Changelog for
openssh-server-5.3p1-118.1.el6_8.i686.rpm :
Mon Apr 25 14:00:00 2016 Jakub Jelen
- 5.3p1-118.1
- ssh-copy-id: SunOS does not understand ~ (#1327547)
Tue Mar 15 13:00:00 2016 Jakub Jelen 5.3p1-117
- CVE-2016-3115: missing sanitisation of input for X11 forwarding (#1317817)
Thu Feb 25 13:00:00 2016 Jakub Jelen 5.3p1-116
- Restore functionallity of pam_ssh_agent_auth in FIPS mode (#1278315)
- Initialize devices_done variable for challenge response (#1281468)
- Update behaviour of X11 forwarding to match upstream (#1299048)
Thu Jan 28 13:00:00 2016 Jakub Jelen 5.3p1-115
- Ammends previous release, fixing typos and behaviour changes
Wed Jan 20 13:00:00 2016 Jakub Jelen 5.3p1-114
- pam_ssh_agent_auth: Provide authorized_keys_command= feature (#1299555)
- CVE-2016-1908: Prevent possible fallback from untrusted X11 forwarding (#1299048)
Mon Dec 7 13:00:00 2015 Jakub Jelen 5.3p1-113
- Fix segfaulting agent during removal of CAC credentials (#1253612)
- Make pam_namespace usage consistent across system-wide (#1250069)
- Add GSSAPIKexAlgorithms option for both server and client (#1253060)
- ECDSA host key not loaded by sshd by default (fix man page) (#1218070)
- Resolve segfault in pam_ssh_agent_auth in FIPS mode (#1278315)
- Backport Match LocalAddress from OpenSSH 6.1 (#1211673)
- Backport security patches from openssh-6.9 and 7.0 (#1281468)
- CVE-2015-5352: XSECURITY restrictions bypass under certain conditions
- CVE-2015-5600: MaxAuthTries limit bypass via duplicates in KbdInteractiveDevices
- CVE-2015-6563: Privilege separation weakness related to PAM support
- CVE-2015-6564: Use-after-free bug related to PAM support
- weakness of agent locking (ssh-add -x) to password guessing (#1238238)
- Clarify a keyword that appears in multiple matching Match blocks (#1219820)
- Clarity of TERM variable in AcceptEnv and SendEnv options (#1285003)
- Enhance AllowGroups documentation in man page (#1284997)
Fri Jul 17 14:00:00 2015 Jakub Jelen 5.3p1-112
- SSH2_MSG_DISCONNECT for user initiated disconnect follow RFC 4253 (#1222500)
Mon May 4 14:00:00 2015 Jakub Jelen 5.3p1-111
- Add missing dot in ssh manual page (#1197763)
Mon May 4 14:00:00 2015 Jakub Jelen 5.3p1-110
- Fix minor problems found by covscan/gcc (#1196063)
- Add missing options in man ssh (#1197763)
- Add KbdInteractiveAuthentication documentation to man sshd_config (#1109251)
- Correct freeing newkeys structure when privileged monitor exits (#1208584)
Fri Apr 3 14:00:00 2015 Jakub Jelen 5.3p1-109
- Fix problems with failing persistent connections (#1131585)
- Fix memory leaks in auditing patch (#1208584)
Tue Mar 10 13:00:00 2015 Jakub Jelen 5.3p1-108
- Better approach to logging sftp commands in chroot
Thu Mar 5 13:00:00 2015 Jakub Jelen 5.3p1-107
- Make sshd -T write all config options and add missing Cipher, MAC to man (#1109251)
Tue Mar 3 13:00:00 2015 Jakub Jelen 5.3p1-106
- Add missing ControlPersist option to man ssh (#1197763)
- Add sftp option to force mode of created files (#1191055)
- Do not load RSA1 keys in FIPS mode (#1197072)
- Add missing support for ECDSA in ssh-keyscan (#1196331)
- Fix coverity/gcc issues (#1196063)
- Backport wildcard functionality for PermitOpen in sshd_config file (#1159055)
- Ability to specify an arbitrary LDAP filter in ldap.conf (#1119506)
Thu Feb 19 13:00:00 2015 Jakub Jelen 5.3p1-105
- Fix ControlPersist option with ProxyCommand (#1160487)
- Backport fix of ssh-keygen with error : gethostname: File name too long (#1161454)
- Backport show remote address instead of UNKNOWN after timeout at password prompt (#1161449)
- Fix printing of extensions in v01 certificates (#1093869)
- Fix confusing audit trail for unsuccessful logins (#1127312)
- Don\'t close fds for internal sftp sessions (#1085710)
- Fix config parsing quotes (backport) (#1134938)
- Enable logging in chroot into separate file (#1172224)
- Fix auditing when using combination of ForcedCommand and PTY (#1131585)
