[gsi-openssh/f15] Based on openssh-5.6p1-35.fc15

Mattias Ellert ellert at fedoraproject.org
Tue Feb 28 07:29:46 UTC 2012


commit f69a9589df2b611ff000251cc0e077ca22e52f7f
Author: Mattias Ellert <mattias.ellert at fysast.uu.se>
Date:   Tue Feb 28 06:42:34 2012 +0100

    Based on openssh-5.6p1-35.fc15

 gsi-openssh.spec                       |   10 ++++++++--
 openssh-5.6p1-getaddrinfo.patch        |   21 +++++++++++++++++----
 openssh-5.6p1-legacy-certificate.patch |   14 ++++++++++++++
 3 files changed, 39 insertions(+), 6 deletions(-)
---
diff --git a/gsi-openssh.spec b/gsi-openssh.spec
index 0e3ded8..0c847d5 100644
--- a/gsi-openssh.spec
+++ b/gsi-openssh.spec
@@ -32,7 +32,7 @@
 %global nologin 1
 
 %global openssh_ver 5.6p1
-%global openssh_rel 4
+%global openssh_rel 5
 
 Summary: An implementation of the SSH protocol with GSI authentication
 Name: gsi-openssh
@@ -100,6 +100,8 @@ Patch81: openssh-5.6p1-clientloop.patch
 Patch82:openssh-5.6p1-getaddrinfo.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1838
 Patch83:openssh-5.6p1-linux-oomkiller.patch
+#https://bugzilla.redhat.com//show_bug.cgi?id=784641
+Patch84:openssh-5.6p1-legacy-certificate.patch
 
 # This is the patch that adds GSI support
 # Based on http://grid.ncsa.illinois.edu/ssh/dl/patch/openssh-5.6p1.patch
@@ -132,7 +134,7 @@ BuildRequires: krb5-devel
 %if %{gsi}
 BuildRequires: globus-gss-assist-devel >= 8
 BuildRequires: globus-gssapi-gsi >= 10
-BuildRequires: globus-common >=	 14
+BuildRequires: globus-common >= 14
 BuildRequires: globus-usage-devel >= 3
 %endif
 
@@ -243,6 +245,7 @@ This version of OpenSSH has been modified to support GSI authentication.
 %patch81 -p1 -b .clientloop
 %patch82 -p1 -b .getaddrinfo
 %patch83 -p0 -b .oomkiller
+%patch84 -p1 -b .legacy
 %patch98 -p1 -b .gsi
 
 sed 's/sshd.pid/gsisshd.pid/' -i pathnames.h
@@ -442,6 +445,9 @@ fi
 %attr(0640,root,root) %config(noreplace) /etc/sysconfig/gsisshd
 
 %changelog
+* Tue Feb 28 2012 Mattias Ellert <mattias.ellert at fysast.uu.se> - 5.6p1-5
+- Based on openssh-5.6p1-35.fc15
+
 * Sun Jan 22 2012 Mattias Ellert <mattias.ellert at fysast.uu.se> - 5.6p1-4
 - Drop openssh-5.8p2-unblock-signals.patch - not needed for GT >= 5.2
 - Based on openssh-5.6p1-34.fc15.1
diff --git a/openssh-5.6p1-getaddrinfo.patch b/openssh-5.6p1-getaddrinfo.patch
index 6f64067..76deaef 100644
--- a/openssh-5.6p1-getaddrinfo.patch
+++ b/openssh-5.6p1-getaddrinfo.patch
@@ -1,7 +1,20 @@
-diff -up openssh-5.8p1/sshconnect.c.getaddrinfo openssh-5.8p1/sshconnect.c
---- openssh-5.8p1/sshconnect.c.getaddrinfo	2011-04-27 09:51:44.521384633 +0200
-+++ openssh-5.8p1/sshconnect.c	2011-04-27 09:53:21.224443308 +0200
-@@ -355,6 +355,7 @@ ssh_connect(const char *host, struct soc
+diff -up openssh-5.6p1/channels.c.getaddrinfo openssh-5.6p1/channels.c
+--- openssh-5.6p1/channels.c.getaddrinfo	2012-02-14 16:12:54.427852524 +0100
++++ openssh-5.6p1/channels.c	2012-02-14 16:13:22.818928690 +0100
+@@ -3275,6 +3275,9 @@ x11_create_display_inet(int x11_display_
+ 		memset(&hints, 0, sizeof(hints));
+ 		hints.ai_family = IPv4or6;
+ 		hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE;
++#ifdef AI_ADDRCONFIG
++		hints.ai_flags |= AI_ADDRCONFIG;
++#endif
+ 		hints.ai_socktype = SOCK_STREAM;
+ 		snprintf(strport, sizeof strport, "%d", port);
+ 		if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0) {
+diff -up openssh-5.6p1/sshconnect.c.getaddrinfo openssh-5.6p1/sshconnect.c
+--- openssh-5.6p1/sshconnect.c.getaddrinfo	2012-02-14 16:09:25.057964291 +0100
++++ openssh-5.6p1/sshconnect.c	2012-02-14 16:09:25.106047007 +0100
+@@ -343,6 +343,7 @@ ssh_connect(const char *host, struct soc
  	memset(&hints, 0, sizeof(hints));
  	hints.ai_family = family;
  	hints.ai_socktype = SOCK_STREAM;
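Review bot: The `AI_ADDRCONFIG` block added to the x11_create_display_inet hunk for channels.c carries no comment saying why a listening socket wants this flag, yet it changes which address families getaddrinfo() may hand back for the X11 forwarding listener. With `AI_ADDRCONFIG` a family is normally returned only if the host has an address of that family configured, and some resolvers do not count loopback, so on a host with only loopback addresses the lookup may return nothing and X11 forwarding would fail there. I would add a comment above the `#ifdef`, for example `/* only return families configured on this host (TODO confirm behaviour on loopback-only hosts) */`. It is also worth checking that the `gaierr` branch, which lies outside this hunk, reports the failure clearly. The enclosing function starts and ends outside the hunk.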
diff --git a/openssh-5.6p1-legacy-certificate.patch b/openssh-5.6p1-legacy-certificate.patch
new file mode 100644
index 0000000..57c512c
--- /dev/null
+++ b/openssh-5.6p1-legacy-certificate.patch
@@ -0,0 +1,14 @@
+diff --git a/key.c b/key.c
+index 57ad9fd..5886d44 100644
+--- a/key.c
++++ b/key.c
+@@ -1517,8 +1517,8 @@ key_certify(Key *k, Key *ca)
+ 	buffer_put_cstring(&k->cert->certblob, key_ssh_name(k));
+ 
+ 	/* -v01 certs put nonce first */
++	arc4random_buf(&nonce, sizeof(nonce));
+ 	if (k->type == KEY_DSA_CERT || k->type == KEY_RSA_CERT) {
+-		arc4random_buf(&nonce, sizeof(nonce));
+ 		buffer_put_string(&k->cert->certblob, nonce, sizeof(nonce));
+ 	}
+ 
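Review bot: The comment `/* -v01 certs put nonce first */` now sits directly above the unconditional `arc4random_buf(&nonce, sizeof(nonce));`, so it reads as if the fill were still specific to v01 certificates. The move appears intended to initialise `nonce` for every key type, so that a later write of `nonce` for other certificate formats (not visible in this hunk) cannot serialise uninitialised stack bytes into the certificate blob. That intent should be stated at the call site. I would put the call above the existing comment with its own line, e.g. `/* always randomize: nonce is written for every cert format */`, and give the patch file a short header naming the bug that the spec file references. key_certify continues outside the hunk.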

