diff --git a/openssh-8.7p1-ibmca.patch b/openssh-8.7p1-ibmca.patch
new file mode 100644
index 0000000..c9c12ee
--- /dev/null
+++ b/openssh-8.7p1-ibmca.patch
@@ -0,0 +1,12 @@
+--- openssh-8.7p1/openbsd-compat/bsd-closefrom.c.orig 2022-04-12 15:47:03.815044607 +0200
++++ openssh-8.7p1/openbsd-compat/bsd-closefrom.c 2022-04-12 15:48:12.464963511 +0200
+@@ -16,7 +16,7 @@
+
+ #include "includes.h"
+
+-#ifndef HAVE_CLOSEFROM
++#if (!defined HAVE_CLOSEFROM) || (defined __s390__)
+
+ #include <sys/types.h>
+ #include <sys/param.h>
+
diff --git a/openssh-8.7p1-minimize-sha1-use.patch b/openssh-8.7p1-minimize-sha1-use.patch
index cbaba49..fc517da 100644
--- a/openssh-8.7p1-minimize-sha1-use.patch
+++ b/openssh-8.7p1-minimize-sha1-use.patch
@@ -87,6 +87,19 @@ diff --color -ru a/clientloop.c b/clientloop.c
error_fr(r, "server gave bad signature for %s key %zu",
sshkey_type(ctx->keys[i]), i);
goto out;
+diff --git a/hostfile.c b/hostfile.c
+index a035b381..bd49e3ac 100644
+--- a/hostfile.c
++++ b/hostfile.c
+@@ -642,7 +642,7 @@ hostfile_replace_entries(const char *filename, const char *host, const char *ip,
+ /* Re-add the requested keys */
+ want = HKF_MATCH_HOST | (ip == NULL ? 0 : HKF_MATCH_IP);
+ for (i = 0; i < nkeys; i++) {
+- if ((want & ctx.match_keys[i]) == want)
++ if (keys[i] == NULL || (want & ctx.match_keys[i]) == want)
+ continue;
+ if ((fp = sshkey_fingerprint(keys[i], hash_alg,
+ SSH_FP_DEFAULT)) == NULL) {
diff --color -ru a/kex.c b/kex.c
--- a/kex.c 2022-06-29 16:35:06.775599179 +0200
+++ b/kex.c 2022-06-29 16:42:00.839710940 +0200
diff --git a/openssh-8.7p1-minrsabits.patch b/openssh-8.7p1-minrsabits.patch
index 57019b6..107fe70 100644
--- a/openssh-8.7p1-minrsabits.patch
+++ b/openssh-8.7p1-minrsabits.patch
@@ -262,6 +262,19 @@ index 67f8e0309..d050c1656 100644
if (verify_host_key(xxx_host, xxx_hostaddr, hostkey,
xxx_conn_info) == -1)
fatal("Host key verification failed.");
+@@ -1762,6 +1762,12 @@ load_identity_file(Identity *id)
+ private = NULL;
+ quit = 1;
+ }
++ if (r = sshkey_check_rsa_length(private, options.rsa_min_size) != 0) {
++ debug_fr(r, "Skipping key %s", id->filename);
++ sshkey_free(private);
++ private = NULL;
++ quit = 1;
++ }
+ if (!quit && private != NULL && id->agent_fd == -1 &&
+ !(id->key && id->isprivate))
+ maybe_add_key_to_agent(id->filename, private, comment,
@@ -1747,6 +1751,12 @@ pubkey_prepare(struct ssh *ssh, Authctxt *authctxt)
close(agent_fd);
} else {
diff --git a/openssh-8.7p1-scp-clears-file.patch b/openssh-8.7p1-scp-clears-file.patch
index d49b66d..4c033da 100644
--- a/openssh-8.7p1-scp-clears-file.patch
+++ b/openssh-8.7p1-scp-clears-file.patch
@@ -1,7 +1,7 @@
-diff --color -ru a/scp.c b/scp.c
---- a/scp.c 2022-06-30 09:47:39.529662574 +0200
-+++ b/scp.c 2022-06-30 09:51:05.740719310 +0200
-@@ -1324,12 +1324,12 @@
+diff --color -rup a/scp.c b/scp.c
+--- a/scp.c 2022-07-26 14:51:40.560120817 +0200
++++ b/scp.c 2022-07-26 14:52:37.118213004 +0200
+@@ -1324,12 +1324,12 @@ source_sftp(int argc, char *src, char *t
if (src_is_dir && iamrecursive) {
if (upload_dir(conn, src, abs_dst, pflag,
