rpms/openssh/FC-3 openssh-3.9p1-can-2005-2798.patch, NONE, 1.1 openssh-3.9p1-skip-used.patch, NONE, 1.1 openssh.spec, 1.45, 1.46
fedora-cvs-commits at redhat.com
Wed Sep 7 08:04:29 UTC 2005
Author: tmraz
Update of /cvs/dist/rpms/openssh/FC-3
In directory cvs.devel.redhat.com:/tmp/cvs-serv30486
Modified Files:
openssh.spec
Added Files:
openssh-3.9p1-can-2005-2798.patch
openssh-3.9p1-skip-used.patch
Log Message:
* Wed Sep 7 2005 Tomas Mraz <tmraz at redhat.com> 3.9p1-8.0.3
- destroy creds if gssapi authentication fails - CAN-2005-2798 (#167444)
- don't use X11 port which can't be bound on all IP families (#163732)
openssh-3.9p1-can-2005-2798.patch:
gss-serv.c | 13 ++++++++++++-
sshconnect2.c | 3 ++-
2 files changed, 14 insertions(+), 2 deletions(-)
--- NEW FILE openssh-3.9p1-can-2005-2798.patch ---
Stops credentials being delegated to users who are not authorised for
GSSAPIAuthentication when GSSAPIDelegateCredentials=yes and another
authentication mechanism succeeds.
===================================================================
RCS file: /usr/OpenBSD/cvs/src/usr.bin/ssh/gss-serv.c,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- src/usr.bin/ssh/gss-serv.c 2005/07/17 07:17:55 1.7
+++ src/usr.bin/ssh/gss-serv.c 2005/08/30 22:08:05 1.8
@@ -275,13 +275,24 @@
int
ssh_gssapi_userok(char *user)
{
+ OM_uint32 lmin;
+
if (gssapi_client.exportedname.length == 0 ||
gssapi_client.exportedname.value == NULL) {
debug("No suitable client data");
return 0;
}
if (gssapi_client.mech && gssapi_client.mech->userok)
- return ((*gssapi_client.mech->userok)(&gssapi_client, user));
+ if ((*gssapi_client.mech->userok)(&gssapi_client, user))
+ return 1;
+ else {
+ /* Destroy delegated credentials if userok fails */
+ gss_release_buffer(&lmin, &gssapi_client.displayname);
+ gss_release_buffer(&lmin, &gssapi_client.exportedname);
+ gss_release_cred(&lmin, &gssapi_client.creds);
+ memset(&gssapi_client, 0, sizeof(ssh_gssapi_client));
+ return 0;
+ }
else
debug("ssh_gssapi_userok: Unknown GSSAPI mechanism");
return (0);
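Review bot: the new `if ((*gssapi_client.mech->userok)(&gssapi_client, user)) return 1; else { ... }` sits inside the braceless body of `if (gssapi_client.mech && gssapi_client.mech->userok)`, so the trailing `else debug("ssh_gssapi_userok: Unknown GSSAPI mechanism")` only binds to the outer if because the inner if carries its own else; that is valid C but fragile, and the outer body should be wrapped in braces. Also, the two other failing returns in this function (the "No suitable client data" path and the unknown-mechanism path) still return 0 without the release/memset block, so consider moving the teardown (`gss_release_buffer(&lmin, &gssapi_client.displayname);`, `gss_release_cred(&lmin, &gssapi_client.creds);`, `memset(&gssapi_client, 0, sizeof(ssh_gssapi_client));`) into a small helper that every `return 0` path calls, which keeps the sequence in one place.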
===================================================================
RCS file: /usr/OpenBSD/cvs/src/usr.bin/ssh/sshconnect2.c,v
retrieving revision 1.141
retrieving revision 1.142
diff -u -r1.141 -r1.142
--- src/usr.bin/ssh/sshconnect2.c 2005/07/25 11:59:40 1.141
+++ src/usr.bin/ssh/sshconnect2.c 2005/08/30 22:08:05 1.142
@@ -543,7 +543,8 @@
Authctxt *authctxt = ctxt;
Gssctxt *gssctxt = authctxt->methoddata;
gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
- gss_buffer_desc gssbuf, mic;
+ gss_buffer_desc mic = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc gssbuf;
OM_uint32 status, ms, flags;
Buffer b;
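Review bot: initialising `mic` to GSS_C_EMPTY_BUFFER is presumably there so that a later release of `mic` is safe when the function exits before the MIC has been computed, but the context in this hunk does not show that cleanup path, and `gssbuf` is left uninitialised beside it; a one-line comment at the declaration naming the error path that relies on `mic` being empty would make the intent clear and explain why the two buffers are treated differently.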
openssh-3.9p1-skip-used.patch:
channels.c | 3 ---
1 files changed, 3 deletions(-)
--- NEW FILE openssh-3.9p1-skip-used.patch ---
--- openssh-3.9p1/channels.c.skip-used 2005-07-08 22:42:35.000000000 +0200
+++ openssh-3.9p1/channels.c 2005-07-25 21:34:29.000000000 +0200
@@ -2653,9 +2653,6 @@
debug2("bind port %d: %.100s", port, strerror(errno));
close(sock);
- if (ai->ai_next)
- continue;
-
for (n = 0; n < num_socks; n++) {
close(socks[n]);
}
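Review bot: removing `if (ai->ai_next) continue;` changes the bind-failure handling from "try the next address family for this port" to "close every socket already opened and give up on this port", which matches the changelog entry for #163732 but leaves no trace in the code of why a port that binds on only some families is now rejected; add a comment above the `for (n = 0; n < num_socks; n++)` cleanup loop stating that a port is only usable when it can be bound on all address families, and consider a debug message that the whole port is being skipped rather than only the per-address `debug2("bind port %d: %.100s", ...)`.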
Index: openssh.spec
===================================================================
RCS file: /cvs/dist/rpms/openssh/FC-3/openssh.spec,v
retrieving revision 1.45
retrieving revision 1.46
diff -u -r1.45 -r1.46
--- openssh.spec 28 Jun 2005 13:24:22 -0000 1.45
+++ openssh.spec 7 Sep 2005 08:04:26 -0000 1.46
@@ -79,7 +79,7 @@
Summary: The OpenSSH implementation of SSH protocol versions 1 and 2.
Name: openssh
Version: 3.9p1
-%define rel 8.0.2
+%define rel 8.0.3
%if %{rescue}
Release: %{rel}rescue
%else
@@ -101,6 +101,8 @@
Patch7: openssh-3.9p1-gid.patch
Patch12: openssh-selinux.patch
Patch20: openssh-3.8p1-gssapimitm.patch
+Patch21: openssh-3.9p1-skip-used.patch
+Patch22: openssh-3.9p1-can-2005-2798.patch
License: BSD
Group: Applications/Internet
BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot
@@ -236,6 +238,8 @@
%endif
#%patch20 -p0 -b .gssapimitm
+%patch21 -p1 -b .skip-used
+%patch22 -p3 -b .destroy-creds
autoreconf
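Review bot: `%patch22 -p3 -b .destroy-creds` strips three path components so that the upstream `src/usr.bin/ssh/gss-serv.c` and `src/usr.bin/ssh/sshconnect2.c` paths land in the flat source tree, while `%patch21 -p1 -b .skip-used` follows the usual `openssh-3.9p1/` prefix; a short comment explaining the differing strip levels would stop someone "normalising" the -p3 later. The backup suffix `.destroy-creds` also does not match the patch file name `openssh-3.9p1-can-2005-2798.patch`, unlike `.skip-used` for Patch21; using the same stem (or the CAN id) for both keeps them consistent.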
@@ -504,6 +508,10 @@
%endif
%changelog
+* Wed Sep 7 2005 Tomas Mraz <tmraz at redhat.com> 3.9p1-8.0.3
+- destroy creds if gssapi authentication fails - CAN-2005-2798 (#167444)
+- don't use X11 port which can't be bound on all IP families (#163732)
+
* Tue Jun 28 2005 Tomas Mraz <tmraz at redhat.com> 3.9p1-8.0.2
- don't deadlock on exit with multiple X forwarded channels (#152432)
- allow ssh-ing from root account with nondefault group (#155220)