From 1c324bb23551e7545608e6d6325dc984cd7435a5 Mon Sep 17 00:00:00 2001 From: Michel Lind Date: Jul 02 2024 16:47:10 +0000 Subject: Fix CVE-2024-6387 (regreSSHion) Refresh Facebook patches Signed-off-by: Michel Lind --- diff --git a/fb87_070_logging_reverse_port_forward.patch b/fb87_070_logging_reverse_port_forward.patch index 339fd35..a255577 100644 --- a/fb87_070_logging_reverse_port_forward.patch +++ b/fb87_070_logging_reverse_port_forward.patch @@ -1,6 +1,4 @@ -Index: b/channels.c -=================================================================== ---- b.orig/channels.c +--- a/channels.c +++ b/channels.c @@ -3774,6 +3774,7 @@ int channel_setup_remote_fwd_listener(struct ssh *ssh, struct Forward *fwd, @@ -37,7 +35,7 @@ Index: b/channels.c } /* -@@ -4593,7 +4603,7 @@ x11_create_display_inet(struct ssh *ssh, +@@ -4591,7 +4601,7 @@ x11_create_display_inet(struct ssh *ssh, if ((errno != EINVAL) && (errno != EAFNOSUPPORT) #ifdef EPFNOSUPPORT && (errno != EPFNOSUPPORT) diff --git a/fb87_080_logging_certificates.patch b/fb87_080_logging_certificates.patch index 46cc276..26e244e 100644 --- a/fb87_080_logging_certificates.patch +++ b/fb87_080_logging_certificates.patch @@ -1,8 +1,6 @@ -Index: b/auth2-pubkey.c -=================================================================== ---- b.orig/auth2-pubkey.c +--- a/auth2-pubkey.c +++ b/auth2-pubkey.c -@@ -389,6 +389,10 @@ check_principals_line(struct ssh *ssh, c +@@ -390,6 +390,10 @@ check_principals_line(struct ssh *ssh, c continue; debug3("%s: matched principal \"%.100s\"", loc, cert->principals[i]); @@ -13,7 +11,7 @@ Index: b/auth2-pubkey.c found = 1; slog_set_principal(cp); } -@@ -432,6 +436,8 @@ process_principals(struct ssh *ssh, FILE +@@ -433,6 +437,8 @@ process_principals(struct ssh *ssh, FILE found_principal = 1; } free(line); 
@@ -22,7 +20,7 @@ Index: b/auth2-pubkey.c return found_principal; } -@@ -710,7 +716,7 @@ check_authkey_line(struct ssh *ssh, stru +@@ -711,7 +717,7 @@ check_authkey_line(struct ssh *ssh, stru &reason) != 0) goto fail_reason; @@ -31,7 +29,7 @@ Index: b/auth2-pubkey.c "signed by CA %s %s found at %s", key->cert->key_id, (unsigned long long)key->cert->serial, -@@ -780,7 +786,7 @@ static int +@@ -781,7 +787,7 @@ static int user_cert_trusted_ca(struct ssh *ssh, struct passwd *pw, struct sshkey *key, struct sshauthopt **authoptsp) { @@ -40,7 +38,7 @@ Index: b/auth2-pubkey.c const char *reason; struct sshauthopt *principals_opts = NULL, *cert_opts = NULL; struct sshauthopt *final_opts = NULL; -@@ -796,11 +802,16 @@ user_cert_trusted_ca(struct ssh *ssh, st +@@ -797,11 +803,16 @@ user_cert_trusted_ca(struct ssh *ssh, st options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) return 0; @@ -57,7 +55,7 @@ Index: b/auth2-pubkey.c goto out; } /* -@@ -851,6 +862,11 @@ user_cert_trusted_ca(struct ssh *ssh, st +@@ -852,6 +863,11 @@ user_cert_trusted_ca(struct ssh *ssh, st if ((final_opts = sshauthopt_merge(principals_opts, cert_opts, &reason)) == NULL) { fail_reason: @@ -69,7 +67,7 @@ Index: b/auth2-pubkey.c error("%s", reason); auth_debug_add("%s", reason); goto out; -@@ -858,9 +874,10 @@ user_cert_trusted_ca(struct ssh *ssh, st +@@ -859,9 +875,10 @@ user_cert_trusted_ca(struct ssh *ssh, st } /* Success */ @@ -83,7 +81,7 @@ Index: b/auth2-pubkey.c sshkey_type(key->cert->signature_key), ca_fp, options.trusted_user_ca_keys); if (authoptsp != NULL) { -@@ -875,6 +892,7 @@ user_cert_trusted_ca(struct ssh *ssh, st +@@ -876,6 +893,7 @@ user_cert_trusted_ca(struct ssh *ssh, st sshauthopt_free(final_opts); free(principals_file); free(ca_fp); @@ -91,8 +89,6 @@ Index: b/auth2-pubkey.c return ret; } -Index: b/regress/cert-logging.sh -=================================================================== --- /dev/null +++ b/regress/cert-logging.sh @@ -0,0 +1,84 @@ 
diff --git a/fb87_090_logging_shell_cmd_pty.patch b/fb87_090_logging_shell_cmd_pty.patch index 6017884..f8c1731 100644 --- a/fb87_090_logging_shell_cmd_pty.patch +++ b/fb87_090_logging_shell_cmd_pty.patch @@ -1,8 +1,6 @@ -Index: b/session.c -=================================================================== ---- b.orig/session.c +--- a/session.c +++ b/session.c -@@ -2049,6 +2049,8 @@ session_pty_req(struct ssh *ssh, Session +@@ -2053,6 +2053,8 @@ session_pty_req(struct ssh *ssh, Session return 0; } debug("session_pty_req: session %d alloc %s", s->self, s->tty); @@ -11,7 +9,7 @@ Index: b/session.c ssh_tty_parse_modes(ssh, s->ttyfd); -@@ -2148,6 +2150,7 @@ session_shell_req(struct ssh *ssh, Sessi +@@ -2152,6 +2154,7 @@ session_shell_req(struct ssh *ssh, Sessi if ((r = sshpkt_get_end(ssh)) != 0) sshpkt_fatal(ssh, r, "%s: parse packet", __func__); @@ -19,7 +17,7 @@ Index: b/session.c return do_exec(ssh, s, NULL) == 0; } -@@ -2163,6 +2166,7 @@ session_exec_req(struct ssh *ssh, Sessio +@@ -2167,6 +2170,7 @@ session_exec_req(struct ssh *ssh, Sessio sshpkt_fatal(ssh, r, "%s: parse packet", __func__); slog_set_command(command); @@ -27,8 +25,6 @@ Index: b/session.c success = do_exec(ssh, s, command) == 0; free(command); return success; -Index: b/regress/session-req.sh -=================================================================== --- /dev/null +++ b/regress/session-req.sh @@ -0,0 +1,39 @@ diff --git a/fb87_810_increase_ssh_cert_max_principals.patch b/fb87_810_increase_ssh_cert_max_principals.patch index 2abe0e6..82919c2 100644 --- a/fb87_810_increase_ssh_cert_max_principals.patch +++ b/fb87_810_increase_ssh_cert_max_principals.patch @@ -1,8 +1,6 @@ -Index: b/sshkey.h -=================================================================== ---- b.orig/sshkey.h +--- a/sshkey.h +++ b/sshkey.h -@@ -106,7 +106,7 @@ enum sshkey_private_format { +@@ -109,7 +109,7 @@ enum sshkey_private_format { /* key is stored in external hardware */ #define SSHKEY_FLAG_EXT 0x0001 
diff --git a/fb87_log_accept_env.patch b/fb87_log_accept_env.patch index cbb5c01..11bd761 100644 --- a/fb87_log_accept_env.patch +++ b/fb87_log_accept_env.patch @@ -1,8 +1,6 @@ -Index: b/session.c -=================================================================== ---- b.orig/session.c +--- a/session.c +++ b/session.c -@@ -2206,7 +2206,7 @@ session_env_req(struct ssh *ssh, Session +@@ -2210,7 +2210,7 @@ session_env_req(struct ssh *ssh, Session for (i = 0; i < options.num_accept_env; i++) { if (match_pattern(name, options.accept_env[i])) { @@ -11,7 +9,7 @@ Index: b/session.c s->env = xrecallocarray(s->env, s->num_env, s->num_env + 1, sizeof(*s->env)); s->env[s->num_env].name = name; -@@ -2215,7 +2215,7 @@ session_env_req(struct ssh *ssh, Session +@@ -2219,7 +2219,7 @@ session_env_req(struct ssh *ssh, Session return (1); } } diff --git a/fb87_log_auth_info.patch b/fb87_log_auth_info.patch index 45f320a..8b1ab6a 100644 --- a/fb87_log_auth_info.patch +++ b/fb87_log_auth_info.patch @@ -1,6 +1,4 @@ -Index: b/regress/slog.sh -=================================================================== ---- b.orig/regress/slog.sh +--- a/regress/slog.sh +++ b/regress/slog.sh @@ -1,41 +1,60 @@ tid='structured log' @@ -179,9 +177,7 @@ Index: b/regress/slog.sh +make_cert "$princ" "$keytype" "$serial" +test_auth_info "$keyfp" "$keytype" "$princ" "$serial" +test_cert_serial "$serial" -Index: b/auth.c -=================================================================== ---- b.orig/auth.c +--- a/auth.c +++ b/auth.c @@ -351,6 +351,8 @@ auth_log(struct ssh *ssh, int authentica extra != NULL ? ": " : "", @@ -192,11 +188,9 @@ Index: b/auth.c free(extra); slog_set_auth_data(authenticated, method, authctxt->user); -Index: b/auth2-pubkey.c -=================================================================== ---- b.orig/auth2-pubkey.c +--- a/auth2-pubkey.c 
+++ b/auth2-pubkey.c -@@ -722,7 +722,7 @@ check_authkey_line(struct ssh *ssh, stru +@@ -723,7 +723,7 @@ check_authkey_line(struct ssh *ssh, stru (unsigned long long)key->cert->serial, sshkey_type(found), fp, loc); @@ -205,7 +199,7 @@ Index: b/auth2-pubkey.c success: if (finalopts == NULL) fatal_f("internal error: missing options"); -@@ -885,6 +885,8 @@ user_cert_trusted_ca(struct ssh *ssh, st +@@ -886,6 +886,8 @@ user_cert_trusted_ca(struct ssh *ssh, st final_opts = NULL; } slog_set_cert_id(key->cert->key_id); diff --git a/fb87_log_port_forwards.patch b/fb87_log_port_forwards.patch index 8a7b030..d43b857 100644 --- a/fb87_log_port_forwards.patch +++ b/fb87_log_port_forwards.patch @@ -1,6 +1,4 @@ -Index: b/serverloop.c -=================================================================== ---- b.orig/serverloop.c +--- a/serverloop.c +++ b/serverloop.c @@ -433,6 +433,7 @@ server_request_direct_tcpip(struct ssh * char *target = NULL, *originator = NULL; diff --git a/fb87_log_session_id.patch b/fb87_log_session_id.patch index a86aa72..b23278a 100644 --- a/fb87_log_session_id.patch +++ b/fb87_log_session_id.patch @@ -1,6 +1,4 @@ -Index: b/sshd.c -=================================================================== ---- b.orig/sshd.c +--- a/sshd.c +++ b/sshd.c @@ -1420,6 +1420,8 @@ server_accept_loop(struct ssh *ssh, int options.log_level, @@ -11,9 +9,7 @@ Index: b/sshd.c if (rexec_flag) close(config_s[0]); else { -Index: b/log.c -=================================================================== ---- b.orig/log.c +--- a/log.c +++ b/log.c @@ -410,17 +410,17 @@ do_log(LogLevel level, int force, const tmp_handler(level, force, fmtbuf, log_handler_ctx); @@ -71,8 +67,6 @@ Index: b/log.c sshsigdie(const char *file, const char *func, int line, int showfunc, LogLevel level, const char *suffix, const char *fmt, ...) { -Index: b/regress/session-id.sh -=================================================================== --- /dev/null +++ b/regress/session-id.sh @@ -0,0 +1,23 @@ 
@@ -99,9 +93,7 @@ Index: b/regress/session-id.sh +if [ $line_count != $stable_id_count ]; then + fail 'Mismatching session ids found' +fi -Index: b/log.h -=================================================================== ---- b.orig/log.h +--- a/log.h +++ b/log.h @@ -68,6 +68,9 @@ const char * log_level_name(LogLevel); void set_log_handler(log_handler_fn *, void *); @@ -113,9 +105,7 @@ Index: b/log.h void sshlog(const char *, const char *, int, int, LogLevel, const char *, const char *, ...) __attribute__((format(printf, 7, 8))); -Index: b/session.c -=================================================================== ---- b.orig/session.c +--- a/session.c +++ b/session.c @@ -1256,6 +1256,10 @@ do_setup_env(struct ssh *ssh, Session *s child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND", diff --git a/fb87_pass_principals_to_child.patch b/fb87_pass_principals_to_child.patch index 21d907c..49de966 100644 --- a/fb87_pass_principals_to_child.patch +++ b/fb87_pass_principals_to_child.patch @@ -1,6 +1,4 @@ -Index: b/session.c -=================================================================== ---- b.orig/session.c +--- a/session.c +++ b/session.c @@ -98,6 +98,7 @@ #include "atomicio.h" @@ -89,8 +87,6 @@ Index: b/session.c /* set LOG_SESSION_ID for child */ child_set_env(&env, &envsize, "LOG_SESSION_ID", get_log_session_id()); -Index: b/regress/cert-princ-env.sh -=================================================================== --- /dev/null +++ b/regress/cert-princ-env.sh @@ -0,0 +1,129 @@ diff --git a/fb87_slog.patch b/fb87_slog.patch index ffeb03d..cc50788 100644 --- a/fb87_slog.patch +++ b/fb87_slog.patch @@ -1,7 +1,5 @@ -Index: openssh-8.7p1/slog.c -=================================================================== --- /dev/null -+++ openssh-8.7p1/slog.c ++++ b/slog.c @@ -0,0 +1,619 @@ +/* + * Copyright 2004-present Facebook. All Rights Reserved. 
@@ -622,10 +620,8 @@ Index: openssh-8.7p1/slog.c + return "Unknown session state"; // Should never happen + } +} -Index: openssh-8.7p1/servconf.c -=================================================================== ---- openssh-8.7p1.orig/servconf.c -+++ openssh-8.7p1/servconf.c +--- a/servconf.c ++++ b/servconf.c @@ -205,6 +205,9 @@ initialize_server_options(ServerOptions options->disable_forwarding = -1; options->expose_userauth_info = -1; @@ -721,10 +717,8 @@ Index: openssh-8.7p1/servconf.c /* other arguments */ for (i = 0; i < o->num_subsystems; i++) -Index: openssh-8.7p1/auth2-pubkey.c -=================================================================== ---- openssh-8.7p1.orig/auth2-pubkey.c -+++ openssh-8.7p1/auth2-pubkey.c +--- a/auth2-pubkey.c ++++ b/auth2-pubkey.c @@ -66,6 +66,7 @@ #include "monitor_wrap.h" #include "authfile.h" @@ -757,11 +751,9 @@ Index: openssh-8.7p1/auth2-pubkey.c ret = 1; out: sshauthopt_free(principals_opts); -Index: openssh-8.7p1/regress/test-exec.sh -=================================================================== ---- openssh-8.7p1.orig/regress/test-exec.sh -+++ openssh-8.7p1/regress/test-exec.sh -@@ -689,7 +689,7 @@ start_sshd () +--- a/regress/test-exec.sh ++++ b/regress/test-exec.sh +@@ -690,7 +690,7 @@ start_sshd () trace "wait for sshd" i=0; @@ -770,10 +762,8 @@ Index: openssh-8.7p1/regress/test-exec.sh i=`expr $i + 1` sleep $i done -Index: openssh-8.7p1/session.c -=================================================================== ---- openssh-8.7p1.orig/session.c -+++ openssh-8.7p1/session.c +--- a/session.c ++++ b/session.c @@ -96,6 +96,8 @@ #include "monitor_wrap.h" #include "sftp.h" @@ -791,7 +781,7 @@ Index: openssh-8.7p1/session.c #ifdef SSH_AUDIT_EVENTS if (s->command != NULL || s->command_handle != -1) -@@ -1482,7 +1485,7 @@ do_setusercontext(struct passwd *pw) +@@ -1486,7 +1489,7 @@ do_setusercontext(struct passwd *pw) perror("unable to set user context (setuser)"); exit(1); } 
@@ -800,7 +790,7 @@ Index: openssh-8.7p1/session.c * FreeBSD's setusercontext() will not apply the user's * own umask setting unless running with the user's UID. */ -@@ -2159,6 +2162,7 @@ session_exec_req(struct ssh *ssh, Sessio +@@ -2163,6 +2166,7 @@ session_exec_req(struct ssh *ssh, Sessio (r = sshpkt_get_end(ssh)) != 0) sshpkt_fatal(ssh, r, "%s: parse packet", __func__); @@ -808,15 +798,13 @@ Index: openssh-8.7p1/session.c success = do_exec(ssh, s, command) == 0; free(command); return success; -@@ -2869,4 +2873,3 @@ session_get_remote_name_or_ip(struct ssh +@@ -2873,4 +2877,3 @@ session_get_remote_name_or_ip(struct ssh remote = ssh_remote_ipaddr(ssh); return remote; } - -Index: openssh-8.7p1/log.h -=================================================================== ---- openssh-8.7p1.orig/log.h -+++ openssh-8.7p1/log.h +--- a/log.h ++++ b/log.h @@ -133,4 +133,6 @@ void sshlogdirect(LogLevel, int, const #define logdie_fr(r, ...) sshlogdie(__FILE__, __func__, __LINE__, 1, SYSLOG_LEVEL_ERROR, ssh_err(r), __VA_ARGS__) #define sigdie_fr(r, ...) sshsigdie(__FILE__, __func__, __LINE__, 1, SYSLOG_LEVEL_ERROR, ssh_err(r), __VA_ARGS__) @@ -824,11 +812,9 @@ Index: openssh-8.7p1/log.h +void do_log_slog_payload(const char *); + #endif -Index: openssh-8.7p1/log.c -=================================================================== ---- openssh-8.7p1.orig/log.c -+++ openssh-8.7p1/log.c -@@ -529,3 +529,39 @@ sshlogdirect(LogLevel level, int forced, +--- a/log.c ++++ b/log.c +@@ -531,3 +531,39 @@ sshlogdirect(LogLevel level, int forced, do_log(level, forced, NULL, fmt, args); va_end(args); } @@ -868,10 +854,8 @@ Index: openssh-8.7p1/log.c + } + errno = saved_errno; +} -Index: openssh-8.7p1/slog.h -=================================================================== --- /dev/null -+++ openssh-8.7p1/slog.h ++++ b/slog.h @@ -0,0 +1,41 @@ +/* + * Copyright 2004-present Facebook. All Rights Reserved. 
@@ -914,10 +898,8 @@ Index: openssh-8.7p1/slog.h +void slog_log_session(void); + +#endif -Index: openssh-8.7p1/sshd.c -=================================================================== ---- openssh-8.7p1.orig/sshd.c -+++ openssh-8.7p1/sshd.c +--- a/sshd.c ++++ b/sshd.c @@ -132,6 +132,8 @@ #include "sk-api.h" #include "srclimit.h" @@ -927,7 +909,7 @@ Index: openssh-8.7p1/sshd.c /* Re-exec fds */ #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) -@@ -2163,6 +2165,7 @@ main(int ac, char **av) +@@ -2177,6 +2179,7 @@ main(int ac, char **av) } /* Reinitialize the log (because of the fork above). */ log_init(__progname, options.log_level, options.log_facility, log_stderr); @@ -935,7 +917,7 @@ Index: openssh-8.7p1/sshd.c if (FIPS_mode()) { debug("FIPS mode initialized"); -@@ -2332,8 +2335,15 @@ main(int ac, char **av) +@@ -2346,8 +2349,15 @@ main(int ac, char **av) rdomain == NULL ? "" : " rdomain \"", rdomain == NULL ? "" : rdomain, rdomain == NULL ? "" : "\""); @@ -952,7 +934,7 @@ Index: openssh-8.7p1/sshd.c /* * We don't want to listen forever unless the other side * successfully authenticates itself. So we set up an alarm which is -@@ -2655,6 +2665,7 @@ cleanup_exit(int i) +@@ -2674,6 +2684,7 @@ cleanup_exit(int i) if (in_cleanup) _exit(i); in_cleanup = 1; @@ -960,10 +942,8 @@ Index: openssh-8.7p1/sshd.c if (the_active_state != NULL && the_authctxt != NULL) { do_cleanup(the_active_state, the_authctxt); if (use_privsep && privsep_is_preauth && -Index: openssh-8.7p1/sshd_config -=================================================================== ---- openssh-8.7p1.orig/sshd_config -+++ openssh-8.7p1/sshd_config +--- a/sshd_config ++++ b/sshd_config @@ -33,6 +33,15 @@ Include /etc/ssh/sshd_config.d/*.conf # Logging #SyslogFacility AUTH 
@@ -980,10 +960,8 @@ Index: openssh-8.7p1/sshd_config # Authentication: -Index: openssh-8.7p1/auth-pam.c -=================================================================== ---- openssh-8.7p1.orig/auth-pam.c -+++ openssh-8.7p1/auth-pam.c +--- a/auth-pam.c ++++ b/auth-pam.c @@ -94,6 +94,7 @@ extern char *__progname; #include "auth-pam.h" #include "canohost.h" @@ -992,7 +970,7 @@ Index: openssh-8.7p1/auth-pam.c #include "msg.h" #include "packet.h" #include "misc.h" -@@ -1223,9 +1224,12 @@ do_pam_session(struct ssh *ssh) +@@ -1210,9 +1211,12 @@ do_pam_session(struct ssh *ssh) if (sshpam_err != PAM_SUCCESS) fatal("PAM: failed to set PAM_CONV: %s", pam_strerror(sshpam_handle, sshpam_err)); @@ -1006,10 +984,8 @@ Index: openssh-8.7p1/auth-pam.c else { sshpam_session_open = 0; auth_restrict_session(ssh); -Index: openssh-8.7p1/servconf.h -=================================================================== ---- openssh-8.7p1.orig/servconf.h -+++ openssh-8.7p1/servconf.h +--- a/servconf.h ++++ b/servconf.h @@ -22,6 +22,8 @@ #define MAX_SUBSYSTEMS 256 /* Max # subsystems. */ @@ -1032,10 +1008,8 @@ Index: openssh-8.7p1/servconf.h } ServerOptions; /* Information about the incoming connection as used by Match */ -Index: openssh-8.7p1/regress/slog.sh -=================================================================== --- /dev/null -+++ openssh-8.7p1/regress/slog.sh ++++ b/regress/slog.sh @@ -0,0 +1,59 @@ +tid='structured log' + @@ -1096,10 +1070,8 @@ Index: openssh-8.7p1/regress/slog.sh + +test_log_counts +test_json_valid -Index: openssh-8.7p1/Makefile.in -=================================================================== ---- openssh-8.7p1.orig/Makefile.in -+++ openssh-8.7p1/Makefile.in +--- a/Makefile.in ++++ b/Makefile.in @@ -129,7 +129,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw monitor.o monitor_wrap.o auth-krb5.o \ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \ 
@@ -1118,10 +1090,8 @@ Index: openssh-8.7p1/Makefile.in
  rm -rf autom4te.cache
  rm -f regress/check-perm
  rm -f regress/mkdtemp
-Index: openssh-8.7p1/auth.c
-===================================================================
---- openssh-8.7p1.orig/auth.c
-+++ openssh-8.7p1/auth.c
+--- a/auth.c
++++ b/auth.c
 @@ -76,6 +76,7 @@
  #include "ssherr.h"
  #include "compat.h"
diff --git a/openssh-8.7p1-CVE-2024-6387.patch b/openssh-8.7p1-CVE-2024-6387.patch
new file mode 100644
index 0000000..e32f68f
--- /dev/null
+++ b/openssh-8.7p1-CVE-2024-6387.patch
@@ -0,0 +1,17 @@
+--- a/log.c
++++ b/log.c
+@@ -455,12 +455,14 @@ void
+ sshsigdie(const char *file, const char *func, int line, int showfunc,
+ LogLevel level, const char *suffix, const char *fmt, ...)
+ {
++#ifdef SYSLOG_R_SAFE_IN_SIGHAND
+ va_list args;
+
+ va_start(args, fmt);
+ sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
+ suffix, fmt, args);
+ va_end(args);
++#endif
+ _exit(1);
+ }
+
diff --git a/openssh.spec b/openssh.spec
index dcfcc40..171e5d4 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -52,7 +52,7 @@
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 8.7p1
 %global openssh_rel 38
-%global hyperscale_rel 8
+%global hyperscale_rel 9
 %global pam_ssh_agent_ver 0.10.4
 %global pam_ssh_agent_rel 5
 
@@ -300,6 +300,9 @@ Patch1018: openssh-9.6p1-CVE-2023-48795.patch
 #upstream commit 7ef3787c84b6b524501211b11a26c742f829af1a
 Patch1019: openssh-9.6p1-CVE-2023-51385.patch
 
+# temporary CVE-2024-6387 fix; drop when rebasing on patched c9s
+Patch1020: openssh-8.7p1-CVE-2024-6387.patch
+
 # c9s specific logic factored out of openssh-7.7p1-fips.patch
 Patch2000: openssh-7.7p1-fips-warning.patch
 
@@ -564,6 +567,8 @@ popd
 %patch1018 -p1 -b .cve-2023-48795
 %patch1019 -p1 -b .cve-2023-51385
 
+%patch1020 -p1 -b .cve-2024-6387
+
 %if 0%{?facebook} && !0%{?use_quilt}
 %patch2010 -p1 -b .log_session_id
 %patch2011 -p1 -b .slog
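Review bot: With the entire sshlogv() call compiled out unless SYSLOG_R_SAFE_IN_SIGHAND is defined, sshsigdie() turns into a bare `_exit(1)` on any build lacking that macro, so whatever message its callers pass (to my knowledge only sshd's LoginGraceTime alarm handler, the "Timeout before authentication" line) stops reaching syslog on Linux, where I believe the macro is not defined. That is the trade-off the upstream change makes deliberately and it closes the async-signal-unsafe syslog()/allocation path this CVE depends on, but it is a detection-telemetry regression that the changelog entry and the patch should state rather than leave implicit. What the alarm handler evaluates before it reaches sshsigdie() (the format arguments) is outside this hunk and should be confirmed in sshd.c when reviewing the backport. The new patch file has no header at all, so add one giving provenance and rationale, for example `Backport of the upstream CVE-2024-6387 (regreSSHion) fix: syslog() and the allocations behind sshlogv() are not async-signal-safe, so only log from the signal path where syslog_r() is available; elsewhere just _exit().`, and record the upstream commit it mirrors the way the neighbouring Patch1018/1019 entries in openssh.spec do.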
@@ -868,6 +873,10 @@ test -f %{sysconfig_anaconda} && \
 %endif
 
 %changelog
+* Tue Jul 02 2024 Michel Lind - 8.7p1-38.9 + 0.10.4-5.7
+- Fix CVE-2024-6387 (regreSSHion)
+- Refresh Facebook patches
+
 * Fri May 3 2024 Raymond Colebaugh - 8.7p1-38.8 + 0.10.4-5.7
 - Merge "Add LOG_SESSION_ID for everyone" patch into fb87_log_session_id.patch, update fb87_pass_principals_to_child.patch to account for this change