- Fix ssh-copy-id on non-sh remote shells (#1135521)
Wed Aug 27 14:00:00 2014 Petr Lautrbach 5.3p1-104
- ignore SIGXFSZ in postauth monitor child (#1133906)
Thu Jul 31 14:00:00 2014 Petr Lautrbach 5.3p1-103
- don\'t try to generate DSA keys in the init script in FIPS mode (#1118735)
Wed Jul 2 14:00:00 2014 Petr Lautrbach 5.3p1-102
- ignore SIGPIPE in ssh-keyscan (#1108836)
Wed Jul 2 14:00:00 2014 Petr Lautrbach 5.3p1-101
- ssh-add: fix fatal exit when removing card (#1042519)
Mon Jun 30 14:00:00 2014 Petr Lautrbach 5.3p1-100
- fix race in backported ControlPersist patch (#953088)
Tue Jun 24 14:00:00 2014 Petr Lautrbach 5.3p1-99.2
- skip requesting smartcard PIN when removing keys from agent (#1042519)
Fri Jun 20 14:00:00 2014 Petr Lautrbach 5.3p1-98
- add possibility to autocreate only RSA key into initscript (#1111568)
- fix several issues reported by coverity
Thu Jun 19 14:00:00 2014 Petr Lautrbach 5.3p1-97
- x11 forwarding - be less restrictive when can\'t bind to one of available addresses
(#1027197)
- better fork error detection in audit patch (#1028643)
- fix openssh-5.3p1-x11.patch for non-linux platforms (#1100913)
Wed Jun 18 14:00:00 2014 Petr Lautrbach 5.3p1-96
- prevent a server from skipping SSHFP lookup (#1081338) CVE-2014-2653
- ignore environment variables with embedded \'=\' or \'\\0\' characters CVE-2014-2532
- backport ControlPersist option (#953088)
- log when a client requests an interactive session and only sftp is allowed (#997377)
- don\'t try to load RSA1 host key in FIPS mode (#1009959)
- restore Linux oom_adj setting when handling SIGHUP to maintain behaviour over restart
(#1010429)
- ssh-keygen -V - relative-specified certificate expiry time should be relative to current time
(#1022459)
Wed Dec 4 13:00:00 2013 Petr Lautrbach 5.3p1-95
- adjust the key echange DH groups and ssh-keygen according to SP800-131A (#993580)
- log failed integrity test if /etc/system-fips exists (#1020803)
- backport ECDSA and ECDH support (#1028335)
Fri Sep 27 14:00:00 2013 Petr Lautrbach 5.3p1-94
- use dracut-fips package to determine if a FIPS module is installed (#1001565)
Fri Sep 20 14:00:00 2013 Petr Lautrbach 5.3p1-93
- use dist tag in suffixes for hmac checksum files (#1001565)
Thu Sep 12 14:00:00 2013 Petr Lautrbach 5.3p1-92
- use hmac_suffix for ssh{,d} hmac checksums (#1001565)
Fri Sep 6 14:00:00 2013 Petr Lautrbach 5.3p1-91
- fix NSS keys support (#1004763)
Thu Aug 29 14:00:00 2013 Petr Lautrbach 5.3p1-90
- change default value of MaxStartups - CVE-2010-5107 - #908707
- add -fips subpackages that contains the FIPS module files (#1001565)
Tue Aug 20 14:00:00 2013 Petr Lautrbach 5.3p1-89
- don\'t use SSH_FP_MD5 for fingerprints in FIPS mode (#998835)
Wed Aug 14 14:00:00 2013 Petr Lautrbach 5.3p1-88
- do ssh_gssapi_krb5_storecreds() twice - before and after pam sesssion (#974096)
Wed Aug 14 14:00:00 2013 Petr Lautrbach 5.3p1-87
- bump the minimum value of SSH_USE_STRONG_RNG to 14 according to SP800-131A (#993577)
- fixed an issue with broken \'ssh -I pkcs11\' (#908038)
- abort non-subsystem sessions to forced internal sftp-server (#993509)
- reverted \'store krb5 credentials after a pam session is created (#974096)\'
Fri Jul 19 14:00:00 2013 Petr Lautrbach 5.3p1-86
- Add support for certificate key types for users and hosts (#906872)
- Apply RFC3454 stringprep to banners when possible (#955792)
Thu Jul 18 14:00:00 2013 Petr Lautrbach 5.3p1-85
- fix chroot logging issue (#872169)
- change the bad key permissions error message (#880575)
- fix a race condition in ssh-agent (#896561)
- backport support for PKCS11 from openssh-5.4p1 (#908038)
- add a KexAlgorithms knob to the client and server configuration (#951704)
- fix parsing logic of ldap.conf file (#954094)
- Add HMAC-SHA2 algorithm support (#969565)
- store krb5 credentials after a pam session is created (#974096)
Thu Dec 13 13:00:00 2012 Petr Lautrbach 5.3p1-84.1
- Add a \'netcat mode\' (ssh -W) (#860809)
Mon Nov 12 13:00:00 2012 Petr Lautrbach 5.3p1-83
