Message ID | 307078a6-b2d9-a265-0b93-bcfa542b39ca@ipfire.org |
---|---|
State | Accepted |
Commit | 975bd8bc17421a4a72b8263be99d8cce6fe5606d |
Series | OpenSSH: update to 8.2p1 |
Commit Message
Peter Müller
March 21, 2020, 8:08 p.m. UTC
Please refer to https://www.openssh.com/txt/release-8.2 for release
announcements. Since glibc < 2.31 is used, no additional patching was
required in order to restore correct login functionality.
Cc: Marcel Lorenz <marcel.lorenz@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
config/rootfiles/common/openssh | 2 ++
lfs/openssh | 6 +++---
2 files changed, 5 insertions(+), 3 deletions(-)
Comments
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>

> On 21 Mar 2020, at 20:08, Peter Müller <peter.mueller@ipfire.org> wrote:
>
> Please refer to https://www.openssh.com/txt/release-8.2 for release
> announcements. Since glibc < 2.31 is used, no additional patching was
> required in order to restore correct login functionality.
>
> Cc: Marcel Lorenz <marcel.lorenz@ipfire.org>
> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
> --- > config/rootfiles/common/openssh | 2 ++ > lfs/openssh | 6 +++--- > 2 files changed, 5 insertions(+), 3 deletions(-) > > diff --git a/config/rootfiles/common/openssh b/config/rootfiles/common/openssh > index b41190a47..f2f8ea6c5 100644 > --- a/config/rootfiles/common/openssh > +++ b/config/rootfiles/common/openssh > @@ -21,6 +21,7 @@ usr/bin/ssh-keyscan > usr/lib/openssh/sftp-server > usr/lib/openssh/ssh-keysign > usr/lib/openssh/ssh-pkcs11-helper > +usr/lib/openssh/ssh-sk-helper > usr/sbin/sshd > #usr/share/man/man1/scp.1 > #usr/share/man/man1/sftp.1 > @@ -35,4 +36,5 @@ usr/sbin/sshd > #usr/share/man/man8/sftp-server.8 > #usr/share/man/man8/ssh-keysign.8 > #usr/share/man/man8/ssh-pkcs11-helper.8 > +#usr/share/man/man8/ssh-sk-helper.8 > #usr/share/man/man8/sshd.8 > diff --git a/lfs/openssh b/lfs/openssh > index 64e72d654..68a7d63cd 100644 > --- a/lfs/openssh > +++ b/lfs/openssh > @@ -1,7 +1,7 @@ > ############################################################################### > # # > # IPFire.org - A linux based firewall # > -# Copyright (C) 2007-2019 IPFire Team <info@ipfire.org> # > +# Copyright (C) 2007-2020 IPFire Team <info@ipfire.org> # > # # > # This program is free software: you can redistribute it and/or modify # > # it under the terms of the GNU General Public License as published by # > @@ -24,7 +24,7 @@ > > include Config > > -VER = 8.1p1 > +VER = 8.2p1 > > THISAPP = openssh-$(VER) > DL_FILE = $(THISAPP).tar.gz 
> @@ -40,7 +40,7 @@ objects = $(DL_FILE) > > $(DL_FILE) = $(DL_FROM)/$(DL_FILE) > > -$(DL_FILE)_MD5 = 513694343631a99841e815306806edf0 > +$(DL_FILE)_MD5 = 3076e6413e8dbe56d33848c1054ac091 > > install : $(TARGET) > > -- > 2.16.4
We need the patches for glibc-2.31 because this update is also planned.

Michael has already sent the patches but I have not pushed this yet because at least netsnmpd fails.

Arne

On 2020-03-21 21:08, Peter Müller wrote:
> Please refer to https://www.openssh.com/txt/release-8.2 for release
> announcements. Since glibc < 2.31 is used, no additional patching was
> required in order to restore correct login functionality.
>
> Cc: Marcel Lorenz <marcel.lorenz@ipfire.org>
> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
> --- > config/rootfiles/common/openssh | 2 ++ > lfs/openssh | 6 +++--- > 2 files changed, 5 insertions(+), 3 deletions(-) > > diff --git a/config/rootfiles/common/openssh > b/config/rootfiles/common/openssh > index b41190a47..f2f8ea6c5 100644 > --- a/config/rootfiles/common/openssh > +++ b/config/rootfiles/common/openssh > @@ -21,6 +21,7 @@ usr/bin/ssh-keyscan > usr/lib/openssh/sftp-server > usr/lib/openssh/ssh-keysign > usr/lib/openssh/ssh-pkcs11-helper > +usr/lib/openssh/ssh-sk-helper > usr/sbin/sshd > #usr/share/man/man1/scp.1 > #usr/share/man/man1/sftp.1 > @@ -35,4 +36,5 @@ usr/sbin/sshd > #usr/share/man/man8/sftp-server.8 > #usr/share/man/man8/ssh-keysign.8 > #usr/share/man/man8/ssh-pkcs11-helper.8 > +#usr/share/man/man8/ssh-sk-helper.8 > #usr/share/man/man8/sshd.8 > diff --git a/lfs/openssh b/lfs/openssh > index 64e72d654..68a7d63cd 100644 > --- a/lfs/openssh > +++ b/lfs/openssh > @@ -1,7 +1,7 @@ > > ############################################################################### > # > # > # IPFire.org - A linux based firewall > # > -# Copyright (C) 2007-2019 IPFire Team <info@ipfire.org> > # > +# Copyright (C) 2007-2020 IPFire Team <info@ipfire.org> > # > # > # > # This program is free software: you can redistribute it and/or modify > # > # it under the terms of the GNU General Public License as published by > # > @@ -24,7 +24,7 @@ > > include Config > > -VER = 8.1p1 > +VER = 8.2p1 > > THISAPP = openssh-$(VER) > DL_FILE = $(THISAPP).tar.gz 
> @@ -40,7 +40,7 @@ objects = $(DL_FILE) > > $(DL_FILE) = $(DL_FROM)/$(DL_FILE) > > -$(DL_FILE)_MD5 = 513694343631a99841e815306806edf0 > +$(DL_FILE)_MD5 = 3076e6413e8dbe56d33848c1054ac091 > > install : $(TARGET)
Hello Arne,

to my surprise, OpenSSH 8.2p1 works fine against glibc 2.31, too. Password-based login is possible in a testing VM using a clean build of the next branch with this patch applied.

Whatever it was Marcel stumbled across, I cannot reproduce it (or do not see it).

In my opinion, this patch can be merged straight away.

Thanks, and best regards,
Peter Müller

> We need the patches for glibc-2.31 because this update is also planned.
>
> Michael has already sent the patches but I have not pushed this yet because
> at least netsnmpd fails.
>
> Arne
>
>
> On 2020-03-21 21:08, Peter Müller wrote:
>> Please refer to https://www.openssh.com/txt/release-8.2 for release
>> announcements. Since glibc < 2.31 is used, no additional patching was
>> required in order to restore correct login functionality.
>>
>> Cc: Marcel Lorenz <marcel.lorenz@ipfire.org>
>> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
>> --- >> config/rootfiles/common/openssh | 2 ++ >> lfs/openssh | 6 +++--- >> 2 files changed, 5 insertions(+), 3 deletions(-) >> >> diff --git a/config/rootfiles/common/openssh b/config/rootfiles/common/openssh >> index b41190a47..f2f8ea6c5 100644 >> --- a/config/rootfiles/common/openssh >> +++ b/config/rootfiles/common/openssh >> @@ -21,6 +21,7 @@ usr/bin/ssh-keyscan >> usr/lib/openssh/sftp-server >> usr/lib/openssh/ssh-keysign >> usr/lib/openssh/ssh-pkcs11-helper >> +usr/lib/openssh/ssh-sk-helper >> usr/sbin/sshd >> #usr/share/man/man1/scp.1 >> #usr/share/man/man1/sftp.1 >> @@ -35,4 +36,5 @@ usr/sbin/sshd >> #usr/share/man/man8/sftp-server.8 >> #usr/share/man/man8/ssh-keysign.8 >> #usr/share/man/man8/ssh-pkcs11-helper.8 >> +#usr/share/man/man8/ssh-sk-helper.8 >> #usr/share/man/man8/sshd.8 >> diff --git a/lfs/openssh b/lfs/openssh >> index 64e72d654..68a7d63cd 100644 >> --- a/lfs/openssh >> +++ b/lfs/openssh 
>> @@ -1,7 +1,7 @@ >> >> ############################################################################### >> # # >> # IPFire.org - A linux based firewall # >> -# Copyright (C) 2007-2019 IPFire Team <info@ipfire.org> # >> +# Copyright (C) 2007-2020 IPFire Team <info@ipfire.org> # >> # # >> # This program is free software: you can redistribute it and/or modify # >> # it under the terms of the GNU General Public License as published by # >> @@ -24,7 +24,7 @@ >> >> include Config >> >> -VER = 8.1p1 >> +VER = 8.2p1 >> >> THISAPP = openssh-$(VER) >> DL_FILE = $(THISAPP).tar.gz >> @@ -40,7 +40,7 @@ objects = $(DL_FILE) >> >> $(DL_FILE) = $(DL_FROM)/$(DL_FILE) >> >> -$(DL_FILE)_MD5 = 513694343631a99841e815306806edf0 >> +$(DL_FILE)_MD5 = 3076e6413e8dbe56d33848c1054ac091 >> >> install : $(TARGET)
Great! Thanks for testing and the feedback.

-Michael

> On 24 Mar 2020, at 13:18, Peter Müller <peter.mueller@ipfire.org> wrote:
>
> Hello Arne,
>
> to my surprise, OpenSSH 8.2p1 works fine against glibc 2.31, too. Password-based
> login is possible in a testing VM using a clean build of the next branch with this
> patch applied.
>
> Whatever it was Marcel stumbled across, I cannot reproduce it (or do not see it).
>
> In my opinion, this patch can be merged straight away.
>
> Thanks, and best regards,
> Peter Müller
>
>
>> We need the patches for glibc-2.31 because this update is also planned.
>>
>> Michael has already sent the patches but I have not pushed this yet because
>> at least netsnmpd fails.
>>
>> Arne
>>
>>
>> On 2020-03-21 21:08, Peter Müller wrote:
>>> Please refer to https://www.openssh.com/txt/release-8.2 for release
>>> announcements. Since glibc < 2.31 is used, no additional patching was
>>> required in order to restore correct login functionality.
>>>
>>> Cc: Marcel Lorenz <marcel.lorenz@ipfire.org>
>>> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
>>> --- >>> config/rootfiles/common/openssh | 2 ++ >>> lfs/openssh | 6 +++--- >>> 2 files changed, 5 insertions(+), 3 deletions(-) >>> >>> diff --git a/config/rootfiles/common/openssh b/config/rootfiles/common/openssh >>> index b41190a47..f2f8ea6c5 100644 >>> --- a/config/rootfiles/common/openssh >>> +++ b/config/rootfiles/common/openssh >>> @@ -21,6 +21,7 @@ usr/bin/ssh-keyscan >>> usr/lib/openssh/sftp-server >>> usr/lib/openssh/ssh-keysign >>> usr/lib/openssh/ssh-pkcs11-helper >>> +usr/lib/openssh/ssh-sk-helper >>> usr/sbin/sshd >>> #usr/share/man/man1/scp.1 >>> #usr/share/man/man1/sftp.1 >>> @@ -35,4 +36,5 @@ usr/sbin/sshd >>> #usr/share/man/man8/sftp-server.8 >>> #usr/share/man/man8/ssh-keysign.8 >>> #usr/share/man/man8/ssh-pkcs11-helper.8 >>> +#usr/share/man/man8/ssh-sk-helper.8 >>> #usr/share/man/man8/sshd.8 >>> diff --git a/lfs/openssh b/lfs/openssh >>> index 64e72d654..68a7d63cd 100644 
>>> --- a/lfs/openssh >>> +++ b/lfs/openssh >>> @@ -1,7 +1,7 @@ >>> >>> ############################################################################### >>> # # >>> # IPFire.org - A linux based firewall # >>> -# Copyright (C) 2007-2019 IPFire Team <info@ipfire.org> # >>> +# Copyright (C) 2007-2020 IPFire Team <info@ipfire.org> # >>> # # >>> # This program is free software: you can redistribute it and/or modify # >>> # it under the terms of the GNU General Public License as published by # >>> @@ -24,7 +24,7 @@ >>> >>> include Config >>> >>> -VER = 8.1p1 >>> +VER = 8.2p1 >>> >>> THISAPP = openssh-$(VER) >>> DL_FILE = $(THISAPP).tar.gz >>> @@ -40,7 +40,7 @@ objects = $(DL_FILE) >>> >>> $(DL_FILE) = $(DL_FROM)/$(DL_FILE) >>> >>> -$(DL_FILE)_MD5 = 513694343631a99841e815306806edf0 >>> +$(DL_FILE)_MD5 = 3076e6413e8dbe56d33848c1054ac091 >>> >>> install : $(TARGET)
On 2020-03-24 14:18, Peter Müller wrote:
> Hello Arne,
>
> to my surprise, OpenSSH 8.2p1 works fine against glibc 2.31, too.
> Password-based login is possible in a testing VM using a clean build
> of the next branch with this patch applied.
>
> Whatever it was Marcel stumbled across, I cannot reproduce it (or do
> not see it).
>
> In my opinion, this patch can be merged straight away.

But I can reproduce it. OpenSSH 8.2p1 doesn't ask for the credentials and simply closes the connection on i586.

Tested as update and on a new i586 flashimage

I think I have to revert it...

Arne
Hi,

Arne and I just wasted an hour on trying to figure out why.

The getpeername() syscall seems to fail. It is not included in the seccomp filter, but adding it does not seem to be enough.

Maybe someone can find the time to file a bug upstream. Otherwise we have to wait for a new release.

Best,
-Michael

> On 9 Apr 2020, at 17:51, Arne Fitzenreiter <arne_f@ipfire.org> wrote:
>
> On 2020-03-24 14:18, Peter Müller wrote:
>> Hello Arne,
>> to my surprise, OpenSSH 8.2p1 works fine against glibc 2.31, too. Password-based
>> login is possible in a testing VM using a clean build of the next
>> branch with this
>> patch applied.
>> Whatever it was Marcel stumbled across, I cannot reproduce it (or do
>> not see it).
>> In my opinion, this patch can be merged straight away.
>
> But I can reproduce it. OpenSSH 8.2p1 doesn't ask for the credentials and simply closes the connection on i586.
>
> Tested as update and on a new i586 flashimage
>
> I think I have to revert it...
>
> Arne
diff --git a/config/rootfiles/common/openssh b/config/rootfiles/common/openssh index b41190a47..f2f8ea6c5 100644 --- a/config/rootfiles/common/openssh +++ b/config/rootfiles/common/openssh @@ -21,6 +21,7 @@ usr/bin/ssh-keyscan usr/lib/openssh/sftp-server usr/lib/openssh/ssh-keysign usr/lib/openssh/ssh-pkcs11-helper +usr/lib/openssh/ssh-sk-helper usr/sbin/sshd #usr/share/man/man1/scp.1 #usr/share/man/man1/sftp.1 @@ -35,4 +36,5 @@ usr/sbin/sshd #usr/share/man/man8/sftp-server.8 #usr/share/man/man8/ssh-keysign.8 #usr/share/man/man8/ssh-pkcs11-helper.8 +#usr/share/man/man8/ssh-sk-helper.8 #usr/share/man/man8/sshd.8 diff --git a/lfs/openssh b/lfs/openssh index 64e72d654..68a7d63cd 100644 --- a/lfs/openssh +++ b/lfs/openssh @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2019 IPFire Team <info@ipfire.org> # +# Copyright (C) 2007-2020 IPFire Team <info@ipfire.org> # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@ include Config -VER = 8.1p1 +VER = 8.2p1 THISAPP = openssh-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 513694343631a99841e815306806edf0 +$(DL_FILE)_MD5 = 3076e6413e8dbe56d33848c1054ac091 install : $(TARGET)
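Review bot: In config/rootfiles/common/openssh (hunk @@ -21,6 +21,7 @@), the new entry usr/lib/openssh/ssh-sk-helper is shipped without any word on whether the security-key (FIDO/U2F) support this helper serves is enabled in the build. The lfs/openssh hunks in this patch touch only the copyright year, VER and the MD5 value, so nothing here shows it. Please say in the commit message whether the helper is meant to be functional on IPFire; if it is not, leave the rootfile entry commented out, as is done for its man page in the hunk at @@ -35,4 +36,5 @@.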
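Review bot: The version bump in lfs/openssh (hunk @@ -24,7 +24,7 @@, VER = 8.2p1) relies on the commit message's statement that no additional patching was required for login to work, but the message does not say on which architectures a login was actually tested. A later reply in this thread reports that the connection is closed without a credentials prompt on i586, so the commit message should list the architectures on which login was verified before the bump is merged.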
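Review bot: In lfs/openssh (hunk @@ -40,7 +40,7 @@), the new tarball is pinned only by $(DL_FILE)_MD5, and MD5 is not collision resistant. The commit message already links the upstream release announcement; please note there that the download was checked against the checksums or signature that upstream publishes, so that the MD5 value is not the only evidence that openssh-8.2p1.tar.gz is the genuine release.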