Changelog for
openssh-clients-6.6.1p1-31.el7.x86_64.rpm :
Tue Sep 6 14:00:00 2016 Jakub Jelen
- 6.6.1p1-31 + 0.9.3-9
- Do not depend on selinux-policy (#1373297)
Fri Jul 29 14:00:00 2016 Jakub Jelen - 6.6.1p1-30 + 0.9.3-9
- Drop dependency on libcap-ng for ssh-keycat (#1357859)
Thu Jul 28 14:00:00 2016 Jakub Jelen - 6.6.1p1-29 + 0.9.3-9
- Rework SELinux context handling with chroot using libcap-ng (#1357859)
Fri Jul 1 14:00:00 2016 Jakub Jelen - 6.6.1p1-28 + 0.9.3-9
- SFTP force permission collision with umask (#1344614)
- Make closefrom() ignore FD\'s to /dev/ devices on s390 (#1318760)
- Create a default value for AuthenticationMethods any (#1237129)
- Fix ssh-copy-id with LogLevel=quiet (#1349556)
- Expose more information to PAM (#1312304)
- Move MAX_DISPLAYS to a configuration option (#1341302)
- Add a wildcard option to PermitOpen directive (host) (#1344106)
Tue May 31 14:00:00 2016 Jakub Jelen - 6.6.1p1-27 + 0.9.3-9
- Coverity and RPMDiff build issues (#1334326)
- CVE-2015-8325: privilege escalation via user\'s PAM environment and UseLogin=yes (#1329191)
- Check for real location of .k5login file (#1328243)
- close ControlPersist background process stderr (#1335540)
Fri Apr 1 14:00:00 2016 Jakub Jelen 6.6.1p1-26 + 0.9.3-9
- Drop glob patch for sftp client preventing listing many files (#1310303)
- Fix race condition between audit messages from different processes (#1310684)
- Make systemd service forking to properly report state (#1291172)
- Get rid of rpm triggers for openssh-5.x (#1312013)
- Generate the host keys when the key files are empty (#1266043)
- pam_ssh_agent_auth: authorized_keys_command option (#1317858)
- Don\'t use MD5 digest from pam_ssh_agent_auth in FIPS mode (#1317952)
Wed Mar 16 13:00:00 2016 Jakub Jelen 6.6.1p1-25 + 0.9.3-9
- CVE-2016-1908: possible fallback from untrusted to trusted X11 forwarding (#1298741)
Tue Mar 15 13:00:00 2016 Jakub Jelen 6.6.1p1-24 + 0.9.3-9
- CVE-2016-3115: missing sanitisation of input for X11 forwarding (#1317819)
Wed Jan 13 13:00:00 2016 Jakub Jelen 6.6.1p1-23 + 0.9.3-9
- Disable undocumented feauture Roaming for good (#1298218)
- prevents CVE-2016-0777 and CVE-2016-0778
Fri Sep 25 14:00:00 2015 Jakub Jelen 6.6.1p1-22 + 0.9.3-9
- Use the correct constant for glob limits (#1160377)
Thu Sep 24 14:00:00 2015 Jakub Jelen 6.6.1p1-21 + 0.9.3-9
- Extend memory limit for remote glob in sftp acc. to stat limit (#1160377)
Thu Sep 24 14:00:00 2015 Jakub Jelen 6.6.1p1-20 + 0.9.3-9
- Fix vulnerabilities published with openssh-7.0 (#1265807)
- Privilege separation weakness related to PAM support
- Use-after-free bug related to PAM support
Thu Sep 24 14:00:00 2015 Jakub Jelen 6.6.1p1-19 + 0.9.3-9
- Increase limit of files for glob match in sftp to 8192 (#1160377)
Tue Aug 18 14:00:00 2015 Jakub Jelen 6.6.1p1-18 + 0.9.3-9
- Add GSSAPIKexAlgorithms option for server and client application (#1253062)
Wed Jul 29 14:00:00 2015 Jakub Jelen 6.6.1p1-17 + 0.9.3-9
- Security fixes released with openssh-6.9 (CVE-2015-5352) (#1247864)
- XSECURITY restrictions bypass under certain conditions in ssh(1) (#1238231)
- weakness of agent locking (ssh-add -x) to password guessing (#1238238)
Mon Jul 27 14:00:00 2015 Jakub Jelen 6.6.1p1-16 + 0.9.3-9
- only query each keyboard-interactive device once (CVE-2015-5600) (#1245971)
Wed Jul 15 14:00:00 2015 Jakub Jelen 6.6.1p1-15 + 0.9.3-9
- One more typo in manual page documenting TERM variable (#1162683)
- Fix race condition with auditing messages answers (#1240613)
Mon Jun 15 14:00:00 2015 Jakub Jelen 6.6.1p1-14 + 0.9.3-9
- Fix ldif schema to have correct spacing on newlines (#1184938)
- Add missing values for sshd test mode (#1187597)
- ssh-copy-id: tcsh doesnt work with multiline strings (#1201758)
- Fix memory problems with newkeys and array transfers (#1223218)
- Enhance AllowGroups documentation in man page (#1150007)
Mon May 11 14:00:00 2015 Jakub Jelen 6.6.1p1-13 + 0.9.3-9
- Increase limit of files for glob match in sftp (#1160377)
- Add pam_reauthorize.so to /etc/pam.d/sshd (#1204233)
- Show all config values in sshd test mode (#1187597)
- Document required selinux boolean for working ssh-ldap-helper (#1178116)
- Consistent usage of pam_namespace in sshd (#1125110)
