| Summary: | <net-misc/openssh-{9.6_p1-r5, 9.7_p1-r6, 9.8_p1}: Remote code execution | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Sam James <sam> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | blocker | CC: | alarig, alexander, base-system, esavier, hanno, kfm, kripton, luke, orzel, powerboat9.gamer |
| Priority: | Highest | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt | | |
| See Also: | https://bugzilla.mindrot.org/show_bug.cgi?id=3598 https://bugzilla.mindrot.org/show_bug.cgi?id=3690 https://bugs.gentoo.org/show_bug.cgi?id=709748 | | |
| Whiteboard: | A0 [glsa+] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 935272, 935275 | | |
| Bug Blocks: | | | |

Description
Sam James
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=083d7d12832b91073f5cac94df2ba067495857a7

commit 083d7d12832b91073f5cac94df2ba067495857a7
Author: Sam James <sam@gentoo.org>
AuthorDate: 2024-07-01 08:40:45 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2024-07-01 08:40:45 +0000

    net-misc/openssh: add 9.8_p1

    This fixes CVE-2024-6387 but I'm going to backport a fix to 9.7 shortly as 9.8_p1 isn't a good stable candidate given it's only just been released and has many other changes.

    Bug: https://bugs.gentoo.org/935271
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/openssh/Manifest | 2 +
 net-misc/openssh/openssh-9.8_p1.ebuild | 398 +++++++++++++++++++++++++++++++++
 2 files changed, 400 insertions(+)

Upstream made patch suggestions at https://marc.info/?l=oss-security&m=171982317624594&w=2.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1633ef45475afb9eea04e9cf27021c9d994af338

commit 1633ef45475afb9eea04e9cf27021c9d994af338
Author: Sam James <sam@gentoo.org>
AuthorDate: 2024-07-01 08:51:48 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2024-07-01 08:54:59 +0000

    net-misc/openssh: backport CVE-2024-6387 fix to 9.6_p1-r5, 9.7_p1-r6

    This applies upstream's backport suggestions from https://marc.info/?l=oss-security&m=171982317624594&w=2 for both CVE-2024-6387 and a "minor logic error in ObscureKeystrokeTiming".

    Bug: https://bugs.gentoo.org/935271
    Signed-off-by: Sam James <sam@gentoo.org>

 .../files/openssh-9.6_p1-CVE-2024-6387.patch | 19 +
 .../openssh/files/openssh-9.6_p1-chaff-logic.patch | 16 +
 net-misc/openssh/openssh-9.6_p1-r5.ebuild | 392 ++++++++++++++++++++
 net-misc/openssh/openssh-9.7_p1-r6.ebuild | 400 +++++++++++++++++++++
 4 files changed, 827 insertions(+)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b9aab3ef968b7a6d58fa215223d116b98af7d399

commit b9aab3ef968b7a6d58fa215223d116b98af7d399
Author: Sam James <sam@gentoo.org>
AuthorDate: 2024-07-01 09:59:36 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2024-07-01 10:22:02 +0000

    net-misc/openssh: restart sshd on major version upgrades

    openssh-9.8_p1 again breaks cross-version compatibility, meaning that a running sshd with 9.7_p1 will no longer be able to accept connections after upgrading to 9.8_p1.

    We tried doing a news item on this in the past (bug #709748) and it ended up being insufficient and poorly coordinated (as you really need it again when stabling).

    Nobody is going to thank us for leaving their sshd broken, so pick the lesser evil and attempt to restart sshd on major version upgrades.

    This is especially important as people may be racing to upgrade to 9.8_p1 for the CVE-2024-6387 fix (although we have backported a fix to older versions).

    I also note there's precedent here with e.g. the systemd rebuild where it's done to avoid immediate breakage of user sessions.

    Thanks to kerframil who proposed a snippet for this some time ago whose work I've lifted here.

    Bug: https://bugs.gentoo.org/709748
    Bug: https://bugs.gentoo.org/935271
    Signed-off-by: Sam James <sam@gentoo.org>

 ...nssh-9.8_p1.ebuild => openssh-9.8_p1-r1.ebuild} | 33 ++++++++++++++++++++++
 1 file changed, 33 insertions(+)

Filed a stablereq for 9.7_p1-r6, see https://bugs.gentoo.org/935275#c0. It's not strictly a dependency for this bug as explained there but it maybe simplifies the GLSA and such and allows cleanup...

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=da4d673c8709506f7aaaa5316f7fc3ccf2178b17

commit da4d673c8709506f7aaaa5316f7fc3ccf2178b17
Author: Sam James <sam@gentoo.org>
AuthorDate: 2024-07-01 11:11:56 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2024-07-01 11:11:56 +0000

    net-misc/openssh: drop 9.6_p1-r4, 9.7_p1-r2, 9.7_p1-r3, 9.7_p1-r5

    Bug: https://bugs.gentoo.org/935271
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/openssh/openssh-9.6_p1-r4.ebuild | 390 ----------------------------
 net-misc/openssh/openssh-9.7_p1-r2.ebuild | 403 -----------------------------
 net-misc/openssh/openssh-9.7_p1-r3.ebuild | 404 ------------------------------
 net-misc/openssh/openssh-9.7_p1-r5.ebuild | 398 -----------------------------
 4 files changed, 1595 deletions(-)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=812073712b87f878fc20506cca474c045b6a8b7e

commit 812073712b87f878fc20506cca474c045b6a8b7e
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-07-01 18:03:48 +0000
Commit: Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-07-01 18:06:02 +0000

    [ GLSA 202407-09 ] OpenSSH: Remote Code Execution

    Bug: https://bugs.gentoo.org/935271
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202407-09.xml | 67 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 67 insertions(+)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=615ab9d0a7ea42e3fa992a2f728c45019f8706c2

commit 615ab9d0a7ea42e3fa992a2f728c45019f8706c2
Author: Patrick McLean <chutzpah@gentoo.org>
AuthorDate: 2024-07-02 17:02:29 +0000
Commit: Patrick McLean <chutzpah@gentoo.org>
CommitDate: 2024-07-02 17:07:07 +0000

    net-misc/openssh-contrib: Revbump, add fix for CVE-2024-6387

    Bug: https://bugs.gentoo.org/935271
    Signed-off-by: Patrick McLean <chutzpah@gentoo.org>

 .../files/openssh-9.6_p1-CVE-2024-6387.patch | 19 ++++++++++++++
 .../files/openssh-9.6_p1-chaff-logic.patch | 16 ++++++++++++
 .../files/openssh-9.6_p1-fix-xmss-c99.patch | 20 +++++++++++++++
 .../files/openssh-9.7_p1-X509-CVE-2024-6387.patch | 29 ++++++++++++++++++++++
 ...-r3.ebuild => openssh-contrib-9.7_p1-r4.ebuild} | 11 +++++++-
 5 files changed, 94 insertions(+), 1 deletion(-)

*** Bug 935388 has been marked as a duplicate of this bug. ***

commit da4d673c8709506f7aaaa5316f7fc3ccf2178b17
Author: Sam James <sam@gentoo.org>
Date: Mon Jul 1 12:11:56 2024 +0100

    net-misc/openssh: drop 9.6_p1-r4, 9.7_p1-r2, 9.7_p1-r3, 9.7_p1-r5
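
The restart-on-upgrade decision described in commit b9aab3ef above, sketched as an added example; this is not the ebuild's code or kerframil's snippet. The function names are hypothetical, and "major version" is taken to mean the upstream major.minor series, following the commit's 9.7_p1 to 9.8_p1 case.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not taken from the ebuild.

# Reduce a Gentoo package version to its upstream release series:
# 9.7_p1-r6 -> 9.7, 9.8_p1 -> 9.8 (drops the -rN revision and _pN suffix).
release_series() {
    v=${1%%-r*}
    v=${v%%_*}
    case $v in
        *.*) major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*} ;;
        *)   major=$v; minor=0 ;;
    esac
    printf '%s.%s\n' "$major" "$minor"
}

# sshd_needs_restart NEW OLD...
# Succeeds when any replaced version is from a different series than NEW.
# A fresh install (no OLD arguments) never asks for a restart.
sshd_needs_restart() {
    new_series=$(release_series "$1")
    shift
    for old in "$@"; do
        if [ "$(release_series "$old")" != "$new_series" ]; then
            return 0
        fi
    done
    return 1
}

# Restart only a daemon that is already running; never start a stopped one.
restart_sshd_if_running() {
    if [ -d /run/systemd/system ]; then
        systemctl try-restart sshd.service
    elif command -v rc-service >/dev/null 2>&1; then
        rc-service --ifstarted sshd restart
    fi
}

# Constructed upgrade pairs (new version, replaced version); prints the
# decision only, so the demo is safe to run on any host.
for pair in "9.8_p1-r1 9.7_p1-r6" "9.7_p1-r6 9.7_p1-r5"; do
    set -- $pair
    if sshd_needs_restart "$1" "$2"; then
        echo "$2 -> $1: restart sshd"
    else
        echo "$2 -> $1: no restart forced"
    fi
done
```

A package hook would call `restart_sshd_if_running` only when `sshd_needs_restart` succeeds, so a revision bump such as 9.7_p1-r5 to 9.7_p1-r6 leaves the running daemon alone.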