Date: Fri, 17 Oct 2014 11:04:06 +0100 From: Karl Pielorz <kpielorz_lst@tdx.co.uk> To: freebsd-security@freebsd.org Subject: sshd Library order fix, not patched by freebsd-update? Message-ID: <DD13B6D6FEA3B2187160FC43@Mail-PC.tdx.co.uk>
next in thread | raw e-mail | index | archive | help
Hi, A long time ago (around 2014/04/12) a number of people (including me) found an issue with sshd - to do with the library bind order (as best as I can explain) - whereby sshd would get 'stuck' and leave a lot of zombied sshd's hanging around. This was traced eventually to libthr being 'after' libc (again, as far as I can remember). This fix, according to Konstantin Belousov: "was committed in r265313 to stable/10, and in r265314 to stable/9, although the later was not strictly necessary." (Which it was) However, on our new 10.0-RELEASE-p9 systems - this bug still exists (as I'd guess it is not patched by freebsd-update). This creates a nasty denial of service issue (you can get effectively locked out of machines, because ssh access to an affected machine results in 'ssh_exchange_identification: Connection closed by remote host'. One known trigger for this is our monthly network scans. Is there any chance to get this fix incorporated as a 'freebsd-update' fix - rather than us having to take those machines to -STABLE? (with all the hassle that intones) - or messing around having to compile up, and replace sshd on affected systems. In our eyes here - this is a security issue, as it can result in a DoS situation for sshd? - And there is a known good / working fix for it (r265313). Obviously I have little idea of the processes involved in what does, or doesn't get picked up by freebsd-update, but as the saying goes - if you don't (politely) ask, you don't get... Thanks, -Karl
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?DD13B6D6FEA3B2187160FC43>