Changelog for openssh-blacklist-3.6.1p2-owl26.x86_64.rpm:

* Wed Sep 01 2010 Solar Designer 3.6.1p2-owl26
- Have SFTP enabled by default.
* Wed Jul 28 2010 Solar Designer 3.6.1p2-owl25
- Have the SSH client use protocol 2 by default (finally).
* Tue Jul 07 2009 Dmitry V. Levin 3.6.1p2-owl24
- Backported upstream fix for syslog inside signal handler (CVE-2008-4109).
* Mon May 26 2008 Dmitry V. Levin 3.6.1p2-owl23
- Moved blacklist file to separate subpackage.
* Sun May 25 2008 Dmitry V. Levin 3.6.1p2-owl22
- Implemented support for RSA/DSA key blacklisting in sshd based on partial fingerprints.
* Fri Nov 23 2007 (GalaxyMaster) 3.6.1p2-owl21
- Added a dependency on owl-startup to openssh-server so it would be properly handled by RPM's dependency resolution routines.
* Wed Nov 08 2006 Dmitry V. Levin 3.6.1p2-owl20
- Backported upstream fix for a bug in the sshd privilege separation monitor that weakened its verification of successful authentication (CVE-2006-5794).
* Tue Oct 03 2006 Dmitry V. Levin 3.6.1p2-owl19
- Backported upstream fixes for:
  sshd connection consumption vulnerability (CVE-2004-2069: low, remote, active),
  scp local arbitrary command execution vulnerability (CVE-2006-0225: none to high, local, active),
  sshd signal handler race condition (CVE-2006-5051: none, remote, active),
  CRC compensation attack detector DoS (CVE-2006-4924: low, remote, active),
  client NULL dereference on protocol error (CVE-2006-4925: low, remote, passive).
- Applied RH patch to plug several sftp memory leaks.
* Thu Mar 30 2006 (GalaxyMaster) 3.6.1p2-owl18
- Added /etc/ssh/ssh_host_* to the server filelist as ghosts.
* Fri Feb 03 2006 Dmitry V. Levin 3.6.1p2-owl17
- Compressed ChangeLog file.
* Sat Oct 29 2005 Dmitry V. Levin 3.6.1p2-owl16
- Changed PAM config file to include system-auth for PAM account, password and session management.
- Stripped /lib/security/ prefix from PAM module names.
* Sat Sep 24 2005 Solar Designer 3.6.1p2-owl15
- Another bugfix for delayed compression: set the authenticated flag for root logins as well. Thanks to Damien Miller.
* Thu Jul 28 2005 Solar Designer 3.6.1p2-owl14
- Added delayed compression support for protocol 2 (a back-port of the changes committed into the OpenBSD CVS recently, with a bugfix added), enabled by default. Thanks to Markus Friedl for working on this and for bringing it to our attention.
* Sat Jun 25 2005 Dmitry V. Levin 3.6.1p2-owl13
- Rebuilt with
* Wed Jan 05 2005 (GalaxyMaster) 3.6.1p2-owl12
- Removed verify checks for sshd_config which is under owl-control.
- Cleaned up the spec a little.
* Wed Nov 03 2004 Solar Designer 3.6.1p2-owl11
- Sanitize packet types early on.
* Thu Sep 09 2004 (GalaxyMaster) 3.6.1p2-owl10
- Rebuild with OpenSSL 0.9.7.
* Fri Jun 04 2004 Michail Litvak 3.6.1p2-owl9
- Fixed directory traversal vulnerability in scp which allows remote malicious servers to overwrite arbitrary files (CAN-2004-0175).
* Mon May 03 2004 Solar Designer 3.6.1p2-owl8
- Bumped release to correctly reflect the rebuild against shared libwrap.
* Mon Nov 03 2003 Solar Designer 3.6.1p2-owl7
- Always pass empty passwords into PAM to not produce failed authentication warnings as empty passwords are tried automatically; this fixes the bug introduced in the patch in 3.6.1p2-owl1.
* Fri Oct 24 2003 Solar Designer 3.6.1p2-owl6
- Explain how to enable the SFTP server with control(8).
- Generate SSH host keys at startup if needed (for use with bootable CDs).
* Wed Oct 22 2003 Solar Designer 3.6.1p2-owl5
- Set comments in SSH host keys to key type instead of to hostname as the latter would leak the hostname when doing chrooted installs for other systems.
* Mon Oct 20 2003 Solar Designer 3.6.1p2-owl4
- Check the validity of sshd_config and host keys with "sshd -t" before proceeding with a restart or reload.
* Wed Sep 17 2003 Solar Designer 3.6.1p2-owl3
- Included the buffer and channels memory reallocation fixes from: (2nd revision).
