[Midnightbsd-cvs] src [7196] stable/0.6: MidnightBSD 0.6.4

laffer1 at midnightbsd.org laffer1 at midnightbsd.org
Tue Jul 28 20:38:44 EDT 2015 

Revision: 7196
          http://svnweb.midnightbsd.org/src/?rev=7196
Author:   laffer1
Date:     2015-07-28 20:38:43 -0400 (Tue, 28 Jul 2015)
Log Message:
-----------
MidnightBSD 0.6.4

        OpenSSH

        Fix two security vulnerabilities:
        OpenSSH clients does not correctly verify DNS SSHFP records when a server
        offers a certificate. [CVE-2014-2653]

        OpenSSH servers which are configured to allow password authentication
        using PAM (default) would allow many password attempts. A bug allows
        MaxAuthTries to be bypassed. [CVE-2015-5600]

Modified Paths:
--------------
    stable/0.6/UPDATING
    stable/0.6/crypto/openssh/auth2-chall.c
    stable/0.6/crypto/openssh/sshconnect.c
    stable/0.6/sys/conf/newvers.sh

Modified: stable/0.6/UPDATING
===================================================================
--- stable/0.6/UPDATING	2015-07-29 00:37:33 UTC (rev 7195)
+++ stable/0.6/UPDATING	2015-07-29 00:38:43 UTC (rev 7196)
@@ -1,5 +1,28 @@
 Updating Information for MidnightBSD users.
 
+20150728:
+	MidnightBSD 0.6.4 RELEASE
+
+        TCP Resassemly resource exhaustion bug:
+        There is a mistake with the introduction of VNET, which converted the
+        global limit on the number of segments that could belong to reassembly
+        queues into a per-VNET limit.  Because mbufs are allocated from a
+        global pool, in the presence of a sufficient number of VNETs, the
+        total number of mbufs attached to reassembly queues can grow to the
+        total number of mbufs in the system, at which point all network
+        traffic would cease.
+        Obtained from: FreeBSD 8
+
+        OpenSSH
+
+        Fix two security vulnerabilities:
+        OpenSSH clients does not correctly verify DNS SSHFP records when a server
+        offers a certificate. [CVE-2014-2653]
+
+        OpenSSH servers which are configured to allow password authentication
+        using PAM (default) would allow many password attempts. A bug allows
+        MaxAuthTries to be bypassed. [CVE-2015-5600]
+
 20150722:
 	MidnightBSD 0.6.3 RELEASE
 

Modified: stable/0.6/crypto/openssh/auth2-chall.c
===================================================================
--- stable/0.6/crypto/openssh/auth2-chall.c	2015-07-29 00:37:33 UTC (rev 7195)
+++ stable/0.6/crypto/openssh/auth2-chall.c	2015-07-29 00:38:43 UTC (rev 7196)
@@ -82,6 +82,7 @@
 	void *ctxt;
 	KbdintDevice *device;
 	u_int nreq;
+	u_int devices_done;
 };
 
 #ifdef USE_PAM
@@ -168,11 +169,15 @@
 		if (len == 0)
 			break;
 		for (i = 0; devices[i]; i++) {
-			if (!auth2_method_allowed(authctxt,
+			if ((kbdintctxt->devices_done & (1 << i)) != 0 ||
+			    !auth2_method_allowed(authctxt,
 			    "keyboard-interactive", devices[i]->name))
 				continue;
-			if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0)
+			if (strncmp(kbdintctxt->devices, devices[i]->name,
+			    len) == 0) {
 				kbdintctxt->device = devices[i];
+				kbdintctxt->devices_done |= 1 << i;
+			}
 		}
 		t = kbdintctxt->devices;
 		kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;

Modified: stable/0.6/crypto/openssh/sshconnect.c
===================================================================
--- stable/0.6/crypto/openssh/sshconnect.c	2015-07-29 00:37:33 UTC (rev 7195)
+++ stable/0.6/crypto/openssh/sshconnect.c	2015-07-29 00:38:43 UTC (rev 7196)
@@ -1219,29 +1219,39 @@
 {
 	int flags = 0;
 	char *fp;
+	Key *plain = NULL;
 
 	fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
 	debug("Server host key: %s %s", key_type(host_key), fp);
 	free(fp);
 
-	/* XXX certs are not yet supported for DNS */
-	if (!key_is_cert(host_key) && options.verify_host_key_dns &&
-	    verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
-		if (flags & DNS_VERIFY_FOUND) {
-
-			if (options.verify_host_key_dns == 1 &&
-			    flags & DNS_VERIFY_MATCH &&
-			    flags & DNS_VERIFY_SECURE)
-				return 0;
-
-			if (flags & DNS_VERIFY_MATCH) {
-				matching_host_key_dns = 1;
-			} else {
-				warn_changed_key(host_key);
-				error("Update the SSHFP RR in DNS with the new "
-				    "host key to get rid of this message.");
+	if (options.verify_host_key_dns) {
+		/*
+		 * XXX certs are not yet supported for DNS, so downgrade
+		 * them and try the plain key.
+		 */
+		plain = key_from_private(host_key);
+		if (key_is_cert(plain))
+			key_drop_cert(plain);
+		if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {
+			if (flags & DNS_VERIFY_FOUND) {
+				if (options.verify_host_key_dns == 1 &&
+				    flags & DNS_VERIFY_MATCH &&
+				    flags & DNS_VERIFY_SECURE) {
+					key_free(plain);
+					return 0;
+				}
+				if (flags & DNS_VERIFY_MATCH) {
+					matching_host_key_dns = 1;
+				} else {
+					warn_changed_key(plain);
+					error("Update the SSHFP RR in DNS "
+					    "with the new host key to get rid "
+					    "of this message.");
+				}
 			}
 		}
+		key_free(plain);
 	}
 
 	return check_host_key(host, hostaddr, options.port, host_key, RDRW,

Modified: stable/0.6/sys/conf/newvers.sh
===================================================================
--- stable/0.6/sys/conf/newvers.sh	2015-07-29 00:37:33 UTC (rev 7195)
+++ stable/0.6/sys/conf/newvers.sh	2015-07-29 00:38:43 UTC (rev 7196)
@@ -32,7 +32,7 @@
 # $MidnightBSD$
 
 TYPE="MidnightBSD"
-REVISION="0.6.3"
+REVISION="0.6.4"
 RELEASE="${REVISION}"
 VERSION="${TYPE} ${RELEASE}"
 SYSDIR=$(dirname $0)/..

More information about the Midnightbsd-cvs mailing list