Merge pull request 'solardiz-patch-37' (#39) from solardiz-patch-37 into main

Reviewed-on: security/wiki#39
Reviewed-by: Neil Hanlon <neil@noreply@resf.org>
Neil Hanlon 2024-07-08 19:03:14 +00:00
commit 408a1d9b2b
4 changed files with 45 additions and 5 deletions

View File

@ -34,9 +34,9 @@ This isn't as secure as checking the package signature would be _if_ you previou
### Note ### Note
Regardless of whether installing on Rocky or another EL distribution, the `security-common` repository comes disabled by default out of an abundance of caution because of the packages contained within the repository which override the base Rocky Linux packages. Regardless of whether installing on Rocky or another EL distribution, the `security-common` repository for EL9 comes disabled by default out of abundance of caution because of the packages contained within the repository that override the base Rocky Linux packages.
In order to receive packages from the SIG, either enable the repository (`dnf config-mangager --enable security-common`), or activate for a single DNF transaction with `dnf --enablerepo=security-common install <package>`. In order to receive packages from the SIG, either enable the repository (`dnf config-manager --enable security-common`), or activate for a single DNF transaction with `dnf --enablerepo=security-common install <package>`.
## Packages ## Packages
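Review bot: the rewritten Note sentence drops the article from the original "out of an abundance of caution" and now reads "out of abundance of caution"; restore "an". The `dnf config-mangager` to `dnf config-manager` correction in the next sentence is right. The newly added "for EL9" qualifier narrows the statement, so confirm whether the EL8 `security-common` repository is also disabled by default; if it is, the qualifier is misleading and should be dropped, and if it is not, the EL8 state should be stated alongside.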

View File

@ -0,0 +1,29 @@
# CVE-2024-6409: openssh
## Title
CVE-2024-6409: OpenSSH: Possible remote code execution in privsep child due to a race condition in signal handling
## Summary
As [discovered by Solar Designer (CIQ/Rocky Linux)](https://www.openwall.com/lists/oss-security/2024/07/08/2):
OpenSSH versions 8.7 and 8.8 and the corresponding portable releases call `cleanup_exit()` from `grace_alarm_handler()` when running in the privsep child process. `cleanup_exit()` was not meant to be called from a signal handler and may call other async-signal-unsafe functions. The current understanding is that in those upstream versions `cleanup_exit()` would not actually call async-signal-unsafe functions under those conditions, but with downstream distribution patches it sometimes does. Specifically, openssh-7.6p1-audit.patch found in Red Hat's package of OpenSSH adds code to `cleanup_exit()` that exposes the issue. Relevantly, this patch is found in EL 9, where the package is based on OpenSSH 8.7p1.
This is an EL9-specific issue similar to [CVE-2024-6387 regreSSHion](CVE-2024-6387.md).
Public disclosure date: July 8, 2024
## EL9
- Fixed in version: `8.7p1-38.1.el9_4.security.0.7` available July 8, 2024
## EL8
- Unaffected
## Mitigation
Set `LoginGraceTime 0` in `/etc/ssh/sshd_config` and do a `systemctl restart sshd`.
A drawback of this mitigation is that it will make the SSH server more susceptible to denial of service attacks.
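Review bot: the Mitigation section says what to set but not why it works; since the Summary explains that the unsafe `cleanup_exit()` call is made from `grace_alarm_handler()`, a sentence stating that `LoginGraceTime 0` disables the login grace alarm so that handler never runs would make the trade-off with the denial-of-service drawback clear, and the section should also tell readers to revert the setting once `8.7p1-38.1.el9_4.security.0.7` is installed. The EL8 entry reads only "Unaffected"; a one-line reason (which OpenSSH version EL8's package is based on, compared with the 8.7 and 8.8 range given in the Summary) would make that claim verifiable from the page.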

View File

@ -2,6 +2,11 @@
These are what we consider significant SIG/Security news items, not an exhaustive list of package updates and wiki edits. These are what we consider significant SIG/Security news items, not an exhaustive list of package updates and wiki edits.
## July 8, 2024
[openssh](packages/openssh.md) `8.7p1-38.1.el9_4.security.0.7` for EL9 adds a fix for [CVE-2024-6409](issues/CVE-2024-6409.md),
an EL9-specific issue similar to [CVE-2024-6387 regreSSHion](issues/CVE-2024-6387.md).
## July 1, 2024 ## July 1, 2024
[openssh](packages/openssh.md) `8.7p1-38.el9_4.security.0.5` for EL9 adds a fix for [CVE-2024-6387 regreSSHion](issues/CVE-2024-6387.md). [openssh](packages/openssh.md) `8.7p1-38.el9_4.security.0.5` for EL9 adds a fix for [CVE-2024-6387 regreSSHion](issues/CVE-2024-6387.md).
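Review bot: the July 8 entry mentions only the CVE-2024-6409 fix, but the jump from `8.7p1-38.el9_4.security.0.5` to `8.7p1-38.1.el9_4.security.0.7` also carries a rebase onto a newer Red Hat base package (the 0.6 change log entry in this same commit reads "Rebase on 8.7p1-38.1"); a short mention of that rebase here would explain the new base version to readers who follow only the news page.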

View File

@ -2,18 +2,24 @@
## EL9 ## EL9
- Version `8.7p1-38.el9_4.security.0.5` - Version `8.7p1-38.1.el9_4.security.0.7`
- Based on `8.7p1-38.el9` - Based on `8.7p1-38.el9_4.1`
### Changes summary ### Changes summary
- Instead of linking against `libsystemd`, load it dynamically in a temporary child process to avoid polluting actual `sshd`'s address space with that library and its many dependencies (shortens `ldd sshd` output from 28 to 20 lines) - Instead of linking against `libsystemd`, load it dynamically in a temporary child process to avoid polluting actual `sshd`'s address space with that library and its many dependencies (shortens `ldd sshd` output from 28 to 20 lines)
- Build without Kerberos support (further shortens `ldd sshd` from 20 to 13 lines) - Build without Kerberos support (further shortens `ldd sshd` from 20 to 13 lines)
- Fix CVE-2024-6387 regreSSHion - Fix [CVE-2024-6409](../issues/CVE-2024-6409.md)
### Change log ### Change log
``` ```
* Mon Jul 08 2024 Solar Designer <solar@openwall.com> 8.7p1-38.1.el9_4.security.0.7
- Fix CVE-2024-6409
* Mon Jul 08 2024 Solar Designer <solar@openwall.com> 8.7p1-38.1.el9_4.security.0.6
- Rebase on 8.7p1-38.1
* Mon Jul 01 2024 Solar Designer <solar@openwall.com> 8.7p1-38.el9_4.security.0.5 * Mon Jul 01 2024 Solar Designer <solar@openwall.com> 8.7p1-38.el9_4.security.0.5
- Fix CVE-2024-6387 regreSSHion - Fix CVE-2024-6387 regreSSHion
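Review bot: the base version is written two ways in this hunk: the "Based on" bullet says `8.7p1-38.el9_4.1` while the 0.6 change log entry says "Rebase on 8.7p1-38.1"; use one spelling (the full `8.7p1-38.el9_4.1` form in the bullet is the one readers can match against the Red Hat package). Also, replacing the "Fix CVE-2024-6387 regreSSHion" bullet in Changes summary with the CVE-2024-6409 bullet leaves regreSSHion mentioned only in the change log; if the rebase base package is what now carries that fix, say so in the summary (for example "CVE-2024-6387 regreSSHion fixed via the rebase") rather than dropping it silently.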