Updated and removed upstreamed patch.
Highlights relating to security:
* Fix CVE-2025-26465 - ssh(1) in OpenSSH versions 6.8p1 to 9.9p1
(inclusive) contained a logic error that allowed an on-path
attacker (a.k.a MITM) to impersonate any server when the
VerifyHostKeyDNS option is enabled. This option is off by default.
* Fix CVE-2025-26466 - sshd(8) in OpenSSH versions 9.5p1 to 9.9p1
(inclusive) is vulnerable to a memory/CPU denial-of-service related
to the handling of SSH2_MSG_PING packets. This condition may be
mitigated using the existing PerSourcePenalties feature.
Both vulnerabilities were discovered and demonstrated to be exploitable
by the Qualys Security Advisory team. We thank them for their detailed
review of OpenSSH.
Full release notes: https://www.openssh.com/txt/release-9.9p2
Signed-off-by: John Audia <therealgraysky@proton.me>
The `ssh_systemd_notify` function is causing compilation errors
when built against GCC 14.1. This is due to an incompatible pointer
type being passed to the connect function.
The connect function expects a pointer to `struct sockaddr`, but
was receiving a pointer to `struct sockaddr_un`.
Signed-off-by: Sean Khan <datapronix@protonmail.com>
Most distros allow dropping site configuration files into
/etc/sshd_config.d/ so that you don't have to tweak the main
server configuration file.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
This adds a couple of patches when setting some openssl options:
* ECDSA code in openssh-compat.h and libressl-api-compat.c needs to be
be guarded by OPENSSL_HAS_ECC; otherwise, it will not build with
openssl compiled without ECC support.
* Fix openssl version number in openbsd-compat/openssl-compat.c which
failed to compile --with-ssl-engine; this option is used when
CONFIG_OPENSSL_ENGINE_CRYPTO=y
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Signed-off-by: Peter Wagner <tripolar@gmx.at>
Five commits from upstream were applied to v. 7.8-p1:
482d23bc upstream: hold our collective noses and use the openssl-1.1.x
API in
48f54b9d adapt -portable to OpenSSL 1.1x API
86e0a9f3 upstream: use only openssl-1.1.x API here too
a3fd8074 upstream: missed a bit of openssl-1.0.x API in this unittest
d64e7852 add compat header
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
The author (@pprindeville) of the original commit noted that the wrong
commit was picked, see
325b7d2cd2 (commitcomment-22387528)
"Err... looks like the wrong fix got committed. I was hoping that this
commit d902e5d would have gone in instead."
This reverts commit 325b7d2cd2.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
types that got generated. Problem was that it didn't remove that key
as one of the paths that the server looks for by default. As a
consequence, your log file might fill up with messages like:
2017-06-01T15:43:07-06:00 openwrt sshd[31929]: error: Could not load host key: /etc/ssh/ssh_host_dsa_key
The patch is forunately trivial. Don't set the path for the dsa
key file in the server configuration.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Signed-off-by: Peter Wagner <tripolar@gmx.at>
received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause
allocation of up to 128MB -- until the connection is closed. Reported by
shilei-c at 360.cn
ec165c392c
Signed-off-by: Peter Wagner <tripolar@gmx.at>