- fix the required authentications patch (#869903)
Fri Oct 12 14:00:00 2012 Petr Lautrbach 5.3p1-82
- check return value of PK11_Authenticate in ssh-add -n (#782912)
- document available methods to RequiredAuthentications[12] (#821641)
- fix ssh-copy-id (#836650)
- fix segmentation fault in ssh client (#836655)
- update pam_ssh_agent_auth to 0.9.3 upstream version
- fix segfault in su when pam_ssh_agent_auth is used and the ssh-agent
is not running (#834404)
Tue May 15 14:00:00 2012 Petr Lautrbach 5.3p1-81
- fixes in openssh-5.3p1-required-authentications.patch (#657378)
Thu Apr 26 14:00:00 2012 Petr Lautrbach 5.3p1-79
- fix forward on non-localhost ports with IPv6 (#732955)
Mon Apr 23 14:00:00 2012 Petr Lautrbach 5.3p1-78
- clear SELinux exec context before exec passwd (#814691)
Wed Apr 18 14:00:00 2012 Petr Lautrbach 5.3p1-77
- prevent post-auth resource exhaustion (#809938)
Wed Apr 4 14:00:00 2012 Petr Lautrbach 5.3p1-76
- don\'t escape backslah in a banner (#809619)
Wed Mar 28 14:00:00 2012 Petr Lautrbach 5.3p1-75
- fix various issues in openssh-5.3p1-required-authentications.patch (#805901)
Wed Mar 14 13:00:00 2012 Petr Lautrbach 5.3p1-74
- fix out-of-memory killer patch (#744236)
Wed Feb 29 13:00:00 2012 Petr Lautrbach 5.3p1-73
- remove openssh-4.3p2-no-v6only.patch (#732955)
- adjust Linux out-of-memory killer (#744236)
- fix sshd init script - check existence of crypto (#797384)
- add RequiredAuthentications[12] (#657378)
- run privsep slave process as the users SELinux context (#798241)
Wed Jan 18 13:00:00 2012 Petr Lautrbach 5.3p1-72
- drop CAVS test driver (#782091)
Mon Jan 16 13:00:00 2012 Petr Lautrbach 5.3p1-71
- enable aes-ctr ciphers use the EVP engines from OpenSSL such as the AES-NI (#756929)
- add CAVS test driver for the aes-ctr ciphers (#782091)
Wed Sep 7 14:00:00 2011 Jan F. Chadima - 5.5p1-70
- mention IPv6 in scp and sftp man pages (#695781)
Fri Aug 26 14:00:00 2011 Jan F. Chadima - 5.5p1-69
- enable another context when run in chroot (#685060)
Mon Aug 22 14:00:00 2011 Jan F. Chadima - 5.5p1-67
- enable big uid logs for 32bit archs (#731939)
Mon Aug 22 14:00:00 2011 Jan F. Chadima - 5.5p1-66
- save ssh-askpass\'s debuginfo (#729021)
Mon Aug 8 14:00:00 2011 Jan F. Chadima - 5.5p1-65
- repair man pages (#728459)
Tue Jul 26 14:00:00 2011 Jan F. Chadima - 5.5p1-63
- restore init script (#698777)
Thu Jun 23 14:00:00 2011 Jan F. Chadima - 5.5p1-62
- fix hang on exit (#714554)
Tue Jun 21 14:00:00 2011 Jan F. Chadima - 5.5p1-60
- mention IPv6 in man pages (#695781)
Mon Jun 20 14:00:00 2011 Jan F. Chadima - 5.5p1-59
- repair access to chroted sftp directory (#685060)
Thu Jun 16 14:00:00 2011 Jan F. Chadima - 5.5p1-57
- make it possible to build openssh without downstream patches (#708389)
Tue May 31 14:00:00 2011 Jan F. Chadima - 5.5p1-56
- improve reseed documentation (#708056)
Fri May 27 14:00:00 2011 Jan F. Chadima - 5.5p1-54
- improve ldap backend documentation (#705397)
Fri May 27 14:00:00 2011 Jan F. Chadima - 5.5p1-53
- improve reseed (#708056)
Mon Apr 4 14:00:00 2011 Jan F. Chadima - 5.5p1-52
- do not crash when reporting cannot bind a port (#691320)
- improve documentation
Wed Mar 30 14:00:00 2011 Jan F. Chadima - 5.5p1-51
- do not crash when got double SIGHUP (#690391)
- add /etc/sysconfig/sshd
Mon Mar 28 14:00:00 2011 Jan F. Chadima - 5.5p1-50
- improve reseed (#681296)
Thu Mar 24 13:00:00 2011 Jan F. Chadima - 5.5p1-49
- merge keycat to servers
- add reseed (#681296)
Tue Mar 15 13:00:00 2011 Jan F. Chadima - 5.5p1-48
- improve sftp option to set umask (#657059)
Mon Mar 14 13:00:00 2011 Jan F. Chadima - 5.5p1-47
- improve audit (#642792)
Thu Mar 10 13:00:00 2011 Jan F. Chadima - 5.5p1-46
- improve ldap backend (#455350)
Tue Mar 8 13:00:00 2011 Jan F. Chadima - 5.5p1-45
- improve keycat (#676665)
Thu Mar 3 13:00:00 2011 Jan F. Chadima - 5.5p1-42
- resolve chroot problem (#681202)
Mon Feb 28 13:00:00 2011 Jan F. Chadima - 5.5p1-41
- add keycat support (#676665)