- Fix auditing when using combination of ForcedCommand and PTY (#1199112)
- Add sftp option to force mode of created files (#1197989)
- Ability to specify an arbitrary LDAP filter in ldap.conf for ssh-ldap-helper (#1201753)
- Provide documentation line for systemd service and socket (#1181591)
- Provide LDIF version of LPK schema (#1184938)
- Document TERM environment variable (#1162683)
- Fix ssh-copy-id on non-sh remote shells (#1201758)
- Do not read RSA1 hostkeys for HostBased authentication in FIPS (#1197666)
Thu Mar 19 13:00:00 2015 Jakub Jelen 6.6.1p1-12 + 0.9.3-9
- Fix labeling in MLS according to selected sensitivity (#1202843)
Fri Jan 16 13:00:00 2015 Petr Lautrbach 6.6.1p1-11 + 0.9.3-9
- fix direction in CRYPTO_SESSION audit message (#1171248)
Wed Jan 14 13:00:00 2015 Petr Lautrbach 6.6.1p1-10 + 0.9.3-9
- add new option GSSAPIEnablek5users and disable using ~/.k5users by default CVE-2014-9278
(#1169843)
Fri Dec 19 13:00:00 2014 Petr Lautrbach 6.6.1p1-9 + 0.9.3-9
- log via monitor in chroots without /dev/log (#1083482)
Mon Dec 15 13:00:00 2014 Petr Lautrbach 6.6.1p1-8 + 0.9.3-9
- increase size of AUDIT_LOG_SIZE to 256 (#1171163)
- record pfs= field in CRYPTO_SESSION audit event (#1171248)
Thu Nov 13 13:00:00 2014 Petr Lautrbach 6.6.1p1-7 + 0.9.3-9
- fix gsskex patch to correctly handle MONITOR_REQ_GSSSIGN request (#1118005)
Fri Nov 7 13:00:00 2014 Petr Lautrbach 6.6.1p1-6 + 0.9.3-9
- correct the calculation of bytes for authctxt->krb5_ccname (#1161073)
Tue Nov 4 13:00:00 2014 Petr Lautrbach 6.6.1p1-5 + 0.9.3-9
- change audit trail for unknown users (#1158521)
Sun Oct 26 13:00:00 2014 Petr Lautrbach 6.6.1p1-4 + 0.9.3-9
- revert the default of KerberosUseKuserok back to yes
- fix kuserok patch which checked for the existence of .k5login unconditionally
and hence prevented other mechanisms to be used properly
Mon Sep 29 14:00:00 2014 Petr Lautrbach 6.6.1p1-3 + 0.9.3-9
- fix parsing empty options in sshd_conf
- ignore SIGXFSZ in postauth monitor
Tue Sep 23 14:00:00 2014 Petr Lautrbach 6.6.1p1-2 + 0.9.3-9
- slightly change systemd units logic - use sshd-keygen.service (#1066615)
- log when a client requests an interactive session and only sftp is allowed (#1130198)
- sshd-keygen - don\'t generate DSA and ED25519 host keys in FIPS mode (#1143867)
Mon Sep 8 14:00:00 2014 Petr Lautrbach 6.6.1p1-1 + 0.9.3-9
- new upstream release (#1059667)
- prevent a server from skipping SSHFP lookup - CVE-2014-2653 (#1081338)
- make /etc/ssh/moduli file public (#1134448)
- test existence of /etc/ssh/ssh_host_ecdsa_key in sshd-keygen.service
- don\'t clean up gssapi credentials by default (#1134447)
- ssh-agent - try CLOCK_BOOTTIME with fallback (#1134449)
- disable the curve25519 KEX when speaking to OpenSSH 6.5 or 6.6
- add support for ED25519 keys to sshd-keygen and sshd.sysconfig
- standardise on NI_MAXHOST for gethostname() string lengths (#1097665)
- set a client\'s address right after a connection is set (mindrot#2257) (#912792)
- apply RFC3454 stringprep to banners when possible (mindrot#2058) (#1104662)
- don\'t consider a partial success as a failure (mindrot#2270) (#1112972)
Wed Mar 19 13:00:00 2014 Petr Lautrbach 6.4p1-8 + 0.9.3-8
- ignore environment variables with embedded \'=\' or \'\\0\' characters (#1077843)
Tue Jan 28 13:00:00 2014 Petr Lautrbach 6.4p1-7 + 0.9.3-8
- log fipscheck verification message into syslog authpriv
- ssh-keygen - relative-specified certificate expiry time should be relative
to current time and not the validity start time (#1058234)
- use the size of security of 3des for DH (#1053107)
- ssh-copy-id.1 man page fix (#1058792)
Fri Jan 24 13:00:00 2014 Daniel Mach - 6.4p1-6
- Mass rebuild 2014-01-24
Mon Jan 20 13:00:00 2014 Petr Lautrbach 6.4p1-5 + 0.9.3-8
- use tty allocation for a remote scp (#985650)
- run ssh-copy-id in the legacy mode when SSH_COPY_ID_LEGACY variable is set (#969375)
- FIPS mode - adjust the key echange DH groups and ssh-keygen according toSP800-131A (#1001748)
Fri Dec 27 13:00:00 2013 Daniel Mach - 6.4p1-4
- Mass rebuild 2013-12-27
Wed Dec 11 13:00:00 2013 Petr Lautrbach 6.4p1-3 + 0.9.3-8
- sshd-keygen - use correct permissions on ecdsa host key (#1023945)
- use only rsa and ecdsa host keys by default
