diff --git a/SOURCES/openssh-6.6p1-systemd.patch b/SOURCES/openssh-6.6p1-systemd.patch deleted file mode 100644 index 8f3114f..0000000 --- a/SOURCES/openssh-6.6p1-systemd.patch +++ /dev/null 
@@ -1,98 +0,0 @@ -commit 0e22b79bfde45a7cf7a2e51a68ec11c4285f3b31 -Author: Jakub Jelen -Date: Mon Nov 21 15:04:06 2016 +0100 - - systemd stuff - -diff --git a/configure.ac b/configure.ac -index 2ffc369..162ce92 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -4265,6 +4265,30 @@ AC_ARG_WITH([kerberos5], - AC_SUBST([GSSLIBS]) - AC_SUBST([K5LIBS]) - -+# Check whether user wants systemd support -+SYSTEMD_MSG="no" -+AC_ARG_WITH(systemd, -+ [ --with-systemd Enable systemd support], -+ [ if test "x$withval" != "xno" ; then -+ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no]) -+ if test "$PKGCONFIG" != "no"; then -+ AC_MSG_CHECKING([for libsystemd]) -+ if $PKGCONFIG --exists libsystemd; then -+ SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd` -+ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd` -+ CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS" -+ SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS" -+ AC_MSG_RESULT([yes]) -+ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.]) -+ SYSTEMD_MSG="yes" -+ else -+ AC_MSG_RESULT([no]) -+ fi -+ fi -+ fi ] -+) -+ -+ - # Looking for programs, paths and files - - PRIVSEP_PATH=/var/empty -@@ -5097,6 +5121,7 @@ echo " libedit support: $LIBEDIT_MSG" - echo " Solaris process contract support: $SPC_MSG" - echo " Solaris project support: $SP_MSG" - echo " Solaris privilege support: $SPP_MSG" -+echo " systemd support: $SYSTEMD_MSG" - echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" - echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" - echo " BSD Auth support: $BSD_AUTH_MSG" -diff --git a/contrib/sshd.service b/contrib/sshd.service -new file mode 100644 -index 0000000..e0d4923 ---- /dev/null -+++ b/contrib/sshd.service -@@ -0,0 +1,16 @@ -+[Unit] -+Description=OpenSSH server daemon -+Documentation=man:sshd(8) man:sshd_config(5) -+After=network.target -+ -+[Service] -+Type=notify -+ExecStart=/usr/sbin/sshd -D $OPTIONS -+ExecReload=/bin/kill -HUP $MAINPID -+KillMode=process -+Restart=on-failure -+RestartPreventExitStatus=255 -+ -+[Install] 
-+WantedBy=multi-user.target -+ -diff --git a/sshd.c b/sshd.c -index 816611c..b8b9d13 100644 ---- a/sshd.c -+++ b/sshd.c -@@ -85,6 +85,10 @@ - #include - #endif - -+#ifdef HAVE_SYSTEMD -+#include -+#endif -+ - #include "xmalloc.h" - #include "ssh.h" - #include "ssh2.h" -@@ -1833,6 +1837,11 @@ main(int ac, char **av) - } - } - -+#ifdef HAVE_SYSTEMD -+ /* Signal systemd that we are ready to accept connections */ -+ sd_notify(0, "READY=1"); -+#endif -+ - /* Accept a connection and return in a forked child */ - server_accept_loop(&sock_in, &sock_out, - &newsock, config_s); diff --git a/SOURCES/openssh-9.8p1-cve-2024-6387.patch b/SOURCES/openssh-9.8p1-cve-2024-6387.patch new file mode 100644 index 0000000..7c0345a --- /dev/null +++ b/SOURCES/openssh-9.8p1-cve-2024-6387.patch 
@@ -0,0 +1,78 @@ +From 81c1099d22b81ebfd20a334ce986c4f753b0db29 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Thu, 6 Jun 2024 17:15:25 +0000 +Subject: [PATCH] upstream: Add a facility to sshd(8) to penalise particular + +problematic client behaviours, controlled by two new sshd_config(5) options: +PerSourcePenalties and PerSourcePenaltyExemptList. + +When PerSourcePenalties are enabled, sshd(8) will monitor the exit +status of its child pre-auth session processes. Through the exit +status, it can observe situations where the session did not +authenticate as expected. These conditions include when the client +repeatedly attempted authentication unsucessfully (possibly indicating +an attack against one or more accounts, e.g. password guessing), or +when client behaviour caused sshd to crash (possibly indicating +attempts to exploit sshd). + +When such a condition is observed, sshd will record a penalty of some +duration (e.g. 30 seconds) against the client's address. If this time +is above a minimum threshold specified by the PerSourcePenalties, then +connections from the client address will be refused (along with any +others in the same PerSourceNetBlockSize CIDR range). + +Repeated offenses by the same client address will accrue greater +penalties, up to a configurable maximum. A PerSourcePenaltyExemptList +option allows certain address ranges to be exempt from all penalties. + +We hope these options will make it significantly more difficult for +attackers to find accounts with weak/guessable passwords or exploit +bugs in sshd(8) itself. + +PerSourcePenalties is off by default, but we expect to enable it +automatically in the near future. + +much feedback markus@ and others, ok markus@ + +OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca + +XenServer changes: +This is a partial backport of the fix for CVE-2024-6387. 
+The existing code in XenServer is not vulnerable to the specific issue +exploited in CVE-2024-6387 since the buggy code is #ifdef'd out. +However, the signal handler may potentially call malloc() in other code +paths. A call to malloc() in a signal handler could race with another +memory allocator call which could then be exploited. Therefore, backport +the relevant part of the upstream fix which removes the potentially +buggy code completely. + +This is not a complete backport since the upstream fix is part of a +large commit that changes far more than fixing the immediate issue with +the signal handler. + +Signed-off-by: Ross Lagerwall +diff --git a/sshd.c b/sshd.c +index 408a9bfbbe03..704e98a3dde2 100644 +--- a/sshd.c ++++ b/sshd.c +@@ -357,6 +357,8 @@ main_sigchld_handler(int sig) + errno = save_errno; + } + ++#define EXIT_LOGIN_GRACE 3 /* login grace period exceeded */ ++ + /* + * Signal handler for the alarm after the login grace period has expired. + */ +@@ -375,10 +377,7 @@ grace_alarm_handler(int sig) + signal(SIGTERM, SIG_IGN); + kill(0, SIGTERM); + } +- +- /* Log error and exit. */ +- sigdie("Timeout before authentication for %s port %d", +- ssh_remote_ipaddr(active_state), ssh_remote_port(active_state)); ++ _exit(EXIT_LOGIN_GRACE); + } + + static void diff --git a/SOURCES/openssh-9.8p1-systemd-1.patch b/SOURCES/openssh-9.8p1-systemd-1.patch new file mode 100644 index 0000000..4b81c37 --- /dev/null +++ b/SOURCES/openssh-9.8p1-systemd-1.patch 
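Review bot: Replacing the sigdie() call in grace_alarm_handler with `_exit(EXIT_LOGIN_GRACE)` drops the "Timeout before authentication for %s port %d" log line with nothing taking its place: the upstream commit has the listener interpret the child's exit status, but the "XenServer changes" paragraph says that part is not backported, so in this tree a login-grace timeout now ends the child silently. That removes an event that log-based brute-force monitoring commonly relies on. Consider logging the timeout from the parent when it reaps a child whose status is EXIT_LOGIN_GRACE (outside signal context, so the async-signal-safety fix stays intact), or at least state in the "XenServer changes" paragraph that the timeout log message is intentionally removed. grace_alarm_handler begins above the hunk, and the main_sigchld_handler lines at the top of the hunk are context only.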
@@ -0,0 +1,60 @@ +From 166927fd410823eec8a7b2472463db51e0e6fef5 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Tue, 12 Nov 2019 22:32:48 +0000 +Subject: [PATCH] upstream: add xvasprintf() + +OpenBSD-Commit-ID: e5e3671c05c121993b034db935bce1a7aa372247 +--- + xmalloc.c | 21 ++++++++++++++------- + xmalloc.h | 4 +++- + 2 files changed, 17 insertions(+), 8 deletions(-) + +diff --git a/xmalloc.c b/xmalloc.c +index 9cd0127dd3c7..b48d33bbf68c 100644 +--- a/xmalloc.c ++++ b/xmalloc.c +@@ -95,6 +95,17 @@ xstrdup(const char *str) + return cp; + } + ++int ++xvasprintf(char **ret, const char *fmt, va_list ap) ++{ ++ int i; ++ ++ i = vasprintf(ret, fmt, ap); ++ if (i < 0 || *ret == NULL) ++ fatal("xvasprintf: could not allocate memory"); ++ return i; ++} ++ + int + xasprintf(char **ret, const char *fmt, ...) + { +@@ -102,11 +113,7 @@ xasprintf(char **ret, const char *fmt, ...) + int i; + + va_start(ap, fmt); +- i = vasprintf(ret, fmt, ap); ++ i = xvasprintf(ret, fmt, ap); + va_end(ap); +- +- if (i < 0 || *ret == NULL) +- fatal("xasprintf: could not allocate memory"); +- +- return (i); ++ return i; + } +diff --git a/xmalloc.h b/xmalloc.h +index 1d5f62df77a3..abaf7ada2c6c 100644 +--- a/xmalloc.h ++++ b/xmalloc.h +@@ -24,3 +24,5 @@ char *xstrdup(const char *); + int xasprintf(char **, const char *, ...) + __attribute__((__format__ (printf, 2, 3))) + __attribute__((__nonnull__ (2))); ++int xvasprintf(char **, const char *, va_list) ++ __attribute__((__nonnull__ (2))); +-- +2.45.2 + diff --git a/SOURCES/openssh-9.8p1-systemd-2.patch b/SOURCES/openssh-9.8p1-systemd-2.patch new file mode 100644 index 0000000..a3bd43e --- /dev/null +++ b/SOURCES/openssh-9.8p1-systemd-2.patch 
@@ -0,0 +1,207 @@ +From 08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c Mon Sep 17 00:00:00 2001 +From: Damien Miller +Date: Wed, 3 Apr 2024 14:40:32 +1100 +Subject: [PATCH] notify systemd on listen and reload + +Standalone implementation that does not depend on libsystemd. +With assistance from Luca Boccassi, and feedback/testing from Colin +Watson. bz2641 +diff --git a/configure.ac b/configure.ac +index 21755349dc71..14b5c7701837 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -775,6 +775,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) + AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts]) + AC_DEFINE([USE_BTMP]) + AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer]) ++ AC_DEFINE([SYSTEMD_NOTIFY], [1], [Have sshd notify systemd on start/reload]) + inet6_default_4in6=yes + case `uname -r` in + 1.*|2.0.*) +diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c +index ba7e49515ade..8a2835cb6911 100644 +--- a/openbsd-compat/port-linux.c ++++ b/openbsd-compat/port-linux.c +@@ -21,11 +21,17 @@ + + #include "includes.h" + +-#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST) ++#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST) || \ ++ defined(SYSTEMD_NOTIFY) ++#include ++#include ++ + #include ++#include + #include + #include + #include ++#include + + #include "log.h" + #include "xmalloc.h" +@@ -398,4 +404,94 @@ get_canonical_hostname(struct ssh *ssh, int use_dns) + return dnsname; + } + } +-#endif /* WITH_SELINUX || LINUX_OOM_ADJUST */ ++ ++#ifdef SYSTEMD_NOTIFY ++ ++static void ssh_systemd_notify(const char *, ...) ++ __attribute__((__format__ (printf, 1, 2))) __attribute__((__nonnull__ (1))); ++ ++static void ++ssh_systemd_notify(const char *fmt, ...) 
++{ ++ char *s = NULL; ++ const char *path; ++ struct stat sb; ++ struct sockaddr_un addr; ++ int fd = -1; ++ va_list ap; ++ ++ if ((path = getenv("NOTIFY_SOCKET")) == NULL || strlen(path) == 0) ++ return; ++ ++ va_start(ap, fmt); ++ xvasprintf(&s, fmt, ap); ++ va_end(ap); ++ ++ /* Only AF_UNIX is supported, with path or abstract sockets */ ++ if (path[0] != '/' && path[0] != '@') { ++ error("%s: socket \"%s\" is not compatible with AF_UNIX", __func__, path); ++ goto out; ++ } ++ ++ if (path[0] == '/' && stat(path, &sb) != 0) { ++ error("%s: socket \"%s\" stat: %s", __func__, path, strerror(errno)); ++ goto out; ++ } ++ ++ memset(&addr, 0, sizeof(addr)); ++ addr.sun_family = AF_UNIX; ++ if (strlcpy(addr.sun_path, path, ++ sizeof(addr.sun_path)) >= sizeof(addr.sun_path)) { ++ error("%s: socket path \"%s\" too long", __func__, path); ++ goto out; ++ } ++ /* Support for abstract socket */ ++ if (addr.sun_path[0] == '@') ++ addr.sun_path[0] = 0; ++ if ((fd = socket(PF_UNIX, SOCK_DGRAM, 0)) == -1) { ++ error("%s: socket \"%s\": %s", __func__, path, strerror(errno)); ++ goto out; ++ } ++ if (connect(fd, &addr, sizeof(addr)) != 0) { ++ error("%s: socket \"%s\" connect: %s", __func__, path, strerror(errno)); ++ goto out; ++ } ++ if (write(fd, s, strlen(s)) != (ssize_t)strlen(s)) { ++ error("%s: socket \"%s\" write: %s", __func__, path, strerror(errno)); ++ goto out; ++ } ++ debug("%s: socket \"%s\" notified %s", __func__, path, s); ++ out: ++ if (fd != -1) ++ close(fd); ++ free(s); ++} ++ ++void ++ssh_systemd_notify_ready(void) ++{ ++ ssh_systemd_notify("READY=1"); ++} ++ ++void ++ssh_systemd_notify_reload(void) ++{ ++ struct timespec now; ++ int ret; ++ ++ ret = clock_gettime(CLOCK_MONOTONIC, &now); ++ if (ret) { ++ error("%s: monotime failed: %s", __func__, strerror(errno)); ++ ssh_systemd_notify("RELOADING=1"); ++ } else if (now.tv_sec < 0 || now.tv_nsec < 0) { ++ error("%s: monotime returned negative value", __func__); ++ ssh_systemd_notify("RELOADING=1"); ++ } else { 
++ ssh_systemd_notify("RELOADING=1\nMONOTONIC_USEC=%llu", ++ ((uint64_t)now.tv_sec * 1000000ULL) + ++ ((uint64_t)now.tv_nsec / 1000ULL)); ++ } ++} ++#endif /* SYSTEMD_NOTIFY */ ++ ++#endif /* WITH_SELINUX || LINUX_OOM_ADJUST || SYSTEMD_NOTIFY */ +diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h +index ef6399d0af84..ed376ac85281 100644 +--- a/openbsd-compat/port-linux.h ++++ b/openbsd-compat/port-linux.h +@@ -40,5 +40,9 @@ void linux_seed(void); + const char *get_canonical_hostname(struct ssh *, int); + char *remote_hostname(struct ssh *); + ++#ifdef SYSTEMD_NOTIFY ++void ssh_systemd_notify_ready(void); ++void ssh_systemd_notify_reload(void); ++#endif + + #endif /* ! _PORT_LINUX_H */ +diff --git a/platform.c b/platform.c +index 78cfc6ee172c..0fd8520695de 100644 +--- a/platform.c ++++ b/platform.c +@@ -43,6 +43,14 @@ platform_pre_listen(void) + #endif + } + ++void ++platform_post_listen(void) ++{ ++#ifdef SYSTEMD_NOTIFY ++ ssh_systemd_notify_ready(); ++#endif ++} ++ + void + platform_pre_fork(void) + { +@@ -54,6 +62,9 @@ platform_pre_fork(void) + void + platform_pre_restart(void) + { ++#ifdef SYSTEMD_NOTIFY ++ ssh_systemd_notify_reload(); ++#endif + #ifdef LINUX_OOM_ADJUST + oom_adjust_restore(); + #endif +diff --git a/platform.h b/platform.h +index ea4f9c584924..4cbdf1f8c990 100644 +--- a/platform.h ++++ b/platform.h +@@ -21,6 +21,7 @@ + void platform_pre_listen(void); + void platform_pre_fork(void); + void platform_pre_restart(void); ++void platform_post_listen(void); + void platform_post_fork_parent(pid_t child_pid); + void platform_post_fork_child(void); + int platform_privileged_uidswap(void); +diff --git a/sshd.c b/sshd.c +index 8c109bb8f91c..c55446e76b4f 100644 +--- a/sshd.c ++++ b/sshd.c +@@ -1990,6 +1990,8 @@ main(int ac, char **av) + signal(SIGTERM, sigterm_handler); + signal(SIGQUIT, sigterm_handler); + ++ platform_post_listen(); ++ + /* + * Write out the pid file after the sigterm handler + * is setup and the listen sockets are bound 
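Review bot: In ssh_systemd_notify, `connect(fd, &addr, sizeof(addr))` passes a `struct sockaddr_un *` where `const struct sockaddr *` is expected; that is an incompatible-pointer-type diagnostic, which GCC 14 turns into an error by default, so it should read `connect(fd, (struct sockaddr *)&addr, addrlen)`. The length is also wrong for the abstract-socket case handled just above it: after `addr.sun_path[0] = 0`, passing `sizeof(addr)` makes the zero padding part of the abstract name, and a peer that bound the socket with the exact name length (the usual convention for abstract sockets) will not match, so the notification fails with a connect error; compute `socklen_t addrlen = addr.sun_path[0] == '\0' ? offsetof(struct sockaddr_un, sun_path) + strlen(path) : sizeof(addr);` before the connect (offsetof needs <stddef.h>; the header names in the added #include lines are missing on this page, so I cannot tell which are already present). In ssh_systemd_notify_reload, `%llu` is given a uint64_t, which is `unsigned long` on LP64 Linux; cast the sum to `(unsigned long long)` or use PRIu64 to keep -Wformat clean.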
diff --git a/SOURCES/openssh-9.8p1-systemd-3.patch b/SOURCES/openssh-9.8p1-systemd-3.patch new file mode 100644 index 0000000..3a5a251 --- /dev/null +++ b/SOURCES/openssh-9.8p1-systemd-3.patch @@ -0,0 +1,21 @@ +From 88351eca17dcc55189991ba60e50819b6d4193c1 Mon Sep 17 00:00:00 2001 +From: 90 +Date: Fri, 5 Apr 2024 19:36:06 +0100 +Subject: [PATCH] Fix missing header for systemd notification + +--- + openbsd-compat/port-linux.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c +index 509049dd6813..d0d8e7513f15 100644 +--- a/openbsd-compat/port-linux.c ++++ b/openbsd-compat/port-linux.c +@@ -32,6 +32,7 @@ + #include + #include + #include ++#include + + #include "log.h" + #include "xmalloc.h" diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec index 997a64d..cb580d8 100644 --- a/SPECS/openssh.spec +++ b/SPECS/openssh.spec @@ -1,6 +1,6 @@ -%global package_speccommit c13e58105df32e273cc2458e2ae266cdb74e7564 +%global package_speccommit ee60184dd35a7faef65befbbf9f473cb2fefcd62 %global usver 7.4p1 -%global xsver 23.2 +%global xsver 23.3 %global xsrel %{xsver}%{?xscount}%{?xshash} # Do we want SELinux & Audit %if 0%{?!noselinux:1} 
@@ -141,34 +141,37 @@ Patch44: openssh-7.4p1-gssKexAlgorithms.patch
 Patch45: openssh-6.6p1-s390-closefrom.patch
 Patch46: openssh-7.4p1-expose-pam.patch
 Patch47: openssh-6.6p1-x11-max-displays.patch
-Patch48: openssh-6.6p1-systemd.patch
-Patch49: openssh-7.4p1-permit-root-login.patch
-Patch50: openssh-7.4p1-debian-restore-tcp-wrappers.patch
-Patch51: openssh-7.4p1-pkcs11-whitelist.patch
-Patch52: openssh-7.4p1-legacy-algorithms.patch
-Patch53: openssh-7.4p1-show-more-fingerprints.patch
-Patch54: openssh-7.4p1-newline-banner.patch
-Patch55: openssh-7.4p1-sha2-signatures.patch
-Patch56: openssh-7.4p1-canonize-pkcs11-provider.patch
-Patch57: openssh-7.4p1-rsa1-segfault.patch
-Patch58: openssh-7.4p1-cbc-weakness.patch
-Patch59: openssh-7.4p1-sandbox-ppc64le.patch
-Patch60: openssh-7.4p1-ControlPath_too_long.patch
-Patch61: openssh-7.4p1-sandbox-ibmca.patch
-Patch62: openssh-7.4p1-usedns-yes.patch
-Patch63: openssh-7.4p1-rekeying-timeouts.patch
-Patch64: openssh-7.4p1-winscp-compat.patch
-Patch65: openssh-7.4p1-authorized_keys_command.patch
-Patch66: openssh-7.5p1-sftp-empty-files.patch
-Patch67: openssh-7.4p1-CVE-2018-15473.patch
-Patch68: openssh-7.4p1-uidswap.patch
-Patch69: openssh-8.7p1-upstream-cve-2021-41617.patch
-Patch70: openssh-7.4p1-audit.patch
-Patch71: openssh-6.6p1-audit-race-condition.patch
-Patch72: openssh-7.4p1-fips.patch
-Patch73: openssh-7.4p1-coverity.patch
-Patch74: openssh-9.3p1-upstream-cve-2023-38408.patch
-Patch75: openssh-8.7p1-CVE-2023-48795.patch
+Patch48: openssh-7.4p1-permit-root-login.patch
+Patch49: openssh-7.4p1-debian-restore-tcp-wrappers.patch
+Patch50: openssh-7.4p1-pkcs11-whitelist.patch
+Patch51: openssh-7.4p1-legacy-algorithms.patch
+Patch52: openssh-7.4p1-show-more-fingerprints.patch
+Patch53: openssh-7.4p1-newline-banner.patch
+Patch54: openssh-7.4p1-sha2-signatures.patch
+Patch55: openssh-7.4p1-canonize-pkcs11-provider.patch
+Patch56: openssh-7.4p1-rsa1-segfault.patch
+Patch57: openssh-7.4p1-cbc-weakness.patch
+Patch58: openssh-7.4p1-sandbox-ppc64le.patch
+Patch59: openssh-7.4p1-ControlPath_too_long.patch
+Patch60: openssh-7.4p1-sandbox-ibmca.patch
+Patch61: openssh-7.4p1-usedns-yes.patch
+Patch62: openssh-7.4p1-rekeying-timeouts.patch
+Patch63: openssh-7.4p1-winscp-compat.patch
+Patch64: openssh-7.4p1-authorized_keys_command.patch
+Patch65: openssh-7.5p1-sftp-empty-files.patch
+Patch66: openssh-7.4p1-CVE-2018-15473.patch
+Patch67: openssh-7.4p1-uidswap.patch
+Patch68: openssh-8.7p1-upstream-cve-2021-41617.patch
+Patch69: openssh-7.4p1-audit.patch
+Patch70: openssh-6.6p1-audit-race-condition.patch
+Patch71: openssh-7.4p1-fips.patch
+Patch72: openssh-7.4p1-coverity.patch
+Patch73: openssh-9.3p1-upstream-cve-2023-38408.patch
+Patch74: openssh-8.7p1-CVE-2023-48795.patch
+Patch75: openssh-9.8p1-systemd-1.patch
+Patch76: openssh-9.8p1-systemd-2.patch
+Patch77: openssh-9.8p1-systemd-3.patch
+Patch78: openssh-9.8p1-cve-2024-6387.patch
 
 # XCP-ng patches
 Patch1000: xcpng-harden-default-ciphers-and-algorithms.patch
@@ -395,7 +398,6 @@ fi
 --without-zlib-version-check \
 --with-ssl-engine \
 --with-ipaddr-display \
- --with-systemd \
 --with-ssh1 \
 %if %{ldap}
 --with-ldap \
@@ -655,6 +657,13 @@ getent passwd sshd >/dev/null || \
 %endif
 
 %changelog
+* Mon Aug 12 2024 Samuel Verschelde - 7.4p1-23.3.1 + 0.10.3-2.23.3.1
+- Sync with 7.4p1-23.3 + 0.10.3-2.23.3
+- *** Upstream changelog ***
+- * Tue Jul 02 2024 Ross Lagerwall - 7.4p1-23.3 + 0.10.3-2
+- - CP-50166: Remove libsystemd integration
+- - CA-395182: Fix CVE-2024-6387 - use of non-async-signal-safe fn in sighandler
+
 * Tue Apr 30 2024 Thierry Escande - 7.4p1-23.2.1 + 0.10.3-2.23.2.1
 - Harden default ciphers and algorithms
 - Disable GSSAPIAuthentication in sshd_config
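Review bot: Dropping Patch48 and renumbering Patch49–Patch75 down by one rewrites 28 lines whose content does not change, and any explicit `%patchNN -p1` directives in %prep (not visible in this diff) would have to be renumbered in lockstep, otherwise rpmbuild would apply a different patch under the old number without complaint. Leaving number 48 unused, or keeping the existing numbers and appending the four new patches as Patch76–Patch79, would reduce this hunk to the intended removal and additions and make the review of the patch set far easier.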