diff --git a/openssh-5.2p1-edns.patch b/openssh-5.2p1-edns.patch deleted file mode 100644 index f3e431e..0000000 --- a/openssh-5.2p1-edns.patch +++ /dev/null 
@@ -1,72 +0,0 @@ -diff -up openssh-5.2p1/dns.c.rh205842 openssh-5.2p1/dns.c ---- openssh-5.2p1/dns.c.rh205842 2009-07-27 16:25:28.000000000 +0200 -+++ openssh-5.2p1/dns.c 2009-07-27 16:40:59.000000000 +0200 -@@ -176,6 +176,7 @@ verify_host_key_dns(const char *hostname - { - u_int counter; - int result; -+ unsigned int rrset_flags = 0; - struct rrsetinfo *fingerprints = NULL; - - u_int8_t hostkey_algorithm; -@@ -199,8 +200,19 @@ verify_host_key_dns(const char *hostname - return -1; - } - -+ /* -+ * Original getrrsetbyname function, found on OpenBSD for example, -+ * doesn't accept any flag and prerequisite for obtaining AD bit in -+ * DNS response is set by "options edns0" in resolv.conf. -+ * -+ * Our version is more clever and use RRSET_FORCE_EDNS0 flag. -+ */ -+#ifndef HAVE_GETRRSETBYNAME -+ rrset_flags |= RRSET_FORCE_EDNS0; -+#endif - result = getrrsetbyname(hostname, DNS_RDATACLASS_IN, -- DNS_RDATATYPE_SSHFP, 0, &fingerprints); -+ DNS_RDATATYPE_SSHFP, rrset_flags, &fingerprints); -+ - if (result) { - verbose("DNS lookup error: %s", dns_result_totext(result)); - return -1; -diff -up openssh-5.2p1/openbsd-compat/getrrsetbyname.c.rh205842 openssh-5.2p1/openbsd-compat/getrrsetbyname.c ---- openssh-5.2p1/openbsd-compat/getrrsetbyname.c.rh205842 2009-07-27 16:22:23.000000000 +0200 -+++ openssh-5.2p1/openbsd-compat/getrrsetbyname.c 2009-07-27 16:41:55.000000000 +0200 -@@ -209,8 +209,8 @@ getrrsetbyname(const char *hostname, uns - goto fail; - } - -- /* don't allow flags yet, unimplemented */ -- if (flags) { -+ /* Allow RRSET_FORCE_EDNS0 flag only. 
*/ -+ if ((flags & !RRSET_FORCE_EDNS0) != 0) { - result = ERRSET_INVAL; - goto fail; - } -@@ -226,9 +226,9 @@ getrrsetbyname(const char *hostname, uns - #endif /* DEBUG */ - - #ifdef RES_USE_DNSSEC -- /* turn on DNSSEC if EDNS0 is configured */ -- if (_resp->options & RES_USE_EDNS0) -- _resp->options |= RES_USE_DNSSEC; -+ /* turn on DNSSEC if required */ -+ if (flags & RRSET_FORCE_EDNS0) -+ _resp->options |= (RES_USE_EDNS0|RES_USE_DNSSEC); - #endif /* RES_USE_DNSEC */ - - /* make query */ -diff -up openssh-5.2p1/openbsd-compat/getrrsetbyname.h.rh205842 openssh-5.2p1/openbsd-compat/getrrsetbyname.h ---- openssh-5.2p1/openbsd-compat/getrrsetbyname.h.rh205842 2009-07-27 16:35:02.000000000 +0200 -+++ openssh-5.2p1/openbsd-compat/getrrsetbyname.h 2009-07-27 16:36:09.000000000 +0200 -@@ -72,6 +72,9 @@ - #ifndef RRSET_VALIDATED - # define RRSET_VALIDATED 1 - #endif -+#ifndef RRSET_FORCE_EDNS0 -+# define RRSET_FORCE_EDNS0 0x0001 -+#endif - - /* - * Return codes for getrrsetbyname() diff --git a/openssh-5.9p1-akc.patch b/openssh-5.9p1-akc.patch index 0abc256..3737981 100644 --- a/openssh-5.9p1-akc.patch +++ b/openssh-5.9p1-akc.patch @@ -1,6 +1,6 @@ diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c ---- openssh-5.9p1/auth2-pubkey.c.akc 2011-09-09 17:26:31.000000000 +0200 -+++ openssh-5.9p1/auth2-pubkey.c 2011-09-09 17:28:15.000000000 +0200 +--- openssh-5.9p1/auth2-pubkey.c.akc 2011-09-09 19:27:15.369501615 +0200 ++++ openssh-5.9p1/auth2-pubkey.c 2011-09-09 19:30:32.958509941 +0200 @@ -27,6 +27,7 @@ #include @@ -47,7 +47,7 @@ diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c key_free(found); if (!found_key) debug2("key not found"); -@@ -452,13 +439,191 @@ user_cert_trusted_ca(struct passwd *pw, +@@ -452,13 +439,191 @@ user_cert_trusted_ca(struct passwd *pw, return ret; } 
@@ -242,7 +242,7 @@ diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key)) diff -up openssh-5.9p1/configure.ac.akc openssh-5.9p1/configure.ac --- openssh-5.9p1/configure.ac.akc 2011-08-18 06:48:24.000000000 +0200 -+++ openssh-5.9p1/configure.ac 2011-09-09 17:26:31.000000000 +0200 ++++ openssh-5.9p1/configure.ac 2011-09-09 19:27:17.548440048 +0200 @@ -1421,6 +1421,18 @@ AC_ARG_WITH([audit], esac ] ) @@ -271,9 +271,9 @@ diff -up openssh-5.9p1/configure.ac.akc openssh-5.9p1/configure.ac echo " libedit support: $LIBEDIT_MSG" echo " Solaris process contract support: $SPC_MSG" diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c ---- openssh-5.9p1/servconf.c.akc 2011-09-09 17:26:30.000000000 +0200 -+++ openssh-5.9p1/servconf.c 2011-09-09 17:26:31.000000000 +0200 -@@ -139,6 +139,8 @@ initialize_server_options(ServerOptions +--- openssh-5.9p1/servconf.c.akc 2011-09-09 19:27:03.490455245 +0200 ++++ openssh-5.9p1/servconf.c 2011-09-09 19:27:17.666565662 +0200 +@@ -139,6 +139,8 @@ initialize_server_options(ServerOptions options->num_permitted_opens = -1; options->adm_forced_command = NULL; options->chroot_directory = NULL; @@ -344,8 +344,8 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c /* string arguments requiring a lookup */ dump_cfg_string(sLogLevel, log_level_name(o->log_level)); diff -up openssh-5.9p1/servconf.h.akc openssh-5.9p1/servconf.h ---- openssh-5.9p1/servconf.h.akc 2011-09-09 17:26:30.000000000 +0200 -+++ openssh-5.9p1/servconf.h 2011-09-09 17:26:31.000000000 +0200 +--- openssh-5.9p1/servconf.h.akc 2011-09-09 19:27:03.614494286 +0200 ++++ openssh-5.9p1/servconf.h 2011-09-09 19:27:18.043502934 +0200 @@ -174,6 +174,8 @@ typedef struct { char *revoked_keys_file; char *trusted_user_ca_keys; 
@@ -355,22 +355,9 @@ diff -up openssh-5.9p1/servconf.h.akc openssh-5.9p1/servconf.h } ServerOptions; /* -diff -up openssh-5.9p1/sshd_config.akc openssh-5.9p1/sshd_config ---- openssh-5.9p1/sshd_config.akc 2011-09-09 17:26:30.000000000 +0200 -+++ openssh-5.9p1/sshd_config 2011-09-09 17:26:31.000000000 +0200 -@@ -49,6 +49,9 @@ - # but this is overridden so installations will only check .ssh/authorized_keys - AuthorizedKeysFile .ssh/authorized_keys - -+#AuthorizedKeysCommand none -+#AuthorizedKeysCommandRunAs nobody -+ - # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts - #RhostsRSAAuthentication no - # similar for protocol version 2 diff -up openssh-5.9p1/sshd_config.0.akc openssh-5.9p1/sshd_config.0 --- openssh-5.9p1/sshd_config.0.akc 2011-09-07 01:16:30.000000000 +0200 -+++ openssh-5.9p1/sshd_config.0 2011-09-09 17:26:31.000000000 +0200 ++++ openssh-5.9p1/sshd_config.0 2011-09-09 19:27:18.168626976 +0200 @@ -71,6 +71,23 @@ DESCRIPTION See PATTERNS in ssh_config(5) for more information on patterns. @@ -406,8 +393,8 @@ diff -up openssh-5.9p1/sshd_config.0.akc openssh-5.9p1/sshd_config.0 GSSAPIAuthentication, HostbasedAuthentication, HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication, diff -up openssh-5.9p1/sshd_config.5.akc openssh-5.9p1/sshd_config.5 ---- openssh-5.9p1/sshd_config.5.akc 2011-09-09 17:26:30.000000000 +0200 -+++ openssh-5.9p1/sshd_config.5 2011-09-09 17:26:31.000000000 +0200 +--- openssh-5.9p1/sshd_config.5.akc 2011-09-09 19:27:03.912515059 +0200 ++++ openssh-5.9p1/sshd_config.5 2011-09-09 19:27:18.292494317 +0200 @@ -706,6 +706,8 @@ Available keywords are .Cm AllowAgentForwarding , .Cm AllowTcpForwarding , 
@@ -446,3 +433,16 @@ diff -up openssh-5.9p1/sshd_config.5.akc openssh-5.9p1/sshd_config.5 .It Cm RhostsRSAAuthentication Specifies whether rhosts or /etc/hosts.equiv authentication together with successful RSA host authentication is allowed. +diff -up openssh-5.9p1/sshd_config.akc openssh-5.9p1/sshd_config +--- openssh-5.9p1/sshd_config.akc 2011-09-09 19:27:03.754502770 +0200 ++++ openssh-5.9p1/sshd_config 2011-09-09 19:27:18.446471121 +0200 +@@ -49,6 +49,9 @@ + # but this is overridden so installations will only check .ssh/authorized_keys + AuthorizedKeysFile .ssh/authorized_keys + ++#AuthorizedKeysCommand none ++#AuthorizedKeysCommandRunAs nobody ++ + # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts + #RhostsRSAAuthentication no + # similar for protocol version 2 diff --git a/openssh-5.9p1-coverity.patch b/openssh-5.9p1-coverity.patch index 5b1a4d3..5b9c2d7 100644 --- a/openssh-5.9p1-coverity.patch +++ b/openssh-5.9p1-coverity.patch @@ -1,6 +1,6 @@ diff -up openssh-5.9p1/auth-pam.c.coverity openssh-5.9p1/auth-pam.c --- openssh-5.9p1/auth-pam.c.coverity 2009-07-12 14:07:21.000000000 +0200 -+++ openssh-5.9p1/auth-pam.c 2011-09-08 14:13:59.596485750 +0200 ++++ openssh-5.9p1/auth-pam.c 2011-09-09 15:13:32.820565436 +0200 @@ -216,7 +216,7 @@ pthread_join(sp_pthread_t thread, void * if (sshpam_thread_status != -1) return (sshpam_thread_status); @@ -12,7 +12,7 @@ diff -up openssh-5.9p1/auth-pam.c.coverity openssh-5.9p1/auth-pam.c #endif diff -up openssh-5.9p1/channels.c.coverity openssh-5.9p1/channels.c --- openssh-5.9p1/channels.c.coverity 2011-06-23 00:31:57.000000000 +0200 -+++ openssh-5.9p1/channels.c 2011-09-08 14:13:59.724564062 +0200 ++++ openssh-5.9p1/channels.c 2011-09-09 15:13:32.911439569 +0200 @@ -229,11 +229,11 @@ channel_register_fds(Channel *c, int rfd channel_max_fd = MAX(channel_max_fd, wfd); channel_max_fd = MAX(channel_max_fd, efd); 
@@ -45,7 +45,7 @@ diff -up openssh-5.9p1/channels.c.coverity openssh-5.9p1/channels.c } diff -up openssh-5.9p1/clientloop.c.coverity openssh-5.9p1/clientloop.c --- openssh-5.9p1/clientloop.c.coverity 2011-06-23 00:31:58.000000000 +0200 -+++ openssh-5.9p1/clientloop.c 2011-09-08 14:13:59.829450205 +0200 ++++ openssh-5.9p1/clientloop.c 2011-09-09 15:13:33.017564323 +0200 @@ -1970,6 +1970,7 @@ client_input_global_request(int type, u_ char *rtype; int want_reply; @@ -56,7 +56,7 @@ diff -up openssh-5.9p1/clientloop.c.coverity openssh-5.9p1/clientloop.c want_reply = packet_get_char(); diff -up openssh-5.9p1/key.c.coverity openssh-5.9p1/key.c --- openssh-5.9p1/key.c.coverity 2011-05-20 11:03:08.000000000 +0200 -+++ openssh-5.9p1/key.c 2011-09-08 14:13:59.959563856 +0200 ++++ openssh-5.9p1/key.c 2011-09-09 15:13:33.145442605 +0200 @@ -803,8 +803,10 @@ key_read(Key *ret, char **cpp) success = 1; /*XXXX*/ 
@@ -68,9 +68,45 @@ diff -up openssh-5.9p1/key.c.coverity openssh-5.9p1/key.c /* advance cp: skip whitespace and data */ while (*cp == ' ' || *cp == '\t') cp++; +diff -up openssh-5.9p1/monitor.c.coverity openssh-5.9p1/monitor.c +--- openssh-5.9p1/monitor.c.coverity 2011-09-09 17:13:15.937439833 +0200 ++++ openssh-5.9p1/monitor.c 2011-09-09 17:15:18.625466696 +0200 +@@ -1161,6 +1161,10 @@ mm_answer_keyallowed(int sock, Buffer *m + break; + } + } ++ ++ debug3("%s: key %p is %s", ++ __func__, key, allowed ? "allowed" : "not allowed"); ++ + if (key != NULL) + key_free(key); + +@@ -1182,9 +1186,6 @@ mm_answer_keyallowed(int sock, Buffer *m + xfree(chost); + } + +- debug3("%s: key %p is %s", +- __func__, key, allowed ? "allowed" : "not allowed"); +- + buffer_clear(m); + buffer_put_int(m, allowed); + buffer_put_int(m, forced_command != NULL); +diff -up openssh-5.9p1/openbsd-compat/bindresvport.c.coverity openssh-5.9p1/openbsd-compat/bindresvport.c +--- openssh-5.9p1/openbsd-compat/bindresvport.c.coverity 2011-09-09 17:29:14.709442881 +0200 ++++ openssh-5.9p1/openbsd-compat/bindresvport.c 2011-09-09 17:32:48.770563974 +0200 +@@ -58,7 +58,7 @@ bindresvport_sa(int sd, struct sockaddr + struct sockaddr_in6 *in6; + u_int16_t *portp; + u_int16_t port; +- socklen_t salen; ++ socklen_t salen = sizeof(struct sockaddr_storage); + int i; + + if (sa == NULL) { diff -up openssh-5.9p1/packet.c.coverity openssh-5.9p1/packet.c --- openssh-5.9p1/packet.c.coverity 2011-05-15 00:58:15.000000000 +0200 -+++ openssh-5.9p1/packet.c 2011-09-08 14:14:00.075501777 +0200 ++++ openssh-5.9p1/packet.c 2011-09-09 15:13:33.263447887 +0200 @@ -1177,6 +1177,7 @@ packet_read_poll1(void) case DEATTACK_DETECTED: packet_disconnect("crc32 compensation attack: " 
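Review bot: The new initializer `socklen_t salen = sizeof(struct sockaddr_storage);` in `bindresvport_sa` cures the uninitialized in/out argument, but it names a type rather than the buffer whose size it is meant to describe. If, as the `if (sa == NULL) {` context suggests, the path just below the hunk passes `&salen` to `getsockname()` with a local `sockaddr_storage` as the buffer, writing the initializer as `sizeof` of that buffer variable keeps the two from drifting apart; the rest of `bindresvport_sa`, including that path and the per-family length assignments, is outside the hunk. The `debug3()` relocation in `mm_answer_keyallowed` looks correct: in the lines visible here nothing between the new and old positions changes `allowed`, so the message is unchanged and `key` is no longer formatted after `key_free()`.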
@@ -90,7 +126,7 @@ diff -up openssh-5.9p1/packet.c.coverity openssh-5.9p1/packet.c setp = (fd_set *)xcalloc(howmany(active_state->connection_out + 1, diff -up openssh-5.9p1/progressmeter.c.coverity openssh-5.9p1/progressmeter.c --- openssh-5.9p1/progressmeter.c.coverity 2006-08-05 04:39:40.000000000 +0200 -+++ openssh-5.9p1/progressmeter.c 2011-09-08 14:14:00.186620217 +0200 ++++ openssh-5.9p1/progressmeter.c 2011-09-09 15:13:33.382566039 +0200 @@ -65,7 +65,7 @@ static void update_progress_meter(int); static time_t start; /* start progress */ @@ -111,7 +147,7 @@ diff -up openssh-5.9p1/progressmeter.c.coverity openssh-5.9p1/progressmeter.c file = f; diff -up openssh-5.9p1/progressmeter.h.coverity openssh-5.9p1/progressmeter.h --- openssh-5.9p1/progressmeter.h.coverity 2006-03-26 05:30:02.000000000 +0200 -+++ openssh-5.9p1/progressmeter.h 2011-09-08 14:14:00.299626834 +0200 ++++ openssh-5.9p1/progressmeter.h 2011-09-09 15:13:33.501438992 +0200 @@ -23,5 +23,5 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ @@ -121,7 +157,7 @@ diff -up openssh-5.9p1/progressmeter.h.coverity openssh-5.9p1/progressmeter.h void stop_progress_meter(void); diff -up openssh-5.9p1/scp.c.coverity openssh-5.9p1/scp.c --- openssh-5.9p1/scp.c.coverity 2011-01-06 12:41:21.000000000 +0100 -+++ openssh-5.9p1/scp.c 2011-09-08 14:14:00.404502349 +0200 ++++ openssh-5.9p1/scp.c 2011-09-09 15:13:33.607564009 +0200 @@ -155,7 +155,7 @@ killchild(int signo) { if (do_cmd_pid > 1) { 
@@ -131,9 +167,21 @@ diff -up openssh-5.9p1/scp.c.coverity openssh-5.9p1/scp.c } if (signo) +diff -up openssh-5.9p1/servconf.c.coverity openssh-5.9p1/servconf.c +--- openssh-5.9p1/servconf.c.coverity 2011-09-09 17:24:09.333561142 +0200 ++++ openssh-5.9p1/servconf.c 2011-09-09 17:26:41.488502345 +0200 +@@ -1171,7 +1171,7 @@ process_server_config_line(ServerOptions + fatal("%s line %d: Missing subsystem name.", + filename, linenum); + if (!*activep) { +- arg = strdelim(&cp); ++ /*arg =*/ (void) strdelim(&cp); + break; + } + for (i = 0; i < options->num_subsystems; i++) diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c --- openssh-5.9p1/serverloop.c.coverity 2011-05-20 11:02:50.000000000 +0200 -+++ openssh-5.9p1/serverloop.c 2011-09-08 14:14:00.516501505 +0200 ++++ openssh-5.9p1/serverloop.c 2011-09-09 15:13:33.723564433 +0200 @@ -147,13 +147,13 @@ notify_setup(void) static void notify_parent(void) @@ -245,7 +293,7 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c tun = forced_tun_device; diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c --- openssh-5.9p1/sftp-client.c.coverity 2010-12-04 23:02:48.000000000 +0100 -+++ openssh-5.9p1/sftp-client.c 2011-09-08 14:14:00.640502358 +0200 ++++ openssh-5.9p1/sftp-client.c 2011-09-09 15:13:33.845564522 +0200 @@ -149,7 +149,7 @@ get_msg(struct sftp_conn *conn, Buffer * } @@ -470,7 +518,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c size_t len = strlen(p1) + strlen(p2) + 2; diff -up openssh-5.9p1/sftp-client.h.coverity openssh-5.9p1/sftp-client.h --- openssh-5.9p1/sftp-client.h.coverity 2010-12-04 23:02:48.000000000 +0100 -+++ openssh-5.9p1/sftp-client.h 2011-09-08 14:14:00.750502818 +0200 ++++ openssh-5.9p1/sftp-client.h 2011-09-09 15:13:33.954567073 +0200 @@ -56,49 +56,49 @@ struct sftp_conn *do_init(int, int, u_in u_int sftp_proto_version(struct sftp_conn *); 
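Review bot: The `/*arg =*/` left in front of `(void) strdelim(&cp);` in `process_server_config_line` is commented-out code rather than a comment, and it will puzzle the next reader more than the Coverity "unused value" finding it replaces. Drop it and say why the token is thrown away, e.g. `(void) strdelim(&cp);	/* skip the subsystem command; !*activep branch ignores it */`. The enclosing `case sSubsystem:` block begins before the hunk and continues after it, so whether the remainder of a multi-token command line is also consumed cannot be checked from here.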
@@ -570,7 +618,16 @@ diff -up openssh-5.9p1/sftp-client.h.coverity openssh-5.9p1/sftp-client.h #endif diff -up openssh-5.9p1/sftp.c.coverity openssh-5.9p1/sftp.c --- openssh-5.9p1/sftp.c.coverity 2010-12-04 23:02:48.000000000 +0100 -+++ openssh-5.9p1/sftp.c 2011-09-08 14:25:08.647440423 +0200 ++++ openssh-5.9p1/sftp.c 2011-09-09 15:13:34.086441893 +0200 +@@ -206,7 +206,7 @@ killchild(int signo) + { + if (sshpid > 1) { + kill(sshpid, SIGTERM); +- waitpid(sshpid, NULL, 0); ++ (void) waitpid(sshpid, NULL, 0); + } + + _exit(1); @@ -316,7 +316,7 @@ local_do_ls(const char *args) /* Strip one path (usually the pwd) from the start of another */ @@ -674,9 +731,23 @@ diff -up openssh-5.9p1/sftp.c.coverity openssh-5.9p1/sftp.c { struct sftp_statvfs st; char s_used[FMT_SCALED_STRSIZE]; +diff -up openssh-5.9p1/ssh-agent.c.coverity openssh-5.9p1/ssh-agent.c +--- openssh-5.9p1/ssh-agent.c.coverity 2011-06-03 06:14:16.000000000 +0200 ++++ openssh-5.9p1/ssh-agent.c 2011-09-09 15:13:34.203567987 +0200 +@@ -1147,8 +1147,8 @@ main(int ac, char **av) + sanitise_stdfd(); + + /* drop */ +- setegid(getgid()); +- setgid(getgid()); ++ (void) setegid(getgid()); ++ (void) setgid(getgid()); + + #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE) + /* Disable ptrace on Linux without sgid bit */ diff -up openssh-5.9p1/sshd.c.coverity openssh-5.9p1/sshd.c --- openssh-5.9p1/sshd.c.coverity 2011-06-23 11:45:51.000000000 +0200 -+++ openssh-5.9p1/sshd.c 2011-09-08 14:14:01.018565321 +0200 ++++ openssh-5.9p1/sshd.c 2011-09-09 15:13:34.317564195 +0200 @@ -1302,6 +1302,9 @@ server_accept_loop(int *sock_in, int *so if (num_listen_socks < 0) break; diff --git a/openssh-5.9p1-edns.patch b/openssh-5.9p1-edns.patch new file mode 100644 index 0000000..34f3851 --- /dev/null +++ b/openssh-5.9p1-edns.patch 
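Review bot: Casting `setegid(getgid())` and `setgid(getgid())` to `(void)` in ssh-agent's `main()` silences the Coverity warning without addressing it, and this is the one place in the patch where the ignored return matters: the comment that follows ("Disable ptrace on Linux without sgid bit") suggests the binary may run setgid, and if either call fails the agent simply continues with the group it was supposed to drop. Check the results and refuse to continue, e.g. `if (setegid(getgid()) == -1 || setgid(getgid()) == -1) fatal("setgid: %s", strerror(errno));`, using OpenSSH's own `fatal()`; `<errno.h>` and `<string.h>` are presumably already included by ssh-agent.c but that is outside the hunk. The `(void) waitpid(...)` in sftp.c's `killchild()` in the neighbouring hunk is fine as it stands, since a signal handler about to `_exit()` has no use for the status.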
@@ -0,0 +1,72 @@ +diff -up openssh-5.9p1/dns.c.edns openssh-5.9p1/dns.c +--- openssh-5.9p1/dns.c.edns 2010-08-31 14:41:14.000000000 +0200 ++++ openssh-5.9p1/dns.c 2011-09-09 08:05:27.782440497 +0200 +@@ -177,6 +177,7 @@ verify_host_key_dns(const char *hostname + { + u_int counter; + int result; ++ unsigned int rrset_flags = 0; + struct rrsetinfo *fingerprints = NULL; + + u_int8_t hostkey_algorithm; +@@ -200,8 +201,19 @@ verify_host_key_dns(const char *hostname + return -1; + } + ++ /* ++ * Original getrrsetbyname function, found on OpenBSD for example, ++ * doesn't accept any flag and prerequisite for obtaining AD bit in ++ * DNS response is set by "options edns0" in resolv.conf. ++ * ++ * Our version is more clever and use RRSET_FORCE_EDNS0 flag. ++ */ ++#ifndef HAVE_GETRRSETBYNAME ++ rrset_flags |= RRSET_FORCE_EDNS0; ++#endif + result = getrrsetbyname(hostname, DNS_RDATACLASS_IN, +- DNS_RDATATYPE_SSHFP, 0, &fingerprints); ++ DNS_RDATATYPE_SSHFP, rrset_flags, &fingerprints); ++ + if (result) { + verbose("DNS lookup error: %s", dns_result_totext(result)); + return -1; +diff -up openssh-5.9p1/openbsd-compat/getrrsetbyname.c.edns openssh-5.9p1/openbsd-compat/getrrsetbyname.c +--- openssh-5.9p1/openbsd-compat/getrrsetbyname.c.edns 2009-07-13 03:38:23.000000000 +0200 ++++ openssh-5.9p1/openbsd-compat/getrrsetbyname.c 2011-09-09 15:03:39.930500801 +0200 +@@ -209,8 +209,8 @@ getrrsetbyname(const char *hostname, uns + goto fail; + } + +- /* don't allow flags yet, unimplemented */ +- if (flags) { ++ /* Allow RRSET_FORCE_EDNS0 flag only. 
*/ ++ if ((flags & ~RRSET_FORCE_EDNS0) != 0) { + result = ERRSET_INVAL; + goto fail; + } +@@ -226,9 +226,9 @@ getrrsetbyname(const char *hostname, uns + #endif /* DEBUG */ + + #ifdef RES_USE_DNSSEC +- /* turn on DNSSEC if EDNS0 is configured */ +- if (_resp->options & RES_USE_EDNS0) +- _resp->options |= RES_USE_DNSSEC; ++ /* turn on DNSSEC if required */ ++ if (flags & RRSET_FORCE_EDNS0) ++ _resp->options |= (RES_USE_EDNS0|RES_USE_DNSSEC); + #endif /* RES_USE_DNSEC */ + + /* make query */ +diff -up openssh-5.9p1/openbsd-compat/getrrsetbyname.h.edns openssh-5.9p1/openbsd-compat/getrrsetbyname.h +--- openssh-5.9p1/openbsd-compat/getrrsetbyname.h.edns 2007-10-26 08:26:50.000000000 +0200 ++++ openssh-5.9p1/openbsd-compat/getrrsetbyname.h 2011-09-09 08:05:27.965438689 +0200 +@@ -72,6 +72,9 @@ + #ifndef RRSET_VALIDATED + # define RRSET_VALIDATED 1 + #endif ++#ifndef RRSET_FORCE_EDNS0 ++# define RRSET_FORCE_EDNS0 0x0001 ++#endif + + /* + * Return codes for getrrsetbyname() diff --git a/openssh.spec b/openssh.spec index 98d9e82..e24eb9f 100644 --- a/openssh.spec +++ b/openssh.spec @@ -79,7 +79,7 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %define openssh_ver 5.9p1 -%define openssh_rel 2 +%define openssh_rel 3 %define pam_ssh_agent_ver 0.9.2 %define pam_ssh_agent_rel 32 @@ -183,7 +183,7 @@ Patch702: openssh-5.1p1-askpass-progress.patch #? Patch703: openssh-4.3p2-askpass-grab-info.patch #? -Patch704: openssh-5.2p1-edns.patch +Patch704: openssh-5.9p1-edns.patch #? Patch705: openssh-5.1p1-scp-manpage.patch #? @@ -785,6 +785,10 @@ fi %endif %changelog +* Fri Sep 9 2011 Jan F. Chadima - 5.9p1-3 + 0.9.2-32 +- Coverity second pass +- Reenable akc patch + * Thu Sep 8 2011 Jan F. Chadima - 5.9p1-2 + 0.9.2-32 - Coverity first pass
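Review bot: The comment added above `rrset_flags |= RRSET_FORCE_EDNS0;` in `verify_host_key_dns` explains the mechanism but omits the trust boundary a reader needs: forcing EDNS0/DO only asks the resolver named in resolv.conf to validate, and the AD bit in its reply is, as far as the visible lines show, taken at face value, so the SSHFP result is only as trustworthy as the path to that resolver. I would append to the comment: `The AD bit is only meaningful when the configured resolver validates DNSSEC itself and is reached over a trusted path (e.g. localhost); an upstream that can be spoofed can set AD on a forged answer.` The sentence `Our version is more clever and use RRSET_FORCE_EDNS0 flag.` should also read `Our compat version instead accepts the RRSET_FORCE_EDNS0 flag.`. The mask `(flags & ~RRSET_FORCE_EDNS0) != 0` in the compat `getrrsetbyname()` is correct (the deleted 5.2p1 version's `!` accepted every flag), but `RRSET_FORCE_EDNS0` is defined as `0x0001`, numerically identical to `RRSET_VALIDATED` two lines above; they presumably live in different words (input `flags` versus the result's `rri_flags`), and a one-line comment saying so would stop someone from "fixing" the collision.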