Tue Nov 26 13:00:00 2013 Petr Lautrbach 6.4p1-2 + 0.9.3-1
- fix fatal() cleanup in the audit patch (#1029074)
- fix parsing logic of ldap.conf file (#1033662)
Fri Nov 8 13:00:00 2013 Petr Lautrbach 6.4p1-1 + 0.9.3-1
- new upstream release
Fri Nov 1 13:00:00 2013 Petr Lautrbach 6.3p1-4 + 0.9.3-7
- adjust gss kex mechanism to the upstream changes (#1024004)
- don\'t use xfree in pam_ssh_agent_auth sources (#1024965)
Thu Oct 24 14:00:00 2013 Petr Lautrbach 6.3p1-3 + 0.9.3-6
- don\'t use SSH_FP_MD5 for fingerprints in FIPS mode (#1020948)
Wed Oct 23 14:00:00 2013 Petr Lautrbach 6.3p1-2 + 0.9.3-6
- use default_ccache_name from /etc/krb5.conf for a kerberos cache (#991186)
- increase the size of the Diffie-Hellman groups (#1010607)
- sshd-keygen to generate ECDSA keys (#1019222)
Mon Oct 14 14:00:00 2013 Petr Lautrbach 6.3p1-1 + 0.9.3-6
- new upstream release (#1013635)
Tue Oct 8 14:00:00 2013 Petr Lautrbach 6.2p2-9 + 0.9.3-5
- use dracut-fips package to determine if a FIPS module is installed (#1001566)
- revert -fips subpackages and hmac files suffixes
Wed Sep 25 14:00:00 2013 Petr Lautrbach 6.2p2-8 + 0.9.3-5
- sshd-keygen: generate only RSA keys by default (#1010361)
- use dist tag in suffixes for hmac checksum files
Wed Sep 11 14:00:00 2013 Petr Lautrbach 6.2p2-7 + 0.9.3-5
- use hmac_suffix for ssh{,d} hmac checksums
- bump the minimum value of SSH_USE_STRONG_RNG to 14 according to SP800-131A
- automatically restart sshd.service on-failure after 42s interval
Thu Aug 29 14:00:00 2013 Petr Lautrbach 6.2p2-6.1 + 0.9.3-5
- add -fips subpackages that contains the FIPS module files
Wed Jul 31 14:00:00 2013 Petr Lautrbach 6.2p2-5 + 0.9.3-5
- gssapi credentials need to be stored before a pam session opened (#987792)
Tue Jul 23 14:00:00 2013 Petr Lautrbach 6.2p2-4 + 0.9.3-5
- don\'t show Success for EAI_SYSTEM (#985964)
- make sftp\'s libedit interface marginally multibyte aware (#841771)
Mon Jun 17 14:00:00 2013 Petr Lautrbach 6.2p2-3 + 0.9.3-5
- move default gssapi cache to /run/user/ (#848228)
Tue May 21 14:00:00 2013 Petr Lautrbach 6.2p2-2 + 0.9.3-5
- add socket activated sshd units to the package (#963268)
- fix the example in the HOWTO.ldap-keys
Mon May 20 14:00:00 2013 Petr Lautrbach 6.2p2-1 + 0.9.3-5
- new upstream release (#963582)
Wed Apr 17 14:00:00 2013 Petr Lautrbach 6.2p1-4 + 0.9.3-4
- don\'t use export in sysconfig file (#953111)
Tue Apr 16 14:00:00 2013 Petr Lautrbach 6.2p1-3 + 0.9.3-4
- sshd.service: use KillMode=process (#890376)
- add latest config.{sub,guess} to support aarch64 (#926284)
Tue Apr 9 14:00:00 2013 Petr Lautrbach 6.2p1-2 + 0.9.3-4
- keep track of which IndentityFile options were manually supplied and
which were default options, and don\'t warn if the latter are missing.
(mindrot#2084)
Tue Apr 9 14:00:00 2013 Petr Lautrbach 6.2p1-1 + 0.9.3-4
- new upstream release (#924727)
Wed Mar 6 13:00:00 2013 Petr Lautrbach 6.1p1-7 + 0.9.3-3
- use SELinux type sshd_net_t for [net] childs (#915085)
Thu Feb 14 13:00:00 2013 Petr Lautrbach 6.1p1-6 + 0.9.3-3
- fix AuthorizedKeysCommand option
Fri Feb 8 13:00:00 2013 Petr Lautrbach 6.1p1-5 + 0.9.3-3
- change default value of MaxStartups - CVE-2010-5107 (#908707)
Mon Dec 3 13:00:00 2012 Petr Lautrbach 6.1p1-4 + 0.9.3-3
- fix segfault in openssh-5.8p2-force_krb.patch (#882541)
Mon Dec 3 13:00:00 2012 Petr Lautrbach 6.1p1-3 + 0.9.3-3
- replace RequiredAuthentications2 with AuthenticationMethods based on upstream
- obsolete RequiredAuthentications[12] options
- fix openssh-6.1p1-privsep-selinux.patch
Fri Oct 26 14:00:00 2012 Petr Lautrbach 6.1p1-2
- add SELinux comment to /etc/ssh/sshd_config about SELinux command to modify port (#861400)
- drop required chkconfig (#865498)
- drop openssh-5.9p1-sftp-chroot.patch (#830237)
Sat Sep 15 14:00:00 2012 Petr Lautrbach 6.1p1-1 + 0.9.3-3
- new upstream release (#852651)
- use DIR: kerberos type cache (#848228)
- don\'t use chroot_user_t for chrooted users (#830237)
- replace scriptlets with systemd macros (#850249)
- don\'t use /bin and /sbin paths (#856590)
Mon Aug 6 14:00:00 2012 Petr Lautrbach 6.0p1-1 + 0.9.3-2
- new upstream release
Mon Aug 6 14:00:00 2012 Petr Lautrbach 5.9p1-26 + 0.9.3-1
- change SELinux context also for root user (#827109)
