From 1a3722d42e31f59879e4e37163fa1dc7f9c5ff82 Mon Sep 17 00:00:00 2001 From: Raymond Colebaugh Date: Sep 20 2022 19:07:14 +0000 Subject: Merge remote-tracking branch 'upstream/c9s' into c9s-sig-hyperscale --- diff --git a/openssh-8.7p1-ibmca.patch b/openssh-8.7p1-ibmca.patch new file mode 100644 index 0000000..c9c12ee --- /dev/null +++ b/openssh-8.7p1-ibmca.patch @@ -0,0 +1,12 @@ +--- openssh-8.7p1/openbsd-compat/bsd-closefrom.c.orig 2022-04-12 15:47:03.815044607 +0200 ++++ openssh-8.7p1/openbsd-compat/bsd-closefrom.c 2022-04-12 15:48:12.464963511 +0200 +@@ -16,7 +16,7 @@ + + #include "includes.h" + +-#ifndef HAVE_CLOSEFROM ++#if (!defined HAVE_CLOSEFROM) || (defined __s390__) + + #include + #include + diff --git a/openssh-8.7p1-minimize-sha1-use.patch b/openssh-8.7p1-minimize-sha1-use.patch index cbaba49..fc517da 100644 --- a/openssh-8.7p1-minimize-sha1-use.patch +++ b/openssh-8.7p1-minimize-sha1-use.patch @@ -87,6 +87,19 @@ diff --color -ru a/clientloop.c b/clientloop.c error_fr(r, "server gave bad signature for %s key %zu", sshkey_type(ctx->keys[i]), i); goto out; +diff --git a/hostfile.c b/hostfile.c +index a035b381..bd49e3ac 100644 +--- a/hostfile.c ++++ b/hostfile.c +@@ -642,7 +642,7 @@ hostfile_replace_entries(const char *filename, const char *host, const char *ip, + /* Re-add the requested keys */ + want = HKF_MATCH_HOST | (ip == NULL ? 0 : HKF_MATCH_IP); + for (i = 0; i < nkeys; i++) { +- if ((want & ctx.match_keys[i]) == want) ++ if (keys[i] == NULL || (want & ctx.match_keys[i]) == want) + continue; + if ((fp = sshkey_fingerprint(keys[i], hash_alg, + SSH_FP_DEFAULT)) == NULL) { diff --color -ru a/kex.c b/kex.c --- a/kex.c 2022-06-29 16:35:06.775599179 +0200 +++ b/kex.c 2022-06-29 16:42:00.839710940 +0200 diff --git a/openssh-8.7p1-minrsabits.patch b/openssh-8.7p1-minrsabits.patch index 57019b6..107fe70 100644 --- a/openssh-8.7p1-minrsabits.patch +++ b/openssh-8.7p1-minrsabits.patch 
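Review bot: The new guard `#if (!defined HAVE_CLOSEFROM) || (defined __s390__)` in openssh-8.7p1-ibmca.patch gives no reason why s390 must build the bundled closefrom() even when the platform provides one. closefrom() is the routine that closes inherited descriptors, so a per-architecture override of it should carry its reason in the code; the spec file only calls this a "tentative fix" and points at a Bugzilla comment. I would add a comment above the guard such as `/* s390: always build the compat closefrom(); see rhbz#1976202 (IBMCA) */`. With HAVE_CLOSEFROM defined, the file now defines a function that libc presumably also declares, so it is worth confirming on s390 that the build picks up the compat version as intended. The rest of bsd-closefrom.c is outside the hunk.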
@@ -262,6 +262,19 @@ index 67f8e0309..d050c1656 100644 if (verify_host_key(xxx_host, xxx_hostaddr, hostkey, xxx_conn_info) == -1) fatal("Host key verification failed."); +@@ -1762,6 +1762,12 @@ load_identity_file(Identity *id) + private = NULL; + quit = 1; + } ++ if (r = sshkey_check_rsa_length(private, options.rsa_min_size) != 0) { ++ debug_fr(r, "Skipping key %s", id->filename); ++ sshkey_free(private); ++ private = NULL; ++ quit = 1; ++ } + if (!quit && private != NULL && id->agent_fd == -1 && + !(id->key && id->isprivate)) + maybe_add_key_to_agent(id->filename, private, comment, @@ -1747,6 +1751,12 @@ pubkey_prepare(struct ssh *ssh, Authctxt *authctxt) close(agent_fd); } else { diff --git a/openssh-8.7p1-scp-clears-file.patch b/openssh-8.7p1-scp-clears-file.patch index d49b66d..4c033da 100644 --- a/openssh-8.7p1-scp-clears-file.patch +++ b/openssh-8.7p1-scp-clears-file.patch @@ -1,7 +1,7 @@ -diff --color -ru a/scp.c b/scp.c ---- a/scp.c 2022-06-30 09:47:39.529662574 +0200 -+++ b/scp.c 2022-06-30 09:51:05.740719310 +0200 -@@ -1324,12 +1324,12 @@ +diff --color -rup a/scp.c b/scp.c +--- a/scp.c 2022-07-26 14:51:40.560120817 +0200 ++++ b/scp.c 2022-07-26 14:52:37.118213004 +0200 +@@ -1324,12 +1324,12 @@ source_sftp(int argc, char *src, char *t if (src_is_dir && iamrecursive) { if (upload_dir(conn, src, abs_dst, pflag, @@ -16,7 +16,7 @@ diff --color -ru a/scp.c b/scp.c error("failed to upload file %s to %s", src, abs_dst); errs = 1; } -@@ -1566,11 +1566,11 @@ +@@ -1566,11 +1566,11 @@ sink_sftp(int argc, char *dst, const cha debug("Fetching %s to %s\n", g.gl_pathv[i], abs_dst); if (globpath_is_dir(g.gl_pathv[i]) && iamrecursive) { if (download_dir(conn, g.gl_pathv[i], abs_dst, NULL, 
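Review bot: The condition added to load_identity_file, `if (r = sshkey_check_rsa_length(private, options.rsa_min_size) != 0)`, is missing parentheses around the assignment, so `r` receives the result of the comparison (0 or 1) rather than the function's return code. The key is still skipped when the check fails, but `debug_fr(r, ...)` then logs a meaningless error value, which makes a rejected undersized RSA key harder to diagnose. It should read `if ((r = sshkey_check_rsa_length(private, options.rsa_min_size)) != 0) {`. The block just above sets `private = NULL`, so this call can receive NULL; whether sshkey_check_rsa_length tolerates that is not visible here, and putting `!quit &&` in front of the call would avoid the question. load_identity_file continues outside the hunk.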
@@ -30,10 +30,10 @@ diff --color -ru a/scp.c b/scp.c err = -1; } free(abs_dst); -diff --color -ru a/sftp.c b/sftp.c ---- a/sftp.c 2022-06-30 09:47:39.530662594 +0200 -+++ b/sftp.c 2022-06-30 09:52:05.118887441 +0200 -@@ -666,12 +666,12 @@ +diff --color -rup a/sftp.c b/sftp.c +--- a/sftp.c 2022-07-26 14:51:40.561120836 +0200 ++++ b/sftp.c 2022-07-26 14:52:37.119213023 +0200 +@@ -666,12 +666,12 @@ process_get(struct sftp_conn *conn, cons if (globpath_is_dir(g.gl_pathv[i]) && (rflag || global_rflag)) { if (download_dir(conn, g.gl_pathv[i], abs_dst, NULL, pflag || global_pflag, 1, resume, @@ -48,7 +48,7 @@ diff --color -ru a/sftp.c b/sftp.c err = -1; } free(abs_dst); -@@ -760,12 +760,12 @@ +@@ -760,12 +760,12 @@ process_put(struct sftp_conn *conn, cons if (globpath_is_dir(g.gl_pathv[i]) && (rflag || global_rflag)) { if (upload_dir(conn, g.gl_pathv[i], abs_dst, pflag || global_pflag, 1, resume, @@ -63,10 +63,10 @@ diff --color -ru a/sftp.c b/sftp.c err = -1; } } -diff --color -ru a/sftp-client.c b/sftp-client.c ---- a/sftp-client.c 2022-06-30 09:47:39.530662594 +0200 -+++ b/sftp-client.c 2022-06-30 10:03:36.608473570 +0200 -@@ -1454,7 +1454,7 @@ +diff --color -rup a/sftp-client.c b/sftp-client.c +--- a/sftp-client.c 2022-07-26 14:51:40.561120836 +0200 ++++ b/sftp-client.c 2022-07-26 15:09:54.825295533 +0200 +@@ -1454,7 +1454,7 @@ progress_meter_path(const char *path) int do_download(struct sftp_conn *conn, const char *remote_path, const char *local_path, Attrib *a, int preserve_flag, int resume_flag, 
@@ -75,7 +75,18 @@ diff --color -ru a/sftp-client.c b/sftp-client.c { struct sshbuf *msg; u_char *handle; -@@ -1661,8 +1661,11 @@ +@@ -1498,8 +1498,8 @@ do_download(struct sftp_conn *conn, cons + &handle, &handle_len) != 0) + return -1; + +- local_fd = open(local_path, +- O_WRONLY | O_CREAT | (resume_flag ? 0 : O_TRUNC), mode | S_IWUSR); ++ local_fd = open(local_path, O_WRONLY | O_CREAT | ++ ((resume_flag || inplace_flag) ? 0 : O_TRUNC), mode | S_IWUSR); + if (local_fd == -1) { + error("Couldn't open local file \"%s\" for writing: %s", + local_path, strerror(errno)); +@@ -1661,8 +1661,11 @@ do_download(struct sftp_conn *conn, cons /* Sanity check */ if (TAILQ_FIRST(&requests) != NULL) fatal("Transfer complete, but requests still in queue"); @@ -89,7 +100,7 @@ diff --color -ru a/sftp-client.c b/sftp-client.c if (reordered && resume_flag) { error("Unable to resume download of \"%s\": " "server reordered requests", local_path); -@@ -1724,7 +1727,7 @@ +@@ -1724,7 +1727,7 @@ do_download(struct sftp_conn *conn, cons static int download_dir_internal(struct sftp_conn *conn, const char *src, const char *dst, int depth, Attrib *dirattrib, int preserve_flag, int print_flag, @@ -98,7 +109,7 @@ diff --color -ru a/sftp-client.c b/sftp-client.c { int i, ret = 0; SFTP_DIRENT **dir_entries; -@@ -1781,7 +1784,7 @@ +@@ -1781,7 +1784,7 @@ download_dir_internal(struct sftp_conn * if (download_dir_internal(conn, new_src, new_dst, depth + 1, &(dir_entries[i]->a), preserve_flag, print_flag, resume_flag, @@ -107,7 +118,7 @@ diff --color -ru a/sftp-client.c b/sftp-client.c ret = -1; } else if (S_ISREG(dir_entries[i]->a.perm) || (follow_link_flag && S_ISLNK(dir_entries[i]->a.perm))) { -@@ -1793,7 +1796,8 @@ +@@ -1793,7 +1796,8 @@ download_dir_internal(struct sftp_conn * if (do_download(conn, new_src, new_dst, S_ISLNK(dir_entries[i]->a.perm) ? NULL : &(dir_entries[i]->a), 
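Review bot: The rewritten open() in do_download, `((resume_flag || inplace_flag) ? 0 : O_TRUNC)`, leaves an existing local file at its old length when inplace_flag is set, and nothing in the new lines says where the stale tail is removed. If the remote file is shorter than the local one, the old trailing bytes survive unless the file is truncated after the transfer; the following do_download hunk may do that, but its added lines are not shown in this diff. I would add a comment above the call such as `/* inplace: do not truncate on open; the file is cut to the transferred length after the copy */` and confirm that the truncation also runs on the success path. do_download starts and ends outside the hunk.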
@@ -117,7 +128,7 @@ diff --color -ru a/sftp-client.c b/sftp-client.c error("Download of file %s to %s failed", new_src, new_dst); ret = -1; -@@ -1831,7 +1835,7 @@ +@@ -1831,7 +1835,7 @@ download_dir_internal(struct sftp_conn * int download_dir(struct sftp_conn *conn, const char *src, const char *dst, Attrib *dirattrib, int preserve_flag, int print_flag, int resume_flag, @@ -126,7 +137,7 @@ diff --color -ru a/sftp-client.c b/sftp-client.c { char *src_canon; int ret; -@@ -1843,26 +1847,25 @@ +@@ -1843,26 +1847,25 @@ download_dir(struct sftp_conn *conn, con ret = download_dir_internal(conn, src_canon, dst, 0, dirattrib, preserve_flag, print_flag, resume_flag, fsync_flag, @@ -161,7 +172,7 @@ diff --color -ru a/sftp-client.c b/sftp-client.c struct request *ack = NULL; struct requests acks; size_t handle_len; -@@ -1913,10 +1916,15 @@ +@@ -1913,10 +1916,15 @@ do_upload(struct sftp_conn *conn, const } } @@ -180,7 +191,7 @@ diff --color -ru a/sftp-client.c b/sftp-client.c close(local_fd); return -1; } -@@ -1999,6 +2007,12 @@ +@@ -1999,6 +2007,12 @@ do_upload(struct sftp_conn *conn, const ack->id, ack->len, (unsigned long long)ack->offset); ++ackid; progress_counter += ack->len; @@ -193,7 +204,7 @@ diff --color -ru a/sftp-client.c b/sftp-client.c free(ack); } offset += len; -@@ -2017,6 +2031,14 @@ +@@ -2017,6 +2031,14 @@ do_upload(struct sftp_conn *conn, const status = SSH2_FX_FAILURE; } @@ -208,7 +219,7 @@ diff --color -ru a/sftp-client.c b/sftp-client.c if (close(local_fd) == -1) { error("Couldn't close local file \"%s\": %s", local_path, strerror(errno)); -@@ -2041,7 +2063,7 @@ +@@ -2041,7 +2063,7 @@ do_upload(struct sftp_conn *conn, const static int upload_dir_internal(struct sftp_conn *conn, const char *src, const char *dst, int depth, int preserve_flag, int print_flag, int resume, int fsync_flag, 
@@ -217,7 +228,7 @@ diff --color -ru a/sftp-client.c b/sftp-client.c { int ret = 0; DIR *dirp; -@@ -2119,12 +2141,13 @@ +@@ -2119,12 +2141,13 @@ upload_dir_internal(struct sftp_conn *co if (upload_dir_internal(conn, new_src, new_dst, depth + 1, preserve_flag, print_flag, resume, @@ -233,7 +244,7 @@ diff --color -ru a/sftp-client.c b/sftp-client.c error("Uploading of file %s to %s failed!", new_src, new_dst); ret = -1; -@@ -2144,7 +2167,7 @@ +@@ -2144,7 +2167,7 @@ upload_dir_internal(struct sftp_conn *co int upload_dir(struct sftp_conn *conn, const char *src, const char *dst, int preserve_flag, int print_flag, int resume, int fsync_flag, @@ -242,7 +253,7 @@ diff --color -ru a/sftp-client.c b/sftp-client.c { char *dst_canon; int ret; -@@ -2155,7 +2178,7 @@ +@@ -2155,7 +2178,7 @@ upload_dir(struct sftp_conn *conn, const } ret = upload_dir_internal(conn, src, dst_canon, 0, preserve_flag, @@ -251,10 +262,10 @@ diff --color -ru a/sftp-client.c b/sftp-client.c free(dst_canon); return ret; -diff --color -ru a/sftp-client.h b/sftp-client.h ---- a/sftp-client.h 2022-06-30 09:47:39.530662594 +0200 -+++ b/sftp-client.h 2022-06-30 10:05:50.835107759 +0200 -@@ -138,28 +138,29 @@ +diff --color -rup a/sftp-client.h b/sftp-client.h +--- a/sftp-client.h 2022-07-26 14:51:40.561120836 +0200 ++++ b/sftp-client.h 2022-07-26 14:52:37.120213042 +0200 +@@ -138,28 +138,29 @@ int do_fsync(struct sftp_conn *conn, u_c * Download 'remote_path' to 'local_path'. Preserve permissions and times * if 'pflag' is set */ diff --git a/openssh.spec b/openssh.spec index d7d36e1..872df66 100644 --- a/openssh.spec +++ b/openssh.spec @@ -55,8 +55,8 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %global openssh_ver 8.7p1 -%global openssh_rel 19 -%global hyperscale_rel 3 +%global openssh_rel 22 +%global hyperscale_rel 1 %global pam_ssh_agent_ver 0.10.4 %global pam_ssh_agent_rel 5 
@@ -227,11 +227,16 @@ Patch981: openssh-8.7p1-recursive-scp.patch Patch982: openssh-8.7p1-minrsabits.patch # downstream only Patch983: openssh-8.7p1-evpgenkey.patch +# downstream only, IBMCA tentative fix +# From https://bugzilla.redhat.com/show_bug.cgi?id=1976202#c14 +Patch984: openssh-8.7p1-ibmca.patch # Minimize the use of SHA1 as a proof of possession for RSA key (#2031868) # upstream commits: # 291721bc7c840d113a49518f3fca70e86248b8e8 # 0fa33683223c76289470a954404047bc762be84c +# Avoid dubious diagnostics on update known hosts (#2115246) +# 8832402bd500d1661ccc80a476fd563335ef6cdc Patch1000: openssh-8.7p1-minimize-sha1-use.patch # Fix for scp clearing file when src and dest are the same (#2056884) # upstream commits: @@ -480,6 +485,7 @@ popd # This patch results in build failures on el8 %patch983 -p1 -b .evpgenrsa %endif +%patch984 -p1 -b .ibmca %patch200 -p1 -b .audit %patch201 -p1 -b .audit-race @@ -797,6 +803,20 @@ test -f %{sysconfig_anaconda} && \ * Wed Aug 24 2022 Kent Peacock 8.7p1-19.3 + 0.10.4-5.3 - Set up local developer strategy using quilt and incorporate Meta patches +* Tue Aug 16 2022 Dmitry Belyavskiy - 8.7p1-22 +- Avoid spirous message on connecting to the machine with ssh-rsa keys + Related: rhbz#2115246 +- Set minimal value of RSA key length via configuration option + Related: rhbz#2066882 + +* Thu Aug 04 2022 Dmitry Belyavskiy - 8.7p1-21 +- IBMCA workaround + Related: rhbz#1976202 + +* Tue Jul 26 2022 Zoltan Fridrich - 8.7p1-20 + 0.10.4-5 +- Fix openssh-8.7p1-scp-clears-file.patch + Related: rhbz#2056884 + * Wed Jul 20 2022 Davide Cavalca - 8.7p1-19.2 + 0.10.4-5.2 - Refactor and reinstate FIPS patch for el8