeter-force-update-at-beginning-and-end-transfer.patch
the progressmeter formatting outside of signal handler context and have the atomicio callback called for EINTR too.

bz#2434 with contributions from djm and jjelen at redhat.com, ok djm@

OpenBSD-Commit-ID: 1af61c1f70e4f3bd8ab140b9f1fa699481db57d8
CVE-2019-6109
Origin: backport, https://anongit.mindrot.org/openssh.git/commit/?id=8976f1c4b2721c26e878151f52bdf346dfe2d54c
Bug-Debian: https://bugs.debian.org/793412
Last-Update: 2019-02-08
Patch-Name: sanitize-scp-filenames-via-snmprintf.patch
- 13 Jan, 2019 1 commit
Colin Watson authored
- 12 Jan, 2019 2 commits
Colin Watson authored
Closes: #919101
current directory; based on report/patch from Harry Sintonen

OpenBSD-Commit-ID: f27651b30eaee2df49540ab68d030865c04f6de9
Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=6010c0303a422a9c5fa8860c061bf7105eb7f8b2
Bug-Debian: https://bugs.debian.org/919101
Last-Update: 2019-01-12
Patch-Name: scp-disallow-dot-or-empty-filename.patch
- 26 Dec, 2018 1 commit
Colin Watson authored
Closes: #917342
- 06 Dec, 2018 1 commit
Colin Watson authored
It's reasonably large and only used by sshd.

Closes: #858050
- 16 Nov, 2018 2 commits
Colin Watson authored
Colin Watson authored
This time with syntax that works.
- 15 Nov, 2018 5 commits
Colin Watson authored
The documentation comment for dpkg_vendor_derives_from is wrong (thanks, Jeremy Bicha; see #913816).
Colin Watson authored
Colin Watson authored
Restore direct test dependencies on openssl, putty-tools, and python-twisted-conch; these are really only indirect dependencies via openssh-tests, but including them means that this package will be retested when they change.
Colin Watson authored
Colin Watson authored