Fri Jul 27 14:00:00 2012 Petr Lautrbach 5.9p1-25 + 0.9.3-1
- fix various issues in openssh-5.9p1-required-authentications.patch
Tue Jul 17 14:00:00 2012 Tomas Mraz 5.9p1-24 + 0.9.3-1
- allow sha256 and sha512 hmacs in the FIPS mode
Fri Jun 22 14:00:00 2012 Tomas Mraz 5.9p1-23 + 0.9.3-1
- fix segfault in su when pam_ssh_agent_auth is used and the ssh-agent
is not running, most probably not exploitable
- update pam_ssh_agent_auth to 0.9.3 upstream version
Fri Apr 6 14:00:00 2012 Petr Lautrbach 5.9p1-22 + 0.9.2-32
- don\'t create RSA1 key in FIPS mode
- don\'t install sshd-keygen.service (#810419)
Fri Mar 30 14:00:00 2012 Petr Lautrbach 5.9p1-21 + 0.9.2-32
- fix various issues in openssh-5.9p1-required-authentications.patch
Wed Mar 21 13:00:00 2012 Petr Lautrbach 5.9p1-20 + 0.9.2-32
- Fix dependencies in systemd units, don\'t enable sshd-keygen.service (#805338)
Wed Feb 22 13:00:00 2012 Petr Lautrbach 5.9p1-19 + 0.9.2-32
- Look for x11 forward sockets with AI_ADDRCONFIG flag getaddrinfo (#735889)
Mon Feb 6 13:00:00 2012 Petr Lautrbach 5.9p1-18 + 0.9.2-32
- replace TwoFactorAuth with RequiredAuthentications[12]
https://bugzilla.mindrot.org/show_bug.cgi?id=983
Tue Jan 31 13:00:00 2012 Petr Lautrbach 5.9p1-17 + 0.9.2-32
- run privsep slave process as the users SELinux context (#781634)
Tue Dec 13 13:00:00 2011 Tomas Mraz 5.9p1-16 + 0.9.2-32
- add CAVS test driver for the aes-ctr ciphers
Sun Dec 11 13:00:00 2011 Tomas Mraz 5.9p1-15 + 0.9.2-32
- enable aes-ctr ciphers use the EVP engines from OpenSSL such as the AES-NI
Tue Dec 6 13:00:00 2011 Petr Lautrbach 5.9p1-14 + 0.9.2-32
- warn about unsupported option UsePAM=no (#757545)
Mon Nov 21 13:00:00 2011 Tomas Mraz - 5.9p1-13 + 0.9.2-32
- add back the restorecon call to ssh-copy-id - it might be needed on older
distributions (#739989)
Fri Nov 18 13:00:00 2011 Tomas Mraz - 5.9p1-12 + 0.9.2-32
- still support /etc/sysconfig/sshd loading in sshd service (#754732)
- fix incorrect key permissions generated by sshd-keygen script (#754779)
Fri Oct 14 14:00:00 2011 Tomas Mraz - 5.9p1-11 + 0.9.2-32
- remove unnecessary requires on initscripts
- set VerifyHostKeyDNS to ask in the default configuration (#739856)
Mon Sep 19 14:00:00 2011 Jan F. Chadima - 5.9p1-10 + 0.9.2-32
- selinux sandbox rewrite
- two factor authentication tweaking
Wed Sep 14 14:00:00 2011 Jan F. Chadima - 5.9p1-9 + 0.9.2-32
- coverity upgrade
- wipe off nonfunctional nss
- selinux sandbox tweaking
Tue Sep 13 14:00:00 2011 Jan F. Chadima - 5.9p1-8 + 0.9.2-32
- coverity upgrade
- experimental selinux sandbox
Tue Sep 13 14:00:00 2011 Jan F. Chadima - 5.9p1-7 + 0.9.2-32
- fully reanable auditing
Mon Sep 12 14:00:00 2011 Jan F. Chadima - 5.9p1-6 + 0.9.2-32
- repair signedness in akc patch
Mon Sep 12 14:00:00 2011 Jan F. Chadima - 5.9p1-5 + 0.9.2-32
- temporarily disable part of audit4 patch
Fri Sep 9 14:00:00 2011 Jan F. Chadima - 5.9p1-3 + 0.9.2-32
- Coverity second pass
- Reenable akc patch
Thu Sep 8 14:00:00 2011 Jan F. Chadima - 5.9p1-2 + 0.9.2-32
- Coverity first pass
Wed Sep 7 14:00:00 2011 Jan F. Chadima - 5.9p1-1 + 0.9.2-32
- Rebase to 5.9p1
- Add chroot sftp patch
- Add two factor auth patch
Tue Aug 23 14:00:00 2011 Jan F. Chadima - 5.8p2-21 + 0.9.2-31
- ignore SIGPIPE in ssh keyscan
Tue Aug 9 14:00:00 2011 Jan F. Chadima - 5.8p2-20 + 0.9.2-31
- save ssh-askpass\'s debuginfo
Mon Aug 8 14:00:00 2011 Jan F. Chadima - 5.8p2-19 + 0.9.2-31
- compile ssh-askpass with corect CFLAGS
Mon Aug 8 14:00:00 2011 Jan F. Chadima - 5.8p2-18 + 0.9.2-31
- improve selinux\'s change context log
Mon Aug 8 14:00:00 2011 Jan F. Chadima - 5.8p2-17 + 0.9.2-31
- repair broken man pages
Mon Jul 25 14:00:00 2011 Jan F. Chadima - 5.8p2-16 + 0.9.2-31
- rebuild due to broken rpmbiild
Thu Jul 21 14:00:00 2011 Jan F. Chadima - 5.8p2-15 + 0.9.2-31
- Do not change context when run under unconfined_t
Thu Jul 14 14:00:00 2011 Jan F. Chadima - 5.8p2-14 + 0.9.2-31
- Add postlogin to pam. (#718807)
Tue Jun 28 14:00:00 2011 Jan F. Chadima - 5.8p2-12 + 0.9.2-31
- Systemd compatibility according to Mathieu Bridon
- Split out the host keygen into their own command, to ease future migration
to systemd. Compatitbility with the init script was kept.
