#3 Merge remote-tracking branch 'upstream/c9s' into c9s-sig-hyperscale
Merged 2 years ago by dcavalca. Opened 2 years ago by rcolebaugh.
rpms/ rcolebaugh/openssh c9s-sig-hyperscale  into  c9s-sig-hyperscale

@@ -0,0 +1,12 @@ 

+ --- openssh-8.7p1/openbsd-compat/bsd-closefrom.c.orig	2022-04-12 15:47:03.815044607 +0200

+ +++ openssh-8.7p1/openbsd-compat/bsd-closefrom.c	2022-04-12 15:48:12.464963511 +0200

+ @@ -16,7 +16,7 @@

+  

+  #include "includes.h"

+  

+ -#ifndef HAVE_CLOSEFROM

+ +#if (!defined HAVE_CLOSEFROM) || (defined __s390__)

+  

+  #include <sys/types.h>

+  #include <sys/param.h>

+ 
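Review bot: The new guard `#if (!defined HAVE_CLOSEFROM) || (defined __s390__)` in bsd-closefrom.c has no comment saying why s390 builds must compile the compat closefrom() even when libc provides one, so a later rebase has nothing to judge the exception against. A one-line comment above the guard would carry the reason and the tracker reference already used in the spec, for example `/* s390: always build the compat closefrom(), IBMCA workaround, see rhbz#1976202 */`. Because closefrom() is what drops inherited descriptors, it is worth confirming that on s390 the local definition really takes precedence over the libc symbol and closes the same descriptor range; the rest of the file is outside this hunk, so that cannot be checked from here.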

@@ -87,6 +87,19 @@ 

   			error_fr(r, "server gave bad signature for %s key %zu",

   			    sshkey_type(ctx->keys[i]), i);

   			goto out;

+ diff --git a/hostfile.c b/hostfile.c

+ index a035b381..bd49e3ac 100644

+ --- a/hostfile.c

+ +++ b/hostfile.c

+ @@ -642,7 +642,7 @@ hostfile_replace_entries(const char *filename, const char *host, const char *ip,

+  	/* Re-add the requested keys */

+  	want = HKF_MATCH_HOST | (ip == NULL ? 0 : HKF_MATCH_IP);

+  	for (i = 0; i < nkeys; i++) {

+ -		if ((want & ctx.match_keys[i]) == want)

+ +		if (keys[i] == NULL || (want & ctx.match_keys[i]) == want)

+  			continue;

+  		if ((fp = sshkey_fingerprint(keys[i], hash_alg,

+  		    SSH_FP_DEFAULT)) == NULL) {

  diff --color -ru a/kex.c b/kex.c

  --- a/kex.c	2022-06-29 16:35:06.775599179 +0200

  +++ b/kex.c	2022-06-29 16:42:00.839710940 +0200
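Review bot: The added `keys[i] == NULL ||` test in hostfile_replace_entries makes NULL slots in `keys` a silently accepted input, but the comment above the loop still reads only "Re-add the requested keys". Consider `/* Re-add the requested keys; NULL slots are skipped */` so the contract is visible at the loop. The NULL test is correctly placed before `sshkey_fingerprint(keys[i], ...)`. The function body starts and ends outside the hunk, so whether other uses of `keys[i]` in it need the same guard cannot be seen here.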

@@ -262,6 +262,19 @@ 

   	if (verify_host_key(xxx_host, xxx_hostaddr, hostkey,

   	    xxx_conn_info) == -1)

   		fatal("Host key verification failed.");

+ @@ -1762,6 +1762,12 @@ load_identity_file(Identity *id)

+  			private = NULL;

+  			quit = 1;

+  		}

+ +		if (r = sshkey_check_rsa_length(private, options.rsa_min_size) != 0) {

+ +			debug_fr(r, "Skipping key %s", id->filename);

+ +			sshkey_free(private);

+ +			private = NULL;

+ +			quit = 1;

+ +		}

+  		if (!quit && private != NULL && id->agent_fd == -1 &&

+  		    !(id->key && id->isprivate))

+  			maybe_add_key_to_agent(id->filename, private, comment,

  @@ -1747,6 +1751,12 @@ pubkey_prepare(struct ssh *ssh, Authctxt *authctxt)

  		close(agent_fd);

  	} else {
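Review bot: In the lines added to load_identity_file, `if (r = sshkey_check_rsa_length(private, options.rsa_min_size) != 0)` is missing parentheses around the assignment, so `!=` binds first and `r` receives 0 or 1 instead of the function's return code. The key is still skipped, but `debug_fr(r, "Skipping key %s", ...)` then logs the wrong reason, which hides why the minimum-RSA-size policy rejected a key. It should read `if ((r = sshkey_check_rsa_length(private, options.rsa_min_size)) != 0) {`. The check also runs right after a branch that sets `private = NULL`; the helper's definition is not on this page, so confirm it accepts a NULL key. load_identity_file continues outside the hunk.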

@@ -1,7 +1,7 @@ 

- diff --color -ru a/scp.c b/scp.c

- --- a/scp.c	2022-06-30 09:47:39.529662574 +0200

- +++ b/scp.c	2022-06-30 09:51:05.740719310 +0200

- @@ -1324,12 +1324,12 @@

+ diff --color -rup a/scp.c b/scp.c

+ --- a/scp.c	2022-07-26 14:51:40.560120817 +0200

+ +++ b/scp.c	2022-07-26 14:52:37.118213004 +0200

+ @@ -1324,12 +1324,12 @@ source_sftp(int argc, char *src, char *t

   

   	if (src_is_dir && iamrecursive) {

   		if (upload_dir(conn, src, abs_dst, pflag,
@@ -16,7 +16,7 @@ 

   		error("failed to upload file %s to %s", src, abs_dst);

   		errs = 1;

   	}

- @@ -1566,11 +1566,11 @@

+ @@ -1566,11 +1566,11 @@ sink_sftp(int argc, char *dst, const cha

   		debug("Fetching %s to %s\n", g.gl_pathv[i], abs_dst);

   		if (globpath_is_dir(g.gl_pathv[i]) && iamrecursive) {

   			if (download_dir(conn, g.gl_pathv[i], abs_dst, NULL,
@@ -30,10 +30,10 @@ 

   				err = -1;

   		}

   		free(abs_dst);

- diff --color -ru a/sftp.c b/sftp.c

- --- a/sftp.c	2022-06-30 09:47:39.530662594 +0200

- +++ b/sftp.c	2022-06-30 09:52:05.118887441 +0200

- @@ -666,12 +666,12 @@

+ diff --color -rup a/sftp.c b/sftp.c

+ --- a/sftp.c	2022-07-26 14:51:40.561120836 +0200

+ +++ b/sftp.c	2022-07-26 14:52:37.119213023 +0200

+ @@ -666,12 +666,12 @@ process_get(struct sftp_conn *conn, cons

   		if (globpath_is_dir(g.gl_pathv[i]) && (rflag || global_rflag)) {

   			if (download_dir(conn, g.gl_pathv[i], abs_dst, NULL,

   			    pflag || global_pflag, 1, resume,
@@ -48,7 +48,7 @@ 

   				err = -1;

   		}

   		free(abs_dst);

- @@ -760,12 +760,12 @@

+ @@ -760,12 +760,12 @@ process_put(struct sftp_conn *conn, cons

   		if (globpath_is_dir(g.gl_pathv[i]) && (rflag || global_rflag)) {

   			if (upload_dir(conn, g.gl_pathv[i], abs_dst,

   			    pflag || global_pflag, 1, resume,
@@ -63,10 +63,10 @@ 

   				err = -1;

   		}

   	}

- diff --color -ru a/sftp-client.c b/sftp-client.c

- --- a/sftp-client.c	2022-06-30 09:47:39.530662594 +0200

- +++ b/sftp-client.c	2022-06-30 10:03:36.608473570 +0200

- @@ -1454,7 +1454,7 @@

+ diff --color -rup a/sftp-client.c b/sftp-client.c

+ --- a/sftp-client.c	2022-07-26 14:51:40.561120836 +0200

+ +++ b/sftp-client.c	2022-07-26 15:09:54.825295533 +0200

+ @@ -1454,7 +1454,7 @@ progress_meter_path(const char *path)

   int

   do_download(struct sftp_conn *conn, const char *remote_path,

       const char *local_path, Attrib *a, int preserve_flag, int resume_flag,
@@ -75,7 +75,18 @@ 

   {

   	struct sshbuf *msg;

   	u_char *handle;

- @@ -1661,8 +1661,11 @@

+ @@ -1498,8 +1498,8 @@ do_download(struct sftp_conn *conn, cons

+  	    &handle, &handle_len) != 0)

+  		return -1;

+  

+ -	local_fd = open(local_path,

+ -	    O_WRONLY | O_CREAT | (resume_flag ? 0 : O_TRUNC), mode | S_IWUSR);

+ +	local_fd = open(local_path, O_WRONLY | O_CREAT |

+ +	((resume_flag || inplace_flag) ? 0 : O_TRUNC), mode | S_IWUSR);

+  	if (local_fd == -1) {

+  		error("Couldn't open local file \"%s\" for writing: %s",

+  		    local_path, strerror(errno));

+ @@ -1661,8 +1661,11 @@ do_download(struct sftp_conn *conn, cons

   	/* Sanity check */

   	if (TAILQ_FIRST(&requests) != NULL)

   		fatal("Transfer complete, but requests still in queue");
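Review bot: The rewritten `open()` in do_download drops `O_TRUNC` whenever `inplace_flag` is set, and nothing visible in this hunk shows where the file is later cut back to the transferred length. If the existing local file is longer than the remote one, stale trailing bytes would remain unless the truncate path near the "Sanity check" context (the `@@ -1661,8 +1661,11 @@` hunk, whose changed lines are not shown on this page) runs on every in-place transfer, including successful ones; please confirm. Once confirmed, a comment at the call would make the dependency explicit, for example `/* in-place: no O_TRUNC; the file is truncated to the transferred length after the transfer */`. The continuation line `((resume_flag || inplace_flag) ? 0 : O_TRUNC), mode | S_IWUSR);` is also indented with a single tab where the removed lines used a tab plus four spaces. do_download starts and ends outside the hunk.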
@@ -89,7 +100,7 @@ 

   		if (reordered && resume_flag) {

   			error("Unable to resume download of \"%s\": "

   			    "server reordered requests", local_path);

- @@ -1724,7 +1727,7 @@

+ @@ -1724,7 +1727,7 @@ do_download(struct sftp_conn *conn, cons

   static int

   download_dir_internal(struct sftp_conn *conn, const char *src, const char *dst,

       int depth, Attrib *dirattrib, int preserve_flag, int print_flag,
@@ -98,7 +109,7 @@ 

   {

   	int i, ret = 0;

   	SFTP_DIRENT **dir_entries;

- @@ -1781,7 +1784,7 @@

+ @@ -1781,7 +1784,7 @@ download_dir_internal(struct sftp_conn *

   			if (download_dir_internal(conn, new_src, new_dst,

   			    depth + 1, &(dir_entries[i]->a), preserve_flag,

   			    print_flag, resume_flag,
@@ -107,7 +118,7 @@ 

   				ret = -1;

   		} else if (S_ISREG(dir_entries[i]->a.perm) ||

   		    (follow_link_flag && S_ISLNK(dir_entries[i]->a.perm))) {

- @@ -1793,7 +1796,8 @@

+ @@ -1793,7 +1796,8 @@ download_dir_internal(struct sftp_conn *

   			if (do_download(conn, new_src, new_dst,

   			    S_ISLNK(dir_entries[i]->a.perm) ? NULL :

   			    &(dir_entries[i]->a),
@@ -117,7 +128,7 @@ 

   				error("Download of file %s to %s failed",

   				    new_src, new_dst);

   				ret = -1;

- @@ -1831,7 +1835,7 @@

+ @@ -1831,7 +1835,7 @@ download_dir_internal(struct sftp_conn *

   int

   download_dir(struct sftp_conn *conn, const char *src, const char *dst,

       Attrib *dirattrib, int preserve_flag, int print_flag, int resume_flag,
@@ -126,7 +137,7 @@ 

   {

   	char *src_canon;

   	int ret;

- @@ -1843,26 +1847,25 @@

+ @@ -1843,26 +1847,25 @@ download_dir(struct sftp_conn *conn, con

   

   	ret = download_dir_internal(conn, src_canon, dst, 0,

   	    dirattrib, preserve_flag, print_flag, resume_flag, fsync_flag,
@@ -161,7 +172,7 @@ 

   	struct request *ack = NULL;

   	struct requests acks;

   	size_t handle_len;

- @@ -1913,10 +1916,15 @@

+ @@ -1913,10 +1916,15 @@ do_upload(struct sftp_conn *conn, const

   		}

   	}

   
@@ -180,7 +191,7 @@ 

   		close(local_fd);

   		return -1;

   	}

- @@ -1999,6 +2007,12 @@

+ @@ -1999,6 +2007,12 @@ do_upload(struct sftp_conn *conn, const

   			    ack->id, ack->len, (unsigned long long)ack->offset);

   			++ackid;

   			progress_counter += ack->len;
@@ -193,7 +204,7 @@ 

   			free(ack);

   		}

   		offset += len;

- @@ -2017,6 +2031,14 @@

+ @@ -2017,6 +2031,14 @@ do_upload(struct sftp_conn *conn, const

   		status = SSH2_FX_FAILURE;

   	}

   
@@ -208,7 +219,7 @@ 

   	if (close(local_fd) == -1) {

   		error("Couldn't close local file \"%s\": %s", local_path,

   		    strerror(errno));

- @@ -2041,7 +2063,7 @@

+ @@ -2041,7 +2063,7 @@ do_upload(struct sftp_conn *conn, const

   static int

   upload_dir_internal(struct sftp_conn *conn, const char *src, const char *dst,

       int depth, int preserve_flag, int print_flag, int resume, int fsync_flag,
@@ -217,7 +228,7 @@ 

   {

   	int ret = 0;

   	DIR *dirp;

- @@ -2119,12 +2141,13 @@

+ @@ -2119,12 +2141,13 @@ upload_dir_internal(struct sftp_conn *co

   

   			if (upload_dir_internal(conn, new_src, new_dst,

   			    depth + 1, preserve_flag, print_flag, resume,
@@ -233,7 +244,7 @@ 

   				error("Uploading of file %s to %s failed!",

   				    new_src, new_dst);

   				ret = -1;

- @@ -2144,7 +2167,7 @@

+ @@ -2144,7 +2167,7 @@ upload_dir_internal(struct sftp_conn *co

   int

   upload_dir(struct sftp_conn *conn, const char *src, const char *dst,

       int preserve_flag, int print_flag, int resume, int fsync_flag,
@@ -242,7 +253,7 @@ 

   {

   	char *dst_canon;

   	int ret;

- @@ -2155,7 +2178,7 @@

+ @@ -2155,7 +2178,7 @@ upload_dir(struct sftp_conn *conn, const

   	}

   

   	ret = upload_dir_internal(conn, src, dst_canon, 0, preserve_flag,
@@ -251,10 +262,10 @@ 

   

   	free(dst_canon);

   	return ret;

- diff --color -ru a/sftp-client.h b/sftp-client.h

- --- a/sftp-client.h	2022-06-30 09:47:39.530662594 +0200

- +++ b/sftp-client.h	2022-06-30 10:05:50.835107759 +0200

- @@ -138,28 +138,29 @@

+ diff --color -rup a/sftp-client.h b/sftp-client.h

+ --- a/sftp-client.h	2022-07-26 14:51:40.561120836 +0200

+ +++ b/sftp-client.h	2022-07-26 14:52:37.120213042 +0200

+ @@ -138,28 +138,29 @@ int do_fsync(struct sftp_conn *conn, u_c

    * Download 'remote_path' to 'local_path'. Preserve permissions and times

    * if 'pflag' is set

    */

file modified
+26 -3
@@ -55,8 +55,8 @@ 

  

  # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1

  %global openssh_ver 8.7p1

- %global openssh_rel 19

- %global hyperscale_rel 3

+ %global openssh_rel 22

+ %global hyperscale_rel 4

  %global pam_ssh_agent_ver 0.10.4

  %global pam_ssh_agent_rel 5

  
@@ -227,11 +227,16 @@ 

  Patch982: openssh-8.7p1-minrsabits.patch

  # downstream only

  Patch983: openssh-8.7p1-evpgenkey.patch

+ # downstream only, IBMCA tentative fix

+ # From https://bugzilla.redhat.com/show_bug.cgi?id=1976202#c14

+ Patch984: openssh-8.7p1-ibmca.patch

  

  # Minimize the use of SHA1 as a proof of possession for RSA key (#2031868)

  # upstream commits:

  # 291721bc7c840d113a49518f3fca70e86248b8e8

  # 0fa33683223c76289470a954404047bc762be84c

+ # Avoid dubious diagnostics on update known hosts (#2115246)

+ # 8832402bd500d1661ccc80a476fd563335ef6cdc

  Patch1000: openssh-8.7p1-minimize-sha1-use.patch

  # Fix for scp clearing file when src and dest are the same (#2056884)

  # upstream commits:
@@ -480,6 +485,7 @@ 

  # This patch results in build failures on el8

  %patch983 -p1 -b .evpgenrsa

  %endif

+ %patch984 -p1 -b .ibmca

  

  %patch200 -p1 -b .audit

  %patch201 -p1 -b .audit-race
@@ -794,9 +800,26 @@ 

  %endif

  

  %changelog

- * Wed Aug 24 2022 Kent Peacock <kentp@fb.com> 8.7p1-19.3 + 0.10.4-5.3

+ * Wed Sep 21 2022 Raymond Colebaugh <raymondcolebaugh@gmail.com> - 8.7p1-22.4 + 0.10.4-5.4

+ - Merge new changes from upstream

+ 

+ * Wed Aug 24 2022 Kent Peacock <kentp@fb.com> - 8.7p1-19.3 + 0.10.4-5.3

  - Set up local developer strategy using quilt and incorporate Meta patches

  

+ * Tue Aug 16 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-22

+ - Avoid spirous message on connecting to the machine with ssh-rsa keys

+   Related: rhbz#2115246

+ - Set minimal value of RSA key length via configuration option

+   Related: rhbz#2066882

+ 

+ * Thu Aug 04 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-21

+ - IBMCA workaround

+   Related: rhbz#1976202

+ 

+ * Tue Jul 26 2022 Zoltan Fridrich <zfridric@redhat.com> - 8.7p1-20 + 0.10.4-5

+ - Fix openssh-8.7p1-scp-clears-file.patch

+   Related: rhbz#2056884

+ 

  * Wed Jul 20 2022 Davide Cavalca <dcavalca@centosproject.org> - 8.7p1-19.2 + 0.10.4-5.2

  - Refactor and reinstate FIPS patch for el8

  

lgtm, but please add a changelog entry to document what you did

While this would normally be the right thing to do, in the case of openssh we can't reset hyperscale_rel as otherwise we'll end up with duplicate/conflicting versions for the pam-ssh-agent subpackage, which has a fixed version/release independent of the main package (see the two lines below).

Also for the record, Pagure here seems to be only displaying the merge commit instead of the whole stack, see https://pagure.io/pagure/issue/953

1 new commit added

  • Add changelog entry and bump hyperscale_ref instead of reset
2 years ago

The correct version would be 8.7p1-22.4 + 0.10.4-5.4 (i.e. 4 instead of 3 for extraver for the pam subpackage to match hyperscale_rel). Also, you need a dash between the email and the version (I just noticed the previous entry is also wrong, not a big deal but we should fix it).

1 new commit added

  • Also bump extra_ver for pam subpackage and fix recent changelog format
2 years ago

Pull-Request has been merged by dcavalca

2 years ago