- Reviewed all uses of *realloc(), resulting in four more fixes of this nature.
* Mon Jul 21 2003 Solar Designer 3.6.1p2-owl2
- Included a change from the CVS to deprecate VerifyReverseMapping and replace it with a new option, UseDNS. This should solve the client address restriction circumvention attack discovered by Mike Harding.
* Mon Jun 02 2003 Solar Designer 3.6.1p2-owl1
- Updated to 3.6.1p2.
- When we know we're going to fail authentication for reasons external to PAM, pass there a hopefully incorrect password to have it behave the same for correct and incorrect passwords.
* Thu May 29 2003 Solar Designer 3.6.1p1-owl4
- write_to=tcb
* Fri Apr 18 2003 Solar Designer 3.6.1p1-owl3
- Added back the now more complete patch to always run PAM with password authentication, even for non-existent or not allowed usernames.
- Tell pam_tcb to not log failed authentication attempts when a blank password is tried (blank_nolog) as this is attempted automatically.
- Pass prefix= and count= to pam_tcb also for authentication such that it can use this information to reduce timing leaks.
* Tue Apr 08 2003 Dmitry V. Levin 3.6.1p1-owl2
- Updated pam_userpass support: build with libpam_userpass.
* Tue Apr 08 2003 Solar Designer 3.6.1p1-owl1
- Updated to 3.6.1p1.
- Make ssh-agent protect itself by setting prctl(PR_SET_DUMPABLE, 0) on Linux 2.4+.
* Thu Dec 19 2002 Solar Designer
- New release number for linking against tcp_wrappers with Steve Grubb's error handling fix.
* Sun Nov 03 2002 Solar Designer
- Dump/restore the owl-control setting for sftp on package upgrades.
* Thu Aug 29 2002 Solar Designer
- Corrected the dependencies (many are specific to the server package).
* Sun Jul 28 2002 Solar Designer
- Install the packet_close() cleanup for the client as well.
* Sun Jul 07 2002 Solar Designer
- Install the packet_close() cleanup for root logins as well (which are not privilege separated because that wouldn't make sense and thus were handled by a different code path which I initially have missed).
* Sat Jul 06 2002 Solar Designer
- Re-initialize logging after calls into PAM module stacks, make use of log_reinit() where the original code needed that kind of functionality.
- Stack pam_limits for account management, not session setup, such that its configuration file doesn't need to be world-readable with privsep.
* Fri Jul 05 2002 Solar Designer
- Re-enable the password changing code (disabled in 3.3p1 and 3.4p1) for non-privsep case, disallowing any forwardings (such that the session may not be actually used while still not changing the expired password).
- Limit three of the cleanup functions to apply to just the proper sshd processes, make sure session_pty_cleanup() happens before packet_close().
* Tue Jul 02 2002 Solar Designer
- In the PAM conversation, queue any text messages appearing in initial login mode for printing later, similarly to what the original code did. This is needed to pass password expiration warnings on to the user.
* Sat Jun 29 2002 Solar Designer
- Keep the /dev/log fd open and only close it before executing other programs, to enable direct logging from chrooted child processes.
* Thu Jun 27 2002 Solar Designer
- Updated to 3.4p1.
- Zero out the written-to pages in memory mapped areas when they're destroyed to reduce the chances of sensitive data remaining on disk media in a remotely-recoverable way while not wasting any extra physical pages or filesystem blocks.
* Tue Jun 25 2002 Solar Designer
- Fixed the dropping of supplementary groups now included in 3.3p1 rather than adding our own version of the fix, to allow for running sshd as non-root and to be fail-close whenever possible.
* Sun Jun 23 2002 Solar Designer
- Updated to 3.3p1 with privilege separation.
- If MAP_ANON|MAP_SHARED fails (is unsupported on Linux 2.2), fallback to using SysV shm, and, if that fails too (SysV shm is a compile-time kernel option), to MAP_SHARED with sparse and unlinked swap files.
- pam_mktemp is now run during account management, not session setup, as the latter is no longer done as root (possibly something to be reverted in future versions).
* Sat Jun 08 2002 Solar Designer
- Build deattack.c with -mcpu=ev5 when building for alphaev56+ to not trigger a not fully debugged problem with the EV56+ code.
* Sun Mar 17 2002 Solar Designer
- Updated to 3.1p1.
* Tue Mar 05 2002 Solar Designer
- Patched a channel id check off by one bug discovered by Joost Pol.
* Tue Feb 05 2002 Solar Designer
- Enforce our new spec file conventions.
* Wed Dec 12 2001 Solar Designer
- Updated to 3.0.2p1.
