Date: Fri, 17 Oct 2014 11:04:06 +0100
From: Karl Pielorz
To: freebsd-security@freebsd.org
Subject: sshd Library order fix, not patched by freebsd-update?

Hi,

A long time ago (around 2014/04/12) a number of people (including me) found an issue with sshd - to do with the library bind order (as best as I can explain) - whereby sshd would get 'stuck' and leave a lot of zombied sshd's hanging around. This was traced eventually to libthr being 'after' libc (again, as far as I can remember).

This fix, according to Konstantin Belousov:

"was committed in r265313 to stable/10, and in r265314 to stable/9, although the latter was not strictly necessary."

(Which it was)

However, on our new 10.0-RELEASE-p9 systems - this bug still exists (as I'd guess it is not patched by freebsd-update).

This creates a nasty denial of service issue (you can get effectively locked out of machines, because ssh access to an affected machine results in 'ssh_exchange_identification: Connection closed by remote host'). One known trigger for this is our monthly network scans.

Is there any chance to get this fix incorporated as a 'freebsd-update' fix - rather than us having to take those machines to -STABLE? (with all the hassle that intones) - or messing around having to compile up, and replace sshd on affected systems.

In our eyes here - this is a security issue, as it can result in a DoS situation for sshd? - And there is a known good / working fix for it (r265313).

Obviously I have little idea of the processes involved in what does, or doesn't get picked up by freebsd-update, but as the saying goes - if you don't (politely) ask, you don't get...

Thanks,

-Karl