[oe-commits] Ross Burton : openssh: fix CVE-2010-5107
git at git.openembedded.org
git at git.openembedded.org
Mon Apr 29 16:55:59 UTC 2013
Module: openembedded-core.git
Branch: danny
Commit: 1d4f2d5ef65135e61d78ac0db90afe7f5d166d05
URL: http://git.openembedded.org/?p=openembedded-core.git&a=commit;h=1d4f2d5ef65135e61d78ac0db90afe7f5d166d05
Author: Ross Burton <ross.burton at intel.com>
Date: Mon Apr 29 15:05:23 2013 +0100
openssh: fix CVE-2010-5107
>From http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-5107:
"The default configuration of OpenSSH through 6.1 enforces a fixed time limit
between establishing a TCP connection and completing a login, which makes it
easier for remote attackers to cause a denial of service (connection-slot
exhaustion) by periodically making many new TCP connections."
Integrate patches from upstream to enable "random early drop" by default./
Signed-off-by: Ross Burton <ross.burton at intel.com>
---
.../openssh/openssh-6.0p1/cve-2010-5107.patch | 50 ++++++++++++++++++++
meta/recipes-connectivity/openssh/openssh_6.0p1.bb | 3 +-
2 files changed, 52 insertions(+), 1 deletions(-)
diff --git a/meta/recipes-connectivity/openssh/openssh-6.0p1/cve-2010-5107.patch b/meta/recipes-connectivity/openssh/openssh-6.0p1/cve-2010-5107.patch
new file mode 100644
index 0000000..148dc51
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh-6.0p1/cve-2010-5107.patch
@@ -0,0 +1,50 @@
+Fix CVE-2010-5107 by backporting the relevant changes from upstream CVS.
+
+http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/servconf.c?r1=1.234#rev1.234
+http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config.5?r1=1.156#rev1.156
+http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?r1=1.89#rev1.89
+
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton at intel.com>
+
+--- a/src/usr.bin/ssh/sshd_config 2012/10/30 22:29:55 1.88
++++ b/src/usr.bin/ssh/sshd_config 2013/02/06 00:20:42 1.89
+@@ -96,7 +96,7 @@ UsePrivilegeSeparation sandbox # Default for new inst
+ #ClientAliveCountMax 3
+ #UseDNS yes
+ #PidFile /var/run/sshd.pid
+-#MaxStartups 10
++#MaxStartups 10:30:100
+ #PermitTunnel no
+ #ChrootDirectory none
+ #VersionAddendum none
+
+--- a/src/usr.bin/ssh/sshd_config.5 2013/01/18 08:00:49 1.155
++++ b/src/usr.bin/ssh/sshd_config.5 2013/02/06 00:20:42 1.156
+@@ -821,7 +821,7 @@ SSH daemon.
+ Additional connections will be dropped until authentication succeeds or the
+ .Cm LoginGraceTime
+ expires for a connection.
+-The default is 10.
++The default is 10:30:100.
+ .Pp
+ Alternatively, random early drop can be enabled by specifying
+ the three colon separated values
+
+--- a/src/usr.bin/ssh/servconf.c 2012/12/02 20:46:11 1.233
++++ b/src/usr.bin/ssh/servconf.c 2013/02/06 00:20:42 1.234
+@@ -242,11 +242,11 @@ fill_default_server_options(ServerOptions *options)
+ if (options->gateway_ports == -1)
+ options->gateway_ports = 0;
+ if (options->max_startups == -1)
+- options->max_startups = 10;
++ options->max_startups = 100;
+ if (options->max_startups_rate == -1)
+- options->max_startups_rate = 100; /* 100% */
++ options->max_startups_rate = 30; /* 30% */
+ if (options->max_startups_begin == -1)
+- options->max_startups_begin = options->max_startups;
++ options->max_startups_begin = 10;
+ if (options->max_authtries == -1)
+ options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
+ if (options->max_sessions == -1)
diff --git a/meta/recipes-connectivity/openssh/openssh_6.0p1.bb b/meta/recipes-connectivity/openssh/openssh_6.0p1.bb
index 31202d4..d1edb6e 100644
--- a/meta/recipes-connectivity/openssh/openssh_6.0p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_6.0p1.bb
@@ -23,7 +23,8 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
file://sshd_config \
file://ssh_config \
file://init \
- ${@base_contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)}"
+ ${@base_contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
+ file://cve-2010-5107.patch;pnum=4"
PAM_SRC_URI = "file://sshd"
SRC_URI[md5sum] = "3c9347aa67862881c5da3f3b1c08da7b"
More information about the Openembedded-commits
mailing list