diff --git a/SOURCES/openssh-9.3p1-openssl-compat.patch b/SOURCES/openssh-9.3p1-openssl-compat.patch
new file mode 100644
index 0000000..0efbdec
--- /dev/null
+++ b/SOURCES/openssh-9.3p1-openssl-compat.patch
@@ -0,0 +1,52 @@
+--- openssh-9.3p1/openbsd-compat/openssl-compat.c 2023-03-15 22:28:19.000000000 +0100
++++ /home/dbelyavs/work/upstream/openssh-portable/openbsd-compat/openssl-compat.c 2023-05-25 14:19:42.870841944 +0200
+@@ -33,10 +33,10 @@
+ 
+ /*
+ * OpenSSL version numbers: MNNFFPPS: major minor fix patch status
+- * We match major, minor, fix and status (not patch) for <1.0.0.
+- * After that, we acceptable compatible fix versions (so we
+- * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed
+- * within a patch series.
++ * Versions >=3 require only major versions to match.
++ * For versions <3, we accept compatible fix versions (so we allow 1.0.1
++ * to work with 1.0.0). Going backwards is only allowed within a patch series.
++ * See https://www.openssl.org/policies/releasestrat.html
+ */
+ 
+ int
+@@ -48,15 +48,17 @@
+ if (headerver == libver)
+ return 1;
+ 
+- /* for versions < 1.0.0, major,minor,fix,status must match */
+- if (headerver < 0x1000000f) {
+- mask = 0xfffff00fL; /* major,minor,fix,status */
++ /*
++ * For versions >= 3.0, only the major and status must match.
++ */
++ if (headerver >= 0x3000000f) {
++ mask = 0xf000000fL; /* major,status */
+ return (headerver & mask) == (libver & mask);
+ }
+ 
+ /*
+- * For versions >= 1.0.0, major,minor,status must match and library
+- * fix version must be equal to or newer than the header.
++ * For versions >= 1.0.0, but <3, major,minor,status must match and
++ * library fix version must be equal to or newer than the header.
+ */
+ mask = 0xfff0000fL; /* major,minor,status */
+ hfix = (headerver & 0x000ff000) >> 12;
+diff -up openssh-8.7p1/configure.ac.check openssh-8.7p1/configure.ac
+--- openssh-8.7p1/configure.ac.check 2023-11-27 14:54:32.959113758 +0100
++++ openssh-8.7p1/configure.ac 2023-11-27 14:54:49.467500523 +0100
+@@ -2821,7 +2821,7 @@ if test "x$openssl" = "xyes" ; then
+ ;;
+ 101*) ;; # 1.1.x
+ 200*) ;; # LibreSSL
+- 300*) ;; # OpenSSL development branch.
++ 30*) ;; # OpenSSL 3.x series
+ *)
+ AC_MSG_ERROR([Unknown/unsupported OpenSSL version ("$ssl_library_ver")])
+ ;;
diff --git a/SOURCES/openssh-9.4p2-limit-delay.patch b/SOURCES/openssh-9.4p2-limit-delay.patch
new file mode 100644
index 0000000..8c1cbcb
--- /dev/null
+++ b/SOURCES/openssh-9.4p2-limit-delay.patch
@@ -0,0 +1,33 @@
+diff -u -p -r1.166 auth2.c
+--- a/auth2.c 8 Mar 2023 04:43:12 -0000 1.166
++++ b/auth2.c 28 Aug 2023 08:32:44 -0000
+@@ -208,6 +208,7 @@ input_service_request(int type, u_int32_
+ }
+ 
+ #define MIN_FAIL_DELAY_SECONDS 0.005
++#define MAX_FAIL_DELAY_SECONDS 5.0
+ static double
+ user_specific_delay(const char *user)
+ {
+@@ -233,6 +234,12 @@ ensure_minimum_time_since(double start,
+ struct timespec ts;
+ double elapsed = monotime_double() - start, req = seconds, remain;
+ 
++ if (elapsed > MAX_FAIL_DELAY_SECONDS) {
++ debug3_f("elapsed %0.3lfms exceeded the max delay "
++ "requested %0.3lfms)", elapsed*1000, req*1000);
++ return;
++ }
++ 
+ /* if we've already passed the requested time, scale up */
+ while ((remain = seconds - elapsed) < 0.0)
+ seconds *= 2;
+@@ -317,7 +324,7 @@ input_userauth_request(int type, u_int32
+ debug2("input_userauth_request: try method %s", method);
+ authenticated = m->userauth(ssh);
+ }
+- if (!authctxt->authenticated)
++ if (!authctxt->authenticated && strcmp(method, "none") != 0)
+ ensure_minimum_time_since(tstart,
+ user_specific_delay(authctxt->user));
+ userauth_finish(ssh, authenticated, method, NULL);
diff --git a/SOURCES/openssh-9.8p1-upstream-cve-2024-6387.patch b/SOURCES/openssh-9.8p1-upstream-cve-2024-6387.patch
new file mode 100644
index 0000000..754d279
--- /dev/null
+++ b/SOURCES/openssh-9.8p1-upstream-cve-2024-6387.patch
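Review bot: The inner `+++` header of the openssl-compat part of this patch names a developer workstation path, `/home/dbelyavs/work/upstream/openssh-portable/openbsd-compat/openssl-compat.c`, while its `---` line and the configure.ac part below are relative to the unpacked tree. The spec applies the file with `%patch1016 -p1`, which presumably resolves the target from the `---` name, but the patch should be regenerated against the source tree (e.g. `--- openssh-8.7p1/openbsd-compat/openssl-compat.c.openssl3compat` / `+++ openssh-8.7p1/openbsd-compat/openssl-compat.c`) so it neither depends on that fallback nor carries a private path. The relaxed runtime check, `mask = 0xf000000fL`, accepts any 3.x library for 3.x headers; that is the upstream intent, but it widens what the version-compatibility function treats as compatible and is worth one line in the spec's `Patch1016` comment. The two inner hunks are fragments of the comment block and of the compatibility function, both of which continue outside this patch.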
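Review bot: The `debug3_f` message added in the `ensure_minimum_time_since` hunk has an unbalanced parenthesis, `"requested %0.3lfms)"`; `"requested %0.3lfms"` is presumably what was meant, though if this is a verbatim backport of upstream commit 01dbf3d4 it may be better left untouched to keep the patch identical. The early `return` when `elapsed > MAX_FAIL_DELAY_SECONDS` skips the per-user padding entirely, so whatever timing equalisation `user_specific_delay()` provides only holds for attempts that finish within 5 s; a backend that is consistently slower for one class of usernames becomes observable again above that bound, which is an accepted trade-off but should be stated. `MAX_FAIL_DELAY_SECONDS` carries no comment; `/* cap on the equalising delay: attempts that already took longer get no extra padding */` would record it. `ensure_minimum_time_since` and `input_userauth_request` both begin and end outside the hunk.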
@@ -0,0 +1,18 @@
+diff -up openssh-8.7p1/log.c.xxx openssh-8.7p1/log.c
+--- openssh-8.7p1/log.c.xxx 2024-06-28 11:02:43.949912398 +0200
++++ openssh-8.7p1/log.c 2024-06-28 11:02:58.652297885 +0200
+@@ -455,12 +455,14 @@ void
+ sshsigdie(const char *file, const char *func, int line, int showfunc,
+ LogLevel level, const char *suffix, const char *fmt, ...)
+ {
++#if 0
+ va_list args;
+ 
+ va_start(args, fmt);
+ sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
+ suffix, fmt, args);
+ va_end(args);
++#endif
+ _exit(1);
+ }
+ 
diff --git a/SOURCES/openssh-server-systemd-sysusers.conf b/SOURCES/openssh-server-systemd-sysusers.conf
new file mode 100644
index 0000000..419c529
--- /dev/null
+++ b/SOURCES/openssh-server-systemd-sysusers.conf
@@ -0,0 +1,2 @@
+#Type Name ID GECOS Home directory Shell
+u sshd 74 "Privilege-separated SSH" /usr/share/empty.sshd -
diff --git a/SOURCES/openssh-systemd-sysusers.conf b/SOURCES/openssh-systemd-sysusers.conf
new file mode 100644
index 0000000..1192c0b
--- /dev/null
+++ b/SOURCES/openssh-systemd-sysusers.conf
@@ -0,0 +1,2 @@
+#Type Name ID
+g ssh_keys 101
diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec
index 0103524..2e3f35b 100644
--- a/SPECS/openssh.spec
+++ b/SPECS/openssh.spec
@@ -7,10 +7,6 @@
 %global _hardened_build 1
-# OpenSSH privilege separation requires a user & group ID
-%global sshd_uid 74
-%global sshd_gid 74
-
 # Do we want to disable building of gnome-askpass? (1=yes 0=no)
 %global no_gnome_askpass 0
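Review bot: The `#if 0` in `sshsigdie()` removes the `sshlogv()` call, which is not async-signal-safe, from the path reached from the SIGALRM handler and is the core of the CVE-2024-6387 mitigation, but it also discards the message for every caller, so the event that used to be logged through this function (presumably the login-grace timeout) is no longer recorded anywhere — a detection gap for operators who alert on it. Upstream's 9.8 fix, as far as I recall, keeps the handler to `_exit()` and has the parent log the timeout from the child's exit status; if that is not practical here, the spec's `Patch1020` comment should at least say that the message is gone. The `#if 0` also leaves `file`, `func`, `line`, `showfunc`, `level`, `suffix` and `fmt` unused, which `-Wunused-parameter` will report; `(void)file; (void)func; (void)line; (void)showfunc; (void)level; (void)suffix; (void)fmt;` before `_exit(1)` keeps the build quiet without changing behaviour.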
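Review bot: The `u sshd 74 "Privilege-separated SSH" /usr/share/empty.sshd -` line leaves the shell column as `-`, whereas the `%pre server` scriptlet it replaces passed `-s /sbin/nologin` explicitly; `-` delegates to systemd-sysusers' default for system users, presumably a nologin shell, but pinning it keeps the fragment self-describing: `u sshd 74 "Privilege-separated SSH" /usr/share/empty.sshd /sbin/nologin`. The `u` line also creates the matching `sshd` group with GID 74, which reproduces the old `groupadd -g 74 -r sshd`, so that part is equivalent. Existing accounts are, as far as I know, left untouched by sysusers, so upgrades from the `useradd`-based releases keep whatever shell was set then.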
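Review bot: `g ssh_keys 101` pins a fixed GID, while the `%pre` it replaces used `groupadd -r ssh_keys` and let the system allocate one; on hosts where GID 101 already belongs to another group the two differ (confirm whether systemd-sysusers skips the line or picks another ID in that case), and the `%attr(2555,root,ssh_keys)` on `ssh-keysign` only needs the group name, not a specific number. If no fixed GID is required, `g ssh_keys -` keeps the previous dynamic allocation; if 101 is deliberate, a comment in the fragment saying why would save the next reader the question.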
@@ -51,14 +47,14 @@
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 8.7p1
-%global openssh_rel 34
+%global openssh_rel 38
 %global pam_ssh_agent_ver 0.10.4
 %global pam_ssh_agent_rel 5
 Summary: An open source implementation of SSH protocol version 2
 Name: openssh
 Version: %{openssh_ver}
-Release: %{openssh_rel}%{?dist}.3
+Release: %{openssh_rel}%{?dist}.1
 URL: http://www.openssh.com/portable.html
 #URL1: https://github.com/jbeverly/pam_ssh_agent_auth/
 Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
@@ -76,6 +72,8 @@ Source12: sshd-keygen@.service
 Source13: sshd-keygen
 Source15: sshd-keygen.target
 Source16: ssh-agent.service
+Source17: openssh-systemd-sysusers.conf
+Source18: openssh-server-systemd-sysusers.conf
 #https://bugzilla.mindrot.org/show_bug.cgi?id=2581
 Patch100: openssh-6.7p1-coverity.patch
@@ -282,10 +280,15 @@ Patch1014: openssh-8.7p1-UTC-time-parse.patch
 # upsream commit
 # b23fe83f06ee7e721033769cfa03ae840476d280
 Patch1015: openssh-9.3p1-upstream-cve-2023-38408.patch
+#upstream commit b7afd8a4ecaca8afd3179b55e9db79c0ff210237
+Patch1016: openssh-9.3p1-openssl-compat.patch
+#upstream commit 01dbf3d46651b7d6ddf5e45d233839bbfffaeaec
+Patch1017: openssh-9.4p2-limit-delay.patch
 #upstream commit 1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5
 Patch1018: openssh-9.6p1-CVE-2023-48795.patch
 #upstream commit 7ef3787c84b6b524501211b11a26c742f829af1a
 Patch1019: openssh-9.6p1-CVE-2023-51385.patch
+Patch1020: openssh-9.8p1-upstream-cve-2024-6387.patch
 License: BSD
 Requires: /sbin/nologin
@@ -360,7 +363,7 @@ Requires: openssh = %{version}-%{release}
 %package -n pam_ssh_agent_auth
 Summary: PAM module for authentication with ssh-agent
 Version: %{pam_ssh_agent_ver}
-Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}.3
+Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}.1
 License: BSD
 %description
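Review bot: `Patch1020: openssh-9.8p1-upstream-cve-2024-6387.patch` is the only entry in this run without the `#upstream commit <id>` line that `Patch1016` through `Patch1019` carry, and the patch's own headers (`log.c.xxx`) suggest it was written by hand rather than exported from a commit, despite the `upstream` in its file name. Either name the upstream commit it was derived from, or say what it is, e.g. `# CVE-2024-6387: disable logging in sshsigdie() so the SIGALRM path is async-signal-safe (minimal downstream fix)`. Keeping that comment next to the `Patch1020:` line matches how the neighbouring entries are documented.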
@@ -505,8 +508,11 @@ popd
 %patch1013 -p1 -b .man-hostkeyalgos
 %patch1014 -p1 -b .utc_parse
 %patch1015 -p1 -b .cve-2023-38408
+%patch1016 -p1 -b .openssl3compat
+%patch1017 -p1 -b .limitdelay
 %patch1018 -p1 -b .cve-2023-48795
 %patch1019 -p1 -b .cve-2023-51385
+%patch1020 -p1 -b .cve-2024-6387
 autoreconf
 pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}
@@ -652,6 +658,8 @@ install -m744 %{SOURCE13} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/sshd-keygen
 install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/
 install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/
 install -d -m711 ${RPM_BUILD_ROOT}/%{_datadir}/empty.sshd
+install -p -D -m 0644 %{SOURCE17} %{buildroot}%{_sysusersdir}/openssh.conf
+install -p -D -m 0644 %{SOURCE18} %{buildroot}%{_sysusersdir}/openssh-server.conf
 %if ! %{no_gnome_askpass}
 install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
@@ -680,13 +688,10 @@ install -m 755 -d $RPM_BUILD_ROOT%{_libdir}/sshtest/
 install -m 755 regress/misc/sk-dummy/sk-dummy.so $RPM_BUILD_ROOT%{_libdir}/sshtest
 %pre
-getent group ssh_keys >/dev/null || groupadd -r ssh_keys || :
+%sysusers_create_compat %{SOURCE17}
 %pre server
-getent group sshd >/dev/null || groupadd -g %{sshd_uid} -r sshd || :
-getent passwd sshd >/dev/null || \
- useradd -c "Privilege-separated SSH" -u %{sshd_uid} -g sshd \
- -s /sbin/nologin -r -d /usr/share/empty.sshd sshd 2> /dev/null || :
+%sysusers_create_compat %{SOURCE18}
 %post server
 %systemd_post sshd.service sshd.socket
@@ -724,6 +729,7 @@ test -f %{sysconfig_anaconda} && \
 %attr(0755,root,root) %dir %{_libexecdir}/openssh
 %attr(2555,root,ssh_keys) %{_libexecdir}/openssh/ssh-keysign
 %attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8*
+%attr(0644,root,root) %{_sysusersdir}/openssh.conf
 %files clients
 %attr(0755,root,root) %{_bindir}/ssh
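Review bot: The two new `install` lines in the `%install` hunk use `%{buildroot}` while every neighbouring line in the section uses `$RPM_BUILD_ROOT` (or `${RPM_BUILD_ROOT}`); the two expand to the same directory, but mixing them in one section is easy to trip over later. `install -p -D -m 0644 %{SOURCE17} $RPM_BUILD_ROOT%{_sysusersdir}/openssh.conf` and the same for `%{SOURCE18}` keep the section uniform. `-D` is appropriate here, since nothing in the visible hunk creates `%{_sysusersdir}` beforehand.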
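Review bot: `%sysusers_create_compat %{SOURCE17}` and `%sysusers_create_compat %{SOURCE18}` replace scriptlets that were guarded with `getent ... || ... || :` and so could never fail the transaction; the macro runs `systemd-sysusers` at `%pre` time with the fragment content inlined at build time, so confirm that its expansion is equally tolerant when the binary is absent or the entry already exists (minimal chroots and containers are the case to check), and that the package carries the `Requires(pre):` for whatever provides `systemd-sysusers` — none is visible in this diff. The removed `sshd_uid`/`sshd_gid` globals have no remaining references in the visible hunks, so that cleanup looks complete.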
@@ -769,6 +775,7 @@ test -f %{sysconfig_anaconda} && \
 %attr(0644,root,root) %{_unitdir}/sshd.socket
 %attr(0644,root,root) %{_unitdir}/sshd-keygen@.service
 %attr(0644,root,root) %{_unitdir}/sshd-keygen.target
+%attr(0644,root,root) %{_sysusersdir}/openssh-server.conf
 %files keycat
 %doc HOWTO.ssh-keycat
@@ -793,18 +800,33 @@ test -f %{sysconfig_anaconda} && \
 %endif
 %changelog
-* Mon Jan 08 2024 Dmitry Belyavskiy - 8.7p1-34.3
-- rebuilt
+* Fri Jun 28 2024 Dmitry Belyavskiy - 8.7p1-38.1
+- Possible remote code execution due to a race condition (CVE-2024-6387)
+ Resolves: RHEL-45347
-* Mon Jan 08 2024 Dmitry Belyavskiy - 8.7p1-34.2
+* Fri Jan 05 2024 Dmitry Belyavskiy - 8.7p1-38
 - Fix Terrapin attack
- Resolves: RHEL-19764
+ Resolves: CVE-2023-48795
-* Thu Dec 21 2023 Dmitry Belyavskiy - 8.7p1-34.1
-- Fix Terrapin attack (CVE-2023-48795)
- Resolves: RHEL-19764
-- Forbid shell metasymbols in username/hostname (CVE-2023-51385)
- Resolves: RHEL-19822
+* Fri Jan 05 2024 Dmitry Belyavskiy - 8.7p1-37
+- Fix Terrapin attack
+ Resolves: CVE-2023-48795
+ 
+* Wed Dec 20 2023 Dmitry Belyavskiy - 8.7p1-36
+- Fix Terrapin attack
+ Resolves: CVE-2023-48795
+- Relax OpenSSH build-time checks for OpenSSL version
+ Related: RHEL-4734
+- Forbid shell metasymbols in username/hostname
+ Resolves: CVE-2023-51385
+ 
+* Mon Oct 23 2023 Dmitry Belyavskiy - 8.7p1-35
+- Relax OpenSSH checks for OpenSSL version
+ Resolves: RHEL-4734
+- Limit artificial delays in sshd while login using AD user
+ Resolves: RHEL-2469
+- Move users/groups creation logic to sysusers.d fragments
+ Resolves: RHEL-5222
 * Thu Jul 20 2023 Dmitry Belyavskiy - 8.7p1-34
 - Avoid remote code execution in ssh-agent PKCS#11 support