@@ -16,7 +16,7 @@ diff --color -ru a/scp.c b/scp.c
error("failed to upload file %s to %s", src, abs_dst);
errs = 1;
}
-@@ -1566,11 +1566,11 @@
+@@ -1566,11 +1566,11 @@ sink_sftp(int argc, char *dst, const cha
debug("Fetching %s to %s\n", g.gl_pathv[i], abs_dst);
if (globpath_is_dir(g.gl_pathv[i]) && iamrecursive) {
if (download_dir(conn, g.gl_pathv[i], abs_dst, NULL,
@@ -30,10 +30,10 @@ diff --color -ru a/scp.c b/scp.c
err = -1;
}
free(abs_dst);
-diff --color -ru a/sftp.c b/sftp.c
---- a/sftp.c 2022-06-30 09:47:39.530662594 +0200
-+++ b/sftp.c 2022-06-30 09:52:05.118887441 +0200
-@@ -666,12 +666,12 @@
+diff --color -rup a/sftp.c b/sftp.c
+--- a/sftp.c 2022-07-26 14:51:40.561120836 +0200
++++ b/sftp.c 2022-07-26 14:52:37.119213023 +0200
+@@ -666,12 +666,12 @@ process_get(struct sftp_conn *conn, cons
if (globpath_is_dir(g.gl_pathv[i]) && (rflag || global_rflag)) {
if (download_dir(conn, g.gl_pathv[i], abs_dst, NULL,
pflag || global_pflag, 1, resume,
@@ -48,7 +48,7 @@ diff --color -ru a/sftp.c b/sftp.c
err = -1;
}
free(abs_dst);
-@@ -760,12 +760,12 @@
+@@ -760,12 +760,12 @@ process_put(struct sftp_conn *conn, cons
if (globpath_is_dir(g.gl_pathv[i]) && (rflag || global_rflag)) {
if (upload_dir(conn, g.gl_pathv[i], abs_dst,
pflag || global_pflag, 1, resume,
@@ -63,10 +63,10 @@ diff --color -ru a/sftp.c b/sftp.c
err = -1;
}
}
-diff --color -ru a/sftp-client.c b/sftp-client.c
---- a/sftp-client.c 2022-06-30 09:47:39.530662594 +0200
-+++ b/sftp-client.c 2022-06-30 10:03:36.608473570 +0200
-@@ -1454,7 +1454,7 @@
+diff --color -rup a/sftp-client.c b/sftp-client.c
+--- a/sftp-client.c 2022-07-26 14:51:40.561120836 +0200
++++ b/sftp-client.c 2022-07-26 15:09:54.825295533 +0200
+@@ -1454,7 +1454,7 @@ progress_meter_path(const char *path)
int
do_download(struct sftp_conn *conn, const char *remote_path,
const char *local_path, Attrib *a, int preserve_flag, int resume_flag,
@@ -75,7 +75,18 @@ diff --color -ru a/sftp-client.c b/sftp-client.c
{
struct sshbuf *msg;
u_char *handle;
-@@ -1661,8 +1661,11 @@
+@@ -1498,8 +1498,8 @@ do_download(struct sftp_conn *conn, cons
+ &handle, &handle_len) != 0)
+ return -1;
+
+- local_fd = open(local_path,
+- O_WRONLY | O_CREAT | (resume_flag ? 0 : O_TRUNC), mode | S_IWUSR);
++ local_fd = open(local_path, O_WRONLY | O_CREAT |
++ ((resume_flag || inplace_flag) ? 0 : O_TRUNC), mode | S_IWUSR);
+ if (local_fd == -1) {
+ error("Couldn't open local file \"%s\" for writing: %s",
+ local_path, strerror(errno));
+@@ -1661,8 +1661,11 @@ do_download(struct sftp_conn *conn, cons
/* Sanity check */
if (TAILQ_FIRST(&requests) != NULL)
fatal("Transfer complete, but requests still in queue");
@@ -89,7 +100,7 @@ diff --color -ru a/sftp-client.c b/sftp-client.c
if (reordered && resume_flag) {
error("Unable to resume download of \"%s\": "
"server reordered requests", local_path);
-@@ -1724,7 +1727,7 @@
+@@ -1724,7 +1727,7 @@ do_download(struct sftp_conn *conn, cons
static int
download_dir_internal(struct sftp_conn *conn, const char *src, const char *dst,
int depth, Attrib *dirattrib, int preserve_flag, int print_flag,
