On Thu, 2024-07-04 at 13:46 +0100, Jose Quaresma via lists.openembedded.org wrote: > Release notes at https://www.openssh.com/txt/release-9.8 > > Security > ======== > > This release contains fixes for two security problems, one critical > and one minor. > > 1) Race condition in sshd(8) > > A critical vulnerability in sshd(8) was present in Portable OpenSSH > versions between 8.5p1 and 9.7p1 (inclusive) that may allow arbitrary > code execution with root privileges. > > Successful exploitation has been demonstrated on 32-bit Linux/glibc > systems with ASLR. Under lab conditions, the attack requires on > average 6-8 hours of continuous connections up to the maximum the > server will accept. Exploitation on 64-bit systems is believed to be > possible but has not been demonstrated at this time. It's likely that > these attacks will be improved upon. > > Exploitation on non-glibc systems is conceivable but has not been > examined. Systems that lack ASLR or users of downstream Linux > distributions that have modified OpenSSH to disable per-connection > ASLR re-randomisation (yes - this is a thing, no - we don't > understand why) may potentially have an easier path to exploitation. > OpenBSD is not vulnerable. > > We thank the Qualys Security Advisory Team for discovering, reporting > and demonstrating exploitability of this problem, and for providing > detailed feedback on additional mitigation measures. > > 2) Logic error in ssh(1) ObscureKeystrokeTiming > > In OpenSSH version 9.5 through 9.7 (inclusive), when connected to an > OpenSSH server version 9.5 or later, a logic error in the ssh(1) > ObscureKeystrokeTiming feature (on by default) rendered this feature > ineffective - a passive observer could still detect which network > packets contained real keystrokes when the countermeasure was active > because both fake and real keystroke packets were being sent > unconditionally. > > This bug was found by Philippos Giavridis and also independently by > Jacky Wei En Kung, Daniel Hugenroth and Alastair Beresford of the > University of Cambridge Computer Lab. > > Worse, the unconditional sending of both fake and real keystroke > packets broke another long-standing timing attack mitigation. Since > OpenSSH 2.9.9 sshd(8) has sent fake keystoke echo packets for > traffic received on TTYs in echo-off mode, such as when entering a > password into su(8) or sudo(8). This bug rendered these fake > keystroke echoes ineffective and could allow a passive observer of > a SSH session to once again detect when echo was off and obtain > fairly limited timing information about keystrokes in this situation > (20ms granularity by default). > > This additional implication of the bug was identified by Jacky Wei > En Kung, Daniel Hugenroth and Alastair Beresford and we thank them > for their detailed analysis. > > This bug does not affect connections when ObscureKeystrokeTiming > was disabled or sessions where no TTY was requested. > > Future deprecation notice > ========================= > > OpenSSH plans to remove support for the DSA signature algorithm in > early 2025. This release disables DSA by default at compile time. > > DSA, as specified in the SSHv2 protocol, is inherently weak - being > limited to a 160 bit private key and use of the SHA1 digest. Its > estimated security level is only 80 bits symmetric equivalent. > > OpenSSH has disabled DSA keys by default since 2015 but has retained > run-time optional support for them. DSA was the only mandatory-to- > implement algorithm in the SSHv2 RFCs, mostly because alternative > algorithms were encumbered by patents when the SSHv2 protocol was > specified. > > This has not been the case for decades at this point and better > algorithms are well supported by all actively-maintained SSH > implementations. We do not consider the costs of maintaining DSA > in OpenSSH to be justified and hope that removing it from OpenSSH > can accelerate its wider deprecation in supporting cryptography > libraries. > > This release, and its deactivation of DSA by default at compile-time, > marks the second step in our timeline to finally deprecate DSA. The > final step of removing DSA support entirely is planned for the first > OpenSSH release of 2025. > > DSA support may be re-enabled in OpenBSD by setting "DSAKEY=yes" > in Makefile.inc. To enable DSA support in portable OpenSSH, pass > the "--enable-dsa-keys" option to configure. > > Potentially-incompatible changes > -------------------------------- > > * all: as mentioned above, the DSA signature algorithm is now > disabled at compile time. > > * sshd(8): the server will now block client addresses that > repeatedly fail authentication, repeatedly connect without ever > completing authentication or that crash the server. See the > discussion of PerSourcePenalties below for more information. > Operators of servers that accept connections from many users, or > servers that accept connections from addresses behind NAT or > proxies may need to consider these settings. > > * sshd(8): the server has been split into a listener binary, > sshd(8), > and a per-session binary "sshd-session". This allows for a much > smaller listener binary, as it no longer needs to support the SSH > protocol. As part of this work, support for disabling privilege > separation (which previously required code changes to disable) and > disabling re-execution of sshd(8) has been removed. Further > separation of sshd-session into additional, minimal binaries is > planned for the future. > > * sshd(8): several log messages