- Migrate the package to full native systemd unit files, according to the Fedora
packaging guidelines.
- Prepate the unit files for running an ondemand server. (do not add it actually)
Tue Jun 21 14:00:00 2011 Jan F. Chadima - 5.8p2-10 + 0.9.2-31
- Mention IPv6 usage in man pages
Mon Jun 20 14:00:00 2011 Jan F. Chadima - 5.8p2-9 + 0.9.2-31
- Improve init script
Thu Jun 16 14:00:00 2011 Jan F. Chadima - 5.8p2-7 + 0.9.2-31
- Add possibility to compile openssh without downstream patches
Thu Jun 9 14:00:00 2011 Jan F. Chadima - 5.8p2-6 + 0.9.2-31
- remove stale control sockets (#706396)
Tue May 31 14:00:00 2011 Jan F. Chadima - 5.8p2-5 + 0.9.2-31
- improove entropy manuals
Fri May 27 14:00:00 2011 Jan F. Chadima - 5.8p2-4 + 0.9.2-31
- improove entropy handling
- concat ldap patches
Tue May 24 14:00:00 2011 Jan F. Chadima - 5.8p2-3 + 0.9.2-31
- improove ldap manuals
Mon May 23 14:00:00 2011 Jan F. Chadima - 5.8p2-2 + 0.9.2-31
- add gssapi forced command
Tue May 3 14:00:00 2011 Jan F. Chadima - 5.8p2-1 + 0.9.2-31
- update the openssh version
Thu Apr 28 14:00:00 2011 Jan F. Chadima - 5.8p1-34 + 0.9.2-30
- temporarily disabling systemd units
Wed Apr 27 14:00:00 2011 Jan F. Chadima - 5.8p1-33 + 0.9.2-30
- add flags AI_V4MAPPED and AI_ADDRCONFIG to getaddrinfo
Tue Apr 26 14:00:00 2011 Jan F. Chadima - 5.8p1-32 + 0.9.2-30
- update scriptlets
Fri Apr 22 14:00:00 2011 Jan F. Chadima - 5.8p1-30 + 0.9.2-30
- add systemd units
Fri Apr 22 14:00:00 2011 Jan F. Chadima - 5.8p1-28 + 0.9.2-30
- improving sshd -> passwd transation
- add template for .local domain to sshd_config
Thu Apr 21 14:00:00 2011 Jan F. Chadima - 5.8p1-27 + 0.9.2-30
- the private keys may be 640 root:ssh_keys ssh_keysign is sgid
Wed Apr 20 14:00:00 2011 Jan F. Chadima - 5.8p1-26 + 0.9.2-30
- improving sshd -> passwd transation
Tue Apr 5 14:00:00 2011 Jan F. Chadima - 5.8p1-25 + 0.9.2-30
- the intermediate context is set to sshd_sftpd_t
- do not crash in packet.c if no connection
Thu Mar 31 14:00:00 2011 Jan F. Chadima - 5.8p1-24 + 0.9.2-30
- resolve warnings in port_linux.c
Tue Mar 29 14:00:00 2011 Jan F. Chadima - 5.8p1-23 + 0.9.2-30
- add /etc/sysconfig/sshd
Mon Mar 28 14:00:00 2011 Jan F. Chadima - 5.8p1-22 + 0.9.2-30
- improve reseeding and seed source (documentation)
Tue Mar 22 13:00:00 2011 Jan F. Chadima - 5.8p1-20 + 0.9.2-30
- use /dev/random or /dev/urandom for seeding prng
- improve periodical reseeding of random generator
Thu Mar 17 13:00:00 2011 Jan F. Chadima - 5.8p1-18 + 0.9.2-30
- add periodical reseeding of random generator
- change selinux contex for internal sftp in do_usercontext
- exit(0) after sigterm
Thu Mar 10 13:00:00 2011 Jan F. Chadima - 5.8p1-17 + 0.9.2-30
- improove ssh-ldap (documentation)
Tue Mar 8 13:00:00 2011 Jan F. Chadima - 5.8p1-16 + 0.9.2-30
- improve session keys audit
Mon Mar 7 13:00:00 2011 Jan F. Chadima - 5.8p1-15 + 0.9.2-30
- CVE-2010-4755
Fri Mar 4 13:00:00 2011 Jan F. Chadima - 5.8p1-14 + 0.9.2-30
- improove ssh-keycat (documentation)
Thu Mar 3 13:00:00 2011 Jan F. Chadima - 5.8p1-13 + 0.9.2-30
- improve audit of logins and auths
Tue Mar 1 13:00:00 2011 Jan F. Chadima - 5.8p1-12 + 0.9.2-30
- improove ssk-keycat
Mon Feb 28 13:00:00 2011 Jan F. Chadima - 5.8p1-11 + 0.9.2-30
- add ssk-keycat
Fri Feb 25 13:00:00 2011 Jan F. Chadima - 5.8p1-10 + 0.9.2-30
- reenable auth-keys ldap backend
Fri Feb 25 13:00:00 2011 Jan F. Chadima - 5.8p1-9 + 0.9.2-30
- another audit improovements
Thu Feb 24 13:00:00 2011 Jan F. Chadima - 5.8p1-8 + 0.9.2-30
- another audit improovements
- switchable fingerprint mode
Thu Feb 17 13:00:00 2011 Jan F. Chadima - 5.8p1-4 + 0.9.2-30
- improve audit of server key management
Wed Feb 16 13:00:00 2011 Jan F. Chadima - 5.8p1-3 + 0.9.2-30
- improve audit of logins and auths
Mon Feb 14 13:00:00 2011 Jan F. Chadima - 5.8p1-1 + 0.9.2-30
- bump openssh version to 5.8p1
Tue Feb 8 13:00:00 2011 Fedora Release Engineering - 5.6p1-30.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
Mon Feb 7 13:00:00 2011 Jan F. Chadima - 5.6p1-30 + 0.9.2-29
- clean the data structures in the non privileged process
