rpms/openssh/devel openssh-4.7p1-audit.patch, 1.1, 1.2 openssh-5.2p1-redhat.patch, 1.2, 1.3 openssh-5.2p1-selinux.patch, 1.2, 1.3 openssh.spec, 1.157, 1.158 openssh-4.3p2-cve-2007-3102.patch, 1.1, NONE openssh-5.1p1-gssapi-role.patch, 1.1, NONE openssh-5.2p1-xmodifiers.patch, 1.1, NONE
Jan F. Chadima
jfch2222 at fedoraproject.org
Fri Aug 28 21:46:27 UTC 2009
Author: jfch2222
Update of /cvs/pkgs/rpms/openssh/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv13902
Modified Files:
openssh-4.7p1-audit.patch openssh-5.2p1-redhat.patch
openssh-5.2p1-selinux.patch openssh.spec
Removed Files:
openssh-4.3p2-cve-2007-3102.patch
openssh-5.1p1-gssapi-role.patch openssh-5.2p1-xmodifiers.patch
Log Message:
rearange patches
openssh-4.7p1-audit.patch:
auth.c | 10 ++++++
config.h.in | 30 +++++++++++++++++--
configure.ac | 13 ++++++++
loginrec.c | 92 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
loginrec.h | 4 ++
5 files changed, 146 insertions(+), 3 deletions(-)
Index: openssh-4.7p1-audit.patch
===================================================================
RCS file: /cvs/pkgs/rpms/openssh/devel/openssh-4.7p1-audit.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- openssh-4.7p1-audit.patch 6 Sep 2007 19:49:16 -0000 1.1
+++ openssh-4.7p1-audit.patch 28 Aug 2009 21:46:27 -0000 1.2
@@ -1,7 +1,7 @@
-diff -up openssh-4.7p1/auth.c.audit openssh-4.7p1/auth.c
---- openssh-4.7p1/auth.c.audit 2007-03-26 18:35:28.000000000 +0200
-+++ openssh-4.7p1/auth.c 2007-09-06 17:07:44.000000000 +0200
-@@ -286,6 +286,12 @@ auth_log(Authctxt *authctxt, int authent
+diff -up openssh-5.2p1/auth.c.audit openssh-5.2p1/auth.c
+--- openssh-5.2p1/auth.c.audit 2008-11-05 06:12:54.000000000 +0100
++++ openssh-5.2p1/auth.c 2009-08-09 09:22:23.634850536 +0200
+@@ -287,6 +287,12 @@ auth_log(Authctxt *authctxt, int authent
get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
# endif
#endif
@@ -14,7 +14,7 @@ diff -up openssh-4.7p1/auth.c.audit open
#ifdef SSH_AUDIT_EVENTS
if (authenticated == 0 && !authctxt->postponed)
audit_event(audit_classify_auth(method));
-@@ -492,6 +498,10 @@ getpwnamallow(const char *user)
+@@ -533,6 +539,10 @@ getpwnamallow(const char *user)
record_failed_login(user,
get_canonical_hostname(options.use_dns), "ssh");
#endif
@@ -25,9 +25,113 @@ diff -up openssh-4.7p1/auth.c.audit open
#ifdef SSH_AUDIT_EVENTS
audit_event(SSH_INVALID_USER);
#endif /* SSH_AUDIT_EVENTS */
-diff -up openssh-4.7p1/loginrec.c.audit openssh-4.7p1/loginrec.c
---- openssh-4.7p1/loginrec.c.audit 2007-04-29 04:10:58.000000000 +0200
-+++ openssh-4.7p1/loginrec.c 2007-09-06 17:07:44.000000000 +0200
+diff -up openssh-5.2p1/config.h.in.audit openssh-5.2p1/config.h.in
+--- openssh-5.2p1/config.h.in.audit 2009-02-23 01:18:12.000000000 +0100
