git: 7b31ce1eeeb4 - main - security/openssh-portable: Bring in patches for recent CVES
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Tue, 02 Jul 2024 16:11:32 UTC
The branch main has been updated by bdrewery: URL: https://cgit.FreeBSD.org/ports/commit/?id=7b31ce1eeeb40098b213a153e10530a196b52322 commit 7b31ce1eeeb40098b213a153e10530a196b52322 Author: Bryan Drewery <bdrewery@FreeBSD.org> AuthorDate: 2024-07-02 16:08:13 +0000 Commit: Bryan Drewery <bdrewery@FreeBSD.org> CommitDate: 2024-07-02 16:08:13 +0000 security/openssh-portable: Bring in patches for recent CVES Source: https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-July/041431.html PR: 280068 --- security/openssh-portable/Makefile | 2 +- security/openssh-portable/files/patch-9.8-cves | 56 ++++++++++++++++++++++++++ 2 files changed, 57 insertions(+), 1 deletion(-) diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile index 5cf4aa38d3e3..9b1d44580f94 100644 --- a/security/openssh-portable/Makefile +++ b/security/openssh-portable/Makefile @@ -1,6 +1,6 @@ PORTNAME= openssh DISTVERSION= 9.7p1 -PORTREVISION= 1 +PORTREVISION= 2 PORTEPOCH= 1 CATEGORIES= security MASTER_SITES= OPENBSD/OpenSSH/portable diff --git a/security/openssh-portable/files/patch-9.8-cves b/security/openssh-portable/files/patch-9.8-cves new file mode 100644 index 000000000000..2e47d586edcd --- /dev/null +++ b/security/openssh-portable/files/patch-9.8-cves @@ -0,0 +1,56 @@ +https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-July/041431.html + +Damien Miller djm at mindrot.org +Mon Jul 1 18:21:11 AEST 2024 +Previous message (by thread): Announce: OpenSSH 9.8 released +Next message (by thread): Announce: OpenSSH 9.8 released +Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] +Hi, + +Regarding the race condition fixed in OpenSSH 9.8. A mitigation to +prevent exploitation of this bug is to disable the login grace timer +by setting LoginGraceTime=0 in sshd_config. This will however make +it much easier for an attacker to deny service to sshd. + +Similarly, the much more minor keystroke timing bug can be avoided +by disabling the feature using ObscureKeystrokeTiming=0. + +Some users will understandably prefer to patch their OpenSSH rather +than upgrade to the newest version, so here are minimal patches for +both problems. + +1) Critical race condition in sshd + +2) Minor logic error in ObscureKeystrokeTiming + +--- log.c.orig 2024-07-02 09:05:35.023051000 -0700 ++++ log.c 2024-07-02 09:05:54.881067000 -0700 +@@ -451,12 +451,14 @@ sshsigdie(const char *file, const char *func, int line + sshsigdie(const char *file, const char *func, int line, int showfunc, + LogLevel level, const char *suffix, const char *fmt, ...) + { ++#ifdef SYSLOG_R_SAFE_IN_SIGHAND + va_list args; + + va_start(args, fmt); + sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL, + suffix, fmt, args); + va_end(args); ++#endif + _exit(1); + } + +--- clientloop.c.orig 2024-07-02 09:06:09.736347000 -0700 ++++ clientloop.c 2024-07-02 09:06:41.414979000 -0700 +@@ -608,8 +608,9 @@ obfuscate_keystroke_timing(struct ssh *ssh, struct tim + if (timespeccmp(&now, &chaff_until, >=)) { + /* Stop if there have been no keystrokes for a while */ + stop_reason = "chaff time expired"; +- } else if (timespeccmp(&now, &next_interval, >=)) { +- /* Otherwise if we were due to send, then send chaff */ ++ } else if (timespeccmp(&now, &next_interval, >=) && ++ !ssh_packet_have_data_to_write(ssh)) { ++ /* If due to send but have no data, then send chaff */ + if (send_chaff(ssh)) + nchaff++; + }