- improve audit (#680722)
Thu Feb 24 13:00:00 2011 Jan F. Chadima - 5.5p1-40
- add rello to ppc64 (#642927)
Thu Feb 24 13:00:00 2011 Jan F. Chadima - 5.5p1-39
- improve audit (#642792)
Tue Feb 15 13:00:00 2011 Jan F. Chadima - 5.5p1-38
- improve ldap backend (#455350)
Tue Feb 8 13:00:00 2011 Jan F. Chadima - 5.5p1-37
- improve audit session key destroy (#642792)
Thu Jan 27 13:00:00 2011 Jan F. Chadima - 5.5p1-36
- add ldap backend (#455350)
- skip sshd init\'s rsa1 creation in fips mode (#672870)
- improve audit session key destroy (#642792)
Thu Jan 20 13:00:00 2011 Jan F. Chadima - 5.5p1-35
- add documentation for nss keys (#670515)
Fri Jan 14 13:00:00 2011 Jan F. Chadima - 5.5p1-34
- add audit server key destroy (#642792)
Thu Jan 13 13:00:00 2011 Jan F. Chadima - 5.5p1-32
- turn off relro and new on ppc64 (#642927)
Wed Jan 12 13:00:00 2011 Jan F. Chadima - 5.5p1-31
- add audit session key destroy (#642792)
Fri Dec 10 13:00:00 2010 Jan F. Chadima - 5.5p1-30
- improove clientloop (#656844)
Thu Dec 9 13:00:00 2010 Jan F. Chadima - 5.5p1-29
- add sftp option to set umask (#657059)
Thu Nov 25 13:00:00 2010 Jan F. Chadima - 5.5p1-28
- add option to switch out krb5_kuserok (#577998)
Thu Nov 25 13:00:00 2010 Jan F. Chadima - 5.5p1-27
- properly restore euid in case connect to the ssh-agent socket fails (#656415)
Tue Nov 23 13:00:00 2010 Jan F. Chadima - 5.5p1-26
- Repaired the problem with puting entries with very big uid into lastlog (#631787)
Tue Nov 23 13:00:00 2010 Jan F. Chadima - 5.5p1-25
- Added README.nss (#652249)
Tue Nov 23 13:00:00 2010 Jan F. Chadima - 5.5p1-24
- Added -z relro -z now to LDFLAGS (#642927)
Fri Nov 19 13:00:00 2010 Jan F. Chadima - 5.5p1-23
- repair gsskex auth (#646286)
Thu Nov 11 13:00:00 2010 Jan F. Chadima - 5.5p1-22
- add audit kex and keyusage (#642792)
Mon Nov 8 13:00:00 2010 Jan F. Chadima - 5.5p1-21
- repair bad stderr handling (#631757)
Thu Aug 12 14:00:00 2010 Jan F. Chadima - 5.5p1-20
- set correct socket name length in abstract socket (#621691)
Mon Jul 12 14:00:00 2010 Jan F. Chadima - 5.5p1-19
- replace authorized key command by the upstream version (#613627)
Wed Jun 30 14:00:00 2010 Jan F. Chadima - 5.5p1-18
- use abstract socket for X11 where possible (#598671)
Thu Jun 3 14:00:00 2010 Jan F. Chadima - 5.5p1-17
- parsing authorised file option (#598814)
Fri May 28 14:00:00 2010 Jan F. Chadima - 5.5p1-16
- compile with -fno-strict-alias (#596192)
Mon May 24 14:00:00 2010 Jan F. Chadima - 5.5p1-15
- synchronize uid and gid for the user sshd (#594084)
Mon Apr 12 14:00:00 2010 Jan F. Chadima - 5.3p1-14
- source krb5-devel profile script only if exists (#581444)
Wed Feb 10 13:00:00 2010 Jan F. Chadima - 5.3p1-13
- Allow to use hardware crypto if awailable (#563574)
Thu Jan 28 13:00:00 2010 Jan F. Chadima - 5.3p1-12.3
- set FD_CLOEXEC on accepted socket (#541809)
Thu Jan 21 13:00:00 2010 Jan F. Chadima - 5.3p1-12.2
- add RAND_cleanup at the exit of each program using RAND (#557166)
Tue Jan 12 13:00:00 2010 Jan F. Chadima - 5.3p1-12.1
- Rebuild for new libaudit
Tue Jan 5 13:00:00 2010 Jan F. Chadima - 5.3p1-12
- Update audit patch
- Update pka patch
Mon Nov 30 13:00:00 2009 Jan F. Chadima - 5.3p1-11
- Update NSS key patch including future SEC_ERROR_LOCKED_PASSWORD (#537411, #356451)
Fri Nov 20 13:00:00 2009 Jan F. Chadima - 5.3p1-9
- Add gssapi key exchange patch (#455351)
Fri Nov 20 13:00:00 2009 Jan F. Chadima - 5.3p1-8
- Add public key agent patch (#455350)
Mon Nov 2 13:00:00 2009 Jan F. Chadima - 5.3p1-7
- Repair canohost patch to allow gssapi to work when host is acessed via pipe proxy (#531849)
Thu Oct 29 13:00:00 2009 Jan F. Chadima - 5.3p1-6
- Modify the init script to prevent it to hang during generating the keys (#515145)
Tue Oct 27 13:00:00 2009 Jan F. Chadima - 5.3p1-5
- Add README.nss
Mon Oct 19 14:00:00 2009 Tomas Mraz - 5.3p1-4
- Add pam_ssh_agent_auth module to a subpackage.
Fri Oct 16 14:00:00 2009 Jan F. Chadima - 5.3p1-3
- Reenable audit.
