Nopatching CVE-2020-14145. (#337)
* Nopatching CVE-2020-14145
* Addressing linter's suggestions.
Parent: d661370179
Commit: 61c1b96e04
@ -0,0 +1 @@
The CVE is a won't fix for OpenSSH (confirmed on their mailing list). See here: https://www.fzi.de/fileadmin/user_upload/2020-06-26-FSA-2020-2.pdf.

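Review bot: the .nopatch rationale says the won't-fix was "confirmed on their mailing list", but the only reference given is a third-party advisory PDF on fzi.de; add the link to the actual upstream mailing-list thread (or quote the upstream statement) so the decision can be audited without depending on a second-hand document that may move. One sentence on why no Mariner-side mitigation is needed would also help, since a bare "won't fix" will be re-raised by every scanner that flags the 8.0p1 version string.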
@ -2,7 +2,7 @@
Summary: Free version of the SSH connectivity tools
Name: openssh
Version: 8.0p1
Release: 10%{?dist}
Release: 11%{?dist}
License: BSD
Vendor: Microsoft Corporation
Distribution: Mariner

@ -12,16 +12,23 @@ Source0: https://ftp.usa.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{name}
Source1: http://www.linuxfromscratch.org/blfs/downloads/stable-systemd/blfs-systemd-units-%{systemd_units_rel}.tar.xz
Source2: sshd.service
Source3: sshd-keygen.service
Patch0: blfs_systemd_fixes.patch
Patch1: CVE-2019-16905.patch
# Nopatches section
# Community agreed to not patch this
Patch2: CVE-2007-2768.nopatch
Patch100: CVE-2007-2768.nopatch
Patch101: CVE-2020-14145.nopatch
BuildRequires: e2fsprogs-devel
BuildRequires: groff
BuildRequires: krb5-devel
BuildRequires: openssl-devel
BuildRequires: pam-devel
BuildRequires: systemd
Requires: openssh-clients = %{version}-%{release}
Requires: openssh-server = %{version}-%{release}

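Review bot: the comment "# Community agreed to not patch this" now sits above both Patch100 and Patch101 but only describes CVE-2007-2768; CVE-2020-14145 is a different decision (upstream won't-fix, per the new .nopatch file), so give each placeholder its own one-line comment, or move the rationale next to the entry it belongs to. Also worth double-checking that %prep applies patches by explicit number (`%patch0`, `%patch1`) rather than `%autosetup`/`%autopatch`, which would try to apply the .nopatch files as real patches; moving the placeholders from Patch2 to the Patch100+ range is a good convention for keeping them out of the applied sequence.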
@ -67,21 +74,24 @@ tar xf %{SOURCE1} --no-same-owner
--with-maintype=man \
--enable-strip=no \
--with-kerberos5=%{_prefix}
make
%install
[ %{buildroot} != "/"] && rm -rf %{buildroot}/*
make DESTDIR=%{buildroot} install
install -vdm755 %{buildroot}%{_sharedstatedir}/sshd
echo "AllowTcpForwarding no" >> %{buildroot}%{_sysconfdir}/ssh/sshd_config
echo "ClientAliveCountMax 2" >> %{buildroot}%{_sysconfdir}/ssh/sshd_config
echo "Compression no" >> %{buildroot}%{_sysconfdir}/ssh/sshd_config
#echo "MaxSessions 2" >> %{buildroot}/etc/ssh/sshd_config
echo "TCPKeepAlive no" >> %{buildroot}%{_sysconfdir}/ssh/sshd_config
echo "AllowAgentForwarding no" >> %{buildroot}%{_sysconfdir}/ssh/sshd_config
echo "PermitRootLogin no" >> %{buildroot}%{_sysconfdir}/ssh/sshd_config
echo "UsePAM yes" >> %{buildroot}%{_sysconfdir}/ssh/sshd_config
cat <<EOF >>%{buildroot}%{_sysconfdir}/ssh/sshd_config
AllowTcpForwarding no
ClientAliveCountMax 2
Compression no
#MaxSessions 2
TCPKeepAlive no
AllowAgentForwarding no
PermitRootLogin no
UsePAM yes
EOF
# Install daemon script
pushd blfs-systemd-units-%{systemd_units_rel}
make DESTDIR=%{buildroot} install-sshd

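Review bot: the heredoc is a cleaner way to append the hardening block, but quote the delimiter (`cat <<'EOF'`) so the shell never expands anything in the body; none of today's lines contain `$` or backticks, but a future `Match` line with a variable would silently break. More important, the whole block relies on sshd's first-match semantics: `PermitRootLogin no`, `AllowTcpForwarding no` and the rest only take effect because the stock sshd_config leaves those options commented out, and if a later upstream file ships an uncommented default above them the appended line is ignored with no error. Editing the existing keys in place, or a drop-in directory once a version with `Include` support is packaged, would be more robust. Unrelated but in the context lines: `[ %{buildroot} != "/"] && rm -rf %{buildroot}/*` is missing the space before `]`, so `[` fails with "missing ]" and the cleanup never runs, and because the failure is on the left of `&&` it does not abort the build; it should read `[ "%{buildroot}" != "/" ] && rm -rf "%{buildroot}"/*`.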
@ -136,13 +146,14 @@ fi
%clean
rm -rf %{buildroot}/*
%files
%license LICENCE
%files server
%defattr(-,root,root)
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
%attr(700,root,sys)%{_sharedstatedir}/sshd
%attr(700,root,sys) %{_sharedstatedir}/sshd
/lib/systemd/system/sshd-keygen.service
/lib/systemd/system/sshd.service
/lib/systemd/system/sshd.socket

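Review bot: the whitespace fix is correct, but the two adjacent `%attr` lines now use different mode formats (`0600` on sshd_config, `700` on the privsep directory); use `0700` for consistency. The privilege-separation directory only needs to be root-owned and not group- or world-writable, so 0700 is stricter than sshd requires but fine; `%config(noreplace)` on sshd_config also means the hardening appended at build time survives upgrades only for fresh installs, with existing hosts keeping whatever they have.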
@ -181,137 +192,140 @@ rm -rf %{buildroot}/*
%{_mandir}/man8/ssh-pkcs11-helper.8.gz
%changelog
* Tue Nov 03 2020 Pawel Winogrodzki <pawelwi@microsoft.com> - 8.0p1-11
- Nopatching CVE-2020-14145.
* Fri Oct 30 2020 Nicolas Ontiveros <niontive@microsoft.com> - 8.0p1-10
- Add no patch for CVE-2007-2768
* Mon Oct 19 2020 Andrew Phelps <anphel@microsoft.com> 8.0p1-9
- Add patch for CVE-2019-16905
* Mon Oct 19 2020 Andrew Phelps <anphel@microsoft.com> - 8.0p1-9
- Add patch for CVE-2019-16905
* Wed Sep 02 2020 Jim Perrin <jim.perrin@microsoft.com> 8.0p1-8
- Add wants=sshd-keygen.service to sshd.service for easier service starting
* Wed Sep 02 2020 Jim Perrin <jim.perrin@microsoft.com> - 8.0p1-8
- Add wants=sshd-keygen.service to sshd.service for easier service starting
* Thu Jun 04 2020 Chris Co <chrco@microsoft.com> 8.0p1-7
- Use default MaxAuthTries value of 6
* Thu Jun 04 2020 Chris Co <chrco@microsoft.com> - 8.0p1-7
- Use default MaxAuthTries value of 6
* Tue May 26 2020 Pawel Winogrodzki <pawelwi@microsoft.com> 8.0p1-6
- Adding the "%%license" macro.
* Tue May 26 2020 Pawel Winogrodzki <pawelwi@microsoft.com> - 8.0p1-6
- Adding the "%%license" macro.
* Tue Apr 28 2020 Emre Girgin <mrgirgin@microsoft.com> 8.0p1-5
- Renaming Linux-PAM to pam
* Tue Apr 28 2020 Emre Girgin <mrgirgin@microsoft.com> - 8.0p1-5
- Renaming Linux-PAM to pam
* Mon Apr 27 2020 Emre Girgin <mrgirgin@microsoft.com> 8.0p1-4
- Rename shadow to shadow-utils.
* Mon Apr 27 2020 Emre Girgin <mrgirgin@microsoft.com> - 8.0p1-4
- Rename shadow to shadow-utils.
* Mon Apr 27 2020 Emre Girgin <mrgirgin@microsoft.com> 8.0p1-3
- Rename ncurses-terminfo to ncurses-term.
* Mon Apr 27 2020 Emre Girgin <mrgirgin@microsoft.com> - 8.0p1-3
- Rename ncurses-terminfo to ncurses-term.
* Fri Apr 24 2020 Nick Samson <nisamson@microsoft.com> 8.0p1-2
- Updated Source0, Source1. blfs-systemd-units updated to latest recommended version (20191026).
* Fri Apr 24 2020 Nick Samson <nisamson@microsoft.com> - 8.0p1-2
- Updated Source0, Source1. blfs-systemd-units updated to latest recommended version (20191026).
* Thu Mar 12 2020 Paul Monson <paulmon@microsoft.com> 8.0p1-1
- Update to version 8.0p1. License verified.
* Thu Mar 12 2020 Paul Monson <paulmon@microsoft.com> - 8.0p1-1
- Update to version 8.0p1. License verified.
* Tue Sep 03 2019 Mateusz Malisz <mamalisz@microsoft.com> 7.8p1-4
- Initial CBL-Mariner import from Photon (license: Apache2).
* Tue Sep 03 2019 Mateusz Malisz <mamalisz@microsoft.com> - 7.8p1-4
- Initial CBL-Mariner import from Photon (license: Apache2).
* Thu Feb 14 2019 Ankit Jain <ankitja@vmware.comm> 7.8p1-3
- Fix CVE-2018-20685.
* Thu Feb 14 2019 Ankit Jain <ankitja@vmware.comm> - 7.8p1-3
- Fix CVE-2018-20685.
* Tue Jan 08 2019 Alexey Makhalov <amakhalov@vmware.com> 7.8p1-2
- Added BuildRequires groff
- Use %configure
* Tue Jan 08 2019 Alexey Makhalov <amakhalov@vmware.com> - 7.8p1-2
- Added BuildRequires groff
- Use %configure
* Tue Sep 11 2018 Him Kalyan Bordoloi <bordoloih@vmware.com> 7.8p1-1
- Update version
* Tue Sep 11 2018 Him Kalyan Bordoloi <bordoloih@vmware.com> - 7.8p1-1
- Update version
* Tue Nov 28 2017 Xiaolin Li <xiaolinl@vmware.comm> 7.5p1-11
- Fix CVE-2017-15906.
* Tue Nov 28 2017 Xiaolin Li <xiaolinl@vmware.comm> - 7.5p1-11
- Fix CVE-2017-15906.
* Tue Nov 14 2017 Alexey Makhalov <amakhalov@vmware.com> 7.5p1-10
- Fix: openssh-server requires(pre) shadow tools
* Tue Nov 14 2017 Alexey Makhalov <amakhalov@vmware.com> - 7.5p1-10
- Fix: openssh-server requires(pre) shadow tools
* Tue Nov 14 2017 Anish Swaminathan <anishs@vmware.com> 7.5p1-9
- Add ciphers aes128-gcm, aes256-gcm and kex dh14/16/18 in fips mode
* Tue Nov 14 2017 Anish Swaminathan <anishs@vmware.com> - 7.5p1-9
- Add ciphers aes128-gcm, aes256-gcm and kex dh14/16/18 in fips mode
* Tue Oct 10 2017 Alexey Makhalov <amakhalov@vmware.com> 7.5p1-8
- No direct toybox dependency, shadow depends on toybox
* Tue Oct 10 2017 Alexey Makhalov <amakhalov@vmware.com> - 7.5p1-8
- No direct toybox dependency, shadow depends on toybox
* Mon Sep 18 2017 Alexey Makhalov <amakhalov@vmware.com> 7.5p1-7
- Requires shadow or toybox
* Mon Sep 18 2017 Alexey Makhalov <amakhalov@vmware.com> - 7.5p1-7
- Requires shadow or toybox
* Thu Sep 14 2017 Alexey Makhalov <amakhalov@vmware.com> 7.5p1-6
- sshd config: revert MaxSessions to original value
* Thu Sep 14 2017 Alexey Makhalov <amakhalov@vmware.com> - 7.5p1-6
- sshd config: revert MaxSessions to original value
* Thu Aug 31 2017 Alexey Makhalov <amakhalov@vmware.com> 7.5p1-5
- sshd config hardening based on lynis recommendations
* Thu Aug 31 2017 Alexey Makhalov <amakhalov@vmware.com> - 7.5p1-5
- sshd config hardening based on lynis recommendations
* Thu Aug 10 2017 Chang Lee <changlee@vmware.com> 7.5p1-4
- Fixed %check
* Thu Aug 10 2017 Chang Lee <changlee@vmware.com> - 7.5p1-4
- Fixed %check
* Mon Jul 24 2017 Dheeraj Shetty <dheerajs@vmware.com> 7.5p1-3
- Seperate the service file from the spec file
* Mon Jul 24 2017 Dheeraj Shetty <dheerajs@vmware.com> - 7.5p1-3
- Seperate the service file from the spec file
* Wed May 3 2017 Bo Gan <ganb@vmware.com> 7.5p1-2
- Fixed openssh-server dependency on coreutils
* Wed May 3 2017 Bo Gan <ganb@vmware.com> - 7.5p1-2
- Fixed openssh-server dependency on coreutils
* Tue Mar 28 2017 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 7.5p1-1
- Update version
* Tue Mar 28 2017 Priyesh Padmavilasom <ppadmavilasom@vmware.com> - 7.5p1-1
- Update version
* Thu Feb 09 2017 Anish Swaminathan <anishs@vmware.com> 7.4p1-3
- Add patch to configure openssh FIPS mode
* Thu Feb 09 2017 Anish Swaminathan <anishs@vmware.com> - 7.4p1-3
- Add patch to configure openssh FIPS mode
* Thu Feb 02 2017 Anish Swaminathan <anishs@vmware.com> 7.4p1-2
- Add patch to support FIPS mode
* Thu Feb 02 2017 Anish Swaminathan <anishs@vmware.com> - 7.4p1-2
- Add patch to support FIPS mode
* Fri Jan 06 2017 Xiaolin Li <xiaolinl@vmware.com> 7.4p1-1
- Updated to version 7.4p1.
* Fri Jan 06 2017 Xiaolin Li <xiaolinl@vmware.com> - 7.4p1-1
- Updated to version 7.4p1.
* Wed Dec 14 2016 Xiaolin Li <xiaolinl@vmware.com> 7.1p2-10
- BuildRequires Linux-PAM-devel
* Wed Dec 14 2016 Xiaolin Li <xiaolinl@vmware.com> - 7.1p2-10
- BuildRequires Linux-PAM-devel
* Mon Dec 12 2016 Anish Swaminathan <anishs@vmware.com> 7.1p2-9
- Add patch to fix CVE-2016-8858
* Mon Dec 12 2016 Anish Swaminathan <anishs@vmware.com> - 7.1p2-9
- Add patch to fix CVE-2016-8858
* Thu Nov 24 2016 Alexey Makhalov <amakhalov@vmware.com> 7.1p2-8
- openssh-devel requires ncurses-terminfo to provide extra terms
* Thu Nov 24 2016 Alexey Makhalov <amakhalov@vmware.com> - 7.1p2-8
- openssh-devel requires ncurses-terminfo to provide extra terms
for the clients
* Thu Nov 24 2016 Alexey Makhalov <amakhalov@vmware.com> 7.1p2-7
- Required krb5-devel.
* Thu Nov 24 2016 Alexey Makhalov <amakhalov@vmware.com> - 7.1p2-7
- Required krb5-devel.
* Thu Nov 03 2016 Sharath George <sharathg@vmware.com> 7.1p2-6
- Split openssh into client and server rpms.
* Thu Nov 03 2016 Sharath George <sharathg@vmware.com> - 7.1p2-6
- Split openssh into client and server rpms.
* Wed Oct 05 2016 ChangLee <changlee@vmware.com> 7.1p2-5
- Modified %check
* Wed Oct 05 2016 ChangLee <changlee@vmware.com> - 7.1p2-5
- Modified %check
* Thu Sep 15 2016 Anish Swaminathan <anishs@vmware.com> 7.1p2-4
- Add patch to fix CVE-2016-6515
* Thu Sep 15 2016 Anish Swaminathan <anishs@vmware.com> - 7.1p2-4
- Add patch to fix CVE-2016-6515
* Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 7.1p2-3
- GA - Bump release of all rpms
* Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> - 7.1p2-3
- GA - Bump release of all rpms
* Wed May 04 2016 Anish Swaminathan <anishs@vmware.com> 7.1p2-2
- Edit scriptlets.
* Wed May 04 2016 Anish Swaminathan <anishs@vmware.com> - 7.1p2-2
- Edit scriptlets.
* Thu Mar 17 2016 Xiaolin Li <xiaolinl@vmware.com> 7.1p2-1
- Updated to version 7.1p2
* Thu Mar 17 2016 Xiaolin Li <xiaolinl@vmware.com> - 7.1p2-1
- Updated to version 7.1p2
* Fri Feb 05 2016 Anish Swaminathan <anishs@vmware.com> 6.6p1-6
- Add pre install scripts in the rpm
* Fri Feb 05 2016 Anish Swaminathan <anishs@vmware.com> - 6.6p1-6
- Add pre install scripts in the rpm
* Tue Jan 12 2016 Anish Swaminathan <anishs@vmware.com> 6.6p1-5
- Change config file attributes.
* Tue Jan 12 2016 Anish Swaminathan <anishs@vmware.com> - 6.6p1-5
- Change config file attributes.
* Thu Dec 10 2015 Xiaolin Li <xiaolinl@vmware.com> 6.6p1-4
- Add systemd to Requires and BuildRequires.
- Use systemctl to enable/disable service.
* Thu Dec 10 2015 Xiaolin Li <xiaolinl@vmware.com> - 6.6p1-4
- Add systemd to Requires and BuildRequires.
- Use systemctl to enable/disable service.
* Fri Jul 17 2015 Divya Thaluru <dthaluru@vmware.com> 6.6p1-3
- Enabling ssh-keygen service by default and fixed service file to execute only once.
* Fri Jul 17 2015 Divya Thaluru <dthaluru@vmware.com> - 6.6p1-3
- Enabling ssh-keygen service by default and fixed service file to execute only once.
* Tue May 19 2015 Sharath George <sharathg@vmware.com> 6.6p1-2
- Bulding ssh server with kerberos 5.
* Tue May 19 2015 Sharath George <sharathg@vmware.com> - 6.6p1-2
- Bulding ssh server with kerberos 5.
* Wed Nov 5 2014 Divya Thaluru <dthaluru@vmware.com> 6.6p1-1
- Initial build. First version
* Wed Nov 5 2014 Divya Thaluru <dthaluru@vmware.com> - 6.6p1-1
- Initial build. First version

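Review bot: the new 8.0p1-11 entry only records the nopatch, while the same commit rewrites the sshd_config hardening block as a heredoc, fixes the `%attr` spacing and normalises every older changelog header to the `<email> - <version>` form; list those under the same entry so `rpm -q --changelog` explains the whole diff. The header normalisation touches entries by other authors (and keeps the `@vmware.comm` typos at 7.8p1-3 and 7.5p1-11 as-is), which is fine for a linter-driven format fix but should be stated as such in the entry rather than left implicit.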