From 2cc162ac12db6f5c36e3bed96de87f12b4a6e22a Mon Sep 17 00:00:00 2001 From: Ross Burton Date: Mon, 29 Apr 2013 15:05:23 +0100 Subject: openssh: fix CVE-2010-5107 From http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-5107: "The default configuration of OpenSSH through 6.1 enforces a fixed time limit between establishing a TCP connection and completing a login, which makes it easier for remote attackers to cause a denial of service (connection-slot exhaustion) by periodically making many new TCP connections." Integrate patches from upstream to enable "random early drop" by default./ (From OE-Core rev: 1d4f2d5ef65135e61d78ac0db90afe7f5d166d05) Signed-off-by: Ross Burton Signed-off-by: Richard Purdie --- .../openssh/openssh-6.0p1/cve-2010-5107.patch | 50 ++++++++++++++++++++++ meta/recipes-connectivity/openssh/openssh_6.0p1.bb | 3 +- 2 files changed, 52 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-connectivity/openssh/openssh-6.0p1/cve-2010-5107.patch diff --git a/meta/recipes-connectivity/openssh/openssh-6.0p1/cve-2010-5107.patch b/meta/recipes-connectivity/openssh/openssh-6.0p1/cve-2010-5107.patch new file mode 100644 index 0000000000..148dc510c1 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh-6.0p1/cve-2010-5107.patch @@ -0,0 +1,50 @@ +Fix CVE-2010-5107 by backporting the relevant changes from upstream CVS. + +http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/servconf.c?r1=1.234#rev1.234 +http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config.5?r1=1.156#rev1.156 +http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?r1=1.89#rev1.89 + +Upstream-Status: Backport +Signed-off-by: Ross Burton + +--- a/src/usr.bin/ssh/sshd_config 2012/10/30 22:29:55 1.88 ++++ b/src/usr.bin/ssh/sshd_config 2013/02/06 00:20:42 1.89 +@@ -96,7 +96,7 @@ UsePrivilegeSeparation sandbox # Default for new inst + #ClientAliveCountMax 3 + #UseDNS yes + #PidFile /var/run/sshd.pid +-#MaxStartups 10 ++#MaxStartups 10:30:100 + #PermitTunnel no + #ChrootDirectory none + #VersionAddendum none + +--- a/src/usr.bin/ssh/sshd_config.5 2013/01/18 08:00:49 1.155 ++++ b/src/usr.bin/ssh/sshd_config.5 2013/02/06 00:20:42 1.156 +@@ -821,7 +821,7 @@ SSH daemon. + Additional connections will be dropped until authentication succeeds or the + .Cm LoginGraceTime + expires for a connection. +-The default is 10. ++The default is 10:30:100. + .Pp + Alternatively, random early drop can be enabled by specifying + the three colon separated values + +--- a/src/usr.bin/ssh/servconf.c 2012/12/02 20:46:11 1.233 ++++ b/src/usr.bin/ssh/servconf.c 2013/02/06 00:20:42 1.234 +@@ -242,11 +242,11 @@ fill_default_server_options(ServerOptions *options) + if (options->gateway_ports == -1) + options->gateway_ports = 0; + if (options->max_startups == -1) +- options->max_startups = 10; ++ options->max_startups = 100; + if (options->max_startups_rate == -1) +- options->max_startups_rate = 100; /* 100% */ ++ options->max_startups_rate = 30; /* 30% */ + if (options->max_startups_begin == -1) +- options->max_startups_begin = options->max_startups; ++ options->max_startups_begin = 10; + if (options->max_authtries == -1) + options->max_authtries = DEFAULT_AUTH_FAIL_MAX; + if (options->max_sessions == -1) diff --git a/meta/recipes-connectivity/openssh/openssh_6.0p1.bb b/meta/recipes-connectivity/openssh/openssh_6.0p1.bb index 31202d4284..d1edb6ed04 100644 --- a/meta/recipes-connectivity/openssh/openssh_6.0p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_6.0p1.bb @@ -23,7 +23,8 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar. file://sshd_config \ file://ssh_config \ file://init \ - ${@base_contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)}" + ${@base_contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ + file://cve-2010-5107.patch;pnum=4" PAM_SRC_URI = "file://sshd" SRC_URI[md5sum] = "3c9347aa67862881c5da3f3b1c08da7b" -- cgit v1.2.3-54-g00ecf