diff --git a/SOURCES/openssh-7.4p1-audit.patch b/SOURCES/openssh-7.4p1-audit.patch
index 4ce694a..5fb3753 100644
--- a/SOURCES/openssh-7.4p1-audit.patch
+++ b/SOURCES/openssh-7.4p1-audit.patch
@@ -1606,6 +1606,20 @@ diff -up openssh-7.4p1/packet.c.audit openssh-7.4p1/packet.c
  /*
   * Returns the IP-address of the remote host as a string.  The returned
   * string must not be freed.
+@@ -510,11 +510,12 @@
+ const char *
+ ssh_remote_ipaddr(struct ssh *ssh)
+ {
+-	const int sock = ssh->state->connection_in;
++	int sock;
+ 
+ 	/* Check whether we have cached the ipaddr. */
+ 	if (ssh->remote_ipaddr == NULL) {
+ 		if (ssh_packet_connection_is_on_socket(ssh)) {
++			sock = ssh->state->connection_in;
+ 			ssh->remote_ipaddr = get_peer_ipaddr(sock);
+ 			ssh->remote_port = get_peer_port(sock);
+ 			ssh->local_ipaddr = get_local_ipaddr(sock);
 @@ -562,13 +570,6 @@ ssh_packet_close(struct ssh *ssh)
  	if (!state->initialized)
  		return;
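Review bot: Nothing in ssh_remote_ipaddr records why `sock` may no longer be read from `ssh->state` at function entry, so a later cleanup could easily restore the `const int sock = ...` initializer. If the reason is that the function can be reached after the connection state has been torn down (the spec changelog mentions a segfault in audit code during cleanup), a comment above `int sock;` such as `/* ssh->state may already be gone during cleanup; only touch it when the address is not cached */` would keep that visible. The uncached path still goes through `ssh_packet_connection_is_on_socket(ssh)`, whose body is not shown here, so the fix appears to rely on the address having been cached before teardown. The function body continues past the end of this hunk.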
diff --git a/SOURCES/openssh-7.4p1-authorized_keys_command.patch b/SOURCES/openssh-7.4p1-authorized_keys_command.patch
new file mode 100644
index 0000000..86f887d
--- /dev/null
+++ b/SOURCES/openssh-7.4p1-authorized_keys_command.patch
@@ -0,0 +1,38 @@
+From ddd3d34e5c7979ca6f4a3a98a7d219a4ed3d98c2 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Fri, 30 Dec 2016 22:08:02 +0000
+Subject: [PATCH] upstream commit
+
+fix deadlock when keys/principals command produces a lot of
+output and a key is matched early; bz#2655, patch from jboning AT gmail.com
+
+Upstream-ID: e19456429bf99087ea994432c16d00a642060afe
+---
+ auth2-pubkey.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/auth2-pubkey.c b/auth2-pubkey.c
+index 20f3309e1..70c021589 100644
+--- a/auth2-pubkey.c
++++ b/auth2-pubkey.c
+@@ -727,6 +727,9 @@ match_principals_command(struct passwd *user_pw, const struct sshkey *key)
+ 
+ 	ok = process_principals(f, NULL, pw, cert);
+ 
++	fclose(f);
++	f = NULL;
++
+ 	if (exited_cleanly(pid, "AuthorizedPrincipalsCommand", command) != 0)
+ 		goto out;
+ 
+@@ -1050,6 +1053,9 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
+ 
+ 	ok = check_authkeys_file(f, options.authorized_keys_command, key, pw);
+ 
++	fclose(f);
++	f = NULL;
++
+ 	if (exited_cleanly(pid, "AuthorizedKeysCommand", command) != 0)
+ 		goto out;
+ 
+
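Review bot: The two added `fclose(f); f = NULL;` pairs in match_principals_command and user_key_command_allowed2 carry no comment, yet their position ahead of `exited_cleanly()` is the whole fix. A short comment before each, e.g. `/* close our end of the pipe before waiting, otherwise a command that is still writing can block forever */`, would stop the close from being moved back to the cleanup path. Setting `f = NULL` presumably keeps the `out:` label from closing the stream a second time; that label is outside both hunks.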
diff --git a/SOURCES/openssh-7.4p1-fips.patch b/SOURCES/openssh-7.4p1-fips.patch
index 38bd6f8..d325029 100644
--- a/SOURCES/openssh-7.4p1-fips.patch
+++ b/SOURCES/openssh-7.4p1-fips.patch
@@ -80,6 +80,18 @@ diff -up openssh-7.4p1/cipher-ctr.c.fips openssh-7.4p1/cipher-ctr.c
  #endif
  	return (&aes_ctr);
  }
+diff -up openssh-7.4p1/clientloop.c.fips openssh-7.4p1/clientloop.c
+--- openssh-7.4p1/clientloop.c.fips	2017-05-30 19:10:26.537505598 +0200
++++ openssh-7.4p1/clientloop.c	2017-05-30 19:10:26.571505583 +0200
+@@ -2452,7 +2452,7 @@ client_input_hostkeys(void)
+ 		/* Check that the key is accepted in HostkeyAlgorithms */
+ 		if (match_pattern_list(sshkey_ssh_name(key),
+ 		    options.hostkeyalgorithms ? options.hostkeyalgorithms :
+-		    KEX_DEFAULT_PK_ALG, 0) != 1) {
++		    (FIPS_mode() ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), 0) != 1) {
+ 			debug3("%s: %s key not permitted by HostkeyAlgorithms",
+ 			    __func__, sshkey_ssh_name(key));
+ 			continue;
 diff -up openssh-7.4p1/dh.h.fips openssh-7.4p1/dh.h
 --- openssh-7.4p1/dh.h.fips	2016-12-19 05:59:41.000000000 +0100
 +++ openssh-7.4p1/dh.h	2017-02-09 14:53:47.182347441 +0100
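Review bot: In client_input_hostkeys the FIPS list is only the fallback: when `options.hostkeyalgorithms` is set, that string is matched as configured, so algorithms left out of `KEX_FIPS_PK_ALG` can still be accepted in FIPS mode if the configuration names them. The same shape appears in the dump_config hunk for servconf.c and in the `options.hostkeyalgorithms != NULL` branch of the ssh_kex2 hunk. If FIPS mode is meant to be a hard limit rather than a default, the configured list needs to be intersected with `KEX_FIPS_PK_ALG` somewhere; whether another part of the patch already does that cannot be seen from here. At minimum, a comment stating that explicit configuration overrides the FIPS default would make the intent clear.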
@@ -309,9 +321,24 @@ diff -up openssh-7.4p1/Makefile.in.fips openssh-7.4p1/Makefile.in
  sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
  	$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 diff -up openssh-7.4p1/myproposal.h.fips openssh-7.4p1/myproposal.h
---- openssh-7.4p1/myproposal.h.fips	2016-12-19 05:59:41.000000000 +0100
-+++ openssh-7.4p1/myproposal.h	2017-02-09 14:53:47.184347440 +0100
-@@ -144,6 +144,37 @@
+--- openssh-7.4p1/myproposal.h.fips	2017-05-30 19:10:26.535505599 +0200
++++ openssh-7.4p1/myproposal.h	2017-05-30 19:10:26.574505582 +0200
+@@ -119,6 +119,14 @@
+ 	"ssh-rsa," \
+ 	"ssh-dss"
+ 
++#define	KEX_FIPS_PK_ALG	\
++	HOSTKEY_ECDSA_CERT_METHODS \
++	"ssh-rsa-cert-v01@openssh.com," \
++	HOSTKEY_ECDSA_METHODS \
++	"rsa-sha2-512," \
++	"rsa-sha2-256," \
++	"ssh-rsa"
++
+ /* the actual algorithms */
+ 
+ #define KEX_CLIENT_ENCRYPT \
+@@ -144,6 +152,37 @@
  
  #define KEX_CLIENT_MAC KEX_SERVER_MAC
  
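Review bot: `KEX_FIPS_PK_ALG` is a hand-copied subset of the default list above it with no comment saying what was dropped or why, so the two lists can drift apart when the default changes. Going by the spec changelog, the intent is to leave DSA and Ed25519 out in FIPS mode. A comment above the define such as `/* KEX_DEFAULT_PK_ALG minus the DSA and Ed25519 key and certificate types, which are not offered in FIPS mode; keep in sync */` would record that. Only the tail of the default list is visible in this hunk, so the exact difference should be checked against the full header.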
@@ -365,22 +392,39 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.fips op
 diff -up openssh-7.4p1/readconf.c.fips openssh-7.4p1/readconf.c
 --- openssh-7.4p1/readconf.c.fips	2017-02-09 14:53:47.185347438 +0100
 +++ openssh-7.4p1/readconf.c	2017-02-09 14:56:24.840191308 +0100
-@@ -2104,9 +2104,12 @@ fill_default_options(Options * options)
+@@ -2104,12 +2104,17 @@ fill_default_options(Options * options)
  	}
  	if (options->update_hostkeys == -1)
  		options->update_hostkeys = 0;
 -	if (kex_assemble_names(KEX_CLIENT_ENCRYPT, &options->ciphers) != 0 ||
 -	    kex_assemble_names(KEX_CLIENT_MAC, &options->macs) != 0 ||
 -	    kex_assemble_names(KEX_CLIENT_KEX, &options->kex_algorithms) != 0 ||
+-	    kex_assemble_names(KEX_DEFAULT_PK_ALG,
 +	if (kex_assemble_names((FIPS_mode() ? KEX_FIPS_ENCRYPT
 +	        : KEX_CLIENT_ENCRYPT), &options->ciphers) != 0 ||
 +	    kex_assemble_names((FIPS_mode() ? KEX_FIPS_MAC
 +	        : KEX_CLIENT_MAC), &options->macs) != 0 ||
 +	    kex_assemble_names((FIPS_mode() ? KEX_DEFAULT_KEX_FIPS
 +	        : KEX_CLIENT_KEX), &options->kex_algorithms) != 0 ||
- 	    kex_assemble_names(KEX_DEFAULT_PK_ALG,
++	    kex_assemble_names((FIPS_mode() ? KEX_FIPS_PK_ALG
++	        : KEX_DEFAULT_PK_ALG),
  	    &options->hostbased_key_types) != 0 ||
- 	    kex_assemble_names(KEX_DEFAULT_PK_ALG,
+-	    kex_assemble_names(KEX_DEFAULT_PK_ALG,
++	    kex_assemble_names((FIPS_mode() ? KEX_FIPS_PK_ALG
++	        : KEX_DEFAULT_PK_ALG),
+ 	    &options->pubkey_key_types) != 0)
+ 		fatal("%s: kex_assemble_names failed", __func__);
+ 
+@@ -2559,7 +2564,8 @@ dump_client_config(Options *o, const cha
+ 	char buf[8];
+ 
+ 	/* This is normally prepared in ssh_kex2 */
+-	if (kex_assemble_names(KEX_DEFAULT_PK_ALG, &o->hostkeyalgorithms) != 0)
++	if (kex_assemble_names((FIPS_mode() ? KEX_FIPS_PK_ALG
++	    : KEX_DEFAULT_PK_ALG), &o->hostkeyalgorithms) != 0)
+ 		fatal("%s: kex_assemble_names failed", __func__);
+ 
+ 	/* Most interesting options first: user, host, port */
 diff -up openssh-7.4p1/sandbox-seccomp-filter.c.fips openssh-7.4p1/sandbox-seccomp-filter.c
 --- openssh-7.4p1/sandbox-seccomp-filter.c.fips	2017-02-09 14:53:47.177347446 +0100
 +++ openssh-7.4p1/sandbox-seccomp-filter.c	2017-02-09 14:53:47.185347438 +0100
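Review bot: The expression `(FIPS_mode() ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG)` is spelled out at every call in fill_default_options and dump_client_config, and again in the servconf.c, sshconnect2.c and clientloop.c hunks. One new macro beside `KEX_FIPS_PK_ALG` in myproposal.h, for example `#define KEX_PK_ALG_FOR_MODE (FIPS_mode() ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG)` (the name is only a suggestion), would leave a single place to change and make a missed call site easier to spot. Every file that expands it already calls `FIPS_mode()` directly in this patch, so no new declaration should be needed.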
@@ -395,25 +439,36 @@ diff -up openssh-7.4p1/sandbox-seccomp-filter.c.fips openssh-7.4p1/sandbox-secco
  	SC_DENY(openat, EACCES),
  #endif
 diff -up openssh-7.4p1/servconf.c.fips openssh-7.4p1/servconf.c
---- openssh-7.4p1/servconf.c.fips	2017-02-09 14:53:47.169347454 +0100
-+++ openssh-7.4p1/servconf.c	2017-02-09 14:57:24.957131771 +0100
-@@ -184,9 +184,12 @@ option_clear_or_none(const char *o)
+--- openssh-7.4p1/servconf.c.fips	2017-06-07 13:07:28.403983349 +0200
++++ openssh-7.4p1/servconf.c	2017-06-07 13:09:46.710997099 +0200
+@@ -185,14 +185,20 @@ option_clear_or_none(const char *o)
  static void
  assemble_algorithms(ServerOptions *o)
  {
 -	if (kex_assemble_names(KEX_SERVER_ENCRYPT, &o->ciphers) != 0 ||
 -	    kex_assemble_names(KEX_SERVER_MAC, &o->macs) != 0 ||
 -	    kex_assemble_names(KEX_SERVER_KEX, &o->kex_algorithms) != 0 ||
+-	    kex_assemble_names(KEX_DEFAULT_PK_ALG,
 +	if (kex_assemble_names((FIPS_mode() ? KEX_FIPS_ENCRYPT
 +	        : KEX_SERVER_ENCRYPT), &o->ciphers) != 0 ||
 +	    kex_assemble_names((FIPS_mode() ? KEX_FIPS_MAC
 +	        : KEX_SERVER_MAC), &o->macs) != 0 ||
 +	    kex_assemble_names((FIPS_mode() ? KEX_DEFAULT_KEX_FIPS
 +	        : KEX_SERVER_KEX), &o->kex_algorithms) != 0 ||
- 	    kex_assemble_names(KEX_DEFAULT_PK_ALG,
++	    kex_assemble_names((FIPS_mode() ? KEX_FIPS_PK_ALG
++	        : KEX_DEFAULT_PK_ALG),
  	    &o->hostkeyalgorithms) != 0 ||
- 	    kex_assemble_names(KEX_DEFAULT_PK_ALG,
-@@ -2386,8 +2389,10 @@ dump_config(ServerOptions *o)
+-	    kex_assemble_names(KEX_DEFAULT_PK_ALG,
++	    kex_assemble_names((FIPS_mode() ? KEX_FIPS_PK_ALG
++	        : KEX_DEFAULT_PK_ALG),
+ 	    &o->hostbased_key_types) != 0 ||
+-	    kex_assemble_names(KEX_DEFAULT_PK_ALG, &o->pubkey_key_types) != 0)
++	    kex_assemble_names((FIPS_mode() ? KEX_FIPS_PK_ALG
++	        : KEX_DEFAULT_PK_ALG), &o->pubkey_key_types) != 0)
+ 		fatal("kex_assemble_names failed");
+ }
+ 
+@@ -2390,8 +2396,10 @@ dump_config(ServerOptions *o)
  	/* string arguments */
  	dump_cfg_string(sPidFile, o->pid_file);
  	dump_cfg_string(sXAuthLocation, o->xauth_location);
@@ -426,7 +481,7 @@ diff -up openssh-7.4p1/servconf.c.fips openssh-7.4p1/servconf.c
  	dump_cfg_string(sBanner, o->banner == NULL ? "none" : o->banner);
  	dump_cfg_string(sForceCommand, o->adm_forced_command);
  	dump_cfg_string(sChrootDirectory, o->chroot_directory);
-@@ -2402,8 +2407,8 @@ dump_config(ServerOptions *o)
+@@ -2406,14 +2414,17 @@ dump_config(ServerOptions *o)
  	dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command);
  	dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user);
  	dump_cfg_string(sHostKeyAgent, o->host_key_agent);
@@ -435,8 +490,20 @@ diff -up openssh-7.4p1/servconf.c.fips openssh-7.4p1/servconf.c
 +	dump_cfg_string(sKexAlgorithms, o->kex_algorithms ? o->kex_algorithms :
 +		FIPS_mode() ? KEX_DEFAULT_KEX_FIPS : KEX_SERVER_KEX);
  	dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ?
- 	    o->hostbased_key_types : KEX_DEFAULT_PK_ALG);
+-	    o->hostbased_key_types : KEX_DEFAULT_PK_ALG);
++	    o->hostbased_key_types : (FIPS_mode() ? KEX_FIPS_PK_ALG
++	        : KEX_DEFAULT_PK_ALG));
  	dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ?
+-	    o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG);
++	    o->hostkeyalgorithms : (FIPS_mode() ? KEX_FIPS_PK_ALG
++	        : KEX_DEFAULT_PK_ALG));
+ 	dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ?
+-	    o->pubkey_key_types : KEX_DEFAULT_PK_ALG);
++	    o->pubkey_key_types : (FIPS_mode() ? KEX_FIPS_PK_ALG
++	        : KEX_DEFAULT_PK_ALG));
+ 
+ 	/* string arguments requiring a lookup */
+ 	dump_cfg_string(sLogLevel, log_level_name(o->log_level));
 diff -up openssh-7.4p1/ssh.c.fips openssh-7.4p1/ssh.c
 --- openssh-7.4p1/ssh.c.fips	2016-12-19 05:59:41.000000000 +0100
 +++ openssh-7.4p1/ssh.c	2017-02-09 14:53:47.185347438 +0100
@@ -518,7 +585,17 @@ diff -up openssh-7.4p1/sshconnect2.c.fips openssh-7.4p1/sshconnect2.c
  #include "openbsd-compat/sys-queue.h"
  
  #include "xmalloc.h"
-@@ -172,21 +174,26 @@ ssh_kex2(char *host, struct sockaddr *ho
+@@ -117,7 +119,8 @@ order_hostkeyalgs(char *host, struct soc
+ 	for (i = 0; i < options.num_system_hostfiles; i++)
+ 		load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
+ 
+-	oavail = avail = xstrdup(KEX_DEFAULT_PK_ALG);
++	oavail = avail = xstrdup((FIPS_mode()
++	    ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG));
+ 	maxlen = strlen(avail) + 1;
+ 	first = xmalloc(maxlen);
+ 	last = xmalloc(maxlen);
+@@ -172,21 +175,26 @@ ssh_kex2(char *host, struct sockaddr *ho
  
  #ifdef GSSAPI
  	if (options.gss_keyex) {
@@ -560,6 +637,25 @@ diff -up openssh-7.4p1/sshconnect2.c.fips openssh-7.4p1/sshconnect2.c
  		}
  	}
  #endif
+@@ -204,14 +212,16 @@ ssh_kex2(char *host, struct sockaddr *ho
+ 	myproposal[PROPOSAL_MAC_ALGS_CTOS] =
+ 	    myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
+ 	if (options.hostkeyalgorithms != NULL) {
+-		if (kex_assemble_names(KEX_DEFAULT_PK_ALG,
++		if (kex_assemble_names((FIPS_mode() ? KEX_FIPS_PK_ALG
++		    : KEX_DEFAULT_PK_ALG),
+ 		    &options.hostkeyalgorithms) != 0)
+ 			fatal("%s: kex_assemble_namelist", __func__);
+ 		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
+ 		    compat_pkalg_proposal(options.hostkeyalgorithms);
+ 	} else {
+ 		/* Enforce default */
+-		options.hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG);
++		options.hostkeyalgorithms = xstrdup((FIPS_mode()
++		    ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG));
+ 		/* Prefer algorithms that we already have keys for */
+ 		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
+ 		    compat_pkalg_proposal(
 diff -up openssh-7.4p1/sshd.c.fips openssh-7.4p1/sshd.c
 --- openssh-7.4p1/sshd.c.fips	2017-02-09 14:53:47.178347445 +0100
 +++ openssh-7.4p1/sshd.c	2017-02-09 14:53:47.186347437 +0100
diff --git a/SOURCES/openssh-7.4p1-rekeying-timeouts.patch b/SOURCES/openssh-7.4p1-rekeying-timeouts.patch
new file mode 100644
index 0000000..50e4257
--- /dev/null
+++ b/SOURCES/openssh-7.4p1-rekeying-timeouts.patch
@@ -0,0 +1,18 @@
+diff --git a/serverloop.c b/serverloop.c
+index b5eb3440..1535eeb2 100644
+--- a/serverloop.c
++++ b/serverloop.c
+@@ -225,9 +225,10 @@ wait_until_can_do_something(int connection_in, int connection_out,
+ 		uint64_t keepalive_ms =
+ 		    (uint64_t)options.client_alive_interval * 1000;
+ 
+-		client_alive_scheduled = 1;
+-		if (max_time_ms == 0 || max_time_ms > keepalive_ms)
++		if (max_time_ms == 0 || max_time_ms > keepalive_ms) {
+ 			max_time_ms = keepalive_ms;
++			client_alive_scheduled = 1;
++		}
+ 	}
+ 
+ #if 0
+
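Review bot: With `client_alive_scheduled = 1` moved inside the `if`, a wakeup counts as a client-alive timeout only when the keepalive interval is strictly the shorter of the two timers. When `max_time_ms` equals `keepalive_ms`, or is always shorter (presumably the rekey timer), the flag stays 0. Depending on how the flag is used further down, which is outside the hunk, client-alive probes to an unresponsive peer may then be delayed or never sent. A comment on the block such as `/* only count the wakeup as a keepalive timeout if the keepalive timer is the one that bounds the wait */` would document the intent, and the always-shorter case deserves a test.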
diff --git a/SOURCES/openssh-7.4p1-sandbox-ibmca.patch b/SOURCES/openssh-7.4p1-sandbox-ibmca.patch
index 5479c65..c5a3d28 100644
--- a/SOURCES/openssh-7.4p1-sandbox-ibmca.patch
+++ b/SOURCES/openssh-7.4p1-sandbox-ibmca.patch
@@ -147,3 +147,65 @@ index 6e7de31..e86aa2c 100644
  #endif
 -- 
 1.9.1
+
+The EP11 crypto card needs to make an ioctl call, which receives an
+specific argument. This crypto card is for s390 only.
+
+Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
+---
+ sandbox-seccomp-filter.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index e86aa2c..98062f1 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -250,6 +250,8 @@ static const struct sock_filter preauth_insns[] = {
+ 	SC_ALLOW_ARG(ioctl, 1, Z90STAT_STATUS_MASK),
+ 	SC_ALLOW_ARG(ioctl, 1, ICARSAMODEXPO),
+ 	SC_ALLOW_ARG(ioctl, 1, ICARSACRT),
++	/* Allow ioctls for EP11 crypto card on s390 */
++	SC_ALLOW_ARG(ioctl, 1, ZSENDEP11CPRB),
+ #endif /* defined(__NR_ioctl) && defined(__s390__) */
+ 
+ 	/* Default deny */
+--
+1.9.1
+
+In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock
+and ipc calls, because this engine calls OpenCryptoki (a PKCS#11
+implementation) which calls the libraries that will communicate with the
+crypto cards. OpenCryptoki makes use of flock and ipc and, as of now,
+this is only need on s390 architecture.
+
+Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
+---
+ sandbox-seccomp-filter.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index ca75cc7..6e7de31 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -166,6 +166,9 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_exit_group
+ 	SC_ALLOW(exit_group),
+ #endif
++#if defined(__NR_flock) && defined(__s390__)
++	SC_ALLOW(flock),
++#endif
+ #ifdef __NR_getpgid
+ 	SC_ALLOW(getpgid),
+ #endif
+@@ -178,6 +181,9 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_gettimeofday
+ 	SC_ALLOW(gettimeofday),
+ #endif
++#if defined(__NR_ipc) && defined(__s390__)
++	SC_ALLOW(ipc),
++#endif
+ #ifdef __NR_madvise
+ 	SC_ALLOW(madvise),
+ #endif
+--
+1.9.1
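Review bot: `SC_ALLOW(flock)` and `SC_ALLOW(ipc)` open both system calls without any argument filter in the pre-auth sandbox of every s390 build, whether or not the ibmpkcs11 engine is in use. `ipc` is a multiplexer that covers the System V semaphore, message-queue and shared-memory operations, so this is a much wider allowance than the `SC_ALLOW_ARG(ioctl, 1, ...)` entries in the same filter. If OpenCryptoki needs only some of those operations, restricting the call number with `SC_ALLOW_ARG` on the first argument would keep the filter tighter; which operations are required cannot be determined from this patch. A comment on the two `#if` blocks naming the engine, like the one added for `ZSENDEP11CPRB`, would also help a later audit of the allow-list.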
diff --git a/SOURCES/openssh-7.4p1-winscp-compat.patch b/SOURCES/openssh-7.4p1-winscp-compat.patch
new file mode 100644
index 0000000..55fa6fc
--- /dev/null
+++ b/SOURCES/openssh-7.4p1-winscp-compat.patch
@@ -0,0 +1,31 @@
+commit 2985d4062ebf4204bbd373456a810d558698f9f5
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Tue Jul 25 09:22:25 2017 +0000
+
+    upstream commit
+    
+    Make WinSCP patterns for SSH_OLD_DHGEX more specific to
+    exclude WinSCP 5.10.x and up.  bz#2748, from martin at winscp.net, ok djm@
+    
+    Upstream-ID: 6fd7c32e99af3952db007aa180e73142ddbc741a
+
+diff --git a/compat.c b/compat.c
+index 156a5ea8..d82135e2 100644
+--- a/compat.c
++++ b/compat.c
+@@ -177,9 +177,12 @@ compat_datafellows(const char *version)
+ 		  "TTSSH/2.72*",	SSH_BUG_HOSTKEYS },
+ 		{ "WinSCP_release_4*,"
+ 		  "WinSCP_release_5.0*,"
+-		  "WinSCP_release_5.1*,"
+-		  "WinSCP_release_5.5*,"
+-		  "WinSCP_release_5.6*,"
++		  "WinSCP_release_5.1,"
++		  "WinSCP_release_5.1.*,"
++		  "WinSCP_release_5.5,"
++		  "WinSCP_release_5.5.*,"
++		  "WinSCP_release_5.6,"
++		  "WinSCP_release_5.6.*,"
+ 		  "WinSCP_release_5.7,"
+ 		  "WinSCP_release_5.7.1,"
+ 		  "WinSCP_release_5.7.2,"
diff --git a/SOURCES/openssh-7.5p1-sftp-empty-files.patch b/SOURCES/openssh-7.5p1-sftp-empty-files.patch
new file mode 100644
index 0000000..c32ad20
--- /dev/null
+++ b/SOURCES/openssh-7.5p1-sftp-empty-files.patch
@@ -0,0 +1,35 @@
+From 4d827f0d75a53d3952288ab882efbddea7ffadfe Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Tue, 4 Apr 2017 00:24:56 +0000
+Subject: [PATCH] upstream commit
+
+disallow creation (of empty files) in read-only mode;
+reported by Michal Zalewski, feedback & ok deraadt@
+
+Upstream-ID: 5d9c8f2fa8511d4ecf95322994ffe73e9283899b
+---
+ sftp-server.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/sftp-server.c b/sftp-server.c
+index 3619cdfc0..df0fb5068 100644
+--- a/sftp-server.c
++++ b/sftp-server.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: sftp-server.c,v 1.110 2016/09/12 01:22:38 deraadt Exp $ */
++/* $OpenBSD: sftp-server.c,v 1.111 2017/04/04 00:24:56 djm Exp $ */
+ /*
+  * Copyright (c) 2000-2004 Markus Friedl.  All rights reserved.
+  *
+@@ -691,8 +691,8 @@ process_open(u_int32_t id)
+ 	logit("open \"%s\" flags %s mode 0%o",
+ 	    name, string_from_portable(pflags), mode);
+ 	if (readonly &&
+-	    ((flags & O_ACCMODE) == O_WRONLY ||
+-	    (flags & O_ACCMODE) == O_RDWR)) {
++	    ((flags & O_ACCMODE) != O_RDONLY ||
++	    (flags & (O_CREAT|O_TRUNC)) != 0)) {
+ 		verbose("Refusing open request in read-only mode");
+ 		status = SSH2_FX_PERMISSION_DENIED;
+ 	} else {
+
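Review bot: The new read-only test in process_open has no comment explaining why `O_CREAT` and `O_TRUNC` are checked separately from the access mode, which is the point of the fix. Something like `/* read-only: O_CREAT and O_TRUNC change the filesystem even when the access mode is O_RDONLY */` above the `if (readonly &&` line would keep the condition from being simplified back. No regression test is added by this patch; one that sends an open with read access plus the create flag to a read-only server and expects `SSH2_FX_PERMISSION_DENIED` would pin the behaviour. process_open starts and ends outside the hunk.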
diff --git a/SOURCES/pam_ssh_agent_auth-0.10.3-agent_structure.patch b/SOURCES/pam_ssh_agent_auth-0.10.3-agent_structure.patch
index 91e1c3d..e9822ac 100644
--- a/SOURCES/pam_ssh_agent_auth-0.10.3-agent_structure.patch
+++ b/SOURCES/pam_ssh_agent_auth-0.10.3-agent_structure.patch
@@ -633,7 +633,7 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-
  /* extern u_char  *session_id2;
  extern uint8_t  session_id_len;
   */
-@@ -58,7 +60,8 @@ userauth_pubkey_from_id(const char *ruse
+@@ -58,40 +60,41 @@ userauth_pubkey_from_id(const char *ruse
      Buffer          b = { 0 };
      char           *pkalg = NULL;
      u_char         *pkblob = NULL, *sig = NULL;
@@ -643,7 +643,11 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-
      int             authenticated = 0;
  
      pkalg = (char *) key_ssh_name(id->key);
-@@ -67,31 +70,31 @@ userauth_pubkey_from_id(const char *ruse
+ 
++    /* construct packet to sign and test */
++    buffer_init(&b);
++
+     /* first test if this key is even allowed */
      if(! pam_user_key_allowed(ruser, id->key))
          goto user_auth_clean_exit;
  
@@ -651,10 +655,9 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-
 +    if(key_to_blob(id->key, &pkblob, &blen) == 0)
          goto user_auth_clean_exit;
  
-     /* construct packet to sign and test */
+-    /* construct packet to sign and test */
 -    pamsshagentauth_buffer_init(&b);
-+    buffer_init(&b);
- 
+-
 -    pamsshagentauth_buffer_put_string(&b, session_id2->buf + session_id2->offset, session_id2->end - session_id2->offset);
 -    pamsshagentauth_buffer_put_char(&b, SSH2_MSG_USERAUTH_TRUST_REQUEST); 
 -    pamsshagentauth_buffer_put_cstring(&b, ruser);
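Review bot: `buffer_init(&b)` now runs before the `pam_user_key_allowed()` check (moved there by the previous hunk), but it kept the comment `/* construct packet to sign and test */`, which no longer describes the line it sits on and does not say why the initialisation must come first. Presumably `user_auth_clean_exit` frees `b` unconditionally, so every `goto` has to see an initialised buffer; that label is outside both hunks. A comment on the moved call such as `/* initialise before the first goto user_auth_clean_exit, which releases b */`, with the original comment left above the `buffer_put_*` calls, would make the ordering requirement explicit.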
diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec
index c2ce291..5c030bc 100644
--- a/SPECS/openssh.spec
+++ b/SPECS/openssh.spec
@@ -64,9 +64,9 @@
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %define openssh_ver 7.4p1
-%define openssh_rel 13
+%define openssh_rel 16
 %define pam_ssh_agent_ver 0.10.3
-%define pam_ssh_agent_rel 1
+%define pam_ssh_agent_rel 2
 
 Summary: An open source implementation of SSH protocol versions 1 and 2
 Name: openssh
@@ -242,6 +242,14 @@ Patch954: openssh-7.4p1-ControlPath_too_long.patch
 Patch955: openssh-7.4p1-sandbox-ibmca.patch
 # Back to UseDNS=yes by default (#1478175)
 Patch956: openssh-7.4p1-usedns-yes.patch
+# Clatch between ClientAlive timeouts and rekeying (#1480510)
+Patch957: openssh-7.4p1-rekeying-timeouts.patch
+# WinSCP 5.10+ compatibility (#1496808)
+Patch958: openssh-7.4p1-winscp-compat.patch
+# SSH AuthorizedKeysCommand hangs when output is too large (#1496467)
+Patch959: openssh-7.4p1-authorized_keys_command.patch
+# Fix for CVE-2017-15906 (#1517226)
+Patch960: openssh-7.5p1-sftp-empty-files.patch
 
 License: BSD
 Group: Applications/Internet
@@ -492,6 +500,10 @@ popd
 %patch954 -p1 -b .ControlPath
 %patch955 -p1 -b .ibmca
 %patch956 -p1 -b .usedns
+%patch957 -p1 -b .rekey-timeout
+%patch958 -p1 -b .winscp
+%patch959 -p1 -b .large-command
+%patch960 -p1 -b .sftp-empty
 
 %patch200 -p1 -b .audit
 %patch202 -p1 -b .audit-race
@@ -817,6 +829,21 @@ getent passwd sshd >/dev/null || \
 %endif
 
 %changelog
+* Fri Nov 24 2017 Jakub Jelen <jjelen@redhat.com> - 7.4p1-16 + 0.10.3-2
+- Fix for CVE-2017-15906 (#1517226)
+
+* Mon Nov 06 2017 Jakub Jelen <jjelen@redhat.com> - 7.4p1-15 + 0.10.3-2
+- Do not hang if SSH AuthorizedKeysCommand output is too large (#1496467)
+- Do not segfault pam_ssh_agent_auth if keyfile is missing (#1494268)
+- Do not segfault in audit code during cleanup (#1488083)
+- Add WinSCP 5.10+ compatibility (#1496808)
+- Clatch between ClientAlive and rekeying timeouts (#1480510)
+- Exclude dsa and ed25519 from default proposed keys in FIPS mode (#1456853)
+- Add enablement for openssl-ibmca and openssl-ibmpkcs11 (#1478035)
+
+* Fri Nov  3 2017 Nikos Mavrogiannopoulos <nmav@redhat.com> - 7.4p1-14 + 0.10.3-2
+- Rebuilt for RHEL-7.5
+
 * Wed Sep 13 2017 Jakub Jelen <jjelen@redhat.com> - 7.4p1-13 + 0.10.3-1
 - Revert default of GSSAPIStrictAcceptorCheck=no back to yes (#1488982)