Date:      Mon, 24 Oct 2016 22:52:17 +0000 (UTC)
From:      Bryan Drewery <bdrewery@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r424592 - in head/security/openssh-portable: . files
Message-ID:  <201610242252.u9OMqHS3055037@repo.freebsd.org>

Author: bdrewery
Date: Mon Oct 24 22:52:17 2016
New Revision: 424592
URL: https://svnweb.freebsd.org/changeset/ports/424592

Log:
  Bring in upstream commit ec165c392ca54317dbe3064a8c200de6531e89ad:
    Unregister the KEXINIT handler after message has been
    received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause
    allocation of up to 128MB -- until the connection is closed. Reported by
    shilei-c at 360.cn
  
  Security:	CVE-2016-8858

Added:
  head/security/openssh-portable/files/patch-kex.c   (contents, props changed)
Modified:
  head/security/openssh-portable/Makefile

Modified: head/security/openssh-portable/Makefile
==============================================================================
--- head/security/openssh-portable/Makefile	Mon Oct 24 20:42:15 2016	(r424591)
+++ head/security/openssh-portable/Makefile	Mon Oct 24 22:52:17 2016	(r424592)
@@ -3,7 +3,7 @@
 
 PORTNAME=	openssh
 DISTVERSION=	7.3p1
-PORTREVISION=	0
+PORTREVISION=	1
 PORTEPOCH=	1
 CATEGORIES=	security ipv6
 MASTER_SITES=	OPENBSD/OpenSSH/portable
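Review bot: Nothing in this commit marks the unpatched 7.3p1 build (PORTREVISION 0) as affected by CVE-2016-8858, since only the Makefile and files/patch-kex.c change. Pair the PORTREVISION=1 bump with a security/vuxml entry, if one is not committed separately, so that pkg audit flags installs still on the old revision.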

Added: head/security/openssh-portable/files/patch-kex.c
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/openssh-portable/files/patch-kex.c	Mon Oct 24 22:52:17 2016	(r424592)
@@ -0,0 +1,33 @@
+From ec165c392ca54317dbe3064a8c200de6531e89ad Mon Sep 17 00:00:00 2001
+From: "markus@openbsd.org" <markus@openbsd.org>
+Date: Mon, 10 Oct 2016 19:28:48 +0000
+Subject: [PATCH] upstream commit
+
+Unregister the KEXINIT handler after message has been
+received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause
+allocation of up to 128MB -- until the connection is closed. Reported by
+shilei-c at 360.cn
+
+Upstream-ID: 43649ae12a27ef94290db16d1a98294588b75c05
+---
+ kex.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git kex.c kex.c
+index 3f97f8c..6a94bc5 100644
+--- kex.c
++++ kex.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: kex.c,v 1.126 2016/09/28 21:44:52 djm Exp $ */
++/* $OpenBSD: kex.c,v 1.127 2016/10/10 19:28:48 markus Exp $ */
+ /*
+  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
+  *
+@@ -481,6 +481,7 @@ kex_input_kexinit(int type, u_int32_t seq, void *ctxt)
+ 	if (kex == NULL)
+ 		return SSH_ERR_INVALID_ARGUMENT;
+ 
++	ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
+ 	ptr = sshpkt_ptr(ssh, &dlen);
+ 	if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
+ 		return r;
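Review bot: The first inner hunk, which rewrites the $OpenBSD ident line of kex.c from 1.126 to 1.127, is unrelated to the fix and ties the patch to a kex.c revision dated 2016/09/28. Check that the 7.3p1 distfile named in the Makefile carries that exact line, or drop that hunk and keep only the ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL) change, otherwise the patch can be rejected at build time. For the functional hunk, a short comment on the added line saying why the handler is cleared would help, and it is worth confirming that the handler is registered again once key exchange completes, because a later rekey also begins with KEXINIT.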

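The log message describes a one-shot handler: once KEXINIT has been received, its dispatch slot is cleared so a repeat cannot grow the peer buffer again. The following toy model is an added example, not part of the commit and not OpenSSH code; the struct, the function names and the 1024-byte payload are hypothetical, and the model assumes a message type with no registered handler is rejected as a protocol error.

```c
/* Toy dispatch table, constructed for illustration; names are not OpenSSH's API. */
#include <stdlib.h>
#include <string.h>
#define MSG_KEXINIT 20	/* SSH2_MSG_KEXINIT, RFC 4253 */

struct conn;
typedef int (*handler_fn)(struct conn *, const unsigned char *, size_t);
struct conn {
	handler_fn dispatch[256];	/* one slot per message type */
	unsigned char *peer;		/* buffered peer KEXINIT payloads */
	size_t peer_len;
	int one_shot;			/* 1 = behaviour after the fix */
};

/* Buffer the payload; when one_shot is set, unregister first, as the patch does. */
static int on_kexinit(struct conn *c, const unsigned char *p, size_t n)
{
	unsigned char *np;
	if (c->one_shot)
		c->dispatch[MSG_KEXINIT] = NULL;
	if ((np = realloc(c->peer, c->peer_len + n)) == NULL)
		return -2;	/* allocation failure */
	memcpy(np + c->peer_len, p, n);
	c->peer = np;
	c->peer_len += n;
	return 0;
}

/* Route one message; a type with no handler is a protocol error (assumed). */
static int deliver(struct conn *c, int type, const unsigned char *p, size_t n)
{
	if (type < 0 || type > 255 || c->dispatch[type] == NULL)
		return -1;	/* protocol error */
	return c->dispatch[type](c, p, n);
}

/* Deliver `count` KEXINIT messages; return how many bytes ended up buffered. */
size_t replay_kexinit(int one_shot, int count)
{
	static const unsigned char msg[1024];	/* constructed payload */
	struct conn c = { .one_shot = one_shot };
	size_t total;
	c.dispatch[MSG_KEXINIT] = on_kexinit;
	for (int i = 0; i < count; i++)
		if (deliver(&c, MSG_KEXINIT, msg, sizeof(msg)) != 0)
			break;
	total = c.peer_len;
	free(c.peer);
	return total;
}
```

Calling `replay_kexinit(0, 8)` shows the buffer growing with every repeat, while `replay_kexinit(1, 8)` stops at the first message because the second delivery finds an empty slot.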