@@ -98,7 +109,7 @@ diff --color -ru a/sftp-client.c b/sftp-client.c
{
int i, ret = 0;
SFTP_DIRENT **dir_entries;
-@@ -1781,7 +1784,7 @@
+@@ -1781,7 +1784,7 @@ download_dir_internal(struct sftp_conn *
if (download_dir_internal(conn, new_src, new_dst,
depth + 1, &(dir_entries[i]->a), preserve_flag,
print_flag, resume_flag,
@@ -107,7 +118,7 @@ diff --color -ru a/sftp-client.c b/sftp-client.c
ret = -1;
} else if (S_ISREG(dir_entries[i]->a.perm) ||
(follow_link_flag && S_ISLNK(dir_entries[i]->a.perm))) {
-@@ -1793,7 +1796,8 @@
+@@ -1793,7 +1796,8 @@ download_dir_internal(struct sftp_conn *
if (do_download(conn, new_src, new_dst,
S_ISLNK(dir_entries[i]->a.perm) ? NULL :
&(dir_entries[i]->a),
@@ -117,7 +128,7 @@ diff --color -ru a/sftp-client.c b/sftp-client.c
error("Download of file %s to %s failed",
new_src, new_dst);
ret = -1;
-@@ -1831,7 +1835,7 @@
+@@ -1831,7 +1835,7 @@ download_dir_internal(struct sftp_conn *
int
download_dir(struct sftp_conn *conn, const char *src, const char *dst,
Attrib *dirattrib, int preserve_flag, int print_flag, int resume_flag,
@@ -126,7 +137,7 @@ diff --color -ru a/sftp-client.c b/sftp-client.c
{
char *src_canon;
int ret;
-@@ -1843,26 +1847,25 @@
+@@ -1843,26 +1847,25 @@ download_dir(struct sftp_conn *conn, con
ret = download_dir_internal(conn, src_canon, dst, 0,
dirattrib, preserve_flag, print_flag, resume_flag, fsync_flag,
@@ -161,7 +172,7 @@ diff --color -ru a/sftp-client.c b/sftp-client.c
struct request *ack = NULL;
struct requests acks;
size_t handle_len;
-@@ -1913,10 +1916,15 @@
+@@ -1913,10 +1916,15 @@ do_upload(struct sftp_conn *conn, const
}
}
@@ -180,7 +191,7 @@ diff --color -ru a/sftp-client.c b/sftp-client.c
close(local_fd);
return -1;
}
-@@ -1999,6 +2007,12 @@
+@@ -1999,6 +2007,12 @@ do_upload(struct sftp_conn *conn, const
ack->id, ack->len, (unsigned long long)ack->offset);
++ackid;
progress_counter += ack->len;
@@ -193,7 +204,7 @@ diff --color -ru a/sftp-client.c b/sftp-client.c
free(ack);
}
offset += len;
-@@ -2017,6 +2031,14 @@
+@@ -2017,6 +2031,14 @@ do_upload(struct sftp_conn *conn, const
status = SSH2_FX_FAILURE;
}
@@ -208,7 +219,7 @@ diff --color -ru a/sftp-client.c b/sftp-client.c
if (close(local_fd) == -1) {
error("Couldn't close local file \"%s\": %s", local_path,
strerror(errno));
-@@ -2041,7 +2063,7 @@
+@@ -2041,7 +2063,7 @@ do_upload(struct sftp_conn *conn, const
static int
upload_dir_internal(struct sftp_conn *conn, const char *src, const char *dst,
int depth, int preserve_flag, int print_flag, int resume, int fsync_flag,
@@ -217,7 +228,7 @@ diff --color -ru a/sftp-client.c b/sftp-client.c
{
int ret = 0;
DIR *dirp;
-@@ -2119,12 +2141,13 @@
+@@ -2119,12 +2141,13 @@ upload_dir_internal(struct sftp_conn *co
if (upload_dir_internal(conn, new_src, new_dst,
depth + 1, preserve_flag, print_flag, resume,
@@ -233,7 +244,7 @@ diff --color -ru a/sftp-client.c b/sftp-client.c
error("Uploading of file %s to %s failed!",
new_src, new_dst);
ret = -1;
-@@ -2144,7 +2167,7 @@
+@@ -2144,7 +2167,7 @@ upload_dir_internal(struct sftp_conn *co
int
upload_dir(struct sftp_conn *conn, const char *src, const char *dst,
