From b5cc72b1423a26e03f6dd2a729d4ff58046ccc01 Mon Sep 17 00:00:00 2001
From: Solar Designer <solar@openwall.com>
Date: Mon, 1 Jul 2024 13:12:16 +0200
Subject: [PATCH] openssh 8.7p1-38.el9_4.security.0.5

---
 docs/issues/CVE-2024-6387.md | 30 ++++++++++++++++++++++++++++++
 docs/news.md                 |  5 +++++
 docs/packages/openssh.md     |  6 +++++-
 3 files changed, 40 insertions(+), 1 deletion(-)
 create mode 100644 docs/issues/CVE-2024-6387.md

diff --git a/docs/issues/CVE-2024-6387.md b/docs/issues/CVE-2024-6387.md
new file mode 100644
index 0000000..74b137a
--- /dev/null
+++ b/docs/issues/CVE-2024-6387.md
@@ -0,0 +1,30 @@
+# CVE-2024-6387: openssh
+
+## Title
+
+CVE-2024-6387: regreSSHion: remote code execution (RCE) in OpenSSH server, exploitable at least on glibc-based Linux systems
+
+## Summary
+
+As [discovered by Qualys](https://www.openwall.com/lists/oss-security/2024/07/01/3) and
+[summarized by OpenSSH upstream](https://www.openwall.com/lists/oss-security/2024/07/01/1):
+
+A critical vulnerability in sshd(8) was present in Portable OpenSSH versions 8.5p1 [to] 9.7p1 (inclusive) that may allow arbitrary code execution with root privileges.
+
+Successful exploitation has been demonstrated on 32-bit Linux/glibc systems with ASLR. Under lab conditions, the attack requires on average 6-8 hours of continuous connections up to the maximum the server will accept. Exploitation on 64-bit systems is believed to be possible but has not been demonstrated at this time. It's likely that these attacks will be improved upon.
+
+Public disclosure date: July 1, 2024
+
+## EL9
+
+- Fixed in version: `8.7p1-38.el9_4.security.0.5` available July 1, 2024
+
+## EL8
+
+- Unaffected
+
+## Mitigation
+
+Set `LoginGraceTime 0` in `/etc/ssh/sshd_config` and do a `systemctl restart sshd`.
+
+A drawback of this mitigation is that it will make the SSH server more susceptible to denial of service attacks.
diff --git a/docs/news.md b/docs/news.md
index 5dc7869..cce6c53 100644
--- a/docs/news.md
+++ b/docs/news.md
@@ -2,6 +2,11 @@
 
 These are what we consider significant SIG/Security news items, not an exhaustive list of package updates and wiki edits.
 
+## July 1, 2024
+
+[openssh](packages/openssh.md) `8.7p1-38.el9_4.security.0.5` for EL9 adds a fix for [CVE-2024-6387 regreSSHion](issues/CVE-2024-6387.md).
+EL8 is unaffected.
+
 ## June 13, 2024
 
 [glibc](packages/glibc.md) `2.34-100.2.el9_4.security.0.9` is a rebase on `2.34-100.el9_4.2`,
diff --git a/docs/packages/openssh.md b/docs/packages/openssh.md
index b92a78b..260d6fe 100644
--- a/docs/packages/openssh.md
+++ b/docs/packages/openssh.md
@@ -2,17 +2,21 @@
 
 ## EL9
 
-- Version `8.7p1-38.el9_4.security.0.4`
+- Version `8.7p1-38.el9_4.security.0.5`
 - Based on `8.7p1-38.el9`
 
 ### Changes summary
 
 - Instead of linking against `libsystemd`, load it dynamically in a temporary child process to avoid polluting actual `sshd`'s address space with that library and its many dependencies (shortens `ldd sshd` output from 28 to 20 lines)
 - Build without Kerberos support (further shortens `ldd sshd` from 20 to 13 lines)
+- Fix CVE-2024-6387 regreSSHion
 
 ### Change log
 
 ```
+* Mon Jul 01 2024 Solar Designer <solar@openwall.com> 8.7p1-38.el9_4.security.0.5
+- Fix CVE-2024-6387 regreSSHion
+
 * Mon May 20 2024 Solar Designer <solar@openwall.com> 8.7p1-38.el9_4.security.0.4
 - Rebase on 8.7p1-38