- clean the data structures when roaming
Wed Feb 2 13:00:00 2011 Jan F. Chadima - 5.6p1-28 + 0.9.2-29
- clean the data structures in the privileged process
Tue Jan 25 13:00:00 2011 Jan F. Chadima - 5.6p1-25 + 0.9.2-29
- clean the data structures before exit net process
Mon Jan 17 13:00:00 2011 Jan F. Chadima - 5.6p1-24 + 0.9.2-29
- make audit compatible with the fips mode
Fri Jan 14 13:00:00 2011 Jan F. Chadima - 5.6p1-23 + 0.9.2-29
- add audit of destruction the server keys
Wed Jan 12 13:00:00 2011 Jan F. Chadima - 5.6p1-22 + 0.9.2-29
- add audit of destruction the session keys
Fri Dec 10 13:00:00 2010 Jan F. Chadima - 5.6p1-21 + 0.9.2-29
- reenable run sshd as non root user
- renable rekeying
Wed Nov 24 13:00:00 2010 Jan F. Chadima - 5.6p1-20 + 0.9.2-29
- reapair clientloop crash (#627332)
- properly restore euid in case connect to the ssh-agent socket fails
Mon Nov 22 13:00:00 2010 Jan F. Chadima - 5.6p1-19 + 0.9.2-28
- striped read permissions from suid and sgid binaries
Mon Nov 15 13:00:00 2010 Jan F. Chadima - 5.6p1-18 + 0.9.2-27
- used upstream version of the biguid patch
Mon Nov 15 13:00:00 2010 Jan F. Chadima - 5.6p1-17 + 0.9.2-27
- improoved kuserok patch
Fri Nov 5 13:00:00 2010 Jan F. Chadima - 5.6p1-16 + 0.9.2-27
- add auditing the host based key ussage
- repait X11 abstract layer socket (#648896)
Wed Nov 3 13:00:00 2010 Jan F. Chadima - 5.6p1-15 + 0.9.2-27
- add auditing the kex result
Tue Nov 2 13:00:00 2010 Jan F. Chadima - 5.6p1-14 + 0.9.2-27
- add auditing the key ussage
Wed Oct 20 14:00:00 2010 Jan F. Chadima - 5.6p1-12 + 0.9.2-27
- update gsskex patch (#645389)
Wed Oct 20 14:00:00 2010 Jan F. Chadima - 5.6p1-11 + 0.9.2-27
- rebase linux audit according to upstream
Fri Oct 1 14:00:00 2010 Jan F. Chadima - 5.6p1-10 + 0.9.2-27
- add missing headers to linux audit
Wed Sep 29 14:00:00 2010 Jan F. Chadima - 5.6p1-9 + 0.9.2-27
- audit module now uses openssh audit framevork
Wed Sep 15 14:00:00 2010 Jan F. Chadima - 5.6p1-8 + 0.9.2-27
- Add the GSSAPI kuserok switch to the kuserok patch
Wed Sep 15 14:00:00 2010 Jan F. Chadima - 5.6p1-7 + 0.9.2-27
- Repaired the kuserok patch
Mon Sep 13 14:00:00 2010 Jan F. Chadima - 5.6p1-6 + 0.9.2-27
- Repaired the problem with puting entries with very big uid into lastlog
Mon Sep 13 14:00:00 2010 Jan F. Chadima - 5.6p1-5 + 0.9.2-27
- Merging selabel patch with the upstream version. (#632914)
Mon Sep 13 14:00:00 2010 Jan F. Chadima - 5.6p1-4 + 0.9.2-27
- Tweaking selabel patch to work properly without selinux rules loaded. (#632914)
Wed Sep 8 14:00:00 2010 Tomas Mraz - 5.6p1-3 + 0.9.2-27
- Make fipscheck hmacs compliant with FHS - requires new fipscheck
Fri Sep 3 14:00:00 2010 Jan F. Chadima - 5.6p1-2 + 0.9.2-27
- Added -z relro -z now to LDFLAGS
Fri Sep 3 14:00:00 2010 Jan F. Chadima - 5.6p1-1 + 0.9.2-27
- Rebased to openssh5.6p1
Wed Jul 7 14:00:00 2010 Jan F. Chadima - 5.5p1-18 + 0.9.2-26
- merged with newer bugzilla\'s version of authorized keys command patch
Wed Jun 30 14:00:00 2010 Jan F. Chadima - 5.5p1-17 + 0.9.2-26
- improved the x11 patch according to upstream (#598671)
Fri Jun 25 14:00:00 2010 Jan F. Chadima - 5.5p1-16 + 0.9.2-26
- improved the x11 patch (#598671)
Thu Jun 24 14:00:00 2010 Jan F. Chadima - 5.5p1-15 + 0.9.2-26
- changed _PATH_UNIX_X to unexistent file name (#598671)
Wed Jun 23 14:00:00 2010 Jan F. Chadima - 5.5p1-14 + 0.9.2-26
- sftp works in deviceless chroot again (broken from 5.5p1-3)
Tue Jun 8 14:00:00 2010 Jan F. Chadima - 5.5p1-13 + 0.9.2-26
- add option to switch out krb5_kuserok
Fri May 21 14:00:00 2010 Jan F. Chadima - 5.5p1-12 + 0.9.2-26
- synchronize uid and gid for the user sshd
Thu May 20 14:00:00 2010 Jan F. Chadima - 5.5p1-11 + 0.9.2-26
- Typo in ssh-ldap.conf(5) and ssh-ladap-helper(8)
Fri May 14 14:00:00 2010 Jan F. Chadima - 5.5p1-10 + 0.9.2-26
- Repair the reference in man ssh-ldap-helper(8)
- Repair the PubkeyAgent section in sshd_config(5)
- Provide example ldap.conf
Thu May 13 14:00:00 2010 Jan F. Chadima - 5.5p1-9 + 0.9.2-26
- Make the Ldap configuration widely compatible
- create the aditional docs for LDAP support.
