* [Buildroot] [PATCH 1/1] package/openssh: security bump to version 8.5p1
@ 2021-03-22 19:00 Fabrice Fontaine
2021-03-28 8:29 ` Yann E. MORIN
2021-03-29 19:53 ` Peter Korsgaard
0 siblings, 2 replies; 3+ messages in thread
From: Fabrice Fontaine @ 2021-03-22 19:00 UTC (permalink / raw)
To: buildroot
* ssh-agent(1): fixed a double-free memory corruption that was
introduced in OpenSSH 8.2 . We treat all such memory faults as
potentially exploitable. This bug could be reached by an attacker
with access to the agent socket.
On modern operating systems where the OS can provide information
about the user identity connected to a socket, OpenSSH ssh-agent
and sshd limit agent socket access only to the originating user
and root. Additional mitigation may be afforded by the system's
malloc(3)/free(3) implementation, if it detects double-free
conditions.
The most likely scenario for exploitation is a user forwarding an
agent either to an account shared with a malicious user or to a
host with an attacker holding root access.
* Portable sshd(8): Prevent excessively long username going to PAM.
This is a mitigation for a buffer overflow in Solaris' PAM username
handling (CVE-2020-14871), and is only enabled for Sun-derived PAM
implementations. This is not a problem in sshd itself, it only
prevents sshd from being used as a vector to attack Solaris' PAM.
It does not prevent the bug in PAM from being exploited via some
other PAM application. GHPR#212
Also license has been updated to add some openbsd-compat licenses:
https://github.com/openssh/openssh-portable/commit/922cfac5ed5ead9f796f7d39f012dd653dc5c173
https://www.openssh.com/txt/release-8.5
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
package/openssh/openssh.hash | 6 +++---
package/openssh/openssh.mk | 10 ++++++----
2 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/package/openssh/openssh.hash b/package/openssh/openssh.hash
index 840467f50a..c50a49896c 100644
--- a/package/openssh/openssh.hash
+++ b/package/openssh/openssh.hash
@@ -1,4 +1,4 @@
-# From https://www.openssh.com/txt/release-8.4 (base64 encoded)
-sha256 5a01d22e407eb1c05ba8a8f7c654d388a13e9f226e4ed33bd38748dafa1d2b24 openssh-8.4p1.tar.gz
+# From https://www.openssh.com/txt/release-8.5 (base64 encoded)
+sha256 f52f3f41d429aa9918e38cf200af225ccdd8e66f052da572870c89737646ec25 openssh-8.5p1.tar.gz
# Locally calculated
-sha256 73d0db766229670c7b4e1ec5e6baed54977a0694a565e7cc878c45ee834045d7 LICENCE
+sha256 432abf7480fb31473a6706627212913fc70032e3fb71b90fecb28ae26a2d741d LICENCE
diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
index 64e3084ca1..055c024cab 100644
--- a/package/openssh/openssh.mk
+++ b/package/openssh/openssh.mk
@@ -4,11 +4,13 @@
#
################################################################################
-OPENSSH_VERSION = 8.4p1
-OPENSSH_CPE_ID_VERSION = 8.4
-OPENSSH_CPE_ID_UPDATE = p1
+OPENSSH_VERSION_MAJOR = 8.5
+OPENSSH_VERSION_MINOR = p1
+OPENSSH_VERSION = $(OPENSSH_VERSION_MAJOR)$(OPENSSH_VERSION_MINOR)
+OPENSSH_CPE_ID_VERSION = $(OPENSSH_VERSION_MAJOR)
+OPENSSH_CPE_ID_UPDATE = $(OPENSSH_VERSION_MINOR)
OPENSSH_SITE = http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable
-OPENSSH_LICENSE = BSD-3-Clause, BSD-2-Clause, Public Domain
+OPENSSH_LICENSE = BSD-4-Clause, BSD-3-Clause, BSD-2-Clause, Public Domain
OPENSSH_LICENSE_FILES = LICENCE
OPENSSH_CONF_ENV = \
LD="$(TARGET_CC)" \
--
2.30.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [Buildroot] [PATCH 1/1] package/openssh: security bump to version 8.5p1
2021-03-22 19:00 [Buildroot] [PATCH 1/1] package/openssh: security bump to version 8.5p1 Fabrice Fontaine
@ 2021-03-28 8:29 ` Yann E. MORIN
2021-03-29 19:53 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Yann E. MORIN @ 2021-03-28 8:29 UTC (permalink / raw)
To: buildroot
Fabrice, All,
On 2021-03-22 20:00 +0100, Fabrice Fontaine spake thusly:
> * ssh-agent(1): fixed a double-free memory corruption that was
> introduced in OpenSSH 8.2 . We treat all such memory faults as
> potentially exploitable. This bug could be reached by an attacker
> with access to the agent socket.
>
> On modern operating systems where the OS can provide information
> about the user identity connected to a socket, OpenSSH ssh-agent
> and sshd limit agent socket access only to the originating user
> and root. Additional mitigation may be afforded by the system's
> malloc(3)/free(3) implementation, if it detects double-free
> conditions.
>
> The most likely scenario for exploitation is a user forwarding an
> agent either to an account shared with a malicious user or to a
> host with an attacker holding root access.
>
> * Portable sshd(8): Prevent excessively long username going to PAM.