++++ openssh-5.2p1/config.h.in 2009-08-09 09:22:28.825939998 +0200
+@@ -1,5 +1,8 @@
+ /* config.h.in. Generated from configure.ac by autoheader. */
+
++/* Define if building universal (internal helper macro) */
++#undef AC_APPLE_UNIVERSAL_BUILD
++
+ /* Define if you have a getaddrinfo that fails for the all-zeros IPv6 address
+ */
+ #undef AIX_GETNAMEINFO_HACK
+@@ -521,6 +524,9 @@
+ /* Define to 1 if you have the <lastlog.h> header file. */
+ #undef HAVE_LASTLOG_H
+
++/* Define to 1 if you have the <libaudit.h> header file. */
++#undef HAVE_LIBAUDIT_H
++
+ /* Define to 1 if you have the `bsm' library (-lbsm). */
+ #undef HAVE_LIBBSM
+
+@@ -560,6 +566,9 @@
+ /* Define to 1 if you have the <limits.h> header file. */
+ #undef HAVE_LIMITS_H
+
++/* Define if you want Linux audit support. */
++#undef HAVE_LINUX_AUDIT
++
+ /* Define to 1 if you have the <linux/if_tun.h> header file. */
+ #undef HAVE_LINUX_IF_TUN_H
+
+@@ -756,6 +765,9 @@
+ /* Define to 1 if you have the `setgroups' function. */
+ #undef HAVE_SETGROUPS
+
++/* Define to 1 if you have the `setkeycreatecon' function. */
++#undef HAVE_SETKEYCREATECON
++
+ /* Define to 1 if you have the `setlogin' function. */
+ #undef HAVE_SETLOGIN
+
+@@ -1330,6 +1342,10 @@
+ /* Prepend the address family to IP tunnel traffic */
+ #undef SSH_TUN_PREPEND_AF
+
++/* Define to your vendor patch level, if it has been modified from the
++ upstream source release. */
++#undef SSH_VENDOR_PATCHLEVEL
++
+ /* Define to 1 if you have the ANSI C header files. */
+ #undef STDC_HEADERS
+
+@@ -1397,9 +1413,17 @@
+ /* Define if you want SELinux support. */
+ #undef WITH_SELINUX
+
+-/* Define to 1 if your processor stores words with the most significant byte
+- first (like Motorola and SPARC, unlike Intel and VAX). */
+-#undef WORDS_BIGENDIAN
++/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
++ significant byte first (like Motorola and SPARC, unlike Intel). */
++#if defined AC_APPLE_UNIVERSAL_BUILD
++# if defined __BIG_ENDIAN__
++# define WORDS_BIGENDIAN 1
++# endif
++#else
++# ifndef WORDS_BIGENDIAN
++# undef WORDS_BIGENDIAN
++# endif
++#endif
+
+ /* Define if xauth is found in your path */
+ #undef XAUTH_PATH
+diff -up openssh-5.2p1/configure.ac.audit openssh-5.2p1/configure.ac
+--- openssh-5.2p1/configure.ac.audit 2009-08-09 09:22:23.608877833 +0200
++++ openssh-5.2p1/configure.ac 2009-08-09 09:22:23.646244409 +0200
+@@ -3342,6 +3342,18 @@ AC_ARG_WITH(selinux,
+ fi ]
+ )
+
++# Check whether user wants Linux audit support
++LINUX_AUDIT_MSG="no"
++AC_ARG_WITH(linux-audit,
++ [ --with-linux-audit Enable Linux audit support],
++ [ if test "x$withval" != "xno" ; then
++ AC_DEFINE(HAVE_LINUX_AUDIT,1,[Define if you want Linux audit support.])