have changed. In particular, some > log messages will be tagged with as originating from a process > named "sshd-session" rather than "sshd". > > * ssh-keyscan(1): this tool previously emitted comment lines > containing the hostname and SSH protocol banner to standard error. > This release now emits them to standard output, but adds a new > "-q" flag to silence them altogether. > > * sshd(8): (portable OpenSSH only) sshd will no longer use argv[0] > as the PAM service name. A new "PAMServiceName" sshd_config(5) > directive allows selecting the service name at runtime. This > defaults to "sshd". bz2101 > > * (portable OpenSSH only) Automatically-generated files, such as > configure, config.h.in, etc will now be checked in to the portable > OpenSSH git release branch (e.g. V_9_8). This should ensure that > the contents of the signed release branch exactly match the > contents of the signed release tarball. > > Changes since OpenSSH 9.7 > ========================= > > This release contains mostly bugfixes. > > New features > ------------ > > * sshd(8): as described above, sshd(8) will now penalise client > addresses that, for various reasons, do not successfully complete > authentication. This feature is controlled by a new sshd_config(5) > PerSourcePenalties option and is on by default. > > sshd(8) will now identify situations where the session did not > authenticate as expected. These conditions include when the client > repeatedly attempted authentication unsucessfully (possibly > indicating an attack against one or more accounts, e.g. password > guessing), or when client behaviour caused sshd to crash (possibly > indicating attempts to exploit bugs in sshd). > > When such a condition is observed, sshd will record a penalty of > some duration (e.g. 30 seconds) against the client's address. If > this time is above a minimum configurable threshold, then all > connections from the client address will be refused (along with > any > others in the same PerSourceNetBlockSize CIDR range) until the > penalty expire. > > Repeated offenses by the same client address will accrue greater > penalties, up to a configurable maximum. Address ranges may be > fully exempted from penalties, e.g. to guarantee access from a set > of trusted management addresses, using the new sshd_config(5) > PerSourcePenaltyExemptList option. > > We hope these options will make it significantly more difficult > for > attackers to find accounts with weak/guessable passwords or > exploit > bugs in sshd(8) itself. This option is enabled by default. > > * ssh(8): allow the HostkeyAlgorithms directive to disable the > implicit fallback from certificate host key to plain host keys. > > Bugfixes > -------- > > * misc: fix a number of inaccuracies in the PROTOCOL.* > documentation files. GHPR430 GHPR487 > > * all: switch to strtonum(3) for more robust integer parsing in most > places. > > * ssh(1), sshd(8): correctly restore sigprocmask around ppoll() > > * ssh-keysign(8): stricter validation of messaging socket fd GHPR492 > > * sftp(1): flush stdout after writing "sftp>" prompt when not using > editline. GHPR480 > > * sftp-server(8): fix home-directory extension implementation, it > previously always returned the current user's home directory > contrary to the spec. GHPR477 > > * ssh-keyscan(1): do not close stdin to prevent error messages when > stdin is read multiple times. E.g. > echo localhost | ssh-keyscan -f - -f - > > * regression tests: fix rekey test that was testing the same KEX > algorithm repeatedly instead of testing all of them. bz3692 > > * ssh_config(5), sshd_config(5): clarify the KEXAlgorithms directive > documentation, especially around what is supported vs available. > bz3701. > > Portability > ----------- > > * sshd(8): expose SSH_AUTH_INFO_0 always to PAM auth modules > unconditionally. The previous behaviour was to expose it only when > particular authentication methods were in use. > > * build: fix OpenSSL ED25519 support detection. An incorrect > function > signature in configure.ac previously prevented enabling the > recently > added support for ED25519 private keys in PEM PKCS8 format. > > * ssh(1), ssh-agent(8): allow the presence of the WAYLAND_DISPLAY > environment variable to enable SSH_ASKPASS, similarly to the X11 > DISPLAY environment variable. GHPR479 > > * build: improve detection of the -fzero-call-used-regs compiler > flag. bz3673. > > * build: relax OpenSSL version check to accept all OpenSSL 3.x > versions. > > * sshd(8): add support for notifying systemd on server listen and > reload, using a standalone implementation that doesn't depend on > libsystemd. bz2641 > > Signed-off-by: Jose Quaresma <[email protected]> > --- > > v2: > - fix musl build > - fix sshd-session packing on openssh-sshd > - rebase on top of the CVE-2024-6387 fix sent
Thanks for the fixes. Unfortunately I think there is still one issue remaining as the openssh ptests appear to be hanging on both arm and x86: https://autobuilder.yoctoproject.org/typhoon/#/builders/82/builds/6600 https://autobuilder.yoctoproject.org/typhoon/#/builders/81/builds/6778 On a previous build run I ended up stopping them after 24h+ but I wasn't sure if that was related to other issues with the update or not. It now looks like it is a separate issue :( Cheers, Richard
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#201586): https://lists.openembedded.org/g/openembedded-core/message/201586 Mute This Topic: https://lists.openembedded.org/mt/107036805/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