> This is a mitigation for a buffer overflow in Solaris' PAM username
> handling (CVE-2020-14871), and is only enabled for Sun-derived PAM
> implementations. This is not a problem in sshd itself, it only
> prevents sshd from being used as a vector to attack Solaris' PAM.
> It does not prevent the bug in PAM from being exploited via some
> other PAM application. GHPR#212
>
> Also license has been updated to add some openbsd-compat licenses:
> https://github.com/openssh/openssh-portable/commit/922cfac5ed5ead9f796f7d39f012dd653dc5c173
>
> https://www.openssh.com/txt/release-8.5
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Applied to master, thanks.
Regards,
Yann E. MORIN.
> ---
> package/openssh/openssh.hash | 6 +++---
> package/openssh/openssh.mk | 10 ++++++----
> 2 files changed, 9 insertions(+), 7 deletions(-)
>
> diff --git a/package/openssh/openssh.hash b/package/openssh/openssh.hash
> index 840467f50a..c50a49896c 100644
> --- a/package/openssh/openssh.hash
> +++ b/package/openssh/openssh.hash
> @@ -1,4 +1,4 @@
> -# From https://www.openssh.com/txt/release-8.4 (base64 encoded)
> -sha256 5a01d22e407eb1c05ba8a8f7c654d388a13e9f226e4ed33bd38748dafa1d2b24 openssh-8.4p1.tar.gz
> +# From https://www.openssh.com/txt/release-8.5 (base64 encoded)
> +sha256 f52f3f41d429aa9918e38cf200af225ccdd8e66f052da572870c89737646ec25 openssh-8.5p1.tar.gz
> # Locally calculated
> -sha256 73d0db766229670c7b4e1ec5e6baed54977a0694a565e7cc878c45ee834045d7 LICENCE
> +sha256 432abf7480fb31473a6706627212913fc70032e3fb71b90fecb28ae26a2d741d LICENCE
> diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
> index 64e3084ca1..055c024cab 100644
> --- a/package/openssh/openssh.mk
> +++ b/package/openssh/openssh.mk
> @@ -4,11 +4,13 @@
> #
> ################################################################################
>
> -OPENSSH_VERSION = 8.4p1
> -OPENSSH_CPE_ID_VERSION = 8.4
> -OPENSSH_CPE_ID_UPDATE = p1
> +OPENSSH_VERSION_MAJOR = 8.5
> +OPENSSH_VERSION_MINOR = p1
> +OPENSSH_VERSION = $(OPENSSH_VERSION_MAJOR)$(OPENSSH_VERSION_MINOR)
> +OPENSSH_CPE_ID_VERSION = $(OPENSSH_VERSION_MAJOR)
> +OPENSSH_CPE_ID_UPDATE = $(OPENSSH_VERSION_MINOR)
> OPENSSH_SITE = http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable
> -OPENSSH_LICENSE = BSD-3-Clause, BSD-2-Clause, Public Domain
> +OPENSSH_LICENSE = BSD-4-Clause, BSD-3-Clause, BSD-2-Clause, Public Domain
> OPENSSH_LICENSE_FILES = LICENCE
> OPENSSH_CONF_ENV = \
> LD="$(TARGET_CC)" \
> --
> 2.30.1
>
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
^ permalink raw reply [flat|nested] 3+ messages in thread
* [Buildroot] [PATCH 1/1] package/openssh: security bump to version 8.5p1
2021-03-22 19:00 [Buildroot] [PATCH 1/1] package/openssh: security bump to version 8.5p1 Fabrice Fontaine
2021-03-28 8:29 ` Yann E. MORIN
@ 2021-03-29 19:53 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2021-03-29 19:53 UTC (permalink / raw)
To: buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> * ssh-agent(1): fixed a double-free memory corruption that was
> introduced in OpenSSH 8.2 . We treat all such memory faults as
> potentially exploitable. This bug could be reached by an attacker
> with access to the agent socket.
> On modern operating systems where the OS can provide information
> about the user identity connected to a socket, OpenSSH ssh-agent
> and sshd limit agent socket access only to the originating user
> and root. Additional mitigation may be afforded by the system's
> malloc(3)/free(3) implementation, if it detects double-free
> conditions.
> The most likely scenario for exploitation is a user forwarding an
> agent either to an account shared with a malicious user or to a
> host with an attacker holding root access.
> * Portable sshd(8): Prevent excessively long username going to PAM.
> This is a mitigation for a buffer overflow in Solaris' PAM username
> handling (CVE-2020-14871), and is only enabled for Sun-derived PAM
> implementations. This is not a problem in sshd itself, it only
> prevents sshd from being used as a vector to attack Solaris' PAM.
> It does not prevent the bug in PAM from being exploited via some
> other PAM application. GHPR#212
> Also license has been updated to add some openbsd-compat licenses:
> https://github.com/openssh/openssh-portable/commit/922cfac5ed5ead9f796f7d39f012dd653dc5c173
> https://www.openssh.com/txt/release-8.5
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed to 2020.02.x, 2020.11.x and 2021.02.x, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-03-29 19:53 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-03-22 19:00 [Buildroot] [PATCH 1/1] package/openssh: security bump to version 8.5p1 Fabrice Fontaine
2021-03-28 8:29 ` Yann E. MORIN
2021-03-29 19:53 ` Peter Korsgaard
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.