forked from security/wiki
Merge pull request 'solardiz-patch-37' (#39) from solardiz-patch-37 into main
Reviewed-on: security/wiki#39 Reviewed-by: Neil Hanlon <neil@noreply@resf.org>
commit
408a1d9b2b
@ -34,9 +34,9 @@ This isn't as secure as checking the package signature would be _if_ you previou
### Note
### Note
Regardless of whether installing on Rocky or another EL distribution, the `security-common` repository comes disabled by default out of an abundance of caution because of the packages contained within the repository which override the base Rocky Linux packages.
Regardless of whether installing on Rocky or another EL distribution, the `security-common` repository for EL9 comes disabled by default out of abundance of caution because of the packages contained within the repository that override the base Rocky Linux packages.
In order to receive packages from the SIG, either enable the repository (`dnf config-mangager --enable security-common`), or activate for a single DNF transaction with `dnf --enablerepo=security-common install <package>`.
In order to receive packages from the SIG, either enable the repository (`dnf config-manager --enable security-common`), or activate for a single DNF transaction with `dnf --enablerepo=security-common install <package>`.
## Packages
## Packages
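Review bot: the rewording of the `security-common` paragraph drops the article from the idiom; "out of abundance of caution" should read "out of an abundance of caution", as the previous text had it. The added "for EL9" qualifier also leaves the EL8 repository's default unstated: if the EL8 `security-common` repository is enabled by default, or does not exist, say so in the same sentence, otherwise the qualifier only raises the question. The `config-mangager` to `config-manager` correction in the following paragraph is right; note that `dnf config-manager` needs the `dnf-plugins-core` package, which is worth a parenthetical for minimal installs.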
29
docs/issues/CVE-2024-6409.md
Normal file
@ -0,0 +1,29 @@
# CVE-2024-6409: openssh
## Title
CVE-2024-6409: OpenSSH: Possible remote code execution in privsep child due to a race condition in signal handling
## Summary
As [discovered by Solar Designer (CIQ/Rocky Linux)](https://www.openwall.com/lists/oss-security/2024/07/08/2):
OpenSSH versions 8.7 and 8.8 and the corresponding portable releases call `cleanup_exit()` from `grace_alarm_handler()` when running in the privsep child process. `cleanup_exit()` was not meant to be called from a signal handler and may call other async-signal-unsafe functions. The current understanding is that in those upstream versions `cleanup_exit()` would not actually call async-signal-unsafe functions under those conditions, but with downstream distribution patches it sometimes does. Specifically, openssh-7.6p1-audit.patch found in Red Hat's package of OpenSSH adds code to `cleanup_exit()` that exposes the issue. Relevantly, this patch is found in EL 9, where the package is based on OpenSSH 8.7p1.
This is an EL9-specific issue similar to [CVE-2024-6387 regreSSHion](CVE-2024-6387.md).
Public disclosure date: July 8, 2024
## EL9
- Fixed in version: `8.7p1-38.1.el9_4.security.0.7` available July 8, 2024
## EL8
- Unaffected
## Mitigation
Set `LoginGraceTime 0` in `/etc/ssh/sshd_config` and do a `systemctl restart sshd`.
A drawback of this mitigation is that it will make the SSH server more susceptible to denial of service attacks.
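Review bot: the Mitigation section gives the setting but not why it works, and the Summary already has the pieces: with `LoginGraceTime 0` the grace timer is never armed, so `grace_alarm_handler()` and its call into `cleanup_exit()` never run in the privsep child. One sentence saying so lets readers judge the mitigation against the DoS drawback stated below it. Two smaller points in the same file: the "Fixed in version" bullet under EL9 does not name the repository the build ships in, and since `security-common` is disabled by default (per this PR's own wording on the other page) a pointer to the enable instructions belongs next to the version; and the EL8 bullet says only "Unaffected" where the Summary's version range (8.7 and 8.8) is the reason, so state the EL8 package's base version the way the Summary does for EL9.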
@ -2,6 +2,11 @@
These are what we consider significant SIG/Security news items, not an exhaustive list of package updates and wiki edits.
These are what we consider significant SIG/Security news items, not an exhaustive list of package updates and wiki edits.
## July 8, 2024
[openssh](packages/openssh.md) `8.7p1-38.1.el9_4.security.0.7` for EL9 adds a fix for [CVE-2024-6409](issues/CVE-2024-6409.md),
an EL9-specific issue similar to [CVE-2024-6387 regreSSHion](issues/CVE-2024-6387.md).
## July 1, 2024
## July 1, 2024
[openssh](packages/openssh.md) `8.7p1-38.el9_4.security.0.5` for EL9 adds a fix for [CVE-2024-6387 regreSSHion](issues/CVE-2024-6387.md).
[openssh](packages/openssh.md) `8.7p1-38.el9_4.security.0.5` for EL9 adds a fix for [CVE-2024-6387 regreSSHion](issues/CVE-2024-6387.md).
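Review bot: the July 8 entry says the build "adds a fix" for CVE-2024-6409 but omits that it also moves to a new base; the package changelog in this same PR records "Rebase on 8.7p1-38.1" in the intermediate `0.6` build, and readers comparing against the stock EL9 package will want that in the news item. Suggest: "`8.7p1-38.1.el9_4.security.0.7` for EL9 rebases on `8.7p1-38.el9_4.1` and adds a fix for [CVE-2024-6409](issues/CVE-2024-6409.md), ...".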
@ -2,18 +2,24 @@
## EL9
## EL9
- Version `8.7p1-38.el9_4.security.0.5`
- Version `8.7p1-38.1.el9_4.security.0.7`
- Based on `8.7p1-38.el9`
- Based on `8.7p1-38.el9_4.1`
### Changes summary
### Changes summary
- Instead of linking against `libsystemd`, load it dynamically in a temporary child process to avoid polluting actual `sshd`'s address space with that library and its many dependencies (shortens `ldd sshd` output from 28 to 20 lines)
- Instead of linking against `libsystemd`, load it dynamically in a temporary child process to avoid polluting actual `sshd`'s address space with that library and its many dependencies (shortens `ldd sshd` output from 28 to 20 lines)
- Build without Kerberos support (further shortens `ldd sshd` from 20 to 13 lines)
- Build without Kerberos support (further shortens `ldd sshd` from 20 to 13 lines)
- Fix CVE-2024-6387 regreSSHion
- Fix [CVE-2024-6409](../issues/CVE-2024-6409.md)
### Change log
### Change log
```
```
* Mon Jul 08 2024 Solar Designer <solar@openwall.com> 8.7p1-38.1.el9_4.security.0.7
- Fix CVE-2024-6409
* Mon Jul 08 2024 Solar Designer <solar@openwall.com> 8.7p1-38.1.el9_4.security.0.6
- Rebase on 8.7p1-38.1
* Mon Jul 01 2024 Solar Designer <solar@openwall.com> 8.7p1-38.el9_4.security.0.5
* Mon Jul 01 2024 Solar Designer <solar@openwall.com> 8.7p1-38.el9_4.security.0.5
- Fix CVE-2024-6387 regreSSHion
- Fix CVE-2024-6387 regreSSHion
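Review bot: the Changes summary replaces the "Fix CVE-2024-6387 regreSSHion" bullet with the CVE-2024-6409 one, so the page no longer says whether regreSSHion is fixed in this build. If the bullet was removed because the new base `8.7p1-38.el9_4.1` already carries that fix, say so rather than dropping it silently, e.g. "- CVE-2024-6387 regreSSHion: fixed in the base `8.7p1-38.el9_4.1`"; if not, the bullet should stay. Also, the changelog's "Rebase on 8.7p1-38.1" and the "Based on `8.7p1-38.el9_4.1`" bullet name the same base two different ways; use the full release string in both so readers can match it against `rpm -q openssh`.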