wiki/docs/packages/openssh.md

# Override package: openssh

## EL9

- Version `8.7p1-38.4.el9_4.security.0.9`
- Based on `8.7p1-38.el9_4.4`

### Changes summary

- Instead of linking against `libsystemd`, load it dynamically in a temporary child process to avoid polluting actual `sshd`'s address space with that library and its many dependencies (shortens `ldd sshd` output from 28 to 20 lines)
- Build without Kerberos support (further shortens `ldd sshd` from 20 to 13 lines)
- Fix [CVE-2024-6409](../issues/CVE-2024-6409.md)

### Change log

```
* Wed Jul 17 2024 Solar Designer <solar@openwall.com> 8.7p1-38.4.el9_4.security.0.9
- Patch the code to silently ignore GSSAPIKeyExchange when unsupported

* Wed Jul 17 2024 Solar Designer <solar@openwall.com> 8.7p1-38.4.el9_4.security.0.8
- Rebase on 8.7p1-38.4

* Mon Jul 08 2024 Solar Designer <solar@openwall.com> 8.7p1-38.1.el9_4.security.0.7
- Fix CVE-2024-6409

* Mon Jul 08 2024 Solar Designer <solar@openwall.com> 8.7p1-38.1.el9_4.security.0.6
- Rebase on 8.7p1-38.1

* Mon Jul 01 2024 Solar Designer <solar@openwall.com> 8.7p1-38.el9_4.security.0.5
- Fix CVE-2024-6387 regreSSHion

* Mon May 20 2024 Solar Designer <solar@openwall.com> 8.7p1-38.el9_4.security.0.4
- Rebase on 8.7p1-38

* Sat Mar 16 2024 Solar Designer <solar@openwall.com> 8.7p1-34.3.el9_3.security.0.3
- Comment out GSSAPI* lines in /etc/ssh/ssh*_config.d/50-redhat.conf and patch
  the code to silently ignore GSSAPIKexAlgorithms when unsupported (like it is
  in our new without-Kerberos build)

* Mon Mar 11 2024 Solar Designer <solar@openwall.com> 8.7p1-34.3.el9_3.security.0.2
- Rebase 8.7p1-34.el9_3.security.0.1 on 8.7p1-34.3
- Build without Kerberos support (shortens "ldd sshd" from 20 to 13 lines)

* Wed Nov 22 2023 Solar Designer <solar@openwall.com> 8.7p1-34.el9_3.security.0.1
- Rebase 8.7p1-30.el9.security.0.2 on 8.7p1-34

* Sat Oct 07 2023 Solar Designer <solar@openwall.com> 8.7p1-30.el9.security.0.2
- Load libsystemd.so.0, not libsystemd.so, as the latter is only provided by
  systemd-devel

* Mon Aug 28 2023 Solar Designer <solar@openwall.com> 8.7p1-30.el9.security.0.1
- Instead of linking against libsystemd, load it dynamically in a temporary
  child process to avoid polluting actual sshd's address space with that
  library and its many dependencies (shortens "ldd sshd" from 28 to 20 lines)
```
Add per-package pages 2023-10-13 19:37:48 +00:00			`# Override package: openssh`

			`## EL9`

openssh 8.7p1-38.4.el9_4.security.0.9 2024-08-07 14:05:55 +00:00			- Version `8.7p1-38.4.el9_4.security.0.9`
			- Based on `8.7p1-38.el9_4.4`
Add per-package pages 2023-10-13 19:37:48 +00:00
			`### Changes summary`

			- Instead of linking against `libsystemd`, load it dynamically in a temporary child process to avoid polluting actual `sshd`'s address space with that library and its many dependencies (shortens `ldd sshd` output from 28 to 20 lines)
openssh-8.7p1-34.3.el9_3.security.0.2 2024-03-11 18:12:15 +00:00			- Build without Kerberos support (further shortens `ldd sshd` from 20 to 13 lines)
openssh 8.7p1-38.1.el9_4.security.0.7 2024-07-08 18:44:12 +00:00			`- Fix [CVE-2024-6409](../issues/CVE-2024-6409.md)`
Add per-package pages 2023-10-13 19:37:48 +00:00
			`### Change log`

			```
openssh 8.7p1-38.4.el9_4.security.0.9 2024-08-07 14:05:55 +00:00			`* Wed Jul 17 2024 Solar Designer <solar@openwall.com> 8.7p1-38.4.el9_4.security.0.9`
			`- Patch the code to silently ignore GSSAPIKeyExchange when unsupported`

			`* Wed Jul 17 2024 Solar Designer <solar@openwall.com> 8.7p1-38.4.el9_4.security.0.8`
			`- Rebase on 8.7p1-38.4`

openssh 8.7p1-38.1.el9_4.security.0.7 2024-07-08 18:44:12 +00:00			`* Mon Jul 08 2024 Solar Designer <solar@openwall.com> 8.7p1-38.1.el9_4.security.0.7`
			`- Fix CVE-2024-6409`

			`* Mon Jul 08 2024 Solar Designer <solar@openwall.com> 8.7p1-38.1.el9_4.security.0.6`
			`- Rebase on 8.7p1-38.1`

openssh 8.7p1-38.el9_4.security.0.5 2024-07-01 11:12:16 +00:00			`* Mon Jul 01 2024 Solar Designer <solar@openwall.com> 8.7p1-38.el9_4.security.0.5`
			`- Fix CVE-2024-6387 regreSSHion`

openssh 8.7p1-38.el9_4.security.0.4 2024-05-20 20:08:55 +00:00			`* Mon May 20 2024 Solar Designer <solar@openwall.com> 8.7p1-38.el9_4.security.0.4`
			`- Rebase on 8.7p1-38`

openssh-8.7p1-34.3.el9_3.security.0.3 2024-03-16 21:25:53 +00:00			`* Sat Mar 16 2024 Solar Designer <solar@openwall.com> 8.7p1-34.3.el9_3.security.0.3`
			`- Comment out GSSAPI* lines in /etc/ssh/ssh*_config.d/50-redhat.conf and patch`
			`the code to silently ignore GSSAPIKexAlgorithms when unsupported (like it is`
			`in our new without-Kerberos build)`

openssh-8.7p1-34.3.el9_3.security.0.2 2024-03-11 18:12:15 +00:00			`* Mon Mar 11 2024 Solar Designer <solar@openwall.com> 8.7p1-34.3.el9_3.security.0.2`
			`- Rebase 8.7p1-34.el9_3.security.0.1 on 8.7p1-34.3`
			`- Build without Kerberos support (shortens "ldd sshd" from 20 to 13 lines)`

openssh-8.7p1-34.el9_3.security.0.1 2023-11-25 12:53:01 +00:00			`* Wed Nov 22 2023 Solar Designer <solar@openwall.com> 8.7p1-34.el9_3.security.0.1`
			`- Rebase 8.7p1-30.el9.security.0.2 on 8.7p1-34`

Add per-package pages 2023-10-13 19:37:48 +00:00			`* Sat Oct 07 2023 Solar Designer <solar@openwall.com> 8.7p1-30.el9.security.0.2`
			`- Load libsystemd.so.0, not libsystemd.so, as the latter is only provided by`
			`systemd-devel`

			`* Mon Aug 28 2023 Solar Designer <solar@openwall.com> 8.7p1-30.el9.security.0.1`
			`- Instead of linking against libsystemd, load it dynamically in a temporary`
			`child process to avoid polluting actual sshd's address space with that`
			`library and its many dependencies (shortens "ldd sshd" from 28 to 20 lines)`
			```