diff options
| author | Natanael Copa <ncopa@alpinelinux.org> | 2016-08-17 19:29:50 +0200 |
|---|---|---|
| committer | Natanael Copa <ncopa@alpinelinux.org> | 2016-08-17 17:55:05 +0000 |
| commit | 110afa7ead25761b7734c452b9667ac3b7202d91 (patch) | |
| tree | ec022d46782501042e6e12e550e49fe153bc93d6 | |
| parent | ed8947a7db077739e00779d65abe60ed81d445d6 (diff) | |
| download | aports-110afa7ead25761b7734c452b9667ac3b7202d91.tar.bz2 aports-110afa7ead25761b7734c452b9667ac3b7202d91.tar.xz | |
main/openssh: security fix for CVE-2016-6515
fixes #6043
| -rw-r--r-- | main/openssh/APKBUILD | 14 | ||||
| -rw-r--r-- | main/openssh/CVE-2016-6515.patch | 46 |
2 files changed, 56 insertions, 4 deletions
diff --git a/main/openssh/APKBUILD b/main/openssh/APKBUILD index 2f955679db..f755ca7c18 100644 --- a/main/openssh/APKBUILD +++ b/main/openssh/APKBUILD @@ -2,7 +2,7 @@ pkgname=openssh pkgver=6.7_p1 _myver=${pkgver%_*}${pkgver#*_} -pkgrel=5 +pkgrel=6 pkgdesc="Port of OpenBSD's free SSH release" url="http://www.openssh.org/portable.html" arch="all" @@ -27,12 +27,15 @@ source="http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$pkgname-$_myver.tar CVE-2016-3115.patch CVE-2016-6210-1.patch CVE-2016-6210-2.patch + CVE-2016-6515.patch " # HPN patches are from: http://www.psc.edu/index.php/hpn-ssh # secfixes: # 6.7_p1-r5: # - CVE-2016-6210 +# 6.7_p1-r6: +# - CVE-2016-6515 _builddir="$srcdir"/$pkgname-$_myver prepare() { @@ -134,7 +137,8 @@ ae3ac6c890f3172327118f3b793e7f05 CVE-2015-6563.patch 05cc6c7c1101b76959eac0d2d843561f CVE-2016-0777_CVE-2016-0778.patch 9dcae186783ebc1eaf80867016dde695 CVE-2016-3115.patch 8bdbd8213f3f5cac420839045fd377be CVE-2016-6210-1.patch -0a21e81b0920b2b79f788668072b827e CVE-2016-6210-2.patch" +0a21e81b0920b2b79f788668072b827e CVE-2016-6210-2.patch +c70de89a56f365514ea7a877c8267715 CVE-2016-6515.patch" sha256sums="b2f8394eae858dabbdef7dac10b99aec00c95462753e80342e530bbb6f725507 openssh-6.7p1.tar.gz 7d02930524d1357232770e9dc5a92746e654d6dafcbd5762c8618b059f0bf7b9 openssh6.7-dynwindows.diff bf49212e47a86d10650f739532cea514a310925e6445b4f8011031b6b55f3249 openssh6.5-peaktput.diff @@ -150,7 +154,8 @@ e42adee1f712850efcce272b556909fd3daf688c1f6059d86bfcc064cea09e87 CVE-2015-6565. 0b5536dc8b1d19a536826d0fe2fe27e4b814b12a2d5f1902ffd6f96ce14e6b49 CVE-2016-0777_CVE-2016-0778.patch 75c8353309d0c1870c40498f1c9ca370dfef336d7771a4a6a4301edc5a020115 CVE-2016-3115.patch 9d241c182c62d6ac55ef2db0f377cea8b2293131b75b97de939f36ece61725a4 CVE-2016-6210-1.patch -021f15627e56ca5c45a05d3a71d2c79af9d3c86637c1eb40208c6f71d2fb9697 CVE-2016-6210-2.patch" +021f15627e56ca5c45a05d3a71d2c79af9d3c86637c1eb40208c6f71d2fb9697 CVE-2016-6210-2.patch +dae8c7167a614eae45e5efadd635791e1d7f47dadfa605819a29f7b8ecedf9aa CVE-2016-6515.patch" sha512sums="2469dfcd289948374843311dd9e5f7e144ce1cebd4bfce0d387d0b75cb59f3e1af1b9ebf96bd4ab6407dfa77a013c5d25742971053e61cae2541054aeaca559d openssh-6.7p1.tar.gz 