++ LINUX_AUDIT_MSG="yes"
++ AC_CHECK_HEADERS(libaudit.h)
++ SSHDLIBS="$SSHDLIBS -laudit"
++ fi ]
++)
++
+ # Check whether user wants Kerberos 5 support
+ KRB5_MSG="no"
+ AC_ARG_WITH(kerberos5,
+@@ -4170,6 +4182,7 @@ echo " PAM support
+ echo " OSF SIA support: $SIA_MSG"
+ echo " KerberosV support: $KRB5_MSG"
+ echo " SELinux support: $SELINUX_MSG"
++echo " Linux audit support: $LINUX_AUDIT_MSG"
+ echo " Smartcard support: $SCARD_MSG"
+ echo " S/KEY support: $SKEY_MSG"
+ echo " TCP Wrappers support: $TCPW_MSG"
+diff -up openssh-5.2p1/loginrec.c.audit openssh-5.2p1/loginrec.c
+--- openssh-5.2p1/loginrec.c.audit 2009-02-12 03:12:22.000000000 +0100
++++ openssh-5.2p1/loginrec.c 2009-08-09 09:22:23.667199702 +0200
@@ -176,6 +176,10 @@
#include "auth.h"
#include "buffer.h"
@@ -60,16 +164,49 @@ diff -up openssh-4.7p1/loginrec.c.audit
#ifdef USE_LOGIN
syslogin_write_entry(li);
#endif
-@@ -1394,6 +1405,51 @@ wtmpx_get_entry(struct logininfo *li)
+@@ -1394,6 +1405,87 @@ wtmpx_get_entry(struct logininfo *li)
}
#endif /* USE_WTMPX */
+#ifdef HAVE_LINUX_AUDIT
++static void
++_audit_hexscape(const char *what, char *where, unsigned int size)
++{
++ const char *ptr = what;
++ const char *hex = "0123456789ABCDEF";
++
++ while (*ptr) {
++ if (*ptr == '"' || *ptr < 0x21 || *ptr > 0x7E) {
++ unsigned int i;
++ ptr = what;
++ for (i = 0; *ptr && i+2 < size; i += 2) {
++ where[i] = hex[((unsigned)*ptr & 0xF0)>>4]; /* Upper nibble */
++ where[i+1] = hex[(unsigned)*ptr & 0x0F]; /* Lower nibble */
++ ptr++;
++ }
++ where[i] = '\0';
++ return;
++ }
++ ptr++;
++ }
++ where[0] = '"';
++ if ((unsigned)(ptr - what) < size - 3)
++ {
++ size = ptr - what + 3;
++ }
++ strncpy(where + 1, what, size - 3);
++ where[size-2] = '"';
++ where[size-1] = '\0';
++}
++
++#define AUDIT_LOG_SIZE 128
++#define AUDIT_ACCT_SIZE (AUDIT_LOG_SIZE - 8)
++
+int
+linux_audit_record_event(int uid, const char *username,
+ const char *hostname, const char *ip, const char *ttyn, int success)
+{
-+ char buf[64];
++ char buf[AUDIT_LOG_SIZE];
+ int audit_fd, rc;
+
+ audit_fd = audit_open();
@@ -82,8 +219,11 @@ diff -up openssh-4.7p1/loginrec.c.audit
+ }
+ if (username == NULL)
+ snprintf(buf, sizeof(buf), "uid=%d", uid);
-+ else
-+ snprintf(buf, sizeof(buf), "acct=%s", username);
++ else {
++ char encoded[AUDIT_ACCT_SIZE];
++ _audit_hexscape(username, encoded, sizeof(encoded));
++ snprintf(buf, sizeof(buf), "acct=%s", encoded);
++ }
+ rc = audit_log_user_message(audit_fd, AUDIT_USER_LOGIN,
+ buf, hostname, ip, ttyn, success);
+ close(audit_fd);
@@ -112,22 +252,9 @@ diff -up openssh-4.7p1/loginrec.c.audit
/**
** Low-level libutil login() functions
**/
-diff -up openssh-4.7p1/config.h.in.audit openssh-4.7p1/config.h.in
---- openssh-4.7p1/config.h.in.audit 2007-09-04 08:50:04.000000000 +0200
-+++ openssh-4.7p1/config.h.in 2007-09-06 17:07:44.000000000 +0200
-@@ -1334,6 +1334,9 @@
- /* Define if you want SELinux support. */
- #undef WITH_SELINUX
-
-+/* Define if you want Linux audit support. */