Fri Oct 2 14:00:00 2009 Jan F. Chadima - 5.3p1-2
- Upgrade to new wersion 5.3p1
Tue Sep 29 14:00:00 2009 Jan F. Chadima - 5.2p1-29
- Resolve locking in ssh-add (#491312)
Thu Sep 24 14:00:00 2009 Jan F. Chadima - 5.2p1-28
- Repair initscript to be acord to guidelines (#521860)
- Add bugzilla# to application of edns and xmodifiers patch
Wed Sep 16 14:00:00 2009 Jan F. Chadima - 5.2p1-26
- Changed pam stack to password-auth
Fri Sep 11 14:00:00 2009 Jan F. Chadima - 5.2p1-25
- Dropped homechroot patch
Mon Sep 7 14:00:00 2009 Jan F. Chadima - 5.2p1-24
- Add check for nosuid, nodev in homechroot
Tue Sep 1 14:00:00 2009 Jan F. Chadima - 5.2p1-23
- add correct patch for ip-opts
Tue Sep 1 14:00:00 2009 Jan F. Chadima - 5.2p1-22
- replace ip-opts patch by an upstream candidate version
Mon Aug 31 14:00:00 2009 Jan F. Chadima - 5.2p1-21
- rearange selinux patch to be acceptable for upstream
- replace seftp patch by an upstream version
Fri Aug 28 14:00:00 2009 Jan F. Chadima - 5.2p1-20
- merged xmodifiers to redhat patch
- merged gssapi-role to selinux patch
- merged cve-2007_3102 to audit patch
- sesftp patch only with WITH_SELINUX flag
- rearange sesftp patch according to upstream request
Wed Aug 26 14:00:00 2009 Jan F. Chadima - 5.2p1-19
- minor change in sesftp patch
Fri Aug 21 14:00:00 2009 Tomas Mraz - 5.2p1-18
- rebuilt with new openssl
Thu Jul 30 14:00:00 2009 Jan F. Chadima - 5.2p1-17
- Added dnssec support. (#205842)
Sat Jul 25 14:00:00 2009 Fedora Release Engineering - 5.2p1-16
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
Fri Jul 24 14:00:00 2009 Jan F. Chadima - 5.2p1-15
- only INTERNAL_SFTP can be home-chrooted
- save _u and _r parts of context changing to sftpd_t
Fri Jul 17 14:00:00 2009 Jan F. Chadima - 5.2p1-14
- changed internal-sftp context to sftpd_t
Fri Jul 3 14:00:00 2009 Jan F. Chadima - 5.2p1-13
- changed home length path patch to upstream version
Tue Jun 30 14:00:00 2009 Jan F. Chadima - 5.2p1-12
- create \'~/.ssh/known_hosts\' within proper context
Mon Jun 29 14:00:00 2009 Jan F. Chadima - 5.2p1-11
- length of home path in ssh now limited by PATH_MAX
- correct timezone with daylight processing
Sat Jun 27 14:00:00 2009 Jan F. Chadima - 5.2p1-10
- final version chroot %h (sftp only)
Tue Jun 23 14:00:00 2009 Jan F. Chadima - 5.2p1-9
- repair broken ls in chroot %h
Fri Jun 12 14:00:00 2009 Jan F. Chadima - 5.2p1-8
- add XMODIFIERS to exported environment (#495690)
Fri May 15 14:00:00 2009 Tomas Mraz - 5.2p1-6
- allow only protocol 2 in the FIPS mode
Thu Apr 30 14:00:00 2009 Tomas Mraz - 5.2p1-5
- do integrity verification only on binaries which are part
of the OpenSSH FIPS modules
Mon Apr 20 14:00:00 2009 Tomas Mraz - 5.2p1-4
- log if FIPS mode is initialized
- make aes-ctr cipher modes work in the FIPS mode
Fri Apr 3 14:00:00 2009 Jan F. Chadima - 5.2p1-3
- fix logging after chroot
- enable non root users to use chroot %h in internal-sftp
Fri Mar 13 13:00:00 2009 Tomas Mraz - 5.2p1-2
- add AES-CTR ciphers to the FIPS mode proposal
Mon Mar 9 13:00:00 2009 Jan F. Chadima - 5.2p1-1
- upgrade to new upstream release
Thu Feb 26 13:00:00 2009 Fedora Release Engineering - 5.1p1-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
Thu Feb 12 13:00:00 2009 Tomas Mraz - 5.1p1-7
- drop obsolete triggers
- add testing FIPS mode support
- LSBize the initscript (#247014)
Fri Jan 30 13:00:00 2009 Tomas Mraz - 5.1p1-6
- enable use of ssl engines (#481100)
Thu Jan 15 13:00:00 2009 Tomas Mraz - 5.1p1-5
- remove obsolete --with-rsh (#478298)
- add pam_sepermit to allow blocking confined users in permissive mode
(#471746)
- move system-auth after pam_selinux in the session stack
Thu Dec 11 13:00:00 2008 Tomas Mraz - 5.1p1-4
- set FD_CLOEXEC on channel sockets (#475866)
- adjust summary
- adjust nss-keys patch so it is applicable without selinux patches (#470859)
Fri Oct 17 14:00:00 2008 Tomas Mraz - 5.1p1-3
- fix compatibility with some servers (#466818)
Thu Jul 31 14:00:00 2008 Tomas Mraz - 5.1p1-2
- fixed zero length banner problem (#457326)
Wed Jul 23 14:00:00 2008 Tomas Mraz - 5.1p1-1
- upgrade to new upstream release
- fixed a problem with public key authentication and explicitely
specified SELinux role
Wed May 21 14:00:00 2008 Tomas Mraz - 5.0p1-3
- pass the connection socket to ssh-keysign (#447680)
Mon May 19 14:00:00 2008 Tomas Mraz - 5.0p1-2
- add LANGUAGE to accepted/sent environment variables (#443231)
- use pam_selinux to obtain the user context instead of doing it itself
- unbreak server keep alive settings (patch from upstream)
- small addition to scp manpage
Mon Apr 7 14:00:00 2008 Tomas Mraz - 5.0p1-1
- upgrade to new upstream (#441066)
- prevent initscript from killing itself on halt with upstart (#438449)
- initscript status should show that the daemon is running
only when the main daemon is still alive (#430882)
Thu Mar 6 13:00:00 2008 Tomas Mraz - 4.7p1-10
