diff options
| author | Vijay Anusuri <vanusuri@mvista.com> | 2025-03-04 09:36:58 +0530 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2025-03-08 06:22:56 -0800 |
| commit | d20a52f2fc36ce154d8830630c37746562d22fc1 (patch) | |
| tree | 84ad05e2106b17c7808ce264931a76db6eff7750 | |
| parent | 3646348c982f2dbb0d1a47896ca82142e208bdb9 (diff) | |
| download | poky-d20a52f2fc36ce154d8830630c37746562d22fc1.tar.gz | |
openssh: Fix CVE-2025-26466
sshd(8) in OpenSSH versions 9.5p1 to 9.9p1
(inclusive) is vulnerable to a memory/CPU denial-of-service related
to the handling of SSH2_MSG_PING packets. This condition may be
mitigated using the existing PerSourcePenalties feature.
Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/6ce00f0c2ecbb9f75023dbe627ee6460bcec78c2]
(From OE-Core rev: 7360f3998939e202f9611644a8bed0c3fe0c782a)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
| -rw-r--r-- | meta/recipes-connectivity/openssh/openssh/CVE-2025-26466.patch | 38 | ||||
| -rw-r--r-- | meta/recipes-connectivity/openssh/openssh_9.6p1.bb | 1 |
2 files changed, 39 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2025-26466.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2025-26466.patch new file mode 100644 index 0000000000..27b2fa7143 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2025-26466.patch | |||
| @@ -0,0 +1,38 @@ | |||
| 1 | From 6ce00f0c2ecbb9f75023dbe627ee6460bcec78c2 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: "djm@openbsd.org" <djm@openbsd.org> | ||
| 3 | Date: Tue, 18 Feb 2025 08:02:12 +0000 | ||
| 4 | Subject: [PATCH] upstream: Don't reply to PING in preauth phase or during KEX | ||
| 5 | |||
| 6 | Reported by the Qualys Security Advisory team. ok markus@ | ||
| 7 | |||
| 8 | OpenBSD-Commit-ID: c656ac4abd1504389d1733d85152044b15830217 | ||
| 9 | |||
| 10 | Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/6ce00f0c2ecbb9f75023dbe627ee6460bcec78c2] | ||
| 11 | CVE: CVE-2025-26466 | ||
| 12 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
| 13 | --- | ||
| 14 | packet.c | 8 ++++++++ | ||
| 15 | 1 file changed, 8 insertions(+) | ||
| 16 | |||
| 17 | diff --git a/packet.c b/packet.c | ||
| 18 | index beb214f..aeab98c 100644 | ||
| 19 | --- a/packet.c | ||
| 20 | +++ b/packet.c | ||
| 21 | @@ -1773,6 +1773,14 @@ ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) | ||
| 22 | if ((r = sshpkt_get_string_direct(ssh, &d, &len)) != 0) | ||
| 23 | return r; | ||
| 24 | DBG(debug("Received SSH2_MSG_PING len %zu", len)); | ||
| 25 | + if (!ssh->state->after_authentication) { | ||
| 26 | + DBG(debug("Won't reply to PING in preauth")); | ||
| 27 | + break; | ||
| 28 | + } | ||
| 29 | + if (ssh_packet_is_rekeying(ssh)) { | ||
| 30 | + DBG(debug("Won't reply to PING during KEX")); | ||
| 31 | + break; | ||
| 32 | + } | ||
| 33 | if ((r = sshpkt_start(ssh, SSH2_MSG_PONG)) != 0 || | ||
| 34 | (r = sshpkt_put_string(ssh, d, len)) != 0 || | ||
| 35 | (r = sshpkt_send(ssh)) != 0) | ||
| 36 | -- | ||
| 37 | 2.25.1 | ||
| 38 | |||
diff --git a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb index a8ba67e360..ea5face097 100644 --- a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb | |||
| @@ -29,6 +29,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar | |||
| 29 | file://CVE-2024-6387.patch \ | 29 | file://CVE-2024-6387.patch \ |
| 30 | file://CVE-2024-39894.patch \ | 30 | file://CVE-2024-39894.patch \ |
| 31 | file://0001-Fix-missing-header-for-systemd-notification.patch \ | 31 | file://0001-Fix-missing-header-for-systemd-notification.patch \ |
| 32 | file://CVE-2025-26466.patch \ | ||
| 32 | " | 33 | " |
| 33 | SRC_URI[sha256sum] = "910211c07255a8c5ad654391b40ee59800710dd8119dd5362de09385aa7a777c" | 34 | SRC_URI[sha256sum] = "910211c07255a8c5ad654391b40ee59800710dd8119dd5362de09385aa7a777c" |
| 34 | 35 | ||