-+#undef HAVE_LINUX_AUDIT
-+
- /* Define to 1 if your processor stores words with the most significant byte
- first (like Motorola and SPARC, unlike Intel and VAX). */
- #undef WORDS_BIGENDIAN
-diff -up openssh-4.7p1/loginrec.h.audit openssh-4.7p1/loginrec.h
---- openssh-4.7p1/loginrec.h.audit 2006-08-05 04:39:40.000000000 +0200
-+++ openssh-4.7p1/loginrec.h 2007-09-06 17:07:44.000000000 +0200
+diff -up openssh-5.2p1/loginrec.h.audit openssh-5.2p1/loginrec.h
+--- openssh-5.2p1/loginrec.h.audit 2006-08-05 04:39:40.000000000 +0200
++++ openssh-5.2p1/loginrec.h 2009-08-09 09:22:23.641175349 +0200
@@ -127,5 +127,9 @@ char *line_stripname(char *dst, const ch
char *line_abbrevname(char *dst, const char *src, int dstsize);
@@ -138,33 +265,3 @@ diff -up openssh-4.7p1/loginrec.h.audit
+#endif /* HAVE_LINUX_AUDIT */
#endif /* _HAVE_LOGINREC_H_ */
-diff -up openssh-4.7p1/configure.ac.audit openssh-4.7p1/configure.ac
---- openssh-4.7p1/configure.ac.audit 2007-09-06 17:07:44.000000000 +0200
-+++ openssh-4.7p1/configure.ac 2007-09-06 17:15:23.000000000 +0200
-@@ -3216,6 +3216,18 @@ AC_ARG_WITH(selinux,
- fi ]
- )
-
-+# Check whether user wants Linux audit support
-+LINUX_AUDIT_MSG="no"
-+AC_ARG_WITH(linux-audit,
-+ [ --with-linux-audit Enable Linux audit support],
-+ [ if test "x$withval" != "xno" ; then
-+ AC_DEFINE(HAVE_LINUX_AUDIT,1,[Define if you want Linux audit support.])
-+ LINUX_AUDIT_MSG="yes"
-+ AC_CHECK_HEADERS(libaudit.h)
-+ SSHDLIBS="$SSHDLIBS -laudit"
-+ fi ]
-+)
-+
- # Check whether user wants Kerberos 5 support
- KRB5_MSG="no"
- AC_ARG_WITH(kerberos5,
-@@ -4037,6 +4049,7 @@ echo " PAM support
- echo " OSF SIA support: $SIA_MSG"
- echo " KerberosV support: $KRB5_MSG"
- echo " SELinux support: $SELINUX_MSG"
-+echo " Linux audit support: $LINUX_AUDIT_MSG"
- echo " Smartcard support: $SCARD_MSG"
- echo " S/KEY support: $SKEY_MSG"
- echo " TCP Wrappers support: $TCPW_MSG"
openssh-5.2p1-redhat.patch:
ssh_config | 11 +++++++++++
sshd_config | 13 +++++++++++++
sshd_config.0 | 6 +++---
sshd_config.5 | 2 +-
4 files changed, 28 insertions(+), 4 deletions(-)
Index: openssh-5.2p1-redhat.patch
===================================================================
RCS file: /cvs/pkgs/rpms/openssh/devel/openssh-5.2p1-redhat.patch,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -p -r1.2 -r1.3
--- openssh-5.2p1-redhat.patch 10 Mar 2009 13:39:03 -0000 1.2
+++ openssh-5.2p1-redhat.patch 28 Aug 2009 21:46:27 -0000 1.3
@@ -1,6 +1,52 @@
+diff -up openssh-5.2p1/ssh_config.redhat openssh-5.2p1/ssh_config
+--- openssh-5.2p1/ssh_config.redhat 2009-02-21 02:45:02.000000000 +0100
++++ openssh-5.2p1/ssh_config 2009-08-09 08:45:11.302092427 +0200
+@@ -44,3 +44,14 @@
+ # TunnelDevice any:any
+ # PermitLocalCommand no
+ # VisualHostKey no
++Host *
++ GSSAPIAuthentication yes
++# If this option is set to yes then remote X11 clients will have full access
++# to the original X11 display. As virtually no X11 client supports the untrusted
++# mode correctly we set this to yes.
