git: 30eacf0342 - main - Add SA-24:04.openssh.
Date: Mon, 01 Jul 2024 08:45:47 UTC
The branch main has been updated by gordon: URL: https://cgit.FreeBSD.org/doc/commit/?id=30eacf03429eea77dc38d4d718a544dc5d5c1514 commit 30eacf03429eea77dc38d4d718a544dc5d5c1514 Author: Gordon Tetlow <gordon@FreeBSD.org> AuthorDate: 2024-07-01 08:45:13 +0000 Commit: Gordon Tetlow <gordon@FreeBSD.org> CommitDate: 2024-07-01 08:45:13 +0000 Add SA-24:04.openssh. Approved by: so --- website/data/security/advisories.toml | 4 + .../advisories/FreeBSD-SA-24:04.openssh.asc | 172 +++++++++++++++++++++ .../security/patches/SA-24:04/openssh-13.2.patch | 25 +++ .../patches/SA-24:04/openssh-13.2.patch.asc | 16 ++ .../security/patches/SA-24:04/openssh-13.3.patch | 25 +++ .../patches/SA-24:04/openssh-13.3.patch.asc | 16 ++ .../security/patches/SA-24:04/openssh-14.0.patch | 25 +++ .../patches/SA-24:04/openssh-14.0.patch.asc | 16 ++ .../security/patches/SA-24:04/openssh-14.1.patch | 25 +++ .../patches/SA-24:04/openssh-14.1.patch.asc | 16 ++ 10 files changed, 340 insertions(+) diff --git a/website/data/security/advisories.toml b/website/data/security/advisories.toml index d2a4603d5f..d0945c9078 100644 --- a/website/data/security/advisories.toml +++ b/website/data/security/advisories.toml @@ -1,6 +1,10 @@ # Sort advisories by year, month and day # $FreeBSD$ +[[advisories]] +name = "FreeBSD-SA-24:04.openssh" +date = "2024-07-01" + [[advisories]] name = "FreeBSD-SA-24:03.unbound" date = "2024-03-28" diff --git a/website/static/security/advisories/FreeBSD-SA-24:04.openssh.asc b/website/static/security/advisories/FreeBSD-SA-24:04.openssh.asc new file mode 100644 index 0000000000..faa443d6d0 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-24:04.openssh.asc 
@@ -0,0 +1,172 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-24:04.openssh Security Advisory + The FreeBSD Project + +Topic: OpenSSH pre-authentication remote code execution + +Category: contrib +Module: openssh +Announced: 2024-07-01 +Credits: Qualys Threat Research Unit (TRU) +Affects: All supported versions of FreeBSD. +Corrected: 2024-07-01 08:22:13 UTC (stable/14, 14.1-STABLE) + 2024-07-01 08:24:48 UTC (releng/14.1, 14.1-RELEASE-p2) + 2024-07-01 08:26:05 UTC (releng/14.0, 14.0-RELEASE-p8) + 2024-07-01 08:23:16 UTC (stable/13, 13.3-STABLE) + 2024-07-01 08:27:10 UTC (releng/13.3, 13.3-RELEASE-p4) + 2024-07-01 08:27:53 UTC (releng/13.2, 13.2-RELEASE-p12) +CVE Name: CVE-2024-6387 + +Note: Due to the fact this advisory is being released the day after +13.2-RELEASE is going out of support, the Security Team has decided to +include 13.2-RELEASE in the response for this issue. + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +OpenSSH is an implementation of the SSH protocol suite, providing an +encrypted and authenticated transport for a variety of services, including +remote shell access. + +II. Problem Description + +A signal handler in sshd(8) calls a function that is not async-signal-safe. +The signal handler is invoked when a client does not authenticate within the +LoginGraceTime seconds (120 by default). This signal handler executes in the +context of the sshd(8)'s privileged code, which is not sandboxed and runs +with full root privileges. + +This issue is a regression of CVE-2006-5051 originally reported by Mark Dowd +and accidentally reintroduced in OpenSSH 8.5p1. + +III. 
Impact + +As a result of calling functions that are not async-signal-safe in the +privileged sshd(8) context, a race condition exists that a determined +attacker may be able to exploit to allow an unauthenticated remote code +execution as root. + +IV. Workaround + +If sshd(8) cannot be updated, this signal handler race condition can be +mitigated by setting LoginGraceTime to 0 in /etc/ssh/sshd_config and +restarting sshd(8). This makes sshd(8) vulnerable to a denial of service +(the exhaustion of all MaxStartups connections), but makes it safe from the +remote code execution presented in this advisory. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) +utility: + +# freebsd-update fetch +# freebsd-update install +# service sshd restart + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. 
+ +[FreeBSD 14.1] +# fetch https://security.FreeBSD.org/patches/SA-24:04/openssh-14.1.patch +# fetch https://security.FreeBSD.org/patches/SA-24:04/openssh-14.1.patch.asc +# gpg --verify openssh-14.1.patch.asc + +[FreeBSD 14.0] +# fetch https://security.FreeBSD.org/patches/SA-24:04/openssh-14.0.patch +# fetch https://security.FreeBSD.org/patches/SA-24:04/openssh-14.0.patch.asc +# gpg --verify openssh-14.0.patch.asc + +[FreeBSD 13.3] +# fetch https://security.FreeBSD.org/patches/SA-24:04/openssh-13.3.patch +# fetch https://security.FreeBSD.org/patches/SA-24:04/openssh-13.3.patch.asc +# gpg --verify openssh-13.3.patch.asc + +[FreeBSD 13.2] +# fetch https://security.FreeBSD.org/patches/SA-24:04/openssh-13.2.patch +# fetch https://security.FreeBSD.org/patches/SA-24:04/openssh-13.2.patch.asc +# gpg --verify openssh-13.2.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +Restart the applicable daemons, or reboot the system. + +VI. 
Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/14/ 620a6a54bb7b stable/14-n268045 +releng/14.1/ 8f80def8aa08 releng/14.1-n267683 +releng/14.0/ 70eb00f17b31 releng/14.0-n265420 +stable/13/ 25cf430cd551 stable/13-n258037 +releng/13.3/ e3e0912f2977 releng/13.3-n257437 +releng/13.2/ 99ad94894edf releng/13.2-n254666 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing NNNNNN with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. References + +<URL:https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt> + +<URL:https://www.cve.org/CVERecord?id=CVE-2006-5051> + +<URL:https://www.cve.org/CVERecord?id=CVE-2024-6387> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-24:04.openssh.asc> +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmaCa5QACgkQbljekB8A +Gu8E9hAA2tYE3vcgDNMnsy9Rw5CR8uJWkCAPk4Pd1RvJlYlCFmC4XASukA6DHdv5 +Zym13OwC7wO3ak4u819y052Iia7fOCzkdg/MWODvao3v8BOjXcOZjtSCgCsh50Om +NNStF5Bhl4l7FwggZqYgo5+6XafjzjU4NbdiCH4Y4qN8VkQwCoHLozfl7X6/XwyE +0LRCL9IzS2lpoqsMvOBOYkS1U1/arEsjWrY0XrDtA30r1zGkkZQ2DKLPWhxGM2wR +/ImPpWiINxfVq0u55ubZCm9g3JqnXJVBQ41wo44wdW4R98WabvqQgKDLfxwMlhTc +rKlg/JARehrYpPC1d0+PN2RaQUkAucjlxSFjnb3UOt0o0w3FqWB03u9IB7Q7PFya +O7S4+WNyEJZiex9Ef1C/ea3ewfx9AMfaWYj+t2yYZjy5oXgZHk4EpoWsOqNDgmC7 +bOlFMPeMoxczXkjqiCmsrODho3w8oEo/I111ovo8Sc6tS+13/Tioy9ZSrgdpIVrV 
+DGItqasOXmVaHdatkY/DJ6f2buWlpZ3GTadAB5R+sixe/t3s583jV1Hktjb5NY4M +N8y+TEpf5wf/yn9Z/Ub52JQPQDy1qAwICjWPpdYXligYFMV2vy4XZCptnldttz3y +gz+2coOund99MGmxpyAm6NVtpVvVpRfjeVFbcqmzxF+35qXsl8w= +=Zcol +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/SA-24:04/openssh-13.2.patch b/website/static/security/patches/SA-24:04/openssh-13.2.patch new file mode 100644 index 0000000000..76ccf6b71d --- /dev/null +++ b/website/static/security/patches/SA-24:04/openssh-13.2.patch @@ -0,0 +1,25 @@ +--- crypto/openssh/log.c.orig ++++ crypto/openssh/log.c +@@ -451,12 +451,14 @@ + sshsigdie(const char *file, const char *func, int line, int showfunc, + LogLevel level, const char *suffix, const char *fmt, ...) + { ++#if 0 + va_list args; + + va_start(args, fmt); + sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL, + suffix, fmt, args); + va_end(args); ++#endif + _exit(1); + } + +--- crypto/openssh/version.h.orig ++++ crypto/openssh/version.h +@@ -5,4 +5,4 @@ + #define SSH_PORTABLE "p2" + #define SSH_RELEASE SSH_VERSION SSH_PORTABLE + +-#define SSH_VERSION_FREEBSD "FreeBSD-20230719" ++#define SSH_VERSION_FREEBSD "FreeBSD-20240701" diff --git a/website/static/security/patches/SA-24:04/openssh-13.2.patch.asc b/website/static/security/patches/SA-24:04/openssh-13.2.patch.asc new file mode 100644 index 0000000000..b05c3ef8c6 --- /dev/null +++ b/website/static/security/patches/SA-24:04/openssh-13.2.patch.asc 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmaCa50ACgkQbljekB8A +Gu+e9xAA4g9l5lGA5pmUl0WYKfPWo0UwQxcAkS2rTdXqsbFhg2OgwHoRQkCvrcPq +85BaFGGDQ0yQz1f0nXqWZ3iIVHP4++/jr7Nibq1CxOb0VPiSzo6vHyPqXeuGPVSB +Wu9RqQ4w4pTICkCFkBj5xwBHnR1lxMV9dzD0UNClmQB6pXS/PnEDLJgeIfjLG1zg +ZcYcWyxwItlqOf8Qw1OGGqNXpjycAbZwwB2IwQGZbUxpwC/DEGwESfPk+cfvSBqm +VqI7PyfHQ6mb+yzU/h6CcJFLCmp83uRvN3/aL+8FAeO/9nzDriY8Lh5v4IX3vMaV +T2rV0q9UAk78rUywpUyH1MHqK7y9mALTtuoDreyTxQotTaw07jE6EpzzScUsQ/bf +CfzFKs04zg2hSS9HAmV+SNmvoBNlxZCN0r0Oi7xCs3w115yucCt6ggoOLooLhMYG +C+JCwZlu5hhOvso15SjViSwlScxoyPbMzsXc0hDvWcgTd0I4SvPRXLde3kDkftUx +e+eVtvgezPI/Dpbap9WlHvz5P5kWizt7KxTIV7wIds+kSftNIK1ly6+ANTSDS1Pi +DjnJX403pQXjTDe7EjQvRZ4XfDYrdu5VjeUgaBHTbhyIMa2tbdNxTpVeJ51NcMkH +cYKEVuLgnnuPXxOzsQe0LCWiecA4Zu27Gf2+c3Mcm2gWe39lD3E= +=9+5+ +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/SA-24:04/openssh-13.3.patch b/website/static/security/patches/SA-24:04/openssh-13.3.patch new file mode 100644 index 0000000000..79a3f5f05e --- /dev/null +++ b/website/static/security/patches/SA-24:04/openssh-13.3.patch @@ -0,0 +1,25 @@ +--- crypto/openssh/log.c.orig ++++ crypto/openssh/log.c +@@ -451,12 +451,14 @@ + sshsigdie(const char *file, const char *func, int line, int showfunc, + LogLevel level, const char *suffix, const char *fmt, ...) + { ++#if 0 + va_list args; + + va_start(args, fmt); + sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL, + suffix, fmt, args); + va_end(args); ++#endif + _exit(1); + } + +--- crypto/openssh/version.h.orig ++++ crypto/openssh/version.h +@@ -5,4 +5,4 @@ + #define SSH_PORTABLE "p1" + #define SSH_RELEASE SSH_VERSION SSH_PORTABLE + +-#define SSH_VERSION_FREEBSD "FreeBSD-20240104" ++#define SSH_VERSION_FREEBSD "FreeBSD-20240701" diff --git a/website/static/security/patches/SA-24:04/openssh-13.3.patch.asc b/website/static/security/patches/SA-24:04/openssh-13.3.patch.asc new file mode 100644 index 0000000000..f913074526 --- /dev/null 
+++ b/website/static/security/patches/SA-24:04/openssh-13.3.patch.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmaCa50ACgkQbljekB8A +Gu+ZOBAA4jpr0cTMKkVM4W2gmJ+9Oal4e0vR0feTBnyUlNAU7x7fRdzKke3zgMnZ +jLQks9voO52NkRuMkv/1dZxWdCIOle9eJHe1IgouoKbc1S2bp0NgPlrvePVs7ikR +bScCsuYKHozQbvj5zpEp49DIdu1eIPZ9pMH+G7NzvvD/jQoOa7d+tPxdRuDDw9bW +3U63BmxcWkf52/v3LLM9neCXd/5C1to53t4s/+QCHzbO13K9jHKu81RsDKbeyXT9 +VKgKER30mDnEO5q7MLwsZdzQEoKXKXE1W2jKpgw5ZK9rh+TD/sFVVwCkclVAXWNV +6CnbGUlm4NB24T4EETNsbrwnsjo54ORSxaXG/fUm7v3MDJrmTpahvESgppYmC51h +B8pLZtlTGYGc+7cH4MHQJrTGizG50cu5EQYW8zKhKWQOReDehTxY9ihUhcaz+m3h +LB2bAslsG4p09GUTYOJo9SPQ76lEwhMVP2jxdIRnNU02G1rqrxbo6075xDzyKHiZ +G5jfhyh0USKovAWWZJgM0KwnUDemogM0psDI7MWUa3T75xDaOLKVDXD4Q8hiVD7D +4svljDmjf+pHqWAvHhWOa1raNtxUpJ+tk3ACRlLufBQyQ5JA5BwJ2SEzCEZslQuh +mEKaY/TPp6tdALa5yOz3je/dGMLI45ZTVVzpr6PXJ9ixjQZGUSo= +=ZlwG +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/SA-24:04/openssh-14.0.patch b/website/static/security/patches/SA-24:04/openssh-14.0.patch new file mode 100644 index 0000000000..e5776e6297 --- /dev/null +++ b/website/static/security/patches/SA-24:04/openssh-14.0.patch @@ -0,0 +1,25 @@ +--- crypto/openssh/log.c.orig ++++ crypto/openssh/log.c +@@ -451,12 +451,14 @@ + sshsigdie(const char *file, const char *func, int line, int showfunc, + LogLevel level, const char *suffix, const char *fmt, ...) + { ++#if 0 + va_list args; + + va_start(args, fmt); + sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL, + suffix, fmt, args); + va_end(args); ++#endif + _exit(1); + } + +--- crypto/openssh/version.h.orig ++++ crypto/openssh/version.h +@@ -5,4 +5,4 @@ + #define SSH_PORTABLE "p1" + #define SSH_RELEASE SSH_VERSION SSH_PORTABLE + +-#define SSH_VERSION_FREEBSD "FreeBSD-20231004" ++#define SSH_VERSION_FREEBSD "FreeBSD-20240701" 
diff --git a/website/static/security/patches/SA-24:04/openssh-14.0.patch.asc b/website/static/security/patches/SA-24:04/openssh-14.0.patch.asc new file mode 100644 index 0000000000..975eb0722f --- /dev/null +++ b/website/static/security/patches/SA-24:04/openssh-14.0.patch.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmaCa54ACgkQbljekB8A +Gu+ZbA/9H8DQNNO4MFXq8Hl2McnZLB3imXY++/L8ip27zY2kYk55AKiMG6dAo57p +2ERz+HfCpOtC4FbVPTlvtxJRgjhCB35XF8of+7O+ncZRm1uGtujZlhDVA+EWuceE +cKhMMr7enge1F3lpjcT5LmwetktGD3J/t3Z6mpSwydQOb7oaWopQ7lCm6UQu50Op +iyHOiAmLXoUQTw2uayCELWK3yhh+tshB/+OkJxCniB5UwMq32qrWvdH6JS3hRmzy +t+qeRP3IlH9wK4/j+fbXgudplxTwAerSB33q+3IlSBKdXBBh8essGsgieE7NNLr8 +xoiZAGkCcVi/hk5ByO6GnuyLsqc/sD2Y71iNq/2Ykn0no12Ukd1h358TJraWlH1r +Fd6lE1/qMKl8dp1KD6X0cK4mTcCYqzOzfOHYtR7/NI+0s9nFge7HCEaFRZ8iZn9H +akY6ktQvFNVUvZKG+OkYWf7yzhuxp8WCXxlm1+gy09guiwSCVCZOJfsi0+iE30oD +QVbvwudOsiNTEd/6wD+lW4fNpXRn0+TYi0i5rUutZxg6bpXJaseSvUue0rB7SMEF +F+JfB99POkk4MwUM3BOzAjphmDQSu2j0LgI8jvqeP4YjVemBi0hbzciv2Qx74Ycd +q53i2fxWMqWQSWN4X/3pj6/9Zxr5Uh5FATij1Eq9fZFGxiozfLE= +=Djd4 +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/SA-24:04/openssh-14.1.patch b/website/static/security/patches/SA-24:04/openssh-14.1.patch new file mode 100644 index 0000000000..bf837d641e --- /dev/null +++ b/website/static/security/patches/SA-24:04/openssh-14.1.patch 
@@ -0,0 +1,25 @@ +--- crypto/openssh/log.c.orig ++++ crypto/openssh/log.c +@@ -451,12 +451,14 @@ + sshsigdie(const char *file, const char *func, int line, int showfunc, + LogLevel level, const char *suffix, const char *fmt, ...) + { ++#if 0 + va_list args; + + va_start(args, fmt); + sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL, + suffix, fmt, args); + va_end(args); ++#endif + _exit(1); + } + +--- crypto/openssh/version.h.orig ++++ crypto/openssh/version.h +@@ -5,4 +5,4 @@ + #define SSH_PORTABLE "p1" + #define SSH_RELEASE SSH_VERSION SSH_PORTABLE + +-#define SSH_VERSION_FREEBSD "FreeBSD-20240318" ++#define SSH_VERSION_FREEBSD "FreeBSD-20240701" diff --git a/website/static/security/patches/SA-24:04/openssh-14.1.patch.asc b/website/static/security/patches/SA-24:04/openssh-14.1.patch.asc new file mode 100644 index 0000000000..872149c3b3 --- /dev/null +++ b/website/static/security/patches/SA-24:04/openssh-14.1.patch.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmaCa58ACgkQbljekB8A +Gu+BXw//eLmEY6RPG3Y6oM1ddxGtN2Ori7L6fGigwQBdLNYTL0OJABunoU1rTyaR +u9VwVEwg55FNNV52YZz3yhWaaWpQ2mJgbrWTSzKUXJt0cAr/V6lXcZslAQWnOx76 +hfmkHR/eSJa8yOSrTetI8x4wSnqlxDv5AY5emJH9J1pjFAD7gOwxfAWUxaLdva49 +MBYg2xXxcDfrP8ASLFPeyM8rG29RmtxDlMWMvExoaDlKSaMTSvJwnkUYfXAe39H3 +3vLxoyJRggopj142JE/kbOEvptdF/sQJIyrnRFJwpeKbRzrJkQ+gjb/VuKVTTTrf +oJMswTPHe9gK56y47Pg2G+XoMC82+hCXqytVaQC1BsfFfZ+9Fx5b+pwXbgJybWx2 +lLzlWGEsX81b6mu4iJcpdGX1GNF94NzBfIiPm9Dsls6qISy/JZrdbh9rvaCjjlR4 +QO2h9Ci3m66/hpHsCZyg2zwG7ykSPAB12hkPsArKbHrPmfVGhTB79cs31baXRjcN +tYZF69fhsqnFMpOw7buKYbwO+JI61AU9pl08HkkhFDCbfE88lEivaGIoxcfQr9mE +tWcp4EI9XPryT9FpiOREKDK/aupTF/iEled31PflE8RICYn/XG6CqJszLu6P8+tZ +IXwcb7GiPWGu4fnZ35hqsSya6wPA81vP1DAHo9qq2C9q0/yFUgg= +=ZL11 +-----END PGP SIGNATURE-----
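Review bot: In section V of FreeBSD-SA-24:04.openssh.asc, step 2c of the source-patch path ends with "Restart the applicable daemons, or reboot the system" while the binary path spells out "# service sshd restart". An administrator following path 2 is not told that sshd(8) is the daemon that has to be restarted for the fix to take effect, so suggest naming it there as well. In step 2a, each "gpg --verify openssh-NN.N.patch.asc" line passes only the signature file and leaves gpg to find the patch by dropping the suffix; giving the patch file as a second argument would make explicit which file is being verified.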
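Review bot: In the log.c hunk of all four openssh-*.patch files, the "#if 0" / "#endif" pair around the sshlogv() call in sshsigdie() has no comment saying why the logging is compiled out. A later cleanup or upstream merge could drop the guard and put the call back into the signal handler path, which is the regression the advisory describes. Suggest a short comment above "#if 0" referencing SA-24:04 and CVE-2024-6387, or removing the dead lines outright. With the block disabled the function's parameters are unused and the fatal log entry for this path is no longer written before "_exit(1)"; the advisory does not mention that loss of logging and probably should.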
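Review bot: The version.h hunks change SSH_VERSION_FREEBSD to "FreeBSD-20240701" on all four branches while the SSH_PORTABLE context line stays as it was ("p2" in the 13.2 patch, "p1" in the others), so this string is the only marker in the patch that tells a fixed build from an unfixed one. The advisory text never mentions it. Suggest adding a line to section V or VI stating that a patched sshd(8) reports "FreeBSD-20240701", so administrators have something to check after the rebuild and restart.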