summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRoss Burton <ross.burton@intel.com>2013-04-29 14:05:23 (GMT)
committerRichard Purdie <richard.purdie@linuxfoundation.org>2013-04-29 17:00:00 (GMT)
commit2cc162ac12db6f5c36e3bed96de87f12b4a6e22a (patch)
tree9b798ed39fe7a5e470bcaf78f86e3de66e71c5ac
parent4a9b9004bca6d1cb58ecc8bccf7f09b38b0e6c73 (diff)
downloadpoky-2cc162ac12db6f5c36e3bed96de87f12b4a6e22a.tar.gz
openssh: fix CVE-2010-5107
From http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-5107: "The default configuration of OpenSSH through 6.1 enforces a fixed time limit between establishing a TCP connection and completing a login, which makes it easier for remote attackers to cause a denial of service (connection-slot exhaustion) by periodically making many new TCP connections." Integrate patches from upstream to enable "random early drop" by default./ (From OE-Core rev: 1d4f2d5ef65135e61d78ac0db90afe7f5d166d05) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-connectivity/openssh/openssh-6.0p1/cve-2010-5107.patch50
-rw-r--r--meta/recipes-connectivity/openssh/openssh_6.0p1.bb3
2 files changed, 52 insertions, 1 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh-6.0p1/cve-2010-5107.patch b/meta/recipes-connectivity/openssh/openssh-6.0p1/cve-2010-5107.patch
new file mode 100644
index 0000000..148dc51
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh-6.0p1/cve-2010-5107.patch
@@ -0,0 +1,50 @@
1Fix CVE-2010-5107 by backporting the relevant changes from upstream CVS.
2
3http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/servconf.c?r1=1.234#rev1.234
4http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config.5?r1=1.156#rev1.156
5http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?r1=1.89#rev1.89
6
7Upstream-Status: Backport
8Signed-off-by: Ross Burton <ross.burton@intel.com>
9
10--- a/src/usr.bin/ssh/sshd_config 2012/10/30 22:29:55 1.88
11+++ b/src/usr.bin/ssh/sshd_config 2013/02/06 00:20:42 1.89
12@@ -96,7 +96,7 @@ UsePrivilegeSeparation sandbox # Default for new inst
13 #ClientAliveCountMax 3
14 #UseDNS yes
15 #PidFile /var/run/sshd.pid
16-#MaxStartups 10
17+#MaxStartups 10:30:100
18 #PermitTunnel no
19 #ChrootDirectory none
20 #VersionAddendum none
21
22--- a/src/usr.bin/ssh/sshd_config.5 2013/01/18 08:00:49 1.155
23+++ b/src/usr.bin/ssh/sshd_config.5 2013/02/06 00:20:42 1.156
24@@ -821,7 +821,7 @@ SSH daemon.
25 Additional connections will be dropped until authentication succeeds or the
26 .Cm LoginGraceTime
27 expires for a connection.
28-The default is 10.
29+The default is 10:30:100.
30 .Pp
31 Alternatively, random early drop can be enabled by specifying
32 the three colon separated values
33
34--- a/src/usr.bin/ssh/servconf.c 2012/12/02 20:46:11 1.233
35+++ b/src/usr.bin/ssh/servconf.c 2013/02/06 00:20:42 1.234
36@@ -242,11 +242,11 @@ fill_default_server_options(ServerOptions *options)
37 if (options->gateway_ports == -1)
38 options->gateway_ports = 0;
39 if (options->max_startups == -1)
40- options->max_startups = 10;
41+ options->max_startups = 100;
42 if (options->max_startups_rate == -1)
43- options->max_startups_rate = 100; /* 100% */
44+ options->max_startups_rate = 30; /* 30% */
45 if (options->max_startups_begin == -1)
46- options->max_startups_begin = options->max_startups;
47+ options->max_startups_begin = 10;
48 if (options->max_authtries == -1)
49 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
50 if (options->max_sessions == -1)
diff --git a/meta/recipes-connectivity/openssh/openssh_6.0p1.bb b/meta/recipes-connectivity/openssh/openssh_6.0p1.bb
index 31202d4..d1edb6e 100644
--- a/meta/recipes-connectivity/openssh/openssh_6.0p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_6.0p1.bb
@@ -23,7 +23,8 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
23 file://sshd_config \ 23 file://sshd_config \
24 file://ssh_config \ 24 file://ssh_config \
25 file://init \ 25 file://init \
26 ${@base_contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)}" 26 ${@base_contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
27 file://cve-2010-5107.patch;pnum=4"
27 28
28PAM_SRC_URI = "file://sshd" 29PAM_SRC_URI = "file://sshd"
29SRC_URI[md5sum] = "3c9347aa67862881c5da3f3b1c08da7b" 30SRC_URI[md5sum] = "3c9347aa67862881c5da3f3b1c08da7b"