pool/openssh
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
b071b0b1fc
openssh/openssh-7.2p2-audit_fixes.patch
Petr Cerny e8b9919265 Accepting request 500279 from home:pcerny:factory 
- Fix preauth seccomp separation on mainframes (bsc#1016709)
  [openssh-7.2p2-s390_hw_crypto_syscalls.patch]
  [openssh-7.2p2-s390_OpenSSL-ibmpkcs11_syscalls.patch]
- enable case-insensitive hostname matching (bsc#1017099)
  [openssh-7.2p2-ssh_case_insensitive_host_matching.patch]
- add CAVS tests 
  [openssh-7.2p2-cavstest-ctr.patch]
  [openssh-7.2p2-cavstest-kdf.patch]
- Adding missing pieces for user matching (bsc#1021626)
- Properly verify CIDR masks in configuration
  (bsc#1005893)
  [openssh-7.2p2-verify_CIDR_address_ranges.patch]
- Remove pre-auth compression support from the server to prevent
  possible cryptographic attacks.
  (CVE-2016-10012, bsc#1016370)
  [openssh-7.2p2-disable_preauth_compression.patch]
- limit directories for loading PKCS11 modules
  (CVE-2016-10009, bsc#1016366)
  [openssh-7.2p2-restrict_pkcs11-modules.patch]
- Prevent possible leaks of host private keys to low-privilege
  process handling authentication
  (CVE-2016-10011, bsc#1016369)
  [openssh-7.2p2-prevent_private_key_leakage.patch]
- Do not allow unix socket forwarding when running without
  privilege separation
  (CVE-2016-10010, bsc#1016368)
  [openssh-7.2p2-secure_unix_sockets_forwarding.patch]
- prevent resource depletion during key exchange
  (bsc#1005480, CVE-2016-8858)
  [openssh-7.2p2-kex_resource_depletion.patch]

OBS-URL: https://build.opensuse.org/request/show/500279
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=117
2017-05-31 23:09:14 +00:00

29 lines
960 B
Diff
Raw Blame History

# HG changeset patch
# Parent 51a3a8eab1493a799c5a9df95e8e757f872886d0
Various auditing fixes to be merged into the RH-originated patch.
diff --git a/openssh-7.2p2/packet.c b/openssh-7.2p2/packet.c
--- a/openssh-7.2p2/packet.c
+++ b/openssh-7.2p2/packet.c
@@ -375,16 +375,20 @@ ssh_packet_start_discard(struct ssh *ssh
int
ssh_packet_connection_is_on_socket(struct ssh *ssh)
{
struct session_state *state = ssh->state;
struct sockaddr_storage from, to;
socklen_t fromlen, tolen;
+ /* auditing might get here without valid connection structure when
+ * destroying sensitive data on exit and thus aborting disgracefully */
+ if (!ssh)
+ return 0;
/* filedescriptors in and out are the same, so it's a socket */
if (state->connection_in == state->connection_out)
return 1;
fromlen = sizeof(from);
memset(&from, 0, sizeof(from));
if (getpeername(state->connection_in, (struct sockaddr *)&from,
&fromlen) < 0)
return 0;
Reference in New Issue View Git Blame Copy Permalink