-
Thu Jul 20 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-34
- Avoid remote code execution in ssh-agent PKCS#11 support
Resolves: CVE-2023-38408
-
Tue Jun 13 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-33
- Allow specifying validity interval in UTC
Resolves: rhbz#2115043
-
Wed May 24 2023 Norbert Pocs <npocs@redhat.com> - 8.7p1-32
- Fix pkcs11 issue with the recent changes
- Delete unnecessary log messages from previous compl-dh patch
- Add ssh_config man page explanation on rhbz#2068423
- Resolves: rhbz#2207793, rhbz#2209096
-
Tue May 16 2023 Norbert Pocs <npocs@redhat.com> - 8.7p1-31
- Fix minor issues with openssh-8.7p1-evp-fips-compl-dh.patch:
- Check return values
- Use EVP API to get the size of DH
- Add some log debug lines
- Related: rhbz#2091694
-
Thu Apr 20 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-30
- Some non-terminating processes were listening on ports.
Resolves: rhbz#2177768
- On sshd startup, we check whether signing using the SHA1 for signing is
available and don't use it when it isn't.
- On ssh private key conversion we explicitly use SHA2 for testing RSA keys.
- In sshd, when SHA1 signatures are unavailable, we fallback (fall forward :) )
to SHA2 on host keys proof confirmation.
- On a client side we permit SHA2-based proofs from server when requested SHA1
proof (or didn't specify the hash algorithm that implies SHA1 on the client
side). It is aligned with already present exception for RSA certificates.
- We fallback to SHA2 if SHA1 signatures is not available on the client side
(file sshconnect2.c).
- We skip dss-related tests (they don't work without SHA1).
Resolves: rhbz#2070163
- FIPS compliance efforts for dh, ecdh and signing
Resolves: rhbz#2091694
-
Thu Apr 06 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-29
- Resolve possible self-DoS with some clients
Resolves: rhbz#2186473
-
Thu Jan 12 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-28
- Do not try to use SHA1 for host key ownership proof when we don't support it server-side
Resolves: rhbz#2088750
-
Thu Jan 12 2023 Zoltan Fridrich <zfridric@redhat.com> - 8.7p1-27
- Add sk-dummy subpackage for test purposes
Resolves: rhbz#2092780
-
Fri Jan 06 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-26
- Fix one-byte overflow in SSH banner processing
Resolves: rhbz#2138345
- Fix double free() in error path
Resolves: rhbz#2138347
-
Fri Dec 16 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-25
- Build fix after OpenSSL rebase
Resolves: rhbz#2153626