diff --git a/SOURCES/openssh-7.4p1-CVE-2018-15473.patch b/SOURCES/openssh-7.4p1-CVE-2018-15473.patch
new file mode 100644
index 0000000..fb8934c
--- /dev/null
+++ b/SOURCES/openssh-7.4p1-CVE-2018-15473.patch
@@ -0,0 +1,145 @@
+From 74287f5df9966a0648b4a68417451dd18f079ab8 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Tue, 31 Jul 2018 03:10:27 +0000
+Subject: [PATCH] upstream: delay bailout for invalid authentic
+
+=?UTF-8?q?ating=20user=20until=20after=20the=20packet=20containing=20the?=
+=?UTF-8?q?=20request=20has=20been=20fully=20parsed.=20Reported=20by=20Dar?=
+=?UTF-8?q?iusz=20Tytko=20and=20Micha=C5=82=20Sajdak;=20ok=20deraadt?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+OpenBSD-Commit-ID: b4891882fbe413f230fe8ac8a37349b03bd0b70d
+---
+ auth2-gss.c       | 11 +++++++----
+ auth2-hostbased.c | 11 ++++++-----
+ auth2-pubkey.c    | 25 +++++++++++++++----------
+ 3 files changed, 28 insertions(+), 19 deletions(-)
+
+diff --git a/auth2-gss.c b/auth2-gss.c
+index 47308c5ce..9351e0428 100644
+--- a/auth2-gss.c
++++ b/auth2-gss.c
+@@ -70,9 +70,6 @@ userauth_gssapi(struct ssh *ssh)
+ 	u_int len;
+ 	u_char *doid = NULL;
+ 
+-	if (!authctxt->valid || authctxt->user == NULL)
+-		return (0);
+-
+ 	mechs = packet_get_int();
+ 	if (mechs == 0) {
+ 		debug("Mechanism negotiation is not supported");
+@@ -106,6 +103,12 @@ userauth_gssapi(struct ssh *ssh)
+ 		return (0);
+ 	}
+ 
++	if (!authctxt->valid || authctxt->user == NULL) {
++		debug2("%s: disabled because of invalid user", __func__);
++		free(doid);
++		return (0);
++	}
++
+ 	if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) {
+ 		if (ctxt != NULL)
+ 			ssh_gssapi_delete_ctx(&ctxt);
+diff --git a/auth2-hostbased.c b/auth2-hostbased.c
+index 60159a56c..359393291 100644
+--- a/auth2-hostbased.c
++++ b/auth2-hostbased.c
+@@ -67,10 +67,6 @@ userauth_hostbased(struct ssh *ssh)
+ 	int pktype;
+ 	int authenticated = 0;
+ 
+-	if (!authctxt->valid) {
+-		debug2("userauth_hostbased: disabled because of invalid user");
+-		return 0;
+-	}
+ 	pkalg = packet_get_string(&alen);
+ 	pkblob = packet_get_string(&blen);
+ 	chost = packet_get_string(NULL);
+@@ -117,6 +113,11 @@ userauth_hostbased(struct ssh *ssh)
+ 		goto done;
+ 	}
+ 
++	if (!authctxt->valid || authctxt->user == NULL) {
++		debug2("%s: disabled because of invalid user", __func__);
++		goto done;
++	}
++
+ 	service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" :
+ 	    authctxt->service;
+ 	buffer_init(&b);
+diff --git a/auth2-pubkey.c b/auth2-pubkey.c
+index c4d0f7908..e1c150401 100644
+--- a/auth2-pubkey.c
++++ b/auth2-pubkey.c
+@@ -89,16 +89,12 @@ userauth_pubkey(struct ssh *ssh)
+ {
+ 	Buffer b;
+ 	Key *key = NULL;
+-	char *pkalg, *userstyle, *pubkey, *fp = NULL;
+-	u_char *pkblob, *sig;
++	char *pkalg = NULL, *userstyle = NULL, *pubkey = NULL, *fp = NULL;
++	u_char *pkblob = NULL, *sig = NULL;
+ 	u_int alen, blen, slen;
+ 	int have_sig, pktype;
+ 	int authenticated = 0;
+ 
+-	if (!authctxt->valid) {
+-		debug2("%s: disabled because of invalid user", __func__);
+-		return 0;
+-	}
+ 	have_sig = packet_get_char();
+ 	if (datafellows & SSH_BUG_PKAUTH) {
+ 		debug2("%s: SSH_BUG_PKAUTH", __func__);
+@@ -167,6 +163,12 @@ userauth_pubkey(struct ssh *ssh)
+ 		} else {
+ 			buffer_put_string(&b, session_id2, session_id2_len);
+ 		}
++		if (!authctxt->valid || authctxt->user == NULL) {
++			buffer_free(&b);
++			debug2("%s: disabled because of invalid user",
++			    __func__);
++			goto done;
++		}
+ 		/* reconstruct packet */
+ 		buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
+ 		xasprintf(&userstyle, "%s%s%s%s%s", authctxt->user,
+@@ -183,7 +184,6 @@ userauth_pubkey(struct ssh *ssh)
+ #endif
+ 		pubkey = sshkey_format_oneline(key, options.fingerprint_hash);
+ 		auth_info(authctxt, "%s", pubkey);
+-
+ 		/* test for correct signature */
+ 		authenticated = 0;
+ 		if (PRIVSEP(user_key_allowed(authctxt->pw, key, 1)) &&
+@@ -194,7 +194,6 @@ userauth_pubkey(struct ssh *ssh)
+ 			free(pubkey);
+ 		}
+ 		buffer_free(&b);
+-		free(sig);
+ 	} else {
+ 		debug("%s: test whether pkalg/pkblob are acceptable for %s %s",
+ 		    __func__, sshkey_type(key), fp);
+@@ -205,6 +204,11 @@ userauth_pubkey(struct ssh *ssh)
+ 		    __func__, sshkey_type(key), fp);
+ 		packet_check_eom();
+ 
++		if (!authctxt->valid || authctxt->user == NULL) {
++			debug2("%s: disabled because of invalid user",
++			    __func__);
++			goto done;
++		}
+ 		/* XXX fake reply and always send PK_OK ? */
+ 		/*
+ 		 * XXX this allows testing whether a user is allowed
+@@ -238,6 +242,7 @@ userauth_pubkey(struct ssh *ssh)
+ 	free(pkalg);
+ 	free(pkblob);
+ 	free(fp);
++	free(sig);
+ 	return authenticated;
+ }
+ 
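Review bot: The relocated `!authctxt->valid || authctxt->user == NULL` checks remove the parse-time difference, but a well-formed request may still be answered differently for valid and invalid users. In `userauth_gssapi` the new block returns failure before `ssh_gssapi_server_ctx()` is reached. In the no-signature branch of `userauth_pubkey` the `goto done` sits directly above the existing `XXX this allows testing whether a user is allowed` comment. The code after both checks is outside these hunks, so this is inferred from the visible lines; where GSSAPI is not needed, `GSSAPIAuthentication no` in sshd_config removes that path. A short comment above each moved check, such as `/* must stay after packet parsing so malformed requests fail identically for valid and invalid users */`, would keep a later refactor from moving it back to the top of the function.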
diff --git a/SOURCES/openssh-7.4p1-fips.patch b/SOURCES/openssh-7.4p1-fips.patch
index d325029..81aa300 100644
--- a/SOURCES/openssh-7.4p1-fips.patch
+++ b/SOURCES/openssh-7.4p1-fips.patch
@@ -10,7 +10,7 @@ diff -up openssh-7.4p1/cipher.c.fips openssh-7.4p1/cipher.c
  #include <string.h>
  #include <stdarg.h>
  #include <stdio.h>
-@@ -116,6 +118,20 @@ static const struct sshcipher ciphers[]
+@@ -116,6 +118,24 @@ static const struct sshcipher ciphers[]
  	{ NULL,		SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
  };
  
@@ -25,6 +25,10 @@ diff -up openssh-7.4p1/cipher.c.fips openssh-7.4p1/cipher.c
 +	{ "aes128-ctr",	SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 0, EVP_aes_128_ctr },
 +	{ "aes192-ctr",	SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 0, EVP_aes_192_ctr },
 +	{ "aes256-ctr",	SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 0, EVP_aes_256_ctr },
++	{ "aes128-gcm@openssh.com",
++			SSH_CIPHER_SSH2, 16, 16, 12, 16, 0, 0, EVP_aes_128_gcm },
++	{ "aes256-gcm@openssh.com",
++			SSH_CIPHER_SSH2, 16, 32, 12, 16, 0, 0, EVP_aes_256_gcm },
 +	{ NULL,		SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
 +};
 +
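Review bot: The two `aes*-gcm@openssh.com` rows are added to the FIPS cipher table with no visible build guard, while the proposal string in myproposal.h brings GCM in through `AESGCM_CIPHER_MODES`, which upstream defines as non-empty only under `OPENSSL_HAVE_EVPGCM`. If that macro were undefined, these rows would still reference `EVP_aes_128_gcm` and `EVP_aes_256_gcm`, and the table would no longer match the advertised list. Wrapping the two rows in `#ifdef OPENSSL_HAVE_EVPGCM` and `#endif`, as the main `ciphers[]` table does upstream, keeps the table and the proposal in step. The opening lines of the table are outside this hunk, so an existing guard there cannot be ruled out.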
@@ -338,12 +342,13 @@ diff -up openssh-7.4p1/myproposal.h.fips openssh-7.4p1/myproposal.h
  /* the actual algorithms */
  
  #define KEX_CLIENT_ENCRYPT \
-@@ -144,6 +152,37 @@
+@@ -144,6 +152,38 @@
  
  #define KEX_CLIENT_MAC KEX_SERVER_MAC
  
 +#define	KEX_FIPS_ENCRYPT \
-+	"aes128-ctr,aes192-ctr,aes256-ctr," \
++	"aes128-ctr,aes192-ctr,aes256-ctr" \
++	AESGCM_CIPHER_MODES "," \
 +	"aes128-cbc,3des-cbc," \
 +	"aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se"
 +#ifdef HAVE_EVP_SHA256
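Review bot: `KEX_FIPS_ENCRYPT` now depends on `AESGCM_CIPHER_MODES` supplying its own leading comma, or expanding to nothing, which is not visible at this line and is easy to break, as the changelog entry about the double comma suggests. A comment above the define, e.g. `/* AESGCM_CIPHER_MODES starts with "," when defined and is empty otherwise */`, would record the assumption. The macro is defined outside this hunk, so the expansion described here is taken from upstream myproposal.h and should be confirmed against the patched tree.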
diff --git a/SOURCES/openssh-7.4p1-uidswap.patch b/SOURCES/openssh-7.4p1-uidswap.patch
new file mode 100644
index 0000000..2ca18b5
--- /dev/null
+++ b/SOURCES/openssh-7.4p1-uidswap.patch
@@ -0,0 +1,50 @@
+From 26f96ca10ad0ec5da9b05b99de1e1ccea15a11be Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Fri, 15 Jun 2018 07:01:11 +0000
+Subject: [PATCH] upstream: invalidate supplemental group cache used by
+
+temporarily_use_uid() when the target uid differs; could cause failure to
+read authorized_keys under some configurations. patch by Jakub Jelen via
+bz2873; ok dtucker, markus
+
+OpenBSD-Commit-ID: 48a345f0ee90f6c465a078eb5e89566b23abd8a1
+---
+ uidswap.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/uidswap.c b/uidswap.c
+index 8bf6b244e..1430b822a 100644
+--- a/uidswap.c
++++ b/uidswap.c
+@@ -49,6 +49,7 @@ static gid_t	saved_egid = 0;
+ /* Saved effective uid. */
+ static int	privileged = 0;
+ static int	temporarily_use_uid_effective = 0;
++static uid_t	user_groups_uid;
+ static gid_t	*saved_egroups = NULL, *user_groups = NULL;
+ static int	saved_egroupslen = -1, user_groupslen = -1;
+ 
+@@ -92,10 +93,11 @@ temporarily_use_uid(struct passwd *pw)
+ 			fatal("getgroups: %.100s", strerror(errno));
+ 	} else { /* saved_egroupslen == 0 */
+ 		free(saved_egroups);
++		saved_egroups = NULL;
+ 	}
+ 
+ 	/* set and save the user's groups */
+-	if (user_groupslen == -1) {
++	if (user_groupslen == -1 || user_groups_uid != pw->pw_uid) {
+ 		if (initgroups(pw->pw_name, pw->pw_gid) < 0)
+ 			fatal("initgroups: %s: %.100s", pw->pw_name,
+ 			    strerror(errno));
+@@ -110,7 +112,9 @@ temporarily_use_uid(struct passwd *pw)
+ 				fatal("getgroups: %.100s", strerror(errno));
+ 		} else { /* user_groupslen == 0 */
+ 			free(user_groups);
++			user_groups = NULL;
+ 		}
++		user_groups_uid = pw->pw_uid;
+ 	}
+ 	/* Set the effective uid to the given (unprivileged) uid. */
+ 	if (setgroups(user_groupslen, user_groups) < 0)
+
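Review bot: The cache is now keyed on `pw->pw_uid` alone, while `initgroups()` builds the group list from `pw->pw_name` and `pw->pw_gid`. Two passwd entries that share a uid but differ in group membership would therefore still reuse the first entry's supplementary groups in `setgroups()`. That is probably acceptable, but a stale list here means the process runs with another account's groups, so the assumption deserves a comment on the new static, e.g. `/* uid that user_groups[] was computed for; cache assumes one group set per uid */`. `temporarily_use_uid()` begins and ends outside these hunks.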
diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec
index 5c030bc..e1f50a5 100644
--- a/SPECS/openssh.spec
+++ b/SPECS/openssh.spec
@@ -64,7 +64,7 @@
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %define openssh_ver 7.4p1
-%define openssh_rel 16
+%define openssh_rel 21
 %define pam_ssh_agent_ver 0.10.3
 %define pam_ssh_agent_rel 2
 
@@ -250,6 +250,10 @@ Patch958: openssh-7.4p1-winscp-compat.patch
 Patch959: openssh-7.4p1-authorized_keys_command.patch
 # Fix for CVE-2017-15906 (#1517226)
 Patch960: openssh-7.5p1-sftp-empty-files.patch
+# Fix for CVE-2018-15473 (#1619079)
+Patch961: openssh-7.4p1-CVE-2018-15473.patch
+# invalidate supplemental group cache used by temporarily_use_uid() (#1619079)
+Patch962: openssh-7.4p1-uidswap.patch
 
 License: BSD
 Group: Applications/Internet
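Review bot: The comment above `Patch962` cites `#1619079`, the same bug number as the CVE-2018-15473 fix on `Patch961`, while the changelog entry for the supplemental group cache change in 7.4p1-18 cites `#1583735`. This looks like a copy-paste slip; if so the line should read `# invalidate supplemental group cache used by temporarily_use_uid() (#1583735)`. Keeping the reference correct matters when auditing which shipped patch corresponds to which tracked issue.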
@@ -504,6 +508,8 @@ popd
 %patch958 -p1 -b .winscp
 %patch959 -p1 -b .large-command
 %patch960 -p1 -b .sftp-empty
+%patch961 -p1 -b .CVE-2018-15473
+%patch962 -p1 -b .uidswap
 
 %patch200 -p1 -b .audit
 %patch202 -p1 -b .audit-race
@@ -829,6 +835,23 @@ getent passwd sshd >/dev/null || \
 %endif
 
 %changelog
+* Tue Jun 25 2019 Jakub Jelen <jjelen@redhat.com> - 7.4p1-21 + 0.10.3-2
+- Avoid double comma in the default cipher list in FIPS mode (#1722446)
+
+* Tue May 21 2019 Jakub Jelen <jjelen@redhat.com> - 7.4p1-20 + 0.10.3-2
+- Revert the updating of cached passwd structure (#1712053)
+
+* Mon Mar 04 2019 Jakub Jelen <jjelen@redhat.com> - 7.4p1-19 + 0.10.3-2
+- Update cached passwd structure after PAM authentication (#1674541)
+
+* Wed Feb 13 2019 Jakub Jelen <jjelen@redhat.com> - 7.4p1-18 + 0.10.3-2
+- invalidate supplemental group cache used by temporarily_use_uid()
+  when the target uid differs (#1583735)
+
+* Mon Jan 14 2019 Jakub Jelen <jjelen@redhat.com> - 7.4p1-17 + 0.10.3-2
+- Fix for CVE-2018-15473 (#1619079)
+- Enable GCM mode for AES ciphers in FIPS mode (#1600869)
+
 * Fri Nov 24 2017 Jakub Jelen <jjelen@redhat.com> - 7.4p1-16 + 0.10.3-2
 - Fix for CVE-2017-15906 (#1517226)