On 3/3/21 5:54 AM, Tim Tassonis via blfs-dev wrote:
> Hi all
>
> I just saw that openssh has a new version and as I wondered about the
> changes, I visited their page.
>
> While the corresponding ticket
> http://wiki.linuxfromscratch.org/blfs/ticket/14725
> was already assigned but had no changes comment, I added one, I hope
> that's ok. Wasn't meant to interfere in any way, just thought maybe
> other people would like to see the changes, too. I always like to look
> at them, to prioritize my updates.
>
> Bye
> Tim

As Bruce mentioned, adding comments on any ticket is appropriate :)

For openssh though, I suggest checking oss-security's archives as well
anytime a new version comes out. That often provides some more details.
In this case (https://seclists.org/oss-sec/2021/q1/190):

Security
========

* ssh-agent(1): fixed a double-free memory corruption that was
  introduced in OpenSSH 8.2. We treat all such memory faults as
  potentially exploitable. This bug could be reached by an attacker
  with access to the agent socket.

  On modern operating systems where the OS can provide information
  about the user identity connected to a socket, OpenSSH ssh-agent
  and sshd limit agent socket access only to the originating user
  and root. Additional mitigation may be afforded by the system's
  malloc(3)/free(3) implementation, if it detects double-free
  conditions.

  The most likely scenario for exploitation is a user forwarding an
  agent either to an account shared with a malicious user or to a
  host with an attacker holding root access.

* Portable sshd(8): Prevent excessively long username going to PAM.
  This is a mitigation for a buffer overflow in Solaris' PAM username
  handling (CVE-2020-14871), and is only enabled for Sun-derived PAM
  implementations. This is not a problem in sshd itself, it only
  prevents sshd from being used as a vector to attack Solaris' PAM.
  It does not prevent the bug in PAM from being exploited via some
  other PAM application. GHPR#212

We do carry ssh-agent, so I suppose the top one would affect us. The
bottom one is only applicable to Oracle Solaris.

That email also lists potentially-incompatible changes, as well as a
reminder about ssh-rsa being deprecated because it uses SHA1 and it's
possible to perform attacks against the SHA-1 algorithm for less than
USD$50k.

I'll drop the contents of that email in the ticket when I get there :)

Thank you,

- Doug
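The three points Doug pulls out of the 8.5 notes (the ssh-agent double-free affecting 8.2 through 8.4, the agent socket being restricted to the owning user and root, and ssh-rsa being deprecated for its SHA-1 signatures) each reduce to a check an admin can run on a BLFS box. The script below is an added example for this thread, not code from the list, from BLFS or from the OpenSSH project. It is written for POSIX sh, takes the `ssh -V` banner and algorithm list as strings so it can be tested with constructed samples, and treats a socket path as "private" when it is owned by the current uid with no group/other bits; the version threshold 8.5 and the sample banners are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or OpenSSH): defender-side checks for
# the OpenSSH 8.5 security notes quoted above. POSIX sh only.

# Extract "major.minor" from an `ssh -V` banner such as
# "OpenSSH_8.4p1, OpenSSL 1.1.1i  8 Dec 2020" (constructed sample).
openssh_version() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# Exit 0 when the banner's version is at least $2 (default 8.5, the release
# carrying the ssh-agent double-free fix; 8.2 .. 8.4 are the affected range).
# Exit 2 when the banner cannot be parsed at all.
openssh_at_least() {
    v=$(openssh_version "$1"); want=${2:-8.5}
    [ -n "$v" ] || return 2
    vmaj=${v%%.*}; vmin=${v#*.}
    wmaj=${want%%.*}; wmin=${want#*.}
    [ "$vmaj" -gt "$wmaj" ] ||
        { [ "$vmaj" -eq "$wmaj" ] && [ "$vmin" -ge "$wmin" ]; }
}

# Exit 0 when the exact token "ssh-rsa" (the SHA-1 signature scheme being
# deprecated) appears in a comma-separated algorithm list, e.g. the value of
# HostKeyAlgorithms / PubkeyAcceptedAlgorithms. rsa-sha2-256 and rsa-sha2-512
# use the same key type but not SHA-1, so they must not match.
allows_ssh_rsa() {
    printf ',%s,\n' "$1" | grep -q ',ssh-rsa,'
}

# Exit 0 when the path (normally $SSH_AUTH_SOCK) is owned by the current uid
# and has no group/other permission bits, mirroring the per-user restriction
# the release notes describe. `ls -nd` keeps owner numeric and stays POSIX;
# the mode field may carry a trailing '.' or '+' on ACL/SELinux systems.
agent_socket_private() {
    sock=$1
    [ -e "$sock" ] || return 2
    set -- $(ls -nd "$sock")
    mode=$1; owner=$3
    [ "$owner" = "$(id -u)" ] || return 1
    case "$mode" in
        ????------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Live use on the current host; skipped quietly when ssh is not installed.
if command -v ssh >/dev/null 2>&1; then
    banner=$(ssh -V 2>&1)
    if openssh_at_least "$banner"; then
        echo "ok: $banner (>= 8.5, ssh-agent double-free fixed)"
    else
        echo "WARN: $banner predates 8.5"
    fi
    if [ -n "${SSH_AUTH_SOCK:-}" ]; then
        if agent_socket_private "$SSH_AUTH_SOCK"; then
            echo "ok: agent socket $SSH_AUTH_SOCK is private to uid $(id -u)"
        else
            echo "WARN: agent socket $SSH_AUTH_SOCK is not private"
        fi
    fi
fi
```

To audit a configured algorithm list, pass the value of `HostKeyAlgorithms` or `PubkeyAcceptedAlgorithms` from `sshd -T` output to `allows_ssh_rsa`; a hit means SHA-1 signatures are still accepted and the key type should be moved to rsa-sha2-* or another algorithm before the upstream default changes.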
--
http://lists.linuxfromscratch.org/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page