authorNatanael Copa <ncopa@alpinelinux.org>2014-04-18 14:41:34 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2014-04-18 14:45:39 +0000
commit23d60a55d9a447ffd99c61c562b58bb3aa66bdce (patch)
tree2207c679c0de25243c6da665cdfbcdbb09801e27
parent7c6f59eb07ed9c9fd46b1d2b74aff8d1bf18d7b8 (diff)
main/openssh: security fix for CVE-2014-2653
fixes #2860. This also makes sure that CVE-2014-2532 is actually applied.
-rw-r--r--main/openssh/APKBUILD14
-rw-r--r--main/openssh/CVE-2014-2653.patch83
2 files changed, 92 insertions, 5 deletions
diff --git a/main/openssh/APKBUILD b/main/openssh/APKBUILD
index 70b5103e6c..9e5ca57dfe 100644
--- a/main/openssh/APKBUILD
+++ b/main/openssh/APKBUILD
@@ -2,7 +2,7 @@
pkgname=openssh
pkgver=6.4_p1
_myver=${pkgver%_*}${pkgver#*_}
-pkgrel=1
+pkgrel=2
pkgdesc="Port of OpenBSD's free SSH release"
url="http://www.openssh.org/portable.html"
arch="all"
@@ -19,6 +19,7 @@ source="ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$pkgname-$_myver.tar.
sshd.initd
sshd.confd
CVE-2014-2532.patch
+ CVE-2014-2653.patch
"
# HPN patches are from: http://www.psc.edu/index.php/hpn-ssh
@@ -31,7 +32,7 @@ prepare() {
msg "Applying $i"
gunzip -c "$srcdir"/"${i##*/}" | patch -p1 -N || return 1
;;
- *.diff)
+ *.diff|*.patch)
msg "Applying $i"
patch -p1 -N -i "$srcdir"/${i##*/} || return 1
;;
@@ -110,7 +111,8 @@ c65d454dc5b149647273485fc184636d openssh-hmac-accel.diff
f7d9d6f96940ef66bd3c3a0aa27e57a7 openssh-fix-utmp.diff
cb0dd08c413fad346f0c594107b4a2e0 sshd.initd
b35e9f3829f4cfca07168fcba98749c7 sshd.confd
-e4cf579145106ce3d4465453b70ea50d CVE-2014-2532.patch"
+e4cf579145106ce3d4465453b70ea50d CVE-2014-2532.patch
+02a7de5652d9769576e3b252d768cd0f CVE-2014-2653.patch"
sha256sums="5530f616513b14aea3662c4c373bafd6a97a269938674c006377e381f68975d2 openssh-6.4p1.tar.gz
4f78f16807c6b6a3a3773c000b85df0c56ea8a93dc35eaa6bbdffe6e30328e58 openssh6.2-dynwindows.diff
6e803be3b3569eedfe69d9e9aeabef2e3fec2ed28f75bc456dfd69c2ef2c8198 openssh-peaktput.diff
@@ -119,7 +121,8 @@ c3189ba0e17e60e83851ac2d6f18ad5b08cb90cccfce31d61cccb9fd76d44d59 openssh-fix-in
f2748da45d0bc31055727f8c80d93e1872cc043ced3202e2f6d150aca3c08dde openssh-fix-utmp.diff
3fa062fd4bfac64abf21f3c1d0548f1dfcf3c6e56e84ece14c848f53a293024e sshd.initd
29c6d57ac3ec6018cadc6ba6cd9b90c9ed46e20049b970fdcc68ee2481a2ee41 sshd.confd
-323d1a7a0ff72143580ac1b0ce2a28b9640f956368bc6629890c22c79af28aaa CVE-2014-2532.patch"
+323d1a7a0ff72143580ac1b0ce2a28b9640f956368bc6629890c22c79af28aaa CVE-2014-2532.patch
+03826427d72f86c68f079acab6c9c86e8f27f7514b66428f404c2f235fd0c0bd CVE-2014-2653.patch"
sha512sums="f87b3e1d3110b87c1dfff729459ff26024863480c8eb4449b9e3b0b750d187acdfedb199ca4ea133b5dfa436bed0e2eea7607392d451b18c626c4dc1d38bb52a openssh-6.4p1.tar.gz
773cc0629e17a8f78e82be56e579855ea9b3ca8fd26360964aee854d717a7cfc2c9d4d654cf0fda5723c3aabe96e48ee2cfe6d1fd64b5717f0ef5eb997d00293 openssh6.2-dynwindows.diff
64f5aff3fc1a0d2f7c65ea875d1c2c4d98a3d305ff2677d9d4ca82f20778df9e317b1bfc428cee2b0df1bfa01a65dfcf83b68435a227a23a2cf3400fef35d656 openssh-peaktput.diff
@@ -128,4 +131,5 @@ aaa128126400171d0755038a846672aa7b1e87340edf73a672962d403abf404ef1821466b17da51d
cc909f68d9da1b264926973b96d36162b5c588299c98d62f526faf2ef1273d98bb8d8dea4d482770a2aef88bcbf15fa61144401aef9ab916c15e1623bcf449b5 openssh-fix-utmp.diff
1483e2bcd700da9b02f04508d490b472c816344787bf1675fef2f7e27f72b91e4323e4e8c1db701e47d81d37d6d4b0623eaeac46b2cf589ae5ad69f363baa594 sshd.initd
b9ae816af54a55e134a9307e376f05367b815f1b3fd545c2a2c312d18aedcf907f413e8bad8db980cdd9aad4011a72a79e1e94594f69500939a9cb46287f2f81 sshd.confd
-4521052ef55b77a2932484fa52f4a7688e8dbd4e6aa1e210ce24a59b8501775ca7e844108e36c06a9e3a47b70cd8d59007c12ca7a7bb8af27ae1e31e7b0de34d CVE-2014-2532.patch"
+4521052ef55b77a2932484fa52f4a7688e8dbd4e6aa1e210ce24a59b8501775ca7e844108e36c06a9e3a47b70cd8d59007c12ca7a7bb8af27ae1e31e7b0de34d CVE-2014-2532.patch
+be48059ae1715669f970a19acde14f262588172c5a8d8d1c84159bc69a60c5750b21c98f39f65df72ae071f7f918046000a2499b9ef16ba2cb4bcd8399bc8e40 CVE-2014-2653.patch"
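Review bot: The new `*.diff|*.patch)` arm in prepare() repairs the silent skip that left CVE-2014-2532.patch unapplied at pkgrel=1, but nothing in the hunk makes that failure mode visible should it recur; prepare() starts outside the hunk, so I cannot see whether the case statement has a `*)` arm for the remaining sources. A comment on the arm would record why it exists, e.g. `# every *.diff/*.patch listed in $source must be applied here; CVE-2014-2532.patch was silently skipped at pkgrel=1 because only *.diff was matched`. If there is no `*)` arm, consider adding one that at least logs each unhandled source name so a listed patch can never again be dropped without a trace in the build output.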
diff --git a/main/openssh/CVE-2014-2653.patch b/main/openssh/CVE-2014-2653.patch
new file mode 100644
index 0000000000..b453081c5a
--- /dev/null
+++ b/main/openssh/CVE-2014-2653.patch
@@ -0,0 +1,83 @@
+From 08a63152deb5deda168aaef870bdb9f56425acb3 Mon Sep 17 00:00:00 2001
+From: Matthew Vernon <mcv21@cam.ac.uk>
+Date: Wed, 26 Mar 2014 15:32:23 +0000
+Subject: Attempt SSHFP lookup even if server presents a certificate
+
+If an ssh server presents a certificate to the client, then the client
+does not check the DNS for SSHFP records. This means that a malicious
+server can essentially disable DNS-host-key-checking, which means the
+client will fall back to asking the user (who will just say "yes" to
+the fingerprint, sadly).
+
+This patch is by Damien Miller (of openssh upstream). It's simpler
+than the patch by Mark Wooding which I applied yesterday; a copy is
+taken of the proffered key/cert, the key extracted from the cert (if
+necessary), and then the DNS consulted.
+
+Signed-off-by: Matthew Vernon <matthew@debian.org>
+Bug-Debian: http://bugs.debian.org/742513
+Patch-Name: sshfp_with_server_cert_upstr
+---
+ sshconnect.c | 42 ++++++++++++++++++++++++++----------------
+ 1 file changed, 26 insertions(+), 16 deletions(-)
+
+diff --git a/sshconnect.c b/sshconnect.c
+index 87c3770..324f5e0 100644
+--- a/sshconnect.c
++++ b/sshconnect.c
+@@ -1224,29 +1224,39 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
+ {
+ int flags = 0;
+ char *fp;
++ Key *plain = NULL;
+
+ fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
+ debug("Server host key: %s %s", key_type(host_key), fp);
+ free(fp);
+
+- /* XXX certs are not yet supported for DNS */
+- if (!key_is_cert(host_key) && options.verify_host_key_dns &&
+- verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
+- if (flags & DNS_VERIFY_FOUND) {
+-
+- if (options.verify_host_key_dns == 1 &&
+- flags & DNS_VERIFY_MATCH &&
+- flags & DNS_VERIFY_SECURE)
+- return 0;
+-
+- if (flags & DNS_VERIFY_MATCH) {
+- matching_host_key_dns = 1;
+- } else {
+- warn_changed_key(host_key);
+- error("Update the SSHFP RR in DNS with the new "
+- "host key to get rid of this message.");
++ if (options.verify_host_key_dns) {
++ /*
++ * XXX certs are not yet supported for DNS, so downgrade
++ * them and try the plain key.
++ */
++ plain = key_from_private(host_key);
++ if (key_is_cert(plain))
++ key_drop_cert(plain);
++ if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {
++ if (flags & DNS_VERIFY_FOUND) {
++ if (options.verify_host_key_dns == 1 &&
++ flags & DNS_VERIFY_MATCH &&
++ flags & DNS_VERIFY_SECURE) {
++ key_free(plain);
++ return 0;
++ }
++ if (flags & DNS_VERIFY_MATCH) {
++ matching_host_key_dns = 1;
++ } else {
++ warn_changed_key(plain);
++ error("Update the SSHFP RR in DNS "
++ "with the new host key to get rid "
++ "of this message.");
++ }
+ }
+ }
++ key_free(plain);
+ }
+
+ return check_host_key(host, hostaddr, options.port, host_key, RDRW,
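Review bot: The secure-match early return at `key_free(plain); return 0;` now applies to certificate host keys too, since the cert is downgraded to its embedded plain key before verify_host_key_dns() is consulted; with verify_host_key_dns=1 and a SECURE+MATCH SSHFP record the host is accepted on the strength of the embedded key alone and check_host_key() never sees the certificate. This appears intended (the key exchange proves possession of the plain key either way), but the hunk's comment only says certs are "not yet supported for DNS", so I would extend it: `/* A cert is reduced to its plain key: a SECURE+MATCH SSHFP for that key accepts the host without validating the certificate. */`. The result of `key_from_private(host_key)` is passed straight to key_is_cert(); presumably key_from_private() fatal()s rather than returning NULL for unsupported key types, but that is worth confirming since a NULL would be dereferenced before the `key_free(plain)` on the non-match path. The enclosing verify_host_key() continues past the end of the hunk.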