* Fri Nov 16 2001 Solar Designer
- Use pam_tcb.
* Sun Oct 07 2001 Solar Designer
- Updates to appl_userpass.c to support building against Linux-PAM 0.74+.
* Sat Sep 29 2001 Solar Designer
- Include post-2.9.9 fixes from the CVS, most importantly to restore the order of reading for ~/.ssh/config and /etc/ssh_config.
* Thu Sep 27 2001 Solar Designer
- Updated to 2.9.9p2.
- Patched the OpenSSL version check to ignore the patch and status bits.
- Drop supplementary groups at sshd startup such that they aren't inherited by the PAM modules.
* Wed Jul 11 2001 Solar Designer
- New release number for upgrades after building against OpenSSL 0.9.6b.
* Fri Jun 15 2001 Solar Designer
- Prevent additional timing leaks with null passwords (when allowed), updated patch from Rafal Wojtczuk.
* Mon Jun 11 2001 Solar Designer
- Switch credentials when cleaning up temporary files and sockets to fix the vulnerability reported by on Bugtraq; the patch is by Markus Friedl with a later OpenSSH CVS change added and two bugs fixed.
* Sun May 06 2001 Solar Designer
- Updated to 2.9p1.
- Added sftp.control.
* Sun Apr 22 2001 Solar Designer
- New release number for upgrades after building against OpenSSL 0.9.6a.
* Sun Apr 01 2001 Solar Designer
- Patch from the CVS to not use AES/Rijndael against OpenSSH versions with bigendian bug.
* Fri Mar 23 2001 Solar Designer
- Updated to 2.5.2p2.
- Dropped two PAM patches (included in 2.5.2p2).
* Wed Mar 21 2001 Solar Designer
- Updated to 2.5.2p1.
- Patched a potential uninitialized reference in do_pam_cleanup_proc().
* Mon Mar 19 2001 Solar Designer
- Package files introduced with 2.5.0 (primes, sftp, ssh-keyscan).
* Sun Mar 18 2001 Solar Designer
- Increased the STALLTIME for scp from 5 to 60 seconds (needed for large windows and slow links).
- scp will now calculate ETA without account for possible stall time.
* Wed Feb 28 2001 Solar Designer
- Updated to 2.5.1p1.
- Updated the don't-log-unknown-users and pam_userpass patches.
- Added a patch to always run PAM authentication, even for unknown users (makes it less trivial to check for valid usernames; still easy, though).
- Dropped the traffic analysis patch (OpenSSH now includes an improved version).
- Dropped the client version string NUL termination patch (fixed).
* Fri Jan 26 2001 Solar Designer
- Added a patch to reduce the impact of traffic analysis by padding initial login passwords for SSH-1 and simulating echo during interactive sessions. (Thanks to Dug Song for updating the patch to current OpenSSH.)
* Wed Dec 20 2000 Solar Designer
- Use pam_mktemp.
* Thu Dec 07 2000 Solar Designer
- Updated sshd.init to use --pidfile and --expect-user.
* Fri Dec 01 2000 Solar Designer
- Adjusted sshd.init for owl-startup.
- Restart sshd after package upgrades in an owl-startup compatible way.
- Corrected package descriptions.
* Mon Nov 20 2000 Solar Designer
- Updated to 2.3.0p1.
* Fri Aug 04 2000 Solar Designer
- Updated to 2.1.1p4.
* Sun Jul 23 2000 Solar Designer
- Added dependencies on pam_userpass and /dev/urandom into openssh-server.
* Mon Jul 17 2000 Solar Designer
- Added a patch to not log unknown usernames (someone could have typed their password at the username prompt by mistake, even though there's no such prompt with the "native" client).
* Wed Jul 12 2000 Solar Designer
- Cleaned up the default ssh*_config.
- The config files are now declared as separate Source's in this spec.
- Moved this changelog to end of spec file.
* Sun Jul 09 2000 Solar Designer
- Imported current Damien Miller's spec file, removed the X11-specific stuff, fixed buildroot issues.
- sshd.pam and sshd.init are now taken from separate files, not the original package.
- Added -lcrypt so that PAM modules may access crypt(3); the OpenSSL package should also have a patch applied so that it doesn't export its crypt() function as a symbol, but only #define it in the appropriate header file. Other things might break (look for "DES corruption" in ChangeLog), but this is better than getting failed authentication with modern hashes and I believe current glibc is careful not to export internal functions and use weak aliases when exporting things.
- Patched PAM authentication to use pam_userpass rather than assume that modules can only ask for a password.
- Changed default ssh*_config.
- non-SUID installation by default.