On Tue, 2 Jul 2024 at 17:34, Jose Quaresma via lists.openembedded.org <[email protected]> wrote:
>
> sshd(8) in Portable OpenSSH versions 8.5p1 to 9.7p1 (inclusive).
> Race condition resulting in potential remote code execution.
> A race condition in sshd(8) could allow remote code execution as root on
> non-OpenBSD systems.
> This attack could be prevented by disabling the login grace timeout
> (LoginGraceTime=0 in sshd_config)
> though this makes denial-of-service against sshd(8) considerably easier.
> For more information, please refer to the release notes [1] and the
> report from the Qualys Security Advisory Team [2] who discovered the bug.
Wouldn't it be better to use the much cleaner fix from openssh-portable:

https://github.com/openssh/openssh-portable/commit/b00331402fe5c60d577f3ffcc35e49286cdc6b47

I realise that most of the distros seem to have copied the same early patch, but I assume that was to get the fix done prior to public exposure. As there's a proper fix, isn't that better?

Matthew
