diff --git a/fix-CVE-2024-6387.patch b/fix-CVE-2024-6387.patch
new file mode 100644
index 0000000..ba9d506
--- /dev/null
+++ b/fix-CVE-2024-6387.patch
@@ -0,0 +1,19 @@
+Index: openssh-9.6p1/log.c
+===================================================================
+--- openssh-9.6p1.orig/log.c
++++ openssh-9.6p1/log.c
+@@ -451,12 +451,14 @@ void
+ sshsigdie(const char *file, const char *func, int line, int showfunc,
+ LogLevel level, const char *suffix, const char *fmt, ...)
+ {
++#if 0
+ va_list args;
+
+ va_start(args, fmt);
+ sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
+ suffix, fmt, args);
+ va_end(args);
++#endif
+ _exit(1);
+ }
+
diff --git a/openssh.changes b/openssh.changes
index ee72e3a..41fc8ff 100644
--- a/openssh.changes
+++ b/openssh.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Jul 1 07:50:28 UTC 2024 - Antonio Larrosa
+
+- Add patch to fix a race condition in a signal handler by removing
+ the async-signal-unsafe code (CVE-2024-6387, bsc#1226642):
+ * fix-CVE-2024-6387.patch
+
 -------------------------------------------------------------------
 Mon Jun 10 07:10:48 UTC 2024 - Antonio Larrosa
 
diff --git a/openssh.spec b/openssh.spec
index f9267bc..b1171c8 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -128,6 +128,8 @@ Patch106: openssh-7.6p1-cleanup-selinux.patch
 # PATCH-FIX-OPENSUSE bsc#1211301 Add crypto-policies support
 Patch107: openssh-9.6p1-crypto-policies.patch
 Patch108: openssh-9.6p1-crypto-policies-man.patch
+# PATCH-FIX-SUSE bsc#1226642 fix CVE-2024-6387
+Patch109: fix-CVE-2024-6387.patch
 %if 0%{with allow_root_password_login_by_default}
 Patch1000: openssh-7.7p1-allow_root_password_login.patch
 %endif
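Review bot: The `#if 0` block added around the logging in `sshsigdie()` (the log.c hunk inside fix-CVE-2024-6387.patch) has no comment saying why the code is compiled out, so a later rebase or cleanup could re-enable it without seeing the reason. I would put a comment directly above it, for example `/* Disabled for CVE-2024-6387: sshlogv() is not async-signal-safe and sshsigdie() is reached from a signal handler. */`. With the block disabled the function only calls `_exit(1)`, so the fatal message that callers pass in `fmt` is no longer logged; anyone alerting on that log line needs another signal for these exits, and that is worth stating in the changelog entry. The now-unused parameters may also produce unused-parameter warnings, depending on build flags that are not visible here.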