++ ForwardX11Trusted yes
++# Send locale-related environment variables
++ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
++ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
++ SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
++ SendEnv XMODIFIERS
+diff -up openssh-5.2p1/sshd_config.0.redhat openssh-5.2p1/sshd_config.0
+--- openssh-5.2p1/sshd_config.0.redhat 2009-02-23 01:18:15.000000000 +0100
++++ openssh-5.2p1/sshd_config.0 2009-08-09 08:45:11.276555108 +0200
+@@ -491,9 +491,9 @@ DESCRIPTION
+
+ SyslogFacility
+ Gives the facility code that is used when logging messages from
+- sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0,
+- LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The de-
+- fault is AUTH.
++ sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV,
++ LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
++ The default is AUTH.
+
+ TCPKeepAlive
+ Specifies whether the system should send TCP keepalive messages
+diff -up openssh-5.2p1/sshd_config.5.redhat openssh-5.2p1/sshd_config.5
+--- openssh-5.2p1/sshd_config.5.redhat 2009-02-23 01:00:24.000000000 +0100
++++ openssh-5.2p1/sshd_config.5 2009-08-09 08:45:11.278927203 +0200
+@@ -848,7 +848,7 @@ Note that this option applies to protoco
+ .It Cm SyslogFacility
+ Gives the facility code that is used when logging messages from
+ .Xr sshd 8 .
+-The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
++The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2,
+ LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
+ The default is AUTH.
+ .It Cm TCPKeepAlive
diff -up openssh-5.2p1/sshd_config.redhat openssh-5.2p1/sshd_config
--- openssh-5.2p1/sshd_config.redhat 2008-07-02 14:35:43.000000000 +0200
-+++ openssh-5.2p1/sshd_config 2008-07-23 14:11:12.000000000 +0200
++++ openssh-5.2p1/sshd_config 2009-08-09 08:47:40.850857227 +0200
@@ -33,6 +33,7 @@ Protocol 2
# Logging
# obsoletes QuietMode and FascistLogging
@@ -31,7 +77,7 @@ diff -up openssh-5.2p1/sshd_config.redha
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
-@@ -84,11 +89,18 @@ Protocol 2
+@@ -84,11 +89,19 @@ Protocol 2
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
@@ -41,6 +87,7 @@ diff -up openssh-5.2p1/sshd_config.redha
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
++AcceptEnv XMODIFIERS
#AllowAgentForwarding yes
#AllowTcpForwarding yes
@@ -50,48 +97,3 @@ diff -up openssh-5.2p1/sshd_config.redha
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
-diff -up openssh-5.2p1/ssh_config.redhat openssh-5.2p1/ssh_config
---- openssh-5.2p1/ssh_config.redhat 2007-06-11 06:04:42.000000000 +0200
-+++ openssh-5.2p1/ssh_config 2008-07-23 14:07:29.000000000 +0200
-@@ -44,3 +44,13 @@
- # TunnelDevice any:any
- # PermitLocalCommand no
- # VisualHostKey no
-+Host *
-+ GSSAPIAuthentication yes
-+# If this option is set to yes then remote X11 clients will have full access
-+# to the original X11 display. As virtually no X11 client supports the untrusted
-+# mode correctly we set this to yes.
-+ ForwardX11Trusted yes
-+# Send locale-related environment variables
-+ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
-+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
-+ SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
-diff -up openssh-5.2p1/sshd_config.0.redhat openssh-5.2p1/sshd_config.0
---- openssh-5.2p1/sshd_config.0.redhat 2008-07-21 10:30:51.000000000 +0200
-+++ openssh-5.2p1/sshd_config.0 2008-07-23 14:07:29.000000000 +0200
-@@ -490,9 +490,9 @@ DESCRIPTION
-
- SyslogFacility
- Gives the facility code that is used when logging messages from
-- sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0,
-- LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The de-
-- fault is AUTH.