- fix race on control master and cleanup stale control socket (#436311)
patches by David Woodhouse
Fri Feb 29 13:00:00 2008 Tomas Mraz - 4.7p1-9
- set FD_CLOEXEC on client socket
- apply real fix for window size problem (#286181) from upstream
- apply fix for the spurious failed bind from upstream
- apply open handle leak in sftp fix from upstream
Tue Feb 12 13:00:00 2008 Dennis Gilmore - 4.7p1-8
- we build for sparcv9 now and it needs -fPIE
Thu Jan 3 13:00:00 2008 Tomas Mraz - 4.7p1-7
- fix gssapi auth with explicit selinux role requested (#427303) - patch
by Nalin Dahyabhai
Tue Dec 4 13:00:00 2007 Tomas Mraz - 4.7p1-6
- explicitly source krb5-devel profile script
Tue Dec 4 13:00:00 2007 Release Engineering - 4.7p1-5
- Rebuild for openssl bump
Tue Nov 20 13:00:00 2007 Tomas Mraz - 4.7p1-4
- do not copy /etc/localtime into the chroot as it is not
necessary anymore (#193184)
- call setkeycreatecon when selinux context is established
- test for NULL privk when freeing key (#391871) - patch by
Pierre Ossman
Mon Sep 17 14:00:00 2007 Tomas Mraz - 4.7p1-2
- revert default window size adjustments (#286181)
Thu Sep 6 14:00:00 2007 Tomas Mraz - 4.7p1-1
- upgrade to latest upstream
- use libedit in sftp (#203009)
- fixed audit log injection problem (CVE-2007-3102)
Thu Aug 9 14:00:00 2007 Tomas Mraz - 4.5p1-8
- fix sftp client problems on write error (#247802)
- allow disabling autocreation of server keys (#235466)
Wed Jun 20 14:00:00 2007 Tomas Mraz - 4.5p1-7
- experimental NSS keys support
- correctly setup context when empty level requested (#234951)
Tue Mar 20 13:00:00 2007 Tomas Mraz - 4.5p1-6
- mls level check must be done with default role same as requested
Mon Mar 19 13:00:00 2007 Tomas Mraz - 4.5p1-5
- make profile.d/gnome-ssh-askpass.
* regular files (#226218)
Tue Feb 27 13:00:00 2007 Tomas Mraz - 4.5p1-4
- reject connection if requested mls range is not obtained (#229278)
Thu Feb 22 13:00:00 2007 Tomas Mraz - 4.5p1-3
- improve Buildroot
- remove duplicate /etc/ssh from files
Tue Jan 16 13:00:00 2007 Tomas Mraz - 4.5p1-2
- support mls on labeled networks (#220487)
- support mls level selection on unlabeled networks
- allow / in usernames in scp (only beginning /, ./, and ../ is special)
Thu Dec 21 13:00:00 2006 Tomas Mraz - 4.5p1-1
- update to 4.5p1 (#212606)
Thu Nov 30 13:00:00 2006 Tomas Mraz - 4.3p2-14
- fix gssapi with DNS loadbalanced clusters (#216857)
Tue Nov 28 13:00:00 2006 Tomas Mraz - 4.3p2-13
- improved pam_session patch so it doesn\'t regress, the patch is necessary
for the pam_session_close to be called correctly as uid 0
Fri Nov 10 13:00:00 2006 Tomas Mraz - 4.3p2-12
- CVE-2006-5794 - properly detect failed key verify in monitor (#214641)
Thu Nov 2 13:00:00 2006 Tomas Mraz - 4.3p2-11
- merge sshd initscript patches
- kill all ssh sessions when stop is called in halt or reboot runlevel
- remove -TERM option from killproc so we don\'t race on sshd restart
Mon Oct 2 14:00:00 2006 Tomas Mraz - 4.3p2-10
- improve gssapi-no-spnego patch (#208102)
- CVE-2006-4924 - prevent DoS on deattack detector (#207957)
- CVE-2006-5051 - don\'t call cleanups from signal handler (#208459)
Wed Aug 23 14:00:00 2006 Tomas Mraz - 4.3p2-9
- don\'t report duplicate syslog messages, use correct local time (#189158)
- don\'t allow spnego as gssapi mechanism (from upstream)
- fixed memleaks found by Coverity (from upstream)
- allow ip options except source routing (#202856) (patch by HP)
Tue Aug 8 14:00:00 2006 Tomas Mraz - 4.3p2-8
- drop the pam-session patch from the previous build (#201341)
- don\'t set IPV6_V6ONLY sock opt when listening on wildcard addr (#201594)
Thu Jul 20 14:00:00 2006 Tomas Mraz - 4.3p2-7
- dropped old ssh obsoletes
- call the pam_session_open/close from the monitor when privsep is
enabled so it is always called as root (patch by Darren Tucker)
Mon Jul 17 14:00:00 2006 Tomas Mraz - 4.3p2-6
- improve selinux patch (by Jan Kiszka)
- upstream patch for buffer append space error (#191940)
- fixed typo in configure.ac (#198986)
- added pam_keyinit to pam configuration (#198628)
- improved error message when askpass dialog cannot grab
keyboard input (#198332)
- buildrequires xauth instead of xorg-x11-xauth
- fixed a few rpmlint warnings
Wed Jul 12 14:00:00 2006 Jesse Keating - 4.3p2-5.1
- rebuild
Fri Apr 14 14:00:00 2006 Tomas Mraz - 4.3p2-5
- don\'t request pseudoterminal allocation if stdin is not tty (#188983)
Thu Mar 2 13:00:00 2006 Tomas Mraz - 4.3p2-4
- allow access if audit is not compiled in kernel (#183243)
Fri Feb 24 13:00:00 2006 Tomas Mraz - 4.3p2-3
- enable the subprocess in chroot to send messages to system log
- sshd should prevent login if audit call fails
Tue Feb 21 13:00:00 2006 Tomas Mraz - 4.3p2-2
- print error from scp if not remote (patch by Bjorn Augustsson #178923)
Mon Feb 13 13:00:00 2006 Tomas Mraz - 4.3p2-1
- new version
Fri Feb 10 13:00:00 2006 Jesse Keating - 4.3p1-2.1
