Bug#865986: stretch-pu: package openssh/1:7.4p1-10+deb9u2
Control: tag -1 - moreinfo
On Mon, Jun 26, 2017 at 01:57:25PM +0200, Cyril Brulebois wrote:
> Colin Watson <cjwatson@debian.org> (2017-06-26):
> > I've committed this patch to master, but it isn't in unstable yet
> > because I'm waiting for openssh-ssh1 to clear NEW before I upload
> > openssh to unstable again, in order to avoid confusion with versions.
> > However, point release dates are close enough that I wanted to seek
> > approval for this sooner rather than later.
>
> I was surprised by the double ExecReload entry at first, but that seems
> to be allowed. Moreover, that keeps sshd alive when a typo is willingly
> introduced in sshd_config.
>
> (Granted: Tested on a jessie system only.)
>
> This looks good to me. I'll wait until the bug fix clears NEW, and until
> you post a final debdiff, targeting stretch, to tag this request with
> the "confirmed" tag.
I got kind of distracted and forgot about this, and in the meantime a
few more bugs have become evident that ought to be fixed in stable, so
here's an extended debdiff for approval.
* #877800 causes current versions of WinSCP to be unable to connect due
to overly-general version patterns in sshd's bug-compatibility code.
* #873201 was implicated in a few CVEs a while back in packages using
ssh; I'm not sure whether it *quite* counts as a security
vulnerability in and of itself, but we should fix it anyway.
(And yes, I'll deal with these in jessie too as necessary as soon as I
summon the energy for oldstable updates.)
A current version of git introduced a small amount of noise into the
diff, but it's small enough that I don't think it's worth brutalising
the tools to avoid it.
diff -Nru openssh-7.4p1/debian/.git-dpm openssh-7.4p1/debian/.git-dpm
--- openssh-7.4p1/debian/.git-dpm 2017-06-18 01:08:18.000000000 +0100
+++ openssh-7.4p1/debian/.git-dpm 2017-10-06 20:03:26.000000000 +0100
@@ -1,6 +1,6 @@
# see git-dpm(1) from git-dpm package
-1fbd56e33d641c08a8f573406cf27f9adf667763
-1fbd56e33d641c08a8f573406cf27f9adf667763
+39d60bbd309be74d337685c2da524233652513f4
+39d60bbd309be74d337685c2da524233652513f4
971a7653746a6972b907dfe0ce139c06e4a6f482
971a7653746a6972b907dfe0ce139c06e4a6f482
openssh_7.4p1.orig.tar.gz
diff -Nru openssh-7.4p1/debian/changelog openssh-7.4p1/debian/changelog
--- openssh-7.4p1/debian/changelog 2017-06-18 01:11:26.000000000 +0100
+++ openssh-7.4p1/debian/changelog 2017-10-06 20:03:40.000000000 +0100
@@ -1,3 +1,15 @@
+openssh (1:7.4p1-10+deb9u2) stretch; urgency=medium
+
+ * Test configuration before starting or reloading sshd under systemd
+ (closes: #865770).
+ * Adjust compatibility patterns for WinSCP to correctly identify versions
+ that implement only the legacy DH group exchange scheme (closes:
+ #877800).
+ * Make "--" before the hostname terminate argument processing after the
+ hostname too (closes: #873201).
+
+ -- Colin Watson <cjwatson@debian.org> Fri, 06 Oct 2017 20:03:40 +0100
+
openssh (1:7.4p1-10+deb9u1) stretch; urgency=medium
* Fix incoming compression statistics (thanks, Russell Coker; closes:
diff -Nru openssh-7.4p1/debian/openssh-server.ssh.service openssh-7.4p1/debian/openssh-server.ssh.service
--- openssh-7.4p1/debian/openssh-server.ssh.service 2017-06-18 01:08:12.000000000 +0100
+++ openssh-7.4p1/debian/openssh-server.ssh.service 2017-10-06 20:03:26.000000000 +0100
@@ -5,7 +5,9 @@
[Service]
EnvironmentFile=-/etc/default/ssh
+ExecStartPre=/usr/sbin/sshd -t
ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
+ExecReload=/usr/sbin/sshd -t
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
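Review bot: `ExecStartPre=/usr/sbin/sshd -t` on the first added line does not pass `$SSHD_OPTS`, while `ExecStart=/usr/sbin/sshd -D $SSHD_OPTS` does, so if /etc/default/ssh selects an alternative configuration file or `-o` overrides, the pre-start test validates the default configuration rather than the one the daemon actually loads (and could reject a default config that is intentionally unused). Consider `ExecStartPre=/usr/sbin/sshd -t $SSHD_OPTS`, and the same for the new `ExecReload=/usr/sbin/sshd -t` line. The two ExecReload= entries are otherwise fine: systemd runs them in order and, since neither is prefixed with `-`, a non-zero exit from the test aborts the reload before `kill -HUP` is sent, which is exactly what keeps the running sshd alive on a broken config.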
diff -Nru openssh-7.4p1/debian/patches/auth-log-verbosity.patch openssh-7.4p1/debian/patches/auth-log-verbosity.patch
--- openssh-7.4p1/debian/patches/auth-log-verbosity.patch 2017-06-18 01:08:11.000000000 +0100
+++ openssh-7.4p1/debian/patches/auth-log-verbosity.patch 2017-10-06 20:03:26.000000000 +0100
@@ -18,7 +18,7 @@
index 57b49f7f..7eb87b35 100644
--- a/auth-options.c
+++ b/auth-options.c
-@@ -59,9 +59,20 @@ int forced_tun_device = -1;
+@@ -59,8 +59,19 @@ int forced_tun_device = -1;
/* "principals=" option. */
char *authorized_principals = NULL;
@@ -28,17 +28,16 @@
+
extern ServerOptions options;
- void
++void
+auth_start_parse_options(void)
+{
+ logged_from_hostip = 0;
+ logged_cert_hostip = 0;
+}
+
-+void
+ void
auth_clear_options(void)
{
- no_agent_forwarding_flag = 0;
@@ -316,10 +327,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
/* FALLTHROUGH */
case 0:
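Review bot: This hunk and the one above it are the refresh noise the cover message mentions: the inner hunk header shifts from `-59,9 +59,20` to `-59,8 +59,19`, and the `void` line moves from a context line to an added line (`- void` / `++void`) with the mirrored swap just below (`-+void` / `+ void`), so the patched auth-options.c is unchanged. Fine to carry as-is; it is still worth confirming after the patch stack is re-applied that the resulting auth-options.c is byte-identical to the previous stable build, since nothing functional is intended here.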
diff -Nru openssh-7.4p1/debian/patches/dash-dash-before-hostname.patch openssh-7.4p1/debian/patches/dash-dash-before-hostname.patch
--- openssh-7.4p1/debian/patches/dash-dash-before-hostname.patch 1970-01-01 01:00:00.000000000 +0100
+++ openssh-7.4p1/debian/patches/dash-dash-before-hostname.patch 2017-10-06 20:03:26.000000000 +0100
@@ -0,0 +1,63 @@
+From 39d60bbd309be74d337685c2da524233652513f4 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Sat, 12 Aug 2017 06:46:01 +0000
+Subject: Make "--" before hostname end option processing
+
+make "--" before the hostname terminate command-line
+option processing completely; previous behaviour would not prevent further
+options appearing after the hostname (ssh has a supported options after the
+hostname for >20 years, so that's too late to change).
+
+ok deraadt@
+
+Upstream-ID: ef5ee50571b98ad94dcdf8282204e877ec88ad89
+
+Origin: https://anongit.mindrot.org/openssh.git/commit/?id=643c2ad82910691b2240551ea8b14472f60b5078
+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2766
+Bug-Debian: https://bugs.debian.org/873201
+Last-Update: 2017-10-06
+
+Patch-Name: dash-dash-before-hostname.patch
+---
+ ssh.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/ssh.c b/ssh.c
+index 39609e79..1ed44b6f 100644
+--- a/ssh.c
++++ b/ssh.c
+@@ -511,13 +511,13 @@ int
+ main(int ac, char **av)
+ {
+ struct ssh *ssh = NULL;
+- int i, r, opt, exit_status, use_syslog, direct, config_test = 0;
++ int i, r, opt, exit_status, use_syslog, direct, timeout_ms;
++ int config_test = 0, opt_terminated = 0;
+ char *p, *cp, *line, *argv0, buf[PATH_MAX], *host_arg, *logfile;
+ char thishost[NI_MAXHOST], shorthost[NI_MAXHOST], portstr[NI_MAXSERV];
+ char cname[NI_MAXHOST], uidstr[32], *conn_hash_hex;
+ struct stat st;
+ struct passwd *pw;
+- int timeout_ms;
+ extern int optind, optreset;
+ extern char *optarg;
+ struct Forward fwd;
+@@ -936,6 +936,9 @@ main(int ac, char **av)
+ }
+ }
+
++ if (optind > 1 && strcmp(av[optind - 1], "--") == 0)
++ opt_terminated = 1;
++
+ ac -= optind;
+ av += optind;
+
+@@ -950,7 +953,7 @@ main(int ac, char **av)
+ host = xstrdup(++cp);
+ } else
+ host = xstrdup(*av);
+- if (ac > 1) {
++ if (ac > 1 && !opt_terminated) {
+ optind = optreset = 1;
+ goto again;
+ }
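Review bot: The flag set at `if (optind > 1 && strcmp(av[optind - 1], "--") == 0)` is only true when getopt(3) stopped because it consumed a literal `--`, and the guard `if (ac > 1 && !opt_terminated)` then skips the `goto again` reparse, so anything after the hostname becomes the remote command instead of being parsed as further options. That is the right fix for #873201, but it only helps callers that actually pass `--` before a hostname they do not control; an untrusted hostname passed without `--` is still parsed as an option when it begins with `-`, so this should be read as a hardening that wrapping programs must opt into. The diffstat shows only ssh.c changing, and nothing in this debdiff updates ssh.1 to describe the new `--` semantics; consider whether a matching manual page change should be carried too.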
diff -Nru openssh-7.4p1/debian/patches/gssapi.patch openssh-7.4p1/debian/patches/gssapi.patch
--- openssh-7.4p1/debian/patches/gssapi.patch 2017-06-18 01:08:11.000000000 +0100
+++ openssh-7.4p1/debian/patches/gssapi.patch 2017-10-06 20:03:26.000000000 +0100
@@ -266,10 +266,11 @@
return 1;
break;
case PERMIT_FORCED_ONLY:
-@@ -795,99 +796,6 @@ fakepw(void)
+@@ -794,99 +795,6 @@ fakepw(void)
+ return (&fake);
}
- /*
+-/*
- * Returns the remote DNS hostname as a string. The returned string must not
- * be freed. NB. this will usually trigger a DNS query the first time it is
- * called.
@@ -362,10 +363,9 @@
- return strdup(name);
-}
-
--/*
+ /*
* Return the canonical name of the host in the other side of the current
* connection. The host name is cached, so it is efficient to call this
- * several times.
diff --git a/auth2-gss.c b/auth2-gss.c
index 1ca83577..3b5036df 100644
--- a/auth2-gss.c
@@ -875,10 +875,11 @@
GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag,
0, NULL, recv_tok, NULL, send_tok, flags, NULL);
-@@ -228,8 +383,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host)
+@@ -227,9 +382,43 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host)
+ return (ctx->major);
}
- OM_uint32
++OM_uint32
+ssh_gssapi_client_identity(Gssctxt *ctx, const char *name)
+{
+ gss_buffer_desc gssbuf;
@@ -909,7 +910,7 @@
+ return(ctx->major);
+}
+
-+OM_uint32
+ OM_uint32
ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)
{
+ if (ctx == NULL)
@@ -1199,10 +1200,11 @@
#ifdef KRB5
extern ssh_gssapi_mech gssapi_kerberos_mech;
-@@ -142,6 +147,28 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
+@@ -141,6 +146,28 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
+ return (ssh_gssapi_acquire_cred(*ctx));
}
- /* Unprivileged */
++/* Unprivileged */
+char *
+ssh_gssapi_server_mechanisms(void) {
+ if (supported_oids == NULL)
@@ -1224,10 +1226,9 @@
+ return (res);
+}
+
-+/* Unprivileged */
+ /* Unprivileged */
void
ssh_gssapi_supported_oids(gss_OID_set *oidset)
- {
@@ -151,7 +178,9 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset)
gss_OID_set supported;
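Review bot: Every hunk in this file, from `@@ -266,10 +266,11 @@` through `@@ -1224,10 +1226,9 @@`, is a context re-threading of the same shape: an inner hunk header shifted by one line, and a line such as `- /*` / `+-/*` or `- OM_uint32` / `++OM_uint32` swapped between context and addition. No change to the patched C source results, which matches the cover message's description of git noise, so carrying it is fine; it just makes the debdiff harder to read, and a quick diff of the applied sources against the previous upload would confirm nothing functional slipped in.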
diff -Nru openssh-7.4p1/debian/patches/series openssh-7.4p1/debian/patches/series
--- openssh-7.4p1/debian/patches/series 2017-06-18 01:08:18.000000000 +0100
+++ openssh-7.4p1/debian/patches/series 2017-10-06 20:03:26.000000000 +0100
@@ -35,3 +35,5 @@
ssh-keygen-null-deref.patch
unbreak-unix-forwarding-for-root.patch
fix-incoming-compression-statistics.patch
+winscp-dhgex-compat.patch
+dash-dash-before-hostname.patch
diff -Nru openssh-7.4p1/debian/patches/winscp-dhgex-compat.patch openssh-7.4p1/debian/patches/winscp-dhgex-compat.patch
--- openssh-7.4p1/debian/patches/winscp-dhgex-compat.patch 1970-01-01 01:00:00.000000000 +0100
+++ openssh-7.4p1/debian/patches/winscp-dhgex-compat.patch 2017-10-06 20:03:26.000000000 +0100
@@ -0,0 +1,40 @@
+From 2e0fa28e7b3a0fb1fdd28ecc636ba608e7ae9ebe Mon Sep 17 00:00:00 2001
+From: "dtucker@openbsd.org" <dtucker@openbsd.org>
+Date: Tue, 25 Jul 2017 09:22:25 +0000
+Subject: Fix DH group exchange compat with current WinSCP
+
+Make WinSCP patterns for SSH_OLD_DHGEX more specific to
+exclude WinSCP 5.10.x and up. bz#2748, from martin at winscp.net, ok djm@
+
+Upstream-ID: 6fd7c32e99af3952db007aa180e73142ddbc741a
+
+Origin: https://anongit.mindrot.org/openssh.git/commit/?id=2985d4062ebf4204bbd373456a810d558698f9f5
+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2748
+Bug-Debian: https://bugs.debian.org/877800
+Last-Update: 2017-10-06
+
+Patch-Name: winscp-dhgex-compat.patch
+---
+ compat.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/compat.c b/compat.c
+index 69a104fb..58b63f7b 100644
+--- a/compat.c
++++ b/compat.c
+@@ -192,9 +192,12 @@ compat_datafellows(const char *version)
+ "TTSSH/2.72*", SSH_BUG_HOSTKEYS },
+ { "WinSCP_release_4*,"
+ "WinSCP_release_5.0*,"
+- "WinSCP_release_5.1*,"
+- "WinSCP_release_5.5*,"
+- "WinSCP_release_5.6*,"
++ "WinSCP_release_5.1,"
++ "WinSCP_release_5.1.*,"
++ "WinSCP_release_5.5,"
++ "WinSCP_release_5.5.*,"
++ "WinSCP_release_5.6,"
++ "WinSCP_release_5.6.*,"
+ "WinSCP_release_5.7,"
+ "WinSCP_release_5.7.1,"
+ "WinSCP_release_5.7.2,"
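Review bot: Replacing `WinSCP_release_5.1*` with the pair `WinSCP_release_5.1` / `WinSCP_release_5.1.*` (and likewise for 5.5 and 5.6) is correct: the old trailing-wildcard pattern also matched `WinSCP_release_5.10` and later, which is what wrongly put current WinSCP into the SSH_OLD_DHGEX compatibility path (#877800), while the new pair still covers the 5.1.x point releases that need it. The 5.7 entries in the trailing context are already enumerated without wildcards, so no similar over-match remains in the visible part of the list.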
diff -Nru openssh-7.4p1/debian/systemd/ssh.service openssh-7.4p1/debian/systemd/ssh.service
--- openssh-7.4p1/debian/systemd/ssh.service 2017-06-18 01:08:12.000000000 +0100
+++ openssh-7.4p1/debian/systemd/ssh.service 2017-10-06 20:03:26.000000000 +0100
@@ -5,7 +5,9 @@
[Service]
EnvironmentFile=-/etc/default/ssh
+ExecStartPre=/usr/sbin/sshd -t
ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
+ExecReload=/usr/sbin/sshd -t
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
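Review bot: This hunk duplicates the one in debian/openssh-server.ssh.service line for line, so the same point applies: the new `ExecStartPre=/usr/sbin/sshd -t` and `ExecReload=/usr/sbin/sshd -t` lines test the default configuration rather than whatever `$SSHD_OPTS` selects; pass `$SSHD_OPTS` to both test invocations so the check and the daemon read the same config. Keeping the two unit files byte-identical, or generating one from the other, avoids them drifting apart in a later update.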
Thanks,
--
Colin Watson [cjwatson@debian.org]