int preserve_flag, int print_flag, int resume, int fsync_flag,
@@ -242,7 +253,7 @@ diff --color -ru a/sftp-client.c b/sftp-client.c
{
char *dst_canon;
int ret;
-@@ -2155,7 +2178,7 @@
+@@ -2155,7 +2178,7 @@ upload_dir(struct sftp_conn *conn, const
}
ret = upload_dir_internal(conn, src, dst_canon, 0, preserve_flag,
@@ -251,10 +262,10 @@ diff --color -ru a/sftp-client.c b/sftp-client.c
free(dst_canon);
return ret;
-diff --color -ru a/sftp-client.h b/sftp-client.h
---- a/sftp-client.h 2022-06-30 09:47:39.530662594 +0200
-+++ b/sftp-client.h 2022-06-30 10:05:50.835107759 +0200
-@@ -138,28 +138,29 @@
+diff --color -rup a/sftp-client.h b/sftp-client.h
+--- a/sftp-client.h 2022-07-26 14:51:40.561120836 +0200
++++ b/sftp-client.h 2022-07-26 14:52:37.120213042 +0200
+@@ -138,28 +138,29 @@ int do_fsync(struct sftp_conn *conn, u_c
* Download 'remote_path' to 'local_path'. Preserve permissions and times
* if 'pflag' is set
*/
diff --git a/openssh.spec b/openssh.spec
index d7d36e1..872df66 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -55,8 +55,8 @@
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%global openssh_ver 8.7p1
-%global openssh_rel 19
-%global hyperscale_rel 3
+%global openssh_rel 22
+%global hyperscale_rel 1
%global pam_ssh_agent_ver 0.10.4
%global pam_ssh_agent_rel 5
@@ -227,11 +227,16 @@ Patch981: openssh-8.7p1-recursive-scp.patch
Patch982: openssh-8.7p1-minrsabits.patch
# downstream only
Patch983: openssh-8.7p1-evpgenkey.patch
+# downstream only, IBMCA tentative fix
+# From https://bugzilla.redhat.com/show_bug.cgi?id=1976202#c14
+Patch984: openssh-8.7p1-ibmca.patch
# Minimize the use of SHA1 as a proof of possession for RSA key (#2031868)
# upstream commits:
# 291721bc7c840d113a49518f3fca70e86248b8e8
# 0fa33683223c76289470a954404047bc762be84c
+# Avoid dubious diagnostics on update known hosts (#2115246)
+# 8832402bd500d1661ccc80a476fd563335ef6cdc
Patch1000: openssh-8.7p1-minimize-sha1-use.patch
# Fix for scp clearing file when src and dest are the same (#2056884)
# upstream commits:
@@ -480,6 +485,7 @@ popd
# This patch results in build failures on el8
%patch983 -p1 -b .evpgenrsa
%endif
+%patch984 -p1 -b .ibmca
%patch200 -p1 -b .audit
%patch201 -p1 -b .audit-race
@@ -797,6 +803,20 @@ test -f %{sysconfig_anaconda} && \
* Wed Aug 24 2022 Kent Peacock <kentp@fb.com> 8.7p1-19.3 + 0.10.4-5.3
- Set up local developer strategy using quilt and incorporate Meta patches
+* Tue Aug 16 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-22
+- Avoid spirous message on connecting to the machine with ssh-rsa keys
+ Related: rhbz#2115246
+- Set minimal value of RSA key length via configuration option
+ Related: rhbz#2066882
+
+* Thu Aug 04 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-21
+- IBMCA workaround
+ Related: rhbz#1976202
+
+* Tue Jul 26 2022 Zoltan Fridrich <zfridric@redhat.com> - 8.7p1-20 + 0.10.4-5
+- Fix openssh-8.7p1-scp-clears-file.patch
+ Related: rhbz#2056884
+
* Wed Jul 20 2022 Davide Cavalca <dcavalca@centosproject.org> - 8.7p1-19.2 + 0.10.4-5.2
- Refactor and reinstate FIPS patch for el8