- bump again for double-long bug on ppc(64)
Mon Feb 6 13:00:00 2006 Tomas Mraz - 4.3p1-2
- fixed another place where syslog was called in signal handler
- pass locale environment variables to server, accept them there (#179851)
Wed Feb 1 13:00:00 2006 Tomas Mraz - 4.3p1-1
- new version, dropped obsolete patches
Tue Dec 20 13:00:00 2005 Tomas Mraz - 4.2p1-10
- hopefully make the askpass dialog less confusing (#174765)
Fri Dec 9 13:00:00 2005 Jesse Keating
- rebuilt
Tue Nov 22 13:00:00 2005 Tomas Mraz - 4.2p1-9
- drop x11-ssh-askpass from the package
- drop old build_6x ifs from spec file
- improve gnome-ssh-askpass so it doesn\'t reveal number of passphrase
characters to person looking at the display
- less hackish fix for the __USE_GNU problem
Fri Nov 18 13:00:00 2005 Nalin Dahyabhai - 4.2p1-8
- work around missing gccmakedep by wrapping makedepend in a local script
- remove now-obsolete build dependency on \"xauth\"
Thu Nov 17 13:00:00 2005 Warren Togami - 4.2p1-7
- xorg-x11-devel -> libXt-devel
- rebuild for new xauth location so X forwarding works
- buildreq audit-libs-devel
- buildreq automake for aclocal
- buildreq imake for xmkmf
- -D_GNU_SOURCE in flags in order to get it to build
Ugly hack to workaround openssh defining __USE_GNU which is
not allowed and causes problems according to Ulrich Drepper
fix this the correct way after FC5test1
Wed Nov 9 13:00:00 2005 Jeremy Katz - 4.2p1-6
- rebuild against new openssl
Fri Oct 28 14:00:00 2005 Tomas Mraz 4.2p1-5
- put back the possibility to skip SELinux patch
- add patch for user login auditing by Steve Grubb
Tue Oct 18 14:00:00 2005 Dan Walsh 4.2p1-4
- Change selinux patch to use get_default_context_with_rolelevel in libselinux.
Thu Oct 13 14:00:00 2005 Tomas Mraz 4.2p1-3
- Update selinux patch to use getseuserbyname
Fri Oct 7 14:00:00 2005 Tomas Mraz 4.2p1-2
- use include instead of pam_stack in pam config
- use fork+exec instead of system in scp - CVE-2006-0225 (#168167)
- upstream patch for displaying authentication errors
Tue Sep 6 14:00:00 2005 Tomas Mraz 4.2p1-1
- upgrade to a new upstream version
Tue Aug 16 14:00:00 2005 Tomas Mraz 4.1p1-5
- use x11-ssh-askpass if openssh-askpass-gnome is not installed (#165207)
- install ssh-copy-id from contrib (#88707)
Wed Jul 27 14:00:00 2005 Tomas Mraz 4.1p1-4
- don\'t deadlock on exit with multiple X forwarded channels (#152432)
- don\'t use X11 port which can\'t be bound on all IP families (#163732)
Wed Jun 29 14:00:00 2005 Tomas Mraz 4.1p1-3
- fix small regression caused by the nologin patch (#161956)
- fix race in getpeername error checking (mindrot #1054)
Thu Jun 9 14:00:00 2005 Tomas Mraz 4.1p1-2
- use only pam_nologin for nologin testing
Mon Jun 6 14:00:00 2005 Tomas Mraz 4.1p1-1
- upgrade to a new upstream version
- call pam_loginuid as a pam session module
Mon May 16 14:00:00 2005 Tomas Mraz 4.0p1-3
- link libselinux only to sshd (#157678)
Mon Apr 4 14:00:00 2005 Tomas Mraz 4.0p1-2
- fixed Local/RemoteForward in ssh_config.5 manpage
- fix fatal when Local/RemoteForward is used and scp run (#153258)
- don\'t leak user validity when using krb5 authentication
Thu Mar 24 13:00:00 2005 Tomas Mraz 4.0p1-1
- upgrade to 4.0p1
- remove obsolete groups patch
Wed Mar 16 13:00:00 2005 Elliot Lee
- rebuilt
Mon Feb 28 13:00:00 2005 Nalin Dahyabhai 3.9p1-12
- rebuild so that configure can detect that krb5_init_ets is gone now
Mon Feb 21 13:00:00 2005 Tomas Mraz 3.9p1-11
- don\'t call syslog in signal handler
- allow password authentication when copying from remote
to remote machine (#103364)
Wed Feb 9 13:00:00 2005 Tomas Mraz
- add spaces to messages in initscript (#138508)
Tue Feb 8 13:00:00 2005 Tomas Mraz 3.9p1-10
- enable trusted forwarding by default if X11 forwarding is
required by user (#137685 and duplicates)
- disable protocol 1 support by default in sshd server config (#88329)
- keep the gnome-askpass dialog above others (#69131)
Fri Feb 4 13:00:00 2005 Tomas Mraz
- change permissions on pam.d/sshd to 0644 (#64697)
- patch initscript so it doesn\'t kill opened sessions if
the sshd daemon isn\'t running anymore (#67624)
Mon Jan 3 13:00:00 2005 Bill Nottingham 3.9p1-9
- don\'t use initlog
Mon Nov 29 13:00:00 2004 Thomas Woerner 3.9p1-8.1
- fixed PIE build for all architectures
Mon Oct 4 14:00:00 2004 Nalin Dahyabhai 3.9p1-8
- add a --enable-vendor-patchlevel option which allows a ShowPatchLevel option
to enable display of a vendor patch level during version exchange (#120285)
- configure with --disable-strip to build useful debuginfo subpackages
Mon Sep 20 14:00:00 2004 Bill Nottingham 3.9p1-7
- when using gtk2 for askpass, don\'t buildprereq gnome-libs-devel
Tue Sep 14 14:00:00 2004 Nalin Dahyabhai 3.9p1-6
- build
Mon Sep 13 14:00:00 2004 Nalin Dahyabhai
- disable ACSS support
Thu Sep 2 14:00:00 2004 Daniel Walsh 3.9p1-5
- Change selinux patch to use get_default_context_with_role in libselinux.
