diff --git a/backport-fix-CVE-2023-38408-upstream-terminate-process.patch b/backport-fix-CVE-2023-38408-upstream-terminate-process.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7e72dd4acb949700f80bfb7e5a89331fd30f0210
--- /dev/null
+++ b/backport-fix-CVE-2023-38408-upstream-terminate-process.patch
@@ -0,0 +1,43 @@
+From 892506b13654301f69f9545f48213fc210e5c5cc Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org"
+Date: Wed, 19 Jul 2023 13:55:53 +0000
+Subject: [PATCH] upstream: terminate process if requested to load a
+PKCS#11
+ provider
+
+that isn't a PKCS#11 provider; from / ok markus@
+
+OpenBSD-Commit-ID: 39532cf18b115881bb4cfaee32084497aadfa05c
+
+Reference:https://anongit.mindrot.org/openssh.git/patch/?id=892506b1365
+Conflict:pkcs11_initialize_provider
+---
+ ssh-pkcs11.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
+index 995841f..b96021f 100644
+--- a/ssh-pkcs11.c
++++ b/ssh-pkcs11.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-pkcs11.c,v 1.47 2020/01/25 00:03:36 djm Exp $ */
++/* $OpenBSD: ssh-pkcs11.c,v 1.57 2023/07/19 13:55:53 djm Exp $ */
+ /*
+  * Copyright (c) 2010 Markus Friedl. All rights reserved.
+  * Copyright (c) 2014 Pedro Martelletto. All rights reserved.
+@@ -1743,10 +1743,8 @@ pkcs11_initialize_provider(struct pkcs11_uri *uri, struct pkcs11_provider **prov
+ error("dlopen %s failed: %s", provider_module, dlerror());
+ goto fail;
+ }
+- if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) {
+- error("dlsym(C_GetFunctionList) failed: %s", dlerror());
+- goto fail;
+- }
++ if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL)
++ fatal("dlsym(C_GetFunctionList) failed: %s", dlerror());
+
+ p->module->handle = handle;
+ /* setup the pkcs11 callbacks */
+--
+2.23.0
+
diff --git a/openssh.spec b/openssh.spec
index 57d97aa57e6bf7bc9c33d06690d7af850cf5774c..0fa90341bf3dd5c4e62214bb6a50b46a5d4bcd56 100644
--- a/openssh.spec
+++ b/openssh.spec
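Review bot: The replacement of error()+goto fail with fatal() on the dlsym(C_GetFunctionList) failure carries no comment saying why the process must terminate instead of unwinding, so a later cleanup could plausibly restore the "recoverable" form and reopen the issue. The commit subject gives the reason (the object just dlopen()ed is not a PKCS#11 provider), and the `fail:` label, which is outside this hunk, presumably dlclose()s the handle, which is the path upstream wanted to avoid. I would put a comment above the check, `/* Not a PKCS#11 provider: terminate rather than unwind through fail: (dlclose) */`. The dlopen failure just above keeps error()+goto fail, which is consistent since nothing was loaded on that path; the enclosing pkcs11_initialize_provider starts and ends outside the hunk, and the Conflict trailer already records that its name differs from upstream's.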
@@ -6,7 +6,7 @@ %{?no_gtk2:%global gtk2 0} %global sshd_uid 74 -%global openssh_release 26 +%global openssh_release 27 Name: openssh Version: 8.2p1 @@ -101,6 +101,8 @@ Patch67: backport-change-types-in-convtime-unit-test-to-int-to-match.patc Patch68: feature-add-SMx-support.patch Patch69: backport-upstream-ssh-keygen-Y-check-novalidate-requires-name.patch Patch70: backport-fix-possible-NULL-deref-when-built-without-FIDO.patch +Patch71: backport-fix-CVE-2023-38408-upstream-terminate-process.patch +Patch72: set-ssh-config.patch Requires: /sbin/nologin Requires: libselinux >= 2.3-5 audit-libs >= 1.0.8 @@ -274,6 +276,8 @@ popd %patch68 -p1 %patch69 -p1 %patch70 -p1 +%patch71 -p1 +%patch72 -p1 autoreconf pushd pam_ssh_agent_auth-0.10.3 @@ -483,6 +487,12 @@ getent passwd sshd >/dev/null || \ %attr(0644,root,root) %{_mandir}/man8/sftp-server.8* %changelog +* Thu Jul 27 2023 renmingshuai - 8.2p1-27 +- Type:CVE +- CVE:CVE-2023-38408 +- SUG:NA +- DESC:fix CVE-2023-38408 and set ssh default config + * Mon Jan 09 2023 renmingshuai - 8.2p1-26 - Type:bugfix - CVE: diff --git a/set-ssh-config.patch b/set-ssh-config.patch index 8da9e7ee135cd3f73ae45f9477104ebcd76ab8da..a1899c1f80a27f0773c161d24ee8710ecf1efeb3 100644 --- a/set-ssh-config.patch +++ b/set-ssh-config.patch @@ -21,7 +21,7 @@ index df22e2f..46b0987 100644 + ForwardX11Trusted yes + SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES + SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT -+ SendEnv LC_IDENTIFIACTION LC_ALL_LANGUAGE ++ SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE + SendEnv XMODIFIERS + Include /etc/ssh/ssh_config.d/*.conf
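Review bot: The Patch71/Patch72 lines wire set-ssh-config.patch into the build for the first time in the same release and under the same `Type:CVE` changelog entry as the CVE-2023-38408 backport, so the change to the shipped client defaults is easy to miss when auditing the security update. The set-ssh-config.patch hunk below shows the effect: the corrected `SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE` line means LC_ALL and LANGUAGE are now actually forwarded to servers, whereas the misspelled names sent nothing. I would give the config change its own changelog entry, or at least make the DESC line name it, e.g. `- DESC:fix CVE-2023-38408; apply set-ssh-config.patch (ssh_config defaults, SendEnv now includes LC_ALL and LANGUAGE)`. The same point applies to the %patch71/%patch72 and %changelog hunks in this file.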