-+ sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV,
-+ LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
-+ The default is AUTH.
-
- TCPKeepAlive
- Specifies whether the system should send TCP keepalive messages
-diff -up openssh-5.2p1/sshd_config.5.redhat openssh-5.2p1/sshd_config.5
---- openssh-5.2p1/sshd_config.5.redhat 2008-07-02 14:35:43.000000000 +0200
-+++ openssh-5.2p1/sshd_config.5 2008-07-23 14:07:29.000000000 +0200
-@@ -846,7 +846,7 @@ Note that this option applies to protoco
- .It Cm SyslogFacility
- Gives the facility code that is used when logging messages from
- .Xr sshd 8 .
--The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
-+The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2,
- LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
- The default is AUTH.
- .It Cm TCPKeepAlive
openssh-5.2p1-selinux.patch:
openssh-5.1p1/auth2-gss.c | 9 +++++++-
openssh-5.2p1/auth.h | 1
openssh-5.2p1/auth1.c | 10 ++++++++-
openssh-5.2p1/auth2-hostbased.c | 9 +++++++-
openssh-5.2p1/auth2-pubkey.c | 9 +++++++-
openssh-5.2p1/auth2.c | 10 +++++++--
openssh-5.2p1/configure.ac | 1
openssh-5.2p1/monitor.c | 28 ++++++++++++++++++++++++--
openssh-5.2p1/monitor.h | 2 -
openssh-5.2p1/monitor_wrap.c | 17 +++++++++++++++
openssh-5.2p1/monitor_wrap.h | 1
openssh-5.2p1/openbsd-compat/port-linux.c | 32 +++++++++++++++++++++++-------
12 files changed, 113 insertions(+), 16 deletions(-)
Index: openssh-5.2p1-selinux.patch
===================================================================
RCS file: /cvs/pkgs/rpms/openssh/devel/openssh-5.2p1-selinux.patch,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -p -r1.2 -r1.3
--- openssh-5.2p1-selinux.patch 10 Mar 2009 13:39:03 -0000 1.2
+++ openssh-5.2p1-selinux.patch 28 Aug 2009 21:46:27 -0000 1.3
@@ -326,3 +326,36 @@ diff -up openssh-5.2p1/monitor.c.selinux
if (strcmp(authctxt->user, p) != 0) {
logit("wrong user name passed to monitor: expected %s != %.100s",
authctxt->user, p);
+diff -up openssh-5.1p1/auth2-gss.c.gssapi-role openssh-5.1p1/auth2-gss.c
+--- openssh-5.1p1/auth2-gss.c.gssapi-role 2007-12-02 12:59:45.000000000 +0100
++++ openssh-5.1p1/auth2-gss.c 2008-07-23 19:18:15.000000000 +0200
+@@ -258,6 +258,7 @@ input_gssapi_mic(int type, u_int32_t ple
+ Authctxt *authctxt = ctxt;
+ Gssctxt *gssctxt;
+ int authenticated = 0;
++ char *micuser;
+ Buffer b;
+ gss_buffer_desc mic, gssbuf;
+ u_int len;
+@@ -270,7 +271,11 @@ input_gssapi_mic(int type, u_int32_t ple
+ mic.value = packet_get_string(&len);
+ mic.length = len;
+
+- ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
++ if (authctxt->role && (strlen(authctxt->role) > 0))
++ xasprintf(&micuser, "%s/%s", authctxt->user, authctxt->role);
++ else
++ micuser = authctxt->user;
++ ssh_gssapi_buildmic(&b, micuser, authctxt->service,
+ "gssapi-with-mic");
+
+ gssbuf.value = buffer_ptr(&b);
+@@ -282,6 +287,8 @@ input_gssapi_mic(int type, u_int32_t ple
+ logit("GSSAPI MIC check failed");
+
+ buffer_free(&b);