Thu Sep 2 14:00:00 2004 Daniel Walsh 3.9p1-4
- Fix patch
* Bad debug statement.
* Handle root/sysadm_r:kerberos
Thu Sep 2 14:00:00 2004 Daniel Walsh 3.9p1-3
- Modify Colin Walter\'s patch to allow specifying rule during connection
Tue Aug 31 14:00:00 2004 Daniel Walsh 3.9p1-2
- Fix TTY handling for SELinux
Tue Aug 24 14:00:00 2004 Daniel Walsh 3.9p1-1
- Update to upstream
Sun Aug 1 14:00:00 2004 Alan Cox 3.8.1p1-5
- Apply buildreq fixup patch (#125296)
Tue Jun 15 14:00:00 2004 Daniel Walsh 3.8.1p1-4
- Clean up patch for upstream submission.
Tue Jun 15 14:00:00 2004 Elliot Lee
- rebuilt
Wed Jun 9 14:00:00 2004 Daniel Walsh 3.8.1p1-2
- Remove use of pam_selinux and patch selinux in directly.
Mon Jun 7 14:00:00 2004 Nalin Dahyabhai 3.8.1p1-1
- request gssapi-with-mic by default but not delegation (flag day for anyone
who used previous gssapi patches)
- no longer request x11 forwarding by default
Thu Jun 3 14:00:00 2004 Daniel Walsh 3.6.1p2-36
- Change pam file to use open and close with pam_selinux
Tue Jun 1 14:00:00 2004 Nalin Dahyabhai 3.8.1p1-0
- update to 3.8.1p1
- add workaround from CVS to reintroduce passwordauth using pam
Tue Jun 1 14:00:00 2004 Daniel Walsh 3.6.1p2-35
- Remove CLOSEXEC on STDERR
Tue Mar 16 13:00:00 2004 Daniel Walsh 3.6.1p2-34
* Wed Mar 03 2004 Phil Knirsch 3.6.1p2-33.30.1
- Built RHLE3 U2 update package.
Wed Mar 3 13:00:00 2004 Daniel Walsh 3.6.1p2-33
- Close file descriptors on exec
Mon Mar 1 13:00:00 2004 Thomas Woerner 3.6.1p2-32
- fixed pie build
Thu Feb 26 13:00:00 2004 Daniel Walsh 3.6.1p2-31
- Add restorecon to startup scripts
Thu Feb 26 13:00:00 2004 Daniel Walsh 3.6.1p2-30
- Add multiple qualified to openssh
Mon Feb 23 13:00:00 2004 Daniel Walsh 3.6.1p2-29
- Eliminate selinux code and use pam_selinux
Fri Feb 13 13:00:00 2004 Elliot Lee
- rebuilt
Mon Jan 26 13:00:00 2004 Daniel Walsh 3.6.1p2-27
- turn off pie on ppc
Mon Jan 26 13:00:00 2004 Daniel Walsh 3.6.1p2-26
- fix is_selinux_enabled
Wed Jan 14 13:00:00 2004 Daniel Walsh 3.6.1p2-25
- Rebuild to grab shared libselinux
Wed Dec 3 13:00:00 2003 Daniel Walsh 3.6.1p2-24
- turn on selinux
Tue Nov 18 13:00:00 2003 Nalin Dahyabhai
- un#ifdef out code for reporting password expiration in non-privsep
mode (#83585)
Mon Nov 10 13:00:00 2003 Nalin Dahyabhai
- add machinery to build with/without -fpie/-pie, default to doing so
Thu Nov 6 13:00:00 2003 David Woodhouse 3.6.1p2-23
- Don\'t whinge about getsockopt failing (#109161)
Fri Oct 24 14:00:00 2003 Nalin Dahyabhai
- add missing buildprereq on zlib-devel (#104558)
Mon Oct 13 14:00:00 2003 Daniel Walsh 3.6.1p2-22
- turn selinux off
Mon Oct 13 14:00:00 2003 Daniel Walsh 3.6.1p2-21.sel