Thu May 6 14:00:00 2010 Jan F. Chadima - 5.5p1-8 + 0.9.2-26
- Make LDAP config elements TLS_CACERT and TLS_REQCERT compatiple with pam_ldap (#589360)
Thu May 6 14:00:00 2010 Jan F. Chadima - 5.5p1-7 + 0.9.2-26
- Make LDAP config element tls_checkpeer compatiple with nss_ldap (#589360)
Tue May 4 14:00:00 2010 Jan F. Chadima - 5.5p1-6 + 0.9.2-26
- Comment spec.file
- Sync patches from upstream
Mon May 3 14:00:00 2010 Jan F. Chadima - 5.5p1-5 + 0.9.2-26
- Create separate ldap package
- Tweak the ldap patch
- Rename stderr patch properly
Thu Apr 29 14:00:00 2010 Jan F. Chadima - 5.5p1-4 + 0.9.2-26
- Added LDAP support
Mon Apr 26 14:00:00 2010 Jan F. Chadima - 5.5p1-3 + 0.9.2-26
- Ignore .bashrc output to stderr in the subsystems
Tue Apr 20 14:00:00 2010 Jan F. Chadima - 5.5p1-2 + 0.9.2-26
- Drop dependency on man
Fri Apr 16 14:00:00 2010 Jan F. Chadima - 5.5p1-1 + 0.9.2-26
- Update to 5.5p1
Fri Mar 12 13:00:00 2010 Jan F. Chadima - 5.4p1-3 + 0.9.2-25
- repair configure script of pam_ssh_agent
- repair error mesage in ssh-keygen
Fri Mar 12 13:00:00 2010 Jan F. Chadima - 5.4p1-2
- source krb5-devel profile script only if exists
Tue Mar 9 13:00:00 2010 Jan F. Chadima - 5.4p1-1
- Update to 5.4p1
- discontinued support for nss-keys
- discontinued support for scard
Wed Mar 3 13:00:00 2010 Jan F. Chadima - 5.4p1-0.snap20100302.1
- Prepare update to 5.4p1
Mon Feb 15 13:00:00 2010 Jan F. Chadima - 5.3p1-22
- ImplicitDSOLinking (#564824)
Fri Jan 29 13:00:00 2010 Jan F. Chadima - 5.3p1-21
- Allow to use hardware crypto if awailable (#559555)
Mon Jan 25 13:00:00 2010 Jan F. Chadima - 5.3p1-20
- optimized FD_CLOEXEC on accept socket (#541809)
Mon Jan 25 13:00:00 2010 Tomas Mraz - 5.3p1-19
- updated pam_ssh_agent_auth to new version from upstream (just
a licence change)
Thu Jan 21 13:00:00 2010 Jan F. Chadima - 5.3p1-18
- optimized RAND_cleanup patch (#557166)
Wed Jan 20 13:00:00 2010 Jan F. Chadima - 5.3p1-17
- add RAND_cleanup at the exit of each program using RAND (#557166)
Tue Jan 19 13:00:00 2010 Jan F. Chadima - 5.3p1-16
- set FD_CLOEXEC on accepted socket (#541809)
Fri Jan 8 13:00:00 2010 Jan F. Chadima - 5.3p1-15
- replaced define by global in macros
Tue Jan 5 13:00:00 2010 Jan F. Chadima - 5.3p1-14
- Update the pka patch
Mon Dec 21 13:00:00 2009 Jan F. Chadima - 5.3p1-13
- Update the audit patch
Fri Dec 4 13:00:00 2009 Jan F. Chadima - 5.3p1-12
- Add possibility to autocreate only RSA key into initscript (#533339)
Fri Nov 27 13:00:00 2009 Jan F. Chadima - 5.3p1-11
- Prepare NSS key patch for future SEC_ERROR_LOCKED_PASSWORD (#537411)
Tue Nov 24 13:00:00 2009 Jan F. Chadima - 5.3p1-10
- Update NSS key patch (#537411, #356451)
Fri Nov 20 13:00:00 2009 Jan F. Chadima - 5.3p1-9
- Add gssapi key exchange patch (#455351)
Fri Nov 20 13:00:00 2009 Jan F. Chadima - 5.3p1-8
- Add public key agent patch (#455350)
Mon Nov 2 13:00:00 2009 Jan F. Chadima - 5.3p1-7
- Repair canohost patch to allow gssapi to work when host is acessed via pipe proxy (#531849)
Thu Oct 29 13:00:00 2009 Jan F. Chadima - 5.3p1-6
- Modify the init script to prevent it to hang during generating the keys (#515145)
Tue Oct 27 13:00:00 2009 Jan F. Chadima - 5.3p1-5
- Add README.nss
Mon Oct 19 14:00:00 2009 Tomas Mraz - 5.3p1-4
- Add pam_ssh_agent_auth module to a subpackage.
Fri Oct 16 14:00:00 2009 Jan F. Chadima - 5.3p1-3
- Reenable audit.