4985134b4b1b06d9c8bc81af9f0e0690c3f23d78f3df2af70cd0030cc7ab5bd8d9aad60031ce8069902c6bb8ae6dde754aa87d6fd4587cdc6e99e7bb33f0d1bb openssh6.7-dynwindows.diff e041398e177674f698480e23be037160bd07b751c754956a3ddf1b964da24c85e826fb75e7c23c9826d36761da73d08db9583c047d58a08dc7b2149a949075b1 openssh6.5-peaktput.diff @@ -166,4 +171,5 @@ e5a7d536837aefb07260b01c2863f96d0db2521d7739ded69f92490fad4c8537c853320458cdbc3a c60a6d66537f08b69bcb320903c2903c10f7685052fa58b5ef3deb102f7a1ea50d817e5980bcc6c96d7b898f9cb8f4b0081c59d06c5a49dbc7e1ca737b63f6b1 CVE-2016-0777_CVE-2016-0778.patch 3fdfa02f4892abd1f5ca4cbe5e1cf5fe528c55b0ead3dd32de0bc04d4ec1ff6aec377b8e3a912bc209bb5186802ff9d86bd86ae7aefb59740005e4e091643aef CVE-2016-3115.patch 6c78935209d9af00c4f0ce27261a40cdea8714ce0eaf28935ec75853333421f72ee2281c674d70c2a5ef7c297ec0fe4699214e0874efe0341c35dfd5027a1702 CVE-2016-6210-1.patch -aad1fc45a8f83fc778105ea43b6406860155fc89545a058ff0359586cbb33a0d0ebff99dc70be64a9e1021c4b971658b33bbae3efd383a9d81531dc4395b83a5 CVE-2016-6210-2.patch" +aad1fc45a8f83fc778105ea43b6406860155fc89545a058ff0359586cbb33a0d0ebff99dc70be64a9e1021c4b971658b33bbae3efd383a9d81531dc4395b83a5 CVE-2016-6210-2.patch +23794c9035ac25851734f154fca25f10fdb4bb6fc02c4162e7593ee7f05dbbd7bc3d158fca640cc57819e8fb9d64053f188f7a2cbb204c7f37fe6a60115f2ac6 CVE-2016-6515.patch" diff --git a/main/openssh/CVE-2016-6515.patch b/main/openssh/CVE-2016-6515.patch new file mode 100644 index 0000000000..5a46966760 --- /dev/null +++ b/main/openssh/CVE-2016-6515.patch @@ -0,0 +1,46 @@ +From fcd135c9df440bcd2d5870405ad3311743d78d97 Mon Sep 17 00:00:00 2001 +From: "dtucker@openbsd.org" <dtucker@openbsd.org> +Date: Thu, 21 Jul 2016 01:39:35 +0000 +Subject: [PATCH] upstream commit + +Skip passwords longer than 1k in length so clients can't +easily DoS sshd by sending very long passwords, causing it to spend CPU +hashing them. feedback djm@, ok markus@. + +Brought to our attention by tomas.kuthan at oracle.com, shilei-c at +360.cn and coredump at autistici.org + +Upstream-ID: d0af7d4a2190b63ba1d38eec502bc4be0be9e333 +--- + auth-passwd.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/auth-passwd.c b/auth-passwd.c +index 530b5d4..996c2cf 100644 +--- a/auth-passwd.c ++++ b/auth-passwd.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: auth-passwd.c,v 1.44 2014/07/15 15:54:14 millert Exp $ */ ++/* $OpenBSD: auth-passwd.c,v 1.45 2016/07/21 01:39:35 dtucker Exp $ */ + /* + * Author: Tatu Ylonen <ylo@cs.hut.fi> + * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland +@@ -66,6 +66,8 @@ extern login_cap_t *lc; + #define DAY (24L * 60 * 60) /* 1 day in seconds */ + #define TWO_WEEKS (2L * 7 * DAY) /* 2 weeks in seconds */ + ++#define MAX_PASSWORD_LEN 1024 ++ + void + disable_forwarding(void) + { +@@ -87,6 +89,9 @@ auth_password(Authctxt *authctxt, const char *password) + static int expire_checked = 0; + #endif + ++ if (strlen(password) > MAX_PASSWORD_LEN) ++ return 0; ++ + #ifndef HAVE_CYGWIN + if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) + ok = 0; |