From d8b51e8341a7c8b9b4bc1b85ef89eff72c339af7 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy
Date: Oct 23 2023 10:59:46 +0000
Subject: Relax OpenSSH checks for OpenSSL version
Resolves: RHEL-4734
---
diff --git a/openssh-9.3p1-openssl-compat.patch b/openssh-9.3p1-openssl-compat.patch
new file mode 100644
index 0000000..cf512ef
--- /dev/null
+++ b/openssh-9.3p1-openssl-compat.patch
@@ -0,0 +1,40 @@
+--- openssh-9.3p1/openbsd-compat/openssl-compat.c 2023-03-15 22:28:19.000000000 +0100
++++ /home/dbelyavs/work/upstream/openssh-portable/openbsd-compat/openssl-compat.c 2023-05-25 14:19:42.870841944 +0200
+@@ -33,10 +33,10 @@
+ 
+ /*
+  * OpenSSL version numbers: MNNFFPPS: major minor fix patch status
+- * We match major, minor, fix and status (not patch) for <1.0.0.
+- * After that, we acceptable compatible fix versions (so we
+- * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed
+- * within a patch series.
++ * Versions >=3 require only major versions to match.
++ * For versions <3, we accept compatible fix versions (so we allow 1.0.1
++ * to work with 1.0.0). Going backwards is only allowed within a patch series.
++ * See https://www.openssl.org/policies/releasestrat.html
+  */
+ 
+ int
+@@ -48,15 +48,17 @@
+ if (headerver == libver)
+ return 1;
+ 
+- /* for versions < 1.0.0, major,minor,fix,status must match */
+- if (headerver < 0x1000000f) {
+- mask = 0xfffff00fL; /* major,minor,fix,status */
++ /*
++ * For versions >= 3.0, only the major and status must match.
++ */
++ if (headerver >= 0x3000000f) {
++ mask = 0xf000000fL; /* major,status */
+ return (headerver & mask) == (libver & mask);
+ }
+ 
+ /*
+- * For versions >= 1.0.0, major,minor,status must match and library
+- * fix version must be equal to or newer than the header.
++ * For versions >= 1.0.0, but <3, major,minor,status must match and
++ * library fix version must be equal to or newer than the header.
+ */
+ mask = 0xfff0000fL; /* major,minor,status */
+ hfix = (headerver & 0x000ff000) >> 12;
diff --git a/openssh.spec b/openssh.spec
index aa68685..f89feac 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -51,7 +51,7 @@
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 8.7p1
-%global openssh_rel 34
+%global openssh_rel 35
 %global pam_ssh_agent_ver 0.10.4
 %global pam_ssh_agent_rel 5
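Review bot: The new `if (headerver >= 0x3000000f)` branch accepts a 3.y.z library that is older than the headers the binary was built against (e.g. built against 3.2 headers, run with a 3.0 library), whereas the <3 rule a few lines below still insists that going backwards is only allowed within a patch series; the hunk should state that this is intentional, e.g. `/* >= 3.0: OpenSSL's release policy promises API/ABI compatibility across all 3.y minor releases, so an older or newer 3.y library is accepted; a library lacking a symbol we use is presumably still rejected by the loader. */`. The leading block comment says "Versions >=3 require only major versions to match" while the mask `0xf000000fL` also compares the status nibble, so the two should be brought into agreement ("only the major version and status"). A 3.0 pre-release header (status nibble 0) fails the `>= 0x3000000f` test and falls through to the 1.x rule, which looks harmless but deserves a sentence in the comment. The function this hunk modifies begins and ends outside the hunk, and the `+++` header of the new patch file records a path under a developer's home directory rather than a relative path, which is cosmetic but unusual for a shipped patch.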
@@ -282,6 +282,8 @@ Patch1014: openssh-8.7p1-UTC-time-parse.patch
 # upsream commit # b23fe83f06ee7e721033769cfa03ae840476d280
 Patch1015: openssh-9.3p1-upstream-cve-2023-38408.patch
+#upstream commit b7afd8a4ecaca8afd3179b55e9db79c0ff210237
+Patch1016: openssh-9.3p1-openssl-compat.patch
 License: BSD
 Requires: /sbin/nologin
@@ -501,6 +503,7 @@ popd
 %patch1013 -p1 -b .man-hostkeyalgos
 %patch1014 -p1 -b .utc_parse
 %patch1015 -p1 -b .cve-2023-38408
+%patch1016 -p1 -b .openssl3compat
 autoreconf
 pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}
@@ -787,6 +790,10 @@ test -f %{sysconfig_anaconda} && \
 %endif
 %changelog
+* Mon Oct 23 2023 Dmitry Belyavskiy - 8.7p1-35
+- Relax OpenSSH checks for OpenSSL version
+ Resolves: RHEL-4734
+
 * Thu Jul 20 2023 Dmitry Belyavskiy - 8.7p1-34
 - Avoid remote code execution in ssh-agent PKCS#11 support
 Resolves: CVE-2023-38408
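Review bot: The new `#upstream commit b7afd8a4ecaca8afd3179b55e9db79c0ff210237` line drops the space after `#` that the neighbouring provenance comments use; for consistency write `# upstream commit b7afd8a4ecaca8afd3179b55e9db79c0ff210237`. Since the added patch lets the binary run against any OpenSSL 3.y library, it is worth confirming that the package's versioned `Requires`/`BuildRequires` on openssl-libs (not in this hunk) still express the minimum the build actually needs, rather than relying on the relaxed runtime check.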