Fri Oct 2 14:00:00 2009 Jan F. Chadima - 5.3p1-2
- Upgrade to new wersion 5.3p1
Tue Sep 29 14:00:00 2009 Jan F. Chadima - 5.2p1-29
- Resolve locking in ssh-add (#491312)
Thu Sep 24 14:00:00 2009 Jan F. Chadima - 5.2p1-28
- Repair initscript to be acord to guidelines (#521860)
- Add bugzilla# to application of edns and xmodifiers patch
Wed Sep 16 14:00:00 2009 Jan F. Chadima - 5.2p1-26
- Changed pam stack to password-auth
Fri Sep 11 14:00:00 2009 Jan F. Chadima - 5.2p1-25
- Dropped homechroot patch
Mon Sep 7 14:00:00 2009 Jan F. Chadima - 5.2p1-24
- Add check for nosuid, nodev in homechroot
Tue Sep 1 14:00:00 2009 Jan F. Chadima - 5.2p1-23
- add correct patch for ip-opts
Tue Sep 1 14:00:00 2009 Jan F. Chadima - 5.2p1-22
- replace ip-opts patch by an upstream candidate version
Mon Aug 31 14:00:00 2009 Jan F. Chadima - 5.2p1-21
- rearange selinux patch to be acceptable for upstream
- replace seftp patch by an upstream version
Fri Aug 28 14:00:00 2009 Jan F. Chadima - 5.2p1-20
- merged xmodifiers to redhat patch
- merged gssapi-role to selinux patch
- merged cve-2007_3102 to audit patch
- sesftp patch only with WITH_SELINUX flag
- rearange sesftp patch according to upstream request
Wed Aug 26 14:00:00 2009 Jan F. Chadima - 5.2p1-19
- minor change in sesftp patch
Fri Aug 21 14:00:00 2009 Tomas Mraz - 5.2p1-18
- rebuilt with new openssl
Thu Jul 30 14:00:00 2009 Jan F. Chadima - 5.2p1-17
- Added dnssec support. (#205842)
Sat Jul 25 14:00:00 2009 Fedora Release Engineering - 5.2p1-16
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
Fri Jul 24 14:00:00 2009 Jan F. Chadima - 5.2p1-15
- only INTERNAL_SFTP can be home-chrooted
- save _u and _r parts of context changing to sftpd_t
Fri Jul 17 14:00:00 2009 Jan F. Chadima - 5.2p1-14
- changed internal-sftp context to sftpd_t
Fri Jul 3 14:00:00 2009 Jan F. Chadima - 5.2p1-13
- changed home length path patch to upstream version
Tue Jun 30 14:00:00 2009 Jan F. Chadima - 5.2p1-12
- create \'~/.ssh/known_hosts\' within proper context
Mon Jun 29 14:00:00 2009 Jan F. Chadima - 5.2p1-11
- length of home path in ssh now limited by PATH_MAX
- correct timezone with daylight processing
Sat Jun 27 14:00:00 2009 Jan F. Chadima - 5.2p1-10
- final version chroot %h (sftp only)
Tue Jun 23 14:00:00 2009 Jan F. Chadima - 5.2p1-9
- repair broken ls in chroot %h
Fri Jun 12 14:00:00 2009 Jan F. Chadima - 5.2p1-8
- add XMODIFIERS to exported environment (#495690)
Fri May 15 14:00:00 2009 Tomas Mraz - 5.2p1-6
- allow only protocol 2 in the FIPS mode
Thu Apr 30 14:00:00 2009 Tomas Mraz - 5.2p1-5
- do integrity verification only on binaries which are part
of the OpenSSH FIPS modules
Mon Apr 20 14:00:00 2009 Tomas Mraz - 5.2p1-4
- log if FIPS mode is initialized
- make aes-ctr cipher modes work in the FIPS mode
Fri Apr 3 14:00:00 2009 Jan F. Chadima - 5.2p1-3
- fix logging after chroot
- enable non root users to use chroot %h in internal-sftp
Fri Mar 13 13:00:00 2009 Tomas Mraz - 5.2p1-2
- add AES-CTR ciphers to the FIPS mode proposal
Mon Mar 9 13:00:00 2009 Jan F. Chadima - 5.2p1-1
- upgrade to new upstream release
Thu Feb 26 13:00:00 2009 Fedora Release Engineering - 5.1p1-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
Thu Feb 12 13:00:00 2009 Tomas Mraz - 5.1p1-7
- drop obsolete triggers
- add testing FIPS mode support
- LSBize the initscript (#247014)
Fri Jan 30 13:00:00 2009 Tomas Mraz - 5.1p1-6
- enable use of ssl engines (#481100)
Thu Jan 15 13:00:00 2009 Tomas Mraz - 5.1p1-5
- remove obsolete --with-rsh (#478298)
- add pam_sepermit to allow blocking confined users in permissive mode
(#471746)
- move system-auth after pam_selinux in the session stack
Thu Dec 11 13:00:00 2008 Tomas Mraz - 5.1p1-4
- set FD_CLOEXEC on channel sockets (#475866)
- adjust summary
- adjust nss-keys patch so it is applicable without selinux patches (#470859)
Fri Oct 17 14:00:00 2008 Tomas Mraz - 5.1p1-3
- fix compatibility with some servers (#466818)
Thu Jul 31 14:00:00 2008 Tomas Mraz - 5.1p1-2
- fixed zero length banner problem (#457326)
Wed Jul 23 14:00:00 2008 Tomas Mraz - 5.1p1-1
- upgrade to new upstream release
- fixed a problem with public key authentication and explicitely
specified SELinux role
Wed May 21 14:00:00 2008 Tomas Mraz - 5.0p1-3
- pass the connection socket to ssh-keysign (#447680)
Mon May 19 14:00:00 2008 Tomas Mraz - 5.0p1-2