++ if (micuser != authctxt->user)
++ xfree(micuser);
+ xfree(mic.value);
+
+ authctxt->postponed = 0;
Index: openssh.spec
===================================================================
RCS file: /cvs/pkgs/rpms/openssh/devel/openssh.spec,v
retrieving revision 1.157
retrieving revision 1.158
diff -u -p -r1.157 -r1.158
--- openssh.spec 26 Aug 2009 11:01:42 -0000 1.157
+++ openssh.spec 28 Aug 2009 21:46:27 -0000 1.158
@@ -63,7 +63,7 @@
Summary: An open source implementation of SSH protocol versions 1 and 2
Name: openssh
Version: 5.2p1
-Release: 19%{?dist}%{?rescue_rel}
+Release: 20%{?dist}%{?rescue_rel}
URL: http://www.openssh.com/portable.html
#Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
#Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
@@ -81,8 +81,8 @@ Patch4: openssh-5.2p1-vendor.patch
Patch12: openssh-5.2p1-selinux.patch
Patch13: openssh-5.1p1-mls.patch
Patch16: openssh-4.7p1-audit.patch
-Patch17: openssh-4.3p2-cve-2007-3102.patch
Patch18: openssh-5.0p1-pam_selinux.patch
+Patch19: openssh-5.2p1-sesftp.patch
Patch22: openssh-3.9p1-askpass-keep-above.patch
Patch24: openssh-4.3p1-fromto-remote.patch
Patch27: openssh-5.1p1-log-in-chroot.patch
@@ -93,15 +93,12 @@ Patch39: openssh-4.3p2-no-v6only.patch
Patch44: openssh-4.3p2-allow-ip-opts.patch
Patch49: openssh-4.3p2-gssapi-canohost.patch
Patch51: openssh-5.2p1-nss-keys.patch
-Patch54: openssh-5.1p1-gssapi-role.patch
Patch55: openssh-5.1p1-cloexec.patch
Patch62: openssh-5.1p1-scp-manpage.patch
Patch65: openssh-5.2p1-fips.patch
Patch66: openssh-5.2p1-homechroot.patch
-Patch67: openssh-5.2p1-xmodifiers.patch
Patch68: openssh-5.2p1-pathmax.patch
Patch69: openssh-5.2p1-selabel.patch
-Patch70: openssh-5.2p1-sesftp.patch
Patch71: openssh-5.2p1-edns.patch
License: BSD
@@ -216,8 +213,8 @@ an X11 passphrase dialog for OpenSSH.
%patch12 -p1 -b .selinux
%patch13 -p1 -b .mls
%patch16 -p1 -b .audit
-%patch17 -p1 -b .inject-fix
%patch18 -p1 -b .pam_selinux
+%patch19 -p1 -b .sesftp
%endif
%patch22 -p1 -b .keep-above
@@ -230,15 +227,12 @@ an X11 passphrase dialog for OpenSSH.
%patch44 -p1 -b .ip-opts
%patch49 -p1 -b .canohost
%patch51 -p1 -b .nss-keys
-%patch54 -p1 -b .gssapi-role
%patch55 -p1 -b .cloexec
%patch62 -p1 -b .manpage
%patch65 -p1 -b .fips
%patch66 -p1 -b .homechroot
-%patch67 -p1 -b .xmodifiers
%patch68 -p1 -b .pathmax
%patch69 -p1 -b .selabel
-%patch70 -p1 -b .sesftp
%patch71 -p1 -b .edns
autoreconf
@@ -474,6 +468,12 @@ fi
%endif
%changelog
+* Fri Aug 28 2009 Jan F. Chadima <jchadima at redhat.com> - 5.2p1-20
+- merged xmodifiers to redhat patch
+- merged gssapi-role to selinux patch
+- merged cve-2007_3102 to audit patch
+- sesftp patch only with WITH_SELINUX flag
+
* Wed Aug 26 2009 Jan F. Chadima <jchadima at redhat.com> - 5.2p1-19
- minor change in sesftp patch
--- openssh-4.3p2-cve-2007-3102.patch DELETED ---
--- openssh-5.1p1-gssapi-role.patch DELETED ---
--- openssh-5.2p1-xmodifiers.patch DELETED ---
More information about the scm-commits
mailing list